MPLS Enterprise Switching (transcript of lvk.cs.msu.su/~vbabernov/BRKMPL-1102.pdf)
MPLS Enterprise Switching Product Update and Designs
Sankar Venkat Product Manager
Minhaj Uddin Technical Marketing Engineer
Session ID : BRKMPL-1102
Agenda
• Introduction
• Segmentation in Enterprise
• MPLS Designs for Enterprise
• MPLS Product Update
• MPLS Configurations
• Q&A
• Summary
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Session Goals
This session focuses on MPLS for campus switching network deployments.
At the end of the session, participants should:
• Understand the different segmentation options
• Understand the building blocks of MPLS in the enterprise
• Understand the different MPLS designs and use cases
• Understand the product options for an MPLS design
• Understand typical configurations for MPLS in the enterprise
BRKMPL-1102 4
MPLS Enterprise Requirements
A single standards-based segmentation technology across LAN and WAN.
Basic MPLS features:
• Enterprise/Campus segmentation
• L3 VPN (IPv4), L3 VPN (IPv6)
• L2 VPN (EoMPLS)
• Multicast VPN (MVPN)
Advanced MPLS features:
• Data Center Interconnect / inter-campus connect over WAN
• L2 extensions with EoMPLS
• Pseudowires, VPLS, H-VPLS, Advanced VPLS
• MPLS services with NetFlow, QoS, Multicast
• Multi-tenancy / dual homing
• Traffic Engineering, High Availability / Fast Reroute
Network Virtualization with MPLS
[Figure: one MPLS fabric end to end. Campus: L2 access, L3 (MPLS) core, L2 access. Enterprise WAN (MPLS) with PE/CE edge toward the SP network and the Internet. Data centers (Bay Area DC, AsiaPac DC, Washington DC) with a mirrored backup data center, storage L2 VPN and DC interconnect over MPLS L2 VPN. Roles shown: Enterprise Segmentation, Data Center, Enterprise WAN Edge, Service Provider; branch-to-DC connectivity.]
Segmentation in Enterprise
Factors for Network Segmentation
• Unique security policies per logical domain
• Traffic isolation per application, group, service, etc.
• Logically separate traffic using one physical infrastructure
[Figure: three virtual "private" networks (Merged Company, Isolated Services, Guest Access) overlaid on the actual physical infrastructure]
Network Segmentation Benefits
• Service isolation
  – Telephony systems, badging, building control, surveillance
  – Security policies are unique to each virtual group/service
• Meet regulatory compliance requirements
  – HIPAA, PCI, SOX, etc.
[Figure: virtual networks rated Low, Medium and High security sharing one physical infrastructure]
Network Segmentation Use Cases
• Line of business: HR, Finance, Sales, Partner, Internet
• Payment Card Industry: POS network separated from the other network
• Hospital network: Doctor, Staff, Medical Device
• Bring-Your-Own-Device (BYOD)
• Mergers and Acquisitions
• Multi-Tenancy
Segmentation Options in Enterprise
Traditional Segmentation
• VLAN/VRF-Lite based segmentation (Voice VLAN, Data VLAN, Guest VLAN)
• Policy enforcement is done using ACLs and firewall rules
• CLI based manageability
MPLS Based Segmentation
• L2/L3 VPN based logical segmentation (one VPN per group of endpoints)
• MPLS labels are used to identify the groups and keep their traffic isolated
• CLI based manageability
TrustSec Based Segmentation
• User/device group based segmentation
• Security Group Tags (SGT) are used to create user/device group policies
• Cisco ISE based manageability
Limitations of Traditional Segmentation
[Figure: access layer with Voice, Data, Guest, BYOD and Non-Compliant/Quarantine VLANs (Voice, Employee, Supplier, BYOD endpoints), VACLs at the aggregation layer, the enterprise backbone and the applications; beside it a long IP-address-based ACL (access-list 102 with dozens of permit/deny lines) standing for the policy that has to be maintained by hand]
• Security policy is tied to topology (IP addresses and VLANs)
• Not scalable
• Complex provisioning
• No notion of user/device group
VLAN Based Segmentation
• Classification: static or dynamic VLAN assignment
• Propagation: carry the "segment" context through the network using VLAN, IP address, VRF-Lite
• Enforcement: IP based policies – ACLs, firewall rules
Cisco TrustSec Segmentation: Simplified Segmentation with Group Based Policy
[Figure: campus switches classify endpoints (Voice, Employee, Supplier, Non-Compliant) in VLAN A / VLAN B and assign Employee, Supplier and Non-Compliant tags; the tag travels across the enterprise backbone; enforcement at the DC switch or firewall in front of the application servers and shared services; ISE distributes the policy; the DC switch receives policy only for what is connected to it]
• Classification: static or dynamic SGT assignment
• Propagation: carry the "group" context through the network using only the SGT
• Enforcement: group based policies – ACLs, firewall rules
Agenda
• Introduction ✓
• Segmentation in Enterprise ✓
• MPLS Designs for Enterprise
• MPLS Product Update
• MPLS Configurations
• Q&A
• Summary
MPLS Designs for Enterprise
Why choose MPLS in Enterprise?
• End-to-end solution – Campus, MAN, WAN, DC head-end
  – Standards-based
• Layer 3 VPN / Segmentation
  – IPv4 VPN
  – Any-to-any connectivity
  – Multicast VPN
• Layer 2 VPN
  – Ethernet over MPLS
  – Point-to-point pseudowire
  – Multipoint – VPLS / H-VPLS
• IPv6
  – 6VPE
  – 6PE
• MPLS Services
  – MPLS QoS
  – MPLS over WAN
  – Path selection
  – Traffic Engineering
  – Node/link protection
  – Fast Reroute (FRR), ~50 ms switchover
MPLS Fundamentals ReCap
Device Virtualization
Physically one device, logically many devices:
– Control plane
– Data plane
Virtual devices:
– Switch
– Router
– Firewall
VRF: Virtual Routing and Forwarding (e.g. VRF Green, VRF Red and VRF Blue on one device, each with its own routing table)
MPLS-VPN Terminology
PE (Provider Edge) router
– Imposes and removes MPLS labels
– Runs an IGP, LDP and MP-BGP
P (Provider) router
– Connects to the PEs; swaps (and, with penultimate hop popping, pops) the transport label without looking at the VPN label or the IP payload
– Runs an IGP and LDP; holds no VRF state
CE (Customer Edge) router
– Connects into the PE; no MPLS on the CE side
Label Distribution Protocol (LDP)
– Binds labels to IGP prefixes
Multi-Protocol BGP
– Address-family support (IPv4, IPv6, multicast, etc.)
– Used for VRF route exchange between PEs
[Figure: PE – P – P – PE; LDP on each hop, one MP-BGP session between the PEs]
MPLS VPN packet format
Label stack imposed by the ingress PE:
| IGP label (4 bytes) | VPN label (4 bytes) | original packet |
The outer IGP (transport) label carries the packet across the P routers to the egress PE; the inner VPN label tells the egress PE which VRF and next hop to forward into.
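Worked example of the label stack above, added here and not part of the original deck: a Python encoder/decoder for the 4-byte label entries, the two-label imposition an ingress PE performs, the outer-label swap a P router performs, and the pop at the egress PE. The label values, TTLs and the IPv4 header bytes are constructed for illustration, and the function names are this example's own.

```python
"""MPLS label stack: encode, decode and walk a two-label L3VPN stack.

Added example (not code from the slides).  Each stack entry is 4 bytes
(RFC 3032): 20-bit label, 3-bit TC/EXP, 1-bit bottom-of-stack (S), 8-bit TTL.
An L3VPN packet carries the outer IGP label, the inner VPN label, then the
original IP packet.  All label values and the payload are constructed.
"""
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class LabelEntry:
    label: int   # 0 .. 2**20-1 (0-15 are reserved labels)
    exp: int     # 0 .. 7, the TC/EXP bits MPLS QoS classifies on
    bos: bool    # bottom-of-stack flag
    ttl: int     # 0 .. 255

    def to_bytes(self) -> bytes:
        if not 0 <= self.label < (1 << 20):
            raise ValueError("label out of range")
        if not (0 <= self.exp < 8 and 0 <= self.ttl < 256):
            raise ValueError("exp or ttl out of range")
        word = (self.label << 12) | (self.exp << 9) | (int(self.bos) << 8) | self.ttl
        return struct.pack("!I", word)

    @classmethod
    def from_bytes(cls, data: bytes) -> "LabelEntry":
        (word,) = struct.unpack("!I", data[:4])
        return cls(word >> 12, (word >> 9) & 0x7, bool((word >> 8) & 1), word & 0xFF)


def impose_vpn_stack(igp_label: int, vpn_label: int, exp: int, ttl: int, packet: bytes) -> bytes:
    """Ingress PE: push [IGP label][VPN label] in front of the original packet."""
    outer = LabelEntry(igp_label, exp, False, ttl).to_bytes()
    inner = LabelEntry(vpn_label, exp, True, ttl).to_bytes()
    return outer + inner + packet


def parse_stack(data: bytes):
    """Walk entries until the S bit is set; return (entries, payload after the stack)."""
    entries, offset = [], 0
    while True:
        if offset + 4 > len(data):
            raise ValueError("truncated label stack: no bottom-of-stack entry")
        entry = LabelEntry.from_bytes(data[offset:offset + 4])
        entries.append(entry)
        offset += 4
        if entry.bos:
            return entries, data[offset:]


def p_router_swap(data: bytes, new_outer_label: int) -> bytes:
    """P router: rewrite only the top label and decrement its TTL.  It never
    inspects the VPN label or the IP packet, which is why P routers hold no
    VRF state."""
    outer = LabelEntry.from_bytes(data[:4])
    if outer.ttl <= 1:
        raise ValueError("TTL expired in the core")
    swapped = LabelEntry(new_outer_label, outer.exp, outer.bos, outer.ttl - 1)
    return swapped.to_bytes() + data[4:]


def egress_pe_pop(data: bytes):
    """Egress PE: strip whatever stack is left (one entry after penultimate hop
    popping, two otherwise) and return (vpn_label, original packet)."""
    entries, packet = parse_stack(data)
    return entries[-1].label, packet


if __name__ == "__main__":
    # constructed 20-byte IPv4 header (172.16.1.1 -> 172.16.4.1), checksum not meaningful
    ip_packet = bytes.fromhex("4500001c0001000040117a6bac100101ac100401")
    pkt = impose_vpn_stack(igp_label=16, vpn_label=24, exp=3, ttl=255, packet=ip_packet)
    pkt = p_router_swap(pkt, 17)          # P2 swaps outer label 16 -> 17
    vpn_label, original = egress_pe_pop(pkt)
    print(vpn_label, original == ip_packet)
```

The P router function is the point: it only ever reads the first four bytes, so a VPN label or customer IP header can never influence core forwarding, and conversely nothing in the core authenticates the VPN label; isolation rests on the PEs only ever installing labels learned through MP-BGP.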
MPLS-VPN – Label Exchange
[Figure: PE1 holds VRF RED (RT 1:1, 172.16.1.0) and VRF GRN (RT 1:2, 172.17.1.0), each with its own routing table and FIB; P2 and P3 run OSPF and exchange IGP labels (FIB/LFIB); PE4 holds VRF RED (172.16.4.0) and VRF GRN (172.17.4.0). PE1 advertises over MP-BGP "172.16.1.0 RT=1:1 NH=PE1 VPN label" and "172.17.1.0 RT=1:2 NH=PE1 VPN label"; PE4 imports each route into the VRF whose import RT matches.]
MPLS-VPN – Packet Flow
[Figure: same topology as the label-exchange slide. The ingress PE looks up the destination in the VRF FIB, pushes the VPN label advertised by the egress PE and the IGP label toward that PE (4-byte IGP label, 4-byte VPN label, original packet); P2/P3 swap the IGP label using the LFIB; the egress PE pops the VPN label and forwards within VRF RED or VRF GRN.]
MPLS-VPN Terminology
Route Target (RT)
– 64-bit extended community used for importing and exporting routes between VRFs; this is what decides which VRFs see a route
Route Distinguisher (RD)
– 64-bit value prepended to a prefix to keep overlapping prefixes of different VPNs unique inside MP-BGP; it carries no import/export policy
VPN-IPv4 address
– 64-bit Route Distinguisher + 32-bit IPv4 address (96 bits)
VPN-IPv6 address
– 64-bit Route Distinguisher + 128-bit IPv6 address (192 bits)
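Added example (not from the deck) to make the RD/RT distinction concrete: it encodes the RD and the 96-bit VPN-IPv4 address in their wire form, then models RT import/export across the VRF RED / VRF GRN setup of the label-exchange slides. The audit function shows the failure mode that matters for segmentation: one extra import RT on a VRF merges two VPNs without any error. VRF names, RDs, RTs and prefixes are constructed, and the function names are this example's own.

```python
"""Route Distinguisher vs. Route Target in an MPLS L3VPN.

Added example (not code from the slides).  Encodes the 64-bit RD and the
96-bit VPN-IPv4 address, then models RT import/export across VRFs so that
the difference is visible: the RD only keeps overlapping prefixes distinct
inside MP-BGP, while the RTs decide which VRF receives a route, and a stray
import RT silently merges two "isolated" VPNs.  VRF names, RDs, RTs and
prefixes are constructed.
"""
import ipaddress
import struct
from dataclasses import dataclass, field


def encode_rd(rd: str) -> bytes:
    """8-byte wire form: type 0 = ASN(2):number(4), type 1 = IPv4(4):number(2)."""
    admin, assigned = rd.split(":")
    if "." in admin:
        return struct.pack("!H4sH", 1, ipaddress.IPv4Address(admin).packed, int(assigned))
    return struct.pack("!HHI", 0, int(admin), int(assigned))


def vpnv4_address(rd: str, prefix: str) -> bytes:
    """RD (64 bits) + IPv4 address (32 bits) = the 96-bit VPN-IPv4 address
    carried in the MP-BGP NLRI (the prefix length travels alongside it)."""
    return encode_rd(rd) + ipaddress.IPv4Network(prefix).network_address.packed


@dataclass
class VRF:
    name: str          # the VPN this VRF belongs to (RED, GRN, ...)
    rd: str
    export_rt: set
    import_rt: set
    local_prefixes: set = field(default_factory=set)


def bgp_table(vrfs):
    """What every PE advertises into MP-BGP: (VPN-IPv4 address, prefix, RTs, origin VPN)."""
    return [(vpnv4_address(v.rd, p), p, frozenset(v.export_rt), v.name)
            for v in vrfs for p in sorted(v.local_prefixes)]


def imported(vrf, table):
    """A VRF imports a route iff at least one of the route's RTs is in its import list."""
    return {p for _, p, rts, _ in table if rts & vrf.import_rt}


def cross_vpn_imports(vrfs, table):
    """Audit: routes that land in a VRF of a different VPN than the one that exported them."""
    return {(origin, v.name, p)
            for v in vrfs for _, p, rts, origin in table
            if rts & v.import_rt and origin != v.name}


def example_pes():
    """PE1 and PE4 as in the slides: VRF RED (RT 1:1) and VRF GRN (RT 1:2) on each."""
    return [
        VRF("RED", "1:1", {"1:1"}, {"1:1"}, {"172.16.1.0/24"}),   # PE1
        VRF("GRN", "1:2", {"1:2"}, {"1:2"}, {"172.17.1.0/24"}),   # PE1
        VRF("RED", "4:1", {"1:1"}, {"1:1"}, {"172.16.4.0/24"}),   # PE4
        VRF("GRN", "4:2", {"1:2"}, {"1:2"}, {"172.17.4.0/24"}),   # PE4
    ]


if __name__ == "__main__":
    vrfs = example_pes()
    table = bgp_table(vrfs)
    print("PE4 VRF RED sees:", sorted(imported(vrfs[2], table)))
    print("leaks:", cross_vpn_imports(vrfs, table))
    vrfs[3].import_rt.add("1:1")   # one wrong "route-target import" on PE4 VRF GRN
    print("leaks after misconfig:", cross_vpn_imports(vrfs, table))
```

The same check is worth running against a real configuration export: collect every VRF's import and export RT sets, and flag any RT that is imported by VRFs belonging to more than one VPN unless that sharing (for example a shared-services VRF) is intended.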
MPLS-VPN – Routing and Switching
[Figure: CE – PE – P – P – PE – CE with an MPLS VPN between the PEs. In campus switching terms: Access = CE (routing/switching), Distribution = PE, Core = P.]
MPLS L3 VPN
MPLS L3 VPN Campus Segmentation Use Cases: End-to-End Network Virtualization
[Figure: three campus topologies each carrying an L3 VPN: Standard Access (Access/Distribution/Core, C3850 at the access), Routed Access (Access/Distribution/Core, C3850 at the access), Collapsed Access (Access/Core)]
MPLS L3 VPN for IPv4
[Figure: sites A, B, C and D, each with a PE at the distribution layer and CEs at the access layer; P/Core routers in between; IGP in the core, MP-BGP between the PEs; IPv4 VRFs BLUE, RED and GREEN at the sites, each VRF present only where that site has members]
MPLS L3 VPN for IPv6 (6VPE)
[Figure: the same four sites as the IPv4 slide with 6PE/Distribution PEs; IPv4 VRFs BLUE and GREEN next to IPv6 VRF RED, all carried over the same IPv4 MPLS core]
• IPv6 VPN Provider Edge (6VPE) over MPLS
• 6VPE is a regular IPv4 MPLS VPN provider edge (PE) with the addition of IPv6 support within a VRF
• Provides logically separate routing table entries for VPN member devices, for both IPv4 and IPv6
IPv6 over MPLS (6PE)
• P routers in the MPLS core are not IPv6 aware and use only the IPv4 MPLS control plane
• PE routers are dual stack: IPv4 MPLS control plane toward the core, native IPv6 toward the IPv6 routers
• P and PE routers share a common IPv4 IGP
• 6PE routers are MP-BGP4 capable; IPv6 routes are carried with an IPv4-mapped next hop and a label
[Figure: IPv6 islands attached to 6PE routers, MP-BGP between the 6PEs, P/Core routers in the middle]
MPLS-VPN BGP Scalability – iBGP Neighbor Relationships
iBGP requires a full mesh of neighbors: N * (N-1) / 2 sessions. For 8 PEs, 8 * 7 / 2 = 28 sessions.
MPLS-VPN Scale Considerations
BGP Scalability – Route Reflectors
[Figure: a redundant pair of route reflectors peering with all PEs]
• Use "purpose-built" route reflectors
• Don't place RRs in the data path
• Geographically diverse
• Non-transit devices
L2 VPNs
L2-VPN Basics
Pseudowire packet: | MPLS (tunnel) label | MPLS (VC) label / PW-ID | Ethernet header | Ethernet payload |
One pseudowire between two PEs across the MPLS network: each side points xconnect at the other PE's loopback with the same VC ID (123 here).

! PE with loopback 192.168.0.1
interface Loopback0
 ip address 192.168.0.1 255.255.255.255
!
interface Ethernet0/0
 no ip address
 xconnect 192.168.0.2 123 encapsulation mpls
!
! PE with loopback 192.168.0.2
interface Loopback0
 ip address 192.168.0.2 255.255.255.255
!
interface Ethernet0/0
 no ip address
 xconnect 192.168.0.1 123 encapsulation mpls
Virtual Private LAN Service (VPLS)
[Figure: PE-1, PE-2 and PE-3 fully meshed with pseudowires; CE-1 and CE-2 attached]
• VPLS allows MPLS networks to offer Layer 2 Ethernet services
• It provides a multipoint Ethernet service, whereas EoMPLS is point-to-point
• The service provider emulates an IEEE Ethernet bridge network
• No routing interaction between customer and service provider networks
• Virtual bridges linked with virtual ports, aka pseudowires (PWs)
Hierarchical VPLS (H-VPLS) for VPLS Scaling
• Scales VPLS deployments
• Use cases: Campus/DC interconnect, DCI
[Figure: DC1-CE, DC2-CE and DC3-CE attach over 802.1Q to U-PE1/U-PE2, which connect to N-PE1, N-PE2 and N-PE3 in the MPLS core]
Advanced Virtual Private LAN Service (A-VPLS)
• A-VPLS is built on top of the VPLS infrastructure
• Simplifies VPLS configuration
• Enhances VPLS load balancing and high availability
• Use cases: Campus/DC interconnect, DCI
[Figure: A-VPLS multipoint service; PE-1, PE-2 and PE-3 each with a VFI, CE-1 and CE-2 attached]
Other MPLS Transport Options
[Figure: native campus MPLS frame: Ethernet header | MPLS label(s) | IP header | data. MPLS over an L3 tunnel: Ethernet header | tunnel (GRE/IP) header | MPLS label(s) | IP header | data.]
Point-to-point
– MPLS over GRE
Multipoint
– MPLS-VPN over mGRE
– MPLS over DMVPN
MPLS-VPN over mGRE
MPLS VPN over mGRE
[Figure: CE1 – PE1 – IP core – PE2 – CE2; IPv4 route exchange on each PE-CE side; packet in the core: IP header (src/dst PE addresses) | GRE header | VPN label | original packet]
• VPN traffic is forwarded by the PEs using separate routing instances (VRFs)
• A GRE header and the VPN label are imposed on VPN traffic
• Packets are switched to the egress PE based on the outer IP/GRE header
• The egress PE uses the VPN label to forward the packet to the remote CE
Ties MPLS VRFs across sites with an IP multipoint GRE tunnel over an IP core
MPLS QoS
MPLS QoS – Uniform Mode: Propagate EXP Markings
[Figure: CE – PE – P – PE – CE. Ingress PE: "match ip prec 4 / set mpls exp imposition 6", so an IPP 4 packet enters the core with EXP 6; P routers: "match mpls exp 6 / priority"; egress PE pops the label.]
The "mpls propagate-cos" command on the egress PE copies the EXP value down into the IP packet's precedence after the pop, so the packet reaches the CE as IPP 6. Without it the IP ToS byte is left unchanged by default (IPP 4).
MPLS QoS – Short Pipe Mode
[Figure: same CE – PE – P – PE – CE path and the same imposition policy (IPP 4 in, EXP 6 in the core); after the pop the packet still carries IPP 4.]
Egress classification is based on the IP DSCP/precedence, not the MPLS EXP; the core keeps a consistent policy on EXP.
MPLS QoS – Pipe Mode
[Figure: same path and imposition policy; after the pop the packet still carries IPP 4.]
Egress classification on the CE-facing interface is based on the ingress EXP (6), not the IP DSCP; the IP ToS byte is left unchanged.
MPLS QoS Options Summary: Uniform, Pipe and Short Pipe Modes
Uniform Mode:
Consistent QoS classification/marking throughout the network, including the CE and the core routers. The EXP marking is propagated to the underlying ToS byte on egress, so any remarking done in the core becomes visible to the customer.
Short Pipe Mode:
QoS policies implemented in the core do NOT propagate to the packet ToS byte. Classification based on MPLS EXP ends at the customer-facing egress PE interface, and egress queuing is based on the IPP/DSCP values in the IP header (supported – default mode).
Pipe Mode:
Like Short Pipe Mode except that at the egress PE, classification on the CE-facing interface is done based on the ingress EXP; the ToS byte is still left untouched.
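Added example, not from the deck, that walks one packet through the three modes with the slides' values (IPP 4 at the CE, EXP 6 imposed at the ingress PE) and shows what the egress PE classifies on and which ToS byte the CE receives. The Packet class, the function names and the imposition_policy mapping are this example's own simplification; the default of copying IP precedence into EXP and the effect of mpls propagate-cos follow the slides.

```python
"""MPLS QoS tunnelling modes: Uniform, Pipe and Short Pipe.

Added example (not code from the slides).  Models the IP ToS byte of the
customer packet and the EXP bits of the label as a packet crosses
CE -> ingress PE (imposition) -> P -> egress PE (pop) -> CE, and records
what each hop classifies on.  The marking values (IPP 4 in, EXP 6 imposed)
follow the slides; the model, function names and Packet class are this
example's own.
"""
from dataclasses import dataclass, field
from typing import Optional


def ip_precedence(tos: int) -> int:
    """IP precedence is the top 3 bits of the ToS byte."""
    return (tos >> 5) & 0x7


def set_precedence(tos: int, prec: int) -> int:
    """Rewrite only the precedence bits, leaving the low 5 bits of ToS alone."""
    return ((prec & 0x7) << 5) | (tos & 0x1F)


@dataclass
class Packet:
    tos: int                        # ToS byte of the original IP packet
    exp: Optional[int] = None       # EXP of the label while inside the MPLS core
    trace: list = field(default_factory=list)   # (hop, classified on, value)


def ingress_pe(pkt: Packet, imposition_policy: Optional[dict] = None) -> Packet:
    """Label imposition.  Default IOS behaviour copies IP precedence into EXP;
    a policy like 'match ip prec 4 / set mpls exp imposition 6' overrides it."""
    prec = ip_precedence(pkt.tos)
    pkt.exp = imposition_policy.get(prec, prec) if imposition_policy else prec
    pkt.trace.append(("ingress PE", "ip precedence", prec))
    return pkt


def p_router(pkt: Packet) -> Packet:
    """Core routers queue on EXP only ('match mpls exp 6 / priority'); the IP
    header is never touched in any mode."""
    pkt.trace.append(("P", "mpls exp", pkt.exp))
    return pkt


def egress_pe(pkt: Packet, mode: str) -> Packet:
    """Pop the label.  The mode decides whether EXP is written back into the
    IP header and what the CE-facing queueing classifies on."""
    exp, pkt.exp = pkt.exp, None
    if mode == "uniform":            # mpls propagate-cos: EXP copied down to IPP
        pkt.tos = set_precedence(pkt.tos, exp)
        pkt.trace.append(("egress PE", "ip precedence", ip_precedence(pkt.tos)))
    elif mode == "pipe":             # ToS untouched, classify on the remembered EXP
        pkt.trace.append(("egress PE", "ingress exp", exp))
    elif mode == "short pipe":       # ToS untouched, classify on the IP header (default)
        pkt.trace.append(("egress PE", "ip precedence", ip_precedence(pkt.tos)))
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return pkt


def run(tos: int, mode: str, imposition_policy: Optional[dict] = None) -> Packet:
    """Send one packet CE -> PE -> P -> PE -> CE and return it with its trace."""
    pkt = Packet(tos)
    return egress_pe(p_router(ingress_pe(pkt, imposition_policy)), mode)


if __name__ == "__main__":
    for mode in ("uniform", "short pipe", "pipe"):
        p = run(tos=4 << 5, mode=mode, imposition_policy={4: 6})
        print(f"{mode:10s} final IPP {ip_precedence(p.tos)}  trace {p.trace}")
```

Only Uniform mode changes bytes the customer owns; with the default Short Pipe behaviour the core's EXP remarking is invisible to the CE, which is usually what an enterprise wants when the same VRF crosses a provider core it does not control.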
Agenda
• Introduction ✓
• Segmentation in Enterprise ✓
• MPLS Designs for Enterprise ✓
• MPLS Product Update
• MPLS Configurations
• Q&A
• Summary
MPLS Product Update
MPLS Catalyst Campus Switching Portfolio
Industry-Leading Campus Backbone Platform
[Figure: features vs. scale axes. Fixed: Catalyst 6880-X (up to 80 10G ports), Catalyst C6840-X (up to 40 10G ports), Catalyst 3650/3850 (12p/24p/48p 10G 1RU aggregation; stackable access; MPLS Jul 16). Modular: Catalyst 6K. * Roadmap item]
MPLS Portfolio – Catalyst 3K
Catalyst 3850 Series
MPLS on UADP-powered stackable access programmable switches (MPLS shipping in Jul 2016)
• Wireless CAPWAP termination, up to 2000 clients per stack
• Up to 100 APs per stack, 40G wireless per switch
• 40 Gbps uplink bandwidth
• 480 Gbps stacking bandwidth, StackPower
• FRU fans, power supplies
• Granular QoS / Flexible NetFlow
• Line rate on all ports
• Full PoE+ and UPOE, Multigigabit (mGig)
• MPLS
Cisco Catalyst 3850 Multigigabit Ethernet: MPLS on Access with Multigigabit Ethernet (MPLS shipping in Jul 2016)
48-port version – downlinks: 36 x 1G line-rate 10/100/1000BASE-T, 12 x GE/mGig/10GT; PoE/PoE+/UPoE, EEE, MACsec
24-port version – downlinks: 24 x GE/mGig/10GT; PoE/PoE+/UPoE, EEE, MACsec
Uplinks (both): 4 x 10GE SFP+, 2 x 40G QSFP (new), 8 x 10G SFP+ (new)
Catalyst 3850 10G: 12 and 24 Port (MPLS shipping in Jul 2016)
UADP ASIC, Converged Access, StackWise-480, StackPower, line rate, 1+1 power redundancy
Network modules: C3850-NM-4x10G, C3850-NM-2x40G, C3850-NM-8x10G
Catalyst 3850 10G: 48 Port (MPLS shipping in Jul 2016)
UADP ASIC, Converged Access, line rate; no StackWise or StackPower on the 48p SKU
48 x SFP+ fixed, 4 x QSFP fixed
Front-to-back and back-to-front fan and power supply options; new 750W AC power supplies; 1+1 power supply redundancy
Cisco Catalyst 3650 Switch
MPLS on UADP-powered stackable access programmable switches (MPLS shipping in Jul 2016)
• Optional StackWise-160, 9-member stack
• Dual FRU power supplies, FRU fans
• Full NetFlow/QoS for wired and wireless
• MPLS, PoE+, EEE, MACsec
• 40G wireless capacity per switch; 802.11n/802.11ac; 50 APs and 1000 clients per stack
• Fixed uplinks: 4 x 1G, 2 x 10G, 4 x 10G, 2 x 40G (new), 8 x 10G (new)
• Multi-core CPU, line rate on all ports
• Multigigabit (mGig), new
MPLS Portfolio – Catalyst 6K
The New Catalyst 6807-XL: Taking Catalyst 6K Up to 880G/Slot
• Investment protection: compatible with Sup2T, 6700, 6800, 6900 Series and the latest service modules; backwards-compatible backplane connectors; Catalyst 6500 DNA
• 7 slots, 10 RU
• Low power and noise, high-efficiency fans
• Up to 4 (N+1) power supply redundancy, 3000W AC
• Up to 880G/slot capable, next-generation ready
• Side-to-side airflow (redirectable via airflow baffles)
Supervisor 6T: Taking Catalyst 6800 to a New Level (shipping)
• VSS, LISP, SGT, MACsec, HQoS on all ports
• Fiber and copper management and console ports
• 1M IPv4 routes, 1M NetFlow, 256K QoS/ACL
• 2 x 40G QSFP and 8 x 10G SFP+ uplinks
• High-scale control plane with x86 CPU
• Improved fabric: 440G/slot in the 6807-XL
• Feature parity with Sup2T from day 1: 3500+ features
C6800 Multi-Rate Line Cards: Not Every Port is Created Equal!
• 32 ports of SFP/SFP+ or up to 8 ports of QSFP (* with the CVR-4SFP-QSFP adapter); 10/100/1000M GLC-T, 100M FX
• 250MB per port, 500MB per port in performance mode
• VSS, SGT, MACsec, LISP, HQoS
• 160G throughput, performance mode for line rate
• 1M IPv4 routes, 2M NetFlow, 256K QoS and ACL
• Feature-rich MPLS
The Catalyst 6880-X: C6K-Based "Extensible" Fixed Platform
• Fixed supervisor module, x86 2.0 GHz CPU, up to 4GB DDR3 DRAM
• Each card has 16 x 1G/10G or up to 4 x 40G ports; up to 80 x 1G/10G ports
• VSS, MPLS, VPLS, LISP, MACsec, SGT on every port
• Low-power and low-noise fans, platinum efficiency, redundant AC and DC power supplies
• Front-serviceable power supplies and fan tray, NEBS Level 3-compliant platform
The New Catalyst 6840-X: All Catalyst 6800 Features in a Smaller Fixed Form Factor (shipping since October 2015)
• 2RU, 21.8" deep
• 16, 24, 32 or 40 SFP+ uplinks; 2 models with 2 QSFP uplinks; convert 4 x SFP+ to QSFP*
• 256K IPv4 routes, 1.5M NetFlow, 64K QoS/ACL
• High-scale control plane with 2.0GHz CPU; higher scale for IA
• VSS, MPLS, LISP, SGT, MACsec, HQoS, etc.
• 750W or 1100W power, redundant AC/DC, front-to-back airflow
MPLS Portfolio – Nexus 7K
MPLS on Nexus 7K - M Series
Nexus 7700 M3 Series (new): 10G and 40G modules; 48 x 1/10G SFP+ ports, 24 x 40G QSFP ports
• Large table size and packet buffers: 2M FIB (1M at FCS), 128K ACL/QoS, 384K MAC (128K at FCS)
• MACsec 256-bit AES
• Deep buffers
Nexus M2 Series modules: N7K-M224XP-23L, N7K-M202CF-22L, N7K-M206FQ-23L
MPLS on Nexus 7K - F3 Series
Nexus F3 Series modules for Cisco Nexus 7000/7700: Nexus 7000 F3 10G, 40G, 100G; Nexus 7700 F3 10G, 40G, 100G
What product option do I choose…
MPLS Deployment Options – Medium to Large Campus
[Figure: Standard Access: Catalyst 3850/3650 at the access, C6K/N7K at distribution and core, MPLS from the distribution up. Routed Access: Catalyst 3850/3650 or 4500 at the access, C6K/N7K at distribution and core, MPLS from the access up.]
Key design factors: VRF/route scale, port density, MPLS features, fixed vs. modular in access/backbone
MPLS Deployment Options – Small to Medium Campus
[Figure: Standard Access: C3850/C3650 access, C3850 distribution, C6840-X core. Collapsed Access: C3850/C3650 access + distribution, C6840-X/C3850 core. Routed Access: C3850/C3650 access, C3850 distribution, C6840-X core. MPLS in each.]
Unprecedented Services
Catalyst Campus Innovations
• Secure segmentation with TrustSec
• One policy with Identity Services Engine
• NG PnP for zero-touch deployment of network devices
• Programmable enterprise campus fabric
• Network as sensor with device profiler, NetFlow and Wireshark
• One network with Converged Access
• One management with Prime Infrastructure
• High availability with VSS, ISSU and StackPower
• UADP Flexparser ASIC, SDN-ready
• UPOE to connect a broad range of endpoints: VDI and LED lights
• Simplified operations with Instant Access
• Maximize throughput and resiliency with VSS
• IT simplicity with Auto Conf, Interface Template and EEM; rich-media experiences
• Energy savings
Robust Enterprise Security: IPv6 First Hop Security
Robust security for the next generation enterprise (the slide groups these as core features, advanced features, and scalability and performance):
• RA Guard – protection against rogue or malicious Router Advertisements and man-in-the-middle attacks
• DHCPv6 Guard – protection against invalid DHCP offers, DoS and man-in-the-middle attacks
• Source/Prefix Guard – protection against invalid source addresses, invalid prefixes and source address spoofing
• Destination Guard – protection against DoS attacks, scanning and invalid destination addresses
• RA Throttler – facilitates scale by converting multicast RA traffic to unicast
• ND Multicast Suppress – reduces control traffic and improves performance
Application Visibility with Flexible NetFlow
[Figure: Flexible NetFlow visibility across campus and branch into a collector ecosystem; flow keys include IP, ports, TCP flags, UDP flags, L2 MAC, L2 VLAN, IPv6, IP options, multicast, …; outcomes: day-0 attack and anomaly detection, compliance, SLA, application monitoring and troubleshooting, capacity planning; control through EEM integration; covers mobility, unified communications and network virtualization]
Capabilities
• Unprecedented visibility with new L2–L7 fields
• Scalable, flexible flow monitors
• Customizable policy action with EEM
• Broad collector partner ecosystem
Benefits
• Lower CAPEX/OPEX
• Better insight for network capacity planning
• Better service and user experience
• Increased IT staff productivity and IT security
Agenda
• Introduction ✓
• Segmentation in Enterprise ✓
• MPLS Designs for Enterprise ✓
• MPLS Product Update ✓
• MPLS Configurations
• Q&A
• Summary
MPLS Configurations
• L3VPN
• L2VPN
• MPLS-VPN Services
L3VPN: MPLS VPN Protocols
• PE-CE: an IGP (OSPF, RIPv2, EIGRP), eBGP or static routes exchange routes between the PE and CE devices, separately per VRF
• PE-PE: MP-iBGP exchanges VPNv4 (and VPNv6) routes between the PE devices
• PE-P: an IGP (OSPF, IS-IS) plus MPLS label forwarding (LDP) between PE and P devices
[Figure: Access (CE) – Distribution (PE) – Core (P) – Core (P) – Distribution (PE) – Access (CE), VRF Green and VRF Blue at each edge, an L3 VPN between the PEs]
L3VPN: PE-CE with OSPF
[Figure: CE – PE – P – P – PE – CE, OSPF on the PE-CE links, VRF Green and VRF Blue]
VRF definition and PE-CE OSPF on the PE:

! Define the VRF: the RD keeps its prefixes unique, the RTs decide who imports them
ip vrf VPN-Green
 rd 1:1
 route-target import 100:1
 route-target export 100:1
!
vlan 10
!
! Bind the CE-facing SVI to the VRF before assigning the address
! (applying "ip vrf forwarding" removes an address that is already configured)
interface Vlan10
 ip vrf forwarding VPN-Green
 ip address 192.168.10.1 255.255.255.0
!
! Global OSPF for the core; a separate OSPF process per VRF toward the CE
router ospf 1
!
router ospf 2 vrf VPN-Green
 network 192.168.10.0 0.0.0.255 area 0
 redistribute bgp 1 subnets
!
! The reverse direction (VRF routes into MP-BGP) is configured under
! "router bgp 1 / address-family ipv4 vrf VPN-Green" with "redistribute ospf 2"
L3VPN: PE-CE with BGP and EIGRP
[Figure: CE – PE – P – P – PE – CE, eBGP on the PE-CE links, VRF Green and VRF Blue]
BGP (the CE is in AS 2):

router bgp 1
 !
 address-family ipv4 vrf VPN-Green
  neighbor 192.168.10.2 remote-as 2
  neighbor 192.168.10.2 activate
 exit-address-family
!

EIGRP:

router eigrp 1
 !
 address-family ipv4 vrf VPN-Green
  autonomous-system 1
  network 192.168.10.0 0.0.0.255
  no auto-summary
  ! Redistribute MP-BGP routes toward the CE with a seed EIGRP metric
  ! (bandwidth delay reliability load MTU)
  redistribute bgp 1 metric 100000 100 255 1 1500
 exit-address-family
!
L3VPN: PE-CE with RIP and Static
[Figure: CE – PE – P – P – PE – CE, RIP on the PE-CE links, VRF Green and VRF Blue]
RIP:

router rip
 !
 address-family ipv4 vrf VPN-Green
  version 2
  no auto-summary
  network 192.168.10.0
  ! "metric transparent" carries the BGP MED as the RIP hop count
  redistribute bgp 1 metric transparent
 exit-address-family
!

Static (a VRF-scoped route toward the CE; add "redistribute static" under the
VRF address-family of BGP to advertise it to the other PEs):

ip route vrf VPN-Green 10.1.1.0 255.255.255.0 192.168.10.2
L3VPN: PE-P
[Figure: CE – PE – P – P – PE – CE, OSPF and LDP between PE and P, VRF Green and VRF Blue]
Core-facing interface with LDP, and the core IGP:

interface x/x
 ip address 130.130.1.1 255.255.255.252
 ! enable LDP on the link (a routed port: "no switchport" first on a Catalyst)
 mpls ip
!
router ospf 1
 network 130.130.1.0 0.0.0.3 area 0
 ! the PE loopback used as the BGP next hop must also be advertised by the IGP
 ! so that an end-to-end LSP exists toward it
L3VPN: iBGP
[Figure: CE – PE – P – P – PE – CE, MP-iBGP session between the PE loopbacks, VRF Green and VRF Blue]
MP-iBGP session to the other PE (or route reflector) for the VPNv4 address family:

router bgp 1
 neighbor 1.2.3.4 remote-as 1
 neighbor 1.2.3.4 update-source Loopback0
 !
 address-family vpnv4
  neighbor 1.2.3.4 activate
  ! "both" sends standard and extended communities; RTs are extended
  ! communities, so without this no VRF on the far side imports the routes
  neighbor 1.2.3.4 send-community both
 exit-address-family
L3VPN: IPv6 VPN (6VPE)
[Figure: CE – PE – P – P – PE – CE, IPv4/IPv6 VRF Green and VRF Blue at each edge]
One VRF with both address families, the VPNv4 and VPNv6 sessions to the peer PE, and a PE-CE eBGP neighbor for IPv6:

PE#
!
vrf definition v2
 rd 2:2
 !
 address-family ipv4
  route-target export 1:2
  route-target import 1:2
 exit-address-family
 !
 address-family ipv6
  route-target export 2:2
  route-target import 2:2
 exit-address-family
!
router bgp 1
 !
 address-family vpnv4
  neighbor 10.13.1.21 activate
  neighbor 10.13.1.21 send-community both
 exit-address-family
 !
 address-family vpnv6
  ! same IPv4 peer; the IPv6 VPN routes carry an IPv4-mapped next hop
  neighbor 10.13.1.21 activate
  neighbor 10.13.1.21 send-community both
 exit-address-family
 !
 address-family ipv4 vrf v2
 exit-address-family
 !
 address-family ipv6 vrf v2
  neighbor 200::2 remote-as 30000
  neighbor 200::2 activate
 exit-address-family
MPLS Configurations
• L3VPN ✓
• L2VPN
• MPLS-VPN Services
MPLS L2VPN: L2VPN Protocols
[Figure: three campus sites (Access/Distribution, with CE and PE each) over the core; EoMPLS point-to-point between two PEs, VPLS among three; the attachment circuits are Ethernet ports or VLANs; VRF Green and VRF Blue shown at each site]
MPLS L2VPN: EoMPLS
[Figure: two sites, CE – PE – core – PE – CE; the attachment circuit is an Ethernet port or a VLAN]
13.13.13.13 is the remote PE loopback; VC ID 3 must match on both ends.

! VLAN mode: only frames tagged VLAN 3 are carried over the pseudowire
interface GigabitEthernet7/4.2
 encapsulation dot1Q 3
 xconnect 13.13.13.13 3 encapsulation mpls
 no shutdown
!
! Port mode: the whole port, all tags included, is carried
interface GigabitEthernet7/4
 xconnect 13.13.13.13 3 encapsulation mpls
 no shutdown
MPLS L2VPN: VPLS
[Figure: three sites, each CE – PE, over the core; VPLS among the PEs]
CE-facing L2 interface, the VFI, and the SVI that binds VLAN 200 to it:

! L2 interface configuration toward the CE (under the CE-facing interface)
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 200
 switchport mode trunk
!
! Define the VFI: one pseudowire per remote PE (full mesh);
! "manual" means the neighbors are listed here rather than autodiscovered
l2 vfi Cust_A manual
 vpn id 200
 neighbor 10.10.10.102 encapsulation mpls
!
! Bind the VFI to the VLAN
interface Vlan200
 xconnect vfi Cust_A
MPLS Configurations
• L3VPN ✓
• L2VPN ✓
• MPLS-VPN Services
Multicast VPN (MVPN)
[Figure: three sites, each CE – PE, over the MPLS backbone; the default MDT carries all groups of the VRF to every PE]
Configure the default MDT and data MDT for the VRF under the VRF definition:

ip multicast-routing
ip multicast-routing vrf test
!
ip vrf test
 rd 100:1
 route-target import 100:1
 route-target export 100:1
 ! default MDT: one core multicast group that every PE of this VRF joins
 mdt default <group-address>
 ! data MDTs: a range of core groups used for high-rate sources
 mdt data <group-address> <mask>
!
Then enable PIM (ip pim sparse-mode) on the interfaces toward the CE and toward the P routers.
MPLS over GRE
(Diagram: L3VPN and L2VPN sites connected across an IPv4 cloud by carrying MPLS inside GRE tunnels between the PEs; CEs attach over Ethernet or VLAN, with VRF Green and VRF Blue at the distribution layer.)
MPLS-VPN Services: Providing QoS to VPN Customers
• VPN customers may want an SLA so that real-time, mission-critical and best-effort traffic are treated appropriately
• QoS can be applied to VRF interfaces
- Just like any global interface
- The same QoS mechanisms are applicable
• Remember: IP precedence bits are copied to the MPLS TC/EXP bits (default behavior)
• MPLS Traffic Engineering can be used to provide bandwidth-on-demand and Fast Reroute for VPN customers
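An added example, not taken from the session deck, of applying QoS to a VRF interface with IOS MQC: CE traffic is classified by DSCP, the real-time class is policed so a single VPN customer cannot monopolise the core's priority traffic, and the EXP value is set explicitly at label imposition instead of relying on the default precedence copy. The VRF name Cust_A, class and policy names, interface number, addresses and rate are assumptions.

```cisco
! Added example, not from the BRKMPL-1102 deck. VRF name, class/policy
! names, interface number, addresses and the policing rate are assumptions.

! Classify traffic arriving from the CE by DSCP
class-map match-any REALTIME
 match ip dscp ef
class-map match-any MISSION-CRITICAL
 match ip dscp af31 af32 af33
!
! Ingress policy for the VRF-facing interface. Setting EXP at imposition
! overrides the default copy of IP precedence into EXP, so the customer's
! own markings do not decide how the shared core treats the packet.
policy-map CUST-A-IN
 class REALTIME
  police cir 10000000 conform-action transmit exceed-action drop
  set mpls experimental imposition 5
 class MISSION-CRITICAL
  set mpls experimental imposition 3
 class class-default
  set mpls experimental imposition 0
!
! Attachment circuit: bind the interface to the VRF before assigning the
! address, because enabling VRF forwarding removes an existing IP address.
interface GigabitEthernet7/1
 description Cust_A attachment circuit (CE-facing)
 ip vrf forwarding Cust_A
 ip address 192.0.2.1 255.255.255.252
 service-policy input CUST-A-IN
```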
In Conclusion…
Key Takeaways
MPLS offers Secure Segmentation for Enterprise Network Design
End to End Standards based Segmentation from Access to WAN in Enterprise
MPLS offers a wide range of features and services
MPLS L3VPN and L2VPN are most commonly deployed in Enterprise
MPLS Technology is available on a wide range of Switching products:
• Cisco Catalyst 3850 and 3650 Series (New)
• Cisco Catalyst 6K Fixed and Modular Series
• Cisco Nexus 7K Series
End to End Network Virtualization for Digital Enterprise
MPLS Sessions at Cisco Live 2016
• BRKMPL-1100 Introduction to MPLS
• BRKMPL-1102 MPLS Enterprise Switching Product Update and Designs
• BRKMPL-2100 Deploying MPLS Traffic Engineering
• BRKMPL-2102 Designing MPLS-based IP VPNs
• BRKMPL-2108 Designing MPLS in Next Generation Data Center: A Case Study
• BRKMPL-2110 Enterprise MPLS - Customer Case Studies
• BRKMPL-2115 MPLS Architectural approaches for Data Center and Cloud
• BRKMPL-2333 E-VPN & PBB-EVPN: the Next Generation of MPLS-based L2VPN
• BRKMPL-3124 Troubleshooting End-to-End MPLS
• LTRMPL-2104 Cisco WAN Automation Engine (WAE) Network Programmability with Segment Routing
• LTRMPL-3102 Enterprise Network Virtualization using IP and MPLS Technologies: Advanced
• TECMPL-3200 SDN WAN Orchestration in MPLS and Segment Routing Networks
Terminology Reference: Acronyms Used in MPLS Reference Architecture
Terminology - Description
AC Attachment Circuit. An AC Is a Point-to-Point, Layer 2 Circuit Between a CE and a PE.
AS Autonomous System (a Domain)
CoS Class of Service
ECMP Equal Cost Multipath
IGP Interior Gateway Protocol
LAN Local Area Network
LDP Label Distribution Protocol, RFC 3036.
LER Label Edge Router. An Edge LSR Interconnects MPLS and non-MPLS Domains.
LFIB Labeled Forwarding Information Base
LSP Label Switched Path
LSR Label Switching Router
NLRI Network Layer Reachability Information
P Router An Interior LSR in the Service Provider's Autonomous System
PE Router An LER in the Service Provider Administrative Domain that Interconnects the Customer Network and the Backbone Network.
PSN Tunnel Packet Switching Tunnel
Terminology Reference: Acronyms Used in MPLS Reference Architecture (cont.)
Terminology - Description
Pseudo-Wire A Pseudo-Wire Is a Bidirectional "Tunnel" Between Two Features on a Switching Path.
PWE3 Pseudo-Wire End-to-End Emulation
QoS Quality of Service
RD Route Distinguisher
RIB Routing Information Base
RR Route Reflector
RT Route Target
RSVP-TE Resource Reservation Protocol based Traffic Engineering
VPN Virtual Private Network
VFI Virtual Forwarding Instance
VLAN Virtual Local Area Network
VPLS Virtual Private LAN Service
VPWS Virtual Private WAN Service
VRF Virtual Route Forwarding Instance
VSI Virtual Switching Instance
Further Reading
MPLS References at Cisco Press and cisco.com
• http://www.cisco.com/go/mpls
• http://www.ciscopress.com
• MPLS and VPN Architectures — Cisco Press® (Jim Guichard, Ivan Pepelnjak)
• Traffic Engineering with MPLS — Cisco Press® (Eric Osborne, Ajay Simha)
• Layer 2 VPN Architectures — Cisco Press® (Wei Luo, Carlos Pignataro, Dmitry Bokotey, and Anthony Chan)
• MPLS QoS — Cisco Press® (Santiago Alvarez)
Complete Your Online Session Evaluation
Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online
• Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 Amazon gift card.
• Complete your session surveys through the Cisco Live mobile app or from the Session Catalog on CiscoLive.com/us.
Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Lunch & Learn
• Meet the Engineer 1:1 meetings
• Related sessions
Thank you