CISCO Networkers 2003 - Deploying MPLS-VPN PDF

Deploying MPLS-VPN

Session RST-2061

RST-2061
8181_05_2003_c2 © 2003, Cisco Systems, Inc. All rights reserved. 2

Copyright © 2003, Cisco Systems, Inc. All rights reserved. Printed in USA.
8181_05_2003_c2
Agenda
• Prerequisites
• Background
• Theory
• Practice
• Route Reflectors
• Carrier’s Carrier
• Inter-AS
• Import/Export Maps

Prerequisites

• Must understand basic IP routing, especially BGP
• Must understand MPLS basics (push, pop, swap, label stacking)

Recommended Reading

• MPLS and VPN Architectures by Jim Guichard and Ivan Pepelnjak
ISBN: 1-58705-002-1

Background—Why Have MPLS-VPNs?
• Tag switching came about from Ipsilon’s IP switching
• Cisco’s tag switching begat MPLS
• One of the fundamentals of tag switching was label stacking
• Label stacking allows the network to transport data across it without needing routing information in the core
    Like a frame relay network doesn’t need IP routing
• MPLS-VPN = label stacking + BGP extensions

Overlay vs. Peer Networks

• Overlay network: customer’s IP network is overlaid on top of the provider’s network
    Provider’s IP transport (FR, ATM, etc.) creates private IP network for customer
    Most technologies that carry IP are p2p
    Large p2p networks are hard to maintain
    N^2 provisioning vs. inefficient routing
    Even with hub and spoke, need lots of stuff at the hub

Overlay Network
• Provider sells a circuit service
• Customer purchases circuits to connect sites, runs IP
• N sites, (N*(N-1))/2 circuits for full mesh—expensive
• The big scalability issue here is routing peers—N sites, each site has N-1 peers
• Hub and spoke is popular, suffers from the same N-1 number of routing peers
• Hub and spoke with static routes is simpler, still buying N-1 circuits from hub to spokes
• Spokes distant from hubs could mean lots of long-haul circuits
[Figure: Provider (FR, ATM, etc.)]

Peer Network
• Provider and customer exchange IP routing information directly
    Customer only has one routing peer per site
• Need to separate customer’s IP network from provider’s network
    Customer A and Customer B need to not talk to each other
    Customer A and Customer B may have the same address space (10.0.0.0/8, 161.44.0.0/16, etc.)
• VPN is provisioned and run by the provider
• MPLS-VPN does this without p2p connections

Peer Network

• Provider sells an MPLS-VPN service
• Customer purchases circuits to connect sites, runs IP
• N sites, N circuits into provider
• Access circuits can be any media at any point (FE, POS, ATM, T1, dial, etc.)
• Full mesh connectivity without full mesh of L2 circuits
• Hub and spoke is also easy to build
• Spokes distant from hubs connect to their local provider’s POP, lower access charge because of provider’s size
• The Internet is a large peer network
[Figure: Provider (MPLS-VPN)]

Terminology, 1/2
• RR—Route Reflector
    A router (usually not involved in packet forwarding) that distributes BGP routes within a provider’s network
• PE—Provider Edge router
    The interface between the customer and the MPLS-VPN network; only PEs (and maybe RRs) know anything about MPLS-VPN routes
• P—Provider router
    A router in the core of the MPLS-VPN network, speaks LDP/RSVP but not VPNv4
• CE—Customer Edge router
    The customer router which connects to the PE; does not know anything about labels, only IP (most of the time)
• LDP—Label Distribution Protocol
    Distributes labels within a provider’s network that mirror the IGP, one way to get from one PE to another
• LSP—Label Switched Path
    The chain of labels that are swapped at each hop to get from one PE to another

Terminology, 2/2

• VPN—Virtual Private Network
    A network deployed on top of another network, where the two networks are separate and never communicate
• VRF—Virtual Routing and Forwarding instance
    Mechanism in IOS used to build per-interface RIB and FIB
• VPNv4
    Address family used in BGP to carry MPLS-VPN routes
• RD
    Route Distinguisher, used to uniquely identify the same network/mask from different VRFs (i.e., 10.0.0.0/8 from VPN A and 10.0.0.0/8 from VPN B)
• RT
    Route Target, used to control import and export policies, to build arbitrary VPN topologies for customers

Theory

• Virtual Routing and Forwarding instances
• Carrying VPN routes in BGP
• Packet forwarding

VRFs

• A VRF is associated to one or more interfaces on a router
• VRF is essentially a per-interface routing table and the necessary forwarding stuff (CEF)
• Not virtual routers, just virtual routing and forwarding
• VRFs are IP only (no Appletalk-VRF, although in theory it’s certainly possible)

VRFs
• Within a VRF, provider speaks a routing protocol with their customer
• Most protocols are supported
    Static routes
    RIP
    BGP
    EIGRP
    OSPF
• No IS-IS support yet (haven’t seen the demand)
• No IGRP or EGP support either (same idea)
• Routes flow between VRF IGP/BGP and provider BGP (see VPNv4)

Virtual Routing and Forwarding Instances
• Define a VRF for interface 0
• Define a different VRF for interface 1
• Packets will never go between int. 0 and 1 unless allowed by VRF policy
    Will explain this policy in the next section
• No MPLS yet…
[Figure: interface 0 in the VRF for VPN-A (CE, 195.12.2.0/24); interface 1 in the VRF for VPN-B (CE, 146.12.7.0/24)]

Carrying VPN Routes in BGP

• VRFs by themselves aren’t all that useful
• Need some way to get the VRF routing information off the PE and to other PEs
• This is done with BGP

Additions to BGP to Carry MPLS-VPN Info

• RD: Route Distinguisher
• VPNv4 address family
• RT: Route Target
• Label
…all defined in RFC2547 and –bis draft

Route Distinguisher
• To differentiate 10.0.0.0/8 in VPN-A from 10.0.0.0/8 in VPN-B
• 64-bit quantity
• Configured as ASN:YY or IPADDR:YY
    Almost everybody uses ASN
• Purely to make a route unique
    Unique route is now RD:IPAddr (96 bits) plus a mask on the IPAddr portion
    So customers don’t see each other’s routes
    So route reflectors make a bestpath decision on something other than 32-bit network + 32-bit mask

VPNv4

• In BGP for IP, 32-bit address + mask makes a unique announcement
• In BGP for MPLS-VPN, (64-bit RD + 32-bit address) + 32-bit mask makes a unique announcement
• Since the route encoding is different, need a different address family in BGP
• VPNv4 = VPN routes for IPv4
    As opposed to IPv4 or IPv6 or multicast-RPF, etc…
• VPNv4 announcement carries a label with the route
    “If you want to reach this unique address, get me packets with this label on them”

Route Target
• To control policy about who sees what routes
• 64-bit quantity (2 bytes type, 6 bytes value)
• Carried as an extended community
• Typically written as ASN:YY
• Each VRF ‘imports’ and ‘exports’ one or more RTs
    Exported RTs are carried in VPNv4 BGP
    Imported RTs are local to the box
• A PE that imports an RT installs that route in its routing table

Putting It All Together—Control Plane

[Figure: control plane, Steps 1-5. A CE announces Net=16.1/16 to PE1 via IGP/EBGP; PE1 advertises it in BGP as VPN-IPv4 Net=RD:16.1/16, NH=PE1, Route Target, Label=42; the receiving PE passes Net=16.1/16 to its CE via IGP/EBGP. Topology: PE1-PE3, P1-P3, and CEs for sites of VPN A, VPN B and VPN C running static routes, RIPv2, OSPF or BGP.]

MPLS-VPN Packet Forwarding

• Between PE and CE, regular IP packets (for now)
• Within the provider network—label stack
    Outer label: “get this packet to the egress PE”
    Inner label: “get this packet to the egress CE”

Where Do Labels Come From?

• Within a single network, can use LDP or RSVP to distribute IGP labels
• LDP follows the IGP path
• RSVP (for TE) deviates from IGP shortest path, see “Deploying MPLS-TE”, RST-2062
• Which IGP label distribution method you use is independent of any VPN label distribution

Putting It All Together—Forwarding Plane

[Figure: forwarding plane, Steps 1-4, using the VPN-IPv4 route Net=RD:16.1/16, NH=PE1, Label=42 learned over BGP. Step 1: CEA3 (VPN A/Site 2) sends an IP packet with Dest=16.1.1.1 to PE3. Step 2: the packet crosses the core with Label N (Dest=PE1) over Label 42 (Dest=CEa1). Step 3: it reaches PE1 carrying Label 42 (Dest=CEa1). Step 4: PE1 sends the IP packet (Dest=16.1.1.1) to CEA1 (VPN A/Site 1, 16.1/16).]

Import/Export Policies

• Full mesh:
    All sites import X:Y and export X:Y
• Hub and spoke:
    Hub exports X:H and imports X:S
    Spokes export X:S and import X:H

Full Mesh

[Figure: full mesh. All clients get all 16.Z/16 routes because all sites import and export X:Y (Net=X:Y:16.Z/16). Sites 16.1/16 through 16.5/16 attach through PE1, PE2 and PE3.]

Hub and Spoke

1) Hub Exports: Net=X:H:0/0
2) Spokes Export: Net=X:S:16.X/16
3) Hub Imports All X:S Routes
4) Spokes Import All X:H Routes

[Figure, built up over four slides: the hub advertises Net=X:H:0/0; the spokes advertise Net=X:S:16.2/16, Net=X:S:16.3/16, Net=X:S:16.4/16 and Net=X:S:16.5/16; the hub ends up with all 16.Z/16 routes and each spoke with 0/0. Sites 16.1/16 through 16.5/16 attach through PE1, PE2 and PE3.]
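
Added example (not from the original slides): a small Python model of the control plane described above, showing that the RD keeps overlapping prefixes distinct in VPNv4 BGP while the RT import/export sets alone decide which VRF installs which route, for both hub-and-spoke and full mesh. The RT and RD values, VRF names and the cross_customer_imports audit are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed RT values (ASN:YY form); the slides call these X:H, X:S and X:Y.
RT_A_HUB, RT_A_SPOKE, RT_B = "3402:100", "3402:101", "3402:200"


@dataclass(frozen=True)
class Vpnv4Route:
    rd: str          # route distinguisher: makes the prefix unique in BGP
    prefix: str
    next_hop: str    # advertising PE
    label: int       # inner (VPN) label chosen by that PE
    rts: frozenset   # route targets exported with the route
    origin: str      # originating VRF, kept so a VRF can skip its own routes


@dataclass
class Vrf:
    name: str
    customer: str
    pe: str
    rd: str
    imports: set
    exports: set
    prefixes: list
    table: list = field(default_factory=list)


def advertise(vrfs):
    """VPNv4 table as a route reflector holds it: keyed by (RD, prefix)."""
    bgp, label = {}, 16
    for vrf in vrfs:
        for prefix in vrf.prefixes:
            label += 1
            bgp[(vrf.rd, prefix)] = Vpnv4Route(
                vrf.rd, prefix, vrf.pe, label, frozenset(vrf.exports), vrf.name)
    return bgp


def install(vrfs, bgp):
    """A VRF installs a route only when it imports an RT carried on that route."""
    view = {}
    for vrf in vrfs:
        vrf.table = [r for r in bgp.values()
                     if r.origin != vrf.name and vrf.imports & r.rts]
        view[vrf.name] = sorted((r.prefix, r.origin) for r in vrf.table)
    return view


def cross_customer_imports(vrfs):
    """Flag VRF pairs where one customer's import RT matches another's export RT.
    Deliberate extranets also match; the output is a list to review, not a verdict."""
    return [(i.name, e.name, sorted(i.imports & e.exports))
            for i in vrfs for e in vrfs
            if i.customer != e.customer and i.imports & e.exports]


def build_network():
    # Customer A is hub and spoke, customer B is full mesh; both use 16.2.0.0/16.
    return [
        Vrf("A-hub", "A", "PE1", "3402:1", {RT_A_SPOKE}, {RT_A_HUB}, ["0.0.0.0/0"]),
        Vrf("A-spoke1", "A", "PE2", "3402:1", {RT_A_HUB}, {RT_A_SPOKE}, ["16.2.0.0/16"]),
        Vrf("A-spoke2", "A", "PE3", "3402:1", {RT_A_HUB}, {RT_A_SPOKE}, ["16.3.0.0/16"]),
        Vrf("B-site1", "B", "PE2", "3402:2", {RT_B}, {RT_B}, ["16.2.0.0/16"]),
        Vrf("B-site2", "B", "PE3", "3402:2", {RT_B}, {RT_B}, ["16.9.0.0/16"]),
    ]


if __name__ == "__main__":
    vrfs = build_network()
    bgp = advertise(vrfs)
    print(len(bgp), "VPNv4 routes;", len({p for _, p in bgp}), "distinct IPv4 prefixes")
    for name, routes in install(vrfs, bgp).items():
        print(f"{name:9} installs {routes}")
    # A single wrong import RT on B-site2 pulls customer A's spoke routes into B's VRF.
    vrfs[4].imports.add(RT_A_SPOKE)
    print("after bad import:", install(vrfs, bgp)["B-site2"])
    print("audit:", cross_customer_imports(vrfs))
```

The spokes never install each other's prefixes, only the hub's 0/0, which is the hub-and-spoke property; the RT sets are the only thing separating customer A from customer B.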

Things to Note

• Core does not run VPNv4 BGP!
    Same principle can be used to run a BGP-free core for an IP network
• CE does not know it’s in an MPLS-VPN
• Outer label is from LDP/RSVP
    Getting packet to egress PE is orthogonal to MPLS-VPN
• Inner label is from BGP
    Inner label is there so the egress PE can have the same network in multiple VRFs

Things to Note

• Need /32s for all PEs if using LDP
    Outer label says “get me to this prefix”
    If the prefix has a mask shorter than /32, can’t guarantee we won’t hit summarization at some point in the network
    What does the summarization point do with the packet?
[Figure: PE1 is 1.1.1.1/32 and PE2 is 1.1.1.2/32; P1 advertises 1.1.1.0/24 with label 42 toward PE3. PE3 sends a packet with Label 42 (Dest=PE1) over the VRF label (Dest=CEa1); what P1 does with it is marked “?”.]
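
Added example (not from the original slides): a simplified Python model of the label stack on the path PE3, P1, PE1, comparing a /32 carried end to end with a 1.1.1.0/24 summary originated at P1. Assumptions: the VPN label is 42 as on the forwarding-plane slide, the outer label 20 is constructed, and the summarizing router treats itself as the end of the LSP and looks up whatever label is exposed in its own label space.

```python
import ipaddress

VPN_LABEL = 42    # inner label from PE1's VPNv4 advertisement (value used on the slides)
OUTER = 20        # constructed LDP label that P1 advertises to PE3


class Router:
    def __init__(self, name):
        self.name = name
        self.lfib = {}   # incoming label -> (action, next hop name)
        self.fib = {}    # IGP prefix -> (label to push, next hop name)

    def resolve(self, address):
        """Longest-prefix match of a BGP next hop in the IGP table."""
        addr = ipaddress.ip_address(address)
        matches = [p for p in self.fib if addr in p]
        best = max(matches, key=lambda p: p.prefixlen)
        return (best,) + self.fib[best]


def build(summarize, p1_reuses_42=False):
    """PE3 -- P1 -- PE1 (1.1.1.1), with PE2 (1.1.1.2) also behind P1."""
    r = {n: Router(n) for n in ("PE3", "P1", "PE1", "PE2")}
    r["PE1"].lfib[VPN_LABEL] = ("vrf", "CEa1")   # PE1 maps 42 to the customer VRF
    if summarize:
        # P1 originates 1.1.1.0/24, so the LSP that PE3 resolves ends at P1.
        r["PE3"].fib[ipaddress.ip_network("1.1.1.0/24")] = (OUTER, "P1")
        r["P1"].lfib[OUTER] = ("pop-local", "P1")
    else:
        # The /32 is carried end to end; P1 is the penultimate hop and pops toward PE1.
        r["PE3"].fib[ipaddress.ip_network("1.1.1.1/32")] = (OUTER, "P1")
        r["P1"].lfib[OUTER] = ("pop", "PE1")
    if p1_reuses_42:
        # Label values are local to each router: P1 may use 42 for its LSP to PE2.
        r["P1"].lfib[VPN_LABEL] = ("pop", "PE2")
    return r


def forward(routers, bgp_next_hop="1.1.1.1"):
    """Send one VPN packet from PE3; return (outcome, per-hop trace)."""
    fec, outer, hop = routers["PE3"].resolve(bgp_next_hop)
    stack = [outer, VPN_LABEL]                    # top of stack first
    trace = [f"PE3: push {stack} (next hop resolved via {fec})"]
    while True:
        node = routers[hop]
        if not stack:
            trace.append(f"{node.name}: unlabeled packet, global routing table lookup")
            return f"leaked into global table at {node.name}", trace
        entry = node.lfib.get(stack[0])
        if entry is None:
            trace.append(f"{node.name}: label {stack[0]} unknown, drop")
            return f"dropped at {node.name}", trace
        action, nxt = entry
        popped, stack = stack[0], stack[1:]
        if action == "vrf":
            trace.append(f"{node.name}: label {popped} selects VRF, IP packet to {nxt}")
            return f"delivered to {nxt}", trace
        trace.append(f"{node.name}: pop {popped}, remaining {stack}, handled next by {nxt}")
        hop = nxt


if __name__ == "__main__":
    for summarize, reuse in [(False, False), (True, False), (True, True)]:
        outcome, trace = forward(build(summarize, reuse))
        print(f"summarize={summarize} p1_reuses_42={reuse}: {outcome}")
        for line in trace:
            print("   ", line)
```

With the /32 the inner label is only ever examined by PE1. With the summary, P1 is left holding a label it never allocated, so the packet is either black-holed or, if P1 uses the same value for something else, forwarded outside the VPN.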

Prerequisites

Global Config on PE

ip cef {distributed}
mpls ip (on by default)

[Figure: CE1 connected to PE1]

Build a VRF

Global Config on PE

ip vrf foo
 rd 100:1
 route-target import 247:1
 route-target export 247:1

[Figure: CE1 connected to PE1]

Attach a VRF to a Customer Interface

interface Serial0
 ip vrf forwarding foo
 ip address 10.1.1.1 255.255.255.0

[Figure: CE1 (10.1.1.2) connected to PE1 (10.1.1.1)]

Run an IGP within a VRF—RIP

router rip
 address-family ipv4 vrf foo
  version 2
  no auto-summary
  network 10.0.0.0
 exit-address-family

[Figure: CE1 (10.1.1.2) connected to PE1 (10.1.1.1)]

Run an IGP within a VRF—EIGRP

router eigrp 1
 address-family ipv4 vrf foo
  network 10.1.1.0 0.0.0.255
  autonomous-system 1
 exit-address-family

[Figure: CE1 (10.1.1.2) connected to PE1 (10.1.1.1)]

Run an IGP within a VRF—OSPF

router ospf 1 vrf foo
 network 10.1.1.0 0.0.0.255 area 0

[Figure: CE1 (10.1.1.2) connected to PE1 (10.1.1.1)]

Run BGP within a VRF

router bgp 3402
 address-family ipv4 vrf foo
  neighbor 10.1.1.2 remote-as 1000
  neighbor 10.1.1.2 activate
 exit-address-family

[Figure: CE1 (AS1000, 10.1.1.2) connected to PE1 (AS3402, 10.1.1.1)]

Enable VPNv4 BGP in the Backbone

router bgp 3402
 neighbor 1.2.3.4 remote-as 3402
 neighbor 1.2.3.4 update-source loopback 0
 address-family vpnv4
  neighbor 1.2.3.4 activate
  neighbor 1.2.3.4 send-community both

[Figure: PE1 and PE2 (1.2.3.4) with an iBGP VPNv4 session between them]

Get Routes from Customer Routing to VPNv4
• If CE routing is not BGP, need to redistribute into BGP
• NOTE: this means you *need* an IPv4 VRF BGP context to get routes into the PE backbone, even if you don’t have any BGP neighbors in the VRF
• IGP metric is usually carried as MED, unless changed
    EIGRP is an exception, carries the 5-part metric as BGP extended communities

router bgp 3402
 neighbor 1.2.3.4 remote-as 3402
 neighbor 1.2.3.4 update-source loopback 0
 address-family ipv4 vrf test
  redistribute {rip|connected|static|eigrp|ospf}

[Figure: routes from CE1 reach PE1 and are carried over iBGP VPNv4 to PE2 (1.2.3.4)]

Get Routes from VPNv4 to Customer Routing
• If CE routing is not BGP, need to redistribute from VPNv4 to CE routing
• Redistributing BGP into IGP makes some people nervous; don’t worry about it, it’s hard to screw up
    Please note that “hard” != “impossible”…:)
• Metric is important when going from MED to RIP or EIGRP
    Can also use default-metric or route-map

router rip
 address-family ipv4 vrf foo
  version 2
  redistribute bgp 3402 metric 1
  no auto-summary
  network 10.0.0.0
 exit-address-family

[Figure: routes from PE2 arrive at PE1 (10.1.1.1) over iBGP VPNv4 and are passed to CE1 (10.1.1.2)]

Diagnostics on the PE

• Many commands have a ‘vrf’ keyword
    Ping, traceroute, telnet, etc
    Pretty much every diagnostic command that makes sense

ping vrf test 10.1.1.1
trace vrf test 10.1.1.1
telnet 10.1.1.1 /vrf test

Diagnostics on the PE

show ip route vrf test
show ip cef vrf test

…etc…
See the session on “Troubleshooting MPLS-VPN” (RST-3061) for more information

Route Reflectors
• Biggest scaling hurdle with MPLS-VPN is BGP
• Luckily, we have lots of experience scaling BGP
• Can use confederations or route reflectors
    Confederations falling out of favor
• RRs make more sense when not every router needs all routes (i.e., PEs)
• Scaling is a little different
    Currently ~120k Internet routes
    Some customers are asking for 500k-1M VPNv4 routes
    Largest in reality is closer to 200k-250k, but be prepared

Route Reflectors
• Full iBGP mesh is a lot of neighbors to maintain on every router
• N^2 provisioning when a PE is added, and VPN networks are growing constantly
• Route Reflector takes routes from neighbors, gives them to other neighbors
• Can build a dedicated RR that isn’t used for forwarding, but which can hold lots of routes
• 1GB Memory, ~1,000,000 routes
[Figure: Route Reflector]

Route Reflectors—Basic Configuration

Client

neighbor 1.2.3.4 remote-as 3402
neighbor 1.2.3.4 update-source loopback0

Reflector

router bgp 3402
 [no bgp default route-target filter]    (on by default if configured with RR-clients)
 neighbor 1.2.3.6 remote-as 3402
 neighbor 1.2.3.6 update-source loopback0
 address-family vpnv4
  neighbor 1.2.3.6 route-reflector-client

[Figure: PE1 (1.2.3.6) with an iBGP VPNv4 session to the RR (1.2.3.4)]

Route Reflectors—Peer Groups
• Use peer groups for a tremendous convergence improvement
• On the RR
    neighbor foo peer-group
    neighbor 1.2.3.6 peer-group foo
• …then apply a common output policy to neighbor foo
• See the deploying BGP session for more details and knobs (RST-3003)

Route Reflectors—Other Tweaks

• Peer-groups are such a powerful enhancement that the RR can be overwhelmed by ACKs from lots of clients
• Increase input hold-queue to hold these ACKs
    Router(config-if)# hold-queue <x> in
• Default is 75, consider 500, 1,000, etc (max is 4,096)
• Memory consumed is (Qsize * ifMTU), so 1500byte MTU @1,000-packet depth = 1.5Mbyte per interface
    If you can’t spare the 1.5Mb/interface, you probably shouldn’t be a Route Reflector

Route Reflectors—Other Tweaks

• TCP MSS (max segment size) is 536 by default
• All backbone links now are MTU 1500 or higher (most ~4k)
• ‘ip tcp path-mtu-discovery’ to increase TCP MSS to fit in MTU
• Benefit: get BGP routes to peers faster, less protocol overhead

Route Reflectors—Other Tweaks

• See “Complex Deployment and Analysis of BGP” (RST-3003) for more details
• Don’t underestimate the power of performance tuning

BGP + Label

• RFC3107 defines a way to exchange a label with an IPv4 (not VPNv4) BGP route
• This is useful to exchange label reachability for IPv4 prefixes between ASes
• Also used in Carrier’s Carrier and Inter-AS
• Under IPv4 (or IPv4 VRF) address-family:
    neighbor 1.2.3.4 send-label

Carrier’s Carrier: The Problem

• MPLS-VPN works well for carrying customer IGPs
• Platforms, network scale to N*O(IGP) routes
• What if the CE wants the PE to carry all their BGP routes?
• Or if CE wants to run their own VPN service?

Carrier’s Carrier: The Problem (Internet)

[Figure: ISP A/Site 1 (CEA1) and ISP A/Site 2 (CEA3) attach to PE1 and PE3 across P1-P3 and run iBGP IPv4 between the sites; one site connects to the Internet. Step 1: an IP packet with Dest=Internet arrives at the PE.]

Carrier’s Carrier: The Problem (VPN)

[Figure: ISP A/Site 1 (CEA1) and ISP A/Site 2 (CEA3) attach to PE1 and PE3 and run iBGP VPNv4 between the sites; VRF A holds 1.2.3.0/24. Step 1: a packet with Label (iBGP VPNv4) Dest=VRF A over IP Dest=1.2.3.4 arrives at the PE.]

Carrier’s Carrier: The Solution

• MPLS between PE and CE
    Either IGP+LDP or BGP+Label
• CEs exchange labels for their IGP routes with the PEs
• CEs iBGP peer with each other
• PEs are back to O(IGP) information

Carrier’s Carrier: The Solution (Internet)

[Figure: Steps 1-4 for an IP packet with Dest=Internet travelling between VPN A/Site 2 (CEA3, PE3) and VPN A/Site 1 (CEA1, PE1), where the Internet is attached. Label stacks shown along the path: Label (LDP/BGP+Label) Dest=CEa1; Label (LDP/TE) Dest=PE1 over Label (VPNv4/IBGP) Dest=CEa1; Label (VPNv4) Dest=CEa1; and the plain IP packet.]

Carrier’s Carrier: The Solution (VPN)

[Figure: Steps 1-4 for an IP packet with Dest=VPN1-Cust travelling between VPN A/Site 2 (CEA3, PE3) and VPN A/Site 1 (CEA1, PE1), where VPN1-Cust is attached. The packet carries Label (iBGP VPNv4) Dest=VPN1 above the IP header; the labels added on top of it along the path are Label (LDP/BGP) Dest=CEa1, Label (LDP/TE) Dest=PE1 over Label (VPNv4) Dest=CEa1, and Label (VPNv4) Dest=CEa1.]

Inter-AS MPLS VPN


• VPN sites may be geographically dispersed
    Requiring connectivity to separate MPLS VPN service providers
• Transit between VPN sites may pass through multiple providers’ MPLS backbones
    This implies exchange of VPN routing information between providers
    Provider backbones may or may not provide VPN service directly
• Referred to as inter-AS VPN

VPN Client Connectivity

[Figure: VPN sites attached to different MPLS VPN service providers. VPN-A-1 (149.27.2.0/24) attaches through CE-1 to PE-1 and VPN-A-2 through CE2 to PE2; the two PEs are in different ASes (AS #1, AS #2), each with edge routers. CE-1 announces 149.27.2.0/24, NH=CE-1 over BGP, OSPF or RIPv2. PE-1 sends VPN-v4 update RD:1:27:149.27.2.0/24, NH=PE-1, RT=1:231, Label=(28). The VPN-A VRF on PE2 imports routes with route-target 1:231. Question posed: how to distribute routes between SPs?]

VPNv4 Distribution Options

[Figure: two ways to exchange VPNv4 routes between AS #1 and AS #2: MP-eBGP for VPNv4 between PE-ASBR-1 and PE-ASBR-2, or multihop MP-eBGP between RRs. VPN-A-1 attaches through CE-1 and PE-1, VPN-A-2 through CE-2 and PE-2.]
Other options available, these two are the most sensible

EBGP VPNv4
• Gateway PE-ASBRs exchange routes directly using BGP
    External MP-BGP for VPNv4 prefix exchange; no LDP or IGP
• MP-BGP session with next-hop set to advertising PE-ASBR
    Next-hop and labels are rewritten when advertised across the inter-provider MP-BGP session
• PE-ASBR stores all VPN routes that need to be exchanged
    But only within the BGP table
    No VRFs; labels are populated into the LFIB of the PE-ASBR

EBGP VPNv4

• Receiving gateway PE-ASBRs may allocate new label if desired
    Controlled by configuration of next-hop-self (default is off)
• Receiving PE-ASBR will automatically create a /32 host route for its PE-ASBR neighbor
    Which must be advertised into receiving IGP if next-hop-self is not in operation to maintain the LSP
• PE-ASBRs need to hold all inter-AS VPN routes

EBGP VPNv4
[Figure: MP-BGP VPNv4 prefix exchange between gateway PE-ASBRs. PE-ASBR-1 (AS #1) and PE-ASBR-2 (AS #2) run EBGP for VPNv4; label exchange between the gateway PE-ASBR routers uses EBGP. PE-1 serves CE-1 (VPN-A-1) and CE-2 (VPN-B-1); PE-2 serves CE-3 (VPN-B-2) and CE-4 (VPN-A-2).]

EBGP VPNv4

[Figure: VPNv4 update for 152.12.4.0/24 across the EBGP VPNv4 boundary. CE-2 (VPN-B-1) announces 152.12.4.0/24, NH=CE-2 over BGP, OSPF or RIPv2. PE-1 sends VPN-v4 update RD:1:27:152.12.4.0/24, NH=PE-1, RT=1:222, Label=(L1). PE-ASBR-1 sends RD:1:27:152.12.4.0/24, NH=PE-ASBR-1, RT=1:222, Label=(L2). PE-ASBR-2 sends RD:1:27:152.12.4.0/24, NH=PE-ASBR-2, RT=1:222, Label=(L3). PE-2 announces 152.12.4.0/24, NH=PE-2 to CE-3 (VPN-B-2) over BGP, OSPF or RIPv2.]

EBGP VPNv4

[Figure: forwarding of a packet for 152.12.4.1 between CE-3 (VPN-B-2, behind PE-2) and CE-2 (VPN-B-1, 152.12.4.0/24, behind PE-1). Labels shown on the packet along the path: the LDP label for PE-ASBR-2 over L3, then L3, then L2 between the PE-ASBRs, then the LDP label for PE-1 over L1, then L1, then the plain IP packet.]

Multihop EBGP VPNv4 between RRs

• MPLS VPN providers exchange VPNv4 prefixes via their route reflectors
    Requires multihop MP-eBGP (VPNv4 routes)
• Next-hop-self must be disabled on route reflector
    Preserves next-hop and label as allocated by the originating PE router
• Providers exchange IPv4 routes with labels between directly connected ASBRs using eBGP
    Only PE loopback addresses exchanged as these are BGP next-hop addresses

Multihop EBGP VPNv4 between RRs

[Figure: multihop MP-eBGP VPNv4 prefix exchange between route reflectors. RR-1 (AS #1) and RR-2 (AS #2) run multihop EBGP for VPNv4 with next-hop-unchanged. ASBR-1 and ASBR-2 run eBGP IPv4 + labels and exchange BGP next-hop addresses with labels. PE-1 serves CE-1 (VPN-A-1) and CE-2 (VPN-B-1); PE-2 serves CE-3 (VPN-B-2) and CE-4 (VPN-A-2).]

Multihop EBGP VPNv4 between RRs

[Figure: VPNv4 update for 152.12.4.0/24 with RR peering. CE-2 (VPN-B-1) announces 152.12.4.0/24, NH=CE-2 over BGP, OSPF or RIPv2. The same VPN-v4 update, RD:1:27:152.12.4.0/24, NH=PE-1, RT=1:222, Label=(L1), is shown unchanged on each hop from PE-1 through RR-1 and RR-2 to PE-2. Separately, ASBR-1 advertises Network=PE-1, NH=ASBR-1, Label=(L2) and ASBR-2 advertises Network=PE-1, NH=ASBR-2, Label=(L3). PE-2 announces 152.12.4.0/24, NH=PE-2 to CE-3 (VPN-B-2) over BGP, OSPF or RIPv2.]

Multihop EBGP VPNv4 between RRs

[Figure: forwarding of a packet to 152.12.4.1 between sites VPN-B-2 and VPN-B-1 (152.12.4.0/24), across CE-3, PE-2, ASBR-2, ASBR-1, PE-1 and CE-2, with RR-1 and RR-2 off the forwarding path. Labels shown along the path: LDP PE-ASBR-2 Label, LDP PE-1 Label, and the stacks "L3 L1 152.12.4.1", "L2 L1 152.12.4.1", "L1 152.12.4.1" and unlabeled "152.12.4.1".]


One Way of Configuring Inter-AS

• Best practices:
Next-hop-self on ASBRs
BGP+Label between ASBRs in RR peering case
VPNv4 next-hops are not redistributed into IGP, but passed around in BGP+Label

[Figure: PE-ASBR-1 in AS #1 and PE-ASBR-2 in AS #2 connected by EBGP VPNv4; IBGP VPNv4 inside each AS toward PE-1 and PE-2; CE-1 (VPN-A-1) and CE-4 (VPN-A-2) at the edges. Caption: MP-BGP VPNv4 Prefix Exchange between Gateway PE-ASBRs]

[Figure: PE-ASBR-1 in AS #1 and PE-ASBR-2 in AS #2 connected by EBGP VPNv4; IBGP VPNv4 inside each AS toward PE-1 and PE-2; CE-1 (VPN-A-1) and CE-4 (VPN-A-2) at the edges. Caption: MP-BGP VPNv4 Prefix Exchange between Gateway PE-ASBRs]

Configuration shown on the figure:

router bgp 1
 no bgp default route-target filter
 address-family vpnv4
  neighbor <PE-1> next-hop-self
  neighbor <PE-ASBR2>
[Figure: PE-ASBR-1 in AS #1 and PE-ASBR-2 in AS #2 connected by EBGP VPNv4; IBGP VPNv4 inside each AS toward PE-1 and PE-2; CE-1 (VPN-A-1) and CE-4 (VPN-A-2) at the edges. Caption: MP-BGP VPNv4 Prefix Exchange between Gateway PE-ASBRs]

Configuration shown on the figure:

router bgp 2
 no bgp default route-target filter
 address-family vpnv4
  neighbor <PE-2> next-hop-self
  neighbor <PE-ASBR1>

[Figure: PE-ASBR-1 in AS #1 and PE-ASBR-2 in AS #2 connected by EBGP VPNv4; IBGP VPNv4 inside each AS toward PE-1 and PE-2; CE-1 (VPN-A-1) and CE-4 (VPN-A-2) at the edges.]

Good: Easy, Simple to Do
Bad: ASBRs Hold All Inter-AS Routes

BGP+Label Within and Between ASes

[Figure: AS #1 and AS #2 with RR-1, RR-2, ASBR-1, ASBR-2, PE-1, PE-2, CE-1 (VPN-A-1) and CE-4 (VPN-A-2). Between RR-1 and RR-2: Multihop EBGP for VPNv4 with Next-hop-unchanged. Between the ASBRs and PEs: BGP IPv4 + Labels.]

Configuration shown on the figure:

router bgp <1|2>
 address-family ipv4
  neighbor <ASBR> send-label

BGP+Label within and between ASes to Build LSP from PE-2 to PE-2; Also Need to Leak Host Route for PE-1 to AS #2 (and Vice Versa)

Multihop EBGP VPNv4 between RRs

[Figure: AS #1 and AS #2 with RR-1, RR-2, ASBR-1, ASBR-2, PE-1, PE-2, CE-1 (VPN-A-1) and CE-4 (VPN-A-2). Caption: Multihop BGP VPNv4 Prefix Exchange between Route Reflectors]

Configuration shown on the figure:

router bgp 1
 neighbor <RR-2> remote-as 2
 address-family vpnv4
  neighbor <RR-2> activate
  neighbor <RR-2> next-hop-unchanged
Multihop EBGP VPNv4 between RRs

[Figure: AS #1 and AS #2 with RR-1, RR-2, ASBR-1, ASBR-2, PE-1, PE-2, CE-1 (VPN-A-1) and CE-4 (VPN-A-2). Between RR-1 and RR-2: Multihop EBGP for VPNv4 with Next-hop-unchanged. Between the ASBRs and PEs: BGP IPv4 + Labels.]

Good: Scales Much Better, ASBRs Can Concentrate on Packet Forwarding
Bad: More Complex

Import/Export Maps

• So far, the only config we’ve seen forces a few things:
All routes exported from a VRF have the same RTs
All routes matching the ‘route-target import’ value are imported into a VRF, regardless of the network/mask of the route itself
• Route-target import and export maps provide more granular control in this area

Import/Export Maps: The Problem

16.1/16 Needs to Go to Site A2
16.2/16 Needs to Go to Site A3
How Do I Do This?

[Figure: PE-1, PE-2 and PE-3 in AS42, with CE-1 (VPN-A-1), CE-2 (VPN-A-2) and CE-3 (VPN-A-3) at the edges; prefixes 16.1.0.0/16 and 16.2.0.0/16 are labeled at the bottom of the figure.]

Import/Export Maps: Theory

Export 16.1/16 with RT 100:2
Export 16.2/16 with RT 100:3

[Figure: PE-1, PE-2 and PE-3 in AS42, with CE-1 (VPN-A-1), CE-2 (VPN-A-2) and CE-3 (VPN-A-3) at the edges; prefixes 16.1.0.0/16 and 16.2.0.0/16 are labeled at the bottom of the figure.]


Import/Export Maps: Practice

Define the Prefixes to Match:

ip prefix-list to-A2 seq 5 permit 16.1.0.0/16
ip prefix-list to-A3 seq 5 permit 16.2.0.0/16

Build a Route-map to Set Export Policy:

route-map VPN-A permit 10
 match ip address prefix-list to-A2
 set extcommunity rt 100:2
route-map VPN-A permit 20
 match ip address prefix-list to-A3
 set extcommunity rt 100:3

Apply Export-map to a VRF:

ip vrf lab
 rd 100:1
 export map VPN-A

[Figure: PE-1 and CE-1 with site VPN-A-1, which holds 16.1.0.0/16 and 16.2.0.0/16.]

Import/Export Maps

• Same thing for import, except ‘import map foo’
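The export map from the Practice slide combined with per-site route-target import, as an added Python model that is not part of the Cisco slides. The `SITE_IMPORTS` table and the function names are assumptions; the model reports a route that matches no clause instead of deciding what the router does with it.

```python
import ipaddress

# Export route-map VPN-A on PE-1, in sequence order, copied from the slide:
# (sequence, prefix-list name, permitted prefix, RT set by that clause).
EXPORT_MAP = [
    (10, "to-A2", "16.1.0.0/16", "100:2"),
    (20, "to-A3", "16.2.0.0/16", "100:3"),
]

# ASSUMPTION (not on the slides): each remote site's VRF imports one RT.
SITE_IMPORTS = {"VPN-A-2": {"100:2"}, "VPN-A-3": {"100:3"}}


def export_rt(prefix):
    """Return the RT set by the first matching clause, or None.

    A prefix-list entry without ge/le matches only the exact network and
    mask length, so a more-specific route does not match its covering /16.
    """
    net = ipaddress.ip_network(prefix)
    for _seq, _plist, permitted, rt in EXPORT_MAP:
        if net == ipaddress.ip_network(permitted):
            return rt
    return None


def importing_sites(rt):
    """Sites whose VRF imports a route carrying this RT."""
    return sorted(site for site, rts in SITE_IMPORTS.items() if rt in rts)


def audit(prefixes):
    """Map each route to (RT, importing sites); RT None means no clause matched."""
    report = {}
    for prefix in prefixes:
        rt = export_rt(prefix)
        report[prefix] = (rt, importing_sites(rt) if rt else [])
    return report


if __name__ == "__main__":
    # Constructed route set: the two slide prefixes plus one more-specific route.
    routes = ["16.1.0.0/16", "16.2.0.0/16", "16.1.5.0/24"]
    for prefix, (rt, sites) in audit(routes).items():
        print(f"{prefix:<13} rt={rt or 'UNMATCHED':<9} sites={sites}")
```

Routes reported with RT `None` fall outside the export policy and are the ones to review before the map is applied to a VRF.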


Conclusion

• MPLS-VPN simplifies networking for customers
• Offloads work onto the SP
• Straightforward to configure basic MPLS-VPN
• CSC and Inter-AS get a little more complex, are more powerful services
• MPLS-VPN scales as BGP
• Complex customer topologies can be replicated using Route Target import/export maps

Recommended Reading

MPLS and VPN Architectures, CCIP Edition
ISBN: 1587050811

MPLS and VPN Architectures, Vol II
ISBN: 1587051125

Advanced MPLS Design and Implementation
ISBN: 158705020X

Available on-site at the Cisco Company Store

