MPLS VPN TOI
eosborne@cisco.com
© 2001, Cisco Systems, Inc.
Agenda
• How MPLS VPN works
• What code is MPLS VPN in?
• Platform issues in implementation
• Lab demo - config

How MPLS-VPN Works
• Concepts and goals
• Terminology
• Connection model
• Forwarding
• Mechanisms
• Topologies
• Scaling
• Configuration

MPLS-VPN: What is a VPN?
• An IP network infrastructure delivering private network services over a public infrastructure
  - Uses a layer 3 backbone
  - Scalability, easy provisioning
  - Global as well as non-unique private address space
  - QoS
  - Controlled access
  - Easy configuration for customers

VPN Models - The Overlay model
• Private trunks over a TELCO/SP shared infrastructure
  - Leased/dial-up lines
  - FR/ATM circuits
  - IP (GRE) tunnelling
• Transparency between provider and customer networks
• Optimal routing requires a full mesh over the backbone

VPN Models - The Peer model
• Both provider and customer networks use the same network protocol
• CE and PE routers have a routing adjacency at each site
• All provider routers hold the full routing information about all customer networks
• Private addresses are not allowed
• May use the virtual router capability
  - Multiple routing and forwarding tables based on customer networks

VPN Models - MPLS-VPN: The True Peer model
• Same as the Peer model BUT !!!
• Provider Edge routers receive and hold routing information only about directly connected VPNs
  - Reduces the amount of routing information a PE router will store
  - Routing information is proportional to the number of VPNs a router is attached to
• MPLS is used within the backbone to switch packets (no need for full routing)
MPLS-VPN Terminology
• Provider Network (P-Network)
  - The backbone under control of a Service Provider
• Customer Network (C-Network)
  - Network under customer control
• CE router
  - Customer Edge router. Part of the C-network and interfaces to a PE router

MPLS-VPN Terminology
• Site
  - Set of (sub)networks that are part of the C-network and co-located
  - A site is connected to the VPN backbone through one or more PE/CE links
• PE router
  - Provider Edge router. Part of the P-network and interfaces to CE routers
• P router
  - Provider (core) router, without knowledge of VPNs

MPLS-VPN Terminology
• Border router
  - Provider Edge router interfacing to other provider networks
• Extended Community
  - BGP attribute used to identify a Route-origin and a Route-target
• Site of Origin Identifier (SOO)
  - 64 bits identifying the routers where the route has been originated

MPLS-VPN Terminology
• Route-Target
  - 64 bits identifying the routers that should receive the route
• Route Distinguisher
  - Attribute of each route used to uniquely identify prefixes among VPNs (64 bits)
  - VRF based (not VPN based)
• VPN-IPv4 addresses
  - Address including the 64-bit Route Distinguisher and the 32-bit IP address

MPLS-VPN Terminology
• VRF
  - VPN Routing and Forwarding Instance
  - Routing table and FIB table
  - Populated by routing protocol contexts
• VPN-aware network
  - A provider backbone where MPLS-VPN is deployed
MPLS VPN Connection Model
• A VPN is a collection of sites sharing common routing information (routing table)
• A site can be part of different VPNs
• A VPN has to be seen as a community of interest (or Closed User Group)
• Multiple Routing/Forwarding instances (VRFs) on PE routers

MPLS VPN Connection Model
[Figure: Site-1 through Site-4 overlapping VPN-A, VPN-B and VPN-C]
• A site belonging to different VPNs may or MAY NOT be used as a transit point between VPNs
• If two or more VPNs have a common site, the address space must be unique among these VPNs

MPLS VPN Connection Model
• The VPN backbone is composed of MPLS LSRs
  - PE routers (edge LSRs)
  - P routers (core LSRs)
• PE routers face CE routers and distribute VPN information through MP-BGP to other PE routers
  - VPN-IPv4 addresses, Extended Community, Label
• P routers do not run BGP and do not have any VPN knowledge

MPLS VPN Connection Model
[Figure: iBGP sessions between PEs; CEs of VPN_A (10.1.0.0, 10.2.0.0, 11.5.0.0, 11.6.0.0) and VPN_B (10.1.0.0, 10.2.0.0, 10.3.0.0) attached to PEs around a core of P routers]
• P routers (LSRs) are in the core of the MPLS cloud
• PE routers use MPLS with the core and plain IP with CE routers
• P and PE routers share a common IGP

MPLS VPN Connection Model
[Figure: CEs at Site-1 and Site-2 attached to a PE; PE/CE routing via EBGP, OSPF, RIPv2 or static]
• PE and CE routers exchange routing information through EBGP, OSPF, RIPv2 or static routing
• CE routers run standard routing software

MPLS VPN Connection Model
[Figure: CEs at Site-1 and Site-2 attached to a PE; PE/CE routing via EBGP, OSPF, RIPv2 or static; VPN backbone IGP (OSPF, IS-IS)]
• PE routers maintain separate routing tables
  - The global routing table
    With all PE and P routes
    Populated by the VPN backbone IGP (IS-IS or OSPF)
  - VRF (VPN Routing and Forwarding)
    Routing and forwarding table associated with one or more directly connected sites (CEs)
    VRFs are associated to (sub/virtual/tunnel) interfaces
    Interfaces may share the same VRF if the connected sites may share the same routing information

MPLS VPN Connection Model
[Figure: CEs at Site-1 and Site-2 attached to a PE]
• Different sites sharing the same routing information may share the same VRF
• Interfaces connecting these sites will use the same VRF
• Sites belonging to the same VPN may share the same VRF

MPLS VPN Connection Model
[Figure: CEs at Site-1 and Site-2 attached to a PE; PE/CE routing via EBGP, OSPF, RIPv2 or static; VPN backbone IGP]
• The routes the PE receives from CE routers are installed in the appropriate VRF
• The routes the PE receives through the backbone IGP are installed in the global routing table
• By using separate VRFs, addresses need NOT be unique among VPNs

MPLS VPN Connection Model
• The global routing table is populated by IGP protocols
• In PE routers it may contain the BGP Internet routes (standard BGP-4 routes)
• BGP-4 (IPv4) routes go into the global routing table
• MP-BGP (VPN-IPv4) routes go into VRFs

MPLS VPN Connection Model
[Figure: two PEs with an iBGP session across a core of P routers running the VPN backbone IGP]
• PE and P routers share a common IGP (IS-IS or OSPF)
• PEs establish MP-iBGP sessions between them
• PEs use MP-BGP to exchange routing information related to the connected sites and VPNs

MPLS VPN Connection Model - MP-BGP Update
• VPN-IPv4 address
  - Route Distinguisher (64 bits)
    Makes the IPv4 route globally unique
    RD is configured in the PE for each VRF
    RD may or may not be related to a site or a VPN
  - IPv4 address (32 bits)
• Extended Community attribute (64 bits)
  - Site of Origin (SOO): identifies the originating site
  - Route-target (RT): identifies the set of sites the route has to be advertised to

MPLS VPN Connection Model - MP-BGP Update
• Any other standard BGP attribute
  - Local Preference
  - MED
  - Next-hop
  - AS_PATH
  - Standard Community
  - ...
• A Label identifying:
  - The outgoing interface
  - The VRF where a lookup has to be done (aggregate label)
  - The BGP label will be the second label in the label stack of packets travelling in the core

MPLS VPN Connection Model - MP-BGP Update - Extended community
• BGP extended community attribute
  - Structured, to support multiple applications
  - 64 bits for increased range
• General form
  - <16-bit type>:<ASN>:<32-bit number>  (registered AS number)
  - <16-bit type>:<IP address>:<16-bit number>  (registered IP address)

MPLS VPN Connection Model - MP-BGP Update - Extended community
• The Extended Community is used to:
  - Identify one or more routers where the route has been originated (site): Site of Origin (SOO)
  - Select the sites which should receive the route: Route-Target
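An added example (my own code, not from the deck or from Cisco) that packs and unpacks the 64-bit RD and extended-community values in the two general forms above, and builds the 96-bit VPN-IPv4 address from an RD and a prefix. The layouts are the slide's; the 16-bit type values for Route-Target (0x0002 AS-based, 0x0102 IP-based) and Site of Origin (0x0003, 0x0103) are the ones registered for these communities in RFC 4360, and the AS number, addresses and prefixes are constructed sample values:

```python
"""Added example, not from the original deck: encode and decode the 64-bit
Route Distinguisher and extended-community values described on the slides,
and show that only the RD keeps two identical customer prefixes apart as
VPN-IPv4 addresses.  Sample values (AS 100, 192.168.1.2, 10.1.0.0/16) are
constructed; RT/SOO type values are RFC 4360's."""
import ipaddress
import struct

# 16-bit type field, keyed by (kind, administrator-is-an-IP-address)
EXT_TYPES = {("rt", False): 0x0002, ("rt", True): 0x0102,
             ("soo", False): 0x0003, ("soo", True): 0x0103}
EXT_KINDS = {v: k[0] for k, v in EXT_TYPES.items()}
# RD type 1 and the IPv4-address-specific RT/SOO use the IP:16-bit layout
IP_LAYOUT_TYPES = {0x0001, 0x0102, 0x0103}


def pack64(type_field: int, admin: str, assigned: int) -> bytes:
    """8 bytes: type(16) + ASN(16) + number(32), or type(16) + IPv4(32) + number(16)."""
    if "." in admin:
        return struct.pack("!HIH", type_field, int(ipaddress.IPv4Address(admin)), assigned)
    return struct.pack("!HHI", type_field, int(admin), assigned)


def unpack64(raw: bytes) -> tuple:
    """Inverse of pack64: (type_field, 'admin:assigned'); layout chosen from the type."""
    if len(raw) != 8:
        raise ValueError("RD / extended community must be exactly 8 bytes")
    type_field = struct.unpack("!H", raw[:2])[0]
    if type_field in IP_LAYOUT_TYPES:
        ip, num = struct.unpack("!IH", raw[2:])
        return type_field, f"{ipaddress.IPv4Address(ip)}:{num}"
    asn, num = struct.unpack("!HI", raw[2:])
    return type_field, f"{asn}:{num}"


def encode_rd(text: str) -> bytes:
    """Route Distinguisher 'ASN:nn' (type 0) or 'A.B.C.D:nn' (type 1)."""
    admin, assigned = text.rsplit(":", 1)
    return pack64(1 if "." in admin else 0, admin, int(assigned))


def decode_rd(raw: bytes) -> str:
    type_field, text = unpack64(raw)
    if type_field not in (0, 1):
        raise ValueError(f"unknown RD type {type_field:#06x}")
    return text


def encode_ext_community(kind: str, text: str) -> bytes:
    """Route-Target ('rt') or Site-of-Origin ('soo') extended community."""
    admin, assigned = text.rsplit(":", 1)
    return pack64(EXT_TYPES[(kind, "." in admin)], admin, int(assigned))


def decode_ext_community(raw: bytes) -> tuple:
    """(kind, 'admin:assigned') for the RT / SOO types handled here."""
    type_field, text = unpack64(raw)
    if type_field not in EXT_KINDS:
        raise ValueError(f"unsupported extended community type {type_field:#06x}")
    return EXT_KINDS[type_field], text


def vpnv4_address(rd: str, prefix: str) -> bytes:
    """64-bit RD followed by the 32-bit IPv4 network address (96 bits in total)."""
    network = ipaddress.IPv4Network(prefix)
    return encode_rd(rd) + network.network_address.packed


def vpnv4_keys(routes: list) -> set:
    """Distinct VPN-IPv4 addresses for a list of (rd, prefix) pairs.  Two VRFs
    announcing the same 10.1.0.0/16 give two keys because their RDs differ."""
    return {vpnv4_address(rd, prefix).hex() for rd, prefix in routes}
```

`vpnv4_keys` is the point of the RD: 10.1.0.0/16 appears in both VPN_A and VPN_B in the diagrams, and only the RD in front of the prefix makes the two MP-BGP routes different keys.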
MPLS VPN Connection Model - MP-BGP Update
• The Label can be assigned only by the router whose address is the Next-Hop attribute
  - PE routers re-write the Next-Hop with their own address (loopback interface address)
    "Next-Hop-Self" BGP command towards iBGP neighbors
  - Loopback addresses are advertised into the backbone IGP
• PE addresses used as BGP Next-Hop must be uniquely known in the backbone IGP
  - No summarisation of loopback addresses in the core

MPLS VPN Connection Model
[Figure: CE-1 at Site-1 sends a BGP/RIPv2 update for Net1 (Next-Hop=CE-1) to PE-1; PE-1 sends the VPN-IPv4 update "RD:Net1, Next-hop=PE1, SOO=Site1, RT=Green, Label=(int.CE1)" across the VPN backbone IGP to PE-2; PE-2 translates it back into the IPv4 address Net1, puts it into VRF green since RT=Green, and advertises it to CE-2 at Site-2]
• PE routers receive IPv4 updates (EBGP, RIPv2, static)
• PE routers translate them into VPN-IPv4
  - Assign a SOO and RT based on configuration
  - Re-write the Next-Hop attribute
  - Assign a label based on VRF and/or interface
• Send an MP-iBGP update to all PE neighbors

MPLS VPN Connection Model
[Figure: the same exchange as on the previous slide (BGP, OSPF or RIPv2 update for Net1 from CE-1; VPN-IPv4 update from PE-1 to PE-2), seen from the receiving PE]
• Receiving PEs translate to IPv4
• Insert the route into the VRF identified by the RT attribute (based on PE configuration)
• The label associated to the VPN-IPv4 address will be set on packets forwarded towards the destination

MPLS VPN Connection Model
• Route distribution to sites is driven by the Site of Origin (SOO) and Route-target attributes
  - BGP Extended Community attribute
• A route is installed in the site VRF corresponding to the Route-target attribute
  - Driven by PE configuration
• A PE which connects sites belonging to multiple VPNs will install the route into the site VRF if the Route-target attribute contains one or more VPNs to which the site is associated
MPLS Forwarding - Packet forwarding
• PE and P routers have BGP next-hop reachability through the backbone IGP
• Labels are distributed through LDP (hop-by-hop) corresponding to the BGP Next-Hops
• The label stack is used for packet forwarding
  - Top label indicates the BGP Next-Hop (interior label)
  - Second-level label indicates the outgoing interface or VRF (exterior label)

MPLS Forwarding - Packet forwarding
• MPLS nodes forward packets based on the top label
• P routers do not have BGP (nor VPN) knowledge
  - No VPN routing information
  - No Internet routing information

MPLS Forwarding - Penultimate Hop Popping
• The upstream LDP peer of the BGP next-hop (PE router) will pop the first-level label
  - The penultimate hop will pop the label
  - Requested through LDP
• The egress PE router will forward the packet based on the second-level label, which gives the outgoing interface (and VPN)

MPLS Forwarding - Penultimate Hop Popping
[Figure: CE1 -> PE1 -> P1 -> P2 -> PE2 -> CE2 (CE3 also hangs off PE2); the packet leaves PE1 as "IGP Label(PE2) | VPN Label | IP packet", leaves P1 with the same stack, leaves P2 as "VPN Label | IP packet" and leaves PE2 as a plain IP packet]
• PE1 receives the IP packet
  - Lookup is done in the site VRF
  - A BGP route with Next-Hop and Label is found
  - The BGP next-hop (PE2) is reachable through an IGP route with an associated label
• P routers switch the packets based on the IGP label (label on top of the stack)
• Penultimate Hop Popping
  - P2 is the penultimate hop for the BGP next-hop
  - P2 removes the top label
  - This has been requested through LDP by PE2
• PE2 receives the packet with the label corresponding to the outgoing interface (VRF)
  - One single lookup
  - The label is popped and the packet sent to the IP neighbor CE2

MPLS VPN Forwarding
[Figure: the VPN_A/VPN_B topology shown earlier; the VPN_B FIB on PE1 lists entries of the form "<RD_B,10.2>, iBGP next hop PE2, T2", "<RD_B,10.3>, iBGP next hop PE3, T3", "<RD_A,11.6>, iBGP next hop PE1, T4", "<RD_A,10.1>, iBGP next hop PE4, T5", "<RD_A,10.4>, iBGP next hop PE4, T7", "<RD_A,10.2>, iBGP next hop PE2, T8"; the packet for VPN_B 10.2 leaves PE1 as "T8 | T2 | Data"]
• The ingress PE receives normal IP packets from the CE router
• The PE router does an "IP longest match" in the VPN_B FIB, finds iBGP next hop PE2 and imposes a stack of labels: exterior label T2 + interior label T8

MPLS VPN Forwarding
[Figure: the packet "T8 | T2 | Data" from PE1 is switched through the P routers on the interior label only (T8 -> TA -> TB), reaches PE2 as "TB | T2 | Data" and leaves PE2 towards the VPN_B 10.2.0.0 CE as plain "Data"; the P routers' in/out label table is shown alongside]
• All subsequent P routers switch the packet solely on the interior label
• The egress PE router removes the interior label
• The egress PE uses the exterior label to select which VPN/CE to forward the packet to
• The exterior label is removed and the packet routed to the CE router
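An added example (my own code, not from the deck or from Cisco) that traces the forwarding path of the penultimate-hop-popping slide step by step: the ingress PE does the longest match in the VRF FIB and imposes the IGP label of the BGP next-hop on top of the VPN label, the P routers switch on the top label only, the penultimate hop pops it, and the egress PE does a single lookup on the VPN label. Node names follow the figure; the label numbers, LFIB contents and destination addresses are constructed:

```python
"""Added example, not from the original deck: a model of two-label MPLS VPN
forwarding with penultimate hop popping.  Labels 17/23 (IGP) and 100/101
(VPN), the LFIBs and the destination addresses are constructed values."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Packet:
    dst: str
    labels: list = field(default_factory=list)   # label stack, index 0 = top

    def stack(self) -> str:
        return " | ".join([str(l) for l in self.labels] + ["IP " + self.dst])


def longest_match(dst: str, fib: dict) -> str:
    """Classic IP longest-prefix match over the VRF FIB keys."""
    addr = ipaddress.IPv4Address(dst)
    matches = [p for p in fib if addr in ipaddress.IPv4Network(p)]
    if not matches:
        raise LookupError(f"no VRF route for {dst}")
    return max(matches, key=lambda p: ipaddress.IPv4Network(p).prefixlen)


@dataclass
class IngressPe:
    name: str
    vrf_fib: dict   # prefix -> (vpn_label, bgp_next_hop); from MP-BGP
    igp_fib: dict   # bgp_next_hop -> (igp_label, ip_next_hop); from IGP + LDP

    def impose(self, pkt: Packet) -> str:
        vpn_label, bgp_nh = self.vrf_fib[longest_match(pkt.dst, self.vrf_fib)]
        igp_label, next_hop = self.igp_fib[bgp_nh]
        pkt.labels = [igp_label, vpn_label]      # interior on top, exterior below
        return next_hop


@dataclass
class Lsr:
    """A P router or the egress PE: forwards on the top label only."""
    name: str
    lfib: dict   # incoming label -> ("swap", out_label, next_hop) or ("pop", None, next_hop)

    def switch(self, pkt: Packet) -> str:
        action, out_label, next_hop = self.lfib[pkt.labels[0]]   # KeyError = unknown label
        pkt.labels.pop(0)
        if action == "swap":
            pkt.labels.insert(0, out_label)
        return next_hop


def build_topology():
    pe1 = IngressPe("PE1",
                    vrf_fib={"10.2.0.0/16": (100, "PE2"),    # per-prefix VPN labels from PE2
                             "10.0.0.0/8": (101, "PE2")},
                    igp_fib={"PE2": (17, "P1")})             # LDP label for PE2's loopback
    p1 = Lsr("P1", {17: ("swap", 23, "P2")})
    # P2 is the penultimate hop: PE2 asked for the pop through LDP, so P2 only ever
    # sees the IGP label and never needs to know label 100 or 101.
    p2 = Lsr("P2", {23: ("pop", None, "PE2")})
    pe2 = Lsr("PE2", {100: ("pop", None, "CE2"),             # VPN label -> outgoing interface
                      101: ("pop", None, "CE3")})
    return pe1, {"P1": p1, "P2": p2, "PE2": pe2}


def trace(dst: str) -> list:
    """(node, label stack after the node processed it, next hop) for every hop."""
    pe1, core = build_topology()
    pkt = Packet(dst)
    next_hop = pe1.impose(pkt)
    hops = [(pe1.name, pkt.stack(), next_hop)]
    while next_hop in core:
        node = core[next_hop]
        next_hop = node.switch(pkt)
        hops.append((node.name, pkt.stack(), next_hop))
    return hops
```

Run `trace("10.2.5.1")` and the stack shrinks exactly as drawn on the slide: two labels out of PE1, the top one swapped at P1, popped at P2, and PE2 pops the VPN label after one lookup and hands a plain IP packet to CE2. `trace("10.9.0.1")` hits the shorter /8 entry and ends at CE3 with the same core path.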
MPLS VPN mechanisms - VRF and Multiple Routing Instances
• VRF: VPN Routing and Forwarding Instance
  - VRF routing protocol context
  - VRF routing tables
  - VRF CEF forwarding tables

MPLS VPN mechanisms - VRF and Multiple Routing Instances
• VPN-aware routing protocols
  - Select/install routes in the appropriate routing table
  - Per-instance router variables
  - Not necessarily per-instance routing processes
  - eBGP, OSPF, RIPv2, static

MPLS VPN mechanisms - VRF and Multiple Routing Instances
• The VRF routing table contains the routes which should be available to a particular set of sites
• Analogous to the standard IOS routing table, supports the same set of mechanisms
• Interfaces (sites) are assigned to VRFs
  - One VRF per interface (sub-interface, tunnel or virtual-template)
  - Possibly many interfaces per VRF

MPLS VPN mechanisms - VRF and Multiple Routing Instances
[Figure: routing processes (BGP, RIP, static) -> routing contexts -> VRF routing tables -> VRF forwarding tables]
• Routing processes run within specific routing contexts
• They populate specific VPN routing tables and FIBs (VRFs)

MPLS VPN mechanisms - VRF and Multiple Routing Instances
[Figure, logical view: Site-1 through Site-4 overlapping VPN-A, VPN-B and VPN-C. Routing view: two PEs with multihop MP-iBGP across the P core; VRF for site-1 holds Site-1 and Site-2 routes; VRF for site-2 holds Site-1, Site-2 and Site-3 routes; VRF for site-3 holds Site-2, Site-3 and Site-4 routes; VRF for site-4 holds Site-3 and Site-4 routes]
Agenda
• Concepts and goals
• Terminology
• Connection model
• Forwarding
• Mechanisms
• Topologies
• Scaling
  - BGP-4 enhancements: capability negotiation, MPLS, Route Refresh, ORF
• Configuration
MPLS VPN Topologies
[Figure: iBGP sessions between PEs over the VPN_A/VPN_B topology shown earlier]
• VPN-IPv4 addresses are propagated together with the associated label in the BGP multiprotocol extension
• An Extended Community attribute (route-target) is associated to each VPN-IPv4 address, to populate the site VRF

MPLS VPN Topologies - VPN sites with optimal intra-VPN routing
• Each site has full routing knowledge of all other sites (of the same VPN)
• Each CE announces its own address space
• MP-BGP VPN-IPv4 updates are propagated between PEs
• Routing is optimal in the backbone
  - Each route has the BGP Next-Hop closest to the destination
• No site is used as a central point for connectivity

MPLS VPN Topologies - VPN sites with optimal intra-VPN routing
[Figure: three sites; CE1 (N1) on PE1 via Int.CE1, CE2 (N2) on PE2 via Int.CE2, CE3 (N3) on PE3 via Int.CE3; PE/CE routing is EBGP/RIP/static]
VPN-IPv4 updates exchanged between PEs:
  RD:N1, NH=PE1, Label=Int.CE1, RT=Blue
  RD:N2, NH=PE2, Label=Int.CE2, RT=Blue
  RD:N3, NH=PE3, Label=Int.CE3, RT=Blue
VRF for site-1 (PE1): N1 NH=CE1, N2 NH=PE2, N3 NH=PE3
VRF for site-2 (PE2): N1 NH=PE1, N2 NH=CE2, N3 NH=PE3
VRF for site-3 (PE3): N1 NH=PE1, N2 NH=PE2, N3 NH=CE3
Routing table on CE1: N1 local, N2 via PE1, N3 via PE1
Routing table on CE2: N1 via PE2, N2 local, N3 via PE2
Routing table on CE3: N1 via PE3, N2 via PE3, N3 local

MPLS VPN Topologies - VPN sites with Hub & Spoke routing
• One central site has full routing knowledge of all other sites (of the same VPN): the Hub-Site
• The other sites send traffic to the Hub-Site for any destination: the Spoke-Sites
• The Hub-Site is the central transit point between Spoke-Sites
  - Use of central services at the Hub-Site

MPLS VPN Topologies - VPN sites with Hub & Spoke routing
[Figure: Site-1 (CE1, N1) on PE1, Site-2 (CE2, N2) on PE2, Site-3 (CE3-Hub and CE3-Spoke, N3) on PE3 through two (sub)interfaces; PE/CE routing is BGP/RIPv2]
VRF on PE1, Int.CE1 (Import RT=Spoke, Export RT=Hub): N1 NH=CE1 (exported); N2 NH=PE3 (imported); N3 NH=PE3 (imported)
VRF on PE2, Int.CE2 (Import RT=Spoke, Export RT=Hub): N1 NH=PE3 (imported); N2 NH=CE2 (exported); N3 NH=PE3 (imported)
VRF on PE3, Int.CE3-Hub (Import RT=Hub): N1 NH=PE1; N2 NH=PE2
VRF on PE3, Int.CE3-Spoke (Export RT=Spoke): N1 NH=CE3-Spoke; N2 NH=CE3-Spoke; N3 NH=CE3-Spoke
VPN-IPv4 update advertised by PE1: RD:N1, NH=PE1, Label=Int.CE1, RT=Hub
VPN-IPv4 update advertised by PE2: RD:N2, NH=PE2, Label=Int.CE2, RT=Hub
VPN-IPv4 updates advertised by PE3:
  RD:N1, NH=PE3, Label=Int.CE3-Spoke, RT=Spoke
  RD:N2, NH=PE3, Label=Int.CE3-Spoke, RT=Spoke
  RD:N3, NH=PE3, Label=Int.CE3-Spoke, RT=Spoke
• Routes are imported/exported into VRFs based on the RT value of the VPN-IPv4 updates
• PE3 uses 2 (sub)interfaces with two different VRFs

MPLS VPN Topologies - VPN sites with Hub & Spoke routing
[Figure: the same hub-and-spoke layout and VRF contents as on the previous slide]
• Traffic from one spoke to another will travel across the hub site
• The hub site may host central services
  - Security, NAT, centralised Internet access
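An added example (my own code, not from the deck or from Cisco) that runs the route-target import rule of the connection-model slides over both topologies in this section: the optimal intra-VPN case with a single RT, and the hub-and-spoke case with Hub/Spoke RTs and two VRFs on PE3. Site names, prefixes N1..N3 and the RT values are the slides'; the data structures, the pass-based flooding of MP-iBGP updates and the modelling of the hub CE as a relay between PE3's two VRFs are constructed for this example:

```python
"""Added example, not from the original deck: a simulation of RT-based
import/export between VRFs, built for the two topologies on the slides.
The classes and the flooding passes are constructed; the names are the
slides' own."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class VpnRoute:
    prefix: str
    next_hop: str          # attached CE for local routes, PE loopback once exported
    rts: frozenset         # route-target extended communities on the update
    local: bool = False    # True when learned from the attached CE


@dataclass
class Vrf:
    name: str
    pe: str
    import_rts: frozenset
    export_rts: frozenset
    table: dict = field(default_factory=dict)      # prefix -> VpnRoute

    def learn_from_ce(self, prefix: str, ce: str) -> None:
        self.table[prefix] = VpnRoute(prefix, ce, frozenset(), local=True)

    def exports(self) -> list:
        """VPN-IPv4 updates the PE originates for this VRF: its local routes,
        next-hop rewritten to the PE (next-hop-self), tagged with the export RTs."""
        return [VpnRoute(r.prefix, self.pe, self.export_rts)
                for r in self.table.values() if r.local and self.export_rts]

    def consider(self, update: VpnRoute) -> bool:
        """RT-based import.  Returns True when the route was installed."""
        if not (update.rts & self.import_rts):
            return False                     # no matching RT: silently discarded
        current = self.table.get(update.prefix)
        if current is not None and current.local:
            return False                     # the route learned from the CE stays preferred
        self.table[update.prefix] = update
        return True


def flood(vrfs: list) -> bool:
    """One MP-iBGP pass: every VRF's exports are offered to every other VRF."""
    changed = False
    for src in vrfs:
        for update in src.exports():
            for dst in vrfs:
                if dst is not src and dst.consider(update):
                    changed = True
    return changed


def snapshot(vrfs: list) -> dict:
    """{vrf name: {prefix: next hop}} for comparison with the slide tables."""
    return {v.name: {p: r.next_hop for p, r in sorted(v.table.items())} for v in vrfs}


def optimal_intra_vpn() -> dict:
    """Slide 'optimal intra-VPN routing': one VRF per PE, all import/export Blue."""
    vrfs = [Vrf(f"site-{i}", f"PE{i}", frozenset({"Blue"}), frozenset({"Blue"}))
            for i in (1, 2, 3)]
    for i, vrf in enumerate(vrfs, 1):
        vrf.learn_from_ce(f"N{i}", f"CE{i}")
    flood(vrfs)
    return snapshot(vrfs)


def hub_and_spoke() -> dict:
    """Slide 'Hub & Spoke routing': spokes export Hub / import Spoke; PE3 has a Hub
    VRF (import Hub) and a Spoke VRF (export Spoke) on two interfaces.  The hub CE
    relays what it learns from the Hub VRF, plus its own N3, back into the Spoke VRF."""
    spoke1 = Vrf("PE1-site-1", "PE1", frozenset({"Spoke"}), frozenset({"Hub"}))
    spoke2 = Vrf("PE2-site-2", "PE2", frozenset({"Spoke"}), frozenset({"Hub"}))
    hub_in = Vrf("PE3-hub", "PE3", frozenset({"Hub"}), frozenset())
    hub_out = Vrf("PE3-spoke", "PE3", frozenset(), frozenset({"Spoke"}))
    spoke1.learn_from_ce("N1", "CE1")
    spoke2.learn_from_ce("N2", "CE2")
    vrfs = [spoke1, spoke2, hub_in, hub_out]
    flood(vrfs)                                   # spokes -> hub VRF (RT=Hub)
    for prefix in list(hub_in.table) + ["N3"]:    # CE3 re-advertises into PE3's spoke VRF
        hub_out.learn_from_ce(prefix, "CE3-Spoke")
    flood(vrfs)                                   # hub -> spokes (RT=Spoke)
    return snapshot(vrfs)
```

The two snapshots reproduce the VRF tables drawn on the slides. In the hub-and-spoke result the spoke VRF on PE1 holds N2 with next hop PE3, not PE2, which is exactly why spoke-to-spoke traffic transits the hub; the RT=Hub update from PE2 was offered to PE1's VRF and discarded because PE1 imports only Spoke.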
MPLS VPN Topologies - VPN sites with Hub & Spoke routing
• If the PE and the Hub-site use BGP, the PE should not check the received AS_PATH
  - The update the Hub-site advertises contains the VPN backbone AS number
  - By configuration the AS_PATH check is disabled
  - Routing loops are detected through the SOO attribute
• PE and CE routers may use RIPv2 and/or static routing

MPLS VPN Internet Routing
• In a VPN, sites may need to have Internet connectivity
• Connectivity to the Internet means:
  - Being able to reach Internet destinations
  - Being reachable from any Internet source
• Security mechanisms MUST be used as in ANY other kind of Internet connectivity

MPLS VPN Internet Routing
• The Internet routing table is treated separately
• In the VPN backbone the Internet routes are in the global routing table of the PE routers
• Labels are not assigned to external (BGP) routes
• P routers need not (and will not) run BGP

MPLS VPN Internet routing - VRF-specific default route
• A default route is installed into the site VRF, pointing to an Internet Gateway
• The default route is NOT part of any VPN
  - A single label is used for packets forwarded according to the default route
  - The label is the IGP label corresponding to the IP address of the Internet gateway
    Known in the IGP

MPLS VPN Internet routing - VRF-specific default route
• The PE router originates the CE routes for the Internet
  - Customer (site) routes are known in the site VRF
    Not in the global table
  - The PE/CE interface is NOT known in the global table. However:
    A static route for the customer routes, pointing to the PE/CE interface, is installed in the global table
    This static route is redistributed into the BGP-4 global table and advertised to the Internet Gateway
• The Internet gateway knows the customer routes, with the PE address as next-hop

MPLS VPN Internet routing - VRF-specific default route
• The Internet Gateway specified in the default route (in the VRF) need NOT be directly connected
• Different Internet gateways can be used for different VRFs
• Using a default route for Internet routing does NOT allow any other default route for intra-VPN routing
  - As in any other routing scheme

MPLS VPN Internet routing - VRF-specific default route
[Figure: the Internet gateway PE-IG (192.168.1.1) speaks BGP-4 to the Internet and MP-BGP to the PE (192.168.1.2); Site-1 (network 171.68.0.0/16) hangs off the PE's Serial0; Site-2 is on another PE]
PE configuration:

ip vrf VPN-A
 rd 100:1
 route-target both 100:1
!
interface Serial0
 ! vrf forwarding first: applying it after the address clears the address
 ip vrf forwarding VPN-A
 ! /24 mask shown; the mask text was garbled in the source
 ip address 192.168.10.1 255.255.255.0
!
router bgp 100
 no bgp default ipv4-unicast
 network 171.68.0.0 mask 255.255.0.0
 neighbor 192.168.1.1 remote-as 100
 neighbor 192.168.1.1 activate
 neighbor 192.168.1.1 next-hop-self
 neighbor 192.168.1.1 update-source loopback0
 !
 address-family ipv4 vrf VPN-A
  neighbor 192.168.10.2 remote-as 65502
  neighbor 192.168.10.2 activate
 exit-address-family
 !
 address-family vpnv4
  neighbor 192.168.1.2 activate
 exit-address-family
!
ip route 171.68.0.0 255.255.0.0 Serial0
ip route vrf VPN-A 0.0.0.0 0.0.0.0 192.168.1.1 global

MPLS VPN Internet routing - VRF-specific default route
[Figure: an IP packet for D=cisco.com from Site-1 enters the PE on Serial0; the PE's VRF holds "0.0.0.0/0 -> 192.168.1.1 (global)" plus the Site-1 and Site-2 routes; its global table and LFIB hold "192.168.1.1/32 Label=3" and "192.168.1.2/32 Label=5"; the packet is sent towards PE-IG (192.168.1.1) with Label=3 and leaves PE-IG towards the Internet as a plain IP packet]

MPLS VPN Internet routing - VRF-specific default route
• PE routers need not hold the Internet table
• PE routers will use BGP-4 sessions to originate the customer routes
• Packet forwarding is done with a single label identifying the Internet Gateway IP address
  - More labels if Traffic Engineering is used

MPLS VPN Internet Routing - Separated (sub)interfaces
• If a CE wishes to receive and announce routes from/to the Internet:
  - A dedicated BGP session is used over a separate (sub)interface
  - The PE imports the CE routes into the global routing table and advertises them to the Internet
  - The interface is not part of any VPN and does not use any VRF
  - A default route or the Internet routes are exported to the CE
    The PE needs to have the Internet routing table

MPLS VPN Internet Routing - Separated (sub)interfaces
• The PE uses separate (sub)interfaces with the CE
  - One (sub)interface for VPN routing, associated to a VRF
    Can be a tunnel interface
  - One (sub)interface for Internet routing
    Associated to the global routing table

MPLS VPN Internet Routing - Separated (sub)interfaces
[Figure: PE-IG (192.168.1.1) speaks BGP-4 to the Internet and MP-BGP to the PE (192.168.1.2); Site-1 (network 171.68.0.0/16) reaches the PE over Serial0.1 (VPN) and Serial0.2 (BGP-4 towards the Internet); Site-2 is on another PE]
PE configuration:

ip vrf VPN-A
 rd 100:1
 route-target both 100:1
!
interface Serial0
 no ip address
!
interface Serial0.1
 ip vrf forwarding VPN-A
 ! /24 masks shown; the mask text was garbled in the source
 ip address 192.168.10.1 255.255.255.0
!
interface Serial0.2
 ip address 171.68.10.1 255.255.255.0
!
router bgp 100
 no bgp default ipv4-unicast
 neighbor 192.168.1.1 remote-as 100
 neighbor 192.168.1.1 activate
 neighbor 192.168.1.1 next-hop-self
 neighbor 192.168.1.1 update-source loopback0
 neighbor 171.68.10.2 remote-as 502
 ! added: with "no bgp default ipv4-unicast" the Internet neighbor must be activated explicitly
 neighbor 171.68.10.2 activate
 !
 address-family ipv4 vrf VPN-A
  neighbor 192.168.10.2 remote-as 502
  neighbor 192.168.10.2 activate
 exit-address-family
 !
 address-family vpnv4
  neighbor 192.168.1.2 activate
 exit-address-family

MPLS VPN Internet Routing - Separated (sub)interfaces
[Figure: an IP packet for D=cisco.com from Site-1 arrives at the PE on Serial0.2; the PE's global table holds "Internet routes -> 192.168.1.1, Label=3"; the packet is sent to PE-IG with Label=3 and on to the Internet. The CE routing table holds "Site-2 routes -> Serial0.1" and "Internet routes -> Serial0.2"]
Scaling
• Existing BGP techniques can be used to scale the route distribution: route reflectors
• Each edge router needs only the information for the VPNs it supports
  - Directly connected VPNs
• RRs are used to distribute the VPN routing information

Scaling
• Very highly scalable:
  - Initial VPN release: 1000 VPNs x 1000 sites/VPN = 1,000,000 sites
  - Architecture supports 100,000+ VPNs, 10,000+ sites
  - BGP "segmentation" through RRs is essential !!!!
• Easy to add new sites
  - Configure the site on the PE connected to it
  - The network automagically does the rest
• See also platform issues, later on

MPLS-VPN Scaling - BGP Route Reflectors
[Figure: two route reflectors (one holding VPN_A, one holding VPN_B routes) in front of the P core; PE1, PE2 and the other PEs peer with the RR(s) for the VPNs they attach]
• Route Reflectors may be partitioned
  - Each RR stores the routes for a set of VPNs
• Thus, no BGP router needs to store ALL VPN information
• PEs will peer with RRs according to the VPNs they directly connect

MPLS-VPN Scaling - BGP update filtering
• An iBGP full mesh between PEs results in flooding all VPN routes to all PEs
  - Scaling problems with a large amount of routes
• In addition, PEs need only the routes for the attached VRFs
• Therefore each PE will discard any VPN-IPv4 route that has no route-target configured to be imported in any of the attached VRFs
• This significantly reduces the amount of information each PE has to store
  - The volume of the BGP table is equivalent to the volume of the attached VRFs (nothing more)

MPLS-VPN Scaling - BGP update filtering
[Figure: a PE with VRFs for VPNs yellow (Import RT=yellow) and green (Import RT=green) receives over MP-iBGP the updates "RD:Net1, Next-hop=PEX, SOO=Site1, RT=Green, Label=XYZ" and "RD:Net1, Next-hop=PEX, SOO=Site1, RT=Red, Label=XYZ"]
• Each VRF has an import and an export policy configured
  - Policies use the route-target attribute (extended community)
• The PE receives MP-iBGP updates for VPN-IPv4 routes
  - If the route-target is equal to any of the import values configured in the PE, the update is accepted
  - Otherwise it is silently discarded

MPLS-VPN Scaling - Route Refresh
[Figure: a PE with Import RT=yellow, green and newly red. 1. The PE doesn't have red routes (previously filtered out). 2. The PE issues a Route-Refresh to all neighbors in order to ask for retransmission. 3. Neighbors re-send the updates ("RD:Net1, Next-hop=PEX, SOO=Site1, RT=Green, Label=XYZ" and "RD:Net1, Next-hop=PEX, SOO=Site1, RT=Red, Label=XYZ") and the "red" route-target is now accepted]
• Policy may change in the PE if VRF modifications are done
  - New VRFs, removal of VRFs
• However, the PE may not have stored routing information which becomes useful after a change
• The PE requests a re-transmission of the updates from its neighbors
  - Route-Refresh

MPLS-VPN Scaling - Outbound Route Filters (ORF)
[Figure: a PE with Import RT=yellow and green. 1. The PE doesn't need red routes. 2. The PE issues an ORF message to all neighbors in order not to receive red routes. 3. Neighbors dynamically configure the outbound filter and send updates accordingly (the RT=Green update is sent, the RT=Red one is not)]
• The PE router will discard updates with an unused route-target
• Optimisation requires these updates NOT to be sent
• Outbound Route Filter (ORF) allows a router to tell its neighbors which filter to use prior to propagating BGP updates
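An added example (my own code, not from the deck or from Cisco) putting numbers on the three behaviours above: a PE that silently discards updates whose RT it does not import, a Route-Refresh after a new VRF is added, and an ORF that keeps the unwanted updates off the wire. The update contents and the RT names are the slide's; the sample Adj-RIB-Out, the message counters and the class names are constructed:

```python
"""Added example, not from the original deck: a toy MP-iBGP neighbour and PE
showing receive-side RT filtering, Route-Refresh and ORF.  The sample
Adj-RIB-Out and the counters are constructed."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Update:
    rd_prefix: str          # e.g. "RD:Net1"
    rt: str                 # route-target carried in the extended community
    next_hop: str = "PEX"


SAMPLE_UPDATES = [          # constructed: what the neighbour holds for this PE
    Update("RD:Net1", "Green"),
    Update("RD:Net1", "Red"),
    Update("RD:Net2", "Yellow"),
    Update("RD:Net3", "Red"),
]


@dataclass
class Neighbor:
    rib_out: list
    orf: Optional[frozenset] = None   # RTs the peer asked for; None = no ORF in use
    sent: int = 0                     # updates actually put on the wire

    def advertise(self, peer: "PE") -> None:
        """Send every route the ORF (if any) lets through."""
        for update in self.rib_out:
            if self.orf is None or update.rt in self.orf:
                self.sent += 1
                peer.receive(update)

    def route_refresh(self, peer: "PE") -> None:
        """The peer asked for retransmission: replay the Adj-RIB-Out."""
        self.advertise(peer)


@dataclass
class PE:
    import_rts: set
    accepted: dict = field(default_factory=dict)   # (rd_prefix, rt) -> Update
    discarded: int = 0

    def receive(self, update: Update) -> None:
        if update.rt in self.import_rts:
            self.accepted[(update.rd_prefix, update.rt)] = update
        else:
            self.discarded += 1        # silently dropped: nothing is retained

    def add_vrf_import(self, rt: str, neighbor: Neighbor, use_orf: bool) -> None:
        """Policy change: a new VRF imports `rt`.  Routes discarded earlier are gone,
        so either refresh the ORF or simply ask the neighbour to resend everything."""
        self.import_rts.add(rt)
        if use_orf:
            neighbor.orf = frozenset(self.import_rts)
        neighbor.route_refresh(self)

    def counters(self, neighbor: Neighbor) -> dict:
        return {"sent": neighbor.sent, "accepted": len(self.accepted),
                "discarded": self.discarded}


def without_orf() -> dict:
    """Receive-side filtering only, then a Route-Refresh when VRF red is added."""
    pe = PE({"Yellow", "Green"})
    neighbor = Neighbor(list(SAMPLE_UPDATES))
    neighbor.advertise(pe)
    before = pe.counters(neighbor)
    pe.add_vrf_import("Red", neighbor, use_orf=False)
    return {"before": before, "after": pe.counters(neighbor)}


def with_orf() -> dict:
    """The PE pushes its import RTs as an ORF before the neighbour advertises."""
    pe = PE({"Yellow", "Green"})
    neighbor = Neighbor(list(SAMPLE_UPDATES), orf=frozenset(pe.import_rts))
    neighbor.advertise(pe)
    before = pe.counters(neighbor)
    pe.add_vrf_import("Red", neighbor, use_orf=True)
    return {"before": before, "after": pe.counters(neighbor)}
```

Without ORF the neighbour sends all four updates and the PE throws two away, then the Route-Refresh costs another four messages to recover the red routes; with ORF only the two wanted updates cross the wire and nothing is ever discarded on the PE, although the refresh after the policy change still re-sends everything the new filter allows.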
MPLS VPN - Configuration • VPN knowledge is on PE routers • PE router have to be configured for VRF and Route Distinguisher VRF import/export policies (based on Routetarget) Routing protocol used with CEs MP-BGP between PE routers BGP for Internet routers With other PE routers With CE routers TOI-VPN eosborne © 2001, Cisco Systems, Inc. 75
MPLS VPN - Configuration VRF and Route Distinguisher • RD is configured on PE routers (for each VRF) • VRFs are associated to RDs in each PE • Common (good) practice is to use the same RD for the same VPN in all PEs But not mandatory • VRF configuration command ip vrf <vrf-symbolic-name> rd <route-distinguisher-value> route-target import <community> route-target export <community> TOI-VPN eosborne © 2001, Cisco Systems, Inc. 76
CLI - VRF configuration ip vrf site 1 rd 100: 1 route-target export 100: 1 route-target import 100: 1 ip vrf site 2 rd 100: 2 route-target export 100: 2 route-target import 100: 1 route-target export 100: 1 Site-4 Site-1 VPN-A Site-2 TOI-VPN eosborne © 2001, Cisco Systems, Inc. VPN-B Site-3 Multihop MP-i. BGP P P PE 1 VRF for site-1 (100: 1) Site-1 routes Site-2 routes Site-1 ip vrf site 3 rd 100: 3 route-target export 100: 2 route-target import 100: 3 route-target export 100: 3 ip vrf site-4 rd 100: 4 route-target export 100: 3 route-target import 100: 3 VPN-C PE 2 VRF for site-2 (100: 2) Site-1 routes Site-2 routes Site-3 routes Site-2 VRF for site-3 (100: 3) Site-2 routes Site-3 routes Site-4 routes Site-3 VRF for site-4 (100: 4) Site-3 routes Site-4 77
MPLS VPN - Configuration: PE/CE routing protocols
• PE/CE may use BGP, RIPv2 or static routes
• A routing context is used for each VRF
• Routing contexts are defined within the routing protocol instance with the address-family router sub-command:
  router rip
   version 2
   address-family ipv4 vrf <vrf-symbolic-name>
    … any common router sub-command …
MPLS VPN - Configuration: PE/CE routing protocols
• BGP uses the same "address-family" command:
  router bgp <asn>
   . . .
   address-family ipv4 vrf <vrf-symbolic-name>
    … any common router BGP sub-command …
• Static routes are configured per VRF:
  ip route vrf <vrf-symbolic-name> …
MPLS VPN - Configuration: PE router commands
• All show commands are VRF based:
  show ip route vrf <vrf-symbolic-name> . . .
  show ip protocols vrf <vrf-symbolic-name>
  show ip cef vrf <vrf-symbolic-name> …
• Ping and telnet are VRF based:
  telnet /vrf <vrf-symbolic-name>
  ping vrf <vrf-symbolic-name>
MPLS VPN - Configuration: PE/CE routing protocols
Same topology as before (VPN-A: Site-1, Site-2; VPN-B: Site-2, Site-3; VPN-C: Site-3, Site-4; PE1 and PE2 peer over multihop MP-iBGP). Each VRF is bound to the serial interface facing its CE.
PE1:
  ip vrf site1
   rd 100:1
   route-target export 100:12
   route-target import 100:12
  ip vrf site2
   rd 100:2
   route-target export 100:12
   route-target import 100:23
   route-target export 100:23
  !
  interface Serial3/6
   ip vrf forwarding site1
   ip address 192.168.61.6 255.255.255.0
   encapsulation ppp
  !
  interface Serial3/7
   ip vrf forwarding site2
   ip address 192.168.62.6 255.255.255.0
   encapsulation ppp
PE2:
  ip vrf site3
   rd 100:3
   route-target export 100:23
   route-target import 100:34
   route-target export 100:34
  ip vrf site4
   rd 100:4
   route-target export 100:34
   route-target import 100:34
  !
  interface Serial4/6
   ip vrf forwarding site3
   ip address 192.168.73.7 255.255.255.0
   encapsulation ppp
  !
  interface Serial4/7
   ip vrf forwarding site4
   ip address 192.168.74.7 255.255.255.0
   encapsulation ppp
Resulting VRF contents as on the previous slide: site-1 holds Site-1 and Site-2 routes; site-2 holds Site-1, Site-2 and Site-3 routes; site-3 holds Site-2, Site-3 and Site-4 routes; site-4 holds Site-3 and Site-4 routes.
MPLS VPN - Configuration: PE/CE routing protocols
PE1 (loopback 6.6.6.6):
  router bgp 100
   no bgp default ipv4-unicast
   neighbor 7.7.7.7 remote-as 100
   neighbor 7.7.7.7 update-source Loopback0
   !
   address-family ipv4 vrf site2
    neighbor 192.168.62.2 remote-as 65502
    neighbor 192.168.62.2 activate
   exit-address-family
   !
   address-family ipv4 vrf site1
    neighbor 192.168.61.1 remote-as 65501
    neighbor 192.168.61.1 activate
   exit-address-family
   !
   address-family vpnv4
    neighbor 7.7.7.7 activate
    neighbor 7.7.7.7 next-hop-self
   exit-address-family
PE2 (loopback 7.7.7.7):
  router bgp 100
   no bgp default ipv4-unicast
   neighbor 6.6.6.6 remote-as 100
   neighbor 6.6.6.6 update-source Loopback0
   !
   address-family ipv4 vrf site4
    neighbor 192.168.74.4 remote-as 65504
    neighbor 192.168.74.4 activate
   exit-address-family
   !
   address-family ipv4 vrf site3
    neighbor 192.168.73.3 remote-as 65503
    neighbor 192.168.73.3 activate
   exit-address-family
   !
   address-family vpnv4
    neighbor 6.6.6.6 activate
    neighbor 6.6.6.6 next-hop-self
   exit-address-family
Each CE is an eBGP neighbour inside its own VRF address family (site-1 in 100:1, site-2 in 100:2, site-3 in 100:3, site-4 in 100:4); the two PEs exchange VPN-IPv4 routes over the vpnv4 address family between their loopbacks.
Summary
• Supports large scale VPN services
• Increases the value added by the VPN Service Provider
• Decreases the Service Provider's cost of providing VPN services
• Mechanisms are general enough to enable a VPN Service Provider to support a wide range of VPN customers
• See RFC 2547
Route Target
• CE-1 at Site-1 sends a BGP or RIPv2 update for Net1 with Next-Hop=CE-1 to PE-1
• PE-1 advertises a VPN-IPv4 update across the VPN backbone (IGP plus MP-BGP between the PEs): RD:Net1, Next-hop=PE-1, SOO=Site1, RT=Green, Label=(int. CE1)
• The receiving PE-2 inserts the route into the VRF identified by the RT attribute (based on the PE configuration); in this example RT=Green:
  ip vrf odd
   rd 100:1
   route-target export "Green"
   route-target import "Green"
• The VPN-IPv4 update is translated back into an IPv4 route (Net1), put into VRF green since RT=Green, and advertised to CE-2 at Site-2
Inbound Filtering
• Proprietary feature: the PE creates a union of all configured import RTs and automatically compares the RTs of every incoming update against it for a non-null intersection
• Automatic (always on) rejection of every prefix for which none of its route target extended community attributes matches any of the route targets configured at the PE
• Example: the PE has VRFs for VPNs yellow and green (Import RT=yellow, Import RT=green) and MP-iBGP sessions to its neighbours
  VPN-IPv4 update RD:Net1, Next-hop=PE-X, SOO=Site1, RT=Green, Label=XYZ is accepted into VRF green
  VPN-IPv4 update RD:Net1, Next-hop=PE-X, SOO=Site1, RT=Red, Label=XYZ is silently rejected when it reaches the PE, since there is no VRF configured with import RT=Red
• Any VRF configuration change triggers a Route Refresh
Route Refresh
• Based on draft-chen-bgp-route-refresh-01.txt
• When the inbound policy has been modified, the BGP speaker sends a Route-Refresh message to its neighbours, carrying the AFI and Sub-AFI
• Neighbours re-transmit all routes for that particular AFI and Sub-AFI
• Routers that are not refresh capable reset the BGP session instead
• Used automatically for vpnv4 sessions; for ipv4 sessions a soft refresh is triggered manually:
  clear ip bgp x.x.x.x soft in
Route Refresh and filtering
• Policy may change in the PE if VRF modifications are done: new VRFs, removal of VRFs, RT addition or deletion
• However, the PE may not have stored routing information which becomes useful after such a change
• The PE requests a re-transmission of updates from its neighbours via Route-Refresh
1. The PE (Import RT=yellow, Import RT=green) does not have the red routes, which were previously filtered out; a VRF with Import RT=red is now added
2. The PE issues a Route-Refresh to all neighbours to ask for re-transmission
3. Neighbours re-send their updates (RD:Net1, Next-hop=PE-X, SOO=Site1, RT=Green, Label=XYZ and RD:Net1, Next-hop=PE-X, SOO=Site1, RT=Red, Label=XYZ) and the "red" route target is now accepted
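The route-target import logic, the PE's automatic inbound filter (Inbound Filtering slide) and the Route-Refresh that a VRF policy change requires (this slide), modelled together in Python. This is an added example, not code from the original deck; the VRF layout, route targets, prefixes and labels are constructed for the illustration (PE1 hosts site1 in VPN-A and site2 in VPN-A and VPN-B; PE2 hosts site3 in VPN-B and VPN-C and site4 in VPN-C; RT 100:1 = VPN-A, 100:2 = VPN-B, 100:3 = VPN-C).

```python
"""Route-target import, the PE's automatic inbound filter and the Route-Refresh
a VRF policy change needs, modelled in Python.

Added example, not code from the original deck. The layout is constructed:
PE1 hosts site1 (VPN-A) and site2 (VPN-A and VPN-B); PE2 hosts site3 (VPN-B and
VPN-C) and site4 (VPN-C). RT 100:1 = VPN-A, 100:2 = VPN-B, 100:3 = VPN-C.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class VpnUpdate:
    rd: str                  # route distinguisher of the originating VRF
    prefix: str              # IPv4 prefix inside the VPN-IPv4 NLRI
    next_hop: str            # advertising PE
    rts: FrozenSet[str]      # route-target extended communities
    label: int               # VPN label allocated by the advertising PE


@dataclass
class Vrf:
    name: str
    rd: str
    import_rts: FrozenSet[str]
    export_rts: FrozenSet[str]
    table: Dict[str, Tuple[str, int]] = field(default_factory=dict)  # prefix -> (next hop, label)


class PeRouter:
    def __init__(self, name: str, vrfs: List[Vrf]) -> None:
        self.name = name
        self.vrfs = {v.name: v for v in vrfs}
        self.rejected: List[VpnUpdate] = []   # dropped by the inbound filter, hence not stored

    def import_union(self) -> FrozenSet[str]:
        """Union of every import RT on this PE: the automatic inbound filter."""
        return frozenset().union(*(v.import_rts for v in self.vrfs.values()))

    def export(self, vrf_name: str, prefix: str, label: int) -> VpnUpdate:
        """A CE route leaves the PE tagged with the export RTs of its VRF."""
        v = self.vrfs[vrf_name]
        return VpnUpdate(v.rd, prefix, self.name, v.export_rts, label)

    def receive(self, upd: VpnUpdate) -> List[str]:
        """Inbound filter first, then per-VRF import; returns the VRFs that took the route."""
        if not upd.rts & self.import_union():
            self.rejected.append(upd)     # no VRF imports any of these RTs: silently dropped
            return []
        imported = []
        for v in self.vrfs.values():
            if upd.rts & v.import_rts:    # non-null intersection with this VRF's import RTs
                v.table[upd.prefix] = (upd.next_hop, upd.label)
                imported.append(v.name)
        return imported

    def change_import(self, vrf_name: str, new_rts: FrozenSet[str]) -> bool:
        """VRF policy change. The PE kept nothing it filtered, so if a dropped update
        would now pass it has to ask its neighbours for a Route-Refresh."""
        self.vrfs[vrf_name].import_rts = frozenset(new_rts)
        return any(u.rts & self.import_union() for u in self.rejected)


def run_scenario() -> dict:
    pe1 = PeRouter("PE1", [
        Vrf("site1", "100:1", frozenset({"100:1"}), frozenset({"100:1"})),
        Vrf("site2", "100:2", frozenset({"100:1", "100:2"}), frozenset({"100:1", "100:2"})),
    ])
    pe2 = PeRouter("PE2", [
        Vrf("site3", "100:3", frozenset({"100:2", "100:3"}), frozenset({"100:2", "100:3"})),
        Vrf("site4", "100:4", frozenset({"100:3"}), frozenset({"100:3"})),
    ])
    r = {}
    # a site-3 route carries RT 100:2 and 100:3: on PE1 only site2 imports 100:2
    r["site3_route_into"] = pe1.receive(pe2.export("site3", "10.3.0.0/24", 42))
    # a site-4 route carries only RT 100:3: no VRF on PE1 imports it, filtered on arrival
    r["site4_route_into"] = pe1.receive(pe2.export("site4", "10.4.0.0/24", 43))
    r["filtered"] = [u.prefix for u in pe1.rejected]
    r["site2_before"] = sorted(pe1.vrfs["site2"].table)
    # the operator adds 100:3 to site2's import list: the dropped update is now wanted
    r["refresh_needed"] = pe1.change_import("site2", frozenset({"100:1", "100:2", "100:3"}))
    # the neighbour re-sends everything after the Route-Refresh; replay what was dropped
    replay, pe1.rejected = pe1.rejected, []
    r["after_refresh"] = [pe1.receive(u) for u in replay]
    r["site2_after"] = sorted(pe1.vrfs["site2"].table)
    return r


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The point the two slides make together is visible in `refresh_needed`: after the import policy changes, the PE has nothing to re-evaluate locally because the filtered update was never stored, so the neighbour has to send it again.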
Allow AS
• One central site (the Hub-Site) has full routing knowledge of all other sites of the same VPN
• The other sites (Spoke-Sites) send traffic to the Hub-Site for any destination
• The Hub-Site is the central transit point between Spoke-Sites, allowing the use of central services at the Hub-Site
Allow AS
Hub-and-spoke VRF contents (Site-1 on PE1, Site-2 on PE2, Site-3 hub on PE3; BGP or RIPv2 between each PE and its CE):
• PE1, int. CE1 VRF (Import RT=Spoke, Export RT=Hub): N1 NH=CE1 (exported); N2 NH=PE3 (imported); N3 NH=PE3 (imported)
• PE2, int. CE2 VRF (Import RT=Spoke, Export RT=Hub): N1 NH=PE3 (imported); N2 NH=CE2 (exported); N3 NH=PE3 (imported)
• PE3, int. CE3-Hub VRF (Import RT=Hub): N1 NH=PE1; N2 NH=PE2
• PE3, int. CE3-Spoke VRF (Export RT=Spoke): N1 NH=CE3-Spoke; N2 NH=CE3-Spoke; N3 NH=CE3-Spoke
VPN-IPv4 updates:
• advertised by PE1: RD:N1, NH=PE1, Label=Int.CE1, RT=Hub
• advertised by PE2: RD:N2, NH=PE2, Label=Int.CE2, RT=Hub
• advertised by PE3: RD:N1, NH=PE3, Label=Int.CE3-Spoke, RT=Spoke; RD:N2, NH=PE3, Label=Int.CE3-Spoke, RT=Spoke; RD:N3, NH=PE3, Label=Int.CE3-Spoke, RT=Spoke
• Routes are imported/exported into VRFs based on the RT value of the VPN-IPv4 updates
• PE3 uses 2 (sub)interfaces with two different VRFs
Allow AS
Same hub-and-spoke layout and VRF contents as on the previous slide.
• Traffic from one spoke to another travels across the hub site
• The hub site may host central services: security, NAT, centralised Internet access
Allow AS
• If the PE and the Hub-site use BGP, the PE must not apply the usual AS_PATH loop check: the update the Hub-site advertises contains the VPN backbone AS number
• By configuration the AS_PATH check is disabled ("Allow AS")
• Routing loops are then suppressed by limiting the number of occurrences of the provider ASN in the AS_PATH: the PE will REJECT the update if its ASN appears more than 3 times in the AS_PATH
• 3 is the default and can be overridden with <opt>
Allow AS
Site-1 (CE1, ASN 251) originates 192.168.0.5/32; Site-2 is CE2 (ASN 252); Site-3 has CE3-Hub and CE3-Spoke (ASN 250); the provider is ASN 100.
• eBGP4 update PE3 -> CE3-Hub: 192.168.0.5/32, AS_PATH: 100 251
• eBGP4 update CE3-Spoke -> PE3: 192.168.0.5/32, AS_PATH: 250 100 251
PE3 configuration:
  !
  address-family ipv4 vrf Hub
   neighbor 192.168.73.3 remote-as 250
   neighbor 192.168.73.3 activate
   neighbor 192.168.74.4 remote-as 250
   neighbor 192.168.74.4 activate
   neighbor 192.168.74.4 allowas-in <opt>
   no auto-summary
   no synchronization
  exit-address-family
  !
Allow AS with ASN override
All customer sites use ASN 250; the provider is ASN 100. Site-1 (CE1) originates 192.168.0.5/32.
• eBGP4 update CE1 -> PE1: 192.168.0.5/32, AS_PATH: 250
• VPN-IPv4 update PE1 -> PE3: RD:192.168.0.5/32, AS_PATH: 250
• eBGP4 update PE3 -> CE3-Hub: 192.168.0.5/32, AS_PATH: 100
• eBGP4 update CE3-Spoke -> PE3: 192.168.0.5/32, AS_PATH: 250 100
• VPN-IPv4 update PE3 -> PE2: RD:192.168.0.5/32, AS_PATH: 250 100
• eBGP4 update PE2 -> CE2: 192.168.0.5/32, AS_PATH: 100 100
• Now the AS_PATH contains four occurrences of the provider ASN: this update will not be accepted anymore if the CE re-advertises it back to any PE
PE3 configuration:
  !
  address-family ipv4 vrf Hub
   neighbor 192.168.73.3 remote-as 250
   neighbor 192.168.73.3 activate
   neighbor 192.168.74.4 remote-as 250
   neighbor 192.168.74.4 activate
   neighbor 192.168.74.4 allowas-in <opt>
   neighbor 192.168.74.4 as-override
   no auto-summary
   no synchronization
  exit-address-family
ASN Override
• When BGP is used between PE and CE routers, the customer VPN may want to re-use the same ASN in different sites
• Private-ASN procedures already exist to strip a private ASN from the AS_PATH, but they have the following constraints:
  the private ASN is stripped only if only private ASNs are present in the AS_PATH
  the private ASN is stripped only if it is NOT equal to the neighbouring ASN
• Private-ASN procedures therefore do NOT allow the re-use of the same ASN in an MPLS-VPN environment
ASN Override
• New procedures have been implemented in order to re-use the same ASN on all VPN sites
• The procedures allow the use of private as well as public ASNs
• The same ASN may be used for all sites, whatever their VPN
ASN Override
• With ASN override configured the PE does the following:
  If the last ASN in the AS_PATH is equal to the neighbouring one, it is replaced by the provider ASN
  If the last ASN has multiple occurrences (due to AS_PATH prepend), all the occurrences are replaced with the provider ASN value
  After this operation, normal eBGP operation occurs: the provider ASN is added to the AS_PATH
ASN Override
• The ASN override feature is used in conjunction with SOO in order to prevent routing loops in the case of multihomed sites
• SOO is not needed for stub sites (sites connected to a single PE)
• Multihomed sites need to use SOO
ASN Override
PE-1 and PE-2 are in ASN 100; CE-1 (192.168.0.5/32) and CE-2 (192.168.0.3/32) are both in ASN 250. PE-2 configuration (as-override towards CE-2 on 192.168.73.3, iBGP to PE-1 at 192.168.0.6):
  ip vrf odd
   rd 100:1
   route-target export 100:3
   route-target import 100:3
  !
  interface Serial1
   ip vrf forwarding odd
   ip address 192.168.73.7 255.255.255.0
  !
  router bgp 100
   no synchronization
   no bgp default ipv4-unicast
   neighbor 192.168.0.6 remote-as 100
   neighbor 192.168.0.6 update-source Loopback0
   neighbor 192.168.0.6 activate
   neighbor 192.168.0.6 next-hop-self
   no auto-summary
   !
   address-family ipv4 vrf odd
    neighbor 192.168.73.3 remote-as 250
    neighbor 192.168.73.3 activate
    neighbor 192.168.73.3 as-override
    no auto-summary
    no synchronization
   exit-address-family
   !
   address-family vpnv4
    neighbor 192.168.0.6 activate
    neighbor 192.168.0.6 send-community extended
    no auto-summary
   exit-address-family
  !
ASN Override
PE-1 (7200-1) VPN table:
  7200-1#sh ip bgp vpn all
     Network  Next Hop  Metric LocPrf Weight Path
  Route Distinguisher: 100:1 (default for vrf odd)
  *>i192.168.0.3/32  192.168.0.7  0  0  250 i
  *> 192.168.0.5/32  192.168.65.5  0  0  250 i
PE-2 performs the following actions:
 1 - Replace the last ASN with its own ASN
 2 - Update the AS_PATH with its own ASN
 3 - Forward the update to CE-2
• eBGP4 update CE-1 -> PE-1: 192.168.0.5/32, AS_PATH: 250
• VPN-IPv4 update PE-1 -> PE-2: RD:192.168.0.5/32, AS_PATH: 250
CE-2 (3640-5, ASN 250, 192.168.0.3/32) BGP table:
  3640-5#sh ip b
     Network  Next Hop  Metric LocPrf Weight Path
  *> 192.168.0.5/32  192.168.73.7  0  100 i
  *> 192.168.0.3/32  0.0.0.0  0  i
ASN Override with AS_PATH prepend
PE-1 (7200-1) VPN table, CE-1 having prepended its ASN once:
  7200-1#sh ip bgp vpn all
     Network  Next Hop  Metric LocPrf Weight Path
  Route Distinguisher: 100:1 (default for vrf odd)
  *>i192.168.0.3/32  192.168.0.7  0  0  250 i
  *> 192.168.0.5/32  192.168.65.5  0  0  250 250 i
PE-2 performs the following actions:
 1 - Replace all occurrences of the last ASN with its own ASN
 2 - Update the AS_PATH with its own ASN
 3 - Forward the update to CE-2
• eBGP4 update CE-1 -> PE-1: 192.168.0.5/32, AS_PATH: 250 250
• VPN-IPv4 update PE-1 -> PE-2: RD:192.168.0.5/32, AS_PATH: 250 250
• eBGP4 update PE-2 -> CE-2: 192.168.0.5/32, AS_PATH: 100 100
CE-2 (3640-5, ASN 250, 192.168.0.3/32) BGP table:
  3640-5#sh ip b
     Network  Next Hop  Metric LocPrf Weight Path
  *> 192.168.0.5/32  192.168.73.7  0  100 100 i
  *> 192.168.0.3/32  0.0.0.0  0  i
Site of Origin
• Used to identify the site
• Extended Community type
• Used to prevent loops when AS_PATH cannot be used, i.e. when BGP is used between PE and multihomed sites
• A BGP route is NOT advertised back to the same site, even through different PE/CE connections
Site of Origin
• SOO for eBGP-learned routes is configured through a route-map command
• SOO can also be applied to routes learned through a particular VRF interface (without the use of BGP between PE and CE): SOO is then configured on the interface and propagated into BGP during redistribution
Site of Origin
Site-1 (CE, ASN 250, 192.168.0.5/32) attached to the PE (7200-1) over the 192.168.65.0/24 link.
  7200-1#sh ip route vrf odd
  C    192.168.65.0/24 is directly connected, Serial2
  B    192.168.0.5 [20/0] via 192.168.65.5, 00:08:44, Serial2
  7200-1#sh ip bgp vpn all
     Network  Next Hop  Metric LocPrf Weight Path
  Route Distinguisher: 100:1 (default for vrf odd)
  *> 192.168.0.5/32  192.168.65.5  0  0  250 i
  7200-1#sh ip bgp vpn all 192.168.0.5
  BGP routing table entry for 100:1:192.168.0.5/32, version 17
  Paths: (1 available, best #1)
    Advertised to non peer-group peers:
    192.168.0.7
    250
      192.168.65.5 from 192.168.65.5 (192.168.0.5)
        Origin IGP, metric 0, localpref 100, valid, external, best
        Extended Community: SoO:100:65 RT:100:3
  7200-1#
PE configuration:
  ip vrf odd
   rd 100:1
   route-target export 100:3
   route-target import 100:3
  !
  interface Serial1
   ip vrf forwarding odd
   ip address 192.168.65.6 255.255.255.0
  !
  router bgp 100
   no synchronization
   no bgp default ipv4-unicast
   neighbor 192.168.0.7 remote-as 100
   neighbor 192.168.0.7 update-source Loopback0
   neighbor 192.168.0.7 activate
   neighbor 192.168.0.7 next-hop-self
   no auto-summary
   !
   address-family ipv4 vrf odd
    neighbor 192.168.65.5 remote-as 250
    neighbor 192.168.65.5 activate
    neighbor 192.168.65.5 route-map setsoo in
    no auto-summary
    no synchronization
   exit-address-family
   !
   address-family vpnv4
    neighbor 192.168.0.7 activate
    neighbor 192.168.0.7 send-community extended
    no auto-summary
   exit-address-family
  !
  route-map setsoo permit 10
   set extcommunity soo 100:65
Site of Origin
Site-1 (192.168.0.5/32) is multihomed: CE-1 connects to PE-1 and CE-2 connects to PE-2, and both PE/CE connections are configured with SOO=100:65.
• eBGP4 update CE-1 -> PE-1: 192.168.0.5/32
• VPN-IPv4 update PE-1 -> PE-2: RD:192.168.0.5/32, Next-hop=PE-1, SOO=100:65, RT=100:3, Label=(int. CE1)
• PE-2 will not propagate the route to CE-2, since the SOO of the update is equal to the one configured for the site
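The three PE/CE eBGP loop-prevention mechanisms from the Allow AS, ASN Override and Site of Origin slides, modelled together in Python. This is an added example, not code from the original deck. It follows the procedures as the slides state them (the allowas-in occurrence limit on the provider ASN, the three as-override steps of replace-then-prepend, and no re-advertisement to a site whose SOO matches) and replays the hub-and-spoke flow with constructed values: provider ASN 100, every customer site in ASN 250, SOO 100:65 on site-1. The lab captures on the preceding slides are not reproduced here; the AS_PATH values below are what the stated procedure yields.

```python
"""PE/CE eBGP loop prevention: allowas-in, as-override and Site of Origin.

Added example, not code from the original deck. It follows the procedures the
slides state and replays the hub-and-spoke case with constructed values:
provider ASN 100, all customer sites in ASN 250, SOO 100:65 on site-1.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

PROVIDER_ASN = 100


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: Tuple[int, ...]        # leftmost element is the most recently added ASN
    soo: Optional[str] = None       # Site-of-Origin extended community, if set


def accept_from_ce(as_path: Tuple[int, ...], allowas_in: int = 0) -> bool:
    """Inbound loop check on the PE. Default eBGP behaviour rejects any path that
    already carries the provider ASN; 'allowas-in N' tolerates up to N occurrences."""
    return as_path.count(PROVIDER_ASN) <= allowas_in


def as_override(as_path: Tuple[int, ...], neighbor_asn: int) -> Tuple[int, ...]:
    """The as-override steps: replace the leading occurrence(s) of the neighbour's
    ASN (every copy if it was prepended) by the provider ASN, then prepend the
    provider ASN as any eBGP advertisement does."""
    path = list(as_path)
    i = 0
    while i < len(path) and path[i] == neighbor_asn:
        path[i] = PROVIDER_ASN
        i += 1
    return (PROVIDER_ASN, *path)


def advertise_to_ce(route: Route, neighbor_asn: int, site_soo: Optional[str] = None) -> Optional[Route]:
    """Outbound processing towards a CE. A route whose SOO equals the SOO configured
    for that site came from the site and is not sent back; otherwise as-override applies."""
    if site_soo is not None and route.soo == site_soo:
        return None
    return Route(route.prefix, as_override(route.as_path, neighbor_asn), route.soo)


def hub_and_spoke() -> dict:
    ce_asn = 250
    r = {}
    # CE1 (ASN 250) advertises 192.168.0.5/32 to PE1; the path holds no provider ASN yet
    from_ce1 = (ce_asn,)
    r["pe1_accepts"] = accept_from_ce(from_ce1)
    pe1_route = Route("192.168.0.5/32", from_ce1, soo="100:65")   # SOO set by PE1's inbound route-map
    # PE3 hands the route to the hub CE (also ASN 250) with as-override
    to_hub = advertise_to_ce(pe1_route, ce_asn)
    r["hub_sees"] = to_hub.as_path
    # the hub CE re-advertises it into the spoke VRF, prepending its own ASN
    from_hub = (ce_asn, *to_hub.as_path)
    r["pe3_rejects_without_allowas"] = not accept_from_ce(from_hub)
    r["pe3_accepts_with_allowas_3"] = accept_from_ce(from_hub, allowas_in=3)
    # PE2 sends the hub's copy on to spoke CE2 (ASN 250), again with as-override
    to_ce2 = advertise_to_ce(Route("192.168.0.5/32", from_hub), ce_asn)
    r["ce2_sees"] = to_ce2.as_path
    r["provider_asn_count_at_ce2"] = to_ce2.as_path.count(PROVIDER_ASN)
    # if CE2 leaked it back towards any PE, the four occurrences exceed allowas-in 3
    r["leak_from_ce2_rejected"] = not accept_from_ce((ce_asn, *to_ce2.as_path), allowas_in=3)
    # CE1 prepending its ASN twice: every copy is overridden (the AS_PATH-prepend slide)
    r["prepend_case"] = as_override((ce_asn, ce_asn), ce_asn)
    # SOO: a second PE attached to site-1 must not hand site-1's own route back to it
    r["soo_suppressed"] = advertise_to_ce(pe1_route, ce_asn, site_soo="100:65") is None
    r["soo_other_site"] = advertise_to_ce(pe1_route, ce_asn, site_soo="100:66") is not None
    return r


if __name__ == "__main__":
    for key, value in hub_and_spoke().items():
        print(f"{key}: {value}")
```

Two things worth noticing when running it: allowas-in is only safe because as-override keeps inflating the provider ASN count on every pass through the hub, so a leaked route eventually trips the limit; and SOO is what stops the multihomed case where the AS_PATH is identical on both PE/CE links and cannot distinguish the site.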
Selective Export
• A PE may have to export VRF routes with different route targets, for example to export management routes with a particular RT
• The export command accepts a route-map:
  the route-map is configured in the VRF
  route-map match or deny statements use an extended community list
Selective Export
Site-1 (192.168.0.5/32 and 192.168.50.0/24) is attached to the PE via its CE; the PE exports the two prefixes with different route targets:
• VPN-IPv4 update: RD:192.168.0.5/32, RT=100:3
• VPN-IPv4 update: RD:192.168.50.0/24, RT=100:4
  ip vrf odd
   rd 100:1
   export map RTMAP
   route-target import 100:3
  !
  … …
  !
  access-list 10 permit 192.168.0.5 0.0.0.0
  access-list 11 permit any
  !
  route-map RTMAP permit 10
   match ip address 10
   set extcommunity rt 100:3
  !
  route-map RTMAP permit 20
   match ip address 11
   set extcommunity rt 100:4
  !
Selective Import
• A PE may have to import routes based on criteria other than the Route Target alone
• The import command accepts a route-map:
  the route-map is configured in the VRF
  route-map match or deny statements select the routes
Selective Import
Site-1 (192.168.0.5/32, 192.168.50.0/24) is attached to the PE via its CE; the PE receives:
• VPN-IPv4 update: RD:192.168.30.3/32, RT=100:3
• VPN-IPv4 update: RD:192.168.30.0/24, RT=100:4
Only the prefix permitted by the import map is installed in the VRF:
  B    192.168.30.0 [200/0] via 192.168.0.7, 02:17:48
  ip vrf odd
   rd 100:1
   import map RTMAP
   route-target export 100:3
  !
  … …
  !
  access-list 10 permit 192.168.30.0
  !
  route-map RTMAP permit 10
   match ip address 10
  !
Extended route-maps
• Added support for extended communities in route-maps
• Route-map match/set statements:
  route-map <Name> permit 10
   [no] match extcommunity <1-99>
   [no] set extcommunity [rt|soo] <ASN:nn | IP-address:nn>
• Defining an extended community access list:
  [no] ip extcommunity-list 1 [permit|deny] [rt|soo] <ASN:nn | IP-address:nn>
Internet routing - VRF specific default route
• The PE installs a default route into the site VRF
• The PE router originates the CE routes towards the Internet
• The default route points to the Internet gateway router of the VPN backbone; it is possible to use different Internet gateways per VRF
• No VPN default route is allowed
MPLS VPN Topologies: Internet routing - VRF specific default route
• PE-IG holds the global routing table with the Internet routes; each PE holds the global routing table (Internet routes) plus its site VRFs (Site-1 routes, Site-2 routes)
• An IP packet from Site-1 with D=cisco.com: the destination is covered by the VRF default route 0.0.0.0/0 -> PE-IG, so the PE forwards the packet with Label=PE-IG to the Internet gateway
• Configuration on the PE:
  ip route vrf <Name> 0.0.0.0 0.0.0.0 <PE-IG address> global
Direct Import (RT intersection)
• eBGP-received prefixes are now added to the VRF table in the router thread itself
• The requirement to have a non-null intersection between RTs for every VRF has been removed
CE to CE convergence
• New BGP mechanisms are used to improve convergence time between sites: BGP update origination, validation and advertisement
• Other mechanisms improve the import and export processes
• BGP update next-hop validation (done by the scanner on the PE): scan-time adjustment
  BGP validates updates by verifying next-hop reachability (first rule of path selection)
  By default the next-hop validation is done once every 60 seconds
  New command that allows configuring the timer:
  bgp scan-time <5-60>
CE to CE convergence
• BGP update advertisement interval (defaults):
  eBGP updates are propagated once every 30 seconds
  iBGP updates are propagated once every 5 seconds
  The default can be changed on a per-neighbour basis:
  neighbor <ip_address> advertisement-interval <0-600>
• BGP import/export process (iBGP-learned routes into the VRF on the remote PE):
  By default import/export actions are performed once every 60 seconds
  Command to modify the timer:
  bgp scan-time import <5-60>
  The timer is configurable ONLY under address-family vpnv4
VRF Size Limit/Warning
• New VRF-level configuration command:
  (config-vrf)# maximum routes <number> { <warn-percent> | warn-only }
• When <warn-percent> of <number> is reached, a SYSLOG error message is issued
• If the number of routes in the VRF routing table reaches <number>, no more routes are added; a SYSLOG error message is issued when an attempt is made to add a route which is rejected, throttled to one message per V每F in 10 minutes
Agenda
• How MPLS VPN works
• What Code Is MPLS VPN In?
• Platform Issues in Implementation
• Lab Demo - config
What Code Is MPLS VPN In?
• Introduced in 12.0(5)T and 12.0(9)ST
• Also in 12.1 M and derivatives
• 12.0(15)SL and 12.0(17)ST for the ESR
Agenda
• How MPLS VPN works
• What Code Is MPLS VPN In?
• Platform Issues in Implementation
• Lab Demo - config
Things That Make Up MPLS-VPN
• MPLS Forwarding – ENG-59293
• TAG VPN Functional Spec – ENG 17513
• MPLS VPN on GSR E2 cards – ENG 59451, as a reference to a HW implementation
Software-based platforms
• If you are developing a new software-based platform (like 2600, 3600, 4500, etc.), it should be pretty simple
• Concentrate on testing different packet paths and interface types
Hardware-based platforms
• Label imposition: could be 0, 1 or 2 labels
• Label disposition (pop): need to deal with the aggregate label, very likely 2 lookups on the same packet
Label Imposition (Push)
Topology: CE1 on PE1 (directly adjacent to PE3), CE2 on PE2 (reached from PE3 through P1), CE3 and CE4 both on PE3.
• CE3 <-> CE4: PE3 imposes 0 labels and does a regular FIB lookup in the VRF table
• CE3 -> CE1: PE3 imposes 1 label (the VPN label); the IGP label is effectively PHP'd
• CE3 -> CE2: PE3 imposes 2 labels (IGP label towards PE2, VPN label)
• Explicit-null mitigates PHP
Label Disposition (Pop)
• The VPN advertises an "aggregate label" for scalability
• The aggregate label leads to 2 lookups on the egress PE (1 LIB, 1 FIB)
• The label lookup turns the aggregate label into a VRF; an IP lookup within that VRF is then necessary to figure out the correct L2 encapsulation
Aggregate Label
An IP packet with Dst=3.3.3.3 arrives at PE3 from PE1 carrying VPN label = 42 (CE1 -> PE1 -> PE3 -> CE3/CE4).
1. PE3 does an MPLS lookup on the VPN label and finds the outgoing VRF: Label 42 -> VRF Red
2. PE3 does an IP lookup in the VRF routing table, finds the L2 encapsulation and sends the packet: 3.3.3.0/24 -> POS1/0
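The imposition cases from the Label Imposition slide and the two-lookup disposition from the Aggregate Label slide, modelled in Python. This is an added example, not code from the original deck. The tables are constructed: PE3's VRF Red has a locally attached site (CE4), a site behind the directly adjacent PE1 (so the IGP label is PHP'd away) and a site behind PE2 reached through P1; the label values, prefixes and port names are illustrative. Label 3 is LDP's implicit-null (pop) and label 0 is explicit-null, as in the MPLS label specification.

```python
"""Label imposition on the ingress PE and aggregate-label disposition on the egress PE.

Added example, not from the original slides. Tables, labels, prefixes and ports are
constructed for the illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

IMPLICIT_NULL = 3    # LDP "pop": the penultimate hop removes the IGP label (PHP)
EXPLICIT_NULL = 0    # egress PE asked for an explicit-null label instead of PHP


@dataclass(frozen=True)
class VpnRoute:
    prefix: str
    next_hop_pe: Optional[str]   # None when the destination site is on this PE
    vpn_label: Optional[int]     # label advertised by the egress PE with the route
    port: Optional[str]          # local outgoing port for attached sites


def longest_match(table: Dict[str, object], dst: str):
    """Longest-prefix lookup of dst in {prefix: entry}; None if nothing covers it."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, entry in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, entry)
    return None if best is None else best[1]


class IngressPe:
    def __init__(self, vrfs: Dict[str, Dict[str, VpnRoute]], igp_lfib: Dict[str, int]) -> None:
        self.vrfs = vrfs            # vrf name -> {prefix: VpnRoute}
        self.igp_lfib = igp_lfib    # remote PE -> outgoing IGP label for that PE's loopback

    def impose(self, vrf_name: str, dst: str) -> Optional[List[int]]:
        """Label stack pushed for a packet to dst arriving on an interface in vrf_name
        (top of stack first); [] means plain IP forwarding, None means no route."""
        route = longest_match(self.vrfs[vrf_name], dst)
        if route is None:
            return None                        # the global table is never consulted for VRF traffic
        if route.next_hop_pe is None:
            return []                          # CE-to-CE on the same PE: FIB lookup in the VRF only
        igp_label = self.igp_lfib[route.next_hop_pe]
        if igp_label == IMPLICIT_NULL:
            return [route.vpn_label]           # next hop is the egress PE itself: VPN label only
        return [igp_label, route.vpn_label]    # IGP label (or explicit-null) over the VPN label


class EgressPe:
    def __init__(self, label_to_vrf: Dict[int, str], vrfs: Dict[str, Dict[str, str]]) -> None:
        self.label_to_vrf = label_to_vrf    # aggregate VPN label -> VRF (the LFIB lookup)
        self.vrfs = vrfs                    # vrf name -> {prefix: outgoing port} (the FIB lookup)

    def dispose(self, stack: List[int], dst: str):
        """Two lookups: the aggregate label only names a VRF, so the inner IP header is
        looked up in that VRF to find the port (and with it the L2 encapsulation)."""
        if stack and stack[0] == EXPLICIT_NULL:
            stack = stack[1:]                  # explicit-null carries nothing: pop it first
        if len(stack) != 1:
            return None                        # the IGP label should already have been PHP'd
        vrf_name = self.label_to_vrf.get(stack[0])
        if vrf_name is None:
            return None
        port = longest_match(self.vrfs[vrf_name], dst)
        return None if port is None else (vrf_name, port)


def build_pe3() -> IngressPe:
    red = {
        "10.4.0.0/24": VpnRoute("10.4.0.0/24", None, None, "Serial1/0"),   # CE4 on PE3
        "10.1.0.0/24": VpnRoute("10.1.0.0/24", "PE1", 42, None),           # CE1 behind PE1
        "10.2.0.0/24": VpnRoute("10.2.0.0/24", "PE2", 55, None),           # CE2 behind PE2 via P1
    }
    return IngressPe({"Red": red}, {"PE1": IMPLICIT_NULL, "PE2": 17})


def imposition_cases() -> dict:
    pe3 = build_pe3()
    r = {
        "ce3_to_ce4": pe3.impose("Red", "10.4.0.9"),    # 0 labels
        "ce3_to_ce1": pe3.impose("Red", "10.1.0.9"),    # 1 label: VPN label 42, IGP label PHP'd
        "ce3_to_ce2": pe3.impose("Red", "10.2.0.9"),    # 2 labels: IGP 17 over VPN 55
        "no_route": pe3.impose("Red", "10.9.0.1"),      # dropped
    }
    pe3.igp_lfib["PE1"] = EXPLICIT_NULL                 # PE1 now advertises explicit-null
    r["ce3_to_ce1_explicit_null"] = pe3.impose("Red", "10.1.0.9")
    return r


def disposition_cases() -> tuple:
    pe3 = EgressPe({42: "Red"}, {"Red": {"3.3.3.0/24": "POS1/0"}})
    return (pe3.dispose([42], "3.3.3.3"), pe3.dispose([0, 42], "3.3.3.3"),
            pe3.dispose([17, 42], "3.3.3.3"))
```

The `ce3_to_ce1_explicit_null` case is the "explicit-null mitigates PHP" bullet: with explicit-null the packet towards the adjacent PE still carries two labels, so the hardware forwarding path never has to special-case a one-label stack.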
Sizing Provider Edge (PE) Routers
• Platform-specific considerations
• QoS considerations
• CPU considerations
• PE memory considerations
Sizing Provider Edge (PE): CPU Considerations
Several factors determine CPU usage:
• Amount of provisioned QoS
• Number of provisioned VRFs
• Number of backbone BGP-4 peers
• PE to CE connectivity type
• Number of VPN clients/routes
• Packet forwarding: CEF vs. process switching
Platform Processor Types
Platform  Processor Type  Internal Clock Speed
NPE225    RM5271          262 MHz
NPE300    R7000           262 MHz
NPE400    R7000           350 MHz
RSP4      R5000           200 MHz
RSP8      R7000           250 MHz
GRP       R5000           200 MHz
Baseline (No Traffic) CPU Comparison
Small VPN: 500 VRFs (11 routes per VRF); platforms compared: NPE225 (262 MHz), NPE300 (262 MHz), NPE400 (350 MHz), RSP8 (250 MHz) (chart)
Sizing Provider Edge (PE): Memory Considerations
Several factors determine memory usage:
• Number of local VPN routes
• Number of remote VPN routes
• Number of provisioned VRFs
• Number of backbone BGP-4 peers (paths)
• Number of neighbours and type of connectivity
• Spread of the IP addressing structure
• Unique or non-unique RD allocation?
Sizing Provider Edge (PE): Memory Considerations
Several areas of memory usage: BGP memory, routing table, CEF, MPLS, IDB
Sizing Provider Edge (PE): BGP Memory
  ndc-brighton# show ip bgp v a s
  BGP router identifier 10.3.1.9, local AS number 2
  BGP table version is 21, main routing table version 21
  1 network entries and 2 paths using 189 bytes of memory
  2 BGP path attribute entries using 108 bytes of memory
  2 BGP AS-PATH entries using 48 bytes of memory
  1 BGP extended community entries using 24 bytes of memory
  0 BGP route-map cache entries using 0 bytes of memory
  0 BGP filter-list cache entries using 0 bytes of memory
  BGP activity 8/58 prefixes, 8/6 paths, scan interval 15 secs
Mp = (N * 128) + (P * 60) + (Pa * 24) + (Ec * 24)
  Mp = total memory used by the PE in bytes
  N  = number of BGP network entries
  P  = number of path entries
  Pa = number of AS_PATH entries
  Ec = number of extended community entries
Sizing Provider Edge (PE): Routing Table Memory
  ndc-brighton# show memory summary | include IP: Control Block
  0x60567BB0  33184  101  3351584  IP: Control Block
  ndc-brighton# show ip route vrf testing summary
  IP routing table name is testing(1)
  Source     Networks  Subnets  Overhead  Memory (bytes)
  connected  0         1        64        144
  External: 0 Internal: 0 Local: 0
  internal   1                            1164
  Total      1         1        64        1308
Each VRF consumes:
• 1 IP control block (33,184 bytes)
• 1 Network Descriptor Block (NDB) per route (64 bytes)
• 1 Routing Descriptor Block (RDB) per path (144 bytes)
Sizing Provider Edge (PE): MPLS Memory
  ndc-brighton# show memory allocating-process total | include TFIB tag_
  0x60DC5D54  8101672  125  TFIB tag_rewrite chunk
  0x60DC5DB4  4141564   64  TFIB tag_info chunk
  0x60DC5DA4    65540    1  TFIB tag_info chunk
  0x60DC5D44    65540    1  TFIB tag_rewrite chunk
  ndc-brighton# show memory allocating-process total | include TIB
  0x60FC7E10    24228  134  TIB entry
MPLS forwarding memory (TFIB) consumes one 'taginfo' (64 bytes) per route, plus one forwarding entry (104 bytes) for each path
Sizing Provider Edge (PE): IDB Memory
  ndc-brighton# show memory summary | include IDB
  0x602F88E8  4692  9  42228  *Hardware IDB*
  0x602F8904  2576  9  23184  *Software IDB*
Interface Description Block (IDB):
• Hardware IDB: 4692 bytes (one per physical interface)
• Software IDB: 2576 bytes (one per interface and per sub-interface)
Note: the amount of memory required differs from platform to platform
PE VRF Memory Sizing
Used memory (chart data points): 8,187,968 bytes with no VPN routes; 56,243,216 bytes; 69,631,904 bytes
VPN Memory Comparison (chart)
PE Memory Sizing Design Rules
• ~60-70 KB per VRF: 33 KB for the base VRF control block, the rest for CEF, TFIB overhead, IDBs and so on
• ~800-900 bytes per route (includes CEF, TFIB and RIB memory in BGP)
• Remember that IOS itself uses memory!
• Remember the Internet routes!
• Remember to leave transient memory: recommended to leave ~20 MB free
PE Memory Sizing Design Observations
• 128 MB platforms are very limited (NPE225 and 3640 are *NOT* suitable for a full Internet table plus VPNs!!!)
• 256 MB minimum recommended on PE devices
• Limit the number of RDs per VRF in the same VPN unless you require iBGP load balancing with RRs
VRF and Route Limits Summary
• VRF limits, constrained mainly by CPU:
  Between 500 and 1000 VRFs for static routing (depending on platform; 10 routes per VRF)
  Between 250 and 500 VRFs if using eBGP or RIPv2 (depending on platform; 500 routes per VRF)
• VPN and global route limits, constrained mainly by available memory:
  With 256 MB, 200,000 routes total (IPv4 and VPNv4)
  If the Internet table is present, this reduces the memory available for VPNs (current calculations are near 65 MB for 100K Internet routes, with tightly packed attributes)
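The memory sizing rules from the BGP Memory, Design Rules, Design Observations and Limits slides, turned into a small calculator. This is an added example, not code from the original deck. The constants are the figures the slides give (60-70 KB per VRF, 800-900 bytes per route, ~20 MB transient reserve, ~65 MB for 100K Internet routes, the 8,187,968-byte no-VPN baseline from the memory chart, and the Mp formula for the BGP table); the VRF and route counts fed to it are constructed, and the platform DRAM sizes are the 128 MB and 256 MB cases the slides discuss.

```python
"""PE memory estimate from the sizing rules on the preceding slides.

Added example, not code from the original deck. Constants come from the slides;
the scenario inputs (VRF and route counts) are constructed.
"""
MB = 1024 * 1024
IOS_BASELINE_BYTES = 8_187_968        # used memory with no VPN routes (memory-sizing chart)
PER_VRF_BYTES = (60_000, 70_000)      # VRF control block (~33 KB) plus CEF/TFIB/IDB overhead
PER_ROUTE_BYTES = (800, 900)          # CEF + TFIB + RIB memory per VPN route
TRANSIENT_RESERVE = 20 * MB           # keep this much free for transient allocations
INTERNET_TABLE_BYTES = 65 * MB        # ~100K Internet routes with tightly packed attributes


def bgp_table_bytes(n: int, p: int, pa: int, ec: int) -> int:
    """Mp = N*128 + P*60 + Pa*24 + Ec*24: network, path, AS_PATH and extended-community entries."""
    return n * 128 + p * 60 + pa * 24 + ec * 24


def estimate_bytes(vrfs: int, vpn_routes: int, internet_table: bool = False,
                   worst_case: bool = True) -> int:
    """Memory the PE is expected to use, without the transient reserve."""
    per_vrf = PER_VRF_BYTES[1] if worst_case else PER_VRF_BYTES[0]
    per_route = PER_ROUTE_BYTES[1] if worst_case else PER_ROUTE_BYTES[0]
    total = IOS_BASELINE_BYTES + vrfs * per_vrf + vpn_routes * per_route
    return total + INTERNET_TABLE_BYTES if internet_table else total


def fits(platform_mb: int, vrfs: int, vpn_routes: int, internet_table: bool = False) -> bool:
    """True when the worst-case estimate plus the reserve fits the platform's DRAM."""
    return estimate_bytes(vrfs, vpn_routes, internet_table) + TRANSIENT_RESERVE <= platform_mb * MB


def max_vpn_routes(platform_mb: int, vrfs: int, internet_table: bool = False) -> int:
    """Largest VPN route count that still leaves the reserve free, at the worst-case per-route cost."""
    budget = platform_mb * MB - TRANSIENT_RESERVE - estimate_bytes(vrfs, 0, internet_table)
    return max(0, budget // PER_ROUTE_BYTES[1])


def sizing_report() -> dict:
    small_vpn = dict(vrfs=500, vpn_routes=5_500)       # the "small VPN" case: 500 VRFs, 11 routes each
    return {
        "pe_128mb_small_vpn": fits(128, **small_vpn),
        "pe_128mb_small_vpn_plus_internet": fits(128, **small_vpn, internet_table=True),
        "pe_256mb_small_vpn_plus_internet": fits(256, **small_vpn, internet_table=True),
        "max_routes_256mb_200_vrfs": max_vpn_routes(256, 200),
        "max_routes_256mb_200_vrfs_with_internet": max_vpn_routes(256, 200, internet_table=True),
        "bgp_table_example": bgp_table_bytes(1, 2, 2, 1),
    }


if __name__ == "__main__":
    for key, value in sizing_report().items():
        print(f"{key}: {value}")
```

Run as is, the report reproduces the two observations on the slides: the small VPN alone fits a 128 MB PE, adding the Internet table does not, and a 256 MB PE clears the 200,000-route figure only while the Internet table is kept off it.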
Agenda
• How MPLS VPN works
• What Code Is MPLS VPN In?
• Platform Issues in Implementation
• Lab Demo - config
Core Topology (diagram)
VPN topology
Notes:
• VXR15, 16, 12, 11 are PEs
• VXR14, 13, 10, 9 are CEs
• All CEs have 192.168.1.x as their RID
• GSR6 is the VPNv4 RR