I-AS MPLS Solutions - KISpalo/Rozne/cisco-expo-2009/Presentati… · MPLS VPN Inter-AS Option AB...
Transcript of I-AS MPLS Solutions - KISpalo/Rozne/cisco-expo-2009/Presentati… · MPLS VPN Inter-AS Option AB...
-
© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID 1
I-AS MPLS Solutions
Stefan KollarConsulting System Engineer, CCIE #10668 [email protected]
-
2© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID
Agenda 1. Inter-AS Networks
Inter-AS Connectivity ModelsInter-AS L3 VPNsInter-AS L2VPNsInter-AS Multicast VPNs
1. Carrier Supporting Carrier CSC Service ModelsMPLS L3 VPNsMulticast VPNsMPLS L2 VPNs
-
3© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID
Carrier Supporting Carrier vs. Inter-AS
CSC1. Client-Server model2. IP/MPLS Carrier is a customer
of another MPLS backbone provider
3. IP/MPLS Carrier doesn’t want to manage own backbone
4. Only the backbone provider is required to have MPLS VPN core
5. Customer Carriers do not distribute their subscribers’ VPN info to the backbone carrier
Inter-AS1. Peer-Peer model2. SPs provide services to the
common customer base3. Single SP POPs not available in
all geographical areas required by their subscribers/customers
4. Both SPs must support MPLS VPNs
5. Subscriber VPN information shared between peering SPs(ASs)
MPLS Backbone ProviderCustomer Carrier-B Customer Carrier-B
Subscriber A Site1 Subscriber A Site1
Subscriber A Site1 Subscriber A Site2
Provider-A Provider-BASBR-A ASBR-B
-
4© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID
I-AS L3 VPNs
-
5© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID
Inter-AS VPNv4 Distribution Options
VPN-R1 VPN-R2
PE22
CE2 CE1
AS #1 AS #2PE11
MP-eBGP for VPNv4
Multihop MP-eBGPbetween RRs
Back-to-Back VRFsASBR1 ASBR2
How to Distribute VPN Routes between ASBRs?
VPN Sites Attached to Different MPLS VPN Service Providers
-
6© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID
Each ASBR Thinks the Other Is a CE
Inter-AS VPN—Option ABack-to-Back VRFs
1. One logical interface per VPN on directly connected ASBRs2. Packet is forwarded as an IP packet between the ASBRs3. Link may use any supported PE-CE routing protocol 4. IP QoS policies negotiated and configured manually on the ASBRs5. Option A is the most secure and easiest to provision6. May not be easy to manage as #s of VPNs grow
AS1 PE-ASBR1
PE1P1
Use VPN label 40 Unlabeled IP Packets
AS2PE-ASBR2
PE2
P2
Use VPN label 80
P1
IP IP 40 P1 IP 42 IP IPIP 80 P2 IP 80
-
7© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID
AS #1 AS #2PE1 PE2
VPN-R1
CE1 CE2
VPN-R2
ASBR1
152.12.4.0/24
BGP, OSPF, RIPv2 152.12.4.0/24,NH=CE2
VPN-v4 update:RD:1:27:152.12.4.0
/24, NH=PE1RT=1:222, Label=(L1)
VPN-v4 update:RD:1:27:152.12.4.0/24,
NH=ASBR2RT=1:222, Label=(L3)
BGP, OSPF, RIPv2 152.12.4.0/24,NH=PE2
Inter-AS VPN—Option BControl Plane
ASBR2
All VPNv4 Prefixes/Labels from PEs Distributed to PE-ASBRs
VPN-v4 update:RD:1:27:152.12.4.0/24, NH=ASBR1
RT=1:222, Label=(L2)
eBGP for VPNv4
Label Exchangebetween GatewayPE-ASBR Routers
Using eBGP
-
8© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID
Inter-AS VPN—Option BKey Points
1. PE-ASBRs exchange routes directly using eBGPExternal MP-BGP for VPNv4 prefix exchange;
2. MP-BGP session with NH to advertising PE-ASBRNext-hop and labels are rewritten when advertised across the inter-provider MP-BGP
session3. Receiving PE-ASBR automatically creates a /32 host route to a peer
ASBRWhich must be advertised into receiving IGP if next-hop-self is not in operation to maintain
the LSP4. PE-ASBR stores all VPN routes that need to be exchanged
But only within the BGP tableNo VRFs; labels are populated into the LFIB of the PE-ASBR
5. ASBR-ASBR link must be directly connected!!!!!! Could use GRE tunnel-considered directly connected
6. Receiving PE-ASBRs may allocate new labelControlled by configuration of next-hop-self (default is off)
-
9© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID
ASBR1 ASBR2
152.12.4.1
LR1’’ 152.12.4.1152.12.4.1LR1
152.12.4.1
PE1
VPN-R1
CE1
152.12.4.0/24
PE2
CE2
VPN-R2
Inter-AS VPN—Option BForwarding Plane
152.12.4.1LR1’
152.12.4.1LASBR2 LR1’
152.12.4.1LPE1 LR1
-
10© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID
PE1 PE2
AS #1 AS #2
CE1
VPN-R1 VPN-R2
CE2
ASBR1 ASBR2eBGP for VPNv4
Inter-AS VPN—Option BCisco IOS Configuration
L0:194.1.1.2
!router bgp 1neighbor 195.1.1.2 remote-as 2neighbor 194.1.1.2 remote-as 1neighbor 194.1.1.2 update-source loop0no bgp default route-target filter!address-family vpnv4neighbor 194.1.1.2 remote-as 1 activateneighbor 194.1.1.2 remote-as 1 next-hop-selfneighbor 195.1.1.2 remote-as 2 activateneighbor 195.1.1.2 remote-as 2 send-community extended
L0:195.1.1.1 L0:195.1.1.2
ASBR1#sh mpls forwarding-table label 18 detLocal Outgoing Prefix Bytes Label Outgoing Next Hop Label Label or VC or Tunnel Id Switched interface 18 20 1:100:100.0.0.5/32 \
0 Se2/0 point2point MAC/Encaps=4/8, MRU=1500, Label Stack{20}0F008847 00014000
Ser2/0
-
11© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID
PE1AS #1 AS #2
ASBR2
eBGP IPv4 + Labels IGP + LDP
Inter-AS VPN—Option CMulti-hop EBGP VPNv4 between RRs
1. Eliminates LFIB duplication at ASBRs. ASBRs don’t hold VPNv4 prefix/label info.2. ASBRs Exchange PE loopbacks (IPv4) with labels as these are BGP NH
addresses3. Two Options for Label Distribution for BGP NH Addresses:
IGP + LDP OR eBGP IPv4 + Labels (RFC3107)4. BGP exchange Label Advertisement Capability Enables end-end LSP Paths5. Subsequent Address Family Identifier (value 4) field is used to indicate that the
NLRI contains a label6. Disable Next-hop-self on RRs
RR2RR1 Exchange VPNv4 Routes
ASBR1
PE2
-
12© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID
VPN-R1
CE1CE2
VPN-R2
ASBR1
RR2
ASBR2
BGP, OSPF, RIPv2 152.12.4.0/24,NH=CE1
VPN-v4 update:RD:1:27:152.12.4.0/24,NH=PE1RT=1:222, Label=(L1)
VPN-v4 update:RD:1:27:152.12.4.0/24, NH=PE1RT=1:222, Label=(L1)
BGP, OSPF, RIPv2 152.12.4.0/24,NH=PE2
PE1 PE2
I-AS VPN—Option CControl Plane
AS #1
VPN-v4 update:RD:1:27:152.12.4.0/24, NH=PE1RT=1:222, Label=(L1)
To ASBR2:Network=PE1 NH=ASBR-1Label=(L2)
From ASBR1:Network=PE1 NH=ASBR-2Label=(L3)
152.12.4.0/24
RR1
IGP+label(LDP)or iBGP+label
-
13© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID
VPN-ias
CE1 CE2
VPN-ias
ASBR1
RR2
ASBR2
RR1
PE1
152.12.4.1
L4 L1 152.12.4.1
152.12.4.1L1
152.12.4.1
I-AS VPN—Option CForwarding Plane
PE2
L1L2 152.12.4.1
152.12.4.0/24
152.12.4.1L1L5152.12.4.1L1L2L3
PE2#sh ip cef vrf ias 152.12.4.1 det152.12.4.0/24, epoch 0recursive via 10.254.254.254 label 23recursive via 10.254.254.3 label 24nexthop 10.0.2.2 Ethernet1/0 label 17
Lo: 10.254.254.254
Lo: 10.254.254.3Eth1/0: 10.0.2.2
-
14© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID
ASBR1
RR2
ASBR2
RR1
PE1PE2
I-AS VPN—Option CCisco IOS Configuration_related to I-AS only!address-family ipv4neighbor activateneighbor send-label!
!router bgp 1neighbor ebgp-multihop 255!address-family ipv4neighbor activateneighbor activateneighbor send-labelneighbor activateneighbor send-label!address-family vpnv4neighbor next-hop-unchangedexit-address-family!
!address-family ipv4neighbor activateneighbor send-labelneighbor activateneighbor next-hop-selfneighbor send-label!
AS #1
Loopbacks(/32) of remote PE routers distributed via iBGPNOT made known to the P routers
-
15© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID
MPLS VPN Inter-AS Option AB
VPN-B1
PE-1
VPN-G1
CE-2CE-1
ASBR1
AS 1
VPN-B2
PE-2
CE-4 CE-3
VPN-G2
ASBR2
AS 2Data forwarding on per VRF interface as in Option A
vpn-Gvpn-B
MP-eBGP between ASBRs on a control plane interface
in global table
1. Combines the benefits of Option A & Option B.2. eBGP sessions are reduced to a single session between the ASBRs as
defined in RFC 4363 Option B, leading to a better scaling and reduced configurations.
3. Separate per VRF interfaces between ASBRs forward data as in Option A. This provides security and QoS benefits of IP forwarding on the I-AS link.
-
16© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID
VPN-B1
PE1
VPN-G1
CE-2CE-1
ASBR1
AS 100
VPN-B2
CE-4 CE-3
VPN-G2
ASBR2
AS 200VPN-GVPN-B
eBGP Peering Interface
MPLS VPN Inter-AS Option AB Sample Configuration
!ip vrf VPN-Brd 200:21route-target both 100:3route-target both 100:2inter-as-hybrid !ip vrf VPN-Grd 200:22route-target both 200:3route-target both 200:2inter-as-hybrid !router bgp 200neighbor 103.0.0.1 remote-as 100!address-family vpnv4neighbor 103.0.0.1 inter-as-hybridexit-address-family!
!ip vrf VPN-Brd 100:11route-target both 100:1route-target both 100:3 inter-as-hybrid !ip vrf VPN-Grd 100:21route-target both 200:1route-target both 200:3inter-as-hybrid !router bgp 100neighbor 103.0.0.2 remote-as 200!address-family vpnv4neighbor 103.0.0.2 inter-as-hybridexit-address-family!
ASBR2ASBR1PE2
-
17© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID
Inter-AS Multipath Load Balance Options
1. Support VPNv4 and label negotiated IPv4 eBGP sessions between loopbacks of directly connected routers w/o the use of LDP on the connecting interfaces
2. Consider the three topologies –Designated by Topo-1, Topo-2, Topo-3
3. Load balancing for Inter-AS sub-cases with:
Interface PeeringLoopback peeringIPv4 + LabelVPNv4 + Label
ASBR1
ASBR1
ASBR3ASBR2
ASBR2
Topo-1
Topo-2
Topo-3
AS1 AS2
ASBR1
ASBR3ASBR4
ASBR2
-
18© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID
Inter-AS Loopback Peering for Directly Connected ASBRs
HOSTNAME ASBR2!interface e0/0ip address 168.192.0.2 255.255.255.252 mpls bgp forwarding ! Enable BGP forwarding on connecting interfaces
!interface e2/0ip address 168.192.2.2 255.255.255.252 mpls bgp forwardingrouter bgp 2neighbor 10.10.10.10 remote-as 1neighbor 10.10.10.10 disable-connected-check neighbor 10.10.10.10 update-source Loopback0 !address-family vpnv4 neighbor 10.10.10.10 activate neighbor 10.10.10.10 send-community extended !ip route 10.10.10.10 255.255.255 e0/0 168.192.0.1 ip route 10.10.10.10 255.255.255 e2/0 168.192.2.1! Configure /32 static routes to the eBGP neighbor
loopbackaddress
PE2PE1 AS #1 AS #2RR2RR1
ASBR-1 ASBR-2E0/0: 168.192.0.1
E2/0: 168.192.2.1
L0:10.20.20.20/32L0:10.10.10.10
E2/0: 168.192.2.2
E0/0: 168.192.0.2
Create loopback interfaces on directly connected ASBRs
-
19© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID
Inter-AS Security Elements 1. MD5 Authentication on LDP/BGP Sessions2. Apply max prefix3. Static Labels4. TTL Check to diagnose DoS attacks5. Filtering with BGP attributes ASPATH, ext communities, RDs
checks, …etc. Set route-maps to filter and send only the desirable prefixes
6. Customize Route Targets
-
20© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID
Inter-AS L3VPN Summary 1. Models: Option A, B, C and AB2. Option A is the most secured. Support granular QoS3. Option B, less invasive4. Option B, only need to know the loopback or interface
address of directly connected ASBR5. Option C, most scalable, most invasive, mostly
deployed in a single service provider’s multi-AS network
-
21© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID
I-AS L2 VPNs:AToM
-
22© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID
Inter-AS AToMLayer 2 Peering—Option A
1. One layer-2 interface per PW2. Clear demarcation between ASs3. No reachability information shared between ASs4. Granular QoS control between ASBRs
IP/MPLSASBR1 ASBR2
IP/MPLS
..PW1 PW2
Pseudowire
PE1 PE2
LDP LDPForwarding LSP
PW Signaling
LDP/RSVP LDP/RSVP
-
23© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID
Layer-2 payloadLayer-2 payload
LabelLabelLabelLabel
PayloadPayload
PopPushPushPushPush Pop
LabelLabelLabelLabel
PayloadPayload
Inter-AS AToMLayer 2 Peering—Option A
IP/MPLSASBR1 ASBR2
IP/MPLS
..PW1 PW2
Pseudowire
PE1 PE2
-
24© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID
LDPLDP
Inter-AS AToMMulti-Hop PW—Option B
1. Single (labeled) interface between ASBRs2. Single peering point (only one PW endpoint address leaked
between ASs)3. PE and P devices do not learn remote PW endpoint addresses
LDP
LDP/RSVP LDP/RSVPeBGPIPv4+Label
Pseudowire
PW Signaling
Forwarding LSP
IP/MPLSASBR1 ASBR2
IP/MPLS
PW1 PW2PE1 PE2PW2
-
25© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID
Inter-AS L2VPN Multi-Hop PW—Option B
LabelLabel
PushPush Pop
LabelLabel LabelLabelLabelLabelLabelLabel
PayloadPayload PayloadPayloadPayloadPayload
PopPush
PopPushPush
PseudowireIP/MPLS
ASBR1 ASBR2IP/MPLS
PW1 PW2PE1 PE2PW2
-
26© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID
Data Center 2
Data Center 1
Inter-AS AToM Option B—ConfigurationNeed to Switch Pseudowires on ASBRs
AS1
ASBR1 ASBR2
!HOSTNAME PE3!interface giga1/0xconnect 10 encapsulation mpls! *no BGP needed, just IGP
!HOSTNAME PE4!interface giga1/0xconnect 20 encapsulation mpls!*no BGP needed, just IGP
PE3 PE4Intgig3/0
HOSTNAME ASBR1!pseudowire-class pw-switchencapsulation mpls!l2 vfi pw-switch point-to-pointneighbor 100 pw-class pw-switchneighbor 10 pw-class pw-switch!Interface giga3/0mpls bgp forwarding!! router bgp 1Neighbor remote-as 2Neighbor send-label! *Also announce the loopback address (xconnect ID) of ASBR1 in IGP(AS1) and eBGP
HOSTNAME ASBR2!pseudowire-class pw-switchencapsulation mpls!L2 vfi pw-switch point-to-pointneighbor 100 pw-class pw-switchneighbor 20 pw-class pw-switch!Interface giga3/0mpls bgp forwarding!router bgp 2neighbor remote-as1Neighbor send-label! *Also announce the loopback address of ASBR2 in IGP(AS2) and eBGP
Intgig1/0
AS2
-
27© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID
Inter-AS AToM Option C—IPv4+LabelSingle Hop Pseudowire
1. I-AS AToM is also known as a pseudowire switching, stitching, or routing where PW is signalled across AS boundaries
2. IPv4 routes for PEs exchanged with labels between directly connected ASBRs
3. PWs are transported through ASBRs. ASBRs don’t store any PW information.
C2S2C2S1 IPv4 + LabelsMPLS AS1PE3 PE4
MPLS AS2ASBR1 ASBR2
PE2PE1C1S2C1S1
C3S1C4S1 C4S2C3S2
-
28© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID
iBGPIPv4+Label
iBGPIPv4+Label
Inter-AS AToM—Option C Single-Hop PW: BGP IPv4+label
1. Single (labeled) interface between ASBRs2. PW endpoint addresses leaked between ASs using eBGP
IPv4+label and distributed to PEs using iBGP IPv4+label3. Only PEs and ASBRs learn PW endpoint addresses
IP/MPLS ASBR1 ASBR2 IP/MPLS
LDP
PW1
eBGPIPv4+Label
PE1 PE2
LDP/RSVP LDP/RSVP
Pseudowire
Forwarding LSP
PW Signaling
Forwarding LSP
-
29© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID
LabelLabelLabelLabel
Inter-AS AToM—Option CSingle-Hop PW: BGP IPv4+label, Cont.
Pop
LabelLabelLabelLabel
LabelLabelLabelLabel LabelLabel
PayloadPayload PayloadPayloadPayloadPayload
Swap PopPush
IP/MPLS ASBR1 ASBR2 IP/MPLSPW1PE1 PE2
PushPushPush
-
30© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID
Inter-AS AToM Option C—Configuration
HOSTNAME ASBR1! Activate IPv4 label capability !router bgp 1!address-family ipv4neighbor send-labelneighbor send-labelexit-address-family!
HOSTNAME ASBR2! Activate IPv4 label capability !router bgp 2!address-family ipv4neighbor send-labelneighbor send-labelexit-address-family!
HOSTNAME PE4!interface Ethernet1/0xconnect 100 encapsulation mpls!! Activate IPv4 label capability !router bgp 2!address-family ipv4neighbor send-labelexit-address-family!
HOSTNAME PE3!interface Ethernet1/0xconnect 100 encapsulation mpls! ! Activate IPv4 label capability !router bgp 1!address-family ipv4neighbor send-labelexit-address-family!
IPv4 + Labels
MPLS AS1
MPLS AS2
ASBR1 ASBR2PE3 PE4
Inteth1/0 Inteth1/0
PE1 PE2
-
31© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID
I-AS AToM Key Points1. All three I-AS models are supported to carry point-to-
point PWs2. The sequencing data through the xconnect packet
paths are passed transparently. The endpoint PE-CE connections enforce the sequencing.
3. The control word negotiation results must match. The control word is disabled for both segments if either side doesn’t support it.
.
-
32© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID
Inter-AS L2 VPNs: VPLS
-
33© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID
Virtual Private LAN Service Overview 1. VPLS provides fully meshed L2 connectivity among VPN Sites2. VPLS VPN sites may span multiple Domains3. PEs aggregating VPN sites in both domains need transparency
PE3
CE4CE3
CE2CE1
CE3
CE1
CE4
CE2MPLS AS1
MPLS AS2ASBR1 ASBR2
PE4
PE1 PE2
Exchange Virtual Switching Instance
Database (VLAN IDs + Labels
-
34© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID
Inter-AS VPLS BGP-Based Autodiscovery
1. BGP extended communities needed for VPLS BGP-based autodiscovery are transit
2. “Multihop eBGP redistribution of L2VPN NLRIs” as described in draft-ietf-l2vpn-signaling-08.txt is currently supported
3. Inter-as VPLS BGP-Based Autodiscovery is like option C in RFC 4364– eBGP multihop for l2vpn vpls via RRs across two autonomous
systems– the ASBRs perform a P router function and interconnect the PEs of
the two autonomous systems4. An inter-AS LDP peering session exist between each pair of PE
routers in the two autonomous systems– (Full) mesh of PE PWs across autonomous systems
-
35© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID
PE3
Inter-AS VPLS—Option C Single Hop Pseudowires
1. Reachability between PEs is provided using eBGP+Labels2. Targeted LDP session is formed between PEs3. PWs are transported through ASBRs4. Auto discovery of VPLS VPNs is supported using BGP5. Route Distinguisher, Route Target and VPN IDs are used similar way as in MPLS
L3 VPNs6. RTs have to match across different domains for the same VPLS VPN sites
CE4CE3
CE1 CE2
IPv4 + Labels
MPLS AS1 MPLS AS2
ASBR1 ASBR2 PE4
PE1 PE2
-
36© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID
Inter-AS VPLS BGP-Based Autodiscovery
RR1 RR2
ASBR1 ASBR2PE1 PE3 CE3CE1
eBGP multi-hop for l2vpn vpls + next-hop-unchanged
eBGP for IPv4 + labels
iBGP for IPv4 + labels
iBGP for IPv4 + labels
iBGP for l2vpn vplsiBGP for l2vpn vpls
IGP with LDP or TE
IGP with LDP or TE
-
37© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID
Inter-AS VPLS BGP-Based AutodiscoveryMPLS Label Propagation
RR1 RR2
ASBR1 ASBR2PE1 PE3 CE3CE1
PW label
BGP IPv4 label
BGP IPv4 label
IGP label IGP label
-
38© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID
Inter-AS VPLS BGP-Based AutodiscoveryPacket Forwarding
RR1 RR2
ASBR1 ASBR2PE1 PE3 CE3CE1
Ethernet frame
IGP label to ASBR2
BGP IPv4 label
PW label
next-hop-self
Ethernet frame
BGP IPv4 label
PW label
Ethernet frame
BGP IPv4 label
PW labelEthernet frame
IGP label
PW label
Ethernet frame
PW label
-
39© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID
VPLS BGP Auto Discovery with Inter-AS Option C—Cisco IOS Configuration
PE1
CE4CE1
CE2 VPLS ID: customer1
! Setup VPLS instance, Define discovery method and set vpn iD !HOSTNAME PE3!l2 vfi customer1 autodiscoveryvpn id 100! Activate IPv4 label capability !router bgp 1!address-family ipv4neighbor send-labelexit-address-family!
! Setup VPLS instance, Define discovery method and set vpn iD, vpls-id and RT to match the other side. HOSTNAME PE4!l2 vfi customer1 autodiscoveryvpn id 200vpls-id 1:100Route-target both 1:100! Activate IPv4 label capability !router bgp 2!address-family ipv4neighbor send-labelexit-address-family!
MPLS AS1 MPLS
AS2 VPLS ID: customer1
PE3:10.0.0.1PE4
IPv4 + Labels
-
40© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID
I-AS mVPNs
-
41© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID
Receiver 4Receiver 4
B1
D
ACECE
CECE
High bandwidth Multicast Source
Receiver 3Receiver 3
Receiver 2Receiver 2
C
CECE
MPLS VPNMPLS VPNCore Core
CECE
Receiver 1Receiver 1
BPEPE
PEPE
EE
PEPEA
PEPED
C
Join HighBandwidth Source
Join HighBandwidth Source
CECE
DataDataMDTMDT
For High Bandwidth
Traffic Only.
DefaultDefaultMDTMDTFor low
Bandwidth & Control
Traffic Only.
B2San
Francisco
Los Angeles
Dallas
New York
mVPN Concept and Fundamentals—Review
1. CEs join MPLS Core through provider’s PE devices
2. PEs perform RPF check on Source to build Default and Data Trees (Multicast Data Trees – MDT)
3. Interfaces are associated with mVRF
4. Source-Receivers communicate using mVRFs
-
42© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID
Option A: Back-to-Back ASBR-PEs1. Native IP forwarding between ASBRs
Protocol change not requiredInter-AS MDT not required
2. MDT limited to one ASNo issue with managing MDT group ranges between ASNo issue with RPF
3. VRF created on the ASBRsNot scalable
-
43© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID
PE-300 PE-200
P-200P-300
ASBR-300 ASBR-200
AS300 AS200
eBGP MDT(AFI=1, SAFI=66)
CE-300(Site 2)
CE-200(Site 1)
I-AS mVPN with Option BSolution for PE : Use BGP Connector Attribute (transitive)Preserves identity of a PE router originating a VPNv4 Prefix (Option B only)
Source = 10.1.1.1PIM NBR = PE-200BGP NH = ASBR-300RPF Check Fails !
Default-MDT = REDvrf
Receiver
Source – 10.1.1.1, Group - 239.10.10.10
Multicast Traffic
iBGP MDT(RD, S:PE-200, G:RED)PIM Join(PE-200, RED)
1
2
3
4 iBGP MDT(RD, S:PE-200, G:RED)
eBGP MDT(RD, S:PE-200, G:RED)
5VPNv45
VPNv45
6
37VPNv4
Source = 10.1.1.1PIM NBR = PE-200BGP Connector = PE-200RPF Check Passes !
PIM adjacency over MDTDefault MDT239.232.0.1
(10.1.1.1,239.10.10.10)
-
44© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID
300 PE-200
P-200P-300
ASBR-300 ASBR-200
AS300 AS200
CE-300(Site 2)
CE-200(Site 1)
I-AS mVPN with Option B and Option C
Default-MDT = REDvrf
ReceiverSource
PIM Join(PE-300, Default MDTVector=ASBR-200RD=300:1)
2
Solution for P : PIM RPF Vector for both options B & CHelps P router in BGP free core do RPF check for both options B & C
(PE-300, Default MDTVector=ASBR-200RD=300:1)
PIM Join3(PE-300, Default MDT
Vector=ASBR-300RD=300:1)
PIM Join4
PIM Join(PE-300, Default MDTRD=300:1)
5
PE-6
Default MDT239.232.0.1
1
iBGPMDT(PE-300,G:Deafult MDTBGP-NH=ASBR - 200)
-
45© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID
PE1 PE2AS #1 AS #2
ASBR1I-AS MVPN Configuration Procedure Option B (SSM)
ASBR2
Configuration Steps:1. Enable RPF Vector in the Global table
ip multicast rpf vector2. Setup Multicast Address family on ASBRs
address-family ipv4 mdt3. Configure PE router to send BGP MDT updates to build the Default MDT
ip multicast vrf rpf proxy rd vector
CE-4
! PE1 Configuration:!ip multicast-routingip multicast routing vrf VPN-Aip multicast vrf VPN-A rpf proxy rd vector!router bgp 1!address-family ipv4 mdtneighbor activateneighbor next-hop-selfexit-address-family!ip pim ssm default!
! ASBR1 Configuration:!ip multicast-routingip multicast routing vrf VPN-A!router bgp 1!address-family ipv4 mdtneighbor activateneighbor activateneighbor next-hop-selfexit-address-family!ip pim ssm default!
-
46© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID
Carrier Supporting Carrier (CSC)
-
47© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID
Introducing Carrier Supporting Carrier
1. CSC is one of the VPN services that is applicable in a Multi-AS network environment
2. CSC VPN service is a VPN service that provides MPLS transport for customers with MPLS networks
3. It is also known as hierarchical MPLS VPN service since MPLS VPN customer carrier subscribes MPLS VPN service from an MPLS Backbone provider
4. Defined in RFC 4364. (previously well know by draft 2547biz)
MPLS Backbone
Backbone Service Provider
Customer Carrier ISP1
MPLS NWMPLS NWCustomer Carrier ISP1
-
48© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID
Carrier’s Carrier building blocks
� External Routes: IP routes from VPN customer networks� Internal Routes: Internal routes (global table) of Customer Carrier network� External routes are stored and exchanged among Customer Carrier PEs� MPLS Backbone network doesn’t have any knowledge of external routes� Customer Carrier selectively provides NLRI to MPLS VPN backbone provider
MPLS Backbone
CSC-PE1 CSC-PE2
CSC-CE2
Backbone Service Provider
CSC-CE1
San Francisco ISP1 London ISP1
PE1 RR1
PE2
RR2 PE4
PE3
MPLSMPLSCSC-RR1
CE1R CE1G
VPN Customers
External Routes
External Routes
CE2G CE2R
VPN Customers
External Routes
External Routes
Internal RoutesInternal Routes Internal RoutesInternal Routes
-
49© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID
Carrier’s Carrier building blocks (continue)
Label Switched paths between CSC-CE and CSC-PE IGP+LDP or eBGPv4 + Labels� CSC-PE and CSC-CE exchange MPLS Labels
-this is necessary to transport labeled traffic from a Customer Carrier
MPLS Backbone
CSC-PE1 CSC-PE2 CSC-CE2
Backbone Service ProviderCSC-CE1
San FranciscoISP1
LondonISP1
PE1 RR1
PE2
RR2 PE4
PE3
MPLSMPLSCSC-RR1
CE1R CE1G CE2G CE2R
-
50© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID
Carrier Supporting Carrier Models
I. Customer Carrier Is Running IP Only-similar to basic MPLS L3 VPN environment
II. Customer Carrier Is Running MPLS-LSP is established between CSC-CE and CSC-PE-Customer carrier is VPN subscriber of MPLS VPN backbone provider
III. Customer Carrier Supports MPLS VPNs-LSP is established between CSC-CE and CSC-PE-Customer carrier is VPN subscriber of MPLS VPN backbone provider-True hierarchical VPN model
-
51© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID
IGP LabelIGP LabelLabel=101Label=101Label=120Label=120
IGP LabelIGP LabelLabel=50Label=50
CSC Model III—Customer Carrier Supports MPLS VPNs
IP/MPLS CSC-PE1 CSC-PE2 IP/MPLS
Label=100Label=100
SwapPushPush Swap Swap
Label=140Label=140Label=28Label=28
PayloadPayload
PE1
Site A – VPNA Site B – VPN A149.27.2.0/24
CE1CE2
MP-iBGP Peering& Label Exchange
BGP or (OSPF, RIPv2) +LDP Network=PE2, NH=CSC-CE2
Label=(100)
MP-iBGP PeeringVPN-v4 Update:
RD:1:30:149.27.2.0/24,NH=PE2
RT=1:200, Label=(28)
Label=28Label=28
PayloadPayload
Label=28Label=28
PayloadPayloadPayloadPayload
Label=28Label=28
PayloadPayload
SwapPush
Label=28Label=28
PayloadPayload
Pop
PayloadPayload
PE2VRF VRFIP/MPLS
VRFVRF CSC-CE2CSC-CE1
BGP or (OSPF, RIPv2) +LDP Network=PE2, NH=CSC-PE1
Label=(120)
VPN-v4 Update:RD:1:27:CSC-CE2, PE2
NH=CSC-PE2RT=1:27, Label=(50)
PoP
Label=50Label=50Label=28Label=28
PayloadPayload
LDP LDP
-
52© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID
CSC Model III -Cisco IOS Show configs& commands
MPLS Backbone
CSC-PE1200.0.0.4/32
CSC-PE2200.0.0.6/32
kkkk
ISPaISPaCSC-CE1
100.0.0.3/32CSC-CE2
100.0.0.7/32
PE2100.0.0.8/32
PE1100.0.0.2/32
CE-VPN-A110.1.1.1/32
CE-VPN-B150.0.0.1/32 CE-VPN-A210.1.1.9/32 CE-VPN-B2
50.0.0.9/32
BB-P1200.0.0.5/32
192.168.0.x/24192.168.2.x/24
172.16.0.x/24 172.16.1.x/24
CSC-PE1#sh mpls forwarding-table label 27 detLocal Outgoing Prefix Bytes Label Outgoing Next Hop Label Label or VC or Tunnel Id Switched interface 27 22 100.0.0.8/32[V] 72864 Se0/0 point2point
MAC/Encaps=4/12, MRU=1496, Label Stack{16 22}!interface Serial1/0ip vrf forwarding ISPaip address 10.0.0.4 255.255.255.0mpls label protocol ldpmpls ip
CSC-PE2#sh mpls forwarding-table label 22Local Outgoing Prefix Bytes Label Outgoing Next Hop Label Label or VC or Tunnel Id Switched interface 22 17 100.0.0.8/32[V] 69298 Se0/0 point2pointCSC-CE1#sh mpls forwarding label 21Local Outgoing Prefix Bytes Label Outgoing Next Hop
Label Label or VC or Tunnel Id Switched interface 21 27 100.0.0.8/32 67228 Se0/0 point2point
CSC-CE2#sh mpls forwarding-table label 17Local Outgoing Prefix Bytes Label Outgoing Next Hop Label Label or VC or Tunnel Id Switched interface 17 Pop Label 100.0.0.8/32 65251 Se0/0 point2point
PE1#sh ip cef vrf kk 50.0.0.950.0.0.9/32nexthop 192.168.0.3 Serial0/0 label 21 26
PE1#sh ip bgp vpnv4 all summBGP router identifier 100.0.0.2, local AS number 2..Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd100.0.0.8 4 2 580 577 13 0 0 10:36:23
PE2#sh mpls forwarding-table label 26 detLocal Outgoing Prefix Bytes Label Outgoing Next Hop Label Label or VC or Tunnel Id Switched interface 26 No Label 50.0.0.9/32[V] 0 Se0/0 point2point
MAC/Encaps=4/4, MRU=1504, Label Stack{}0F000800 VPN route: kk
ISPaISPa
kkkk
-
53© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID
Customer Carrier A
ASBR1 ASBR2PW1PE1 PE2ASBR3 ASBR4
MPLS L2VPNs Across a CSC Network
ASBR1 ASBR2
PW1PE1 PE2ASBR3 ASBR4
Multi-Hop PW
Single-Hop PW Pseudowire
Pseudowire
MPLS Backbone Carrier(CsC)
MPLS Backbone Carrier(CsC)
Customer Carrier A
Customer Carrier A
Customer Carrier A
-
54© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID
CSC Security Elements 1. MD5 authentication on LDP/BGP sessions2. Applying max prefix limits per VRF3. Use of static labels4. Route Filtering
…Customer Carrier may not want to send all the internal routes to MPLS VPN backbone provider…
Use Route-maps to control route distribution & filter routesUse match and set capabilities in route-maps
-
55© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID
CSC Security Elements1. MPLS static labels introduced in 12.0.23S, but only supported
global routing tables (not VRF aware):Config. only MPLS forwarding table entries for the global tableAssign label values to FECs learned by the LDP for the global tableLimits usage to the provider core only
2. Feature is enhanced so static labels can be used for VRF trafficat the VPN edge for CSC networks:In 12.0(26)S, the MPLS LDP—VRF-Aware Static Labels feature was
introduced, allowing MPLS static labels to be used for VRF traffic at the VPN edge.
In 12.3(14)T, 12.2(33)SRA,12.2(33)SXH, 12.2(33)SB, this feature was integrated.
-
56© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID
Best Practice Recommendations1. Do not use Static default routes on CSC-CE
Need end-end LSP is required across the VPN and MPLS VPN backbone
2. Use dynamic protocol instead of static on CSC-CE –CSC-PE link
3. Set Next-Hop-Self on PEs carrying external routes4. If using IGP on CSC-CE routers, use filters to limit
incoming routes from the CSC-PE side5. If using RRs in customer carrier network, set next-
hop-unchanged on RRs6. If using BGP on CSC-PE-CE link, use as-override on
CSC-PE
-
57© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID