Mpls

This presentation covers the virtual private network.

Published in: Technology

  1. MPLS VPN Configurations. Fahad Ahmed Khan
  2. Agenda
     - Introduction to VPN concepts
     - VPN definitions
     - Types of VPNs (Overlay/Peer)
     - Comparison between Overlay and Peer model
     - Benefits of MPLS VPNs
  3. Agenda
     - Idea behind VRF, RD, RT
     - Route propagation in MP-BGP
     - Routing between PE-CE
     - MPLS Packet Forwarding
  4. Agenda
     - MPLS configuration
       - VRF
       - MP-BGP
       - PE-CE configuration
       - Advanced configuration
  5. Agenda
     - MPLS topologies
     - VPN connectivity
     - Design considerations
     - Deployment strategies
  6. VPN/MPLS Concepts
     - VPN
       - The concept is to use the service provider's shared resources to connect multiple customer sites
       - Technologies such as X.25 and Frame Relay use virtual circuits to establish end-to-end connections over the provider's shared infrastructure
       - This statistical sharing of resources enables the service provider to offer low-cost services to the end user
  7. VPN Terminology
     - Provider Network (P-Network)
       - The backbone under control of a Service Provider
     - Customer Network (C-Network)
       - Network under customer control
     - CE router
       - Customer Edge router. Part of the C-network; interfaces to a PE router
  8. VPN Terminology
     - Site
       - Set of co-located (sub)networks that are part of the C-network
       - A site is connected to the VPN backbone through one or more PE/CE links
     - PE router
       - Provider Edge router. Part of the P-Network; interfaces to CE routers
     - P router
       - Provider (core) router, without knowledge of VPNs
  9. VPN Terminology (diagram labels: Service Provider Network, Provider core (P) device, Provider Edge (PE) devices, CPE (CE) devices, VPN Sites)
  10. Types of VPNs
      - VPN services are offered in two major ways
        - Overlay model, where the service provider provides the virtual connections between sites
        - Peer model, where the service provider participates in the layer routing of the customer
  11. VPN Overlay Model
      - Service provider network is a collection of point-to-point links
      - Routing within the customer network is transparent to the service provider network
      - Service provider is responsible purely for data transport between customer sites
  12. VPN Overlay Model
      - Layer 1 implementation: IP, HDLC, PPP (customer); provider gives bit pipes only
      - Layer 2 implementation: service provider is responsible for L2 VCs via ATM or Frame Relay
  13. VPN Overlay Model (diagram labels: Service Provider Network, Provider Edge (PE) devices, Virtual Circuit, CPE (CE) devices, VPN Sites, Layer-3 Routing Adjacency)
  14. VPN Peer Model
      - Both provider and customer networks use the same network protocol
      - CE and PE routers have a routing adjacency at each site
      - All provider routers hold the full routing information about all customer networks
      - Private addresses are not allowed
      - May use the virtual router capability
        - Multiple routing and forwarding tables based on customer networks
  15. VPN Peer-to-Peer Model (diagram labels: Service Provider Network, Provider Edge (PE) Routers, CPE (CE) Routers, VPN Sites, Layer-3 Routing Adjacency at each site)
  16. VPN Peer Model
      - The peer model has used two approaches
        - Shared router
        - Dedicated router
  17. VPN Peer Model
      - Shared router
        - Where a common router is used, extensive packet filtering is applied on the PE router to isolate customers
        - The service provider allocates addresses out of its own space to the customer and manages the packet filters to ensure reachability within the same customer and isolation between customers
        - High maintenance cost associated with packet filters
        - Performance impact due to packet filtering
  18. Peer-to-Peer Model: Shared Router Approach (diagram: one PE with CE routers for VPN-A, VPN-B and VPN-C; sites Paris, London, Munich; the PE routing table holds VPN-A, VPN-B and VPN-C routes; caption: "Shared router approach with complex filters")

      ```
      interface Serial0/1
       description ** interface to VPN-A customer
       ip address 192.168.61.6 255.255.255.252
       ip access-group VPN-A in
       ip access-group VPN-A out
      !
      interface Serial0/2
       description ** interface to VPN-B customer
       ip address 192.168.61.9 255.255.255.252
       ip access-group VPN-B in
       ip access-group VPN-B out
      !
      interface Serial0/3
       description ** interface to VPN-C customer
       ip address 192.168.62.6 255.255.255.252
       ip access-group VPN-C in
       ip access-group VPN-C out
      ```
  19. VPN Peer Model
      - Dedicated router
        - Customer isolation is achieved via dedicated routers connected to each customer
        - The POP edge router filters routing updates between different provider edge routers
        - Route filtering is achieved via BGP communities
        - Not cost effective
  20. Peer-to-Peer Model: Dedicated Router Approach (diagram: a VPN-A PE and a VPN-B PE behind a P router; sites Paris, London, Brussels; the P routing table holds VPN-A routes (community 111:1) and VPN-B routes (community 111:2); the VPN-A PE receives VPN-A routes ONLY; caption: "Dedicated router approach expensive to deploy")

      ```
      router bgp 111
       neighbor 10.13.1.2 remote-as 111
       neighbor 10.13.1.2 route-reflector-client
       ! send this PE only the routes tagged with the VPN-A community
       neighbor 10.13.1.2 route-map VPN-A out
      !
      route-map VPN-A permit 10
       match community 75
      !
      ip community-list 75 permit 111:1
      ```
  21. Comparison Between the Two Models
      - Overlay Model
        - Easy to implement
        - No knowledge of customer routing
        - Isolation between the two networks
      - Peer Model
        - Optimal routing
        - Easy to provision additional VPNs through site provisioning; no need for link provisioning
  22. Comparison Between the Two Models
      - Overlay Model
        - Optimal routing between sites requires a full mesh
        - Bandwidth provisioning
        - Virtual circuits have to be manually configured
      - Peer Model
        - Customer convergence depends on SP routing convergence
        - A large number of routes within the provider network causes scalability problems
  23. Benefits of MPLS VPNs
      - Best of both worlds
      - PE participates in routing, so you can achieve optimal routing between sites
      - PE isolates customer routing information, like the dedicated router solution
      - Overlapping addresses are permitted between customers
  24. Benefits of MPLS VPNs
      - PE router is subdivided into virtual routers
      - Similar to the dedicated router approach
      - Each customer is assigned independent routing tables
      - IOS does this isolation through the concept of VRF (Virtual Routing and Forwarding)
  25. Benefits of MPLS VPNs (diagram: one PE with CE routers for VPN-A and VPN-B; sites Paris, London, Munich; the PE holds a Global Routing Table (IGP and/or BGP) plus a VRF for VPN-A and a VRF for VPN-B; caption: "Multiple routing & forwarding instances (VRFs) provide the separation")
  26. Problem
      - How to propagate routing across the network between the PE devices?
      - We need a routing protocol that will transport the customer routes across the provider network
      - Need to maintain the independence of each customer's routing and address space
  27. Easy and Lazy Answer
      - Run multiple routing protocols, one per customer
      - But PE routers will have to run a large number of routing instances
      - Poor P router will have to carry all the VPN routes
      - P routers will still run into the overlapping address problem unless you configure all the VRFs on the PE router
      - Does not scale
  28. Better Solution
      - Run a routing protocol that exchanges the routing updates only between PE routers
      - P router is protected from customer routes
  29. But how to do it?
      - Use BGP to pass the routing information between PE devices
      - Use MPLS labels to exchange packets between next-hops (PE routers)
      - Extend BGP to be able to handle overlapping addresses
  30. VPN Routing & Forwarding Instance (VRF)
      - PE routers maintain separate routing tables
        - Global routing table
          - contains all PE and P routes (perhaps BGP)
          - populated by the VPN backbone IGP
        - VRF (VPN routing & forwarding)
          - routing & forwarding table associated with one or more directly connected sites (CE routers)
          - a VRF can be associated with any type of interface, whether logical or physical (e.g. sub/virtual/tunnel)
          - interfaces may share the same VRF if the connected sites share the same routing information
  31. VPN Routing & Forwarding Instance (VRF) (diagram: one PE with CE routers for VPN-A and VPN-B; sites Paris, London, Munich; the PE holds a Global Routing Table (IGP and/or BGP) plus a VRF for VPN-A and a VRF for VPN-B; caption: "Multiple routing & forwarding instances (VRFs) provide the separation")
  32. MPLS/VPN Connectivity Model
      - Private addressing in multiple VPNs is no longer an issue
        - provided that members of a VPN do not use the same address range
      - (diagram: VPN A, VPN B and VPN C across sites London, Milan, Paris, Munich, Brussels and Vienna; site prefixes shown: 10.2.1.0/24, 10.22.12.0/24, 10.2.1.0/24, 10.3.3.0/24, 10.2.12.0/24, 10.4.12.0/24; caption: "Address space for VPN A and B must be unique")
  33. VPN Routing & Forwarding Instance (VRF)
      - A VRF can be thought of as a virtual router with the following structures:
        - a forwarding table based on CEF
        - a set of interfaces that use the derived forwarding table
        - rules to control import/export of routes from/into the VPN routing table
        - a set of routing protocols/peers which inject information into the VPN routing table (including static routing)
        - router variables associated with the routing protocol used to populate the VPN routing table
  34. VRF Route Population
      - A VRF is populated locally through PE and CE routing protocol exchange
        - RIP Version 2, OSPF, BGP-4 and static routing
      - Separate routing context for each VRF
        - routing protocol context (BGP-4 and RIP V2)
        - separate process (OSPF)
      - (diagram: a PE connected to CE routers at Site-1 and Site-2; PE-CE link label: EBGP, OSPF, RIPv2, Static)
  35. Local VRF Route Population (diagram: one PE with CE routers for VPN-A and VPN-B; sites Paris, London, Munich; Global table, VRF for VPN-A, VRF for VPN-B; captions: "Local VRF population driven by routing protocol context or process (OSPF)" and "Which routing protocol context or process?")
  36. VRF Route Distribution
      - PE routers distribute local VPN information across the MPLS/VPN backbone
        - through the use of MP-BGP and redistribution from the VRF
        - the receiving PE imports routes into attached VRFs
      - (diagram: CE router, PE, P router, PE, CE router across the MPLS/VPN backbone, with MP-BGP between the PEs)
  37. Concept of RD
      - If customers have overlapping addresses, BGP will treat them as a single prefix
      - Extend the prefix with a 64-bit prefix (route distinguisher)
      - Now, with a 32-bit IP address and a 64-bit RD, the two overlapping IP addresses are unique
  38. Concept of RD
      - The 32-bit IP prefix is the IPv4 address
      - With the 64-bit RD, it is extended to 96 bits and is now a VPNv4 address
      - This address is exchanged only between the PE routers via BGP
      - This is carried in Multi-Protocol BGP
  39. Concept of RD (diagram: CE routers for VPN-A and VPN-B attached to PE1; MP-BGP between PE1 and PE2 across the MPLS/VPN backbone; the BGP table holds routes from VPN-A and routes from VPN-B; captions: "CE router sends 32 bit IPv4 prefix" and "PE router converts it into a 96 bit VPNv4 prefix")
  40. Processing of RD
      - The RD is propagated between the PE routers
      - The RD is removed by the receiving PE routers
      - The CE router receives just the IPv4 prefixes
  41. Usage of RD
      - The RD is only used to extend the IP prefix so that overlapping addresses are unique
      - Simple VPN topologies require a single RD per customer
      - In some cases multiple RDs may be required
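The RD slides above (37 to 41), worked through in code. This is an added example, not part of the original deck: it builds the 96-bit VPNv4 address using the type 0 (AS:nn) and type 1 (IP:nn) RD layouts of RFC 4364, and shows that two customers advertising the same prefix collide in a table keyed by IPv4 prefix but stay distinct once the RD is prepended. RD `1:27` and the prefixes come from the slides; RD `1:28` and the origin strings are constructed.

```python
import ipaddress
import struct


def encode_rd(rd: str) -> bytes:
    """Encode 'AS:nn' (type 0) or 'a.b.c.d:nn' (type 1) as an 8-byte RD."""
    admin, _, assigned = rd.rpartition(":")
    if "." in admin:
        # Type 1: 2-byte type, 4-byte IPv4 administrator, 2-byte assigned number
        return struct.pack("!H4sH", 1, ipaddress.IPv4Address(admin).packed, int(assigned))
    # Type 0: 2-byte type, 2-byte AS administrator, 4-byte assigned number
    return struct.pack("!HHI", 0, int(admin), int(assigned))


def vpnv4(rd: str, prefix: str):
    """Return (12-byte VPNv4 address, IPv4 prefix length).

    The real MP-BGP NLRI also carries a label; that is left out here.
    """
    net = ipaddress.IPv4Network(prefix)
    return encode_rd(rd) + net.network_address.packed, net.prefixlen


def strip_rd(addr: bytes, plen: int) -> str:
    """What the receiving PE does before handing the route to a CE."""
    return f"{ipaddress.IPv4Address(addr[8:])}/{plen}"


# Constructed advertisements: (RD, prefix, origin). Two customers reuse 10.2.1.0/24.
ADVERTS = [
    ("1:27", "10.2.1.0/24", "VPN-A London"),
    ("1:28", "10.2.1.0/24", "VPN-B Paris"),
    ("1:27", "10.22.12.0/24", "VPN-A Milan"),
]


def build_table(adverts, use_rd: bool) -> dict:
    """BGP-style table: one entry per key, a later advertisement replaces an earlier one."""
    table = {}
    for rd, prefix, origin in adverts:
        key = vpnv4(rd, prefix) if use_rd else prefix
        table[key] = origin
    return table


if __name__ == "__main__":
    print("keyed by IPv4 prefix:", build_table(ADVERTS, use_rd=False))
    for (addr, plen), origin in build_table(ADVERTS, use_rd=True).items():
        print(addr.hex(), f"/{plen}", "->", origin, "| CE sees", strip_rd(addr, plen))
```
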
  42. Can RD be the VPN Identifier?
      - Yes, it could be a VPN identifier
      - Complex topologies require another component besides the RD to describe VPN topologies, just as communities are more flexible
  43. Concept of RT
      - For sites that have to participate in more than one VPN, the RD is not sufficient
      - You need another way of deciding the membership
      - The RT was introduced to support complex topologies so that separation and grouping are easier
  44. Concept of RT
      - RTs are extended BGP communities, attached to the VPNv4 address
      - They give more flexibility to VPN membership
      - Any number of RTs can be attached to a route
      - Extended communities are 64-bit values
  45. Concept of RT
      - RTs are either exported or imported
      - Export route targets are attached to the route the moment it is converted from IPv4 to VPNv4
      - The import RT is used to decide which routes are imported into the VPN
  46. Routing Within MPLS VPN
      - Pass IPv4 to the customer routers
      - No VPN routes within the MPLS core (P routers)
      - P routers run an IGP and global BGP (if needed)
      - The Provider Edge router carries connected VPN routes and Internet routes
  47. Routing: P-router Perspective
      - Runs the IGP with all the P and PE routers in the network
      - No MPLS VPN routing information
      - Very simple view of the network
  48. Routing: PE-router Perspective
      - Exchanges IPv4 routes with the CE router
      - Exchanges VPNv4 routes with other PE routers
      - Runs a common IGP with the P routers and also Internet BGP with the P routers (if needed)
  49. Routing Table on PE Router
      - A PE router has to maintain a number of routing tables
      - Global routing table (IGP, Internet routes)
      - VRF routing information for the connected VPNs
      - VRF routing is populated via CE and other PE routes
  50. PE to PE Route Information Flow
      - PE router creates a VPNv4 update
      - Adds extended community attributes (RT, SOO)
      - All other BGP attributes
      - The received route is imported into the appropriate VRF according to its RT values
      - Routes installed into a VRF are propagated to CE routers
  51. MP-BGP Update
      - Any other standard BGP attribute
        - Local Preference, MED, Next-hop, AS_PATH, Standard Community
      - A label identifying:
        - The outgoing interface or VRF where a lookup has to be performed (aggregate/connected)
        - The BGP label will be the second label in the label stack of packets travelling in the core
  52. VRF Population of MP-BGP
      - Receiving PE routers translate to IPv4
        - Insert the route into the VRF identified by the RT attribute (based on PE configuration)
      - The label associated with the VPN-v4 address will be set on packets forwarded toward the destination
      - (diagram: PE-1, PE-2, CE-1, CE-2; sites Paris and London; VPN-v4 update: RD:1:27:149.27.2.0/24, Next-hop=PE-1, SOO=Paris, RT=VPN-A, Label=(28); caption: "VPN-v4 update is translated into IPv4 address and put into VRF VPN-A as RT=VPN-A and optionally advertised to CE-2")

      ```
      ip vrf VPN-A
       route-target import VPN-A
      ```
  53. Routing Between PE-CE
      - The CE does not need any understanding of MPLS
      - The CE needs standard IP software
      - Currently EBGP, OSPF, RIP, and static routing are supported
      - The PE router looks like a standard corporate backbone to the CE router
  54. MPLS/VPN Packet Forwarding
      - PE and P routers have BGP next-hop reachability through the backbone IGP
      - Labels are distributed through LDP, corresponding to BGP next-hops, or through RSVP with Traffic Engineering
      - (diagram: PE-1, PE-2, sites Paris and London, prefix 149.27.2.0/24, next-hop 197.26.15.1; three label tables (In Label / FEC / Out Label): `- / 197.26.15.1/32 / -`, `41 / 197.26.15.1/32 / POP`, `- / 197.26.15.1/32 / 41`; advertisements: "Use label implicit-null for destination 197.26.15.1/32" and "Use label 41 for destination 197.26.15.1/32"; VPN-v4 update: RD:1:27:149.27.2.0/24, NH=197.26.15.1, SOO=Paris, RT=VPN-A, Label=(28))
  55. MPLS/VPN Packet Forwarding
      - A label stack is used for packet forwarding
        - Top label indicates the BGP next-hop (interior label)
        - Second-level label indicates the outgoing interface or VRF (exterior VPN label)
      - MPLS nodes forward packets based on the top label
        - any subsequent labels are ignored
      - Penultimate Hop Popping procedures are used one hop prior to the egress PE router
  56. Penultimate Hop Popping (diagram: routers London, Brussels, Paris; loopback 197.26.15.1; label tables (In Label / FEC / Out Label): `- / 197.26.15.1/32`, `41 / 197.26.15.1/32 / POP`, `- / 197.26.15.1/32 / 41`; advertisements: "Use label 41 for destination 197.26.15.1/32" and "Use label implicit-null for destination 197.26.15.1/32")

      ```
      London# show tag-switching tdp binding 197.26.15.1
      tib entry: 197.26.15.1/32, rev 10
        local binding: tag: imp-null(1)
        remote binding: tsr: 172.16.3.1:0, tag: 41

      Brussels# show tag-switching tdp binding 197.26.15.1
      tib entry: 197.26.15.1/32, rev 10
        local binding: tag: 41
        remote binding: tsr: 172.16.3.2:0, tag: imp-null(1)

      Brussels# show tag-switching forwarding
      Local  Outgoing   Prefix            Bytes tag  Outgoing   Next Hop
      tag    tag or VC  or Tunnel Id      switched   interface
      41     Pop tag    197.26.15.1/32    0          Se0/0/2    point2point
      ```
  57. MPLS/VPN Packet Forwarding
      - The ingress PE receives normal IP packets
      - The PE router performs an IP longest match in the VPN FIB, finds the iBGP next-hop and imposes a stack of labels: IGP, VPN
      - (diagram: PE-1, sites Paris and London, prefix 149.27.2.0/24; label table (In Label / FEC / Out Label): `- / 197.26.15.1/32 / 41`; VPN-A VRF entry: 149.27.2.0/24, NH=197.26.15.1, Label=(28); packet to 149.27.2.27 carrying labels 28 and 41)
  58. MPLS/VPN Packet Forwarding
      - The penultimate PE router removes the IGP label
        - Penultimate Hop Popping procedures (implicit-null label)
      - The egress PE router uses the VPN label to select which VPN/CE to forward the packet to
      - The VPN label is removed and the packet is routed toward the VPN site
      - (diagram: PE-1, sites Paris and London, prefix 149.27.2.0/24; label tables (In Label / FEC / Out Label): `41 / 197.26.15.1/32 / POP` and `28(V) / 149.27.2.0/24 / -`; VPN-A VRF entries: 149.27.2.0/24, NH=197.26.15.1, Label=(28) and 149.27.2.0/24, NH=Paris; packet to 149.27.2.27 shown with labels 28 and 41, then with label 28, then unlabelled)
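The forwarding walk of slides 54 to 58 as an added example (not code from the deck). It uses the slide values: prefix 149.27.2.0/24, BGP next-hop 197.26.15.1, IGP label 41, VPN label 28. The node names `PE-2` (ingress), `P` (penultimate hop) and `PE-1` (egress, owner of 197.26.15.1) are assumptions made for the model. It shows the isolation properties the slides rely on: the core acts on the top label only, a destination missing from the ingress VRF is dropped, and the egress PE drops a VPN label it never allocated.

```python
import ipaddress

# Tables constructed from the slide values. Label stacks are lists, top label first.
VRF_FIB = {"PE-2": {"VPN-A": {"149.27.2.0/24": ("197.26.15.1", 28)}}}  # prefix -> (BGP next-hop, VPN label)
IGP_LABEL = {"PE-2": {"197.26.15.1": (41, "P")}}    # next-hop -> (IGP label, next node)
LFIB = {"P": {41: ("pop", None, "PE-1")}}           # in label -> (op, out label, next node)
VPN_LABEL = {"PE-1": {28: ("VPN-A", "Paris")}}      # VPN label -> (VRF, attached site)


def ingress(pe, vrf, dst):
    """Longest-prefix match in the VRF FIB, then impose the IGP and VPN labels."""
    addr = ipaddress.ip_address(dst)
    routes = VRF_FIB.get(pe, {}).get(vrf, {})
    matches = [(ipaddress.ip_network(p), entry) for p, entry in routes.items()
               if addr in ipaddress.ip_network(p)]
    if not matches:
        return None  # no route in this VRF: the packet is dropped
    _, (next_hop, vpn_label) = max(matches, key=lambda m: m[0].prefixlen)
    igp_label, next_node = IGP_LABEL[pe][next_hop]
    return [igp_label, vpn_label], next_node


def core(node, stack):
    """P router: look up the top label only; the VPN label below is never examined."""
    entry = LFIB[node].get(stack[0]) if stack else None
    if entry is None:
        return None  # unknown top label: dropped
    op, out_label, next_node = entry
    rest = stack[1:]
    return (rest if op == "pop" else [out_label] + rest), next_node


def egress(pe, stack):
    """Egress PE: the one remaining label selects the VRF and site; anything else is dropped."""
    if len(stack) != 1:
        return None
    return VPN_LABEL.get(pe, {}).get(stack[0])


def forward(pe, vrf, dst):
    """Return (trace, delivery). trace holds the label stack as it leaves each node."""
    imposed = ingress(pe, vrf, dst)
    if imposed is None:
        return [], None
    stack, node = imposed
    trace = [(pe, list(stack))]
    while node in LFIB:
        step = core(node, stack)
        if step is None:
            return trace, None
        trace.append((node, list(step[0])))
        stack, node = step
    return trace, egress(node, stack)


if __name__ == "__main__":
    print(forward("PE-2", "VPN-A", "149.27.2.27"))  # delivered to VPN-A at Paris
    print(forward("PE-2", "VPN-B", "149.27.2.27"))  # same address, other VRF: dropped
```
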
  59. MPLS/VPN Configuration and Implementation
  60. MPLS Configuration
      - VRF: sites requiring the same routing policies share the same VRF
        - IP routing table
        - CEF forwarding
        - Route distinguisher
        - Route target (export, import)
  61. MPLS Configuration
      - VRF configuration
        - Step 1. Create the VRF
        - Step 2. Assign an RD
        - Step 3. RT export
        - Step 4. RT import
        - Step 5. Assign an interface to the VRF
  62. MPLS Configuration
      - VRF configuration
        - Step 1. Creating a VRF
          - `ip vrf name`
          - Example: `ip vrf bootcamp`
          - Here bootcamp is just a name, like a route-map name
  63. MPLS Configuration
      - VRF configuration
        - Step 2. Every VRF needs an associated RD
        - `rd route-distinguisher`
        - Could be AS:X or IP address:X
        - Example: `rd 109:12345`
  64. MPLS Configuration
      - VRF configuration
        - Step 3. Define a route target that will be exported with every route that is sent from the VRF
        - Multiple route targets can be attached to a VRF
        - `route-target export RT`
        - Example: `route-target export 109:1234`
  65. MPLS Configuration
      - VRF configuration
        - Step 4. Define a route target that will be accepted by the router for import into the VRF
        - `route-target import`
        - Example: `route-target import 109:1345`
  66. MPLS Configuration
      - VRF configuration
        - Step 5. Associate an interface with the VRF; this removes the interface from the global routing process
        - The existing IP address is removed once the interface is assigned to a VRF; you will have to reconfigure the IP address
  67. MPLS Configuration
      - VRF configuration

      ```
      ip vrf GREEN
       rd 109:145
       route-target export 109:145
       route-target import 109:145
      !
      interface serial 1/0/1
       ! bind the interface to the VRF first; this clears its IP address
       ip vrf forwarding GREEN
       ip address 10.1.1.5 255.255.255.252
      ```
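Because VRF membership is decided entirely by the export and import route targets (slides 43 to 45 and steps 3 and 4 above), a single wrong RT either leaks one customer's routes into another VRF or silently isolates a site. The following added example (not from the deck) parses `ip vrf` stanzas and reports both cases. GREEN and bootcamp use the values shown on the slides; the BLUE stanza's RD and RTs and the `allowed` allowlist of intended extranet pairs are constructed for the illustration.

```python
import re

# Constructed sample: GREEN and bootcamp as on the slides, BLUE invented for the audit.
SAMPLE_CONFIG = """
ip vrf GREEN
 rd 109:145
 route-target export 109:145
 route-target import 109:145
!
ip vrf BLUE
 rd 109:200
 route-target export 109:200
 route-target import 109:200
 route-target import 109:145
!
ip vrf bootcamp
 rd 109:12345
 route-target export 109:1234
 route-target import 109:1345
!
interface Serial1/0/1
 ip vrf forwarding GREEN
 ip address 10.1.1.5 255.255.255.252
"""


def parse_vrfs(config: str) -> dict:
    """Parse 'ip vrf' stanzas into {name: {'rd', 'export', 'import'}}."""
    vrfs, cur = {}, None
    for raw in config.splitlines():
        header = re.fullmatch(r"ip vrf (\S+)", raw.rstrip())
        if header:
            cur = vrfs.setdefault(header.group(1),
                                  {"rd": None, "export": set(), "import": set()})
            continue
        if not raw.startswith(" "):  # '!' or another top-level command ends the stanza
            cur = None
            continue
        if cur is None:              # indented line of some other stanza
            continue
        line = raw.strip()
        m = re.fullmatch(r"rd (\S+)", line)
        if m:
            cur["rd"] = m.group(1)
            continue
        m = re.fullmatch(r"route-target (export|import|both) (\S+)", line)
        if m:
            kinds = ("export", "import") if m.group(1) == "both" else (m.group(1),)
            for kind in kinds:
                cur[kind].add(m.group(2))
    return vrfs


def audit(vrfs: dict, allowed=frozenset()) -> list:
    """Return findings; allowed holds (importer, exporter) pairs that are intentional."""
    exporters = {}
    for name, vrf in vrfs.items():
        for rt in vrf["export"]:
            exporters.setdefault(rt, set()).add(name)
    findings = []
    for name in sorted(vrfs):
        vrf = vrfs[name]
        if vrf["rd"] is None:
            findings.append(("missing-rd", name))
        for rt in sorted(vrf["import"]):
            sources = exporters.get(rt, set())
            if not sources:
                # Nothing exports this RT, so the VRF learns no remote routes through it.
                findings.append(("dangling-import", name, rt))
            for src in sorted(sources - {name}):
                if (name, src) not in allowed:
                    # Routes of another VRF would be installed in this one.
                    findings.append(("cross-import", name, src, rt))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_vrfs(SAMPLE_CONFIG)):
        print(finding)
```
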
  68. MPLS Configuration
      - MP-BGP configuration
        - The BGP process is extended to perform three functions
        - The tasks are configured in the same BGP process through address families
        - 1. Maintain and exchange global routing information (IPv4 routing)
        - 2. VPNv4 routing
        - 3. VRF routing exchange with the CE
  69. MPLS Configuration
      - MP-BGP configuration
        - Global neighbors are configured under the global BGP process (all P and PE neighbors)
        - These neighbors need to be activated under the appropriate address family according to requirements
        - VRF-specific neighbors are defined under the corresponding VRFs
  70. MPLS Configuration
      - MP-BGP configuration
        - Step 1. Configure neighbors and their parameters under the global process
        - Step 2. Configure address family VPNv4
        - Step 3. Activate neighbors to carry VPNv4 routes
        - Step 4. Activate the VPNv4-specific parameters under the address family (filters, etc.)
  71. MPLS Configuration
      - MP-BGP configuration
        - Step 1. Configure the BGP process

      ```
      router bgp 110
       neighbor 131.108.1.1 remote-as 110
       neighbor 131.108.1.1 update-source loopback 0
      ```
  72. MPLS Configuration
      - MP-BGP configuration
        - Step 2. Configure the address family and activate the neighbor under it for VPNv4 routes. This is the neighbor that was defined earlier under the main BGP process

      ```
      address-family vpnv4
       neighbor 131.108.1.1 activate
       neighbor 131.108.1.1 next-hop-self
      ```
  73. MPLS Configuration
      - Let's talk a little about the IPv4 address family
        - Address-family IPv4 is the same as your regular BGP process
        - Configuration done under this family is added to the global BGP configuration
  74. MPLS Configuration
      - `no bgp default ipv4-unicast`
      - Disables the default behavior of IPv4 route propagation
      - Activate the neighbors that need to get IPv4 routes
      - Isolates VPNv4 and IPv4 routes so that a few neighbors get both and a few receive VPNv4 only
  75. MPLS Configuration
      - Example: 3 neighbors; two of them need IPv4 routes, one does not
      - Requirements
        - Neighbor 131.108.1.1 (IPv4, VPNv4)
        - Neighbor 131.108.1.2 (IPv4 only)
        - Neighbor 131.108.1.3 (VPNv4 only)
  76. MPLS Configuration

      ```
      router bgp 110
       no bgp default ipv4-unicast
       neighbor 131.108.1.1 remote-as 110
       neighbor 131.108.1.2 remote-as 110
       neighbor 131.108.1.3 remote-as 110
       ! IPv4: only .1 and .2 are activated
       neighbor 131.108.1.1 activate
       neighbor 131.108.1.2 activate
       ! VPNv4: only .1 and .3 are activated
       address-family vpnv4
        neighbor 131.108.1.1 activate
        neighbor 131.108.1.3 activate
      ```
  77. MPLS Configuration
      - Configuring PE-CE routing
        - BGP between PE-CE
        - RIP between PE-CE
        - OSPF between PE-CE
        - Static routes
  78. MPLS Configuration
      - BGP and RIP require a single routing process
      - Distance/path-vector protocols need no database separation; it is done through address families
      - OSPF requires a separate routing process for each VRF to maintain a separate database
  79. MPLS Configuration
      - All non-BGP VRF routes have to be redistributed
      - No sync is the default
      - No auto-summary is the default
  80. MPLS Configuration
      - BGP
        - Define the neighbor under the address-family vrf and not under the global BGP process

      ```
      router bgp 110
       !
       address-family ipv4 vrf Green
        neighbor 10.1.1.1 remote-as 115
        neighbor 10.1.1.1 activate
      ```
  81. MPLS Configuration
      - RIP
        - Single routing process
        - RIP parameters in each VRF

      ```
      router rip
       version 2
       address-family ipv4 vrf BLUE
        network 10.0.0.0
        redistribute bgp 110 metric transparent
      ```
  82. MPLS OSPF
      - IGP-BGP redistribution is done by MPLS
      - Not a very good thing for OSPF
      - Routes redistributed into OSPF are external
      - Single LSA for every external route
  83. MPLS OSPF
      - If all the routes are carried as external
      - Route summarization would be a problem
      - Stub areas would be hard to implement
  84. MPLS OSPF
      - MPLS VPNs needed to be extended to carry OSPF information
      - In effect, this creates the concept of a super backbone
      - The super backbone is created with MP-BGP between the PE routers
      - This super backbone is between the PE routers; it is transparent to OSPF
  85. MPLS OSPF (diagram: VPN-A and VPN-B CE routers in Area 0, Area 1 and Area 2 at sites London and Paris, connected across the MPLS BGP backbone)
  86. MPLS OSPF
      - OSPF between sites does not use normal OSPF-BGP redistribution
      - Internal OSPF routes are kept internal to OSPF
      - External routes are kept external
      - OSPF metrics are preserved
      - The MPLS OSPF backbone is transparent to the CE's OSPF, which runs standard software
  87. MPLS OSPF
      - PE routers act as ABRs
      - In the case of no stub area, PE routers also act as ASBRs
      - From the CE routers' perspective, the PE sends an inter-area route into the connected area
  88. MPLS OSPF
      - Intra-area OSPF routes are redistributed into BGP by the PE router
      - Route summarization can be done at the redistribution point by the PE router
  89. MPLS OSPF
      - The super backbone acts just like area 0 in regular OSPF
      - Routes redistributed at the PE routers appear as inter-area routes
      - Routes from one area 0 site into another area 0 site appear as inter-area routes
      - Redistributed intra- and inter-area routes appear as inter-area routes; external routes still appear as external
  90. MPLS OSPF
      - For MP-BGP, an extended community of 0x8000 is used
      - The OSPF cost is copied as the MED for BGP
      - LSA type and metric are carried across
  91. MPLS OSPF
      - OSPF-BGP loop avoidance
      - (diagram: PE1, PE2 and PE3 on the MPLS BGP backbone; VPN-A and VPN-B sites in Area 0, including a VPN-A CE at Paris; an OSPF route is redistributed into BGP)
  92. MPLS OSPF
      - PE1 learns the route via OSPF intra-area
      - PE1 advertises the route to PE2 and PE3 via MP-BGP
      - One of the PE routers redistributes it first (a sort of race condition)
      - PE2 sends the route to PE3 via an OSPF summary LSA
  93. MPLS OSPF
      - PE3 removes the iBGP route for the destination and installs the OSPF summary route, due to its lower administrative distance
      - You can solve the problem by lowering the administrative distance of iBGP to be less… not a clean solution
  94. MPLS OSPF
      - To solve this problem, a Down bit has been added to the options field of the header, like IS-IS TLV 135
      - The PE router sets the Down bit when redistributing routes from MP-BGP into OSPF
      - A PE router will never redistribute an OSPF route with the Down bit set back into BGP
  95. MPLS OSPF
      - A double redistribution loop is still possible
      - This happens when the CE redistributes between domains and the Down bit is lost
      - For this purpose, the tag field is used, as done by standard BGP-OSPF redistribution
      - PE routers never redistribute OSPF routes with a tag field equal to their own AS number into MP-BGP
  96. MPLS Configuration
      - OSPF
        - Configuration is still simple

      ```
      router ospf 110 vrf RED
       network 10.1.0.0 0.0.255.255 area 0
       redistribute bgp 110
      ```
  97. MPLS IS-IS
      - The VPN backbone is treated as a level above L2
      - All L1/L2 routes will be redistributed into BGP at the PE router
      - New extended community in BGP: 0x0006
  98. MPLS IS-IS
      - Same as the route leaking concept: don't send IS-IS routes back into BGP if the Up/Down bit is set
      - Don't send the route if the route in the table was not learned via IS-IS
  99. MPLS IS-IS
      - At the receiving site, redistribute the route into IS-IS with the Up/Down bit set
      - Same concept as separation of the LSDB: one DB can belong to one VPN
  100. MPLS IS-IS
       - Configuration is similar to OSPF

       ```
       router isis tag1 vrf vpn-blue
        net 49.0001.1201.0003.0001.00
        redistribute bgp 65000 metric transparent level-1-2
       ```
  101. MPLS Configuration
       - Static
         - Used to configure VRF-specific routes
         - Always need to specify the interface even though you have the next-hop

       ```
       ip route vrf YELLOW 10.1.0.0 255.255.0.0 10.1.1.5 serial 2/0
       ```
