Advanced MPLS VPN Solutions

Transcription

1 AMVS Advanced MPLS VPN Solutions Volume 1 Version 1.0 Student Guide Text Part Number:

2 The products and specifications, configurations, and other technical information regarding the products in this manual are subject to change without notice. All statements, technical information, and recommendations in this manual are believed to be accurate but are presented without warranty of any kind, express or implied. You must take full responsibility for their application of any products specified in this manual. LICENSE PLEASE READ THESE TERMS AND CONDITIONS CAREFULLY BEFORE USING THE MANUAL, DOCUMENTATION, AND/OR SOFTWARE ( MATERIALS ). BY USING THE MATERIALS YOU AGREE TO BE BOUND BY THE TERMS AND CONDITIONS OF THIS LICENSE. IF YOU DO NOT AGREE WITH THE TERMS OF THIS LICENSE, PROMPTLY RETURN THE UNUSED MATERIALS (WITH PROOF OF PAYMENT) TO THE PLACE OF PURCHASE FOR A FULL REFUND. Cisco Systems, Inc. ( Cisco ) and its suppliers grant to you ( You ) a nonexclusive and nontransferable license to use the Cisco Materials solely for Your own personal use. If the Materials include Cisco software ( Software ), Cisco grants to You a nonexclusive and nontransferable license to use the Software in object code form solely on a single central processing unit owned or leased by You or otherwise embedded in equipment provided by Cisco. You may make one (1) archival copy of the Software provided You affix to such copy all copyright, confidentiality, and proprietary notices that appear on the original. EXCEPT AS EXPRESSLY AUTHORIZED ABOVE, YOU SHALL NOT: COPY, IN WHOLE OR IN PART, MATERIALS; MODIFY THE SOFTWARE; REVERSE COMPILE OR REVERSE ASSEMBLE ALL OR ANY PORTION OF THE SOFTWARE; OR RENT, LEASE, DISTRIBUTE, SELL, OR CREATE DERIVATIVE WORKS OF THE MATERIALS. You agree that aspects of the licensed Materials, including the specific design and structure of individual programs, constitute trade secrets and/or copyrighted material of Cisco. You agree not to disclose, provide, or otherwise make available such trade secrets or copyrighted material in any form to any third party without the prior written consent of Cisco. You agree to implement reasonable security measures to protect such trade secrets and copyrighted Material. Title to the Materials shall remain solely with Cisco. This License is effective until terminated. You may terminate this License at any time by destroying all copies of the Materials. This License will terminate immediately without notice from Cisco if You fail to comply with any provision of this License. Upon termination, You must destroy all copies of the Materials. Software, including technical data, is subject to U.S. export control laws, including the U.S. Export Administration Act and its associated regulations, and may be subject to export or import regulations in other countries. You agree to comply strictly with all such regulations and acknowledge that it has the responsibility to obtain licenses to export, re-export, or import Software. This License shall be governed by and construed in accordance with the laws of the State of California, United States of America, as if performed wholly within the state and without giving effect to the principles of conflict of law. If any portion hereof is found to be void or unenforceable, the remaining provisions of this License shall remain in full force and effect. This License constitutes the entire License between the parties with respect to the use of the Materials Restricted Rights - Cisco s software is provided to non-dod agencies with RESTRICTED RIGHTS and its supporting documentation is provided with LIMITED RIGHTS. Use, duplication, or disclosure by the U.S. Government is subject to the restrictions as set forth in subparagraph C of the Commercial Computer Software - Restricted Rights clause at FAR In the event the sale is to a DOD agency, the U.S. Government s rights in software, supporting documentation, and technical data are governed by the restrictions in the Technical Data Commercial Items clause at DFARS and DFARS DISCLAIMER OF WARRANTY. ALL MATERIALS ARE PROVIDED AS IS WITH ALL FAULTS. CISCO AND ITS SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. In no event shall Cisco s or its suppliers liability to You, whether in contract, tort (including negligence), or otherwise, exceed the price paid by You. The foregoing limitations shall apply even if the above-stated warranty fails of its essential purpose. The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense. The following information is for FCC compliance of Class B devices: The equipment described in this manual generates and may radiate radio-frequency energy. If it is not installed in accordance with Cisco s installation instructions, it may cause interference with radio and television reception. This equipment has been tested and found to comply with the limits for a Class B digital device in accordance with the specifications in part 15 of

3 the FCC rules. These specifications are designed to provide reasonable protection against such interference in a residential installation. However, there is no guarantee that interference will not occur in a particular installation. You can determine whether your equipment is causing interference by turning it off. If the interference stops, it was probably caused by the Cisco equipment or one of its peripheral devices. If the equipment causes interference to radio or television reception, try to correct the interference by using one or more of the following measures: Turn the television or radio antenna until the interference stops. Move the equipment to one side or the other of the television or radio. Move the equipment farther away from the television or radio. Plug the equipment into an outlet that is on a different circuit from the television or radio. (That is, make certain the equipment and the television or radio are on circuits controlled by different circuit breakers or fuses.) Modifications to this product not authorized by Cisco Systems, Inc. could void the FCC approval and negate your authority to operate the product. The following third-party software may be included with your product and will be subject to the software license agreement: CiscoWorks software and documentation are based in part on HP OpenView under license from the Hewlett- Packard Company. HP OpenView is a trademark of the Hewlett-Packard Company. Copyright 1992, 1993 Hewlett-Packard Company. The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB s public domain version of the UNIX operating system. All rights reserved. Copyright 1981, Regents of the University of California. Network Time Protocol (NTP). Copyright 1992, David L. Mills. The University of Delaware makes no representations about the suitability of this software for any purpose. Point-to-Point Protocol. Copyright 1989, Carnegie-Mellon University. All rights reserved. The name of the University may not be used to endorse or promote products derived from this software without specific prior written permission. The Cisco implementation of TN3270 is an adaptation of the TN3270, curses, and termcap programs developed by the University of California, Berkeley (UCB) as part of UCB s public domain version of the UNIX operating system. All rights reserved. Copyright , Regents of the University of California. Cisco incorporates Fastmac and TrueView software and the RingRunner chip in some Token Ring products. Fastmac software is licensed to Cisco by Madge Networks Limited, and the RingRunner chip is licensed to Cisco by Madge NV. Fastmac, RingRunner, and TrueView are trademarks and in some jurisdictions registered trademarks of Madge Networks Limited. Copyright 1995, Madge Networks Limited. All rights reserved. XRemote is a trademark of Network Computing Devices, Inc. Copyright 1989, Network Computing Devices, Inc., Mountain View, California. NCD makes no representations about the suitability of this software for any purpose. The X Window System is a trademark of the X Consortium, Cambridge, Massachusetts. All rights reserved. Access Registrar, AccessPath, Any to Any, Are You Ready, AtmDirector, Browse with Me, CCDA, CCDE, CCDP, CCIE, CCNA, CCNP, CCSI, CD-PAC, the Cisco logo, Cisco Certified Internetwork Expert logo, CiscoLink, the Cisco Management Connection logo, the Cisco NetWorks logo, the Cisco Powered Network logo, Cisco Systems Capital, the Cisco Systems Capital logo, Cisco Systems Networking Academy, the Cisco Systems Networking Academy logo, the Cisco Technologies logo, Fast Step, FireRunner, Follow Me Browsing, FormShare, GigaStack, IGX, Intelligence in the Optical Core, Internet Quotient, IP/VC, IQ Breakthrough, IQ Expertise, IQ FastTrack, IQ Readiness Scorecard, The IQ Logo, Kernel Proxy, MGX, Natural Network Viewer, NetSonar, Network Registrar, the Networkers logo, Packet, PIX, Point and Click Internetworking, Policy Builder, Precept, RateMUX, ReyMaster, ReyView, ScriptShare, Secure Script, Shop with Me, SlideCast, SMARTnet, SVX, The Cell, TrafficDirector, TransPath, VlanDirector, Voice LAN, Wavelength Router, Workgroup Director, and Workgroup Stack are trademarks; Changing the Way We Work, Live, Play, and Learn, Empowering the Internet Generation, The Internet Economy, and The New Internet Economy are service marks; and Aironet, ASIST, BPX, Catalyst, Cisco, Cisco IOS, the Cisco IOS logo, Cisco Systems, the Cisco Systems logo, the Cisco Systems Cisco Press logo, CollisionFree, Enterprise/Solver, EtherChannel, EtherSwitch, FastHub, FastLink, FastPAD, FastSwitch, GeoTel, IOS, IP/TV, IPX, LightStream, LightSwitch, MICA, NetRanger, Post-Routing, Pre-Routing, Registrar, StrataView Plus, Stratm, TeleRouter, and VCO are registered trademarks of Cisco Systems, Inc. or its affiliates in the U.S. and certain other countries. All other trademarks mentioned in this document are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any of its resellers. (0005R) Advanced MPLS VPN Solutions, Revision 1.0: Student Guide Copyright 2000, Cisco Systems, Inc. All rights reserved. Printed in USA.

4

5 Table of Contents Volume 1 ADVANCED MPLS VPN SOLUTIONS 1-1 Overview 1-1 Course Objectives 1-2 Course Objectives Implementation 1-3 Course Objectives Solutions 1-4 Prerequisites 1-5 Participant Role 1-7 General Administration 1-9 Sources of Information 1-10 MPLS VPN TECHNOLOGY 2-1 Overview 2-1 Objectives 2-1 Introduction to Virtual Private Networks 2-2 Objectives 2-2 Summary 2-8 Review Questions 2-8 Overlay and Peer-to-Peer VPN 2-9 Objectives 2-9 Overlay VPN Implementations 2-13 Summary 2-23 Review Questions 2-24 Major VPN Topologies 2-25 Objectives 2-25 VPN Categorizations 2-25 Summary 2-38 Review Questions 2-38 MPLS VPN Architecture 2-39 Objectives 2-39 Summary 2-60 Review Questions 2-61 MPLS VPN Routing Model 2-62 Objectives 2-62 Summary 2-78 Review Questions 2-78 MPLS VPN Packet Forwarding 2-79 Objectives 2-79 Summary 2-91 Review Questions 2-91 Lesson Summary 2-92 Answers to Review Questions 2-93 Introduction to Virtual Private Networks 2-93 Overlay and Peer-to-Peer VPN 2-93 Copyright 2000, Cisco Systems, Inc. Advanced MPLS VPN Solutions v

6 Major VPN Topologies 2-94 MPLS VPN Architecture 2-94 MPLS VPN Routing Model 2-95 MPLS VPN Packet Forwarding 2-96 MPLS/VPN CONFIGURATION ON IOS PLATFORMS 3-1 Overview 3-1 Objectives 3-1 MPLS/VPN Mechanisms in Cisco IOS 3-2 Objectives 3-2 Summary 3-16 Review Questions 3-16 Configuring Virtual Routing and Forwarding Table 3-17 Objectives 3-17 Summary 3-26 Review Questions 3-26 Configuring a Multi-Protocol BGP Session Between the PE Routers 3-27 Objectives 3-27 Summary 3-43 Review Questions 3-43 Configuring Routing Protocols Between PE and CE Routers 3-44 Objectives 3-44 Summary 3-55 Review Questions 3-55 Monitoring MPLS/VPN Operation 3-56 Objectives 3-56 Summary 3-82 Review Questions 3-82 Troubleshooting MPLS/VPN 3-83 Objectives 3-83 Summary Review Questions Advanced VRF Import/Export Features Objectives Summary Review Questions Advanced PE-CE BGP Configuration Objectives Summary Review Questions USING OSPF IN AN MPLS VPN ENVIRONMENT 4-1 Overview 4-1 Objectives 4-1 Using OSPF as the PE-CE Protocol in an MPLS VPN Environment 4-2 Objectives 4-2 Summary 4-26 Review Questions 4-26 Configuring and Monitoring OSPF in an MPLS VPN Environment 4-27 Objectives 4-27 Summary 4-35 Review Questions 4-35 vi Advanced MPLS VPN Solutions Copyright 2000, Cisco Systems, Inc.

7 Volume 2 Summary 4-36 Answers to Review Questions 4-37 Using OSPF as the PE-CE Protocol in an MPLS VPN Environment 4-37 Configuring and Monitoring OSPF in an MPLS VPN Environment 4-37 MPLS VPN TOPOLOGIES 5-1 Overview 5-1 Objectives 5-1 Simple VPN with Optimal Intra-VPN Routing 5-2 Objectives 5-2 Summary 5-17 Review Questions 5-17 Using BGP as the PE-CE Routing Protocol 5-18 Objectives 5-18 Summary 5-23 Review Questions 5-23 Overlapping Virtual Private Networks 5-24 Objectives 5-24 Summary 5-33 Review Questions 5-33 Central Services VPN Solutions 5-34 Objectives 5-34 Summary 5-47 Review Questions 5-47 Hub-andSpoke VPN Solutions 5-48 Objectives 5-48 Summary 5-54 Review Questions 5-54 Managed CE-Router Service 5-55 Objectives 5-55 Summary 5-60 Review Questions 5-60 Chapter Summary 5-60 INTERNET ACCESS FROM A VPN 6-1 Overview 6-1 Objectives 6-1 Integrating Internet Access with the MPLS VPN Solution 6-2 Objectives 6-2 Summary 6-16 Review Questions 6-16 Design Options for Integrating Internet Access with MPLS VPN 6-17 Objectives 6-17 Summary 6-23 Review Questions 6-23 Leaking Between VPN and Global Backbone Routing 6-24 Objectives 6-24 Usability of Packet Leaking for Various Internet Access Services 6-32 Redundant Internet Access with Packet Leaking 6-36 Summary 6-38 Review Questions 6-38 Copyright 2000, Cisco Systems, Inc. Advanced MPLS VPN Solutions vii

8 Separating Internet Access from VPN Service 6-39 Objectives 6-39 Usability of Separated Internet Access for Various Internet Access Services 6-44 Summary 6-46 Review Questions 6-46 Internet Access Backbone as a Separate VPN 6-47 Objectives 6-47 Usability of Internet in a VPN Solution for Various Internet Access Services 6-52 Summary 6-56 Review Questions 6-57 Chapter Summary 6-57 MPLS VPN DESIGN GUIDELINES 7-1 Overview 7-1 Objectives 7-1 Backbone and PE-CE Link Addressing Scheme 7-2 Objectives 7-2 Summary 7-15 Review Questions 7-16 Backbone IGP Selection and Design 7-17 Objectives 7-17 Summary 7-30 Review Questions 7-31 Route Distinguisher and Route Target Allocation Schemes 7-32 Objective 7-32 Summary 7-37 Review Questions 7-37 End-to-End Convergence Issues 7-38 Objectives 7-38 Summary 7-52 Review Questions 7-52 Chapter Summary 7-53 Answers to Review Questions 7-54 Backbone and PE-CE Link Addressing Scheme 7-54 Backbone IGP Selection and Design 7-55 Route Distinguisher and Route Target Allocation Scheme 7-56 End-to-End Convergence Issues 7-56 LARGE-SCALE MPLS VPN DEPLOYMENT 8-1 Overview 8-1 Objectives 8-1 MP-BGP Scalability Mechanisms 8-2 Objectives 8-2 Summary 8-12 Review Questions 8-12 Partitioned Route Reflectors 8-13 Objectives 8-13 Summary 8-28 Review Questions 8-28 Chapter Summary 8-29 viii Advanced MPLS VPN Solutions Copyright 2000, Cisco Systems, Inc.

9 MPLS VPN MIGRATION STRATEGIES 9-1 Overview 9-1 Objective 9-1 Infrastructure Migration 9-2 Objective 9-2 Summary 9-9 Review Questions 9-9 Customer Migration to MPLS VPN service 9-10 Objective 9-10 Generic Customer Migration Strategy 9-11 Migration From Layer-2 Overlay VPN 9-13 Migration from GRE Tunnel-Based VPN 9-16 Migration from IPSec-Based VPN 9-19 Migration from L2F-Based VPN 9-20 Migration From Unsupported PE-CE Routing Protocol 9-22 Summary 9-26 Review Questions 9-26 Chapter Summary 9-26 INTRODUCTION TO LABORATORY EXERCISES A-1 Overview A-1 Physical And Logical Connectivity A-2 IP Addressing Scheme A-5 Initial BGP Design A-7 Notes Pages A-8 LABORATORY EXERCISES FRAME-MODE MPLS CONFIGURATION B-1 Overview B-1 Laboratory Exercise B-1: Basic MPLS Setup B-2 Objectives B-2 Command list B-2 Task 1: Configure MPLS in your backbone B-2 Task 2: Remove BGP from your P-routers B-2 Verification: B-3 Review Questions B-4 Laboratory Exercise B-2: Disabling TTL Propagation B-5 Objective B-5 Command list B-5 Task: Disable IP TTL Propagation B-5 Verification B-5 Laboratory Exercise B-3: Conditional Label Advertising B-6 Objective B-6 Command list B-6 Task: Configure Conditional Label Advertising B-6 Verification B-6 Review Questions B-7 Copyright 2000, Cisco Systems, Inc. Advanced MPLS VPN Solutions ix

10 LABORATORY EXERCISES MPLS VPN IMPLEMENTATION C-1 Overview C-1 Laboratory Exercise C-1: Initial MPLS VPN Setup C-2 Objectives C-2 Background Information C-2 Command list C-3 Task 1: Configure multi-protocol BGP C-3 Task 2: Configure Virtual Routing and Forwarding Tables C-4 Additional Objective C-5 Task 3: Configuring Additional CE routers C-5 Verification C-6 Laboratory Exercise C-2: Running OSPF Between PE and CE Routers C-9 Objectives C-9 Visual Objective C-9 Command list C-10 Task 1: Configure OSPF on CE routers C-10 Task 2: Configure OSPF on PE routers C-10 Verification C-11 Task 3: Configure OSPF connectivity with additional CE routers C-11 Verification C-12 Laboratory Exercise C-3: Running BGP Between the PE and CE Routers C-13 Objectives C-13 Background Information C-13 Command list C-14 Task 1: Configure Additional PE-CE link C-14 Task 2: Configure BGP as the PE-CE routing protocol C-14 Verification C-15 Task 3: Select Primary and Backup Link with BGP C-16 Verification: C-16 Task 4: Convergence Time Optimization C-17 Verification C-17 LABORATORY EXERCISES MPLS VPN TOPOLOGIES D-1 Overview D-1 Laboratory Exercise D-1: Overlapping VPN Topology D-2 Objective D-2 Visual Objective D-2 Command list D-3 Task 1: Design your VPN solution D-4 Task 2: Remove WGxA1/WGxB1 from existing VRFs D-4 Task 3: Configure new VRFs for WGxA1 and WGxB1 D-4 Verification: D-4 Laboratory Exercise D-2: Common Services VPN D-8 Objective D-8 Background Information D-9 Command list D-10 Task 1: Design your Network Management VPN D-10 Task 2: Create Network Management VRF D-10 Verification D-11 Task 3: Establish connectivity between NMS VRF and other VRFs D-11 Verification D-11 Task 4: Establish routing between WGxPE2 and the NMS router D-12 x Advanced MPLS VPN Solutions Copyright 2000, Cisco Systems, Inc.

11 Verification D-13 Laboratory Exercise D-3: Internet Connectivity Through Route Leaking D-14 Objective D-14 Visual Objective D-14 Command list D-15 Task 1: Cleanup from the previous VPN exercises D-15 Task 2: Configure route leaking between customer VPN and the Internet D-15 Verification D-16 Additional exercise: Fix intra-vpn routing D-17 Laboratory Exercise D-4: Separate Interface for Internet Connectivity D-18 Objective D-18 Visual Objective D-19 Command list D-20 Task 1: Cleanup from the previous exercise D-20 Verification D-21 Task 2: Establishing connectivity in the global routing table D-21 Task 3: Routing between the PE-router and the CE-router D-21 Verification D-22 Laboratory Exercise D-5: Internet in a VPN D-23 Objective D-23 Visual Objective D-23 Command list D-24 Task 1: Design your Internet VPN D-24 Task 2: Migrate Internet routers in a VPN D-24 Verification D-25 Additional Task: Direct Internet connectivity for all CE-routers D-26 Verification D-26 INITIAL LABORATORY CONFIGURATION E-1 Overview E-1 Laboratory Exercise E-1: Initial Core Router Configuration E-2 Objective E-2 Task: Configure Initial Router Configuration E-2 Verification E-3 Laboratory Exercise E-2: Initial Customer Router Configuration E-4 Objective E-4 Task: Configure Customer Routers E-4 Verification E-5 Laboratory Exercise E-3: Basic ISP Setup E-6 Objective E-6 Task 1: Configure IS-IS in your backbone E-6 Task 2: Configure BGP in your backbone E-6 Task 3: Configure Customer Routing E-6 Task 4: Peering with other Service Providers E-7 Task 5: Establishing Network Management Connectivity E-7 Verification E-7 INITIAL ROUTER CONFIGURATION F-1 Overview F-1 Router WGxPE1 F-2 Router WGxPE2 F-4 Copyright 2000, Cisco Systems, Inc. Advanced MPLS VPN Solutions xi

12 Router WGxPE3 F-6 Router WGxPE4 F-8 Router WGxP F-10 Router WGxA1 F-12 Router WGxA2 F-14 Router WGxB1 F-15 Router WGxB2 F-17 xii Advanced MPLS VPN Solutions Copyright 2000, Cisco Systems, Inc.

13 1 Advanced MPLS VPN Solutions Overview Advanced MPLS VPN Solutions (AMVS) is an instructor-led course presented by Cisco training partners to their end-user customers. This four-day course focuses on using Virtual Private Networks (VPN) implemented with Multi-Protocol Label Switching (MPLS) technology. Upon completion of this training course, you will be able to design, implement and troubleshoot MPLS VPN networks. This chapter outlines the course prerequisites and course highlights, as well as some administrative issues. It includes the following topics: Course Objectives Course Topics Prerequisites Participant Role General Administration Sources of Information Course Syllabus Graphic Symbols

14 Course Objectives This section lists the course objectives. Course Objectives Technology Upon completion of this course, you will be able to perform the following tasks: Identify major VPN categories and topologies, their applications and technologies that can be used to implement them Describe MPLS/VPN terminology and architecture Describe the routing and forwarding model of MPLS/VPN 2000, Cisco Systems, Inc. BSCN v Advanced MPLS VPN Solutions Copyright 2000, Cisco Systems, Inc.

15 Course Objectives Implementation Course Objectives Implementation Upon completion of this course, you will be able to perform the following tasks: Configure Virtual Routing and Forwarding tables Configure Multi-protocol BGP in MPLS/VPN backbone and the PE-CE routing protocols Configure advanced MPLS/VPN features Monitor and troubleshoot MPLS/VPN operations Describe the specifics of OSPF operation inside a VPN network 2000, Cisco Systems, Inc. BSCN v Copyright 2000, Cisco Systems, Inc. Advanced MPLS VPN Solutions 1-3

16 Course Objectives Solutions Course Objectives Solutions Upon completion of this course, you will be able to perform the following tasks: Design and implement various MPLS/VPN topologies Connect your VPN customers to the Internet Design and implement MPLS/VPN backbone Build large-scale MPLS VPN backbones Develop a migration strategy toward MPLS/VPN from a wide range of existing network infrastructures 2000, Cisco Systems, Inc. BSCN v Advanced MPLS VPN Solutions Copyright 2000, Cisco Systems, Inc.

17 Prerequisites This section lists the course prerequisites. Prerequisites Successful completion of: Building Scalable Cisco Networks (BSCN) Configuring BGP on Cisco Routers One of the MPLS technology courses Advanced MPLS VPN Solutions Recommended: CCNP or CCIE certification In-depth OSPF or IS-IS knowledge MPLS Traffic Engineering and QoS knowledge 2000, Cisco Systems, Inc. BSCN v To fully benefit from AMVS, you should already possess certain knowledge and skills gained in a structured learning environment. You need to be have: In-depth understanding of IP routing and route redistribution in Cisco IOS In-depth knowledge of Border Gateway Protocol (BGP) and practical experience in configuring BGP networks Baseline MPLS knowledge. These skills can be gained from self-paced or instructor-led training sessions and from work experience. The best way to gain the skills you need to follow the CBCR course is: To gain IP routing and route redistribution skills, attend Building Scalable Cisco Networks (BSCN) course To gain BGP-related skills, attend Configuring BGP on Cisco Routers (CBCR) course To gain MPLS knowledge, attend MPLS Technology Essentials or Cisco MPLS course. You will be able to gain more practical experience from the course if already have work experience and router configuration skills. These skills are best demonstrated through Cisco career certifications Cisco Certified Networking Professional (CCNP) or Cisco Certified Internetworking Expert (CCIE). In-depth knowledge of Open Shortest Path First (OSPF) or Integrated Intermediate System Intermediate System (IS-IS) routing protocol will help you perform the laboratory exercises Copyright 2000, Cisco Systems, Inc. Advanced MPLS VPN Solutions 1-5

18 better. MPLS Traffic Engineering and MPLS Quality of Service knowledge will help you understand how these technologies relate to MPLS VPN. 1-6 Advanced MPLS VPN Solutions Copyright 2000, Cisco Systems, Inc.

19 Participant Role This section discusses your responsibilities as a student. Participant Role Student role Meet prerequisites Introduce yourself Ask and answer questions 2000, Cisco Systems, Inc. BSCN v To take full advantage of the information presented in this course, you should meet the prerequisites for this class. Introduce yourself to the instructor and other students who will be working with you during the five days of this course. You are encouraged to ask any questions relevant to the course materials. If you have pertinent questions concerning other Cisco features and products not covered in this course, please bring these topics up during breaks or after class, and the instructor will try to answer the questions or direct you to an appropriate information source. Copyright 2000, Cisco Systems, Inc. Advanced MPLS VPN Solutions 1-7

20 Welcome: Please Introduce Yourself Your name and work location Your job responsibilities Your internetworking experience Your objectives for this week 2000, Cisco Systems, Inc. BSCN v Introduce yourself, stating your name and the job function you perform at your work location. Briefly describe what experience you have with installing and configuring Cisco routers, attending Cisco classes, and how your work experience helped you meet the prerequisites highlighted earlier. You should also state what you expect to learn from this course. 1-8 Advanced MPLS VPN Solutions Copyright 2000, Cisco Systems, Inc.

21 General Administration This section highlights miscellaneous administrative tasks that must be addressed. General Administration Class-related Sign-in sheet Length and times Participant materials Attire Facilities-related Rest rooms Site emergency procedures Break and lunch room locations Communications 2000, Cisco Systems, Inc. BSCN v The instructor will discuss the administrative issues in detail so you will know exactly what to expect from both the class and facilities. The following items will be discussed: Recording your name on a sign-in sheet The starting and anticipated ending time of each class day What materials you can expect to receive during the class The appropriate attire during class attendance Rest room locations What to do in the event of an emergency Class breaks and lunch facilities How to send and receive telephone, , and fax messages Copyright 2000, Cisco Systems, Inc. Advanced MPLS VPN Solutions 1-9

22 Sources of Information This section identifies additional sources of information. Sources of Information Student kit CD-ROMs Cisco Press 2000, Cisco Systems, Inc. BSCN v Most of the information presented in this course can be found on the Cisco Systems Web site or on CD-ROM. These supporting materials are available in HTML format and as manuals and release notes. To learn more about the subjects covered in this course, feel free to access the following sources of information: Cisco Documentation CD-ROM ITM CD-ROM Cisco IOS 12.1 Configuration Guide Cisco IOS 12.1 Command Reference Guide Many of these documents can be found at the following URL: Cisco Press books and documents can be found at the following URL: Advanced MPLS VPN Solutions Copyright 2000, Cisco Systems, Inc.

23 Course Syllabus Technology Implementation Solutions MPLS VPN Technology MPLS VPN Configuration on IOS platforms Running OSPF in an MPLS VPN Environment MPLS VPN Topologies Internet Access from a VPN MPLS VPN Design Guidelines Large-Scale MPLS VPN Deployment MPLS VPN Migration Strategies 2000, Cisco Systems, Inc. BSCN v The following schedule reflects the recommended structure for this course. This structure allows enough time for your instructor to present the course information to you and for you to work through the laboratory exercises. The exact timing of the subject materials and labs depends on the pace of your specific class. Module 1, MPLS VPN Technology (0,5 day) The purpose of this module is to introduce you to the concept of Virtual Private Networks and MPLS VPN Architecture. The module also discusses routing and data forwarding model of MPLS VPN. Module 1 includes the following chapters: Chapter 1, Introduction Chapter 2, MPLS VPN Technology Module 2, MPLS VPN Implementation (1,5 day) The purpose of this module is to describe the operation and configuration of MPLS VPN on Cisco IOS platforms. Module 2 includes the following chapters: Chapter 3, MPLS VPN Configuration on IOS Platforms Chapter 4, Using OSPF in an MPLS VPN Environment Module 3, MPLS VPN Solutions (2 days) The purpose of the module is to describe typical MPLS VPN usage scenarios and give you design and implementation guidelines needed to deploy these scenarios in your network. Module 3 includes the following chapters: Chapter 5, MPLS VPN Topologies Chapter 6, Internet Access from a VPN Copyright 2000, Cisco Systems, Inc. Advanced MPLS VPN Solutions 1-11

24 Chapter 7, MPLS VPN Design Guidelines Chapter 8, Large-Scale MPLS VPN Deployment Chapter 9, MPLS VPN Migration Strategies 1-12 Advanced MPLS VPN Solutions Copyright 2000, Cisco Systems, Inc.

25 2 MPLS VPN Technology Overview Objectives This lesson introduces Virtual Private Networks (VPN) and two major VPN design options overlay VPN and peer-to-peer VPN. VPN terminology and topologies are introduced. The lesson then describes MPLS VPN architecture, operations and terminology. It details CE-PE routing from various perspectives and BGP extensions (route targets, and extended community attributes) that allow I-BGP to transport customer routes over a provider network. The MPLS VPN forwarding model is also covered together with its integration with core routing protocols Upon completion of this lesson, you will be able to perform the following tasks: Identify major Virtual Private network topologies, their characteristics and usage scenarios Describe the differences between overlay VPN and peer-to-peer VPN List major technologies supporting overlay VPNs and peer-to-peer VPNs Position MPLS VPN in comparison with other peer-to-peer VPN implementations Describe major architectural blocks of MPLS VPN Describe MPLS VPN routing model and packet forwarding

26 Introduction to Virtual Private Networks Objectives Upon completion of this section, you will be able to perform the following tasks: Describe the concept of VPN Understand VPN terminology as defined by MPLS VPN architecture 2-2 Advanced MPLS VPN Solutions Copyright 2000, Cisco Systems, Inc.

27 Traditional Router-Based Networks Site A Site B Site C Site D Traditional router-based networks connect customer sites through routers connected via dedicated point-to-point links 2000, Cisco Systems, Inc. Page5 Traditional router-based networks were implemented with dedicated point-to-point links connecting customer sites. The cost of such an approach was comparatively high for a number of reasons: The dedicated point-to-point links prevented any form of statistical infrastructure sharing on the Service Provider side, resulting in high costs for the end-customer Every link required a dedicated port on a router, resulting in high equipment costs. Copyright 2000, Cisco Systems, Inc. MPLS VPN Technology 2-3

28 Virtual Private Networks Virtual Circuit (VC) #1 Customer site Customer Premises router (CPE) Provider core device Provider edge device (Frame Relay switch) PE device PE device CPE router Other CPE router customer routers Large customer site Virtual Circuit (VC) #2 Service Provider Network Virtual Private Networks replace dedicated point-topoint links with emulated point-to-point links sharing common infrastructure Customers use VPNs primarily to reduce their operational costs 2000, Cisco Systems, Inc. Page6 Virtual Private Networks (VPNs) were introduced very early in the history of data communications with technologies like X.25 and Frame Relay, which use virtual circuits to establish the end-to-end connection over a shared service provider infrastructure. These technologies, although sometimes considered legacy and obsolete, still share the basic business assumptions with the modern VPN approaches: The dedicated links are replaced with common infrastructure that emulates point-to-point links for the customer, resulting in statistical sharing of Service Provider infrastructure Statistical sharing of infrastructure enables the service provider to offer the connectivity for lower price, resulting in lower operational costs for the end customers. The statistical sharing is illustrated in the graphic, where you can see the CPE router on the left has one physical connection to the service provider with two virtual circuits provisioned. Virtual Circuit 1 (VC # 1) provides connectivity to the top CPE router on the right. Virtual Circuit 2 (VC #2) provides the connectivity to the bottom CPE router on the right. 2-4 Advanced MPLS VPN Solutions Copyright 2000, Cisco Systems, Inc.

29 VPN Terminology Customer site Large customer site Provider Network (P-Network): the Service Provider infrastructure used to provide VPN services Customer Network (C-Network): the part of the network still under customer control Customer Site: a contiguous part of customer network (can encompass many physical locations) 2000, Cisco Systems, Inc. Page7 There are many conceptual models and terminologies describing various Virtual Private Network technologies and implementations. In this section we ll focus on the terminology introduced by MPLS VPN architecture. As you ll see, the terminology is generic enough to cover any VPN technology or implementation and is thus extremely versatile. The major parts of an overall VPN solution are always: The Service Provider network (P-network): the common infrastructure the Service Provider uses to offer VPN services to the customers The Customer network (C-network): the part of the overall customer network that is still exclusively under customer control. Customer sites: contiguous parts of customer network. A typical customer network implemented with any VPN technology would contain islands of connectivity completely under customer control (customer sites) connected together via the Service Provider infrastructure (P-network). Copyright 2000, Cisco Systems, Inc. MPLS VPN Technology 2-5

30 VPN Terminology Customer site Service Provider Network Large customer site Provider Edge (PE) device: the device in the P-network to which the CE-devices are connected Provider core (P) device: the device in the P-network with no customer connectivity Customer Edge (CE) device: the device in the C-network with link into P-network. Also called Customer Premises Equipment (CPE) 2000, Cisco Systems, Inc. Page8 The devices that enable the overall VPN solution are named based on their position in the network: Customer router that connected the customer site to the Service Provider network is called a Customer Edge router (CE-router). Traditionally this device is called Customer Premises Equipment (CPE). Note If the CE device is not a router, but, for example, a Packet Assembly and Disassembly (PAD) device, we can still use a generic term CE-device. Service Provider devices where the customer devices are attached are called Provider Edge (PE) devices. In traditional switched Wide Area Network (WAN) implementations, these devices would be Frame Relay or X.25 edge switches. Service Provider devices that only provide data transport across the Service Provider backbone and have no customers attached to them are called Provider (P) devices. In traditional switched WAN implementations these would be core (or transit) switches. 2-6 Advanced MPLS VPN Solutions Copyright 2000, Cisco Systems, Inc.

31 VPN Terminology Specific to Switched WAN Virtual Circuit (VC) #1 Customer site Customer Premises Router (CPE) Provider core device Provider edge device (Frame Relay switch) PE device PE device CPE router Other CPE router customer routers Large customer site Virtual Circuit (VC) #2 Service Provider Network Virtual Circuit (VC): emulated point-topoint link established across shared layer-2 infrastructure Permanent Virtual Circuit (PVC) is established through out-of-band means (network management) and is always active Switched Virtual Circuit (SVC) is established through CE-PE signaling on demand from the CE device 2000, Cisco Systems, Inc. Page9 Switched WAN technologies introduced a term Virtual Circuit (VC), which is an emulated point-to-point link established across layer-2 infrastructure (for example, Frame Relay network). The virtual circuits are further differentiated into Permanent Virtual Circuits (PVC) which are pre-established by means of network management or manual configuration and Switched Virtual Circuits (SVC) which are established on demand through a call setup request from the CE device. Copyright 2000, Cisco Systems, Inc. MPLS VPN Technology 2-7

32 Summary Virtual Private Networks were introduced by Service Providers to offer a more cost-effective alternative to traditional customer network design, which relied on dedicated point-to-point links between customer sites. The overall network implemented with a VPN solution is divided into the Customer network (C-network), which is exclusively under customer s control and the Provider network (P-network), the shared infrastructure used to offer the VPN services. A contiguous part of the C-network is called a customer site. The device linking a customer site with the P-network is called Customer Edge (CE) device. Most commonly this is a router, called CE-router. This component was traditionally named Customer Premises Equipment (CPE). The edge device in Service Provider network, to which the customers are attached, is called Provider Edge (PE) device. The device inside the Provider network with no customer connectivity is a Provider (P) device. Review Questions Answer the following questions: Why are customers interested in Virtual Private Networks? What is the main role of a VPN? What is a C-network? What is a customer site? What is a CE-router? What is a P-network? What is the difference between a PE-device and a P-device? 2-8 Advanced MPLS VPN Solutions Copyright 2000, Cisco Systems, Inc.

33 Overlay and Peer-to-Peer VPN Objectives Upon completion of this section, you will be able to perform the following tasks: Describe the differences between overlay and peer-to-peer VPN Describe the benefits and drawbacks of each VPN implementation option List major technologies supporting overlay VPNs Describe traditional peer-to-peer VPN implementation options Copyright 2000, Cisco Systems, Inc. MPLS VPN Technology 2-9

34 VPN Implementation Technologies VPN services can be offered based on two major paradigms: Overlay Virtual Private Networks where the Service Provider provides virtual point-topoint links between customer sites Peer-to-Peer Virtual Private Networks where the Service Provider participates in the customer routing 2000, Cisco Systems, Inc. Page14 Traditional VPN implementations were all based on the overlay paradigm the Service Provider sells virtual circuits between customer sites as a replacement for dedicated point-to-point links. The overlay paradigm has a number of drawbacks that will be identified in this section. To overcome these drawbacks (particularly in IP-based customer networks), a new paradigm called peer-to-peer VPN was introduced where the Service Provider actively participates in customer routing Advanced MPLS VPN Solutions Copyright 2000, Cisco Systems, Inc.

35 Overlay VPN Implementation (Frame Relay Example) Customer Site Virtual Circuit (VC) #2 Customer Site Router A Customer Site (VC) #1 Provider Edge Device (Frame Relay Switch) Frame Relay Edge Switch Router C Customer Site Router B Frame Relay Edge Switch Virtual Circuit (VC) #3 Frame Relay Edge Switch Service Provider Network Router D 2000, Cisco Systems, Inc. Page15 The diagram above shows a typical overlay VPN, implemented by a Frame Relay network. The customer needs to connect three sites (site Alpha being the central site the hub) and orders connectivity between Alpha (Hub) and Beta (Spoke) and between Alpha (Hub) and Gamma (Spoke). The Service Provider implements this request by providing two PVCs across the Frame Relay network. Copyright 2000, Cisco Systems, Inc. MPLS VPN Technology 2-11

36 Layer-3 routing in Overlay VPN implementation Router A Router B Router C Router D Service Provider infrastructure appears as point-topoint links to customer routes Routing protocols run directly between customer routers Service Provider does not see customer routes and is responsible only for providing point-to-point transport of customer data 2000, Cisco Systems, Inc. Page16 From the layer-3 perspective, the Service Provider network is invisible the customer routers are linked with emulated point-to-point links. The routing protocol is run directly between customer routers that establish routing adjacencies and exchange routing information. The Service Provider is not aware of customer routing and has no information about customer routes. The responsibility of the Service Provider is purely the point-to-point data transport between customer sites Advanced MPLS VPN Solutions Copyright 2000, Cisco Systems, Inc.

37 Overlay VPN Implementations There are a number of different overlay VPN implementations, ranging from traditional Time Division Multiplexing (TDM) to highly complex technologies running across IP backbones. In the following slides, we ll introduce major VPN technologies and implementations. Overlay VPN Layer-1 Implementation IP PPP HDLC ISDN E1, T1, DS0 SDH, SONET This is the traditional TDM solution: Service Provider establishes physical-layer connectivity between customer sites Customer takes responsibility for all higher layers 2000, Cisco Systems, Inc. Page17 In layer-1 overlay VPN implementation, the Service Provider sells layer-1 circuits (bit pipes) implemented with technologies like ISDN, DS0, E1, T1, SDH or SONET. The customer takes responsibility for layer-2 encapsulation between customer devices and the transport of IP data across the infrastructure. Copyright 2000, Cisco Systems, Inc. MPLS VPN Technology 2-13

38 Overlay VPN Layer-2 Implementation IP X.25 Frame Relay ATM This is the traditional Switched WAN solution: Service Provider establishes layer-2 virtual circuits between customer sites Customer takes responsibility for all higher layers 2000, Cisco Systems, Inc. Page18 Layer-2 VPN implementation is the traditional switched WAN model, implemented with technologies like X.25, Frame Relay, ATM or SMDS. The Service Provider is responsible for transport of layer-2 frames between customer sites and the customer takes responsibility for all higher layers Advanced MPLS VPN Solutions Copyright 2000, Cisco Systems, Inc.

39 Overlay VPN IP Tunneling Internet Protocol (IP) Generic Route Encapsulation (GRE) IP Security (IPSec) Internet Protocol (IP) VPN is implemented with IP-over-IP tunnels Tunnels are established with GRE or IPSec GRE is simpler (and quicker), IPSec provides authentication and security 2000, Cisco Systems, Inc. Page19 With the success of Internet Protocol (IP) and associated technologies, some Service Providers started to implement pure IP backbones to offer VPN services based on IP. In other cases, the customers want to take advantage of low cost and universal availability of Internet to build low-cost private networks over it. Whatever the business reasons behind it, overlay Layer 3 VPN implementation over IP backbone always involves tunneling (encapsulation of protocol units at a certain layer of OSI model into protocol units at the same or higher layer of OSI model). Two well-known tunneling technologies are IP Security (IPSEC) and Generic Route Encapsulation (GRE). GRE is fast and simple to implement and supports multiple routed protocols, but provides no security and is thus unsuitable for deployment over the Internet. An alternate tunneling technology is IPSec, which provides network layer authentication and optional encryption to make data transfer over the Internet secure. IPSec only supports the IP routed protocol. Copyright 2000, Cisco Systems, Inc. MPLS VPN Technology 2-15

40 Overlay VPN Layer-2 Forwarding Internet Protocol (IP) Point-to-Point Protocol (PPP) Layer-2 Transport Protocol (L2TP) Layer-2 Forwarding (L2F) Point-to-Point Tunneling (PPTP) Internet Protocol (IP) VPN is implemented with PPP-over-IP tunnels Usually used in access environments (dial-up, DSL) 2000, Cisco Systems, Inc. Page20 Yet another tunneling technique that was first implemented in dial-up networks, where the Service Providers wanted to tunnel customer dial-up data encapsulated in point-to-point protocol (PPP) frames over an IP backbone to the customer s central site. To make the Service Provider transport transparent to the customer, PPP frames are exchanged between the customer sites (usually a dial-up user and a central site) and the customer is responsible for establishing layer-3 connectivity above PPP. There are three well-known PPP forwarding implementations: Layer 2 Forwarding (L2F) Layer 2 Transport Protocol (L2TP) Point-to-Point Tunneling Protocol (PPTP) 2-16 Advanced MPLS VPN Solutions Copyright 2000, Cisco Systems, Inc.

41 Peer-to-Peer VPN Concept Customer Site Routing information is exchanged between customer and service-provider routers Service Provider Network Customer Site Router A Customer Site Provider Edge (PE) Router (PE) Router Router C Customer Site Router B Router D (PE) Router (PE) Router Service Provider routers exchange customer routes through the core network Finally, the customer routes propagated through the service-provider network are sent to other customer routers 2000, Cisco Systems, Inc. Page21 Overlay VPN paradigm has a number of drawbacks, most significant of them being the need for the customer to establish point-to-point links or virtual circuits between sites. The formula to calculate how many point-to-point links or virtual circuits you need in the worst case is ((n)(n-1))/2, where n is the number of sites you need to connect. For example, if you need to have full mesh connectivity between 4 sites, you will need a total of 6 point-to-point links or virtual circuits. To overcome this drawback and provide the customer with optimum data transport across the Service Provider backbone, the peer-to-peer VPN concept was introduced where the Service Provider actively participates in the customer routing, accepting customer routes, transporting them across the Service Provider backbone and finally propagating them to other customer sites. Copyright 2000, Cisco Systems, Inc. MPLS VPN Technology 2-17

42 Peer-to-Peer VPN with Packet Filters Customer A Site #1 Service provider network Point-of-Presence Customer A Site #2 Customer B Site #1 Shared router POP router carries all customer routes Isolation between customers is achieved with packet filters on PE-CE interfaces 2000, Cisco Systems, Inc. Page22 The first peer-to-peer VPN solutions appeared several years ago. Architectures similar to the Internet were used to build them and special provisions had to be taken in account to transform the architecture, which was targeted toward public backbones (Internet) into a solution where the customers would be totally isolated and able to exchange their corporate data securely. The more common peer-to-peer VPN implementation uses packet filters on the PE-routers to isolate the customers. The Service Provider allocates portions of its address space to the customers and manages the packet filters on the PE-routers to ensure full Reachability between sites of a single customer and isolation between customers Advanced MPLS VPN Solutions Copyright 2000, Cisco Systems, Inc.

43 Peer-to-Peer VPN with Controlled Route Distribution Customer A Site #1 Service provider network Point-of-Presence The P-router contains all customer routes Customer A Site #2 PE-router Customer-A P-router Uplink PE-router Customer-B Customer B Site #1 Each customer has a dedicated PE router that only carries its routes Customer isolation is achieved through lack of routing information on PE router 2000, Cisco Systems, Inc. Page23 Maintaining packet filters is a mundane and error-prone task. Some Service Providers thus implemented more innovative solutions based on controlled route distribution. In this approach, the core Service Provider routers (the P-routers) would contain all customer routes and the PE-routers would only contain routes of a single customer, requiring a dedicated PE-router per customer per Point-of- Presence (POP). The customer isolation is achieved solely through lack of routing information on the PE-router. Using route filtering between the P-router and the PE-routers, the PE-router for Customer A will only learn routes belonging to Customer A, and the PE-router for Customer B will only learn routes belonging to Customer B. Border Gateway Protocol (BGP) with BGP communities is usually used inside the Provider backbone since it offers the most versatile route filtering tools. Note Default routes used anywhere in the customer or Service Provider network break isolation between the customers and have to be avoided. Copyright 2000, Cisco Systems, Inc. MPLS VPN Technology 2-19