A company with several security-conscious departments that exchange data between their servers

The two typical uses for overlapping VPNs are as follows:
- Companies that use MPLS VPNs to implement both intranet and extranet services might use overlapping VPNs. In this scenario, each company participating in the extranet VPN would probably deploy a security mechanism on its customer edge (CE) routers to prevent other companies participating in the VPN from gaining access to other sites in the customer VPN.
- A security-conscious company might decide to limit visibility between different...

A route map can be configured in a VRF to make the route import more specific

All rights reserved. MPLS v2.1 6-4

Selective route import into a VRF allows you to narrow the route import criteria. Selective route import uses a route map that can filter the routes selected by the RT import filter. The routes imported into a VRF are Border Gateway Protocol (BGP) routes, so you can use match conditions in a route map to match any BGP attribute of a route. These attributes include communities, local preference, multi-exit discriminator (MED),...

Adding flexibility to client service selection

Cisco MPLS for Managed Shared Services eliminates many of the problems, such as inefficiency in resource utilization, high traffic loads, and management complexity, that are commonly associated with delivering advanced services to MPLS VPN customers. The Cisco MPLS technology incorporates features for more effectively managing shared IP services, delivering multicast-based services, and adding flexibility to client service selection. The Cisco...

Address families (routing protocol contexts) are used to configure these three tasks in the same BGP process

Independently of the MPLS VPN architecture, the PE router can use BGP IPv4 route updates to receive and propagate Internet routes in scenarios where the PE routers are also used to provide Internet connectivity to customers. The MPLS VPN architecture uses the BGP routing protocol in these two different ways:
- VPNv4 routes are propagated across an MPLS VPN backbone using MP-BGP between the PE routers.
- BGP can be used as the PE-CE routing protocol to exchange VPN routes between the PE routers and...

AllowAS-in: The Issue

- Not a usual setup (traffic between VPNs should not flow over the customer site)
- Sometimes used for enhanced security

In some security-conscious implementations, customer VPNs are linked by a customer router that performs security functions, such as access filtering or access logging.

Note: This setup is not usual because it deviates from the basic goal of MPLS VPN: replacing the hub-and-spoke routing of a traditional overlay VPN with optimum any-to-any routing.

Copyright 2004, Cisco Systems, Inc....

AllowAS-in: The Issue (Cont.)

- VPN perspective: VPN-A is connected to VPN-B via CE-BGP-A1.
- Physical topology: The CE router is connected to PE routers.
- MPLS VPN perspective: The CE router has two links into the P-network.
- BGP perspective: The CE router has two connections to AS 115.

The setup in which a customer router links two VPNs in an MPLS VPN backbone can be viewed from several different perspectives, as follows:
- From the VPN perspective, a CE router links two VPNs.
- From the physical perspective, the CE router is connected...

Alternatively, only the internal OSPF routes can be redistributed into MP-BGP on the PE routers

OSPF Router Types: Hidden Premises

The OSPF tag field is present only in the external OSPF routes (type 5 LSA or type 7 LSA). This technique, therefore, cannot detect cross-domain loops involving internal OSPF routes. Here are the two manual methods that you can use to overcome this OSPF limitation:
- You can set the tag field manually on the router that redistributes routes between OSPF domains, using the redistribute ospf source-process-id tag value command.
- The PE router can be configured to redistribute only internal OSPF routes...

Are CE routes received by the PE router?

- Verify with the show ip route vrf vrf-name command on PE-1.
- Perform traditional routing protocol troubleshooting if needed.

Troubleshooting routing information flow requires the verification of end-to-end routing information propagation between CE routers. The first step is to check the routing information exchange from CE routers to PE routers. Use the show ip route vrf vrf-name command to verify that the PE router receives customer...

Are routes redistributed into MP-BGP with proper extended communities?

- Verify with the show ip bgp vpnv4 vrf vrf-name ip-prefix command on PE-1.
- Troubleshoot with debug ip bgp commands.

The CE routes received by the PE router need to be redistributed into MP-BGP; otherwise, they will not get propagated to other PE routers. Common configuration mistakes in this step include the following:
- Failing to configure redistribution between the PE-CE routing protocol and the per-VRF routing context of BGP
- Using...

Are VPNv4 routes inserted into VRFs on PE-2?

- Verify with the show ip route vrf command.
- Troubleshoot with the show ip bgp ip-prefix and show ip vrf detail commands.
- Perform additional BGP troubleshooting if needed.

The VPNv4 routes received by the PE router have to be inserted into the proper VRF. This insertion can be verified with the show ip route vrf command. Common configuration mistakes in this step include the following:
- The wrong import RTs are configured in the VRF.
- The...

Are VPNv4 routes redistributed from BGP into the PE-CE routing protocol?

- Verify the redistribution configuration: is the IGP metric specified?
- Perform traditional routing protocol troubleshooting.

Finally, the BGP routes received via MP-BGP and inserted into the VRF need to be redistributed into the PE-CE routing protocol. A number of common redistribution mistakes can occur here, starting with missing redistribution metrics. Refer to the Building Scalable Cisco Internetworks (BSCI) and Cisco Internetwork...

AS-Override: AS-Path Prepending

router bgp 115
 address-family ipv4 vrf Customer_A
  neighbor 10.200.2.1 remote-as 213
  neighbor 10.200.2.1 activate
  neighbor 10.200.2.1 as-override

PE-Site-Y replaces all occurrences of AS 213 with AS 115 in the AS path, prepends another copy of AS 115 to the AS path, and propagates the prefix.

AS-Override: The Issue

The customer wants to reuse the same AS number on several sites:
- CE-BGP-A1 announces network 10.1.0.0/16 to PE-Site-X.
- The prefix announced by CE-BGP-A1 is propagated to PE-Site-Y as an internal route through MP-BGP.
- PE-Site-Y prepends AS 115 to the AS path and propagates the prefix to CE-BGP-A2.
- CE-BGP-A2 drops the update because AS 213 is already in the AS path.

Here are the two ways that an MPLS VPN customer can deploy BGP as the routing protocol between...

Assigning an Interface to a VRF Table

This topic describes how to assign an interface to a VRF table. This command associates an interface with the specified VRF. The existing IP address is removed from the interface when the interface is put into a VRF; the IP address must be reconfigured. CEF switching must be enabled on the interface.

 ip vrf forwarding Customer_ABC
 ip address 10.0.0.1 255.255.255.252

Can support all customer requirements, including a BGP session with the customer, accomplished through advanced BGP setup

Internet access implemented as a separate VPN has the following drawbacks:
- Full Internet routing cannot be carried inside a VPN; therefore, default routing toward the Internet gateways has to be used, potentially resulting in suboptimal routing.
  Note: With future MPLS VPN extensions (called recursive VPN, or the Carrier's Carrier model), even full Internet routing will be able to be propagated across a VPN.
- The Internet backbone is positioned...

CE routers run standard OSPF software

Here are the goals that have to be met by the OSPF superbackbone:
- The superbackbone shall not use standard OSPF-BGP redistribution.
- OSPF continuity must be provided between OSPF sites, as follows:
  - Internal OSPF routes must remain internal OSPF routes.
  - External OSPF routes must remain external OSPF routes.
  - Non-OSPF routes redistributed into OSPF must appear as external OSPF routes in OSPF.
  - OSPF metrics and metric types (external 1 or external 2) have to be preserved.
- The OSPF superbackbone shall...

Central Firewall Service Addressing

- All customers have to use coordinated addresses, which can also be private.
- The central firewall provides NAT for all customers.

The central firewall, hosted by the service provider, has to use public addresses for the Internet. Private addresses can be used between the central firewall and the individual customers. However, these addresses need to be coordinated between the service provider and the customers to prevent routing conflicts and overlapping...

Central Services VPN

- Clients need access to central servers.
- Servers can communicate with each other.
- Clients can communicate with all servers, but not with each other.

A central services VPN is a topology with the following characteristics:
- Some sites (server sites) can communicate with all other sites.
- All the other sites (client sites) can communicate only with the server sites.

This topology can be used in the following situations:
- The service provider...

Central Services VPN and Simple VPN Requirements

- Only A-Central and B-Central need access to central servers.
- This situation results in a combination of rules from overlapping VPN and central services VPN.

In this design, some of the customer sites need access to the central server. All other sites just need optimal intra-VPN access. The design is consequently a mixture of simple VPN topology and central services VPN topology.

Central Services VPN and Simple VPN Requirements (Cont.)

- For all sites participating in a simple VPN, configure a separate VRF per set of sites participating in the same VPNs per PE router.
- For sites that are only clients of central servers, create a VRF per site.
- Create one VRF for central servers per PE router.

When integrating a central services VPN with a simple VPN, you need one VRF per VPN for sites that have access to other sites in the customer VPN but no access to the central...

Classical Internet Access for a VPN Customer

- The VPN customer connects to the Internet only through a central site (or a few central sites).
- A firewall between the customer VPN and the Internet is deployed only at the central site.

Classical Internet access is implemented through a (usually central) firewall that connects the customer network to the Internet in a secure fashion. The private network of the customer (or VPN if the customer is using a VPN service) and the Internet are connected only...

Configuration of MP-IBGP Sessions

- Define a loopback interface that will serve as the BGP next hop for VPNv4 routes and as the source address for the IBGP session.
- Configure the remote PE router as the global BGP neighbor.
- Specify the source address for the TCP session.
- Activate the remote PE router for VPNv4 route exchange.
- Disable next-hop processing for VPNv4 route exchange. This action guarantees that the loopback 0 interface will always be the BGP next hop for VPNv4 routes propagated by this router to its MP-IBGP neighbors....

Configuring MP-IBGP

This topic describes how to configure MP-IBGP in an MPLS VPN environment.

 router bgp as-number
 neighbor ip-address remote-as as-number
 neighbor ip-address update-source interface-type interface-number

All MP-BGP neighbors have to be configured under global BGP routing configuration. MP-IBGP sessions have to run between loopback interfaces. The router bgp command starts configuration of MP-BGP routing for VPNv4 route exchange. The...

Configuring RDs in a Central Services and Simple VPN

- Configure a unique RD for every set of VRFs with unique membership requirements:
  - A-Spoke-1 and A-Spoke-2 can share the same RD.
  - B-Spoke-1 and B-Spoke-2 can share the same RD.
- Configure one RD for all central server VRFs.

For this design, you need two RDs per VPN, as follows:
- One RD for simple VPN sites (the same value should also be used for import and export RTs)
- One RD for the central services VRFs

Configuring Selective VRF Import (Cont.)

A configuration similar to this one could be used to accomplish the following:
- Deploy advanced MPLS VPN topologies (for example, a managed router services topology)
- Increase the security of an extranet VPN by allowing only predefined subnetworks to be inserted into a VRF, thus preventing an extranet site from inserting unapproved subnetworks into the extranet

Note: A similar function is usually not needed in an intranet scenario because all customer routers in an intranet are usually under common...

Data MDT: MDT group created on demand for mVPN (S,G) pairs, usually high-bandwidth traffic

VPN-aware multicast technology has introduced a new set of terminology. Multicast VPNs introduce multicast routing information to the VRF table. When a PE router receives multicast data or control packets from a CE router, forwarding is performed according to information in the multicast virtual routing and forwarding instance (MVRF). A set of MVRFs that can send multicast traffic to each other constitutes a multicast domain. For example, the multicast domain for a customer that wanted to send...

DHCP Relay: Shared DHCP Server

MPLS Implementation

- DHCP relay agent adds VPN information at PE router (cable or DSL headend Layer 2 access)
- Server assigns address based on option 82 data and replies

Typical network topology for a shared DHCP server involves bridged access to the remote location via DSL or cable modem...

Disabling IPv4 Route Exchange

This topic describes how to disable IPv4 route exchange in an MPLS VPN environment. The exchange of IPv4 routes between BGP neighbors is enabled by default; every configured neighbor will also receive IPv4 routes. This command disables the default exchange of IPv4 routes; neighbors that need to receive IPv4 routes have to be activated for IPv4 route exchange. Use this command when the same router carries Internet...

Displays labels allocated by an MPLS VPN for routes in the specified VRF

The following three commands can be used to display per-VRF FIB and LFIB structures:
- The show ip cef vrf command displays the VRF FIB.
- The show ip cef vrf detail command displays detailed information about a single entry in the VRF FIB.
- The show mpls forwarding vrf command displays all labels allocated to VPN routes in the specified VRF.

5-76 Implementing Cisco MPLS (MPLS) v2.1 Copyright 2004, Cisco Systems, Inc. The PDF files and any...

Example: Configuring VRFs in a Central Services and Simple VPN

The example shows a fraction of the configuration according to the RD and RT numbering scheme presented in the tables.

Example: DHCP Relay with a Corporate DHCP Server

In this two-VPN example, a corporate DHCP server and a DHCP client have been added to VPN-A. The client broadcasts a DHCP request to the local relay. The local relay converts the broadcast to a unicast request for the DHCP server and adds the VPN ID. This request is forwarded to the egress PE router based upon the DHCP server address. From the egress PE router, the request is forwarded to the DHCP server. The DHCP server assigns the client an address and replies to the DHCP relay, which in turn...

Example: MPLS VPN Network

The figure illustrates a configuration of the PE router in a sample network with two VPN customers. Customer A (with four sites) is using BGP and RIP as the provider edge-customer edge (PE-CE) routing protocol, and customer B (with two sites) is using only RIP. Both customers use private IP address space (subnetworks of network 10.0.0.0).

Example: NAT Implementation with Multiple NAT Pools

The figure presents an example of VPN-aware NAT configuration for two VPNs, A and B. NAT services are being configured on the PE router connected to the shared services. NAT pools are configured with the standard NAT configuration command ip nat pool. Only one NAT pool is required; however, in this example there are two pools, one for each VPN, to allow for easy address administration. The NAT pools are assigned to their respective VPNs using the ip nat inside pool command. NAT services are...

Example: Network Address Translation

The figure presents an example of VPN-aware NAT. CE-A1, CE-A2, CE-B1, and CE-B2 are clients in VRF-A and VRF-B. Packets from these clients destined for the shared service are routed to the inside interface of the NAT PE router over their respective VPNs. At the NAT PE router, the address translation process replaces the inside source address with the outside source address from the NAT table and forwards the packet to the shared service.

Example: Optimizing Packet Forwarding

Consider, for example, the network in the figure. This table indicates a typical flow for routing updates.

Process Steps for Routing Update Flow
- The PE router redistributes the OSPF route into MP-BGP.
- The route is propagated to other PE routers as an MP-BGP route.
- The route is also redistributed into other OSPF areas.
- The redistributed OSPF route is propagated across the OSPF area with the down bit set.
- The ingress PE router receives an MP-IBGP route with an administrative distance of 200 and...

Example: OSPF Down

OSPF developers took many precautions to avoid routing loops between OSPF areas; for example, intra-area routes are always preferred over interarea routes. These rules do not work when the superbackbone is introduced. Consider, for example, the network in the figure, where the receiving OSPF area has two PE routers attached to it. This table indicates the process steps that could produce a routing loop.

Process Steps in a Routing Loop
- The sending PE router receives an intra-area OSPF route.
- The...

Example: OSPF Tag Field

The routing loop in this network occurs as part of the steps outlined in this table.

Process Steps for Routing Loops Across OSPF Domains
- The PE router redistributes a non-OSPF route into an OSPF domain as an external route. The down bit is set because the route should not be redistributed back into MP-BGP.
- A CE router redistributes the OSPF route into another OSPF domain. The down bit is lost if the CE router does not understand this OSPF extension.
- The OSPF...

Example: OSPF Tag Field Routing Loop Prevention

This table lists the steps in this process.

Process Steps to Prevent Routing Loops
- A non-OSPF route is redistributed as an external OSPF route by a PE router. The tag field is set to the BGP AS number, and the down bit is set.
- The redistributed route is propagated across the OSPF domain.
- When the route is redistributed into another OSPF domain, the tag field is propagated, but the down bit is cleared.
- Another PE router receives the external OSPF route and...

Example: Sham Link

The figure illustrates the backdoor paths between VPN sites. If these sites belong to the same OSPF area, the path over a backdoor link will always be selected because OSPF prefers intra-area paths to interarea paths. (PE routers advertise OSPF routes learned over the VPN backbone as interarea paths.) For this reason, OSPF backdoor links between VPN sites must be taken into account so that routing is performed based on policy. Because each site runs OSPF within the same Area 1 configuration,...

Fast Switching and IP Multicast

Fast switching of IP multicast packets is enabled by default on all interfaces, including GRE and Distance Vector Multicast Routing Protocol (DVMRP) tunnels, with one exception: it is disabled and not supported over X.25-encapsulated interfaces. Note the following properties of fast switching:
- If fast switching is disabled on an incoming interface for a multicast routing table entry, the packet is sent at the process level for all interfaces in the outgoing interface list.
- If fast switching is...

For other routing protocols, the SOO attribute can be applied to routes learned through a particular VRF interface

Here are the two ways to set the SOO attribute on a BGP route:
- For routes received from BGP-speaking CE routers, the SOO attribute is configured by the incoming route map on the PE router.
- For all other routes, a route map setting the SOO attribute is applied to the incoming interface. The SOO attribute, as set by the route map, is attached to the BGP route when an IGP route received through that interface is redistributed into BGP.

Outgoing filters based on the SOO attribute also depend on the...

High-Bandwidth BGP Backbone

The implementation results in optimum packet flow.

Internet access as a separate VPN

Network designers who want to offer Internet access and MPLS VPN services in the same MPLS backbone can choose between these two major design models:
- Internet routing that is implemented through global routing on the provider edge (PE) routers
- Internet routing that is implemented as yet another VPN in the ISP network

Internet Access from Every Customer Site

Customers want to gain access to the Internet directly from every site.
- There is optimum traffic flow to and from Internet sites.
- Each site has to be secured against unauthorized Internet access.
- It is easier to achieve in extranet scenarios, because every site is already secured against other sites.

To bypass the limitations of Internet access...

Internet Access Through a Central Firewall Service

- An Internet access VPN is implemented as a central services VPN, resulting in no connectivity between customers.
- Connectivity between the central firewall and the Internet is implemented in the same way as for classical Internet access customers.

The central managed firewall service should be implemented with the central...

Internet Access Through a Dedicated Subinterface: Traffic Flow

Example: Internet Access Through a Dedicated Subinterface Traffic Flow

The Internet traffic flow in this setup is identical to the traditional Internet traffic flow: when a packet is received from the CE router through the Internet subinterface, a lookup is performed in the global Forwarding Information Base (FIB) on the PE router, and the packet is forwarded toward the BGP next hop.

Internet Access Through Central Firewall Service

MPLS Implementation

- Some customers want a service-provider-managed firewall to the Internet.
- Using a central firewall is the most cost-effective way to provide this service.

For customers who do not want the complexity of managing their own firewall, a managed firewall service offered by the service provider is a welcome relief. These customers typically want the service provider to take care of the security issues of their connection to the Internet. The service provider can...

ip route vrf

To establish static routes for a VRF, use the ip route vrf command in global configuration mode. To disable static routes, use the no form of this command.

 ip route vrf vrf-name prefix mask [next-hop-address] [interface interface-number] [global] [distance] [permanent] [tag tag]
 no ip route vrf vrf-name prefix mask [next-hop-address] [interface interface-number] [global] [distance] [permanent] [tag tag]

ip vrf sitemap

To set the SOO extended community attribute, use the ip vrf sitemap command in interface configuration mode. To delete the entry, use the no form of this command.

 ip vrf sitemap route-map-name
 no ip vrf sitemap route-map-name

This table describes the parameters for the ip vrf sitemap command.

Syntax           Description
route-map-name   Sets the name of the route map to be used.

Managed CE Routers

- Central server (NMS) needs access to the loopback addresses of all CE routers
- Very similar to central services and simple VPN
  - All of the CE routers participate in the central services VPN.
  - Only the loopback addresses of the CE routers need to be exported into the central services VPN.

If the service provider is managing the customer routers, it is convenient to have a central point that has access to all CE routers but does not have access to the...

Managed Services Overview

In modern networks, many end users have a need to connect to common services, such as email, DHCP servers, and so on. Typically, these services have been provided by individual enterprises as part of their network. Cisco MPLS for Managed Shared Services is a set of features delivered in Cisco IOS software for enabling managed shared services for MPLS VPNs. Building on leading Cisco MPLS capabilities, service providers now...

Module Self-Check

Use the questions here to review what you learned in this module. The correct answers and solutions are found in the Module Self-Check Answer Key.

Q1) In an MPLS VPN implementation, what is a VRF? (Source: Using MPLS VPN)
A) the routing and forwarding instance for all sites belonging to a single customer
B) the routing and forwarding instance for all sites belonging to a single customer location
C) the routing and forwarding instance for all sites using a common routing protocol
D) the routing and...

Monitoring an MP-BGP VPNv4 Table

This topic describes how to monitor an MP-BGP VPNv4 table.

show ip bgp vpnv4 vrf vrf-name
  Displays only BGP parameters (routes or neighbors) associated with the specified VRF. Any BGP show command can be used with these parameters.
show ip bgp vpnv4 rd route-distinguisher
  Displays only BGP parameters (routes or neighbors) associated with the specified RD.

The show ip bgp vpnv4 command displays IPv4 BGP information and VPNv4 BGP information. To display VPNv4 BGP information, use...

Monitoring Labels Associated with VPNv4 Routes

This topic describes how to monitor labels associated with VPNv4 routes.

 show ip bgp vpnv4 {all | rd value | vrf vrf-name} tags

Displays labels associated with VPNv4 routes.

   Network          Next Hop        In tag   Out tag
 Route Distinguisher: 100:1 (vrf1)
   2.0.0.0          10.20.0.60      34       notag
   10.0.0.0         10.20.0.60      35       notag
   12.0.0.0         10.20.0.60      26       notag
                    10.20.0.60      26       notag
   13.0.0.0         10.15.0.15      notag    26

You can use the show ip bgp vpnv4 tags...

Monitoring MP-BGP Sessions

This topic describes how to monitor MP-BGP sessions. This command displays global BGP neighbors and the protocols negotiated with these neighbors. The show ip bgp neighbors command is described in detail in Cisco IOS documentation. This command is used to monitor BGP sessions with other PE routers and the address families negotiated with these neighbors.

Monitoring MP-BGP Sessions: show ip bgp neighbors


Monitoring VRF Routing: show ip bgp vpnv4 vrf neighbors

Router# show ip bgp vpnv4 vrf SiteB neighbors
BGP neighbor is 150.1.32.34, vrf SiteB, remote AS 65032, external link
  BGP version 4, remote router ID 203.2.10.1
  BGP state = Established, up for 02:01:41
  Last read 00:00:56, hold time is 180, keepalive interval is 60 seconds
  Neighbor capabilities:
    Route refresh: advertised and received
    Address family IPv4 Unicast: advertised and received
  Received 549 messages, 0 notifications, 0 in queue
  Sent 646 messages, 0 notifications, 0 in queue
  Route refresh...

Monitoring VRF Routing: show ip protocols vrf

Router# show ip protocols vrf SiteX
Routing Protocol is "rip"
  Sending updates every 30 seconds, next due in 10 seconds
  Invalid after 180 seconds, hold down 180, flushed after 240
  Outgoing update filter list for all interfaces is
  Incoming update filter list for all interfaces is
  Redistributing: rip, bgp 3
  Default version control: send version 2, receive version 2
    Interface        Send  Recv  Triggered RIP  Key-chain
    192.168.22.0
  Routing Information Sources:
    Gateway         Distance      Last Update

The show ip protocols...

Multicast VPNs Today: Data MDT

- A high-bandwidth source for the customer starts sending traffic.
- Interested receivers 1 and 2 join that high-bandwidth source.
- A data MDT is formed for this high-bandwidth source.

Multicast VPNs also support the dynamic creation of MDTs for high-bandwidth transmission. Data MDTs are a feature unique to Cisco IOS software. Data MDTs are intended for high-bandwidth sources, such as full-motion video inside the VPN, to ensure optimal traffic forwarding in the MPLS VPN core. The threshold at which...

Multicast VPNs Today: Default MDT

- Customer CE devices join the MPLS core through provider PE devices.
- The MPLS core forms a default MDT for a given customer.

Multicast VPNs establish a static default multicast distribution tree (MDT) for each multicast domain. The default MDT defines the path used by PE routers to send multicast data and control messages to every other PE router in the multicast domain.

Example: Multicast VPNs Default MDT

In the example, a...

Multicast VPNs Today Solution Concept

P and PE routers must be multicast-enabled. Global multicast routing tables are created in the provider network. Globally, PE routers are configured to run PIM (global instance) with adjacent P routers. Multicast-enabled VPNs have a VPN multicast routing table (MVRF). There is no requirement to run...

Network Address Translation Implementation

- The inside interface can be any type of interface (both MPLS and non-MPLS).
- The outside interface can be part of a VRF or a regular generic physical or logical interface.
- MPLS label switching cannot be enabled on these interfaces.

NAT can be configured on one or more PE routers for redundancy.

- The shared service does not need to be physically connected to the PE device performing NAT.

NAT will inspect all traffic routed VRF to VRF or VRF to global routing table. VPN-aware NAT maintains...

Network Address Translation Today

MPLS Implementation

- Leased links and router ports for Internet connectivity
- Operations expenses and manageability of NAT
- No revenues for service providers for NAT services or other shared services

In modern MPLS networks, enterprises have to pay for leased links and router ports for Internet connectivity in addition to VPN connectivity, and also the operational expenses associated with internally managing NAT. While service providers can currently provide NAT services to...

No other set operations can be performed by this route map

Some advanced MPLS VPN topologies are easiest to implement if you can attach a variety of RTs to routes exported from the same VRF. This capability allows only a subset of the routes exported from a VRF to be imported into another VRF. Most services in which customer routers need to connect to a common server (for example, network management stations, voice gateways, and application servers) fall into this category. The export route map function provides exactly this functionality. A route map...

Non-BGP Route Propagation Outbound

RIP-speaking CE routers announce their prefixes to the PE router via RIP. The instance of the RIP process associated with the VRF to which the PE-CE interface belongs collects the routes and inserts them into the VRF routing table. RIP-speaking CE routers identify the correct instance of RIP on the PE router when an inbound PE interface is associated with a VRF. This association allows CE routers to announce their networks to the appropriate per-VRF routing table.

Note: Because of current limitations with route redistribution, backdoor links are not supported

Network Routing Table Explained

MPLS VPN support for EIGRP between PE and CE provides EIGRP with the capability to redistribute routes through a BGP VPN cloud. This feature is configured only on PE routers, requiring no upgrade or configuration changes to customer equipment. This feature also introduces EIGRP support for MPLS and BGP extended community attributes. Note: Because of current limitations with route redistribution, backdoor links are not supported. If a backdoor link is implemented, it may become active and...

On-Demand Address Pools: Address Pool Management

The end station makes the DHCP request. The DHCP server fulfills requests from the pool until the pool reaches 90 percent utilization. The ODAP pool manager requests expansion. The server allocates another subnetwork and replies. The PE router adds the routing information for the new subnetwork to the VRF. The PE router will honor DHCP requests and assign addresses until its address pool is 90 percent depleted. At this point, the PE router will request an extension of the...

On-Demand Address Pools: IP Address Management Today

Today, service providers face the following challenges concerning efficient management of IP address space for customers: address management is independent but inefficient. Providers need to manage addresses manually and allocate them to RADIUS or DHCP servers. Once site thresholds are reached, new addresses have to be manually allocated.

Only RIPv2 is supported

Configuring RIP as the PE-CE routing protocol is even easier than configuring BGP. Start the configuration of an individual routing context with the address-family ipv4 vrf vrf-name command in router configuration mode. You can enter all standard RIP parameters in the per-VRF routing context. Global RIP parameters entered in the scope of RIP router configuration are inherited by each routing context and can be overwritten if needed in each routing context. Note: Only RIP version 2 (RIPv2) is...

Optimizing Packet Forwarding Across the MPLS VPN Backbone (Cont.)

With the new OSPF route selection rules in place, the packet forwarding in the network shown in the figure follows the desired path. The process steps are described in this table. Process Steps for Optimizing Packet Forwarding: The OSPF route is redistributed into MP-BGP by a PE router and propagated to other PE routers. The receiving PE routers redistribute the MP-BGP route into OSPF. Other PE routers might receive the MP-BGP and OSPF routes but will ignore the OSPF route for routing purposes...

OSPF Hierarchical Model

OSPF divides a network into areas, all of them linked through the backbone (Area 0). Areas could correspond to individual sites from an MPLS VPN perspective. The OSPF routing protocol was designed to support hierarchical networks with a central backbone. The network running OSPF is divided into areas. All areas have to be directly connected to the backbone area (Area 0). The whole OSPF network (backbone area and any other connected areas) is called the OSPF domain. The OSPF areas in the...

OSPF in an MPLS VPN Routing Model

From the customer perspective, an MPLS VPN-based network has a BGP backbone with IGP running at customer sites. Redistribution between IGP and BGP is performed to propagate customer routes across the MPLS VPN backbone. The MPLS VPN routing model introduces a BGP backbone into the customer network. Isolated copies of IGP run at every site, and MP-BGP is used to propagate routes between sites. Redistribution between customer IGP running between PE routers and CE routers and the backbone MP-BGP,...

OSPF Superbackbone: OSPF-BGP Hierarchy Issue

OSPF Area 0 might extend into individual sites. The MPLS VPN backbone has to become a superbackbone for OSPF. The MPLS VPN architecture extends the OSPF architecture by introducing another backbone above OSPF Area 0, the superbackbone. The OSPF superbackbone is implemented with MP-BGP between the PE routers but is otherwise completely transparent to the OSPF routers. The architecture even allows disjointed OSPF backbone areas (Area 0) at MPLS VPN customer...

PE Router

[Figure: PE router with VRF-A routing table and BGP routing process]

Two VPNs are attached to the same PE router. Each VPN is represented by a VRF. This figure and the following figures illustrate the interactions between VRF instances of routing processes, VRF routing tables, and the global VPNv4 BGP routing process.

PE routers never redistribute OSPF routes with the down bit set into MP-BGP

The following two mechanisms were introduced to prevent route redistribution loops between OSPF (running between PE and CE routers) and MP-BGP running between PE routers: One of these mechanisms is the BGP Site of Origin (SOO), which is covered in the Introducing MPLS VPN Routing Model lesson of the MPLS Virtual Private Network Technology module and detailed further in the Configuring BGP as the Routing Protocol Between PE and CE Routers lesson of the MPLS VPN Implementation module. The other...

Redundant Internet Access

Multiple CE-Internet routers can be used for redundancy:
- All CE-Internet routers advertise the default route.
- The Internet VPN will recover from a CE-Internet router failure.
- The preferred default route can be indicated via the MED attribute.

The default route should be advertised conditionally to achieve higher resilience. Redundant Internet access is easy to achieve when the Internet service is implemented as a VPN in the MPLS VPN backbone, as described here: Multiple Internet gateways (acting as CE...

Redundant Internet Access (Cont.)

ip route 0.0.0.0 0.0.0.0 172.16.0.1
router bgp 2
 network 0.0.0.0
 neighbor 10.0.0.1 remote-as 1             ! PE router neighbor
 neighbor 172.17.1.1 remote-as 2           ! Another Inet router neighbor
 neighbor 172.17.1.1 prefix-list NoDef out
ip prefix-list DefOnly permit 0.0.0.0/0
ip prefix-list NoDef permit 0.0.0.0/0 ge 1

The figure shows a sample configuration of a CE-Internet router with conditional default route advertisement. Router CE-Inet-A...

Route Propagation Inbound

VPNv4 prefixes are received from other PE routers. The VPNv4 prefixes are inserted into proper VRF routing tables based on their route targets and import route targets configured in VRFs. The route distinguisher is removed during this process. As other PE routers start originating VPNv4 routes, the MP-BGP process in the PE router here receives the routes. The routes are filtered based on RT attributes attached to them, and are inserted into the proper per-VRF IP routing tables based on the...

Route Propagation Inbound (Cont.)

MP-IBGP routes imported into a VRF are redistributed into the instance of RIP configured for that VRF. Redistribution between BGP and RIP has to be configured for end-to-end RIP routing between CE routers. The MP-IBGP routes, although they are inserted in the per-VRF IP routing table, are not propagated to RIP-speaking CE routers automatically. To propagate these MP-IBGP routes to the RIP-speaking CE routers, you must manually...

Routes from Area 0 at one site appear as interarea routes in Area 0 at another site

Here is a summary of the OSPF superbackbone rules:
- PE routers advertise themselves as ABRs.
- The superbackbone appears as another area to the CE routers.
- Routes redistributed into MP-BGP from OSPF will appear as interarea routes in other OSPF sites if the original route was an intra-area or interarea route, and as external routes if the original route was an external route.

As a consequence of the second rule, routes from the backbone...

Set extcommunity

To set the extended communities attribute, use the set extcommunity command in route map configuration mode. To delete the entry, use the no form of this command.

set extcommunity {rt extended-community-value [additive] | soo extended-community-value}
set extcommunity extcommunity-type community-number [additive]
no set extcommunity extcommunity-type community-number [additive]

Show cef interface

To display detailed CEF information for all interfaces, use the show cef interface command in EXEC mode:

show cef interface [type number] [statistics] [detail]

This table describes the parameters for the show cef interface command.

| Parameter   | Description |
|-------------|-------------|
| type number | Displays interface type and number for CEF information. |
| statistics  | (Optional) Displays switching statistics for the line card. |
| detail      | (Optional) Displays detailed CEF information for the specified interface type and number. |

Show ip bgp neighbors

To display information about the TCP and BGP connections to neighbors, use the show ip bgp neighbors command in EXEC mode:

show ip bgp neighbors [neighbor-address] [received-routes | routes | advertised-routes | paths [regexp] | dampened-routes]

This table describes the parameters for the show ip bgp neighbors command.

| Parameter        | Description |
|------------------|-------------|
| neighbor-address | (Optional) Address of the neighbor whose routes you have learned from. If you omit this argument, all neighbors will be displayed. |
| received-routes  | (Optional) Displays all received routes (both accepted and... |

Show ip bgp vpnv4

To display VPN address information from the BGP table, use the show ip bgp vpnv4 command in EXEC mode:

show ip bgp vpnv4 {all | rd route-distinguisher | vrf vrf-name} [ip-prefix/length [longer-prefixes] [output-modifiers]] [network-address [mask] [longer-prefixes] [output-modifiers]] [cidr-only] [community] [community-list] [dampened-paths] [filter-list] [flap-statistics] [inconsistent-as] [neighbors] [paths [line]] [peer-group] [quote-regexp] [regexp] [summary] [labels]

This table describes the parameters for the show ip bgp vpnv4 command....

Show ip bgp vpnv4 rd route-distinguisher

To display all VPNv4 routes that contain a specified RD, use the show ip bgp vpnv4 rd command in privileged EXEC mode:

show ip bgp vpnv4 rd route-distinguisher [ip-prefix/length [longer-prefixes] [output-modifiers]] [network-address [mask] [longer-prefixes] [output-modifiers]] [cidr-only] [community] [community-list] [dampened-paths] [filter-list] [flap-statistics] [inconsistent-as] [paths [line]] [quote-regexp] [regexp] [summary] [tags]

This table describes the syntax for the show ip bgp vpnv4 rd route-distinguisher command....

Show ip bgp vpnv4 vrf neighbors

To display BGP neighbors configured in a VRF, use the show ip bgp vpnv4 vrf neighbors command in privileged EXEC mode:

show ip bgp vpnv4 {all | vrf vrf-name} neighbors

This table describes the parameters for the show ip bgp vpnv4 vrf neighbors command.

| Parameter    | Description |
|--------------|-------------|
| all          | Displays the complete VPNv4 database. |
| vrf vrf-name | Displays neighbors associated with the named VRF. |
| neighbors    | Displays details about TCP and BGP neighbor connections. |

Show ip protocols vrf

To display the routing protocol information associated with a VRF, use the show ip protocols vrf command in EXEC mode:

show ip protocols vrf vrf-name

This table describes the parameters for the show ip protocols vrf command.

Show ip vrf

To display the set of defined VRFs and associated interfaces, use the show ip vrf command in EXEC mode:

show ip vrf [brief | detail | interfaces] [vrf-name] [output-modifiers]

This table describes the parameters for the show ip vrf command.

| Parameter  | Description |
|------------|-------------|
| brief      | (Optional) Displays concise information on the VRF (or VRFs) and associated interfaces. |
| detail     | (Optional) Displays detailed information on the VRF (or VRFs) and associated interfaces. |
| interfaces | (Optional) Displays detailed information about all interfaces bound to a particular VRF or... |

Show mpls forwarding vrf

To display label-forwarding information for advertised VRF routes, use the show mpls forwarding vrf command in EXEC mode. To disable the display of label-forwarding information, use the no form of this command.

show mpls forwarding vrf vrf-name [ip-prefix/length [mask]] [detail] [output-modifiers]
no show mpls forwarding vrf vrf-name [ip-prefix/length [mask]] [detail] [output-modifiers]

This table describes the parameters for the show mpls forwarding vrf command. Syntax Description: Displays NLRI prefixes...

Simple setup using overlapping VPNs

The customer and Internet routes are imported into the customer VRF. All customer routes are exported into the customer VPN. The public customer routes are exported into the Internet VPN. Internet access from every customer site is best implemented with an overlapping VPN solution, as described here: Customer routes are marked with a customer-specific (customer) route target (RT). Internet routes are marked with a special (Internet)...

Some customers would like to optimize traffic flow and gain access to the Internet from every site

The traffic flow issue becomes even more pronounced when the customer VPN (based on, for example, MPLS VPN services) and the Internet traffic share the same service provider backbone. In this case, the traffic from a customer site may have to traverse the service provider backbone as VPN traffic, pass through the corporate firewall, and then re-enter the same backbone, ending up at a server very close to the original site. Based on this analysis, the drawbacks of...

Summary (Cont.)

PE routers have to ignore all OSPF routes with the down bit set. This is because these routes originated in the MP-BGP backbone, and the MP-BGP route should be used as the optimum route toward the destination. The OSPF tag field prevents routing loops of external routes between different OSPF domains. The tag field is set to the AS number of the originating MP-BGP router so that the route is rejected if it returns to that AS. A sham link is required between any two VPN sites that belong to the same OSPF area and share an...

Syntax Description

| Parameter | Description |
|-----------|-------------|
| import route-target-ext-community | VPNv4 routes that contain an extended community value matching the route-target-ext-community field will be imported into the VRF. |
| export route-target-ext-community | The value in the route-target-ext-community field will be inserted into the extended community for routes exported from the VRF to VPNv4. |
| both route-target-ext-community | Sets the value used by both the import and export process to the value indicated in the route-target-ext-community field. |
| route-target-ext-community | The RT extended community attribute for the VRF. |

The forwarding information from the MP-BGP route is used

A cost is configured with each sham link. This cost is used to decide whether traffic will be sent over the backdoor path or the sham-link path. When a sham link is configured between PE routers, the PE routers can populate the VRF routing table with the OSPF routes learned over the sham link. Because the sham link is seen as an intra-area link between PE routers, an OSPF adjacency is created and database exchange (for the particular OSPF process) occurs across the link. The PE router can then...

This setup could lead to security leaks because global packets could end up in VPN space

In situations where the cost factor prohibits separate physical links for VPN and Internet traffic, subinterfaces can be used to create two logical links over a single physical link. Subinterfaces can be configured only on WAN links using Frame Relay or ATM encapsulation (including xDSL) and on LAN links using any VLAN encapsulation, Inter-Switch Link Protocol (ISL) or 802.1Q. For all other encapsulation types, a tunnel interface can be...

Two addressing options

Every CE router performs NAT functionality; a small part of the public address space has to be assigned to each CE router. Alternatively, the customer uses only public IP addresses in the private network (not realistic for many customers). To gain Internet access from every site, each site requires at least some public IP addresses. The following two methods can be used to achieve this goal: A small part of public address space can be assigned to each customer site. NAT between the private IP addresses and the...

Usage Guidelines

This command is available on routers that have route processor (RP) cards and line cards. The detail keyword displays more CEF information for the specified interface. You can use this command to show the CEF state on an individual interface.

Validating CEF Status

Is CEF enabled on the ingress PE router interface? Verify with the show cef interface command. MPLS VPN needs CEF enabled on the ingress PE router interface for proper operation. CEF might become disabled because of additional features deployed on the interface. One of the most common configuration mistakes related to data flow is the failure to enable CEF on the ingress PE router interface. The presence of CEF can be verified with the...

Validating the End-to-End Label Switched Path

- Is there an end-to-end LSP tunnel between PE routers? Check summarization issues: the BGP next hop should be reachable as a host route.
- Quick check: if TTL propagation is disabled, the trace from PE-2 to PE-1 should contain only one hop.
- If needed, check LFIB values hop by hop.
- Check for MTU issues on the path: MPLS VPN requires a larger label header than pure MPLS.

If...

Volume

Using MPLS VPN Mechanisms of Cisco IOS Platforms
What Is a Virtual Routing and Forwarding Table
What Is the Need for Routing Protocol Contexts
What Are VPN-Aware Routing Protocols
Example: BGP Route Propagation Outbound
Propagating Non-BGP Routes Outbound
What Are the VRF Configuration Tasks
Creating VRF Tables and Assigning RDs
Assigning an Interface to a VRF Table
Typical Configuration to Enable VRFs
Configuring an MP-BGP Session Between PE Routers...