Geen diatitel - Cisco网络技术(Net130.Com)


MPLS Bootcamp
MPLS VPN
Khalid Raza, Kyle Bearden, &
Munther Antoun
March, 2001
Version 0.1
MPLS Bootcamp
© 2000, Cisco Systems, Inc.
Cisco Confidential
1
MPLS VPN
Agenda
• VPN Concepts
• MPLS VPN Functional Components
• MPLS VPN Architectural Components
• VPN Routing & Forwarding
• MPLS VPN Route Distribution
• MPLS VPN Data Plane
• MPLS VPN Topologies
• Convergence & Scaling Considerations
• QoS
• Deployment Strategies
• MPLS VPN Labs
Virtual Private
Networks
Concepts
MPLS NW’00 Bootcamp, Paris
Virtual Private Networks
• An IP Network Infrastructure Delivering Private
Network Services over a Public Infrastructure
Certainly not a new concept
Leased Lines --> Statistical Multiplexing
Delivered at Layer-2 (SP backbone) or Layer-3 (IP
backbone)
Private connectivity amongst multiple sites
Controlled access into the VPN
Global or non-unique private IP addressing space
amongst the different VPNs
Virtual Private Networks
• Virtual Networks
  Virtual LANs
  Virtual Private Networks
  Virtual Dialup Networks
• Virtual Private Networks
  Overlay VPN
    Layer-2 VPN: X.25, F/R, ATM
    Layer-3 VPN: GRE, IPSec
  Peer-to-Peer VPN
    Access lists (Shared router)
    Split routing (Dedicated router)
    MPLS/VPN
VPN - Overlay Model
[Diagram: two VPN sites, each with a CPE (CE) device, connected over virtual circuits to Provider Edge (PE) devices across the service provider network; the Layer-3 routing adjacency runs CE-to-CE over the virtual circuit]
Private Trunks Across a Telco/SP Shared Infrastructure
Leased/Dialup Lines
FR/ATM Virtual Circuits
IP(GRE) Tunnelling
Point-to-point Solution between Customer Sites
How to Size Inter-site Circuit Capacities?
Full Mesh Requirement for Optimal Routing
CPE Routing Adjacencies between Sites
VPN - Peer-to-Peer Model
[Diagram: CPE routers at VPN Site 1 and VPN Site 2 each form a Layer-3 routing adjacency with their Provider Edge router inside the service provider network]
Provider Edge Device Exchanges Routing Information with CPE
All customer routes carried within SP IGP
Simple routing scheme for VPN customer
Routing between sites is optimal
Circuit sizing no longer an issue
Private Addressing is NOT an Option
Addition of New Sites is Simpler
No overlay mesh to contend with
VPN - MPLS VPN Model
[Diagram: Customer Edge (CE) routers at VPN Site 1 and VPN Site 2 run static, RIP, OSPF or eBGP routing with their Provider Edge (PE) routers; the PE routers exchange VPN routes over an MP-iBGP session across the service provider network]
Combines Benefits of Overlay and Peer-to-peer Paradigms
Overlay (security and isolation amongst customers)
Peer-to-peer (simplified customer routing)
PE Routers only Hold Routes for Attached VPNs
Reduces size of PE routing information
Proportional to number of VPNs attached
MPLS Used to Forward Packets (not Traditional IP Routing)
Full routing within backbone no longer required
MPLS VPN
Functional Components
MPLS VPN Connection Model
The Whole Picture
[Diagram: MPLS cloud with four P routers in the core, PE routers at the edge and iBGP sessions between the PEs; attached CE sites: VPN_A 10.2.0.0, 11.5.0.0, 10.1.0.0, 11.6.0.0; VPN_B 10.2.0.0, 10.1.0.0, 10.3.0.0]
• P Routers (LSRs) are in the core of the MPLS cloud
• PE Routers (Edge LSRs or LERs) use MPLS with the
core and plain IP with CE routers
• P and PE routers share a common IGP
• PE routers are MP-iBGP fully-meshed
or use Route-Reflectors (RRs)
  Confederations supported in IOS 12.1(5)T & higher [maybe also 12.0(14)ST?]
MPLS VPN Model
[Diagram: C-Network (VPN sites with CE routers) and P-Network (PE routers at the edge, P router in the core)]
MPLS VPN Connectivity Model
• A VPN is a collection of sites sharing
common routing information
Same set of routes within the routing table
• A site may belong to more than one VPN
through sharing of routing information
• A VPN can be thought of as a closed user
group (CUG) or community of interest
MPLS VPN
Architectural Components
MPLS VPN
Architectural Components
• Control Planes
  LDP/TDP, MP-BGP, CE-PE Peering, IGP
• Data Plane
  Forwarding Table
  VRF
VPN Routing & Forwarding
Instance (VRF)
• PEs Maintain Separate Routing Tables
Global Routing Table
Contains all PE and P routes (perhaps non-VPN BGP)
Populated by the VPN backbone IGP
VRF (VPN Routing & Forwarding)
Routing & forwarding table associated with one or more
directly connected sites (CE Routers)
VRF is associated with any type of interface, whether
logical or physical (e.g. Sub/Virtual/Tunnel)
Interfaces may share the same VRF if the connected
sites share the same routing information
VPN Routing & Forwarding
Instances (VRF)
[Diagram: a PE router holding a VRF for VPN-A (CE sites Paris and London), a VRF for VPN-B (CE site Munich) and the global routing table, which is populated by the IGP and non-VPN BGP]
Multiple routing & forwarding instances (VRFs) provide
separation amongst different customers
MPLS VPN Connectivity Model
• Private addressing in multiple VPNs no
longer an issue
Provided that members of a VPN do not use the
same address range
[Diagram: sites London, Munich, Milan, Paris, Brussels and Vienna spread over VPN A, VPN B and VPN C with prefixes 10.2.1.0/24, 10.3.3.0/24, 10.2.12.0/24, 10.4.12.0/24, 10.2.1.0/24 and 10.22.12.0/24 (10.2.1.0/24 is used in two different VPNs); annotation: address space for VPN A and B must be unique]
VRF Route Population
• VRF populated locally through PE and CE
routing protocol
RIP, OSPF, BGP-4 & Static routing
• Separate routing context for each VRF
Routing Protocol Context (BGP-4 & RIP V2)
Separate Process (OSPF)
[Diagram: CE at Site-1 and CE at Site-2 attached to a PE using EBGP, OSPF, RIPv2 or static routing]
VRF Route Distribution
• PE routers distribute local VPN information
across the MPLS VPN backbone
through MP-iBGP & redistribution from VRF
Receiving PE imports routes into attached VRFs
[Diagram: CE routers at two sites attached to PE routers; the PEs exchange the VPN routes over an MP-iBGP session across the P routers]
Multi-Protocol BGP (MP-BGP)
VPN Components
MP-BGP
VPN Components
• Route Distinguisher (RD)
• Route Target (RT)
• Site of Origin (SOO)
VPN Routing & Forwarding
Instances
MPLS VPN Table Population
• The global (non-VRF) routing table is
populated through IGP protocols
May also contain BGP-4 (IPv4) routes
No VPN routes
• VRF routing tables contain VPN-specific
routes
MP-iBGP routes imported into VRFs
CE routes populate VRFs based on routing
protocol context
VRF Population of MP-iBGP
[Diagram: PE with VRF VPN-A (CE sites Paris and London) and VRF VPN-B (CE site Munich); routes from VPN-A and routes from VPN-B are redistributed from the VRFs into the BGP table and carried over MP-iBGP to the remote PE]
Re-distribution from VRFs into MP-iBGP for VPN
information exchange
VRF Population through MP-iBGP
• Receiving PE router needs to understand:
where the route originated from
into which VRF(s) the route should be placed
how to distinguish between duplicate addresses
• Uniqueness of IPv4 prefix achieved
through the use of a Route Distinguisher
RD (64-bit) identifier
VPNv4 Route: 96-bit NLRI (RD + 32-bit IPv4 NLRI)
Extended Community Attribute
• Permits placement in the proper VRF and site
origin
• BGP transitive optional attributes containing
a set of extended communities
Route Target
Identifies set of sites to which a particular route should be
exported
SOO (Site of Origin)
(Optionally) refers to the site that originated a particular
route
VRF Population of MP-iBGP
[Diagram: CE-1 in Paris sends a BGP, OSPF or RIPv2 update for 149.27.2.0/24 (NH=CE-1) to its PE; the PE sends the VPN-v4 update RD:1:27:149.27.2.0/24, Next-hop=PE-1, SOO=Paris, RT=VPN-A, Label=(28) over MP-iBGP to the London PE attached to CE-2]
• PE Routers Translate (32-bit) IPv4 Prefix into (96-bit)
VPN-v4 Route
Assign a RD, RT and (Optional) SOO based on configuration
Re-write next-hop attribute (to PE loopback)
Assign a label based on VRF and/or interface
Send MP-iBGP update to all PE neighbors
MP-iBGP Update
• VPN-V4 Address
Route Distinguisher (64 bits)
Makes the IPv4 route globally unique
RD is configured in the PE for each VRF
RD may or may not be related to a site or a VPN
IPv4 address (32bits)
• Route Target (RT) & Optional Site of Origin
(SOO)
MP-iBGP Update
• Any other standard BGP attribute
Local Preference
MED
Next-hop
AS_PATH
Standard community
• A Label identifying:
The outgoing interface or VRF where a lookup
has to be performed (Aggregate/Connected)
MP-iBGP utilizes a second label in the label stack
VRF Population of MP-iBGP
[Diagram: the London PE receives over MP-iBGP the VPN-v4 update RD:1:27:149.27.2.0/24, Next-hop=PE-1, SOO=Paris, RT=VPN-A, Label=(28). With the configuration "ip vrf VPN-B / route-target import VPN-A" the VPN-v4 update is translated into an IPv4 address and put into VRF VPN-A as RT=VPN-A, and optionally advertised to CE-2 in London]
• Receiving PE routers translate to IPv4
Insert the route into the VRF identified by the RT
attribute (based on PE configuration)
• The label associated to the VPN-V4 address will be
set on packets forwarded towards the destination
Basic Intranet Model
[Diagram: basic intranet VPN A with SITE-1 to SITE-4 attached across the MPLS VPN backbone; Site-1 & Site-2 routes and Site-3 & Site-4 routes are exchanged over MP-iBGP with RT=VPN-A, so every site's VRF ends up holding Site-1, Site-2, Site-3 and Site-4 routes]
MP-BGP
Route Target (RT)
and
Site of Origin (SOO)
RT & SOO
• Two EXTENDED (64-bit) BGP Attributes
Used to Define
Route-target
Set of routers the route has to be exported to
SOO (Site of Origin Identifier)
Routers where the route has been originated
• This enables the closed user group
functionality
• Set by PE routers in order to define
import/export policies on a per-site/VRF
basis
BGP-4 Enhancements
Extended Community
• Extended community attribute type
code: TBD
Type Field: 2 bytes
Value Field: 6 bytes
• Types 0 through 0x7FFF inclusive are
assigned by IANA
• Types 0x8000 through 0xFFFF
inclusive are vendor-specific
Extended Community
• High order bit of the type field 0x00
Administrator sub-field: 2 bytes (AS#)
Assigned number sub-field: 4 bytes
Example: 9177:123
• High order bit of the type field 0x01
Administrator sub-field: 4 bytes (IP address)
Assigned number sub-field: 2 bytes
Example: 141.253.1.1:123
Extended Community
• Router origin community
• Identifies one or more routers that
inject a set of routes (that carry
this community) into BGP
The Type field for the Route Origin community is
0x0001 or 0x0101
• Similar to the Site of Origin (SOO)
Site of Origin use code 0x0003 and 0x0103
Extended Community
• Route target community
Identifies one or more routers that may
receive a set of routes (that carry this
community) carried by BGP
The type field for the route target
community is 0x0002 or 0x0102
Extended Community
• Site of Origin (SOO)
• Identifies customer site
• Used to prevent loops when
AS_PATH cannot be used
• The type field for SOO is 0x0003 or
0x0103
Site of Origin
[Diagram: Site-1 CE (192.168.0.5/32) attached to the PE]
7200-1#sh ip route vrf odd
C    192.168.65.0/24 is directly connected, Serial2
B    192.168.0.5 [20/0] via 192.168.65.5, 00:08:44, Serial2
7200-1#
7200-1#sh ip bgp vpn all
   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 100:1 (default for vrf odd)
*> 192.168.0.5/32   192.168.65.5             0             0 250 i
7200-1#sh ip bgp vpn all 192.168.0.5
BGP routing table entry for 100:1:192.168.0.5/32, version 17
Paths: (1 available, best #1)
  Advertised to non peer-group peers:
  192.168.0.7
  250
    192.168.65.5 from 192.168.65.5 (192.168.0.5)
      Origin IGP, metric 0, localpref 100, valid, external, best
      Extended community: SoO:100:65 RT:100:3
7200-1#
ip vrf odd
rd 100:1
route-target export 100:3
route-target import 100:3
!
interface Serial1
ip vrf forwarding odd
ip address 192.168.65.6 255.255.255.0
!
router bgp 100
no synchronization
no bgp default ipv4-unicast
neighbor 192.168.0.7 remote-as 100
neighbor 192.168.0.7 update-source Loop0
neighbor 192.168.0.7 activate
neighbor 192.168.0.7 next-hop-self
no auto-summary
!
address-family ipv4 vrf odd
neighbor 192.168.65.5 remote-as 250
neighbor 192.168.65.5 activate
neighbor 192.168.65.5 route-map setsoo in
no auto-summary
no synchronization
exit-address-family
!
address-family vpnv4
neighbor 192.168.0.7 activate
neighbor 192.168.0.7 send-community extended
no auto-summary
exit-address-family
!
route-map setsoo permit 10
set extcommunity soo 100:65
Site of Origin
[Diagram: CE-1 in Site-1 (SOO=100:65) sends an eBGP4 update for 192.168.0.5/32 to PE-1; PE-1 sends the VPN-IPv4 update RD:192.168.0.5/32, Next-hop=PE-1, SOO=100:65, RT=100:3, Label=(intCE1) to PE-2. PE-2 will not propagate the route to CE-2 (also Site-1, SOO=100:65) since the update SOO is equal to the one configured for the site]
Multi-Protocol BGP
• Extension to the BGP protocol in order
to carry routing information about
other protocols
Multicast
MPLS
IPv6
…
• Exchange of Multi-Protocol NLRI must
be negotiated at session set up
BGP Capabilities negotiation
Multi-Protocol BGP - RFC2858
• Obsoletes RFC2283
• New non-transitive and optional BGP attributes
MP_REACH_NLRI
“Carry the set of reachable destinations together with the
next-hop information to be used for forwarding to these
destinations”
MP_UNREACH_NLRI
Carry the set of unreachable destinations
• Attribute contains one or more triples
Address Family Information (AFI)
Next-Hop Information
NLRI
Labelled VPN-IPV4 Addresses in
BGP-4
• Labelled VPN-IPV4 address appears in
BGP NLRI
AFI = 1 - Sub-AFI = 128
• NLRI is encoded as one or more
triples
Length: total length of Label + prefix (RD included)
Label: 24 bits
Prefix: RD (64 bits) + IPv4 prefix (32 bits)
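The following Python block is an added example, not part of the bootcamp slides, that implements the encodings described on the Extended Community and Labelled VPN-IPv4 NLRI slides: the 8-byte extended community (2-byte type, 6-byte value in either AS:nn or IP:nn administrator form, type codes 0x0002/0x0102 for Route Target, 0x0003/0x0103 for Site of Origin, 0x0001/0x0101 for Route Origin), the 8-byte Route Distinguisher in the same two forms, and the <Length, Label, RD+prefix> triple. The label field layout (20-bit label, 3 EXP bits, bottom-of-stack bit) follows the usual MPLS label encoding and is not spelled out on the slides; the function and variable names are this example's own.

```python
import ipaddress
import struct

# Extended-community type codes from the slides: the low byte says what the community is,
# the high byte selects the administrator form (0x00 = AS:nn, 0x01 = IP:nn).
KIND_CODE = {"ro": 0x01, "rt": 0x02, "soo": 0x03}
CODE_KIND = {v: k for k, v in KIND_CODE.items()}


def _split_admin(text):
    """'9177:123' -> (False, 9177, 123); '141.253.1.1:123' -> (True, 0x8dfd0101, 123)."""
    admin, num = text.rsplit(":", 1)
    if "." in admin:
        return True, int(ipaddress.IPv4Address(admin)), int(num)
    return False, int(admin), int(num)


def _pack_value(is_ip, admin, num):
    """6-byte value: AS form is 2-byte administrator + 4-byte number, IP form is 4 + 2."""
    return struct.pack("!IH", admin, num) if is_ip else struct.pack("!HI", admin, num)


def _unpack_value(is_ip, raw6):
    if is_ip:
        admin, num = struct.unpack("!IH", raw6)
        return f"{ipaddress.IPv4Address(admin)}:{num}"
    admin, num = struct.unpack("!HI", raw6)
    return f"{admin}:{num}"


def encode_extcomm(kind, text):
    """One 8-byte extended community: 2-byte type + 6-byte value."""
    is_ip, admin, num = _split_admin(text)
    typ = (0x0100 if is_ip else 0x0000) | KIND_CODE[kind]
    return struct.pack("!H", typ) + _pack_value(is_ip, admin, num)


def decode_extcomm(raw8):
    (typ,) = struct.unpack("!H", raw8[:2])
    return CODE_KIND[typ & 0xFF], _unpack_value(typ >> 8 == 0x01, raw8[2:])


def decode_extcomm_attr(raw):
    """The attribute value is a list of 8-byte communities; return [(kind, value), ...]."""
    return [decode_extcomm(raw[i:i + 8]) for i in range(0, len(raw), 8)]


def encode_rd(text):
    """The RD uses the same two administrator forms: type 0 = AS:nn, type 1 = IP:nn."""
    is_ip, admin, num = _split_admin(text)
    return struct.pack("!H", 1 if is_ip else 0) + _pack_value(is_ip, admin, num)


def decode_rd(raw8):
    (typ,) = struct.unpack("!H", raw8[:2])
    return _unpack_value(typ == 1, raw8[2:])


def encode_vpnv4_nlri(label, rd, prefix):
    """<Length, Label, RD+prefix>: Length counts the bits of label (24) + RD (64) + prefix length;
    the 3-byte label field is the 20-bit label, EXP=0 and the bottom-of-stack bit set."""
    net = ipaddress.IPv4Network(prefix, strict=False)
    nbytes = (net.prefixlen + 7) // 8          # the prefix is sent in as few whole bytes as fit
    length = 24 + 64 + net.prefixlen
    label_field = ((label << 4) | 0x1).to_bytes(3, "big")
    return bytes([length]) + label_field + encode_rd(rd) + net.network_address.packed[:nbytes]


def decode_vpnv4_nlri(raw):
    """Inverse of encode_vpnv4_nlri: returns (label, rd, 'prefix/len')."""
    length = raw[0]
    label = int.from_bytes(raw[1:4], "big") >> 4
    rd = decode_rd(raw[4:12])
    plen = length - 88                          # 88 = 24 label bits + 64 RD bits
    nbytes = (plen + 7) // 8
    addr = ipaddress.IPv4Address(raw[12:12 + nbytes] + b"\x00" * (4 - nbytes))
    return label, rd, f"{addr}/{plen}"
```

Round-tripping the slide's own values (RT 9177:123, SOO 141.253.1.1:123, RD 1:27 with 149.27.2.0/24 and label 28) through these functions shows that the 96-bit VPNv4 route key is simply RD bytes followed by prefix bytes, and that the label rides in the NLRI itself rather than in a separate attribute.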
Labelled VPN-IPV4 Addresses in
BGP-4
• The label is assigned by the router
originating the NLRI
i.e., the router identified by the next-hop value
• The label is changed by the router that
modifies the next-hop value
Typically the EBGP speaker
Or iBGP forwarder configured with next-hop-self
Labelled VPN-IPV4 addresses in
BGP-4
• Next-hop address must be of the same
family of the NLRI
The next-hop will be a VPN-IPv4 address with RD
set to 0
• BGP considers two VPN-IPv4 NLRI comparable even when they carry different labels
A withdrawal of a VPN-IPv4 address applies to every NLRI for that
VPN-IPv4 address, whatever labels were assigned
BGP Capabilities Negotiation
• BGP routers establish BGP sessions
through the OPEN message
• OPEN message contains optional
parameters
• BGP session is terminated if OPEN
parameters are not recognised
• A new optional parameter:
CAPABILITIES
BGP Capabilities Negotiation
• A BGP router sends an OPEN
message with CAPABILITIES
parameter containing its
capabilities:
Multiprotocol extension
Route Refresh
Co-operative Route Filtering
...
BGP Capabilities Negotiation
• BGP routers determine capabilities of their
neighbors by looking at the capabilities
parameters in the open message
• Unknown or unsupported capabilities may
trigger the transmission of a NOTIFICATION
message
“The decision to send the NOTIFICATION message
and terminate peering is local to the speaker. Such
peering should not be re-established automatically”
draft-ietf-idr-bgp4-cap-neg
BGP Capabilities Negotiation
• BGP routers use the BGP-4 Multiprotocol
Extension to carry label mapping information
Multiprotocol Extension capability
Used to negotiate the Address Family Identifier
AFI = 1
Sub-AFI = 128 for MPLS-VPN
BGP Route Refresh
• New BGP Capability: Route Refresh
• Allows a router to request to any neighbor
the re-transmission of BGP updates
Useful when inbound policy has been modified
Similar to Cisco “soft-reconfiguration”
without need to store any route
• BGP speakers may send “Route-Refresh”
message only to neighbors from which the
capability has been exchanged
BGP Route Refresh
• When the inbound policy has been
modified, the BGP speaker sends a
Route-Refresh message to its
neighbors
With AFI, Sub-AFI attributes
• Neighbors will re-transmit all routes
for that particular AFI and Sub-AFI
BGP Co-operative Route Filtering
• In order to reduce amount of BGP traffic
and CPU used to process updates, routers
exchange filter configurations
• BGP speakers advertise to downstream
neighbors the outbound filter(s) they have
to use
• Filters are described in ORF entries
Outbound Route Filter
• ORF entries are part of the Route-Refresh
message
BGP Co-operative Route Filtering
• ORF capability must be negotiated
during session set-up
Capability negotiation
• ORF capable BGP speaker will install
ORFs per neighbor
• Each ORF will be defined by the
upstream neighbor through route-refresh messages
BGP Co-operative Route Filtering
ORF Entry
• ORF Entry
AFI/Sub-AFI
Filter will apply only to selected address
families
ORF-Type
Determine the content of ORF-Value
NLRI is one ORF-Type
NLRI is used to match IP addresses (subnets)
BGP Co-operative Route Filtering
ORF Entry
• ORF Entry
Action
ADD: Add an ORF entry to the current ORF
DELETE: Delete a previously received ORF
entry
DELETE ALL: Delete all existing ORF entries
Match
PERMIT: Pass routes that match the ORF entry
DENY: Do not pass routes that match the ORF
entry
BGP Co-operative Route Filtering
ORF Entry
• ORF Entry
ORF-Value (for ORF-Type=NLRI) is <Scope,NLRI>
Scope
EXACT: Remote peer should consider routes
equal to the NLRI specified in the ORF
REFINE: Remote peer should consider routes that
are part of a subset of the NLRI specified
in the ORF
NLRI: <length, prefix>
Multiple ORF entries will follow longest match
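As an added example (not from the slides), the Python block below models the ORF entry semantics of the three preceding slides: ADD / DELETE / DELETE ALL actions applied to a neighbor's ORF, PERMIT / DENY matches, EXACT versus REFINE scope, and longest-match selection among several matching entries. Two readings are this example's assumptions, marked in the comments: REFINE matches the ORF prefix itself as well as its more-specific subnets, and a route matched by no entry is not advertised. All names and sample prefixes are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class OrfEntry:
    match: str    # "PERMIT" or "DENY"
    scope: str    # "EXACT" or "REFINE"
    prefix: str   # the <length, prefix> NLRI, written in CIDR form


def apply_orf_actions(current, actions):
    """Apply the ADD / DELETE / DELETE ALL actions carried in a Route-Refresh to a neighbor's ORF."""
    orf = list(current)
    for action, entry in actions:
        if action == "ADD":
            if entry not in orf:
                orf.append(entry)
        elif action == "DELETE":
            orf = [e for e in orf if e != entry]
        elif action == "DELETE ALL":
            orf = []
        else:
            raise ValueError(f"unknown ORF action {action!r}")
    return orf


def entry_matches(entry, route):
    """EXACT: the route equals the ORF prefix. REFINE: the route is the ORF prefix or a
    more-specific subnet of it (this reading of 'subset' on the slide is an assumption)."""
    orf_net = ipaddress.IPv4Network(entry.prefix)
    route_net = ipaddress.IPv4Network(route)
    if entry.scope == "EXACT":
        return route_net == orf_net
    return route_net.subnet_of(orf_net)


def outbound_filter(routes, orf):
    """Upstream side: the routes still advertised to the neighbor that pushed this ORF.
    Among matching entries the one with the longest ORF prefix decides (longest match);
    a route matched by no entry is not sent (deny-by-default is this example's assumption)."""
    sent = []
    for route in routes:
        hits = [e for e in orf if entry_matches(e, route)]
        if not hits:
            continue
        decider = max(hits, key=lambda e: ipaddress.IPv4Network(e.prefix).prefixlen)
        if decider.match == "PERMIT":
            sent.append(route)
    return sent


def refresh_demo():
    """Constructed exchange: the downstream neighbor pushes three entries, later deletes the
    DENY, and the upstream speaker re-evaluates the same routes after each Route-Refresh."""
    routes = ["10.2.0.0/16", "10.1.3.0/24", "10.1.5.0/24", "192.168.1.0/24"]
    permit_all_10 = OrfEntry("PERMIT", "REFINE", "10.0.0.0/8")
    deny_10_1 = OrfEntry("DENY", "REFINE", "10.1.0.0/16")
    permit_10_1_5 = OrfEntry("PERMIT", "EXACT", "10.1.5.0/24")
    orf = apply_orf_actions([], [("ADD", permit_all_10), ("ADD", deny_10_1), ("ADD", permit_10_1_5)])
    first = outbound_filter(routes, orf)
    orf = apply_orf_actions(orf, [("DELETE", deny_10_1)])
    second = outbound_filter(routes, orf)
    return first, second
```

In the first pass 10.1.3.0/24 is suppressed because the /16 DENY is a longer match than the /8 PERMIT, while 10.1.5.0/24 survives through its EXACT entry; once the DENY is deleted by a later Route-Refresh, 10.1.3.0/24 is advertised again. This is what lets the receiving speaker drop unwanted routes at the sender rather than after the update has consumed bandwidth and CPU.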
ORF Entries and Route-Refresh
• ORF entries are carried in BGP Route-Refresh messages
• AFI/Sub-AFI are encoded into the AFI/Sub-AFI field of the Route-Refresh message
WHEN-TO-REFRESH field
IMMEDIATE: apply the filter immediately
DEFER: wait for subsequent route-refresh
message
ORF-Type to be extended for Extended Communities
Packet Forwarding
MPLS VPN Data Plane
MPLS VPN
Forwarding
[Diagram: a CE in VPN_B sends an IP packet for 10.2.0.0 to ingress PE1, which forwards it into the core as L8 | L2 | Data. PE1 VRF entries (VPNv4 prefix, iBGP next hop, VPN label): <RD_B,10.2> PE2 L2; <RD_B,10.3> PE3 L3; <RD_A,11.6> PE1 L4; <RD_A,10.1> PE4 L5; <RD_A,10.4> PE4 L6; <RD_A,10.2> PE2 L7. The top (IGP) label towards next hop PE2 is L8]
• Ingress PE Receives Normal IP Packets from CE Router
• PE Router Does “IP Longest Match” in VRF, Finds iBGP Next Hop PE2 and Imposes a Stack of Labels: Second Level Label L2 + Top Label L8
MPLS VPN
Forwarding
[Diagram: the packet L8 | L2 | Data crosses P1 to P4; each P router swaps only the top label according to its in/out label table, the penultimate hop pops it, PE2 receives L2 | Data, removes L2 and delivers Data to the VPN_B CE for 10.2.0.0]
• All subsequent P routers switch packet solely on top label
• Egress PE router’s upstream LDP neighbor (Penultimate Hop or
PH) removes top label (PHP)
• Egress PE uses bottom (VPN) label to select which VPN/CE
to forward the Packet to
• Bottom label is removed and packet forwarded to CE router
MPLS VPN Packet Forwarding
[Diagram: LFIB entries for FEC 197.26.15.1/32 (the Paris PE-1 loopback): London PE In Label -, Out Label 41; P router In Label 41, Out Label POP; Paris PE-1 In Label -, Out Label -. LDP bindings: PE-1 tells the P router "Use label implicit-null for destination 197.26.15.1/32"; the P router tells the London PE "Use label 41 for destination 197.26.15.0/24". PE-1 sends the VPN-v4 update RD:1:27:149.27.2.0/24, NH=197.26.15.1, SOO=Paris, RT=VPN-A, Label=(28) to the London PE for the Paris site 149.27.2.0/24]
• PE and P routers have BGP next-hop reachability
through the backbone IGP
• Labels are distributed through LDP corresponding
to BGP next-hops
or RSVP with Traffic Engineering
MPLS VPN Packet Forwarding
• Label Stack is used for packet forwarding
Top label indicates BGP next-hop (exterior label)
Second level label indicates outgoing interface or VRF
(interior VPN label)
• MPLS nodes forward packets based on top label
any subsequent labels are ignored
MPLS VPN Packet Forwarding
[Diagram: London PE LFIB: In Label -, FEC 197.26.15.1/32, Out Label 41; VPN-A VRF: 149.27.2.0/24, NH=197.26.15.1, Label=(28). An IP packet for 149.27.2.27 from the London CE leaves the London PE as 41 | 28 | 149.27.2.27 towards Paris PE-1 and the site 149.27.2.0/24]
• Ingress PE receives normal IP packets
• PE router performs IP Longest Match from
VPN FIB, finds iBGP next-hop and imposes
a stack of labels <IGP, VPN>
MPLS VPN Packet Forwarding
[Diagram: the London PE imposes 41 | 28 on the packet for 149.27.2.27; the first P router (LFIB In Label 41, FEC 197.26.15.1/32, Out Label 68) swaps to 68 | 28; the penultimate P router (LFIB In Label 68, Out Label POP) removes the IGP label, leaving 28 | 149.27.2.27; Paris PE-1 (LFIB In Label 28(V), FEC 149.27.2.0/24, Out Label -) maps the VPN label to the VPN-A VRF (149.27.2.0/24, NH=Paris) and forwards the plain IP packet into the site 149.27.2.0/24]
• Penultimate hop router (the egress PE's upstream LDP neighbor) removes the IGP label
Penultimate Hop Popping procedures (implicit-null label)
• Egress PE router uses the VPN label to select
which VPN/CE to forward the packet to
• VPN label is removed and the packet is routed
toward the VPN site
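As an added example (not from the slides), the Python block below walks one packet through the forwarding path of the last four slides: the ingress PE does a longest match in the VRF and imposes the <IGP, VPN> stack, each P router switches on the top label only, the penultimate hop pops the IGP label because of the implicit-null binding, and the egress PE uses the VPN label to pick either an outgoing interface or a VRF in which a further IP lookup is done. The topology and label values (41, 68, 28, 197.26.15.1, 149.27.2.0/24) are the slide's; the router classes, the second label 29 and the interface names are this example's own constructions.

```python
import ipaddress

POP = "POP"   # out-label of an implicit-null binding: the upstream LSR pops instead of swapping


def longest_match(table, dst):
    """IP longest-prefix match over a {cidr: value} table; returns the matching cidr or None."""
    addr = ipaddress.IPv4Address(dst)
    hits = [p for p in table if addr in ipaddress.IPv4Network(p)]
    return max(hits, key=lambda p: ipaddress.IPv4Network(p).prefixlen) if hits else None


class IngressPE:
    def __init__(self, vrf_fib, lfib):
        self.vrf_fib = vrf_fib   # vrf -> {prefix: (vpn_label, bgp_next_hop)}, learned via MP-iBGP
        self.lfib = lfib         # bgp next-hop /32 -> IGP label, learned via LDP

    def impose(self, vrf, dst):
        """Longest match in the VRF, then push <IGP label, VPN label>; index 0 is the top of the stack."""
        prefix = longest_match(self.vrf_fib[vrf], dst)
        if prefix is None:
            return None                           # no VRF route: the packet is dropped
        vpn_label, next_hop = self.vrf_fib[vrf][prefix]
        return [self.lfib[f"{next_hop}/32"], vpn_label]


class PRouter:
    def __init__(self, lfib):
        self.lfib = lfib         # in_label -> out_label, or POP on the penultimate hop

    def switch(self, stack):
        """Only the top label is looked at; the VPN label underneath is carried untouched."""
        out = self.lfib[stack[0]]
        return stack[1:] if out == POP else [out] + stack[1:]


class EgressPE:
    def __init__(self, vpn_labels, vrf_fib):
        self.vpn_labels = vpn_labels   # vpn_label -> ("vrf", name) or ("iface", name)
        self.vrf_fib = vrf_fib         # vrf -> {prefix: outgoing interface}

    def deliver(self, stack, dst):
        """After PHP only the VPN label remains: it names either an outgoing interface directly
        or a VRF in which an IP lookup is still needed (aggregate/connected routes)."""
        kind, name = self.vpn_labels[stack[0]]
        if kind == "iface":
            return name
        prefix = longest_match(self.vrf_fib[name], dst)
        return self.vrf_fib[name][prefix] if prefix else None


# Constructed topology with the slide's values: London PE -> P -> P -> Paris PE-1 (loopback 197.26.15.1)
london = IngressPE(vrf_fib={"VPN-A": {"149.27.2.0/24": (28, "197.26.15.1")}},
                   lfib={"197.26.15.1/32": 41})
p_first = PRouter(lfib={41: 68})
p_penultimate = PRouter(lfib={68: POP})          # implicit-null learned from PE-1: PHP happens here
pe1_paris = EgressPE(vpn_labels={28: ("vrf", "VPN-A"), 29: ("iface", "Serial2-to-CE")},
                     vrf_fib={"VPN-A": {"149.27.2.0/24": "Serial1-to-CE"}})


def trace(dst, vrf="VPN-A"):
    """Walk one packet from the London CE to the Paris site; return every label stack seen on the way."""
    stack = london.impose(vrf, dst)
    if stack is None:
        return {"dropped": "no route in VRF"}
    after_p1 = p_first.switch(stack)
    after_php = p_penultimate.switch(after_p1)
    return {"london_out": stack, "p_first_out": after_p1, "after_php": after_php,
            "pe1_exit": pe1_paris.deliver(after_php, dst)}
```

Running trace("149.27.2.27") reproduces the slide: 41 | 28 leaves London, 68 | 28 leaves the first P router, only 28 reaches PE-1 after PHP, and PE-1 resolves 28 to the VPN-A VRF and the Paris CE interface. Note that the P routers never see the VPN label or the IP header, which is why no P router needs any VPN routes.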
MPLS VPN Topologies
MPLS VPN Extranet Support
• Extranet support is simply the import of
routes from one VRF into another VRF
which services a different VPN
• Controlled through the use of Route
Target
if we import the route, we have access
• Various topologies are viable using this
technique
MPLS VPN Extranet Support
[Diagram: PE with a VRF for VPN-A (CE Paris) and a VRF for VPN-B (CE Munich); the extranet VPN routing table contains both the VPN-A Paris routes and the VPN-B Munich routes]
Sharing of VPN information between VRFs provides
Extranet support
Central Services Model
• Common topology is central services VPN
client sites may access central services but may not
communicate directly with other client sites
• Once again controlled through the use of
route target
client sites belong to unique VRF, servers share
common VRF
client exports routes using client-rt and imports server-rt
server exports routes using server-rt and imports
server-rt & client-rt
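As an added example (not from the slides), the Python block below simulates the route-target import/export logic behind the RT & SOO, Site of Origin and Central Services slides: each VRF exports its routes into MP-iBGP tagged with its export RTs, a receiving PE imports a VPNv4 route into every VRF whose import list shares an RT with it, and a route carrying the SOO configured for an attached site is not advertised back into that site. The RD values, PE names and the symbolic RT names client-rt and server-rt are constructed for the example (real RTs are AS:nn or IP:nn values); the prefixes are the ones on the slides.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Vpnv4Route:
    origin_pe: str              # PE that advertised the route (its loopback is the BGP next-hop)
    rd: str                     # route distinguisher: RD:prefix is what keeps the route unique
    prefix: str
    rt: frozenset               # route-target extended communities set on export
    soo: Optional[str] = None   # site-of-origin extended community, if the PE-CE session sets one


@dataclass
class Vrf:
    name: str
    pe: str
    rd: str
    export_rt: set
    import_rt: set
    local: dict = field(default_factory=dict)   # prefix -> SOO learned from the attached CE (None if unset)


def export_vrf(vrf):
    """Sending PE: every VRF route becomes a VPNv4 route, RD prepended, tagged with the VRF's export RTs."""
    return [Vpnv4Route(vrf.pe, vrf.rd, p, frozenset(vrf.export_rt), soo) for p, soo in vrf.local.items()]


def import_into(vrf, updates):
    """Receiving PE: a VPNv4 route is placed into a VRF when any of its RTs is in the VRF's import list.
    A PE does not import its own advertisements, so updates from this VRF's PE are skipped."""
    return {u.prefix: u for u in updates if u.origin_pe != vrf.pe and u.rt & vrf.import_rt}


def advertise_to_site(vrf_routes, site_soo):
    """PE-to-CE side: a route whose SOO equals the attached site's SOO is not sent back into that
    site (the PE-2/CE-2 case on the Site of Origin slide); everything else in the VRF is sent."""
    return sorted(p for p, u in vrf_routes.items() if u.soo is None or u.soo != site_soo)


def central_services_demo():
    """Client VRFs export client-rt and import server-rt; the server VRF exports server-rt and
    imports both. Returns, per VRF, the prefixes it imports from MP-iBGP."""
    vpn_a = Vrf("VPN-A", "PE-A", "1:1", {"client-rt"}, {"server-rt"}, {"195.12.2.0/24": None})
    vpn_b = Vrf("VPN-B", "PE-B", "1:2", {"client-rt"}, {"server-rt"}, {"146.12.7.0/24": None})
    server = Vrf("Server", "PE-S", "1:100", {"server-rt"}, {"server-rt", "client-rt"},
                 {"146.12.9.0/24": None})
    mp_ibgp = export_vrf(vpn_a) + export_vrf(vpn_b) + export_vrf(server)   # what every PE receives
    return {v.name: sorted(import_into(v, mp_ibgp)) for v in (vpn_a, vpn_b, server)}


def soo_demo():
    """Multihomed site: CE-1 on PE-1 and CE-2 on PE-2 are both Site-1 with SOO 100:65. PE-1 tags the
    CE-1 route with that SOO; PE-2 imports it (RT 100:3) but must not hand it back to CE-2."""
    pe1_odd = Vrf("odd", "PE-1", "100:1", {"100:3"}, {"100:3"}, {"192.168.0.5/32": "100:65"})
    pe2_odd = Vrf("odd", "PE-2", "100:1", {"100:3"}, {"100:3"})
    imported = import_into(pe2_odd, export_vrf(pe1_odd))
    return {"imported_on_pe2": sorted(imported),
            "sent_to_ce2_site1": advertise_to_site(imported, "100:65"),
            "sent_to_a_site_with_another_soo": advertise_to_site(imported, "100:66")}
```

The central-services run shows the closed-user-group effect of the RT policy: VPN-A and VPN-B each import only the server prefix 146.12.9.0/24, never each other's routes, while the server VRF imports both client prefixes. The SOO run shows why the attribute exists: PE-2 holds 192.168.0.5/32 in its VRF but advertise_to_site returns nothing for the site whose SOO matches, so the route cannot loop back into Site-1 through CE-2, whereas a site with a different SOO receives it.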
Central Services Model
[Diagram: VPN A VRF (195.12.2.0/24; Export RT=client-rt, Import RT=server-rt) and VPN B VRF (146.12.7.0/24; Export RT=client-rt, Import RT=server-rt) each hold only their own prefix plus the server prefix 146.12.9.0/24; the Central Server Site's Server VRF (Export RT=server-rt, Import RT=server-rt and client-rt) holds 146.12.9.0/24, 195.12.2.0/24 and 146.12.7.0/24. MP-iBGP updates: RD:195.12.2.0/24 RT=client-rt; RD:146.12.7.0/24 RT=client-rt; RD:146.12.9.0/24 RT=server-rt]
MPLS VPN Internet Connectivity
Static Default Route
• VPN sites may require Internet access
either directly or via a central site - no full routing
• Default route provided through static or
dynamic route within the VRF
extension to ‘ip route’ command - Global keyword
Internet gateway points to an exit point whose
address is within the global routing table
• PE router generates VPN customer routes
into BGP through global static routes
MPLS VPN Internet Connectivity
Static Default Route
[Diagram: Internet access through a static default route; the VPN A VRF (site 195.12.2.0/24) and VPN B VRF (site 146.12.9.0/24) each hold 0.0.0.0 NH=Internet-PE, pointing across the MPLS VPN backbone into the global Internet routing table on the Internet-PE]
ip route vrf VPN_A 0.0.0.0 0.0.0.0 Internet-PE global
ip route 195.12.2.0 255.255.255.0 serial 1/0
ip route vrf VPN_B 0.0.0.0 0.0.0.0 Internet-PE global
ip route 146.12.9.0 255.255.255.0 serial 1/1
MPLS VPN Internet Connectivity
Dynamic Default Route
[Diagram: dynamic default route; the VPN A central site and the VPN B central site export their defaults as VPN-IPv4 updates Net=0.0.0.0/0 with RT=17:22 (VPN A) and RT=17:28 (VPN B); across the MPLS VPN backbone the remote VPN A VRFs import RT=17:22 and the VPN B VRFs import RT=17:28]
MPLS VPN Internet Connectivity
Separate BGP Session PE/CE Link
• Many clients wish to send/receive routes
directly with the Internet
default route is not sufficient in this environment
• Routes reside on the PE router
but within the global not VRF tables
• Mechanism needed to distribute this
routing information to VPN customer sites
and also receive routes and place them into the
global, and not VRF table
MPLS VPN Internet Connectivity
Separate BGP Session PE/CE Link
• Achieved by using a second interface to
the client site
either physical or logical, such as sub-interface or
tunnel
[Diagram: the VPN site CE is connected to the PE over two (sub)interfaces: one associated with the VRF, carrying the VPN routes, and one associated with the global routing table, carrying Internet routes to and from the global Internet]
MPLS VPN Internet Connectivity
Global Internet Table Association
• If multiple exit points, then possibility to
associate full Internet routes with a VRF
if only one exit point, then default pointing to Internet
exit point interface will normally suffice
• With multiple interfaces, sub-optimal routing a
possibility with default route generation
as multiple defaults would allow load balancing but no
best path selection
• Association of Internet routes with VRF provide
ability to generate aggregate default
MPLS VPN Internet Connectivity
Global Internet Table Association
[Diagram: two PE routers, one connected to ISP A and one to ISP B, each exporting a default route with the Internet_access route target; a static default points to a loopback interface so that the lookup on incoming packets occurs in the VRF]
MPLS VPN Internet Connectivity
Global Internet Table Association
• Optimal routing between providers now
possible
• Need to filter everything other than default
cpu and administrative overhead
• Label assignment will occur for every route
within the VRF
memory overhead even though labels are never used
• If full routes distributed, could result in
multiple copies of Internet routing table
MPLS VPN Convergence
Routing Convergence
• Convergence needs to be assessed in two
main areas
convergence within the MPLS VPN backbone
convergence between VPN client sites
• Both areas are completely independent ...
but work together to provide end-to-end
convergence as perceived by the VPN client
therefore must be assessed in conjunction
End-to-End Routing Convergence
[Diagram: a VPN Client A site advertises a new VPN route to its PE; the route is propagated across the MP-iBGP session, imported into the relevant VRFs on the remote PE and advertised to the relevant VPN sites of Client A. If a backbone link fails, the MPLS VPN backbone IGP converges on a new path to the BGP next-hop]
Client-to-client and MPLS VPN backbone IGP
convergence are independent
Convergence Across Backbone
• Convergence of MPLS VPN backbone IGP will
not affect client-to-client route convergence
unless BGP next-hop becomes unavailable;
but will affect client-to-client traffic while backbone
converges
• Backbone may be router-only based or based
on ATM switches
convergence will be different for the MPLS forwarding
plane - cell-mode versus frame-mode implementation
Convergence - Router Based
Backbone
• Unsolicited Downstream
Bindings advertised as soon as route is in the routing
table
• Liberal Label Retention
If multiple neighbors, next-hop change causes new
label to be used for forwarding
• Immediate Notification of Routing Table
Change
A route change (addition/deletion) immediately
propagated to MPLS process
Convergence - Router Based
Backbone
[Diagram: VPN Client A sites attached to PE-1 and PE-2; PE-1 reaches PE-2 (loopback 197.26.15.1/32) through P-1, with P-2 and P-3 as alternative paths. Label bindings for 197.26.15.1/32 shown in the figure: POP (implicit-null) advertised by PE-2 to its neighbors, label 41 from P-1, label 23 and label 25 from the other P routers, all retained by PE-1 under liberal retention]
If P-1 to PE-2 link fails, PE-1 next-hop to destinations reachable via 197.26.15.1/32 (PE-2 Loopback) will change to P-3. As label exists (41), convergence is as quick as the IGP
MPLS & IGP backbone convergence are closely
entwined
Convergence - ATM Backbone
• Downstream-on-demand
– Affects convergence as LSR must signal for downstream label binding
• Conservative Label Retention
– Convergence is affected as LSR must signal for downstream label binding if one does not exist
– Next-hop change will cause label request
• Two-stage Convergence:
– IGP: converge around topology changes
– MPLS: re-establish label mappings
Convergence - ATM Based Backbone
[Figure: same topology as the router-based case (VPN Client A sites, PE-1, PE-2, P-1, P-2, P-3), but the P routers are ATM-LSRs. Bindings for destination 197.26.15.1/32 are VPI/VCI labels (1/239 and 1/321 are shown) obtained through label requests for destination 197.26.15.1/32 sent to P-1, P-3 and P-2.]
If P-1 to PE-2 link fails, PE-1 next-hop to destinations reachable via 197.26.15.1/32 (PE-2 Loopback) will change to P-3. As label does not exist, PE-1 must signal the next-hop downstream ATM-LSR.
MPLS LSR must re-converge on IGP change AND resignal for label mapping to downstream next-hop
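The two convergence cases above (router backbone with liberal retention, ATM backbone with downstream-on-demand and conservative retention) can be played through with a small model. This is an added example, not code from the bootcamp: a toy LSR that stores label bindings per (prefix, neighbour) and forwards with the binding learnt from the current IGP next-hop. The prefix and label values are the ones on the slides; which neighbour advertised which label, and the class and function names, are assumptions made for the scenario.

```python
"""Label retention and IGP next-hop change: router vs. ATM backbone.

Added example, not from the bootcamp deck. With liberal retention a
next-hop change is just a lookup in the label information base; with
conservative retention plus downstream-on-demand the lookup fails and a
label request must be sent first (the two-stage convergence on the slide).
Prefix and labels are the slide's; neighbour-to-label assignment is assumed.
"""
from dataclasses import dataclass, field

PREFIX = "197.26.15.1/32"   # PE-2 loopback, as on the slides


@dataclass
class Lsr:
    name: str
    liberal: bool                                   # True: router-style retention
    lib: dict = field(default_factory=dict)         # (prefix, neighbour) -> label
    next_hop: dict = field(default_factory=dict)    # prefix -> IGP next-hop
    requests: list = field(default_factory=list)    # label requests sent

    def receive_binding(self, prefix, neighbour, label):
        """A downstream neighbour advertises a binding (unsolicited, or as the
        answer to a request). Conservative retention keeps only the binding
        from the current IGP next-hop; liberal retention keeps them all."""
        if self.liberal or self.next_hop.get(prefix) == neighbour:
            self.lib[(prefix, neighbour)] = label
            return True
        return False

    def outgoing_label(self, prefix):
        return self.lib.get((prefix, self.next_hop[prefix]))

    def igp_converged(self, prefix, new_next_hop):
        """Stage 1: the IGP picked a new next-hop. Returns ('forward', label)
        when a usable binding already exists, otherwise ('request', neighbour),
        meaning stage 2 (label signalling) is still needed."""
        self.next_hop[prefix] = new_next_hop
        label = self.outgoing_label(prefix)
        if label is None:
            self.requests.append((prefix, new_next_hop))
            return ("request", new_next_hop)
        return ("forward", label)


def router_backbone():
    """PE-1 holds labels 23 (P-1), 41 (P-3), 25 (P-2). The P-1 to PE-2 link
    fails, the IGP moves the next-hop to P-3 and label 41 is used at once."""
    pe1 = Lsr("PE-1", liberal=True)
    pe1.next_hop[PREFIX] = "P-1"
    for neighbour, label in (("P-1", 23), ("P-3", 41), ("P-2", 25)):
        pe1.receive_binding(PREFIX, neighbour, label)
    before = pe1.outgoing_label(PREFIX)
    after = pe1.igp_converged(PREFIX, "P-3")
    return before, after, len(pe1.requests)


def atm_backbone():
    """PE-1 only holds the binding from P-1. After the same failure the
    lookup misses, PE-1 signals P-3, and forwarding resumes only when the
    requested binding (1/321 here, an assumed assignment) arrives."""
    pe1 = Lsr("PE-1", liberal=False)
    pe1.next_hop[PREFIX] = "P-1"
    pe1.receive_binding(PREFIX, "P-1", "1/239")
    kept = pe1.receive_binding(PREFIX, "P-3", "1/321")   # dropped: not the next-hop
    stage1 = pe1.igp_converged(PREFIX, "P-3")             # ('request', 'P-3')
    pe1.receive_binding(PREFIX, "P-3", "1/321")           # reply to the label request
    return kept, stage1, pe1.outgoing_label(PREFIX), pe1.requests


if __name__ == "__main__":
    print("router backbone:", router_backbone())
    print("ATM backbone:", atm_backbone())
```

The point the model makes visible is that the ATM case is not slower because the IGP is slower, but because a second signalling round trip sits between IGP convergence and a usable forwarding entry; the `requests` list is the count of those round trips.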
Client-to-Client Convergence
• Four Main Convergence Areas
– Advertisement of routes from CE to PE and placement into VRF
– Propagation of routes across the MPLS VPN backbone
– Import process of these routes into relevant VRFs
– Advertisement of VRF routes to attached VPN sites
Backbone Route Propagation
• Changes are not propagated to other BGP speakers immediately
– Batched together and sent at "advertisement-interval"
– Default = 5 seconds for iBGP, 30 for eBGP
• Can be tweaked using the "neighbor advertisement-interval" command
– Needs to be changed for both backbone and CE routers if BGP between PE & CE
Import Process
• Import process uses a separate invocation of the scanner process
– Default = 15 seconds
– Can be tuned using the "bgp scan-time import" command
• Can take up to 15 seconds for a route to be placed into a receiving VRF
– and then potentially another 30 seconds to be advertised to CE if eBGP is in operation!
Scanner Process
• Scanner process will also have an effect on convergence
– Used to check next-hop reachability and to process any "network" commands within the BGP process
– Invoked every 60 seconds by default
– Can be tuned with the "bgp scan-time" command
– Large BGP table and small scan-time can be VERY CPU intensive - beware!
BGP Route Advertisement
• In addition to the scanning and importing of routes, each PE router needs to advertise the best routes within each VRF to all its VRF neighbors
– This occurs at both ingress and egress of the MPLS VPN network
– With eBGP CE neighbors, advertisement of these routes occurs every 30 seconds
– With (iBGP) PE neighbors, route advertisement occurs every 5 seconds
– Can be tuned with the "neighbor a.b.c.d advertisement-interval" command
MPLS VPN Scaling
Scaling
• Existing BGP techniques can be used to scale the route distribution: route reflectors (RRs) & BGP confederations (Inter-AS VPN)
• Each edge router needs only the information for the directly-connected VPNs it supports
• RRs are used to distribute VPN routing information
MPLS-VPN Scaling
Scaling BGP Route Reflectors
• Route reflectors may be partitioned
– Each RR stores routes for a set of VPNs
• Thus, no BGP router needs to store information on ALL VPNs
• PEs will peer to RRs according to the VPNs they support
MPLS-VPN Scaling
BGP Updates Filtering
• iBGP full mesh amongst PEs results in flooding of all VPN routes to all PEs
• Scaling problems when there is a large amount of routes
• PEs need routes for only attached VRFs
MPLS-VPN Scaling
BGP Updates Filtering
• Each PE will discard any VPN-IPv4 route that does not carry a route-target configured for import in any of the attached VRFs
• This significantly reduces the amount of information each PE has to store
• Volume of BGP table is equivalent to the volume of attached VRFs (nothing more)
MPLS-VPN Scaling
BGP Updates Filtering
[Figure: a PE with VRFs for VPNs yellow (Import RT=yellow) and green (Import RT=green) receives two VPN-IPv4 updates over MP-iBGP sessions: "RD:Net1, Next-hop=PEX, SOO=Site1, RT=Green, Label=XYZ" and "RD:Net1, Next-hop=PEX, SOO=Site1, RT=Red, Label=XYZ". The green update matches an import policy; the red one does not.]
• Each VRF has an import and export policy configured
• Policies use route-target attribute (extended community)
• PE receives MP-iBGP updates for VPN-IPv4 routes
• If route-target is equal to any of the import values configured in the PE, the update is accepted
• Otherwise it is silently discarded
MPLS-VPN Scaling
Route Refresh
[Figure: a PE with Import RT=green, to which Import RT=red is added, receiving the same two VPN-IPv4 updates (RT=Green and RT=Red; RD:Net1, Next-hop=PEX, SOO=Site1, Label=XYZ). 1. PE doesn't have red routes (previously filtered out). 2. PE issues a Route-Refresh to all neighbors in order to ask for retransmission. 3. Neighbors re-send updates and the "red" route-target is now accepted.]
• Policy may change in the PE if VRF modifications are done
– New VRFs, removal of VRFs
• However, the PE may not have stored routing information which becomes useful after a change
• PE requests a re-transmission of updates from neighbors
– Route-Refresh
MPLS-VPN Scaling
Outbound Route Filters - ORF
[Figure: a PE with Import RT=yellow and Import RT=green receives VPN-IPv4 updates with RT=Green and RT=Red (RD:Net1, Next-hop=PEX, SOO=Site1, Label=XYZ). 1. PE doesn't need red routes. 2. PE issues a Route-Refresh message with an ORF entry to neighbors in order not to receive red routes: Permit RT = Green, Yellow. 3. Neighbors dynamically configure the outbound filter and send updates accordingly.]
• PE router will discard update with unused route-target
• Optimisation requires these updates NOT to be sent
• Outbound Route Filter (ORF) allows a router to tell its neighbors which filter to use prior to propagating BGP updates
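The three scaling mechanisms above (automatic route filtering on import route-targets, Route-Refresh after a VRF change, and ORF) fit in one small model. This is an added example, not code from the bootcamp or from IOS: the update fields (RD:Net1, Next-hop=PEX, SOO=Site1, Label=XYZ) and the colour names come from the slides, written in lower case here; the `Neighbor` and `Pe` classes and their methods are constructed for the illustration.

```python
"""Route-target filtering at a PE, Route-Refresh and ORF (added example).

Not code from the bootcamp. A PE keeps a VPN-IPv4 update only if its
route-target is an import RT of an attached VRF; when a VRF is added the PE
sends a Route-Refresh so the neighbour re-sends what was filtered out
earlier; with an ORF entry the neighbour installs the PE's import list as
its outbound filter and stops sending unwanted routes in the first place.
Update fields and colours are the slides'; classes are constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class VpnIpv4Update:
    prefix: str        # RD:Net1 on the slide
    next_hop: str      # PEX
    soo: str           # site-of-origin extended community
    rt: str            # route-target extended community
    label: str         # VPN label XYZ


@dataclass
class Neighbor:
    """Remote MP-iBGP peer holding its Adj-RIB-Out for this PE."""
    name: str
    adj_rib_out: list
    orf: set = None                 # outbound filter installed at the PE's request
    refreshes: int = 0              # Route-Refresh messages served

    def send(self):
        return [u for u in self.adj_rib_out if self.orf is None or u.rt in self.orf]

    def route_refresh(self, orf=None):
        """PE asked for retransmission; an ORF entry may be carried along."""
        if orf is not None:
            self.orf = set(orf)
        self.refreshes += 1
        return self.send()


@dataclass
class Pe:
    import_rts: set
    neighbors: list
    table: dict = field(default_factory=dict)   # (prefix, rt) -> update
    discarded: int = 0

    def receive(self, updates):
        """Accept if the RT matches any import value, else silently discard."""
        for u in updates:
            if u.rt in self.import_rts:
                self.table[(u.prefix, u.rt)] = u
            else:
                self.discarded += 1

    def initial_sync(self, use_orf=False):
        """Session comes up; with ORF the PE pushes its import list first."""
        for n in self.neighbors:
            self.receive(n.route_refresh(self.import_rts) if use_orf else n.send())

    def add_vrf_import(self, rt, use_orf=False):
        """A new VRF changes inbound policy -> Route-Refresh (with ORF if used)."""
        self.import_rts.add(rt)
        for n in self.neighbors:
            self.receive(n.route_refresh(self.import_rts if use_orf else None))

    def stored_rts(self):
        return sorted({u.rt for u in self.table.values()})


def pex_updates():
    """The two updates drawn on the slides (constructed values)."""
    return [VpnIpv4Update("RD:Net1", "PEX", "Site1", "green", "XYZ"),
            VpnIpv4Update("RD:Net1", "PEX", "Site1", "red", "XYZ")]


def refresh_scenario():
    """Filter, then add a red VRF and recover the red route via Route-Refresh."""
    pex = Neighbor("PEX", pex_updates())
    pe = Pe({"yellow", "green"}, [pex])
    pe.initial_sync()                                # red arrives and is discarded
    before = (pe.stored_rts(), pe.discarded)
    pe.add_vrf_import("red")                         # Route-Refresh: red re-sent
    return before, (pe.stored_rts(), pe.discarded), pex.refreshes


def orf_scenario():
    """Same policy change, but the neighbour filters on the PE's behalf."""
    pex = Neighbor("PEX", pex_updates())
    pe = Pe({"yellow", "green"}, [pex])
    pe.initial_sync(use_orf=True)                    # neighbour never sends red
    sent_initially = len(pex.send())
    pe.add_vrf_import("red", use_orf=True)           # filter widened, red arrives
    return sent_initially, pe.stored_rts(), pe.discarded
```

In `refresh_scenario` the PE still has to receive and drop the red update once, and the refresh re-sends the green one it already had; in `orf_scenario` nothing is discarded at all, which is the bandwidth and CPU saving the ORF slide is after.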
Connecting MPLS-VPN Backbones
Connecting MPLS-VPN Backbones
• Providers exchange routes between PE-ASBR routers
• MP-eBGP for (labelled) VPNv4 addresses between ASBRs
– Next-hop and labels are re-written by the PE-ASBRs
• Requires PE-ASBRs to store VPN routes that need to be exchanged
• Routes are in the MP-BGP table but not in any routing table
– PE-ASBRs do not have any VRFs
– MP-eBGP labels are used in LFIB
Connecting MPLS-VPN backbones
[Figure: two provider backbones, each a core of P LSRs with its own route reflector. In the first backbone PE-1, PE-2 and PE-ASBR1 peer with RR-1: RR-1 reflects VPNv4 internal routes and PE-ASBR1 advertises VPNv4 external routes. In the second backbone PE-3 and PE-ASBR2 peer with RR-2: RR-2 reflects VPNv4 internal routes and PE-ASBR2 advertises VPNv4 external routes. PE-ASBR1 and PE-ASBR2 exchange VPNv4 addresses with labels over an MP-eBGP session (MP-eBGP VPNv4 routes with label distribution). CE-1 through CE-5 attach to the PEs.]
Connecting MPLS-VPN backbones
[Figure: control-plane propagation of one VPN route N across the two backbones.]
– CE-2 --> PE-1: Network=N, Next-hop=CE2
– PE-1 --> RR-1 --> PE-ASBR1: Network=RD1:N, Next-hop=PE1, Label=L1
– PE-ASBR1 --> PE-ASBR2 (MP-eBGP): Network=RD1:N, Next-hop=PE-ASBR1, Label=L2
– PE-ASBR2 --> RR-2 --> PE-3: Network=RD1:N, Next-hop=PE-ASBR2, Label=L3
– PE-3 --> its CE: Network=N, Next-hop=PE3
Multi-AS MPLS-VPN backbones
VPNv4 routes exchanged between PE-ASBRs
[Figure: data-plane label stack of a packet to Dest=N, hop by hop, from PE-3's CE back to CE-2.]
– CE --> PE-3: unlabelled IP packet, Dest=N
– PE-3 --> core of P LSRs: [LDP-PE-ASBR2-label][L3] Dest=N; by the time the packet reaches PE-ASBR2 the IGP label has been removed, so PE-ASBR2 receives [L3] Dest=N
– PE-ASBR2 --> PE-ASBR1: [L2] Dest=N (the label learnt over MP-eBGP)
– PE-ASBR1 --> core of P LSRs: [LDP-PE1-label][L1] Dest=N; PE-1 receives [L1] Dest=N
– PE-1 --> CE-2: unlabelled IP packet, Dest=N
MPLS VPN Configuration
MPLS VPN Configuration
• VPN knowledge is on PE routers
• Several basic steps are necessary to provision a PE router for VPN service
– configuration of VRFs
– configuration of Route Distinguishers
– configuration of import/export policies
– configuration of PE to CE links
– association of VRFs to interfaces
– configuration of MP-BGP
VRF & RD Configuration
• RD is configured on PE routers
– separate RD per VRF
– good practice is to use the same RD for the same VPN in all PE routers, although this is not mandatory
• VRF configuration commands
ip vrf <vrf-symbolic-name>
 rd <route-distinguisher-value>
 route-target import <import route-target community>
 route-target export <export route-target community>
VRF Configuration
[Figure: one PE with three CEs: Paris (VPN-A), London (VPN-A) and Munich (VPN-B). VRF for VPN-A (RT 100:1) holds Paris routes and London routes; VRF for VPN-B (RT 100:2) holds Munich routes.]
ip vrf VPN-A
 rd 1:129
 route-target export 100:1
 route-target import 100:1
ip vrf VPN-B
 rd 1:131
 route-target export 100:2
 route-target import 100:2
PE/CE Routing Protocol
• PE/CE can use BGP, RIPv2, OSPF or Static
• Routing context used for all except OSPF, which uses a separate process
• Routing contexts are defined within the routing protocol instance
router rip
 version 2
 !
 address-family ipv4 vrf <vrf-symbolic-name>
  version 2
  network 195.27.15.0
 !
 address-family ipv4 vrf <vrf-symbolic-name>
  ..
PE/CE Routing Protocol
• OSPF uses a different process
router ospf 100 vrf <vrf-symbolic-name>
!
router ospf 200 vrf <vrf-symbolic-name>
• BGP uses address-family command
router bgp <AS #>
 !
 address-family ipv4 vrf <vrf-symbolic-name>
 !
 address-family vpnv4
• Static routes are configured per-VRF
ip route vrf <vrf-symbolic-name>
PE/CE Routing Protocol
[Figure: the PE with CEs Paris and London (VPN-A, on Serial3/5 and Serial3/6) and Munich (VPN-B, on Serial3/7).]
interface Serial3/5
 ip vrf forwarding VPN-A
 ip address 192.168.61.6 255.255.255.252
 encapsulation ppp
!
interface Serial3/6
 ip vrf forwarding VPN-A
 ip address 192.168.61.9 255.255.255.252
 encapsulation ppp
!
interface Serial3/7
 ip vrf forwarding VPN-B
 ip address 192.168.62.6 255.255.255.252
 encapsulation ppp
!
router bgp 100
 no bgp default ipv4-unicast
 ! MP-iBGP peer 195.27.2.1 is in the local AS and reached from Loopback0
 neighbor 195.27.2.1 remote-as 100
 neighbor 195.27.2.1 update-source Loopback0
 !
 address-family ipv4 vrf VPN-B
  neighbor 192.168.62.5 remote-as 65503
  neighbor 192.168.62.5 activate
 exit-address-family
 !
 address-family ipv4 vrf VPN-A
  neighbor 192.168.61.5 remote-as 65501
  neighbor 192.168.61.5 activate
  neighbor 192.168.61.10 remote-as 65502
  neighbor 192.168.61.10 activate
 exit-address-family
 !
 address-family vpnv4
  neighbor 195.27.2.1 activate
  neighbor 195.27.2.1 send-community extended
 exit-address-family
VRF Based Commands
• All show commands are VRF based
 show ip route vrf <vrf-symbolic-name>
 show ip protocols vrf <vrf-symbolic-name>
 show ip cef vrf <vrf-symbolic-name>
• Ping and Telnet commands are VRF based
 ping vrf <vrf-symbolic-name> x.x.x.x
 telnet x.x.x.x /vrf <vrf-symbolic-name>
MPLS VPN Internet Routing
VRF Specific Default Route
[Figure: the Internet is reached through a PE-IG (192.168.1.1) speaking BGP-4 to the Internet and MP-BGP to the VPN PEs. The PE at 192.168.1.2 connects Site-1 (Network 171.68.0.0/16) on Serial0; another PE connects Site-2.]
ip vrf VPN-A
 rd 100:1
 route-target both 100:1
!
interface Serial0
 ip vrf forwarding VPN-A
 ip address 192.168.10.1 255.255.255.0
!
router bgp 100
 no bgp default ipv4-unicast
 network 171.68.0.0 mask 255.255.0.0
 neighbor 192.168.1.1 remote-as 100
 neighbor 192.168.1.1 activate
 neighbor 192.168.1.1 next-hop-self
 neighbor 192.168.1.1 update-source loopback0
 !
 address-family ipv4 vrf VPN-A
  neighbor 192.168.10.2 remote-as 65502
  neighbor 192.168.10.2 activate
 exit-address-family
 !
 address-family vpnv4
  ! VPNv4 session to the PE-IG, the same iBGP neighbor used for the global table
  neighbor 192.168.1.1 activate
 exit-address-family
!
ip route 171.68.0.0 255.255.0.0 Serial0
ip route vrf VPN-A 0.0.0.0 0.0.0.0 192.168.1.1 global
MPLS VPN Internet Routing
VRF Specific Default Route
[Figure: forwarding of an IP packet with D=cisco.com from Site-2. The Site-2 VRF on the PE holds the Site-2 routes and 0.0.0.0/0 via 192.168.1.1 (global). The PE's global table and LFIB contain 192.168.1.1/32 Label=3, 192.168.1.2/32 Label=5, ... The packet is sent with Label=3 towards the PE-IG (192.168.1.1), which forwards it as a plain IP packet to the Internet. Site-1 (Network 171.68.0.0/16) routes sit in the Site-1 VRF on the PE at 192.168.1.2.]
MPLS VPN Internet Routing
Separated (sub)Interfaces
[Figure: the PE-IG (192.168.1.1) speaks BGP-4 to the Internet and MP-BGP to the PE at 192.168.1.2. Site-1 (Network 171.68.0.0/16) attaches to that PE over two sub-interfaces, Serial0.1 (VRF) and Serial0.2 (global, BGP-4 to the CE); another PE connects Site-2.]
ip vrf VPN-A
 rd 100:1
 route-target both 100:1
!
interface Serial0
 no ip address
!
interface Serial0.1
 ip vrf forwarding VPN-A
 ip address 192.168.20.1 255.255.255.0
!
interface Serial0.2
 ip address 171.68.10.1 255.255.255.0
!
router bgp 100
 no bgp default ipv4-unicast
 neighbor 192.168.1.1 remote-as 100
 neighbor 192.168.1.1 activate
 neighbor 192.168.1.1 next-hop-self
 neighbor 192.168.1.1 update-source loopback0
 network 171.68.0.0 mask 255.255.0.0
 ! global (Internet) eBGP session to the CE on Serial0.2; must be activated
 ! explicitly because of "no bgp default ipv4-unicast"
 neighbor 171.68.10.2 remote-as 502
 neighbor 171.68.10.2 activate
 !
 address-family ipv4 vrf VPN-A
  neighbor 192.168.20.2 remote-as 502
  neighbor 192.168.20.2 activate
 exit-address-family
 !
 address-family vpnv4
  ! VPNv4 session to the PE-IG, the same iBGP neighbor used for the global table
  neighbor 192.168.1.1 activate
 exit-address-family
MPLS VPN Internet Routing
Separate (sub)Interfaces
[Figure: an IP packet with D=cisco.com from Site-1. CE routing table: Site-1 routes ---> Serial0.1, Internet routes ---> Serial0.2. PE global table: Internet routes ---> 192.168.1.1, Label=3. The packet arrives on Serial0.2, is forwarded from the PE's global table with Label=3 to the PE-IG (192.168.1.1) and from there unlabelled to the Internet. Site-1 is Network 171.68.0.0/16; Site-2 is attached through the PE at 192.168.1.2.]
MPLS-VPN Scaling
Route Refresh
[Figure: same diagram as the earlier Route Refresh slide: a PE with Import RT=yellow and Import RT=green, to which Import RT=red is added, receiving VPN-IPv4 updates with RT=Green and RT=Red (RD:Net1, Next-hop=PEX, SOO=Site1, Label=XYZ). 1. PE doesn't have red routes (previously filtered out). 2. PE issues a Route-Refresh to all neighbors in order to ask for retransmission. 3. Neighbors re-send updates and the "red" route-target is now accepted.]
• New BGP capability: route refresh
• Allows a router to request from any neighbor the re-transmission of BGP updates
– Useful when inbound policy has been modified
– Similar to Cisco "soft-reconfiguration" without the need to store any route
• BGP speakers may send "Route-Refresh"
MPLS-VPN Scaling
Outbound Route Filters - ORF
[Figure: same diagram as the earlier ORF slide: a PE with Import RT=yellow and Import RT=green receives VPN-IPv4 updates with RT=Green and RT=Red (RD:Net1, Next-hop=PEX, SOO=Site1, Label=XYZ). 1. PE doesn't need red routes. 2. PE issues an ORF message to all neighbors in order not to receive red routes. 3. Neighbors dynamically configure the outbound filter and send updates accordingly.]
• PE router will discard update with unused route-target
• Optimisation requires these updates NOT to be sent
• Outbound Route Filter (ORF) allows a router to tell its neighbors which filter to use prior to propagating BGP updates
MPLS VPN - Configuration
[Figure: PE1 attaches Site-1 and Site-2, PE2 attaches Site-3 and Site-4, with multihop MP-iBGP between PE1 and PE2 across two P routers. Three VPNs (VPN-A, VPN-B, VPN-C) overlap: Site-1 and Site-2 share route-target 100:1, Site-2 and Site-3 share 100:2, Site-3 and Site-4 share 100:3. Resulting VRF contents: VRF for site-1 (100:1): Site-1 routes, Site-2 routes; VRF for site-2 (100:2): Site-1 routes, Site-2 routes, Site-3 routes; VRF for site-3 (100:2): Site-2 routes, Site-3 routes, Site-4 routes; VRF for site-4 (100:3): Site-3 routes, Site-4 routes.]
PE1:
ip vrf site1
 rd 100:1
 route-target export 100:1
 route-target import 100:1
ip vrf site2
 rd 100:2
 route-target export 100:2
 route-target import 100:2
 route-target import 100:1
 route-target export 100:1
!
interface Serial3/6
 ip vrf forwarding site1
 ip address 192.168.61.6 255.255.255.0
 encapsulation ppp
!
interface Serial3/7
 ip vrf forwarding site2
 ip address 192.168.62.6 255.255.255.0
 encapsulation ppp
PE2:
ip vrf site3
 rd 100:2
 route-target export 100:2
 route-target import 100:2
 route-target import 100:3
 route-target export 100:3
ip vrf site4
 rd 100:3
 route-target export 100:3
 route-target import 100:3
!
interface Serial4/6
 ip vrf forwarding site3
 ip address 192.168.73.7 255.255.255.0
 encapsulation ppp
!
interface Serial4/7
 ip vrf forwarding site4
 ip address 192.168.74.7 255.255.255.0
 encapsulation ppp
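Because VPN membership in this model is decided by nothing but route-target overlap, the VRF definitions above (and the generic VRF & RD commands earlier) are worth checking mechanically before they go on a PE. The following is an added example, not tooling from the bootcamp or from IOS: it parses the IOS-style `ip vrf` and `interface` stanzas, reproduces the PE1/PE2 site1..site4 definitions from this slide as constructed input, and reports which VRFs can see which other VRFs' routes plus two slips that silently change that membership (an interface bound to a VRF name that is not defined, and two VRFs on one PE sharing an RD). `BAD_CONFIG` and all function names are constructed for the illustration.

```python
"""Route-target policy check for IOS-style PE VRF configuration.

Added example, not the bootcamp's own tooling. PE1/PE2 below reproduce the
slide's site1..site4 VRF definitions as constructed input; BAD_CONFIG is a
constructed mistake. Function names are constructed for this illustration.
"""

PE_CONFIGS = {
    "PE1": """\
ip vrf site1
 rd 100:1
 route-target export 100:1
 route-target import 100:1
ip vrf site2
 rd 100:2
 route-target export 100:2
 route-target import 100:2
 route-target import 100:1
 route-target export 100:1
!
interface Serial3/6
 ip vrf forwarding site1
 ip address 192.168.61.6 255.255.255.0
!
interface Serial3/7
 ip vrf forwarding site2
""",
    "PE2": """\
ip vrf site3
 rd 100:2
 route-target export 100:2
 route-target import 100:2
 route-target import 100:3
 route-target export 100:3
ip vrf site4
 rd 100:3
 route-target export 100:3
 route-target import 100:3
!
interface Serial4/6
 ip vrf forwarding site3
!
interface Serial4/7
 ip vrf forwarding site4
""",
}

# Constructed slip: interface names a VRF that is not defined (site-1 vs
# site1) and two VRFs on the same PE reuse one RD.
BAD_CONFIG = """\
ip vrf site1
 rd 100:1
 route-target both 100:1
ip vrf site2
 rd 100:1
 route-target both 100:2
!
interface Serial3/6
 ip vrf forwarding site-1
"""


def parse_pe(config_text):
    """Return (vrfs, findings); vrfs maps name -> rd/import/export/interfaces."""
    vrfs, findings, vrf, iface = {}, [], None, None
    for raw in config_text.splitlines():
        words = raw.split()
        if not words or words[0] == "!":
            vrf = iface = None                          # end of stanza
        elif words[:3] == ["ip", "vrf", "forwarding"]:  # interface -> VRF binding
            if words[3] in vrfs:
                vrfs[words[3]]["interfaces"].append(iface)
            else:
                findings.append(f"{iface}: bound to undefined VRF {words[3]}")
        elif words[:2] == ["ip", "vrf"]:                # ip vrf <name>
            vrf, iface = words[2], None
            vrfs[vrf] = {"rd": None, "import": set(), "export": set(), "interfaces": []}
        elif words[0] == "interface":
            iface, vrf = words[1], None
        elif vrf and words[0] == "rd":
            vrfs[vrf]["rd"] = words[1]
        elif vrf and words[0] == "route-target":        # import | export | both
            if words[1] in ("import", "both"):
                vrfs[vrf]["import"].add(words[2])
            if words[1] in ("export", "both"):
                vrfs[vrf]["export"].add(words[2])
    seen_rd = {}
    for name, v in vrfs.items():                        # RD must be unique per PE
        if v["rd"] in seen_rd:
            findings.append(f"VRF {name} reuses RD {v['rd']} of VRF {seen_rd[v['rd']]}")
        seen_rd.setdefault(v["rd"], name)
    return vrfs, findings


def visible_routes(*vrf_tables):
    """VRF A sees VRF B's routes iff A's import RTs intersect B's export RTs;
    VRFs on different PEs are joined by the MP-iBGP session between them."""
    every = {n: v for table in vrf_tables for n, v in table.items()}
    return {a: sorted(b for b, vb in every.items() if va["import"] & vb["export"])
            for a, va in every.items()}


if __name__ == "__main__":
    tables = {pe: parse_pe(text) for pe, text in PE_CONFIGS.items()}
    print(visible_routes(*(vrfs for vrfs, _ in tables.values())))
    print("bad config:", parse_pe(BAD_CONFIG)[1])
```

Run against the slide's definitions the visibility output reproduces the four VRF contents drawn in the figure (site-2 sees Site-1, Site-2 and Site-3 routes, and so on); run against `BAD_CONFIG` it flags the undefined VRF reference, which on a real PE would leave the interface without a VRF, and the duplicate RD.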
MPLS VPN - Configuration
PE/CE routing protocols
[Figure: the same topology: PE1 (loopback 6.6.6.6, VRFs for site-1 and site-2) and PE2 (loopback 7.7.7.7, VRFs for site-3 and site-4) with MP-iBGP between them across two P routers; VRF contents as on the previous slide.]
PE1:
router bgp 100
 no bgp default ipv4-unicast
 neighbor 7.7.7.7 remote-as 100
 neighbor 7.7.7.7 update-source Loopback0
 !
 address-family ipv4 vrf site2
  neighbor 192.168.62.2 remote-as 65502
  neighbor 192.168.62.2 activate
 exit-address-family
 !
 address-family ipv4 vrf site1
  neighbor 192.168.61.1 remote-as 65501
  neighbor 192.168.61.1 activate
 exit-address-family
 !
 address-family vpnv4
  neighbor 7.7.7.7 activate
  neighbor 7.7.7.7 next-hop-self
 exit-address-family
PE2:
router bgp 100
 no bgp default ipv4-unicast
 neighbor 6.6.6.6 remote-as 100
 neighbor 6.6.6.6 update-source Loopback0
 !
 address-family ipv4 vrf site4
  neighbor 192.168.74.4 remote-as 65504
  neighbor 192.168.74.4 activate
 exit-address-family
 !
 address-family ipv4 vrf site3
  neighbor 192.168.73.3 remote-as 65503
  neighbor 192.168.73.3 activate
 exit-address-family
 !
 address-family vpnv4
  neighbor 6.6.6.6 activate
  neighbor 6.6.6.6 next-hop-self
 exit-address-family
IOS Support for MPLS
MPLS-VPN IOS Releases - LDP Status
• Initial limited deployment release in 12.0(10)ST and up
• 12.0(11)ST available on CCO
• General deployment also planned for 12.2(1)T
• Will be based on the current IETF draft (draft-ietf-mpls-ldp-11.txt?)
References
References
• RFCs and Internet Drafts
– draft-rosen-rfc2547bis-02.txt (was RFC2547)
– RFC2858 (Obsoletes RFC2283)
– draft-ietf-mpls-bgp4-mpls-02.txt
– draft-ramachandra-bgp-extcommunities-04.txt
• Textbooks
– "MPLS and VPN Architectures," by Ivan Pepelnjak, Jim Guichard (ISBN 1-58705-002-1)
– "MPLS: Technology and Applications," by Bruce Davie, Yakov Rekhter (ISBN 1-55860-656-4)
• Useful URLs
– http://wwwin-mpls.cisco.com/
– http://wwwin-ch.cisco.com/SQA/devtest/tag-switching/
– http://wwwin-people.cisco.com/sprevidi/
Reference Pointers
• Mailing Lists
– [email protected] <-- (mpls-vpn questions)
– [email protected] <-- (general mpls questions)
– [email protected] <-- (mpls-te questions)
– [email protected]