MPLS Bootcamp: MPLS VPN
Khalid Raza, Kyle Bearden, & Munther Antoun
March, 2001, Version 0.1
MPLS Bootcamp © 2000, Cisco Systems, Inc. Cisco Confidential

MPLS VPN Agenda
• VPN Concepts
• MPLS VPN Functional Components
• MPLS VPN Architectural Components
• VPN Routing & Forwarding
• MPLS VPN Route Distribution
• MPLS VPN Data Plane
• MPLS VPN Topologies
• Convergence & Scaling Considerations
• QoS
• Deployment Strategies
• MPLS VPN Labs

Virtual Private Networks Concepts
(MPLS NW'00 Bootcamp, Paris)

Virtual Private Networks
• An IP network infrastructure delivering private network services over a public infrastructure
  - Certainly not a new concept: leased lines --> statistical multiplexing
  - Delivered at Layer-2 (SP backbone) or Layer-3 (IP backbone)
  - Private connectivity amongst multiple sites
  - Controlled access into the VPN
  - Global or non-unique private IP addressing space amongst the different VPNs

Virtual Private Networks (taxonomy)
• Virtual Networks
  - Virtual Private Networks
    - Overlay VPN
      - Layer-2 VPN: X.25, F/R, ATM
      - Layer-3 VPN: GRE, IPSec
    - Peer-to-Peer VPN
      - Access lists (shared router)
      - Split routing (dedicated router)
      - MPLS/VPN
  - Virtual Dialup Networks
  - Virtual LANs

VPN - Overlay Model
[Diagram: CPE (CE) devices at two VPN sites attach to Provider Edge (PE) devices of the Service Provider network; a virtual circuit carries the Layer-3 routing adjacency directly between the CPE devices]
• Private trunks across a Telco/SP shared infrastructure
  - Leased/dialup lines
  - FR/ATM virtual circuits
  - IP (GRE) tunnelling
• Point-to-point solution between customer sites
  - How to size inter-site circuit capacities?
  - Full mesh requirement for optimal routing
  - CPE routing adjacencies between sites
VPN - Peer-to-Peer Model
[Diagram: CPE routers at VPN Site 1 and VPN Site 2 form Layer-3 routing adjacencies with the Provider Edge routers of the Service Provider network]
• Provider edge device exchanges routing information with CPE
  - All customer routes carried within SP IGP
• Simple routing scheme for VPN customer
  - Routing between sites is optimal
  - Circuit sizing no longer an issue
• Private addressing is NOT an option
• Addition of new sites is simpler
  - No overlay mesh to contend with

VPN - MPLS VPN Model
[Diagram: Customer Edge (CE) routers at VPN Site 1 and VPN Site 2 run static, RIP, OSPF or eBGP routing to their Provider Edge (PE) routers; the PE routers peer over an MP-iBGP session across the Service Provider network]
• Combines benefits of overlay and peer-to-peer paradigms
  - Overlay (security and isolation amongst customers)
  - Peer-to-peer (simplified customer routing)
• PE routers only hold routes for attached VPNs
  - Reduces size of PE routing information
  - Proportional to number of VPNs attached
• MPLS used to forward packets (not traditional IP routing)
  - Full routing within backbone no longer required

MPLS VPN Functional Components

MPLS VPN Connection Model: The Whole Picture
[Diagram: CE routers of VPN_A and VPN_B, with overlapping prefixes such as 10.1.0.0 and 10.2.0.0 present in both VPNs (plus 11.5.0.0, 11.6.0.0 and 10.3.0.0), attach to PE routers surrounding a core of P routers; iBGP sessions run between the PE routers]
• P routers (LSRs) are in the core of the MPLS cloud
• PE routers (Edge LSRs or LERs) use MPLS with the core and plain IP with CE routers
• P and PE routers share a common IGP
• PE routers are MP-iBGP fully-meshed or use Route-Reflectors (RRs)
  - Confederations supported in IOS 12.1(5)T & higher [maybe also 12.0(14)ST?]
MPLS VPN Model
[Diagram: CE routers at the VPN sites form the C-Network; the PE routers and the P router form the P-Network]

MPLS VPN Connectivity Model
• A VPN is a collection of sites sharing common routing information
  - Same set of routes within the routing table
• A site may belong to more than one VPN through sharing of routing information
• A VPN can be thought of as a closed user group (CUG) or community of interest

MPLS VPN Architectural Components

MPLS VPN Architectural Components
• Control planes
  - LDP/TDP, MP-BGP, CE-PE peering, IGP
• Data plane
  - Forwarding table
  - VRF

VPN Routing & Forwarding Instance (VRF)
• PEs maintain separate routing tables
  - Global routing table
    - Contains all PE and P routes (perhaps non-VPN BGP)
    - Populated by the VPN backbone IGP
  - VRF (VPN Routing & Forwarding)
    - Routing & forwarding table associated with one or more directly connected sites (CE routers)
    - A VRF is associated with any type of interface, whether logical or physical (e.g. sub/virtual/tunnel)
    - Interfaces may share the same VRF if the connected sites share the same routing information

VPN Routing & Forwarding Instances (VRF)
[Diagram: one PE holds a VRF for VPN-A (CEs in Paris and London), a VRF for VPN-B (CE in Munich) and the global routing table populated by the IGP & non-VPN BGP]
Multiple routing & forwarding instances (VRFs) provide separation amongst different customers
MPLS VPN Connectivity Model
• Private addressing in multiple VPNs no longer an issue
  - Provided that members of a VPN do not use the same address range
[Diagram: sites London 10.2.1.0/24, Munich 10.2.12.0/24, Paris, Milan 10.4.12.0/24, Brussels 10.2.1.0/24, Vienna 10.22.12.0/24 and 10.3.3.0/24 spread across VPN A, VPN B and VPN C; note: address space for VPN A and B must be unique]

VRF Route Population
• VRF populated locally through PE and CE routing protocol
  - RIP, OSPF, BGP-4 & static routing
• Separate routing context for each VRF
  - Routing protocol context (BGP-4 & RIP v2)
  - Separate process (OSPF)
[Diagram: CE Site-1 and CE Site-2 attach to a PE using eBGP, OSPF, RIPv2 or static routing]

VRF Route Distribution
• PE routers distribute local VPN information across the MPLS VPN backbone through MP-iBGP & redistribution from VRF
  - Receiving PE imports routes into attached VRFs
[Diagram: CE router sites attach to PE routers on either side of a P router; an MP-iBGP session runs between the PEs]

Multi-Protocol BGP (MP-BGP) VPN Components

MP-BGP VPN Components
• Route Distinguisher (RD)
• Route Target (RT)
• Site of Origin (SOO)

VPN Routing & Forwarding Instances

MPLS VPN Table Population
• The global (non-VRF) routing table is populated through IGP protocols
  - May also contain BGP-4 (IPv4) routes
  - No VPN routes
• VRF routing tables contain VPN-specific routes
  - MP-iBGP routes imported into VRFs
  - CE routes populate VRFs based on routing protocol context
VRF Population of MP-iBGP
[Diagram: a PE with VRF VPN-A (CEs in Paris and London) and VRF VPN-B (CE in Munich); routes from VPN-A and routes from VPN-B are placed in the BGP table and carried by MP-iBGP to the remote PE]
Re-distribution from VRFs into MP-iBGP for VPN information exchange

VRF Population through MP-iBGP
• Receiving PE router needs to understand:
  - where the route originated from
  - into which VRF(s) the route should be placed
  - how to distinguish between duplicate addresses
• Uniqueness of IPv4 prefix achieved through the use of a Route Distinguisher
  - RD: 64-bit identifier
  - VPNv4 route: 96-bit NLRI (RD + 32-bit IPv4 NLRI)

Extended Community Attribute
• Permits placement in the proper VRF and site origin
• BGP transitive optional attributes containing a set of extended communities
  - Route Target: identifies the set of sites to which a particular route should be exported
  - SOO (Site of Origin): (optionally) refers to the site that originated a particular route

VRF Population of MP-iBGP
[Diagram: CE-1 (Paris) sends a BGP, OSPF or RIPv2 update for 149.27.2.0/24, NH=CE-1, to PE-1; PE-1 sends the MP-iBGP VPN-v4 update RD:1:27:149.27.2.0/24, Next-hop=PE-1, SOO=Paris, RT=VPN-A, Label=(28) to the PE serving CE-2 (London)]
• PE routers translate (32-bit) IPv4 prefix into (96-bit) VPN-v4 route
  - Assign a RD, RT and (optional) SOO based on configuration
  - Re-write next-hop attribute (to PE loopback)
  - Assign a label based on VRF and/or interface
  - Send MP-iBGP update to all PE neighbors

MP-iBGP Update
• VPN-v4 address
  - Route Distinguisher (64 bits)
    - Makes the IPv4 route globally unique
    - RD is configured in the PE for each VRF
    - RD may or may not be related to a site or a VPN
  - IPv4 address (32 bits)
• Route Target (RT) & optional Site of Origin (SOO)
MP-iBGP Update
• Any other standard BGP attribute
  - Local Preference
  - MED
  - Next-hop
  - AS_PATH
  - Standard community
• A label identifying:
  - The outgoing interface, or the VRF where a lookup has to be performed (aggregate/connected)
  - MP-iBGP utilizes a second label in the label stack

VRF Population of MP-iBGP
[Diagram: the VPN-v4 update RD:1:27:149.27.2.0/24, Next-hop=PE-1, SOO=Paris, RT=VPN-A, Label=(28) from PE-1 (CE-1, Paris) reaches the PE serving CE-2 (London); that PE carries the configuration "ip vrf VPN-B / route-target import VPN-A"; the VPN-v4 update is translated into an IPv4 address, put into VRF VPN-A as RT=VPN-A and optionally advertised to CE-2]
• Receiving PE routers translate to IPv4
  - Insert the route into the VRF identified by the RT attribute (based on PE configuration)
• The label associated to the VPN-v4 address will be set on packets forwarded towards the destination

Basic Intranet Model
[Diagram: VPN A SITE-1 to SITE-4 attach across the MPLS VPN backbone; Site-1 & Site-2 routes and Site-3 & Site-4 routes are exchanged over MP-iBGP with RT=VPN-A, so each site's VRF holds the Site-1, Site-2, Site-3 and Site-4 routes]

MP-BGP Route Target (RT) and Site of Origin (SOO)

RT & SOO
• Two EXTENDED (64-bit) BGP attributes used to define
  - Route-target: set of routers the route has to be exported to
  - SOO (Site of Origin Identifier): routers where the route has been originated
• This enables the closed user group functionality
• Set by PE routers in order to define import/export policies on a per-site/VRF basis

BGP-4 Enhancements
Extended Community
• Extended community attribute type code: TBD
  - Type field: 2 bytes
  - Value field: 6 bytes
• Types 0 through 0x7FFF inclusive are assigned by IANA
• Types 0x8000 through 0xFFFF inclusive are vendor-specific

Extended Community
• High order byte of the type field 0x00
  - Administrator sub-field: 2 bytes (AS#)
  - Assigned number sub-field: 4 bytes
  - Example: 9177:123
• High order byte of the type field 0x01
  - Administrator sub-field: 4 bytes (IP address)
  - Assigned number sub-field: 2 bytes
  - Example: 141.253.1.1:123

Extended Community
• Route origin community
  - Identifies one or more routers that inject a set of routes (that carry this community) into BGP
  - The type field for the Route Origin community is 0x0001 or 0x0101
• Similar to the Site of Origin (SOO)
  - Site of Origin uses code 0x0003 and 0x0103

Extended Community
• Route target community
  - Identifies one or more routers that may receive a set of routes (that carry this community) carried by BGP
  - The type field for the route target community is 0x0002 or 0x0102

Extended Community
• Site of Origin (SOO)
  - Identifies customer site
  - Used to prevent loops when AS_PATH cannot be used
  - The type field for SOO is 0x0003 or 0x0103
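As an added example (not code from the Cisco slides), the encoding described on these slides can be exercised directly: the 2-byte type selects the value layout (AS administrator with 4-byte assigned number, or IPv4 administrator with 2-byte assigned number) and the low byte of the type distinguishes Route Target (0x02) from Site of Origin (0x03). The sample attribute below is constructed to reproduce the "SoO:100:65 RT:100:3" shown in the 7200-1 output on the next slide; the function names are this example's own.

```python
import struct
import ipaddress

# Added example (not from the Cisco slides): encode and decode the 8-byte BGP
# extended community as the slides describe it: a 2-byte type field followed
# by a 6-byte value field. The high byte of the type selects the value layout
# (0x00 = 2-byte AS administrator + 4-byte assigned number,
#  0x01 = 4-byte IPv4 administrator + 2-byte assigned number); the low byte
# names the community (0x02 = Route Target, 0x03 = Site of Origin, as on the slides).
ROUTE_TARGET = 0x02
SITE_OF_ORIGIN = 0x03
IOS_NAMES = {ROUTE_TARGET: "RT", SITE_OF_ORIGIN: "SoO"}


def encode_extcommunity(kind, admin, assigned):
    """Return the 8-byte encoding of one extended community.

    admin is either an AS number (int, type 0x00xx) or a dotted IPv4
    administrator address (str, type 0x01xx)."""
    if isinstance(admin, int):
        if not (0 <= admin <= 0xFFFF and 0 <= assigned <= 0xFFFFFFFF):
            raise ValueError("AS-administrator form needs a 2-byte AS and a 4-byte number")
        return struct.pack("!BBHI", 0x00, kind, admin, assigned)
    if not 0 <= assigned <= 0xFFFF:
        raise ValueError("IP-administrator form needs a 2-byte assigned number")
    ip = int(ipaddress.IPv4Address(admin))
    return struct.pack("!BBIH", 0x01, kind, ip, assigned)


def decode_extcommunity(raw):
    """Return (name, "admin:assigned") for one 8-byte community.

    Unknown types are reported rather than rejected: the attribute is optional
    transitive, so a speaker passes on communities it does not understand."""
    if len(raw) != 8:
        raise ValueError("an extended community is exactly 8 bytes")
    high, low = raw[0], raw[1]
    type_code = (high << 8) | low
    if high == 0x00:
        admin, assigned = struct.unpack("!HI", raw[2:])
        admin_str = str(admin)
    elif high == 0x01:
        ip, assigned = struct.unpack("!IH", raw[2:])
        admin_str = str(ipaddress.IPv4Address(ip))
    else:
        return ("type 0x%04x" % type_code, raw[2:].hex())
    return (IOS_NAMES.get(low, "type 0x%04x" % type_code), f"{admin_str}:{assigned}")


def parse_extcommunity_attribute(value):
    """Split an attribute value field into its 8-byte communities and decode each."""
    if len(value) % 8:
        raise ValueError("attribute value length must be a multiple of 8")
    return [decode_extcommunity(value[i:i + 8]) for i in range(0, len(value), 8)]


def format_like_ios(communities):
    """Render decoded communities the way the 'show ip bgp vpnv4' output prints them."""
    return " ".join(f"{name}:{val}" for name, val in communities)


# Constructed attribute reproducing the SoO:100:65 RT:100:3 seen on the 7200-1 slide.
SAMPLE_ATTRIBUTE = (encode_extcommunity(SITE_OF_ORIGIN, 100, 65)
                    + encode_extcommunity(ROUTE_TARGET, 100, 3))

if __name__ == "__main__":
    print(format_like_ios(parse_extcommunity_attribute(SAMPLE_ATTRIBUTE)))
```

Running the block prints "SoO:100:65 RT:100:3". A decoder that rejected unknown types outright would break transit of vendor-specific communities (0x8000 and above), which is why the unknown branch reports the raw value instead.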
Site of Origin
[Diagram: Site-1 CE with loopback 192.168.0.5/32 attaches to PE 7200-1]

  7200-1#sh ip route vrf odd
  C    192.168.65.0/24 is directly connected, Serial2
  B    192.168.0.5 [20/0] via 192.168.65.5, 00:08:44, Serial2
  7200-1#
  7200-1#sh ip bgp vpn all
     Network          Next Hop            Metric LocPrf Weight Path
  Route Distinguisher: 100:1 (default for vrf odd)
  *> 192.168.0.5/32   192.168.65.5             0             0 250 i
  7200-1#sh ip bgp vpn all 192.168.0.5
  BGP routing table entry for 100:1:192.168.0.5/32, version 17
  Paths: (1 available, best #1)
    Advertised to non peer-group peers:
    192.168.0.7
    250
      192.168.65.5 from 192.168.65.5 (192.168.0.5)
        Origin IGP, metric 0, localpref 100, valid, external, best
        Extended community: SoO:100:65 RT:100:3
  7200-1#

  ip vrf odd
   rd 100:1
   route-target export 100:3
   route-target import 100:3
  !
  interface Serial1
   ip vrf forwarding odd
   ip address 192.168.65.6 255.255.255.0
  !
  router bgp 100
   no synchronization
   no bgp default ipv4-unicast
   neighbor 192.168.0.7 remote-as 100
   neighbor 192.168.0.7 update-source Loop0
   neighbor 192.168.0.7 activate
   neighbor 192.168.0.7 next-hop-self
   no auto-summary
   !
   address-family ipv4 vrf odd
    neighbor 192.168.65.5 remote-as 250
    neighbor 192.168.65.5 activate
    neighbor 192.168.65.5 route-map setsoo in
    no auto-summary
    no synchronization
   exit-address-family
   !
   address-family vpnv4
    neighbor 192.168.0.7 activate
    neighbor 192.168.0.7 send-community extended
    no auto-summary
   exit-address-family
  !
  route-map setsoo permit 10
   set extcommunity soo 100:65

Site of Origin
[Diagram: CE-1 at Site-1 (SOO=100:65) sends an eBGP4 update for 192.168.0.5/32 to PE-1 over interface intCE1; PE-1 sends the VPN-IPv4 update RD:192.168.0.5/32, Next-hop=PE-1, SOO=100:65, RT=100:3, Label=(intCE1) to PE-2; PE-2 will not propagate the route in its eBGP4 update to CE-2, since the update SOO is equal to the one configured for the site]
Multi-Protocol BGP
• Extension to the BGP protocol in order to carry routing information about other protocols
  - Multicast
  - MPLS
  - IPv6
  - ...
• Exchange of multi-protocol NLRI must be negotiated at session set-up
  - BGP capabilities negotiation

Multi-Protocol BGP - RFC2858
• Obsoletes RFC2283
• New non-transitive and optional BGP attributes
  - MP_REACH_NLRI: "Carry the set of reachable destinations together with the next-hop information to be used for forwarding to these destinations"
  - MP_UNREACH_NLRI: carry the set of unreachable destinations
• Attribute contains one or more triples
  - Address Family Information (AFI)
  - Next-hop information
  - NLRI

Labelled VPN-IPv4 Addresses in BGP-4
• Labelled VPN-IPv4 address appears in BGP NLRI
  - AFI = 1, Sub-AFI = 128
• NLRI is encoded as one or more triples
  - Length: total length of label + prefix (RD included)
  - Label: 24 bits
  - Prefix: RD (64 bits) + IPv4 prefix (32 bits)

Labelled VPN-IPv4 Addresses in BGP-4
• The label is assigned by the router originating the NLRI
  - i.e., the router identified by the next-hop value
• The label is changed by the router that modifies the next-hop value
  - Typically the eBGP speaker
  - Or an iBGP forwarder configured with next-hop-self

Labelled VPN-IPv4 Addresses in BGP-4
• Next-hop address must be of the same family as the NLRI
  - The next-hop will be a VPN-IPv4 address with RD set to 0
• BGP will consider two VPN-IPv4 NLRIs comparable even with different labels
  - A withdrawal of a VPN-IPv4 address will be considered for all NLRI corresponding to the VPN-IPv4 address, whatever the different assigned labels
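The following added example (not code from the slides) encodes and decodes the labelled VPN-IPv4 NLRI triple described above, using the slides' own values (RD 1:27, 149.27.2.0/24, label 28), and shows the last bullet in practice: two NLRIs with different labels compare as the same VPN-IPv4 route. It assumes the type-0 (AS-number) RD layout and labels its own helper names; the label field layout (20-bit label, EXP bits, bottom-of-stack bit) is the standard MPLS label stack entry.

```python
import struct
import ipaddress

# Added example (not from the slides): encode/decode the labelled VPN-IPv4 NLRI
# triple: Length (in bits, covering label + RD + prefix), a 24-bit label field,
# then RD (64 bits) + IPv4 prefix. Only the AS-number (type 0) RD is handled,
# which is the form the slides use (e.g. RD 1:27).


def encode_rd(admin_as, assigned):
    """Type-0 Route Distinguisher: 2-byte type 0, 2-byte AS, 4-byte assigned number."""
    return struct.pack("!HHI", 0, admin_as, assigned)


def encode_vpnv4_nlri(label, rd, prefix):
    """One <length, label, RD+prefix> triple for a labelled VPN-IPv4 route."""
    net = ipaddress.IPv4Network(prefix)
    if not 0 <= label < (1 << 20):
        raise ValueError("an MPLS label is 20 bits")
    # 24-bit label field: 20-bit label, 3 EXP bits (0), bottom-of-stack bit set
    label_field = ((label << 4) | 1).to_bytes(3, "big")
    prefix_bytes = net.network_address.packed[:(net.prefixlen + 7) // 8]
    length_bits = 24 + 64 + net.prefixlen
    return bytes([length_bits]) + label_field + rd + prefix_bytes


def decode_vpnv4_nlri(data):
    """Decode back-to-back triples; returns [(label, "as:n", "a.b.c.d/p"), ...]."""
    routes = []
    i = 0
    while i < len(data):
        length_bits = data[i]
        i += 1
        if length_bits < 24 + 64:
            raise ValueError("length field too small to hold label + RD")
        label = int.from_bytes(data[i:i + 3], "big") >> 4
        rd_type, admin, assigned = struct.unpack("!HHI", data[i + 3:i + 11])
        if rd_type != 0:
            raise ValueError(f"RD type {rd_type} is not handled in this example")
        i += 11
        plen = length_bits - 24 - 64
        nbytes = (plen + 7) // 8
        prefix_bytes = data[i:i + nbytes]
        if len(prefix_bytes) != nbytes:
            raise ValueError("truncated NLRI")
        i += nbytes
        addr = ipaddress.IPv4Address(prefix_bytes.ljust(4, b"\x00"))
        routes.append((label, f"{admin}:{assigned}", f"{addr}/{plen}"))
    return routes


def same_vpnv4_route(a, b):
    """Two decoded NLRIs are the same VPN-IPv4 route when RD and prefix match,
    whatever the label; a withdrawal for the address therefore covers both."""
    return a[1:] == b[1:]


# Constructed: the VPN-v4 update from the slides, RD 1:27, 149.27.2.0/24, label 28
SAMPLE_NLRI = encode_vpnv4_nlri(28, encode_rd(1, 27), "149.27.2.0/24")

if __name__ == "__main__":
    print(SAMPLE_NLRI.hex(), decode_vpnv4_nlri(SAMPLE_NLRI))
```

The length byte for a /24 is 112 (24 + 64 + 24), which is why a receiver that assumed "length is the prefix length" would mis-parse every VPN-IPv4 update; the decoder checks that the length at least covers label and RD before trusting it.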
BGP Capabilities Negotiation
• BGP routers establish BGP sessions through the OPEN message
• OPEN message contains optional parameters
• BGP session is terminated if OPEN parameters are not recognised
• A new optional parameter: CAPABILITIES

BGP Capabilities Negotiation
• A BGP router sends an OPEN message with a CAPABILITIES parameter containing its capabilities:
  - Multiprotocol extension
  - Route Refresh
  - Co-operative Route Filtering
  - ...

BGP Capabilities Negotiation
• BGP routers determine capabilities of their neighbors by looking at the capabilities parameters in the OPEN message
• Unknown or unsupported capabilities may trigger the transmission of a NOTIFICATION message
  - "The decision to send the NOTIFICATION message and terminate peering is local to the speaker. Such peering should not be re-established automatically" (draft-ietf-idr-bgp4-cap-neg)

BGP Capabilities Negotiation
• BGP routers use the BGP-4 Multiprotocol Extension to carry label mapping information
  - Multiprotocol Extension capability
  - Used to negotiate the Address Family Identifier
  - AFI = 1, Sub-AFI = 128 for MPLS-VPN

BGP Route Refresh
• New BGP capability: Route Refresh
• Allows a router to request from any neighbor the re-transmission of BGP updates
  - Useful when inbound policy has been modified
  - Similar to Cisco "soft-reconfiguration" without the need to store any route
• BGP speakers may send "Route-Refresh" messages only to neighbors with which the capability has been exchanged
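As an added example (not code from the slides), here is the CAPABILITIES optional parameter of the OPEN message built and parsed in both directions, with the negotiation outcome computed as the intersection of the address families each side advertised. The capability codes used (1 = Multiprotocol Extensions carrying AFI/SAFI, 2 = Route Refresh, 3 = Outbound Route Filtering) and the optional parameter type 2 are the standard BGP values; the peer's OPEN contents, including the unknown capability code 200, are constructed for the example.

```python
import struct

# Added example (not from the slides): build and parse the CAPABILITIES optional
# parameter of a BGP OPEN message and work out which address families the two
# speakers have in common. Capability codes: 1 = Multiprotocol Extensions
# (value = AFI, reserved byte, SAFI), 2 = Route Refresh, 3 = Outbound Route
# Filtering. The MPLS-VPN family from the slides is AFI 1 / SAFI (Sub-AFI) 128.
OPT_PARAM_CAPABILITIES = 2
CAP_MULTIPROTOCOL = 1
CAP_ROUTE_REFRESH = 2
CAP_ORF = 3
AFI_IPV4 = 1
SAFI_UNICAST = 1
SAFI_LABELED_VPN = 128
SUPPORTED = (CAP_MULTIPROTOCOL, CAP_ROUTE_REFRESH, CAP_ORF)


def mp_capability(afi, safi):
    """(code, value) for one Multiprotocol Extensions capability."""
    return (CAP_MULTIPROTOCOL, struct.pack("!HBB", afi, 0, safi))


def encode_capabilities_param(caps):
    """Wrap (code, value) pairs as one optional parameter of type CAPABILITIES."""
    body = b"".join(bytes([code, len(value)]) + value for code, value in caps)
    if len(body) > 255:
        raise ValueError("optional parameter value exceeds its one-byte length")
    return bytes([OPT_PARAM_CAPABILITIES, len(body)]) + body


def decode_optional_params(data):
    """Return the (code, value) capabilities carried in an OPEN's optional parameters.

    An optional parameter of unknown type is a hard error here, mirroring the
    slide: the session is terminated if OPEN parameters are not recognised."""
    caps = []
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated optional parameter header")
        ptype, plen = data[i], data[i + 1]
        value = data[i + 2:i + 2 + plen]
        if len(value) != plen:
            raise ValueError("truncated optional parameter value")
        i += 2 + plen
        if ptype != OPT_PARAM_CAPABILITIES:
            raise ValueError(f"unrecognised optional parameter type {ptype}")
        j = 0
        while j < len(value):
            if j + 2 > len(value) or j + 2 + value[j + 1] > len(value):
                raise ValueError("truncated capability")
            code, clen = value[j], value[j + 1]
            caps.append((code, value[j + 2:j + 2 + clen]))
            j += 2 + clen
    return caps


def address_families(caps):
    """Set of (AFI, SAFI) pairs advertised through the Multiprotocol capability."""
    return {struct.unpack("!HxB", v) for c, v in caps if c == CAP_MULTIPROTOCOL and len(v) == 4}


def negotiated_families(local_caps, peer_caps):
    """Only families both sides advertised may be exchanged on the session."""
    return address_families(local_caps) & address_families(peer_caps)


def unknown_capabilities(caps, supported=SUPPORTED):
    """Capability codes this speaker does not implement. Whether to answer them
    with a NOTIFICATION is a local decision, so they are only reported here."""
    return sorted({c for c, _ in caps if c not in supported})


# Constructed OPEN contents for a PE (LOCAL_CAPS) and its neighbour (PEER_OPEN_PARAMS).
LOCAL_CAPS = [mp_capability(AFI_IPV4, SAFI_UNICAST),
              mp_capability(AFI_IPV4, SAFI_LABELED_VPN),
              (CAP_ROUTE_REFRESH, b"")]
PEER_OPEN_PARAMS = encode_capabilities_param([mp_capability(AFI_IPV4, SAFI_LABELED_VPN),
                                              (CAP_ROUTE_REFRESH, b""),
                                              (200, b"\x01")])   # constructed unknown code

if __name__ == "__main__":
    peer = decode_optional_params(PEER_OPEN_PARAMS)
    print(negotiated_families(LOCAL_CAPS, peer), unknown_capabilities(peer))
```

With these inputs the session negotiates only AFI 1 / SAFI 128: the local side also offered IPv4 unicast, but the peer did not, so no IPv4 unicast routes may be sent. The unknown code 200 is reported separately so that the caller, not the parser, decides whether to tear the session down.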
BGP Route Refresh
• When the inbound policy has been modified, the BGP speaker sends a Route-Refresh message to its neighbors
  - With AFI, Sub-AFI attributes
• Neighbors will re-transmit all routes for that particular AFI and Sub-AFI

BGP Co-operative Route Filtering
• In order to reduce the amount of BGP traffic and the CPU used to process updates, routers exchange filter configurations
• BGP speakers advertise to downstream neighbors the outbound filter(s) they have to use
• Filters are described in ORF entries
  - Outbound Route Filter
• ORF entries are part of the Route-Refresh message

BGP Co-operative Route Filtering
• ORF capability must be negotiated during session set-up
  - Capability negotiation
• An ORF-capable BGP speaker will install ORFs per neighbor
• Each ORF will be defined by the upstream neighbor through route-refresh messages

BGP Co-operative Route Filtering: ORF Entry
• ORF Entry
  - AFI/Sub-AFI: the filter will apply only to the selected address families
  - ORF-Type: determines the content of ORF-Value
    - NLRI is one ORF-Type
    - NLRI is used to match IP addresses (subnets)

BGP Co-operative Route Filtering: ORF Entry
• ORF Entry
  - Action
    - ADD: add an ORF entry to the current ORF
    - DELETE: delete a previously received ORF entry
    - DELETE ALL: delete all existing ORF entries
  - Match
    - PERMIT: pass routes that match the ORF entry
    - DENY: do not pass routes that match the ORF entry
BGP Co-operative Route Filtering: ORF Entry
• ORF Entry
  - ORF-Value (for ORF-Type=NLRI) is <Scope, NLRI>
    - Scope
      - EXACT: remote peer should consider routes equal to the NLRI specified in the ORF
      - REFINE: remote peer should consider routes that are part of a subset of the NLRI specified in the ORF
    - NLRI: <length, prefix>
  - Multiple ORF entries will follow longest match

ORF Entries and Route-Refresh
• ORF entries are carried in BGP Route-Refresh messages
• AFI/Sub-AFI are encoded into the AFI/Sub-AFI field of the route refresh message
  - WHEN-TO-REFRESH field
    - IMMEDIATE: apply the filter immediately
    - DEFER: wait for subsequent route-refresh message
  - ORF-Type to be extended for Extended Communities

Packet Forwarding: MPLS VPN Data Plane

MPLS VPN Forwarding
[Diagram: VPN_A and VPN_B CE sites attach to PE1 to PE4 around P1 to P4; an IP packet from the VPN_B 10.1.0.0 CE enters PE1, whose VRF entry <RD_B,10.2> has iBGP next hop PE2 with VPN label L2, and leaves towards the core as L8 | L2 | Data]
• Ingress PE receives normal IP packets from CE router
• PE router does "IP longest match" in the VRF, finds iBGP next hop PE2 and imposes a stack of labels: second level label L2 + top label L8
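The ORF Action, Match and Scope semantics from the three ORF Entry slides can be modelled as the filter a receiving speaker installs per neighbour. The block below is an added example, not code from the slides: the entries, the prefixes and the longest-match tie-break (EXACT preferred over REFINE at equal length) are this example's own choices, and the result for a route that matches no entry is a configurable default because the slides do not state it.

```python
import ipaddress

# Added example (not from the slides): a receiving speaker's per-neighbour
# Outbound Route Filter for ORF-Type = NLRI, using the Action, Match and Scope
# values from the slides. Routes matching no entry are handled by a default
# that is an assumption of this example (the slides do not state it).
ADD, DELETE, DELETE_ALL = "ADD", "DELETE", "DELETE_ALL"
PERMIT, DENY = "PERMIT", "DENY"
EXACT, REFINE = "EXACT", "REFINE"


class OutboundRouteFilter:
    def __init__(self, default=False):
        self.default = default          # result when no entry matches (assumed)
        self.entries = {}               # (scope, IPv4Network) -> PERMIT / DENY

    def apply(self, action, scope=None, prefix=None, match=None):
        """Apply one ORF entry received in a Route-Refresh message."""
        if action == DELETE_ALL:
            self.entries.clear()
            return
        key = (scope, ipaddress.IPv4Network(prefix))
        if action == ADD:
            if match not in (PERMIT, DENY) or scope not in (EXACT, REFINE):
                raise ValueError("ADD needs a valid scope and match value")
            self.entries[key] = match
        elif action == DELETE:
            self.entries.pop(key, None)
        else:
            raise ValueError(f"unknown ORF action {action}")

    @staticmethod
    def _entry_matches(scope, orf_net, route):
        if scope == EXACT:
            return route == orf_net                 # equal to the ORF NLRI
        return route.subnet_of(orf_net)             # REFINE: inside the ORF NLRI

    def permits(self, route):
        """Longest match among matching entries decides; EXACT beats REFINE at equal length."""
        route = ipaddress.IPv4Network(route)
        best = None
        for (scope, orf_net), match in self.entries.items():
            if not self._entry_matches(scope, orf_net, route):
                continue
            rank = (orf_net.prefixlen, scope == EXACT)
            if best is None or rank > best[0]:
                best = (rank, match)
        if best is None:
            return self.default
        return best[1] == PERMIT

    def filter_routes(self, routes):
        """Routes the speaker would still advertise to this neighbour."""
        return [r for r in routes if self.permits(r)]


# Constructed ORF exchange: the neighbour wants everything inside 10.0.0.0/8
# except the exact prefix 10.1.0.0/16, and nothing else.
def sample_filter():
    orf = OutboundRouteFilter()
    orf.apply(ADD, REFINE, "10.0.0.0/8", PERMIT)
    orf.apply(ADD, EXACT, "10.1.0.0/16", DENY)
    return orf


if __name__ == "__main__":
    print(sample_filter().filter_routes(["10.1.0.0/16", "10.1.2.0/24", "192.168.0.0/16"]))
```

Note how the EXACT deny for 10.1.0.0/16 does not affect 10.1.2.0/24: that route only matches the REFINE entry for 10.0.0.0/8 and is permitted, whereas the /16 itself matches both entries and the longer one wins.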
MPLS VPN Forwarding
[Diagram: PE1's VRF entries: <RD_B,10.2> via iBGP next hop PE2, label L2; <RD_B,10.3> via PE3, label L3; <RD_A,11.6> via PE1, label L4; <RD_A,10.1> via PE4, label L5; <RD_A,10.4> via PE4, label L6; <RD_A,10.2> via PE2, label L7. The packet L8 | L2 | Data crosses the P routers with only the top label swapped (e.g. to LA), reaches PE2 as L2 | Data after the penultimate hop pops the top label, and is delivered to the VPN_B 10.2.0.0 CE as plain Data]
• All subsequent P routers switch the packet solely on the top label
• Egress PE router's upstream LDP neighbor (Penultimate Hop or PH) removes the top label (PHP)
• Egress PE uses the bottom (VPN) label to select which VPN/CE to forward the packet to
• Bottom label is removed and the packet is forwarded to the CE router

MPLS VPN Packet Forwarding
[Diagram: the PE that owns 197.26.15.1/32 (PE-1, Paris side) has In Label -, FEC 197.26.15.1/32, Out Label -, and tells the P router "use label implicit-null for destination 197.26.15.1/32"; the P router has In Label 41, FEC 197.26.15.1/32, Out Label POP, and tells the London PE "use label 41 for destination 197.26.15.1/32"; the London PE has In Label -, FEC 197.26.15.1/32, Out Label 41. The VPN-v4 update for Paris 149.27.2.0/24 is RD:1:27:149.27.2.0/24, NH=197.26.15.1, SOO=Paris, RT=VPN-A, Label=(28)]
• PE and P routers have BGP next-hop reachability through the backbone IGP
• Labels are distributed through LDP corresponding to BGP next-hops, or through RSVP with Traffic Engineering

MPLS VPN Packet Forwarding
• Label stack is used for packet forwarding
  - Top label indicates BGP next-hop (exterior label)
  - Second level label indicates outgoing interface or VRF (interior VPN label)
• MPLS nodes forward packets based on the top label
  - Any subsequent labels are ignored
MPLS VPN Packet Forwarding
[Diagram: the ingress PE (London) has In Label -, FEC 197.26.15.1/32, Out Label 41, and a VPN-A VRF entry 149.27.2.0/24, NH=197.26.15.1, Label=(28); an IP packet to 149.27.2.27 from the London site leaves the PE as 41 | 28 | 149.27.2.27 towards PE-1 and the Paris site 149.27.2.0/24]
• Ingress PE receives normal IP packets
• PE router performs IP longest match from the VPN FIB, finds the iBGP next-hop and imposes a stack of labels <IGP, VPN>

MPLS VPN Packet Forwarding
[Diagram: label tables along the path. Ingress PE (London): In -, FEC 197.26.15.1/32, Out 41; VPN-A VRF 149.27.2.0/24, NH=197.26.15.1, Label=(28). First P router: In 41, FEC 197.26.15.1/32, Out 68. Penultimate router: In 68, FEC 197.26.15.1/32, Out POP. PE-1 (Paris): In 28(V), FEC 149.27.2.0/24, Out -; VPN-A VRF 149.27.2.0/24, NH=Paris. The packet to 149.27.2.27 is carried as 41 | 28 | 149.27.2.27, then 68 | 28 | 149.27.2.27, then 28 | 149.27.2.27, and finally as plain IP into the Paris site]
• Penultimate hop router removes the IGP label
  - Penultimate Hop Popping procedures (implicit-null label)
• Egress PE router uses the VPN label to select which VPN/CE to forward the packet to
• VPN label is removed and the packet is routed toward the VPN site

MPLS VPN Topologies

MPLS VPN Extranet Support
• Extranet support is simply the import of routes from one VRF into another VRF which services a different VPN
• Controlled through the use of Route Target
  - If we import the route, we have access
• Various topologies are viable using this technique

MPLS VPN Extranet Support
[Diagram: on a PE, the VRF for VPN-A (CE Paris) and the VRF for VPN-B (CE Munich) share routes, forming a VPN-A/VPN-B extranet VPN routing table that holds the VPN-A Paris routes and the VPN-B Munich routes]
Sharing of VPN information between VRFs provides Extranet support
Central Services Model
• Common topology is central services
  - VPN client sites may access central services but may not communicate directly with other client sites
• Once again controlled through the use of route target
  - Client sites belong to a unique VRF; servers share a common VRF
  - Client exports routes using client-rt and imports server-rt
  - Server exports routes using server-rt and imports server-rt & client-rt

Central Services Model
[Diagram: the VPN A site 195.12.2.0/24 and the VPN B site 146.12.7.0/24 each sit in their own VRF (Export RT=client-rt, Import RT=server-rt); the Central Server Site 146.12.9.0/24 sits in the Server VRF (Export RT=server-rt, Import RT=server-rt, Import RT=client-rt). MP-iBGP updates: RD:195.12.2.0/24 RT=client-rt, RD:146.12.7.0/24 RT=client-rt, RD:146.12.9.0/24 RT=server-rt. The VPN A VRF ends up holding 195.12.2.0/24 and 146.12.9.0/24, the VPN B VRF 146.12.7.0/24 and 146.12.9.0/24]

MPLS VPN Internet Connectivity: Static Default Route
• VPN sites may require Internet access either directly or via a central site
  - No full routing
• Default route provided through a static or dynamic route within the VRF
  - Extension to the 'ip route' command: global keyword
  - Internet gateway points to an exit point whose address is within the global routing table
• PE router generates VPN customer routes into BGP through global static routes
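The RT-driven import/export policy behind the extranet slides, the central services model just described, and the Site of Origin check from the 7200-1 slides can all be modelled with one small simulation. This is an added example, not code from the slides: the VRF names, RD values and the second route in the SOO check are constructed, while the prefixes and RT names come from the Central Services Model slide and the SOO values (vrf odd, RD 100:1, RT 100:3, SOO 100:65, 192.168.0.5/32) from the Site of Origin slides.

```python
from dataclasses import dataclass, field
from typing import Optional

# Added example (not from the slides): a model of VRF route distribution driven
# by Route Targets, covering the extranet (two VRFs importing each other's RT),
# the central services model (client-rt / server-rt) and the Site of Origin
# check on advertisement back to a CE. RD values and VRF names are constructed;
# the prefixes are those on the Central Services Model slide.


@dataclass(frozen=True)
class VpnRoute:
    rd: str
    prefix: str
    next_hop: str
    rts: frozenset                  # Route Targets attached on export
    soo: Optional[str] = None       # Site of Origin, if the exporting VRF sets one


@dataclass
class Vrf:
    name: str
    rd: str
    export_rts: frozenset
    import_rts: frozenset
    soo: Optional[str] = None       # SOO configured for the attached site
    local: dict = field(default_factory=dict)   # prefix -> next hop learned from the CE

    def export_routes(self):
        """Redistribute local routes into MP-iBGP as VPN-v4 routes (RD + RTs + SOO)."""
        return [VpnRoute(self.rd, p, nh, self.export_rts, self.soo) for p, nh in self.local.items()]

    def accepts(self, route):
        """Import if any RT on the route matches an import RT of this VRF."""
        return bool(route.rts & self.import_rts)


def distribute(vrfs):
    """One round of export -> MP-iBGP table -> import; returns VRF name -> sorted prefixes."""
    bgp_table = [r for v in vrfs for r in v.export_routes()]
    return {v.name: sorted(set(v.local) | {r.prefix for r in bgp_table if v.accepts(r)})
            for v in vrfs}


def advertise_to_ce(vrf, routes):
    """Drop routes whose SOO equals the site's own SOO: the PE will not send a
    route back into the site it came from (loop prevention without AS_PATH)."""
    return [r for r in routes if vrf.soo is None or r.soo != vrf.soo]


def central_services():
    """Clients export client-rt and import server-rt; the server VRF does both."""
    client_a = Vrf("VPN-A", "1:1", frozenset({"client-rt"}), frozenset({"server-rt"}),
                   local={"195.12.2.0/24": "CE-A"})
    client_b = Vrf("VPN-B", "1:2", frozenset({"client-rt"}), frozenset({"server-rt"}),
                   local={"146.12.7.0/24": "CE-B"})
    server = Vrf("Server", "1:3", frozenset({"server-rt"}), frozenset({"server-rt", "client-rt"}),
                 local={"146.12.9.0/24": "CE-Server"})
    return distribute([client_a, client_b, server])


def extranet():
    """Each VRF imports the other's RT as well as its own (constructed prefixes)."""
    a = Vrf("VPN-A", "2:1", frozenset({"RT-A"}), frozenset({"RT-A", "RT-B"}), local={"10.1.0.0/24": "CE-Paris"})
    b = Vrf("VPN-B", "2:2", frozenset({"RT-B"}), frozenset({"RT-A", "RT-B"}), local={"10.2.0.0/24": "CE-Munich"})
    return distribute([a, b])


def soo_check():
    """Site-1 has SOO 100:65; its own route must not be advertised back to it.
    The second route (192.168.7.0/24) is constructed for contrast."""
    site1 = Vrf("odd", "100:1", frozenset({"100:3"}), frozenset({"100:3"}), soo="100:65")
    from_site1 = VpnRoute("100:1", "192.168.0.5/32", "PE-1", frozenset({"100:3"}), soo="100:65")
    from_elsewhere = VpnRoute("100:1", "192.168.7.0/24", "PE-2", frozenset({"100:3"}), soo=None)
    return [r.prefix for r in advertise_to_ce(site1, [from_site1, from_elsewhere])]


if __name__ == "__main__":
    print(central_services(), extranet(), soo_check(), sep="\n")
```

In the central services run, VPN-A never sees 146.12.7.0/24 and VPN-B never sees 195.12.2.0/24, even though both routes sit in the same MP-iBGP table on every PE: the isolation is entirely a product of which RTs each VRF imports, which is why import policy deserves the same review attention as an access list.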
MPLS VPN Internet Connectivity: Static Default Route
[Diagram: the VPN A site 195.12.2.0/24 and the VPN B site 146.12.9.0/24 attach to a PE; each VRF holds 0.0.0.0 NH=Internet-PE, and the Internet-PE provides global Internet access to the Internet routing table across the MPLS VPN backbone]
  ip route vrf VPN_A 0.0.0.0 0.0.0.0 Internet-PE global
  ip route 195.12.2.0 255.255.255.0 serial 1/0
  ip route vrf VPN_B 0.0.0.0 0.0.0.0 Internet-PE global
  ip route 146.12.9.0 255.255.255.0 serial 1/1

MPLS VPN Internet Connectivity: Dynamic Default Route
[Diagram: the VPN A central site exports its default route with RT=17:22 and the VPN B central site exports its default route with RT=17:28, as VPN-IPv4 updates Net=0.0.0.0/0 across the MPLS VPN backbone; at the remote PE the VPN A VRF imports RT=17:22 and the VPN B VRF imports RT=17:28]

MPLS VPN Internet Connectivity: Separate BGP Session PE/CE Link
• Many clients wish to send/receive routes directly with the Internet
  - A default route is not sufficient in this environment
• Routes reside on the PE router but within the global, not VRF, tables
• A mechanism is needed to distribute this routing information to VPN customer sites, and also to receive routes and place them into the global, and not VRF, table

MPLS VPN Internet Connectivity: Separate BGP Session PE/CE Link
• Achieved by using a second interface to the client site
  - Either physical or logical, such as a sub-interface or tunnel
[Diagram: a VPN site CE connects to the PE over one (sub)interface associated with the VRF and a second (sub)interface associated with the global routing table, over which Internet routes flow to and from the global Internet]
MPLS VPN Internet Connectivity: Global Internet Table Association
• If multiple exit points, then possibility to associate full Internet routes with a VRF
  - If only one exit point, then a default pointing to the Internet exit point interface will normally suffice
• With multiple interfaces, sub-optimal routing is a possibility with default route generation
  - Multiple defaults would allow load balancing but no best path selection
• Association of Internet routes with a VRF provides the ability to generate an aggregate default

MPLS VPN Internet Connectivity: Global Internet Table Association
[Diagram: one PE attached to ISP A and another attached to ISP B each export a default route with the Internet_access route target; a static default pointing to a loopback interface ensures the lookup in the VRF will occur on incoming packets]

MPLS VPN Internet Connectivity: Global Internet Table Association
• Optimal routing between providers now possible
• Need to filter everything other than default
  - CPU and administrative overhead
• Label assignment will occur for every route within the VRF
  - Memory overhead even though labels are never used
• If full routes are distributed, could result in multiple copies of the Internet routing table

MPLS VPN Convergence

Routing Convergence
• Convergence needs to be assessed in two main areas
  - Convergence within the MPLS VPN backbone
  - Convergence between VPN client sites
• Both areas are completely independent ...
  - But work together to provide end-to-end convergence as perceived by the VPN client
  - Therefore must be assessed in conjunction
End-to-End Routing Convergence
[Diagram: a new VPN route advertised by VPN Client A is propagated across the MP-iBGP session between the PEs, imported into the relevant VRFs and advertised to the relevant VPN sites; if a backbone link fails, the MPLS VPN backbone IGP converges on a new path to the BGP next-hop. Client-to-client and MPLS VPN backbone IGP convergence are independent]

Convergence Across Backbone
• Convergence of the MPLS VPN backbone IGP will not affect client-to-client route convergence unless the BGP next-hop becomes unavailable
  - But will affect client-to-client traffic while the backbone converges
• Backbone may be router-only based or based on ATM switches
  - Convergence will be different for the MPLS forwarding plane: cell-mode versus frame-mode implementation

Convergence - Router Based Backbone
• Unsolicited Downstream
  - Bindings advertised as soon as the route is in the routing table
• Liberal Label Retention
  - If multiple neighbors, a next-hop change causes a new label to be used for forwarding
• Immediate Notification of Routing Table Change
  - A route change (addition/deletion) is immediately propagated to the MPLS process

Convergence - Router Based Backbone
[Diagram: PE-1 reaches PE-2's loopback 197.26.15.1/32 either via P-1 or via P-3 and P-2; labels advertised for 197.26.15.1/32 along the two paths are 41, 23 and 25, with PE-2 advertising POP to its neighbors]
If the P-1 to PE-2 link fails, the PE-1 next-hop to destinations reachable via 197.26.15.1/32 (PE-2 loopback) will change to P-3. As the label already exists (41), convergence is as quick as the IGP.
MPLS & IGP backbone convergence are closely entwined
Convergence - ATM Backbone
• Downstream-on-demand: affects convergence as the LSR must signal for the downstream label binding
• Conservative Label Retention: convergence is affected as the LSR must signal for the downstream label binding if one does not exist; a next-hop change will cause a label request
• Two-stage Convergence: IGP converges around topology changes; MPLS re-establishes label mappings

Convergence - ATM Based Backbone
If the P-1 to PE-2 link fails, the PE-1 next-hop to destinations reachable via 197.26.15.1/32 (PE-2 loopback) will change to P-3. As no label exists, PE-1 must signal the next-hop downstream ATM-LSR.
Figure: PE-1, P-1, P-2, P-3 and PE-2 carrying VPN Client A; labels 1/239 and 1/321 are in use for 197.26.15.1/32 on the original path, and after the failure label requests for 197.26.15.1/32 are signalled hop by hop along the new path. The MPLS LSR must re-converge on the IGP change AND resignal for a label mapping to the downstream next-hop.

Client-to-Client Convergence
• Four Main Convergence Areas
– Advertisement of routes from CE to PE and placement into the VRF
– Propagation of routes across the MPLS VPN backbone
– Import process of these routes into the relevant VRFs
– Advertisement of VRF routes to attached VPN sites

Backbone Route Propagation
• Changes are not propagated to other BGP speakers immediately: they are batched together and sent at the "advertisement-interval"; default = 5 seconds for iBGP, 30 for eBGP
• Can be tweaked using the "neighbor advertisement-interval" command; needs to be changed for both backbone and CE routers if BGP is used between PE & CE
Import Process
• Import process uses a separate invocation of the scanner process; default = 15 seconds; can be tuned using the "bgp scan-time import" command
• Can take up to 15 seconds for a route to be placed into a receiving VRF and then potentially another 30 seconds to be advertised to the CE if eBGP is in operation!

Scanner Process
• Scanner process will also have an effect on convergence
– Used to check next-hop reachability and to process any "network" commands within the BGP process
– Invoked every 60 seconds by default
– Can be tuned with the "bgp scan-time" command
– Large BGP table and small scan-time can be VERY CPU intensive - beware!

BGP Route Advertisement
• In addition to the scanning and importing of routes, each PE router needs to advertise the best routes within each VRF to all its VRF neighbors
– This occurs at both ingress and egress of the MPLS VPN network
– With eBGP CE neighbors, advertisement of these routes occurs every 30 seconds
– With (iBGP) PE neighbors, route advertisement occurs every 5 seconds
– Can be tuned with the "neighbor a.b.c.d advertisement-interval" command

MPLS VPN Scaling

Scaling
• Existing BGP techniques can be used to scale the route distribution: route reflectors (RRs) & BGP confederations (Inter-AS VPN)
• Each edge router needs only the information for the directly-connected VPNs it supports
• RRs are used to distribute VPN routing information
MPLS-VPN Scaling - BGP Route Reflectors
• Route reflectors may be partitioned: each RR stores routes for a set of VPNs
• Thus, no BGP router needs to store information on ALL VPNs
• PEs will peer to RRs according to the VPNs they support

MPLS-VPN Scaling - BGP Updates Filtering
• iBGP full mesh amongst PEs results in flooding of all VPN routes to all PEs
• Scaling problems when there is a large amount of routes
• PEs need routes for only the attached VRFs

MPLS-VPN Scaling - BGP Updates Filtering
• Each PE will discard any VPN-IPv4 route that does not carry a route-target configured to be imported in any of the attached VRFs
• This significantly reduces the amount of information each PE has to store
• Volume of the BGP table is equivalent to the volume of the attached VRFs (nothing more)

MPLS-VPN Scaling - BGP Updates Filtering
Figure: a PE with VRFs for VPNs yellow (Import RT=yellow) and green (Import RT=green) receives two updates over its MP-iBGP sessions: VPN-IPv4 update RD:Net1, Next-hop=PEX, SOO=Site1, RT=Green, Label=XYZ, and VPN-IPv4 update RD:Net1, Next-hop=PEX, SOO=Site1, RT=Red, Label=XYZ.
• Each VRF has an import and export policy configured
• Policies use the route-target attribute (extended community)
• PE receives MP-iBGP updates for VPN-IPv4 routes
• If the route-target is equal to any of the import values configured in the PE, the update is accepted
• Otherwise it is silently discarded

MPLS-VPN Scaling - Route Refresh
Figure: a PE with Import RT=green and Import RT=red receives the same two updates (RT=Green and RT=Red). 1. PE doesn't have red routes (previously filtered out). 2. PE issues a Route-Refresh to all neighbors in order to ask for retransmission. 3.
Neighbors re-send updates and the "red" route-target is now accepted.
• Policy may change in the PE if VRF modifications are done: new VRFs, removal of VRFs
• However, the PE may not have stored routing information which becomes useful after a change
• PE requests a re-transmission of updates from its neighbors: Route-Refresh

MPLS-VPN Scaling - Outbound Route Filters - ORF
Figure: a PE with Import RT=yellow and Import RT=green. 1. PE doesn't need red routes. 2. PE issues a Route-Refresh message with an ORF entry to its neighbors in order not to receive red routes: Permit RT = Green, Yellow. 3. Neighbors dynamically configure the outbound filter and send updates accordingly (the RT=Green update is sent, the RT=Red update is not).
• PE router will discard updates with an unused route-target
• Optimisation requires these updates NOT to be sent
• Outbound Route Filter (ORF) allows a router to tell its neighbors which filter to use prior to propagating BGP updates

Connecting MPLS-VPN Backbones

Connecting MPLS-VPN Backbones
• Providers exchange routes between PE-ASBR routers
• MP-eBGP for (labelled) VPNv4 addresses between ASBRs; next-hop and labels are re-written by the PE-ASBRs
• Requires PE-ASBRs to store the VPN routes that need to be exchanged
• Routes are in the MP-BGP table but not in any routing table: PE-ASBRs do not have any VRFs; MP-eBGP labels are used in the LFIB
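The PE-side behaviour of the BGP Updates Filtering, Route Refresh and ORF slides above, as an added Python model that is not from the slides or from Cisco; the VRF names, route-target values and the two updates are constructed to mirror the figures:

```python
"""PE-side handling of VPN-IPv4 updates by route-target (RT).

Added example, not Cisco code: VRF names, RTs and updates are constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class VpnV4Update:
    rd: str                    # route distinguisher
    prefix: str                # IPv4 prefix inside the VPN
    next_hop: str              # advertising PE (BGP next-hop)
    label: int                 # VPN label allocated by that PE
    route_targets: frozenset   # RT extended communities carried
    soo: str = ""              # site-of-origin, not used for the import decision


@dataclass
class Vrf:
    name: str
    rd: str
    import_rts: set = field(default_factory=set)
    export_rts: set = field(default_factory=set)
    routes: dict = field(default_factory=dict)   # prefix -> (next_hop, label)


class PeRouter:
    def __init__(self, vrfs):
        self.vrfs = {v.name: v for v in vrfs}
        self.bgp_table = []    # VPN-IPv4 routes the PE actually keeps

    def all_import_rts(self):
        return set().union(*(v.import_rts for v in self.vrfs.values()))

    def receive(self, upd):
        """Keep the update only if some attached VRF imports one of its RTs
        (BGP Updates Filtering slides); otherwise discard it silently.
        Returns the names of the VRFs that imported it."""
        targets = [v for v in self.vrfs.values()
                   if v.import_rts & upd.route_targets]
        if not targets:
            return []
        self.bgp_table.append(upd)
        for v in targets:
            v.routes[upd.prefix] = (upd.next_hop, upd.label)
        return [v.name for v in targets]

    def add_vrf(self, vrf):
        """Route Refresh slide: a new import RT cannot be served from local
        state, because filtered updates were never stored, so the PE must ask
        its neighbours to re-send. Returns True when a Route-Refresh is needed."""
        needed = vrf.import_rts - self.all_import_rts()
        self.vrfs[vrf.name] = vrf
        return bool(needed)

    def orf_permit_list(self):
        """ORF slide: the extended-community filter the PE sends to neighbours
        so that updates it would discard anyway are never transmitted.
        A typo here, or in a VRF's import list, is how two VPNs get joined."""
        return sorted(self.all_import_rts())
```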
Connecting MPLS-VPN backbones
Figure: two backbones, each with a core of P LSRs. In the first, PE-1, PE-2 and PE-ASBR1 peer with RR-1; in the second, PE-3 and PE-ASBR2 peer with RR-2; CE-1 to CE-5 attach to the PEs. RR-1 and RR-2 reflect VPNv4 internal routes; PE-ASBR1 and PE-ASBR2 advertise VPNv4 external routes and exchange VPNv4 addresses with labels over MP-eBGP (VPNv4 routes with label distribution).

Connecting MPLS-VPN backbones
Figure (control plane): CE-2 advertises Network=N to PE-1. PE-1 advertises Network=RD1:N, Next-hop=PE1, Label=L1 to RR-1, which reflects it unchanged to PE-ASBR1. PE-ASBR1 re-advertises it over MP-eBGP as Network=RD1:N, Next-hop=PE-ASBR1, Label=L2. PE-ASBR2 re-advertises it to RR-2 as Network=RD1:N, Next-hop=PE-ASBR2, Label=L3, and RR-2 reflects it to PE-3. PE-3 advertises Network=N, Next-hop=PE3 to its attached CEs.

Multi-AS MPLS-VPN backbones
Figure (data plane): VPNv4 routes exchanged between PE-ASBRs. PE-3 sends Dest=N with label stack LDP-PE-ASBR2-label, L3 across its core of P LSRs; PE-ASBR2 swaps to L2 toward PE-ASBR1; PE-ASBR1 forwards with LDP-PE1-label, L1 across the first core; PE-1 removes L1 and delivers Dest=N to CE-2.

MPLS VPN Configuration

MPLS VPN Configuration
• VPN knowledge is on PE routers
• Several basic steps are necessary to provision a PE router for VPN service:
– configuration of VRFs
– configuration of Route Distinguishers
– configuration of import/export policies
– configuration of PE to CE links
– association of VRFs to interfaces
– configuration of MP-BGP
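The next-hop and label rewriting at the PE-ASBRs in the Connecting MPLS-VPN backbones figures, as an added Python model that is not from the slides or from Cisco; router names follow the figure, the label values L1..L3 are modelled as 1..3, and the assumption that only the PE-ASBR1 to PE-ASBR2 link is directly connected is constructed:

```python
"""Inter-AS MPLS VPN: VPNv4 routes exchanged between PE-ASBRs over MP-eBGP,
next-hop and label rewritten at each ASBR, and the resulting label swaps.

Added example, not from the slides or Cisco. Router names follow the
figure; label values L1..L3 are modelled as 1..3 (constructed).
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class VpnV4Route:
    rd_net: str      # "RD1:N" in the figure
    next_hop: str    # BGP next-hop
    label: int       # VPN label to use toward next_hop


class Asbr:
    """A PE-ASBR keeps the route in its MP-BGP table (it has no VRFs) and
    programs one LFIB entry per route it re-advertises."""

    def __init__(self, name, first_label):
        self.name = name
        self.next_label = first_label
        self.lfib = {}    # incoming label -> (outgoing label, next router)

    def readvertise(self, route):
        """Set next-hop to self and allocate a local label; the LFIB entry
        swaps it back to the label the upstream next-hop expects."""
        local = self.next_label
        self.next_label += 1
        self.lfib[local] = (route.label, route.next_hop)
        return replace(route, next_hop=self.name, label=local)


def reflect(route):
    """Route reflectors pass VPNv4 routes on with next-hop and label intact."""
    return route


def forward(ingress, route, asbrs, direct_links):
    """Walk the data plane from the ingress PE to the originating PE.
    Each hop is (router, VPN label carried, IGP/LDP label pushed as well),
    the last being True when the next router is not directly connected."""
    here, hop, label = ingress, route.next_hop, route.label
    path = []
    while True:
        path.append((hop, label, frozenset({here, hop}) not in direct_links))
        if hop not in asbrs:           # reached a plain PE: it removes the VPN label
            return path
        here = hop
        label, hop = asbrs[hop].lfib[label]


def scenario():
    """Build the control plane of the figure; return (route seen by PE-3, path)."""
    asbr1, asbr2 = Asbr("PE-ASBR1", 2), Asbr("PE-ASBR2", 3)
    r = VpnV4Route("RD1:N", "PE-1", 1)             # PE-1 originates with L1
    r = asbr1.readvertise(reflect(r))              # via RR-1, then NH=PE-ASBR1, L2
    r = reflect(asbr2.readvertise(r))              # NH=PE-ASBR2, L3, via RR-2 to PE-3
    links = {frozenset({"PE-ASBR1", "PE-ASBR2"})}  # only the ASBR link is direct (assumed)
    return r, forward("PE-3", r, {a.name: a for a in (asbr1, asbr2)}, links)
```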
VRF & RD Configuration
• RD is configured on PE routers: separate RD per VRF; good practice is to use the same RD for the same VPN in all PE routers, although this is not mandatory
• VRF configuration commands:
 ip vrf <vrf-symbolic-name>
  rd <route-distinguisher-value>
  route-target import <import route-target community>
  route-target export <export route-target community>

VRF Configuration
Figure: the PE holds VRF VPN-A, attaching CE Paris and CE London (both VPN-A), and VRF VPN-B, attaching CE Munich (VPN-B). The VRF for VPN-A (RT 100:1) contains the Paris routes and the London routes; the VRF for VPN-B (RT 100:2) contains the Munich routes.
 ip vrf VPN-A
  rd 1:129
  route-target export 100:1
  route-target import 100:1
 ip vrf VPN-B
  rd 1:131
  route-target export 100:2
  route-target import 100:2

PE/CE Routing Protocol
• PE/CE can use BGP, RIPv2, OSPF or Static
• Routing context used for all except OSPF, which uses a separate process
• Routing contexts are defined within the routing protocol instance:
 router rip
  version 2
  !
  address-family ipv4 vrf <vrf-symbolic-name>
   version 2
   network 195.27.15.0
  !
  address-family ipv4 vrf <vrf-symbolic-name>
   ..

PE/CE Routing Protocol
• OSPF uses a different process:
 router ospf 100 vrf <vrf-symbolic-name>
 !
 router ospf 200 vrf <vrf-symbolic-name>
• BGP uses the address-family command:
 router bgp <AS #>
  !
  address-family ipv4 vrf <vrf-symbolic-name>
  !
  address-family vpnv4
• Static routes are configured per-VRF:
 ip route vrf <vrf-symbolic-name>

PE/CE Routing Protocol
 interface Serial3/5
  ip vrf forwarding VPN-A
  ip address 192.168.61.6 255.255.255.252
  encapsulation ppp
 !
 interface Serial3/6
  ip vrf forwarding VPN-A
  ip address 192.168.61.9 255.255.255.252
  encapsulation ppp
 !
 interface Serial3/7
  ip vrf forwarding VPN-B
  ip address 192.168.62.6 255.255.255.252
  encapsulation ppp
Figure: CE Paris and CE London (VPN-A) and CE Munich (VPN-B) attach to the PE.
 router bgp 109
  no bgp default ipv4-unicast
  ! remote-as matches the local AS so that 195.27.2.1 is an MP-iBGP peer (the slide showed remote-as 100)
  neighbor 195.27.2.1 remote-as 109
  neighbor 195.27.2.1 update-source Loopback0
  !
  address-family ipv4 vrf VPN-B
   neighbor 192.168.62.5 remote-as 65503
   neighbor 192.168.62.5 activate
  exit-address-family
  !
  address-family ipv4 vrf VPN-A
   neighbor 192.168.61.5 remote-as 65501
   neighbor 192.168.61.5 activate
   neighbor 192.168.61.10 remote-as 65502
   neighbor 192.168.61.10 activate
  exit-address-family
  !
  address-family vpnv4
   neighbor 195.27.2.1 activate
   neighbor 195.27.2.1 send-community extended
  exit-address-family

VRF Based Commands
• All show commands are VRF based:
 show ip route vrf <vrf-symbolic-name>
 show ip protocol vrf <vrf-symbolic-name>
 show ip cef vrf <vrf-symbolic-name>
• Ping and Telnet commands are VRF based:
 ping vrf <vrf-symbolic-name> x.x.x.x
 telnet x.x.x.x /vrf <vrf-symbolic-name>

MPLS VPN Internet Routing - VRF Specific Default Route
Figure: PE-IG (192.168.1.1) connects to the Internet and peers BGP-4 with the PE; the PE peers MP-BGP with a second PE (192.168.1.2). Site-1 (network 171.68.0.0/16) attaches to the PE on Serial0; Site-2 attaches to the second PE.
 ip vrf VPN-A
  rd 100:1
  route-target both 100:1
 !
 interface Serial0
  ! ip vrf forwarding must precede ip address: applying it clears the interface address
  ip vrf forwarding VPN-A
  ip address 192.168.10.1 255.255.255.0
 !
 router bgp 100
  no bgp default ipv4-unicast
  network 171.68.0.0 mask 255.255.0.0
  neighbor 192.168.1.1 remote-as 100
  neighbor 192.168.1.1 activate
  neighbor 192.168.1.1 next-hop-self
  neighbor 192.168.1.1 update-source loopback0
  ! the MP-BGP peer 192.168.1.2 must be defined before it is activated under vpnv4 (omitted on the slide)
  neighbor 192.168.1.2 remote-as 100
  neighbor 192.168.1.2 update-source loopback0
  !
  address-family ipv4 vrf VPN-A
   neighbor 192.168.10.2 remote-as 65502
   neighbor 192.168.10.2 activate
  exit-address-family
  !
  address-family vpnv4
   neighbor 192.168.1.2 activate
  exit-address-family
 !
 ip route 171.68.0.0 255.255.0.0 Serial0
 ip route vrf VPN-A 0.0.0.0 0.0.0.0 192.168.1.1 global

MPLS VPN Internet Routing - VRF Specific Default Route
Figure (forwarding): an IP packet with D=cisco.com from Site-1 (network 171.68.0.0/16) enters the PE on Serial0. The VRF holds the Site-1 routes, the Site-2 routes and 0.0.0.0/0 -> 192.168.1.1 (global); the global table and LFIB hold 192.168.1.1/32 Label=3, 192.168.1.2/32 Label=5, ... The packet is sent with Label = 3 to PE-IG and on to the Internet.

MPLS VPN Internet Routing - Separate (sub)Interfaces
Figure: PE-IG (192.168.1.1) connects to the Internet and peers BGP-4 with the PE; the PE peers MP-BGP with a second PE (192.168.1.2). Site-1 (network 171.68.0.0/16) attaches to the PE over Serial0.1 (in the VRF) and Serial0.2 (global), with BGP-4 on each; Site-2 attaches to the second PE.
 ip vrf VPN-A
  rd 100:1
  route-target both 100:1
 !
 interface Serial0
  no ip address
 !
 interface Serial0.1
  ip vrf forwarding VPN-A
  ip address 192.168.20.1 255.255.255.0
 !
 interface Serial0.2
  ip address 171.68.10.1 255.255.255.0
 !
 router bgp 100
  no bgp default ipv4-unicast
  neighbor 192.168.1.1 remote-as 100
  neighbor 192.168.1.1 activate
  neighbor 192.168.1.1 next-hop-self
  neighbor 192.168.1.1 update-source loopback0
  ! the MP-BGP peer 192.168.1.2 must be defined before it is activated under vpnv4 (omitted on the slide)
  neighbor 192.168.1.2 remote-as 100
  neighbor 192.168.1.2 update-source loopback0
  network 171.68.0.0 mask 255.255.0.0
  neighbor 171.68.10.2 remote-as 502
  ! with "no bgp default ipv4-unicast" the global CE session also needs to be activated
  neighbor 171.68.10.2 activate
  !
  address-family ipv4 vrf VPN-A
   neighbor 192.168.20.2 remote-as 502
   neighbor 192.168.20.2 activate
  exit-address-family
  !
  address-family vpnv4
   neighbor 192.168.1.2 activate
  exit-address-family

MPLS VPN Internet Routing - Separate (sub)Interfaces
Figure (forwarding): the PE global table sends Internet routes ---> 192.168.1.1, Label=3. The CE routing table at Site-1 sends Site-1 routes ---> Serial0.1 and Internet routes ---> Serial0.2. An IP packet with D=cisco.com from Site-1 therefore arrives on Serial0.2, is looked up in the global table, labelled 3 toward PE-IG and forwarded to the Internet.
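The two-stage lookup behind the VRF Specific Default Route slides (VRF match, then resolution of the global next-hop), as an added Python model that is not from the slides or from Cisco; the tables mirror the figure, while the Site-2 prefix 10.20.0.0/16, its VPN label 20, the P-router next-hop and the Internet destination address are constructed:

```python
"""Two-stage lookup for a VRF default route whose next-hop is in the global
table (MPLS VPN Internet Routing, VRF Specific Default Route).

Added example, not from the slides or Cisco. Tables mirror the figure:
VRF VPN-A holds Site-1 (171.68.0.0/16, attached via Serial0), a Site-2
prefix learnt by MP-BGP (prefix and VPN label constructed) and
0.0.0.0/0 -> 192.168.1.1 global; the global table holds the loopbacks with
the figure's labels 3 and 5 plus 'ip route 171.68.0.0 255.255.0.0 Serial0'.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Entry:
    next_hop: str                  # IP next-hop or outgoing interface
    label: Optional[int] = None    # label to push for this entry
    recursive: bool = False        # resolve next_hop in the global table


class Fib:
    def __init__(self, entries):
        self.entries = {ipaddress.ip_network(p): e for p, e in entries.items()}

    def lookup(self, dst):
        """Longest-prefix match; None when nothing covers dst."""
        addr = ipaddress.ip_address(dst)
        covering = [n for n in self.entries if addr in n]
        if not covering:
            return None
        return self.entries[max(covering, key=lambda n: n.prefixlen)]


VPN_A = Fib({
    "171.68.0.0/16": Entry("Serial0"),                   # Site-1, attached
    "10.20.0.0/16": Entry("192.168.1.2", 20, True),      # Site-2 via other PE (constructed)
    "0.0.0.0/0": Entry("192.168.1.1", None, True),       # 'global' default
})
GLOBAL = Fib({
    "192.168.1.1/32": Entry("P", 3),     # PE-IG loopback, label 3 as in the figure
    "192.168.1.2/32": Entry("P", 5),     # other PE loopback, label 5
    "171.68.0.0/16": Entry("Serial0"),   # return path into the VRF interface
})


def forward(dst, vrf):
    """Return (labels inner-to-outer, next-hop) for a packet to dst arriving
    on a VRF interface (vrf is a Fib) or from the Internet (vrf is None).
    Traffic only returns from the Internet for prefixes with a global route,
    so that static is the control point for what the VPN exposes."""
    entry = (vrf or GLOBAL).lookup(dst)
    if entry is None:
        return None
    labels = [] if entry.label is None else [entry.label]
    if not entry.recursive:
        return labels, entry.next_hop
    via = GLOBAL.lookup(entry.next_hop)          # second stage: global table
    if via is None:
        return None                              # next-hop unreachable: drop
    if via.label is not None:
        labels.append(via.label)
    return labels, entry.next_hop
```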
MPLS-VPN Scaling - Route Refresh
Figure: a PE with Import RT=yellow, Import RT=green and Import RT=red receives VPN-IPv4 update RD:Net1, Next-hop=PEX, SOO=Site1, RT=Green, Label=XYZ and VPN-IPv4 update RD:Net1, Next-hop=PEX, SOO=Site1, RT=Red, Label=XYZ. 1. PE doesn't have red routes (previously filtered out). 2. PE issues a Route-Refresh to all neighbors in order to ask for retransmission. 3. Neighbors re-send updates and the "red" route-target is now accepted.
• New BGP capability: route refresh
• Allows a router to request from any neighbor the re-transmission of BGP updates; useful when the inbound policy has been modified; similar to Cisco "soft-reconfiguration" without the need to store any route
• BGP speakers may send "Route-Refresh"

MPLS VPN - Configuration
Figure: Site-1 and Site-2 attach to PE1 over Serial3/6 and Serial3/7; Site-3 and Site-4 attach to PE2 over Serial4/6 and Serial4/7 (the figure labels the sites VPN-A, VPN-B and VPN-C); PE1 and PE2 run multihop MP-iBGP across the P routers. Resulting VRF contents: VRF for site-1 (100:1): Site-1 routes, Site-2 routes; VRF for site-2 (100:2): Site-1 routes, Site-2 routes, Site-3 routes; VRF for site-3 (100:2): Site-2 routes, Site-3 routes, Site-4 routes; VRF for site-4 (100:3): Site-3 routes, Site-4 routes.
PE1:
 ip vrf site1
  rd 100:1
  route-target export 100:1
  route-target import 100:1
 ip vrf site2
  rd 100:2
  route-target export 100:2
  route-target import 100:2
  route-target import 100:1
  route-target export 100:1
 !
 interface Serial3/6
  ip vrf forwarding site1
  ip address 192.168.61.6 255.255.255.0
  encapsulation ppp
 !
 interface Serial3/7
  ip vrf forwarding site2
  ip address 192.168.62.6 255.255.255.0
  encapsulation ppp
PE2:
 ip vrf site3
  rd 100:2
  route-target export 100:2
  route-target import 100:2
  route-target import 100:3
  route-target export 100:3
 ip vrf site4
  rd 100:3
  route-target export 100:3
  route-target import 100:3
 !
 interface Serial4/6
  ip vrf forwarding site3
  ip address 192.168.73.7 255.255.255.0
  encapsulation ppp
 !
 interface Serial4/7
  ip vrf forwarding site4
  ip address 192.168.74.7 255.255.255.0
  encapsulation ppp

MPLS VPN - Configuration - PE/CE routing protocols
PE1 (Site-1 and Site-2 attached, MP-iBGP to PE2 at 7.7.7.7):
 router bgp 100
  no bgp default ipv4-unicast
  neighbor 7.7.7.7 remote-as 100
  neighbor 7.7.7.7 update-source Loop0
  !
  address-family ipv4 vrf site2
   neighbor 192.168.62.2 remote-as 65502
   neighbor 192.168.62.2 activate
  exit-address-family
  !
  address-family ipv4 vrf site1
   neighbor 192.168.61.1 remote-as 65501
   neighbor 192.168.61.1 activate
  exit-address-family
  !
  address-family vpnv4
   neighbor 7.7.7.7 activate
   neighbor 7.7.7.7 next-hop-self
  exit-address-family
PE2 (Site-3 and Site-4 attached, MP-iBGP to PE1 at 6.6.6.6):
 router bgp 100
  no bgp default ipv4-unicast
  neighbor 6.6.6.6 remote-as 100
  neighbor 6.6.6.6 update-source Loop0
  !
  address-family ipv4 vrf site4
   neighbor 192.168.74.4 remote-as 65504
   neighbor 192.168.74.4 activate
  exit-address-family
  !
  address-family ipv4 vrf site3
   neighbor 192.168.73.3 remote-as 65503
   neighbor 192.168.73.3 activate
  exit-address-family
  !
  address-family vpnv4
   neighbor 6.6.6.6 activate
   neighbor 6.6.6.6 next-hop-self
  exit-address-family

IOS Support for MPLS

MPLS-VPN IOS Releases - LDP Status
• Initial limited deployment release in 12.0(10)ST and up
• 12.0(11)ST available on CCO
• General deployment also planned for 12.2(1)T
• Will be based on the current IETF draft (draft-ietf-mpls-ldp-11.txt?)
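The route-target policy in the MPLS VPN - Configuration slides determines which VRFs see which site's routes; as an added Python check that is not from the slides or from Cisco, the parser below reads the four ip vrf blocks from the slides (embedded here, with the VRF spelled site4 throughout) and derives the VRF-to-VRF reachability the figure shows, which is the same check an operator would run to spot an unintended cross-VPN import:

```python
"""Derive the VRF-to-VRF route exchange implied by route-target policy from
an IOS-style configuration (the PE1/PE2 'ip vrf' blocks of the slides).

Added example, not Cisco code; PE_CONFIG is the slide's VRF configuration
with the VRF name 'site4' spelled consistently.
"""
import re

PE_CONFIG = """\
ip vrf site1
 rd 100:1
 route-target export 100:1
 route-target import 100:1
ip vrf site2
 rd 100:2
 route-target export 100:2
 route-target import 100:2
 route-target import 100:1
 route-target export 100:1
ip vrf site3
 rd 100:2
 route-target export 100:2
 route-target import 100:2
 route-target import 100:3
 route-target export 100:3
ip vrf site4
 rd 100:3
 route-target export 100:3
 route-target import 100:3
"""


def parse_vrfs(text):
    """Return {vrf: {"rd": str, "import": set, "export": set}} from the
    top-level 'ip vrf' blocks (indented 'ip vrf forwarding' lines under
    interfaces do not match because re.match anchors at column 0)."""
    vrfs, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"ip vrf (?!forwarding)(\S+)", line)
        if m:
            cur = vrfs[m.group(1)] = {"rd": None, "import": set(), "export": set()}
            continue
        if cur is None:
            continue
        m = re.match(r"\s+rd (\S+)", line)
        if m:
            cur["rd"] = m.group(1)
        m = re.match(r"\s+route-target (import|export|both) (\S+)", line)
        if m:
            kinds = ("import", "export") if m.group(1) == "both" else (m.group(1),)
            for k in kinds:
                cur[k].add(m.group(2))
    return vrfs


def reachability(vrfs):
    """{vrf: sorted names of VRFs whose exported routes it imports}.
    Any pair listed here that the VPN design did not intend is a leak
    between VPNs, and should be caught before the config is pushed."""
    return {
        name: sorted(o for o, ov in vrfs.items() if v["import"] & ov["export"])
        for name, v in vrfs.items()
    }
```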