HALF DUPLEX VRFs: A SCALABLE HUB & SPOKE IMPLEMENTATION
DECEMBER 2003
Half Duplex VRFs, 12/03 © 2003 Cisco Systems, Inc. All rights reserved.
HALF DUPLEX VRFs (HDV)
Why Half Duplex VRFs? Problem
• The only way to implement a hub and spoke topology is to put every spoke into its own unique VRF
  – Ensures that spokes do not communicate directly
• A single-VRF model without HDV impairs the ability to bind traffic to the upstream ISP Hub
Why Half Duplex VRFs? Solution
• HDV allows the wholesale Service Provider to provide true hub and spoke connectivity to subscribers, who can be connected to the:
  – Same or different PE-router(s)
  – Same or different VRFs, via the upstream ISP
Technical Justification
• Problem
  – The PE requires multiple VRF tables (one per spoke) to push spoke traffic via the hub
  – If the spokes are in the same VRF (no HDV), traffic will be switched locally and will not go via the hub site
• Solution
  – HDV allows all the spoke site routes in one VRF
• Benefit
  – Scalability for RA (remote access) to MPLS connections
  – Reduces memory requirements by using just two VRF tables
  – Simplifies provisioning, management, and troubleshooting by reducing the number of Route Target and Route Distinguisher configurations
Hub & Spoke Connectivity Without HDV: Requires Dedicated VRF Tables Per Spoke Site
[Diagram: spokes A and B attach to PE routers (VPN ports) in Spoke A VRF and Spoke B VRF; the MPLS core connects them to the Hub Site PE and its CE at the ISP Hub]
• All the spokes are in the same VPN (yellow)
• A dedicated (separate) VRF per spoke is needed to push all traffic through the upstream ISP Hub
Hub & Spoke Connectivity Without HDV: Using A Single VRF
[Diagram: spokes A and B terminate on the same Spoke Site PE (VPN ports, service loopback) in a single VRF table; the MPLS core connects to the Hub Site PE and its CE at the ISP Hub]
• If two subscribers of the same service terminate on the same PE-router, traffic between them can be switched locally at the PE-router (as shown), which is undesirable
• All inter-subscriber traffic needs to follow the default route via the Home Gateway (located at the upstream ISP)
Terminology
• Upstream VRF
  – Used to forward packets from Spokes to Hub
  – Contains a static default route
• Downstream VRF
  – Used to forward packets from Hub to Spoke
  – Contains a /32 route to a subscriber (installed from PPP)
Hub & Spoke Connectivity With HDV: Using A Single VRF
[Diagram: spokes A and B terminate on the same Spoke Site PE (VPN ports) in a single VRF table; the MPLS core connects to the Hub Site PE and its CE at the ISP Hub]
• If two subscribers of the same service terminate on the same PE-router, traffic between them is not switched locally
• All inter-subscriber traffic follows the default route via the Home Gateway (located at the upstream ISP)
Half Duplex VRF Functionality
1. HDVs are used in only one direction by incoming traffic
   Ex: upstream toward the MPLS VPN backbone or downstream toward the attached subscriber
2. The PPP client dials in and is authenticated, authorized, and assigned an IP address
3. The peer route is installed in the downstream VRF table
   – One single downstream VRF for all spokes in the single VRF
4. To forward traffic among spokes (users), the upstream VRF is consulted at the Spoke PE and traffic is forwarded via the Hub PE to the Hub CE
   – Return path: the downstream VRF is consulted on the Hub PE before forwarding traffic to the appropriate Spoke PE and on to the spoke (user)
5. Source address lookup occurs in the downstream VRF if unicast RPF check is configured on the interface on which HDV is enabled
Subscriber Connection Process
[Diagram: PPP user Subscriber-A connects to the Wholesale Service Provider's PE-WholesaleProvider-LAC, which reaches PE-ISP across the MPLS core; the Wholesale Service Provider and ISP-A each operate an AAA server]
1. The PPP user initiates a PPP session using the name Subscriber-A@ISP-A.com and a password
2. The LAC/PE-router sends the username information to the Wholesale Service Provider Radius server
3. ISP-A (the service name) is used to index into a profile that contains the IP address of the Radius server of ISP-A
4. Subscriber-A@ISP-A.com and the password are then forwarded from the Wholesale Provider Radius server (which acts as a "proxy-radius") towards the ISP Radius server
5. The ISP-A Radius server authenticates and assigns an IP address
6. The ISP-A Radius server sends "Access-Accept" to the Wholesale Service Provider Radius server
7. The Wholesale Service Provider Radius server adds authorization information to the Access-Accept (based on the domain or service name), including the VRF to be used by Subscriber-A, and forwards it to the PE-WholesaleProvider-LAC router
8. The PE-WholesaleProvider-LAC router creates a temporary Virtual-Access interface (with an associated /32 IP address) and places it into the appropriate VRF
Configuration Command
!
interface <>
 ip vrf forwarding <vrf-name1> [downstream <vrf-name2>]
!
vrf-name1: First VRF that the interface is associated with.
vrf-name2: This is the downstream VRF. The PPP peer route and per-user routes from the AAA server are installed in this VRF.
Sample Configuration
• Each VRF is created on the Spoke PE-router (LAC) before PPPoA or PPPoE client connections are established
ip vrf Internet-ISPA-upstream
 rd 10:26
 route-target import 10:26
!
ip vrf Internet-ISPA-downstream
 rd 10:27
 route-target export 10:27
• The upstream VRF only requires a route-target import statement
  – Imports the default route from the hub PE router (at the Wholesale Provider)
• The downstream VRF only requires a route-target export command
  – Used to export all of the /32 (virtual-access interface) addresses toward the hub PE-router
Reverse Path Forwarding Check
• Reverse Path Forwarding (RPF)
  – Used by the Service Provider to examine the source IP address of an incoming IP packet and ascertain whether it entered the router via the correct inbound interface
• Concern
  – HDV populates a different VRF than the one used for "upstream" forwarding
• Solution
  – Extend the RPF mechanism so the "downstream" VRF is checked
• To enable the RPF extension, configure:
  ip verify unicast reverse-path <downstream vrf-name>
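As an added illustration (not part of the original deck and not Cisco code), the Python model below puts the functionality slide and the RPF slide together: a subscriber-side ingress lookup that consults only the upstream VRF, a core-side egress lookup in the downstream VRF, and a uRPF check performed against the downstream VRF, beside a single-VRF table that shows the local switching HDV prevents. Interface names, addresses and routes are taken from the case study later in the deck; the functions, their return strings and the constructed tables are assumptions of this example.

```python
"""Added illustration of half-duplex VRF (HDV) forwarding on a spoke PE.
Not Cisco code; routes are constructed from the case-study show output."""
import ipaddress
from dataclasses import dataclass

HUB = "100.0.0.20"  # hub PE next hop of the BGP default route in VRF U


@dataclass
class Vrf:
    routes: dict  # prefix -> egress interface or next hop (constructed)

    def lookup(self, addr):
        """Longest-prefix match; returns the route's target or None."""
        ip = ipaddress.ip_address(addr)
        best = None
        for prefix, target in self.routes.items():
            net = ipaddress.ip_network(prefix)
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, target)
        return best[1] if best else None


@dataclass
class HdvInterface:
    """Virtual-Access interface with 'ip vrf forwarding U downstream D'."""
    name: str
    upstream: Vrf
    downstream: Vrf
    urpf: bool = True  # RPF extension: source is checked in the downstream VRF


def forward_from_spoke(ifc, src, dst):
    """Subscriber -> PE: uRPF against D, then destination lookup in U only.
    U carries no spoke /32s, so spoke-to-spoke traffic can only hit the default."""
    if ifc.urpf and ifc.downstream.lookup(src) != ifc.name:
        return "drop:urpf"
    return ifc.upstream.lookup(dst) or "drop:no-route"


def forward_from_core(downstream, dst):
    """Hub -> PE: the VPN label selects VRF D, which holds the PPP peer /32s."""
    return downstream.lookup(dst) or "drop:no-route"


# Constructed tables mirroring 'show ip route vrf U' and 'vrf D' on the slides.
U = Vrf({"2.0.0.8/32": "Loopback2", "0.0.0.0/0": HUB})
D = Vrf({
    "2.8.1.1/32": "Virtual-Access3",  # PPP peer of subscriber1
    "2.8.1.2/32": "Virtual-Access4",  # PPP peer of subscriber2
    "2.0.0.5/32": "Virtual-Access3",  # per-user route from AAA, resolved via 2.8.1.1
})
VA3 = HdvInterface("Virtual-Access3", U, D)
# Single-VRF model without HDV: one table holds both the /32s and the default.
SINGLE = Vrf({**D.routes, "0.0.0.0/0": HUB})


def demo():
    """Forwarding decisions for the cases the slides contrast."""
    return {
        "hdv_spoke_to_spoke": forward_from_spoke(VA3, "2.8.1.1", "2.8.1.2"),
        "no_hdv_spoke_to_spoke": SINGLE.lookup("2.8.1.2"),  # switched locally
        "hdv_return_from_hub": forward_from_core(D, "2.8.1.2"),
        "hdv_spoofed_source": forward_from_spoke(VA3, "2.8.1.2", "8.8.8.8"),
    }
```

With HDV the spoke-to-spoke packet resolves to the hub next hop, while the single-VRF table resolves it to Virtual-Access4 on the same PE; a source that the downstream VRF maps to a different interface fails the uRPF check.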
HDV Supported Features
• IP unnumbered on any point-to-point interface, including virtual access/template interfaces
• Spokes connected to the Spoke PE or the Hub PE
• Subscribers using a single ISP or multiple ISPs
• Reverse Path Forwarding Check
HDV Support: Cisco IOS Software Images
• HDV-1
  – Base image: Release 12.2(14.6)T1
  – No unicast RPF support
• HDV-2
  – Base image: Release 12.2(15)T
  – Unicast RPF support added
• HDV-3
  – Base image: Release 12.2(15)T2
  – Handles cases when the downstream VRF is deleted
  – Added support for distributed hardware; unicast RPF HDV info is propagated to linecards
  – show ip vrf detail, show ip interface, show ip cef interface internal
• HDV-4
  – Same as HDV-3; based on Release 12.3(3)
Restrictions
• Software
  – Only supports Virtual Access/Template interfaces
    – Must be configured with IP unnumbered
    – "ip address ..." is not allowed on HDV interfaces
  – PE-CE link: supports only static routing
• Hardware
  – Release 12.3: feature will be available only on Cisco 6400 Series (NRP and NRP2 router blades)
Show Commands
• These commands highlight the upstream / downstream VRFs bound to particular interfaces and give detailed information about VRFs

PE-router# sh ip int vi3
Virtual-Access3 is up, line protocol is up
  Interface is unnumbered. Using address of Loopback2 (2.0.0.8)
  ...
  VPN Routing/Forwarding "U"
  Downstream VPN Routing/Forwarding "D"
  IP multicast fast switching is disabled
  ...

Partial output highlighting only HDV related information
Show Commands (Cont.)
PE-router# sh ip vrf detail D
VRF D; default RD 1:8; default VPNID <not set>
  Description: Downstream VRF - to spokes
  No interfaces
  Interfaces using this VRF as downstream:
    Virtual-Access3 Virtual-Access4
  Connected addresses are not in global routing table
  Export VPN route-target communities
    RT:1:100
  No Import VPN route-target communities
  No import route-map
  No export route-map

PE-router# sh cef interface vi3 int
Virtual-Access3 is up (if_number 35)
  ...
  Subblocks:
    ip verify: via=rx, acl=0, drop=0, sdrop=0, downstream VRF D
CASE STUDY
Case Study
• Scenario
  – The Wholesale Service Provider and ISPs offer services in partnership to the subscribers
  – Subscribers connect to the Wholesale Service Provider network, which directs them to the appropriate ISP based on the subscribed services
• Network topology and specification
  – Multiple Spoke sites are connected to the same PE router in a Hub/Spoke topology over PPPoE
  – The Hub-PE is a separate PE router
  – This topology serves PPP clients, who are authenticated and authorized by a Radius server via the LNS (SpokeSitePE)
Topology
[Diagram: Subscriber1 and Subscriber2 connect through SpokeSiteCE1 (LAC1) and SpokeSiteCE2 (LAC2) to SpokeSitePE (LNS1); SpokeSitePE reaches HubSitePE across the MPLS Core; HubSitePE connects to ISP1_Hub_CE; an AAA Radius Server authenticates the subscribers]
Topology (Cont.)
[Diagram: same topology annotated with the VRF definitions on each PE]
HubSitePE:
ip vrf HUB
 rd 1:20
 route-target export 1:0
 route-target import 1:100

SpokeSitePE (LNS1):
ip vrf U
 rd 1:0
 route-target import 1:0
!
ip vrf D
 rd 1:8
 route-target export 1:100
Configuration Steps To Enable HDV
• HubSitePE
  – Regular VRF and VPNv4 configuration associated with the HUB VRF
• SpokeSitePE (LNS)
  – Create upstream & downstream VRFs
  – Configure VPDN & AAA related configuration as usual
  – Configure VPNv4 and VRFs as in a basic MPLS VPN, including the upstream and downstream VRFs in the VPNv4 address-families
• SpokeSiteCE (LAC)
  – Create upstream & downstream VRFs
  – Configure VPDN & AAA related configuration as usual
  – Bind the VRFs on the appropriate interfaces (Virtual-Template, Loopback)
• Radius Server
  – Configure user profiles on the Radius server
Radius Server Configuration
DEFAULT Service-Type == Framed-User
        Framed-Protocol = PPP,
        cisco-avpair += "lcp:interface-config=ip vrf forwarding U downstream D",
        cisco-avpair += "lcp:interface-config=ip unnumbered loopback 2",
        cisco-avpair += "ip:addr-pool=U-pool",
        Fall-Through = Yes

subscriber1 Auth-Type := Local, User-Password == "subscriber1"
        cisco-avpair += "ip:route=2.0.0.5 255.255.255.255"

subscriber2 Auth-Type := Local, User-Password == "subscriber2"
        cisco-avpair += "ip:route=2.0.0.2 255.255.255.255"

Spokes will inherit the default configuration
Configuration: HubSitePE
ip vrf HUB
 rd 1:20
 route-target export 1:0
 route-target import 1:100
!
router bgp 1
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor 100.0.0.34 remote-as 1
 neighbor 100.0.0.34 update-source Loopback0
 no auto-summary
 !
 address-family ipv4 multicast
  no auto-summary
 exit-address-family
 !
 address-family vpnv4
  neighbor 100.0.0.34 activate
  neighbor 100.0.0.34 send-community extended
  no auto-summary
 exit-address-family
 !
 address-family ipv4
  no auto-summary
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf HUB
  neighbor 1.20.1.2 remote-as 100
  neighbor 1.20.1.2 activate
  no auto-summary
  no synchronization
 exit-address-family
!
Configuration: SpokeSitePE (LNS)
hostname SpokeSitePE
aaa new-model
!
aaa group server radius R
 server 22.0.26 auth-port 1812 acct-port 1813
!
aaa authentication ppp default group radius
aaa authorization network default group radius
!
ip vrf D
 description Downstream VRF - to spokes
 rd 1:8
 route-target export 1:100
!
ip vrf U
 description Upstream VRF - to hub
 rd 1:0
 route-target import 1:0
!
ip cef
vpdn enable
!
vpdn-group U
 accept-dialin
  protocol pppoe
  virtual-template 1
!
interface Loopback2
 ip vrf forwarding U
 ip address 2.0.0.8 255.255.255.255
!
interface ATM2/0
 description Mze ATM3/1/2
 no ip address
 no atm ilmi-keepalive
 pvc 0/16 ilmi
 !
 pvc 3/100
  protocol pppoe
 !
 pvc 3/101
  protocol pppoe
!
interface Virtual-Template1
 no ip address
 ppp authentication chap
!
router bgp 1
 no synchronization
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor 100.0.0.34 remote-as 1
 neighbor 100.0.0.34 update-source Loopback0
 no auto-summary
Configuration: SpokeSitePE (LNS) (Cont.)
 !
 address-family ipv4 multicast
  no auto-summary
  no synchronization
 exit-address-family
 !
 address-family vpnv4
  neighbor 100.0.0.34 activate
  neighbor 100.0.0.34 send-community extended
  no auto-summary
 exit-address-family
 !
 address-family ipv4 vrf U
  no auto-summary
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf D
  redistribute static
  no auto-summary
  no synchronization
 exit-address-family
!
ip local pool U-pool 2.8.1.100
!
radius-server host 22.0.26 auth-port 1812 acct-port 1813
radius-server key cisco
Show Log: SpokeSitePE (LNS)
Both subscribers available on the SpokeSitePE:
SpokeSitePE#sh run int virtual-access 3
Building configuration...

Current configuration : 92 bytes
!
interface Virtual-Access3
 ip vrf forwarding U downstream D
 ip unnumbered Loopback2
end

SpokeSitePE#sh run int virtual-access 4
Building configuration...

Current configuration : 92 bytes
!
interface Virtual-Access4
 ip vrf forwarding U downstream D
 ip unnumbered Loopback2
end
Show Log: SpokeSitePE (LNS) (Cont.)
Shows the downstream VRF table:
SpokeSitePE#sh ip route vrf D
Routing Table: D
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

     2.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
U       2.0.0.2/32 [1/0] via 2.8.1.1
S       2.0.0.0/8 is directly connected, Null0
U       2.0.0.5/32 [1/0] via 2.8.1.2
C       2.8.1.2/32 is directly connected, Virtual-Access4
C       2.8.1.1/32 is directly connected, Virtual-Access3
Show Log: SpokeSitePE (LNS) (Cont.)
Shows the upstream VRF table:
SpokeSitePE#sh ip route vrf U
Routing Table: U
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 100.0.0.20 to network 0.0.0.0

     2.0.0.0/32 is subnetted, 1 subnets
C       2.0.0.8 is directly connected, Loopback2
B*   0.0.0.0/0 [200/0] via 100.0.0.20, 1w5d
Show Log: SpokeSitePE (LNS) (Cont.)
SpokeSitePE#sh ip int vi3
Virtual-Access3 is up, line protocol is up
  Interface is unnumbered. Using address of Loopback2 (2.0.0.8)
  Broadcast address is 255.255.255.255
  Peer address is 2.8.1.1
  MTU is 1492 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound access list is not set
  Proxy ARP is enabled
  Local Proxy ARP is disabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP fast switching on the same interface is enabled
  IP Flow switching is disabled
  IP CEF switching is enabled
  IP Feature Fast switching turbo vector
  IP VPN CEF switching turbo vector
  VPN Routing/Forwarding "U"
  Downstream VPN Routing/Forwarding "D"
  IP multicast fast switching is disabled
  IP multicast distributed fast switching is disabled
  IP route-cache flags are Fast, CEF
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  RTP/IP header compression is disabled
  Policy routing is disabled
  Network address translation is disabled
  WCCP Redirect outbound is disabled
  WCCP Redirect inbound is disabled
  WCCP Redirect exclude is disabled
  BGP Policy Mapping is disabled

SpokeSitePE#sh cef interface vi3 int
Virtual-Access3 is up (if_number 35)
  Corresponding hwidb fast_if_number 35
  Corresponding hwidb firstsw->if_number 35
  Internet address is 0.0.0.0/0
  Unnumbered interface. Using address of Loopback2 (2.0.0.8)
  ICMP redirects are always sent
  Per packet load-sharing is disabled
  IP unicast RPF check is enabled
  Inbound access list is not set
  Outbound access list is not set
  IP policy routing is disabled
  BGP based policy accounting is disabled
  Interface is marked as point to point interface
  Hardware idb is Virtual-Access3
  Fast switching type 7, interface type 21
  IP CEF switching enabled
  IP Feature Fast switching turbo vector
  IP VPN Feature CEF switching turbo vector
  VPN Forwarding table "U"
  Input fast flags 0x5000, Output fast flags 0x0
  ifindex 23(23)
  Slot -1 Slot unit 3 Unit 3 VC -1
  Transmit limit accumulator 0x0 (0x0)
  IP MTU 1492
  Subblocks:
    ip verify: via=rx, acl=0, drop=0, sdrop=0, downstream VRF D

SpokeSitePE#sh ip vrf detail D
VRF D; default RD 1:8; default VPNID <not set>
  Description: Downstream VRF - to spokes
  No interfaces
  Interfaces using this VRF as downstream:
    Virtual-Access3 Virtual-Access4
  Connected addresses are not in global routing table
  Export VPN route-target communities
    RT:1:100
  No Import VPN route-target communities
  No import route-map
  No export route-map
Configuration: SpokeSiteCE (LAC1)
username subscriber1 password 0 subscriber1
username subscriber2 password 0 subscriber2
!
ip vrf D
 rd 1:8
 route-target export 1:100
!
ip vrf U
 rd 1:0
 route-target import 1:0
!
ip cef
vpdn enable
!
vpdn-group U
 accept-dialin
  protocol pppoe
  virtual-template 1
!
interface Loopback2
 ip vrf forwarding U
 ip address 2.0.0.8 255.255.255.255
!
interface ATM2/0
 description Mze ATM3/1/2
 no ip address
 no atm ilmi-keepalive
 pvc 0/16 ilmi
 !
 pvc 3/100
  protocol pppoe
 !
 pvc 3/101
  protocol pppoe
!
interface Virtual-Template1
 ip vrf forwarding U downstream D
 ip unnumbered Loopback2
 peer default ip address pool U-pool
 ppp authentication chap
!
ip local pool U-pool 2.8.1.100
BACKUP SLIDES
Topology I: Hub and Spoke Connectivity Between Distributed PE-Routers
• Upstream traffic (i.e. traffic toward the upstream ISP or toward another subscriber) is sent to the hub PE-router and forwarded across the link between the wholesale SP and the ISP
• Subscriber traffic follows a default route within the VRF
• Traffic is forwarded towards and received from the wholesale Service Provider's PE-router and the subscriber
[Diagram: Spoke 1 (A) and Spoke 2 (B) on separate PE routers, each with a VPN port and service loopback, across the MPLS core to the Home Gateway PE and CE at the ISP Hub]
Topology II: Hub and Spoke Connectivity Between Subscribers Of Different Services
• Data flow between two subscribers that belong to different services goes through the hub location of the Service Provider
• Data will traverse a network exchange point, either public or private, by following a default route within the subscriber VRF
Topology III: Hub and Spoke Connectivity Via the Same PE-Router (Different Services)
• If two subscribers are terminated on the same PE-router and belong to different services, the data is required to traverse the home gateways of both services.