A different method is needed in which a set of identifiers can be attached to a route

All rights reserved. MPLS v2.0-4-31. The RD (again, a single entity prepended to an IPv4 route) cannot indicate that a site participates in more than one VPN. A method is needed in which a set of VPN identifiers can be attached to a route to indicate its membership in several VPNs. RTs were introduced into the MPLS VPN architecture to support this requirement. Route Targets (Cont.): What Are They?

A label can be removed one hop earlier

The figure illustrates how labels are propagated and used in a typical frame-mode MPLS network. The check marks show which tables are used on individual routers. The egress router in this example must do a lookup in the LFIB table to determine whether the label must be removed and if a further lookup in the FIB table is required. PHP removes the requirement for a double lookup to be performed on egress LSRs.

A label is removed on the router before the last hop within an MPLS domain

The figure illustrates how a predefined label pop, which corresponds to the pop action in the LFIB, is propagated on the first hop or the last hop, depending on the perspective. The term pop means to remove the top label in the MPLS label stack instead of swapping it with the next-hop label. The last router before the egress router therefore removes the top label. PHP slightly optimizes MPLS performance by eliminating one LFIB lookup.

A route is installed in the site VRF that matches the RT attribute

VPNv4 routes are installed into VRFs on the receiving PE router: the incoming VPNv4 route is imported into the VRF only if at least one RT attached to the route matches at least one import RT configured in the VRF. The SOO attribute attached to the VPNv4 route controls the IPv4 route propagation to the CE routers. A route inserted into a VRF is not propagated to a CE router if the SOO attached to the route is equal to the SOO attribute...

A route that is matched by the export route map will have additional RTs attached

To apply a route map in order to filter and modify exported routes, use the export map command in VRF configuration mode. To remove the route map from the VRF, use the no form of this command: no export map route-map. route-map: Specifies the name of the route map to be used. The example here mirrors the earlier example in this lesson. This time the configuration is implemented with an export...

A router requests a label for every destination in the routing table with the next hop reachable over an LC-ATM interface

In the example here, a request is sent from router A to the ATM switch C. Because the ATM switch cannot perform IP lookups, the switch is not allowed to reply with the local label unless it already has the next-hop label. If switch C does not have the next-hop label, it must forward the request to the next downstream neighbor, ATM switch D. If switch D does not have the next-hop label, it must forward the request to the next downstream neighbor....

Access VPN (VPDN) provides dialup access into a customer network

Another very popular VPN category classifies VPNs based on the business needs that they fulfill. Intranet VPN: Intranet VPNs connect sites within an organization. Security mechanisms are usually not deployed in an intranet, because all sites belong to the same organization. Extranet VPN: Extranet VPNs connect different organizations. Extranets usually rely on security mechanisms to ensure the protection of participating individual...

After this operation the provider AS number is prepended to the AS path

The modified AS path update procedure is called AS-override and is extremely simple: the procedure is used only if the first AS number in the AS path is equal to the AS number of the receiving BGP router. In this case, all leading occurrences of the AS number of the receiving BGP router are replaced with the AS number of the sending BGP router. Occurrences further down the AS path of the AS number of the receiving router are not...

Aggregation should not be used where end-to-end LSPs are required (MPLS VPN)

When cell-mode MPLS is used, ATM switches are IP-aware: they run an IP routing protocol, and LDP or TDP, and are generally seen as IP routers. In reality, however, ATM switches are capable of forwarding only cells, not IP packets. Aggregation (or summarization) should not be used on ATM LSRs because it breaks LSPs in two, which means that ATM switches would have to perform Layer 3 lookups. Aggregation should also not be used where an...

All Internet traffic from all sites goes across the central site

There are a number of benefits associated with the classical design: it is a well-known setup used worldwide for Internet connectivity from a corporate network. Access to expertise needed to implement such a setup is thus simple and straightforward. There is only one interconnection point between the secure customer network and the Internet. Security of the Internet access needs to be managed only at this central point. The major...

All loopback interfaces are in one contiguous address block, 192.168.254.0/24

The example here describes where conditional label advertising can be used. The existing network still performs normal IP routing, but the MPLS LSP tunnel between the loopback interfaces of the LSR routers is needed to enable MPLS Virtual Private Network (VPN) functionality. Using one contiguous block of IP addresses for loopbacks on provider edge (PE) routers can simplify the configuration of conditional advertising.

All non-BGP per-VRF routes have to be redistributed into the per-VRF BGP context to be propagated by MP-BGP to other PE routers

Select the VRF routing context with the address-family ipv4 vrf vrf-name command in the RIP and BGP routing processes. All per-VRF routing protocol parameters (network numbers, passive interfaces, neighbors, filters, and so on) are configured under this address family. Note: Common parameters defined in router configuration mode are inherited by all address families defined for this routing process and can be overridden for each individual...

Allocating a Label

Figure: Routing Table of A, Routing Table of C, Routing Table of D. The egress ATM edge LSR allocates a label and replies to the request. An ATM LSR can allocate an incoming label only after it has received the downstream label; it then replies with the allocated label to the incoming request....

Allocating a Label: Allocation Requests (Additional LSRs)

Figure: Routing Table of A, Routing Table of C, Routing Table of D. Each upstream LSR will request from the ATM LSR a label for the destination. The ATM LSR could reuse an already allocated downstream label for the... The figure shows how another...

Allowas-in: The Issue

Not a usual setup: traffic between VPNs should not flow over the customer site. Sometimes used for enhanced security. In some security-conscious implementations, customer VPNs are linked by a customer router that performs security functions such as access filtering or access logging. Note: This setup is not usual because it deviates from the basic goal of MPLS VPN replacing the hub-and-spoke routing of a traditional...

Alternatively, only internal OSPF routes can be redistributed into MP-BGP on the PE routers

The OSPF tag field is present only in the external OSPF routes (type 5 LSA or type 7 LSA). This technique, therefore, cannot detect cross-domain loops involving internal OSPF routes. There are two manual methods that you can use to overcome this OSPF limitation: You can set the tag field manually on the router redistributing routes between OSPF domains, using the redistribute ospf source-process-id tag value command. The PE router can be...

An ICMP time-to-live exceeded message is sent to the source from router A

The first traceroute packet (ICMP or User Datagram Protocol [UDP]) that reaches the MPLS network is dropped on the first router (A), and an ICMP reply is sent to the source. This action results in an identification of router A by the traceroute application. Traceroute with Disabled TTL Propagation (Cont.)

An ICMP time-to-live exceeded message is sent to the source from router D

The traceroute application increases the initial TTL for every packet that it sends. The second packet, therefore, would be able to reach one hop farther (router B in the example). However, the TTL value is not copied into the TTL field of the label. Instead, router A sets the TTL field of the label to 255. Router B decreases the TTL of the label, and router C removes the label without copying it back into the IP TTL. Router D then decreases the...

An LSP can take a different path from the one chosen by an IP routing protocol (MPLS Traffic Engineering)

An LSP is a sequence of LSRs that forward labeled packets for a particular FEC. Each LSR swaps the top label in a packet traversing the LSP. An LSP is similar to Frame Relay or ATM virtual circuits. In cell-mode MPLS, an LSP is a virtual circuit. In MPLS unicast IP forwarding, the FECs are determined by destination networks found in the main routing table. Therefore, an LSP is created for each entry found in the main routing table....

Any number of RTs can be attached to a single route

RTs are attributes that are attached to a VPNv4 BGP route to indicate its VPN membership. The extended BGP communities attribute of a routing update carries the RT of that update, thus identifying which VPN the update belongs to. As with standard BGP communities, a set of extended communities can be attached to a single BGP route, satisfying the requirements of complex VPN topologies. Extended BGP communities are 64-bit values. The...

Any other BGP attribute (for example, AS path, local preference, MED, standard community)

An MP-BGP update exchange between PE routers contains the following: Extended BGP communities (RTs required; Site of Origin, or SOO, optional). Label used for VPN packet forwarding (the MPLS VPN Packet Forwarding lesson follows this lesson and explains how the label is used). Mandatory BGP attributes (for example, AS path). Optionally, the MP-BGP update can contain any other BGP attribute, for example, local preference, multi-exit...

Are CE routes received by PE?

Verify with show ip route vrf vrf-name on PE-1. Perform traditional routing protocol troubleshooting if needed. Routing information flow troubleshooting requires the verification of end-to-end routing information propagation between CE routers. The first step is to check the routing information exchange from CE routers to PE routers. Use the show ip route vrf vrf-name command to verify that the PE router receives customer routes from the...

Are large labeled packets propagated across the MPLS backbone (maximum transmission unit issues)?

Before you start in-depth MPLS VPN troubleshooting, you should ask the following standard MPLS troubleshooting questions: Is CEF enabled on all routers in the transit path between the PE routers? Are labels for BGP next hops generated and propagated? Are there any maximum transmission unit (MTU) issues in the transit path (for example, LAN switches not supporting a jumbo Ethernet frame)? MPLS VPN troubleshooting consists of two major steps...

Are VPNv4 routes inserted into VRFs on PE-2?

Troubleshoot with show ip bgp ip-prefix and show ip vrf detail. Perform additional BGP troubleshooting if needed. The VPNv4 routes received by the PE router have to be inserted into the proper VRF. This insertion can be verified with the show ip route vrf command. Common configuration mistakes in this step include the following: The wrong import RTs are configured in the VRF. The route map configured as...

Are VPNv4 routes propagated to other CE routers?

Verify with show ip route on CE Spoke. Alternatively, does CE Spoke have a default route toward PE-2? Perform traditional routing protocol troubleshooting if needed. Last but not least, the routes redistributed into the PE-CE routing protocol have to be propagated to CE routers. You may also configure the CE routers with a default route toward the PE routers (see note). Use standard routing protocol troubleshooting techniques in this...

Are VPNv4 routes propagated to other PE routers?

Verify with show ip bgp vpnv4 all ip-prefix/length. Troubleshoot PE-to-PE connectivity with traditional BGP troubleshooting tools. The CE routes redistributed into MP-BGP need to be propagated to other PE routers. Verify proper route propagation with the show ip bgp vpnv4 all ip-prefix command on the remote PE router. Note: Routes sent by the originating PE router might not be received by a remote PE router because of automatic RT-based...

Areas could correspond to individual sites from the MPLS VPN perspective

The Open Shortest Path First (OSPF) routing protocol was designed to support hierarchical networks with a central backbone. The network running OSPF is divided into areas. All areas have to be directly connected to the backbone area (Area 0). The whole OSPF network (backbone area and any other areas connected to it) is called the OSPF domain. The OSPF areas in the customer network could correspond to individual sites, but there are also other...

As each virtual routing table requires a distinct RD value, the number of RDs in the MPLS VPN network increases

A single virtual routing table can be used only for sites with identical connectivity requirements. Complex VPN topologies, therefore, require more than one virtual routing table per VPN. Note: If sites with different requirements are associated with the same virtual routing table, some of them might be able to access destinations that should not be accessible to them. Because each virtual routing table requires a distinctive RD, the...

AS path-based BGP loop prevention is bypassed with the AS-override and allowas-in features

Most aspects of BGP loop prevention are bypassed when either the AS-override or the allowas-in feature is used. The routing information loops can still be detected by manually counting occurrences of an AS number in the AS path in an end-to-end BGP routing scenario, then ensuring that the number field in the neighbor allowas-in command is set low enough to prevent loops. This ability to still detect loops can present a particular problem when BGP is...

Assigning an Interface to a VRF Table

This topic identifies the command syntax required to assign an interface to a VRF table.
* Associates an interface with the specified VRF.
* The existing IP address is removed from the interface when the interface is put into a VRF; the IP address must be reconfigured.
* CEF switching must be enabled on the interface.

ATM Virtual Path Usages (Cont.): Example

To enable cell-mode MPLS across a virtual path, the control virtual circuit should use the VPI of the virtual path. A router or a switch will then establish an adjacency with a router or a switch on the other end of the virtual path. It is mandatory that the same VPI be used on both ends of the path because the VPI value is part of the LDP virtual path range negotiation. - Router to router (not...

Basic MPLS Concepts (Cont.): Example

Only edge routers must perform a routing lookup. Core routers switch packets based on simple label lookups and swap labels. The figure illustrates a situation where the intermediary router does not have to perform a time-consuming routing lookup. Instead, this router simply swaps a label with another label (25 is replaced by 23) and forwards the packet based on the received label (23). In larger networks, the result of MPLS labeling is that only...

Benefits and Drawbacks of VC Merge

The merging ATM LSR can reuse the same downstream label for multiple upstream LSRs. Buffering requirements increase on the ATM LSR. Jitter and delay across the ATM network increase. The ATM network is effectively transformed into a frame-mode MPLS network. The major benefit of VC merge is that it minimizes the number of labels (VPI/VCI values) needed in the ATM part of the network. As identified in the first topic in this lesson,...

BGP Route Propagation: Outbound (Cont.)

The route distinguisher is prepended during route export to the BGP routes from the VRF instance of the BGP process to convert them into VPNv4 prefixes. Route targets are attached to these prefixes. VPNv4 prefixes are propagated to other PE routers.

Bottom-of-stack bit and TTL (equal to the TTL in the IP header)

A label contains these fields: CoS bits, used to define a class of service (CoS) (IP precedence). Bottom-of-stack bit: MPLS allows multiple labels to be inserted, and this bit determines whether this label is the last label in the packet; if the bit is set (1), it indicates that this is the last label. TTL: has the same purpose as the TTL field in the IP header.

Both TCP and UDP use the well-known LDP port number 646 (711 for TDP)

LDP is a standard protocol used to exchange labels between adjacent routers. Tag Distribution Protocol (TDP) is a Cisco proprietary protocol that has the same functionality as LDP. Although the remainder of this lesson will focus on LDP, it should be noted that TDP, as the predecessor of LDP, works in a similar fashion. LDP periodically sends hello messages. The hello messages use UDP packets with a multicast destination address of 224.0.0.2 (all routers on a...

Break and lunchroom locations

The instructor will discuss the administrative issues noted here so you know exactly what to expect from the class: starting and anticipated ending times of each class day; class breaks and lunch facilities; appropriate attire during class; materials you can expect to receive during class; what to do in the event of an emergency; how to send and receive telephone and fax messages. This topic covers the suggested flow of the course materials. This topic...

Cell Interleave Issues (Cont.): Additional Label Allocation

Figure: Routing Table at A, Routing Table at C, Routing Table at D, Routing Table of B. The ATM LSR requests a new label from downstream LSRs for every upstream request. The egress router has to use a unique label for every ATM ingress router for every destination. The figure illustrates the first option, where an additional LSP tunnel is created for the...

Central Firewall Service Addressing

All customers have to use coordinated addresses, which can also be private. The central firewall provides NAT for all customers. The central firewall, hosted by the service provider, has to use public addresses toward the Internet. Private addresses can be used between the central firewall and the individual customers. However, these addresses need to be coordinated between the service provider and the customers to prevent routing conflicts and...

Central Services Extranet

The figure shows a central services extranet implementing international Voice over IP (VoIP) service. Every customer of this service can access voice gateways in various countries but cannot access other customers using the same service. Hybrid (Overlay + Peer-to-Peer) Implementation: The network diagram shows an interesting scenario where peer-to-peer...

Central Services VPN Data Flow Model

This topic describes the data flow within a central services VPN. Client VRFs contain server routes: clients can talk to servers. Server VRFs contain client routes: servers can talk to clients. Client VRFs do not contain routes from other clients: clients cannot communicate. Make sure there is no client-to-client leakage across server sites....

Central Services VPN Routing

This topic describes the routing characteristics of a central services VPN. Client routes need to be exported to the server site. Server routes need to be exported to client and server sites. No routes are exchanged between client sites. The figure illustrates the MPLS VPN routing model that is used to implement a central...

Check BGP connectivity with the show ip bgp summary command on the CE routers: CEpop#sh ip bgp sum

BGP router identifier 10.1.pop.49, local AS number 650pop
BGP table version is 10, main routing table version 10
9 network entries and 9 paths using 1197 bytes of memory
2 BGP path attribute entries using 120 bytes of memory
1 BGP AS-PATH entries using 24 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP activity 9/30 prefixes, 9/0 paths, scan interval 60 secs
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ...

Classical Internet Access for a VPN Customer

A separate link for Internet access is a perfect match for this customer type. The classical Internet access setup for a VPN customer is based on a separated Internet access design model. This design model is thus a perfect match for customers looking for classical Internet access service.

Clients can communicate with all servers but not with each other

A central services VPN is a topology with the following characteristics: Some sites (server sites) can communicate with all other sites. All the other sites (client sites) can communicate only with the server sites. This topology can be used in the following situations: The service provider offers services to all customers by allowing them access to a common VPN. Two (or more) companies want to exchange information by sharing a common set of servers....

Command List

The commands used in this exercise are described in the table here. access-list access-list-number {permit | deny} type-code wild-mask [address mask] / no access-list access-list-number {permit | deny} type-code wild-mask [address mask]: To configure the access list mechanism for filtering frames by protocol type or vendor code, use the access-list global configuration command. To remove the single specified entry from the access list, use the no form of this command. To enable Cisco Express Forwarding (CEF)...

Complex VPN topologies are supported by multiple virtual routing tables on the PE routers

With the introduction of complex VPN topologies, the definition of a VPN has needed to be changed. A VPN is simply a collection of sites sharing common routing information. In traditional switched WAN terms (for example, in X.25 terminology), such a concept would be called a closed user group (CUG). In the classic VPN, all sites connected to a VPN shared a common routing view. In complex VPNs, however, a site can be part of more than one VPN. This results in differing routing requirements for...

Conclusion: MPLS VPN must extend the classic OSPF-BGP routing model

With the traditional OSPF-BGP redistribution, the OSPF route type (internal or external route) is not preserved when the OSPF route is redistributed into BGP. When that same route is redistributed back into OSPF, it is always redistributed as an external OSPF route. There are a number of caveats associated with external OSPF routes: External routes cannot be summarized. External routes are flooded across all OSPF areas. External routes...

Configuration of MP-IBGP sessions

Define a loopback interface that will serve as the BGP next hop for VPNv4 routes and as the source address for the IBGP session. Configure the remote PE router as the global BGP neighbor. Specify the source address for the TCP session. Activate the remote PE router for VPNv4 route exchange. Disable next-hop processing for VPNv4 route exchange. This action guarantees that the loopback 0 interface will always be the BGP next hop for VPNv4 routes propagated by this router to its MP-IBGP neighbors....

Configuration steps on CEwg2A

CEwg2A(config)# int s0/0.113 point-to-point
CEwg2A(config-subif)# ip address 150.wg.y.49 255.255.255.240
CEwg2A(config-subif)# frame-relay interface-dlci 113
CEwg2A(config-fr-dlci)# no shut
CEwg2A(config)# router bgp 650wg1
CEwg2A(config-router)# nei 150.wg.wg1.50 remote-as 65001
Configuration steps on PEwg1
PEwg1(config)# interface s0/0.113 point-to-point
PEwg1(config-subif)# ip vrf forwarding Customer_A
PEwg1(config-subif)# ip address 150.wg.y.50 255.255.255.240
PEwg1(config-subif)# frame-relay...

Configuration steps on CEwg2B router

CEwg2B(config-router)# no passive-interface Serial0/0.114
CEwg2B(config-router)# no network 150.wg.0.0 0.0.255.255 area 0
CEwg2B(config-router)# router bgp 650wg2
CEwg2B(config-router)# no net 0.0.0.0
CEwg2B(config-router)# nei 150.wg.wg2.65 remote 65001
CEwg2B(config-router)# no ip route 0.0.0.0 0.0.0.0 Serial0/0.114
Configuration steps on PEwg2 routers
PEwg2(config)# no ip route 10.2.wg1.0 255.255.255.0 150.wg.wg2.66
PEwg2(config)# no ip route 10.2.wg2.0 255.255.255.0 150.wg.wg2.66...

Configuration steps on CEwg1B

CEwg1B(config)# int s0/0.113 point-to-point
CEwg1B(config-subif)# ip address 150.wg.x.49 255.255.255.240
CEwg1B(config-subif)# frame-relay interface-dlci 113
CEwg1B(config-fr-dlci)# no shut
CEwg1B(config)# router bgp 6500wg
CEwg1B(config-router)# nei 150.wg.wg2.50 remote-as 65001
Configuration steps on PEwg2
PEwg2(config)# interface s0/0.113 point-to-point
PEwg2(config-subif)# ip vrf forwarding Customer_B
PEwg2(config-subif)# ip address 150.wg.pop.50 255.255.255.240
PEwg2(config-subif)# frame-relay...

Configuration steps on PE routers

PEpop(config)# int s0/0.114 point-to-point
PEpop(config-subif)# ip add 150.wg.pop.65 255.255.255.240
PEpop(config-subif)# frame-relay interface-dlci 114
PEpop(config-subif)# ip router isis
PEpop(config-subif)# router isis s0/0.114
Task 2: Establishing Routing Between the Customer and the Internet
Configuration steps on PEwg1 routers
PEwg1(config)# ip route 10.1.wg1.0 255.255.255.0 150.wg.wg1.66
PEwg1(config)# ip route 10.1.wg2.0 255.255.255.0 150.wg.wg1.66
PEwg1(config)# router bgp 65001
PE...

Configuration steps on PEwg2

Note: Depending on which router has issued the no router eigrp command, you will see the following messages:
*Mar 6 14:59:15.110: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 192.168.wg.65 (Serial0/0.111) is down: interface down
*Mar 6 14:59:15.110: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 192.168.wg.113 (Serial0/0.112) is down: interface down
PEwg2(config-router)# net 49.0001.0000.0000.01wg2.00
PEwg2(config-router)# is level-2-only
PEwg2(config-router)# metric-style wide
PEwg2(config)# int s0/0.111
PEwg2(config-subif)# ip router...

Configuration steps on PEwg1

PEwg1(config)# no tag-switching ip propagate-ttl
Configuration steps on Pwg1
Pwg1(config)# no tag-switching ip propagate-ttl
Configuration steps on Pwg2
Pwg2(config)# no tag-switching ip propagate-ttl
Configuration steps on PEwg2
PEwg2(config)# no tag-switching ip propagate-ttl
Task 3: Configuring Conditional Label Distribution
Note: There are different ways to construct an access list to accomplish the desired result. This is one way. The key, however, is to meet the task objective.

Configuration steps on PEwg1 for Customer A

PEwg1(config)# ip vrf Customer_A
PEwg1(config-vrf)# export map NMS_Cus_A
PEwg1(config-vrf)# route-target import 101:500
PEwg1(config)# ip vrf A_Central
PEwg1(config-vrf)# export map NMS_Cus_A
PEwg1(config-vrf)# route-target import 101:500
PEwg1(config)# route-map NMS_Cus_A permit 10
PEwg1(config-route-map)# match ip address access-list 10
PEwg1(config-route-map)# set extcommunity rt 101:501 add
PEwg1(config)# access-list 10 permit host 10.1.41.49
PEwg1(config)# access-list 10 permit host 10.1.42.49

Configuration steps on PEwg1 for Customer B

PEwg1(config)# ip vrf Customer_B
PEwg1(config-vrf)# export map NMS_Cus_B
PEwg1(config-vrf)# route-target import 101:500
PEwg1(config)# route-map NMS_Cus_B permit 10
PEwg1(config-route-map)# match ip address 20
PEwg1(config-route-map)# set extcommunity rt 101:501 add
PEwg1(config)# access-list 20 permit host 10.2.41.49
PEwg1(config)# access-list 20 permit host 10.2.42.49
Configuration steps on PEwg2 for Customer B
PEwg2(config)# ip vrf Customer_B
PEwg2(config-vrf)# export map NMS_Cus_B
PEwg2(config-vrf)#...

Configuration steps on PEwg1 routers

PEwg1(config)# no ip route 10.1.wg1.0 255.255.255.0 150.wg.wg1.66
PEwg1(config)# no ip route 10.1.wg2.0 255.255.255.0 150.wg.wg1.66
PEwg1(config-router)# nei 150.wg.wg1.66 remote 650wg1
Configuration steps on CEwg2A router
CEwg2A(config-router)# nei 150.wg.wg2.129 remote 65001
Configuration steps on PEwg2 routers
PEwg2(config-router)# nei 150.wg.wg2.130 remote 650wg1
Team B

Configuration Tasks for MPLS on LC-ATM Interfaces

This topic lists the configuration tasks for configuring MPLS on LC-ATM interfaces. Configuration tasks on Catalyst 8510 and Catalyst 8540 ATM switches: Configure MPLS on the ATM interface. Configure additional LC-ATM parameters. Configuration of cell-mode MPLS differs from configuration of frame-mode MPLS. An...

Configure redistribution of OSPF into MP-BGP

To configure OSPF as a PE-CE routing protocol, you need to start a separate OSPF process for each VRF in which you want to run OSPF. The per-VRF OSPF process is configured in the same way as a standard OSPF process. You can use all OSPF features available in Cisco IOS software. You need to redistribute OSPF routes into BGP and redistribute BGP routes into OSPF if necessary. Alternatively, you can originate a default route into a per-VRF OSPF process by using the default-information originate...

Configuring Additional LC-ATM Parameters (Cont.)

The example shows how to change the default VPI range from 1-1 to 5-6. The control virtual circuit can also use the VPI value used for LVCs. In this example, the control virtual circuit is using VPI 5 and VCI 32. Note that the values must match on each neighbor.

Configuring an LC-ATM Interface on a Catalyst ATM Switch

- Enables LC-ATM control on an ATM interface.
- The default control VC is 0/32; label allocation uses VPI 1.

Use these commands to enable MPLS on an interface of a Catalyst ATM switch. Cell-mode MPLS is implied. Enabling both label distribution protocols can be useful in a mixed environment, when the protocol supported by every device connected to the switch does not need to be determined in advance. When the LDP or TDP adjacency is established (over virtual...

Configuring an LC-ATM Interface on a Router

interface atm number.sub-number mpls
- Creates an LC-ATM subinterface.
- By default, this subinterface uses VC 0/32 for the label control protocol and VPI 1 for label allocation.

mpls label protocol {ldp | tdp | both}
- Selects and starts the label distribution protocol (LDP, TDP, or both) on the LC-ATM subinterface.

On Cisco IOS platform routers, subinterfaces are typically used. Use the mpls keyword to specify the type of subinterface when you are entering...

Configuring EIGRP PE-CE Routing (Cont.)

The EIGRP configuration in this sample network is exceedingly simple:
- The EIGRP routing process is configured.
- The EIGRP version is configured as a global EIGRP parameter.
- An EIGRP routing context is configured for every VRF where you want to run EIGRP as the PE-CE routing protocol.
- The directly connected networks (configured on interfaces in the VRF) over which you want to run EIGRP are specified with standard EIGRP configuration.
- Redistribution from BGP into EIGRP with metric propagation...

Configuring MPLS over ATM Virtual Path: Routers

This topic shows how to configure MPLS over an ATM VP on routers. An LC-ATM interface is created, and the ATM VPI value is set to the virtual path number. The control virtual circuit needs to be established within the virtual path, and the virtual path number has to match between peers....

Configuring MPLS over ATM Virtual Path: Routers (Cont.)

When you connect a router and a switch through a virtual path, you need to set only the parameters for the control virtual circuit and the label range on the router. The router is unaware that the control virtual circuit is not terminated on the directly connected switch. The public ATM network simply forwards all cells based on the VPI value to the other endpoint, where an MPLS-enabled switch continues forwarding based on VPI and VCI values.

Configuring MPLS over ATM Virtual Path: Switches (Cont.)

This example shows the configuration of both MPLS-enabled ATM switches connected by a virtual path across a public ATM network. The VPI value has to be the same on the first and last hop in the path; the ATM provider can use any VPI on any other link. The example shows that the subinterface created on both switches has a subinterface number equal to the VPI number. Note: The example does not change the parameters of the control virtual circuit. PVCs will need to be established for the...

Configuring PE-CE OSPF Routing (Cont.)

redistribute ospf process-id [match {internal | external 1 | external 2}]

OSPF-to-BGP route redistribution is configured with the redistribute command under the proper address family. Without the match keyword, only internal OSPF routes are redistributed into BGP; external routes require an explicit match external 1 or match external 2. Use the standard BGP redistribution commands.

Configuring Per-VRF Static Routes

This topic identifies the command syntax used to configure per-VRF static routes.

ip route vrf name prefix mask [next-hop] interface

This command configures per-VRF static routes. The route is entered in the VRF table. You must always specify the outgoing interface, even if you specify the next hop.

ip route vrf Customer_AB ... serial...
router bgp as-number
 address-family ipv4 vrf Customer_AB
  redistribute static

Configuring RDs in a Central Services and Simple VPN

Configure a unique RD for every set of VRFs with unique membership requirements:
- A-Spoke-1 and A-Spoke-2 can share the same RD.
- B-Spoke-1 and B-Spoke-2 can share the same RD.
Configure one RD for all central server VRFs.

Configuring RTs in a Central Services and Simple VPN

- Configure the customer VPN import-export route target in all VRFs participating in the customer VPN.
- Configure a unique import-export route target in every VRF that is only a client of the central servers.
- Configure the central services import and export route targets in the VRFs that participate in the central services VPN.

PE-1 RD and RT Numbering Scheme: this table shows an RD and RT numbering scheme for PE-1.

PE-2 RD and RT Numbering Scheme: this table shows an RD and RT numbering scheme for PE-2. This...

Configuring Selective VRF Import

VRF import criteria might be more specific than just a match on the RT, for example:
- Import only routes with specific BGP attributes (community, and so on).
- Import only routes with specific prefixes or subnet masks (for example, only loopback addresses).
A route map can be configured in a VRF to make route import more specific.

Selective route import into a VRF allows you to narrow the route import...
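The RT matching rule, the central-services RT scheme described in the previous topic, and the export-map plus selective-import combination above can be checked offline with a small model. The following is an added example written for this page, not course or Cisco IOS code: it models a VRF as its RD, import RTs, export RTs, an optional export map (prefix to extra RT, the "set extcommunity rt ... additive" case) and an optional import filter. All VRF names, RDs, RTs and prefixes are constructed; the import filter that keeps only /32 routes stands in for an import route map matching a prefix list.

```python
"""Added model of MPLS VPN route distribution by Route Target (RT).

Not course code: it simulates the import/export rules the text describes so
that a central-services scheme and a selective import can be checked offline.
All VRF names, RDs, RTs and prefixes below are constructed for the example.
"""
from dataclasses import dataclass, field
from ipaddress import ip_network


@dataclass
class Vrf:
    name: str
    rd: str                  # route distinguisher prepended to exported IPv4 routes
    import_rts: set          # "route-target import": RTs this VRF accepts
    export_rts: set          # "route-target export": RTs attached to every export
    export_map: list = field(default_factory=list)  # [(prefix, extra_rt)] = "export map"
    import_filter: object = None                    # optional "import map" predicate
    routes: list = field(default_factory=list)      # local IPv4 prefixes in the VRF


@dataclass(frozen=True)
class Vpnv4Route:
    rd: str
    prefix: str
    rts: frozenset
    origin_vrf: str


def export_routes(vrf):
    """Turn local IPv4 routes into VPNv4 routes: prepend the RD, attach the
    export RTs, and let an export map add RTs to routes matching a prefix
    (the 'set extcommunity rt ... additive' case)."""
    out = []
    for prefix in vrf.routes:
        rts = set(vrf.export_rts)
        for match_prefix, extra_rt in vrf.export_map:
            if ip_network(prefix).subnet_of(ip_network(match_prefix)):
                rts.add(extra_rt)
        out.append(Vpnv4Route(vrf.rd, prefix, frozenset(rts), vrf.name))
    return out


def import_routes(vrf, vpnv4_table):
    """A VPNv4 route is imported only if at least one of its RTs matches an
    import RT of the VRF; an import filter (selective import) can narrow that
    further. Returns the imported prefixes, sorted."""
    accepted = []
    for route in vpnv4_table:
        if route.origin_vrf == vrf.name:
            continue                              # own routes are already local
        if not (route.rts & vrf.import_rts):
            continue                              # no RT match: stays out of the VRF
        if vrf.import_filter is not None and not vrf.import_filter(route):
            continue                              # RT matched but the filter rejected it
        accepted.append(route.prefix)
    return sorted(accepted)


def central_services_demo():
    """Two simple customer VPNs plus a central-services VPN. Spokes of one
    customer share an RD and the customer RT; every client also imports the
    server RT and exports the client RT; the server VRF does the reverse."""
    cust_a, cust_b = {"100:1"}, {"100:2"}
    to_servers, from_servers = {"100:901"}, {"100:900"}
    a1 = Vrf("A-Spoke-1", "100:1", cust_a | from_servers, cust_a | to_servers, routes=["10.1.1.0/24"])
    a2 = Vrf("A-Spoke-2", "100:1", cust_a | from_servers, cust_a | to_servers, routes=["10.1.2.0/24"])
    b1 = Vrf("B-Spoke-1", "100:2", cust_b | from_servers, cust_b | to_servers, routes=["10.2.1.0/24"])
    srv = Vrf("Central", "100:900", to_servers, from_servers, routes=["192.168.100.0/24"])
    vrfs = [a1, a2, b1, srv]
    table = [r for v in vrfs for r in export_routes(v)]      # the PE's VPNv4 table
    return {v.name: import_routes(v, table) for v in vrfs}


def nms_demo():
    """Selective import: Customer_B's export map tags everything under
    10.2.0.0/16 with 101:501; the NMS VRF imports 101:501 but keeps only
    host (/32) routes, so it sees the management loopbacks and nothing else."""
    cust_b = Vrf("Customer_B", "101:500", {"101:500"}, {"101:500"},
                 export_map=[("10.2.0.0/16", "101:501")],
                 routes=["10.2.41.0/24", "10.2.41.49/32", "10.2.42.49/32"])
    nms = Vrf("NMS", "101:501", {"101:501"}, {"101:501"},
              import_filter=lambda r: ip_network(r.prefix).prefixlen == 32)
    table = export_routes(cust_b) + export_routes(nms)
    return import_routes(nms, table)


if __name__ == "__main__":
    print(central_services_demo())
    print(nms_demo())
```

Running it shows the isolation the RT design is meant to give: each A spoke sees the other A spoke and the central servers, B-Spoke-1 sees only the central servers, and the server VRF sees every client. In the NMS case the export map decides which routes carry 101:501 and the import filter decides which of those the NMS VRF actually keeps; either knob alone would let the /24 through.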

Connect to CEwgA2 and try to ping CEwg2B or CEwg1B. Those routers should not be reachable from CEwgA2. For subgroup B

Sending 5, 100-byte ICMP Echos to 10.2.pop.49, timeout is 2 seconds
Sending 5, 100-byte ICMP Echos to 10.1.pop.49, timeout is 2 seconds

Connect to CEwgA1 and perform a ping and trace to the loopback address of CEwg2B, or vice versa. The other router should be

CEwg1A# ping 10.1.wg2.49
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.wg2.49, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 148/148/149 ms

CEpopA# traceroute 10.1.pop.49
Type escape sequence to abort.
Tracing the route to 10.1.pop.49
  1 150.wg.pop.34 16 msec 16 msec 12 msec
  2 150.wg.pop.17 [AS 6500wg] 72 msec 76 msec *

CEpopA# ping 10.2.pop.49
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2...

Customer uses only public IP addresses in the private network; not realistic for many customers

In order to gain Internet access from every site, each site requires at least some public IP addresses. Two methods can be used to achieve this goal. In the first, a small part of the public address space is assigned to each customer site, and NAT between the private IP addresses and the public IP addresses is performed at each site. If the customer is already using public IP addresses in the VPN, NAT functionality is not needed. Unfortunately, this option...

Customers can use overlapping addresses

The MPLS VPN architecture offers service providers a peer-to-peer VPN architecture that combines the best feature of overlay VPNs (support for overlapping customer address spaces) with the best features of peer-to-peer VPNs: PE routers participate in customer routing, guaranteeing optimum routing between customer sites, and PE routers carry a separate set of routes for each customer, resulting in perfect isolation between customers....

Data plane: forwards packets based on labels

The control plane contains complex mechanisms to exchange routing information, such as OSPF, EIGRP, IS-IS, and BGP, and to exchange labels, such as TDP, LDP, BGP, and RSVP. The data plane has a simple forwarding engine.

MPLS consists of two major components:
- Control plane: takes care of the routing information exchange and the label exchange between adjacent devices.
- Data plane: takes care of forwarding based on either destination addresses or...

debug mpls atm-ldp routes

The debug mpls atm-ldp routes command displays information about the state of the routes for which VCI requests are being made. When there are many routes and system activities (shutting down interfaces, learning new routes, and so on), the debug mpls atm-ldp routes command displays extensive information that might interfere with system timing. Most commonly, this interference affects normal LDP operation. To avoid this problem, increase the LDP hold time with the mpls ldp holdtime command.

Designing Internet Access Separated from VPNs

- Customer Internet access is implemented over different interfaces than VPN access.
- Represents the traditional Internet access implementation model.
- Requires separate physical links or separate subinterfaces.
- Maximum design flexibility: Internet access is totally independent from MPLS VPNs.

Internet access can always be implemented with the traditional implementation model, with two links between the customer site(s) and the service...

Destination-based routing lookup is needed on every hop

The figure shows how routers in a service provider network forward packets based on their destination addresses. The figure also shows that all the routers need to run a routing protocol (Border Gateway Protocol, or BGP) to obtain the entire Internet routing information. Every router in the path performs a destination-based routing lookup in a large forwarding table. Forwarding complexity is usually related to the size of the...

DHCP Relay (Cont.): Corporate DHCP Server

- The end station makes a DHCP request.
- The DHCP relay agent notes the VPN information and forwards the request to the correct server.
- The server assigns an address and replies.

In this two-VPN example, a corporate DHCP server and a DHCP client have been added to VPN A. The client broadcasts a DHCP request to the local relay. The local relay converts the broadcast to a unicast request for the DHCP server and adds the VPN ID. This request...

DHCP Relay: DHCP Today

Current implementations of DHCP suffer from a couple of issues: even if they are collocated, DHCP servers are replicated per VPN, and there is no added value from the service provider.

Service providers can take advantage of another centralized service to support DHCP clients. DHCP Relay for MPLS VPNs enables a DHCP relay agent to forward information about the DHCP request and the VPN...

Drawbacks of Traditional Peer-to-Peer VPNs

- All customers share the same (provider-assigned or public) address space.
- High maintenance costs are associated with packet filters.
- Performance is lower: each packet has to pass a packet filter.
- All customers share the same address space.
- Each customer requires a dedicated router at each POP.

Pre-MPLS VPN implementations, or peer-to-peer VPNs, all share a common drawback. Customers have to share the same global address space,...

Drawbacks of VPN Implementations

- Implementing optimum routing requires a full mesh of virtual circuits.
- Virtual circuits have to be provisioned manually.
- Bandwidth must be provisioned on a site-to-site basis.
- Overlay VPNs always incur encapsulation overhead.
- The service provider participates in customer routing.
- The service provider becomes responsible for customer convergence.
- PE routers carry all routes from all customers.
- The service provider needs detailed IP routing knowledge.

Each interface assignable to only one VRF

The routes received from VRF routing protocol instances or from dedicated VRF routing processes are inserted into the IP routing table contained within the VRF. This IP routing table supports exactly the same set of mechanisms as the standard Cisco IOS software routing table. These mechanisms include filter mechanisms (distribute lists or prefix lists) and interprotocol route selection mechanisms (administrative distances). The per-VRF...

Easier to achieve in extranet scenarios because every site is already secured against other sites

To bypass the limitations of Internet access through a central firewall, some customers are turning toward designs in which each customer site has its own independent Internet access. While this design clearly solves all traffic flow issues, the associated drawback is higher exposure: each site has to be individually secured against unauthorized Internet access. This design is applicable primarily for larger sites (concentrating traffic from...

Edge LSRs that receive the label from their next hop also store the label information in the FIB

Upon receiving an LDP update, router A can fill in the missing piece in its LIB, LFIB, and FIB tables:
- Label 25 is stored in the LIB table as the label for network X received from LSR B.
- Label 25 is attached to the IP forwarding entry in the FIB table to enable the MPLS edge functionality (incoming IP packets are forwarded as labeled packets).
- The local label in the LFIB table is mapped to outgoing label 25 instead of the pop action (incoming...

Even if the two topologies overlap, the hub-and-spoke topology is usually used because of easier management

The figure shows a worst-case scenario where the Layer 2 and Layer 3 topologies do not overlap. The result is that a single packet, which could be delivered in three Layer 2 hops, instead requires seven hops. The reason is that Layer 2 devices have only static information about how to interconnect Layer 3 devices, whereas routers use a routing protocol to propagate Layer 3 routing information through the intermediary router. Drawbacks of Traditional IP...

Every LSR builds its LIB, LFIB, and FIB data structures based on received labels

Unicast IP routing and MPLS functionality can be divided into the following steps:
- Routing information exchange using standard or vendor-specific IP routing protocols (OSPF, IS-IS, EIGRP, and so on).
- Generation of local labels: one locally unique label is assigned to each IP destination found in the main routing table and stored in the LIB table.
- Propagation of local labels to adjacent routers, where these labels might be used as...

Example

The following is sample output from the show ip bgp neighbors command:

Router# show ip bgp neighbors 192.168.100.129
BGP neighbor is 192.168.100.129, remote AS 65001, internal link
  BGP version 4, remote router ID 192.168.100.129
  BGP state = Established, up for 5d01h
  Last read 00:00:56, hold time is 180, keepalive interval is 60 seconds
  Route refresh: advertised and received(old & new)
  Address family IPv4 Unicast: advertised and received
  Address family VPNv4 Unicast: advertised and received

The following...

Example of Internet Access Through a Dedicated Subinterface


Exercise Verification

You have completed this exercise when you attain these results. On your PE routers, check BGP connectivity to all workgroups with the show ip bgp summary and show ip bgp neighbors commands; do the same on the CE routers.

BGP router identifier 192.168.wg.33, local AS number 65001
BGP table version is 1, main routing table version 1

Neighbor         V    AS MsgRcvd MsgSent   TblVer  InQ OutQ
192.168.100.129  4 65001      25      25        1    0    0

Note: The following command output has been edited.

BGP neighbor is 150.wg.pop.17, vrf Customer_A,...

Extranet VPNs (Cont.): Peer-to-Peer VPN Implementation

Peer-to-peer VPN implementation of an extranet VPN is very simple compared with overlay VPN implementation: all sites are connected to the P-network, and optimum routing between sites is enabled by default. The cost model of peer-to-peer implementation is also simpler; usually every organization pays its connectivity fees for participation in the extranet and gets full connectivity to all other sites.

FIBs are built based on IP routing tables with no labeling information

The figure illustrates how all routers learn about network X via an IGP such as OSPF, IS-IS, or EIGRP. The FIB table on router A contains the entry for network X, mapped to the IP next-hop address of B. At this time a next-hop label is not available, which means that all packets are forwarded in the traditional fashion (as unlabeled packets).

For other routing protocols, the SOO can be applied to routes learned through a particular VRF interface during the

There are two ways to set the SOO attribute on a BGP route. For routes received from BGP-speaking CE routers, the SOO is configured by the incoming route map on the PE router. For all other routes, a route map setting the SOO is applied to the incoming interface; the SOO, as set by the route map, is attached to the BGP route when an IGP route received through that interface is redistributed into BGP. Outgoing filters based on the SOO attribute also depend on the routing protocol used. Where EBGP...
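The SOO check itself is a single comparison, but the case it exists for, a site attached to two PE routers, is easier to see with a worked scenario. The following is an added example for this page, not course or Cisco IOS code: the two ways of tagging a route are collapsed into one function because they produce the same tag, and the outbound filter is applied per CE interface. Site numbers, SOO values and prefixes are constructed.

```python
"""Added model of the site-of-origin (SOO) check; not course code.

Site numbers, SOO values and prefixes are constructed for the example.
"""


def learn_from_ce(prefix, learned_via, interface_soo):
    """Tag a route with the SOO of the CE interface it came from. For a BGP CE
    the inbound route map sets it; for RIP/OSPF/static the route map on the
    interface sets it when the route is redistributed into BGP. Same tag."""
    return {"prefix": prefix, "via": learned_via, "soo": interface_soo}


def routes_to_ce(vrf_routes, interface_soo):
    """Outbound SOO filter toward one CE interface: never advertise a route
    whose SOO equals the SOO of that interface, because it originated there."""
    seen, out = set(), []
    for route in vrf_routes:
        if route["soo"] == interface_soo or route["prefix"] in seen:
            continue
        seen.add(route["prefix"])
        out.append(route["prefix"])
    return out


def dual_homed_demo():
    """Site 1 (SOO 65001:1) is dual-homed to PE1 and PE2; site 2 (SOO 65001:2)
    hangs off PE1 only. PE2 learns 10.1.0.0/16 both from its own CE link and
    from PE1 over MP-BGP; it must not hand that prefix back to site 1."""
    SITE1, SITE2 = "65001:1", "65001:2"
    pe1_vrf = [learn_from_ce("10.1.0.0/16", "rip", SITE1),
               learn_from_ce("10.2.0.0/16", "ebgp", SITE2)]
    # MP-BGP carries the SOO extended community with the route to PE2.
    pe2_vrf = [learn_from_ce("10.1.0.0/16", "rip", SITE1)] + pe1_vrf
    return {"PE1->site2": routes_to_ce(pe1_vrf, SITE2),
            "PE2->site1": routes_to_ce(pe2_vrf, SITE1)}


if __name__ == "__main__":
    print(dual_homed_demo())
```

PE2 still advertises site 2's prefix to site 1, so the second link is usable, but site 1's own prefix is never reflected back through it; without the filter, a site running RIP toward both PEs would learn a path to itself through the provider core.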

Forwarded IP packets are labeled only on the path segments where the labels have already been assigned

The figure shows how an unlabeled IP packet is forwarded based on the information found in the FIB table on router A. Label 25, found in the FIB table, is used to label the packet. Router B must remove the label because LSR B has not yet received any next-hop label (the action in its LFIB is pop). Router A performs an IP lookup (CEF switching), whereas router B performs a label lookup (label switching) in which the label is removed and a normal IP...
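The table-building steps and the two forwarding figures (FIB with no label yet, LIB/LFIB/FIB filled in after an LDP update, and a packet labeled only where labels exist) can be reproduced with a small model. The following is an added example for this page, not course or Cisco IOS code: it models an LSR chain A-B-C-D with network X behind D, lets each LSR advertise a local label to its neighbors, and traces one packet before and after all labels are known. The router names, the prefix and the label values 25 and 30 are constructed; the implicit-null value 3 is LDP's reserved label that makes the upstream neighbor pop (PHP).

```python
"""Added model of LIB/LFIB/FIB construction and label forwarding with PHP.

Not course code: a toy LSR chain built to reproduce the figures in the text.
Router names, the destination prefix and the label values are constructed.
"""
from dataclasses import dataclass, field

IMPLICIT_NULL = 3          # LDP implicit-null: "pop before sending to me" (PHP)
PREFIX = "10.0.0.0/24"     # constructed destination network X


@dataclass
class Lsr:
    name: str
    neighbors: set = field(default_factory=set)
    next_hop: dict = field(default_factory=dict)     # IGP: prefix -> next-hop LSR
    local_label: dict = field(default_factory=dict)  # prefix -> locally assigned label
    lib: dict = field(default_factory=dict)          # (prefix, neighbor) -> label received
    connected: set = field(default_factory=set)      # prefixes attached here (egress)

    def fib(self, prefix):
        """FIB entry: (next hop, label to push). The label comes from the LIB
        entry learned from the IGP next hop; none/implicit-null means unlabeled."""
        nh = self.next_hop[prefix]
        label = self.lib.get((prefix, nh))
        return nh, (None if label in (None, IMPLICIT_NULL) else label)

    def lfib(self, in_label):
        """LFIB entry for a local label: (prefix, next hop, outgoing label).
        An outgoing label of None means the action is pop, not swap."""
        prefix = next(p for p, lbl in self.local_label.items() if lbl == in_label)
        nh, out_label = self.fib(prefix)
        return prefix, nh, out_label


def advertise(lsrs, speaker, prefix, label):
    """LDP unsolicited downstream: the speaker assigns a local label and sends
    it to every neighbor, which stores it in its LIB keyed by (prefix, peer)."""
    lsrs[speaker].local_label[prefix] = label
    for nbr in lsrs[speaker].neighbors:
        lsrs[nbr].lib[(prefix, speaker)] = label


def forward(lsrs, ingress, prefix):
    """Carry one packet from ingress toward prefix; returns (router, action) per hop."""
    trace, router, label = [], ingress, None
    while True:
        lsr = lsrs[router]
        if prefix in lsr.connected:
            # Egress: with PHP the packet arrives unlabeled and needs one IP lookup;
            # without PHP it needs an LFIB pop followed by the IP lookup.
            trace.append((router, "deliver" if label is None else "pop+deliver"))
            return trace
        if label is None:                 # unlabeled packet: CEF lookup in the FIB
            nh, out = lsr.fib(prefix)
            trace.append((router, f"push {out}" if out else "ip"))
        else:                             # labeled packet: lookup in the LFIB
            _, nh, out = lsr.lfib(label)
            trace.append((router, f"swap {label}->{out}" if out else "pop"))
        router, label = nh, out


def build_network():
    """Chain A - B - C - D with network X attached to D; the IGP has converged,
    so every FIB has a next hop but no label yet."""
    names = ["A", "B", "C", "D"]
    lsrs = {n: Lsr(n) for n in names}
    for up, down in zip(names, names[1:]):
        lsrs[up].next_hop[PREFIX] = down
        lsrs[up].neighbors.add(down)
        lsrs[down].neighbors.add(up)
    lsrs["D"].connected.add(PREFIX)
    return lsrs


def partial_labels():
    """Only B has advertised so far: A labels the packet, B has no next-hop
    label and must pop, C forwards by plain IP lookup."""
    lsrs = build_network()
    advertise(lsrs, "B", PREFIX, 25)
    return forward(lsrs, "A", PREFIX)


def full_labels():
    """All LSRs have advertised; D sends implicit-null, so C (the penultimate
    hop) pops and D does a single IP lookup."""
    lsrs = build_network()
    advertise(lsrs, "B", PREFIX, 25)
    advertise(lsrs, "C", PREFIX, 30)
    advertise(lsrs, "D", PREFIX, IMPLICIT_NULL)
    return forward(lsrs, "A", PREFIX)


if __name__ == "__main__":
    print(partial_labels())
    print(full_labels())
```

The first trace is the figure above: A pushes 25, B pops because its LFIB has no outgoing label yet, and C does an ordinary IP lookup. The second trace is the steady state: B swaps 25 for 30, C pops on behalf of D, and the egress router performs only the IP lookup, which is exactly the double lookup PHP removes.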

GRE is simpler and quicker; IPsec provides authentication and security

With the success of IP and associated technologies, some service providers started to implement pure IP backbones to offer VPN services based on IP. In other cases, customers wanted to take advantage of the low cost and universal availability of the Internet to build low-cost private networks over it. Whatever the business reasons behind it, Layer 3 VPN implementations over an IP backbone always involve tunneling: encapsulation of protocol units at...

Here A-Central talks to B-Central

When two VPN customers want to share some information, they may decide to interconnect their central sites. To achieve this, two simple VPNs are created, each containing a customer central site and its remote sites. Then a third VPN, which partially overlaps with the customer VPNs but connects only their central sites, is created. The central sites can talk to each other. They can also talk to the remote sites in their own simple VPN, but not...

Hub-and-Spoke Overlay VPN Topology

This topic describes the characteristics of the hub-and-spoke overlay VPN topology category. The hub-and-spoke topology is the simplest overlay VPN topology: all remote sites are linked with a single virtual circuit to a central CE router. The routing is also extremely simple; static routing or a distance vector protocol such as Routing Information Protocol (RIP) is more than adequate. If a dynamic routing protocol such as RIP is used,...

Impact of Complex VPN Topologies on Virtual Routing Tables (Cont.)

To illustrate the requirements for multiple virtual routing tables, consider a VoIP service with three VPNs (customer A, customer B, and a VoIP VPN). The virtual routing table needs of this service are as follows: all sites of customer A (apart from the central site) can share the same virtual routing table because they belong to a single VPN. The same is true for all sites of customer B (apart from the central site). The VoIP gateways participate only in the VoIP VPN and can belong to a single...