Presentation ID - Cisco… · Gerhard Wieser & Peter Tomsu MPLS-based VPNs Designing Advanced...
© 2001, Cisco Systems, Inc. All rights reserved.
Carrier Supporting Carrier & InterAS VPNs
Gerhard Wieser – [email protected]
Christian Schmutzer & Peter Tomsu
Next Generation Optical Networks: The Convergence of IP Intelligence and Optical Technologies
• Worldwide available since end of August: Amazon.com, Fatbrain.com, Prentice Hall, ISBN 0-13-028226-x
• Covers
– Optical & Data Transmission Basics: Fibers, DWDM, POS, DPT, MPLS-TE
– Optical Standardization: ITU, IEEE, OIF, IETF
– IP+Optical Control Planes
– Applications
Gerhard Wieser & Peter Tomsu
MPLS-based VPNs: Designing Advanced Virtual Networks
• Worldwide available since end of September: Amazon.com, Fatbrain.com, Prentice Hall, ISBN 0-13-028225-1
• Covers
– MPLS Technology Basics
– MPLS VPN Architecture
– MPLS VPN Implementation
– Application Scenarios
Agenda
• Carrier’s Carrier backbone
• ISP customer not running MPLS
• ISP customer running MPLS
• ISP customer running MPLS-VPN
• Transit between VPN-Aware backbones
• BGP/MP-BGP enhancements
Carrier Supporting Carrier aka Carriers' Carrier
[Diagram: Primary Carrier Backbone (PE-1, P1, PE-2) connecting Customer ISP – Site 1 (CE-1, ASBR-1, ISP customers) and Customer ISP – Site 2 (CE-2, ASBR-2, ISP customers); Network = N behind the ISP customers]
Carrier’s Carrier
• Technology based on draft-ietf-ppvpn-rfc2547bis-00.txt
• Developed for the Service Provider space
• Applicable in Enterprise environments
L3 vs L2 VPNs
L3 VPNs
• Customer benefit:
– any-to-any communication
– total outsourcing of the WAN (routing/QoS/capacity planning)
• Provider benefit:
– scalability (one network instead of 1000's of them)
– statistical multiplexing
– intelligence in the PE rather than in the CE
– economies of scale
L2 VPNs
• Customer requirements
– keep control of layer 3 (routing, TE, QoS)
– just ask for cheap p2p layer 2 connections
• Service Provider offer
– past: ATM/FR
– what is the equivalent on a shared IP infrastructure?
> MPLS-VPN: does not match the layer 3 independence
> IPsec: does not work at the speed required (>OC3)
> Layer 2 Transport !!!
Bundled: RFC2547bis – Provider Provisioned VPNs
Unbundled: L2VPN
Carrier's Carrier
• A central MPLS-VPN backbone (primary carrier) may deliver VPN services to departments running MPLS-VPN services themselves (secondary carrier, ISP)
• CE sites are in fact department/ISP PoPs
• High volume of routing information on each PoP
• Possibly a full Internet table
• Scalability issue if these routes have to be translated into VPN-IPv4 routes and injected into the primary carrier's backbone
Carrier's Carrier
• The ISP customer may NOT run MPLS and be a VPN customer of the primary Carrier
• The ISP customer may use MPLS on each site and request end-to-end label swapping
• The ISP customer may use MPLS-VPN on each site and provide VPN services to final customers
• Recursive VPNs
• In all cases the primary Carrier backbone need not know the ISP's external routes
Carrier's Carrier
• In all cases MPLS is used between PE and CE routers
• IGP/LDP to distribute labels for IPv4 routes between Carrier-PE and ISP-CE
• BGP is used to distribute labels between sites
– iBGP multihop / eBGP multihop intra-confederation sessions across the Carrier backbone
Carrier's Carrier
• If the ISP customer uses the same ASN in all sites, an iBGP session is used between sites
– Private ASN procedures
– iBGP sessions between sites; route reflectors to improve scalability
• If the ISP customer uses a different ASN per site, an eBGP session is used between sites
– eBGP multihop intra-confederation
Carrier's Carrier – Labels and BGP-4 routes
• Each ISP site advertises internal routes only
• ISP-CE routers announce site routes
• PE routers propagate site routes to other PEs
– VPN-IPv4 addresses through MP-iBGP
• PE routers advertise to CEs the routes learned from internal PE neighbors
– IGP/LDP for IPv4 addresses and labels
Carrier's Carrier – ISP not running MPLS
• Sites establish iBGP sessions between the ASBRs of each site
– ISP-CE and ASBR can be the same router
– iBGP or eBGP multihop intra-confederation
• Each site runs an iBGP full mesh
• ISP-CEs receive BGP-4 routes with labels
• ISP-CEs advertise site routes WITHOUT labels
– No need to advertise labels since the site is not running MPLS
Carrier's Carrier – ISP not running MPLS
• Carrier-PEs need NOT know the ISP's external addresses
• Packets are received labelled by the Carrier-PE
• The inter-site iBGP session distributes the ISP's external routes
• Each site has BGP routes for external addresses whose next-hop is learned from another BGP route or from an IGP route advertised by the Carrier-PE
Carrier's Carrier – ISP not running MPLS
[Diagram: Carrier Backbone running IGP and LDP (PE-1, P1, PE-2) with MP-iBGP for VPN-IPv4 between the PEs; ISP Site-1 IGP and iBGP (CE-1, ASBR-1, ISP customers) and ISP Site-2 IGP and iBGP (CE-2, ASBR-2, ISP customers); Network = N; iBGP or eBGP intra-confederation session between the ASBRs; on each PE-CE link an IGP session & LDP for label assignment (RIP, OSPF, static, [BGP in future])]
Carrier's Carrier – ISP not running MPLS
[Diagram: route and label advertisements for the topology above (Carrier Backbone PE-1, P-1, PE-2; ISP Site-1 IGP with CE-1, ASBR-1; ISP Site-2 IGP with CE-2, ASBR-2; Network = N; IGP session & LDP for label assignment (RIP, OSPF, static, [BGP in future]) on both PE-CE links)]
• BGP-4: Net=N, NH=ASBR1 (ASBR-1 to ASBR-2 over the inter-site session); within Site-2: BGP-4 Net=N, NH=CE-2
• VPN-IPv4: Net=ASBR1, NH=PE1, Label=1 (PE-1 to PE-2 over MP-iBGP)
• LDP: PE-1 Label=pop (PE-1 to P-1); P-1 Label=6 (P-1 to PE-2, for PE-1)
• LDP: PE-2 Label=2 (PE-2 to CE-2, for ASBR1)
Carrier's Carrier – ISP not running MPLS
[Diagram: packet forwarding for the case above. Label stacks on the links, top label first, each carried over IP Dest=N: unlabeled within Site-2 (ASBR-2 to CE-2); 2 (CE-2 to PE-2); 6 1 (PE-2 to P-1); 1 (P-1 to PE-1); unlabeled from PE-1 to CE-1 and within Site-1 to ASBR-1 and Network = N]
Configuration CE-PE pair

CE1 Configuration
mpls label protocol ldp
!
interface Loopback0
 ip address 14.14.14.14 255.255.255.255
!
interface ATM1/0
 no ip address
!
interface ATM1/0.1 point-to-point
 ip address 46.0.0.2 255.0.0.0
 atm pvc 101 0 51 aal5snap
 mpls label protocol ldp
 mpls ip
!
router ospf 200
 redistribute connected subnets
 network 14.14.14.14 0.0.0.0 area 200
 network 38.0.0.0 0.255.255.255 area 200
!

PE1 Configuration
ip cef distributed
!
ip vrf vpn1
 Etc………….
!
mpls label protocol ldp
!
interface ATM3/0/0.1 point-to-point
 ip vrf forwarding vpn1
 ip address 46.0.0.1 255.0.0.0
 atm pvc 101 0 51 aal5snap
 mpls label protocol ldp
 mpls ip
!
router ospf 100
 network 11.11.11.11 0.0.0.0 area 100
 network 33.0.0.0 0.255.255.255 area 100
!
router ospf 200 vrf vpn1
 redistribute bgp 100 metric-type 1 subnets
 network 19.19.19.19 0.0.0.0 area 200
 network 46.0.0.0 0.255.255.255 area 200
!
router bgp 100
 Etc………………
Carrier's Carrier – ISP running MPLS
• BGP-4 is used in the ISP sites
– BGP-4 session between sites
– iBGP multihop or eBGP multihop intra-confederation
– BGP-4 routes have next-hop addresses given by IGP and LDP
– The ISP-CE router redistributes into the site IGP all ISP internal routes learned from the Carrier-PE
– In each site iBGP sessions are needed between ASBR routers and CE routers; no need for an iBGP full mesh in the site
Carrier's Carrier - ISP running MPLS
[Diagram: Carrier Backbone running IGP and LDP (PE-1, P1, PE-2) with MP-iBGP for VPN-IPv4; iBGP-4 session for IPv4 addresses between ASBR-1 and ASBR-2; ISP Site-1 IGP, LDP, iBGP between ASBR and CE (CE-1, ASBR-1) and ISP Site-2 IGP, LDP, iBGP between ASBR and CE (CE-2, ASBR-2); Network = N; IGP session & LDP for label assignment (RIP, OSPF, static, [BGP in future]) on both PE-CE links]
Carrier's Carrier - ISP running MPLS
[Diagram: route and label advertisements for the topology above (Carrier Backbone PE-1, PE-2; ISP Site-1 with CE-1, ASBR-1; ISP Site-2 IGP with CE-2, ASBR-2; Network = N; IGP session & LDP for label assignment (RIP, OSPF, static, [BGP in future]) on both PE-CE links)]
• iBGP-4: Net=N, NH=ASBR1 (ASBR-1 to ASBR-2); within Site-2: BGP-4 Net=N, NH=ASBR1 and IGP Net=ASBR1, NH=CE-2
• IGP/LDP: Net=ASBR1, NH=PE2, Label=2 (PE-2 to CE-2)
• IGP/LDP: Net=ASBR1, NH=CE-1, Label=15 (CE-1 to PE-1)
• VPN-IPv4: Net=ASBR1, NH=PE1, Label=1 (PE-1 to PE-2 over MP-iBGP)
• LDP: PE-1 Label=Pop (PE-1 to P-1); PE-1 Label=6 (P-1 to PE-2)
• LDP within the ISP sites for Net=ASBR1: Label=Pop, Label 3, Label=7
Carrier's Carrier - ISP running MPLS
[Diagram: packet forwarding for the case above. Label stacks drawn along the path from ASBR-2 to Network = N, top label first, each over IP Dest=N: 3, 2, 6 1 (Carrier core), 1, 15, 7; the packet is unlabeled only in the ISP customer networks at both ends]
Carrier's Carrier – ISP running MPLS-VPN
• Recursive VPNs
• A VPN customer can run MPLS-VPN in order to offer VPN services to other customers
• MPLS-VPN backbone with MPLS-VPN backbones as clients
• ISP VPN backbone emulated over the Carrier backbone
Carrier's Carrier – ISP running MPLS-VPN
• ISP sites exchange VPN-IPv4 addresses with labels
• BGP-4 between Carrier-PE and ISP-CE
– Labels are distributed in BGP-4 updates between Carrier-PE and ISP-CE
• At the ISP side the CE interface connecting to the Carrier PE is part of the backbone (no VRF configured)
Carrier's Carrier – ISP running MPLS-VPN
[Diagram: Carrier Backbone running IGP and LDP (PE-1, P1, PE-2) with MP-iBGP for VPN-IPv4; ISP Site-1 IGP, LDP (CE-1, ISP-PE-1) and ISP Site-2 IGP, LDP (CE-2, ISP-PE-2); MP-iBGP session for VPN-IPv4 addresses with labels between ISP-PE-1 and ISP-PE-2; Network = N; IGP session & LDP for label assignment (RIP, OSPF, static, [BGP in future]) on both PE-CE links]
Carrier's Carrier – ISP running MPLS-VPN
[Diagram: route and label advertisements for the topology above (Carrier Backbone PE-1, PE-2; ISP Site-1 with CE-1, ASBR-1; ISP Site-2 IGP with CE-2, ASBR-2; Network = N; IGP session & LDP for label assignment (RIP, OSPF, static, [BGP in future]) on both PE-CE links)]
• VPN-IPv4: Net=N, NH=ASBR1, Label=12 (the ISP's own VPN route with label, ASBR-1 to ASBR-2); within Site-2: BGP-4 Net=N, NH=ASBR1 and IGP Net=ASBR1, NH=CE-2
• IGP/LDP: Net=ASBR1, NH=PE2, Label=2 (PE-2 to CE-2)
• IGP/LDP: Net=ASBR1, NH=CE-1, Label=25 (CE-1 to PE-1)
• VPN-IPv4: Net=ASBR1, NH=PE1, Label=1 (PE-1 to PE-2 over MP-iBGP)
• LDP: PE-1 Label=pop (PE-1 to P-1); PE-1 Label=6 (P-1 to PE-2)
• LDP within the ISP sites for Net=ASBR1: Label 3, Label=Pop, Label=7
Carrier's Carrier – ISP running MPLS-VPN
[Diagram: packet forwarding for the case above. Label stacks drawn along the path from ASBR-2 to Network = N, top label first, each over IP Dest=N: 3 12, 2 12, 6 1 12 (Carrier core), 1 12, 20 12, 7 12, 12; the ISP's VPN label 12 stays at the bottom of the stack end to end, and the packet is unlabeled only at the ISP customers]
Carrier's Carrier Security Requirements
• The PE needs a security mechanism to accept (or not) the labels used by the CE
• The PE must check that the labels used by the CE are associated with IP routes present in the PE/CE VRF
• Label security in order to prevent label "spoofing"
• The PE keeps track of which label bindings have been advertised on which interface
• Every packet that crosses the backbone carrier must be encapsulated, so that the packet includes MPLS labels. To ensure that the packets are encapsulated, issue the following command on the PE routers that connect to CE routers:
(config-if)# mpls ip
PE Security
• The PE router ensures that the data traffic of one customer is not spoofed by other customers
• This is accomplished in the PE router by examining the labels in the MPLS traffic that each CE router transmits to the PE router
• The PE verifies that each packet contains a label that the PE router previously advertised to that particular CE router
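The check described on the two slides above, as an added model that is not code from the presentation or from Cisco IOS: the PE records which label bindings it advertised on which CE-facing interface and accepts a labeled packet from a CE only if its top label was advertised on the interface it arrived on. Interface ATM3/0/0.1 and VRF vpn1 come from the configuration slide; the CarrierPE class, the second interface ATM3/0/0.2, VRF vpn2, the prefixes and label 999 are constructed for the example.

```python
# Added example, not from the Cisco slides: a model of the Carrier-PE label
# check. The PE remembers which label bindings it advertised on which CE-facing
# interface and drops labeled packets whose top label was not advertised there.
# Interface ATM3/0/0.1 and VRF vpn1 are from the slides; the rest is constructed.

class CarrierPE:
    def __init__(self):
        self.next_label = 16        # 0-15 are reserved MPLS labels
        self.advertised = {}        # interface -> {label: (vrf, prefix)}
        self.lfib = {}              # label -> (vrf, prefix) for all VRF routes

    def advertise_label(self, interface, vrf, prefix):
        """Bind a fresh label to a route in the PE/CE VRF and record the
        interface (the PE-CE LDP/BGP session) the binding was advertised on."""
        label = self.next_label
        self.next_label += 1
        self.advertised.setdefault(interface, {})[label] = (vrf, prefix)
        self.lfib[label] = (vrf, prefix)
        return label

    def accept(self, interface, label):
        """Decide whether a labeled packet from a CE may be forwarded.
        Returns (accepted, reason). A label that is valid in the LFIB but was
        advertised to a different CE is treated as spoofed and dropped."""
        if label not in self.lfib:
            return False, "unknown label"
        bound = self.advertised.get(interface, {}).get(label)
        if bound is None:
            return False, "label not advertised on this interface: spoofed"
        vrf, prefix = bound
        return True, f"forward in {vrf} toward {prefix}"

def demo():
    """Two ISP customers on one PE; each may only use its own labels."""
    pe = CarrierPE()
    l_vpn1 = pe.advertise_label("ATM3/0/0.1", "vpn1", "ASBR1/32")
    l_vpn2 = pe.advertise_label("ATM3/0/0.2", "vpn2", "10.9.9.9/32")  # constructed
    return {
        "own_label":      pe.accept("ATM3/0/0.1", l_vpn1),
        "other_customer": pe.accept("ATM3/0/0.1", l_vpn2),   # vpn2's label from vpn1's CE
        "unknown":        pe.accept("ATM3/0/0.1", 999),
    }

if __name__ == "__main__":
    for case, (ok, why) in demo().items():
        print(f"{case}: {'ACCEPT' if ok else 'DROP'} ({why})")
```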
Transit between MPLS-VPN backbones
• Customers may have sites connected to different ISPs
• MPLS-VPN networks exchange routes through MP-BGP
– VPN-IPv4 addresses with labels
• PE-ASBRs establish direct eBGP sessions
– No IGP between PE-ASBRs
– Single label
– No LDP between ASBRs
Transit between MPLS-VPN backbones
• The interface connecting PE-ASBRs is part of the global routing table
– No VRF assigned
• PE-ASBRs exchange all VPN-IPv4 routes
– Routes are forwarded without being in any routing table
– Like a VPN-IPv4 BGP route reflector
Benefits
• Allows a VPN to cross more than one Service Provider backbone
• Allows a VPN to exist in different areas
• Allows confederations to optimize iBGP meshing
Transit between MPLS-VPN backbones
[Diagram: two Carrier Backbones, each running IGP and LDP with MP-iBGP for VPN-IPv4 inside it: backbone 1 with PE-1, P1, PE-ASBR1 and CE-1 (Network = N) attached to PE-1; backbone 2 with PE-ASBR2, P2, PE-2 and CE-2 attached to PE-2; MP-eBGP for VPN-IPv4 between PE-ASBR1 and PE-ASBR2]
Transit between MPLS-VPN backbones
[Diagram: route and label advertisements for the topology above (PE-1, P1, PE-ASBR1, CE-1, Network = N; PE-ASBR2, P2, PE-2, CE-2)]
• BGP-4 or RIP: Net=N, NH=CE1 (CE-1 to PE-1)
• VPN-IPv4: Net=N, NH=PE1, Label=1, RT=100:1 (PE-1 to PE-ASBR1 over MP-iBGP)
• VPN-IPv4: Net=N, NH=PE-ASBR1, Label=12, RT=100:1 (PE-ASBR1 to PE-ASBR2 over MP-eBGP, next-hop self)
• VPN-IPv4: Net=N, NH=PE-ASBR2, Label=20, RT=100:1 (PE-ASBR2 to PE-2 over MP-iBGP, next-hop self)
• LDP: PE-1 Label=pop and PE-1 Label=6 (for PE-1 inside backbone 1); PE-ASBR-1 Label=7 and PE-ASBR-1 Label=8 (for the PE-ASBR loopback)
Transit between MPLS-VPN backbones
[Diagram: packet forwarding for the case above. Label stacks on the links, top label first, each over IP Dest=N: unlabeled from CE-2 to PE-2; 8 20 (PE-2 to P2); 20 (P2 to PE-ASBR2); 12 (PE-ASBR2 to PE-ASBR1, single label, no LDP); 6 1 (PE-ASBR1 to P1); 1 (P1 to PE-1); unlabeled from PE-1 to CE-1 and Network = N]
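The two label-stack walks drawn in the deck (the Carrier's Carrier case with ISP sites not running MPLS, and the Inter-AS transit case just above) as one added, runnable model; this is not code from the presentation. Router names and label values are the slides' own; the per-router LFIB tables, the forward/walk functions, the IP-destination lookup for unlabeled packets and the hop-by-hop placement of the site routers are this example's simplification.

```python
# Added example, not from the Cisco slides: a small LFIB-driven model of the
# label-stack forwarding drawn on the slides, for the Carrier's Carrier path
# (ISP sites not running MPLS) and the Inter-AS transit path.

def forward(lfib, router, pkt):
    """Apply one router's LFIB to pkt: unlabeled packets are looked up by IP
    destination (FIB/VRF), labeled ones by the top label (last list element)."""
    key = pkt["labels"][-1] if pkt["labels"] else pkt["dest"]
    ops, next_hop = lfib[router][key]        # KeyError: no route or label binding
    for op, label in ops:
        if op == "pop":                      # implicit null (PHP) or VPN label at egress
            pkt["labels"].pop()
        elif op == "swap":
            pkt["labels"][-1] = label
        elif op == "push":
            pkt["labels"].append(label)
    return next_hop

def walk(lfib, src, dst, dest_prefix):
    """Forward one packet from src to dst; return (router, stack put on the wire) per hop."""
    pkt = {"dest": dest_prefix, "labels": []}
    trace, here = [], src
    while here != dst:
        nxt = forward(lfib, here, pkt)
        trace.append((here, list(pkt["labels"])))   # bottom label first
        here = nxt
    return trace

# Carrier's Carrier, ISP sites not running MPLS (slides 18/19).
CSC = {
    "ASBR-2": {"N": ([], "CE-2")},                        # BGP-4 Net=N NH=ASBR1, plain IP in the site
    "CE-2":   {"N": ([("push", 2)], "PE-2")},             # LDP label 2 from PE-2 for ASBR1
    "PE-2":   {2: ([("swap", 1), ("push", 6)], "P-1")},   # VPN label 1 from PE-1, LDP label 6 from P-1
    "P-1":    {6: ([("pop", None)], "PE-1")},             # PE-1 advertised implicit null (pop)
    "PE-1":   {1: ([("pop", None)], "CE-1")},             # CE-1 advertised its routes without labels
    "CE-1":   {"N": ([], "ASBR-1")},
}

# Inter-AS transit with a single label on the PE-ASBR link (slides 39/40).
INTERAS = {
    "CE-2":     {"N": ([], "PE-2")},
    "PE-2":     {"N": ([("push", 20), ("push", 8)], "P2")},   # VPN label 20 from PE-ASBR2, LDP 8
    "P2":       {8: ([("pop", None)], "PE-ASBR2")},
    "PE-ASBR2": {20: ([("swap", 12)], "PE-ASBR1")},           # no LDP between the ASBRs: swap only
    "PE-ASBR1": {12: ([("swap", 1), ("push", 6)], "P1")},     # VPN label 1 from PE-1, LDP 6 from P1
    "P1":       {6: ([("pop", None)], "PE-1")},
    "PE-1":     {1: ([("pop", None)], "CE-1")},
}

if __name__ == "__main__":
    for name, table, src, dst in (("CsC", CSC, "ASBR-2", "ASBR-1"),
                                  ("InterAS", INTERAS, "CE-2", "CE-1")):
        for router, stack in walk(table, src, dst, "N"):
            print(f"{name}: {router} sends IP Dest=N under labels {stack}")
```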
Confederation – multiple IGP domains
• Separate IGPs
• Each sub-confederation runs a single IGP
• Route reflectors used as peering points between sub-confederations
– Not strictly necessary, but scales better
• Next-hop-self done by the border routers on eBGP sessions AND on iBGP sessions towards intra-confederation peers
• Next-hop-self is done by RR-1 and RR-2
Confederation – multiple IGP domains
[Diagram: one Confederation made of Sub-AS1 with IGP-1 and Sub-AS2 with IGP-2, each with its own Core of P LSRs; PE-1, PE-2, PE-3 and the confederation border routers CEBGP-1 and CEBGP-2; CE-1 to CE-5 attached to the PEs; MP-iBGP inside each sub-AS and MP-eBGP intra-confederation for VPNv4 routes with label distribution between the sub-ASes]
• PEs exchange VPNv4 addresses with labels
• Next-hop and labels are changed (next-hop self is used)
• PE1 and PE-2 addresses are known in both IGPs
Confederation – multiple IGP domains
[Diagram: the same confederation topology (Sub-AS1 with IGP-1, Sub-AS2 with IGP-2, Cores of P LSRs, PE-1, PE-2, PE-3, CEBGP-1, CEBGP-2, CE-1 to CE-5) with the routes advertised for Network = N]
• Network=N, Next-hop=CE2
• Network=N, Next-hop=PE3
• Network=RD1:N, Next-hop=PE1, Label=L1
• Network=RD1:N, Next-hop=RR1, Label=L2
• Network=RD1:N, Next-hop=RR2, Label=L3
Confederation – multiple IGP domains
• Important points
– When next-hop-self is used on both iBGP and eBGP sessions (in CEBGP-1 and CEBGP-2) the topology is similar to a Multiprovider-VPN topology
– Route reflectors exchange routes
– Using route reflectors is a natural approach since they already have all VPN routes
• Next-hop-self choices
– Option-1: eBGP only
– Option-2: eBGP and iBGP on the border routers
BGP Enhancements
• BGP-4 extended to distribute labels
– eBGP for PE/CE label distribution
– iBGP to distribute labels between MPLS sites (Carrier customer running MPLS); avoids the egress ASBR IP lookup
• MP-BGP (VPN-IPv4 addresses) extended to distribute labels over eBGP sessions
Roadmap
• InterAS VPN
– available for 72xx, 75xx, 12xxx (E0, E2) in 12.0(18)ST
– 12.0(22)ST adds support for 12xxx (E3, E4+)
• CsC
– available for 72xx, 75xx, 12xxx (E0) in 12.0(16)ST
– 12.0(21)ST for 12xxx (E2)
– 12.0(22)ST adds support for 12xxx (E3, E4+)
– 12.0(22)ST adds support for BGP on the PE-CE link
Documentation
• InterAS VPN
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120limit/120st/120st16/intras16.htm
• CsC
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120limit/120st/120st16/csc16.htm