
CCIE Service Provider Ver. 3.0
Advanced Technologies Class

MPLS L3VPNs

http://www.INE.com

What is a VPN?
Virtual Private Network
Network connection between devices that do not
literally share a physical cable

Examples:
Layer 2 VPNs
Ethernet VLANs
Frame Relay & ATM PVCs

Layer 3 VPNs
GRE Tunnel
IPsec Tunnel
MPLS VPN
Copyright www.INE.com

VPN Models: Overlay vs. Peer-to-Peer

Overlay VPNs
Service Provider does not participate in customer routing
Must be provisioned prior to communication
Frame Relay & ATM PVCs
Leased lines
GRE Tunnels
Overlay suffers from (n*(n-1))/2 scalability issues: a full mesh of n sites needs that many circuits or tunnels, each provisioned by hand
Allows customers to use flexible addressing scheme

VPN Models: Overlay vs. Peer-to-Peer

Peer-to-Peer VPNs
Service Provider does participate in customer routing
No static provisioning required
Service Provider required to keep customer traffic separate through route filtering and access-lists
Does not allow customers to use flexible addressing (all customers share one routing table, so address space cannot overlap)
Problems with default routing (only one default route can exist in the shared table)

MPLS Layer 3 VPNs

Best of both worlds from overlay and peer-to-peer VPNs
No static provisioning required
Adding new sites doesn't necessarily require reconfiguration of other sites
Service provider keeps separate routing tables per customer
Allows flexibility in customer addressing
Manual route and ACL filtering not required in SP
Customers can use default routing as needed

How MPLS L3VPNs Work

MPLS L3VPNs have two basic components
Separation of customer routing information
VRF: Virtual Routing and Forwarding Instance
Different customers have different virtual routing tables
IGP/BGP run inside the VRF between the customer and SP
Exchange of customers' routing information inside SP
MP-BGP through the SP network
Traffic is label switched towards BGP next-hops

Virtual Routing and Forwarding Instances

VRFs create virtual routers inside IOS
Creating a VRF
Specify locally significant VRF name
ip vrf [name]
IPv4 only
vrf definition [name]
Supports both IPv4 and IPv6 (an address-family ipv4 must be configured under the VRF before an interface in it will accept an IPv4 address)
Specify route distinguisher
rd [ASN:nn | IP-address:nn]
More on this in MP-BGP
Apply VRF to interface
ip vrf forwarding [name] | vrf forwarding [name]
Removes IP address from interface (re-enter the address after assigning the VRF)
This minimum configuration is called VRF Lite

VRFs on IOS XR

VRF defined globally
vrf [name]
VRF applied at interface
interface GigabitEthernet0/1/0/0
 vrf [name]
Route Distinguisher defined under BGP
router bgp [ASN]
 vrf [name]
  rd [value]

VRF Routing Tables

Each VRF has its own routing table
IOS: show ip route vrf [name | *]
IOS XR: show route vrf [name | all] ipv4
Addressing can overlap in different VRFs
Interfaces not in a VRF are in the global table
Global table is your normal show ip route
One VRF can't talk to another VRF or to global routes by default
VRF aware commands
ping vrf
traceroute vrf
telnet [host] /vrf
Etc.
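The VRF creation steps and the per-VRF routing table behaviour from the two slides above, combined into one IOS configuration, as an added example that is not part of the original slides. It builds two VRFs whose CE-facing links both carry 10.0.0.0/24, which a single shared routing table could never hold. VRF names, route distinguishers, addresses and interface names are assumptions chosen for illustration.

```cisco
! Added example: two customers on one IOS router, VRF Lite only (no MPLS,
! no MP-BGP). CUST-A, CUST-B, the RDs and all addresses are assumed.
vrf definition CUST-A
 rd 65000:1
 address-family ipv4
 exit-address-family
!
vrf definition CUST-B
 rd 65000:2
 address-family ipv4
 exit-address-family
!
! "vrf forwarding" strips any existing IP address from the interface, so
! assign the VRF first and configure the address afterwards.
! Both CE links carry the same subnet; that is legal because each lives
! in its own VRF table.
interface GigabitEthernet0/1
 description CE of customer A
 vrf forwarding CUST-A
 ip address 10.0.0.1 255.255.255.0
!
interface GigabitEthernet0/2
 description CE of customer B
 vrf forwarding CUST-B
 ip address 10.0.0.1 255.255.255.0
!
! An interface without "vrf forwarding" stays in the global table.
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
!
! Verification (VRF aware forms of the usual commands): 10.0.0.0/24 shows
! up once in each VRF table and never in the global one, and a ping must
! name the VRF or it is sourced from the global table and fails.
! show ip route vrf CUST-A
! show ip route vrf CUST-B
! show ip route
! ping vrf CUST-A 10.0.0.2
! ping vrf CUST-B 10.0.0.2
```

Nothing in this configuration lets CUST-A reach CUST-B or the global table; that isolation is the default and is what the MP-BGP route targets later on the page relax deliberately.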

VRF Aware Routing

Routing inside a VRF can be through
VRF aware static routes
VRF aware dynamic routing
RIP
EIGRP
OSPF
IS-IS
MP-BGP
Policy Routing

VRF Aware Static Routes

! IOS
ip route vrf A 10.0.0.0 255.255.255.0 1.2.3.4
! IOS XR
router static
 vrf A
  address-family ipv4 unicast
   10.0.0.0/24 1.2.3.4

IOS VRF Aware RIP

router rip
 !
 address-family ipv4 vrf VRF1
  network 10.0.0.0
  no auto-summary
  version 2
 exit-address-family

IOS XR VRF Aware RIP

router rip
 vrf VRF1
  interface GigabitEthernet0/1/0/0

IOS VRF Aware EIGRP

router eigrp 65535
 !
 address-family ipv4 vrf VRF1
  network 10.0.0.0
  no auto-summary
  autonomous-system 1
 exit-address-family

IOS XR VRF Aware EIGRP

router eigrp 65535
 vrf VRF1
  address-family ipv4
   autonomous-system 1
   !
   interface GigabitEthernet0/1/0/0

IOS VRF Aware OSPF

ip vrf VRF1
 rd 1:1
!
ip vrf VRF2
 rd 2:2
!
router ospf 1 vrf VRF1
 network 10.0.0.1 0.0.0.0 area 0
!
router ospf 2 vrf VRF2
 network 20.0.0.1 0.0.0.0 area 0

IOS XR VRF Aware OSPF

router ospf 1
 vrf VRF1
  address-family ipv4 unicast
  area 0
   interface GigabitEthernet0/1/0/0

IOS VRF Aware IS-IS

interface FastEthernet1/0
 ip vrf forwarding VRF1
 ip address 10.0.0.1 255.255.255.0
 ip router isis 1
!
router isis 1
 vrf VRF1
 net 49.0001.0000.0000.0001.00

IOS VRF Aware BGP

router bgp 1
 !
 address-family ipv4 vrf VRF1
  neighbor 10.0.0.2 remote-as 10
  neighbor 10.0.0.2 activate
  network 10.0.0.0 mask 255.255.255.0
 exit-address-family
 !
 address-family ipv4 vrf VRF2
  neighbor 20.0.0.2 remote-as 20
  neighbor 20.0.0.2 activate
  network 20.0.0.0 mask 255.255.255.0
 exit-address-family

IOS XR VRF Aware BGP

router bgp 1
 address-family ipv4 unicast
 !
 address-family vpnv4 unicast
 !
 vrf A
  rd 1:1
  address-family ipv4 unicast
   network 10.0.0.0/24
  !
  neighbor 1.2.3.4
   remote-as 2
   address-family ipv4 unicast
    route-policy PASS in
    route-policy PASS out
!
route-policy PASS
  pass
end-policy

VRF Lite vs. MPLS VPNs

In VRF Lite all devices in the transit path must carry all routes in all VRF tables
In MPLS VPNs only PE routers need customer routes
Accomplished through
VPNv4 BGP
RD + Prefix makes VPN routes globally unique
MPLS VPN tag/label
P routers only need to know how to reach the BGP next-hop
Uses BGP free core logic

MPLS VPN Logic

(diagram of the reference topology R1 - R2 - R3 - R4 - R5 - R6 - XR1 - XR2 used by the following slides; R2 and XR1 are the PEs, R1 and XR2 the CEs)

MPLS VPN Label Advertisement Logic

R2 advertises implicit null to R3 for R2's Loopback (penultimate hop popping)
R3 advertises label L1 to R4 for R2's Loopback
R4 advertises label L2 to R5 for R2's Loopback
R5 advertises label L3 to R6 for R2's Loopback
R6 advertises label L4 to XR1 for R2's Loopback
Reverse advertisement occurs as well
XR1's Loopback to R6 > R5 > R4 > R3 > R2

MPLS VPN PE-CE Routing Logic

R2 learns X via R1 from IGP, BGP, or static
R2 advertises X to XR1 via MP-BGP with
Next-hop of R2's Loopback0
VPN label of V1
XR1 imports X into its VRF (route-target match) and advertises it to XR2 through the PE-CE routing protocol
XR2 learns X via XR1 from IGP, BGP, or static
Reverse advertisement occurs as well

MPLS VPN Traffic Flow Logic

XR2 sends IPv4 packet to XR1 destined for X
XR1 does routing lookup on X in the VRF and sees R2's Loopback as BGP next-hop
Since XR1 has an LSP for R2, it
Imposes VPN label V1
Imposes transport label L4
Forwards packet to R6
R6 swaps L4 with L3 and forwards to R5
R5 swaps L3 with L2 and forwards to R4
R4 swaps L2 with L1 and forwards to R3
R3 pops L1 (penultimate hop popping) and forwards to R2 with only V1 left
R2 pops V1, which identifies the VRF and outgoing interface, and forwards the IPv4 packet to R1

Multiprotocol BGP

How do PE routers exchange VRF info?
RFC 4364 BGP/MPLS IP Virtual Private Networks (VPNs)
MP-BGP defines AFI 1 & SAFI 128 as VPN-IPv4 or VPNv4
8 byte Route Distinguisher (RD)
Unique per VPN or per VPN site
ASN:nn or IP-address:nn
4 byte IPv4 address
Unique per VPN
RD + IPv4 address forms a 12 byte VPN-IPv4 address, which makes routes globally unique even when customers overlap
VPNv4 includes MPLS VPN label

Transport Label vs. VPN Label

L3VPN needs at least 2 labels to deliver traffic
Can be more with applications like MPLS TE, FRR, etc.
Transport Label
Tells the SP core routers which PE the traffic is destined to
Typically derived from LDP
Sometimes called the IGP label
VPN Label
Tells the egress PE router which VRF and CE the traffic is destined to
Derived from VPNv4 advertisements of PEs

Configuring VPNv4 BGP

Uses address-family like VRF aware BGP
address-family vpnv4 unicast
Neighbors must be defined under the global BGP process, then activated under VPNv4
Attributes are applied under the address-family
Next-hop processing
Send-community
Extended communities are required (they carry the route-target; without them the remote PE imports nothing)
Route reflection
Route-map
Etc.
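The steps on this slide put together as one working PE pair, as an added example that is not part of the original INE slides: R2 is an IOS PE and XR1 an IOS XR PE in AS 65000, peering VPNv4 over their loopbacks, each with a VRF CUST-A and an eBGP CE behind it. All addresses, AS numbers, VRF names, route distinguishers and interface names are assumptions chosen for illustration; the core IGP and LDP are shown only as far as the VPNv4 next-hop needs them.

```cisco
! ---- R2 (IOS PE, AS 65000) ----
! assumed: Loopback0 10.255.0.2, core link 10.23.0.2/24, CE link 10.0.0.1/24
mpls label protocol ldp
mpls ldp router-id Loopback0 force
!
interface Loopback0
 ip address 10.255.0.2 255.255.255.255
!
interface GigabitEthernet0/0
 description core link to R3, labeled by LDP
 ip address 10.23.0.2 255.255.255.0
 mpls ip
!
router ospf 1
 network 10.255.0.2 0.0.0.0 area 0
 network 10.23.0.0 0.0.0.255 area 0
!
vrf definition CUST-A
 rd 65000:1
 address-family ipv4
  route-target export 65000:1
  route-target import 65000:1
 exit-address-family
!
interface GigabitEthernet0/1
 description CE link to R1
 vrf forwarding CUST-A
 ip address 10.0.0.1 255.255.255.0
!
router bgp 65000
 bgp router-id 10.255.0.2
 no bgp default ipv4-unicast
 ! the VPNv4 peer is defined once, under the global process ...
 neighbor 10.255.0.11 remote-as 65000
 neighbor 10.255.0.11 update-source Loopback0
 !
 ! ... and activated only under VPNv4, so the core stays BGP-free.
 ! IOS adds send-community extended itself when the neighbor is activated
 ! here; it is what carries the route-target to the remote PE.
 address-family vpnv4
  neighbor 10.255.0.11 activate
  neighbor 10.255.0.11 send-community extended
 exit-address-family
 !
 ! PE-CE eBGP runs inside the VRF; the CE subnet is exported as well
 address-family ipv4 vrf CUST-A
  redistribute connected
  neighbor 10.0.0.2 remote-as 65001
  neighbor 10.0.0.2 activate
 exit-address-family
!
! ---- XR1 (IOS XR PE, AS 65000) ----
! assumed: Loopback0 10.255.0.11, core link 10.61.0.11/24, CE link 10.0.1.1/24
interface Loopback0
 ipv4 address 10.255.0.11 255.255.255.255
!
interface GigabitEthernet0/1/0/0
 description core link to R6
 ipv4 address 10.61.0.11 255.255.255.0
!
router ospf 1
 area 0
  interface Loopback0
  interface GigabitEthernet0/1/0/0
!
mpls ldp
 router-id 10.255.0.11
 interface GigabitEthernet0/1/0/0
!
vrf CUST-A
 address-family ipv4 unicast
  import route-target
   65000:1
  export route-target
   65000:1
!
interface GigabitEthernet0/1/0/1
 vrf CUST-A
 ipv4 address 10.0.1.1 255.255.255.0
!
route-policy PASS
  pass
end-policy
!
router bgp 65000
 bgp router-id 10.255.0.11
 address-family vpnv4 unicast
 !
 neighbor 10.255.0.2
  remote-as 65000
  update-source Loopback0
  address-family vpnv4 unicast
 !
 vrf CUST-A
  rd 65000:1
  address-family ipv4 unicast
   redistribute connected
  !
  neighbor 10.0.1.2
   remote-as 65002
   address-family ipv4 unicast
    route-policy PASS in
    route-policy PASS out
```

To watch the two labels from the label slides, use show ip bgp vpnv4 vrf CUST-A labels and show mpls forwarding-table on R2, and show bgp vpnv4 unicast vrf CUST-A together with show mpls forwarding on XR1; ping vrf CUST-A 10.0.1.2 source 10.0.0.1 from R2 exercises the full VPN label plus transport label path. The VPNv4 next-hop that each PE advertises is its Loopback0, which is exactly the prefix the core IGP carries and LDP labels; if the loopback is not in the IGP, the remote PE has no LSP to it and the route stays unusable.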

Controlling VPNv4 Routes

Route distinguisher used solely to make the route unique
Allows for overlapping IPv4 addresses between customers
New BGP extended community route-target used to control what enters/exits the VRF table
export route-target
What routes will go from VRF into BGP
import route-target
What routes will go from BGP into VRF
Allows granular control over what sites have what routes
import map and export map allow control on a per prefix basis

Route Distinguisher vs. Route Target

Route Distinguisher
Makes the route unique
Route Target
Controls the route's VPN membership(s)

VPNv4 Route Targets

8 byte field per RFC 4360 BGP Extended Communities Attribute
Format similar to route distinguisher
ASN:nn or IP-address:nn
VPNv4 speakers only accept VPNv4 routes with a route-target matching a local VRF import
Route reflection exception: a route reflector has no VRFs of its own but must retain every VPNv4 route for its clients
no bgp default route-target filter disables the filtering on any speaker that must hold routes for VRFs it does not have locally

VPNv4 Route Targets (cont.)

VPNv4 routes can have more than one route target
Allows complex VPN topologies
Full mesh
Import and export same everywhere
Hub and Spoke
Spokes import only the hub's routes
Central services
Multiple VPNs can import routes from a central site or from a central server
Management VPNs
Management Loopback on CE routers can be exported into a special management VPN
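One way to turn the per-prefix export map from the Controlling VPNv4 Routes slide and the hub-and-spoke and management VPN designs on the slide above into IOS configuration, as an added example that is not part of the original slides. VRF names, route distinguishers, route-target values and the 192.168.255.0/24 management loopback range are assumptions chosen for illustration.

```cisco
! Assumed route-target plan (values chosen for this example):
!   65000:100  routes the hub site exports
!   65000:200  routes every spoke site exports
!   65000:999  CE management loopbacks, imported only by the MGMT VRF
!   65000:998  the NOC's own prefixes, imported by customer VRFs
!
! ---- hub PE ----
! The hub imports everything the spokes export but exports only its own RT,
! so spoke-to-spoke traffic has to pass through the hub CE.
vrf definition CUST-A-HUB
 rd 65000:100
 address-family ipv4
  route-target export 65000:100
  route-target import 65000:200
 exit-address-family
!
! ---- spoke PEs ----
! Only /32s from the assumed management range get the extra RT; the second
! clause passes everything else with the static export RT only, so the
! rest of the customer's prefixes never become visible to the MGMT VRF.
ip prefix-list CE-MGMT-LOOPBACK seq 5 permit 192.168.255.0/24 ge 32
!
route-map CUST-A-EXPORT permit 10
 match ip address prefix-list CE-MGMT-LOOPBACK
 set extcommunity rt 65000:999 additive
!
route-map CUST-A-EXPORT permit 20
!
vrf definition CUST-A-SPOKE
 rd 65000:200
 address-family ipv4
  route-target export 65000:200
  route-target import 65000:100
  route-target import 65000:998
  export map CUST-A-EXPORT
 exit-address-family
!
! ---- NOC PE ----
! The management VRF sees every tagged CE loopback from every customer
! that uses the same export map, nothing else, and exports only the NOC RT.
vrf definition MGMT
 rd 65000:999
 address-family ipv4
  route-target export 65000:998
  route-target import 65000:999
 exit-address-family
```

A route imported into a VRF from VPNv4 is not re-exported with that VRF's export route-target, so the spokes do not learn each other's prefixes through the hub PE; spoke-to-spoke reachability comes from the hub CE advertising a default route (or a summary) toward the hub PE, which then carries 65000:100 to the spokes. Each spoke VRF imports 65000:998 so that NOC traffic to the management loopback has a return path; if that return path should cover only specific NOC prefixes, add an import map, which on IOS filters on top of the route-target match rather than replacing it.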