Mitrabh Shukla
National IP Manager
Objectives
Upon completion of this chapter you will be able to:
Describe MPLS VPN mechanisms
Use the command line interface to configure a VPN
Verify VPN functionality
Agenda
What is a VPN?
How Do MPLS VPNs Work?
What Are Some Scaling Techniques?
How Do I Configure MPLS VPNs?
[Figure: VPN B and VPN C sites attached to a provider backbone]
MPLS-VPN Terminology
[Figure: terminology diagram. Provider network (VPN-aware network): P router, PE router, border router, AS100, AS200. Customer network: site, CE router. Sites shown: Site1 and Site2 of VPN A and VPN B.]
For internal use
5
Nokia Siemens Networks
MPLS / Mitrabh Shukla
Agenda
What is a VPN?
How do MPLS VPNs Work?
Control Plane
Forwarding Plane
What Are Some MPLS VPN Scaling Techniques?
How Do I Configure MPLS VPNs?
[Figure: VPN A and VPN B customer sites (10.1.0.0, 10.2.0.0, 10.3.0.0, 11.5.0.0, 11.6.0.0) attached through CE routers to PE routers; the PE routers are connected across a P router and run MP-iBGP sessions]
1. MPLS Forwarding
[Figure: PE1, P1, P2 and PE2, with VRFs on the PE routers, shown from PE1's perspective and from PE2's perspective]
Global routing table entries to reach
[Figure: CE routers of the Yellow and Green VPNs at Site-1 attached to a PE router on the MPLS VPN backbone]
PE-routers:
Exchange VPN routes with CE-routers via per-VPN routing protocols
Exchange core routes with P-routers and PE-routers via core IGP
Exchange VPNv4 routes with other PE-routers via multi-protocol IBGP sessions
PE-routers can run standard IPv4 BGP in the global routing table
Exchange Internet routes with other PE routers
CE-routers do not participate in Internet routing
P-routers do not need to participate in Internet routing
VRF CE Routing and Sharing
[Figure: CE to PE routing for the Yellow and Green CE routers at Site-1, and sharing between Site-1 and Site-2 of the same VPN (Green) through the PE (OSPF, IS-IS). CE to PE routing options shown: BGP, EIGRP, RIP, static, OSPF. Other labels: routing contexts, VRF routing tables, VRF forwarding tables.]
[Figure: Site1 through Site5 grouped into VPN A, VPN B and VPN C]
[Figure: VPN A and VPN B sites using the same addresses (10.1.0.0 and 10.2.0.0 appear in both VPNs), attached through CE routers to PE routers across a P router]
Route Distinguisher provides the separation
Why MP-iBGP?
[Figure: PE2 and P2, with CE2 at Site-2 of VPN yellow]
VPN-IPv4 update: RD1:Net1, Next-hop=PE1, SOO=Site1, RT=Yellow, Label=10
VPN-IPv4 update: RD2:Net1, Next-hop=PE1, SOO=Site1, RT=Green, Label=12
Why MP-iBGP?
[Figure: MP-iBGP session between PE1 and PE2 across P1 and P2, with CE1 at Site-1 and CE2 at Site-2; the VPN prefix shown is 152.12.4.0/24]
VPN-v4 update: RD:1:27:152.12.4.0/24, NH=PE1, RT=1:1, VPN Label=(29)
LDP update: Next hop=PE1, Label=(imp-null)
LDP update: Next hop=P1, Label=(41)
LDP update: Next hop=P2, Label=(32)
[Figure: forwarding of a packet for 152.12.4.6 from CE2 (VPN B) to CE1 (VPN B, 152.12.4.0/24). Label stack: LSP/MPLS label, then VPN label.]
PE2: VRF lookup for 152.12.4.6, NH=PE1, VPN Label=(29); packet sent as 32 29 152.12.4.6
P2: label swap; packet sent as 41 29 152.12.4.6
P1: packet sent as 29 152.12.4.6
PE1: LFIB lookup for label 29 = vrf VPN B; VRF lookup for 152.12.4.6, NH=CE1; packet sent as 152.12.4.6
Scaling MPLS-VPN
Route Reflectors
[Figure: route reflectors for the Green and Yellow VPNs]
MPLS-VPN Scaling
BGP Automatic Route Filtering (ARF)
[Figure: PE with MP-iBGP sessions, configured with Import RT=yellow and Import RT=green, receiving the two updates below]
VPN-IPv4 update: RD:Net1, Next-hop=PE-X, SOO=Site1, RT=Green, Label=XYZ
VPN-IPv4 update: RD:Net1, Next-hop=PE-X, SOO=Site1, RT=Red, Label=XYZ
MPLS-VPN Scaling
Route Refresh
[Figure: PE with Import RT=yellow, Import RT=green and Import RT=red, exchanging Route-Refresh with its neighbors]
2. PE issues a Route-Refresh to all neighbors in order to ask for re-transmit
3. Neighbors re-send updates and red route-target is now accepted
VPN-IPv4 update: RD:Net1, Next-hop=PE-X, SOO=Site1, RT=Green, Label=XYZ
VPN-IPv4 update: RD:Net1, Next-hop=PE-X, SOO=Site1, RT=Red, Label=XYZ
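The import-RT filtering and Route-Refresh behaviour on the two scaling slides above, as an added Python example (not from the original deck). The class names, the 10.1.0.0/16 prefix, the RDs and the labels are constructed for illustration. It also shows that the import RT alone decides which VRF a route lands in, while the RD keeps identical prefixes apart.

```python
# Added illustration; Update, Peer and PE are hypothetical names, values are constructed.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Update:
    rd: str          # route distinguisher: makes the prefix unique per VPN
    prefix: str
    next_hop: str
    rts: frozenset   # route-target extended communities carried by the route
    label: int       # VPN label

@dataclass
class Peer:
    adj_rib_out: list                 # routes this neighbor advertises
    def refresh(self):                # answer a Route-Refresh: re-send everything
        return list(self.adj_rib_out)

@dataclass
class PE:
    vrfs: dict = field(default_factory=dict)    # vrf name -> set of import RTs
    tables: dict = field(default_factory=dict)  # vrf name -> {(rd, prefix): Update}
    dropped: int = 0

    def receive(self, upd):
        wanted = [v for v, imports in self.vrfs.items() if imports & upd.rts]
        if not wanted:                # ARF: no VRF imports any RT on this route
            self.dropped += 1         # discarded, not kept for later
            return
        for v in wanted:
            self.tables.setdefault(v, {})[(upd.rd, upd.prefix)] = upd

    def add_import(self, vrf, rt, peers):
        self.vrfs.setdefault(vrf, set()).add(rt)
        for p in peers:               # filtered routes were not stored: ask again
            for upd in p.refresh():
                self.receive(upd)

def demo():
    green = Update("100:1", "10.1.0.0/16", "PE-X", frozenset({"green"}), 10)
    red = Update("100:2", "10.1.0.0/16", "PE-X", frozenset({"red"}), 12)
    peer = Peer([green, red])
    pe = PE(vrfs={"yellow": {"yellow"}, "green": {"green"}})
    for u in peer.refresh():
        pe.receive(u)
    before = (sorted(pe.tables), pe.dropped)   # red route was filtered
    pe.add_import("red", "red", [peer])        # new import RT, then Route-Refresh
    return before, {v: sorted(t) for v, t in pe.tables.items()}

if __name__ == "__main__":
    print(demo())
```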
Label VPN packets with LDP label for egress PE-router, forward labeled packets across MPLS backbone?
P-routers perform label switching, packet reaches egress PE-router.
However, egress PE-router does not know which VRF to use for packet lookup, so the packet is dropped.
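The failure described above, next to the two-label case, as an added Python example (not from the original deck). The label values 32, 41, imp-null and 29 and the prefix 152.12.4.0/24 are the ones on the forwarding slides; the table layout and function names are assumptions made for illustration.

```python
# Added illustration; table layout and function names are hypothetical.
import ipaddress

IMP_NULL = "imp-null"
# LFIB per P router: incoming label -> (outgoing label, next router)
LFIB = {"P2": {32: (41, "P1")}, "P1": {41: (IMP_NULL, "PE1")}}
# Egress PE1: VPN label -> VRF, and the routes held in each VRF
PE1_VPN_LABELS = {29: "VPN B"}
PE1_VRFS = {"VPN B": {ipaddress.ip_network("152.12.4.0/24"): "CE1"}}
PE1_GLOBAL = {}   # customer prefixes are not in the global routing table

def lookup(table, dst):
    addr = ipaddress.ip_address(dst)
    return next((nh for net, nh in table.items() if addr in net), None)

def forward(dst, vpn_label):
    """Send dst from PE2 towards PE1; vpn_label=None models LDP label only."""
    stack = [32] + ([vpn_label] if vpn_label is not None else [])
    trace, router = [("PE2", list(stack))], "P2"   # (router, stack it sends)
    while router in LFIB:
        out, nxt = LFIB[router][stack[0]]
        # imp-null means pop the top label, otherwise swap it
        stack = stack[1:] if out == IMP_NULL else [out] + stack[1:]
        trace.append((router, list(stack)))
        router = nxt
    if stack:                       # remaining label selects the VRF on PE1
        vrf = PE1_VPN_LABELS.get(stack[0])
        nh = lookup(PE1_VRFS.get(vrf, {}), dst)
    else:                           # bare IP packet: only the global table is left
        vrf, nh = None, lookup(PE1_GLOBAL, dst)
    return trace, vrf, nh or "drop"

if __name__ == "__main__":
    print(forward("152.12.4.6", 29))     # two labels: delivered to CE1
    print(forward("152.12.4.6", None))   # LDP label only: dropped at PE1
```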
1. Configure VRFs
2. Associate interfaces with VRFs
3. Configure MP-iBGP routing
4. Configure CE to PE routing
5. Verify VPN operation
Configure VRF
ip vrf <vrf-symbolic-name>
rd <route-distinguisher-value>
route-target export <community>
route-target import <community>
vrf-symbolic-name: logical name of the VPN; use something that makes sense
rd: number to uniquely identify the prefix value; convention is ASN:xxxx
route-target export: the extended community string you will SEND with your routes
route-target import: the extended community string you will RECEIVE and put into your VRF
Configure VRF
[Figure: PE with interfaces E1/0 and E2/0 facing the CE routers of VPN red and VPN blue]
VRF names are case sensitive
Configure RD
RD format: ASN:variable or IP:variable
PE1(config)#ip vrf blue
PE1(config-vrf)#rd 100:20
RD to RT matching just makes it easy
VRF Options
[Figure: VRF options; surviving labels: CE1, 100:1, warning-only]
Configure interfaces to belong to the VRF
Also, you can only assign one VRF to an interface
[Figure: MP-BGP session between PE routers across the VPN backbone, which runs an IGP]
PE1(config)#router bgp 100
PE1(config-router)#neighbor 10.131.63.252 remote-as 100
PE1(config-router)#neighbor 10.131.63.252 desc MP-BGP to PE2
PE1(config-router)#neighbor 10.131.63.252 update-source Loopback0
[Figure: lab topology. MPLS core in BGP AS100 running OSPF Area 0. VPN1 (RD 100:1) and VPN2 (RD 100:2) each have a Site A and a Site B, with CE routers CE-1A, CE-2A, CE-1B and CE-2B. Site A CE routers: lo0 172.16.1.1/24, s0/0 172.16.2.1/30, facing PE interfaces s1/0 and s1/1 at 172.16.2.2/30. Site B CE routers: lo0 172.17.1.1/24, s0/0 172.17.2.1/30, facing PE interfaces s1/0 and s1/1 at 172.17.2.2/30. PE-B lo0 200.200.0.12.]
PE-A(config)#ip vrf VPN1
PE-A(config-vrf)#rd 100:1
PE-A(config-vrf)#route-target export 100:10
PE-A(config-vrf)#route-target import 100:10
PE-A(config)#interface Serial1/0
Configure MP-BGP
[Figure: MP-BGP configuration slide over the lab topology; surviving callouts: AS number, activate, send-community extended]
CE config
PE config
[Figure: lab topology repeated; additional labels: P-A, P-B, lo0 200.200.0.1, lo0 200.200.0.2]
PE-A(config)#ip route vrf VPN1 172.16.1.0 255.255.255.0 172.16.2.1
PE-A(config)#ip route vrf VPN2 172.16.1.0 255.255.255.0 172.16.2.1
PE-A(config)#router bgp 100
PE-A(config-router)#address-family ipv4 vrf VPN1
PE-A(config-router-af)#network 172.16.1.0 mask 255.255.255.0
PE-A(config-router-af)#network 172.16.2.0 mask 255.255.255.252
PE-A(config-router-af)#exit-address-family
PE-A(config-router)#address-family ipv4 vrf VPN2
PE-A(config-router-af)#network 172.16.1.0 mask 255.255.255.0
PE-A(config-router-af)#network 172.16.2.0 mask 255.255.255.252
PE-A(config-router-af)#exit-address-family
[Slide: five show ip commands; only the leading keywords survive]
Verify Labels
Chapter Summary
You should now be able to:
Describe MPLS VPN mechanisms
Use the command line interface to configure a VPN
Verify VPN functionality