TELCO GROUP NETWORK. Rafał Jan Szarecki 23/10/2011

Transcription

1 TELCO GROUP NETWORK Rafał Jan Szarecki 23/10/2011

2 GOALS

3 G-NET Regional (MEA) TELCO has 12 national s OpCo. Build international network infrastructure, to allow all OpCo offer VPNs with sites in multiple OpCo. L3 VPN L2 VPN/pseudowires of any L2 type For internal services (shared IP, Voice clearing) For end-users Each OpCo runs own network and is quite autonomous ASN Independent IGP 3 Copyright 2009 Juniper Networks, Inc.

4 GOALS Redundant Infrastructure ; i.e. No Single Point of Failure (link or node) OAM capabilities and fault detection High Availability & Fast Traffic Restoration Scalable to connect 12 OpCos networks, up to 100 PE's in each. QoS for VoIP, Video Conference, Business Critical Services, etc Leverage existing infrastructure Ease of Provisioning & Operations 4 Copyright 2009 Juniper Networks, Inc.

5 SOME GIVEN CONSTRAINS & CHALLENGES Foreseen technology for internal links of Global Network (G-Net) is SDH & GE The use of parallel lower-speed links is expected (e.g. 2 x STM1) in some cases. Foreseen technology for NNI links is GE interfaces STM-1/STM-4 PoS DS3/E3 interfaces Leverage existing GVPN infrastructure with minimal changes Challenges - Large scale 11 OpCo s (Approx 700 PEs), and even more IP/ MPLS nodes OpCO s network and capabilities are unknown End-to-End Service restoration 5 Copyright 2009 Juniper Networks, Inc.

6 SOLUTION SELECTION

7 SOLUTION FOR TRANSIT INFRASTRUCTURE Inter-AS VPN is a must. Option A ruled out Per-end-use provisioning on transit network - G-NET End-user state on transit network - G-NET Option B ruled out End-user state on transit network - G-NET Not exist for L2vpns Option C selected Trusted peers No per VPN/PW provisioning nor states L3VPN, L2VPN and VPLS G-NET 7 Copyright 2009 Juniper Networks, Inc.

8 G-NET TOPOLOGY & ARCHITECTURE

9 G-NET PROTOCOLS& SIGNALLING Interfaces: Ethernet II encapsulation only (no VLANs). Auto-negotiation enabled. Routers back-to-back dark fibre if both routers in same site. Aggregated SDH used when multiple parallel links needed. OSPF Traffic Engineering Extension required to be enabled RSVP Full Mesh Between G-NET PE s Only (GVPN remains on LDP, Internet traffic is native IP forwarding) Fast traffic restoration using Facility Backup BGP for transport LSP signaling Single MPLS LSP from PE in one OpCo, down to PE (loopback) in other OpCo, via G-NET. Used also for VPNv4 routing in GVPN Aggregation of Sonet Links between Core Routers is recommended e.g. AMS & FUJ and LON & FUJ Allows for easier Load Balancing of traffic for RSVP LSP on the international fiber links Single Link Failure in the bundle doesn't flap the LSP Non Stop Routing 9 Copyright 2009 Juniper Networks, Inc.

10 OPCO CONNECTIVITY

11 TRANSPORT LSP SIGNALING MP-EBGP PE1 lo0.0 w/ label MP-EBGP PE1 lo0.0 w/ label PE OpCos_2 OpCos_1 G-Net PE1 This protocol depends on OpCo. It could be: LDP RSVP LDP over RSVP ibgp-lu MP-IBGP MP-EBGP PE1 lo0.0 w/ label OpCos_3 PE 11 Copyright 2009 Juniper Networks, Inc.

12 TRANSPORT LSP - FORWARDING PLANE PE OpCos_2 OpCos_1 G-Net PE1 OpCos_3 PE Any PE in Any OpCo, can have LSP to each PE in each OpCo. This is Inter-AS transport LSP. No per Inter-AS LSP provisioning Constrained by MP-eBGP community-based policy. 12 Copyright 2009 Juniper Networks, Inc.

13 EBGP LU EXPORT POLICY Advertise G-NET s loopback host routes. From inet.3 no Internet routers exist there. Only /32 prefixes All prefix are advertised with noexport community avoid leaking from OpCo. Advertise other OpCo s PE prefixes OPCO_1 BGP-LU If this prefix is marked by community To-all-opco, or If this prefix is marked by community To-opco-XXX where XXX is peering OpCo for this session It is responsibility of OpCo, to mark it s prefixes by communities when advertise it to G-NET. if community "To-opco-OPCO_1" then ACCEPT else reject BGP-LU GGIPVPN BGP-LU OPCO_2 if community "To-opco-OPCO_2" then accept else REJECT mark by community "To-opco-OPCO_1" 13 Copyright 2009 Juniper Networks, Inc.

14 SERVICE MODEL VPN-TRANSPARENT G-NET transparent to VPN Provisioning between Opco s Any type of L3VPN and L2VPN is possible form G-NET point of view NNI are MPLS over whatever. VPN traffic in over MPLS when cross NNI L2VPN for PPP, ATM, Ethernet, FR are supported depends only on OpCo PEs capabilities. VPNv4 and VPNv6 are supported - depends only on OpCo PEs capabilities. Any topology of L3VPN and L2VPN is possible form G-NET point of view E.g. Hub-and Spoke with hub on one PE in one OpCo and spokes on PEs in this OpCo and other OpCo. Extranet topologies across OpCo Fully controlled by Route Target extended community. Not dependent on Topology and NNI technical implementation. Note: Some limitation exist for UAE OpCo. 14 Copyright 2009 Juniper Networks, Inc.

15 SERVICE MODEL G-NET participates in provisioning of NNI only Transport LSP between OpCos using MP-eBGP (Labeled IPv4 Unicast) G-NET doesn t carry individual VPN routes (also cannot enforce any per VPN policies.) Multiple QoS classes are available in G-NET OpCos responsible for Mapping traffic as per G-NET markings No bandwidth control on NNI with OpCos up to interface speed 15 Copyright 2009 Juniper Networks, Inc.

16 THE END-TO-END SERVICE ARCHITECTURE None of Global Network nodes sees customer information. Good for scaling and T-shooting. Only NNI nodes of Global Network sees OpCos global tunnels information. Good for scaling and T- shooting. RFC 3107 Internal network information's are not visible to peering networks. Global Network do not need to bother with OpCos topology, IGP routing or LDP/RSVP signalling. Good for scaling and T- shooting. 16 Copyright 2009 Juniper Networks, Inc.

17 SERVICES ARCHITECTURE L3VPN Inter AS VPN OPTION C (RFC4364) The G-NET internal LSP signalling using RSVP Inter-Provider Global Tunnel signalling is E-BGP Labelled IPv4 NLRI (AFI=1 SAFI=4) provides label to PE (IPv4 address) binding. In effect every PE knows label to use to reach every other PE. NNI nodes act as s have to know label binding for proper handling of MPLS traffic on NNI links. No need for global ebgp full mesh. Service signalling multi-hop E-BGP None of G-NET nodes take a part of this signalling. Regular VPNv4 NLRI (AFI=1, SAFI=128), w/ RD and RT communities. Provides VPN demux label and customer prefixes to stake holders PEs. NNI nodes do not participate in this signalling. (Option) Route-Target-Filter (AFI=1 SAFI=132). Allows PE to advertise for which VPNs (RTs) it is configured. This allows to filter out unnecessary VPNv4 prefixes update closer to originator. Automatic routing policy.(rfc4684) Please note that RR inside each of OpCos can (but not must) be used as usual for BGP routing. 17 Copyright 2009 Juniper Networks, Inc.

18 L3VPN SERVICE PROVISIONING Not a RR ibgp ó ebgp advertisement works always MP-IBGP VPNv4 unicast, multicast VPNv6 unicast, multicast MP-EBGP labelled IPv4 PE1 loop +label B +NH=1.1 MP-EBGP (w/ no-next-hop change) VPNv4 unicast + label + NH=PE1 loop. MP-EBGP labelled IPv4 PE1 loop +label D +NH=2.1 VPN RR PE2 OpCos_ G-Net VPN RR OpCos_2 PE PE1 RSVP/LDP PE1 loop + label A MP-EBGP labelled IPv4 PE1 loop +label C +NH= RSVP 2.1 loop 3.1 MP-EBGP labelled IPv4 PE1 loop +label E +NH=3.2 RSVP/LDP 3.1 loop VPN RR OpCos_ G-Net VPN RR OpCos_2 PE PE Copyright 2009 Juniper Networks, Inc. label swap label swap label swap A <-- B B <-- C C <-- D label swap D <-- E

19 SERVICES ARCHITECTURE L2VPN Inter AS VPN OPTION C (RFC4364) The G-NET internal LSP signalling using RSVP Inter-Provider Global Tunnel signalling is E-BGP Labelled IPv4 NLRI (AFI=1 SAFI=4) provides label to PE (IPv4 address) binding. In effect every PE knows label to use to reach every other PE. NNI nodes act as s have to know label binding for proper handling of MPLS traffic on NNI links. No need for global ebgp full mesh. Service signalling Targeted LDP w/ FEC 128 None of G-NET nodes take a part of this signalling. Service signalling depends on OpCo who shares given pseudo-wire, and their PE capabilities. T-LDP w/ FEC 128 most popular, common denominator. Safe choice. Other options possible. T-LDP provides VPN (VC) demux label for each pseudo-wire to stake holders PEs. NNI nodes do not participate in this signalling. 19 Copyright 2009 Juniper Networks, Inc.

20 OPTION C L2VPN SERVICE PROVISIONING (USING TARGETED LDP) Targeted LDP FEC 128 (L2vpn/VPLS pseudowire + labl + neighbour PE1 MP-EBGP labelled IPv4 PE1 loop +label B +NH=1.1 MP-EBGP labelled IPv4 PE1 loop +label D +NH=2.1 OpCos_ G-Net OpCos_2 PE PE1 RSVP/LDP PE1 loop + label A MP-EBGP labelled IPv4 PE1 loop +label C +NH= RSVP 2.1 loop 3.1 MP-EBGP labelled IPv4 PE1 loop +label E +NH=3.2 RSVP/LDP 3.1 loop OpCos_ G-Net OpCos_2 PE PE label swap label swap label swap A 20 Copyright <-- B 2009 B Juniper <-- C Networks, Inc. C <-- D label swap D <-- E

21 PRE-REQUIREMENTS

22 PRE-REQUIREMENTS Autonomous System Numbers of OpCo have to be unique among all OpCos and G-NET. GGIPVP uses public ASN. OpCo should use public ASN guarantee uniqueness today and in future (acquisitions) There is possible work-a-round showed later Depends on OpCo s capabilities IP addresses on PE s and s have to be unique among all OpCos and G-NET. s of GGIPVP uses public addresses. Use Public address for PE and loopbacks guarantee uniqueness today and in future (acquisitions) Other addresses in OpCo network (links, other loopbacks) can be private. There is possible work-a-round showed later Depends on OpCo s capabilities All PEs and s have to support Inter-AS VPN option C. Including but not limited to: 3-ple label push Resolving L3VPN and L2VPN routes NH by labeled BGP routes. There is possible work-a-round the same as for non-unique PE loopback addresses. 26 Copyright 2009 Juniper Networks, Inc.

23 LIMITATIONS

24 LIMITATIONS VPLS Not a design requirement Work with ingress replication of BUM traffic. Bandwidth inefficient. Suitable when majority of traffic is unicast. For scaled BUM handling, P2MP LSP needed across AS border. Multicast VPN Not a Design requirement No well established standard for Inter-AS MVPN operation. Draft-rosen do not discuss it. Will be not standardized as RFC. Inter-AS NG-MVPN define it. This technology is not established in industry. 28 Copyright 2009 Juniper Networks, Inc.

25 LIVE EXAMPLE DESIGN OpCo1 OSPF area 0 LDP LDP to ebgp export ibgp full mesh VPNv4 IPv4 LU RT ASN 100 VRF RT 100:1 OpCo2 OSPF area 0 RSVP Lo0.0 export to ebgp LU ibgp w/ RR VPNv4 IPv4 LU RT ASN 200 VRF RT 100:1 29 Copyright 2009 Juniper Networks, Inc.

26 LIVE EXAMPLE TOPOLOGY OpCo1 ASN: 100 loopback: x/32 p2p: 81.x.y.z/30 OpCo3 ASN: 300 loopback: x/32 p2p: 83.x.y.z/30 O3C13 O3C14 OpCo1 ASN: 200 loopback: x/32 p2p: 82.x.y.z/30 em3 br19 em3 em1 em1 br17 br18 O1PE1 em1 em3 br3 O1A3 em3 em1 em4 br5 A5 em1 em5 em3 em4 br8 em5 em4 em3 em1 A7 br11 O2A9 em1 em3 em4 br14 O2PE11 em1 em3 br1 br4 br7 br10 br13 br15 em1 O1PE2 em3 br2 em4 O2A9 loopback: O1PE2 loopback: O1A3-O1A4: O2A9-A7: em3 em1 O1A4 br6 A6 em1 em3 em4 br9 GGIPVPN ASN: 8888 loopback: x/32 p2p: 188.x.y.z/30 em3 em4 A8 em1 br12 em3 em5 br16 em1 em4 O2A10 em1 O2RR12 30 Copyright 2009 Juniper Networks, Inc.

27 CONFIGS [protocols bgp ]! group internal {! type internal;! local-address ;! family inet {! labeled-unicast {! rib-group bgp-lu;! rib {! inet.3;! family inet-vpn {! any;! multipath;! neighbor ;! neighbor ;! neighbor ;! group external {! family inet {! labeled-unicast {! rib-group bgp-lu;! rib {! inet.3;! export LDP;! neighbor {! peer-as 8888;! [policy-options policy-statement LDP ]! Term PE_lo0 {! from protocol ldp;! then {! community + To-all-opco ;! accept;! Term this lo0 {! from interface lo0.0;! then {! community + To-all-opco ;! accept;! 31 Copyright 2009 Juniper Networks, Inc.

28 CONFIGS [ protocols bgp]! group internal {! multipath;! neighbor ;! [policy-options ] type internal;! local-address ;! advertise-inactive;! family inet {! group external {! advertise-inactive;! family inet {! policy-statement own-lo0 {! term this_node_lo0 {! from interface lo0.0;! then {! labeled-unicast {! rib-group bgp-lu;! rib {! inet.3;! labeled-unicast {! rib-group bgp-lu;! rib {! inet.3;! community + To-allopco ;! accept;! family inet-vpn {! any;! export own-lo0;! export own-lo0;! neighbor {! peer-as 8888;! 32 Copyright 2009 Juniper Networks, Inc.

29 INSPECTION run show route receive-protocol bgp detail! inet.0: 22 destinations, 28 routes (22 active, 0 holddown, 0 hidden)! * /32 (2 entries, 1 announced)! Accepted! Route Label: ! Nexthop: ! AS path: I! inet.3: 19 destinations, 24 routes (19 active, 0 holddown, 0 hidden)! * /32 (2 entries, 1 announced)! Accepted! Route Label: ! Nexthop: ! AS path: I! 33 Copyright 2009 Juniper Networks, Inc.

30 INSPECTION run show route ! inet.0: 22 destinations, 28 routes (22 active, 0 holddown, 0 hidden)! + = Active Route, - = Last Active, * = Both! /32 *[BGP/170] 00:07:35, localpref 100! AS path: I! > to via em1.0, Push ! [BGP/170] 00:07:19, localpref 100, from ! AS path: I! > to via em4.0, Push ! inet.3: 19 destinations, 24 routes (19 active, 0 holddown, 0 hidden)! + = Active Route, - = Last Active, * = Both! /32 *[BGP/170] 00:07:35, localpref 100! AS path: I! > to via em1.0, Push ! [BGP/170] 00:07:19, localpref 100, from ! AS path: I! > to via em4.0, Push ! 34 Copyright 2009 Juniper Networks, Inc.

31 INSPECTION run show route table inet.3! inet.3: 17 destinations, 22 routes (17 active, 0 holddown, 0 hidden)! + = Active Route, - = Last Active, * = Both! /32 *[BGP/170] 00:11:02, localpref 100, from ! AS path: I! > to via em3.0, Push ! [BGP/170] 00:11:18, localpref 100, from ! AS path: I! > to via em3.0, Push , Push (top)! root@o1pe2# run show route table inet.3! inet.3: 17 destinations, 22 routes (17 active, 0 holddown, 0 hidden)! + = Active Route, - = Last Active, * = Both! [...]! /32 *[LDP/9] 00:31:44, metric 1! > to via em3.0, Push ! 35 Copyright 2009 Juniper Networks, Inc.

32 INSPECTON run ping source ! PING ( ): 56 data bytes! 64 bytes from : icmp_seq=0 ttl=59 time= ms! 64 bytes from : icmp_seq=1 ttl=59 time=7.926 ms! run traceroute source ! traceroute to ( ) from , 30 hops max, 40 byte packets! ( ) ms ms ms! MPLS Label= CoS=0 TTL=1 S=1! ( ) ms ms ms! MPLS Label= CoS=0 TTL=1 S=1! ( ) ms ( ) ms ( ) ms! MPLS Label= CoS=0 TTL=1 S=1! ( ) ms ( ) ms ( ) ms! MPLS Label= CoS=0 TTL=1 S=1! ( ) ms ( ) ms ( ) ms! MPLS Label= CoS=0 TTL=1 S=1! 36 Copyright 2009 Juniper Networks, Inc.

33 REALITY CHECK Unique ASN? NO Unique IP on loopbacks? NO Option C / RFC3107 / 3-tple push on OpCo s PE? NO And one of OpCo use Kompella, BGP L2VPN J 38 Copyright 2009 Juniper Networks, Inc.

34 LIVE EXAMPLE DESIGN OVERLAPPING AS OpCo1 OSPF area 0 LDP LDP to ebgp export ibgp full mesh VPNv4 IPv4 LU RT ASN 100 VRF RT 100:1 OpCo2 OSPF area 0 RSVP Lo0.0 export to ebgp LU ibgp w/ RR VPNv4 IPv4 LU RT ASN 100 VRF RT 100:1 39 Copyright 2009 Juniper Networks, Inc.

35 !!!!!!! THE OVERLAPPING AS PROBLEM sh route protocol bgp Missing OpCo run show route 82/8! [edit]! run show route 82/8! [edit]! run show route 81/8! [edit]! But exist on G-NET s root@a8#...show route 81/6 table inet.3 terse match "inet.3 A Des \*"! inet.3: 20 destinations, 29 routes (20 active, 0 holddown, 0 hidden)! + = Active Route, - = Last Active, * = Both! A Destination P Prf Metric 1 Metric 2 Next hop AS path! * /32 B I! * /32 B I! * /32 B > I! * /32 B > I! * /32 B > I! * /32 B > I! * /32 B > I! * /32 B > I! root@a8# run show route advertising-protocol bgp ! inet.3: 20 destinations, 29 routes (20 active, 0 holddown, 0 hidden)! Prefix Nexthop MED Lclpref AS path! * /32 Self 250 I! * /32 Self 250 I! * /32 Self 250 I! * /32 Self I!! 40 Copyright 2009 Juniper Networks, Inc.

36 THE OVERLAPPING ASN SOLUTION (1) In BGP ASN is used in 3 places In BGP OPEN message. Each compares ASN received from given peer in OPEN message, with ASN locally configured for this peer. If not match, session will not be established. In AS PATH attribute. When advertise prefix by ebgp, it prepends own ASN to string of ASN on AS PATH attribute. Each BGP speaker compare ASN on as-path of reciver NLRI with own AS. If find match, NLRI is considered looped back, and dropped. JUNOS has local-as autonomous-system <loops number> <private alias> no-prepend-global-as knob. Use it on OpCo on MP-eBGP session. Change ASN in OPEN message to unique local one. Control inclusion/exclusion of global/local ASNs in AS Path. 41 Copyright 2009 Juniper Networks, Inc.

37 THE OVERLAPPING ASN SOLUTION (2) IP: a.a.a.a/32 Label: As-path 100$ IP: b.b.b.b/32 Label: As-path $ PE1 Lo0: a.a.a.a AS 100 AS 8888 AS 100 PE40 Lo0: b.b.b.b/32 Local-as 200 NLRI for IP b.b.b.b/32 discarded due to as loop 1 st AS on as-path == own global AS NLRI for IP a.a.a.a/32 discarded due to as loop last AS on as-path == own global AS 42 Copyright 2009 Juniper Networks, Inc.

38 INSPECTION run show route 81/8 hidden detail table inet.3! inet.3: 20 destinations, 24 routes (16 active, 0 holddown, 5 hidden)! /32 (1 entry, 0 announced)! BGP! Next hop type: Router! Next-hop reference count: 2! Source: ! Next hop: via em1.0, selected! root@a5# run show route advertising-protocol bgp /8! inet.3: 22 destinations, 30 routes (22 active, 0 holddown, 0 hidden)! Prefix Nexthop MED Lclpref AS path! * /32 Self 200 I! * /32 Self 200 I! * /32 Self I! Label operation: Push ! State: <Hidden Ext>! Local AS: 100 Peer AS: 8888! Age: 40! Task: BGP_8888_ ! AS path: I (Looped: 100)! Route Label: ! Router ID: ! Secondary Tables: inet.0! All OpCo1 prefixes was hidden due to AS loop * /32 Self I! root@o1a3# run show route protocol bgp 82/8 terse table inet.3! inet.3: 18 destinations, 18 routes (18 active, 0 holddown, 0 hidden)! + = Active Route, - = Last Active, * = Both! A Destination P Prf Metric 1 Metric 2 Next hop AS path! * /32 B > I! * /32 B > I! Missing 2 prefixes was silently discarded due to AS loop 43 Copyright 2009 Juniper Networks, Inc.

39 THE OVERLAPPING ASN SOLUTION (2) IP: a.a.a.a/32 Label: As-path 100$ IP: b.b.b.b/32 Label: As-path 200 $ PE1 Lo0: a.a.a.a AS 100 AS 8888 AS 100 PE40 Lo0: b.b.b.b/32 Local-as 200 alias accepted NLRI for IP a.a.a.a/32 discarded due to as loop last AS on as-path == own global AS 44 Copyright 2009 Juniper Networks, Inc.

40 !! INSPECTION run show route protocol bgp 82/8 terse table inet.3! inet.3: 18 destinations, 24 routes (18 active, 0 holddown, 0 hidden)! + = Active Route, - = Last Active, * = Both! A Destination P Prf Metric 1 Metric 2 Next hop AS path! * /32 B > I! B I! > ! * /32 B > I! B I! > ! * /32 B > I! B I! > I! B I! > ! root@a8# run show route advertising-protocol bgp /8! inet.3: 20 destinations, 29 routes (20 active, 0 holddown, 0 hidden)! Prefix Nexthop MED Lclpref AS path! * /32 Self 100 I! * /32 Self 100 I! * /32 Self 100 I! * /32 Self 100 I! root@o2a10# run show route table inet.3 81/8! > ! * /32 B [edit]! Missing 2 prefixes was silently discarded due to AS loop 45 Copyright 2009 Juniper Networks, Inc.

41 THE OVERLAPPING ASN SOLUTION (2) IP: a.a.a.a/32 Label: As-path 400$ IP: b.b.b.b/32 Label: As-path 200 $ PE1 Lo0: a.a.a.a AS 100 AS 8888 AS 100 PE40 Lo0: b.b.b.b/32 Local-as 400 alias Local-as 200 alias accepted accepted 46 Copyright 2009 Juniper Networks, Inc.

42 CONFIGURATION show routing-options autonomous-system neighbor! ;! 100;! neighbor ;! show protocols bgp group internal! type internal;! show routing-options autonomous-system! 100;! local-address ;! family inet {! labeled-unicast {! [...]! family inet-vpn {! any;! multipath;! neighbor ;! show protocols bgp group external! family inet {! labeled-unicast {! [...]! export LDP;! neighbor {! peer-as 8888;! local-as 400 alias;! 47 Copyright 2009 Juniper Networks, Inc.

43 INSPECTION run show route table inet.3 81/8 terse! inet.3: 22 destinations, 32 routes (22 active, 0 holddown, 0 hidden)! + = Active Route, - = Last Active, * = Both! A Destination P Prf Metric 1 Metric 2 Next hop AS path! * /32 B > I! B > I! * /32 B > I! B > I! * /32 B > I! root@o2pe11# run show route table inet.3 81/8 terse! inet.3: 18 destinations, 21 routes (18 active, 0 holddown, 0 hidden)! + = Active Route, - = Last Active, * = Both! A Destination P Prf Metric 1 Metric 2 Next hop AS path! * /32 B > I! * /32 B > I! * /32 B > I! * /32 B > I! B > I! * /32 B > I! B > I! 48 Copyright 2009 Juniper Networks, Inc.

44 INSPECTION run ping source count 3! PING ( ): 56 data bytes! 64 bytes from : icmp_seq=0 ttl=60 time=1.318 ms! 64 bytes from : icmp_seq=1 ttl=58 time=1.043 ms! 64 bytes from : icmp_seq=2 ttl=60 time=0.900 ms! ping statistics ---! 3 packets transmitted, 3 packets received, 0% packet loss! round-trip min/avg/max/stddev = 0.900/1.087/1.318/0.173 ms! 49 Copyright 2009 Juniper Networks, Inc.

45 ! THE OVERLAPPING IP PROBLEM Let assume of OPCO 2 learns same prefix ( ) form: IGP/LDP in own AS 100 MP-EBGP LU from G-NET. The as-path is It selects IGP as best route. The O1PE1 in OpCo 1 is not reachable from OpCo2. root@o2a9# run show route table inet.3!! inet.3: 19 destinations, 23 routes (19 active, 0 holddown, 0 hidden)! + = Active Route, - = Last Active, * = Both!! /32 *[LDP/9] 00:00:28, metric 1! > to via em4.0! [BGP/170] 00:00:23, localpref 100, from ! AS path: I! > to via em4.0!! root@o1a4# run show route table inet.3!! inet.3: 19 destinations, 19 routes (19 active, 0 holddown, 0 hidden)! + = Active Route, - = Last Active, * = Both!! /32 *[LDP/9] 00:41:19, metric 1! > to via em3.0, Push ! to via em4.0, Push !!!!! root@a8# run show route terse table inet.3 inet.3: 19 destinations, 29 routes (19 active, 0 holddown, 0 hidden)! + = Active Route, - = Last Active, * = Both! A Destination P Prf Metric 1 Metric 2 " Next hop AS path! * /32 B " " > I! B " " > I! " " ! B " " > I! " " ! B " " > I! " " ! 50 Copyright 2009 Juniper Networks, Inc.

46 THE OVERLAPPING IP SOLUTION (1) Re-addressing is ultimate way but Make OpCo aware about VPN LSP, and force them to switch traffic base on. Do not advertise PE s loopback (because of overlapping) ß VPNv4: v.v..v.v/32 NH: a.a.a.a PE1 Lo0: a.a.a.a 1 Lo0: b.b.b.b Local-as 400 alias IP: b.b.b.b/32 Label: As-path 400$ 5 Lo0: c.c.c.c AS 100 AS 8888 AS 100 Local-as 200 alias PE40 Lo0: a.a.a.a VPNv4: v.v..v.v/32 NH: a.a.a.a Label: As-path I $ Local-as 400 alias VPNv4: v.v.v.v/32 NH: b.b.b.b Label: As-path 400 $ VPNv4: v.v..v.v/32 NH: c.c.c.c Label: As-path 400 $ Local-as 200 alias 51 Copyright 2009 Juniper Networks, Inc.

47 OVERLAPING AS AND IP LIVE PRESENTATION OpCo1 ASN: 100 loopback: x/32 p2p: 81.x.y.z/30 OpCo3 ASN: 300 loopback: x/32 p2p: 83.x.y.z/30 O3C13 O3C14 OpCo1 ASN: 100 loopback: x/32 p2p: 81.x.y.z/30 em1 em3 em3 br19 em1 br17 br18 O1PE1 em1 em3 br3 O1A3 em3 em1 em4 br5 A5 em1 em5 em3 em4 br8 em5 em4 em3 em1 A7 br11 O2A9 em1 em3 em4 br14 O2PE11 em1 em3 br1 br4 br7 br10 br13 br15 em1 O1PE2 em3 br2 em4 em3 em1 O1A4 br6 A6 em1 em3 em4 GGIPVPN ASN: 8888 loopback: x/32 p2p: 188.x.y.z/30 br9 em3 em4 A8 em1 br12 em3 em5 br16 em1 em4 O2A10 em1 O2RR12 52 Copyright 2009 Juniper Networks, Inc.

48 INSPECTION ping source count 3 routing-instance test-vpn! PING ( ): 56 data bytes! 64 bytes from : icmp_seq=0 ttl=64 time=0.857 ms! 64 bytes from : icmp_seq=1 ttl=64 time=0.895 ms! 64 bytes from : icmp_seq=2 ttl=64 time=1.345 ms! ping statistics ---! 3 packets transmitted, 3 packets received, 0% packet loss! 55 Copyright 2009 Juniper Networks, Inc.

49 THE OVERLAPPING IP SOLUTION (2) Re-addressing is ultimate way but Make OpCo aware about pseudo-wire LSP, and force them to switch traffic base on it. Local PW stitching is not defined by standard platform dependent. PE1 Lo0: a.a.a.a 1 Lo0: b.b.b.b IP: b.b.b.b/32 Label: As-path 300 $ 5 Lo0: c.c.c.c AS 100 AS 8888 AS 100 PE40 Lo0: a.a.a.a T-LDP PE1-1 FEC128: Local PW xconnect/ stitch T-LDP 1-5 FEC128: T-LDP 5-PE40 FEC128: Copyright 2009 Juniper Networks, Inc.

50 THE OVERLAPPING IP SOLUTION (3) Only IP of loopback of OpCo (b.b.b.b), used for multihop VPN MP-eBGP session has to be unique across OpCos. The must handle multihop MP-eBGP session for VPNv4/6. The must preform NHS policy on MP-iBGP session for VPNv4/6. Note. PE do not need to support Inter-As option C at all. Note II. Special care need to be given for RD if they are based on IPv4 (or auto-rd). Overlaping IP may lead to assigning same RD value to different VPNs by different OpCo. If customer IP address space also overlap, there is risk of dropping prefix of one of VPNs. This is because VPNv4 addresses may happen to be equal in both VPNs. 57 Copyright 2009 Juniper Networks, Inc.

51