Presentation ID - Cisco€¦ · Gerhard Wieser & Peter Tomsu MPLS-based VPNs Designing Advanced...

2© 2001, Cisco Systems, Inc. All rights reserved.

Session NumberPresentation_ID

Carrier Supporting Carrier& InterAS VPNs

Gerhard Wieser – [email protected]


Christian Schmutzer & Peter Tomsu

Next Generation Optical NetworksThe Convergence of IP Intelligence and Optical Technologies

• World wide available since End of AugustAmazon.com, Fatbrain.com, Prentice Hall ISBN 0-13-028226-x

• Covers

•Optical & Data Transmission Basics

Fibers, DWDM, POS, DPT, MPLS-TE

•Optical Standardization

ITU, IEEE, OIF, IETF

•IP+Optical Control Planes

•Applications


Gerhard Wieser & Peter Tomsu

MPLS-based VPNsDesigning Advanced Virtual Networks

• World wide available since End of SeptemberAmazon.com, Fatbrain.com, Prentice Hall ISBN 0-13-028225-1

• Covers

•MPLS Technology Basics

•MPLS VPN Architecture

•MPLS VPN Implementation

•Application Scenarios


Agenda

• Carrier’s Carrier backbone

• ISP customer not running MPLS

• ISP customer running MPLS

• ISP customer running MPLS-VPN

• Transit between VPN-Aware backbones

• BGP/MP-BGP enhancements


Carrier Supporting Carrier akaCarriers` Carrier

PE-1

PE-2

CE-1

CE-2

ISP customersASBR-1

ASBR-2

ISP customersNetwork = N

P1

Customer ISP – Site 1Customer ISP – Site 2

Primary Carrier Backbone


Carrier’s Carrier

• Technology based on draft-ietf-ppvpn-rfc2547bis-00.txt

• Developed for the Service Provider space

• Applicable in Enterprise environments


L3 vs L2 VPNs

• Customer benefit:

any to any communication

total outsource of the WANrouting/QoS/capacity planning

• Provider benefit

scalability (one network instead of1000’s of them)

statistical multiplexing

intelligence in the PE rather thanin the CE

economies of scale

• Customer requirements

– keep control of the layer3(routing, TE, QoS)

– just ask for cheap p2p layer2connections

• Service Provider offer

– past: ATM/FR

– what is the equivalent on ashared IP infrastructure?

> MPLS-VPN: does not matchthe Layer3 independence

> IPSEC: does not work at thespeed required (>OC3)

> Layer2Transport !!!

Bundled: RFC2547bis – ProviderProvisioned VPNs

UnBundled: L2VPN


Carrier’s Carrier

• A central MPLS-VPN backbone (primarycarrier) may deliver VPN services todepartments running MPLS-VPN servicesthemselves (secondary carrier, ISP)

• CE sites are in fact department/ISP PoPs

• High volume of routing information on eachPop

• Possible full Internet table

• Scalability issue if these routes have to betranslated in VPN-IPv4 routes and injectedinto the primary carrier’s backbone


Carrier’s Carrier

• ISP customer may NOT run MPLS and being aVPN customer of the primary Carrier

• ISP customer may use MPLS on each site andrequest end to end label swapping

• ISP customer may use MPLS-VPN on each siteand provide VPN services to final customers

• Recursive VPNs

• In all cases primary Carrier backboneneed not to know ISP external routes


Carrier’s Carrier

• In all cases MPLS is used between PE andCE routers

• IGP/LDP to distribute labels for IPv4 routesbetween Carrier-PE and ISP-CE

• BGP is used to distribute labels betweensites

•iBGP multihop / eBGP multihop IntraConfederation sessions across the Carrierbackbone


Carrier’s Carrier

• If ISP customer use same ASN in all sitesiBGP session is used between sites

• Private ASN procedures

• iBGP sessions between sites

Route reflectors to improve scalability

• If ISP customer use different ASN per siteeBGP session is used between sites• eBGP multihop intra-confederation


Carrier’s CarrierLabels and BGP-4 routes

• Each ISP site advertise internal routes only

• ISP-CE routers announces site routes

• PE routers propagate sites routes to other PEs

• VPN-IPv4 addresses through MP-iBGP

• PE routers advertise to CEs routes learned frominternal PE neighbors

• IGP/LDP for IPv4 addresses and labels


Agenda








Carrier’s CarrierISP not running MPLS

• Sites establish iBGP sessions betweenASBRs on each site

•ISP-CE and ASBR can be the same router

•iBGP or eBGP multihop intra-confederation

• Each site runs iBGP full mesh

• ISP-CEs receive BGP-4 routes with labels

• ISP-CEs advertise site routes WITHOUT labels

•No need to advertise labels since site is notrunning MPLS



• Carrier-PEs need NOT to know ISP externaladdresses

• Packets are received labelled by Carrier-PE

• The inter-site iBGP session distributes the ISPexternal routes

• Each site has BGP routes for externaladdresses with next-hop learned by anotherBGP route or IGP route

Advertised by Carrier-PE



Carrier Backbonerunning IGP and LDP

PE-1

PE-2

CE-1

CE-2

ISP customersASBR-1

ASBR-2

ISP customers

iBGP or eBGP intra-confederationsession between ASBRs

Network = N

P1

MP-iBGP for VPN-IPv4

ISP Site-2 IGPand iBGP

ISP Site-1 IGPand iBGP

IGP session & LDP forLabel Assignment (RIP,OSPF, static, [BGP infuture]) IGP session & LDP for Label

Assignment (RIP, OSPF, static,[BGP in future])



Carrier Backbone

PE-1

PE-2

CE-1

CE-2

ISP Site-2 IGP

ISP Site-1 IGP ISP customersASBR-1

ASBR-2


BGP-4Net=NNH=ASBR1

BGP-4Net=NNH=ASBR1 BGP-4

Net=NNH=CE-2

LDPP-1Label=6

VPN-IPv4Net=ASBR1NH=PE1Label=1

LDPPE-1Label=pop

IGP session & LDP forLabel Assignment (RIP,OSPF, static, [BGP infuture])

IGP session & LDP for LabelAssignment (RIP, OSPF, static,[BGP in future])

LDPPE-2Label=2



Carrier Backbone

PE-1

PE-2

CE-1CE-2

ISP Site-2 IGPISP Site-1 IGP ISP customersASBR-1

ASBR-2


IPDest=N

IPDest=N

1

IPDest=N

IPDest=N

IPDest=N

IPDest=N

2

IPDest=N

IPDest=N

1

6


Configuration CE-PE pair

CE1 Configurationmpls label protocol ldp

!

interface Loopback0

ip address 14.14.14.14 255.255.255.255

!

interface ATM1/0

no ip address

!

interface ATM1/0.1 point-to-point

ip address 46.0.0.2 255.0.0.0

atm pvc 101 0 51 aal5snap

mpls label protocol ldp

mpls ip

!

router ospf 200

redistribute connected subnets

network 14.14.14.14 0.0.0.0 area 200

network 38.0.0.0 0.255.255.255 area 200

!

PE1 Configurationip cef distributed

!

ip vrf vpn1

Etc………….

!


!

interface ATM3/0/0.1 point-to-point

ip vrf forwarding vpn1

ip address 46.0.0.1 255.0.0.0

atm pvc 101 0 51 aal5snap


mpls ip

!

router ospf 100

network 11.11.11.11 0.0.0.0 area 100

network 33.0.0.0 0.255.255.255 area 100

!

router ospf 200 vrf vpn1

redistribute bgp 100 metric-type 1 subnets

network 19.19.19.19 0.0.0.0 area 200

network 46.0.0.0 0.255.255.255 area 200

!

router bgp 100

Etc………………


Agenda








Carrier’s CarrierISP running MPLS

• BGP-4 is used in ISP sites

•BGP-4 session between sites

•iBGP Multihop or eBGP multihop intra-confederation

•BGP-4 routes have next-hop addresses given byIGP and LDP

•ISP-CE router redistribute into site IGP all ISPinternal routes learned from the Carrier-PE

•In each site iBGP sessions are needed betweenASBR routers and CE routers

No need to iBGP full mesh in the site


Carrier’s Carrier - ISP running MPLS


PE-1

PE-2

CE-1

CE-2

ASBR-1

ASBR-2

iBGP-4 session forIPv4 addresses

P1


ISP Site-1 IGP, LDPiBGP between ASBR and CE

ISP Site-1 IGP, LDPiBGP between ASBR and CE

Network = N





Carrier Backbone

PE-1

PE-2

CE-1

CE-2

ISP Site-2 IGP

ASBR-1

ASBR-2

Network = N

iBGP-4Net=NNH=ASBR1

LDPPE-1Label=Pop

BGP-4Net=NNH=ASBR1 IGP

Net=ASBR1NH=CE-2

IGP/LDPNet=ASBR1NH=PE2Label=2

IGP/LDPNet=ASBR1NH=CE-1Label=15


LDPPE-1Label=6

LDPNet=ASBR1Label=Pop

LDPNet=ASBR1Label 3

LDPNet=ASBR1Label=7





Carrier Backbone

PE-1

PE-2

CE-1CE-2

ISP Site-2 IGPISP Site-1 IGP ISP customersASBR-1

ASBR-2


IPDest=NIP

Dest=N

IPDest=N

IPDest=N

3

IPDest=N

2

IPDest=N

1

6 IPDest=N

1

IPDest=N

15

IPDest=N

7


Agenda








Carrier’s CarrierISP running MPLS-VPN

• Recursive VPNs

• A VPN customer can run MPLS-VPN inorder to offer VPN services to othercustomers

• MPLS-VPN backbone with MPLS-VPNbackbones as clients

• ISP VPN backbone emulated overCarrier backbone



• ISP sites exchange VPN-IPv4 addresses withlabels

• BGP-4 between Carrier-PE and ISP-CE•Labels are distributed into BGP-4 updatesbetween Carrier-PE and ISP-CE

• At the ISP side the CE interface connecting tothe Carrier PE is part of the backbone (noVRF configured)




PE-1

PE-2

CE-1

CE-2

ISP-PE-1

ISP-PE-2

MP-iBGP session forVPN-IPv4 addresseswith labels

P1


ISP Site-2 IGP, LDP

ISP Site-1 IGP, LDP

Network = N





Carrier Backbone

PE-1

PE-2

CE-1

CE-2

ISP Site-2 IGP

ASBR-1

ASBR-2

Network = N

VPN-IPv4Net=NNH=ASBR1Label=12

LDPPE-1Label=pop

IGPNet=ASBR1NH=CE-2

IGP/LDPNet=ASBR1NH=PE2Label=2

IGP/LDPNet=ASBR1NH=CE-1Label=25


LDPPE-1Label=6

LDPNet=ASBR1Label 3

BGP-4Net=NNH=ASBR1

LDPNet=ASBR1Label=Pop

LDPNet=ASBR1Label=7





Carrier Backbone

PE-1

PE-2

CE-1CE-2

ISP Site-2 IGPASBR-1

ASBR-2

Network = N

IPDest=NIP

Dest=N

IPDest=N

12

3

IPDest=N

12

2

IPDest=N

1

6

12 IPDest=N

1

12

IPDest=N

20

12

IPDest=N

7

12

IPDest=N

12


Carrier’s Carrier Security Requirements

• PE need a security mechanism to accept (or not) labelsused by the CE

• The PE must control that labels used by the CE areassociated to IP routes present in the PE/CE VRF

• Label security in order to prevent label “spoofing”

• PE will keep the knowledge of which label bindings havebeen advertised to which interface

• Every packet that crosses the backbone carrier must beencapsulated, so that the packet includes MPLS labels.To ensure that the packets are encapsulated, issue thefollowing command on the PE routers that connect toCE routers:

• (config-if)# mpls ip


PE Security

• The PE router ensures that the data traffic of onecustomer is not spoofed by other customers

• It is accomplished in the PE router by examiningthe labels in the MPLS traffic that each CE routertransmits to the PE router

• PE verify that each packet contains a label thatthe PE router previously advertised to theparticular CE router


Agenda








Transit between MPLS-VPNbackbones

• Customers may have sites connected todifferent ISPs

• MPLS-VPN networks exchange routesthrough MP-BGP• VPN-IPv4 addresses with Labels

• PE-ASBRs establish direct eBGP sessions

• No IGP between PE-ASBRs

• Single label

• No LDP between ASBRs



• Interface connecting PE-ASBRs is partof the global routing table

•No VRF assigned

• PE-ASBRs exchange all VPN-IPv4routes

•Routes are forwarded without being in anyrouting table

•Like VPN-IPv4 BGP route reflector


BenefitsBenefits

• Allows a VPN to Cross more than oneService Provider Backbone

• Allows a VPN to Exist in Different Areas

• Allows Confederations to Optimize IBGPMeshing




PE-1

PE-ASBR1

CE-1

CE-2

P1


Network = N


PE-ASBR2

PE-2

P2

MP-iBGP for VPN-IPv4MP-eBGP for VPN-IPv4



PE-1

PE-ASBR1

CE-1

CE-2

P1

Network = N

PE-ASBR2

PE-2

P2

BGP-4, RIPNet=NNH=CE1

VPN-IPv4Net=NNH=PE1Label=1RT=100:1

LDPPE-1Label=pop

LDPPE-ASBR-1Label=7

LDPPE-1Label=6

VPN-IPv4Net=NNH=PE-ASBR1Label=12RT=100:1

VPN-IPv4Net=NNH=PE-ASBR2Label=20RT=100:1

LDPPE-ASBR-1Label=8



PE-1

PE-ASBR1

CE-1

CE-2

P1

Network = N

PE-ASBR2

PE-2

P2

IPDest=N

IPDest=N

20

8

IPDest=N

20

IPDest=N

12

IPDest=N

1

6 IPDest=N

1

IPDest=N


ConfederationConfederationmultiple IGP domainsmultiple IGP domains

• Separate IGPs

• Each sub-confederations runs a single IGP

• Route-reflectors used as peering pointsbetween sub-confederations• Not strictly necessary but scale better

• Next-hop self done by border routers oneBGP sessions AND on iBGP sessiontowards intra-confederation peers

• Next-hop-self is done by RR-1 and RR-2



PE-1

CEGBP-1

CE-2

CEGBP-2

PE-3

CE-1

PE-2

CE-5

CE-4

CE-3

Core of P LSRs

Core of P LSRs

Confederation

Sub-AS1 withIGP-1

Sub-AS2 with IGP-2

MP-eBGP intraconfederationfor VPNv4 routes withlabel distribution

PEs exchange VPNv4 addresses with labelsNext-hop and labels are changed (next-hop self is used)

PE1 and PE-2 addresses are known in both IGPs

MP-iBGP



PE-1

CEGBP-1

CE-2

CEBGP-2

PE-3

CE-1

PE-2

CE-5

CE-4

CE-3

Core of P LSRs

Core of P LSRs

Confederation

Sub-AS1 withIGP-1

Sub-AS2 with IGP-2

Network=NNext-hop=CE2

Network=NNext-hop=PE3

Network=RD1:NNext-hop=PE1Label=L1

Network=RD1:NNext-hop=RR1Label=L2

Network=RD1:NNext-hop=RR2Label=L3



• Important points

• When next-hop self is used on both iBGP andeBGP sessions (in CEBGP-1 and CEBGP-2) thetopology is similar to a Multiprovider-VPN topology

• Route reflectors exchange routes

• Using Route reflectors is a natural approachsince they already have all VPN routes

• Next-hop-self choices

Option-1: eBGP only

Option-2: eBGP and iBGP on border routers


Agenda








BGP Enhancements

• BGP-4 extended to distribute labels

• eBGP for PE/CE label distribution

• iBGP to distribute labels between MPLSsites

Carrier customer running MPLS

Avoids egress ASBR IP lookup

• MP-BGP (VPN-IPv4 addresses) extendedto distribute labels over eBGP sessions


Roadmap

• InterAS VPN

– available for 72xx, 75xx, 12xxx (E0, E2) in 12.0(18)ST

– 12.0(22)ST adds support for 12xxx (E3, E4+)

• CsC

– available for 72xx, 75xx, 12xxx (E0) in 12.0(16)ST

– 12.0(21)ST for 12xxx (E2)

– 12.0(22)ST adds support for 12xxx (E3, E4+)

– 12.0(22)ST adds support BGP between PE-CE link


Documentation

• InterAS VPN

http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120limit/120st/120st16/intras16.htm

• CsC

http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120limit/120st/120st16/csc16.htm

Presentation ID - Cisco€¦ · Gerhard Wieser & Peter Tomsu MPLS-based VPNs Designing Advanced...

Documents

Transcript of Presentation ID - Cisco€¦ · Gerhard Wieser & Peter Tomsu MPLS-based VPNs Designing Advanced...