A company with several security-conscious departments that exchange data between their servers

The two typical uses for overlapping VPNs are as follows: Companies that use MPLS VPNs to implement both intranet and extranet services might use overlapping VPNs. In this scenario, each company participating in the extranet VPN would probably deploy a security mechanism on its customer edge (CE) routers to prevent other companies participating in the VPN from gaining access to other sites in the customer VPN. A security-conscious company might decide to limit visibility between different...

A route map can be configured in a VRF to make the route import more specific

All rights reserved. MPLS v2.1 6-4 Selective route import into a VRF allows you to narrow the route import criteria. Selective route import uses a route map that can filter the routes selected by the RT import filter. The routes imported into a VRF are Border Gateway Protocol (BGP) routes, so you can use match conditions in a route map to match any BGP attribute of a route. These attributes include communities, local preference, multi-exit discriminator (MED),...

A separate link for Internet access is a perfect match for this customer type

The classical Internet access setup for a VPN customer is based on a separated Internet access design model. This design model is thus a perfect match for customers looking for classical Internet access service. 7-30 Implementing Cisco MPLS (MPLS) v2.1 Copyright 2004, Cisco Systems, Inc. The PDF files and any printed representation for this material are the property of Cisco Systems, Inc., for the sole use by Cisco employees for personal study. The files or printed representations may not be...

Adding flexibility to client service selection

Cisco MPLS for Managed Shared Services eliminates many of the problems, such as inefficiency in resource utilization, high traffic loads, and management complexity, commonly associated with delivering advanced services to MPLS VPN customers. The Cisco MPLS technology incorporates features for more effectively managing shared IP services, delivering multicast-based services, and adding flexibility to client service selection. The Cisco...

Address families (routing protocol contexts) are used to configure these three tasks in the same BGP process

Independently from the MPLS VPN architecture, the PE router can use BGP IPv4 route updates to receive and propagate Internet routes in scenarios where the PE routers are also used to provide Internet connectivity to customers. The MPLS VPN architecture uses the BGP routing protocol in these two different ways: VPNv4 routes are propagated across an MPLS VPN backbone using MP-BGP between the PE routers. BGP can be used as the PE-CE routing protocol to exchange VPN routes between the PE routers and...

address-family

To enter the address family submode for configuring routing protocols, such as BGP, RIP, and static routing, use the address-family command in global configuration mode. To disable the address family submode for configuring routing protocols, use the no form of this command.
address-family vpnv4 unicast
no address-family vpnv4 unicast
address-family ipv4 unicast
no address-family ipv4 unicast
IPv4 unicast with CE router:
address-family ipv4 unicast vrf vrf-name
no address-family ipv4 unicast vrf...

address-family ipv4

To enter address family configuration mode for configuring routing sessions (such as BGP) that use standard IPv4 address prefixes, use the address-family ipv4 command in router configuration mode. To disable address family configuration mode, use the no form of this command.
address-family ipv4 [multicast | unicast | vrf vrf-name]
no address-family ipv4 [multicast | unicast | vrf vrf-name]
This table describes the parameters for the address-family ipv4 command. Syntax Description: (Optional) Specifies IPv4...

Advanced VRF Features

This feature allows you to specify additional criteria for importing routes into the VRF. This feature allows you to specify additional RTs attached to exported routes. This feature allows you to specify the maximum number of routes in a VRF to prevent memory exhaustion on PE routers or denial-of-service attacks. These advanced VRF features allow you to deploy advanced MPLS VPN topologies or increase the stability of the MPLS VPN...

All Internet routes are carried as VPN routes; full Internet routing cannot be implemented because of scalability

The major benefit of implementing Internet access as a separate VPN is increased isolation between the provider backbone and the Internet, which results in increased security. The flexibility of MPLS VPN topologies also provides for some innovative design options that allow the service providers to offer services that were simply not possible to implement with pure IP routing. The obvious drawback of running the Internet as a VPN in...

All non-BGP per-VRF routes have to be redistributed into the per-VRF BGP context to be propagated by MP-BGP to other PE routers

Select the VRF routing context with the address-family ipv4 vrf vrf-name command in the RIP and BGP routing processes. All per-VRF routing protocol parameters (network numbers, passive interfaces, neighbors, filters, and so on) are configured under this address family. Note: Common parameters defined in router configuration mode are inherited by all address families defined for this routing process and can be overridden for each...

Allowas-in: The Issue

Not a usual setup (traffic between VPNs should not flow over the customer site). Sometimes used for enhanced security. In some security-conscious implementations, customer VPNs are linked by a customer router that performs security functions, such as access filtering or access logging. Note: This setup is not usual because it deviates from the basic goal of MPLS VPN, replacing the hub-and-spoke routing of a traditional overlay VPN with optimum any-to-any routing.

Allowas-in: The Issue (Cont.)

VPN perspective: VPN-A is connected to VPN-B via CE-BGP-A1. Physical topology: The CE router is connected to PE routers. MPLS VPN perspective: The CE router has two links into the P-network. BGP perspective: The CE router has two connections to AS 115. The setup in which a customer router links two VPNs in an MPLS VPN backbone can be viewed from several different perspectives, as follows: From the VPN perspective, a CE router links two VPNs. From the physical perspective, the CE router is connected...

Alternatively, only the internal OSPF routes can be redistributed into MP-BGP on the PE routers

OSPF Router Types: Hidden Premises

The OSPF tag field is present only in the external OSPF routes (type 5 LSA or type 7 LSA). This technique, therefore, cannot detect cross-domain loops involving internal OSPF routes. Here are the two manual methods that you can use to overcome this OSPF limitation: You can set the tag field manually on the router redistributing routes between OSPF domains, using the redistribute ospf source-process-id tag value command. The PE router can be configured to redistribute only internal OSPF routes...

Are CE routes received by the PE router?

Verify with the show ip route vrf vrf-name command on PE-1. Perform traditional routing protocol troubleshooting if needed. Troubleshooting routing information flow requires the verification of end-to-end routing information propagation between CE routers. The first step is to check the routing information exchange from CE routers to PE routers. Use the show ip route vrf vrf-name command to verify that the PE router receives customer...

Are large labeled packets propagated across the MPLS backbone (maximum transmission unit issues)?

Before you start in-depth MPLS VPN troubleshooting, you should ask the following standard MPLS troubleshooting questions: Is CEF enabled on all routers in the transit path between the PE routers? Are labels for BGP next hops generated and propagated? Are there any maximum transmission unit (MTU) issues in the transit path (for example, LAN switches not supporting a jumbo Ethernet frame)? MPLS VPN troubleshooting consists of these two major steps: Verifying the routing information flow using the...

Are routes redistributed into MP-BGP with proper extended communities?

Verify with the show ip bgp vpnv4 vrf vrf-name ip-prefix command on PE-1. Troubleshoot with debug ip bgp commands. The CE routes received by the PE router need to be redistributed into MP-BGP; otherwise, they will not get propagated to other PE routers. Common configuration mistakes in this step include the following: Failing to configure redistribution between the PE-CE routing protocol and the per-VRF routing context of the BGP. Using...

Are VPNv4 routes inserted into VRFs on PE-2?

Verify with the show ip route vrf command. Troubleshoot with the show ip bgp ip-prefix and show ip vrf detail commands. Perform additional BGP troubleshooting if needed. The VPNv4 routes received by the PE router have to be inserted into the proper VRF. This insertion can be verified with the show ip route vrf command. Common configuration mistakes in this step include the following: The wrong import RTs are configured in the VRF. The...

Are VPNv4 routes propagated to other CE routers?

Verify with the show ip route command on the CE spoke. Alternatively, do CE spokes have a default route toward PE-2? Perform traditional routing protocol troubleshooting if needed. Last but not least, the routes redistributed into the PE-CE routing protocol have to be propagated to CE routers. You may also configure the CE routers with a default route toward the PE routers (see note). Use standard routing protocol troubleshooting...

Are VPNv4 routes redistributed from BGP into the PE-CE routing protocol?

Verify the redistribution configuration: is the IGP metric specified? Perform traditional routing protocol troubleshooting. Finally, the BGP routes received via MP-BGP and inserted into the VRF need to be redistributed into the PE-CE routing protocol. A number of common redistribution mistakes can occur here, starting with missing redistribution metrics. Refer to the Building Scalable Cisco Internetworks (BSCI) and Cisco Internetwork...

AS-path-based BGP loop prevention is bypassed with the AS-override and allowas-in features

Most aspects of BGP loop prevention are bypassed when either the AS-override feature or the allowas-in feature is used. The routing information loops can still be detected by manually counting occurrences of an AS number in the AS path in an end-to-end BGP routing scenario and then ensuring that the number field in the neighbor allowas-in command is set low enough to prevent loops. The ability to still detect loops can present a particular problem when BGP is...

AS-Override: AS-Path Prepending

router bgp 115
 address-family ipv4 vrf Customer_A
  neighbor 10.200.2.1 remote-as 213
  neighbor 10.200.2.1 activate
  neighbor 10.200.2.1 as-override
PE-Site-Y replaces all occurrences of AS 213 with AS 115 in the AS path, prepends another copy of AS 115 to the AS path, and propagates the prefix.

AS-Override: The Issue

The customer wants to reuse the same AS number on several sites. CE-BGP-A1 announces network 10.1.0.0/16 to PE-Site-X. The prefix announced by CE-BGP-A1 is propagated to PE-Site-Y as an internal route through MP-BGP. PE-Site-Y prepends AS 115 to the AS path and propagates the prefix to CE-BGP-A2. CE-BGP-A2 drops the update because AS 213 is already in the AS path. Here are the two ways that an MPLS VPN customer can deploy BGP as the routing protocol between...

Assign interfaces to VRFs

Configuring a VRF table and starting deployment of an MPLS VPN service for a customer consists of these four mandatory steps: Assign a unique RD to the VRF. Note: You must assign a unique RD to every VRF created in a PE router. The same RD might be used in multiple PE routers, based on customer connectivity requirements. The same RD should be used on all PE routers for simple VPN service. Specify import and export RTs for the VRF. Note: Import and...

Assigning an Interface to a VRF Table

This topic describes how to assign an interface to a VRF table. This command associates an interface with the specified VRF. The existing IP address is removed from the interface when the interface is put into a VRF; the IP address must be reconfigured. CEF switching must be enabled on the interface.
ip vrf forwarding Customer_ABC
ip address 10.0.0.1 255.255.255.252

Benefits

The classical design is a simple, well-known setup. Only a single point needs to be secured. Drawback: All Internet traffic from all sites goes across the central site. There are a number of benefits associated with the classical design, including the following: It is a well-known setup used worldwide for Internet connectivity from a corporate network. Access to expertise needed to implement such a setup is thus simple and...

Benefits and Limitations of Separate Internet Access

Supports all customer requirements. Allows all Internet services implementation, including a BGP session with the customer. This design model requires a separate physical link or specific WAN encapsulation. PE routers must be able to perform Internet routing (and potentially carry full Internet routing). Wholesale Internet access or central firewall service cannot be implemented with this model. The benefits of a separate Internet access...

Can support all customer requirements, including a BGP session with the customer (accomplished through advanced BGP setup)

Internet access implemented as a separate VPN has the following drawbacks: Full Internet routing cannot be carried inside a VPN; therefore, default routing toward the Internet gateways has to be used, potentially resulting in suboptimal routing. Note: With future MPLS VPN extensions (called recursive VPN, or Carrier's Carrier model), even full Internet routing will be able to be propagated across a VPN. The Internet backbone is positioned...

CE routers run standard OSPF software

Here are the goals that have to be met by the OSPF superbackbone: The superbackbone shall not use standard OSPF-BGP redistribution. OSPF continuity must be provided between OSPF sites, as follows: Internal OSPF routes must remain internal OSPF routes. External OSPF routes must remain external OSPF routes. Non-OSPF routes redistributed into OSPF must appear as external OSPF routes in OSPF. OSPF metrics and metric types (external 1 or external 2) have to be preserved. The OSPF superbackbone shall...

Central Firewall Service Addressing

All customers have to use coordinated addresses, which can also be private. The central firewall provides NAT for all customers. The central firewall, hosted by the service provider, has to use public addresses for the Internet. Private addresses can be used between the central firewall and the individual customers. However, these addresses need to be coordinated between the service provider and the customers to prevent routing conflicts and overlapping...

Central Services VPN

Clients need access to central servers. Servers can communicate with each other. Clients can communicate with all servers, but not with each other. A central services VPN is a topology with the following characteristics: Some sites (server sites) can communicate with all other sites. All the other sites (client sites) can communicate only with the server sites. This topology can be used in the following situations: The service provider...

Central Services VPN and Simple VPN Requirements

Only A-Central and B-Central need access to central servers. This situation results in a combination of rules from overlapping VPN and central services VPN. In this design, some of the customer sites need access to the central server. All other sites just need optimal intra-VPN access. The design is consequently a mixture of simple VPN topology and central services VPN topology.

Central Services VPN and Simple VPN Requirements (Cont.)

For all sites participating in a simple VPN, configure a separate VRF per set of sites participating in the same VPNs per PE router. For sites that are only clients of central servers, create a VRF per site. Create one VRF for central servers per PE router. When integrating a central services VPN with a simple VPN, you need one VRF per VPN for sites that have access to other sites in the customer VPN but no access to the central...

Central Services VPN Data Flow Model

Client VRFs contain server routes: clients can talk to servers. Server VRFs contain client routes: servers can talk to clients. Client VRFs do not contain routes from other clients: clients cannot communicate. Make sure that there is no client-to-client leakage across server sites. In the central services VPN topology, the client VRF contains only routes from the client site and routes from the server sites. This setup precludes the client sites from communicating with other client sites. A server...

Classical Internet Access for a VPN Customer

The VPN customer connects to the Internet only through a central site (or a few central sites). A firewall between the customer VPN and the Internet is deployed only at the central site. Classical Internet access is implemented through a (usually central) firewall that connects the customer network to the Internet in a secure fashion. The private network of the customer (or VPN if the customer is using a VPN service) and the Internet are connected only...

Command Modes

Use this command in global configuration mode. A sham link is used only to affect the OSPF intra-area path...

Conclusion: MPLS VPN must extend the classic OSPF-BGP routing model

With the traditional OSPF-BGP redistribution, the OSPF route type (internal or external route) is not preserved when the OSPF route is redistributed into BGP. When that same route is redistributed back into OSPF, it is always redistributed as an external OSPF route. The following identifies some of the caveats associated with external OSPF routes: External routes cannot be summarized. External routes are flooded across all OSPF areas. External routes could use a different metric type that is not...

Configuration of MP-IBGP sessions

Define a loopback interface that will serve as the BGP next hop for VPNv4 routes and as the source address for the IBGP session. Configure the remote PE router as the global BGP neighbor. Specify the source address for the TCP session. Activate the remote PE router for VPNv4 route exchange. Disable next-hop processing for VPNv4 route exchange. This action guarantees that the loopback 0 interface will always be the BGP next hop for VPNv4 routes propagated by this router to its MP-IBGP neighbors....

Configuring MP-IBGP

This topic describes how to configure MP-IBGP in an MPLS VPN environment.
router bgp as-number
neighbor ip-address remote-as as-number
neighbor ip-address update-source loopback-type interface-number
All MP-BGP neighbors have to be configured under global BGP routing configuration. MP-IBGP sessions have to run between loopback interfaces. This command starts configuration of MP-BGP routing for VPNv4 route exchange. The...

Configuring RDs in a Central Services and Simple VPN

Configure a unique RD for every set of VRFs with unique membership requirements:
- A-Spoke-1 and A-Spoke-2 can share the same RD.
- B-Spoke-1 and B-Spoke-2 can share the same RD.
Configure one RD for all central server VRFs. For this design, you need two RDs per VPN, as follows: one RD for simple VPN sites (the same value should also be used for import and export RTs), and one RD for the central services VRFs.

Configuring Selective VRF Import (Cont.)

A configuration similar to this one could be used to accomplish the following: Deploy advanced MPLS VPN topologies (for example, a managed router services topology). Increase the security of an extranet VPN by allowing only predefined subnetworks to be inserted into a VRF, thus preventing an extranet site from inserting unapproved subnetworks into the extranet. Note: A similar function is usually not needed in an intranet scenario because all customer routers in an intranet are usually under common...

Data MDT: MDT group created on demand for mVPN (S, G) pairs, usually high-bandwidth traffic

VPN-aware multicast technology has introduced a new set of terminology. Multicast VPNs introduce multicast routing information to the VRF table. When a PE router receives multicast data or control packets from a CE router, forwarding is performed according to information in the multicast virtual routing and forwarding instance (MVRF). A set of MVRFs that can send multicast traffic to each other constitutes a multicast domain. For example, the multicast domain for a customer that wanted to send...

Defaults

No import or export lists are associated with a VRF. No route maps are associated with a VRF.

DHCP Relay: Shared DHCP Server

MPLS Implementation

DHCP relay agent adds VPN information at the PE router (cable or DSL headend Layer 2 access). Server assigns address based on option 82 data and replies. Typical network topology for a shared DHCP server involves a bridged access to the remote location via DSL or cable modem...

Disabling IPv4 Route Exchange

This topic describes how to disable IPv4 route exchange in an MPLS VPN environment. The exchange of IPv4 routes between BGP neighbors is enabled by default; every configured neighbor will also receive IPv4 routes. This command disables the default exchange of IPv4 routes; neighbors that need to receive IPv4 routes have to be activated for IPv4 route exchange. Use this command when the same router carries Internet...

Displays labels allocated by an MPLS VPN for routes in the specified VRF

The following three commands can be used to display per-VRF FIB and LFIB structures: The show ip cef vrf command displays the VRF FIB. The show ip cef vrf detail command displays detailed information about a single entry in the VRF FIB. The show mpls forwarding vrf command displays all labels allocated to VPN routes in the specified VRF.

Each interface assignable to only one VRF

The routes received from VRF routing protocol instances or from dedicated VRF routing processes are inserted into the IP routing table contained within the VRF. This IP routing table supports exactly the same set of mechanisms as the standard Cisco IOS software routing table. These mechanisms include filter mechanisms (distribute lists or prefix lists) and interprotocol route selection mechanisms (administrative distances). The per-VRF forwarding table (FIB) is built from the per-VRF routing...

Every customer that needs Internet access is assigned to the same VPN as the Internet gateway

MPLS VPN architecture suggests an obvious solution to Internet access for VPN customers: define the Internet as another VPN and use various MPLS VPN topologies to implement various types of Internet access. Under this design model, the Internet gateways appear as CE routers to the MPLS VPN backbone, and customer Internet access is enabled by combining an Internet VPN with a customer VPN in the VRFs of the customer (overlapping VPN topology). The Internet VPN should not contain the full set of...

Example: AS-Override

In this figure, customer sites A and B use BGP to communicate with the MPLS VPN backbone. Both sites use AS 213. Site B would drop the update sent by site A without the AS-override mechanism.
router bgp 115
 address-family ipv4 vrf Customer_A
  neighbor 10.200.2.1 remote-as 213
  neighbor 10.200.2.1 activate
  neighbor 10.200.2.1 as-override
PE-Site-Y...

Example: BGP Route Propagation (Outbound)

The routes illustrated here are being copied into the MP-BGP table for further propagation to other PE routers. The IP prefixes are prepended with the RD, and the set of RTs (extended BGP communities) configured as export RTs for the VRF is attached to the resulting VPNv4 route. Note: The difference between the per-VRF BGP table and the global MP-BGP table holding VPNv4 routes is displayed only to illustrate the steps in the route propagation process. In reality, there is no separate per-VRF BGP...

Example: Central Services VPN Routing

The figure illustrates the MPLS VPN routing model that is used to implement a central services VPN and is described as follows: Client 1 and client 2 have their own RTs (100:101, 100:102) that they import and export; they also export networks with RT 100:303 and import networks with RT 100:203. Note: Client-specific RTs were introduced to comply with the implementation requirements of Cisco IOS Release 12.0 T, in which each VRF has to have at least one of its export RTs configured as its import...

Example: Configuring a Central Services VPN

The figure shows a fraction of the configuration according to the RD and RT numbering scheme presented in the tables.

Example: Configuring a Default RD for Two VRFs

The following example shows how to configure a default RD for two VRFs. The example illustrates the use of both AS-relative and IP-address-relative RDs:
Router(config)# ip vrf vrf_blue
Router(config-vrf)# rd 100:3
Router(config-vrf)# exit
Router(config)# ip vrf vrf_red
Router(config-vrf)# rd 173.13.0.12:200

Example: Configuring Overlapping VPN VRFs

The figure shows only VRF configuration and does not show VPN routing or Multiprotocol Border Gateway Protocol (MP-BGP) routing between the provider edge (PE) routers.

Example: Configuring per-VRF BGP Routing Context

The figure shows BGP that is activated on the CE router, and the PE router is defined as a BGP neighbor. Similarly, the CE router is defined as a BGP neighbor and activated under the address-family ipv4 vrf Customer_A command.

Example Configuring VRFs

An export route map is used to match one part of the IP address space and attach an additional RT to the routes within this address space (CE router loopback addresses). Note: The routing protocol between PE and CE routers has to be secured (with distribute lists or prefix lists) to prevent customers from announcing routes in the address space dedicated to network management; otherwise, customers can gain two-way connectivity to the network management station....

Example Configuring VRFs in a Central Services and Simple VPN

The example shows a fraction of the configuration according to the RD and RT numbering scheme presented in the tables.

Example: DHCP Relay Configuration

The figure presents an example of a typical DHCP relay configuration. The DHCP server address is configured using the ip helper-address vrf command. The configuration would be placed on the PE router for bridged headend access through DSL or cable modem. If the customer is using other connectivity, place the configuration directly on the CE router. The configuration on the CE router only creates the DHCP packet with VPN ID option 82 information. The actual packet labeling and switching remains...

Example: DHCP Relay, Corporate DHCP Server

In this two-VPN example, a corporate DHCP server and a DHCP client have been added to VPN-A. The client broadcasts a DHCP request to the local relay. The local relay converts the broadcast to a unicast request for the DHCP server and adds the VPN ID. This request is forwarded to the egress PE router based upon the DHCP server address. From the egress PE router, the request is forwarded to the DHCP server. The DHCP server assigns the client an address and replies to the DHCP relay, which in turn...

Example: Disabling IPv4 Route Exchange

In the figure, the default propagation of IPv4 routes is thus disabled. IPv4 route exchange and VPNv4 route exchange is manually activated on a neighbor-by-neighbor basis.

Example Limiting the Total Number of VRF Routes

In this figure, the network designer has decided to limit the number of routes in a VRF to 4, with the warning threshold being set at 75 percent (or 3 routes). When the first two routes are received and inserted into the VRF, the router accepts them. When the third route is received, a warning message is generated, and the message is repeated with the insertion of the fourth route.

Note: The syslog messages are rate-limited to prevent indirect denial-of-service attacks on the ... When the PE router...

Example MPLS VPN Network

The figure illustrates a configuration of the PE router in a sample network with two VPN customers. Customer A (with four sites) is using BGP and RIP as the provider edge-customer edge (PE-CE) routing protocol, and customer B (with two sites) is using only RIP. Both customers use private IP address space (subnetworks of network 10.0.0.0).

Example NAT Implementation with Multiple NAT Pools

The figure presents an example of VPN-aware NAT configuration for two VPNs, A and B. NAT services are being configured on the PE router connected to the shared services. NAT pools are configured with the standard NAT configuration command ip nat pool. Only one NAT pool is required; however, in this example there are two pools, one for each VPN, to allow for easy address administration. The NAT pools are assigned to their respective VPNs using the ip nat inside pool command. NAT services are...

Example Network Address Translation

The figure presents an example of VPN-aware NAT. CE-A1, CE-A2, CE-B1, and CE-B2 are clients in VRF-A and VRF-B. Packets from these clients destined for the shared service are routed to the inside interface of the NAT PE router over their respective VPNs. At the NAT PE router, the address translation process replaces the inside source address with the outside source address from the NAT table and forwards the packet to the shared service.

Example Optimizing of Packet Forwarding

Consider, for example, the network in the figure. This table indicates a typical flow for routing updates.

Process Steps for Routing Update Flow
- The PE router redistributes the OSPF route into MP-BGP.
- The route is propagated to other PE routers as an MP-BGP route.
- The route is also redistributed into other OSPF areas.
- The redistributed OSPF route is propagated across the OSPF area with the down bit set.
- The ingress PE router receives an MP-IBGP route with an administrative distance of 200 and...

Example OSPF Down

OSPF developers took many precautions to avoid routing loops between OSPF areas; for example, intra-area routes are always preferred over interarea routes. These rules do not work when the superbackbone is introduced. Consider, for example, the network in the figure, where the receiving OSPF area has two PE routers attached to it. This table indicates the process steps that could produce a routing loop.

Process Steps in a Routing Loop
- The sending PE router receives an intra-area OSPF route.
- The...

Example OSPF Tag Field

The routing loop in this network occurs as part of the steps outlined in this table.

Process Steps for Routing Loops Across OSPF Domains
- The PE router redistributes a non-OSPF route into an OSPF domain as an external route. The down bit is set because the route should not be redistributed back into MP-BGP.
- A CE router redistributes the OSPF route into another OSPF domain. The down bit is lost if the CE router does not understand this OSPF extension.
- The OSPF...

Example OSPF Tag Field Routing Loop Prevention

This table lists the steps in this process.

Process Steps to Prevent Routing Loops
- A non-OSPF route is redistributed as an external OSPF route by a PE router. The tag field is set to the BGP AS number, and the down bit is set.
- The redistributed route is propagated across the OSPF domain.
- When the route is redistributed into another OSPF domain, the tag field is propagated, but the down bit is cleared.
- Another PE router receives the external OSPF route and...

Example Sample Sham Link Configuration

The PE router also uses the information received from MP-BGP to set the outgoing label stack of incoming packets and to decide to which egress PE router to label-switch the packets. The figure shows a sample MPLS VPN topology in which a sham-link configuration is necessary. A VPN client has two sites connected by a backdoor link. A sham link has been configured between the two PE routers.

Example Sham Link

The figure illustrates the backdoor paths between VPN sites. If these sites belong to the same OSPF area, the path over a backdoor link will always be selected because OSPF prefers intra-area paths to interarea paths. (PE routers advertise OSPF routes learned over the VPN backbone as interarea paths.) For this reason, OSPF backdoor links between VPN sites must be taken into account so that routing is performed based on policy. Because each site runs OSPF within the same Area 1 configuration,...

Export map

To apply a route map to filter and modify exported routes, use the export map command in VRF configuration mode. To remove the route map from the VRF, use the no form of this command. This table describes the parameters for the export map command. Specifies the name of the route map to be used.

Fast Switching and IP Multicast

Fast switching of IP multicast packets is enabled by default on all interfaces, including GRE and Distance Vector Multicast Routing Protocol (DVMRP) tunnels, with one exception: it is disabled and not supported over X.25 encapsulated interfaces. Note the following properties of fast switching: If fast switching is disabled on an incoming interface for a multicast routing table entry, the packet is sent at the process level for all interfaces in the outgoing interface list. If fast switching is...

For other routing protocols the SOO attribute can be applied to routes learned through a particular VRF interface

Here are the two ways to set the SOO attribute on a BGP route:
- For routes received from BGP-speaking CE routers, the SOO attribute is configured by the incoming route map on the PE router.
- For all other routes, a route map setting the SOO attribute is applied to the incoming interface. The SOO attribute, as set by the route map, is attached to the BGP route when an IGP route received through that interface is redistributed into BGP.

Outgoing filters based on the SOO attribute also depend on the...

Here A-Central talks to B-Central

When two VPN customers want to share some information, they may decide to interconnect their central sites. To achieve this, two simple VPNs are created, each containing a customer central site and its remote sites. Then a third VPN, which partially overlaps with the customer VPNs but connects only their central sites, is created. The central sites can talk to each other. The central sites can also talk to the remote sites in their...

High Bandwidth BGP Backbone

The implementation results in optimum packet flow.

Independent per-instance router variables for each instance

Routing contexts were introduced in Cisco IOS software to support the need for separate isolated copies of VPN routing protocols. Routing contexts can be implemented as separate routing processes (OSPF), similar to traditional Cisco IOS software implementation, or as separate isolated instances of the same routing protocol. If the routing contexts are implemented as instances of the same routing protocol, each instance contains its own independent routing protocol parameters. Examples would...

Internet access as a separate VPN

Network designers who want to offer Internet access and MPLS VPN services in the same MPLS backbone can choose between these two major design models:
- Internet routing that is implemented through global routing on the provider edge (PE) routers
- Internet routing that is implemented as yet another VPN in the ISP network

Internet Access from Every Customer Site

Customers want to gain access to the Internet directly from every site.
- There is optimum traffic flow to and from Internet sites.
- Each site has to be secured against unauthorized Internet access.
- It is easier to achieve in extranet scenarios, because every site is already secured against other sites.

To bypass the limitations of Internet access...

Internet access is implemented via separate interfaces that are not placed in any VRF (traditional Internet access setup)

Implementing Internet access through global routing is identical to building an IP backbone offering Internet services. IP version 4 (IPv4) Border Gateway Protocol (BGP) is deployed between the PE routers to exchange Internet routes, and the global routing table on the PE routers is used to forward the traffic toward Internet destinations. VPN customers can reach the global routing table by this method: the customers can use a separate logical link for Internet access. This method is equivalent...

Internet Access Through a Central Firewall Service

An Internet access VPN is implemented as a central services VPN, resulting in no connectivity between customers. Connectivity between the central firewall and the Internet is implemented in the same way as for classical Internet access customers. The central managed firewall service should be implemented with the central...

Internet Access Through a Dedicated Subinterface Traffic Flow

The Internet traffic flow in this setup is identical to the traditional Internet traffic flow: when a packet is received from the CE router through the Internet subinterface, a lookup is performed in the global Forwarding Information Base (FIB) on the PE router, and the packet is forwarded toward the BGP next hop.

Internet Access Through Central Firewall Service

MPLS Implementation

Some customers want a service-provider-managed firewall to the Internet. Using a central firewall is the most cost-effective way to provide this service. For customers who do not want the complexity of managing their own firewall, a managed firewall service offered by the service provider is a welcome relief. These customers typically want the service provider to take care of the security issues of their connection to the Internet. The service provider can...

ip route vrf

To establish static routes for a VRF, use the ip route vrf command in global configuration mode. To disable static routes, use the no form of this command.

    ip route vrf vrf-name prefix mask [next-hop-address] [interface interface-number] [global] [distance] [permanent] [tag tag]
    no ip route vrf vrf-name prefix mask [next-hop-address] [interface interface-number] [global] [distance] [permanent] [tag tag]

ip vrf sitemap

To set the SOO extended community attribute, use the ip vrf sitemap command in interface configuration mode. To delete the entry, use the no form of this command.

    ip vrf sitemap route-map-name
    no ip vrf sitemap route-map-name

This table describes the parameters for the ip vrf sitemap command.

Syntax Description
- route-map-name: Sets the name of the route map to be used.

Is the CEF entry correct on the ingress PE router?

Display the CEF entry with the show ip cef vrf vrf-name ip-prefix length detail command. Verify the label stack in the CEF entry. If CEF switching is enabled on the ingress interface, you can verify the validity of the CEF entry and the associated label stack with the show ip cef vrf vrf-name ip-prefix detail command. The top label in the stack should correspond to the BGP next-hop label as displayed by the show tag forwarding...

Is the LFIB entry on the egress PE router correct?

After you have verified proper route exchange, start MPLS VPN data flow troubleshooting using the checks listed in the next figures.

It can limit the total number of routes in a VRF

MPLS VPN architecture achieves a tight coupling between the customer and the service provider network, resulting in a number of advantages. The tight coupling might also result in a few disadvantages, because the service provider network is exposed to design and configuration errors in customer networks, and a number of new denial-of-service attacks based on routing protocol behavior. To limit the effect of configuration errors and...

Limiting the Total Number of VRF Routes (Cont.)

    maximum routes limit {warn-threshold | warn-only}

This command configures the maximum number of routes accepted into a VRF.
- The limit parameter is the route limit for the VRF.
- The warn-threshold parameter is the percentage value over which a warning message is sent to syslog.
- With the warn-only parameter, the PE continues accepting routes after the configured limit.

Syslog messages generated by this command are rate-limited.

LSA flooding occurs across the sham link

If the backdoor links between sites are used only for backup purposes and do not participate in the VPN service, the default route selection shown in the preceding figure is not acceptable. To reestablish the desired path selection over the MPLS VPN backbone, you must create an additional OSPF intra-area (logical) link between ingress and egress VRFs on the relevant PE routers. This link is called a sham link. A sham link is required between any two VPN sites that belong to the same OSPF area...

Managed CE Routers

Central server (NMS) needs access to loopback addresses of all CE routers. Very similar to central services and simple VPN:
- All of the CE routers participate in the central services VPN.
- Only the loopback addresses of the CE routers need to be exported into the central services VPN.

If the service provider is managing the customer routers, it is convenient to have a central point that has access to all CE routers but does not have access to the...

Managed Services Overview

In modern networks, many end users have a need to connect to common services, such as email, DHCP servers, and so on. Typically, these services have been provided by individual enterprises as part of their network. Cisco MPLS for Managed Shared Services is a set of features delivered in Cisco IOS software for enabling managed shared services for MPLS VPNs. Building on leading Cisco MPLS capabilities, service providers now...

Maximum design flexibility: Internet access totally independent from MPLS VPNs

Internet access can always be implemented with the traditional implementation model, with two links between the customer site or sites and the service provider network: a VPN link and an Internet link. The two links can be implemented with one physical link if you use a Layer 2 encapsulation that supports subinterfaces (Frame Relay, ATM, or a VLAN). The traditional Internet access implementation model provides maximum design flexibility, because the Internet access is completely separated from...

maximum routes

To limit the maximum number of routes in a VRF to prevent a PE router from importing too many routes, use the maximum routes command in VRF configuration submode. To remove the limit on the maximum number of routes allowed, use the no form of this command.

    maximum routes limit {warn-threshold | warn-only}

This table describes the parameters for the maximum routes command.
- limit: Specifies the maximum number of routes allowed in a VRF. You may select from 1 to 4,294,967,295 routes to be allowed in a VRF....

Module Objectives

Upon completing this module, you will be able to configure, monitor, and troubleshoot VPN operations. This ability includes being able to meet these objectives:
- Describe the usage of VRF tables in an MPLS VPN environment
- Configure MP-BGP sessions between PE routers
- Configure small-scale routing protocols (static, RIP, and EIGRP) between CE and PE routers
- Monitor MPLS VPN operations
- Configure OSPF as the routing protocol between CE and PE routers
- Configure BGP as the routing protocol between CE...

Module Self-Check

Use the questions here to review what you learned in this module. The correct answers and solutions are found in the Module Self-Check Answer Key.

Q1) In an MPLS VPN implementation, what is a VRF? (Source: Using MPLS VPN)
A) the routing and forwarding instance for all sites belonging to a single customer
B) the routing and forwarding instance for all sites belonging to a single customer location
C) the routing and forwarding instance for all sites using a common routing protocol
D) the routing and...

Module Summary

The VRF table is a virtual routing and forwarding instance separating sites with the same connectivity requirements. Configuring VRF tables requires defining the VRF name, RD, and import and export RTs. MP-BGP configuration must define the neighbors, address family for VPNv4 routing, and finally activate the neighbors. RIPv2 and EIGRP routing for PE to CE requires use of the address-family ipv4 command to define the routing context. Redistribution is also required between IGP and BGP.

Module Summary (Cont.)

Monitoring MPLS VPN operations includes monitoring MP-BGP neighbor status, VRF routing process, and CEF and LFIB status. The MPLS VPN routing model implements MP-BGP as the superbackbone for OSPF. PE to CE OSPF routing is defined as a new routing process via the VRF name. The MPLS VPN routing model implements BGP routing between PE and CE as BGP instances using the command address-family ipv4. MPLS VPN troubleshooting uses a systematic process starting at the ingress PE router and moving to...

Monitoring an MP-BGP VPNv4 Table

This topic describes how to monitor an MP-BGP VPNv4 table.

- Displays only BGP parameters (routes or neighbors) associated with the specified VRF. Any BGP show command can be used with these parameters.
- show ip bgp vpnv4 rd route-distinguisher: Displays only BGP parameters (routes or neighbors) associated with the specified RD.

The show ip bgp vpnv4 command displays IPv4 BGP information and VPNv4 BGP information. To display VPNv4 BGP information, use...

Monitoring Labels Associated with VPNv4 Routes

This topic describes how to monitor labels associated with VPNv4 routes.

    show ip bgp vpnv4 {all | rd value | vrf vrf-name} tags

Displays labels associated with VPNv4 routes. Sample output:

    Network          Next Hop      In tag/Out tag
    Route Distinguisher: 100:1 (vrf1)
       2.0.0.0          10.20.0.60    34/notag
       10.0.0.0         10.20.0.60    35/notag
       12.0.0.0         10.20.0.60    26/notag
                        10.20.0.60    26/notag
       13.0.0.0         10.15.0.15    notag/26

You can use the show ip bgp vpnv4 tags...

Monitoring MP-BGP Sessions

This topic describes how to monitor MP-BGP sessions. This command displays global BGP neighbors and the protocols negotiated with these neighbors. The show ip bgp neighbors command is described in detail in Cisco IOS documentation. This command is used to monitor BGP sessions with other PE routers and the address families negotiated with these neighbors.

Monitoring MP-BGP Sessions: show ip bgp neighbors
