INTER-AUTONOMOUS SYSTEM MPLS VPN
December 2003
MPLS VPN Inter-AS, 12/03 © 2003 Cisco Systems, Inc. All rights reserved.
Agenda
• Inter-Autonomous System (Inter-AS) Multiprotocol Label Switching (MPLS) VPN Overview
• Inter-AS Control Plane
• Inter-AS Forwarding Plane
• Inter-AS Connectivity Models
• Inter-AS Summary
Inter-AS MPLS VPN is a scalable mechanism for exchanging prefix and label information between two Service Provider networks. It is an extension of the basic MPLS VPN architecture (RFC 2547bis).
Why Inter-AS?
• Enables communication between networks under separate autonomous systems
• Provides traffic separation and maintains end-to-end privacy while traffic traverses multiple MPLS VPN backbones, in a scalable manner
• Allows VPN information to pass between MPLS VPN Service Providers so that they can successfully route traffic for a particular VPN
• Extends MPLS VPN services across geographical boundaries, so Service Providers can support their customer base in geographical locations where they have no POPs
• Allows a single Service Provider to partition its network into multiple domains for scalability and inter-departmental privacy
• Uses MPLS to forward the traffic end-to-end across the systems
Inter-AS Deployment
• More than ten Service Providers globally
• Hardware: Cisco 7200 and 7500 Series Routers; Cisco 10000 and 12000 Series Internet Routers
• Popular Inter-AS connectivity models: Back-to-Back VRF, MP-eBGP between ASBRs and MP-eBGP between RRs
Inter-AS Topology Overview
Diagram: AS #100 (PE-1, PE-ASBR-1) and AS #200 (PE-2, PE-ASBR-2) are joined across the PE-ASBR link. VPN-R (hub site in one AS, spoke sites in the other), VPN-G and VPN-B each have sites in both autonomous systems behind their CEs; Shared Services for VPNs and an Internet gateway (Internet-GW) also attach to the topology.
Inter-AS Functionality
• MPLS VPN providers exchange routes across VRF interfaces
• Each PE-ASBR router treats the other as a CE
• Provider edge routers are gateways used for VPNv4 route exchange
• PE-ASBR to PE-ASBR link may use any supported PE-CE routing protocol
Routing for Each Service Provider Domain
• Each AS operates under different administrative control and runs a different IGP
• No IGP routing information is exchanged between the domains
• All routing information exchange between the domains is via an exterior routing protocol
• Routing policies may differ between the exchange points
• Customer VPN routes are distributed into VRFs at the ingress PE of the ISP
• Each PE assigns labels for the routes to establish connections
INTER-AS CONTROL PLANE
Inter-AS Control Plane
• Establishes an EBGP session between the PE-ASBRs
• Distributes IPv4 routes for the VPNs in the form of VPNv4 addresses
• PE-ASBRs rewrite next hop and labels when a route is distributed to a neighbor
• PE-ASBRs store ALL VPN routes that need to be exchanged
• Routes are in the MP-BGP table but not in any other routing tables
  - PE-ASBRs do not have any VRF
  - MP-eBGP labels are used in the LFIB
Inter-AS Control Plane Route Exchange
Diagram (VPN Blue, with sites in SP1 and SP2):
• CE-B-1 → PE1-SP1: Route=VPN Blue Site 1, via static, EBGP, OSPF, EIGRP or RIPv2
• PE1-SP2 → ASBR-SP2 (IBGP across the SP2 MPLS core): Route=Site 2, Next hop=PE1-SP2, Label=L'
• ASBR-SP2 → SP1 (EBGP): Route=Site 2, Next hop=ASBR-SP2, Label=L'
• Inside the SP1 MPLS core (IBGP): Route=Site 2, Next hop=ASBR-SP2, Label=L'
Inter-AS Control Plane
Diagram (route N from a customer site in SP1, propagated across the two cores of P LSRs to a CE in SP2):
• From the CE: Network=N, Next-hop=CE-2
• Within SP1 (via RR-1): Network=RD1:N, Next-hop=PE-1, Label=L1
• PE-ASBR 1 → PE-ASBR 2: Network=RD1:N, Next-hop=PE-ASBR 1, Label=L2
• Within SP2 (via RR-2): Network=RD1:N, Next-hop=PE-ASBR 2, Label=L3
• PE-3 → remote CE: Network=N, Next-hop=PE-3
INTER-AS FORWARDING PLANE
External MP-BGP for VPNv4 Forwarding Plane
Diagram (packet from VPN-B-2 to 152.12.4.1, in VPN-B-1's 152.12.4.0/24 behind PE-1): PE-2 pushes [LDP label for PE-ASBR-2, L3]; the PE-ASBRs swap the VPN label across the inter-AS link; PE-ASBR-1 forwards with [LDP label for PE-1, L1]; PE-1 pops L1 and delivers the IP packet to VPN-B-1.
Inter-AS Forwarding Plane
Diagram (packet to 152.12.4.1 from a CE in SP2 toward PE-1 in SP1): PE-2 → PE-ASBR 2 carries L3, PE-ASBR 2 → PE-ASBR 1 carries L2, and PE-ASBR 1 → PE-1 across the core of P LSRs carries L1 under the transport label, matching the labels allocated on the control-plane slide.
Inter-AS VPNv4 TFIB Entries
• A VPNv4 TFIB entry corresponds to a VPNv4 RD+Prefix
Inter-AS Basic Configuration
• Create a loopback address on participating ASBRs
• Set up ASBRs for VPNv4 route distribution
• Set up ASBRs for IPv4 route distribution
• Disable the automatic route filtering feature
• Set ASBR as next-hop-self
Inter-AS Memory and Performance Impact
• Similar to that of basic VPNv4 for the same number of VRFs and routes per VRF
VPN Client Connectivity
Diagram (VPN sites attached to different MPLS VPN Service Providers):
• CE-1 → PE-1 (Edge Router 1, AS #100), via BGP, OSPF or RIPv2: 149.27.2.0/24, NH=CE-1
• PE-1 generates the VPNv4 update: RD 1:27:149.27.2.0/24, NH=PE-1, RT=1:231, Label=(28)
• PE-2 (Edge Router 2, AS #200) holds the VPN-A VRF, which imports routes with route-target 1:231, and attaches CE-2 (VPN-A-2)
• Question posed: how to distribute routes between SPs?
VPNv4 Distribution Options in Inter-AS
Diagram (AS #100: PE-1, PE-ASBR-1, CE-1/VPN-A-1; AS #200: PE-2, PE-ASBR-2, CE-2/VPN-A-2) showing that several options are available for distribution of VPNv4 prefix information:
• Back-to-back VRFs between PE-ASBR-1 and PE-ASBR-2
• MP-eBGP for VPNv4 between the PE-ASBRs
• Multihop MP-eBGP
• Multihop MP-eBGP between RRs
• Non-VPN Transit Provider
INTER-AS CONNECTIVITY MODELS
Inter-AS Connectivity Models
• Back-to-back VRFs
• External MP-eBGP for VPNv4
• Multihop MP-eBGP between RRs
• Non-VPN Transit Provider
Option 1: Back-to-Back VRF Connectivity
• Recommended for fewer VRFs requiring simpler connectivity, when the ASBRs are directly connected over a physical interface
• A sub-interface per VRF is created and mapped
• Packets are forwarded as IP packets between the ASBRs
• Each PE-ASBR router treats the other as a CE
• PE-ASBR to PE-ASBR link may use any supported PE-CE routing protocol
• Scalability issues if large numbers of VRFs need to be supported
Back-to-Back VRF Connectivity
Diagram: PE-ASBR-1 (AS #100) and PE-ASBR-2 (AS #200) are connected with one logical interface and VRF per VPN client (VPN-A, VPN-B); VRF-to-VRF connectivity between the PE-ASBRs.
Back-to-Back VRF Connectivity Control Plane
Diagram (VRF-to-VRF connectivity between PE-ASBRs; route 152.12.4.0/24 of VPN-B-1 propagated to VPN-B-2):
• CE-2 → PE-1 (BGP, OSPF or RIPv2): 152.12.4.0/24, NH=CE-2
• PE-1 → PE-ASBR-1 (VPNv4 update): RD 1:27:152.12.4.0/24, NH=PE-1, RT=1:222, Label=(29); PE-ASBR-1's VPN-B VRF imports routes with route-target 1:222
• PE-ASBR-1 → PE-ASBR-2 (BGP, OSPF or RIPv2 over the VPN-B VRF interface): 152.12.4.0/24, NH=PE-ASBR-1; PE-ASBR-2's VPN-B VRF imports routes with route-target 1:222
• PE-ASBR-2 → PE-2 (VPNv4 update): RD 1:27:152.12.4.0/24, NH=PE-ASBR-2, RT=1:222, Label=(92)
• PE-2 → CE-3 (BGP, OSPF or RIPv2): 152.12.4.0/24, NH=PE-2
Back-to-Back VRF Connectivity Forwarding Plane
Diagram (packet from VPN-B-2 to 152.12.4.1; VRF-to-VRF connectivity between PE-ASBRs): PE-2 pushes [LDP label for PE-ASBR-2, 92]; PE-ASBR-2 removes the labels and forwards a plain IP packet to PE-ASBR-1 over the VPN-B VRF interface; PE-ASBR-1 pushes [LDP label for PE-1, 29]; PE-1 pops label 29 and delivers the packet to VPN-B-1.
Option 2: External MP-BGP for VPNv4 Prefix Exchange
• Recommended when a larger number of VRFs needs to be supported
• ASBRs are directly connected and belong to only a couple of service providers
• Traffic crosses only a single-hop network
External MP-BGP for VPNv4 Prefix Exchange (Cont.)
• Gateway PE-ASBRs exchange routes directly using BGP
  - External MP-BGP for VPNv4 prefix exchange
  - No LDP or IGP
• MP-BGP session with next hop set to the advertising PE-ASBR
  - Next hop and labels are rewritten when advertised across the inter-provider MP-BGP session
• PE-ASBR stores all VPN routes that need to be exchanged
  - Only within the BGP table (no VRFs)
  - Labels are populated into the LFIB of the PE-ASBR
External MP-BGP for VPNv4
• Receiving gateway PE-ASBRs may allocate a new label if desired
  - Controlled by configuration of next-hop-self (default is off)
• Receiving PE-ASBR automatically creates a /32 host route for its PE-ASBR neighbor
  - Which must be advertised into the receiving IGP, if next-hop-self is NOT in operation, to maintain the LSP
• PE-ASBRs need to hold all Inter-AS VPN routes
External MP-BGP for VPNv4
Diagram: PE-ASBR-1 (AS #100) and PE-ASBR-2 (AS #200) run MP-eBGP for VPNv4; label exchange between the gateway PE-ASBR routers uses MP-eBGP (MP-BGP VPNv4 prefix exchange between gateway PE-ASBRs).
External MP-BGP for VPNv4 Control Plane
Diagram (route 152.12.4.0/24 of VPN-B-1, learned by PE-1 from CE-2, propagated to VPN-B-2 behind PE-2):
• CE-2 → PE-1 (BGP, OSPF or RIPv2): 152.12.4.0/24, NH=CE-2
• PE-1 → PE-ASBR-1 (VPNv4 update): RD 1:27:152.12.4.0/24, NH=PE-1, RT=1:222, Label=(L1)
• PE-ASBR-1 → PE-ASBR-2 (VPNv4 update): RD 1:27:152.12.4.0/24, NH=PE-ASBR-1, RT=1:222, Label=(L2)
• PE-ASBR-2 → PE-2 (VPNv4 update): RD 1:27:152.12.4.0/24, NH=PE-ASBR-2, RT=1:222, Label=(L3)
• PE-2 → CE-3 (BGP, OSPF or RIPv2): 152.12.4.0/24, NH=PE-2
External MP-BGP for VPNv4 Forwarding Plane
Diagram (packet from VPN-B-2 to 152.12.4.1): PE-2 pushes [LDP label for PE-ASBR-2, L3]; the PE-ASBRs swap the VPN label across the inter-AS link; PE-ASBR-1 forwards with [LDP label for PE-1, L1]; PE-1 pops L1 and delivers the IP packet to VPN-B-1.
Option 3: Multi-Hop External MP-BGP for VPNv4
• Useful for exchanging a large number of routes with the same or multiple service providers; traffic crosses more than one hop
• External MP-BGP between PE-ASBR routers (as in Option 2)
• PE-ASBR routers exchange routes across a multi-hop BGP session
  - External MP-BGP for VPNv4 prefix exchange
• IGP and LDP required between PE-ASBR routers to maintain the end-to-end internal LSP
  - Can use static routing to interface addresses
• No /32 host route created for adjacent PE-ASBR routers
Multi-Hop External MP-BGP for VPNv4
Diagram: PE-ASBR-1 (AS #1) and PE-ASBR-2 (AS #2) run a multi-hop MP-eBGP session for VPNv4, with IGP & LDP between them; PE-1/CE-1 (VPN-A-1) and PE-2/CE-4 (VPN-A-2) on either side.
Multi-Hop External MP-BGP for VPNv4 Control Plane
Diagram (route 152.12.4.0/24 of VPN-B-1 propagated to VPN-B-2):
• CE-2 → PE-1 (BGP, OSPF or RIPv2): 152.12.4.0/24, NH=CE-2
• PE-1 → PE-ASBR-1 (VPNv4 update): RD 1:27:152.12.4.0/24, NH=PE-1, RT=1:222, Label=(L1)
• PE-ASBR-1 → PE-ASBR-2 (multi-hop VPNv4 update): RD 1:27:152.12.4.0/24, NH=PE-ASBR-1, RT=1:222, Label=(L2); PE-ASBR-1's address is distributed toward PE-ASBR-2 by IGP & LDP
• PE-ASBR-2 → PE-2 (VPNv4 update): RD 1:27:152.12.4.0/24, NH=PE-ASBR-2, RT=1:222, Label=(L3)
• PE-2 → CE-3 (BGP, OSPF or RIPv2): 152.12.4.0/24, NH=PE-2
Multi-Hop External MP-BGP for VPNv4 Forwarding Plane
Diagram (packet from VPN-B-2 to 152.12.4.1): PE-2 pushes [LDP label for PE-ASBR-2, L3]; PE-ASBR-2 forwards [LDP label for PE-ASBR-1, L2]; PE-ASBR-1 forwards [LDP label for PE-1, L1]; PE-1 pops L1 and delivers the IP packet to VPN-B-1.
Option 4: Multihop MP-eBGP for VPNv4 between RRs: Application Note
• Multi-hop MP-eBGP with RR is useful for off-loading VPNv4 routes to the RR for scalability purposes. ASBRs will not need to maintain VPNv4 routes.
• MPLS VPN providers exchange VPNv4 prefixes via their Route Reflectors
  - Requires multihop MP-eBGP (VPNv4 routes)
• Next-hop-self MUST be disabled on the Route Reflector
  - Preserves next hop and label as allocated by the originating PE router
• Providers exchange IPv4 routes with labels between directly connected ASBRs using eBGP
  - Only PE loopback addresses are exchanged, as these are the BGP next-hop addresses
Multihop MP-eBGP for VPNv4 between RRs
Diagram: RR-1 (AS #100) and RR-2 (AS #200) run multihop MP-eBGP for VPNv4 with no next-hop-self (multihop MP-eBGP VPNv4 prefix exchange between Route Reflectors); the ASBRs exchange BGP next-hop addresses with labels over eBGP IPv4 + Labels. PE-1 attaches CE-1 (VPN-A-1) and CE-2 (VPN-B-1); PE-2 attaches CE-3 (VPN-B-2) and CE-4 (VPN-A-2).
Multihop MP-eBGP for VPNv4 between RRs: Control Plane
Diagram:
• CE-2 → PE-1 (BGP, OSPF or RIPv2): 152.12.4.0/24, NH=CE-2
• PE-1 → RR-1 (VPNv4 update): RD 1:27:152.12.4.0/24, NH=PE-1, RT=1:222, Label=(L1)
• RR-1 → RR-2 (multihop MP-eBGP, no next-hop-self) → PE-2: RD 1:27:152.12.4.0/24, NH=PE-1, RT=1:222, Label=(L1), unchanged
• ASBR-1 → ASBR-2 (eBGP IPv4 + labels): Network=PE-1, NH=ASBR-1, Label=(L2)
• ASBR-2 → SP #2 (PE-2): Network=PE-1, NH=ASBR-2, Label=(L3)
• PE-2 → CE-3 (BGP, OSPF or RIPv2): 152.12.4.0/24, NH=PE-2
Multihop MP-eBGP for VPNv4 between RRs: Forwarding Plane
Diagram (packet from VPN-B-2 to 152.12.4.1): PE-2 pushes [LDP label for ASBR-2, L3, L1]; ASBR-2 swaps the top label and sends [L2, L1] to ASBR-1; inside AS #100 the packet carries [LDP label for PE-1, L1]; PE-1 pops L1 and delivers the IP packet to VPN-B-1 behind CE-2.
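The next-hop and label handling of Option 2 (MP-eBGP between PE-ASBRs with next-hop-self, the External MP-BGP for VPNv4 slides) and of Option 4 (multihop MP-eBGP between RRs with next-hop-unchanged plus eBGP IPv4+labels between the ASBRs) as a small Python model. This is an added example, not part of the Cisco deck; router names, RD 1:27, RT 1:222 and 152.12.4.0/24 follow the slides, while the numeric label values and the "ldp:<router>" transport-label notation are constructed here.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple, Union

# Stack entry: an MPLS label (int) or "ldp:<router>", the IGP/LDP transport label that
# reaches that router inside its own AS. Index 0 is the top of the stack.
Label = Union[int, str]

@dataclass(frozen=True)
class Vpnv4Route:
    rd: str
    prefix: str
    rt: str
    next_hop: str
    label: int

class Router:
    """Label allocator plus an LFIB: incoming label -> (labels that replace it, next hop)."""
    def __init__(self, name: str, first_label: int) -> None:
        self.name, self._next = name, first_label
        self.lfib: Dict[int, Tuple[List[Label], str]] = {}
        self.vpnv4: List[Vpnv4Route] = []   # VPNv4 routes this router has to hold

    def alloc(self) -> int:
        self._next += 1
        return self._next - 1

    def readvertise(self, r: Vpnv4Route, next_hop_self: bool,
                    transport: Optional[str] = None) -> Vpnv4Route:
        """Pass a VPNv4 route on over BGP. With next-hop-self: allocate a fresh label and
        program a swap to the received label (under the transport label toward the old
        next hop, if needed). Without it (RR with next-hop-unchanged): pass it untouched."""
        self.vpnv4.append(r)
        if not next_hop_self:
            return r
        new = self.alloc()
        out: List[Label] = ([transport] if transport else []) + [r.label]
        self.lfib[new] = (out, r.next_hop)
        return replace(r, next_hop=self.name, label=new)

    def labeled_ipv4(self, dest: str, out: List[Label]) -> int:
        """eBGP IPv4+labels (Option 4 ASBRs): advertise PE loopback dest with a new label."""
        new = self.alloc()
        self.lfib[new] = (out, dest)
        return new

def switch(router: Router, stack: List[Label]) -> List[Label]:
    """One router's label operations: drop a transport label addressed to it, then apply
    the LFIB entry of the label now on top (an empty entry means pop)."""
    stack = list(stack)
    if stack and stack[0] == f"ldp:{router.name}":
        stack.pop(0)
    if stack and isinstance(stack[0], int) and stack[0] in router.lfib:
        out, _next_hop = router.lfib[stack.pop(0)]
        stack = out + stack
    return stack

def walk(stack: List[Label], path: List[Router]) -> List[List[Label]]:
    # Label stack as it leaves each router on the path from PE-2 toward the VPN site.
    hops = []
    for router in path:
        stack = switch(router, stack)
        hops.append(stack)
    return hops

ORIGIN = Vpnv4Route("1:27", "152.12.4.0/24", "1:222", "PE-1", 0)   # RD, RT, prefix from the slides

def option2() -> dict:
    """MP-eBGP for VPNv4 between PE-ASBRs, next-hop-self on both ASBRs."""
    pe1, asbr1, asbr2 = Router("PE-1", 29), Router("PE-ASBR-1", 100), Router("PE-ASBR-2", 200)
    r0 = replace(ORIGIN, label=pe1.alloc())                 # L1, NH=PE-1
    pe1.lfib[r0.label] = ([], "VRF VPN-B")                   # pop L1, IP lookup in the VRF
    r1 = asbr1.readvertise(r0, True, transport="ldp:PE-1")  # L2, NH=PE-ASBR-1
    r2 = asbr2.readvertise(r1, True)                         # L3, NH=PE-ASBR-2 (direct link, no LDP)
    stack: List[Label] = ["ldp:PE-ASBR-2", r2.label]        # what PE-2 pushes
    return {"updates": [r0, r1, r2], "pe2_stack": stack,
            "hops": walk(stack, [asbr2, asbr1, pe1]),
            "asbr_vpnv4": len(asbr1.vpnv4) + len(asbr2.vpnv4)}

def option4() -> dict:
    """Multihop MP-eBGP between RRs (next-hop-unchanged) plus eBGP IPv4+labels between ASBRs."""
    pe1, rr1, rr2 = Router("PE-1", 29), Router("RR-1", 0), Router("RR-2", 0)
    asbr1, asbr2 = Router("ASBR-1", 100), Router("ASBR-2", 200)
    r0 = replace(ORIGIN, label=pe1.alloc())
    pe1.lfib[r0.label] = ([], "VRF VPN-B")
    r1 = rr2.readvertise(rr1.readvertise(r0, False), False)  # NH=PE-1 and L1 preserved end to end
    l2 = asbr1.labeled_ipv4("PE-1", ["ldp:PE-1"])           # Network=PE-1, NH=ASBR-1, Label=L2
    l3 = asbr2.labeled_ipv4("PE-1", [l2])                   # Network=PE-1, NH=ASBR-2, Label=L3
    stack: List[Label] = ["ldp:ASBR-2", l3, r1.label]       # transport, BGP label, VPN label
    return {"updates": [r0, r1], "pe2_stack": stack,
            "hops": walk(stack, [asbr2, asbr1, pe1]),
            "asbr_vpnv4": len(asbr1.vpnv4) + len(asbr2.vpnv4)}
```

The two results make the slides' contrast concrete: Option 2 rewrites next hop and label at every PE-ASBR and leaves both ASBRs holding the VPNv4 route, while Option 4 carries L1 untouched under a BGP label for the PE-1 loopback and leaves the ASBRs with no VPNv4 state at all.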
Option 5: Non-VPN Transit Provider
• Two MPLS VPN providers may exchange routes via third parties (non-VPN transit backbones running MPLS)
• Multihop MP-eBGP deployed between the edge providers
  - With the exchange of BGP next hops via the transit provider
• Providers may change the AS# within each region
  - Transit network is not part of the AS path
• Requirement to propagate BGP next hops and also build end-to-end LSPs
• Options for end-to-end LSP creation
  - Merge IGPs of all ASes including the transit network
  - Redistribute PE host routes between ASes
  - Use static routes across boundaries; redistribute into IGP
  - Use IPv4 + labels
Non-VPN Transit Provider
Diagram: MPLS VPN Provider #100 (PE-1, RR-1, ASBR-1) and MPLS VPN Provider #200 (PE-2, RR-2, ASBR-4) are connected through a Non-VPN MPLS Transit Backbone (ASBR-2, ASBR-3). RR-1 and RR-2 run multihop MP-eBGP (or MP-iBGP) for VPNv4 with NO next-hop-self; each ASBR pair (ASBR-1/ASBR-2 and ASBR-3/ASBR-4) exchanges eBGP IPv4 + Labels. CE-2 (VPN-B-1) attaches to PE-1 and CE-3 (VPN-B-2) to PE-2.
Non-VPN Transit Provider Control Plane
Diagram (inner label exchange and the end-to-end LSP used as forwarding path):
• CE-2 → PE-1 (BGP, OSPF or R IPv2): 152.12.4.0/24, NH=CE-2
• RR-1 → RR-2 → PE-2 (VPNv4, next hop unchanged): 152.12.4.0/24, NH=PE-1, RT=1:222, Label=(L1)
• PE-1's loopback is propagated with eBGP IPv4 + labels:
  - ASBR-1 → ASBR-2: Network=PE-1, NH=ASBR-1, Label=(L2)
  - ASBR-2 → ASBR-3 (across the Non-VPN MPLS Transit Backbone): Network=PE-1, NH=ASBR-2, Label=(L3)
  - ASBR-3 → ASBR-4: Network=PE-1, NH=ASBR-3, Label=(L4)
  - ASBR-4 → PE-2 (MPLS VPN Provider #2): Network=PE-1, NH=ASBR-4, Label=(L5)
Non-VPN Transit Provider Forwarding Plane
Diagram (packet from VPN-B-2 to 152.12.4.1): PE-2 pushes [LDP label for ASBR-4, L5, L1]; the top label is swapped hop by hop (L4 toward ASBR-3, [transit LDP label for ASBR-2, L3] across the Non-VPN MPLS Transit Backbone, L2 toward ASBR-1, then the LDP label for PE-1 inside Provider #100) while the VPN label L1 stays in place until PE-1 pops it and delivers the packet to VPN-B-1.
Why IPv4 BGP Label Distribution?
• Allows a VPN service provider network to exchange IPv4 routes with MPLS labels
• Uses BGP to distribute the labels associated with the routes at the same time it distributes the routes
Diagram: ASBR-1 (AS #100, with AS1_PE1 behind it) and ASBR-2 (AS #200, with AS2_PE1 behind it) exchange eBGP IPv4 + Labels.
Benefits:
• Eliminates the need for any other label distribution protocol between the two ASBRs
• Allows a non-VPN core network to act as a transit network for VPN traffic
IPv4 BGP Label Distribution Architecture
• A Subsequent Address Family Identifier (SAFI) value of 4 indicates that the NLRI contains a label
• If a BGP peer indicates, through BGP Capability Advertisement, that it can process Update messages with the specified SAFI field, a BGP speaker can use BGP to send labels
• No specific procedures are enforced in the RFC when the BGP peers are non-adjacent
• Accept labels only from trusted sources to assure proper security
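An added Python example, not from the deck, that encodes and parses the SAFI 4 labeled NLRI described above and then applies an inbound trust policy modelled on the ASBR route-maps in the sample configurations later in the deck: labels are accepted only from a configured eBGP peer, and only for the listed remote PE loopbacks. The peer name ASBR-2 and the 10.0.1.x loopbacks are constructed values for the example.

```python
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

WITHDRAW_LABEL_FIELD = 0x800000   # 3-octet label field carried in a withdrawal (RFC 3107)


def encode_labeled_nlri(prefix: str, labels: List[int]) -> bytes:
    """Build one SAFI 4 NLRI: a length octet counting the bits of label stack plus
    prefix, then 3 octets per label (20-bit label, 3 EXP bits, bottom-of-stack bit),
    then only as many prefix octets as the prefix length needs."""
    net = ipaddress.IPv4Network(prefix)
    stack = bytearray()
    for i, label in enumerate(labels):
        if not 0 <= label < (1 << 20):
            raise ValueError(f"label out of range: {label}")
        bos = 1 if i == len(labels) - 1 else 0
        stack += ((label << 4) | bos).to_bytes(3, "big")
    prefix_octets = net.network_address.packed[: (net.prefixlen + 7) // 8]
    return bytes([len(stack) * 8 + net.prefixlen]) + bytes(stack) + prefix_octets


def decode_labeled_nlri(data: bytes) -> Tuple[List[int], str, bytes]:
    """Parse the first NLRI in data and return (labels, prefix, remaining bytes).
    Labels are read until the bottom-of-stack bit (or the withdrawal marker); every
    length derived from the wire is checked before it is used."""
    if not data:
        raise ValueError("empty NLRI")
    bits, pos, labels = data[0], 1, []
    while True:
        if pos + 3 > len(data):
            raise ValueError("truncated label stack")
        field = int.from_bytes(data[pos:pos + 3], "big")
        pos += 3
        labels.append(field >> 4)
        if field & 1 or field == WITHDRAW_LABEL_FIELD:
            break
    plen = bits - 24 * len(labels)
    if not 0 <= plen <= 32:
        raise ValueError(f"length {bits} bits inconsistent with {len(labels)} label(s)")
    n = (plen + 7) // 8
    if pos + n > len(data):
        raise ValueError("truncated prefix")
    addr = ipaddress.IPv4Address(data[pos:pos + n].ljust(4, b"\x00"))
    return labels, str(ipaddress.IPv4Network((addr, plen), strict=False)), data[pos + n:]


# Constructed inbound policy in the spirit of the deck's ASBR route-maps: from the
# eBGP peer ASBR-2, accept PE-2's loopback with its label and RR-2's loopback as a
# plain route; everything else from that peer, and everything from peers that are
# not configured, is dropped. The loopback values are placeholders for this example.
POLICY: Dict[str, Dict[str, Set[str]]] = {
    "ASBR-2": {"labeled": {"10.0.1.2/32"}, "unlabeled": {"10.0.1.3/32"}},
}

Accepted = Tuple[str, Optional[List[int]]]


def filter_labeled_update(peer: str, nlri: bytes,
                          policy: Dict[str, Dict[str, Set[str]]] = POLICY) -> List[Accepted]:
    """Apply the inbound policy to a run of SAFI 4 NLRIs received from peer. Returns
    the routes to install as (prefix, labels), or (prefix, None) when the labels are
    deliberately discarded; withdrawals and unlisted prefixes are not installed."""
    rules = policy.get(peer)
    if rules is None:                      # untrusted source: accept no labels at all
        return []
    accepted: List[Accepted] = []
    while nlri:
        labels, prefix, nlri = decode_labeled_nlri(nlri)
        if labels == [WITHDRAW_LABEL_FIELD >> 4]:
            continue                       # withdrawal marker, nothing to install here
        if prefix in rules["labeled"]:
            accepted.append((prefix, labels))
        elif prefix in rules["unlabeled"]:
            accepted.append((prefix, None))
    return accepted
```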
IPv4 BGP Label Distribution Configuration
• ASBRs (and RR if in use)
    address-family ipv4
     ! Redistributing IGP into BGP
     neighbor <neighbor's loopback address> send-label
• AS1_PE1
    neighbor <RR> send-label
    neighbor <ASBR-1> send-label
• RR
    neighbor <ASBR-1> send-label
    neighbor <AS1_PE1> send-label
Summary: Back-to-Back VRF Connectivity
• Scalability is an issue with many VPNs
  - One VRF and logical interface required per VPN client; gateway PE-ASBR must hold ALL routing information
• PE-ASBR must filter and store VPNv4 prefixes
  - Plus import them into VRFs, thus increasing MPLS, CEF and routing table memory
• No MPLS label switching required between providers
  - Standard IP between gateway PE-ASBRs; no exchange of routes using MP-eBGP; simple solution, works today but limited in deployment scope
Summary: MP-eBGP for VPNv4 Prefix Exchange
• Scalability less of an issue when compared to back-to-back VRF connectivity
  - Only one interface required between PE-ASBR routers; no VRF requirement on any PE-ASBR router interface
• Automatic Route Filtering must be disabled
  - Hence filtering on RT values is essential, and a good filtering policy must be applied on EVERY PE-ASBR; import of routes into VRFs is not required, which reduces the memory impact on PE-ASBR routers
• MPLS label switching required between providers
  - Routes exchanged using MP-eBGP; still simple, more scalable and works today
Summary: Multi-hop MP-eBGP for VPNv4
• More scalable than back-to-back VRF or MP-eBGP for VPNv4
  - As ALL VPNv4 routes are held on route reflectors and NOT on PE-ASBR routers
• Route Reflectors hold VPNv4 information
  - Each provider utilizes route reflectors locally for VPNv4 prefix distribution; eBGP connection added for exchange with the external peer
• BGP next-hop addresses exchanged between providers across PE-ASBR links using IPv4 + labels
  - Separation of forwarding and control planes; IPv4 + labels
INTER-AS SAMPLE CONFIGURATIONS
Multihop and Label Distribution with RR: Network Topology
Goal: distribute the VPNv4 and IPv4 routes, and the MPLS labels of remote PEs/RRs, to local PEs and RRs.
Diagram: AS #100 (RR-1 aa.aa, ASBR-1 ww.ww, PE-1 ee.ee) and AS #200 (RR-2 bb.bb, ASBR-2 xx.xx, PE-2 ff.ff). RR-1 and RR-2 run multihop MP-eBGP for VPNv4 with no next-hop-self; ASBR-1 and ASBR-2 exchange BGP next-hop addresses with labels over eBGP IPv4 + Labels.
Network Specifications and Requirements
• AS 100 uses the route reflectors to distribute the IPv4/VPNv4 routes and MPLS labels from the ASBR to the PE
• In AS 200, the IPv4 routes that ASBR2 learned are redistributed into the IGP
• IP addressing: RR1: aa.aa; RR2: bb.bb; ASBR-1: ww.ww; ASBR-2: xx.xx; PE1: ee.ee; PE2: ff.ff
Network Specifications and Requirements
• RR1 exchanges VPNv4 routes with RR2 using multiprotocol, multihop EBGP
• VPNv4 next-hop information and the VPN label are preserved across the autonomous systems
• RR1 reflects to PE1 the VPNv4 routes learned from RR2 and the IPv4 routes and MPLS labels learned from ASBR1
Route Reflector 1 Configuration (Cont.)

ip subnet-zero
ip cef
!
interface Loopback0
 ip address aa.aa.aa 255.255.255.255
 no ip directed-broadcast
!
router bgp 100
 bgp cluster-id 1
 bgp log-neighbor-changes
 timers bgp 10 30
 neighbor ee.ee.ee remote-as 100
 neighbor ee.ee.ee update-source Loopback0
 neighbor ww.ww.ww remote-as 100
 neighbor ww.ww.ww update-source Loopback0
 neighbor bb.bb.bb remote-as 200
 neighbor bb.bb.bb ebgp-multihop 255
 neighbor bb.bb.bb update-source Loopback0
 no auto-summary
 !
 address-family ipv4
  neighbor ee.ee.ee activate
  neighbor ee.ee.ee route-reflector-client
  neighbor ee.ee.ee send-label                 !IPv4+labels session to PE1
  neighbor ww.ww.ww activate
  neighbor ww.ww.ww route-reflector-client
  neighbor ww.ww.ww send-label                 !IPv4+labels session to ASBR1
  no neighbor bb.bb.bb activate
  no auto-summary
  no synchronization
 exit-address-family
 !
 address-family vpnv4
  neighbor ee.ee.ee activate
  neighbor ee.ee.ee route-reflector-client
  neighbor ee.ee.ee send-community extended    !VPNv4 session with PE1
  neighbor bb.bb.bb activate
  neighbor bb.bb.bb next-hop-unchanged         !MH-VPNv4 session with RR2
  neighbor bb.bb.bb send-community extended
 exit-address-family
!
Route Reflector 2 Configuration (Cont.)
• RR2 exchanges VPNv4 routes with RR1 through multihop, multiprotocol EBGP
• Next hop and the VPN label are preserved across the autonomous systems

ip subnet-zero
ip cef
!
interface Loopback0
 ip address bb.bb.bb 255.255.255.255
 no ip directed-broadcast
!
router bgp 200
 bgp cluster-id 1
 bgp log-neighbor-changes
 timers bgp 10 30
 neighbor aa.aa.aa remote-as 100
 neighbor aa.aa.aa ebgp-multihop 255
 neighbor aa.aa.aa update-source Loopback0
 neighbor ff.ff.ff remote-as 200
 neighbor ff.ff.ff update-source Loopback0
 no auto-summary
 !
 address-family vpnv4
  neighbor aa.aa.aa activate
  neighbor aa.aa.aa next-hop-unchanged         !Multihop VPNv4 session with RR1
  neighbor aa.aa.aa send-community extended
  neighbor ff.ff.ff activate
  neighbor ff.ff.ff route-reflector-client     !VPNv4 session with PE2
  neighbor ff.ff.ff send-community extended
 exit-address-family
!
ASBR-1 Configuration
ASBR1 exchanges IPv4 routes and MPLS labels with ASBR2

ip subnet-zero
mpls label protocol tdp
!
interface Loopback0
 ip address ww.ww.ww 255.255.255.255
 no ip directed-broadcast
 no ip route-cache
 no ip mroute-cache
!
router bgp 100                               !The BGP process header and neighbor definitions are not on
 neighbor aa.aa.aa remote-as 100             !the original slide; they are reconstructed from the topology
 neighbor aa.aa.aa update-source Loopback0   !and the ASBR-2 configuration (hh.0.0.1 is ASBR2 in AS 200)
 neighbor hh.0.0.1 remote-as 200
 !
 address-family ipv4
  redistribute ospf 10                       !Redistributing IGP into BGP so that PE1 & RR1
  neighbor aa.aa.aa activate                 !loopbacks get into the BGP table
  neighbor aa.aa.aa send-label
  neighbor hh.0.0.1 activate
  neighbor hh.0.0.1 advertisement-interval 5
  neighbor hh.0.0.1 send-label
  neighbor hh.0.0.1 route-map IN in          !accepting routes from route-map IN
  neighbor hh.0.0.1 route-map OUT out        !distributing routes from route-map OUT
  no auto-summary
  no synchronization
 exit-address-family
 !
 address-family vpnv4
  neighbor aa.aa.aa activate
  neighbor aa.aa.aa send-community extended
 exit-address-family
!
access-list 1 permit ee.ee.ee log            !Set up the access lists
access-list 2 permit ff.ff.ff log
access-list 3 permit aa.aa.aa log
access-list 4 permit bb.bb.bb log
!
route-map IN permit 10                       !Setting up the route maps
 match ip address 2                          !ASBR1 should accept PE2's route (ff.ff) with labels and
 match mpls-label                            !RR2's route (bb.bb) without labels
!
route-map IN permit 11
 match ip address 4
!
route-map OUT permit 12                      !ASBR1 should distribute PE1's route (ee.ee) with labels and
 match ip address 3                          !RR1's route (aa.aa) without labels
!
route-map OUT permit 13
 match ip address 1
 set mpls-label
ASBR-2 Configuration
• ASBR2 and ASBR1 exchange IPv4 routes and MPLS labels
• ASBR2 does not use the RR to reflect IPv4 routes and MPLS labels to PE2
• ASBR2 redistributes the IPv4 routes and MPLS labels learned from ASBR1 into the IGP
• PE2 can now reach the prefixes
ASBR-2 Configuration (Cont.)

ip subnet-zero
ip cef
!
interface Loopback0
 ip address xx.xx.xx 255.255.255.255
 no ip directed-broadcast
!
router bgp 200
 bgp log-neighbor-changes
 timers bgp 10 30
 neighbor bb.bb.bb remote-as 200
 neighbor bb.bb.bb update-source Loopback0
 neighbor hh.0.0.2 remote-as 100
 no auto-summary
 !
 address-family ipv4
  redistribute ospf 20                       !Redistributing IGP into BGP so that PE2 & RR2
  neighbor hh.0.0.2 activate                 !loopbacks will get into the BGP-4 table
  neighbor hh.0.0.2 advertisement-interval 5
  neighbor hh.0.0.2 route-map IN in
  neighbor hh.0.0.2 route-map OUT out
  neighbor hh.0.0.2 send-label
  no auto-summary
  no synchronization
 exit-address-family
 !
 address-family vpnv4
  neighbor bb.bb.bb activate
  neighbor bb.bb.bb send-community extended
 exit-address-family
!
access-list 1 permit ff.ff.ff log            !Setting up the access lists
access-list 2 permit ee.ee.ee log
access-list 3 permit bb.bb.bb log
access-list 4 permit aa.aa.aa log
!
route-map IN permit 11                       !Setting up the route maps
 match ip address 2
 match mpls-label
!
route-map IN permit 12
 match ip address 4
!
route-map OUT permit 10
 match ip address 1
 set mpls-label
!
route-map OUT permit 13
 match ip address 3
!
INTER-AS SUMMARY
Inter-AS Summary
• Service Providers have deployed Inter-AS for:
  - Scalability purposes
  - Partitioning the network based on services or management boundaries
• Some contract work is in progress amongst Service Providers to establish partnerships and offer end-to-end VPN services to the common customer base
• Service Provider networks are completely separate
  - Do not need to exchange internal prefix or label information
• Each Service Provider establishes a direct MP-eBGP session with the others to exchange VPN-IPv4 addresses with labels
• A /32 route to reach the ASBR is created by default so ASBRs can communicate without a need for IGP
  - Must be redistributed into the receiving Service Provider's IGP
Inter-AS Summary (Cont.)
• IGP or LDP across ASBR links is not required
  - Labels are already assigned to the routes when exchanged via MP-eBGP
  - Interface used to establish the MP-eBGP session does not need to be associated with a VRF
• Direct eBGP routes and labels can be exchanged
• Next-hop-self can be turned on at the ASBRs, enabling the ASBR to use its own address as next hop
• Using next-hop-self requires an additional entry in the TFIB for each VPNv4 route (about 180 bytes)
• If the Service Provider wishes to hide the Inter-AS link, use the next-hop-self method; otherwise use the redistribute connected subnets method
Inter-AS Summary (Cont.)
• Multi-hop MP-eBGP sessions can be passed between Service Providers without conversions to VPNv4 routes
• Configuration of VRFs is not required on the ASBRs because bgp default route-target filter (the automatic route filtering feature) has been disabled
• To conserve memory on both sides of the boundary and implement a simple form of security, always configure inbound route-maps to filter only the routes that need to be passed to the other AS