DEPLOYING MPLS-VPN. Rajiv Asati (rajiva@cisco.com)




[Slide 1] Deploying MPLS-VPN. Rajiv Asati (rajiva@cisco.com)

[Slide 2] Agenda
- MPLS VPN Definition? Technology, Configuration
- MPLS-VPN Services
  - Providing load-shared traffic to the multihomed VPN sites
  - Providing Hub & Spoke service to the VPN customers
  - Providing MPLS VPN Extranet service
  - Providing Internet access service to VPN customers
  - Providing VRF-selection based services
  - Providing Remote Access MPLS VPN
  - Providing VRF-aware NAT services
- Advanced MPLS VPN Topics
  - Inter-AS MPLS-VPN
  - CsC (Carrier Supporting Carrier)
- Best Practices
- Conclusion

[Slide 3] Prerequisites
- Must understand basic IP routing, especially BGP
- Must understand MPLS basics (push, pop, swap, label stacking)
- Must finish the evaluation: http://www.networkers04.com/desktop

[Slide 4] Terminology
- LSR: Label Switch Router
- LSP: Label Switched Path; the chain of labels that are swapped at each hop to get from one LSR to another
- VRF: VPN Routing and Forwarding; the mechanism in IOS used to build a per-interface RIB and FIB
- MP-BGP: Multi-Protocol BGP
- PE: Provider Edge router; interfaces with CE routers
- P: Provider (core) router, without knowledge of VPNs
- VPNv4: address family used in BGP to carry MPLS-VPN routes
- RD: Route Distinguisher; distinguishes the same network/mask prefix in different VRFs
- RT: Route Target; extended community attribute used to control import and export policies of VPN routes
- LFIB: Label Forwarding Information Base
- FIB: Forwarding Information Base

[Slide 5] Agenda (section divider: MPLS VPN Definition, Technology, Configuration)

[Slide 6] MPLS-VPN Operations Theory
- VPN definition: VRF instance
- VPN route propagation (control plane)
- VPN packet forwarding (data plane)

[Slide 7] MPLS VPN Connection Model
(Figure: CE - PE - P - P - PE - CE; VPN backbone IGP among P and PE routers; MP-iBGP session between the PE routers.)
Edge routers (PE routers):
- Use MPLS with P routers
- Use IP with CE routers
- Connect to both CE and P routers
- Distribute VPN information through MP-BGP to other PE routers, with VPN-IPv4 addresses, Extended Community and Label
P routers:
- P routers are in the core of the MPLS cloud
- P routers do not need to run BGP and do not need any VPN knowledge
- Forward packets by looking at labels
- P and PE routers share a common IGP

[Slide 8] MPLS VPN: Separate Routing Tables in PE
(Figure: VPN site 1 and VPN site 2 attach through CE routers to a PE; PE-CE routing is eBGP, OSPF, RIPv2 or static; the MPLS backbone IGP is OSPF or IS-IS.)
VRF routing table:
- Routing (RIB) and forwarding table (CEF) associated with one or more directly connected sites (CEs)
- The routes the PE receives from CE routers are installed in the appropriate VRF routing table(s): the blue VRF routing table or the green VRF routing table
The global routing table:
- Populated by the MPLS backbone IGP
- In PE routers, may contain the BGP Internet routes (standard IPv4 routes)

[Slide 9] VRF: Virtual Routing and Forwarding Instance
What's a VRF?
- Associates to one or more interfaces on the PE
- Privatizes an interface, i.e. "coloring" of the interface
- Has its own routing table and forwarding table (CEF)
- Has its own instance of the routing protocol (static, RIP, BGP, EIGRP, OSPF)
- The CE router runs standard routing software

[Slide 10] VRF: Virtual Routing and Forwarding Instance (continued)
- The PE installs the routes learned from CE routers in the appropriate VRF routing table(s)
- The PE installs the IGP (backbone) routes in the global routing table
- VPN customers can use overlapping IP addresses

[Slide 11] Additions in BGP: MPLS-VPN Info
MP-iBGP update carrying RD, RT and Label:
  RD (8 bytes) | IPv4 prefix (4 bytes) | Route-Target (8 bytes) | Label (3 bytes)
  e.g. RD 1:1, IPv4 10.1.1.0
- RD: Route Distinguisher
- VPNv4 routes
- RT: Route Target
- Label

[Slide 12] MPLS VPN Control Plane: MP-BGP Update Components: VPNv4 address
- To convert an IPv4 address into a VPNv4 address, the RD is prepended to the IPv4 address, i.e. 1:1:10.1.1.0
- This makes the customer's IPv4 route globally unique
- Each VRF must be configured with an RD at the PE
- The RD is what defines the VRF!
    ip vrf v1
     rd 1:1
    !

[Slide 13] MPLS VPN Control Plane: MP-BGP Update Components: Route-Target
  RD 1:1 | IPv4 10.1.1.0 | Route-Target 2:2 | Label
- Route-target (RT): identifies the VRF(s) for the received VPNv4 prefix
- It is an 8-byte extended community (a BGP attribute)
- Each VRF is configured with RT(s) at the PE
- The RT helps to "color" the prefix!
    ip vrf v1
     route-target import 1:1
     route-target export 1:2
    !

[Slide 14] MPLS VPN Control Plane: MP-BGP Update Components: Label
  RD 1:1 | IPv4 10.1.1.0 | Route-Target 2:2 | Label 50
- The label (for the VPNv4 prefix) is assigned only by the PE whose address is the Next-Hop attribute
- PE routers rewrite the Next-Hop with their own address (loopback): Next-Hop-Self towards MP-iBGP neighbors by default
- PE addresses used as BGP Next-Hop must be uniquely known in the backbone IGP
- DO NOT summarize the PE loopback addresses in the core
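Slides 11 to 14 describe the MP-BGP pieces (RD, RT and the labelled VPNv4 prefix) as layout boxes. The following encoder/decoder is an added example, not part of the deck, that builds the wire form of those pieces per RFC 4364 (RD, VPNv4 NLRI), RFC 3107 (label field) and RFC 4360 (RT extended community), and shows that the same 10.1.1.0/24 under RD 1:1 and under RD 2:2 is two distinct NLRIs. The label and RD values are the deck's; the second RD/label pair in the demo is constructed.

```python
"""Encode/decode the MP-BGP pieces the deck describes: RD, RT and the labelled VPNv4 NLRI."""
import ipaddress
import struct


def encode_rd(rd: str) -> bytes:
    """8-byte Route Distinguisher: type 0 (AS:nn) or type 1 (A.B.C.D:nn), RFC 4364 section 4.2."""
    admin, num = rd.rsplit(":", 1)
    if "." in admin:
        return struct.pack("!H4sH", 1, ipaddress.IPv4Address(admin).packed, int(num))
    return struct.pack("!HHI", 0, int(admin), int(num))


def decode_rd(data: bytes) -> str:
    rd_type = struct.unpack("!H", data[:2])[0]
    if rd_type == 0:
        asn, num = struct.unpack("!HI", data[2:8])
        return f"{asn}:{num}"
    if rd_type == 1:
        ip, num = struct.unpack("!4sH", data[2:8])
        return f"{ipaddress.IPv4Address(ip)}:{num}"
    raise ValueError(f"unsupported RD type {rd_type}")


def encode_rt(rt: str) -> bytes:
    """8-byte Route Target extended community (RFC 4360): sub-type 0x02, type 0x00 (AS) or 0x01 (IPv4)."""
    admin, num = rt.rsplit(":", 1)
    if "." in admin:
        return struct.pack("!BB4sH", 0x01, 0x02, ipaddress.IPv4Address(admin).packed, int(num))
    return struct.pack("!BBHI", 0x00, 0x02, int(admin), int(num))


def decode_rt(data: bytes) -> str:
    if data[1] != 0x02:
        raise ValueError("not a route-target extended community")
    if data[0] == 0x00:
        asn, num = struct.unpack("!HI", data[2:8])
        return f"{asn}:{num}"
    if data[0] == 0x01:
        ip, num = struct.unpack("!4sH", data[2:8])
        return f"{ipaddress.IPv4Address(ip)}:{num}"
    raise ValueError(f"unsupported extended community type {data[0]:#x}")


def encode_vpnv4_nlri(label: int, rd: str, prefix: str) -> bytes:
    """Labelled VPNv4 NLRI: 1-byte length in bits, 3-byte label (BoS set), 8-byte RD, minimal prefix bytes."""
    if not 0 <= label < (1 << 20):
        raise ValueError("MPLS label must fit in 20 bits")
    net = ipaddress.IPv4Network(prefix)
    nbytes = (net.prefixlen + 7) // 8
    label_field = struct.pack("!I", (label << 4) | 0x1)[1:]   # 20-bit label, EXP 0, bottom-of-stack 1
    length_bits = 24 + 64 + net.prefixlen                     # label + RD + prefix
    return bytes([length_bits]) + label_field + encode_rd(rd) + net.network_address.packed[:nbytes]


def decode_vpnv4_nlri(data: bytes):
    """Parse one NLRI; returns (label, rd, prefix, remaining bytes) so a run of NLRIs can be walked."""
    length_bits = data[0]
    if length_bits < 88:
        raise ValueError("NLRI too short to hold a label and an RD")
    label = int.from_bytes(data[1:4], "big") >> 4
    rd = decode_rd(data[4:12])
    plen = length_bits - 88
    nbytes = (plen + 7) // 8
    addr = data[12:12 + nbytes].ljust(4, b"\x00")
    return label, rd, f"{ipaddress.IPv4Address(addr)}/{plen}", data[12 + nbytes:]


def decode_nlri_list(data: bytes):
    """Walk the NLRI field of an MP_REACH_NLRI attribute and return [(label, rd, prefix), ...]."""
    out = []
    while data:
        label, rd, prefix, data = decode_vpnv4_nlri(data)
        out.append((label, rd, prefix))
    return out


def vpnv4_key(rd: str, prefix: str) -> str:
    """The RD:prefix form the deck uses, e.g. 1:1:10.1.1.0/24."""
    return f"{rd}:{prefix}"


if __name__ == "__main__":
    # Deck values: RD 1:1, prefix 10.1.1.0, label 50; the RD 2:2 / label 100 variant is constructed.
    blob = encode_vpnv4_nlri(50, "1:1", "10.1.1.0/24") + encode_vpnv4_nlri(100, "2:2", "10.1.1.0/24")
    for label, rd, prefix in decode_nlri_list(blob):
        print(vpnv4_key(rd, prefix), "label", label)
    print("RT 2:2 =", encode_rt("2:2").hex())
```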

[Slide 15] MPLS VPN Control Plane: Putting It All Together
(Figure: CE-1 at Site 1 advertises 10.10.1.0/24 with Next-Hop=CE-1 to PE-1 (step 1); PE-1 sends an MP-iBGP update across the MPLS backbone (P routers) to PE2 (step 3): RD:10.10.1.0, Next-hop=PE-1, RT=Green, Label=100.)
PE-1:
1) receives an IPv4 update (eBGP, OSPF, EIGRP)
2) translates it into a VPNv4 address:
   - assigns an RT per the VRF configuration
   - rewrites the Next-Hop attribute to itself
   - assigns a label based on the VRF and/or interface
3) sends the MP-iBGP UPDATE to the other PE routers

[Slide 16] MPLS VPN Control Plane: Putting It All Together (continued)
(Figure: PE2 receives the MP-iBGP update and advertises the prefix with Next-Hop=PE-2 to CE2 at Site 2 (step 5).)
4) PE2 receives the update and checks whether RT=Green is locally configured within any VRF; if yes, then
5) PE2 translates the VPNv4 prefix back into an IPv4 prefix:
   - installs the prefix into the VRF routing table
   - updates the VRF CEF table with label=100 for the prefix
   - advertises this IPv4 prefix to CE2 (eBGP, OSPF, EIGRP)

[Slide 17] MPLS VPN Forwarding Plane
(Figure: Site 1 - ingress PE - P1 - P2 - PE2 - CE2 - Site 2. At the ingress PE, the VRF Green forwarding table has Dest -> NextHop PE2, label 100, and the global routing/forwarding table has Dest PE2 -> Next-Hop P1, label 50. At P1, the global table has Dest PE2 -> NextHop P2, label 25.)
The global forwarding table (show ip cef):
- PE routers store IGP routes and the associated labels
- Labels distributed through LDP/TDP
VRF forwarding table (show ip cef vrf <vrf>):
- PE routers store VPN routes and the associated labels
- Labels distributed through MP-BGP

[Slide 18] MPLS VPN Forwarding Plane (continued)
(Figure: a packet from Site 1 to Site 2 carries the label stack 50/100 leaving the ingress PE, 25/100 leaving P1, and 100 on arrival at PE2.)
- PE2 imposes TWO labels on each packet going to the VPN destination
- The top label is LDP-learned and derived from an IGP route; it represents the LSP to the PE address (exit point of a VPN route)
- The second label is learned via MP-BGP and corresponds to the VPN address

[Slide 19] Agenda (section divider: Configuration)

[Slide 20] MPLS VPN Sample Configuration
VRF definition (PE interface Serial0, 192.168.10.1, towards Site 1):
    ip vrf VPN-A
     rd 1:1
     route-target export 100:1
     route-target import 100:1
    !
    interface Serial0
     ! ip vrf forwarding must come before ip address: applying it clears any address already on the interface
     ip vrf forwarding VPN-A
     ip address 192.168.10.1 255.255.255.0
PE-P configuration (PE interface Serial1 towards P):
    interface Serial1
     ip address 130.130.1.1 255.255.255.252
     mpls ip
    !
    router ospf 1
     network 130.130.1.0 0.0.0.3 area 0

[Slide 21] MPLS VPN Sample Configuration: PE to RR MP-iBGP
PE (loopback 1.2.3.6) towards the RR (loopback 1.2.3.4):
    router bgp 1
     neighbor 1.2.3.4 remote-as 1
     neighbor 1.2.3.4 update-source loopback0
     !
     address-family vpnv4
      neighbor 1.2.3.4 activate
      neighbor 1.2.3.4 send-community both
RR towards the PE:
    router bgp 1
     no bgp default route-target filter
     neighbor 1.2.3.6 remote-as 1
     neighbor 1.2.3.6 update-source loopback0
     !
     address-family vpnv4
      neighbor 1.2.3.6 activate
      neighbor 1.2.3.6 route-reflector-client

[Slide 22] MPLS VPN Sample Configuration: PE-CE BGP and OSPF
PE-CE BGP (Site 1 CE at 192.168.10.2, PE at 192.168.10.1):
    router bgp 1
     !
     address-family ipv4 vrf VPN-A
      neighbor 192.168.10.2 remote-as 2
      neighbor 192.168.10.2 activate
     exit-address-family
    !
PE-CE OSPF (Site 1):
    router ospf 1
    !
    router ospf 2 vrf VPN-A
     network 192.168.10.0 0.0.0.255 area 0
    !

[Slide 23] MPLS VPN Sample Configuration: PE-CE RIP and EIGRP
PE-CE RIP (Site 1):
    router rip
     address-family ipv4 vrf VPN-A
      version 2
      no auto-summary
      network 192.168.10.0
     exit-address-family
PE-CE EIGRP (Site 1):
    router eigrp 1
     address-family ipv4 vrf VPN-A
      network 192.168.10.0 0.0.0.255
      autonomous-system 1
     exit-address-family

[Slide 24] MPLS VPN Sample Configuration: PE-CE Static, and MP-iBGP routes to the VPN site
PE-CE static (Site 1):
    ip route vrf VPN-A 10.1.1.0 255.255.255.0 192.168.10.2
MP-iBGP routes to VPN Site 1 (RIP as the PE-CE protocol):
    router rip
     address-family ipv4 vrf VPN-A
      version 2
      redistribute bgp 1 metric 1
      no auto-summary
      network 192.168.10.0
     exit-address-family
If the PE-CE protocol is not BGP, then redistribution of the other sites' VPN routes from MP-iBGP into the PE-CE protocol is required.

[Slide 25] MPLS VPN Sample Configuration: PE to RR (Site 1 VPN routes into VPNv4)
    router bgp 1
     neighbor 1.2.3.4 remote-as 1
     neighbor 1.2.3.4 update-source loopback0
     !
     address-family ipv4 vrf VPN-A
      redistribute {rip | connected | static | eigrp | ospf}
If the PE-CE protocol is not BGP, then redistribution of the site's VPN routes into MP-iBGP is required.

[Slide 26] Agenda (section divider: MPLS-VPN Services)

[Slide 27] MPLS VPN Services: 1. Loadsharing for the VPN Traffic
(Figure: Site A, 171.68.2.0/24, is multihomed to two PEs (1 and 2) through its CE; both PEs advertise the route to the RR; Site B hangs off PE2 across the MPLS backbone.)
- VPN sites (such as Site A) could be multihomed
- The VPN customer may demand that traffic to the multihomed sites be loadshared

[Slide 28] MPLS VPN Services: 1. Loadsharing for the VPN Traffic: Cases
- Case 1: one CE, two PEs (CE2 at Site A connects to both PEs)
- Case 2: two CEs, two PEs (each CE at Site A connects to its own PE)
(Figures: in both cases the traffic flow from Site B to 171.68.2.0/24 is split across the two PEs attached to Site A.)

[Slide 29] MPLS VPN Services: 1. Loadsharing for the VPN Traffic: Deployment
How to deploy the loadsharing?
1. Configure different VRFs, i.e. different RDs, for the multihomed site/interfaces.
2. Enable BGP multipath within the relevant BGP VRF address-family at the remote/receiving PE (PE2).
First PE attached to Site A:
    ip vrf green
     rd 300:11
     route-target both 1:1
Second PE attached to Site A:
    ip vrf green
     rd 300:12
     route-target both 1:1
Receiving PE2 (attached to Site B):
    ip vrf green
     rd 300:13
     route-target both 1:1
    !
    router bgp 1
     address-family ipv4 vrf green
      maximum-paths eibgp 2

[Slide 30] MPLS VPN Services: 1. Loadsharing for the VPN Traffic (continued)
- The RR must advertise all the paths learned via the two Site A PEs to the remote PE routers
- With a different RD per VRF, the RR does the best-path calculation per RD and advertises each result to the remote PE
- Watch out for the increased (~20%) memory consumption (within BGP) due to multipaths at the PEs
- eibgp multipath implicitly provides eBGP and iBGP multipath for VPN paths

[Slide 31] MPLS-VPN Services: 2. Hub & Spoke Service to the VPN Customers
- Traditionally, VPN deployments are Hub & Spoke: spoke-to-spoke communication is via the Hub site only
- Despite MPLS VPN's implicit any-to-any, i.e. full-mesh, connectivity, a Hub & Spoke service can easily be offered
- Done with import and export of Route-Targets (RTs)

[Slide 32] MPLS-VPN Services: 2. Hub & Spoke Service: Configuration
(Figure: Spoke A (171.68.1.0/24, CE-SA, PE-SA) and Spoke B (171.68.2.0/24, CE-SB, PE-SB) reach PE-Hub across the MPLS VPN backbone; PE-Hub has two sub-interfaces, Eth0/0.1 and Eth0/0.2, towards the hub CE.)
PE-SA:
    ip vrf green-spoke1
     description VRF for SPOKE A
     rd 300:111
     route-target export 1:1
     route-target import 2:2
PE-SB:
    ip vrf green-spoke2
     description VRF for SPOKE B
     rd 300:112
     route-target export 1:1
     route-target import 2:2
PE-Hub:
    ip vrf HUB-OUT
     description VRF for traffic from HUB
     rd 300:11
     route-target import 1:1
    !
    ip vrf HUB-IN
     description VRF for traffic to HUB
     rd 300:12
     route-target export 2:2

[Slide 33] MPLS-VPN Services: 2. Hub & Spoke Service: Control Plane
Advertisements across the MPLS backbone:
- PE-SA advertises 171.68.1.0/24 with Label 40, Route-Target 1:1
- PE-SB advertises 171.68.2.0/24 with Label 50, Route-Target 1:1
- PE-Hub advertises 0.0.0.0 with Label 35, Route-Target 2:2
VRF routing table and LFIB at PE-SA:
  Destination     NextHop   Label
  0.0.0.0         PE-Hub    35
  171.68.1.0/24   CE-SA
VRF routing table and LFIB at PE-SB:
  Destination     NextHop   Label
  0.0.0.0         PE-Hub    35
  171.68.2.0/24   CE-SB
VRF HUB-OUT routing table and LFIB at PE-Hub:
  Destination     NextHop   Label
  171.68.1.0/24   PE-SA     40
  171.68.2.0/24   PE-SB     50
VRF HUB-IN routing table at PE-Hub:
  Destination     NextHop
  0.0.0.0         CE-H1
- All traffic between spokes must pass through the Hub/Central site; the Hub site could offer firewall, NAT and similar applications
- Two-VRF solution at the PE-Hub: VRF HUB-OUT has knowledge of every spoke route; VRF HUB-IN only has the default route and advertises that to the spoke PEs
- Import and export Route-Targets within a VRF must be different

[Slide 34] MPLS-VPN Services: 2. Hub & Spoke Service: Forwarding Plane
(Figure: a packet from Spoke B to 171.68.1.1 in Spoke A leaves PE-SB with the hub label LH=35 and arrives at PE-Hub in VRF HUB-IN, which hands it to the hub CE; the hub CE returns it into VRF HUB-OUT, and PE-Hub forwards it with label LA=40 to PE-SA, which delivers it to CE-SA.)
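Slides 32 and 33 state the result of the hub-and-spoke RT design (spokes see only the hub's default, HUB-OUT sees every spoke, import and export RTs must differ) but not how to check it. The following model is an added example, not part of the deck: it applies the RFC 4364 import rule (install a VPNv4 route if any of its RTs is in the VRF's import list) to the deck's four VRFs, reproduces the tables on slide 33, and flags the misconfiguration the last bullet warns about, a spoke using the same RT for import and export, which lets spokes import each other directly and bypass the hub. The HUB-OUT label value 60 and the local CE next-hop names are constructed; RDs, RTs, prefixes and the labels 40/50/35 are the deck's.

```python
"""Model of RT-driven VPNv4 import/export, applied to the deck's hub-and-spoke VRF configuration."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class VpnRoute:
    """A VPNv4 route as carried in MP-iBGP: prefix under an RD, PE next hop, VPN label, RT set."""
    prefix: str
    rd: str
    next_hop: str
    label: int
    rts: FrozenSet[str]


@dataclass
class Vrf:
    pe: str                    # PE hosting the VRF; becomes the BGP next hop on export
    name: str
    rd: str
    export_rts: FrozenSet[str]
    import_rts: FrozenSet[str]
    label: int                 # per-VRF label the PE allocates for the routes it exports
    local: Dict[str, str] = field(default_factory=dict)   # prefix -> CE next hop (PE-CE routing)


def export_routes(vrfs: List[Vrf]) -> List[VpnRoute]:
    """Deck steps 1-3: CE-learned routes become VPNv4 routes tagged with the VRF's export RTs."""
    return [VpnRoute(p, v.rd, v.pe, v.label, v.export_rts) for v in vrfs for p in v.local]


def import_routes(vrf: Vrf, routes: List[VpnRoute]) -> Dict[str, Tuple[str, Optional[int]]]:
    """Deck steps 4-5: install a route only if one of its RTs is in the VRF's import list."""
    table: Dict[str, Tuple[str, Optional[int]]] = {p: (ce, None) for p, ce in vrf.local.items()}
    for r in routes:
        if r.rd == vrf.rd and r.next_hop == vrf.pe:
            continue                                    # a PE never re-imports its own VRF's routes
        if r.rts & vrf.import_rts:
            table.setdefault(r.prefix, (r.next_hop, r.label))   # locally learned routes win
    return table


def build_tables(vrfs: List[Vrf]) -> Dict[str, Dict[str, Tuple[str, Optional[int]]]]:
    """VRF name -> routing table after every PE has exported and imported."""
    routes = export_routes(vrfs)
    return {v.name: import_routes(v, routes) for v in vrfs}


def spoke_leaks(spokes: List[Vrf]) -> List[Tuple[str, str]]:
    """Pairs (exporter, importer) of spoke VRFs that would import each other directly, bypassing the hub."""
    return [(a.name, b.name) for a in spokes for b in spokes
            if a is not b and a.export_rts & b.import_rts]


def slide_config(spoke_import_rt: str = "2:2") -> List[Vrf]:
    """The deck's PE-SA / PE-SB / PE-Hub VRFs. Pass spoke_import_rt="1:1" to model a spoke
    configured with 'route-target both 1:1', i.e. the same RT for import and export."""
    spoke_a = Vrf("PE-SA", "green-spoke1", "300:111", frozenset({"1:1"}),
                  frozenset({spoke_import_rt}), 40, {"171.68.1.0/24": "CE-SA"})
    spoke_b = Vrf("PE-SB", "green-spoke2", "300:112", frozenset({"1:1"}),
                  frozenset({spoke_import_rt}), 50, {"171.68.2.0/24": "CE-SB"})
    hub_out = Vrf("PE-Hub", "HUB-OUT", "300:11", frozenset(), frozenset({"1:1"}), 60)  # label 60: constructed
    hub_in = Vrf("PE-Hub", "HUB-IN", "300:12", frozenset({"2:2"}), frozenset(), 35,
                 {"0.0.0.0/0": "CE-H1"})
    return [spoke_a, spoke_b, hub_out, hub_in]


if __name__ == "__main__":
    for name, table in build_tables(slide_config()).items():
        print(name, table)
    print("leaks with distinct RTs:", spoke_leaks(slide_config()[:2]))
    print("leaks with 'route-target both 1:1':", spoke_leaks(slide_config("1:1")[:2]))
```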

[Slide 35] MPLS-VPN Services: 3. Extranet VPN
- MPLS VPN, by default, isolates one VPN customer from another: a separate virtual routing table for each VPN customer
- Communication between VPNs may be required, i.e. Extranet:
  - External inter-company communication (dealers with manufacturer, retailer with wholesale provider, etc.)
  - Management VPN, shared-service VPN, etc.
- Needs the right import and export route-target (RT) values configured within the VRFs; an export-map or import-map should be used

[Slide 36] MPLS-VPN Services: 3. Extranet VPN (configuration)
Goal: only VPN_A Site#1 is to be reachable from VPN_B.
(Figure: VPN_A Site#1 171.68.0.0/16 and VPN_A Site#2 192.6.0.0/16, and VPN_B Site#1 180.1.0.0/16, attached to PEs on the MPLS backbone.)
PE for VPN_A:
    ip vrf VPN_A
     rd 3000:111
     export map VPN_A_Export
     import map VPN_A_Import
     route-target import 3000:111
     route-target export 3000:111
     route-target import 3000:1
    !
    route-map VPN_A_Export permit 10
     match ip address 1
     set extcommunity rt 3000:2
    !
    route-map VPN_A_Import permit 10
     match ip address 2
    !
    access-list 1 permit 171.68.0.0 0.0.0.0
    access-list 2 permit 180.1.0.0 0.0.0.0
PE for VPN_B:
    ip vrf VPN_B
     rd 3000:222
     export map VPN_B_Export
     import map VPN_B_Import
     route-target import 3000:222
     route-target export 3000:222
     route-target import 3000:2
    !
    route-map VPN_B_Export permit 10
     match ip address 2
     set extcommunity rt 3000:1
    !
    route-map VPN_B_Import permit 10
     match ip address 1
    !
    access-list 1 permit 171.68.0.0 0.0.0.0
    access-list 2 permit 180.1.0.0 0.0.0.0
Only Site#1 of both VPNs will communicate with each other; Site#2 won't.

[Slide 37] MPLS-VPN Services: 4. Internet Access Service to VPN Customers
- Could be provided as another value-added service
- Security mechanisms must be in place at both the provider network and the customer network, to protect from Internet vulnerabilities
- VPN customers benefit from a single point of contact for both Intranet and Internet connectivity

[Slide 38] MPLS-VPN Services: 4. Internet Access: Different Methods of Service
Four ways to provide the Internet service:
1. VRF-specific default route with the global keyword
2. Separate PE-CE sub-interface (non-VRF)
3. Extranet with Internet-VRF
4. VRF-aware NAT

[Slide 39] MPLS-VPN Services: 4. Internet Access: Different Methods of Service (continued)
1. VRF-specific default route
   1.1 Static default route to move traffic from the VRF to the Internet (global routing table)
   1.2 Static routes for VPN customers to move traffic from the Internet (global routing table) to the VRF
2. Separate PE-CE sub-interface (non-VRF): may run BGP to propagate Internet routes between PE and CE
3. Extranet with Internet-VRF: VPN packets never leave the VRF context; issue with overlapping VPN addresses
4. Extranet with Internet-VRF along with VRF-aware NAT: VPN packets never leave the VRF context; works well with overlapping VPN addresses

[Slide 40] MPLS-VPN Services: 4.1 Internet Access: VRF-Specific Default Route (Config)
(Figure: Site1, 171.68.0.0/16, on the PE's Serial0; PE loopback 192.168.1.2; MPLS backbone with a P router; ASBR/Internet GW with loopback 192.168.1.1 connected to the Internet.)
PE configuration:
    ip vrf VPN-A
     rd 100:1
     route-target both 100:1
    !
    interface Serial0
     ip vrf forwarding VPN-A
     ip address 192.168.10.1 255.255.255.0
    !
    router bgp 100
     no bgp default ipv4-unicast
     redistribute static
     neighbor 192.168.1.1 remote-as 100
     neighbor 192.168.1.1 activate
     neighbor 192.168.1.1 next-hop-self
     neighbor 192.168.1.1 update-source loopback0
    !
    ip route vrf VPN-A 0.0.0.0 0.0.0.0 192.168.1.1 global
    ip route 171.68.0.0 255.255.0.0 Serial0
- A default route, pointing to the ASBR, is installed into the site VRF at each PE
- A single label is used for packets forwarded according to the default route: the IGP label corresponding to the IP address of the ASBR, known via the IGP
- The static route, pointing to the VRF interface, is installed in the global routing table and redistributed into BGP

[Slide 41] MPLS-VPN Services: 4.1 Internet Access: VRF-Specific Default Route (Forwarding)
(Figure: an IP packet from Site1 to Cisco.com enters the PE on Serial0, leaves with Label=30 towards the ASBR (192.168.1.1) and exits to the Internet; the return packet to 171.68.1.1 leaves the ASBR with Label=35 towards the PE (192.168.1.2) and exits on Serial0.)
PE global routing/FIB table:
  Destination      Label/Interface
  192.168.1.1/32   Label=30
  171.68.0.0/16    Serial0
PE VRF routing/FIB table:
  Destination      Label/Interface
  0.0.0.0/0        192.168.1.1 (global)
ASBR global table and LFIB:
  Destination      Label/Interface
  192.168.1.2/32   Label=35
  171.68.0.0/16    192.168.1.2
Pros:
- Different Internet gateways can be used for different VRFs
- PE routers need not hold the Internet table
- Simple configuration
Cons:
- Using the default route for Internet routing does NOT allow any other default route for intra-VPN routing
- Increasing size of the global routing table by leaking VPN routes
- Static configuration

[Slide 42] MPLS-VPN Services: 4.2 Internet Access (repeats the four methods listed on slide 39)

[Slide 43] 4.2 Internet Access Service to VPN Customers Using a Separate Sub-Interface (Config)
(Figure: Site1, 171.68.0.0/16, attaches to the PE over two Frame Relay sub-interfaces, S0.1 (VRF) and S0.2 (global, BGP-4 towards the Internet); PE 192.168.1.2; ASBR/Internet GW 192.168.1.1.)
    ip vrf VPN-A
     rd 100:1
     route-target both 100:1
    !
    interface Serial0.1
     ip vrf forwarding VPN-A
     ip address 192.168.20.1 255.255.255.0
     frame-relay interface-dlci 100
    !
    interface Serial0.2
     ip address 171.68.10.1 255.255.255.0
     frame-relay interface-dlci 200
    !
    router bgp 100
     no bgp default ipv4-unicast
     [snip]
     neighbor 171.68.10.2 remote-as 502
- One sub-interface for VPN routing, associated to a VRF
- Another sub-interface for Internet routing, associated to the global routing table
- Could advertise full Internet routes or a default route to the CE
- The PE will need to advertise the VPN routes to the Internet (via the global routing table)

[Slide 44] 4.2 Internet Access Service to VPN Customers Using a Separate Sub-Interface (Forwarding)
(Figure: an IP packet from Site1 to Cisco.com arrives on S0.2; the PE forwards it with Label=30 to the Internet GW 192.168.1.1, which sends it on to the Internet.)
CE routing table: VPN routes via Serial0.1; Internet routes via Serial0.2
PE global table and FIB: Internet routes via 192.168.1.1; 192.168.1.1 reached with Label=30
Pros:
- The CE could dual-home and perform optimal routing
- Traffic separation is done by the CE
Cons:
- The PE has to hold full Internet routes
- BGP complexities are introduced in the CE

[Slide 45] Internet Access Service: 4.3 Extranet with Internet-VRF
- The Internet routes could be placed within a VRF at the Internet GW, i.e. the ASBR
- VRFs for customers could extranet with the Internet VRF and receive either default, partial or full Internet routes
- Be careful if duplicating the Internet routes in each VRF
- Works well when the VPN customers don't have overlapping addresses

[Slide 46] Internet Access Service: 4.4 Internet Access using VRF-aware NAT
- If the VPN customers need Internet access without Internet routes, then VRF-aware NAT can be used at the Internet GW, i.e. the ASBR
- The Internet GW doesn't need to have Internet routes either
- Overlapping VPN addresses are not a problem
- More in the VRF-aware NAT slides

[Slide 47] MPLS VPN Service: 5. VRF-Selection
- The common notion is that a VRF must be associated to an interface
- VRF-selection breaks this association and associates multiple VRFs with an interface
- Each packet on the PE-CE interface could be handled via a different VRF routing table, based on certain criteria
- Criteria such as source/destination IP address, ToS, TCP port, etc., specified via a route-map
- Voice and data can be separated into different VRFs at the PE

[Slide 48] MPLS VPN Service: 5. VRF-Selection Based on Source IP Address
(Figure: a cable company's MPLS backbone; the cable setup attaches to the PE's global interface Serial0/0; sources 33.3.14.1 (VPN Brown, 33.3.0.0/16), 44.3.12.1 (VPN Blue, 44.3.0.0/16) and 66.3.1.25 (VPN Green, 66.3.0.0/16) are steered into the VRF interfaces towards PE2 via the RR.)
    ip vrf brown
     rd 3000:111
     route-target export 3000:1
     route-target import 3000:1
    !
    ip vrf blue
     rd 3000:222
     route-target export 3000:2
     route-target import 3000:2
    !
    ip vrf green
     rd 3000:333
     route-target export 3000:3
     route-target import 3000:3
    !
    interface Serial0/0
     ip address 215.2.0.6 255.255.255.252
     ip policy route-map PBR-VRF-Selection
     ip vrf receive brown
     ip vrf receive blue
     ip vrf receive green
    !
    access-list 40 permit 33.3.0.0 0.0.255.255
    access-list 50 permit 44.3.0.0 0.0.255.255
    access-list 60 permit 66.3.0.0 0.0.255.255
    !
    route-map PBR-VRF-Selection permit 10
     match ip address 40
     set vrf brown
    !
    route-map PBR-VRF-Selection permit 20
     match ip address 50
     set vrf blue
    !
    route-map PBR-VRF-Selection permit 30
     match ip address 60
     set vrf green

[Slide 49] MPLS VPN Service: 6. Remote Access Service
- Remote access users, i.e. dial users and IPSec users, could be terminated directly in a VRF
- PPP users can be terminated into VRFs
- IPSec tunnels can be terminated into VRFs
- Integration of remote access services with MPLS VPN opens up new opportunities for providers

[Slide 50] MPLS VPN Service: 6. Remote Access Service: IPSec to MPLS VPN
(Figure: remote users/telecommuters, SOHO and branch offices, running Cisco IOS VPN routers or Cisco VPN Client 3.x or higher, reach the SP over local or direct dial ISP access, cable/DSL/ISDN or the Internet; IPSec sessions terminate on a PE+IPSec aggregator in the SP shared network, authenticated against SP AAA and customer AAA; from there the traffic is carried as MPLS VPN (VPN A, VPN B, VPN C) across the IP/MPLS/Layer 2 based network to the corporate intranets of Customers A, B and C, including Customer A's head office and branch office.)

[Slide 51] MPLS-VPN Services: 7. VRF-Aware NAT Services
- VPN customers could be using overlapping IP addresses, i.e. 10.0.0.0/8
- Such VPN customers must NAT their traffic before using either extranet, Internet or any shared* services
- The PE is capable of NATing the VPN packets (eliminating the need for an extra NAT device)
* VoIP, hosted content, management, etc.

[Slide 52] MPLS-VPN Services: 7. VRF-Aware NAT Services (continued)
- Typically, inside interface(s) connect to private address space and outside interface(s) connect to global address space
- NAT occurs after routing for traffic from inside to outside interfaces
- NAT occurs before routing for traffic from outside to inside interfaces
- Each NAT entry is associated with the VRF
- Works on VPN packets in the following switching paths: IP->IP, IP->MPLS and MPLS->IP

[Slide 53] MPLS-VPN Services: 7. VRF-Aware NAT Services: Internet Access
(Figure: Green VPN site (1) and Blue VPN site (2) attach to PEs across the MPLS backbone; PE-ASBR has its backbone-facing interface as "ip nat inside" and its Internet-facing interface, next hop 217.34.42.2, as "ip nat outside"; CE2 sits on the Internet side.)
VRF-specific configuration on PE-ASBR:
    ip vrf green
     rd 3000:111
     route-target both 3000:1
    !
    ip vrf blue
     rd 3000:222
     route-target both 3000:2
    !
    router bgp 3000
     address-family ipv4 vrf green
      network 0.0.0.0
     address-family ipv4 vrf blue
      network 0.0.0.0
    !
    ip route vrf green 0.0.0.0 0.0.0.0 217.34.42.2 global
    ip route vrf blue 0.0.0.0 0.0.0.0 217.34.42.2 global
VRF-aware NAT specific configuration on PE-ASBR:
    ip nat pool pool-green 24.1.1.0 24.1.1.254 prefix-length 24
    ip nat pool pool-blue 25.1.1.0 25.1.1.254 prefix-length 24
    ip nat inside source list vpn-to-nat pool pool-green vrf green
    ip nat inside source list vpn-to-nat pool pool-blue vrf blue
    !
    ip access-list standard vpn-to-nat
     permit 10.1.1.0 0.0.0.255

[Slide 54] MPLS-VPN Services: 7. VRF-Aware NAT Services: Internet Access (Forwarding)
(Figure: IP packets from the Green site (1) and the Blue site (2) with Dest=Internet are carried as MPLS packets with Label=30 and Label=40 respectively across the backbone to PE-ASBR, which sends them on as IP packets with Src=24.1.1.1 and Src=25.1.1.1.)
PE-ASBR:
- removes the label from the received MPLS packets per the LFIB
- performs NAT on the resulting IP packets
- forwards the packets
NAT table:
  VRF IP Source   Global IP   VRF-table-id
  (not shown)     24.1.1.1    green
  (not shown)     25.1.1.1    blue
This is also one of the ways to provide Internet access to VPN customers, with or without overlapping addresses.

[Slide 55] Agenda (section divider: Advanced MPLS VPN Topics)

[Slide 56] What Is Inter-AS?
(Figure: Provider X (AS #1) with PE-1, RR1 and ASBR1; Provider Y (AS #2) with ASBR2, RR2 and PE2. CE-1 in VPN-A advertises 149.27.2.0/24 (BGP, OSPF or RIPv2, NH=CE-1) to PE-1, which sends an MP-iBGP update within AS #1; CE2 in VPN-A hangs off PE2 in AS #2; the ASBR1-ASBR2 link is marked "???".)
Problem: how do Provider X and Provider Y exchange VPN routes?

Slide 57 - Inter-AS Deployment Scenarios

Options for deploying Inter-AS between ASBR1 (AS #1) and ASBR2 (AS #2):
  1. Back-to-back VRFs
  2. MP-eBGP for VPNv4 between the ASBRs
  3. Multihop MP-eBGP between RRs
  4. Non-VPN transit provider
Scenarios 2 and 3 are the more common ones and are discussed next; 1 and 4 are in the backup slides.

Slide 58 - Scenario 2: MP-eBGP between ASBRs to Exchange VPNv4 Routes

- The CLI "no bgp default route-target filter" is needed on the ASBRs: by default a router discards VPNv4 routes whose route-targets no local VRF imports, and these ASBRs have no VRFs.
- The ASBRs exchange VPN routes using eBGP (VPNv4 address family).
- The ASBRs store all VPN routes, but only in the BGP table and the LFIB, not in the routing table nor in the CEF table.
- The ASBRs do not need VRFs configured on them, nor LDP between them.

Slide 59 - Scenario 2: MP-eBGP between ASBRs for VPNv4, Control Plane

Route flow for a VPN-B prefix (RD 1:27, RT 1:1) from CE-2 (behind PE-1, AS #1) to CE-3 (behind PE-2, AS #2):
  1. CE-2 -> PE-1: BGP, OSPF or RIPv2, NH=CE-2.
  2. PE-1 -> ASBR-1 (MP-iBGP): RD 1:27:<prefix>, NH=PE-1, RT=1:1, Label=40.
  3. ASBR-1 -> ASBR-2 (MP-eBGP): same prefix, NH=ASBR-1, RT=1:1, Label=20 (ASBR-1 allocates its own label and becomes the next hop).
  4. ASBR-2 -> PE-2 (MP-iBGP): NH=ASBR-2, RT=1:1, Label=30.
  5. PE-2 -> CE-3: BGP, OSPF or RIPv2, NH=PE-2.

Slide 60 - Scenario 2: MP-eBGP between ASBRs for VPNv4, Forwarding Plane

Packets from CE-3 toward CE-2: PE-2 pushes VPN label 30 plus the IGP label toward ASBR-2 (via P2); ASBR-2 swaps 30 -> 20 and sends an MPLS packet over the ASBR-ASBR link; ASBR-1 swaps 20 -> 40 and pushes the IGP label toward PE-1 (via P1); PE-1 pops 40 and delivers the IP packet to CE-2. MPLS packets are exchanged between the ASBRs.

Pros:
- More scalable: only one interface between the ASBR routers.
- No VRF configuration on the ASBR; less memory consumption (no RIB/FIB memory).
- MPLS label switching between providers.
- Still simple, more scalable, and works today.
Cons:
- Automatic route-target filtering must be disabled, but BGP filtering (per-neighbor policy on the VPNv4 session) can be applied instead.
- The ASBRs are still required to hold the VPN routes.

Slide 61 - Cisco IOS Configuration, Scenario 2: External MP-BGP between ASBRs for VPNv4

ASBR1 (AS #1) and ASBR2 (AS #2) are directly connected on 1.1.1.0/30; VPN-A has CE-1 in AS #1 and CE-2 (behind PE2) in AS #2. Labels are exchanged between the ASBRs with MP-eBGP.

ASBR MP-eBGP configuration:

  router bgp <local ASN>
   no bgp default route-target filter
   neighbor 1.1.1.x remote-as <peer ASN>
   !
   address-family vpnv4
    neighbor 1.1.1.x activate
    neighbor 1.1.1.x send-community extended

Note: the ASBR must already have an MP-iBGP session with its iBGP neighbours (RRs or PEs). Route-targets travel as extended communities, so "send-community extended" is mandatory on the VPNv4 session.

Slide 62 - Scenario 3: Multihop MP-eBGP between RRs to Exchange VPNv4 Routes

- VPNv4 prefixes are exchanged between the Route Reflectors of the two ASes.
- Requires multihop MP-eBGP (with next-hop-unchanged, so the originating PE stays the BGP next hop).
- IPv4 routes with labels are exchanged between the directly connected ASBRs using eBGP.
- Only the PE loopback addresses need to be exchanged (they are the BGP next-hop addresses of the VPN routes).

Slide 63 - Scenario 3: Multihop MP-eBGP between RRs for VPN routes, Control Plane

VPN route: PE-1 sends a VPNv4 update (RD 1:27:<prefix>, NH=PE-1, RT=1:1, Label=90) to RR-1; RR-1 forwards it over the multihop MP-eBGP session to RR-2 with the next hop unchanged; RR-2 reflects it to PE-2. Next hop (PE-1) and VPN label (90) are identical at every step; no ASBR touches the VPN route.

PE-1 reachability (the BGP next hop): inside AS#1, IGP+LDP: Network=PE-1, NH=PE-1, Label=40. ASBR-1 -> ASBR-2: IPv4 update with label, Network=PE-1, NH=ASBR-1, Label=20. Inside AS#2, IGP+LDP: Network=PE-1, NH=ASBR-2, Label=30 (ASBR-2 redistributes PE-1 into its IGP).

At the edges: CE-2 advertises to PE-1 (BGP, OSPF or RIPv2, NH=CE-2) and PE-2 advertises to CE-3 (NH=PE-2).

Note: instead of IGP+label, iBGP+label can be used to exchange PE routes/labels; see Scenario #5 on slides 49 and 50.

Slide 64 - Scenario 3: Multihop MP-eBGP between RRs for VPN routes, Forwarding Plane

Packets from CE-3 toward CE-2 carry VPN label 90 as the inner label end to end; only the outer transport label for PE-1 is swapped hop by hop (30/50 inside AS#2 via P2, 20 on the ASBR-2 -> ASBR-1 link, 40 inside AS#1 via P1). PE-1 pops 90 and forwards the IP packet to CE-2. For this traffic the ASBRs are plain label switches.

Note: instead of IGP+label, iBGP+label can be used to exchange PE routes/labels.

Slide 65 - Scenario 3: Pros/Cons

Pros:
- More scalable than Scenarios 1 and 2.
- Separation of control and forwarding planes: the Route Reflectors exchange VPNv4 routes+labels (they hold the VPNv4 information anyway).
Cons:
- Advertising PE addresses to another AS may not be acceptable to some providers.
- The ASBRs now exchange only IPv4 routes+labels and forward MPLS packets.

Slide 66 - Cisco IOS Configuration, Scenario 3: Multihop MP-eBGP between RRs for VPNv4

Multihop MP-eBGP for VPNv4 with next-hop-unchanged between RR-1 (AS #1) and RR-2 (AS #2); eBGP IPv4 + labels between ASBR-1 and ASBR-2.

RR configuration:

  router bgp <local ASN>
   neighbor <RR-x> remote-as <peer ASN>
   neighbor <RR-x> ebgp-multihop
   neighbor <RR-x> update-source loopback 0
   !
   address-family vpnv4
    neighbor <RR-x> activate
    neighbor <RR-x> send-community extended
    neighbor <RR-x> next-hop-unchanged

ASBR configuration:

  router ospf <process>
   redistribute bgp <local ASN> subnets
  !
  router bgp <local ASN>
   neighbor <ASBR-x> remote-as <peer ASN>
   !
   address-family ipv4
    network <PE-x> mask 255.255.255.255
    network <RR-x> mask 255.255.255.255
    neighbor <ASBR-x> activate
    neighbor <ASBR-x> send-label

iBGP IPv4+label could also be used within each AS (instead of the network <x.x.x.x> statements) to propagate the label information for the PEs.

Slide 67 - Inter-AS Deployment Guidelines

1. Use the ASN in the route-target, i.e. ASN:xxxx.
2. Max-prefix limits (both BGP and VRF) on the PEs.
3. Security on the ASBRs: BGP MD5 authentication, BGP filtering, BGP max-prefix, etc.
4. End-to-end QoS agreement on the ASBRs.
5. Route-target rewrite on the ASBR (see backup slide 96).
6. Internet connectivity on the same ASBR?? (left as an open design question on the slide)

Slide 68 - Agenda (repeat; next section: Advanced MPLS VPN Topics, CsC Carrier Supporting Carrier)

Slide 69 - Carrier Supporting Carrier: CsC

Benefits of CsC; what do I need to do to enable CsC?; deployment models; security in CsC; deployment guideline; deployment scenarios.

Slide 70 - MPLS/VPN Networks without CsC

A large number of VPN routes at the PE may pose a limitation to the PE:
- Unwanted routing updates in the carrier's network => CPU + memory
- Label/prefix consumption at the PE => memory
- Scalability issue at the PE

Slide 71 - MPLS/VPN Networks without CsC

- The number of VPN routes is one of the biggest limiting factors in scaling the PE router; some SPs are running into this scaling limitation.
- If the number of VPN routes can be reduced (without losing functionality), the existing investment is protected: the same PE can still be used to connect more VPN customers.
- Carrier Supporting Carrier (CsC) provides the mechanism: enabling MPLS on the PE-CE link reduces the routes in each VRF to the customer carrier's internal routes.

Slide 72 - Benefits of CsC

- Provide transport for ISPs ($); no need to manage external routes from ISPs.
- Build an MPLS Internet Exchange (MPLS-IX) ($$).
- Media independence: POS/FDDI/PPP possible; higher speeds such as OC-192 or more.
- Operational benefits.
- Sell VPN service to subsidiary companies that themselves provide VPN service ($).

Slide 73 - What Do I Need to Enable CsC?

1. Build an MPLS-VPN enabled carrier's network.
2. Connect the ISP/SP's sites (or PoPs) to the carrier's PEs.
3. Exchange internal routes + labels between the carrier's PE and the ISP/SP's CE.
4. Exchange external routes directly between the ISP/SP's sites.

Slide 74 - CsC Deployment Models (figure)

- Carrier's MPLS core: PE1, P1, PE2; MP-iBGP for VPNv4 between the PEs; MPLS enabled on the VRF interfaces toward the customer carrier.
- ISP PoP Site-1 (CE-1, ASBR-1, R1) and ISP PoP Site-2 (CE-2, ASBR-2, R2, C1): IGP+LDP inside each site; internal routes = IGP routes.
- PE-CE link: IPv4 routes with label distribution.
- Full-mesh iBGP between the ISP sites (ASBR-1, ASBR-2) for external routes; ISP customers = external routes; the ASBRs connect to the INTERNET.

Slide 75 - CsC Deployment Models

1. Customer ISP not running MPLS
2. Customer ISP running MPLS
3. Customer ISP running MPLS-VPN
Models 1 and 2 are less common deployments; model 3 is discussed in detail.

Slide 76 - CsC: ISP Sites Are Running MPLS-VPN (Hierarchical MPLS-VPN), Control Plane

The customer carrier runs its own MPLS-VPN between ASBR_PE-1 (ISP PoP Site-1, serving VPN Site-1) and ASBR_PE-2 (ISP PoP Site-2, serving VPN Site-2). Two kinds of information are distributed:

ISP-internal route 30.1.61.25/32 (the ASBR_PE-1 loopback, i.e. the ISP's BGP next hop) with labels, from site-1 through the carrier to site-2:
- Site-1 IGP+LDP: ASBR_PE-1 advertises 30.1.61.25/32 with Label=pop (implicit null); R1 advertises it with NH=R1.
- CE-1 -> PE-1 (PE-CE label distribution): 30.1.61.25/32, NH=CE-1, Label=50.
- PE-1 -> PE2 (carrier MP-iBGP): 1:1:30.1.61.25/32, RT=1:1, NH=PE-1, Label=51; carrier IGP+LDP for PE-1: Label=16 (PE2 -> P1), Label=pop (P1 -> PE-1).
- PE2 -> CE-2: 30.1.61.25/32, NH=PE-2, Label=52.
- Site-2 IGP+LDP: 30.1.61.25/32, NH=CE-2, Label=60; then NH=C1, Label=70 toward ASBR_PE-2.

ISP VPN route (Network = VPN Site-1), exchanged directly between the ISP's PEs over their own MP-iBGP: ASBR_PE-1 -> ASBR_PE-2: 1:1:<prefix>, RT=1:1, NH=30.1.61.25, Label=90. The carrier never sees this update.

Slide 77 - CsC: ISP Sites Are Running MPLS-VPN (Hierarchical MPLS-VPN), Forwarding Plane

Packets from VPN Site-2 toward VPN Site-1 (labels per the figure): ASBR_PE-2 pushes the ISP VPN label 90 under transport label 70 for 30.1.61.25/32 -> C1 swaps 70 -> 60 -> CE-2 swaps 60 -> 52 -> PE2 swaps 52 -> 51 (the carrier's VPN label) and pushes its IGP label 16 toward PE-1 -> P1 pops 16 -> PE-1 swaps 51 -> 50 -> CE-1 pops 50 (implicit null from R1) -> R1 -> ASBR_PE-1 pops 90 and delivers the IP packet to VPN Site-1. The ISP's VPN label 90 is never examined by the carrier: the carrier switches only on the label for the ISP's internal prefix, so its PEs hold the ISP's internal routes, not the ISP's customers' VPN routes.

Slide 78 - Security Mechanism in CsC

- BGP/LDP MD5 authentication on the PE-CE link.
- To prevent label spoofing, the PE maintains the label <=> VRF table association and checks, during the LFIB lookup, that a received packet's label is the one that was allocated for the VRF of the interface it arrived on; if the check fails, the packet is dropped. A customer carrier's CE therefore cannot inject a label that belongs to another VRF (or to the global table) over its VRF interface.
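The check described on slide 78, as an added example written for this page (not Cisco IOS code and not from the original deck): a CsC PE that allocates labels per VRF and, on every labelled packet, compares the label's owning VRF with the VRF of the ingress interface. Interface names, VRF names, prefixes and label values are constructed for the example.

```python
"""Label-spoofing check on a CsC PE, added as an illustration of slide 78.

Example code written for this page, not Cisco IOS code. A CsC PE hands out
labels to the customer carrier's CE over a VRF interface. Slide 78 says the PE
keeps a label <=> VRF association and, at LFIB lookup, drops any packet whose
top label was not allocated for the VRF of the interface it arrived on. The
model below allocates labels per VRF and applies that check. Interface names,
VRF names, prefixes and label values are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class LfibEntry:
    vrf: str                  # VRF (or "global") the label was allocated for
    prefix: str               # FEC the label maps to
    out_label: Optional[int]  # None means pop (implicit null toward next hop)
    next_hop: str


Result = Tuple[str, str]      # ("forwarded", "<out labels> via <nh>") or ("dropped", reason)


class CscPe:
    def __init__(self) -> None:
        self.lfib: Dict[int, LfibEntry] = {}
        self.iface_vrf: Dict[str, str] = {}  # ingress interface -> VRF ("global" for core)
        self._next_label = 16                # first unreserved MPLS label

    def bind_interface(self, iface: str, vrf: str) -> None:
        self.iface_vrf[iface] = vrf

    def allocate(self, vrf: str, prefix: str, out_label: Optional[int], next_hop: str) -> int:
        """Allocate the label the PE advertises to the CE (over LDP or BGP+label)
        for a prefix learnt in 'vrf'; record which VRF owns it."""
        label = self._next_label
        self._next_label += 1
        self.lfib[label] = LfibEntry(vrf, prefix, out_label, next_hop)
        return label

    def receive(self, iface: str, labels: List[int]) -> Result:
        """Forward a labelled packet received on 'iface'. The slide-78 check is the
        comparison of the label's VRF against the ingress interface's VRF."""
        if iface not in self.iface_vrf:
            return ("dropped", "unknown interface")
        if not labels:
            return ("dropped", "unlabelled packet on a labelled CsC interface")
        top = labels[0]
        entry = self.lfib.get(top)
        if entry is None:
            return ("dropped", f"label {top} not in LFIB")
        ingress_vrf = self.iface_vrf[iface]
        if entry.vrf != ingress_vrf:
            # Spoofing attempt: label belongs to another VRF or to the global table.
            return ("dropped", f"label {top} allocated for {entry.vrf}, received in {ingress_vrf}")
        out = labels[1:] if entry.out_label is None else [entry.out_label] + labels[1:]
        return ("forwarded", f"{out} via {entry.next_hop}")


def build_pe() -> Tuple[CscPe, Dict[str, int]]:
    """Constructed PE: two customer carriers on VRF interfaces, one core interface."""
    pe = CscPe()
    pe.bind_interface("Serial0/0", "green")  # customer carrier A (ip vrf forwarding green)
    pe.bind_interface("Serial0/1", "blue")   # customer carrier B
    pe.bind_interface("Gig1/0", "global")    # core-facing interface
    labels = {
        # green's internal prefix, reached via the remote carrier PE with VPN label 51
        "green": pe.allocate("green", "30.1.61.25/32", 51, "PE2"),
        # same prefix in another carrier's VRF gets its own label
        "blue": pe.allocate("blue", "30.1.61.25/32", 77, "PE2"),
        "global": pe.allocate("global", "PE2/32", None, "P1"),
    }
    return pe, labels


def spoof_scenarios() -> Dict[str, Result]:
    """Legitimate packet from the green CE, then three spoofed top labels."""
    pe, labels = build_pe()
    return {
        "legit": pe.receive("Serial0/0", [labels["green"], 90]),
        "cross_vrf": pe.receive("Serial0/0", [labels["blue"], 90]),     # blue's label from green
        "into_global": pe.receive("Serial0/0", [labels["global"], 90]), # core label from a CE
        "unknown": pe.receive("Serial0/0", [1000, 90]),
    }


if __name__ == "__main__":
    for name, result in spoof_scenarios().items():
        print(f"{name}: {result[0]} ({result[1]})")
```

The inner label (90, the customer carrier's own VPN label) is carried through untouched, which is the hierarchical behaviour of slide 77; only the top label is validated, because that is the only one the PE allocated.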

Slide 79 - CsC Deployment Guideline

Two choices for deploying CsC:
  1. IGP+LDP on the PE-CE link, or
  2. eBGP IPv4 + label on the PE-CE link (RFC 3107).
The choice is driven by the routing protocol used on the PE-CE link. The CE has to run MPLS-aware code.

Slide 80 - CsC: IOS Commands/Configs, Choice 1 (LDP on the PE-CE link)

PE-1 (VRF interface):

  interface serial0/0
   ip vrf forwarding green
   mpls ip
   mpls ldp protocol ldp

Verification on PE-1:
  show mpls interfaces [vrf <name>] all
  show mpls ldp discovery [vrf <name>] all
  show mpls ldp bindings vrf <name>
  show mpls ip binding vrf <name>
  show mpls ldp neighbor [vrf <name>] all
  show mpls forwarding-table [vrf <name>]

CE-1:

  interface serial0/0
   mpls ip
   mpls ldp protocol ldp

Verification on CE-1:
  show mpls interfaces
  show mpls ldp discovery
  show mpls ldp bindings
  show mpls ldp neighbor
  show mpls forwarding-table

Slide 81 - CsC: IOS Commands/Configs, Choice 2 (eBGP+label on the PE-CE link)

PE-1 (VRF interface toward CE-1):

  router bgp 1
   address-family ipv4 vrf green
    neighbor 200.1.61.6 remote-as 2
    neighbor 200.1.61.6 activate
    neighbor 200.1.61.6 send-label

CE-1:

  router bgp 2
   neighbor 200.1.61.5 remote-as 1
   neighbor 200.1.61.5 send-label

1. No IGP needed on the PE-CE link.
2. No LDP needed on the PE-CE link.

Slide 82 - IOS Commands/Configs, Choice 2: eBGP+label on the PE-CE link, verification

On the PE:
  show ip bgp vpnv4 vrf <vrf> neighbors
  show ip bgp vpnv4 vrf <vrf> labels
  show mpls forwarding-table vrf <vrf>
On the CE:
  show ip bgp neighbors
  show ip bgp labels
  show mpls forwarding-table

Slide 83 - Agenda (repeat; next section: Best Practices)

Slide 84 - Best Practices

1. Use RRs to scale BGP.
2. Deploy RRs in pairs for redundancy.
3. Keep RRs out of the forwarding paths and disable CEF on them (saves memory).
4. Consider a unique RD per VRF per PE if load sharing of VPN traffic is required.
5. RT and RD should have the ASN in them, i.e. ASN:X. Reserve the first few hundred values of X for internal purposes such as filtering.
6. Don't use customer names as VRF names; it is a nightmare for the NOC. Use a simple combination of numbers and characters in the VRF name, for example v101, v102, v201, v202, and use the description field.
7. Define an upper limit at the PE on the number of prefixes received from the CE for each VRF or neighbour: a route limit in the VRF configuration (maximum routes under ip vrf), and maximum-prefix per neighbor within the BGP VRF address family (if BGP is used on the PE-CE link).

Slide 85 - Conclusion

- MPLS VPN is a cheaper alternative to traditional L2VPN.
- MPLS-VPN paves the way for new revenue streams: VPN customers can outsource their layer 3 to the provider.
- Straightforward to configure an any-to-any VPN topology; partial-mesh and hub&spoke topologies can also be deployed easily.
- CsC and Inter-AS can be used to expand into new markets.
- VRF-aware services can be deployed to maximize the investment.

Slide 86 - Complete Your Online Session Evaluation

Complete an online session evaluation at the Internet stations located throughout the Convention Center; your name is entered into a daily drawing (four winners per day, posted on the onsite Networkers website, http://www.networkers04.com/desktop).

Slide 87 - Q & A. Thanks for your time. Eval: http://www.networkers04.com/desktop

BACKUP SLIDES (slide 89)

Slide 90 - Scenario 1: Back-to-back VRF, Control Plane

VRF-to-VRF connectivity between the ASBRs: each ASBR has a VPN-B VRF that imports routes with route-target 1:1, and the two VRFs peer with each other like an ordinary PE-CE link.
  1. CE-2 -> PE-1: BGP, OSPF or RIPv2, NH=CE-2.
  2. PE-1 -> ASBR-1 (VPNv4 update): RD 1:27:<prefix>, NH=PE-1, RT=1:1, Label=29.
  3. ASBR-1 VRF -> ASBR-2 VRF: plain routing protocol (BGP, OSPF or RIPv2) over the VRF-to-VRF link.
  4. ASBR-2 -> PE-2 (VPNv4 update): RD 1:27:<prefix>, NH=ASBR-2, RT=1:1, Label=92.
  5. PE-2 -> CE-3: BGP, OSPF or RIPv2, NH=PE-2.

Slide 91 - Scenario 1: Back-to-back VRF, Forwarding Plane

Packets from CE-3 toward CE-2: PE-2 pushes VPN label 92 plus the IGP label via P2; ASBR-2 pops 92 and forwards a plain IP packet to ASBR-1 over the VRF-to-VRF link (IP packets between the ASBRs); ASBR-1 looks the destination up in its VPN-B VRF and pushes 29 plus IGP label 30 via P1; PE-1 pops 29 and delivers the IP packet to CE-2.

Pros:
- Per-customer QoS is possible.
- Simple and elegant: no need to load the Inter-AS code (but still not widely deployed).
Cons:
- Not scalable: the number of interfaces on both ASBRs is directly proportional to the number of VRFs.
- No end-to-end MPLS.
- Unnecessary memory consumed in RIB/(L)FIB.
- Dual-homing of the ASBR makes provisioning worse.

Slide 92 - Cisco IOS Configuration, Scenario 1: Back-to-Back VRF between ASBRs

ASBR1 (AS #1) and ASBR2 (AS #2) are connected on 1.1.1.0/30; VRF routes are exchanged via any routing protocol (BGP shown). The 1.1.1.0/30 interface itself must be placed in the VRF with "ip vrf forwarding green".

ASBR VRF and BGP configuration:

  ip vrf green
   rd 1:1
   route-target both 1:1
  !
  router bgp <local ASN>
   address-family ipv4 vrf green
    neighbor 1.1.1.x remote-as <peer ASN>
    neighbor 1.1.1.x activate

Note: the ASBR must already have an MP-iBGP session with its iBGP neighbours such as RRs or PEs.

Slide 93 - IOS Configuration, Scenario 2.5: Multi-Hop MP-eBGP for VPNv4 between ASBRs

ASBR1 (AS #1) and ASBR2 (AS #2) run IGP & LDP on the serial link and peer MP-eBGP between their loopbacks:

  interface serial 0
   ip address 1.1.1.x 255.255.255.252
   mpls ldp protocol ldp
  !
  router bgp <local ASN>
   no bgp default route-target filter
   neighbor <ASBR-x> remote-as <peer ASN>
   neighbor <ASBR-x> update-source loopback0
   neighbor <ASBR-x> ebgp-multihop
   !
   address-family vpnv4
    neighbor <ASBR-x> activate
    neighbor <ASBR-x> send-community extended

"mpls ip" must also be enabled on the serial interface for LDP to run there, and the loopbacks must be reachable via the IGP for the multihop session to come up.

Slide 94 - Scenario 4: Non-VPN Transit Provider

- Two MPLS VPN providers may exchange routes via one or more transit providers, which may be non-VPN transit backbones just running MPLS.
- Multihop MP-eBGP is deployed between the edge providers, with the exchange of BGP next hops (with labels) via the transit provider.

Slide 95 - Option 4: Non-VPN Transit Provider (figure)

MPLS VPN Provider #1 (RR-1, ASBR-1, a PE with CE-2 in VPN-B) - Non-VPN MPLS Transit Backbone (ASBR-2, ASBR-3) - MPLS VPN Provider #2 (ASBR-4, RR-2, PE2 with CE-3 in VPN-B). Within each VPN provider: iBGP IPv4 + labels. Between ASBR-1/ASBR-2 and ASBR-3/ASBR-4: eBGP IPv4 + labels. Between RR-1 and RR-2: multihop MP-eBGP (or MP-iBGP) for VPNv4 with next-hop-unchanged.

Slide 96 - Route-Target Rewrite at the ASBR

The ASBR can add/delete the route-targets associated with a VPNv4 prefix. This secures the VPN environment: the peer provider's RT values are translated into locally chosen ones at the border, so a remote RT can never match a local VRF's import policy by accident.

  router bgp 1000
   neighbor 1.1.1.1 route-map route-target-rewrite out
  !
  ip extcommunity-list 101 permit rt 100:100
  !
  route-map route-target-rewrite permit 10
   match extcommunity 101
   set extcomm-list 101 delete
   set extcommunity rt 123:123 additive

Two corrections to the slide as presented: it referred to the route-map under two names (route-target-deletion on the neighbor, route-target-delete in the definition), and the two must match. Also, a route-map whose only sequence carries a match clause ends in an implicit deny, so any VPNv4 route without RT 100:100 is dropped by this policy; add a further "route-map route-target-rewrite permit 20" with no match clause if the remaining routes should pass unchanged.
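The policy on slide 96, together with the scenario-2 caveat from slide 60 that the ASBR must replace the disabled automatic route-target filter with explicit BGP filtering, as an added example written for this page (not Cisco IOS code and not from the original deck). It models the slide's route-map on VPNv4 updates, shows the implicit-deny behaviour of a single-clause route-map, and adds an RT allow-list. Prefixes, RDs, labels and the allow-list are constructed.

```python
"""Route-target rewrite and filtering on an Inter-AS ASBR, added as an
illustration of slide 96 (RT rewrite) and of the slide-60 caveat that, with
'no bgp default route-target filter', BGP filtering has to be applied instead.
Example code written for this page, not Cisco IOS code.

It models the slide's route-map: routes carrying RT 100:100 (extcommunity-list
101) have that RT deleted and RT 123:123 added. It also shows that a route-map
whose only sequence has a match clause denies every other route (implicit
deny), and an allow-list that drops routes whose RTs the local AS never agreed
to accept. Prefixes, RDs, labels and the allow-list are constructed.
"""
from dataclasses import dataclass, field, replace
from typing import Dict, List, Optional, Set


@dataclass
class Vpnv4Route:
    rd: str
    prefix: str
    next_hop: str
    label: int
    rts: Set[str] = field(default_factory=set)  # extended communities of type RT


@dataclass
class RouteMapSeq:
    """One 'route-map <name> permit|deny <seq>' clause."""
    action: str                                        # "permit" or "deny"
    match_rts: Optional[Set[str]] = None               # 'match extcommunity <list>': any RT in list
    delete_rts: Set[str] = field(default_factory=set)  # 'set extcomm-list <list> delete'
    add_rts: Set[str] = field(default_factory=set)     # 'set extcommunity rt ... additive'


def apply_route_map(seqs: List[RouteMapSeq], route: Vpnv4Route) -> Optional[Vpnv4Route]:
    """Return the (possibly rewritten) route, or None if the route-map denies it."""
    for seq in seqs:
        if seq.match_rts is not None and not (route.rts & seq.match_rts):
            continue                                   # clause does not match, try the next one
        if seq.action == "deny":
            return None
        new = replace(route, rts=set(route.rts))       # never mutate the received update
        new.rts -= seq.delete_rts
        new.rts |= seq.add_rts
        return new
    return None                                        # end of route-map: implicit deny


EXTCOMM_LIST_101 = {"100:100"}

# Exactly what slide 96 configures: a single clause, no catch-all.
SLIDE_MAP = [RouteMapSeq("permit", match_rts=EXTCOMM_LIST_101,
                         delete_rts=EXTCOMM_LIST_101, add_rts={"123:123"})]

# Same rewrite plus 'route-map ... permit 20' with no match clause, so other routes pass.
REWRITE_AND_PASS = SLIDE_MAP + [RouteMapSeq("permit")]

# Constructed allow-list: the RTs this AS actually uses (ASN:X per the deployment guidelines).
LOCAL_RTS = {"123:123", "1000:1", "1000:2"}


def rt_allowlist(route: Optional[Vpnv4Route]) -> Optional[Vpnv4Route]:
    """Explicit BGP filtering in place of the automatic RT filter: drop any route
    that still carries an RT outside the local set."""
    if route is None or not route.rts <= LOCAL_RTS:
        return None
    return route


def demo() -> Dict[str, Optional[Vpnv4Route]]:
    peer_route = Vpnv4Route("100:27", "149.27.2.0/24", "1.1.1.1", 20, {"100:100"})
    other_route = Vpnv4Route("100:28", "10.9.0.0/16", "1.1.1.1", 21, {"100:200"})
    return {
        "rewritten": apply_route_map(SLIDE_MAP, peer_route),
        "dropped_by_slide_map": apply_route_map(SLIDE_MAP, other_route),
        "passed_unchanged": apply_route_map(REWRITE_AND_PASS, other_route),
        "filtered": rt_allowlist(apply_route_map(REWRITE_AND_PASS, other_route)),
        "accepted": rt_allowlist(apply_route_map(REWRITE_AND_PASS, peer_route)),
    }


if __name__ == "__main__":
    for name, route in demo().items():
        print(name, "->", route)
```

Rewriting alone is not a filter: "passed_unchanged" shows a foreign RT (100:200) surviving the permissive map, which is why the allow-list (or an equivalent RT-based policy on the VPNv4 session) belongs next to the rewrite on an ASBR that has route-target filtering disabled.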