Inter-AS MPLS Solutions. BRKMPL-2105 Sangita Pandya, TME, Cisco Systems, Inc.

Transcription

1 Inter-AS MPLS Solutions BRKMPL-2105 Sangita Pandya, TME, Cisco Systems, Inc.

2 The Prerequisites Must understand basic IP routing Familiar with MPLS architectures Familiar with MPLS applications Some level of MPLS network design/ deployment experience 2

3 Goal Explore Inter-AS MPLS VPN use cases Discuss various architectures that facilitate support of MPLS VPN services in Inter-AS environment Highlight some of the key differences between IOS and IOS XR Introduce some of the key commands in IOS or IOS XR For full configuration examples please refer to 3

4 Agenda Inter-AS Networks Inter-AS Connectivity Models Inter-AS L3 VPNs Inter-AS L2VPNs Inter-AS Multicast VPNs Carrier Supporting Carrier CSC Service Models MPLS L3 VPNs Multicast VPNs MPLS L2 VPNs Inter-AS RSVP-TE 4

5 Inter-AS MPLS Service Use Cases Subscriber1 AS1 Provider 1 AS2 Provider 2 AS3 Provider 2 Subscriber1 SubscriberN SubscriberN Extend VPN services over multiple independently managed MPLS domains Fast geographic service coverage expansion Two MPLS VPN Providers peering to cover for a common customer base Build MPLS VPN networks on original multi-domain network IGP isolation with service continuity Interconnect BGP confederations with different IGPs in the same AS Two available as described in RFC 4364 : 1.Carrier Supporting Carrier (CSC) 2.Inter-Autonomous Systems (I-AS) 5

6 Carrier Supporting Carrier vs. Inter-AS Customer Carrier-B MPLS Backbone Provider Customer Carrier-B Provider-A ASBR-A ASBR-B Provider-B Subscriber A Site1 Subscriber A Site2 Subscriber A Site1 Subscriber A Site2 CSC IP/MPLS Carrier doesn t want to manage own MPLS backbone IP/MPLS Carrier is a customer of another MPLS backbone provider Only the backbone provider is required to have MPLS VPN core Customer Carriers do not distribute their subscribers VPN info to the backbone carrier Client-Server model Inter-AS Single SP POPs not available in all geographical areas required by their subscribers/customers SPs provide services to the common customer base Both SPs must support MPLS VPNs Subscribers VPN information distributed to peering SPs network Peer-Peer model 6

7 Inter-AS L3 VPNs Overview 7

8 Extending VPN services over Inter-AS networks VPN Sites attached to different MPLS VPN Service Providers How do you distribute and share VPN routes between ASs ASBR1 Back-to-Back VRFs (Option A) ASBR2 PE11 MP-eBGP for VPNv4 (Option B) AS #1 AS #2 Multihop MP-eBGP between RRs (Option C) MP-eBGP+Labels PE22 CE1 CE2 VPN-R1 VPN-R2 8

9 Intra-AS MPLS VPNs Review Route Distinguisher (RD) convert IPv4 routes to VPNv4 Routes Route Target allows VPN routes to be imported/exported to/from a VPN Peer PE loopbacks are known via IGP MP-BGP protocol carries VPNv4 routes and communities using BGP address-families 18.1/16 MP-iBGP Update BGP VPN-IPv4 Net=RD:16.1/16 NH=PE1 Route Target 100:1 VPN Label= /16 VPN/VRF Endpoints IP PE1 P1 P2 MPLS Core MP-iBGP Update: BGP VPN-IPv4 Net=RD:18.1/16 NH=PE1 Route Target 100:1 VPN Label=41 IP 40 PE2 IP VPN/VRF Endpoints IP 9

10 Inter-AS VPN Option A Connecting ASBRs using Back-to-Back VRFs PE1 BGP VPN-IPv4 Net=RD:16.1/16 NH=PE1 Route Target 100:1 VPN Label=40 P1 P1 AS1 Two providers prefer not to share MPLS link Each ASBR Thinks the Other Is a CE One logical interface per VPN/VRF on directly connected ASBRs; Packet is forwarded as an IP packet between the ASBRs Link may use any supported PE-CE routing protocol IP QoS policies negotiated and configured manually on the ASBRs Option A is the most secure and easiest to provision May not be easy to manage as #s of VPNs grow Unlabeled IP Packets VRF-Lite Configuration PE-ASBR1 PE-ASBR2 BGP VPN-IPv4 Net=RD:17.1/16 NH=PE1 Route Target 200:1 VPN Label=80 10 P2 AS2 IP IP 40 P1 IP 40 IP IP 80 P2 IP 80 IP PE2

11 Inter-AS VPN Option B Connecting two ASBRs Two Methods 1. Redistribute ebgp link into the IGP of both AS ASBR1 ASBR2 AS #1 AS #2 PE1 IGP1 IGP2 PE2 2. Receiving PE-ASBRs be the next hop I m the Next Hop to AS2 ASBR1 I m the Next Hop to AS1 ASBR2 AS #1 AS #2 PE1 PE2 11

12 Inter-AS VPN Option B Establishing reachability between geographically dispersed VPNs using Next Hop Self on ASBRs ebgp for VPNv4 VPN-v4 update: RD:1:27: /24, NH=PE1 RT=1:222, Label=(L1) PE1 BGP, OSPF, RIPv /24,NH=CE2 ASBR1 AS #1 VPN-v4 update: RD:1:27: AS #2 /24, NH=ASBR1 RT=1:222, Label=(L2) CE1 Customer-A /24 Label Exchange between Gateway PE-ASBR Routers Using ebgp ASBR2 CE2 Customer-A VPN-v4 update: RD:1:27: /24, NH=ASBR2 RT=1:222, Label=(L3) PE2 BGP, OSPF, RIPv /24,NH=PE2 All VPNv4 Prefixes/Labels from PEs Distributed to ASBRs Next Hop and labels are rewritten on ASBRs when routes are advertised across domains. ASBRs store all VPNv4 routes in BGP table. 12

13 Inter-AS VPN Option B Establishing reachability between geographically dispersed VPNs using Next Hop Self on ASBRs No Virtual Routing Forwarding tables on ASBRs unless ASBR also supports PE functionality (has VRF interfaces) In IOS, Receiving PE-ASBR automatically creates a /32 host route to a peer ASBR Which must be advertised into receiving IGP if next-hop-self is not in operation to maintain the LSP In XR, must define a static route to the Next Hop of peer ASBR for Option B and C as well as all address families (IPv4, IPv6, VPNv4, VPNv6). The CLI is only shown in Option B configuration example. In XR, must define route-policy to pass or filter selected VPNv4 routes for for Option B and Option C as well as all address families (IPv4, IPv6, VPNv4, VPNv6). The CLI is only shown in Option B configuration example. ASBR-ASBR link must be directly connected Could use GRE tunnelconsidered directly connected. 13

14 Inter-AS VPN Option B End-to-end VPN packet forwarding - Next Hop Self on ASBRs ASBR1 ASBR2 L L1 PE1 AS #1 AS #2 L PE CE1 CE VPN-R /24 VPN-R2 L1, L2, L3 are BGP VPN label. The Outer Most Core (IGP Labels in an AS) Label Is not displayed in on this slide. 14

15 Inter-AS VPN Option B Cisco IOS ASBR ebgp configuration ASBR1 ebgp for VPNv4 ASBR2 PE1 CE1 VPN-R1 AS #1 AS #2 router bgp 1 neighbor <ASBR2> remote-as 2 neighbor <PE1> remote-as 1 neighbor <PE1> update-source loopback0 no bgp default route-target filter address-family vpnv4 neighbor <PE1> remote-as 1 activate neighbor <PE1> remote-as 1 next-hop-self neighbor <ASBR2> remote-as 2 activate neighbor <ASBR2> remote-as 2 send-community extended PE2 CE2 VPN-R2 ASBRs require no bgp default route-target filter command to store VPNv4 routes as it does not have any VRF interfaces. 15

16 Inter-AS VPN Option B Cisco IOS XR ASBR1 Configuration PE1 ASBR1 ebgp for VPNv4 Int gig0/0/1 Int gig0/0/1 ASBR2 AS # AS #2 router bgp 1 mpls activate (Enables MPLS forwarding onasbr) interface <type & #> (Specify ASBR-ASBR link) address-family vpnv4 unicast neighbor <ASBR2> remote-as 2 address-family vpnv4 unicast (Initialize VPNv4 address family for ASBR) route-policy pass-all in route-policy pass-all out (Allow forwarding of VPNv4 routes to other AS) route-policy pass-all pass end-policy neighbor <PE1> remote-as 1 update-source loopback0 address-family vpnv4 unicast next-hop-self (Set ASBR1 as next-hop-self) router static /32 interface gig0/0/1 (Static Route for ASBR-ASBR link must be configured. It is not installed automatically like in IOS) 16 PE2 Note: Static route and route-policy required for all address-families & Option B and C

17 Inter-AS VPN Option C Multihop ebgp VPNv4 Between RRs for better scale Route Reflectors exchange VPNv4 routes ASBRs Exchange PE loopbacks (IPv4) with labels as these are BGP NH addresses Eliminates LFIB duplication at ASBRs. ASBRs don t hold VPNv4 prefix/label info. RR1 Exchange VPNv4 Routes RR2 Two Options for Label Distribution for BGP NH Addresses for PEs in each domain: 1. BGP IPv4 + Labels (RFC3107) most preferred & recommended 2. IGP + LDP BGP exchange Label Advertisement Capability - Enables end-end LSP Paths AS #1 PE1 ASBR1 ebgp IPv4 + Labels ASBR2 IGP + LDP AS #2 PE2 Subsequent Address Family Identifier (SAFI value 4) field is used to indicate that the NLRI contains a label Disable Next-hop-self on ebgp RRs (peers) 17

18 I-AS VPN Option C Establishing reachability between VPNs BGP update: RD:1:27: /24, NH=PE1 RT=1:222, Label=(L1) AS #1 RR1 BGP VPNv4 update: RD:1:27: /24, NH=PE1 RT=1:222, Label=(L1) ASBR1 ASBR2 RR2 BGP VPN-v4 update: RD:1:27: /2 4, NH=PE1 RT=1:222, Label=(L1) PE1 PE2 BGP, OSPF, RIPv /24,NH=CE2 CE1 VPN-R /24 To ASBR2: Network=PE1 NH=ASBR-1 Label=(L2) From ASBR1: Network=PE1 NH=ASBR-2 Label=(L3) BGP, OSPF, RIPv /24,NH=PE2 VPN-R2 CE2 ASBRs store PE loopbacks & exchange labels for PE Loopback addresses RRs store and exchage VPNv4 routes & labels 18

19 I-AS VPN Option C VPN packet forwarding RR1 RR2 L ASBR1 ASBR2 L3 L PE1 L2 L PE CE1 CE VPN-R /24 VPN-R2 L1 is a VPN label. L2 and L3 are IPv4 labels. The Outer Most Core (IGP Labels in an AS) Label Is not displayed in on this slide. 19

20 I-AS VPN Option C IPv4+Label, Cisco IOS Configuration address-family ipv4 neighbor <RR1> activate neighbor <RR1> send-label RR1 AS #1 ASBR1 router bgp 1 neighbor <RR2> ebgp-multihop 255 address-family ipv4 neighbor <RR2> activate neighbor <PE1> activate neighbor <PE1> send-label PE1 address-family ipv4 neighbor <ASBR2> activate neighbor <ASBR2> send-label neighbor ASBR2 <ASBR1> activate neighbor <ASBR1> send-label PE2 address-family vpnv4 neighbor <RR2> next-hop-unchanged exit-address-family neighbor <RR1> activate neighbor <RR1> next-hop-self neighbor <RR1> send-label 20

21 I-AS VPN Option C IPv4+Label, Cisco IOS XR Configuration Command towards all peers address-family ipv4 labeled-unicast Command towards all peers address-family ipv4 labeled-unicast RR1 RR2 AS #1 ASBR1 PE1 router bgp 1 address-family vpnv4 unicast neighbor <RR2> remote-as 2 address-family vpnv4 unicast ebgp-multihop 255 next-hop-unchanged ASBR2 PE2 21

22 Inter-AS Multipath Load Balance Options Support VPNv4 and label negotiated IPv4 ebgp sessions between loopbacks of directly connected routers w/o the use of LDP on the connecting interfaces Consider the three topologies Designated by Topo-1, Topo-2, Topo-3 Load balancing for Inter-AS sub-cases with: 1. Interface Peering 2. Loopback peering 3. IPv4 + Label 4. VPNv4 + Label ASBR1 Topo-1 ASBR1 ASBR3 Topo-2 ASBR1 AS1 AS2 ASBR2 ASBR2 ASBR2 ASBR3 Topo-3 ASBR4 22

23 Inter-AS Loopback Peering for Directly Connected ASBRs RR1 PE1 AS #1 L0: E0/0: ASBR-1 E2/0: L0: /32 E0/0: ASBR-2 E2/0: AS #2 RR2 PE2 Create loopback interfaces on directly connected ASBRs HOSTNAME ASBR2 (IOS configuration) interface e0/0 ip address mpls bgp forwarding Enable BGP forwarding on connecting interfaces interface e2/0 ip address mpls bgp forwarding router bgp 2 neighbor remote-as 1 neighbor disable-connected-check neighbor update-source Loopback0 address-family vpnv4 neighbor activate neighbor send-community extended ip route e0/ ip route e2/ Configure /32 static routes to the ebgp neighbor loopback address 23

24 Inter-AS Security Elements MD5 Authentication on LDP/BGP Sessions Apply max prefix Static Labels TTL check to diagnose DoS attacks Filtering with BGP attributes ASPATH, ext communities, RDs checks, etc. Set route-maps to filter and send only the desirable prefixes RT Constraint (filtering) Customize Route Targets, RT Rewrite 24

25 Route Target Rewrite Example VPN-A Export RT 100:1 Import RT 100:1 VPNv4 Exchange Rewrite RT: 100:1->200:1 VPN-A Export RT 200:1 Import RT 200:1 PE-1 PE-ASBR1 AS #1 AS #2 PE-ASBR2 PE2 VPN-A-1 CE-1 Rewrite RT: 200:1->100:1 Replace Incoming Update on ASBR2: ip extcommunity-list 1 permit rt 100:1 route-map extmap permit 10 match extcommunity 1 set extcomm-list 1 delete set extcommunity rt 200:1 additive route-map extmap permit 20 neighbor X.X.X.X route-map extmap in VPN-A-2 25 CE2

26 Inter-AS L3VPN Summary Three models: Option A, B, and C Option A is the most secured, least invasive. Support granular QoS. Option B, more scalable than Option-A for high numbers of VRFs. more adoptable by different provider corporations Less invasive than Option C, More invasive than Option A More scalable than Option-A if have high numbers of VRFs Use ebgp for ASBR peering ASBRs store VPNv4 routes and allocate labels for VPN prefixes Option C, most scalable, most invasive, mostly deployed in a single service provider s multi-as network Use ASBRs to handle IPv4 PE loopbacks Route Reflectors exchange VPNv4 routes 26

27 Inter-AS IPV6 VPNs 27

28 Inter-AS IPv6 VPN 2003:1:: is reachable via BGP Next Hop = :1:: is reachable via BGP Next Hop = VPE1 CE1 AS1 ASBR ASBR AS2 2003:1:: is reachable via BGP Next Hop = bind BGP label to 2003:1:: (*) VPE2 CE2 VPN-R1 2001:0db8:: VPN-R2 2003:1:: All three ASBR-to-ASBR connectivity options discussed in earlier sections are supported for -IPv6 Provider Edge Router - 6PE model (uses vanilla IPv6) -IPv6 VPN Provider Edge - 6VPE model (uses option A,B,C) IPv4 address is used for PE-ASBR and ASBR-ASBR peering 28

29 Inter-AS IPv6 VPN IOS Configuration ASBR1 ASBR VPE1 CE1 VPN-R1 2001:0db8:: AS router bgp 1 no bgp default ipv4-unicast no bgp default route-target filter neighbor remote-as 2 neighbor remote-as 1 neighbor update-source Loopback1 address-family vpnv6 Peering to ASBR2 over an IPv4 link neighbor activate neighbor send-community extended Peering to PE1 over an IPv4 link neighbor activate neighbor next-hop-self neighbor send-community extended VPE2 29 AS2 CE2 VPN-R2 2003:1::

30 Inter-AS IPv6 VPN IOS XR Configuration ASBR1 ASBR VPE1 CE1 VPN-R1 2001:0db8:: AS router bgp 1 address-family vpnv6 unicast Peering to ASBR2 over an IPv4 link neighbor remote-as 2 address-family vpnv6 unicast AS VPE2 CE2 VPN-R2 2003:1:: Peering to PE1 over an IPv4 link neighbor remote-as 1 address-family vpnv6 unicast 30

31 Inter-AS L2 VPNs 31

32 Enabling L2VPNs Targetted-LDP Peers VC types & Labels exchanged Pseudowire CE1 PE1 PW1 PW2 PE2 CE3 CE2 AC IP/MPLS AS1 AC CE4 An L2VPN is comprised of switched connections between subscriber endpoints over a shared network PW is an emulated circuit over IP or MPLS core Virtual Circuit(VC) is created for every Attachment Circuit (AC) Goal is to transport Native Services without loosing original encapsulation format L2VPN PEs exchange labels for VC types 32

33 Building L2VPNs in I-AS environment Challenge: LDP or BGP L2VPN (for VPWS or VPLS) peers are located in different AS Solution: Use Option A, don t need to know loopbacks of L2VPN peers in other AS Use Option B to establish NLRI beween L2VPN peers Use Option C to establish NLRI between L2VPN peers 33

34 Inter-AS L2VPN Multiple PW Segments Using Option A T-LDP Peers VC type & Label T-LDP Peers VC type & Label Pseudowire PW Label PL = Payload PW1 PW1 CE1 AC PE1 PW2 IP/MPLS AS1 ASBR1 ASBR2. AC PW2 IP/MPLS AS2 PE2 AC CE2 PL 40 PL 40 PL 80 PL 80 Any Transport over MPLS is a point-to-point L2VPN service Need T-LDP sessions to build a PW. Need an IP address to build T-LDP session. One PW/AC (AC types: Ethernet, VLAN, PPP, ATM, TDM, FR, HDLC) Clear demarcation between ASs PE-ASBR exchange PW (VC) label Granular QoS control between ASBRs 34

35 Inter-AS L2VPN Multihop PW Using Option B T-LDP Peers T-LDP Peers PW Labels PL = Payload PE1 PW1 ASBR1 PW2 ASBR2 PW3 PE2 IP/MPLS AS1 T-LDP Peers IP/MPLS AS2 PL 40 PL 40 PL 80 PL 80 PL 10 PE and P devices do not learn remote PW endpoint addresses Only PW endpoint address (ASBR) leaked between ASs ASBRs swap PW (Virtual Circuit) Label 35

36 Inter-AS L2VPN Option B IOS Configuration HOSTNAME PE1 interface giga1/0 xconnect <ASBR1> 10 encapsulation mpls HOSTNAME PE2 interface giga1/0 xconnect <ASBR2> 20 encapsulation mpls PE1 PW1 IP/MPLS AS1 ASBR1 PW2 ASBR2 PW3 IP/MPLS AS2 PE2 HOSTNAME ASBR1 pseudowire-class pw-switch encapsulation mpls l2 vfi pw-switch point-to-point neighbor <ASBR2> 100 pw-class pw-switch neighbor <PE3> 10 pw-class pw-switch Interface giga3/0 mpls bgp forwarding router bgp 1 Neighbor <ASBR2-WAN> remote-as 2 exit-address-family *Also announce the loopback address (xconnect ID) of ASBR1 in IGP(AS1) and ebgp HOSTNAME ASBR2 pseudowire-class pw-switch encapsulation mpls L2 vfi pw-switch point-to-point neighbor <ASBR1> 100 pw-class pw-switch neighbor <PE4> 20 pw-class pw-switch Interface giga3/0 mpls bgp forwarding router bgp 2 neighbor <ASBR1-WAN> remote-as1 exit-address-family *Also announce the loopback address of ASBR2 in IGP(AS2) and ebgp 36

37 Inter-AS L2VPN Option C Single-Hop PW: BGP IPv4+label T-LDP Peers PW Labels PL = Payload PE1 ASBR1 ASBR2 PE2 IP/MPLS AS1 IP/MPLS AS2 PL PL PL 40 PL 40 Single physical interface between ASBRs PW endpoint addresses leaked between ASs using ebgp IPv4+label and distributed to PEs using ibgp IPv4+label PWs are not terminated on ASBRs 37

38 Inter-AS AToM Option C Configuration HOSTNAME PE3 interface Gig1/1/1 xconnect <PE4> 100 encapsulation mpls Activate IPv4 label capability router bgp 1 address-family ipv4 neighbor <ASBR-1> send-label exit-address-family Notice PW configuration remains the same as in intra-as network T-LDP Peers HOSTNAME PE4 interface Gig1/1/1 xconnect <PE3> 100 encapsulation mpls Activate IPv4 label capability router bgp 2 address-family ipv4 neighbor <ASBR-2> send-label exit-address-family PE3 ASBR1 ASBR2 PE4 Int Gig1/1/1 IP/MPLS AS1 IP/MPLS AS2 Int Gig1/1/1 HOSTNAME ASBR1 Activate IPv4 label capability router bgp 1 address-family ipv4 neighbor <PE3> send-label neighbor <ASBR-2> send-label exit-address-family HOSTNAME ASBR2 Activate IPv4 label capability router bgp 2 address-family ipv4 neighbor <PE4> send-label neighbor <ASBR-1> send-label exit-address-family 38

39 I-AS L2VPNs Key Points All three I-AS models are supported to carry VPWS or VPLS PWs Transparently forwarding of data over PWs IOS supports LDP for signaling, BGP for Autodiscovery(VPLS) IOS XR supports both LDP and BGP signaling Option B is not supported for BGP signaled PWs Per-PW Quality of Service (QoS) is not supported. Attachment circuit inter-working is supported in IOS XR Transporting L2VPN virtual circuit over Traffic Engineering (TE) (tunnel selection) or GRE is supported. 39

40 Inter-AS mvpns 40

41 mvpn Concept and Fundamentals Review Multicast Applications: E-Learning, Gaming, Conferencing, Monitoring mvpn over IP (eric-rosen draft) In an mvpn network CEs join MPLS Core through provider s PE devices PEs perform RPF check on Source to build Default and Data Trees (Multicast Data Trees MDT) Interfaces are associated with mvrf Source-Receivers communicate using mvrfs CE San Francisco CE Receiver 4 B1 PE Default MDT For low Bandwidth & control traffic only. Los Angeles D PE CE B D B2 Receiver 3 Source MPLS VPN Core PE A C A PE CE New York PE E Data MDT For High Bandwidth traffic only. Dallas C CE CE E CE F High bandwidth multicast source Join high bandwidth source Receiver 2 41

42 I-AS mvpn Requirements Extending mvpn service offerings Challenge: Setup Multicast Data Trees across ASs To form the Default MDT, PE routers must perform an RPF check on the source The Source address is not shared between ASs Solution: Support reverse path forwarding (RPF) check for I-AS sources P and PE devices Build I-AS MDTs Introduced two new components: 1. BGP Connector Attribute 2. PIM RPF Vector 42

43 RPF Check with Option B and Option C ASBR1 ASBR2 P11 PE1 AS #1 MDTs AS #2 PE2 CE1 VPN-A1 CE4 VPN-A2 For Option B(eBGP between ASBRs): Use BGP Connector Attribute to RPF to source that is reachable via PE router in remote AS Preserves identity of a PE router originating a VPNv4 Prefix Receiving PEs in the remote AS use RPF Connector to resolve RPF For Option B and C: Use PIM RPF Vector to help P routers build an I-AS MDT to Source PEs in remote AS Leverage BGP MDT SAFI on ASBRs and receiver PEs to insert the RPF Vector needed to build an I-AS MDT to source PEs in remote ASs 43

44 I-AS MVPN MDT Establishment for Option B using BGP connector attribute From ASBR1 to PE1 RD 1:1, Prefix /24 NH ASBR1, CONN PE2 BGP MDT SAFI Update RD1:1, Prefix PE2, MDT , NH ASBR1 3. ASBR1 ASBR2 From ASBR2 to ASBR1 RD 1:1, Prefix /24 NH ASBR2, CONN PE2 BGP MDT SAFI Update RD1:1, Prefix PE2, MDT , NH ASBR2 2. CE2 PE1 VPN-A1 P11 AS #1 MDTs AS #2 BGP VPNv4 Update from PE2 to ASBR2 RD 1:1, Prefix /24 NH PE2, CONN PE2 1. PE2 CE-4 VPN-A2 BGP MDT SAFI Update (Source and Group) RD1:1, Prefix PE2, MDT , NH PE2 44

45 SSM Default PIM Join for option B Source, Group and RPF Vector is learned via BGP SAFI Update PIM Join From PE1 to P11 Source PE2, RD 1:1, Group RPF Neighbor P11, RPF Vector ASBR1 1. ASBR1 ASBR2 P11 AS #1 2. MDTs AS #2 PE1 PE2 PIM Join From P11 to ASBR1 Source PE2, RD 1:1, Group RPF Neighbor ASBR1, RPF Vector ASBR1 45

46 SSM Default PIM Join for option B From ASBR1 to ASBR2 Source PE2, RD 1:1, Group RPF Neighbor ASBR2, NH ASBR2 3. ASBR1 ASBR2 PE1 P11 AS #1 AS #2 MDTs PE2 CE-4 4. From ASBR2 to PE2 Source PE2, RD 1:1, Group RPF Neighbor PE2 VPN-A2 Step #4 completes the setup of the SSM tree for MDT Default Group rooted at PE2. The SSM Setup from CE1 to PE2 follows the same procedure 46

47 I-AS MVPN Configuration Procedure Option B (SSM) PE1 Configuration: PE1 ip multicast-routing ip multicast routing vrf VPN-A ip multicast vrf VPN-A rpf proxy rd vector router bgp 1 address-family ipv4 mdt neighbor <ASBR1> activate neighbor <ASBR1> next-hop-self exit-address-family ip pim ssm default ASBR1 ASBR1 ASBR2 Configuration: ip multicast-routing ip multicast routing vrf VPN-A AS #1 AS #2 1. Enable RPF Vector in the Global table ip multicast rpf vector 2. Setup Multicast Address family on ASBRs address-family ipv4 mdt 3. Configure PE router to send BGP MDT updates to build the Default MDT ip multicast vrf <vrf name> rpf proxy rd vector PE2 router bgp 1 address-family ipv4 mdt neighbor <ASBR2> activate neighbor <PE1> activate neighbor <PE1> next-hop-self exit-address-family ip pim ssm default CE-4 47

48 Agenda Inter-AS Networks Inter-AS Connectivity Models Inter-AS L3 VPNs Inter-AS L2VPNs Inter-AS Multicast VPNs Carrier Supporting Carrier CSC Service Models MPLS L3 VPNs Multicast VPNs MPLS L2 VPNs Inter-AS RSVP-TE 48

49 Carrier Supporting Carrier Use Cases How can Tier 2 or Tier 3 MPLS VPN service providers interconnect remote sites without self managing own MPLS WAN MPLS NW San Francisco Tier 2 or 3 ISP Site 1 MPLS Backbone MPLS NW San Francisco Tier 2 or 3 ISP Site 1 How can a corporation (enterprise network) MPLS VPN service providers interconnect remote sites without self managing own MPLS WAN New York Enterprise MPLS VPN NW MPLS Backbone Las Vegas Enterprise MPLS VPN NW 49

50 Carrier Supporting Carrier Use Cases MPLS NW PoP 1 ISP1 Backbone Service Provider MPLS Backbone MPLS NW PoP 2 ISP1 MPLS VPN services offerings by an MPLS VPN backbone provider to customers with MPLS networks Provide business continuity by extending segmented networks Customer networks include ISP, Carriers, or other enterprise networks Addressing scalability issues in a provider network MPLS-VPN works well for carrying customer IGPs Reduce #s of VPN routes carried by a PE by using hierarchical model Platforms, network scale to N*O(IGP) routes: Internet Routes Separate Carrier s Internal routes from external routes eliminating the need to store customer s external routes 50

51 Carrier s Carrier Building Blocks San Francisco ISP1 PE1 MPLS PE2 RR1 Customer Carrier1 CSC-CE1 Backbone Service Provider CSC-PE1 CSC-PE2 CSC-RR1 MPLS Backbone CSC-CE2 RR2 London ISP1 MPLS PE3 PE4 Customer Carrier1 MPLS-VPN enabled Carrier s backbone CSC-PE: MPLS VPN PEs located in backbone Carrier s Core CSC-CE: Located at the Customer Carrier (ISP/SPs/Enterprise) network edge and connects to a CSC-PE PE: located in Customer carrier networks & carries customer VPN routes CSC-RR: Route Reflectors located in MPLS Backbone provider network RR: Route Reflectors located in Customer Carrier Network MPLS Label exchange between Carrier s PE & ISP/SPs CE 51

52 Carrier s Carrier Building Blocks (Cont.) San Francisco ISP1 Internal Routes PE1 MPLS PE2 RR1 CSC-CE1 CSC-PE1 Backbone Service Provider CSC-RR1 MPLS Backbone CSC-PE2 CSC-CE2 London ISP1 Internal Routes RR2 MPLS PE3 PE4 CE1R CE1G CE2G CE2R External Routes External Routes External Routes External Routes MPLS VPN Customers MPLS VPN Customers External Routes: IP routes from VPN customer networks Internal Routes: Internal routes (global table) of Customer Carrier network External routes are stored and exchanged among Customer Carrier PEs MPLS Backbone network doesn t have any knowledge of external routes Customer Carrier selectively provides NLRI to MPLS VPN backbone provider 52

53 Carrier s Carrier Building Blocks (Cont.) What is unique between Subscriber to Provider connection? San Francisco ISP1 PE1 RR1 CSC-CE1 Backbone Service Provider CSC-PE1 CSC-RR1 CSC-PE2 CSC-CE2 RR2 London ISP1 PE4 MPLS MPLS PE2 ebgp + Label MPLS Backbone ebgp + Label PE3 CE1R CE1G CE2G CE2R MPLS VPN Customers MPLS VPN Customers Must build Label Switched paths between CSC-CE and CSC-PE CSC-PE and CSC-CE exchange MPLS Labels -this is necessary to transport labeled traffic from a Customer Carrier IP between CE and PE for customer Carrier s VPN customers 53

54 CSC Building Blocks (Cont.) Control Plane configuration is similar to single domain MPLS VPN CSC-CE to CSC-PE is a VPN link to exchange Customer Carrier s internal routes. These routes are redistributed into the BSP s CSC- PE using: 1. Static Routes OR 2. Dynamic IGP OR 3. ebgp Customer Carriers don t exchange their Subscribers (external) VPN routes with the Backbone Service Provider CSC-PE-to-CSC-CE links extend Label Switching Path using: 1. IGP+LDP 2. ebgpv4 + Labels 54

55 Carrier Supporting Carrier Models 1. Customer Carrier Is Running IP Only -similar to basic MPLS L3 VPN environment 2. Customer Carrier Is Running MPLS -LSP is established between CSC-CE and CSC-PE -Customer carrier is VPN subscriber of MPLS VPN backbone provider 3. Customer Carrier Supports MPLS VPNs -LSP is established between CSC-CE and CSC-PE -Customer carrier is VPN subscriber of MPLS VPN backbone provider -True hierarchical VPN model 55

56 CSC Model III Customer Carrier Supports MPLS VPNs MPLS NW San Francisco ISP1 ebgp + Label Backbone Service Provider MPLS Backbone ebgp + Label MPLS NW London ISP1 LSP is extended to CSC-PE, CSC-CE advertises labels for internal routes to CSC-PE; CSC-PE1 performs imposition for site VPN label and IGP label PE swaps the site IGP label with a BB VPN label and push IGP label; PHP is now extended to inside of site 2 External and VPNv4 routes are carried by MP-BGP between customer carrier sites CSC-CE and CSC-PE exchange labels using IGP+LDP or ebgp+label 56

57 CSC Model III Routing Exchange San Francisco ISP1 PE1 MPLS PE2 RR1 CSC-CE1 ebgp + Label Backbone Service Provider CSC-PE1 CSC-RR1 CSC-PE2 CSC-CE2 MPLS Backbone ebgp + Label RR2 London ISP1 MPLS PE3 PE4 CE1R CE1G CE2G CE2R RR1R RR1G RR2G RR2R RR1R and RR2R exchange Red VPN site routes RR1 and RR2 exchange ISP1 site routes CSC-RR1 updates CSC-PEs ISP1 adds Subscriber VPN Label which is removed by the remote ISP1 VPN site Backbone CSC-PE1 adds backbone VPN label which is removed by backbone CSC-PE2 57

58 Customer Carrier Supports MPLS VPNs Establishing peers and forwarding VPN traffic MP-iBGP Peering VPN-v4 Update: RD:1:27: /24, NH=PE2 RT=1:231, Label=(28) Site A VPNA CE1 PE1 VRF Push Push MPLS AS1 CSC-CE1 Swap VRF CSC-PE1 Swap Push IP/MPLS AS2 VRF CSC-PE2 Swap CSC-CE2 Pop MPLS AS1 PE2 VRF Pop /24 Site B VPN A CE2 Label CE2-VPN-Label Label Label=28 Label=120 Label=28 Label=50 Label=28 Label=100 Label=28 Label Label=28 Payload Payload Payload Payload Payload Payload Payload 58

59 Overlapping VPN elements in customer carrier and backbone provider networks VRF name, RD, RT can be the same in Backbone and Customer carrier network GlobalCom San Francisco GC-CSC-CE1 CSC-PE1 BB-P1 MPLS Backbone CSC-PE2 GC-CSC-CE2 GlobalCom London GC-SFPE2 GC-LONPE1 CE-VPN-GC CE-VPN-B1 CSC-PE1# ip vrf GC rd 1:100 route-target export 1:100 route-target import 1:100 CSC-PE1# ip vrf GC rd 1:100 route-target export 1:100 route-target import 1:100 CE-VPN-A2 CE-VPN-B2 GC-SFPE2# ip vrf GC rd 1:100 route-target export 1:100 route-target import 1:100 GC-SFPE2# ip vrf VPNA rd 1:100 route-target export 1:100 route-target import 1:100 59

60 CSC Security Elements MD5 authentication on LDP/BGP sessions Applying max prefix limits per VRF Use of static labels between CSC-CE and CSC-PE Route Filtering Customer Carrier may not want to send all the internal routes to MPLS VPN backbone provider Use Route-maps (IOS) with match and set capabilities in route-maps Use route-policy (XR) to control route distribution & filter routes 60

61 Services support over a CSC network MPLS IPV4 VPNs MPLS IPV6 VPNs mvpns -for PIM require native multicast in the provider network RSVP-TE MPLS L2VPNs 61

62 L2VPN service support over a CSC network Single-Hop PW PE1 Customer Carrier A ASBR1 ASBR3 MPLS Backbone Carrier (CsC) ASBR4 ASBR2 Customer Carrier A Pseudowire PE2 PW1 Multi-Hop PW Pseudowire PE1 PW1 ASBR1 ASBR3 ASBR4 ASBR2 PE2 Customer Carrier A MPLS Backbone Carrier (CsC) Customer Carrier A 62

63 Best Practice Recommendations Do not use Static default routes on CSC-CE End-End LSP is required across the VPN and MPLS VPN backbone Use dynamic protocol instead of static on CSC-CE CSC-PE link preferably ebgp+ipv4 Labels Set Next-Hop-Self on ASBRs carrying external routes If using IGP on CSC-CE routers, use filters to limit incoming routes from the CSC-PE side If using RRs in customer carrier network, set next-hop-unchanged on RRs 63

64 CSC Summary CSC supports hierarchical VPNs VPNs inside customer carrier s network are transparent to the backbone MPLS VPN Service Provider QoS will be honored based on MPLS EXP bits between CSC-CE and CSC-PE Granular QoS policies should be pre-negotiated and manually configured Services supported over CSC network MPLS IPV6 VPNs Multicast VPNs (for PIM, require native mulitcast in the provider network) MPLS L2 VPNs MPLS TE 64

65 Agenda Inter-AS Networks Inter-AS Connectivity Models Inter-AS L3 VPNs Inter-AS L2VPNs Inter-AS Multicast VPNs Carrier Supporting Carrier CSC Service Models MPLS L3 VPNs Multicast VPNs MPLS L2 VPNs Inter-AS RSVP-TE 65

66 Inter-AS TE Applications Transporting CustomerVPN traffic over TE tunnels L2/L3 VPN Site 1 PE11 P2 P3 IP/MPLS ASBR1 ASBR2 IP/MPLS P4 ASBR3 ASBR4 P5 P6 PE7 L2/L3 VPN Site 2 Reserved guaranteed BW path between two PoPs SP1 PoP1 PE11 P2 IP/MPLS ASBR1 ASBR2 IP/MPLS P4 P6 PE7 SP1 PoP2 P3 ASBR3 ASBR4 P5 66

67 How MPLS TE Works in a Single Domain 1. Head-end learns network topology information TE using: Headend ISIS-TE OSPF-TE full view of the topology PATH RESV RESV PATH PATH TE Mid points RESV TE Tailend 2. Path Calculation (CSPF) 3. Path Setup (RSVP-TE): Label_Request (PATH) Label (RESV) Explicit_Route Object Record_Route (Path/RESV) Session_Attribute (Path) 4. LFIB populated using RSVP labels 5. Packets forwarded onto a tunnel via: Static routed Autoroute Policy route CBTS Tunnel Select Forwarding Adjacency 6. Packets follow the tunnel LSP and Not the IGP LSP 67

68 Inter-Domain Traffic Engineering Challenge: Head end and Tail end are located in different domains IGP information is not shared between domains Head end lacks the knowledge of complete network topology to perform path computation Solution: Use Explicit Route Object (ERO) Loose Hop Expansion, Node-id, and Path re-evaluation request/reply Flags to provide per-domain path computation at the head-end + RSVP Policy Control and Confidentiality RFCs: 3209, 4736, 4561, etc. draft-ietf-ccamp-inter-domain-rsvp-te-06.txt draft-ietf-ccamp-inter-domain-pd-path-comp-05.txt BRKMPL Cisco and/or its affiliates. All rights reserved. Cisco Public 68

69 Per-Domain Path Computation Using ERO Loose-Hop Expansion Head-End Defines the Path with ASBR and the Destination as Loose Hops P2 IP/MPLS ASBR1 ASBR2 IP/MPLS P4 P6 Path Computation Completed During TE LSP Setup PE11 PE7 P3 ASBR3 ASBR4 P5 Inter-AS TE LSP ERO ASBR4 (Loose) PE7 (Loose) Expansion ERO R3, ASBR3, ASBR4 PE7 (Loose) ERO PE7 (Loose) Expansion ERO P5, PE7 R1 Topology Database ASBR4 Topology Database 69

70 Inter-Domain TE TE LSP Reoptimization Make before break PE1 P2 IP/MPLS ASBR1 ASBR2 IP/MPLS P4 P6 PE7 Inter-AS TE LSP before reoptimization Inter-AS TE LSP after reoptimization PATH P3 Path re-evaluation request ASBR3 ASBR4 PathErr Preferable Path exists Reoptimization can be timer/event/admin triggered Head end sets path re-evaluation request flag (SESSION_ATTRIBUTE) Head end receives a PathErr message notification from the boundary router if a preferable path exists Make-before-break TE LSP setup can be initiated after PathErr notification 70 P5

71 Inter-Domain TE Fast Reroute Primary TE LSP Backup TE LSP PE1 P2 IP/MPLS ASBR1 ASBR2 IP/MPLS P4 P6 PE7 P3 ASBR3 ASBR4 P5 Same configuration as single domain scenario Link and Node protection include ASBRs and ASBR to ASBR links Support for Node-id sub-object is required to implement ABR/ASBR node protection Node-id helps point of local repair (PLR) detect a merge point (MP) Node-id flag defined in draft-ietf-nodeid-subobject 71

72 Inter-Domain TE Policy Control and Confidentiality Inter-AS TE LSP PE1 P2 IP/MPLS ASBR1 ASBR2 IP/MPLS Policy P4 P6 PE7 P3 ASBR3 ASBR4 P5 ASBR may enforce a local policy during Inter-AS TE LSPs setup (e.g. limit bandwidth, message types, protection, etc.) Route Recording may be limited ASBR may modify source address of messages (PathErr) originated in the AS ASBR may perform RSVP authentication (MD5/SHA-1) 72

73 Configuring Inter-AS Tunnels (Cisco IOS) mpls traffic-eng tunnels interface Tunnel1 ip unnumbered Loopback0 no ip directed-broadcast tunnel destination tunnel mode mpls traffic-eng tunnel mpls traffic-eng priority 7 7 tunnel mpls traffic-eng bandwidth 1000 tunnel mpls traffic-eng path-option 10 explicit name LOOSE-PATH ip route Tunnel1 ip explicit-path name LOOSE-PATH enable next-address loose next-address loose Loose-hop path Static route mapping IP traffic to Tunnel1 List of ASBRs as loose hops 73

74 Configuring Inter-AS TE at ASBR (Cisco IOS) mpls traffic-eng tunnels key chain A-ASBR1-key key 1 key-string 7 151E0E18092F222A interface Serial1/0 ip address mpls traffic-eng tunnels mpls traffic-eng passive-interface nbr-te-id nbr-igp-id ospf ip rsvp bandwidth ip rsvp authentication key-chain A-ASBR1-key ip rsvp authentication type sha-1 ip rsvp authentication router bgp no synchronization bgp log-neighbor-changes neighbor remote-as neighbor update-source Loopback0 neighbor remote-as no auto-summary ip rsvp policy local origin-as no fast-reroute maximum bandwidth single forward all Authentication key Add ASBR link to TE topology database Enable RSVP authentication Process signaling from AS if FRR not requested and 10M or less 74

75 Inter-AS Session Summary 75

76 Let s Summarize CSC: Hierarchical VPNs Inter-AS: Extending VPN Boundaries Customer Carrier-B MPLS Backbone Provider Customer Carrier-B Provider-A ASBR-A ASBR-B Provider-B Subscriber A Site1 Subscriber A Site1 Subscriber A Site1 Subscriber A Site2 MPLS VPNs model A, B and C have been deployed to support VPNs among Service Providers and within a single Service Provider s multi-as networks MPLS L2 VPNs, L3VPNs (IPv4, IPv6, and multicast VPNs) are supported in multi-domain environment MPLSTE is also supported in multi-area or multi-as networks QoS policies across the ASBRs need to be agreed by the partners 76

77 Other related Sessions BRKMPL-1101 Introduction to MPLS BRKMPL-2001 Implementation and Utilization of Layer 2 VPN Technologies BRKMPL-2102 Deploying IP/MPLS VPNs BRKMPL-2103 Design considerations for enterprise WAN migrating to subscribed MPLS VPN services BRKMPL-2104 Deploying MPLS Traffic Engineering BRKMPL-2107 Data Center deployments with MPLS on NX-OS (Nexus 7000) BRKMPL-2108 Global WAN Redesign Case Study BRKMPL-3101 Advanced Topics and Future Directions in MPLS BRKMPL-3102 Designing NGN Networks for Scale, Resiliency and Reliability 77

78 Other related Sessions LTRMPL-2104 Implementing MPLS in Service Provider Networks: Introduction LTRMPL-2105 Implementing MPLS in Service Provider Networks LTRMPL-2106 Enterprise Network Virtualization using IP and MPLS Technologies TECVIR-2003 Enterprise Network Virtualization TECMPL-3001 Layer 2 Virtual Private Networks - Converged IP/MPLS Network 78

79 Meet the Engineer To make the most of your time at Networkers at Cisco Live 2010, schedule a Face-to-Face Meeting with top Cisco Engineers Designed to provide a big picture perspective as well as in-depth technology discussions, these Face-to-Face meetings will provide fascinating dialogue and a wealth of valuable insights and ideas Visit the Meeting Centre reception desk located in the Meeting Centre in World of Solutions 79

80 Recommended Reading LTRRST-2106 Source: Cisco Press 80

81 Complete Your Online Session Evaluation Receive 25 Cisco Preferred Access points for each session evaluation you complete. Give us your feedback and you could win fabulous prizes. Points are calculated on a daily basis. Winners will be notified by after July 22nd. Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center. Don t forget to activate your Cisco Live and Networkers Virtual account for access to all session materials, communities, and on-demand and live activities throughout the year. Activate your account at any internet station or visit 81

82 Visit the Cisco Store for Related Titles 82

83 83

84 Inter-AS mvpns Option C

85 I-AS MVPN MDT Establishment for option C (SSM) MP-iBGP MDT 3. PE1 VPN-A1 RR1 P11 MP-iBGP MDT ASBR1 2. ASBR2 P21 P21 AS #1 MDTs AS #2 P22 PE2 RR2 MP-iBGP MDT 1. VPN-A2 BGP MDT SAFI Update Sequence: 1. From PE2 to RR2 RD 1:1, Prefix PE2, MDT , NH PE2 2. From RR2 to RR1 (MP-iBGP MDT) RD 1:1, Prefix PE2, MDT , NH PE2 3. From RR1 to PE1 RD 1:1, Prefix PE2, MDT , NH PE2 85

86 SSM Default PIM Join with Proxy Vector for option C ASBR1 4. ASBR2 1. VPN-A1 RR1 PE1 P11 P21 3. AS #1 MDTs AS #2 2. P21 P22 PE2 RR2 VPN-A2 1.From PE1 to P11 Source PE2, RD 1:1, Group Proxy Vector: ASBR1, RPF Neighbor P11 2.From P11 to P21 Source PE2, RD 1:1, Group Proxy Vector: ASBR1, RPF Neighbor P21 3.From P21 to ASBR1 Source PE2, RD 1:1, Group Proxy Vector: ASBR1, RPF Neighbor ASBR1 4.From ASBR1 to PE2 Source PE2, RD 1:1, Group , RPF Neighbor ASBR1 86

87 I-AS MVPN Configuration for option C (SSM) PE1 RR1 P11 RR1 Configuration ASBR2 ASBR1 address-family RR2 ipv4 AS #1 neighbor <PE11> activate AS #2 PE1 Configuration ip multicast-routing ip multicast routing vrf VPN-A ip multicast rpf proxy vector address-family ipv4 neighbor <RR1> activate neighbor <RR1> activate send-label address-family ipv4 mdt neighbor <RR1> activate neighbor <RR1> send-community extended exit-address-family ip pim ssm default neighbor <PE11> send-label Neighbor <ASBR1> send-label address-family ipv4 mdt neighbor <RR2> activate neighbor <RR2> next-hop-unchanged neighbor <PE1> activate exit-address-family ip pim ssm default ASBR1 Configuration ip multicast-routing ip multicast routing vrf VPN-A address-family ipv4 neighbor <RR1> activate neighbor <RR1> next-hop-self neighbor <RR1> activate send-label neighbor <ASBR2> activate neighbor <ASBR2> activate send-label ip pim ssm default 87