MPLS/VPN Overview
2009 Cisco Systems, Inc. All rights reserved.
Legal Notice

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS DOCUMENT ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED AS IS WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

CCDE, CCENT, CCSI, Cisco Eos, Cisco HealthPresence, the Cisco logo, Cisco Lumin, Cisco Nexus, Cisco Nurse Connect, Cisco Stackpower, Cisco StadiumVision, Cisco TelePresence, Cisco WebEx, DCE, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn and Cisco Store are service marks; and Access Registrar, Aironet, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, EtherFast, EtherSwitch, Event Center, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, iQuick Study, IronPort, the IronPort logo, LightStream, Linksys, MediaTone, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries. All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company.

Copyright 2009 Cisco Systems, Inc. All rights reserved.
Agenda
- Major VPN topologies
- MPLS/VPN architecture: connection model
- MPLS/VPN configuration samples
- MPLS/VPN topologies
- MPLS/VPN show commands
Major VPN Topologies
MPLS-VPN: What is a VPN?
- An IP network infrastructure delivering private network services over a public (shared) infrastructure
- Uses a layer 3 backbone
- Scalability, easy provisioning
- Supports global as well as non-unique (overlapping) private address space
- QoS
- Controlled access
- Easy configuration for customers
Major VPN topologies: three major categorizations
- Topology categorization
- Business categorization
- Connectivity categorization
Topology categorization
Overlay VPNs are categorized based on the topology of the virtual circuits:
- Hub and spoke
- Partial mesh
- Full mesh
VPN business categorization
- Intranet VPN: connects sites within an organization
- Extranet VPN: connects different organizations in a secure way
- Access VPN (VPDN): provides dial-up access into a customer network
- Internet VPN: provides Internet access to sites
VPN connectivity categorization
- Simple VPN: every site can communicate with every other site
- Overlapping VPN: some sites participate in more than one simple VPN
- Central services VPN: all sites can communicate with central servers, but not with each other
- Managed network: a dedicated VPN is established to manage the CE routers
MPLS/VPN Architecture: Connection Model
MPLS/VPN model (figure)
CE Router -- PE Router -- P Router -- PE Router -- CE Router. The CE routers belong to the VPN sites (C-network); the PE and P routers form the provider backbone (P-network).
MPLS/VPN terminology
- Provider network (P-network): backbone under the control of the service provider
- Customer network (C-network): network under VPN customer control
- CE router: part of the C-network; interfaces to a PE router
- PE router: part of the P-network; interfaces to CE routers
- P router: provider (core) router without knowledge of VPNs
- Site: set of (sub)networks which are part of the customer network and co-located, connected to the MPLS/VPN backbone through one or more PE/CE links
MPLS VPN protocols
- OSPF/IS-IS: used as the IGP; provides reachability between all label switch routers (PE <-> P <-> PE)
- TDP/LDP: distributes label information for IP destinations in the core
- MP-BGP4: used to distribute VPN routing information between PEs
- RIPv2/BGP/OSPF/static/EIGRP: can be used to route between PE and CE
VPN components
- VRF tables: hold customer routes at the PE
- Route distinguisher (RD): allows MP-BGP to distinguish between identical customer routes that are in different VPNs
- Route targets (RTs): used to import and export routes between different VRF tables (creates intranets and extranets)
- Route maps: allow finer granularity and control when importing and exporting routes between VRFs, instead of matching on the route target alone
MPLS VPN operation (figure: CE -- PE -- P -- P -- PE -- CE; the PEs exchange RD + prefix, VPN label and RTs over MP-BGP)
- Customer routes are placed into separate VRF tables at each PE
- The IGP (OSPF, IS-IS) establishes reachability to the destination PEs; the label distribution protocol establishes label mappings for the IGP addresses
- CE-PE dynamic routing (or static routes) populates the VRF routing tables
- MP-BGP between PEs distributes the VPN routes; each route carries an RD, a VPN label and one or more RTs
- The receiving PE imports a route into a VRF if the route targets match (export RT = import RT)
VPN Routing & Forwarding Instance (VRF)
- PE routers maintain separate routing tables:
  - the global routing table contains all PE and P routes (and perhaps BGP routes); it is populated by the VPN backbone IGP
  - a VRF (VPN routing & forwarding) table is a routing and forwarding table associated with one or more directly connected sites (CE routers)
- A VRF can be associated with any type of interface, logical or physical (e.g. sub-interfaces, virtual or tunnel interfaces)
- Interfaces may share the same VRF if the connected sites share the same routing information
- A VRF can be thought of as a virtual router
MPLS VPN: VRFs and multiple routing instances
- Routing processes (BGP, RIP, static) run within specific routing contexts
- Each context populates a specific VRF routing table and FIB
- Interfaces are assigned to VRFs
(figure: routing processes -> routing contexts -> VRF routing tables -> VRF forwarding tables)
MPLS VPN: OSPF and single routing instances
- OSPF has no routing contexts: a separate OSPF process is run per VRF (one process per VRF)
- Each process populates its own VRF routing table and VRF forwarding table
MPLS VPN connection model (figure: PE -- P -- P -- PE with the VPN backbone IGP in the core and an MP-iBGP session between the PEs)
- Edge routers (PE routers):
  - use MPLS with P routers and IP with CE routers
  - connect to both CE and P routers
  - distribute VPN information through MP-BGP to other PE routers as VPN-IPv4 addresses, extended communities and labels
- P routers:
  - are in the core of the MPLS cloud
  - do not need to run BGP and need no VPN knowledge
  - forward packets by looking at labels
- P and PE routers share a common IGP
VRF: Virtual Routing and Forwarding Instance (figure: VPN site 1 and VPN site 2 CEs attach to a PE over eBGP, OSPF, RIPv2 or static routes; the MPLS backbone runs an IGP such as OSPF or IS-IS)
- The PE installs the routes learned from CE routers in the appropriate VRF routing table(s)
- The PE installs the IGP (backbone) routes in the global routing table
- VPN customers can use overlapping IP addresses
VRF route distribution
- PE routers distribute local VPN information across the MPLS/VPN backbone through MP-iBGP, redistributing from the VRF into BGP
- The receiving PE imports the routes into the attached VRFs
(figure: Site -- CE Router -- PE -- P Router -- PE -- CE Router -- Site, with an MP-iBGP session between the two PEs)
MP-BGP4
- Propagates VPN routing information
- Customer routes are held in VPN routing and forwarding tables (VRFs)
- Only runs on provider edge routers: P routers are not aware of VPNs, only of labels
- PEs are fully meshed; route reflectors should be considered
MP-iBGP update (RFC 2858, multiprotocol extensions for BGP-4)
- VPN-IPv4 address:
  - Route distinguisher: makes the IPv4 route globally unique
  - IPv4 address (32 bits)
- Extended community attribute (64 bits):
  - Route target (RT): identifies the destination sites
  - RTs act as filters: the RT export tags routes according to the export criteria; the RT import selects the routes to import
MPLS VPN connection model: MP-BGP update
- Any other standard BGP attribute: Local Preference, MED, Next-hop, AS_PATH, standard community, ...
- A label identifying either:
  - the outgoing interface, or
  - the VRF where a lookup has to be done (aggregate label)
- The BGP label will be the second (bottom) label in the label stack of packets travelling in the core
MPLS VPN control plane: MP-BGP update components
MP-iBGP update with RD, RT and label:
  RD (8 bytes) | IPv4 prefix (4 bytes) | Route-Target (8 bytes) | Label (3 bytes)
  1:1          | 10.1.1.0              | 2:2                    | 50
  The RD and the IPv4 prefix together form the 12-byte VPNv4 address.

Route distinguisher (RD)
- To convert an IPv4 address into a VPNv4 address, the RD is prepended to the IPv4 address, i.e. 1:1:10.1.1.0
- Makes the customer's IPv4 route globally unique
- Each VRF must be configured with an RD at the PE; the RD is what defines the VRF:
  ip vrf v1
   rd 1:1

Route target (RT)
- Identifies the VRF(s) into which the received VPNv4 prefix is imported
- It is an 8-byte extended community (a BGP attribute)
- Each VRF is configured with RT(s) at the PE; the RT "colours" the prefix:
  ip vrf v1
   route-target import 1:1
   route-target export 1:2

Label
- The label for the VPNv4 prefix is assigned only by the PE whose address is the Next-Hop attribute
- PE routers rewrite the Next-Hop with their own address (loopback): next-hop-self towards MP-iBGP neighbours by default
- PE addresses used as BGP Next-Hop must be uniquely known in the backbone IGP: DO NOT summarize the PE loopback addresses in the core. If the /32 is summarized, the LDP label binding is for the summary and the LSP ends at the summarizing router, which knows nothing about the VPN label underneath
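The following Python is an added example, not code from the Cisco slides, that packs and unpacks the three update components above as they are carried on the wire: a type 0 route distinguisher (RFC 4364), a two-octet-AS route-target extended community (RFC 4360) and a labelled VPN-IPv4 NLRI. It assumes type 0 RDs in the 1:1 form the slides use, and uses constructed values (RDs 1:1 and 2:2, prefix 10.1.1.0/24, label 100) to show that two customers announcing the same prefix remain distinct only because of the RD.

```python
import ipaddress
import struct


# Type 0 RD: 2-byte type (0), 2-byte administrator (ASN), 4-byte assigned number.
# Only type 0, the "1:1" form used on the slides, is handled here (assumption).
def encode_rd(rd: str) -> bytes:
    admin, assigned = (int(x) for x in rd.split(":"))
    return struct.pack("!HHI", 0, admin, assigned)


def decode_rd(data: bytes) -> str:
    rd_type, admin, assigned = struct.unpack("!HHI", data)
    if rd_type != 0:
        raise ValueError(f"unsupported RD type {rd_type}")
    return f"{admin}:{assigned}"


# Route target: two-octet-AS-specific extended community, type 0x00, sub-type 0x02 (RFC 4360).
def encode_route_target(rt: str) -> bytes:
    asn, local = (int(x) for x in rt.split(":"))
    return struct.pack("!BBHI", 0x00, 0x02, asn, local)


def decode_route_target(data: bytes) -> str:
    etype, subtype, asn, local = struct.unpack("!BBHI", data)
    if (etype & 0x3F, subtype) != (0x00, 0x02):
        raise ValueError("not a two-octet-AS route target")
    return f"{asn}:{local}"


# Labelled VPN-IPv4 NLRI as carried in MP_REACH_NLRI:
#   length in bits (1 octet) | label (3 octets, bottom-of-stack bit set) | RD (8 octets) | prefix octets
def encode_vpnv4_nlri(rd: str, prefix: str, label: int) -> bytes:
    net = ipaddress.IPv4Network(prefix)
    plen = net.prefixlen
    label_field = ((label << 4) | 0x1).to_bytes(3, "big")      # 20-bit label, BoS=1
    prefix_octets = net.network_address.packed[: (plen + 7) // 8]
    return bytes([24 + 64 + plen]) + label_field + encode_rd(rd) + prefix_octets


def decode_vpnv4_nlri(data: bytes):
    plen = data[0] - 24 - 64
    label = int.from_bytes(data[1:4], "big") >> 4
    rd = decode_rd(data[4:12])
    octets = data[12: 12 + (plen + 7) // 8]
    addr = int.from_bytes(octets + bytes(4 - len(octets)), "big")
    return rd, str(ipaddress.IPv4Network((addr, plen))), label


def vpnv4_key(rd: str, prefix: str) -> str:
    """The VPNv4 address written the way the slides do, e.g. 1:1:10.1.1.0/24."""
    return f"{rd}:{prefix}"


def overlapping_routes_stay_distinct() -> bool:
    """Two customers both announce 10.1.1.0/24 with the same label; only the RD octets differ."""
    a = encode_vpnv4_nlri("1:1", "10.1.1.0/24", 100)
    b = encode_vpnv4_nlri("2:2", "10.1.1.0/24", 100)
    return a != b and a[1:4] == b[1:4] and a[12:] == b[12:]


if __name__ == "__main__":
    nlri = encode_vpnv4_nlri("1:1", "10.1.1.0/24", 100)
    print(nlri.hex(), decode_vpnv4_nlri(nlri))
    print(encode_route_target("100:1").hex(), overlapping_routes_stay_distinct())
```

The 12-byte VPNv4 length the slides quote is visible here as the 8 RD octets plus the 4 prefix octets; the length octet counts label, RD and prefix bits, so a /24 is announced as 112 bits.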
MPLS VPN control plane: putting it all together (figure: Site 1, 10.10.1.0/24, behind CE1 and PE1; Site 2 behind CE2 and PE2; P routers in the MPLS backbone)
1) PE1 receives an IPv4 update from CE1 (eBGP, OSPF, EIGRP): 10.10.1.0/24, next hop CE1
2) PE1 translates it into a VPNv4 address:
   - prepends the RD configured on the VRF
   - assigns an RT per the VRF configuration (RT=Green)
   - rewrites the Next-Hop attribute to itself (PE1)
   - assigns a label based on the VRF and/or interface (label 100)
3) PE1 sends the MP-iBGP UPDATE to the other PE routers: RD:10.10.1.0/24, next hop PE1, RT=Green, label 100
4) PE2 receives it and checks whether RT=Green is configured as an import RT in any local VRF; if yes,
5) PE2 translates the VPNv4 prefix back into an IPv4 prefix, installs it into the VRF routing table, updates the VRF CEF table with label 100 for 10.10.1.0/24, and advertises the IPv4 prefix to CE2 (eBGP, OSPF, EIGRP) with next hop PE2
MPLS VPN forwarding plane (figure: Site 2 -> CE2 -> PE2 -> P1 -> P2 -> exit PE -> CE1 -> Site 1, 10.1.1.0/24)
Tables consulted when PE2 forwards a packet to 10.1.1.1:
- VRF Green forwarding table on PE2 (show ip cef vrf Green): 10.1.1.0/24 -> BGP next hop = exit PE, VPN label 100
- Global forwarding table on PE2 (show ip cef): exit PE loopback -> next hop P1, label 50
- Global forwarding table on P1: exit PE loopback -> next hop P2, label 25
The global forwarding table (show ip cef) on PE routers stores the IGP routes and their associated labels, distributed through LDP/TDP. The VRF forwarding table (show ip cef vrf <vrf>) stores the VPN routes and their associated labels, distributed through MP-BGP.

PE2 imposes TWO labels on each packet going to the VPN destination 10.1.1.1:
- The top label is learned via LDP and derived from an IGP route; it represents the LSP to the exit PE address (the exit point of the VPN route)
- The second label is learned via MP-BGP and corresponds to the VPN address
Label stacks along the path: CE2 -> PE2: IP packet; PE2 -> P1: {50, 100}; P1 -> P2: {25, 100}; P2 -> exit PE: {100} (top label popped by the penultimate hop); exit PE -> CE1: IP packet
Two levels of labels
Frame layout (e.g. HDLC or PPP): L2 header | Label 1 | Label 2 | L3 header | Data
- The first-level label follows the L2 header and defines the destination PE
- The second-level label precedes the L3 header and defines the egress point on that PE (outgoing interface or VRF)

MPLS VPN forwarding: MPLS-VPN uses TWO labels
- The level 1 label is the TDP/LDP label, derived from an IGP route; it corresponds to a PE address (the VPN egress point). PE addresses are the MP-BGP next hops of the VPN routes
- The level 2 label is the MP-BGP label; it corresponds to the actual VPN route and identifies the PE outgoing interface or routing table

MPLS VPN summary: switching layer and penultimate hop popping (figure: CE1 -> PE1 -> P1 -> P2 -> PE2 -> CE2)
- PE1 receives the IP packet from CE1. A lookup in the site VRF finds a BGP route with next hop PE2 and label (intCE2). A lookup in the global table finds that the BGP next hop PE2 is reachable through an IGP route with an associated IGP label. PE1 sends {IGP label (PE2), label (intCE2), IP packet}
- P routers switch the packets based on the IGP label (the label on top of the stack): P1 swaps it and forwards {IGP label (PE2), label (intCE2), IP packet}
- Penultimate hop popping: P2 removes the top label (PE2 requested this through LDP by advertising implicit-null for its own address) and forwards {label (intCE2), IP packet}
- PE2 receives the packet with only the label corresponding to the outgoing interface (VRF): one single lookup; the label is popped and the IP packet is sent to the IP neighbour CE2
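As an added example that is not part of the slides, the Python below models the forwarding path just described: the ingress PE performs the two lookups and imposes two labels, P routers act only on the top label, the penultimate P pops it because the egress PE advertised implicit-null, and the egress PE makes a single lookup on the VPN label. Label values (50, 25, 100) and the hop names follow the figures; the tables, interface names and payload are constructed, and TTL propagation is left out.

```python
import ipaddress
import struct

IMPLICIT_NULL = 3   # label a PE advertises via LDP for its own address to request penultimate hop popping


def encode_label(label: int, ttl: int, bottom: bool) -> bytes:
    """One 32-bit label stack entry: label(20) | traffic class(3, zero here) | S(1) | TTL(8)."""
    return struct.pack("!I", (label << 12) | (int(bottom) << 8) | ttl)


def parse_stack(frame: bytes):
    """Return (labels, payload), reading entries until the bottom-of-stack bit is set."""
    labels, pos = [], 0
    while True:
        entry, = struct.unpack("!I", frame[pos:pos + 4])
        labels.append(entry >> 12)
        pos += 4
        if (entry >> 8) & 1:
            return labels, frame[pos:]


def build_frame(labels, payload: bytes, ttl: int = 255) -> bytes:
    return b"".join(encode_label(l, ttl, i == len(labels) - 1) for i, l in enumerate(labels)) + payload


# Constructed tables modelled on the figure: PE2 ingress, P1, P2, exit PE for Site 1.
VRF_GREEN_FIB = {"10.1.1.0/24": ("PE-exit", 100)}     # show ip cef vrf Green: prefix -> (BGP next hop, VPN label)
INGRESS_GLOBAL_FIB = {"PE-exit": (50, "to-P1")}       # show ip cef: PE loopback -> (LDP label, interface)
P1_LFIB = {50: (25, "to-P2")}                          # swap 50 -> 25
P2_LFIB = {25: (IMPLICIT_NULL, "to-PE-exit")}          # penultimate hop: pop instead of swap
EXIT_PE_LFIB = {100: "Se0 (VRF Green, towards CE1)"}  # VPN label -> outgoing interface


def pe_ingress(dst_ip: str, payload: bytes) -> bytes:
    """VRF lookup gives VPN label + BGP next hop; global lookup on that next hop gives the IGP label."""
    dst = ipaddress.IPv4Address(dst_ip)
    matches = [(ipaddress.IPv4Network(p), v) for p, v in VRF_GREEN_FIB.items()
               if dst in ipaddress.IPv4Network(p)]
    if not matches:
        raise LookupError(f"{dst_ip} is not in VRF Green")
    _net, (next_hop, vpn_label) = max(matches, key=lambda m: m[0].prefixlen)   # longest match
    igp_label, _iface = INGRESS_GLOBAL_FIB[next_hop]
    return build_frame([igp_label, vpn_label], payload)        # IGP label on top, VPN label below


def p_switch(lfib: dict, frame: bytes) -> bytes:
    """P routers look at the top label only: swap it, or pop it when the egress asked for implicit null."""
    labels, payload = parse_stack(frame)
    out_label, _iface = lfib[labels[0]]
    rest = labels[1:] if out_label == IMPLICIT_NULL else [out_label] + labels[1:]
    return build_frame(rest, payload)


def pe_egress(frame: bytes):
    """After PHP only the VPN label is left: a single lookup, pop, and the IP packet goes to the CE."""
    labels, payload = parse_stack(frame)
    if len(labels) != 1:
        raise ValueError(f"expected exactly one VPN label, got {labels}")
    return EXIT_PE_LFIB[labels[0]], payload


def trace(dst_ip: str, payload: bytes) -> list:
    """Label stack after each hop, then the exit interface and whether the payload survived intact."""
    f1 = pe_ingress(dst_ip, payload)
    f2 = p_switch(P1_LFIB, f1)
    f3 = p_switch(P2_LFIB, f2)
    iface, out = pe_egress(f3)
    return [parse_stack(f1)[0], parse_stack(f2)[0], parse_stack(f3)[0], iface, out == payload]


if __name__ == "__main__":
    for step in trace("10.1.1.1", b"constructed IP packet to 10.1.1.1"):
        print(step)
```

Note that P1 and P2 never consult the VPN label, which is the property that lets P routers stay ignorant of the VRFs.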
MPLS/VPN Configuration Samples
MPLS VPN sample configuration: VRF definition (Site 1, 10.1.1.0/24, CE1 attached on Serial0; PE address 192.168.10.1)
  ip vrf VPN-A
   rd 1:1
   route-target export 100:1
   route-target import 100:1
  !
  interface Serial0
   ip vrf forwarding VPN-A
   ip address 192.168.10.1 255.255.255.0
Note the order: ip vrf forwarding removes any IP address already configured on the interface, so the address is applied after it.

PE-P configuration (Serial1 towards the P router)
  interface Serial1
   ip address 130.130.1.1 255.255.255.252
   mpls ip
  !
  router ospf 1
   network 130.130.1.0 0.0.0.3 area 0
MPLS VPN sample configuration: MP-iBGP between PE and route reflector
PE2 (peering with the RR at 1.2.3.4):
  router bgp 1
   neighbor 1.2.3.4 remote-as 1
   neighbor 1.2.3.4 update-source loopback 0
   !
   address-family vpnv4
    neighbor 1.2.3.4 activate
    neighbor 1.2.3.4 send-community both
RR (peering with PE2 at 1.2.3.6):
  router bgp 1
   no bgp default route-target filter
   neighbor 1.2.3.6 remote-as 1
   neighbor 1.2.3.6 update-source loopback0
   !
   address-family vpnv4
    neighbor 1.2.3.6 activate
    neighbor 1.2.3.6 route-reflector-client
Without no bgp default route-target filter the RR, which has no VRFs and therefore no import route targets of its own, would discard every VPNv4 route it receives instead of reflecting it.
MPLS VPN sample configuration: PE-CE BGP (Site 1, 10.1.1.0/24; CE1 192.168.10.2, PE 192.168.10.1)
  router bgp 1
   address-family ipv4 vrf VPN-A
    neighbor 192.168.10.2 remote-as 2
    neighbor 192.168.10.2 activate
   exit-address-family

PE-CE OSPF (same site): a separate OSPF process per VRF, alongside the backbone process
  router ospf 1
  !
  router ospf 2 vrf VPN-A
   network 192.168.10.0 0.0.0.255 area 0
MPLS VPN sample configuration: PE-CE RIP (Site 1, 10.1.1.0/24; CE1 192.168.10.2, PE 192.168.10.1)
  router rip
   address-family ipv4 vrf VPN-A
    version 2
    no auto-summary
    network 192.168.10.0
   exit-address-family

PE-CE EIGRP (same site)
  router eigrp 1
   address-family ipv4 vrf VPN-A
    network 192.168.10.0 0.0.0.255
    autonomous-system 1
   exit-address-family
MPLS VPN sample configuration: PE-CE static (Site 1, 10.1.1.0/24; CE1 192.168.10.2)
  ip route vrf VPN-A 10.1.1.0 255.255.255.0 192.168.10.2

PE-CE: MP-iBGP routes towards the VPN site (RIP example)
  router rip
   address-family ipv4 vrf VPN-A
    version 2
    redistribute bgp 1 metric 1
    no auto-summary
    network 192.168.10.0
   exit-address-family
If the PE-CE protocol is not BGP, the other sites' VPN routes learned through MP-iBGP must be redistributed from BGP into the PE-CE protocol.
MPLS VPN sample configuration: PE-RR (VPN routes into VPNv4)
  router bgp 1
   neighbor 1.2.3.4 remote-as 1
   neighbor 1.2.3.4 update-source loopback 0
   !
   address-family ipv4 vrf VPN-A
    redistribute {rip | connected | static | eigrp | ospf}
If the PE-CE protocol is not BGP, the routes learned from the CE must be redistributed from the PE-CE protocol into MP-iBGP so that the other sites receive them.
VPN Services: Intranet, Extranet, Internet
MPLS/VPN intranet
Definition: consists of sites of the same customer that share information.
Intranet topologies assume that the customer uses a single addressing scheme, so that no address overlap can occur.
MPLS/VPN intranet: different models
- Any-to-any, a.k.a. full mesh
- Central (hub & spoke with no connectivity between spokes)
- Hub & spoke (with connectivity between spokes, through the hub)
MPLS/VPN intranet: any-to-any model (figures)
MPLS/VPN intranet: central model (figures)
MPLS/VPN intranet: hub & spoke model (figures)
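The Python below is an added example, not part of the slides, that simulates route-target export and import to build the per-VRF tables for the three intranet models above, which are also the simple and central-services cases of the connectivity categorization earlier in the deck. RT values (100:1, 100:10, 100:20), PE names and prefixes are constructed. The hub & spoke variant with spoke-to-spoke connectivity assumes the common two-VRF hub design (one hub VRF imports the spokes, the hub CE re-advertises what it learned over a second link into a hub VRF that exports with the hub RT); the slides' own diagrams for it were not reproduced here.

```python
from dataclasses import dataclass, field


@dataclass
class Vrf:
    name: str
    rd: str
    export_rt: frozenset
    import_rt: frozenset
    local: set = field(default_factory=set)   # prefixes learned from the attached CE


@dataclass(frozen=True)
class Vpnv4Route:
    rd: str
    prefix: str
    next_hop: str      # the advertising PE (its loopback)
    rts: frozenset     # route targets attached on export


def export_routes(pe: str, vrf: Vrf) -> set:
    """'route-target export': tag every local route of the VRF and hand it to MP-BGP."""
    return {Vpnv4Route(vrf.rd, p, pe, vrf.export_rt) for p in vrf.local}


def import_routes(vrf: Vrf, bgp_table: set) -> dict:
    """'route-target import': a VPNv4 route enters the VRF if ANY of its RTs is in the import list.
    The RD is dropped on import, so the VRF holds plain IPv4 prefixes. Returns prefix -> next hop."""
    return {r.prefix: r.next_hop for r in bgp_table if r.rts & vrf.import_rt}


def build_tables(pes: dict) -> dict:
    """pes maps a PE name to its list of VRFs. Returns (pe, vrf name) -> imported routes."""
    bgp_table = set()
    for pe, vrfs in pes.items():
        for vrf in vrfs:
            bgp_table |= export_routes(pe, vrf)
    return {(pe, v.name): import_routes(v, bgp_table) for pe, vrfs in pes.items() for v in vrfs}


def any_to_any() -> dict:
    """Every site exports and imports the same RT, so every VRF learns every other site."""
    rt = frozenset({"100:1"})
    return build_tables({
        "PE1": [Vrf("VPN-A", "100:1", rt, rt, {"10.1.0.0/16"})],
        "PE2": [Vrf("VPN-A", "100:1", rt, rt, {"10.2.0.0/16"})],
        "PE3": [Vrf("VPN-A", "100:1", rt, rt, {"10.3.0.0/16"})],
    })


def central_services() -> dict:
    """Central model: spokes export the spoke RT and import the hub RT; the hub does the reverse.
    Spokes therefore reach the hub only, never each other."""
    hub, spoke = frozenset({"100:10"}), frozenset({"100:20"})
    return build_tables({
        "PE-hub": [Vrf("HUB", "100:1", hub, spoke, {"10.0.0.0/16"})],
        "PE1": [Vrf("SPOKE", "100:1", spoke, hub, {"10.1.0.0/16"})],
        "PE2": [Vrf("SPOKE", "100:1", spoke, hub, {"10.2.0.0/16"})],
    })


def hub_and_spoke() -> dict:
    """Hub & spoke with spoke-to-spoke traffic via the hub (assumed two-VRF hub design).
    HUB-IN imports the spokes; the hub CE re-advertises what it learned into HUB-OUT, which
    exports it with the hub RT, so every spoke learns the others with next hop PE-hub."""
    hub, spoke, none =  frozenset({"100:10"}), frozenset({"100:20"}), frozenset()
    spokes = {
        "PE1": [Vrf("SPOKE", "100:1", spoke, hub, {"10.1.0.0/16"})],
        "PE2": [Vrf("SPOKE", "100:1", spoke, hub, {"10.2.0.0/16"})],
    }
    hub_in = Vrf("HUB-IN", "100:11", none, spoke)
    learned = build_tables({**spokes, "PE-hub": [hub_in]})[("PE-hub", "HUB-IN")]   # what the hub CE sees
    hub_out = Vrf("HUB-OUT", "100:12", hub, none, {"10.0.0.0/16"} | set(learned))
    return build_tables({**spokes, "PE-hub": [hub_in, hub_out]})


if __name__ == "__main__":
    for model in (any_to_any, central_services, hub_and_spoke):
        print(model.__name__, model())
```

A site that belongs to two simple VPNs (the overlapping case) is just a VRF whose import list contains both RTs; no other mechanism is involved.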
MPLS/VPN extranet
The creation of an extranet is simply a matter of exchanging routes between the VPNs of two or more customers (each side imports the other's route target).
Major differences from central or hub & spoke intranets:
- Security: the exchange crosses an organizational boundary, so the routes and traffic exchanged must be filtered (ACLs)
- IP address overlap: the customers may use overlapping address space, in which case Network Address Translation is required
MPLS/VPN Internet
Two major design models when Internet access is offered on an MPLS/VPN backbone:
- Internet routing implemented as yet another VPN, or
- Internet routing implemented through global routing on the PE routers
The major benefit of implementing Internet access as a separate VPN: increased isolation between the provider backbone and the Internet (the global routing table of the P and PE routers carries no Internet routes), hence increased security.
The obvious drawback of running the Internet as a VPN: scalability. Every Internet route becomes a 12-byte VPNv4 route (plus a label) instead of a 4-byte IPv4 route.
MPLS/VPN Internet in a VPN: two further options
1. Shared Internet access for all VPNs: firewalling, address translation or caching is done at common gateway points managed by the service provider. Main drawback: security, since all VPN customers share the same DMZ.
2. Internet access with per-VPN DMZs (demilitarized zones).
(figures: option 1, shared Internet access for all VPNs; option 2, Internet access with per-VPN DMZs)
MPLS/VPN Internet through global routing
1. VRF-specific default route
   1.1 A static default route moves traffic from the VRF to the Internet (global routing table)
   1.2 Static routes for the VPN customer prefixes move traffic from the Internet (global routing table) into the VRF
2. Separate (non-VRF) PE-CE sub-interface; may run BGP to propagate Internet routes between PE and CE
MPLS/VPN Internet through global routing: VRF-specific default route (configuration)
(figure: Site 1, 172.68.0.0/16, CE1 -- Serial0 -- PE (loopback 192.168.1.2) -- MPLS backbone -- ASBR/Internet gateway 192.168.1.1 -- Internet)
  ip vrf VPN-A
   rd 100:1
   route-target both 100:1
  !
  interface Serial0
   ip vrf forwarding VPN-A
   ip address 192.168.10.1 255.255.255.0
  !
  router bgp 100
   no bgp default ipv4-unicast
   redistribute static
   neighbor 192.168.1.1 remote-as 100
   neighbor 192.168.1.1 update-source loopback0
   neighbor 192.168.1.1 activate
   neighbor 192.168.1.1 next-hop-self
  !
  ip route vrf VPN-A 0.0.0.0 0.0.0.0 192.168.1.1 global
  ip route 172.68.0.0 255.255.0.0 Serial0
- A default route pointing to the ASBR is installed into the site VRF at each PE; the global keyword makes the next hop resolve in the global routing table
- A single label is used for packets forwarded according to the default route: the IGP label corresponding to the ASBR address, known via the IGP
- The static route for the customer prefix, pointing to the VRF interface, is installed in the global routing table and redistributed into BGP so that the Internet side can reach the site
(ip vrf forwarding is applied before the IP address: it removes any address already on the interface.)
MPLS/VPN Internet through global routing: VRF-specific default route (forwarding)
Outbound (Site 1 -> Internet): the IP packet to Cisco.com enters the VRF on Serial0; the VRF table has 0.0.0.0/0 -> 192.168.1.1 (global); the global table resolves 192.168.1.1/32 to label 30; the packet crosses the backbone with that single IGP label and reaches the Internet gateway, which forwards it to the Internet as a plain IP packet.
Inbound (Internet -> 172.68.1.1): the Internet gateway's global table has 172.68.0.0/16 -> 192.168.1.2 (the PE), reachable with label 35; the PE's global table has 172.68.0.0/16 -> Serial0 (the VRF interface), so the packet is delivered into Site 1.
Tables:
- PE global routing/FIB table: 192.168.1.1/32 -> label 30; 172.68.0.0/16 -> Serial0
- PE VRF routing/FIB table: 0.0.0.0/0 -> 192.168.1.1 (global); Site 1 prefixes -> Serial0
- Internet gateway global table and LFIB: 192.168.1.2/32 -> label 35; 172.68.0.0/16 -> 192.168.1.2; Internet routes -> Internet-facing interface
Pros:
- Different Internet gateways can be used for different VRFs
- PE routers need not hold the Internet table
- Simple configuration
Cons:
- Using a default route for Internet routing does NOT allow any other default route for intra-VPN routing
- The global routing table grows because VPN routes are leaked into it
- Static configuration
MPLS/VPN Internet through global routing: separate sub-interface (configuration)
(figure: Site 1, 172.68.0.0/16, CE1 connected to the PE over two Frame Relay sub-interfaces, S0.1 for the VPN and S0.2 for the Internet; PE 192.168.1.2, ASBR/Internet gateway 192.168.1.1; BGP-4 between PE and CE for Internet routes)
  ip vrf VPN-A
   rd 100:1
   route-target both 100:1
  !
  interface Serial0.1
   ip vrf forwarding VPN-A
   ip address 192.168.20.1 255.255.255.0
   frame-relay interface-dlci 100
  !
  interface Serial0.2
   ip address 172.68.10.1 255.255.255.0
   frame-relay interface-dlci 200
  !
  router bgp 100
   no bgp default ipv4-unicast
   [snip]
   neighbor 172.68.10.2 remote-as 502
- One sub-interface, for VPN routing, is associated with the VRF
- The other sub-interface, for Internet routing, stays in the global routing table
- The PE could advertise the full Internet table or just a default route to the CE
- The PE will need to advertise the VPN (customer) routes to the Internet via the global routing table
MPLS/VPN Internet through global routing: separate sub-interface (forwarding)
The CE routing table holds the VPN routes via Serial0.1 and the Internet routes via Serial0.2, so the CE separates the traffic. A packet to Cisco.com arrives on Serial0.2, is looked up in the PE global table and FIB (Internet routes -> 192.168.1.1, label 30), crosses the backbone with a single IGP label and reaches the Internet gateway, which forwards it to the Internet.
Pros:
- The CE could dual-home and perform optimal routing
- Traffic separation is done by the CE
Cons:
- The PE has to hold the full Internet table (in its global table) if it is to advertise full routes to CEs
- BGP complexity is introduced on the CE
- The global routing table grows because VPN routes are leaked into it
MPLS-VPN Show Commands
MPLS VPN control plane: MP-BGP label flow
(figure: CE-1, loopback 5.5.5.5/32, attached on Ser2/0 to the PE whose Loop0 is 10.13.1.61/32; P1 in the MPLS backbone; PE2 on the far side)
- The PE attached to CE-1 advertises 5.5.5.5/32 over MP-iBGP: "use label 20 to reach CE-1"
- PE2: "OK, I will use label 20 to reach CE-1 in VRF v1, and I already have IGP label 2003 for the next hop 10.13.1.61"
On the PE attached to CE-1 (10.13.1.61), verify label 20 in both BGP and the LFIB:
  #sh ip bgp vpnv4 vrf v1 labels | i 5.5.5.5
     Network          Next Hop      In label/Out label
     5.5.5.5/32       172.1.61.6      20/nolabel
  #sh mpls forwarding | i 5.5.5.5
  Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
  tag    tag or VC   or Tunnel Id      switched   interface
  20     Untagged    5.5.5.5/32[V]     0          Se2/0      point2point
On PE2, verify label 20 in both BGP and the FIB (BGP label 20 from the remote PE, IGP label 2003 towards 10.13.1.61):
  PE2#sh ip bgp vpnv4 vrf v1 labels | i 5.5.5.5
     Network          Next Hop      In label/Out label
     5.5.5.5/32       10.13.1.61      nolabel/20
  PE2#sh ip cef vrf v1 5.5.5.5
  5.5.5.5/32, version 10, epoch 0, cached adjacency to Serial2/0
  0 packets, 0 bytes
    tag information set
      local tag: VPN-route-head
      fast tag rewrite with Se2/0, point2point, tags imposed: {2003 20}
    via 10.13.1.61, 0 dependencies, recursive
      next hop 10.13.2.5, Serial2/0 via 10.13.1.61/32
      valid cached adjacency
      tag rewrite with Se2/0, point2point, tags imposed: {2003 20}
In tags imposed: {2003 20}, 2003 is the IGP (LDP) label and 20 is the BGP (VPN) label.
MPLS VPN control plane: PE-CE interface and VRF
(figure: CE1 -- Ser2/0 -- PE (Loop0 10.13.1.61/32) -- P1 -- RR1 -- MPLS backbone -- PE2 -- Ser2/0 -- CE-2; provider AS 1)
  ip vrf v1
   rd 1:1
   import map rajiva-import
   export map rajiva-export
   route-target export 1:1
   route-target import 1:1
   route-target import 3:3
  !
  interface Serial2/0
   ip vrf forwarding v1
   ip address 172.1.61.5 255.255.255.252
show ip vrf detail lists the interface(s) associated with VRF v1, the configured import and export route targets, and the export or import map if one is configured:
  #sh ip vrf detail v1
  VRF v1; default RD 1:1; default VPNID <not set>
    Interfaces:
      Serial2/0
    Connected addresses are not in global routing table
    Export VPN route-target communities
      RT:1:1
    Import VPN route-target communities
      RT:1:1                   RT:3:3
    Import route-map: rajiva-import
    Export route-map: rajiva-export
  #sh ip route vrf v1 connected
       172.1.61.0/30 is subnetted, 1 subnets
  C       172.1.61.4 is directly connected, Serial2/0
MPLS VPN control plane: PE-CE protocol (eBGP to CE1)
(figure: CE1 -- Ser2/0 -- PE 10.13.1.61/32 -- P1 -- RR1 10.13.1.21/32 -- MPLS backbone -- PE2 10.13.1.62/32 -- Ser2/0 -- CE-2; provider AS 1)
  router bgp 1
   address-family ipv4 vrf v1
    redistribute connected
    neighbor 172.1.61.6 remote-as 65000
    neighbor 172.1.61.6 activate
    neighbor 172.1.61.6 as-override
    no auto-summary
   exit-address-family
as-override replaces the customer AS (65000) in the AS_PATH with the provider AS when advertising to the CE, so that sites which all use AS 65000 do not reject each other's routes as AS-path loops.
The summary lists all the eBGP neighbours, i.e. the CEs, in VRF v1:
  #sh ip bgp vpnv4 vrf v1 summary
  BGP router identifier 10.13.1.61, local AS number 1
  BGP table version is 2818, main routing table version 2818
  3 network entries using 363 bytes of memory
  3 path entries using 192 bytes of memory
  8 BGP path attribute entries using 480 bytes of memory
  1 BGP extended community entries using 24 bytes of memory
  [...rest deleted...]
  BGP activity 19/12 prefixes, 1402/1394 paths, scan interval 15 secs

  Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
  172.1.61.6      4 65000    5544    5540     2818    0    0 00:04:39        4
MPLS VPN control plane: PE-CE protocol, routes received from the CE (same PE-CE BGP configuration as above)
  #sh ip bgp vpnv4 vrf v1 neighbors 172.1.61.6 routes
  BGP table version is 2835, local router ID is 10.13.1.61
  Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
  Origin codes: i - IGP, e - EGP, ? - incomplete

     Network          Next Hop            Metric LocPrf Weight Path
  Route Distinguisher: 1:1 (default for vrf v1)
  *> 5.5.5.5/32       172.1.61.6               0             0 65000 ?
  *> 10.1.61.4/30     172.1.61.6               0             0 65000 ?
  *> 10.30.30.1/32    172.1.61.6               0             0 65000 ?
  *  172.1.61.4/30    172.1.61.6               0             0 65000 ?

  Total number of prefixes 4
These are the BGP routes received from the CE in VRF v1. 172.1.61.4/30 is valid but not best: the PE prefers its own locally sourced (connected) route for the PE-CE link.
MPLS VPN control plane: PE-CE protocol, BGP table of VRF v1 (same PE-CE BGP configuration as above)
  #sh ip bgp vpnv4 vrf v1
  BGP table version is 26, local router ID is 10.13.1.61
  Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                r RIB-failure, S Stale
  Origin codes: i - IGP, e - EGP, ? - incomplete

     Network          Next Hop            Metric LocPrf Weight Path
  Route Distinguisher: 1:1 (default for vrf v1)
  *> 5.5.5.5/32       172.1.61.6               0             0 65000 ?
  *> 10.1.61.4/30     172.1.61.6               0             0 65000 ?
  *> 10.30.30.1/32    172.1.61.6               0             0 65000 ?
  *  172.1.61.4/30    172.1.61.6               0             0 65000 ?
  *> 0.0.0.0                                   0         32768 ?
These are the BGP routes in VRF v1, from the CE and from other PEs; entries with weight 32768 are sourced locally (redistributed) on this PE.
MPLS VPN control plane: PE-CE protocol, detail of one prefix (same PE-CE BGP configuration as above)
  #sh ip bgp vpnv4 vrf v1 172.1.61.4
  BGP routing table entry for 1:1:172.1.61.4/30, version 24
  Paths: (2 available, best #2, table v1)
    Advertised to non peer-group peers:
    172.1.61.6
    65000
      172.1.61.6 from 172.1.61.6 (20.20.20.1)
        Origin incomplete, metric 0, localpref 100, valid, external
        Extended Community: RT:1:1
    Local
      0.0.0.0 from 0.0.0.0 (10.13.1.61)
        Origin incomplete, metric 0, localpref 100, weight 32768, valid, sourced, best
        Extended Community: RT:1:1
Both paths carry the export route target RT:1:1 configured on VRF v1; the locally sourced (connected) path is best. Routes in the BGP table of VRF v1 come from CEs and from other PEs.
MPLS VPN control plane: PE-CE protocol, routes and labels in the BGP table of VRF v1 (same PE-CE BGP configuration as above)
  #sh ip bgp vpnv4 vrf v1 labels
     Network          Next Hop      In label/Out label
  Route Distinguisher: 1:1 (v1)
     0.0.0.0          0.0.0.0         26/aggregate(v1)
     5.5.5.5/32       172.1.61.6      27/nolabel
     10.1.61.4/30     172.1.61.6      28/nolabel
     10.30.30.1/32    172.1.61.6      29/nolabel
     172.1.61.4/30    172.1.61.6      30/nolabel
                      0.0.0.0         30/aggregate(v1)
The In label is the VPN label this PE allocated and advertises to the other PEs. nolabel in the Out label column means the route was learned from the CE over plain IP; aggregate(v1) marks locally sourced routes for which the PE removes the label and performs an IP lookup in VRF v1.
MPLS VPN control plane: PE-CE protocol, LFIB (same PE-CE BGP configuration as above)
  #sh mpls forwarding vrf v1
  Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
  tag    tag or VC   or Tunnel Id      switched   interface
  27     Untagged    5.5.5.5/32[V]     0          Se2/0      point2point
  28     Untagged    10.1.61.4/30[V]   0          Se2/0      point2point
  29     Untagged    10.30.30.1/32[V]  0          Se2/0      point2point
  30     Aggregate   172.1.61.4/30[V]  0
Routes learned from CEs go into the LFIB under the local label allocated by BGP; [V] marks VRF routes. Untagged means the label is popped and the packet is sent as IP towards the CE; Aggregate means an additional IP lookup in the VRF is performed after the label is removed.
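The following Python is an added example, not from the slides, that cross-checks the two outputs an operator compares when a VPN route is advertised but does not forward: show ip bgp vpnv4 vrf v1 labels (the labels BGP allocated) against show mpls forwarding vrf v1 (the labels the LFIB actually programs). The sample output is modelled on the slides' VRF v1 output and is constructed: the LFIB sample here also lists the default-route aggregate label 26 so that the two views are complete and consistent, and a tampered copy shows what a mismatch looks like.

```python
# Constructed sample output, modelled on the slides' "sh ip bgp vpnv4 vrf v1 labels".
BGP_LABELS = """\
   Network          Next Hop      In label/Out label
Route Distinguisher: 1:1 (v1)
   0.0.0.0          0.0.0.0         26/aggregate(v1)
   5.5.5.5/32       172.1.61.6      27/nolabel
   10.1.61.4/30     172.1.61.6      28/nolabel
   10.30.30.1/32    172.1.61.6      29/nolabel
   172.1.61.4/30    172.1.61.6      30/nolabel
                    0.0.0.0         30/aggregate(v1)
"""

# Constructed sample output, modelled on the slides' "sh mpls forwarding vrf v1" (label 26 added).
LFIB = """\
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
26     Aggregate   0.0.0.0/0[V]      0
27     Untagged    5.5.5.5/32[V]     0          Se2/0      point2point
28     Untagged    10.1.61.4/30[V]   0          Se2/0      point2point
29     Untagged    10.30.30.1/32[V]  0          Se2/0      point2point
30     Aggregate   172.1.61.4/30[V]  0
"""


def norm_prefix(p: str) -> str:
    """Strip the [V] VRF marker and write the default route as 0.0.0.0/0 in both outputs."""
    p = p.replace("[V]", "")
    return "0.0.0.0/0" if p == "0.0.0.0" else p


def parse_bgp_labels(text: str) -> list:
    """Rows of (prefix, next_hop, in_label, out_label). IOS prints a further path for the same
    prefix with the Network column blank, so the previous prefix is carried over."""
    rows, prefix = [], None
    for line in text.splitlines():
        toks = line.split()
        if not toks or "/" not in toks[-1]:        # header and RD lines have no in/out label pair
            continue
        if len(toks) == 3:
            prefix = norm_prefix(toks[0])
        elif len(toks) != 2:
            continue
        in_label, out_label = toks[-1].split("/", 1)
        rows.append((prefix, toks[-2], in_label, out_label))
    return rows


def parse_lfib(text: str) -> dict:
    """Local label -> (outgoing action, prefix) from 'show mpls forwarding'."""
    entries = {}
    for line in text.splitlines():
        toks = line.split()
        if len(toks) >= 3 and toks[0].isdigit():
            entries[int(toks[0])] = (toks[1], norm_prefix(toks[2]))
    return entries


def check_labels(bgp_text: str, lfib_text: str) -> list:
    """Every local label BGP hands out for a VRF route must be programmed in the LFIB for the same
    prefix, and a locally sourced path (aggregate in BGP) must be an Aggregate entry in the LFIB.
    Returns a list of human-readable discrepancies; empty means the two views agree."""
    lfib = parse_lfib(lfib_text)
    by_prefix = {}
    for prefix, _next_hop, in_label, out_label in parse_bgp_labels(bgp_text):
        if in_label.isdigit():                     # a local label means this PE originates the route
            by_prefix.setdefault((prefix, int(in_label)), set()).add(out_label)
    problems = []
    for (prefix, label), outs in by_prefix.items():
        entry = lfib.get(label)
        if entry is None:
            problems.append(f"{prefix}: BGP local label {label} is not in the LFIB")
            continue
        action, lfib_prefix = entry
        if lfib_prefix != prefix:
            problems.append(f"label {label}: BGP has {prefix} but LFIB has {lfib_prefix}")
        want_aggregate = any(o.startswith("aggregate") for o in outs)
        if want_aggregate != (action == "Aggregate"):
            problems.append(f"{prefix}: BGP out-label {sorted(outs)} does not match LFIB action {action}")
    return problems


if __name__ == "__main__":
    print("consistent:", check_labels(BGP_LABELS, LFIB))
    print("tampered:  ", check_labels(BGP_LABELS, LFIB.replace("29     Untagged", "31     Untagged")))
```

Run it against the two commands' real output (pasted into the two strings) on a PE; a non-empty result points at the prefix whose label programming to investigate before looking at the remote PE or the core.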
MPLS VPN Control Plane: PE-RR

Diagram: CE1 - Ser2/0 - PE (Loop0 10.13.1.61/32) - P1 - RR1 - Ser2/0 - PE2 - CE-2, inside the AS#1 MPLS backbone.

PE configuration (MP-BGP VPNv4 session to RR1):

router bgp 1
 bgp router-id 10.13.1.61
 neighbor 10.13.1.21 remote-as 1
 neighbor 10.13.1.21 update-source Lo0
 address-family vpnv4
  neighbor 10.13.1.21 activate
  neighbor 10.13.1.21 send-community both

RR1 configuration (VPNv4 session to the PE):

router bgp 1
 bgp router-id 10.13.1.21
 neighbor 10.13.1.61 remote-as 1
 neighbor 10.13.1.61 update-source Lo0
 address-family vpnv4
  neighbor 10.13.1.61 activate
  neighbor 10.13.1.61 send-community both
  neighbor 10.13.1.61 route-reflector-client

#sh ip bgp vpnv4 all summary
BGP router identifier 10.13.1.61, local AS number 1
BGP table version is 26, main routing table version 26
5 network entries using 605 bytes of memory
6 path entries using 384 bytes of memory
..deleted..
BGP using 1361 total bytes of memory
BGP activity 26/20 prefixes, 1428/1421 paths, scan interval 15 secs

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.13.1.21      4     1    6240    7612       26    0    0 00:28:00        1
172.1.61.6      4 65000    5594    5596       26    0    0 00:31:22        4

Note: on a PE, this summary lists not only the MP-BGP (VPNv4) peers but also the CE peers.
MPLS VPN Control Plane: RR-PE

Diagram: CE1 - Ser2/0 - PE (Loop0 10.13.1.61/32) - P1 - RR1 - Ser2/0 - PE2 (Loop0 10.13.1.62/32) - CE-2, inside the AS#1 MPLS backbone.

RR1 configuration (VPNv4 session to PE2):

router bgp 1
 bgp router-id 10.13.1.21
 neighbor 10.13.1.62 remote-as 1
 neighbor 10.13.1.62 update-source Lo0
 address-family vpnv4
  neighbor 10.13.1.62 activate
  neighbor 10.13.1.62 send-community both
  neighbor 10.13.1.62 route-reflector-client

PE2 configuration (VPNv4 session to RR1):

router bgp 1
 bgp router-id 10.13.1.62
 neighbor 10.13.1.21 remote-as 1
 neighbor 10.13.1.21 update-source Lo0
 address-family vpnv4
  neighbor 10.13.1.21 activate
  neighbor 10.13.1.21 send-community both

RR1#sh ip bgp vpnv4 all labels
   Network          Next Hop      In label/out label
Route Distinguisher: 1:1
   5.5.5.5/32       10.13.1.61    nolabel/27
   10.1.61.4/30     10.13.1.61    nolabel/28
   10.30.30.1/32    10.13.1.61    nolabel/29
   172.1.61.4/30    10.13.1.61    nolabel/30
   192.1.62.4/30    10.13.1.62    nolabel/25
RR1#
RR1#sh mpls forwarding
Local  Outgoing    Prefix             Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id       switched   interface
RR1#

Note: the RR shouldn't allocate any local label; hence its LFIB shouldn't have any VPN prefix.
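The label outputs on the PE-CE and RR-PE slides encode a rule worth checking mechanically: a PE allocates a local (in) label for every route it originates into the VPN and none for routes it learns from another PE, while a route reflector allocates none at all. The following parser and check are an added example, not code from this deck; the three sample outputs are transcribed from the slides (the PE at 10.13.1.61, RR1, and PE2), and the role names "pe" and "rr" are this example's own convention.

```python
"""Check VPN label allocation from 'show ip bgp vpnv4 ... labels' output.

Added example, not code from the Cisco deck. The three outputs below are
transcribed from the slides: the PE connected to CE1 (VRF v1), RR1, and PE2.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

PE_LABELS = """\
   Network          Next Hop      In label/out label
Route Distinguisher: 1:1 (v1)
   0.0.0.0          0.0.0.0       26/aggregate(v1)
   5.5.5.5/32       172.1.61.6    27/nolabel
   10.1.61.4/30     172.1.61.6    28/nolabel
   10.30.30.1/32    172.1.61.6    29/nolabel
   172.1.61.4/30    172.1.61.6    30/nolabel
                    0.0.0.0       30/aggregate(v1)
"""

RR1_LABELS = """\
   Network          Next Hop      In label/out label
Route Distinguisher: 1:1
   5.5.5.5/32       10.13.1.61    nolabel/27
   10.1.61.4/30     10.13.1.61    nolabel/28
   10.30.30.1/32    10.13.1.61    nolabel/29
   172.1.61.4/30    10.13.1.61    nolabel/30
   192.1.62.4/30    10.13.1.62    nolabel/25
"""

PE2_LABELS = """\
   Network          Next Hop      In label/out label
Route Distinguisher: 1:1 (v1)
   5.5.5.5/32       10.13.1.61    nolabel/27
   10.1.61.4/30     10.13.1.61    nolabel/28
   10.30.30.1/32    10.13.1.61    nolabel/29
   172.1.61.4/30    10.13.1.61    nolabel/30
   192.1.62.4/30    0.0.0.0       25/aggregate(v1)
"""


@dataclass
class LabelEntry:
    rd: str
    prefix: str
    next_hop: str
    in_label: Optional[int]   # local label this box allocated; None for "nolabel"
    out_label: str            # "nolabel", "aggregate(v1)" or the remote PE's label

    @property
    def originated_here(self) -> bool:
        # A numeric out label means the route was learned from another PE via MP-BGP.
        return not self.out_label.isdigit()


LABEL_RE = re.compile(r"^(\S+)/(\S+)$")


def parse_labels(output: str) -> List[LabelEntry]:
    """Turn the IOS table into entries; a 2-token line is an extra path for the previous prefix."""
    entries: List[LabelEntry] = []
    rd = prefix = ""
    for line in output.splitlines():
        if line.startswith("Route Distinguisher:"):
            rd = line.split()[2]
            continue
        tokens = line.split()
        if len(tokens) == 3:
            prefix, next_hop, labels = tokens
        elif len(tokens) == 2:
            next_hop, labels = tokens
        else:
            continue                      # column header or blank line
        m = LABEL_RE.match(labels)
        if not m:
            continue
        in_lbl, out_lbl = m.groups()
        entries.append(LabelEntry(rd, prefix, next_hop,
                                  int(in_lbl) if in_lbl.isdigit() else None, out_lbl))
    return entries


def local_labels(entries: List[LabelEntry]) -> List[int]:
    return sorted({e.in_label for e in entries if e.in_label is not None})


def check_role(entries: List[LabelEntry], role: str) -> List[str]:
    """Return allocation problems for a box that is a 'pe' or an 'rr'.

    PE: every route it originates (connected/redistributed or CE-learned) needs a
    local label, and a route learned from a remote PE must NOT get one.
    RR: never allocates a local label, since it never forwards VPN traffic.
    """
    problems = []
    for e in entries:
        has_local = e.in_label is not None
        if role == "rr" and has_local:
            problems.append(f"RR allocated local label {e.in_label} for {e.rd}:{e.prefix}")
        elif role == "pe" and e.originated_here and not has_local:
            problems.append(f"PE has no local label for originated route {e.rd}:{e.prefix}")
        elif role == "pe" and not e.originated_here and has_local:
            problems.append(f"PE allocated local label {e.in_label} for remote route {e.rd}:{e.prefix}")
    return problems


if __name__ == "__main__":
    for name, text, role in (("PE", PE_LABELS, "pe"), ("RR1", RR1_LABELS, "rr"), ("PE2", PE2_LABELS, "pe")):
        ents = parse_labels(text)
        print(name, "local labels:", local_labels(ents), "problems:", check_role(ents, role))
```

Running the check over the three slide outputs reports no problems; running it with role "rr" against PE2's output flags label 25, which is exactly the kind of misrole a reflector that accidentally has a VRF configured would show.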
MPLS VPN Control Plane: PE

Diagram: CE1 - Ser2/0 - PE (Loop0 10.13.1.61/32) - P1 - RR1 - Ser2/0 - PE2 (Loop0 10.13.1.62/32) - CE-2, inside the AS#1 MPLS backbone.

PE2 configuration (VPNv4 session to RR1):

router bgp 1
 bgp router-id 10.13.1.62
 neighbor 10.13.1.21 remote-as 1
 neighbor 10.13.1.21 update-source Lo0
 address-family vpnv4
  neighbor 10.13.1.21 activate
  neighbor 10.13.1.21 send-community both

PE2#sh ip bgp vpnv4 all summary
BGP router identifier 10.13.1.62, local AS number 1
BGP table version is 96, main routing table version 96
5 network entries using 605 bytes of memory
5 path entries using 320 bytes of memory
1 BGP extended community entries using 24 bytes of memory
..deleted..
BGP activity 25/19 prefixes, 36/30 paths, scan interval 15 secs

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.13.1.21      4     1    6219    6188       96    0    0 4d07h           4
192.1.62.6      4 65000    6185    6220       96    0    0 4d07h           0
PE2#

Notes: the 10.13.1.21 row is RR1 and the 192.1.62.6 row is CE2. CE2 is not advertising any prefix to PE2 (PfxRcd 0).
MPLS VPN Control Plane: PE

Diagram: CE1 - Ser2/0 - PE (Loop0 10.13.1.61/32) - P1 - RR1 - Ser2/0 - PE2 (Loop0 10.13.1.62/32) - CE-2, inside the AS#1 MPLS backbone.

PE2 configuration (VPNv4 session to RR1):

router bgp 1
 bgp router-id 10.13.1.62
 neighbor 10.13.1.21 remote-as 1
 neighbor 10.13.1.21 update-source Lo0
 address-family vpnv4
  neighbor 10.13.1.21 activate
  neighbor 10.13.1.21 send-community both

PE2#sh ip bgp vpnv4 vrf v1
BGP table version is 96, local router ID is 10.13.1.62
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 1:1 (default for vrf v1)
*>i5.5.5.5/32       10.13.1.61               0    100      0 65000 ?
*>i10.1.61.4/30     10.13.1.61               0    100      0 65000 ?
*>i10.30.30.1/32    10.13.1.61               0    100      0 65000 ?
*>i172.1.61.4/30    10.13.1.61               0    100      0 ?
*> 192.1.62.4/30    0.0.0.0                  0         32768 ?
PE2#

Note: PE2 receives 4 routes from 10.13.1.61 (via RR1).
MPLS VPN Control Plane: PE

Diagram: CE1 - Ser2/0 - PE (Loop0 10.13.1.61/32) - P1 - RR1 - Ser2/0 - PE2 (Loop0 10.13.1.62/32) - CE-2, inside the AS#1 MPLS backbone.

PE2 configuration (VPNv4 session to RR1):

router bgp 1
 bgp router-id 10.13.1.62
 neighbor 10.13.1.21 remote-as 1
 neighbor 10.13.1.21 update-source Lo0
 address-family vpnv4
  neighbor 10.13.1.21 activate
  neighbor 10.13.1.21 send-community both

PE2#sh ip bgp vpnv4 vrf v1 labels
   Network          Next Hop      In label/out label
Route Distinguisher: 1:1 (v1)
   5.5.5.5/32       10.13.1.61    nolabel/27
   10.1.61.4/30     10.13.1.61    nolabel/28
   10.30.30.1/32    10.13.1.61    nolabel/29
   172.1.61.4/30    10.13.1.61    nolabel/30
   192.1.62.4/30    0.0.0.0       25/aggregate(v1)
PE2#

Note: the out label column is the VPN label (also called the BGP label) allocated by the remote PE.
MPLS VPN Control Plane: PE

Diagram: CE1 - 172.1.61.4/30 - Ser2/0 - PE (Loop0 10.13.1.61/32) - P1 - RR1 - Ser2/0 - PE2 (Loop0 10.13.1.62/32) - 192.1.62.4/30 - CE-2, inside the AS#1 MPLS backbone.

PE2 configuration (eBGP session to CE2 in VRF v1):

router bgp 1
 address-family ipv4 vrf v1
  redistribute connected
  neighbor 192.1.62.6 remote-as 65000
  neighbor 192.1.62.6 activate
  neighbor 192.1.62.6 as-override
  no auto-summary
 exit-address-family

PE2#sh ip bgp vpnv4 vrf v1 172.1.61.4
BGP routing table entry for 1:1:172.1.61.4/30, version 95
Paths: (1 available, best #1, table v1)
  Advertised to non peer-group peers:
  192.1.62.6
  Local
    10.13.1.61 (metric 75) from 10.13.1.21 (10.13.1.21)
      Origin incomplete, metric 0, localpref 100, valid, internal, best
      Extended Community: RT:1:1
      Originator: 10.13.1.61, Cluster list: 10.13.1.21
PE2#

Notes: 1:1:172.1.61.4/30 is the VPNv4 address (RD + IPv4 prefix); "table v1" shows the prefix is imported into VRF v1; the path is received from RR1 (10.13.1.21); RT:1:1 is the route target carried as an extended community. 172.1.61.4 is accepted since its RT=1:1 matches the import RT of VRF v1 on PE2.
MPLS VPN Control Plane: PE

Diagram: CE1 - 172.1.61.4/30 - Ser2/0 - PE (10.13.1.61/32) - P1 - RR1 - Ser2/0 - PE2 (10.13.1.62/32) - Eth0/0 - CE-2, inside the AS#1 MPLS backbone.

PE2 VRF definition:

ip vrf v1
 rd 1:1
 route-target both 1:1

PE2#sh ip route vrf v1 172.1.61.4
Routing entry for 172.1.61.4/30
  Known via "bgp 1", distance 200, metric 0, type internal
  Last update from 10.13.1.61 00:03:42 ago
  Routing Descriptor Blocks:
  * 10.13.1.61 (Default-IP-Routing-Table), from 10.13.1.21, 00:03:42 ago
      Route metric is 0, traffic share count is 1
      AS Hops 0
PE2#
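The two slides above show the import decision in action: PE2 accepts 1:1:172.1.61.4/30 because the RT:1:1 extended community on the route matches the import RT that "route-target both 1:1" configures for VRF v1, and the RD 1:1 plays no part in that decision. The following model of that step is an added example, not Cisco code: encode_rt and decode_rt follow the two-octet-AS Route Target extended community layout of RFC 4360 (type 0x00, sub-type 0x02), the VRF and the four received routes are transcribed from the slides, and the route with RD 2:2 / RT:2:2 is constructed here to show the filter rejecting another VPN's route.

```python
"""Route-Target based VRF import, as PE2 does for 1:1:172.1.61.4/30.

Added example, not Cisco code. The VRF and the four received routes are
transcribed from the slides; the RD 2:2 route is constructed for contrast.
"""
import struct
from dataclasses import dataclass
from typing import FrozenSet, List


def encode_rt(asn: int, assigned: int) -> bytes:
    """RT:<asn>:<assigned> as the 8-byte extended community of RFC 4360:
    type 0x00 (two-octet AS specific), sub-type 0x02 (Route Target), AS (2), number (4)."""
    return struct.pack("!BBHI", 0x00, 0x02, asn, assigned)


def decode_rt(ec: bytes) -> str:
    kind, sub, asn, assigned = struct.unpack("!BBHI", ec)
    if (kind, sub) != (0x00, 0x02):
        raise ValueError("not a two-octet-AS Route Target")
    return f"RT:{asn}:{assigned}"


@dataclass(frozen=True)
class VpnRoute:
    rd: str
    prefix: str
    next_hop: str
    vpn_label: int
    rts: FrozenSet[str]          # route targets carried as extended communities


@dataclass(frozen=True)
class Vrf:
    name: str
    rd: str
    import_rts: FrozenSet[str]
    export_rts: FrozenSet[str]


# ip vrf v1 / rd 1:1 / route-target both 1:1  (from the slide)
VRF_V1 = Vrf("v1", "1:1", frozenset({"RT:1:1"}), frozenset({"RT:1:1"}))

# VPNv4 routes as PE2 receives them from RR1; labels from 'sh ip bgp vpnv4 vrf v1 labels'
RECEIVED = [
    VpnRoute("1:1", "5.5.5.5/32",    "10.13.1.61", 27, frozenset({"RT:1:1"})),
    VpnRoute("1:1", "10.1.61.4/30",  "10.13.1.61", 28, frozenset({"RT:1:1"})),
    VpnRoute("1:1", "10.30.30.1/32", "10.13.1.61", 29, frozenset({"RT:1:1"})),
    VpnRoute("1:1", "172.1.61.4/30", "10.13.1.61", 30, frozenset({"RT:1:1"})),
    # constructed: a route belonging to another customer VPN, not on the slides
    VpnRoute("2:2", "10.0.0.0/24",   "10.13.1.61", 41, frozenset({"RT:2:2"})),
]


def import_into_vrf(vrf: Vrf, routes: List[VpnRoute]) -> List[VpnRoute]:
    """Keep the routes whose RT set intersects the VRF's import RTs.

    The RD is deliberately not consulted: it only makes the VPNv4 NLRI unique,
    while the RT decides VRF membership. A wrong import RT, not a colliding RD,
    is what leaks one customer's routes into another customer's VRF.
    """
    return [r for r in routes if r.rts & vrf.import_rts]


def imported_prefixes(vrf: Vrf, routes: List[VpnRoute]) -> List[str]:
    return [r.prefix for r in import_into_vrf(vrf, routes)]


def export_from_vrf(vrf: Vrf, prefix: str, label: int, next_hop: str) -> VpnRoute:
    """What a PE advertises for a VRF route: the VRF's RD prepended and its export RTs attached."""
    return VpnRoute(vrf.rd, prefix, next_hop, label, vrf.export_rts)


if __name__ == "__main__":
    print("RT:1:1 on the wire:", encode_rt(1, 1).hex())
    print("imported into v1:", imported_prefixes(VRF_V1, RECEIVED))
    print("PE2 exports:", export_from_vrf(VRF_V1, "192.1.62.4/30", 25, "10.13.1.62"))
```

The same filter, fed a VRF whose import set is {"RT:2:2"}, admits only the constructed RD 2:2 route; auditing each PE's "route-target import" list against the intended VPN membership is the practical check this models.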
MPLS VPN Control Plane: PE

Diagram: CE1 - 172.1.61.4/30 - PE (Loop0 10.13.1.61/32) - P1 - RR1 - Ser2/0 - PE2 (Loop0 10.13.1.62/32) - Eth0/0 - CE-2, inside the AS#1 MPLS backbone.

PE2 CE-facing interface:

interface Ethernet0/0
 ip vrf forwarding v1
 ip address 192.1.62.5 255.255.255.252

PE2#sh ip cef vrf v1 172.1.61.4
172.1.61.4/30, version 39, epoch 0, cached adjacency to Serial2/0
0 packets, 0 bytes
  tag information set
    local tag: VPN-route-head
    fast tag rewrite with Se2/0, point2point, tags imposed: {2003 30}
  via 10.13.1.61, 0 dependencies, recursive
    next hop 10.13.2.5, Serial2/0 via 10.13.1.61/32
    valid cached adjacency
    tag rewrite with Se2/0, point2point, tags imposed: {2003 30}
PE2#

Notes: "VPN-route-head" means no local label. In "tags imposed: {2003 30}", 2003 is the IGP label and 30 is the BGP/VPN label; the outgoing packet will be sent with this label stack on Se2/0. Traffic received on Eth0/0 is IP traffic, hence PE2 does a CEF lookup in VRF v1.
MPLS VPN Control Plane: PE

Diagram: CE1 - Ser2/0 - PE (Loop0 10.13.1.61/32) - P1 - RR1 - Ser2/0 - PE2 (Loop0 10.13.1.62/32) - CE-2, inside the AS#1 MPLS backbone.

PE2 CE-facing interface:

interface Ethernet0/0
 ip vrf forwarding v1
 ip address 192.1.62.5 255.255.255.252

PE2#sh mpls forwarding vrf v1
Local  Outgoing    Prefix             Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id       switched   interface
25     Aggregate   192.1.62.4/30[V]   0
PE2#

Notes: CE-learned VPN routes must be in the LFIB. VPN routes advertised to PE2 by the remote PE (via RR1) shouldn't be in PE2's LFIB; there is no need, since PE2 only imposes the remote PE's label on them.
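The CEF and LFIB slides above describe the whole forwarding path for a packet from CE2 to 172.1.61.4/30: PE2 imposes the stack {2003 30}, the core carries it on the IGP label, and the PE at 10.13.1.61 uses local label 30 from its own LFIB (the "30 Aggregate 172.1.61.4/30[V]" entry on the PE-CE slide) to dispose of the packet. The code below is an added example, not Cisco code: it encodes and decodes label stack entries in the RFC 3032 layout (20-bit label, 3-bit TC/EXP, 1-bit bottom-of-stack, 8-bit TTL), transcribes that PE's LFIB, and assumes P1 performs penultimate hop popping, which the deck does not show.

```python
"""Label stack PE2 imposes for 172.1.61.4/30 ({2003 30}) and its disposition.

Added example, not Cisco code. Entries follow the RFC 3032 label stack encoding.
The LFIB is transcribed from 'sh mpls forwarding vrf v1' on the PE at 10.13.1.61
(local label -> action, prefix). P1's penultimate hop popping is an assumption.
"""
import struct
from typing import Dict, List, Tuple

IGP_LABEL, VPN_LABEL = 2003, 30          # "tags imposed: {2003 30}" on PE2

Entry = Tuple[int, int, int, int]        # (label, tc, bos, ttl)


def encode_stack(labels: List[int], ttl: int = 255, tc: int = 0) -> bytes:
    """Outer (IGP) label first; the last entry carries the bottom-of-stack bit."""
    out = b""
    for i, label in enumerate(labels):
        if not 0 <= label < (1 << 20):
            raise ValueError(f"label {label} exceeds 20 bits")
        bos = 1 if i == len(labels) - 1 else 0
        out += struct.pack("!I", (label << 12) | (tc << 9) | (bos << 8) | ttl)
    return out


def decode_stack(data: bytes) -> List[Entry]:
    """Read 4-byte entries until the bottom-of-stack bit is set."""
    entries: List[Entry] = []
    for off in range(0, len(data) - 3, 4):
        (word,) = struct.unpack_from("!I", data, off)
        entries.append((word >> 12, (word >> 9) & 0x7, (word >> 8) & 0x1, word & 0xFF))
        if entries[-1][2]:
            break
    return entries


def php_pop(stack: bytes) -> bytes:
    """What P1 does as penultimate hop (assumed): pop the top IGP label only."""
    top = decode_stack(stack[:4])[0]
    if top[2]:
        raise ValueError("single-label stack: there is no IGP label above the VPN label")
    return stack[4:]


# LFIB of the PE at 10.13.1.61 for VRF v1, from the slide
PE_LFIB: Dict[int, Tuple[str, str]] = {
    27: ("Untagged", "5.5.5.5/32"),
    28: ("Untagged", "10.1.61.4/30"),
    29: ("Untagged", "10.30.30.1/32"),
    30: ("Aggregate", "172.1.61.4/30"),
}


def dispose(stack: bytes, lfib: Dict[int, Tuple[str, str]]) -> Tuple[str, str]:
    """Egress PE: the one remaining label must be a bottom-of-stack VPN label it allocated.

    'Untagged' = pop and forward the IP packet out Se2/0 to the CE; 'Aggregate' = pop
    and repeat the IP lookup in VRF v1 (connected subnet). Anything else is dropped,
    which is why a PE must never accept a label it did not allocate itself.
    """
    entries = decode_stack(stack)
    if len(entries) != 1 or not entries[0][2]:
        raise ValueError("expected exactly one bottom-of-stack label at the egress PE")
    label = entries[0][0]
    if label not in lfib:
        raise KeyError(f"label {label} not allocated by this PE: drop")
    return lfib[label]


def forward_ce2_to_ce1() -> Tuple[str, str]:
    """End to end: PE2 imposes {2003 30}, P1 pops 2003, the PE at 10.13.1.61 disposes 30."""
    wire = encode_stack([IGP_LABEL, VPN_LABEL])
    return dispose(php_pop(wire), PE_LFIB)


if __name__ == "__main__":
    print("on the wire from PE2:", encode_stack([IGP_LABEL, VPN_LABEL]).hex())
    print("egress action:", forward_ce2_to_ce1())
```

The decoder stops at the first entry with S=1, so a packet that still carries its IGP label when it reaches the egress PE fails the single-label check in dispose rather than being silently matched on the wrong label.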
MPLS VPN Control Plane: PE

Diagram: CE1 - Ser2/0 - PE (Loop0 10.13.1.61/32) - P1 - RR1 - Ser2/0 - PE2 (Loop0 10.13.1.62/32) - CE-2 (IP packets from CE2 toward PE2), inside the AS#1 MPLS backbone.

CE2 sends IP traffic to PE2; PE2 does a FIB lookup and sends MPLS traffic to P1.

CE2#sh ip route 172.1.61.4
Routing entry for 172.1.61.4/30
  Known via "bgp 65000", distance 20, metric 0
  Tag 1, type external
  Last update from 192.1.62.5 20:50:28 ago
  Routing Descriptor Blocks:
  * 192.1.62.5, from 192.1.62.5, 20:50:28 ago
      Route metric is 0, traffic share count is 1
      AS Hops 1
CE2#
CE2#sh ip cef 172.1.61.4
172.1.61.4/30, version 8, epoch 0, cached adjacency 192.1.62.5
0 packets, 0 bytes
  via 192.1.62.5, 0 dependencies, recursive
    next hop 192.1.62.5, Ethernet0/0 via 192.1.62.5/32
    valid cached adjacency
CE2#
Useful command summary

Check VRF:
  sh ip vrf
  sh ip vrf int
Check VPNv4 and VRF BGP peers:
  sh ip bgp vpn all sum
Check VRF routing table:
  sh ip route vrf VPNA
Check a BGP prefix:
  sh ip bgp vpn all 10.0.0.0
Check BGP labels:
  sh ip bgp vpn all labels
Check forwarding tables:
  sh mpls for vrf VPNA 10.0.0.0 detail
  sh ip cef vrf VPNA 10.0.0.0 detail