1 MPLS Bootcamp © 2000, Cisco Systems, Inc. Cisco Confidential MPLS Bootcamp MPLS VPN Khalid Raza, Kyle Bearden, & Munther Antoun March, 2001 Version 0.1.


1 MPLS Bootcamp: MPLS VPN. Khalid Raza, Kyle Bearden, & Munther Antoun. March, 2001. Version 0.1

2 MPLS VPN Agenda
- VPN Concepts
- MPLS VPN Functional Components
- MPLS VPN Architectural Components
- VPN Routing & Forwarding
- MPLS VPN Route Distribution
- MPLS VPN Data Plane
- MPLS VPN Topologies
- Convergence & Scaling Considerations
- QoS Deployment Strategies
- MPLS VPN Labs

3 Virtual Private Networks: Concepts

4 Virtual Private Networks
- An IP network infrastructure delivering private network services over a public infrastructure
- Certainly not a new concept: leased lines --> statistical multiplexing
- Delivered at Layer-2 (SP backbone) or Layer-3 (IP backbone)
- Private connectivity amongst multiple sites
- Controlled access into the VPN
- Global or non-unique private IP addressing space amongst the different VPNs

5 Virtual Private Networks
(Diagram only)

6 VPN - Overlay Model
(Diagram: service provider network, Provider Edge (PE) device, VPN site, virtual circuit, CPE (CE) device, Layer-3 routing adjacency)
- Private trunks across a Telco/SP shared infrastructure: leased/dialup lines, FR/ATM virtual circuits, IP (GRE) tunnelling
- Point-to-point solution between customer sites
- How to size inter-site circuit capacities?
- Full mesh requirement for optimal routing
- CPE routing adjacencies between sites

7 VPN - Peer-to-Peer Model
(Diagram: service provider network, provider edge router, VPN Site 1, VPN Site 2, CPE router, Layer-3 routing adjacencies)
- Provider edge device exchanges routing information with the CPE
- All customer routes carried within the SP IGP
- Simple routing scheme for the VPN customer
- Routing between sites is optimal
- Circuit sizing no longer an issue
- Private addressing is NOT an option
- Addition of new sites is simpler: no overlay mesh to contend with

8 VPN - MPLS VPN Model
(Diagram: service provider network, Provider Edge (PE) router, VPN Site 1, VPN Site 2, Customer Edge (CE) router; static, RIP, OSPF or eBGP routing between CE and PE; MP-iBGP session between the PEs)
- Combines benefits of the overlay and peer-to-peer paradigms: overlay (security and isolation amongst customers), peer-to-peer (simplified customer routing)
- PE routers only hold routes for attached VPNs: reduces the size of PE routing information, proportional to the number of VPNs attached
- MPLS used to forward packets (not traditional IP routing): full routing within the backbone no longer required

9 MPLS VPN Functional Components

10 MPLS VPN Connection Model: The Whole Picture
(Diagram: VPN_A and VPN_B sites attached via CE routers to PE routers, P routers in the core, iBGP sessions between the PEs)
- P routers (LSRs) are in the core of the MPLS cloud
- PE routers (Edge LSRs or LERs) use MPLS with the core and plain IP with the CE routers
- P and PE routers share a common IGP
- PE routers are MP-iBGP fully meshed or use Route Reflectors (RRs)
- Confederations supported in IOS 12.1(5)T & higher [maybe also 12.0(14)ST?]

11 MPLS VPN Model
(Diagram: P-network with P and PE routers, C-network with CE routers and VPN sites)

12 MPLS VPN Connectivity Model
- A VPN is a collection of sites sharing common routing information (the same set of routes within the routing table)
- A site may belong to more than one VPN through sharing of routing information
- A VPN can be thought of as a closed user group (CUG) or community of interest

13 MPLS VPN Architectural Components

14 MPLS VPN Architectural Components
- Control planes: LDP/TDP, MP-BGP, CE-PE peering, IGP
- Forwarding table: VRF
- Data plane

15 VPN Routing & Forwarding Instance (VRF)
PEs maintain separate routing tables:
- Global routing table: contains all PE and P routes (perhaps non-VPN BGP); populated by the VPN backbone IGP
- VRF (VPN Routing & Forwarding): routing & forwarding table associated with one or more directly connected sites (CE routers)
- A VRF is associated with any type of interface, whether logical or physical (e.g. sub-interface, virtual, tunnel)
- Interfaces may share the same VRF if the connected sites share the same routing information

16 VPN Routing & Forwarding Instances (VRF)
(Diagram: PE holding the global routing table (IGP & non-VPN BGP), a VRF for VPN-A and a VRF for VPN-B; CE routers at Paris, London and Munich)
- Multiple routing & forwarding instances (VRFs) provide separation amongst different customers

17 MPLS VPN Connectivity Model
- Private addressing in multiple VPNs is no longer an issue, provided that members of a VPN do not use the same address range
(Diagram: VPN A, VPN B and VPN C sites at London, Milan, Paris, Munich, Brussels and Vienna; address space for VPN A and B must be unique)

18 VRF Route Population
- VRF populated locally through the PE-CE routing protocol: RIP, OSPF, BGP-4 & static routing
- Separate routing context for each VRF: routing protocol context (BGP-4 & RIP v2), separate process (OSPF)
(Diagram: PE connected to CEs at Site-1 and Site-2 using eBGP, OSPF, RIPv2 or static routing)

19 VRF Route Distribution
- PE routers distribute local VPN information across the MPLS VPN backbone through MP-iBGP & redistribution from the VRF
- Receiving PE imports routes into attached VRFs
(Diagram: PE routers, CE router, P router, site; MP-iBGP between the PEs)

20 Multi-Protocol BGP (MP-BGP) VPN Components

21 MP-BGP VPN Components
- Route Distinguisher (RD)
- Route Target (RT)
- Site of Origin (SOO)

22 VPN Routing & Forwarding Instances

23 MPLS VPN Table Population
- The global (non-VRF) routing table is populated through IGP protocols; may also contain BGP-4 (IPv4) routes; no VPN routes
- VRF routing tables contain VPN-specific routes: MP-iBGP routes imported into VRFs; CE routes populate VRFs based on routing protocol context

24 VRF Population of MP-iBGP
(Diagram: PE with VRF VPN-A and VRF VPN-B, CEs at Paris, London and Munich; the PE BGP table holds routes from VPN-A and routes from VPN-B and is exchanged over MP-iBGP)
- Redistribution from VRFs into MP-iBGP for VPN information exchange

25 VRF Population through MP-iBGP
- Receiving PE router needs to understand: where the route originated from; into which VRF(s) the route should be placed; how to distinguish between duplicate addresses
- Uniqueness of the IPv4 prefix achieved through the use of a Route Distinguisher
- RD: 64-bit identifier
- VPNv4 route: 96-bit NLRI (RD + 32-bit IPv4 NLRI)

26 Extended Community Attribute
- Permits placement in the proper VRF and identifies the site of origin
- BGP transitive optional attribute containing a set of extended communities
- Route Target: identifies the set of sites to which a particular route should be exported
- SOO (Site of Origin): (optionally) refers to the site that originated a particular route

27 VRF Population of MP-iBGP
(Diagram: CE-1 in Paris sends a BGP, OSPF or RIPv2 update for /24 with NH=CE-1; the PE sends a VPN-v4 update "RD:1:27: /24, Next-hop=PE-1, SOO=Paris, RT=VPN-A, Label=(28)" over MP-iBGP towards the London PE and CE-2)
- PE routers translate the (32-bit) IPv4 prefix into a (96-bit) VPN-v4 route
- Assign an RD, RT and (optional) SOO based on configuration
- Re-write the next-hop attribute (to the PE loopback)
- Assign a label based on VRF and/or interface
- Send the MP-iBGP update to all PE neighbors

28 MP-iBGP Update: VPN-v4 Address
- Route Distinguisher (64 bits): makes the IPv4 route globally unique; the RD is configured in the PE for each VRF; the RD may or may not be related to a site or a VPN
- IPv4 address (32 bits)
- Route Target (RT) & optional Site of Origin (SOO)

29 MP-iBGP Update
- Any other standard BGP attribute: Local Preference, MED, Next-hop, AS_PATH, standard community
- A label identifying the outgoing interface, or the VRF where a lookup has to be performed (aggregate/connected)
- MP-iBGP utilizes a second label in the label stack

30 VRF Population of MP-iBGP
(Diagram: the VPN-v4 update "RD:1:27: /24, Next-hop=PE-1, SOO=Paris, RT=VPN-A, Label=(28)" arriving at the London PE, whose configuration reads "ip vrf VPN-B / route-target import VPN-A"; CE-2)
- Receiving PE routers translate back to IPv4
- Insert the route into the VRF identified by the RT attribute (based on PE configuration)
- The label associated with the VPN-v4 address will be set on packets forwarded towards the destination
- The VPN-v4 update is translated into an IPv4 address and put into VRF VPN-A as RT=VPN-A, and optionally advertised to CE-2

31 Basic Intranet Model
(Diagram: VPN A sites 1-4 connected over the MPLS VPN backbone; Site-1 & Site-2 routes and Site-3 & Site-4 routes are exchanged over MP-iBGP with RT=VPN-A, so every site ends up with the routes of all four sites)

32 MP-BGP Route Target (RT) and Site of Origin (SOO)

33 RT & SOO
- Two EXTENDED (64-bit) BGP attributes used to define:
  - Route Target: the set of routers the route has to be exported to
  - SOO (Site of Origin identifier): the routers where the route was originated
- This enables the closed user group functionality
- Set by PE routers in order to define import/export policies on a per-site/VRF basis

34 BGP-4 Enhancements

35 Extended Community
- Extended community attribute type code: TBD
- Type field: 2 bytes
- Value field: 6 bytes
- Types 0 through 0x7FFF inclusive are assigned by IANA
- Types 0x8000 through 0xFFFF inclusive are vendor-specific

36 Extended Community
- High-order octet of the type field = 0x00: administrator sub-field 2 bytes (AS#), assigned number sub-field 4 bytes; example: 9177:123
- High-order octet of the type field = 0x01: administrator sub-field 4 bytes (IP address), assigned number sub-field 2 bytes; example: :123

37 Extended Community: Route Origin community
- Identifies one or more routers that inject a set of routes (that carry this community) into BGP
- The type field for the Route Origin community is 0x0001 or 0x0101
- Similar to the Site of Origin (SOO); Site of Origin uses type codes 0x0003 and 0x0103

38 Extended Community: Route Target community
- Identifies one or more routers that may receive a set of routes (that carry this community) carried by BGP
- The type field for the Route Target community is 0x0002 or 0x0102

39 Extended Community: Site of Origin (SOO)
- Identifies the customer site
- Used to prevent loops when AS_PATH cannot be used
- The type field for SOO is 0x0003 or 0x0103
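The two administrator layouts and the Route Origin / Route Target / SOO type codes from slides 35-39 can be exercised directly. The Python below is an added example, not part of the bootcamp deck or of any Cisco code: it packs and unpacks the 8-byte extended community (2-byte type field, 6-byte value field) for both the AS:number and the IP:number form, and splits a whole attribute value into its member communities the way an importing PE would before comparing route targets against its VRF import list. The 192.0.2.1 address and the attribute values built in the demo are constructed sample inputs; 100:3 and 100:65 are the RT and SOO values from the configuration slide that follows.

```python
import ipaddress
import struct

# Low-order type byte from the slides: Route Origin 0x01, Route Target 0x02, Site of Origin 0x03.
# The high-order type byte selects the administrator format: 0x00 = 2-byte AS, 0x01 = 4-byte IPv4.
SUBTYPES = {"route-origin": 0x01, "route-target": 0x02, "soo": 0x03}
SUBTYPE_NAMES = {code: name for name, code in SUBTYPES.items()}


def encode_extcommunity(kind: str, admin, assigned: int) -> bytes:
    """Build one 8-byte extended community: 2-byte type field + 6-byte value field."""
    subtype = SUBTYPES[kind]
    if isinstance(admin, int):
        # Type 0x00xx: administrator = 2-byte AS number, assigned number = 4 bytes (e.g. 9177:123)
        if not (0 <= admin <= 0xFFFF and 0 <= assigned <= 0xFFFFFFFF):
            raise ValueError("AS:number form needs a 16-bit AS and a 32-bit assigned number")
        return struct.pack("!BBHI", 0x00, subtype, admin, assigned)
    # Type 0x01xx: administrator = 4-byte IPv4 address, assigned number = 2 bytes
    if not 0 <= assigned <= 0xFFFF:
        raise ValueError("IP:number form needs a 16-bit assigned number")
    return struct.pack("!BBIH", 0x01, subtype, int(ipaddress.IPv4Address(admin)), assigned)


def decode_extcommunity(raw: bytes):
    """Return (kind, 'admin:number') for one 8-byte extended community."""
    if len(raw) != 8:
        raise ValueError("an extended community is exactly 8 bytes")
    high, subtype = raw[0], raw[1]
    if high & 0x80:
        # Types 0x8000-0xFFFF are vendor-specific; their value layout is not defined here
        raise ValueError(f"vendor-specific type 0x{high:02x}{subtype:02x}")
    kind = SUBTYPE_NAMES.get(subtype)
    if kind is None:
        raise ValueError(f"unknown sub-type 0x{subtype:02x}")
    if high == 0x00:
        asn, number = struct.unpack("!HI", raw[2:])
        return kind, f"{asn}:{number}"
    if high == 0x01:
        ip, number = struct.unpack("!IH", raw[2:])
        return kind, f"{ipaddress.IPv4Address(ip)}:{number}"
    raise ValueError(f"unsupported high-order type byte 0x{high:02x}")


def decode_extcommunity_attribute(value: bytes):
    """The attribute value is a set of 8-byte communities; split it and decode each member."""
    if len(value) % 8:
        raise ValueError("attribute length must be a multiple of 8")
    return [decode_extcommunity(value[i:i + 8]) for i in range(0, len(value), 8)]


def route_targets_in(value: bytes):
    """Only the route targets, as an importing PE compares them against its VRF import list."""
    return {comm for kind, comm in decode_extcommunity_attribute(value) if kind == "route-target"}


if __name__ == "__main__":
    # Constructed attribute carrying RT 100:3 and SoO 100:65 (the values of the configuration slide)
    attr = encode_extcommunity("route-target", 100, 3) + encode_extcommunity("soo", 100, 65)
    print(attr.hex())
    print(decode_extcommunity_attribute(attr))
    print(route_targets_in(attr))
```

The decoder refuses vendor-specific types (high-order bit set) rather than guessing at their layout, which is the safe default for anything that later feeds an import decision.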

40 Site of Origin
(Diagram: PE with VRF "odd" connected to the CE at Site-1)

PE configuration:

ip vrf odd
 rd 100:1
 route-target export 100:3
 route-target import 100:3
!
interface Serial1
 ip vrf forwarding odd
 ip address
!
router bgp 100
 no synchronization
 no bgp default ipv4-unicast
 neighbor remote-as 100
 neighbor update-source Loop0
 neighbor activate
 neighbor next-hop-self
 no auto-summary
 !
 address-family ipv4 vrf odd
  neighbor remote-as 250
  neighbor activate
  neighbor route-map setsoo in
  no auto-summary
  no synchronization
 exit-address-family
 !
 address-family vpnv4
  neighbor activate
  neighbor send-community extended
  no auto-summary
 exit-address-family
!
route-map setsoo permit 10
 set extcommunity soo 100:

Verification on the PE:

#sh ip route vrf odd
C /24 is directly connected, Serial2
B [20/0] via , 00:08:44, Serial

#sh ip bgp vpn all
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 100:1 (default for vrf odd)
*> / i

#sh ip bgp vpn all
BGP routing table entry for 100:1: /32, version 17
Paths: (1 available, best #1)
Advertised to non peer-group peers:
from ( )
Origin IGP, metric 0, localpref 100, valid, external, best
Extended community: SoO:100:65 RT:100:

(Diagram label: /32)

41 Site of Origin
(Diagram: Site-1 dual-homed, CE-1 to PE-1 and CE-2 to PE-2, with SOO=100:65 configured for the site; eBGP4 update for /32 from CE-1; VPN-IPv4 update "RD: /32, Next-hop=PE-1, SOO=100:65, RT=100:3, Label=(intCE1)" from PE-1 to PE-2; eBGP4 update for /32 towards CE-2)
- PE-2 will not propagate the route since the update SOO is equal to the one configured for the site

42 Multi-Protocol BGP
- Extension to the BGP protocol in order to carry routing information about other protocols: multicast, MPLS, IPv6, ...
- Exchange of Multi-Protocol NLRI must be negotiated at session set-up: BGP capabilities negotiation

43 Multi-Protocol BGP - RFC 2858 (obsoletes RFC 2283)
- New non-transitive optional BGP attributes:
  - MP_REACH_NLRI: "Carry the set of reachable destinations together with the next-hop information to be used for forwarding to these destinations"
  - MP_UNREACH_NLRI: carries the set of unreachable destinations
- The attribute contains one or more triples: Address Family Information (AFI), next-hop information, NLRI

44 Labelled VPN-IPv4 Addresses in BGP-4
- A labelled VPN-IPv4 address appears in BGP NLRI with AFI = 1, Sub-AFI = 128
- The NLRI is encoded as one or more triples:
  - Length: total length of label + prefix (RD included)
  - Label: 24 bits
  - Prefix: RD (64 bits) + IPv4 prefix (32 bits)

45 Labelled VPN-IPv4 Addresses in BGP-4
- The label is assigned by the router originating the NLRI, i.e. the router identified by the next-hop value
- The label is changed by the router that modifies the next-hop value: typically the eBGP speaker, or an iBGP forwarder configured with next-hop-self

46 Labelled VPN-IPv4 Addresses in BGP-4
- The next-hop address must be of the same family as the NLRI: the next-hop will be a VPN-IPv4 address with RD set to 0
- BGP will consider two VPN-IPv4 routes comparable even with different labels
- A withdraw of a VPN-IPv4 address applies to all NLRI corresponding to that VPN-IPv4 address, whatever labels were assigned
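To make the NLRI layout of slides 44-46 concrete, here is an added example (not from the deck and not from any Cisco implementation) that encodes and decodes the <length, label, RD + prefix> triples of a labelled VPN-IPv4 (AFI 1 / Sub-AFI 128) update in Python. The label travels in a 24-bit field with the bottom-of-stack bit set, and the length octet counts label, RD and prefix bits, as slide 44 states. The RD 1:27 and label 28 follow the update shown on slides 27 and 30; the prefixes 192.0.2.0/24 and 172.16.0.0/12 and the RD 10.0.0.1:5 are constructed sample values.

```python
import ipaddress
import struct

LABEL_PLUS_RD_BITS = 24 + 64  # every VPN-IPv4 NLRI carries a 3-byte label and an 8-byte RD


def encode_rd(admin, assigned: int) -> bytes:
    """Route Distinguisher: 2-byte type + 6-byte value, with the same two administrator layouts
    as extended communities (type 0 = AS:number, type 1 = IP:number)."""
    if isinstance(admin, int):
        return struct.pack("!HHI", 0, admin, assigned)
    return struct.pack("!HIH", 1, int(ipaddress.IPv4Address(admin)), assigned)


def decode_rd(raw: bytes) -> str:
    rd_type = struct.unpack("!H", raw[:2])[0]
    if rd_type == 0:
        asn, number = struct.unpack("!HI", raw[2:8])
        return f"{asn}:{number}"
    if rd_type == 1:
        ip, number = struct.unpack("!IH", raw[2:8])
        return f"{ipaddress.IPv4Address(ip)}:{number}"
    raise ValueError(f"unknown RD type {rd_type}")


def encode_vpnv4_nlri(label: int, rd: bytes, prefix: str) -> bytes:
    """One <length, label, prefix> triple as carried in MP_REACH_NLRI for AFI 1 / Sub-AFI 128."""
    if not 0 <= label < (1 << 20):
        raise ValueError("an MPLS label is 20 bits")
    net = ipaddress.IPv4Network(prefix)
    # 24-bit label field: 20-bit label, 3 EXP bits (zero here), bottom-of-stack bit set
    label_field = (label << 4) | 1
    prefix_bytes = net.network_address.packed[: (net.prefixlen + 7) // 8]
    length_bits = LABEL_PLUS_RD_BITS + net.prefixlen   # label + RD + prefix, as on the slide
    return bytes([length_bits]) + label_field.to_bytes(3, "big") + rd + prefix_bytes


def decode_vpnv4_nlri(raw: bytes):
    """Walk a run of triples and return [(label, 'rd', 'prefix/len'), ...]."""
    routes, i = [], 0
    while i < len(raw):
        length_bits = raw[i]
        i += 1
        if length_bits < LABEL_PLUS_RD_BITS:
            raise ValueError("NLRI too short to hold label + RD")
        label_field = int.from_bytes(raw[i:i + 3], "big")
        i += 3
        rd = decode_rd(raw[i:i + 8])
        i += 8
        prefix_len = length_bits - LABEL_PLUS_RD_BITS
        nbytes = (prefix_len + 7) // 8
        if i + nbytes > len(raw):
            raise ValueError("truncated NLRI")
        addr = int.from_bytes(raw[i:i + nbytes].ljust(4, b"\x00"), "big")
        i += nbytes
        net = ipaddress.IPv4Network((addr, prefix_len), strict=False)
        routes.append((label_field >> 4, rd, str(net)))
    return routes


if __name__ == "__main__":
    # Constructed update: RD 1:27, label 28 (as on the earlier slides), prefix 192.0.2.0/24
    nlri = encode_vpnv4_nlri(28, encode_rd(1, 27), "192.0.2.0/24")
    print(nlri.hex())
    print(decode_vpnv4_nlri(nlri))
```

The length check in the decoder matters: a triple whose length octet is smaller than 88 bits cannot hold a label and an RD, and treating it as valid would mis-align every triple that follows it.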

47 BGP Capabilities Negotiation
- BGP routers establish BGP sessions through the OPEN message
- The OPEN message contains optional parameters
- The BGP session is terminated if OPEN parameters are not recognised
- A new optional parameter: CAPABILITIES

48 BGP Capabilities Negotiation
- A BGP router sends an OPEN message with a CAPABILITIES parameter containing its capabilities: Multiprotocol Extension, Route Refresh, Co-operative Route Filtering, ...

49 BGP Capabilities Negotiation
- BGP routers determine the capabilities of their neighbors by looking at the capabilities parameters in the OPEN message
- Unknown or unsupported capabilities may trigger the transmission of a NOTIFICATION message
- "The decision to send the NOTIFICATION message and terminate peering is local to the speaker. Such peering should not be re-established automatically" (draft-ietf-idr-bgp4-cap-neg)

50 BGP Capabilities Negotiation
- BGP routers use the BGP-4 Multiprotocol Extension to carry label mapping information
- Multiprotocol Extension capability: used to negotiate the Address Family Identifier; AFI = 1, Sub-AFI = 128 for MPLS-VPN

51 BGP Route Refresh
- New BGP capability: Route Refresh
- Allows a router to request from any neighbor the re-transmission of BGP updates
- Useful when the inbound policy has been modified
- Similar to Cisco "soft-reconfiguration" without the need to store any route
- BGP speakers may send a "Route-Refresh" message only to neighbors with which the capability has been exchanged

52 BGP Route Refresh
- When the inbound policy has been modified, the BGP speaker sends a Route-Refresh message to its neighbors, with AFI and Sub-AFI attributes
- Neighbors will re-transmit all routes for that particular AFI and Sub-AFI

53 BGP Co-operative Route Filtering
- In order to reduce the amount of BGP traffic and the CPU used to process updates, routers exchange filter configurations
- BGP speakers advertise to downstream neighbors the outbound filter(s) they have to use
- Filters are described in ORF (Outbound Route Filter) entries
- ORF entries are part of the Route-Refresh message

54 BGP Co-operative Route Filtering
- ORF capability must be negotiated during session set-up (capability negotiation)
- An ORF-capable BGP speaker will install ORFs per neighbor
- Each ORF will be defined by the upstream neighbor through Route-Refresh messages

55 BGP Co-operative Route Filtering: ORF Entry
- AFI/Sub-AFI: the filter will apply only to the selected address families
- ORF-Type: determines the content of ORF-Value; NLRI is one ORF-Type, used to match IP addresses (subnets)

56 BGP Co-operative Route Filtering: ORF Entry
- Action: ADD (add an ORF entry to the current ORF), DELETE (delete a previously received ORF entry), DELETE ALL (delete all existing ORF entries)
- Match: PERMIT (pass routes that match the ORF entry), DENY (do not pass routes that match the ORF entry)

57 BGP Co-operative Route Filtering: ORF Entry
- ORF-Value (for ORF-Type=NLRI) is:
  - Scope: EXACT (the remote peer should consider routes equal to the NLRI specified in the ORF), REFINE (the remote peer should consider routes that are part of a subset of the NLRI specified in the ORF)
  - NLRI: multiple ORF entries will follow longest match

58 ORF Entries and Route-Refresh
- ORF entries are carried in BGP Route-Refresh messages
- AFI/Sub-AFI are encoded into the AFI/Sub-AFI field of the Route-Refresh message
- WHEN-TO-REFRESH field: IMMEDIATE (apply the filter immediately), DEFER (wait for a subsequent Route-Refresh message)
- ORF-Type to be extended for Extended Communities

59 MPLS VPN Data Plane: Packet Forwarding

60 MPLS VPN Forwarding
(Diagram: VPN_A and VPN_B CEs attached to PE1-PE4, P1-P4 in the core; per-destination iBGP next hops with label values L2-L9 and LB; the packet leaves PE1 as Data|L8|L2 with iBGP NH=PE2)
- Ingress PE receives normal IP packets from the CE router
- PE router does "IP longest match" in the VRF, finds iBGP next hop PE2 and imposes a stack of labels: second-level label L2 + top label L8

61 MPLS VPN Forwarding
(Diagram: same topology; P routers swap the top label (in/out pairs such as T7, T8, L9, La, Lb, Lu, Lw, Lx, Ly, Lz, and "L8, POP" at the penultimate hop); the packet arrives at PE2 as L2|Data)
- All subsequent P routers switch the packet solely on the top label
- Egress PE router's upstream LDP neighbor (Penultimate Hop or PH) removes the top label (PHP)
- Egress PE uses the bottom (VPN) label to select which VPN/CE to forward the packet to
- Bottom label is removed and the packet forwarded to the CE router

62 MPLS VPN Packet Forwarding
(Diagram: Paris PE-1 to London PE across P routers; P router LFIBs "In Label / FEC /32 / Out Label" with entries "-", "POP" and "41"; notes "Use label implicit-null for destination /32" and "Use label 41 for destination /24"; VPN-v4 update "RD:1:27: /24, NH= , SOO=Paris, RT=VPN-A, Label=(28)")
- PE and P routers have BGP next-hop reachability through the backbone IGP
- Labels are distributed through LDP corresponding to the BGP next-hops, or through RSVP with Traffic Engineering

63 MPLS VPN Packet Forwarding
- The label stack is used for packet forwarding
- Top label indicates the BGP next-hop (exterior label)
- Second-level label indicates the outgoing interface or VRF (interior VPN label)
- MPLS nodes forward packets based on the top label; any subsequent labels are ignored

64 MPLS VPN Packet Forwarding
(Diagram: London ingress PE with LFIB "In Label / FEC /32 / Out Label 41" and VPN-A VRF entry " /24, NH= , Label=(28)"; Paris PE-1)
- Ingress PE receives normal IP packets
- PE router performs IP longest match in the VPN FIB, finds the iBGP next-hop and imposes a stack of labels

65 MPLS VPN Packet Forwarding
(Diagram: P router LFIBs "In Label / FEC /32 / Out Label 68" and "In Label / FEC /32 / Out Label POP"; Paris PE-1 VPN-A VRF "In Label 28(V) / FEC /24 / Out Label -", NH=Paris)
- Penultimate-hop router removes the IGP label: Penultimate Hop Popping procedures (implicit-null label)
- Egress PE router uses the VPN label to select which VPN/CE to forward the packet to
- VPN label is removed and the packet is routed toward the VPN site
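Slides 60-65 follow one packet through the data plane: the VRF longest match and two-label push at the ingress PE, top-label swapping in the core, penultimate hop popping, and the VPN-label lookup at the egress PE. The Python simulation below is an added example, not part of the deck or of any Cisco code. The topology (PE-London, P1, P2 as penultimate hop, PE-1 in Paris), the 10.255.0.1 loopback, the 192.0.2.0/24 prefix and the interface name are constructed; the label values 41, 68 and 28 follow the LFIB and VRF entries on the slides. It also covers the aggregate-label case of slide 29, where the VPN label selects a VRF in which an IP lookup is then performed instead of naming an outgoing interface.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

IMPLICIT_NULL = 3   # LDP "implicit-null": the penultimate hop pops the label instead of swapping it


@dataclass
class Packet:
    dst: str
    labels: List[int] = field(default_factory=list)   # index 0 is the top of the stack


def longest_match(fib: Dict[str, object], dst: str) -> Optional[str]:
    """Return the FIB key (prefix string) with the longest prefix containing dst, or None."""
    addr = ipaddress.IPv4Address(dst)
    best = None
    for prefix in fib:
        net = ipaddress.IPv4Network(prefix)
        if addr in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return None if best is None else str(best)


class PRouter:
    """Core LSR: switches on the top label only; inner labels are never examined."""
    def __init__(self, lfib: Dict[int, Tuple[int, str]]):
        self.lfib = lfib                                # in-label -> (out-label, next hop)

    def forward(self, pkt: Packet) -> str:
        out_label, next_hop = self.lfib[pkt.labels[0]]
        if out_label == IMPLICIT_NULL:
            pkt.labels.pop(0)                           # PHP: IGP label removed, VPN label now on top
        else:
            pkt.labels[0] = out_label
        return next_hop


class IngressPe:
    """Receives plain IP from the CE, longest match in the VRF, pushes [IGP label, VPN label]."""
    def __init__(self, vrf_fib: Dict[str, Tuple[int, str]], igp_lfib: Dict[str, Tuple[int, str]]):
        self.vrf_fib = vrf_fib                          # prefix -> (VPN label, BGP next-hop loopback)
        self.igp_lfib = igp_lfib                        # BGP next-hop loopback -> (IGP label, next hop)

    def forward(self, pkt: Packet) -> str:
        best = longest_match(self.vrf_fib, pkt.dst)
        if best is None:
            raise LookupError(f"no VRF route for {pkt.dst}")
        vpn_label, bgp_next_hop = self.vrf_fib[best]
        igp_label, next_hop = self.igp_lfib[bgp_next_hop]
        pkt.labels = [igp_label, vpn_label]             # top label first
        return next_hop


class EgressPe:
    """Pops the VPN label and uses it to pick the VRF/outgoing interface."""
    def __init__(self, vpn_labels: Dict[int, Tuple[str, Optional[str]]],
                 vrf_fibs: Dict[str, Dict[str, str]]):
        self.vpn_labels = vpn_labels                    # VPN label -> (VRF name, interface or None)
        self.vrf_fibs = vrf_fibs                        # VRF name -> {prefix: interface}

    def forward(self, pkt: Packet) -> str:
        if len(pkt.labels) != 1:
            raise ValueError(f"egress expects only the VPN label after PHP, got {pkt.labels}")
        vrf, iface = self.vpn_labels[pkt.labels.pop(0)]
        if iface is None:                               # aggregate label: IP lookup inside the VRF
            best = longest_match(self.vrf_fibs[vrf], pkt.dst)
            if best is None:
                raise LookupError(f"no route for {pkt.dst} in VRF {vrf}")
            iface = self.vrf_fibs[vrf][best]
        return f"{vrf}:{iface}"


def run_trace(dst: str = "192.0.2.7") -> dict:
    """Constructed path PE-London -> P1 -> P2 (penultimate) -> PE-1 (Paris); labels 41, 68, 28 as on the slides."""
    pe_london = IngressPe({"192.0.2.0/24": (28, "10.255.0.1")}, {"10.255.0.1": (41, "P1")})
    p1 = PRouter({41: (68, "P2")})
    p2 = PRouter({68: (IMPLICIT_NULL, "PE-1")})
    pe_paris = EgressPe({28: ("VPN-A", "Serial1 to CE Paris")},
                        {"VPN-A": {"192.0.2.0/24": "Serial1 to CE Paris"}})
    pkt = Packet(dst)
    stacks, path = [], []
    for hop in (pe_london, p1, p2):
        path.append(hop.forward(pkt))
        stacks.append(list(pkt.labels))
    delivered_to = pe_paris.forward(pkt)
    stacks.append(list(pkt.labels))
    return {"path": path, "stacks": stacks, "delivered_to": delivered_to}


if __name__ == "__main__":
    print(run_trace())
```

The `stacks` list in the result records the label stack after each hop, so the push at the ingress PE, the swap at P1, the pop at P2 and the empty stack handed to the VRF at PE-1 can all be read off directly.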

66 MPLS VPN Topologies

67 MPLS VPN Extranet Support
- Extranet support is simply the import of routes from one VRF into another VRF which services a different VPN
- Controlled through the use of Route Target: if we import the route, we have access
- Various topologies are viable using this technique

68 MPLS VPN Extranet Support
(Diagram: PE with a VRF for VPN-A and a VRF for VPN-B; VPN-A Paris routes and VPN-B Munich routes both appear in the extranet VPN routing table)
- Sharing of VPN information between VRFs provides Extranet support

69 Central Services Model
- A common topology is central services
- VPN client sites may access central services but may not communicate directly with other client sites
- Once again controlled through the use of route target:
  - client sites belong to unique VRFs, servers share a common VRF
  - client exports routes using client-rt and imports server-rt
  - server exports routes using server-rt and imports server-rt & client-rt

70 Central Services Model
(Diagram: VPN A sites, VPN B sites and a central server site over the MPLS VPN backbone; VPN A VRF (Export RT=client-rt, Import RT=server-rt); VPN B VRF (Export RT=client-rt, Import RT=server-rt); Server VRF (Export RT=server-rt, Import RT=server-rt and client-rt); MP-iBGP updates "RD: /24, RT=client-rt" from the client PEs and "RD: /24, RT=server-rt" from the server PE)
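The route-target import/export logic behind both the SOO check on slide 41 and the central services model on slides 69-70 is small enough to model end to end. The Python below is an added example, not code from the deck or from Cisco IOS: a PE exports a CE route as a VPNv4 route stamped with the VRF's export RTs and optional SOO, a receiving PE imports it into every VRF whose import list intersects those RTs, and before re-advertising to a CE it refuses any route whose SOO equals the SOO configured for that site. The RT values 100:10 and 100:20, the RDs, the prefixes, the PE names and the second-site SOO 100:66 are constructed; 100:3 and 100:65 are the RT and SOO from the slide 40 configuration.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class VpnRoute:
    rd: str                         # route distinguisher prepended by the exporting PE
    prefix: str
    next_hop: str                   # rewritten to the exporting PE's loopback
    rts: FrozenSet[str]             # route-target extended communities
    soo: Optional[str] = None       # site-of-origin extended community, if configured


@dataclass
class Vrf:
    name: str
    rd: str
    export_rts: FrozenSet[str]
    import_rts: FrozenSet[str]
    soo: Optional[str] = None       # SOO stamped on routes from this site, and checked before sending back
    table: Dict[str, VpnRoute] = field(default_factory=dict)


def export_from_vrf(vrf: Vrf, prefix: str, pe_loopback: str) -> VpnRoute:
    """Exporting PE: the IPv4 route from the CE becomes a VPNv4 route tagged with the VRF's export RTs and SOO."""
    route = VpnRoute(vrf.rd, prefix, pe_loopback, vrf.export_rts, vrf.soo)
    vrf.table[prefix] = route       # the site's own routes are already in its VRF
    return route


def import_into_vrfs(vrfs: List[Vrf], route: VpnRoute) -> List[str]:
    """Receiving PE: the route lands in every VRF whose import list shares at least one RT with it."""
    placed = []
    for vrf in vrfs:
        if vrf.import_rts & route.rts:
            vrf.table[route.prefix] = route
            placed.append(vrf.name)
    return placed


def may_advertise_to_ce(vrf: Vrf, route: VpnRoute) -> bool:
    """SOO loop check: never send a route back into the site it was learned from."""
    return vrf.soo is None or route.soo != vrf.soo


def central_services_demo() -> Dict[str, List[str]]:
    """Two client VPNs and one server VRF wired as on slide 70; returns each VRF's resulting prefixes."""
    client_rt, server_rt = frozenset({"100:10"}), frozenset({"100:20"})   # constructed RT values
    vpn_a = Vrf("VPN-A", "100:1", export_rts=client_rt, import_rts=server_rt)
    vpn_b = Vrf("VPN-B", "100:2", export_rts=client_rt, import_rts=server_rt)
    server = Vrf("Server", "100:3", export_rts=server_rt, import_rts=server_rt | client_rt)
    vrfs = [vpn_a, vpn_b, server]
    # MP-iBGP updates as each PE would originate them (prefixes and PE names constructed)
    updates = [export_from_vrf(vpn_a, "10.1.1.0/24", "PE-A"),
               export_from_vrf(vpn_b, "10.2.2.0/24", "PE-B"),
               export_from_vrf(server, "10.3.3.0/24", "PE-S")]
    for update in updates:
        import_into_vrfs(vrfs, update)
    return {vrf.name: sorted(vrf.table) for vrf in vrfs}


def soo_demo() -> Tuple[bool, bool]:
    """Site-1 dual-homed to PE-1 and PE-2, both VRFs carrying SOO 100:65 as on slide 40.
    Returns (may PE-2 send the route back to Site-1, may PE-2 send it to a different site)."""
    rt = frozenset({"100:3"})
    pe1_odd = Vrf("odd@PE-1", "100:1", rt, rt, soo="100:65")
    pe2_odd = Vrf("odd@PE-2", "100:1", rt, rt, soo="100:65")
    pe2_other = Vrf("even@PE-2", "100:2", rt, rt, soo="100:66")   # a different site, constructed SOO
    route = export_from_vrf(pe1_odd, "10.65.0.1/32", "PE-1")
    import_into_vrfs([pe2_odd, pe2_other], route)
    return may_advertise_to_ce(pe2_odd, route), may_advertise_to_ce(pe2_other, route)


if __name__ == "__main__":
    print(central_services_demo())
    print(soo_demo())
```

Note that the isolation between VPN-A and VPN-B in the central services case comes purely from the RT sets: nothing else stops a client route from being imported elsewhere, which is why RT import lists deserve the same review as any other access control list.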

71 MPLS Bootcamp © 2000, Cisco Systems, Inc. Cisco Confidential MPLS VPN Internet Connectivity Static Default Route VPN sites may require Internet access either directly or via a central site - no full routing Default route provided through static or dynamic route within the VRF extension to ‘ip route’ command - Global keyword Internet gateway points to an exit point whose address is within the global routing table PE router generates VPN customer routes into BGP through global static routes

72 MPLS Bootcamp © 2000, Cisco Systems, Inc. Cisco Confidential MPLS VPN Internet Connectivity Static Default Route VPN A Global Internet Access VPN B VPN A VRF NH=Internet-PE VPN B VRF NH=Internet PE Internet Routing Table MPLS VPN Backbone ip route vrf VPN_A Internet-PE global ip route serial 1/0 ip route vrf VPN_B Internet-PE global ip route serial 1/ / /24

Slide 73: MPLS VPN Internet Connectivity, Dynamic Default Route
Figure: VPN A and VPN B each have a central site that originates a default route over the MPLS VPN backbone.
- Export the VPN A default with RT=17:22 and the VPN B default with RT=17:28.
- VPN-IPv4 updates carry Net=default (/0), RT=17:22 for VPN A and Net=default (/0), RT=17:28 for VPN B.
- VPN A VRF: import RT=17:22; VPN B VRF: import RT=17:28. Each VRF therefore receives only its own VPN's default route.

Slide 74: MPLS VPN Internet Connectivity, Separate BGP Session on the PE/CE Link
- Many clients wish to send and receive routes directly with the Internet; a default route is not sufficient in this environment.
- The Internet routes reside on the PE router, but in the global table, not in the VRF tables.
- A mechanism is needed to distribute this routing information to the VPN customer sites, and to receive the customer's routes and place them into the global, not the VRF, table.

Slide 75: MPLS VPN Internet Connectivity, Separate BGP Session on the PE/CE Link (figure)
- Achieved by using a second interface to the client site, either physical or logical (a sub-interface or a tunnel).
Figure: the CE at the VPN site connects to the PE over two (sub)interfaces; one is associated with the VRF and carries the VPN routes, the other is associated with the global routing table and carries the Internet routes from the global Internet.

Slide 76: MPLS VPN Internet Connectivity, Global Internet Table Association
- With multiple exit points, the full Internet routes can be associated with a VRF; with only one exit point, a default route pointing to the Internet exit interface will normally suffice.
- With multiple exit interfaces, default-route generation may cause sub-optimal routing: multiple defaults allow load balancing but no best-path selection.
- Associating the Internet routes with a VRF provides the ability to generate an aggregate default from them.

Slide 77: MPLS VPN Internet Connectivity, Global Internet Table Association (figure)
Figure: the PE peers with ISP A and ISP B and holds the full Internet routes.
- Export a default route with the Internet_access route target.
- A static default route points to a loopback interface so that the lookup for incoming packets occurs in the VRF.

Slide 78: MPLS VPN Internet Connectivity, Global Internet Table Association (continued)
- Optimal routing between providers is now possible.
- Everything other than the default must be filtered: CPU and administrative overhead.
- Label assignment occurs for every route within the VRF: memory overhead, even though the labels are never used.
- If full routes are distributed, the result can be multiple copies of the Internet routing table.

Slide 79: MPLS VPN Convergence

Slide 80: Routing Convergence
- Convergence needs to be assessed in two main areas: convergence within the MPLS VPN backbone, and convergence between VPN client sites.
- The two areas are completely independent, but together they make up the end-to-end convergence perceived by the VPN client, so they must be assessed in conjunction.

Slide 81: End-to-End Routing Convergence (figure)
Figure: VPN Client A attached to a PE; the path of a new VPN route through the backbone.
- A new VPN route is advertised by the client site and placed into its VRF on the ingress PE.
- The new VPN route is propagated across the MP-iBGP session.
- The new VPN route is imported into the relevant VRFs on the receiving PEs.
- The new VPN route is advertised to the relevant VPN sites.
- If a backbone link fails, the MPLS VPN backbone IGP converges on a new path to the BGP next hop.
- Client-to-client and MPLS VPN backbone IGP convergence are independent.

Slide 82: Convergence Across the Backbone
- Convergence of the MPLS VPN backbone IGP will not affect client-to-client route convergence unless the BGP next hop becomes unavailable, but it will affect client-to-client traffic while the backbone converges.
- The backbone may be router-only or based on ATM switches; convergence of the MPLS forwarding plane differs between cell-mode and frame-mode implementations.

Slide 83: Convergence, Router-Based Backbone
- Unsolicited downstream: bindings are advertised as soon as the route is in the routing table.
- Liberal label retention: with multiple neighbors, a next-hop change simply causes a new, already held label to be used for forwarding.
- Immediate notification of routing table change: a route addition or deletion is immediately propagated to the MPLS process.

Slide 84: Convergence, Router-Based Backbone (figure)
Figure: PE-1 reaches PE-2 via P-1 or via P-3 (P-2 is also in the backbone); VPN Client A hangs off PE-1. Bindings for the PE-2 loopback /32 shown on the slide: "use label 41", "use label 23", "use label 25" and "use label POP" (penultimate hop) from the various neighbors.
- MPLS and IGP backbone convergence are closely entwined.
- If the P-1 to PE-2 link fails, PE-1's next hop to destinations reachable via the PE-2 loopback /32 changes to P-3. Because P-3's label binding (41) is already held, convergence is as quick as the IGP.

Slide 85: Convergence, ATM Backbone
- Downstream-on-demand: affects convergence, as the LSR must signal for a downstream label binding.
- Conservative label retention: convergence is affected, as the LSR must signal for a downstream label binding if one does not exist; a next-hop change will cause a label request.
- Two-stage convergence: first the IGP converges around the topology change, then MPLS re-establishes the label mappings.

Slide 86: Convergence, ATM-Based Backbone (figure)
Figure: same topology as slide 84 with ATM-LSRs; the VC labels shown are 1/239 and 1/321 for the PE-2 loopback /32, plus label requests for that destination.
- An MPLS LSR must re-converge on the IGP change AND re-signal for a label mapping to the downstream next hop.
- If the P-1 to PE-2 link fails, PE-1's next hop to destinations reachable via the PE-2 loopback /32 changes to P-3. Because no label binding exists for that next hop, PE-1 must send a label request to the downstream ATM-LSR.

Slide 87: Client-to-Client Convergence
Four main convergence areas:
- Advertisement of routes from CE to PE and placement into the VRF
- Propagation of routes across the MPLS VPN backbone
- Import of these routes into the relevant VRFs
- Advertisement of VRF routes to attached VPN sites

Slide 88: Backbone Route Propagation
- Changes are not propagated to other BGP speakers immediately; they are batched and sent at the "advertisement-interval".
- Default: 5 seconds for iBGP, 30 seconds for eBGP.
- Can be tuned with the "neighbor advertisement-interval" command.
- Needs to be changed on both the backbone routers and the CE routers if BGP runs between PE and CE.

Slide 89: Import Process
- The import process uses a separate invocation of the scanner process; default: 15 seconds.
- Can be tuned with the "bgp scan-time import" command.
- It can take up to 15 seconds for a route to be placed into a receiving VRF, and then potentially another 30 seconds to be advertised to the CE if eBGP is in operation!

Slide 90: Scanner Process
- The scanner process also affects convergence.
- It is used to check next-hop reachability and to process any "network" commands within the BGP process.
- Invoked every 60 seconds by default; can be tuned with the "bgp scan-time" command.
- A large BGP table combined with a small scan-time can be VERY CPU intensive: beware!

Slide 91: BGP Route Advertisement
- In addition to scanning and importing routes, each PE router needs to advertise the best routes within each VRF to all its VRF neighbors.
- This occurs at both the ingress and the egress of the MPLS VPN network.
- With eBGP CE neighbors these routes are advertised every 30 seconds; with (iBGP) PE neighbors, every 5 seconds.
- Can be tuned with the "neighbor a.b.c.d advertisement-interval" command.

Slide 92: MPLS VPN Scaling

Slide 93: Scaling
- Existing BGP techniques can be used to scale the route distribution: route reflectors (RRs) and BGP confederations (Inter-AS VPN).
- Each edge router needs only the information for the directly connected VPNs it supports.
- RRs are used to distribute the VPN routing information.

Slide 94: MPLS-VPN Scaling, BGP Route Reflectors
- Route reflectors may be partitioned: each RR stores the routes for a set of VPNs.
- Thus no BGP router needs to store information on ALL VPNs.
- PEs peer with the RRs according to the VPNs they support.

Slide 95: MPLS-VPN Scaling, BGP Update Filtering
- An iBGP full mesh amongst PEs results in flooding of all VPN routes to all PEs.
- This causes scaling problems with a large number of routes, because each PE needs only the routes for its attached VRFs.

Slide 96: MPLS-VPN Scaling, BGP Update Filtering (continued)
- Each PE discards any VPN-IPv4 route that does not carry a route target configured for import in one of its attached VRFs.
- This significantly reduces the amount of information each PE has to store.
- The volume of the BGP table equals the volume of the attached VRFs (nothing more).

Slide 97: MPLS-VPN Scaling, BGP Update Filtering (figure)
- Each VRF has an import and an export policy configured; the policies use the route-target attribute (an extended community).
- The PE receives MP-iBGP updates for VPN-IPv4 routes. If the route target equals any of the import values configured on the PE, the update is accepted; otherwise it is silently discarded.
Figure: a PE with VRFs for the yellow and green VPNs (import RT=yellow, import RT=green) receives two VPN-IPv4 updates over its MP-iBGP sessions: "RD:Net1, Next-hop=PE-X, SOO=Site1, RT=Green, Label=XYZ" (accepted) and "RD:Net1, Next-hop=PE-X, SOO=Site1, RT=Red, Label=XYZ" (discarded).

Slide 98: MPLS-VPN Scaling, Route Refresh
- The import policy on a PE changes when VRFs are modified: new VRFs are added or VRFs are removed.
- However, the PE may not have stored routing information that becomes useful after such a change.
- The PE therefore requests a re-transmission of updates from its neighbors: Route-Refresh.
Figure: the PE now has import RT=green and import RT=red; the same two updates as on slide 97 arrive.
1. The PE does not have the red routes (previously filtered out).
2. The PE issues a Route-Refresh to all neighbors to ask for re-transmission.
3. The neighbors re-send their updates, and the "red" route target is now accepted.

Slide 99: MPLS-VPN Scaling, Outbound Route Filters (ORF)
- A PE router discards updates carrying an unused route target; the optimisation requires these updates NOT to be sent at all.
- An Outbound Route Filter (ORF) allows a router to tell its neighbors which filter to apply before propagating BGP updates.
Figure: the PE imports RT=yellow and RT=green.
1. The PE does not need the red routes.
2. The PE issues a Route-Refresh message carrying an ORF entry to its neighbors so as not to receive red routes: permit RT = Green, Yellow.
3. The neighbors dynamically configure the outbound filter and send updates accordingly; only the "RD:Net1, Next-hop=PE-X, SOO=Site1, RT=Green, Label=XYZ" update is sent.
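As an added example (not Cisco code and not from the deck), the following Python models the three mechanisms of slides 96 to 99 between one PE and one route reflector: the inbound route-target filter, the Route-Refresh a PE sends after a new VRF is added, and the ORF entry that stops the neighbor sending routes the PE would discard anyway. The RT names, RDs, prefixes, next hops and labels are constructed.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class VpnRoute:
    """A VPN-IPv4 NLRI with its route-target extended communities and VPN label."""
    rd: str
    prefix: str
    next_hop: str
    label: int
    rts: frozenset


@dataclass
class RouteReflector:
    """Neighbor side: holds every VPNv4 route plus an optional per-peer ORF."""
    rib: list
    orf: dict = field(default_factory=dict)   # peer -> frozenset of permitted RTs
    sent: int = 0                             # updates actually put on the wire

    def updates_for(self, peer):
        """Send everything, or only what the peer's ORF permits if one is installed."""
        allowed = self.orf.get(peer)
        out = [r for r in self.rib if allowed is None or r.rts & allowed]
        self.sent += len(out)
        return out

    def route_refresh(self, peer, orf=None):
        """Handle a ROUTE-REFRESH; an attached ORF entry replaces the peer's outbound filter."""
        if orf is not None:
            self.orf[peer] = frozenset(orf)
        return self.updates_for(peer)


@dataclass
class PE:
    """PE side: keeps only routes whose RT matches an import RT of an attached VRF."""
    name: str
    import_rts: set
    bgp_table: dict = field(default_factory=dict)   # (rd, prefix) -> VpnRoute
    discarded: int = 0

    def receive(self, updates):
        for r in updates:
            if r.rts & self.import_rts:
                self.bgp_table[(r.rd, r.prefix)] = r
            else:
                self.discarded += 1           # silently dropped, nothing stored

    def add_vrf_import(self, rr, rt, use_orf):
        """New VRF import policy. Routes dropped earlier are gone, so ask the RR to resend."""
        self.import_rts.add(rt)
        orf = self.import_rts if use_orf else None
        self.receive(rr.route_refresh(self.name, orf))


# Constructed routes: four VPNs, one prefix each. All values are illustrative.
RR_RIB = [
    VpnRoute("100:1", "10.1.0.0/16", "PE-X", 16, frozenset({"green"})),
    VpnRoute("100:2", "10.2.0.0/16", "PE-X", 17, frozenset({"yellow"})),
    VpnRoute("100:3", "10.3.0.0/16", "PE-Y", 18, frozenset({"red"})),
    VpnRoute("100:4", "10.4.0.0/16", "PE-Y", 19, frozenset({"blue"})),
]


def scenario(use_orf):
    """A PE with green and yellow VRFs comes up, then a red VRF is added.

    Returns (updates the RR sent, updates the PE discarded, sorted table keys).
    """
    rr = RouteReflector(rib=list(RR_RIB))
    pe = PE("PE-1", {"green", "yellow"})
    if use_orf:
        pe.receive(rr.route_refresh(pe.name, pe.import_rts))   # ORF installed at session start
    else:
        pe.receive(rr.updates_for(pe.name))
    pe.add_vrf_import(rr, "red", use_orf)
    return rr.sent, pe.discarded, sorted(pe.bgp_table)


if __name__ == "__main__":
    for mode in (False, True):
        sent, dropped, table = scenario(mode)
        print(f"orf={mode}: RR sent {sent} updates, PE discarded {dropped}, table={table}")
```

Both runs end with the same three routes in the PE's table, which is the point: the filter alone costs the RR a full re-send on every policy change (8 updates, 3 discarded here), while the ORF reduces that to exactly the routes the PE will keep (5 updates, none discarded).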

Slide 100: Connecting MPLS-VPN Backbones

Slide 101: Connecting MPLS-VPN Backbones
- Providers exchange routes between PE-ASBR routers using MP-eBGP for (labelled) VPNv4 addresses.
- Next hop and labels are rewritten by the PE-ASBRs.
- This requires the PE-ASBRs to store the VPN routes that need to be exchanged; the routes are in the MP-BGP table but not in any routing table, because the PE-ASBRs do not have any VRFs.
- The MP-eBGP labels are installed in the LFIB.

Slide 102: Connecting MPLS-VPN Backbones (figure)
Figure: two provider backbones, each a core of P LSRs with its own route reflector. One side holds PE-1, PE-2, RR-1 and CE-1, CE-2, CE-3; the other holds PE-3, RR-2 and CE-4, CE-5. PE-ASBR1 and PE-ASBR2 join the two backbones.
- The PE-ASBRs exchange VPNv4 addresses with labels over MP-eBGP (VPNv4 routes with label distribution).
- RR-1 reflects the VPNv4 internal routes; PE-ASBR1 advertises the VPNv4 external routes.
- RR-2 reflects the VPNv4 internal routes; PE-ASBR2 advertises the VPNv4 external routes.

Slide 103: Connecting MPLS-VPN Backbones (figure, control plane)
Figure: same topology as slide 102; the route for network N, originated by CE-2 behind PE-1, as it appears at each step:
- CE-2 to PE-1: Network=N, Next-hop=CE2
- PE-1 to RR-1, reflected to PE-ASBR1: Network=RD1:N, Next-hop=PE1, Label=L1
- PE-ASBR1 to PE-ASBR2 over MP-eBGP: Network=RD1:N, Next-hop=PE-ASBR1, Label=L2
- PE-ASBR2 to RR-2, reflected to PE-3: Network=RD1:N, Next-hop=PE-ASBR2, Label=L3
- PE-3 to its CE: Network=N, Next-hop=PE3

Slide 104: Multi-AS MPLS-VPN Backbones (figure, forwarding plane)
Figure: the label stack on a packet for destination N travelling from PE-3 to CE-2, after the VPNv4 routes were exchanged between the PE-ASBRs:
- PE-3 pushes L3 and the LDP label for PE-ASBR2: Dest=N, LDP-PE-ASBR2-label, L3
- After penultimate-hop popping in the P core: Dest=N, L3
- PE-ASBR2 swaps L3 for L2 and sends to PE-ASBR1: Dest=N, L2
- PE-ASBR1 swaps L2 for L1 and pushes the LDP label for PE-1: Dest=N, LDP-PE1-label, L1
- After penultimate-hop popping in the P core: Dest=N, L1
- PE-1 pops L1 and delivers the IP packet to CE-2: Dest=N
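The label walk of slides 103 and 104, as an added example in Python rather than anything from the deck: each router's LFIB is a table of incoming label to (operations, next hop), the ingress PE imposes the VPN label under the LDP label, and the packet is pushed through hop by hop. The VPN labels L1, L2, L3 and the router names follow the slides; the LDP labels 200 and 100 and the P router names P-A and P-B are assumptions.

```python
# Per-router LFIB: incoming top label -> (list of operations, next hop).
# Operations: ("pop",), ("swap", new_label), ("push", new_label).
# Constructed from the slide-104 walk. LDP labels 200/100 and the P router
# names are assumptions; the VPN labels L1/L2/L3 are the slides' own.
LFIB = {
    "P-B":      {200:  ([("pop",)], "PE-ASBR2")},                  # penultimate hop pops the LDP label
    "PE-ASBR2": {"L3": ([("swap", "L2")], "PE-ASBR1")},            # L3 was advertised to PE-3 via RR-2
    "PE-ASBR1": {"L2": ([("swap", "L1"), ("push", 100)], "P-A")},  # L2 came over MP-eBGP; push LDP label for PE-1
    "P-A":      {100:  ([("pop",)], "PE-1")},
    "PE-1":     {"L1": ([("pop",)], None)},                        # VPN label: pop, then IP lookup in the VRF
}

# Ingress VRF FIB on PE-3: prefix -> (labels bottom first, next hop).
VRF_FIB = {"PE-3": {"N": (["L3", 200], "P-B")}}

# Egress VRF IP lookup on PE-1 once the VPN label is gone.
VRF_ROUTE = {"PE-1": {"N": "CE-2"}}


def walk(node, stack, prefix):
    """Forward a labelled packet hop by hop.

    Returns [(router, stack after that router's processing, next hop)].
    A label with no LFIB entry is dropped: the LFIB is the only check an
    ASBR applies to what the neighboring AS hands it.
    """
    stack = list(stack)                    # top of stack is the last element
    trace = []
    while node in LFIB:
        entry = LFIB[node].get(stack[-1]) if stack else None
        if entry is None:
            trace.append((node, stack, "drop"))
            return trace
        ops, nh = entry
        for op in ops:
            if op[0] == "pop":
                stack.pop()
            elif op[0] == "swap":
                stack[-1] = op[1]
            elif op[0] == "push":
                stack.append(op[1])
        if nh is None:                     # egress PE: IP lookup in the VRF tied to the popped label
            nh = VRF_ROUTE[node][prefix]
        trace.append((node, list(stack), nh))
        node = nh
    return trace


def forward(ingress_pe, prefix):
    """Ingress PE imposes the VPN label and the LDP label, then hands off to walk()."""
    stack, nh = VRF_FIB[ingress_pe][prefix]
    return [(ingress_pe, list(stack), nh)] + walk(nh, stack, prefix)


if __name__ == "__main__":
    for router, labels, nh in forward("PE-3", "N"):
        print(f"{router:9} stack={labels} -> {nh}")
    print(walk("PE-ASBR2", ["L9"], "N"))   # unknown label from the peer AS: dropped
```

The drop case is the security-relevant one: in this model the PE-ASBR forwards only labels it allocated and advertised itself, so a peer AS can reach a VRF in your backbone exactly to the extent that you accepted its labelled VPNv4 routes over MP-eBGP, which is why that session deserves the same route-target and prefix filtering as any other trust boundary.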

Slide 105: MPLS VPN Configuration

Slide 106: MPLS VPN Configuration
- VPN knowledge is held on the PE routers.
- Several basic steps are necessary to provision a PE router for VPN service:
  - configuration of VRFs
  - configuration of Route Distinguishers
  - configuration of import/export policies
  - configuration of PE to CE links
  - association of VRFs with interfaces
  - configuration of MP-BGP

Slide 107: VRF & RD Configuration
- The RD is configured on the PE routers, with a separate RD per VRF.
- Good practice is to use the same RD for the same VPN on all PE routers, although this is not mandatory.
- VRF configuration commands:
    ip vrf vrf-name
     rd route-distinguisher
     route-target import route-target
     route-target export route-target

Slide 108: VRF Configuration (figure)
Figure: a PE with CEs in Paris and London (VPN-A) and Munich (VPN-B). The VRF for VPN-A (RT 100:1) holds the Paris and London routes; the VRF for VPN-B (RT 100:2) holds the Munich routes.
    ip vrf VPN-A
     rd 1:129
     route-target export 100:1
     route-target import 100:1
    ip vrf VPN-B
     rd 1:131
     route-target export 100:2
     route-target import 100:2

Slide 109: PE/CE Routing Protocol
- PE/CE can use BGP, RIPv2, OSPF or static routing.
- A routing context is used for all of these except OSPF, which uses a separate process.
- Routing contexts are defined within the routing protocol instance:
    router rip
     version 2
     !
     address-family ipv4 vrf vrf-name
      version 2
      network network-number
     !
     address-family ipv4 vrf ..

Slide 110: PE/CE Routing Protocol (continued)
- OSPF uses a different process per VRF:
    router ospf 100 vrf vrf-name
    !
    router ospf 200 vrf vrf-name
- BGP uses the address-family command:
    router bgp as-number
     !
     address-family ipv4 vrf vrf-name
     !
     address-family vpnv4
- Static routes are configured per VRF:
    ip route vrf vrf-name prefix mask next-hop

Slide 111: PE/CE Routing Protocol (figure)
Figure: a PE with CEs in Paris and London (VPN-A) and Munich (VPN-B). Interface and neighbor addresses were not captured from the slide.
    interface Serial3/5
     ip vrf forwarding VPN-A
     ip address 
     encapsulation ppp
    !
    interface Serial3/6
     ip vrf forwarding VPN-A
     ip address 
     encapsulation ppp
    !
    interface Serial3/7
     ip vrf forwarding VPN-B
     ip address 
     encapsulation ppp

    router bgp 109
     no bgp default ipv4-unicast
     neighbor  remote-as 100
     neighbor  update-source Loopback0
     !
     address-family ipv4 vrf VPN-B
      neighbor  remote-as 
      neighbor  activate
     exit-address-family
     !
     address-family ipv4 vrf VPN-A
      neighbor  remote-as 
      neighbor  activate
      neighbor  remote-as 
      neighbor  activate
     exit-address-family
     !
     address-family vpnv4
      neighbor  activate
      neighbor  send-community extended
     exit-address-family
- "ip vrf forwarding" must be entered before "ip address": assigning an interface to a VRF clears any address already configured on it.
- "neighbor send-community extended" under the vpnv4 address family is what carries the route targets; without it the receiving PE has nothing to match its import policy against and discards every route.
- The slide shows "router bgp 109" with an MP-iBGP neighbor in AS 100; for an iBGP session the local and remote AS must match, as on slide 113, where both are 100.

Slide 112: VRF-Based Commands
- All show commands are VRF based:
    show ip route vrf vrf-name
    show ip protocols vrf vrf-name
    show ip cef vrf vrf-name
- Ping and Telnet are VRF based:
    ping vrf vrf-name x.x.x.x
    telnet x.x.x.x /vrf vrf-name

Slide 113: MPLS VPN Internet Routing, VRF-Specific Default Route
Figure: a PE with Site-1 and Site-2 of VPN-A; PE-IG, the Internet gateway PE, has a BGP-4 session towards the Internet and an MP-BGP session to the PE. The customer network is a /16 (prefix not captured). Addresses and masks were not captured from the slide.
    ip vrf VPN-A
     rd 100:1
     route-target both 100:1
    !
    interface Serial0
     ip vrf forwarding VPN-A
     ip address 
    !
    router bgp 100
     no bgp default ipv4-unicast
     network  mask 
     neighbor  remote-as 100
     neighbor  activate
     neighbor  next-hop-self
     neighbor  update-source loopback0
     !
     address-family ipv4 vrf VPN-A
      neighbor  remote-as 
      neighbor  activate
     exit-address-family
     !
     address-family vpnv4
      neighbor  activate
     exit-address-family
    !
    ip route   Serial0
    ip route vrf VPN-A   global
- The VRF static default with the "global" keyword sends site traffic for unknown destinations to PE-IG via the global table.
- The global static route for the customer /16 pointing out Serial0 (an interface that belongs to the VRF), together with the "network" statement in the global BGP-4 process, makes the customer prefix reachable from the Internet.
- As on slide 111, "ip vrf forwarding" is entered before "ip address".

Slide 114: MPLS VPN Internet Routing, VRF-Specific Default Route (forwarding)
Figure: the Site-2 VRF on the PE holds the Site-1 routes, the Site-2 routes and a default route whose next hop is resolved in the global table. The PE's global table and LFIB hold the PE-IG loopback /32 with its label (the slide shows Label=5). An IP packet from the site for D=cisco.com matches the VRF default, is resolved through the global table and leaves the PE toward PE-IG carrying the single label drawn on the slide (Label=3); no VPN label is imposed.

Slide 115: MPLS VPN Internet Routing, Separated (sub)Interfaces
Figure: as slide 113, but the CE connects over two sub-interfaces: Serial0.1 in VRF VPN-A (VPN routes via MP-BGP) and Serial0.2 in the global table with a BGP-4 session to the CE in AS 502. Addresses and masks were not captured from the slide.
    ip vrf VPN-A
     rd 100:1
     route-target both 100:1
    !
    interface Serial0
     no ip address
    !
    interface Serial0.1
     ip vrf forwarding VPN-A
     ip address 
    !
    interface Serial0.2
     ip address 
    !
    router bgp 100
     no bgp default ipv4-unicast
     neighbor  remote-as 100
     neighbor  activate
     neighbor  next-hop-self
     neighbor  update-source loopback0
     network  mask 
     neighbor  remote-as 502
     !
     address-family ipv4 vrf VPN-A
      neighbor  remote-as 502
      neighbor  activate
     exit-address-family
     !
     address-family vpnv4
      neighbor  activate
     exit-address-family
- With "no bgp default ipv4-unicast" in effect, the AS 502 neighbor for the global session also needs "neighbor activate" (in router configuration mode or under "address-family ipv4") before any IPv4 Internet routes are exchanged over Serial0.2.
- The global session gives the customer a direct BGP path into the provider's global table, so it needs the inbound prefix filtering and maximum-prefix limits applied to any other eBGP customer session; the VRF session on Serial0.1 is contained by the VRF, the global one is not.

Slide 116: MPLS VPN Internet Routing, Separate (sub)Interfaces (forwarding)
Figure: CE routing table: Site-1 routes via Serial0.1, Internet routes via Serial0.2. PE global table: Internet routes via PE-IG (the slide shows Label=3). An IP packet for D=cisco.com arrives on Serial0.2, is looked up in the PE's global table and is forwarded toward PE-IG with the single label drawn on the slide.

Slide 117: MPLS-VPN Scaling, Route Refresh (detail)
- New BGP capability: route refresh. It allows a router to request from any neighbor the re-transmission of BGP updates.
- Useful when the inbound policy has been modified.
- Similar to the Cisco "soft-reconfiguration" feature, but without the need to store any route.
- BGP speakers may send a "Route-Refresh" message only to neighbors with which the capability has been exchanged.
- Reference: draft-chen-bgp-route-refresh-02.txt
Figure: the PE imports RT=yellow, RT=green and now RT=red; the updates "RD:Net1, Next-hop=PE-X, SOO=Site1, RT=Green, Label=XYZ" and "RD:Net1, Next-hop=PE-X, SOO=Site1, RT=Red, Label=XYZ" arrive.
1. The PE does not have the red routes (previously filtered out).
2. The PE issues a Route-Refresh to all neighbors to ask for re-transmission.
3. The neighbors re-send their updates, and the "red" route target is now accepted.

Slide 118: MPLS-VPN Scaling, Outbound Route Filters (ORF, detail)
- A PE router discards updates carrying an unused route target; the optimisation requires these updates NOT to be sent at all.
- An Outbound Route Filter (ORF) allows a router to tell its neighbors which filter to apply before propagating BGP updates.
- Reference: draft-chen-bgp-route-filter-00.txt
Figure: the PE imports RT=yellow and RT=green; the updates "RD:Net1, Next-hop=PE-X, SOO=Site1, RT=Green, Label=XYZ" and "RD:Net1, Next-hop=PE-X, SOO=Site1, RT=Red, Label=XYZ" are candidates at the neighbors.
1. The PE does not need the red routes.
2. The PE issues an ORF message to all neighbors so as not to receive red routes.
3. The neighbors dynamically configure the outbound filter and send updates accordingly.

Slide 119: MPLS VPN Configuration (figure)
Figure: PE1 attaches Site-1 and Site-2, PE2 attaches Site-3 and Site-4, across a core of P routers with a multihop MP-iBGP session between PE1 and PE2. Three VPNs (VPN-A, VPN-B, VPN-C) overlap, one per route target: 100:1 is shared by Site-1 and Site-2, 100:2 by Site-2 and Site-3, 100:3 by Site-3 and Site-4.
Resulting VRF contents:
- VRF for site-1 (100:1): Site-1 routes, Site-2 routes
- VRF for site-2 (100:2, also importing and exporting 100:1): Site-1 routes, Site-2 routes, Site-3 routes
- VRF for site-3 (100:2, also importing and exporting 100:3): Site-2 routes, Site-3 routes, Site-4 routes
- VRF for site-4 (100:3): Site-3 routes, Site-4 routes
PE1 (interface addresses were not captured from the slide):
    ip vrf site1
     rd 100:1
     route-target export 100:1
     route-target import 100:1
    ip vrf site2
     rd 100:2
     route-target export 100:2
     route-target import 100:2
     route-target import 100:1
     route-target export 100:1
    !
    interface Serial3/6
     ip vrf forwarding site1
     ip address 
     encapsulation ppp
    !
    interface Serial3/7
     ip vrf forwarding site2
     ip address 
     encapsulation ppp
PE2:
    ip vrf site3
     rd 100:2
     route-target export 100:2
     route-target import 100:2
     route-target import 100:3
     route-target export 100:3
    ip vrf site4
     rd 100:3
     route-target export 100:3
     route-target import 100:3
    !
    interface Serial4/6
     ip vrf forwarding site3
     ip address 
     encapsulation ppp
    !
    interface Serial4/7
     ip vrf forwarding site4
     ip address 
     encapsulation ppp
- The slide defines the fourth VRF as "ip vrf site-4" but assigns the interface with "ip vrf forwarding site4"; the names must match exactly, so "site4" is used for both above.

Slide 120: MPLS VPN Configuration, PE/CE Routing Protocols (figure)
Figure: same topology and VRF contents as slide 119; BGP is used between PE and CE. Neighbor addresses and CE AS numbers were not captured from the slide.
PE1:
    router bgp 100
     no bgp default ipv4-unicast
     neighbor  remote-as 100
     neighbor  update-source Loop0
     !
     address-family ipv4 vrf site2
      neighbor  remote-as 
      neighbor  activate
     exit-address-family
     !
     address-family ipv4 vrf site1
      neighbor  remote-as 
      neighbor  activate
     exit-address-family
     !
     address-family vpnv4
      neighbor  activate
      neighbor  next-hop-self
     exit-address-family
PE2:
    router bgp 100
     no bgp default ipv4-unicast
     neighbor  remote-as 100
     neighbor  update-source Loop0
     !
     address-family ipv4 vrf site4
      neighbor  remote-as 
      neighbor  activate
     exit-address-family
     !
     address-family ipv4 vrf site3
      neighbor  remote-as 
      neighbor  activate
     exit-address-family
     !
     address-family vpnv4
      neighbor  activate
      neighbor  next-hop-self
     exit-address-family

Slide 121: IOS Support for MPLS

Slide 122: MPLS-VPN IOS Releases, LDP Status
- Initial limited-deployment release in 12.0(10)ST and up; 12.0(11)ST is available on CCO.
- General deployment is also planned for 12.2(1)T.
- Will be based on the current IETF draft (draft-ietf-mpls-ldp-11.txt?).

Slide 123: References

Slide 124: References
RFCs and Internet Drafts:
- draft-rosen-rfc2547bis-02.txt (was RFC 2547)
- RFC 2858 (obsoletes RFC 2283)
- draft-ietf-mpls-bgp4-mpls-02.txt
- draft-ramachandra-bgp-ext-communities-04.txt
Textbooks:
- "MPLS and VPN Architectures," Ivan Pepelnjak and Jim Guichard (ISBN# )
- "MPLS: Technology and Applications," Bruce Davie and Yakov Rekhter (ISBN# )
Useful URLs

Slide 125: Reference Pointers
Mailing lists (the list addresses were not captured from the slide):
- mpls-vpn questions
- general mpls questions
- mpls-te questions

Slide 126: NW'00 Paris (© 2000, Cisco Systems, Inc.)