I-AS MPLS Solutions - KISpalo/Rozne/cisco-expo-2009/Presentati… · MPLS VPN Inter-AS Option AB...

57
© 2009 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID 1 I-AS MPLS Solutions Stefan Kollar Consulting System Engineer, CCIE #10668 [email protected]

Transcript of I-AS MPLS Solutions - KISpalo/Rozne/cisco-expo-2009/Presentati… · MPLS VPN Inter-AS Option AB...

  • © 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID 1

    I-AS MPLS Solutions

    Stefan KollarConsulting System Engineer, CCIE #10668 [email protected]

  • 2© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID

    Agenda 1. Inter-AS Networks

    Inter-AS Connectivity ModelsInter-AS L3 VPNsInter-AS L2VPNsInter-AS Multicast VPNs

    1. Carrier Supporting Carrier CSC Service ModelsMPLS L3 VPNsMulticast VPNsMPLS L2 VPNs

  • 3© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID

    Carrier Supporting Carrier vs. Inter-AS

    CSC1. Client-Server model2. IP/MPLS Carrier is a customer

    of another MPLS backbone provider

    3. IP/MPLS Carrier doesn’t want to manage own backbone

    4. Only the backbone provider is required to have MPLS VPN core

    5. Customer Carriers do not distribute their subscribers’ VPN info to the backbone carrier

    Inter-AS1. Peer-Peer model2. SPs provide services to the

    common customer base3. Single SP POPs not available in

    all geographical areas required by their subscribers/customers

    4. Both SPs must support MPLS VPNs

    5. Subscriber VPN information shared between peering SPs(ASs)

    MPLS Backbone ProviderCustomer Carrier-B Customer Carrier-B

    Subscriber A Site1 Subscriber A Site1

    Subscriber A Site1 Subscriber A Site2

    Provider-A Provider-BASBR-A ASBR-B

  • 4© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID

    I-AS L3 VPNs

  • 5© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID

    Inter-AS VPNv4 Distribution Options

    VPN-R1 VPN-R2

    PE22

    CE2 CE1

    AS #1 AS #2PE11

    MP-eBGP for VPNv4

    Multihop MP-eBGPbetween RRs

    Back-to-Back VRFsASBR1 ASBR2

    How to Distribute VPN Routes between ASBRs?

    VPN Sites Attached to Different MPLS VPN Service Providers

  • 6© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID

    Each ASBR Thinks the Other Is a CE

    Inter-AS VPN—Option ABack-to-Back VRFs

    1. One logical interface per VPN on directly connected ASBRs2. Packet is forwarded as an IP packet between the ASBRs3. Link may use any supported PE-CE routing protocol 4. IP QoS policies negotiated and configured manually on the ASBRs5. Option A is the most secure and easiest to provision6. May not be easy to manage as #s of VPNs grow

    AS1 PE-ASBR1

    PE1P1

    Use VPN label 40 Unlabeled IP Packets

    AS2PE-ASBR2

    PE2

    P2

    Use VPN label 80

    P1

    IP IP 40 P1 IP 42 IP IPIP 80 P2 IP 80

  • 7© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID

    AS #1 AS #2PE1 PE2

    VPN-R1

    CE1 CE2

    VPN-R2

    ASBR1

    152.12.4.0/24

    BGP, OSPF, RIPv2 152.12.4.0/24,NH=CE2

    VPN-v4 update:RD:1:27:152.12.4.0

    /24, NH=PE1RT=1:222, Label=(L1)

    VPN-v4 update:RD:1:27:152.12.4.0/24,

    NH=ASBR2RT=1:222, Label=(L3)

    BGP, OSPF, RIPv2 152.12.4.0/24,NH=PE2

    Inter-AS VPN—Option BControl Plane

    ASBR2

    All VPNv4 Prefixes/Labels from PEs Distributed to PE-ASBRs

    VPN-v4 update:RD:1:27:152.12.4.0/24, NH=ASBR1

    RT=1:222, Label=(L2)

    eBGP for VPNv4

    Label Exchangebetween GatewayPE-ASBR Routers

    Using eBGP

  • 8© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID

    Inter-AS VPN—Option BKey Points

    1. PE-ASBRs exchange routes directly using eBGPExternal MP-BGP for VPNv4 prefix exchange;

    2. MP-BGP session with NH to advertising PE-ASBRNext-hop and labels are rewritten when advertised across the inter-provider MP-BGP

    session3. Receiving PE-ASBR automatically creates a /32 host route to a peer

    ASBRWhich must be advertised into receiving IGP if next-hop-self is not in operation to maintain

    the LSP4. PE-ASBR stores all VPN routes that need to be exchanged

    But only within the BGP tableNo VRFs; labels are populated into the LFIB of the PE-ASBR

    5. ASBR-ASBR link must be directly connected!!!!!! Could use GRE tunnel-considered directly connected

    6. Receiving PE-ASBRs may allocate new labelControlled by configuration of next-hop-self (default is off)

  • 9© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID

    ASBR1 ASBR2

    152.12.4.1

    LR1’’ 152.12.4.1152.12.4.1LR1

    152.12.4.1

    PE1

    VPN-R1

    CE1

    152.12.4.0/24

    PE2

    CE2

    VPN-R2

    Inter-AS VPN—Option BForwarding Plane

    152.12.4.1LR1’

    152.12.4.1LASBR2 LR1’

    152.12.4.1LPE1 LR1

  • 10© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID

    PE1 PE2

    AS #1 AS #2

    CE1

    VPN-R1 VPN-R2

    CE2

    ASBR1 ASBR2eBGP for VPNv4

    Inter-AS VPN—Option BCisco IOS Configuration

    L0:194.1.1.2

    !router bgp 1neighbor 195.1.1.2 remote-as 2neighbor 194.1.1.2 remote-as 1neighbor 194.1.1.2 update-source loop0no bgp default route-target filter!address-family vpnv4neighbor 194.1.1.2 remote-as 1 activateneighbor 194.1.1.2 remote-as 1 next-hop-selfneighbor 195.1.1.2 remote-as 2 activateneighbor 195.1.1.2 remote-as 2 send-community extended

    L0:195.1.1.1 L0:195.1.1.2

    ASBR1#sh mpls forwarding-table label 18 detLocal Outgoing Prefix Bytes Label Outgoing Next Hop Label Label or VC or Tunnel Id Switched interface 18 20 1:100:100.0.0.5/32 \

    0 Se2/0 point2point MAC/Encaps=4/8, MRU=1500, Label Stack{20}0F008847 00014000

    Ser2/0

  • 11© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID

    PE1AS #1 AS #2

    ASBR2

    eBGP IPv4 + Labels IGP + LDP

    Inter-AS VPN—Option CMulti-hop EBGP VPNv4 between RRs

    1. Eliminates LFIB duplication at ASBRs. ASBRs don’t hold VPNv4 prefix/label info.2. ASBRs Exchange PE loopbacks (IPv4) with labels as these are BGP NH

    addresses3. Two Options for Label Distribution for BGP NH Addresses:

    IGP + LDP OR eBGP IPv4 + Labels (RFC3107)4. BGP exchange Label Advertisement Capability Enables end-end LSP Paths5. Subsequent Address Family Identifier (value 4) field is used to indicate that the

    NLRI contains a label6. Disable Next-hop-self on RRs

    RR2RR1 Exchange VPNv4 Routes

    ASBR1

    PE2

  • 12© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID

    VPN-R1

    CE1CE2

    VPN-R2

    ASBR1

    RR2

    ASBR2

    BGP, OSPF, RIPv2 152.12.4.0/24,NH=CE1

    VPN-v4 update:RD:1:27:152.12.4.0/24,NH=PE1RT=1:222, Label=(L1)

    VPN-v4 update:RD:1:27:152.12.4.0/24, NH=PE1RT=1:222, Label=(L1)

    BGP, OSPF, RIPv2 152.12.4.0/24,NH=PE2

    PE1 PE2

    I-AS VPN—Option CControl Plane

    AS #1

    VPN-v4 update:RD:1:27:152.12.4.0/24, NH=PE1RT=1:222, Label=(L1)

    To ASBR2:Network=PE1 NH=ASBR-1Label=(L2)

    From ASBR1:Network=PE1 NH=ASBR-2Label=(L3)

    152.12.4.0/24

    RR1

    IGP+label(LDP)or iBGP+label

  • 13© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID

    VPN-ias

    CE1 CE2

    VPN-ias

    ASBR1

    RR2

    ASBR2

    RR1

    PE1

    152.12.4.1

    L4 L1 152.12.4.1

    152.12.4.1L1

    152.12.4.1

    I-AS VPN—Option CForwarding Plane

    PE2

    L1L2 152.12.4.1

    152.12.4.0/24

    152.12.4.1L1L5152.12.4.1L1L2L3

    PE2#sh ip cef vrf ias 152.12.4.1 det152.12.4.0/24, epoch 0recursive via 10.254.254.254 label 23recursive via 10.254.254.3 label 24nexthop 10.0.2.2 Ethernet1/0 label 17

    Lo: 10.254.254.254

    Lo: 10.254.254.3Eth1/0: 10.0.2.2

  • 14© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID

    ASBR1

    RR2

    ASBR2

    RR1

    PE1PE2

    I-AS VPN—Option CCisco IOS Configuration_related to I-AS only!address-family ipv4neighbor activateneighbor send-label!

    !router bgp 1neighbor ebgp-multihop 255!address-family ipv4neighbor activateneighbor activateneighbor send-labelneighbor activateneighbor send-label!address-family vpnv4neighbor next-hop-unchangedexit-address-family!

    !address-family ipv4neighbor activateneighbor send-labelneighbor activateneighbor next-hop-selfneighbor send-label!

    AS #1

    Loopbacks(/32) of remote PE routers distributed via iBGPNOT made known to the P routers

  • 15© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID

    MPLS VPN Inter-AS Option AB

    VPN-B1

    PE-1

    VPN-G1

    CE-2CE-1

    ASBR1

    AS 1

    VPN-B2

    PE-2

    CE-4 CE-3

    VPN-G2

    ASBR2

    AS 2Data forwarding on per VRF interface as in Option A

    vpn-Gvpn-B

    MP-eBGP between ASBRs on a control plane interface

    in global table

    1. Combines the benefits of Option A & Option B.2. eBGP sessions are reduced to a single session between the ASBRs as

    defined in RFC 4363 Option B, leading to a better scaling and reduced configurations.

    3. Separate per VRF interfaces between ASBRs forward data as in Option A. This provides security and QoS benefits of IP forwarding on the I-AS link.

  • 16© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID

    VPN-B1

    PE1

    VPN-G1

    CE-2CE-1

    ASBR1

    AS 100

    VPN-B2

    CE-4 CE-3

    VPN-G2

    ASBR2

    AS 200VPN-GVPN-B

    eBGP Peering Interface

    MPLS VPN Inter-AS Option AB Sample Configuration

    !ip vrf VPN-Brd 200:21route-target both 100:3route-target both 100:2inter-as-hybrid !ip vrf VPN-Grd 200:22route-target both 200:3route-target both 200:2inter-as-hybrid !router bgp 200neighbor 103.0.0.1 remote-as 100!address-family vpnv4neighbor 103.0.0.1 inter-as-hybridexit-address-family!

    !ip vrf VPN-Brd 100:11route-target both 100:1route-target both 100:3 inter-as-hybrid !ip vrf VPN-Grd 100:21route-target both 200:1route-target both 200:3inter-as-hybrid !router bgp 100neighbor 103.0.0.2 remote-as 200!address-family vpnv4neighbor 103.0.0.2 inter-as-hybridexit-address-family!

    ASBR2ASBR1PE2

  • 17© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID

    Inter-AS Multipath Load Balance Options

    1. Support VPNv4 and label negotiated IPv4 eBGP sessions between loopbacks of directly connected routers w/o the use of LDP on the connecting interfaces

    2. Consider the three topologies –Designated by Topo-1, Topo-2, Topo-3

    3. Load balancing for Inter-AS sub-cases with:

    Interface PeeringLoopback peeringIPv4 + LabelVPNv4 + Label

    ASBR1

    ASBR1

    ASBR3ASBR2

    ASBR2

    Topo-1

    Topo-2

    Topo-3

    AS1 AS2

    ASBR1

    ASBR3ASBR4

    ASBR2

  • 18© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID

    Inter-AS Loopback Peering for Directly Connected ASBRs

    HOSTNAME ASBR2!interface e0/0ip address 168.192.0.2 255.255.255.252 mpls bgp forwarding ! Enable BGP forwarding on connecting interfaces

    !interface e2/0ip address 168.192.2.2 255.255.255.252 mpls bgp forwardingrouter bgp 2neighbor 10.10.10.10 remote-as 1neighbor 10.10.10.10 disable-connected-check neighbor 10.10.10.10 update-source Loopback0 !address-family vpnv4 neighbor 10.10.10.10 activate neighbor 10.10.10.10 send-community extended !ip route 10.10.10.10 255.255.255 e0/0 168.192.0.1 ip route 10.10.10.10 255.255.255 e2/0 168.192.2.1! Configure /32 static routes to the eBGP neighbor

    loopbackaddress

    PE2PE1 AS #1 AS #2RR2RR1

    ASBR-1 ASBR-2E0/0: 168.192.0.1

    E2/0: 168.192.2.1

    L0:10.20.20.20/32L0:10.10.10.10

    E2/0: 168.192.2.2

    E0/0: 168.192.0.2

    Create loopback interfaces on directly connected ASBRs

  • 19© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID

    Inter-AS Security Elements 1. MD5 Authentication on LDP/BGP Sessions2. Apply max prefix3. Static Labels4. TTL Check to diagnose DoS attacks5. Filtering with BGP attributes ASPATH, ext communities, RDs

    checks, …etc. Set route-maps to filter and send only the desirable prefixes

    6. Customize Route Targets

  • 20© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID

    Inter-AS L3VPN Summary 1. Models: Option A, B, C and AB2. Option A is the most secured. Support granular QoS3. Option B, less invasive4. Option B, only need to know the loopback or interface

    address of directly connected ASBR5. Option C, most scalable, most invasive, mostly

    deployed in a single service provider’s multi-AS network

  • 21© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID

    I-AS L2 VPNs:AToM

  • 22© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID

    Inter-AS AToMLayer 2 Peering—Option A

    1. One layer-2 interface per PW2. Clear demarcation between ASs3. No reachability information shared between ASs4. Granular QoS control between ASBRs

    IP/MPLSASBR1 ASBR2

    IP/MPLS

    ..PW1 PW2

    Pseudowire

    PE1 PE2

    LDP LDPForwarding LSP

    PW Signaling

    LDP/RSVP LDP/RSVP

  • 23© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID

    Layer-2 payloadLayer-2 payload

    LabelLabelLabelLabel

    PayloadPayload

    PopPushPushPushPush Pop

    LabelLabelLabelLabel

    PayloadPayload

    Inter-AS AToMLayer 2 Peering—Option A

    IP/MPLSASBR1 ASBR2

    IP/MPLS

    ..PW1 PW2

    Pseudowire

    PE1 PE2

  • 24© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID

    LDPLDP

    Inter-AS AToMMulti-Hop PW—Option B

    1. Single (labeled) interface between ASBRs2. Single peering point (only one PW endpoint address leaked

    between ASs)3. PE and P devices do not learn remote PW endpoint addresses

    LDP

    LDP/RSVP LDP/RSVPeBGPIPv4+Label

    Pseudowire

    PW Signaling

    Forwarding LSP

    IP/MPLSASBR1 ASBR2

    IP/MPLS

    PW1 PW2PE1 PE2PW2

  • 25© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID

    Inter-AS L2VPN Multi-Hop PW—Option B

    LabelLabel

    PushPush Pop

    LabelLabel LabelLabelLabelLabelLabelLabel

    PayloadPayload PayloadPayloadPayloadPayload

    PopPush

    PopPushPush

    PseudowireIP/MPLS

    ASBR1 ASBR2IP/MPLS

    PW1 PW2PE1 PE2PW2

  • 26© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID

    Data Center 2

    Data Center 1

    Inter-AS AToM Option B—ConfigurationNeed to Switch Pseudowires on ASBRs

    AS1

    ASBR1 ASBR2

    !HOSTNAME PE3!interface giga1/0xconnect 10 encapsulation mpls! *no BGP needed, just IGP

    !HOSTNAME PE4!interface giga1/0xconnect 20 encapsulation mpls!*no BGP needed, just IGP

    PE3 PE4Intgig3/0

    HOSTNAME ASBR1!pseudowire-class pw-switchencapsulation mpls!l2 vfi pw-switch point-to-pointneighbor 100 pw-class pw-switchneighbor 10 pw-class pw-switch!Interface giga3/0mpls bgp forwarding!! router bgp 1Neighbor remote-as 2Neighbor send-label! *Also announce the loopback address (xconnect ID) of ASBR1 in IGP(AS1) and eBGP

    HOSTNAME ASBR2!pseudowire-class pw-switchencapsulation mpls!L2 vfi pw-switch point-to-pointneighbor 100 pw-class pw-switchneighbor 20 pw-class pw-switch!Interface giga3/0mpls bgp forwarding!router bgp 2neighbor remote-as1Neighbor send-label! *Also announce the loopback address of ASBR2 in IGP(AS2) and eBGP

    Intgig1/0

    AS2

  • 27© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID

    Inter-AS AToM Option C—IPv4+LabelSingle Hop Pseudowire

    1. I-AS AToM is also known as a pseudowire switching, stitching, or routing where PW is signalled across AS boundaries

    2. IPv4 routes for PEs exchanged with labels between directly connected ASBRs

    3. PWs are transported through ASBRs. ASBRs don’t store any PW information.

    C2S2C2S1 IPv4 + LabelsMPLS AS1PE3 PE4

    MPLS AS2ASBR1 ASBR2

    PE2PE1C1S2C1S1

    C3S1C4S1 C4S2C3S2

  • 28© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID

    iBGPIPv4+Label

    iBGPIPv4+Label

    Inter-AS AToM—Option C Single-Hop PW: BGP IPv4+label

    1. Single (labeled) interface between ASBRs2. PW endpoint addresses leaked between ASs using eBGP

    IPv4+label and distributed to PEs using iBGP IPv4+label3. Only PEs and ASBRs learn PW endpoint addresses

    IP/MPLS ASBR1 ASBR2 IP/MPLS

    LDP

    PW1

    eBGPIPv4+Label

    PE1 PE2

    LDP/RSVP LDP/RSVP

    Pseudowire

    Forwarding LSP

    PW Signaling

    Forwarding LSP

  • 29© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID

    LabelLabelLabelLabel

    Inter-AS AToM—Option CSingle-Hop PW: BGP IPv4+label, Cont.

    Pop

    LabelLabelLabelLabel

    LabelLabelLabelLabel LabelLabel

    PayloadPayload PayloadPayloadPayloadPayload

    Swap PopPush

    IP/MPLS ASBR1 ASBR2 IP/MPLSPW1PE1 PE2

    PushPushPush

  • 30© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID

    Inter-AS AToM Option C—Configuration

    HOSTNAME ASBR1! Activate IPv4 label capability !router bgp 1!address-family ipv4neighbor send-labelneighbor send-labelexit-address-family!

    HOSTNAME ASBR2! Activate IPv4 label capability !router bgp 2!address-family ipv4neighbor send-labelneighbor send-labelexit-address-family!

    HOSTNAME PE4!interface Ethernet1/0xconnect 100 encapsulation mpls!! Activate IPv4 label capability !router bgp 2!address-family ipv4neighbor send-labelexit-address-family!

    HOSTNAME PE3!interface Ethernet1/0xconnect 100 encapsulation mpls! ! Activate IPv4 label capability !router bgp 1!address-family ipv4neighbor send-labelexit-address-family!

    IPv4 + Labels

    MPLS AS1

    MPLS AS2

    ASBR1 ASBR2PE3 PE4

    Inteth1/0 Inteth1/0

    PE1 PE2

  • 31© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID

    I-AS AToM Key Points1. All three I-AS models are supported to carry point-to-

    point PWs2. The sequencing data through the xconnect packet

    paths are passed transparently. The endpoint PE-CE connections enforce the sequencing.

    3. The control word negotiation results must match. The control word is disabled for both segments if either side doesn’t support it.

    .

  • 32© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID

    Inter-AS L2 VPNs: VPLS

  • 33© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID

    Virtual Private LAN Service Overview 1. VPLS provides fully meshed L2 connectivity among VPN Sites2. VPLS VPN sites may span multiple Domains3. PEs aggregating VPN sites in both domains need transparency

    PE3

    CE4CE3

    CE2CE1

    CE3

    CE1

    CE4

    CE2MPLS AS1

    MPLS AS2ASBR1 ASBR2

    PE4

    PE1 PE2

    Exchange Virtual Switching Instance

    Database (VLAN IDs + Labels

  • 34© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID

    Inter-AS VPLS BGP-Based Autodiscovery

    1. BGP extended communities needed for VPLS BGP-based autodiscovery are transit

    2. “Multihop eBGP redistribution of L2VPN NLRIs” as described in draft-ietf-l2vpn-signaling-08.txt is currently supported

    3. Inter-as VPLS BGP-Based Autodiscovery is like option C in RFC 4364– eBGP multihop for l2vpn vpls via RRs across two autonomous

    systems– the ASBRs perform a P router function and interconnect the PEs of

    the two autonomous systems4. An inter-AS LDP peering session exist between each pair of PE

    routers in the two autonomous systems– (Full) mesh of PE PWs across autonomous systems

  • 35© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID

    PE3

    Inter-AS VPLS—Option C Single Hop Pseudowires

    1. Reachability between PEs is provided using eBGP+Labels2. Targeted LDP session is formed between PEs3. PWs are transported through ASBRs4. Auto discovery of VPLS VPNs is supported using BGP5. Route Distinguisher, Route Target and VPN IDs are used similar way as in MPLS

    L3 VPNs6. RTs have to match across different domains for the same VPLS VPN sites

    CE4CE3

    CE1 CE2

    IPv4 + Labels

    MPLS AS1 MPLS AS2

    ASBR1 ASBR2 PE4

    PE1 PE2

  • 36© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID

    Inter-AS VPLS BGP-Based Autodiscovery

    RR1 RR2

    ASBR1 ASBR2PE1 PE3 CE3CE1

    eBGP multi-hop for l2vpn vpls + next-hop-unchanged

    eBGP for IPv4 + labels

    iBGP for IPv4 + labels

    iBGP for IPv4 + labels

    iBGP for l2vpn vplsiBGP for l2vpn vpls

    IGP with LDP or TE

    IGP with LDP or TE

  • 37© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID

    Inter-AS VPLS BGP-Based AutodiscoveryMPLS Label Propagation

    RR1 RR2

    ASBR1 ASBR2PE1 PE3 CE3CE1

    PW label

    BGP IPv4 label

    BGP IPv4 label

    IGP label IGP label

  • 38© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID

    Inter-AS VPLS BGP-Based AutodiscoveryPacket Forwarding

    RR1 RR2

    ASBR1 ASBR2PE1 PE3 CE3CE1

    Ethernet frame

    IGP label to ASBR2

    BGP IPv4 label

    PW label

    next-hop-self

    Ethernet frame

    BGP IPv4 label

    PW label

    Ethernet frame

    BGP IPv4 label

    PW labelEthernet frame

    IGP label

    PW label

    Ethernet frame

    PW label

  • 39© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID

    VPLS BGP Auto Discovery with Inter-AS Option C—Cisco IOS Configuration

    PE1

    CE4CE1

    CE2 VPLS ID: customer1

    ! Setup VPLS instance, Define discovery method and set vpn iD !HOSTNAME PE3!l2 vfi customer1 autodiscoveryvpn id 100! Activate IPv4 label capability !router bgp 1!address-family ipv4neighbor send-labelexit-address-family!

    ! Setup VPLS instance, Define discovery method and set vpn iD, vpls-id and RT to match the other side. HOSTNAME PE4!l2 vfi customer1 autodiscoveryvpn id 200vpls-id 1:100Route-target both 1:100! Activate IPv4 label capability !router bgp 2!address-family ipv4neighbor send-labelexit-address-family!

    MPLS AS1 MPLS

    AS2 VPLS ID: customer1

    PE3:10.0.0.1PE4

    IPv4 + Labels

  • 40© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID

    I-AS mVPNs

  • 41© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID

    Receiver 4Receiver 4

    B1

    D

    ACECE

    CECE

    High bandwidth Multicast Source

    Receiver 3Receiver 3

    Receiver 2Receiver 2

    C

    CECE

    MPLS VPNMPLS VPNCore Core

    CECE

    Receiver 1Receiver 1

    BPEPE

    PEPE

    EE

    PEPEA

    PEPED

    C

    Join HighBandwidth Source

    Join HighBandwidth Source

    CECE

    DataDataMDTMDT

    For High Bandwidth

    Traffic Only.

    DefaultDefaultMDTMDTFor low

    Bandwidth & Control

    Traffic Only.

    B2San

    Francisco

    Los Angeles

    Dallas

    New York

    mVPN Concept and Fundamentals—Review

    1. CEs join MPLS Core through provider’s PE devices

    2. PEs perform RPF check on Source to build Default and Data Trees (Multicast Data Trees – MDT)

    3. Interfaces are associated with mVRF

    4. Source-Receivers communicate using mVRFs

  • 42© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID

    Option A: Back-to-Back ASBR-PEs1. Native IP forwarding between ASBRs

    Protocol change not requiredInter-AS MDT not required

    2. MDT limited to one ASNo issue with managing MDT group ranges between ASNo issue with RPF

    3. VRF created on the ASBRsNot scalable

  • 43© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID

    PE-300 PE-200

    P-200P-300

    ASBR-300 ASBR-200

    AS300 AS200

    eBGP MDT(AFI=1, SAFI=66)

    CE-300(Site 2)

    CE-200(Site 1)

    I-AS mVPN with Option BSolution for PE : Use BGP Connector Attribute (transitive)Preserves identity of a PE router originating a VPNv4 Prefix (Option B only)

    Source = 10.1.1.1PIM NBR = PE-200BGP NH = ASBR-300RPF Check Fails !

    Default-MDT = REDvrf

    Receiver

    Source – 10.1.1.1, Group - 239.10.10.10

    Multicast Traffic

    iBGP MDT(RD, S:PE-200, G:RED)PIM Join(PE-200, RED)

    1

    2

    3

    4 iBGP MDT(RD, S:PE-200, G:RED)

    eBGP MDT(RD, S:PE-200, G:RED)

    5VPNv45

    VPNv45

    6

    37VPNv4

    Source = 10.1.1.1PIM NBR = PE-200BGP Connector = PE-200RPF Check Passes !

    PIM adjacency over MDTDefault MDT239.232.0.1

    (10.1.1.1,239.10.10.10)

  • 44© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID

    300 PE-200

    P-200P-300

    ASBR-300 ASBR-200

    AS300 AS200

    CE-300(Site 2)

    CE-200(Site 1)

    I-AS mVPN with Option B and Option C

    Default-MDT = REDvrf

    ReceiverSource

    PIM Join(PE-300, Default MDTVector=ASBR-200RD=300:1)

    2

    Solution for P : PIM RPF Vector for both options B & CHelps P router in BGP free core do RPF check for both options B & C

    (PE-300, Default MDTVector=ASBR-200RD=300:1)

    PIM Join3(PE-300, Default MDT

    Vector=ASBR-300RD=300:1)

    PIM Join4

    PIM Join(PE-300, Default MDTRD=300:1)

    5

    PE-6

    Default MDT239.232.0.1

    1

    iBGPMDT(PE-300,G:Deafult MDTBGP-NH=ASBR - 200)

  • 45© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID

    PE1 PE2AS #1 AS #2

    ASBR1I-AS MVPN Configuration Procedure Option B (SSM)

    ASBR2

    Configuration Steps:1. Enable RPF Vector in the Global table

    ip multicast rpf vector2. Setup Multicast Address family on ASBRs

    address-family ipv4 mdt3. Configure PE router to send BGP MDT updates to build the Default MDT

    ip multicast vrf rpf proxy rd vector

    CE-4

    ! PE1 Configuration:!ip multicast-routingip multicast routing vrf VPN-Aip multicast vrf VPN-A rpf proxy rd vector!router bgp 1!address-family ipv4 mdtneighbor activateneighbor next-hop-selfexit-address-family!ip pim ssm default!

    ! ASBR1 Configuration:!ip multicast-routingip multicast routing vrf VPN-A!router bgp 1!address-family ipv4 mdtneighbor activateneighbor activateneighbor next-hop-selfexit-address-family!ip pim ssm default!

  • 46© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID

    Carrier Supporting Carrier (CSC)

  • 47© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID

    Introducing Carrier Supporting Carrier

    1. CSC is one of the VPN services that is applicable in a Multi-AS network environment

    2. CSC VPN service is a VPN service that provides MPLS transport for customers with MPLS networks

    3. It is also known as hierarchical MPLS VPN service since MPLS VPN customer carrier subscribes MPLS VPN service from an MPLS Backbone provider

    4. Defined in RFC 4364. (previously well know by draft 2547biz)

    MPLS Backbone

    Backbone Service Provider

    Customer Carrier ISP1

    MPLS NWMPLS NWCustomer Carrier ISP1

  • 48© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID

    Carrier’s Carrier building blocks

    � External Routes: IP routes from VPN customer networks� Internal Routes: Internal routes (global table) of Customer Carrier network� External routes are stored and exchanged among Customer Carrier PEs� MPLS Backbone network doesn’t have any knowledge of external routes� Customer Carrier selectively provides NLRI to MPLS VPN backbone provider

    MPLS Backbone

    CSC-PE1 CSC-PE2

    CSC-CE2

    Backbone Service Provider

    CSC-CE1

    San Francisco ISP1 London ISP1

    PE1 RR1

    PE2

    RR2 PE4

    PE3

    MPLSMPLSCSC-RR1

    CE1R CE1G

    VPN Customers

    External Routes

    External Routes

    CE2G CE2R

    VPN Customers

    External Routes

    External Routes

    Internal RoutesInternal Routes Internal RoutesInternal Routes

  • 49© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID

    Carrier’s Carrier building blocks (continue)

    Label Switched paths between CSC-CE and CSC-PE IGP+LDP or eBGPv4 + Labels� CSC-PE and CSC-CE exchange MPLS Labels

    -this is necessary to transport labeled traffic from a Customer Carrier

    MPLS Backbone

    CSC-PE1 CSC-PE2 CSC-CE2

    Backbone Service ProviderCSC-CE1

    San FranciscoISP1

    LondonISP1

    PE1 RR1

    PE2

    RR2 PE4

    PE3

    MPLSMPLSCSC-RR1

    CE1R CE1G CE2G CE2R

  • 50© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID

    Carrier Supporting Carrier Models

    I. Customer Carrier Is Running IP Only-similar to basic MPLS L3 VPN environment

    II. Customer Carrier Is Running MPLS-LSP is established between CSC-CE and CSC-PE-Customer carrier is VPN subscriber of MPLS VPN backbone provider

    III. Customer Carrier Supports MPLS VPNs-LSP is established between CSC-CE and CSC-PE-Customer carrier is VPN subscriber of MPLS VPN backbone provider-True hierarchical VPN model

  • 51© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID

    IGP LabelIGP LabelLabel=101Label=101Label=120Label=120

    IGP LabelIGP LabelLabel=50Label=50

    CSC Model III—Customer Carrier Supports MPLS VPNs

    IP/MPLS CSC-PE1 CSC-PE2 IP/MPLS

    Label=100Label=100

    SwapPushPush Swap Swap

    Label=140Label=140Label=28Label=28

    PayloadPayload

    PE1

    Site A – VPNA Site B – VPN A149.27.2.0/24

    CE1CE2

    MP-iBGP Peering& Label Exchange

    BGP or (OSPF, RIPv2) +LDP Network=PE2, NH=CSC-CE2

    Label=(100)

    MP-iBGP PeeringVPN-v4 Update:

    RD:1:30:149.27.2.0/24,NH=PE2

    RT=1:200, Label=(28)

    Label=28Label=28

    PayloadPayload

    Label=28Label=28

    PayloadPayloadPayloadPayload

    Label=28Label=28

    PayloadPayload

    SwapPush

    Label=28Label=28

    PayloadPayload

    Pop

    PayloadPayload

    PE2VRF VRFIP/MPLS

    VRFVRF CSC-CE2CSC-CE1

    BGP or (OSPF, RIPv2) +LDP Network=PE2, NH=CSC-PE1

    Label=(120)

    VPN-v4 Update:RD:1:27:CSC-CE2, PE2

    NH=CSC-PE2RT=1:27, Label=(50)

    PoP

    Label=50Label=50Label=28Label=28

    PayloadPayload

    LDP LDP

  • 52© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID

    CSC Model III -Cisco IOS Show configs& commands

    MPLS Backbone

    CSC-PE1200.0.0.4/32

    CSC-PE2200.0.0.6/32

    kkkk

    ISPaISPaCSC-CE1

    100.0.0.3/32CSC-CE2

    100.0.0.7/32

    PE2100.0.0.8/32

    PE1100.0.0.2/32

    CE-VPN-A110.1.1.1/32

    CE-VPN-B150.0.0.1/32 CE-VPN-A210.1.1.9/32 CE-VPN-B2

    50.0.0.9/32

    BB-P1200.0.0.5/32

    192.168.0.x/24192.168.2.x/24

    172.16.0.x/24 172.16.1.x/24

    CSC-PE1#sh mpls forwarding-table label 27 detLocal Outgoing Prefix Bytes Label Outgoing Next Hop Label Label or VC or Tunnel Id Switched interface 27 22 100.0.0.8/32[V] 72864 Se0/0 point2point

    MAC/Encaps=4/12, MRU=1496, Label Stack{16 22}!interface Serial1/0ip vrf forwarding ISPaip address 10.0.0.4 255.255.255.0mpls label protocol ldpmpls ip

    CSC-PE2#sh mpls forwarding-table label 22Local Outgoing Prefix Bytes Label Outgoing Next Hop Label Label or VC or Tunnel Id Switched interface 22 17 100.0.0.8/32[V] 69298 Se0/0 point2pointCSC-CE1#sh mpls forwarding label 21Local Outgoing Prefix Bytes Label Outgoing Next Hop

    Label Label or VC or Tunnel Id Switched interface 21 27 100.0.0.8/32 67228 Se0/0 point2point

    CSC-CE2#sh mpls forwarding-table label 17Local Outgoing Prefix Bytes Label Outgoing Next Hop Label Label or VC or Tunnel Id Switched interface 17 Pop Label 100.0.0.8/32 65251 Se0/0 point2point

    PE1#sh ip cef vrf kk 50.0.0.950.0.0.9/32nexthop 192.168.0.3 Serial0/0 label 21 26

    PE1#sh ip bgp vpnv4 all summBGP router identifier 100.0.0.2, local AS number 2..Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd100.0.0.8 4 2 580 577 13 0 0 10:36:23

    PE2#sh mpls forwarding-table label 26 detLocal Outgoing Prefix Bytes Label Outgoing Next Hop Label Label or VC or Tunnel Id Switched interface 26 No Label 50.0.0.9/32[V] 0 Se0/0 point2point

    MAC/Encaps=4/4, MRU=1504, Label Stack{}0F000800 VPN route: kk

    ISPaISPa

    kkkk

  • 53© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID

    Customer Carrier A

    ASBR1 ASBR2PW1PE1 PE2ASBR3 ASBR4

    MPLS L2VPNs Across a CSC Network

    ASBR1 ASBR2

    PW1PE1 PE2ASBR3 ASBR4

    Multi-Hop PW

    Single-Hop PW Pseudowire

    Pseudowire

    MPLS Backbone Carrier(CsC)

    MPLS Backbone Carrier(CsC)

    Customer Carrier A

    Customer Carrier A

    Customer Carrier A

  • 54© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID

    CSC Security Elements 1. MD5 authentication on LDP/BGP sessions2. Applying max prefix limits per VRF3. Use of static labels4. Route Filtering

    …Customer Carrier may not want to send all the internal routes to MPLS VPN backbone provider…

    Use Route-maps to control route distribution & filter routesUse match and set capabilities in route-maps

  • 55© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID

    CSC Security Elements1. MPLS static labels introduced in 12.0.23S, but only supported

    global routing tables (not VRF aware):Config. only MPLS forwarding table entries for the global tableAssign label values to FECs learned by the LDP for the global tableLimits usage to the provider core only

    2. Feature is enhanced so static labels can be used for VRF trafficat the VPN edge for CSC networks:In 12.0(26)S, the MPLS LDP—VRF-Aware Static Labels feature was

    introduced, allowing MPLS static labels to be used for VRF traffic at the VPN edge.

    In 12.3(14)T, 12.2(33)SRA,12.2(33)SXH, 12.2(33)SB, this feature was integrated.

  • 56© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID

    Best Practice Recommendations1. Do not use Static default routes on CSC-CE

    Need end-end LSP is required across the VPN and MPLS VPN backbone

    2. Use dynamic protocol instead of static on CSC-CE –CSC-PE link

    3. Set Next-Hop-Self on PEs carrying external routes4. If using IGP on CSC-CE routers, use filters to limit

    incoming routes from the CSC-PE side5. If using RRs in customer carrier network, set next-

    hop-unchanged on RRs6. If using BGP on CSC-PE-CE link, use as-override on

    CSC-PE

  • 57© 2009 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID