Deploying MPLS-VPN. Session RST Copyright 2003, Cisco Systems, Inc. All rights reserved. Printed in USA. 8181_05_2003_c2 RST-2061

Transcription

1 Deploying MPLS-VPN Session 2 Copyright Printed in USA.

2 Agenda Prerequisites Background Theory Practice Route Reflectors Carrier s Carrier Inter-AS Import/Export Maps 3 Prerequisites Must understand basic IP routing, especially BGP Must understand MLPLS basics (push, pop, swap, label stacking) 4 Copyright Printed in USA.

3 Recommended Reading MPLS and VPN Architectures by Jim Guichard and Ivan Pepelnjak ISBN: Agenda Prerequisites Background Theory Practice Route Reflectors Carrier s Carrier Inter-AS Import/Export Maps 6 Copyright Printed in USA.

4 Background Why Have MPLS-VPNs? Tag switching came about from Ipsilon s IP switching Cisco s tag switching begat MPLS One of the fundaments of tag switching was label stacking Label stacking allows the network to transport data across it without needing routing information in the core Like a frame relay network doesn t need IP routing MPLS-VPN = label stacking + BGP extensions 7 Overlay vs. Peer Networks Overlay network: customer s IP network is overlaid on top of the provider s network Provider s IP transport (FR, ATM, etc.) creates private IP network for customer Most technologies that carry IP are p2p Large p2p networks are hard to maintain N^2 provisioning vs. inefficient routing Even with hub and spoke, need lots of stuff at the hub 8 Copyright Printed in USA.

5 Overlay Network Provider sells a circuit service Customers purchases circuits to connect sites, runs IP N sites, (N*(N-1))/2 circuits for full mesh expensive The big scalability issue here is routing peers N sites, each site has N-1 peers Hub and spoke is popular, suffers from the same N-1 number of routing peers Hub and spoke with static routes is simpler, still buying N-1 circuits from hub to spokes Spokes distant from hubs could mean lots of long-haul circuits Provider (FR, ATM, etc.) 9 Peer Network Provider and customer exchange IP routing information directly Customer only has one routing peer per site Need to separate customer s IP network from provider s network Customer A and Customer B need to not talk to each other Customer A and Customer B may have the same address space ( /8, /16, etc.) VPN is provisioned and run by the provider MPLS-VPN does this without p2p connections 10 Copyright Printed in USA.

6 Peer Network Provider sells an MPLS-VPN service Customers purchases circuits to connect sites, runs IP N sites, N circuits into provider Access circuits can be any media at any point (FE, POS, ATM, T1, dial, etc.) Full mesh connectivity without full mesh of L2 circuits Hub and spoke is also easy to build Spokes distant from hubs connect to their local provider s POP, lower access charge because of provider s size The Internet is a large peer network Provider (MPLS-VPN) 11 Terminology, 1/2 RR Route Reflector A router (usually not involved in packet forwarding) that distributes BGP routes within a provider s network PE Provider Edge router The interface between the customer and the MPLS-VPN network; only PEs (and maybe RRs) know anything about MPLS-VPN routes P Provider router A router in the core of the MPLS-VPN network, speaks LDP/RSVP but not VPNv4 CE Customer Edge router The customer router which connects to the PE; does not know anything about labels, only IP (most of the time) LDP Label Distribution Protocol Distributes labels with a provider s network that mirror the IGP, one way to get from one PE to another LSP Label Switched Path The chain of labels that are swapped at each hop to get from one PE to another 12 Copyright Printed in USA.

7 Terminology, 2/2 VPN Virtual Private Network A network deployed on top of another network, where the two netw orks are separate and never communicate VRF Virtual Routing and Forwarding instance VPNv4 RD RT Mechanism in IOS used to build per-interface RIB and FIB Address family used in BGP to carry MPLS-VPN routes Route Distinguisher, used to uniquely identify the same network/mask from different VRFs (i.e., /8 from VPN A and /8 from VPN B) Route Target, used to control import and export policies, to build arbitrary VPN topologies for customers 13 Agenda Prerequisites Background Theory Practice Route Reflectors Carrier s Carrier Inter-AS Import/Export Maps 14 Copyright Printed in USA.

8 Theory Virtual Routing and Forwarding instances Carrying VPN routes in BGP Packet forwarding 15 VRFs A VRF is associated to one or more interfaces on a router VRF is essentially a per-interface routing table and the necessary forwarding stuff (CEF) Not virtual routers, just virtual routing and forwarding VRFs are IP only (no Appletalk-VRF, although in theory it s certainly possible) 16 Copyright Printed in USA.

9 VRFs Within a VRF, provider speaks a routing protocol with their customer Most protocols are supported Static routes RIP BGP EIGRP OSPF No IS-IS support yet (haven t seen the demand) No IGRP or EGP support either (same idea) Routes flow between VRF IGP/BGP and provider BGP (see VPNv4) 17 Virtual Routing and Forwarding Instances Define a VRF for interface 0 Define a different VRF for interface 1 Packets will never go between int. 0 and 1 unless allowed by VRF policy Will explain this policy in the next section No MPLS yet /24 VPN-A VPN-A CE VPN-B CE /24 VRF for VPN-A 0 1 VRF for VPN-B 18 Copyright Printed in USA.

10 Carrying VPN Routes in BGP VRFs by themselves aren t all that useful Need some way to get the VRF routing information off the PE and to other PEs This is done with BGP 19 Additions to BGP to Carry MPLS-VPN Info RD: Route Distinguisher VPNv4 address family RT: Route Target Label all defined in RFC2547 and bis draft 20 Copyright Printed in USA.

11 Route Distinguisher To differentiate /8 in VPN-A from /8 in VPN-B 64-bit quantity Configured as ASN:YY or IPADDR:YY Almost everybody uses ASN Purely to make a route unique Unique route is now RD:IPAddr (96 bits) plus a mask on the IPAddr portion So customers don t see each others routes So route reflectors make a bestpath decision on something other than 32-bit network + 32-bit mask 21 VPNv4 In BGP for IP, 32-bit address + mask makes a unique announcement In BGP for MPLS-VPN, (64-bit RD + 32-bit address) + 32-bit mask makes a unique announcement Since the route encoding is different, need a different address family in BGP VPNv4 = VPN routes for IPv4 As opposed to IPv4 or IPv6 or multicast-rpf, etc VPNv4 announcement carries a label with the route If you want to reach this unique address, get me packets with this label on them 22 Copyright Printed in USA.

12 Route Target To control policy about who sees what routes 64-bit quantity (2 bytes type, 6 bytes value) Carried as an extended community Typically written as ASN:YY Each VRF imports and exports one or more RTs Exported RTs are carried in VPNv4 BGP Imported RTs are local to the box A PE that imports an RT installs that route in its routing table 23 Putting It All Together Control Plane VPN B/Site 1 CE A2 12.1/16 VPN C/Site /16 CE 1 B1 RIPv2 Static RIPv2 CE B2 16.2/16 CE 2 B1 IGP/EBGP Net=16.1/16 CE A1 RIPv2 Step 1 OSPF 16.1/16 VPN A/Site 1 PE 1 Step 2 P 1 VPN-IPv4 P Net=RD:16.1/16 3 NH=PE1 Route Target Label=42 BGP Step 3 CEB3 12.2/16 PE 2 BGP P 2 Step 4 PE 3 VPN C/Site 1 VPN B/Site 2 IGP/EBGP CE Net=16.1/16 A3 OSPF Step /16 VPN A/Site 2 24 Copyright Printed in USA.

13 MPLS-VPN Packet Forwarding Between PE and CE, regular IP packets (for now) Within the provider network label stack Outer label: get this packet to the egress PE Inner label: get this packet to the egress CE 25 Where Do Labels Come From? Within a single network, can use LDP or RSVP to distribute IGP labels LDP follows the IGP path RSVP (for TE) deviates from IGP shortest path, see Deploying MPLS-TE, RST-2062 Which IGP label distribution method you use is independent of any VPN label distribution 26 Copyright Printed in USA.

14 Putting It All Together Forwarding Plane IP Dest= Step 4 CE A1 16.1/16 VPN A/Site 1 VPN-IPv4 Net=RD:16.1/16 NH=PE1 Label=42 PE 1 Label 42 Dest=CEa1 P 1 Step 3 IP Dest= P 3 BGP PE 2 Step 2 Label N Dest=PE1 Label 42 Dest=CEa1 P 2 IP Dest= IP Dest= PE 3 Step 1 CE A3 16.2/16 VPN A/Site 2 27 Import/Export Policies Full mesh: All sites import X:Y and export X:Y Hub and spoke: Hub exports X:H and imports X:S Spokes export X:S and import X:H 28 Copyright Printed in USA.

15 Full Mesh All Clients Get All 16.Z/16 Routes Because All Sites Import and Export X:Y CE A2 16.5/16 VPN A/Site 2 CE B2 16.4/16 PE 2 VPN A/Site 2 PE 1 Net=X:Y:16.Z/16 CE A3 CE A1 P 3 PE /16 CEB3 VPN A/Site /16 VPN A/Site /16 VPN A/Site 1 29 Hub and Spoke 1) Hub Exports: Net=X:H:0/0 CE A2 16.5/16 VPN A/Site 2 2) Spokes Export: Net=X:S:16.X/16 CE B2 16.4/16 3) Hub Imports All X:S Routes PE 1 PE 2 VPN A/Site 2 4) Spokes Import All X:H Routes Net=X:H:0/0 CE A3 CE A1 PE /16 CEB3 VPN A/Site /16 VPN A/Site /16 VPN A/Site 1 30 Copyright Printed in USA.

16 Hub and Spoke 1) Hub Exports: Net=X:H:0/0 CE A2 16.5/16 VPN A/Site 2 2) Spokes Export: Net=X:S:16.X/16 CE B2 16.4/16 3) Hub Imports All X:S Routes PE 1 Net=X:S:16.5/16 Net=X:S:16.4/16 PE 2 VPN A/Site 2 4) Spokes Import All X:H Routes Net=X:S:16.2/16 Net=X:S:16.3/16 CE A3 CE A1 PE /16 CEB3 VPN A/Site /16 VPN A/Site /16 VPN A/Site 1 31 Hub and Spoke 1) Hub Exports: Net=X:H:0/0 CE A2 16.5/16 VPN A/Site 2 2) Spokes Export: Net=X:S:16.X/16 CE B2 16.4/16 3) Hub Imports All X:S Routes PE 1 PE 2 VPN A/Site 2 4) Spokes Import All X:H Routes CE A3 CE A1 All 16.Z/16 Routes PE /16 CEB3 VPN A/Site /16 VPN A/Site /16 VPN A/Site 1 32 Copyright Printed in USA.

17 Hub and Spoke 1) Hub Exports: Net=X:H:0/0 CE A2 16.5/16 VPN A/Site 2 2) Spokes Export: Net=X:S:16.X/16 0/0 0/0 CE B2 16.4/16 3) Hub Imports All X:S Routes PE 1 PE 2 VPN A/Site 2 4) Spokes Import All X:H Routes 0/0 CE A3 CE A1 PE /16 CEB3 0/0 VPN A/Site /16 VPN A/Site /16 VPN A/Site 1 33 Things to Note Core does not run VPNv4 BGP! Same principle can be used to run a BGP-free core for an IP network CE does not know it s in an MPLS-VPN Outer label is from LDP/RSVP Getting packet to egress PE is orthogonal to MPLS-VPN Inner label is from BGP Inner label is there so the egress PE can have the same network in multiple VRFs 34 Copyright Printed in USA.

18 Things to Note Need /32s for all PEs if using LDP Outer label says get me to this prefix If the prefix has a mask shorter than /32, can t guarantee we won t hit summarization at some point in the network What does the summarization point do with the packet? PE1: /32? Label 42 Dest=PE1 VRF Label Dest=CEa1 PE2: /32 P /24, L:42 PE3 35 Agenda Prerequisites Background Theory Practice Route Reflectors Carrier s Carrier Inter-AS Import/Export Maps 36 Copyright Printed in USA.

19 Prerequisites Global Config on PE ip cef {distributed} mpls ip (on by default) CE1 PE1 37 Build a VRF Global Config on PE ip vrf foo rd 100:1 route-target import 247:1 route-target export 247:1 CE1 PE1 38 Copyright Printed in USA.

20 Attach a VRF to a Customer Interface interface Serial0 ip vrf forwarding foo ip address CE PE1 39 Run an IGP within a VRF RIP router rip address-family ipv4 vrf foo version 2 no auto-summary network exit-address-family CE PE1 40 Copyright Printed in USA.

21 Run an IGP within a VRF EIGRP router eigrp 1 address-family ipv4 vrf foo network autonomous-system 1 exit-address-family CE PE1 41 Run an IGP within a VRF OSPF router ospf 1 vrf foo network area 0 CE PE1 42 Copyright Printed in USA.

22 Run BGP within a VRF router bgp 3402 address-family ipv4 vrf foo neighbor remote-as 1000 neighbor activate exit-address-family CE1 AS PE1 AS Enable VPNv4 BGP in the Backbone router bgp 3402 neighbor remote-as 3402 neighbor update-source loopback 0 address-family vpnv4 neighbor activate neighbor send-community both PE1 ibgp VPNv4 PE Copyright Printed in USA.

23 Get Routes from Customer Routing to VPNv4 If CE routing is not BGP, need to redistribute into BGP NOTE: this means you *need* an IPv4 VRF BGP context to get routes into the PE backbone, even if you don t have any BGP neighbors in the VRF IGP metric is usually carried as MED, unless changed EIGRP is an exception, carries the 5-part metric as BGP extended communities router bgp 3402 neighbor remote-as 3402 neighbor update-source loopback 0 address-family ipv4 vrf test redistribute {rip connected static eigrp ospf} Routes from CE1 CE1 PE1 ibgp VPNv4 PE Get Routes from VPNv4 to Customer Routing If CE routing is not BGP, need to redistribute from VPNv4 to CE routing Redistributing BGP into IGP makes some people nervous; don t worry about it, it s hard to screw up Please note that hard!= impossible :) Metric is important when going from MED to RIP or EIGRP Can also use default-metric or route-map router rip address-family ipv4 vrf foo version 2 redistribute bgp 3402 metric 1 no auto-summary network exit-address-family Routes from PE2 CE1 PE ibgp VPNv4 PE2 46 Copyright Printed in USA.

24 Diagnostics on the PE Many commands have a vrf keyword Ping, traceroute, telnet, etc Pretty much every diagnostic command that makes sense ping vrf test trace vrf test telnet /vrf test 47 Diagnostics on the PE show ip route vrf test show ip cef vrf test etc See the session on Troubleshooting MPLS-VPN - (RST-3061) for more information 48 Copyright Printed in USA.

25 Agenda Prerequisites Background Theory Practice Route Reflectors Carrier s Carrier Inter-AS Import/Export Maps 49 Route Reflectors Biggest scaling hurdle with MPLS-VPN is BGP Luckily, we have lots of experience scaling BGP Can use confederations or route reflectors Confederations falling out of favor RRs make more sense when not every router needs all routes (i.e., PEs) Scaling is a little different Currently ~120k Internet routes Some customers are asking for 500k-1M VPNv4 routes Largest in reality is closer to 200k-250k, but be prepared 50 Copyright Printed in USA.

26 Route Reflectors Full ibgp mesh is a lot of neighbors to maintain on every router N^2 provisioning when a PE is added, and VPN networks are growing constantly Route Reflector takes routes from neighbors, gives them to other neighbors Can build a dedicated RR that isn t used for forwarding, but which can hold lots of routes 1GB Memory, ~1,000,000 routes Route Reflector 51 Route Reflectors Basic Configuration Client neighbor remote-as 3402 neighbor update-source loopback0 PE ibgp VPNv4 RR Reflector router bgp 3402 [no bgp default route-target import] neighbor remote-as 3402 neighbor update-source loopback0 address-family vpnv4 neighbor route-reflector-client On by Default If Configured with RR-clients 52 Copyright Printed in USA.

27 Route Reflectors Peer Groups Use peer groups for a tremendous convergence improvement On the RR neighbor foo peer-group neighbor peer-group foo then apply a common output policy to neighbor foo See the deploying BGP session for more details and knobs (RST-3003) 53 Route Reflectors Other Tweaks Peer-groups are such a powerful enhancement that the RR can be overwhelmed by ACKs from lots of clients Increase input hold-queue to hold these ACKs Router(config-if)# hold-queue <x> in Default is 75, consider 500, 1,000, etc (max is 4,096) Memory consumed is (Qsize * ifmtu), so 1500byte depth = 1.5Mbyte per interface If you can t spare the 1.5Mb/interface, you probably shouldn t be a Route Reflector 54 Copyright Printed in USA.

28 Route Reflectors Other Tweaks TCP MSS (max segment size) is 536 by default All backbone links now are MTU 1500 or higher (most ~4k) ip tcp path-mtu-discovery to increase tcp MSS to fix in MTU Benefit: get BGP routes to peers faster, less protocol overhead 55 Route Reflectors Other Tweaks See Complex Deployment and Analysis of BGP (RST-3003) for more details Don t underestimate the power of performance tuning 56 Copyright Printed in USA.

29 Agenda Prerequisites Background Theory Practice Route Reflectors Carrier s Carrier Inter-AS Import/Export Maps 57 BGP + Label RFC3107 defines a way to exchange a label with an IPv4 (not VPNv4) BGP route This is useful to exchange label reachability for IPv4 prefixes between ASes Also used in Carrier s Carrier and Inter-AS Under IPv4 (or IPv4 VRF) address-family: neighbor send-label 58 Copyright Printed in USA.

30 Carrier s Carrier: The Problem MPLS-VPN works well for carrying customer IGPs Platforms, network scale to N*O(IGP) routes What if the CE wants the PE to carry all their BGP routes? Or if CE wants to run their own VPN service? 59 Carrier s Carrier: The Problem (Internet) PE 1 P 1 BGP PE 2 P 2 IP Dest=Internet CE A3 CE A1 P 3 PE 3 Step 1 ISP A/Site 2 ibgp IPv4 ISP A/Site 1 Internet 60 Copyright Printed in USA.

31 Carrier s Carrier: The Problem (VPN) PE 1 P 1 BGP PE 2 P 2 Label (ibgp VPnv4) Dest=VRF A IP Dest= CE A3 CE A1 P 3 PE 3 Step 1 ISP A/Site 2 ibgp VPNv4 ISP A/Site 1 VRF A /24 61 Carrier s Carrier: The Solution MPLS between PE and CE Either IGP+LDP or BGP+Label CEs exchange labels for their IGP routes with the PEs CEs ibgp peer with each other PEs are back to O(IGP) information 62 Copyright Printed in USA.

32 Carrier s Carrier: The Solution (Internet) IP Dest=Internet Step 4 CE A1 VPN A/Site 1 PE 1 P 1 Step 3 Label (VPNv4) Dest=CEa1 IP Dest=Internet P 3 Internet BGP PE 2 Step 2 Label (LDP/TE) Dest=PE1 P 2 Label (VPNv4/IBGP) Dest=CEa1 IP Dest=Internet Label (LDP/BGP+Label) Dest=CEa1 IP Dest=Internet PE 3 Step 1 CE A3 VPN A/Site 2 63 Carrier s Carrier: The Solution (VPN) Label (VPNv4) Dest=VPN1 IP Dest=VPN1-Cust Step 4 CE A1 VPN A/Site 1 PE 1 P 1 Step 3 Label (VPnv4) Dest=CEa1 Label (VPNv4) Dest=VPN1 IP Dest=VPN1-Cust P 3 BGP PE 2 Step 2 Label (LDP/TE) Dest=PE1 Label (VPnv4) Dest=CEa1 P 2 Label (VPNv4) Dest=VPN1 VPN1-Cust IP Dest=VPN1-Cust Label (LDP/BGP) Dest=CEa1 Label (ibgp VPNv4) Dest=VPN1 IP Dest=VPN1-Cust PE 3 Step 1 CE A3 VPN A/Site 2 64 Copyright Printed in USA.

33 Agenda Prerequisites Background Theory Practice Route Reflectors Carrier s Carrier Inter-AS Import/Export Maps 65 Inter-AS MPLS VPN VPN sites may be geographically dispersed Requiring connectivity to separate MPLS VPN service providers Transit between VPN sites may pass through multiple providers MPLS backbones This implies exchange of VPN routing information between providers Provider backbones may or may not provide VPN service directly Referred to as inter-as VPN 66 Copyright Printed in USA.

34 VPN Client Connectivity VPN-v4 Update: RD:1:27: /24, NH=PE-1 RT=1:231, Label=(28) PE-1 BGP, OSPF, RIPv /24,NH=CE-1 CE-1 VPN-A /24 Edge Router1 Edge Router2 AS #1 AS #2 How to Distribute Routes between SPs? VPN-A VRF Import Routes with Route-target 1:231 CE2 PE2 VPN-A-2 VPN Sites Attached to Different MPLS VPN Service Providers 67 VPNv4 Distribution Options PE-ASBR-1 MP-eBGP for VPNv4 PE-ASBR-2 PE-1 Multihop MP-eBGP between RRs AS #1 AS #2 PE-2 CE-1 CE-2 VPN-A-1 VPN-A-2 Other Options Available, These Two Are the Most Sensible 68 Copyright Printed in USA.

35 EBGP VPNv4 Gateway PE-ASBRs exchange routes directly using BGP External MP-BGP for VPNv4 prefix exchange; no LDP or IGP MP-BGP session with next-hop set to advertising PE-ASBR Next-hop and labels are rewritten when advertised across the inter-provider MP-BGP session PE-ASBR stores all VPN routes that need to be exchanged But only within the BGP table No VRFs; labels are populated into the LFIB of the PE-ASBR 69 EBGP VPNv4 Receiving gateway PE-ASBRs may allocate new label if desired Controlled by configuration of next-hop-self (default is off) Receiving PE-ASBR will automatically create a /32 host route for its PE-ASBR neighbor Which must be advertised into receiving IGP if nexthop-self is not in operation to maintain the LSP PE-ASBRs need to hold all inter-as VPN routes 70 Copyright Printed in USA.

36 EBGP VPNv4 PE-ASBR-1 EBGP for VPNv4 PE-ASBR-2 PE-1 Label Exchange between Gateway AS #1 PE-ASBR Routers AS #2 Using EBGP PE-2 CE-1 CE-2 CE-3 CE-4 VPN-A-1 VPN-B-1 VPN-B-2 VPN-A-2 MP-BGP VPNv4 Prefix Exchange between Gateway PE-ASBRs 71 EBGP VPNv4 VPN-v4 Update: RD:1:27: /24, NH=PE-1 RT=1:222, Label=(L1) PE-1 PE-ASBR-1 VPN-v4 Update: RD:1:27: /24, AS #1 NH=PE-ASBR-1 AS #2 RT=1:222, Label=(L2) PE-ASBR-2 VPN-v4 Update: RD:1:27: /24, NH=PE-ASBR-2 RT=1:222, Label=(L3) PE-2 BGP, OSPF, RIPv /24,NH=CE-2 CE-2 CE-3 BGP, OSPF, RIPv /24,NH=PE-2 VPN-B /24 VPN-B-2 72 Copyright Printed in USA.

37 EBGP VPNv4 LDP PE-1 Label L PE-ASBR-1 PE-ASBR-2 L L1 PE-1 L LDP PE-ASBR-2 Label L PE CE-2 CE VPN-B-1 VPN-B /24 73 Multihop EBGP VPNv4 between RRs MPLS VPN providers exchange VPNv4 prefixes via their route reflectors Requires multihop MP-eBGP (VPNv4 routes) Next-hop-self must be disabled on route reflector Preserves next-hop and label as allocated by the originating PE router Providers exchange IPv4 routes with labels between directly connected ASBRs using ebgp Only PE loopback addresses exchanged as these are BGP next-hop addresses 74 Copyright Printed in USA.

38 Multihop EBGP VPNv4 between RRs RR-1 Multihop EBGP for VPNv4 with Nexthop-unchanged RR-2 PE-1 CE-1 AS #1 AS #2 CE-2 ASBR-1 ASBR-2 ebgp IPv4 + Labels ASBRs Exchange BGP Next-hop Addresses with Labels CE-3 PE-2 CE-4 VPN-A-1 VPN-B-1 VPN-B-2 VPN-A-2 Multihop MP-eBGP VPNv4 Prefix Exchange between Route Reflectors 75 Multihop EBGP VPNv4 between RRs VPN-v4 Update: RD:1:27: /24, NH=PE-1 RT=1:222, Label=(L1) PE-1 BGP, OSPF, RIPv /24,NH=CE-2 CE-2 RR-1 VPN-v4 Update: RD:1:27: /24, NH=PE-1 RT=1:222, Label=(L1) ASBR-1 Network=PE-1 NH=ASBR-1 Label=(L2) RR-2 ASBR-2 Network=PE-1 NH=ASBR-2 Label=(L3) CE-3 VPN-v4 Update: RD:1:27: /24, NH=PE-1 RT=1:222, Label=(L1) PE-2 BGP, OSPF, RIPv /24,NH=PE-2 VPN-B /24 VPN-B-2 76 Copyright Printed in USA.

39 Multihop EBGP VPNv4 between RRs RR-1 RR-2 L PE-1 LDP PE-1 Label L ASBR-1 ASBR-2 L2 L L3 L LDP PE-ASBR-2 Label L3 L PE CE-2 CE VPN-B /24 VPN-B-2 77 One Way of Configuring Inter-AS Best practices: Next-hop-self on ASBRs BGP+Label between ASBRs in RR peering case VPNv4 next-hops are not redistributed into IGP, but passed around in BGP+Label 78 Copyright Printed in USA.

40 EBGP VPNv4 PE-ASBR-1 EBGP VPNv4 PE-ASBR-2 IBGP VPNv4 PE-1 AS #1 AS #2 IBGP VPNv4 PE-2 CE-1 CE-4 VPN-A-1 VPN-A-2 MP-BGP VPNv4 Prefix Exchange between Gateway PE-ASBRs 79 EBGP VPNv4 PE-ASBR-1 EBGP VPNv4 PE-ASBR-2 IBGP VPNv4 PE-1 CE-1 VPN-A-1 AS #1 AS #2 router bgp 1 no bgp default route-target filter address-family vpnv4 neighbor <PE-1> next-hop-self neighbor <PE-ASBR2> IBGP VPNv4 PE-2 CE-4 VPN-A-2 MP-BGP VPNv4 Prefix Exchange between Gateway PE-ASBRs 80 Copyright Printed in USA.

41 EBGP VPNv4 PE-ASBR-1 EBGP VPNv4 PE-ASBR-2 IBGP VPNv4 PE-1 CE-1 VPN-A-1 AS #1 AS #2 router bgp 2 no bgp default route-target filter address-family vpnv4 neighbor <PE-2> next-hop-self neighbor <PE-ASBR1> IBGP VPNv4 PE-2 CE-4 VPN-A-2 MP-BGP VPNv4 Prefix Exchange between Gateway PE-ASBRs 81 EBGP VPNv4 PE-ASBR-1 EBGP VPNv4 PE-ASBR-2 IBGP VPNv4 PE-1 AS #1 AS #2 IBGP VPNv4 PE-2 CE-1 VPN-A-1 Good: Easy, Simple to Do Bad: ASBRs Hold All Inter-AS Routes CE-4 VPN-A-2 82 Copyright Printed in USA.

42 BGP+Label Within and Between ASes RR-1 Multihop EBGP for VPNv4 with Nexthop-unchanged RR-2 PE-1 ASBR-1 ASBR-2 AS #1 AS #2 BGP IPv4 + Labels PE-2 CE-1 VPN-A-1 router bgp <1 2> address-family ipv4 neighbor <ASBR> send-label CE-4 VPN-A-2 BGP+Label within and between ASes to Build LSP from PE-2 to PE-2; Also Need to Leak Host Route for PE-1 to AS #2 (and Vice Versa) 83 Multihop EBGP VPNv4 between RRs RR-1 RR-2 PE-1 ASBR-1 ASBR-2 AS #1 AS #2 PE-2 CE-1 VPN-A-1 router bgp 1 neighbor <RR-2> remote-as 2 address-family vpnv4 neighbor <RR-2> activate neighbor <RR-2> next-hop-unchanged CE-4 VPN-A-2 Multihop BGP VPNv4 Prefix Exchange between Route Reflectors 84 Copyright Printed in USA.

43 Multihop EBGP VPNv4 between RRs RR-1 Multihop EBGP for VPNv4 with Nexthop-unchanged RR-2 PE-1 ASBR-1 ASBR-2 AS #1 AS #2 BGP IPv4 + Labels PE-2 CE-1 VPN-A-1 Good: Scales Much Better, ASBRs Can Concentrate on Packet Forwarding Bad: More Complex CE-4 VPN-A-2 85 Agenda Prerequisites Background Theory Practice Route Reflectors Carrier s Carrier Inter-AS Import/Export Maps 86 Copyright Printed in USA.

44 Import/Export Maps So far, the only config we ve seen forces a few things: All routes exported from a VRF have the same RTs All routes matching the route-target import value are imported into a VRF, regardless of the network/mask of the route itself Route-target import and export maps provide more granular control in this area 87 Import/Export Maps: The Problem 16.1/16 Needs to Go to Site A2 16.2/16 Needs to Go to Site A3 How Do I Do This? CE-2 VPN-A-2 PE-1 CE-1 VPN-A / /16 AS42 PE-2 PE-3 CE-3 VPN-A-3 88 Copyright Printed in USA.

45 Import/Export Maps: Theory Export 16.1/16 with RT 100:2 Export 16.1/16 with RT 100:3 VPN-A-2 CE-2 PE-1 CE-1 VPN-A / /16 AS42 PE-2 PE-3 CE-3 VPN-A-3 89 Import/Export Maps: Practice Define the Prefixes to Match ip prefix-list to-a2 seq 5 permit /16 ip prefix-list to-a3 seq 5 permit /16 PE-1 CE-1 Build a Route-map to Set Export Policy Apply Export-map to a VRF route-map VPN-A permit 10 match ip address prefix-list to-a2 set extcommunity rt 100:2 route-map VPN-A permit 20 match ip address prefix-list to-a3 set extcommunity rt 100:3 ip vrf lab rd 100:1 export map VPN-A VPN-A / /16 90 Copyright Printed in USA.

46 Import/Export Maps Same thing for import, except import map foo 91 Conclusion MPLS-VPN simplifies networking for customers Offloads work onto the SP Straightforward to configure basic MPLS-VPN CSC and Inter-AS get a little more complex, are more powerful services MPLS-VPN scales as BGP Complex customer topologies can be replicated using Route Target import/export maps 92 Copyright Printed in USA.

47 Recommended Reading MPLS and VPN Architectures, CCIP Edition ISBN: MPLS and VPN Architectures, Vol II ISBN: Advanced MPLS Design and Implementation ISBN: X Available on-site at the Cisco Company Store 93 Please Complete Your Evaluation Form Session 94 Copyright Printed in USA.

48 95 Copyright Printed in USA.