1 / 96

DEPLOYING MPLS-VPN

DEPLOYING MPLS-VPN. SESSION RST-2602. Rajiv Asati (rajiva@cisco.com). Agenda. MPLS VPN Definition? Technology Configuration MPLS-VPN Services Providing load-shared traffic to the multihomed VPN sites Providing Hub&Spoke service to the VPN customers

garima
Download Presentation

DEPLOYING MPLS-VPN

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. DEPLOYING MPLS-VPN SESSION RST-2602 Rajiv Asati (rajiva@cisco.com)

  2. Agenda • MPLS VPN Definition? • Technology • Configuration • MPLS-VPN Services • Providing load-shared traffic to the multihomed VPN sites • Providing Hub&Spoke service to the VPN customers • Providing MPLS VPN Extranet service • Providing Internet access service to VPN customers • Providing VRF-selection based services • Providing Remote Access MPLS VPN • Providing VRF-aware NAT services • Advanced MPLS VPN Topics • Inter-AS MPLS-VPN • CsC Carrier Supporting Carrier • Best Practices • Conclusion.

  3. Prerequisites • Must understand basic IP routing, especially BGP • Must understand MPLS basics (push, pop, swap, label stacking) • Must finish the evaluation • http://www.networkers04.com/desktop

  4. Terminology: • LSR : Label Switch Router • LSP : Label Switched Path • The chain of labels that are swapped at each hop to get from one LSR to another • VRF : VPN Routing and Forwarding • Mechanism in IOS used to build per-interface RIB and FIB • MP-BGP : Multi-Protocol BGP • PE : Provider Edge router Interfaces with CE routers • P : Provider (core) router, without knowledge of VPN • VPNv4 : Address family used in BGP to carry MPLS-VPN routes • RD : Route Distinguisher • Distinguish same network/mask prefix in different VRFs • RT : Route Target • Extended Community attribute used to control import and export policies of VPN routes • LFIB : Label Forwarding Information Base • FIB : Forwarding Information Base (FIB)

  5. Agenda • MPLS VPN Definition? • Technology • Configuration • MPLS-VPN Services • Providing load-shared traffic to the multihomed VPN sites • Providing Hub&Spoke service to the VPN customers • Providing MPLS VPN Extranet service • Providing Internet access service to VPN customers • Providing VRF-selection based services • Providing Remote Access MPLS VPN • Providing VRF-aware NAT services • Advanced MPLS VPN Topics • Inter-AS MPLS-VPN • CsC Carrier Supporting Carrier • Best Practices • Conclusion.

  6. MPLS-VPN Operation’s Theory • VPN definition: VRF instance • VPN Route Propagation (Control Plane) • VPN Packet forwarding (Data Plane)

  7. P P PE PE • VPN Backbone IGP P P MP-iBGP session MPLS VPN Connection Model • PE routers • Edge Routers • Use MPLS with P routers • Uses IP with CE routers • Connects to both CE and P routers. • Distribute VPN information through • MP-BGP to other PE router with • VPN-IPv4 addresses, Extended • Community, Label P Routers P routers are in the core of the MPLS cloud P routers do not need to run BGP and doesn’t need to have any VPN knowledge Forward packets by looking at labels P and PE routers share a common IGP

  8. The Global routing table Populated by the MPLS backbone IGP In PE routers may contain the BGP Internet routes (standard ipv4 routes) MPLS VPN: Separate Routing Tables in PE CE vpn site 2 PE • EBGP,OSPF, RIPv2,Static CE • MPLS Backbone IGP (OSPF, ISIS) vpn site 1 • VRF routing table • Routing (RIB) and Forwarding table (CEF) associated with one or more directly connected sites (CEs) • The routes the PE receives from CE • Routers are installed in the appropriate • VRF routing table(s) • blue VRF routing table or green VRF routing table

  9. CE vpn site 2 PE • EBGP,OSPF, RIPv2,Static CE • MPLS Backbone IGP (OSPF, ISIS) vpn site 1 VRF: Virtual Routing and Forwarding Instance VRF green • What’s a VRF ? • Associates to one or more interfaces on PE • Privatize an interface i.e. coloring of the interface • Has its own routing table and forwarding table (CEF) • VRF has its own instance for the routing protocol • (static ,RIP,BGP,EIGRP,OSPF) • CE router runs standard routing software VRF blue

  10. CE vpn site 2 PE • EBGP,OSPF, RIPv2,Static CE • MPLS Backbone IGP (OSPF, ISIS) vpn site 1 VRF: Virtual Routing and Forwarding Instance • PE installs the routes, learned from CE routers, in the appropriate VRF routing table(s) • PE installs the IGP (backbone) routes in the global routing table • VPN customers can use overlapping IP addresses.

  11. 8 Bytes 8 Bytes 3 Bytes 4 Bytes 1:1 10.1.1.0 RD Route-Target IPv4 Label VPNv4 MP-iBGP update with RD, RT, and Label Additions in BGP: MPLS-VPN Info BGP • RD: Route Distinguisher • VPNv4 routes • RT: Route Target • Label

  12. 8 Bytes 3 Bytes Route-Target Label MP-IBGP update with RD, RT, and Label MPLS VPN Control PlaneMP-BGP Update Components: VPNv4 address 8 Bytes 4 Bytes 1:1 10.1.1.0 RD IPv4 VPNv4 • To convert an IPv4 address into a VPNv4 address, RD is appended to the IPv4 address i.e 1:1:10.1.1.0 • Makes the customer’s IPv4 route globally unique. • Each VRF must be configured with an RD at the PE • RD is what that defines the VRF ! ip vrf v1 rd 1:1 !

  13. 8 Bytes 3 Bytes 4 Bytes 1:1 10.1.1.0 RD IPv4 Label VPNv4 MP-IBGP update with RD, RT, and Label MPLS VPN Control Plane MP-BGP Update Components: Route-Target 8 Bytes 2:2 Route-Target • Route-target (RT): Identifies the VRF for the received VPNv4 prefix. It is an 8-byte extended Community (a BGP attribute) • Each VRF is configured with RT(s) at the PE • RT helps to color the prefix ! ip vrf v1 route-target import 1:1 route-target export 1:2 !

  14. 8 Bytes Route-Target MP-IBGP update with RD, RT, and Label MPLS VPN Control PlaneMP-BGP Update Components:Label 8 Bytes 3 Bytes 4 Bytes 2:2 1:1 10.1.1.0 50 RD IPv4 Label VPNv4 • The Label (for the VPNv4 prefix) is assigned only by the PE whose address is the Next-Hop attribute • PE routers re-write the Next-Hop with their own address (loopback) • “Next-Hop-Self” towards MP-iBGP neighbors by default • PE addresses used as BGP Next-Hop must be uniquely known in the backbone IGP • DO NOT summarize the PE loopback addresses in the core

  15. MPLS VPN Control Plane: Putting It All Together MP-iBGP update:RD:10.10.1.0 Next-hop=PE-1RT=Green, Label=100 Site 2 3 Site 1 CE1 CE2 10.1.1.0/24 P P PE1 PE2 10.10.1.0/24 Next-Hop=CE-1 P P 1 MPLS Backbone • 1) PE1 receives an IPv4 update (eBGP,OSPF,EIGRP) • 2) PE1 translates it into VPNv4 address • Assigns an RT per VRF configuration • Re-writes Next-Hop attribute to itself • Assigns a label based on VRF and/or interface • 3) PE1 sends MP-iBGP UPDATE to other PE routers

  16. MPLS VPN Control Plane: Putting It All Together MP-iBGP update:RD:10.10.1.0 Next-hop=PE-1RT=Green, Label=100 10.1.1.0/24 Next-Hop=PE-2 5 Site 2 3 Site 1 CE1 CE2 10.1.1.0/24 P P PE1 PE2 10.1.1.0/24 Next-Hop=CE-1 P P 1 MPLS Backbone • 4) PE2 receives and checks whether the RT=green is locally configured within any VRF, if yes, then • 5) PE2 translates VPNv4 prefix back into IPv4 prefix, • Installs the prefix into the VRF Routing table • Updates the VRF CEF table with label=100 for 10.1.1.0/24 • Advertise this IPv4 prefix to CE2 (EBGP, OSPF, EIGRP)

  17. The Global Forwarding table (show ip cef) • PE routers store IGP routes • Associated labels • Label distributed through LDP/TDP MPLS VPN Forwarding Plane: e Site 2 Site 1 CE1 CE2 10.1.1.0/24 P1 P2 PE1 PE2 VRF Green forwarding Table Dest->NextHop 10.1.1.0/24-PE1, label: 100 P P Global routing/forwarding tableDest->Next-Hop PE2  P1, label: 50 Global routing/forwarding tableDest->NextHopPE1  P2, label: 25 • VRF Forwarding table (show ip cef vrf <vrf>) • PE routers store VPN routes • Associated labels • Labels distributed through MP-BGP

  18. 10.1.1.1 MPLS VPN Forwarding Plane: e Site 2 Site 1 CE1 CE2 10.1.1.0/24 P P PE1 PE2 10.1.1.1 100 10.1.1.1 P P 50 100 10.1.1.1 100 10.1.1.1 25 PE2 imposes TWO labels for each packet going to the VPN destination 10.1.1.1 • The top label is LDP learned and Derived from an IGP route • Represents LSP to PE address (exit point of a VPN route) • The second label is learned via MP-BGP • Corresponds to the VPN address

  19. Agenda • MPLS VPN Definition? • Technology • Configuration • MPLS-VPN Services • Providing load-shared traffic to the multihomed VPN sites • Providing Hub&Spoke service to the VPN customers • Providing MPLS VPN Extranet service • Providing Internet access service to VPN customers • Providing VRF-selection based services • Providing Remote Access MPLS VPN • Providing VRF-aware NAT services • Advanced MPLS VPN Topics • Inter-AS MPLS-VPN • CsC Carrier Supporting Carrier • Best Practices • Conclusion.

  20. Site 1 ip vrf VPN-A rd 1:1 route-target export 100:1 route-target import 100:1 CE1 10.1.1.0/24 PE1 Interface Serial0 ip address 192.168.10.1 255.255.255.0 ip vrf forwarding VPN-A 192.168.10.1 Interface Serial1 ip address 130.130.1.1 255.255.255.252 mpls ip P PE1 s1 router ospf 1 network 130.130.1.0 0.0.0.3 area 0 MPLS VPN Sample Configuration VRF Definition PE1 Se0 PE-P Configuration Se0 PE1

  21. router bgp 1 neighbor 1.2.3.4 remote-as 1 neighbor 1.2.3.4 update-source loopback 0 address-family vpnv4 neighbor 1.2.3.4 activate neighbor 1.2.3.4 send-community both RR PE1 PE2 router bgp 1 no bgp default route-target filter neighbor 1.2.3.6 remote-as 1 neighbor 1.2.3.6 update-source loopback0 address-family vpnv4 neighbor 1.2.3.6 route-reflector-client Neighbor 1.2.3.6 activate RR PE1 PE2 MPLS VPN Sample Configuration PE: MP-IBGP PE1 RR: MP-IBGP RR

  22. Site 1 Site 1 router bgp 1 ! address-family ipv4 vrf VPN-A neighbor 192.168.10.2remote-as 2 neighbor 192.168.10.2activate exit-address-family ! CE1 CE1 10.1.1.0/24 10.1.1.0/24 PE1 PE1 192.168.10.2 192.168.10.2 192.168.10.1 192.168.10.1 router ospf 1 ! router ospf 2 vrf VPN-A network 192.168.10.0 0.0.0.255 area 0 ! MPLS VPN Sample Configuration PE-CE BGP PE1 PE-CE OSPF PE1

  23. Site 1 Site 1 CE1 CE1 router rip address-family ipv4 vrf VPN-A version 2 no auto-summary network 192.168.10.0 exit-address-family 10.1.1.0/24 10.1.1.0/24 PE1 PE1 192.168.10.2 192.168.10.2 192.168.10.1 192.168.10.1 router eigrp 1 address-family ipv4 vrf VPN-A network 192.168.10.0 0.0.0.255 autonomous-system 1 exit-address-family MPLS VPN Sample Configuration PE-CE RIP PE-CE EIGRP

  24. Site 1 CE1 10.1.1.0/24 PE1 ip route vrf VPN-A 10.1.1.0 255.255.255.0 192.168.10.2 192.168.10.2 192.168.10.1 router rip address-family ipv4 vrf VPN-A version 2 redistribute bgp 1 metric 1 no auto-summary network 192.168.10.0 exit-address-family Site 1 RR PE1 CE1 MPLS VPN Sample Configuration PE-CE Static PE-CE MB-iBGP routes to VPN If PE-CE protocol is non BGP then redistribution of other sites VPN routes from MP-IBGP is required.

  25. router bgp 1 neighbor 1.2.3.4 remote-as 1 neighbor 1.2.3.4 update-source loopback 0 address-family ipv4 vrf VPN-A redistribute {rip|connected|static|eigrp|ospf} Site 1 RR PE1 CE1 MPLS VPN Sample Configuration PE-RR (VPN routes to VPNv4) If PE-CE protocol is non BGP then redistribution of other sites VPN routes into MP-IBGP is required.

  26. Agenda • MPLS VPN Definition? • Technology • Configuration • MPLS-VPN Services • Providing load-shared traffic to the multihomed VPN sites • Providing Hub&Spoke service to the VPN customers • Providing MPLS VPN Extranet service • Providing Internet access service to VPN customers • Providing VRF-selection based services • Providing Remote Access MPLS VPN • Providing VRF-aware NAT services • Advanced MPLS VPN Topics • Inter-AS MPLS-VPN • CsC Carrier Supporting Carrier • Best Practices • Conclusion.

  27. RR PE11 CE2 PE2 CE1 171.68.2.0/24 PE12 Site A Site B MPLS Backbone Route Advertisement MPLS VPN Services:1. Loadsharing for the VPN traffic • VPN sites (such as Site A) could be multihomed • VPN customer may demand the traffic to the multihomed sites be loadshared

  28. RR RR PE11 PE11 CE2 CE2 PE2 PE2 CE1 CE1 171.68.2.0/24 171.68.2.0/24 PE12 PE12 CE2 Site A Site B Site B MPLS Backbone MPLS Backbone Site A Traffic Flow Traffic Flow MPLS VPN Services:1. Loadsharing for the VPN traffic: Cases 1 CE 2 PEs 2 CEs  2 PEs

  29. MPLS VPN Services:1. Loadsharing for the VPN Traffic: Deployment How to deploy the loadsharing ? • Configure different VRFs i.e RDs for multihomed site/interfaces. • Enable BGP multipath within the relevant BGP VRF address-family at Remote/Receiving PE2. 2 1 router bgp 1 address-family ipv4 vrf green maximum-paths eibgp2 ip vrf green rd 300:11 route-target both 1:1 RR PE11 CE2 PE2 CE1 171.68.2.0/24 PE12 Site A MPLS Backbone Site B 1 ip vrf green rd 300:12 route-target both 1:1 ip vrf green rd 300:13 route-target both 1:1 1

  30. RR Route Advertisement PE11 CE2 PE2 CE1 171.68.2.0/24 PE12 Site A Site B MPLS Backbone MPLS VPN Services:1. Loadsharing for the VPN Traffic(实验) • RR must advertise all the paths learned via PE11 and PE12 to the remote PE routers With different RD per VRF, RR does the Best path calculation per RD and advertise them to remote PE • Watch out for the increased (~20%) memory consumption (within BGP) due to multipaths at the PEs • “eiBGP multipath” implicitly provides eBGP and iBGP multipath for VPN paths

  31. MPLS-VPN Services: 2. Hub & Spoke Service to the VPN Customers • Traditionally, VPN deployments are Hub&Spoke. • Spoke to spoke communication is via Hub site only. • Despite MPLS VPN’s implicit any-to-any i.e full-mesh connectivity, Hub&Spoke service can easily be offered. • Done with import and export of Route-Target (RT).

  32. ip vrf green-spoke1 description VRF for SPOKE A rd 300:111 route-target export 1:1 route-target import 2:2 ip vrf HUB-OUT description VRF for traffic from HUB rd 300:11 route-target import 1:1 ip vrf HUB-IN description VRF for traffic to HUB rd 300:12 route-target export 2:2 ip vrf green-spoke2 description VRF for SPOKEB rd 300:112 route-target export 1:1 route-target import 2:2 MPLS-VPN Services:2. Hub & Spoke Service - Configuration Spoke A PE-SA CE-SA 171.68.1.0/24 Eth0/0.1 PE-Hub Eth0/0.2 PE-SB Spoke B CE-SB MPLS VPN Backbone 171.68.2.0/24

  33. VRF HUB-OUT RT and LFIB Destination NextHop Label 171.68.1.0/24 PE-SA 40 171.68.2.0/24 PE-SB 50 VRF RT and LFIB at PE-SA 0.0.0.0 PE-Hub 35 171.68.1.0/24 CE-SA VRF HUB-OUT VRF RT and LFIB at PE-SB 0.0.0.0 PE-Hub 35 171.68.2.0/24 CE-SB PE-Hub VRF HUB-IN VRF HUB-IN Routing Table Destination NextHop 0.0.0.0 CE-H1 Adv 171.68.1.0/24 Label 40 Route-Target 1:1 Adv 171.68.2.0/24 Label 50 Route-Target 1:1 Adv 0.0.0.0 Label 35 Route-Target 2:2 MPLS-VPN Services:2. Hub & Spoke Service – Control Plane MPLS Backbone Spoke A CE-SA PE-SA 171.68.1.0/24 171.68.2.0/24 PE-SB CE-SB Spoke B • All traffic between spokes must pass through the Hub/Central Site. • Hub Site could offer FireWall, NAT like applications. • Two VRF solution at the PE-Hub: • VRF HUB_OUT would have knowledge of every spoke routes. • VRF HUB_IN only have Default Route and advertise that to Spoke PEs. • Import and export Route-Target within a VRF must be different.

  34. 171.68.1.1 171.68.1.1 171.68.1.1 40 35 LA LH 171.68.1.1 MPLS-VPN Services(实验内容):2. Hub & Spoke Service – Forwarding Plane MPLS Backbone Spoke A PE-SA CE-SA 171.68.1.0/24 VRF HUB-OUT PE-Hub VRF HUB-IN PE-SB Spoke B CE-SB 171.68.2.0/24

  35. MPLS-VPN Services3. Extranet VPN • MPLS VPN, by default, isolates one VPN customer from another. • Separate Virtual Routing Table for each VPN customer • Communication between VPNs may be required i.e. Extranet. • External Inter-company communication (dealers with manufacturer, Retailer with wholesale provider etc) • Management VPN, Shared-service VPN etc. • Needs right import and export route-target (RT) values configuration within the VRFs • export-map or import-map should be used

  36. P 3. MPLS-VPN Services: Extranet VPNGoal: Only VPN_A site#1 to be reachable to VPN_B MPLS Backbone 192.6.0.0/16 • VPN_A Site#2 • VPN_A Site#1 PE1 PE2 171.68.0.0/16 so 180.1.0.0/16 • VPN_B Site#1 ip vrf VPN_A rd 3000:111 export map VPN_A_Export import map VPN_A_Import route-target import 3000:111 route-target export 3000:111 route-target import 3000:1 ! route-map VPN_A_Export permit 10  match ip address 1  set extcommunity rt  3000:2 ! route-map VPN_A_Import permit 10  match ip address 2 ! access-list 1 permit 171.68.0.0 0.0.0.0 access-list 2 permit 180.1.0.0 0.0.0.0 ip vrf VPN_B rd 3000:222 export map VPN_B_Export import map VPN_B_Import route-target import 3000:222 route-target export 3000:222 route-target import 3000:2 ! route-map VPN_B_Export permit 10  match ip address 2 set extcommunity rt  3000:1 ! route-map VPN_B_Import permit 10  match ip address 1 ! access-list 1 permit 171.68.0.0 0.0.0.0 access-list 2 permit 180.1.0.0 0.0.0.0 Only Site#1 of both VPNs will communicate to each other, Site#2 won’t.

  37. MPLS-VPN Services4. Internet Access Service to VPN Customers • Could be provided as another value-added service. • Security mechanism must be in place at both provider network and customer network • To protect from the Internet vulnerabilities • VPN customers benefit from the single point of contact for both Intranet and Internet connectivity

  38. MPLS-VPN Services4. Internet Access: Different Methods of Service • Four ways to provide the Internet service • VRF Specific default route with “global” keyword • Separate PE-CE sub-interface (nonVRF) • Extranet with Internet-VRF • VRF-aware NAT

  39. MPLS-VPN Services(实验内容)4. Internet Access: Different Methods of Service • VRF Specific default route • 1.1 Static default route to move traffic from VRF to Internet (global routing table) • 1.2 Static routes for VPN customers to move traffic from Internet (global routing table) to VRF • Separate PE-CE sub-interface (non VRF) • May run BGP to propagate Internet routes between PE and CE • Extranet with Internet-VRF • VPN packets never leave VRF context ; issue with Overlapping VPN address • Extranet with Internet-VRF along with VRF-aware NAT • VPN packets never leave VRF context; works well with overlapping VPN address

  40. Internet ip vrf VPN-A rd 100:1 route-target both 100:1 Interface Serial0 ip address 192.168.10.1 255.255.255.0 ip vrf forwarding VPN-A Router bgp 100 no bgp default ipv4-unicast redistribute static neighbor 192.168.1.1 remote 100 neighbor 192.168.1.1 activate neighbor 192.168.1.1 next-hop-self neighbor 192.168.1.1 update-source loopback0 P ip route vrf VPN-A 0.0.0.0 0.0.0.0 192.168.1.1 global ip route 171.68.0.0 255.255.0.0 Serial0 MPLS-VPN Services:4.1 Internet access:VRF Specific Default Route (Config) MPLS Backbone Site1 CE1 171.68.0.0/16 PE1 so 192.168.1.2 ASBR 192.168.1.1 Internet GW • A default route, pointing to the ASBR, is installed into the site VRF at each PE • A single label is used for packets forwarded according to the default route • The label is the IGP label corresponding to the IP address of the ASBR known via the IGP • The static route, pointing to the VRF interface, is installed in the global routing table and redistributed into BGP

  41. Internet Label = 30 IP packetD=Cisco.com Label = 35 IP packetD=171.68.1.1 IP packetD=171.68.1.1 IP packetD=171.68.1.1 IP packetD=Cisco.com IP packetD=Cisco.com Pros Different Internet gateways can be used for different VRFs PE routers need not to hold the Internet table Simple Configuration • Cons • Using default route for Internet • routing does NOT allow any other • default route for intrA_VPN routing • Increasing size of global routing • Table by leaking VPN routes. • Static configuration P MPLS-VPN Services:4.1 Internet access:VRF Specific Default Route(Forwarding) MPLS Backbone Site1 171.68.0.0/16 so PE1 PE2 so 192.168.1.2 192.168.1.1 Global Routing/FIB Table Destination Label/Interface 192.168.1.1/32 Label=30 171.68.0.0/16 Serial 0 Global Table and LFIB Destination Label/Interface 192.168.1.2/32 Label=35 171.68.0.0/16 192.168.1.2 Internet Serial 0 VRF Routing/FIB Table Destination Label/interface 0.0.0.0/0 192.168.1.1 (global) Site-1 Serial 0

  42. MPLS-VPN Services4.2 Internet Access • VRF Specific default route • 1.1 Static default route to move traffic from VRF to Internet (global routing table) • 1.2 Static routes for VPN customers to move traffic from Internet (global routing table) to VRF • Separate PE-CE sub-interface (non VRF) • May run BGP to propagate Internet routes between PE and CE • Extranet with Internet-VRF • VPN packets never leave VRF context ; Overlapping VPN addresses could be a problem • Extranet with Internet-VRF alongwith VRF-aware NAT • VPN packets never leave VRF context; works well with overlapping VPN addresses

  43. Internet ip vrf VPN-A rd 100:1 route-target both 100:1 Interface Serial0.1 ip vrf forwarding VPN-A ip address 192.168.20.1 255.255.255.0 frame-relay interface-dlci 100 ! Interface Serial0.2 ip address 171.68.10.1 255.255.255.0 frame-relay interface-dlci 200 ! Router bgp 100 no bgp default ipv4-unicast [snip]… neighbor 171.68.10.2 remote 502 P 4.2 Internet Access Service to VPN CustomersUsing Separate Sub-Interface (Config) Site1 171.68.0.0/16 MPLS Backbone CE1 • Internet BGP-4 S0.2 PE1 ASBR 192.168.1.1 192.168.1.2 S0.1 Internet GW • One sub-interface for VPN routing associated to a VRF • Another sub-interface for Internet routing associated to the global routing table. • Could advertise full Internet Routes or a default route to CE. • The PE will need to advertise VPN routes to the Internet (via global routing table)

  44. Internet Label = 30 IP packetD=Cisco.com IP packetD=Cisco.com Pros CE could dual home and perform optimal routing. Traffic separation done by CE. Cons PE to hold full Internet routes. BGP complexities introduced in CE. P Internet Access Service to VPN Customers4.2 Using Separate Sub-Interface (Forwarding) Site1 171.68.0.0/16 MPLS Backbone IP packetD=cisco.com S0.2 PE1 PE2 192.168.1.1 192.168.1.2 S0.1 CE routing table VPN routes Serial0.1 Internet routes Serial0.2 PE-Internet GW PE Global Table and FIB Internet routes 192.168.1.1 192.168.1.1 Label=30

  45. Internet Access Service4.3 Extranet with Internet-VRF • The internet routes could be placed within the VRF at the Internet-GW i.e. ASBR • VRFs for customers could ‘extranet’ with the internet VRF and receive either default, partial or full internet routes • Be careful if duplicating the internet routes in each VRF • Works well when the VPN customers don’t have overlapping addresses

  46. Internet Access Service4.4 Internet Access using VRF-aware NAT • If the VPN customers need Internet access without internet routes, then VRF-aware NAT can be used at the Internet-GW i.e. ASBR • The Internet GW doesn’t need to have internet routes either • Overlapping VPN addresses is not a problem • More in the “VRF-aware NAT” slides,…..

  47. MPLS VPN Service5. VRF-Selection • The common notion is that the VRF must be associated to an interface • “VRF-selection” breaks this association and associate multiple VRFs to an interface • Each packet on the PE-CE interface could be handled (based on certain criteria) via different VRF routing tables • Criteria such as source/dest IP address, ToS, TCP port etc. specified via route-map • Voice and Data can be separated out into different VRFs at the PE

  48. MPLS VPN Service5. VRF-Selection – Based on Source IP Address VPN Brown VRF Interfaces Global Interface RR 33.3.0.0/16 Cable Setup MPLS Backbone (Cable Company) PE1 PE2 CE1 33.3.14.1 VPN Blue Se0/0 44.3.0.0/16 66.3.1.25 Traffic Flows VPN Green 44.3.12.1 66.3.0.0/16 ip vrf brown rd 3000:111 route-target export 3000:1 route-target import 3000:1 ! ip vrf blue rd 3000:222 route-target export 3000:2 route-target import 3000:2 ! ip vrf green rd 3000:333 route-target export 3000:3 route-target import 3000:3 interface Serial0/0 ip address 215.2.0.6 255.255.255.252 ip policy route-map PBR-VRF-Selection ip receive brown ip receive blue ip receive green access-list 40 permit 33.3.0.0 0.0.255.255 access-list 50 permit 44.3.0.0 0.0.255.255 access-list 60 permit 66.3.0.0 0.0.255.255 route-map PBR-VRF-Selection permit 10 match ip address 40 set vrf brown route-map PBR-VRF-Selection permit 20 match ip address 50 set vrf blue route-map PBR-VRF-Selection permit 30 match ip address 60 set vrf green

  49. MPLS VPN Service6. Remote Access Service • Remote access users i.e. dial users, IPSec users could directly be terminated in VRF • PPP users can be terminated into VRFs • IPSec tunnels can be terminated into VRFs • Remote Access services integration with MPLS VPN opens up new opportunities for Providers

  50. Internet Cisco IOS VPN Routers or Cisco Client 3.x or higher IPSec Session MPLS VPN MPLS VPN Service6. Remote Access Service– IPSec to MPLS VPN SP Shared Network Corporate Intranet BranchOffice Access SP AAA Customer AAA PE+IPSec Aggregator SOHO Internet VPN A Customer A head office PE PE IP/MPLS/Layer 2 Based Network Local or Direct Dial ISP VPN B PE Customer B Cable/DSL/ISDN ISP VPN C VPN A Remote Users/ Telecommuters Customer C Customer A branch office IP IP

More Related