MPLS Summary
MPLS Concepts
1) IP Routing Drawbacks
a) Routing protocols with full routing information are required on all routers
b) Routers make a destination-based forwarding decision only
c) Routers must make a routing lookup on every hop
d) List of major drawbacks of traditional IP:
- Hop-by-hop routing lookups
- Destination-based routing lookups
- Full routing information in all routers
e) Routers forward IP packets based on the destination address only
f) Policy-based routing can be used to forward on other parameters
g) Policy-based routing, however, is not scalable and has performance limitations
2) MPLS Concepts
a) The MPLS architecture is divided into two parts:
- The control plane takes care of the routing information (OSPF, IS-IS, BGP) and maintains the FIB table; it also handles label propagation (TDP, LDP, BGP, RSVP) and maintains the content of the label switching table, or LFIB, which is used to forward the packets.
- The data plane takes care of the forwarding of packets
b) MPLS has two modes:
- Frame-mode MPLS that is used on all frame-based media
- Cell-mode MPLS that is used in MPLS-enabled ATM networks
c) An MPLS network uses the following devices:
- Label Switch Router (LSR) forwards packets based on a 32-bit label
- Edge LSR forwards labeled packets and inserts labels on or removes labels from IP packets
- ATM LSR forwards cells based on labels encoded into the VPI/VCI fields of the ATM header
- ATM Edge LSR segments labeled or unlabeled packets into ATM cells, with the label encoded into the VPI/VCI fields of the ATM header
- How MPLS solves the IP drawbacks:
1. Hop-by-hop routing lookups are reduced to a simple label swap
2. Destination-based routing is replaced by label switching, where labels may correspond to parameters other than just IP destination networks
3. LSRs do not need full routing information as long as they have the right labels
4. An LSR uses the IGP and LDP to propagate routing and label information. The LSR primarily forwards labeled packets.
5. Types of LSRs
a. LSR
b. Edge LSR
c. ATM LSR (if MPLS is enabled, forwarding can only be done based on labels)
d. ATM Edge LSR
6. There are two modes of MPLS, Frame-mode and Cell-mode
7. Edge LSRs primarily label IP packets and LSRs swap the labels
8. ATM LSRs use cell-mode MPLS, where labels are encoded into the ATM header's VPI/VCI fields
d) MPLS vs. IP over ATM
- Layer 2 devices run a layer 3 routing protocol
- There is no need to manually establish virtual circuits
- MPLS provides a full-mesh network
e) Traffic Engineering
- Traffic can be forwarded based on other parameters (QoS, source IP, etc)
- Load sharing across unequal paths can be achieved
f) MPLS Modes of Operation:
- Frame mode: 32-bit label header (20-bit label, 3 experimental bits, 1 stack bit marking the last label in the stack, and 8-bit TTL)
- Cell mode: a label cannot be inserted into every cell. MPLS uses the VPI/VCI fields in the ATM header as the label. Cell mode uses the VPI/VCI fields for forwarding decisions, while the 32-bit label is still preserved in the frame but not used in the ATM network. The original label is only present in the first cell of the packet. The first cell has AAL5 header + label (32 bits) + IP header + payload
g) Forwarding Configurations:
- IP to IP
- IP to Label
- Label to IP
- A labeled packet is dropped if its label is not found in the LFIB, even if the IP destination exists in the FIB
- An IP packet is dropped if its destination is not found in the FIB, even if a label switched path is available for the destination.
3) MPLS Labels and Label Stack
a) MPLS uses a 32-bit label header that contains the following fields:
- 20-bit label
- 3 experimental bits
- Bottom-of-stack bit
- 8-bit TTL field
b) MPLS supports multiple labels (label stack)
c) The bottom-of-stack bit is used to determine the last label in the stack
d) The receiving router knows whether the packet is labeled based on the protocol identifier (or ethertype) field
e) The receiving router knows that another label follows if the bottom-of-stack bit is set to zero.
f) Applications beyond simple IP unicast routing require additional labels to describe more detailed Forwarding Equivalence Classes
g) The major differences between cell mode and frame mode:
- Frame mode uses the 32-bit label for forwarding
- Cell mode uses the VPI/VCI fields for forwarding
- Cell mode does not support concurrent IP forwarding and MPLS
h) The protocol identifier in the layer 2 header is used to identify the layer 3 protocol with most layer 2 encapsulations:
- Unlabeled IP unicast: PID=0x0800 identifies that the frame payload is an IP packet
- Labeled IP unicast: PID=0x8847 identifies that the frame payload is a unicast IP packet with at least one label
- Labeled IP multicast: PID=0x8848 identifies that the frame payload is a multicast IP packet with at least one label
i) MPLS Forwarding
- An LSR can perform the following:
1. Insert (impose) a label on ingress
2. Swap a label with the next hop label
3. Remove (pop) a label on egress
Note: an ATM LSR can only swap a label (the top label) with one label.
j) The major difference between frame-mode and cell-mode MPLS is that ATM LSRs are not capable of forwarding IP packets
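The label header layout and ethertype rules above, as an added example that is not code from the original notes: a small Python encoder/decoder for a frame-mode label stack. It uses the protocol identifier to tell unlabeled from labeled payloads, walks stack entries until the bottom-of-stack bit is set, and rejects a stack that never sets it; the two-label sample stack is constructed here to resemble an MPLS/VPN packet (outer transport label, inner VPN label).

```python
import struct

# Protocol identifiers (ethertypes) listed in the notes above
ETHERTYPE_IPV4 = 0x0800            # unlabeled IP unicast
ETHERTYPE_MPLS_UNICAST = 0x8847    # at least one label, unicast
ETHERTYPE_MPLS_MULTICAST = 0x8848  # at least one label, multicast


def decode_label_entry(word):
    """Split one 32-bit label stack entry into (label, exp, bottom_of_stack, ttl)."""
    label = word >> 12          # upper 20 bits
    exp = (word >> 9) & 0x7     # 3 experimental bits
    bos = (word >> 8) & 0x1     # bottom-of-stack bit
    ttl = word & 0xFF           # 8-bit TTL
    return label, exp, bos, ttl


def encode_label_stack(entries):
    """entries: [(label, exp, ttl), ...], top of stack first; BoS is set on the last entry only."""
    out = b""
    for i, (label, exp, ttl) in enumerate(entries):
        if not (0 <= label < 1 << 20 and 0 <= exp < 8 and 0 <= ttl < 256):
            raise ValueError("label stack field out of range")
        bos = 1 if i == len(entries) - 1 else 0
        out += struct.pack("!I", (label << 12) | (exp << 9) | (bos << 8) | ttl)
    return out


def parse_frame_payload(ethertype, payload):
    """Return (labels, remainder): labels is [] for plain IP, else one dict per stack entry."""
    if ethertype == ETHERTYPE_IPV4:
        return [], payload
    if ethertype not in (ETHERTYPE_MPLS_UNICAST, ETHERTYPE_MPLS_MULTICAST):
        raise ValueError(f"not an IP or MPLS ethertype: {ethertype:#06x}")
    labels, offset = [], 0
    while True:                               # keep reading entries until the BoS bit is set
        if offset + 4 > len(payload):
            raise ValueError("truncated label stack: no bottom-of-stack bit seen")
        word, = struct.unpack_from("!I", payload, offset)
        label, exp, bos, ttl = decode_label_entry(word)
        labels.append({"label": label, "exp": exp, "ttl": ttl})
        offset += 4
        if bos:
            return labels, payload[offset:]


# Constructed sample (not from the notes): outer transport label 16001, inner VPN label 200
SAMPLE_STACK = encode_label_stack([(16001, 0, 64), (200, 5, 64)])
```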
4) MPLS Applications
a) MPLS supports the following applications:
- Unicast IP routing
- Multicast IP routing
- Quality of Service
- Traffic Engineering
- MPLS/VPN
b) Different applications differ in the mechanisms used in the control plane, but the forwarding mechanism in the data plane is the same
c) Today MPLS is used for unicast/multicast routing, differentiated QoS, traffic engineering and MPLS/VPNs
d) MPLS can potentially be used with other layer 3 protocols (IPX, etc.)
e) All the applications use the same label forwarding engine in the data plane
f) Regardless of the application, the functionality is always split into control and data plane:
- The applications differ only in the control plane
- They all use the same data plane
- Edge LSR layer 3 data plane may differ
- In general a label is assigned to a Forwarding Equivalence Class (FEC)
- A FEC describes the packets that use the same Label Switched Path (LSP)
g) FEC for different Applications:
- Unicast IP routing: the FEC corresponds to an IP destination network
- Multicast IP routing: the FEC is equal to a destination multicast address stored in the multicast routing table. PIM version 2 with extensions for MPLS is necessary to propagate routing information as well as labels.
- MPLS Traffic Engineering: requires OSPF or IS-IS as the IGP, and RSVP or CR-LDP is used to establish traffic engineering tunnels and propagate labels
- Quality of Service: can be achieved by using the MPLS experimental bits or by creating separate LSPs for different classes. Extensions to TDP or LDP are used to create multiple LSPs for the same destination (one for each class). The FEC corresponds to the combination of the destination network and the class of service.
- VPN: the FEC corresponds to a VPN destination network. MPLS VPN uses an additional label to determine the VPN and the corresponding VPN destination network. BGP multiprotocol extensions are used to propagate VPN routing information and labels across the MPLS domain.
5) Difference between Tag Switching and MPLS
a) Tag Switching is compatible with MPLS in the data plane, but not in the control plane
b) TDP is used with Tag Switching and LDP is used with MPLS
c) Tag Switching and MPLS can be combined as long as any two peers support the same label exchange protocol.
d) TDP is the default label exchange protocol on Cisco routers
e) MPLS has been available since IOS 11.1CT with TDP, under the name Tag Switching
f) TDP uses UDP and TCP port number 711
g) LDP uses UDP and TCP port number 646
Label Assignment and Distribution
1) LDP role in Unicast IP Routing
a) A new protocol is introduced into MPLS-enabled networks to exchange labels assigned to IP destination networks. The Label Distribution Protocol (LDP) exchanges locally significant labels between adjacent routers. Labels received from LDP peers are bound to IP destination networks in the FIB table and to local labels in the LFIB table.
b) LDP/TDP is needed to exchange labels assigned to IP destinations
c) An IP destination network specifies a Forwarding Equivalence Class
d) The FEC is taken from the routing table
e) The output of LDP and TDP is entries in the Label Forwarding Information Base (LFIB)
2) Typical Label Distribution in Packet-Mode MPLS
a) Every LSR assigns a label for every destination in the IP routing table
b) Labels are assigned once per LSR, per platform
c) Every LSR advertises its label assignments to all neighbors
d) Every LSR stores all advertised labels in the LIB
e) Local labels are advertised to adjacent routers
f) Labels received from downstream neighbors are stored in the LIB table. They are used in the FIB table to forward and label IP packets and in the LFIB table to forward labeled packets
g) Received labels are stored in the Label Information Base (LIB)
h) The LFIB table is used to forward labeled packets
i) The FIB table is used to forward unlabeled packets
j) If the next-hop label is not in the FIB table, the packet is dropped.
k) Only one label is assigned to each destination network
l) There are two alternatives for assigning labels:
- Per-platform allocation
o Benefits: smaller LFIB and quick label exchange
o Drawbacks: insecure, any neighbor LSR can send packets with any label in the LFIB
3) Convergence in Packet-Mode MPLS
a) The convergence time in MPLS networks is influenced mainly by the convergence time of the IGP used in the network. LDP convergence, however, must be considered from two perspectives:
- Upon link failure, LDP usually already has labels for secondary paths. LSP convergence, therefore, depends solely on IGP convergence.
- Upon link recovery, the LDP session must be re-established, adding to the overall convergence of LSPs
b) LDP does not add any time to overall convergence when a link fails
c) An LDP session must be re-established once a link becomes available again
d) MPLS convergence in packet mode after link failure: the overall convergence time depends on the convergence time of the IGP. MPLS convergence occurs immediately after routing protocol convergence, based on labels already stored in the LIB.
e) MPLS convergence after link recovery: the LIB might not contain the label from the new next hop by the time IP convergence is complete. End-to-end MPLS connectivity might be broken after link recovery until the LDP session is re-established.
f) FIB and LFIB are also rebuilt, but the label information might be lacking for a while.
g) Use MPLS traffic engineering for make-before-break recovery.
4) Typical Label Distribution over LC-ATM Interfaces and VC-Merge
a) MPLS-aware ATM switches use an IP routing protocol and LDP to exchange routing information and labels. The VPI/VCI fields in the ATM header are used to encode MPLS labels.
b) ATM LSRs use downstream-on-demand allocation of labels, where an ordered sequence of requests is sent to the other end of the ATM network (per edge LSR allocation of VCs) or to the first ATM LSR that already has the next-hop label (VC-merge)
c) VC-merge is used to minimize the number of required labels, because most routers and ATM switches only support a limited number of virtual circuits. VC-merge, on the other hand, introduces greater delay to packets because their cells may be buffered in the ATM switches.
d) An ATM switching matrix in MPLS terminology is called a Label Forwarding Information Base (LFIB)
e) ATM LSRs must have the next-hop label before propagating their local label, so that they can create a complete entry in the LFIB table
f) VC-merge minimizes the overall number of virtual circuits on an ATM LSR
g) The drawback of VC-merge is that it buffers cells, which results in greater average delay and jitter for packets traversing the ATM network.
h) The MPLS label is encoded as the VPI/VCI value in cell-mode MPLS environments.
i) Each VPI/VCI combination represents a virtual circuit in ATM.
j) The number of virtual circuits is severely limited.
k) Labels in cell-mode MPLS are a scarce resource.
l) A router requests a label for every destination in the routing table whose next hop is reachable over an LC-ATM interface.
m) Downstream on demand: the reply to the incoming request allocates an incoming label (on the ATM switch), which is the next-hop label from the point of view of the router that requested it.
n) Cell interleaving is an issue when a downstream label is reused; the alternatives are:
- Allocating a separate downstream label for every upstream request
- Virtual circuit merge: prevents cell interleaving by blocking incoming cells until a whole frame is collected. It reduces the number of VCs required, because the same downstream label can be reused for multiple upstream LSRs, but it increases jitter and delay, and the ATM network is effectively transformed into a frame network.
o) Per-interface label allocation:
- The benefit of per-interface labels is that they prevent label spoofing and malicious packets
- Cell-mode MPLS forwards cells based on the incoming interface and the label (VPI/VCI)
5) MPLS Label Allocation, Distribution and Retention Modes
a) There are two available label space schemes:
- Per-interface label space, where labels must be unique for a specific input interface.
- Per-platform label space, where labels must be unique for the entire platform
b) There are two available propagation schemes:
- Unsolicited downstream distribution of labels is used in frame-mode MPLS, where all routers can asynchronously generate their local labels and propagate them to adjacent routers.
- Downstream-on-demand distribution of labels is used in cell-mode MPLS, where ATM LSRs must request a label for destinations found in the IP routing table.
c) There are two available types of label propagation control:
- Frame-mode MPLS uses independent control mode, where all routers can start propagating labels independently of each other.
- Cell-mode MPLS requires LSRs to already have the next-hop label if they want to generate and propagate their own local labels. This is called ordered control mode
d) There are two available label retention schemes:
- Frame-mode MPLS may result in multiple labels being received but only one used. Unused labels are kept; this is usually referred to as liberal retention mode
- Cell-mode MPLS, on the other hand, only keeps labels which it previously requested. This is called conservative retention mode.
e) Downstream on demand is usually used in cell-mode MPLS environments
f) Liberal retention mode provides faster convergence upon link failure but requires more memory
g) Per-platform label space yields smaller LIB and LFIB tables but is vulnerable to label spoofing
h) Per-interface label space is needed because ATM switches regard VPI/VCI values as per-interface significant
2) LDP Neighbor Discovery
a. LDP and TDP use a multicast IP address to periodically send Hello messages to all routers reachable through an interface.
b. The LDP session itself uses TCP to provide reliability
c. Both UDP and TCP use the well-known port number 646 (LDP) or 711 (TDP)
d. Routers periodically send LDP Hello messages to find peers
e. UDP multicast packets are used to find adjacent neighbors
f. TCP is used to provide a reliable exchange of labels
g. ATM LSRs establish a session across the control virtual circuit
h. LDP sessions between non-adjacent peers use directed unicast Hello messages to initiate the LDP session
i. UDP is used for Hello messages. They are targeted at the all-routers-on-this-subnet multicast address (224.0.0.2)
j. TCP is used to establish the session
k. Content of the LDP Hello packet:
- IP header (source IP address, destination 224.0.0.2)
- UDP header (source port=1150, destination port=646)
- Transport address = source IP address (optional TLV used to identify the source IP address for the LDP session)
- LDP identifier (6-byte TLV identifying the router and label space)
Note: per-platform label space requires only one LDP session. Per-platform label space is announced by setting the label space ID to zero (e.g. LDP ID 10.0.0.1:0)
l. LDP neighbor discovery: the LDP session is established from the router with the higher IP address. After the TCP session is established, the routers still send LDP Hello messages to discover new peers.
m. LDP discovery of non-adjacent neighbors uses unicast IP addresses instead of multicast addresses.
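The Hello contents listed above, as an added example that is not part of the original notes: a Python builder and parser for the LDP PDU carried in the UDP payload sent to 224.0.0.2 port 646 (or to a unicast address for a directed Hello). The 6-byte LDP identifier (4-byte LSR ID plus 2-byte label space, 0 meaning per-platform), the Common Hello Parameters TLV (hold time, T bit for targeted Hellos) and the optional Transport Address TLV follow the RFC 5036 layout; the addresses and hold times used are constructed values, and the IP/UDP headers are not built here.

```python
import socket
import struct

LDP_VERSION = 1
LDP_PORT = 646
ALL_ROUTERS = "224.0.0.2"          # link Hellos go here; targeted Hellos to a unicast address
MSG_HELLO = 0x0100
TLV_COMMON_HELLO_PARAMS = 0x0400
TLV_IPV4_TRANSPORT_ADDRESS = 0x0401


def build_hello(lsr_id, label_space=0, hold_time=15, transport_addr=None, targeted=False, msg_id=1):
    """Encode one LDP PDU carrying a single Hello message (the UDP payload).
    label_space 0 announces per-platform label space, e.g. LDP ID 10.0.0.1:0."""
    flags = 0x8000 if targeted else 0                       # T bit of Common Hello Parameters
    tlvs = struct.pack("!HHHH", TLV_COMMON_HELLO_PARAMS, 4, hold_time, flags)
    if transport_addr is not None:                          # optional Transport Address TLV
        tlvs += struct.pack("!HH4s", TLV_IPV4_TRANSPORT_ADDRESS, 4, socket.inet_aton(transport_addr))
    body = struct.pack("!I", msg_id) + tlvs
    message = struct.pack("!HH", MSG_HELLO, len(body)) + body
    ldp_id = socket.inet_aton(lsr_id) + struct.pack("!H", label_space)   # 6-byte LDP identifier
    # PDU length counts the LDP identifier and the messages, not the version/length fields
    return struct.pack("!HH", LDP_VERSION, len(ldp_id) + len(message)) + ldp_id + message


def parse_hello(pdu):
    """Decode a Hello PDU into a dict; raises ValueError on anything malformed."""
    if len(pdu) < 18:
        raise ValueError("PDU too short for an LDP header plus a Hello message header")
    version, pdu_len = struct.unpack_from("!HH", pdu, 0)
    if version != LDP_VERSION or pdu_len + 4 != len(pdu):
        raise ValueError("bad version or PDU length")
    lsr_id = socket.inet_ntoa(pdu[4:8])
    label_space, msg_type, msg_len = struct.unpack_from("!HHH", pdu, 8)
    if msg_type & 0x7FFF != MSG_HELLO:                      # top bit is the U (unknown) flag
        raise ValueError(f"not a Hello message: {msg_type:#06x}")
    if 14 + msg_len != len(pdu):
        raise ValueError("message length does not match PDU length")
    msg_id, = struct.unpack_from("!I", pdu, 14)
    info = {"lsr_id": lsr_id, "label_space": label_space, "per_platform": label_space == 0,
            "msg_id": msg_id, "transport_addr": None}       # None: use the Hello's source IP
    offset = 18
    while offset < len(pdu):                                # walk the TLVs after the message ID
        tlv_type, tlv_len = struct.unpack_from("!HH", pdu, offset)
        value = pdu[offset + 4:offset + 4 + tlv_len]
        if len(value) != tlv_len:
            raise ValueError("truncated TLV")
        kind = tlv_type & 0x3FFF                            # top two bits are the U/F flags
        if kind in (TLV_COMMON_HELLO_PARAMS, TLV_IPV4_TRANSPORT_ADDRESS) and tlv_len != 4:
            raise ValueError(f"unexpected length {tlv_len} for TLV {kind:#06x}")
        if kind == TLV_COMMON_HELLO_PARAMS:
            hold, flags = struct.unpack("!HH", value)
            info["hold_time"], info["targeted"] = hold, bool(flags & 0x8000)
        elif kind == TLV_IPV4_TRANSPORT_ADDRESS:
            info["transport_addr"] = socket.inet_ntoa(value)
        offset += 4 + tlv_len
    if "hold_time" not in info:
        raise ValueError("Common Hello Parameters TLV missing")
    return info
```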
3) Penultimate Hop Popping
- Penultimate hop popping slightly increases MPLS performance by eliminating one LFIB lookup. PHP uses the well-known label value 3, which represents a POP label. This label instructs neighbors to remove the label when doing label switching on a particular LSP.
- Penultimate hop popping can only be used in frame-mode environments. Labels in ATM networks cannot be removed because they are part of the ATM header (VPI/VCI)
- Penultimate hop popping optimizes MPLS performance by eliminating one LFIB lookup
- If the next-hop label is POP, a router must remove the label before it forwards the packet
Advanced MPLS Terminology
1) Label Switched Path
a) A Label Switched Path (LSP) in unicast IP routing is a sequence of LSRs that forward labeled packets for a particular Forwarding Equivalence Class (FEC)
b) In MPLS unicast IP forwarding, Forwarding Equivalence Classes are determined by the destination networks found in the main routing table
c) Summarization causes an LSP to break into two LSPs
d) An LSP is a sequence of LSRs used for a particular Forwarding Equivalence Class
e) An IP routing protocol determines the path in MPLS for unicast forwarding.
f) If IP aggregation (summarization) is used, an LSP is broken into two LSPs, requiring the summarizing routers to use the FIB table instead of the LFIB table to forward packets from one LSP to the other.
g) LSPs are unidirectional
h) A Label Switched Path (LSP) is a sequence of LSRs that forward labeled packets of a certain FEC.
i) LSP building: the IP routing protocol determines the path and LDP/TDP propagates labels to convert the path into an LSP.
j) Impact of IP aggregation on LSPs
1. IP aggregation breaks an LSP into two segments
2. The router in the middle forwards packets based on layer 3 information.
3. ATM LSRs must not aggregate because they cannot forward IP packets
4. Aggregation should not be used where end-to-end LSPs are required (MPLS VPN)
2) Explicit Label Switch Paths (Traffic Engineering)
a. MPLS Traffic Engineering can be used to create explicit LSPs that appear as point to point links between non-adjacent routers
b. MPLS/TE tunnels can be used to provide load balancing across unequal paths for better link utilization
c. MPLS/TE uses OSPF or IS-IS with MPLS/TE extensions to propagate information about available resources and constraints in the network
d. RSVP or CR-LDP is used to set up explicit LSPs and propagate labels
e. Explicit LSPs are used to provide load balancing across unequal paths
f. MPLS Traffic Engineering uses explicit LSPs to establish MPLS/TE tunnels
g. LDP uses directed Hello messages to find neighbors across MPLS/TE tunnels
h. Cisco routers use RSVP with MPLS/TE extensions to set up tunnels and exchange labels
i. RSVP uses downstream-on-demand propagation of labels
j. LSPs are usually determined by IP routing protocols
k. MPLS TE can be used to diverge from the path chosen by the IGP.
l. CR-LDP or RSVP with extensions for Traffic Engineering is used to establish LSPs
m. LSPs can also be configured manually
3) Loop Detection in Packet Mode MPLS
a) MPLS primarily relies on IP routing protocols to prevent routing loops. There are, however, additional loop prevention mechanisms built into the MPLS architecture, such as the TTL field in the MPLS label header
b) MPLS uses the TTL field in the label header to prevent indefinite looping of forwarded packets. By default, the value of the IP TTL field is copied into the TTL field in the label header, resulting in total transparency to the end user. If, however, TTL propagation is disabled, the service provider is able to hide core routers from end users
c) IP routing protocols prevent routing loops in MPLS networks
d) The TTL field is used to prevent indefinite looping of labeled packets
e) TTL propagation is the term used for copying the IP TTL into the label's TTL field
f) The label's TTL field is set to the value 255 if TTL propagation is disabled
g) If some LSRs have TTL propagation disabled and some do not, traceroute can give wrong results
h) LDP and TDP rely on the loop-detection mechanisms built into the IGPs that are used to determine the path; in case of misconfiguration with static routes, however, the TTL field in the label header is used to prevent indefinite looping of packets.
i) The TTL value of the IP header is copied into the label's TTL field; this is called TTL PROPAGATION
j) Labeled packets are dropped when the TTL is decremented to zero.
k) DISABLED TTL propagation
- The IP TTL is not copied into the label TTL, and the label TTL is not copied back into the IP TTL
- Instead, the value 255 is assigned to the label header TTL field on the ingress LSR
- Disabling TTL propagation hides core routers in the MPLS domain.
- Traceroute across an MPLS domain does not show any core routers
- If TTL propagation is disabled, it must be disabled on all routers in an MPLS domain.
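An added example (not code from the original notes) that ties together the forwarding configurations from the MPLS Concepts section, penultimate hop popping and TTL propagation: a Python model of an LSR with a FIB and an LFIB, run over a constructed four-router path PE1 -> P1 -> P2 -> PE2 with one LSP. It shows the two drop rules (an unknown label is dropped even though the FIB has the route; an unknown destination is dropped even though an LSP exists), the POP label 3 at the penultimate hop, why traceroute no longer shows P1 and P2 when TTL propagation is disabled on every router, and how a per-interface label space rejects a label arriving on an unexpected interface; router names, interfaces, prefixes and label values are all assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

POP = 3  # well-known POP (implicit-null) label: the next hop asks us to remove the label


@dataclass
class Packet:
    dst: str                                     # IPv4 destination address
    ip_ttl: int
    labels: list = field(default_factory=list)   # [(label, ttl), ...], top of stack first


@dataclass
class LSR:
    name: str
    fib: dict                     # prefix -> (out_iface, next-hop label or None)
    lfib: dict                    # label, or (in_iface, label) -> (out_iface, next-hop label)
    per_interface: bool = False   # per-interface label space keys the LFIB by incoming interface
    propagate_ttl: bool = True    # copy IP TTL into the label on push and back on pop

    def fib_lookup(self, dst):
        """Longest-prefix match, as CEF does; None when the FIB has no route."""
        addr = ip_address(dst)
        nets = [ip_network(p) for p in self.fib if addr in ip_network(p)]
        return self.fib[str(max(nets, key=lambda n: n.prefixlen))] if nets else None

    def forward(self, pkt, in_iface):
        """Return (out_iface, pkt), or (None, reason) when the packet is dropped."""
        if pkt.labels:                                      # labeled packet: LFIB only
            label, ttl = pkt.labels[0]
            key = (in_iface, label) if self.per_interface else label
            if key not in self.lfib:                        # dropped even if the FIB knows pkt.dst
                return None, f"{self.name}: label {label} from {in_iface} not in LFIB"
            out_iface, next_label = self.lfib[key]
            ttl -= 1
            if ttl == 0:
                return None, f"{self.name}: label TTL expired"
            if next_label == POP:                           # penultimate hop popping
                pkt.labels.pop(0)
                if pkt.labels:                              # TTL moves to the new top label...
                    pkt.labels[0] = (pkt.labels[0][0], ttl)
                elif self.propagate_ttl:                    # ...or back into the IP header
                    pkt.ip_ttl = ttl
            else:
                pkt.labels[0] = (next_label, ttl)           # plain swap
            return out_iface, pkt
        entry = self.fib_lookup(pkt.dst)                    # unlabeled packet: FIB only
        if entry is None:                                   # dropped even if an LSP exists
            return None, f"{self.name}: {pkt.dst} not in FIB"
        out_iface, next_label = entry
        pkt.ip_ttl -= 1
        if pkt.ip_ttl == 0:
            return None, f"{self.name}: IP TTL expired"
        if next_label not in (None, POP):                   # impose a label on ingress
            pkt.labels.insert(0, (next_label, pkt.ip_ttl if self.propagate_ttl else 255))
        return out_iface, pkt


def walk(path, pkt):
    """Push pkt through [(lsr, in_iface), ...]; returns [(name, out_iface, labels-or-reason)]."""
    hops = []
    for lsr, in_iface in path:
        out_iface, result = lsr.forward(pkt, in_iface)
        hops.append((lsr.name, out_iface, list(pkt.labels) if out_iface else result))
        if out_iface is None:
            break
    return hops


def traceroute(path, dst, max_ttl=16):
    """Routers that answer traceroute probes, i.e. the hop where each probe's TTL expires."""
    seen = []
    for ttl in range(1, max_ttl + 1):
        name, out_iface, info = walk(path, Packet(dst, ttl))[-1]
        if out_iface is not None or "expired" not in info:
            break                                           # probe left the domain
        seen.append(name)
    return seen


def build_path(per_interface=False, propagate_ttl=True):
    """Constructed topology (not from the notes): PE1 -> P1 -> P2 -> PE2 with one LSP for
    10.1.1.0/24. PE2 advertised the POP label to P2, so P2 is the penultimate hop."""
    def key(label):                                         # LFIB key for a label learned on s0
        return ("s0", label) if per_interface else label
    pe1 = LSR("PE1", {"10.1.1.0/24": ("s1", 100)}, {}, per_interface, propagate_ttl)
    p1 = LSR("P1", {"10.1.1.0/24": ("s1", 200)}, {key(100): ("s1", 200)}, per_interface, propagate_ttl)
    p2 = LSR("P2", {"10.1.1.0/24": ("s1", None)}, {key(200): ("s1", POP)}, per_interface, propagate_ttl)
    pe2 = LSR("PE2", {"10.1.1.0/24": ("e0", None)}, {}, per_interface, propagate_ttl)
    return [(pe1, "e0"), (p1, "s0"), (p2, "s0"), (pe2, "s0")]
```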
4) Loop Detection in Cell-Mode MPLS
a) MPLS primarily relies on the loop-detection mechanisms built into IGPs
b) The Hop Count TLV is used to simulate TTL functionality on ATM LSRs with the help of the ATM edge LSRs
c) The Path Vector TLV is used to prevent loops in LDP updates
d) Cell-mode MPLS with LDP uses a Path Vector TLV and a Hop Count TLV to prevent loops in LDP
e) The TTL field in the 32-bit label is used to prevent indefinite looping of packets if there is a loop in the network.
f) The Path Vector TLV prevents loops within LDP. Most loops, however, should still be prevented by the IP routing protocol used in the network.
g) The Path Vector TLV and the Hop Count TLV, combined with the maximum number of hops, can be used to prevent loops in LDP.
h) LDP's Hop Count TLV determines the number of hops in the ATM part of the network. That number is subtracted from the TTL value on the ingress ATM edge LSR.
i) LDP uses a Hop Count TLV (type-length-value) to count hops in the ATM part of the MPLS domain
- The TLV counts the number of hops in the LSP; the ATM edge LSR subtracts that count from the TTL instead of each ATM LSR decrementing the TTL value.
j) The LDP Path Vector TLV is another safeguard that prevents loops in LDP.
- The TLV carries the router IDs of all ATM LSRs in the path
- If an LSR receives an LDP update with its own router ID in the Path Vector TLV, the update is ignored
- The Path Vector TLV is not present in TDP
5) MPLS – BGP Interaction
a) Labels assigned to BGP-derived networks are the same as those assigned to their next-hop addresses.
b) This approach allows a new way of designing BGP networks. Not all core routers are required to run BGP (depending on the topology of the network)
c) Transit autonomous systems benefit from using MPLS by reducing the number of routers that have to run BGP. Core routers usually do not have to run BGP and can be hidden by disabling TTL propagation. Private addresses can also be used in the core if TTL propagation is disabled.
d) Design requirements for an MPLS-based transit AS: the core routers do not need BGP, and summarization of BGP next-hop addresses should not be configured.
e) If the BGP next-hop addresses are summarized, then the summarizing routers are required to run BGP to enable IP-based forwarding.
f) Benefits of an MPLS-based transit AS
a) Simplified BGP topology (only AS edge routers are required to run BGP with full Internet routes)
b) The core routers do not require a lot of memory (100.000 routes may require more than 50M of memory)
c) Changes in the Internet do not impact core routers
d) Allows private addresses to be used in the core if TTL propagation is disabled.
g) The following precautions must be taken when combining BGP and MPLS:
- Do not summarize BGP next-hop addresses, because summarization breaks an LSP into two LSPs.
- If summarization is configured, then the router doing the summarization should also run BGP to be able to forward IP packets based on IP destinations
Configuring Cell-Mode MPLS on IOS Platform
1) Configuring LC-ATM MPLS
a) The configuration of LC-ATM MPLS is very similar to frame mode. The main differences are:
a) Set the type of the ATM interface to tag-swit­ching
b) Some ATM-specific parameters are accessed through the tag-switching atm command, for example: control VC, VPI range, VC-merge and the maximum number of hops across the ATM network
b) The steps needed to configure an LC-ATM interface on a router:
c) Enable CEF switching
d) Enter ATM subinterface configuration mode by specifying the tag-switching interface type
e) Enable tag switching on the subinterface
c) The steps needed to configure an LC-ATM interface on an ATM switch:
f) Enter ATM interface configuration mode
g) Enable tag switching on the subinterface
d) In addition to enabling MPLS on an ATM interface you can also change some default parameters:
h) The control VC's VPI and VCI can be changed by using the tag-switching atm control-vc command
i) The VPI range used for LVCs can be changed by using the tag-switching atm vpi command
j) The VC-merge feature can be disabled on a switch by using the no tag-switching atm vc-merge command
k) TDP can be replaced with LDP by using the mpls label-protocol ldp command
2) Configuring LC-ATM MPLS over ATM virtual path
a) A virtual path is useful when trying to cross an ATM network that does not support MPLS. It is typically used when migrating from standard ATM to IP+ATM, or when interconnecting sites across a public ATM network.
b) A virtual path can be established between two switches or between a router and a switch. Connecting two routers with a virtual path is not recommended.
c) Configuration of a switch requires a PVP configuration. Configuration of a router does not require anything special (the virtual path is transparent)
d) There are two major reasons for deploying MPLS across a virtual path:
l) MPLS is needed but parts of the network cross a public ATM network
m) To ease migration by connecting an MPLS-enabled ATM network to the old ATM network
e) The virtual path is more or less transparent to the routers and switches connected by it. The only things that need to be configured are the VPI/VCI parameters of the control VC and the VPI range for labels.
f) All device combinations are supported across an ATM virtual path; however, only those that have at least one switch are used.
g) An alternative method of connecting two routers across a public ATM network, instead of using a virtual path and cell mode, is frame-mode MPLS across a PVC.
h) The steps to configure the virtual path:
n) Configure a virtual path (switches only)
o) Put the control VC into the virtual path
p) Set the VPI range to match the value of the virtual path
6) The ATM virtual path number has to match between LC-ATM peers, because the two TDP/LDP peers use this value in their negotiation of label space
3) Monitoring LC-ATM MPLS on IOS Platform
a) Cisco IOS software includes a large list of show commands that can ease troubleshooting MPLS networks:
a) show tag-switching atm-tdp summary
b) show tag-switching atm-tdp bindings
c) show tag-switching atm-tdp capability
b) show tag-switching atm-tdp capability displays the LC-ATM capabilities
c) Unidirectional label allocation indicates that the peer device can, within a single VPI, support binding of the same VCI to different prefixes in different directions of the link.
d) You can identify an ATM switch by looking at the show tag-switching atm-tdp bindings output for the words transit or switch.
e) You can display the label switched paths that have not yet been fully established by using the show tag-switching atm-tdp summary command, which also lists all LVCs that are in the process of being established.
4) Configuration on Routers vs. ATM Switches in Cell Mode
a) Router config
a. Create an LC-ATM subinterface
b. Enable TDP/LDP on the subinterface instead of configuring point-to-point or point-to-multipoint
c. COMMANDS:
- interface atm 0/0.1 tag-switching
- tag-switching ip or mpls ip
- mpls label protocol (ldp, tdp or both)
b) ATM switch config (no extra configuration is needed on the switch because it only runs cell mode)
a. Configure tag switching on the ATM interface
b. COMMANDS:
- interface atm 0
- tag-switching ip or mpls ip
- mpls label protocol (ldp, tdp or both)
c) By default VC 0/32 is used for the label control protocol and VP 1 for label allocation of dynamically established LVCs (Label Virtual Circuits)
d) tag-switching atm vc-merge is used to merge multiple sources onto the same destination label by buffering the incoming cells in the ATM switch and forwarding them when the complete frame has been assembled. The only drawback is the delay incurred by the store-and-forward in the ATM switch.
e) Command: tag-switching atm vc-merge (global config); the default is enabled.
f) tag-switching atm vc-merge has to be disabled to allow cell interleaving
g) tag-switching atm maxhops (global config) is very important with TDP, because TDP relies exclusively on the hop count carried in the TDP request and reply packets to detect loops during downstream-on-demand label allocation. Note: the router ID (LDP Path Vector) can be used in LDP to detect routing information loops in ATM networks during the downstream-on-demand label allocation process.
h) tag-switching atm control-vc vpi/vci is used to change the control VC (interface command)
i) tag-switching atm vpi start-vpi [- end-vpi]; the default VPI is 1 and the end VPI is optional (interface command)
5) ATM Virtual Path
d) An ATM virtual path is a collection of VCs with a common VPI. ATM switches forward based on the VPI only. It is mandatory that the same VPI be used on both ends of the path, because the VPI value is part of the LDP VP-range negotiation.
e) Virtual path usages:
1. Connecting two LC-ATM domains across a public network:
a. An ATM PVC can be used to connect two routers
b. An ATM virtual path has to be used to connect an ATM switch to another switch or to a router.
2. Network migration toward IP+ATM: virtual paths can be established from an MPLS-enabled switch to all devices connected to an ATM switch that does not support MPLS.
f) Virtual path scenarios:
1. ATM switch to ATM switch
2. ATM switch to a router
3. Router to router: not advisable, use frame-mode MPLS over an ATM PVC instead.
g) COMMANDS on the ATM SWITCH – tag switching over VP 17:
1. interface atm 0/1/3
2. atm pvp 17
3. interface atm 0/0.17 point-to-point
4. ip unnumbered loopback 0
5. tag-switching ip
h) COMMANDS on the ROUTER – tag switching over VP 17:
1. interface atm 0/0.2 tag-switching
2. ip unnumbered loopback 0
3. tag-switching atm control-vc 17/32
4. tag-switching atm vpi 17-17
5. tag-switching ip
i) Monitoring
1. show tag-switching atm-tdp summary (displays a summary of ATM-TDP and all the LVCs in the process of being established)
2. show tag-switching atm-tdp bindings (displays the ATM-TDP LIB and identifies whether the switch is a transit, tailend or headend)
3. show tag-switching atm-tdp capabilities (displays the LC-ATM capabilities of this LSR and peering LSRs). The allocation scheme can be UNIDIR, which indicates that the peer device can, within a single VPI, support binding of the same VCI to different prefixes in different directions of the link, or BIDIR, which indicates that within a single VPI a single VCI can appear in one binding only. In this case one peer device allocates bindings with even VCIs and the other with odd VCIs. The system with the lower TDP identifier assigns the even-numbered VCIs.
7) MPLS Loop Detection and Prevention
a) Frame-mode data plane loop detection uses the TTL, as in an IP network: when the label is imposed, the label TTL is copied from the TTL of the IP packet.
b) Frame-mode control plane loop detection relies on the IGP.
c) Cell-mode data plane loop detection: after the label request, the ATM-LSR learns the hop count from the hop-count TLV returned by the destination ATM-LSR. Before the SAR process, the TTL field in the IP header is decreased by the hop count learned in the label request, so the destination reassembles the packet with the correct TTL value.
d) Cell-mode control plane loop detection is based on the hop-count TLV; each hop decrements the count, starting from the configured maximum. The default maximum hop count is 254, which can lengthen the time needed to detect a loop, so it can be lowered with the tag-switching atm maxhops command to reduce the maximum number of hops before a loop is detected.
Configuring Frame-mode MPLS on the IOS Platform
2) CEF Switching Review
a) CEF switching is one of many different switching mechanisms supported by Cisco IOS software. It combines good performance with support for the advanced features needed in modern networks.
b) The CEF switching table (FIB table) contains all the information that is in the routing table and, therefore, is not a packet-triggered cache mechanism. At the same time it incorporates a fast lookup mechanism that provides excellent performance.
c) Use the ip cef global command to enable CEF switching on all interfaces that support it. Use the no ip route-cache cef interface command to disable CEF switching on an interface.
d) Use the command show ip cef to view the contents of the FIB table and show adjacency to view the contents of the adjacency table.
e) There are three types of layer 3 switching mechanisms available:
1. Process switching, based on routing table lookups
2. Fast switching/optimum switching, based on a route cache
3. CEF, based on a forwarding table
f) Fast switching does a cache-based lookup and falls back on an IP routing table lookup if the destination is not in the fast switching cache; CEF performs the lookup in a forwarding table that contains all destinations and therefore needs no fallback mechanism.
g) The main structures used by CEF are the Forwarding Information Base (FIB) and the adjacency table.
h) If the destination subnet is not in the Forwarding Information Base, the packet is dropped, as the FIB should contain all known routes.
3) Configuring MPLS on Cisco IOS – Frame-Mode interfaces
a) To enable MPLS on an interface use the tag-switching ip command or the mpls ip command on newer Cisco IOS software. To enable LDP use the mpls label protocol ldp command.
b) When labeled packets traverse the core network, the TTL field within the label header is treated in the same way as for a normal IP packet. To prevent non-edge routers from replying with ICMP Time-to-Live Exceeded messages, disable TTL propagation; this effectively hides the core routers from outside users. Use the no tag-switching ip propagate-ttl global command, or no mpls ip propagate-ttl on newer Cisco IOS software, to accomplish this.
c) Labeled packets increase in size due to the imposition of the label header, which may cause problems on certain media and equipment. Use the tag-switching mtu interface command to specify the maximum size of a labeled IP packet.
d) To prevent labeling packets for all destinations, disable label propagation and enable conditional label propagation with the tag-switching advertise-tags global command.
e) The mandatory configuration steps needed to enable MPLS on the IOS platform are enabling ip cef and configuring mpls ip or tag-switching ip on the desired interfaces.
f) The TDP/LDP process is started automatically the moment MPLS is enabled on the first interface of the router.
g) TDP and LDP can be used on the same router; every interface can support any combination of these two label distribution protocols.
h) If you disable TTL propagation, end users will not be able to see the internal structure of the MPLS network with the traceroute command or equivalent tools.
i) You should configure the MPLS MTU on LAN interfaces in scenarios where labeled IP packets should not be fragmented.
j) Labeled packets that exceed the MTU size are fragmented. If the labeled IP packet has the Don't Fragment (DF) bit set, the packet is dropped and an ICMP report is sent back to the originating device.
k) You can use the conditional label distribution in environments where ….
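The TTL and MTU behaviour described in items b), c), h), i) and j) above, modelled in Python as an added example (not code from the original notes or from Cisco IOS): it packs and unpacks the 32-bit label entry, copies the IP TTL into the label TTL or, with propagation disabled, starts the label TTL at 255 so that no core LSR ever expires a traceroute probe, and applies the labeled-packet MTU check with and without the DF bit. The router names, the 1500-byte MTU and the packet sizes are constructed values.

```python
"""Added example, not part of the original notes: a model of frame-mode MPLS
label imposition, TTL propagation and the labeled-packet MTU check.
Hop names, the MTU and the packet sizes are constructed values."""
import struct
from dataclasses import dataclass

LABEL_ENTRY_BYTES = 4   # one shim-header entry is 32 bits
HIDDEN_TTL = 255        # label TTL used when TTL propagation is disabled


def encode_label(label: int, exp: int, bottom: bool, ttl: int) -> bytes:
    """Pack one label stack entry: 20-bit label, 3-bit EXP, 1-bit S, 8-bit TTL."""
    if not (0 <= label < 1 << 20 and 0 <= exp < 8 and 0 <= ttl < 256):
        raise ValueError("label entry field out of range")
    word = (label << 12) | (exp << 9) | (int(bottom) << 8) | ttl
    return struct.pack("!I", word)


def decode_label(entry: bytes) -> dict:
    """Inverse of encode_label, for inspecting a captured shim header."""
    (word,) = struct.unpack("!I", entry)
    return {"label": word >> 12, "exp": (word >> 9) & 0x7,
            "bottom": bool((word >> 8) & 0x1), "ttl": word & 0xFF}


@dataclass
class IPPacket:
    dst: str
    ttl: int
    length: int          # total IP length in bytes
    df: bool = False     # Don't Fragment bit


def impose_label(pkt: IPPacket, label: int, propagate_ttl: bool = True,
                 mpls_mtu: int = 1500) -> tuple:
    """Ingress edge LSR: route the packet (TTL - 1), push one label and apply the
    MPLS MTU. Returns (action, shim) with action forward / fragment / drop+icmp."""
    ttl = pkt.ttl - 1 if propagate_ttl else HIDDEN_TTL
    shim = encode_label(label, 0, True, ttl)
    if pkt.length + LABEL_ENTRY_BYTES > mpls_mtu:
        # Oversized labeled packet: fragment it, or drop and report when DF is set.
        return ("drop+icmp" if pkt.df else "fragment"), shim
    return "forward", shim


def traverse(ip_ttl: int, core_hops: list, propagate_ttl: bool) -> str:
    """Follow one packet from the ingress PE through the P routers to the egress PE.
    Returns the node where the TTL expires, or 'delivered'."""
    ip_ttl -= 1                                   # ingress PE routes the IP packet
    if ip_ttl <= 0:
        return "ingress-PE"
    label_ttl = ip_ttl if propagate_ttl else HIDDEN_TTL
    for hop in core_hops:
        label_ttl -= 1                            # LSRs decrement only the label TTL
        if label_ttl <= 0:
            return hop                            # this P router answers TTL exceeded
    # Egress PE pops the label: IP TTL becomes min(IP TTL, label TTL), then is routed.
    ip_ttl = min(ip_ttl, label_ttl) - 1
    return "egress-PE" if ip_ttl <= 0 else "delivered"


def traceroute(core_hops: list, propagate_ttl: bool, max_ttl: int = 16) -> list:
    """The nodes a traceroute from outside the MPLS core would reveal."""
    seen = []
    for ttl in range(1, max_ttl + 1):
        node = traverse(ttl, core_hops, propagate_ttl)
        if node == "delivered":
            break
        seen.append(node)
    return seen


if __name__ == "__main__":
    core = ["P1", "P2", "P3"]
    print("propagate-ttl on :", traceroute(core, True))
    print("propagate-ttl off:", traceroute(core, False))
    big = IPPacket("10.1.1.1", 64, 1498, df=True)
    print(impose_label(big, 18)[0])   # 1498 + 4 > 1500 with DF set -> drop+icmp
```

With propagation enabled every P router shows up in the trace; with it disabled the core collapses to the two PE routers, which is exactly the effect item h) describes. The MTU check shows why item i) matters: a 1498-byte packet that fits the link MTU no longer fits once the 4-byte shim is added.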
4) Configuring Frame-mode MPLS on Switched WAN Media
a) If ATM is used within the MPLS network but the ATM switches do not support MPLS, standard PVCs can be used to interconnect the routers and frame-mode MPLS can be run across the PVCs. The PVC information is used to perform cell switching within the ATM network and a shim header is used to perform label switching on the routers.
b) The configuration tasks are the same as those on other frame-based interfaces. Use the tag-switching ip or mpls ip command to enable frame-mode MPLS on point-to-point (sub)interfaces.
c) Frame-mode MPLS over ATM is most commonly used in migration scenarios and in situations where labeled packets have to traverse ATM networks that do not support MPLS.
d) MPLS can run between routers connected by a Frame Relay PVC, but not between a router and the adjacent Frame Relay switch.
e) The steps to configure MPLS over an ATM PVC:
1. Configure a point-to-point or multipoint ATM subinterface
2. Configure the ATM PVC on the subinterface
3. Enable MPLS on the subinterface
5) Monitoring MPLS on Cisco IOS Frame-Mode Interfaces
a) Use the show tag-switching and show ip cef commands to diagnose problems in an MPLS-enabled network.
b) show tag-switching tdp neighbor displays the list of TDP/LDP neighbors.
c) show tag-switching tdp neighbor detail displays the TDP router ID of your neighbor.
d) show tag-switching tdp bindings displays the content of the LIB
e) show tag-switching forwarding-table displays the content of the LFIB
f) show ip cef destination detail displays the label information attached to the packet during the Layer 3 lookup
g) debug tag-switching tdp helps to troubleshoot TDP session establishment and label distribution.
h) debug tag packet changes the MPLS switching mechanism to process switching, significantly reducing MPLS performance on the device.
MPLS VPN Technology
1) Introduction to VPN
a) VPNs were introduced by service providers to offer a more cost-effective alternative to the traditional customer design, which relied on dedicated point-to-point links between customer sites. The overall network implemented with a VPN solution is divided into the customer network (C-network), which is exclusively under customer control, and the provider network (P-network), the shared infrastructure used to offer the VPN services. The device linking a customer site with the P-network is called the Customer Edge (CE) device; this component was traditionally named CPE. The edge device in the service provider network to which the customers are attached is called the Provider Edge (PE) device. A device inside the provider network with no customers connected is a Provider (P) device.
b) Customers use VPNs to reduce their connectivity costs
c) VPNs replace private point-to-point links with connectivity over a statistically shared infrastructure.
d) The C-network is the part of the network under customer control
e) A customer site is a contiguous part of the C-network
f) The CE-router is a router in the C-network with a link to the service provider
g) The P-network is the part of the network under service provider control
h) Customers are attached only to PE-routers, never to P-routers
2) Overlay and Peer to Peer VPN
a) There are a number of different virtual networking concepts in the data communications field:
1. VLANs allow you to implement isolated LANs over the same physical infrastructure
2. VPDNs (Virtual Private Dialup Networks) allow customers to use the dial-in infrastructure of the service provider for their private dialup connections
3. VPNs allow customers to use the shared infrastructure of the service provider to implement their private networks
b) The VPN paradigms:
1. Overlay VPN, where the service provider gives the customer emulated point-to-point links across the service provider backbone
2. Peer-to-peer VPN, where the service provider becomes actively involved in the customer routing and acts as the core layer-3 backbone of the customer
c) The overlay VPNs are implemented with number of technologies, ranging from traditional layer-1 technologies (ISDN, SDH, SONET) and layer-2 technologies (X.25, Frame Relay, ATM) to modern IP Based solutions (GRE and IPSec)
d) Overlay VPNs, although well known and easy to implement, are harder to operate because of their higher maintenance costs:
1. Every individual virtual circuit needs to be provisioned
2. Optimum routing between customer sites requires a full mesh of virtual circuits between sites
3. Bandwidth has to be provisioned on a site-to-site basis
e) Traditional peer-to-peer VPNs are implemented with packet filters on shared PE-routers or with dedicated per-customer PE-routers. Along with high maintenance costs or the cost of equipment, both methods require the customer to accept the service provider assigned address space or to use public IP addresses in the private customer network.
f) MPLS VPN, introduced in the next sections, provides all the benefits of peer-to-peer VPNs and alleviates most of their drawbacks
g) An overlay VPN is a VPN providing emulated point-to-point links to the customers
h) In an overlay VPN the customer routing protocol is not extended to the service provider. The only routing protocol running between the customer and the service provider is the one needed to implement the underlying service provider connectivity
i) In overlay VPN implementations, the CE-routers peer directly
j) There are three IP-based overlay VPN technologies: Generic Routing Encapsulation (GRE), IP Security (IPSec), and PPP forwarding (L2F, L2TP, PPTP).
k) Peer-to-peer VPNs guarantee optimum routing between customer sites without the need for a full mesh of virtual circuits
l) Peer-to-peer VPNs can be implemented with IP packet filters on shared PE-routers or with split routing on dedicated per-customer PE-routers
m) Customers cannot use private IP addresses in traditional peer-to-peer VPN implementations
3) Major VPN Topologies
1) There are three major categorizations of VPNs:
a. Topology categorization, which classifies VPNs based on the topology of the point-to-point connections in an overlay VPN implementation
b. Business categorization, which classifies VPNs into intranets, extranets, and niche solutions like VPDN
c. Connectivity categorization, which classifies VPNs based on their connectivity needs
2) The topology categorization ranges VPNs from full mesh, where there is a direct virtual circuit between any two sites, to partial mesh, which is built based on a number of constraints, and finally hub-and-spoke, where the central site acts as a transit point between all spoke sites. Real-life large networks are usually implemented with a combination of these topologies.
3) The connectivity categorization divides VPNs into simple VPNs (any-to-any connectivity), overlapping VPNs, where a single site has limited connectivity, and network management VPNs, which are really only a special case of central services VPNs.
4) The major overlay VPN topologies are hub-and-spoke, partial mesh and full mesh.
5) Connectivity costs usually dictate the use of a partial mesh.
6) In a simple VPN every customer site can exchange traffic with every other customer site. In a central services VPN, the client sites can only exchange traffic with the server sites.
7) Clients can only talk to the server sites.
4) MPLS VPN Architecture
a) The MPLS VPN architecture combines the benefits of the peer-to-peer VPN paradigm with the benefits of the overlay VPN paradigm while avoiding most of the drawbacks of both:
1. Like peer-to-peer VPNs, MPLS VPN is easier to provision and provides automatic optimum routing between customer sites
2. Like overlay VPNs, MPLS VPN allows overlapping customer address spaces through the use of ROUTE DISTINGUISHERS, 64-bit quantities that make overlapping customer addresses globally unique when prepended to them.
b) Another building block of the MPLS VPN architecture, ROUTE TARGETS, allows you to build complex VPN topologies that far surpass anything that can be built with peer-to-peer VPNs.
c) MPLS VPN supports overlapping customer address spaces by using independent per-VPN routing tables.
d) Multiprotocol BGP is used to exchange customer routes across the P-network
e) The route distinguisher is a 64-bit prefix prepended to the customer IPv4 address to make it globally unique.
f) The RD cannot be used as a VPN identifier, since it cannot support complex VPN topologies where a single site belongs to multiple VPNs.
g) Route targets were introduced in the MPLS VPN architecture to support complex VPN topologies.
h) A route target is a 64-bit value attached to a BGP route as an extended BGP community.
i) Every customer route exported from a VRF is tagged with the appropriate export route targets. VPN routes received by a PE-router are matched against the import route targets configured in each VRF.
j) Complex VPN topologies might require more than one VRF per VPN.
j) Complex VPN topologies might require more than one VRF per VPN.
5) MPLS VPN Routing Model
a) The MPLS VPN routing model differs widely depending on the perspective you take:
b) The CE-routers do not see any difference between a private network and a network built with MPLS VPN technology
c) The customer network designer perceives the MPLS VPN backbone as the BGP backbone of the enterprise network
d) The P-routers do not see customers in their routing; they only propagate the subnets of the MPLS backbone
e) The PE-router, however, runs a variety of routing protocols with VPN customers, propagates customer routes via MP-BGP updates to other PE-routers and at the same time participates in the core IGP and in Internet routing.
f) These differences in perspective satisfy the routing requirements of an MPLS VPN solution:
g) The CE-router shall run standard IP software and shall not be MPLS VPN aware
h) The P-router shall not be MPLS VPN aware and shall not carry customer routes
i) The PE-router shall support core IGP and internet routing together with the MPLS VPN service
j) The CE-routers are not MPLS VPN aware
k) The customer perceives the MPLS VPN backbone as a BGP backbone within its own network
l) A PE-router has a global routing table and several virtual routing tables.
m) The P-router only has the global routing table.
n) The global routing table in the PE-router is filled with information from the backbone IGP and the global BGP process.
o) The VRF table is filled with information from VRF routing protocols running between the PE-routers and the CE-routers and with the information received by the PE-routers through MP-BGP.
p) Internet routing is still supported in the global IP routing table.
q) PE-routers exchange VPN routing information with MP-BGP
r) The attributes that are always present in an MP-BGP update:
1. A VPNv4 prefix
2. Route targets
3. An MPLS label and all mandatory BGP attributes (AS-path, origin, BGP next hop)
s) Any other discretionary or optional BGP attribute can be present in an MP-BGP update
t) Route targets control the import of VPNv4 routes into VRFs
u) Site-of-origin controls the distribution of VPN routes toward CE routers
6) MPLS VPN Packet Forwarding
a) Customer VPN packets are forwarded across MPLS VPN backbone encapsulated in an MPLS label stack composed of two labels:
b) The top label in the stack is the LDP-assigned label toward the egress PE-router
c) The second label in the stack is the VPN label assigned by the egress PE-router and propagated to the other PE-routers in the MP-BGP update together with the VPNv4 route
d) Successful forwarding of a customer data packet across the MPLS VPN backbone can only happen if the label switched path between the ingress and egress PE-routers is unbroken and if the router specified as the BGP next hop is the one that assigned the VPN label. There are a number of scenarios that can cause MPLS VPN connectivity to break:
e) BGP next hop is the IP address of the CE-router – fix by specifying next-hop-self on the PE-router
f) BGP next hop is changed inside the autonomous system – fix by removing next-hop-self on the BGP confederation boundary or by removing set next-hop from inbound route-maps
g) BGP next hop is changed when the MP-BGP update crosses an autonomous system boundary – this is default BGP behavior that cannot be changed; use an IOS release that supports inter-AS MPLS VPN
h) Label switched path broken between the PE-routers, for example due to route summarization in the MPLS core.
i) The VPN packets are propagated across the MPLS VPN backbone as labeled packets with two labels in the MPLS label stack.
j) The P-routers only perform label lookups and never see the VPN packets
9) VPN labels are attached to the VPNv4 routes in MP-BGP updates
10) The egress PE-router assigns the VPN label
11) All other PE-routers use the VPN label assigned by the egress PE-router as the second label in the MPLS label stack.
12) MPLS VPN connectivity is broken if the BGP next hop changes unless the MPLS VPN label is re-originated
13) Routers propagating MP-BGP updates across an AS boundary have to re-originate the MPLS VPN labels
14) MPLS VPN connectivity is broken if the BGP next hops are summarized in the network core.
1) Overlay VPN Implementations:
a) Layer 1: traditional TDM, ISDN, SDH, etc. The service provider only sells the pipes
b) Layer 2: the service provider is in charge of layer 2 and the customer is responsible for the higher layers, e.g. X.25, Frame Relay and ATM.
c) Layer 3: the service provider implements tunnels via GRE and IPSec
d) Layer 2 forwarding, where PPP forwarding is implemented with:
1. Layer 2 Forwarding (L2F)
2. Layer 2 Transport Protocol (L2TP)
3. Point to point Tunneling Protocol (PPTP)
2) Overlay Benefits and Drawbacks
a) Easy implementation
b) Service Provider does not participate in the customer routing
c) The networks are isolated
d) Optimum routing requires a full mesh
e) Virtual circuits have to be configured manually
f) Bandwidth must be configured on a site-to-site basis
g) There is always encapsulation overhead
3) Peer to Peer concepts
a) Routing information is exchanged between the customer and the service provider
b) Shared PE router (low performance because of the ACLs; the SP has to manage all the customer IP addresses as well)
c) Dedicated PE router (every customer needs a dedicated router in each POP)
4) Peer to peer Benefits and Drawbacks
a) Guarantees optimum routing between customer sites
b) Easier provisioning of an additional VPN site
c) Only the sites are provisioned, not the links between them.
d) The service provider participates in the customer routing
e) The SP becomes responsible for the convergence of the network
f) PE routers carry all routes from all customers
g) SP needs detailed IP routing knowledge
5) Major VPN Topologies
a) HUB and Spoke
b) Partial Mesh
c) Full Mesh
d) Multi-level
6) VPN Business Categorization
a) Intranet VPN
b) Extranet VPN
c) Access VPN
7) VPN Connectivity Categorization
a) Simple VPN
b) Overlapping VPN
c) Central Services VPN
d) Managed Network
8) MPLS VPN Architecture combines the best features of Overlay and Peer to Peer
a) PE routers participate in customer routing, guaranteeing optimum routing between sites and easy provisioning
b) PE routers carry a separate set of routes for each customer
c) Customers can use overlapping addresses
9) Routing Information Propagation Across P-Network
a) Run a single routing protocol that carries all customer routes between PE routers, and use MPLS labels to exchange packets between PE routers. Because P-routers do not carry customer routes, the solution is scalable.
b) BGP is used to exchange customer routes directly between PE routers
c) Customer addresses are extended with a 64-bit prefix (Route Distinguisher, RD) to make them unique. The resulting unique 96-bit addresses are exchanged between PE routers; such a 96-bit address is called a VPNv4 address. VPNv4 addresses are only exchanged via BGP between PE routers.
d) The RD has no special meaning; it is only used to make potentially overlapping IPv4 addresses globally unique.
e) Simple VPN topologies require only one RD per customer, but this design cannot support all topologies required by customers.
f) ROUTE TARGETS: some sites have to participate in more than one VPN, and the Route Distinguisher cannot identify participation in a VPN. Route Targets were introduced in the MPLS architecture to support complex VPN topologies.
g) Extended BGP communities (64 bits) are used to encode the Route Target attribute. ANY NUMBER of ROUTE Targets can be attached to a single route.
h) Impact of Complex VPN Topologies on Virtual Routing Tables.
1. A virtual routing table in a PE router can only be used for sites with identical connectivity requirements
2. Complex VPNs require more than one virtual routing table per VPN
3. Each virtual routing table requires a distinct RD value, so the number of RDs in the network increases.
i) MPLS VPN BENEFITS
1. Easy provisioning
2. Optimal routing
3. Route Distinguishers enable overlapping IP addresses
4. Route Targets enable the other VPN topologies
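The RD, VPNv4 and Route Target mechanics of this section and of section 4) MPLS VPN Architecture above, worked through in Python as an added example (not from the original notes): it builds the 64-bit type-0 RD and the 64-bit Route Target extended community with struct, prepends the RD to an IPv4 prefix to form the 96-bit VPNv4 prefix, and shows two customer VRFs with the same 10.1.0.0/24 coexisting while a central-services VRF imports both. AS 65000, the VRF names and the prefixes are constructed sample values.

```python
"""Added example, not part of the original notes: Route Distinguishers, VPNv4
prefixes and Route Target import/export modelled in Python.  AS 65000, the VRF
names and the 10.1.0.0/24 prefix are constructed sample values."""
import struct
from dataclasses import dataclass, field
from ipaddress import IPv4Network


def encode_rd(asn: int, number: int) -> bytes:
    """Type-0 Route Distinguisher: 2-byte type (0), 2-byte AS, 4-byte assigned number."""
    return struct.pack("!HHI", 0, asn, number)


def encode_rt(asn: int, number: int) -> bytes:
    """Route Target extended community: type 0x00 (2-octet AS specific), subtype
    0x02 (route target), then 2-byte AS and 4-byte local value, i.e. 16 bits of
    type/subtype plus 48 bits of value."""
    return struct.pack("!BBHI", 0x00, 0x02, asn, number)


def community_str(ext: bytes) -> str:
    """Render an RD or RT in the familiar ASN:nn form."""
    asn, number = struct.unpack("!HI", ext[2:])
    return f"{asn}:{number}"


def vpnv4(rd: bytes, prefix: str) -> tuple:
    """96-bit VPNv4 prefix: the RD prepended to the IPv4 network address,
    returned with the prefix length that MP-BGP carries alongside it."""
    net = IPv4Network(prefix)
    return rd + net.network_address.packed, net.prefixlen


@dataclass
class VRF:
    name: str
    rd: bytes
    export_rts: set
    import_rts: set
    table: dict = field(default_factory=dict)   # prefix -> name of the exporting VRF


def export_route(vrf: VRF, prefix: str) -> dict:
    """The MP-BGP update a PE builds for a customer route learned in this VRF."""
    key, plen = vpnv4(vrf.rd, prefix)
    return {"vpnv4": key, "plen": plen, "prefix": prefix,
            "rts": set(vrf.export_rts), "origin_vrf": vrf.name}


def import_update(update: dict, vrfs: list) -> list:
    """On the receiving PE a VRF installs the route when at least one of its
    import RTs appears among the update's RTs.  Returns the VRFs that did."""
    installed = []
    for vrf in vrfs:
        if vrf.import_rts & update["rts"]:
            vrf.table[update["prefix"]] = update["origin_vrf"]
            installed.append(vrf.name)
    return installed


def build_demo() -> tuple:
    """Two customers with the same 10.1.0.0/24 plus a central-services VRF that
    must reach both while A and B never see each other's routes."""
    asn = 65000
    rt_a, rt_b, rt_hub = encode_rt(asn, 1), encode_rt(asn, 2), encode_rt(asn, 100)
    pe1 = [VRF("CustA", encode_rd(asn, 1), {rt_a}, {rt_a, rt_hub}),
           VRF("CustB", encode_rd(asn, 2), {rt_b}, {rt_b, rt_hub})]
    pe2 = [VRF("CustA", encode_rd(asn, 1), {rt_a}, {rt_a, rt_hub}),
           VRF("CustB", encode_rd(asn, 2), {rt_b}, {rt_b, rt_hub}),
           VRF("Central", encode_rd(asn, 100), {rt_hub}, {rt_a, rt_b})]
    updates = [export_route(v, "10.1.0.0/24") for v in pe1]
    placement = {u["origin_vrf"]: import_update(u, pe2) for u in updates}
    return updates, placement


if __name__ == "__main__":
    updates, placement = build_demo()
    for u in updates:
        print(community_str(u["vpnv4"][:8]), u["prefix"], "->", placement[u["origin_vrf"]])
```

The two 10.1.0.0/24 routes become distinct 12-byte VPNv4 keys only because their RDs differ, which is the point of item d): the RD carries no policy. Which VRF receives each route is decided purely by the RT match in import_update, so the central-services VRF can import both customers while neither customer VRF imports the other.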
10) MPLS VPN Routing Model
a) The routing protocols supported between the PE and the CE are EBGP, RIPv2, OSPF and static routes
b) Customer perspective
1. The PE router appears as a core router connected via a BGP backbone
2. The usual BGP/IGP design rules apply
3. P-routers are hidden from the customer
c) P router perspective
1. P routers do not participate in MPLS VPN routing
2. P routers run the IGP with the PE-routers and exchange information about global subnets
d) PE router perspective
1. Exchange VPN routes with CE routers
2. Exchange core routes with P and PE routers via IGP
3. Exchange the VPNv4 routes with other PE router via MP-BGP sessions
e) Support for Internet Routing
1. PE router can run standard IPv4 BGP in the Global Routing Table
2. Exchanged only with other PE routers
3. CE and P do not participate in Internet Routing
f) Routing tables on PE routers
1. Global routing table – core IGP routes and Internet routes learned via IPv4 BGP
2. Virtual Routing and Forwarding (VRF) tables – routes from the CE routers and MP-BGP information from other PE routers
g) MP-BGP update contains:
1. VPNv4 address
2. Extended BGP communities (route target, SOO, ...), each 64 bits long: 16 bits of type (Route Target, Site of Origin, OSPF route type) plus 48 bits of value
3. The label used for VPN packet forwarding
4. Any other BGP attributes (MED, AS-path, etc.); the mandatory attributes are always present
11) MPLS VPN Packet Forwarding
a) P routers perform label switching until the packet reaches the egress PE-router.
b) The egress PE router performs a lookup on the VPN label and forwards the packet toward the CE router
c) Forwarding with Penultimate Hop Popping
1. PHP of the LDP label can be performed on the last P router
2. The egress PE router then performs only a label lookup on the VPN label, resulting in a faster and simpler lookup
3. An IP lookup is performed only once, in the ingress PE router
4. The ingress PE gets the second label of the stack from the egress PE router via MP-BGP VPNv4 routing updates.
d) Impacts of MPLS VPN label Propagation
1. BGP next hop should not be changed in MP-BGP update propagation
2. PE router has to be BGP next hop
3. The label has to be re-originated if the next hop is changed: a new label is assigned every time the MP-BGP update crosses an AS boundary where the next hop is changed
4. Configure next-hop-self on the MP-BGP sessions between PE-routers to make sure that the BGP next hop is always the other PE rather than the CE when the CE runs BGP.
e) Impacts of MPLS VPN Packet Forwarding
1. VPN label is only understood by the egress PE-router
2. End to end LSP is required between ingress and egress PE-router
3. BGP next hops shall not be announced as BGP routes
4. BGP next hops announced in the IGP shall not be summarized in the core network, because summarization breaks the LSP
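The two-label forwarding path, penultimate hop popping and the summarization failure mode described in sections 6) and 11), simulated in Python as an added example (not from the original notes): the ingress PE does the VRF lookup (yielding the VPN label) and the global lookup of the BGP next hop (yielding the LDP label), the P routers swap and pop, and when the egress PE loopback is hidden behind an aggregate the exposed VPN label reaches a P router that never learned it and is dropped. Router names, labels and addresses are constructed values.

```python
"""Added example, not part of the original notes: MPLS VPN packet forwarding
with a two-label stack, PHP, and the broken-LSP case caused by summarizing the
egress PE loopback.  Router names, labels and addresses are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class PRouter:
    name: str
    lfib: dict                 # in_label -> (action, out_label, next_hop)


@dataclass
class EgressPE:
    name: str
    vpn_labels: dict           # vpn_label -> (vrf_name, ce_router)


@dataclass
class IngressPE:
    name: str
    fib: dict                  # global FIB: network -> (ldp_label, next_hop)
    vrf_routes: dict           # (vrf_name, network) -> (bgp_next_hop, vpn_label)


def longest_match(table: dict, addr, key=lambda k: k):
    """Longest-prefix match over a dict whose keys contain a network string."""
    hits = [k for k in table if addr in ip_network(key(k))]
    return max(hits, key=lambda k: ip_network(key(k)).prefixlen) if hits else None


def ingress_lookup(pe: IngressPE, vrf: str, dst_ip: str) -> tuple:
    """Ingress PE: the VRF lookup yields BGP next hop + VPN label (bottom label);
    the global FIB lookup of that next hop yields the LDP label (top label)."""
    ip = ip_address(dst_ip)
    vrf_table = {k: v for k, v in pe.vrf_routes.items() if k[0] == vrf}
    rkey = longest_match(vrf_table, ip, key=lambda k: k[1])
    if rkey is None:
        return None, None, f"no route for {dst_ip} in VRF {vrf}"
    bgp_next_hop, vpn_label = vrf_table[rkey]
    fkey = longest_match(pe.fib, ip_address(bgp_next_hop))
    if fkey is None:
        return None, None, f"no global route to BGP next hop {bgp_next_hop}"
    ldp_label, first_hop = pe.fib[fkey]
    return [ldp_label, vpn_label], first_hop, "ok"


def forward(topology: dict, node: str, stack: list) -> tuple:
    """Label-switch the packet hop by hop.  Returns (outcome, path)."""
    path = [node]
    while True:
        dev = topology[node]
        if isinstance(dev, EgressPE):
            # After PHP only the VPN label is left; it selects the VRF and the CE.
            if len(stack) == 1 and stack[0] in dev.vpn_labels:
                vrf, ce = dev.vpn_labels[stack[0]]
                return f"delivered to {ce} via VRF {vrf}", path
            return f"dropped at {node}: unexpected stack {stack}", path
        if not stack or stack[0] not in dev.lfib:
            # A P router never learns VPN labels: a VPN label exposed to it is dropped.
            return f"dropped at {node}: label {stack[:1]} not in LFIB", path
        action, out_label, next_hop = dev.lfib[stack[0]]
        if action == "swap":
            stack[0] = out_label
        elif action == "pop":            # PHP: expose the VPN label to the egress PE
            stack.pop(0)
        elif action == "aggregate":      # summarizing router: pop, then look up again locally
            stack.pop(0)
            continue
        node = next_hop
        path.append(node)


def build(summarized: bool) -> tuple:
    """PE1 -> P1 -> P2 -> PE2.  PE2's loopback is 10.0.0.2; with summarized=True
    P1 advertises 10.0.0.0/24 instead of the /32, which breaks the LSP."""
    pe2 = EgressPE("PE2", {1001: ("CustA", "CE-A2")})
    p2 = PRouter("P2", {22: ("pop", None, "PE2")})
    vrf_routes = {("CustA", "192.168.2.0/24"): ("10.0.0.2", 1001)}
    if summarized:
        p1 = PRouter("P1", {30: ("aggregate", None, None)})
        pe1 = IngressPE("PE1", {"10.0.0.0/24": (30, "P1")}, vrf_routes)
    else:
        p1 = PRouter("P1", {17: ("swap", 22, "P2")})
        pe1 = IngressPE("PE1", {"10.0.0.2/32": (17, "P1")}, vrf_routes)
    return pe1, {"P1": p1, "P2": p2, "PE2": pe2}


def run(summarized: bool) -> tuple:
    pe1, topo = build(summarized)
    stack, first_hop, status = ingress_lookup(pe1, "CustA", "192.168.2.10")
    if stack is None:
        return status, []
    return forward(topo, first_hop, stack)


if __name__ == "__main__":
    print(run(False))   # delivered to CE-A2 via VRF CustA, path P1 -> P2 -> PE2
    print(run(True))    # dropped at P1: the VPN label means nothing to a P router
```

The working run shows the IP lookup happening only once, at PE1; afterwards every device acts on the top label alone. In the summarized run the aggregate label ends the LSP at P1, and what P1 then sees on top of the stack is the VPN label that only PE2 understands, which is why item e) 4 insists the next hops must stay as specific /32 routes in the core.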
MPLS VPN Configuration in Cisco IOS
1) MPLS VPN Configuration in Cisco IOS
a) An MPLS VPN enabled network separates the layer 3 routing task by splitting a single physical router into a number of virtual routers. A router's basic function is switching packets between interfaces. Virtual Routing and Forwarding (VRF) is used to create a virtual router that contains its own routing table, CEF cache and interfaces.
b) To optimize performance, a single BGP process or RIP process is used for all VRFs; a Route Distinguisher is used to distinguish between IPv4 networks belonging to different VPNs. A separate OSPF process is, however, needed for every VRF configured.
c) To send information from one CE router to another, an update is sent using one of the supported routing protocols. The update is received by the PE router, which redistributes the information into BGP. The information is translated into MP-BGP format where, upon export, a Route Target is added. It is then sent to the other PE routers, where it is imported into the VRFs that use the same Route Target, and from there those PE routers send it on to their CE routers.
d) VRFs are associated with a routing table and a FIB table.
e) There is no limit on the number of interfaces associated with one VRF.
f) Only one VRF can be associated with an interface.
g) Routing protocol contexts are how separate, isolated copies of the VPN routing protocols are created.
h) A separate instance of a single RIP process is used for each VPN when using routing protocol contexts.
i) A separate OSPF process is used for each VPN when using routing protocol contexts.
j) A RIP route is propagated into MP-BGP by being redistributed into the appropriate address family in BGP and exported.
k) When an MP-BGP route is inserted into a VRF, it is redistributed into the appropriate address family in RIP.
2) Configuring Virtual Routing and Forwarding
a) To create a virtual router, or VRF, use the ip vrf global command, where the VRF is identified by a case-sensitive name.
b) Within VRF configuration mode use the rd command to set the Route Distinguisher; this is required for the VRF to become operational.
c) If sites belonging to the same VPN are connected to different PE routers, you have to specify at least one Route Target extended community for import and export. Use the route-target import, route-target export or route-target both commands to set the Route Target extended communities for import and export.
d) The last step in the configuration is specifying the interfaces that belong to the virtual router. Use the ip vrf forwarding interface command to assign an interface to a VRF.
e) When you associate a VRF with an existing interface, the configured IP address of the interface is removed.
f) Any number of Route Targets can be configured on a VRF
3) Configuring a Multi-Protocol BGP Session Between the PE Routers
a) MP-BGP is used to propagate VPN-specific information between PE routers. Standard BGP version 4 can also be used with CE routers. Address families are used to tell the BGP process which routing table to use to find neighbors and where to put the received updates. There is a separate address family for each VRF and one address family for VPNv4 updates.
b) Other PE routers are configured as standard BGP neighbors in the global part of the BGP configuration and have to be activated in the vpnv4 address family.
c) Extended communities are propagated by default while standard communities are not. Use the neighbor ip-address send-community command to change the default.
d) You should use the neighbor ip-address next-hop-self command to make sure the PE loopbacks are used as the next hop addresses.
e) The BGP address family is the routing protocol context.
f) You must configure one BGP address family for all MP-IBGP sessions and one for each VRF.
g) The mandatory command that you have to configure on an MP-BGP neighbor is neighbor ip-address activate
h) No additional parameters need to be configured to support MP-EBGP neighbors.
i) The command to enable standard community propagation on a VPNv4 MP-BGP session is neighbor ip-address send-community standard.
j) If you disable the propagation of IPv4 routing updates between MP-BGP neighbors, you avoid the unnecessary memory, bandwidth and CPU consumption caused by sending all the Internet routes to PE routers that do not use them; IPv4 route propagation can be selectively disabled.
k) The command to disable the propagation of IPv4 routing updates between MP-BGP neighbors is no bgp default ipv4-unicast in BGP router configuration mode.
4) Configuring routing protocol between PE and CE routers
a) There is a limited range of routing protocols that can be used between PE and CE routers: static routes, RIP version 2, external BGP and OSPF.
b) RIP and BGP are fully VPN-aware routing protocols whose configuration is split into address families representing the VRFs. OSPF, on the other hand, is not fully VPN aware and therefore has to be enabled per VRF.
c) All VRF-specific routing information, except BGP, has to be redistributed into BGP.
d) To configure a routing context in RIP, use the address-family ipv4 vrf vrf-name command in RIP configuration mode.
e) To configure a routing context in OSPF, start the OSPF process with the router ospf pid vrf vrf-name command.
f) An MPLS VPN PE router can support up to 28 VPN OSPF processes simultaneously.
g) To configure a CE EBGP neighbor, configure it in the IPv4 address family of the customer VRF.
h) To propagate static VRF routes between PE routers, redistribute the static routes into BGP.
i) The RIP hop count is automatically copied into the BGP MED attribute, propagating the RIP metric across the MPLS VPN backbone.
5) Monitoring MPLS VPN
a) A number of monitoring commands are available to support the management and troubleshooting of MPLS VPN networks.
b) Use the command show ip route vrf vrf_name to verify the content of a VRF routing table.
c) Use the command show ip cef vrf vrf_name ip_prefix to display an individual entry in a VRF CEF table.
d) VPN routes are always imported and exported using BGP.
e) Use the command show ip cef vrf vrf_name ip_address detail to inspect the label stack associated with a remote MPLS VPN route.
f) Use the command show ip bgp neighbor to verify the VPNv4 information exchange with MP-BGP neighbors.
g) Use the command show ip bgp vpnv4 rd route-distinguisher to display all routes with a specified route distinguisher.
h) Use the command show tag-switching forwarding vrf vrf-name to display all labels associated with a VRF.
6) Troubleshooting MPLS VPN
a) To verify proper operation of the MPLS VPN network, first perform internal connectivity tests within the core network by pinging between the loopbacks of the PE routers, and make sure that the ICMP packets were label-switched. In the second step, verify the propagation of the customer networks through MP-BGP and the installation of the VPN labels into the forwarding table. Pinging between the CE routers should confirm that the VPN is functional.
b) Preliminary steps to troubleshooting the MPLS VPN:
1. Verify that CEF is enabled
2. Verify that there are labels for the BGP next hop addresses
3. Verify that there is no MTU issue in the path
c) Verify the routing information exchange between PE routers using the show ip bgp vpnv4 command
d) To verify the redistribution of VPNv4 routes into the PE-CE routing protocol, check the routing table of that routing protocol.
e) Use traceroute from PE router to PE router and verify that each hop is tag-switched.
f) To verify that the CE routes are redistributed into MP-BGP with the proper route targets, use the command show ip bgp vpnv4 vrf vrf_name ip_prefix to display all assigned route targets.
g) To check for potential MTU size issues on the path, use ping within the VRF from PE to PE with the packet size set to the smallest MTU along the path and the DF bit set.
7) Advanced VRF Import/Export Features
a) Route maps can be used to filter the routes to be imported and exported. Route maps used to import routes can match on standard and extended BGP parameters; route maps used to export routes can match on standard BGP parameters.
b) To prevent the CE routers from flooding the PE routers with an excessive number of routes, a limit can be set on the number of updates accepted from BGP neighbors.
c) A limit can also be set on the number of routing entries in a VRF.
d) Selective VRF import is needed to import only a subset of the routes that would otherwise be imported.
e) The import route map is used in combination with the route-target test to decide whether or not to import a route.
f) Selective VRF export is needed to assign a route target to only a subset of the routes.
g) The export route map is used in combination with an export route-target assignment.
h) Only the route-target attribute can be set by an export route map.
i) You need the VRF route limit to protect the PE-router from running out of memory due to misconfiguration in the customer network.
j) IOS offers two VRF route-limiting mechanisms.
k) You need the BGP maximum-prefix parameter to protect the PE-router from being overwhelmed with BGP routes from a misconfigured customer network.
8) Advanced PE-CE BGP Configuration
a) External BGP can be used with CE routers to exchange routing information.
b) If the CE sites are all using the same AS number, the information coming from one site is regarded as a routing loop on the other sites. AS-Override feature should be enabled on all neighborships with CE routers to overcome this problem.
c) If there is a multihomed site that needs to be able to re-announce the information back into the core (Hub-Spoke Design), the PE routers will regard this as a routing loop. Allowas-in feature should be used to overcome this problem. This may, however, cause routing loops and an additional extended community Site Of Origin can be used to prevent them.
d) The AS-override is needed to overcome the standard BGP loop prevention when the customer is using the same AS number at several sites.
e) The AS-override feature works on the PE router, replacing leading occurrences of the customer AS number in the AS-path with the service provider AS number before sending the routes to the CE router.
f) Allowas-in is needed when a customer site is connected to two different VPNs and forwards routes between them.
g) AS-override operates on outgoing routes and hence would have to be applied on the CE router.
h) The Site of Origin (SOO) is an extended BGP community attribute which can be used to tag routes received from a particular site and filter them out before sending them back to the same site, preventing BGP loops when using AS-Override.
i) To prevent BGP loops when using Allowas-in: when the local AS number occurs in the AS path more times than a defined maximum, the routes are dropped.
9) Routing Context: the routing protocol running in one VRF
a) Supports BGP, OSPF, RIP2 and static routes
b) Implemented as several instances of a single routing process (BGP, RIP2) or as several routing processes (OSPF)
10) VRF Configuration
a) ip vrf name. The VRF is only operational once the RD is configured
b) rd asn:xx or ip:xx – each VRF in the PE has to have a unique RD
c) route-target {import | export | both} RT
d) Route-target-ext-community ?
e) ip vrf forwarding vrf_name (interface level)
11) MP-BGP Configuration
a) Global BGP routes are exchanged as in a traditional BGP setup
b) VPNv4 prefixes are exchanged through MP-BGP
c) VPN routes are exchanged with CE routers through per-VRF EBGP
d) Address families are used to configure the three items above in the same BGP process.
e) COMMANDS:
1. router bgp as-number
2. address-family ipv4 vrf vrf_name (configure the PE-CE EBGP)
3. address-family vpnv4 (configure the VPNv4 exchange under the MP-BGP sessions)
f) Configuration of the NEIGHBORS
1. Under address-family vpnv4, next-hop-self has to be configured on the MP-BGP session for a proper MPLS VPN configuration if you are running EBGP with the CE. It disables next-hop processing of BGP updates, so the router does not select the CE as the next hop.
g) By default, the router ignores VPNv4 routes that do not match any configured import route-target (bgp default route-target filter).
h) no bgp default ipv4-unicast disables the exchange of IPv4 routes; the IPv4 address family then has to be manually activated for each global BGP neighbor
12) Configuring Routing Protocols between PE and CE
a) The number of routing processes is limited to 32 in the PE router. For proper operation of BGP and the backbone IGP, the number of PE-CE routing processes is limited to 28.
b) Configuring RIP
1. router rip (MP-BGP to RIP)
2. address-family ipv4 vrf vrf_name
3. redistribute bgp as-number metric transparent (the BGP MED is copied into the RIP hop count, resulting in a consistent end-to-end RIP count)
4. router bgp 3 (RIP to MP-BGP)
5. address-family ipv4 vrf vrf_name
6. redistribute rip
c) Configuring OSPF
1. A separate OSPF routing process is configured for each VRF running OSPF
2. OSPF route attributes are attached as extended BGP communities to OSPF routes redistributed into MP-BGP
3. Routes redistributed from MP-BGP into OSPF get the proper OSPF attributes (no additional configuration is needed)
4. COMMAND: router ospf 3 vrf vrf_name
5. network 0.0.0.0 255.255.255.255 area 0
6. redistribute bgp 12 subnets
7. router bgp 12
8. address-family ipv4 vrf vrf_name
9. redistribute ospf 3
d) Configuring Static Routes
1. ip route vrf vrf_name <static route parameters>
2. ip route vrf vrf_name 10.0.0.0 255.0.0.0 10.250.0.2 serial 0/0 global
3. router bgp 12
4. address-family ipv4 vrf vrf_name
5. redistribute static
e) Monitoring VRFs
1. show ip vrf (display the list of all VRFs configured on the router)
2. show ip vrf detail (display the detailed VRF configuration)
3. show ip vrf interfaces (display the interfaces associated with VRFs)
4. show ip protocols vrf vrf_name (display the routing protocols configured in a VRF)
5. show ip route vrf vrf_name (display the VRF routing table)
6. show ip bgp vpnv4 vrf vrf_name (display the BGP parameters, neighbors, etc. per VRF). The output includes the remote AS, the remote router ID and the local router ID / IP address.
7. show ip bgp neighbor (display the global BGP neighbors and the protocols negotiated with them). The output includes the remote AS, the remote router ID, the local IP host and the local port.
8. show ip bgp vpnv4 all (display the whole VPNv4 table)
9. show ip bgp vpnv4 rd 100:10 (display only the BGP parameters associated with the specified RD).
10. show ip cef vrf vrf_name (display CEF per VRF)
11. show ip cef vrf vrf_name prefix detail (display the details of an individual CEF entry, including the label stack)
12. show tag-switching forwarding vrf vrf_name (display the labels allocated by MPLS/VPN for routes in a specific VRF)
f) Advanced VRF features
1. Selective import
- ip vrf vpna
- rd 115:10
- import map RTMAP
- route-target both 115:10
- access-list 10 permit 192.168.30.0 0.0.0.255
- route-map RTMAP permit 10
- match ip address 10
2. Selective export
- ip vrf vpna
- rd 115:10
- export map RTMAP
- route-target both 115:10
- access-list 10 permit 192.168.30.0 0.0.0.255
- route-map RTMAP permit 10
- match ip address 10
- set extcommunity rt 115:20 additive (adds the extended community to the already existing extended communities)
3. The VRF limit is useful to:
- Prevent memory exhaustion on the PE router
- Limit the effect of denial-of-service attacks.
Obs: If the routes exceed the route limit, either a SYSLOG message is generated or new routes are not inserted in the table
4. BGP maximum-prefix limits the number of routes that an individual BGP peer can send.
5. Both the VRF limit and BGP maximum-prefix limit the effect of configuration errors as well as malicious user behaviour, and consequently resource consumption at the PE.
g) Advanced PE-CE BGP Configuration
1. AS-Override allows discontiguous customer sites that use the same AS number to be linked; the BGP loop prevention would otherwise block the link between discontiguous ASs.
2. Under address-family ipv4, configure neighbor ip-address as-override
3. Allowas-in disables the AS_PATH check on the PE router. The limit has to be configured, and the PE router will only reject the update if its AS number appears in the AS_PATH more than the configured limit.
4. Under router configuration, configure neighbor ip-address allowas-in limit
5. Site of Origin can be used to prevent loops in the multihomed-site scenario, because AS-Override and Allowas-in bypass the loop prevention. Site of Origin cannot prevent loops in topologies that only have stub sites.
6. SOO applied to inbound EBGP updates
- Under global config:
a. route-map name permit seq
b. match conditions
c. set extcommunity soo value
- Under address-family:
a. neighbor ip-address route-map name in
7. SOO applied to inbound routing updates
- Under global config:
a. route-map name permit seq
b. match conditions
c. set extcommunity soo value
- Under the interface:
a. ip vrf sitemap route-map-name
8. SOO applied to outbound EBGP updates
- Under global config:
a. ip extcommunity-list number permit soo value
b. route-map name deny seq
c. match extcommunity number
d. route-map name permit 9999
- Under address-family:
a. neighbor ip-address route-map name out
MPLS VPN OSPF Inside
13) Using OSPF as the PE-CE Protocol in an MPLS VPN environment
a) The superbackbone is needed to ensure that the internal OSPF routes are not inserted as external OSPF routes into other customer sites.
b) The superbackbone appears as just another OSPF area to the routers in the OSPF backbone (area 0)
c) The superbackbone appears as area 0 to non-backbone OSPF routers
d) OSPF area, route type and metric type are propagated in an extended BGP community. OSPF cost or external metric is propagated in the BGP MED attribute.
e) The down bit prevents redistribution loops between MP-BGP and OSPF. It also ensures proper route selection in the PE routers.
f) OSPF routes with the down bit set are never entered in the routing table. This ensures that the MP-IBGP routes from which the OSPF routes were derived will be used for packet forwarding, even though the IBGP routes have a higher administrative distance than the OSPF routes.
g) OSPF-BGP redistribution issue: whenever a route is redistributed into OSPF from another routing protocol, it is redistributed as an external OSPF route. OSPF routes received by one PE router would be propagated across the MPLS backbone and redistributed as external OSPF routes (type 5 LSAs).
h) Result: the route types are not preserved, and OSPF route summarization is hard to implement.
i) There are a number of caveats associated with external routes:
1. External routes cannot be summarized
2. External routes are flooded across all OSPF areas
3. External routes may use a different metric type that is not comparable to the OSPF cost
4. External routes are not inserted in stub or not-so-stubby (NSSA) areas
5. Internal routes are always preferred over external routes.
j) Because of these caveats, MPLS/VPN must support a transparent migration for OSPF customers.
1. OSPF area 0 might be extended into individual sites
2. MPLS VPN backbone has to become a SUPER-BACKBONE for OSPF
3. MPLS VPN Goals:
- OSPF between sites should not use normal OSPF-BGP redistribution
- OSPF continuity must be provided across MPLS VPN backbone
a. Internal routes should remain internal
b. External routes should remain external
c. OSPF Metrics should be preserved
- CE runs standard OSPF software
4. MPLS VPN Backbone Appears as backbone above area 0 = OSPF SUPERBACKBONE
5. PE routers act as OSPF Area Border Router (ABR)
- They also appear as AS Boundary Routers (ASBR) in non-stub areas.
6. The CONTINUITY of OSPF routing
- The OSPF intra-area route is inserted into the OSPF superbackbone by redistributing the OSPF route into MP-BGP. Route summarization can be performed on the redistribution boundary by the PE router.
- Since the superbackbone appears as another area behind the PE router, the MP-BGP route derived from an intra-area route is always inserted as an inter-area route, and because of that the route can be propagated into OSPF areas by ABRs within the customer site.
7. The MPLS VPN OSPF superbackbone rules:
- The superbackbone acts exactly like area 0 in regular OSPF
- PE routers are advertised as ABRs
- Routes redistributed from BGP into OSPF appear as inter-area summary routes or as external routes in other areas
- Routes from area 0 in one site appear as inter-area routes in area 0 at another site.
8. OSPF Superbackbone implementation
- Extended BGP communities are used to propagate the OSPF route type across the BGP backbone. The OSPF route type is copied into an extended BGP community.
1. The BGP community has 8 bytes: 2 bytes for the community type, 4 bytes for the OSPF area, 1 byte for the LSA type and 1 byte as OPTION (used for the external metric type)
- OSPF cost is copied into MED attribute
9. Mixing routing protocols: if RIP at one site is redistributed into MP-BGP (with no OSPF extended BGP communities attached), the route is inserted into the OSPF topology as a type 5 external route (or type 7 for NSSA areas), and the metric won’t be transported by the MED.
10. The OSPF down bit is used to prevent redistribution loops between PE and CE.
- A down bit has been introduced into the OSPF LSA header
- The PE router sets the down bit when redistributing routes from MP-BGP into OSPF
- PE routers never redistribute OSPF routes with the down bit set into MP-BGP
11. The OSPF down bit can prevent redistribution loops between MP-BGP and OSPF, but NEVER between multiple OSPF domains.
12. The OSPF tag field is used to prevent loops introduced by redistribution between multiple OSPF domains.
- The tag field in external OSPF routes is used to detect cross-domain routing loops
- PE routers set the tag field to the AS number when redistributing non-OSPF routes from MP-BGP into OSPF.
- The tag field is propagated between OSPF domains when the external OSPF routes are redistributed between OSPF domains.
- Internal OSPF routes have no tag field. The tag field can be set manually on the router redistributing routes between OSPF domains.
- PE routers never redistribute OSPF routes with a tag field equal to their BGP AS number into MP-BGP.
- Two ways to implement this limitation: the command redistribute ospf “process ID” tag “value” (the tag value has to match the AS number of the BGP backbone), or the PE router can be configured to redistribute only internal OSPF routes into MP-BGP.
13. The routing bit is used to prevent the customer sites from acting as a transit part of the MPLS VPN network
- MP-IBGP has an administrative distance of 200 and OSPF has 110; that is why the routing bit is very important.
- The PE router ignores OSPF routes with the down bit set for routing purposes, as these routes originated in the MP-BGP backbone and the MP-BGP route should be used as the optimum route toward the destination
- The rule is implemented with the routing bit in the OSPF LSA: for routes with the down bit set, the routing bit is cleared and these routes never enter the IP routing table.
14. CONFIGURATION
- Configure one OSPF process per VRF – redistribution of MP-BGP into OSPF
i. router ospf “3” vrf “name” (obs: 32 processes per router in total)
ii. redistribute bgp “3” subnets (very important: mandatory)
- Configure route redistribution from OSPF into MP-BGP
i. router bgp “3”
ii. address-family ipv4 vrf “name”
iii. redistribute ospf “3” match internal external 1 external 2 (optional; the default is all routes)
15. MONITORING
- show ip ospf (shows whether the OSPF process is attached to an MPLS VPN)
- show ip ospf database summary “IP network address” (displays the down bit in the LSA: the option shows DOWNWARD when the down bit is set and UPWARD when it is not)
- show ip bgp vpnv4 vrf “name” “IP network address” (displays the OSPF extended BGP communities)
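As an added example (not part of the original notes), a Python model of the superbackbone rules in items 8 to 13 above: the 8-byte OSPF route-type community, the down-bit and tag checks a PE applies in each redistribution direction, and the routing-bit rule. The community type value 0x0306 and the E2 option bit are taken from RFC 4577 rather than from the notes; BGP AS 3 comes from the configuration above, and all prefixes are constructed.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

OSPF_ROUTE_TYPE_COMMUNITY = 0x0306  # 2-byte type field of the OSPF Route Type community (RFC 4577)
EXTERNAL_TYPE2_OPTION = 0x01        # option byte: external metric type 2 (E2) when set
BGP_AS = 3                          # 'router bgp 3' in the configuration above
INTERNAL_LSA_TYPES = (1, 2, 3)      # intra-area (1, 2) and inter-area (3)


@dataclass
class OspfRoute:
    prefix: str
    area: int                  # 0 = backbone
    lsa_type: int              # 1/2 intra-area, 3 inter-area, 5 external, 7 NSSA external
    cost: int                  # OSPF cost, carried across the backbone in the MED
    metric_type: int = 1       # external routes only: 1 = E1, 2 = E2
    down_bit: bool = False     # set by a PE when it redistributes MP-BGP into OSPF
    tag: Optional[int] = None  # external routes only; PEs set it to the BGP AS


def encode_ospf_rt(route: OspfRoute) -> bytes:
    """Build the 8-byte community from the notes: 2 bytes type, 4 bytes area,
    1 byte LSA type, 1 byte option (external metric type)."""
    is_external = route.lsa_type in (5, 7)
    option = EXTERNAL_TYPE2_OPTION if is_external and route.metric_type == 2 else 0
    return struct.pack("!HIBB", OSPF_ROUTE_TYPE_COMMUNITY, route.area, route.lsa_type, option)


def decode_ospf_rt(blob: bytes) -> Tuple[int, int, int]:
    """Inverse of encode_ospf_rt: returns (area, lsa_type, option)."""
    ctype, area, lsa_type, option = struct.unpack("!HIBB", blob)
    if ctype != OSPF_ROUTE_TYPE_COMMUNITY:
        raise ValueError(f"not an OSPF route-type community: 0x{ctype:04x}")
    return area, lsa_type, option


def show_style(blob: bytes) -> str:
    """Render the community the way 'show ip bgp vpnv4' prints it: OSPF RT:area:type:option."""
    area, lsa_type, option = decode_ospf_rt(blob)
    dotted = ".".join(str((area >> shift) & 0xFF) for shift in (24, 16, 8, 0))
    return f"OSPF RT:{dotted}:{lsa_type}:{option}"


def ospf_to_mpbgp(route: OspfRoute, match_internal_only: bool = False):
    """PE check for 'redistribute ospf ...' into the VRF address family.
    Returns (extended community, MED) or None when a loop rule drops the route."""
    if route.down_bit:          # learned from MP-BGP via another PE: never re-export
        return None
    if route.tag == BGP_AS:     # non-OSPF route that already crossed this backbone
        return None
    if match_internal_only and route.lsa_type not in INTERNAL_LSA_TYPES:
        return None
    return encode_ospf_rt(route), route.cost


def mpbgp_to_ospf(prefix: str, extcomm: Optional[bytes], med: int) -> OspfRoute:
    """PE redistributing a VPNv4 route into the VRF's OSPF process.
    The down bit is always set. OSPF-origin routes keep their type, except that
    intra-area routes from another site appear as inter-area; routes without the
    OSPF community (e.g. RIP at the other site) become external with tag = BGP AS."""
    if extcomm is None:
        return OspfRoute(prefix, 0, 5, med, metric_type=2, down_bit=True, tag=BGP_AS)
    area, lsa_type, option = decode_ospf_rt(extcomm)
    if lsa_type in (1, 2):
        lsa_type = 3
    metric_type = 2 if option & EXTERNAL_TYPE2_OPTION else 1
    return OspfRoute(prefix, area, lsa_type, med, metric_type, down_bit=True)


def enters_routing_table(route: OspfRoute) -> bool:
    """Routing-bit rule: with the down bit set the routing bit is cleared, so the
    MP-IBGP route (AD 200) is used instead of the OSPF route (AD 110)."""
    return not route.down_bit
```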
15) Configuring and Monitoring OSPF in an MPLS VPN environment
a) The OSPF process in a VRF is started with the router ospf process vrf name command. As the overall number of routing processes per router is limited to 32, a single PE-router can serve only a small number of VRFs.
b) Two-way redistribution between BGP and OSPF is usually configured. The redistribution is safe because of additional attributes introduced with the superbackbone architecture.
c) By default, only major networks are redistributed into OSPF. Redistribution of subnets needs to be configured with the redistribute… subnets command.
d) By default, only internal OSPF routes are distributed from OSPF into MP-BGP. Redistribution of external routes has to be configured with the redistribute….match route-type-list command.
e) The show ip ospf command will display whether a router is a PE router connected to the MPLS VPN backbone. The detailed printout of the show ip ospf database command will display the value of the down bit. The detailed printout of the show ip bgp command will display the OSPF-specific extended BGP community.
MPLS VPN Topologies
1) Simple VPN with Optimal Intra-VPN Routing
a) An MPLS solution requires MPLS to be enabled on all core routers, MP-BGP to propagate the information about customer networks, and an IGP within the core to find the shortest path to the loopbacks of the PE routers.
b) To learn about the customer networks we can use static routes for simple setup sites, RIPv2 for large stub sites or sites that are not managed by the service provider, BGP for multi-homed sites and OSPF only if really necessary.
c) When an update is received from CE router, a PE router has to redistribute and export it into MP-BGP with at least one Route Target extended community. The Route Target is used to identify the appropriate VRF on other PE Routers where the update is imported and redistributed back into the routing protocol used within the VPN.
d) Any site can talk to any other site and optimal routing is provided across the backbone.
e) Traditional routing protocols such as static routing, RIPv2, OSPF or BGP are used for the simple VPN service.
f) RIPv2 is the PE-CE routing protocol that I would use for the simple VPN service.
g) One VRF per PE router is needed in the simple VPN service.
h) If I am using RIPv2 from the CE to the PE site, the CE routes are redistributed into MP-BGP, transported across the backbone and redistributed back into the PE-CE routing protocol.
i) For a single-connection site with one IP prefix, it would be better to use a static route.
j) When the CE router has a single connection to the MPLS VPN backbone, it is possible to use default routing from the PE toward the CE.
k) OSPF is used for large VPN customers where the customers insist on using OSPF for migration or for their intra-site routing process.
l) The drawback of offering OSPF as the PE-CE routing protocol to your customers is that the number of VRFs that can support OSPF on a single PE router is limited by the overall process limit of 32.
2) Using BGP as the PE-CE routing protocol
a) BGP is primarily used with CE sites that have multiple connections to the MPLS VPN core. Using any other routing protocol can cause some traffic to be sub-optimally routed through the multihomed site. BGP will normally prevent this from happening without any special configuration.
b) When a customer has a large number of sites (more than 100) and there are not enough private AS numbers available, or if the customer is an ISP with its own AS number, BGP is used as the PE-CE routing protocol.
c) If the VPNs do not overlap and do not have more than 1024 sites, you would use a different AS number for every site.
d) The BGP feature used to support customers that use the same AS number at multiple sites in a multihomed hub-and-spoke design is Allowas-in.
e) The BGP feature used to support customers that use the same AS number at multiple sites, so that routes can be propagated from one site to another, is AS-Override.
3) Overlapping VPN
a) Overlapping VPNs are usually used when two separate VPNs want to interconnect parts of their networks. A third VPN is created within the MPLS VPN network that contains sites from both VPNs. A new Route Target extended community is used for networks originating in sites that are also in the new VPN. This action may also require a new Route Distinguisher.
b) Networks originating in these sites are exported with two Route Target extended communities – one for their own VPN and one for the overlapping VPN.
c) Typical uses: separating an enterprise network into VPNs that only have access to a central VPN, or interconnecting two or more enterprise networks by using an extranet VPN.
d) An additional VPN is required for the overlapping sites.
e) Expected data flow within overlapping VPNs: routing between any pair of sites (if permitted) is still optimal. Data flow between two sites is permitted if they are part of the same VPN.
f) To create three overlapping VPNs, it is necessary to create one VRF per set of sites with the same VPN membership on each PE router, one RD per VRF (three in total), and at least two Route Targets.
g) Overlapping VPN does not influence the design criteria for selecting the IGP.
4) Central Services VPN Solutions
a) Central services are used when several VPNs need to share a common set of servers. These servers reside in the central site VPN and all other VPNs have access to this VPN. Those VPNs, however, are not able to see one another.
b) The central services VPN is implemented using two Route Target extended communities where one is used to import networks into the VPN and the other to export networks. The client sites do the opposite. Two Route Target extended communities are needed to prevent client sites from exchanging routing information.
5) HUB and SPOKE VPN Solutions
a) One of the major benefits of the MPLS VPN solution is that it provides a full mesh between the CE sites with optimal routing in the core. There is no longer any need for a central site. If, however, there is a need for all the packets to go through a central site, a special design is needed for the VPN.
b) To force the packets to go through the central site, we need two links to the central site: one imports the other CEs’ routes, the other exports them. To prevent spoke CE sites from exchanging routing information, the PE routers to which the spoke sites are attached have to export routing updates from CE sites with a different Route Target extended community from the one they import. This also requires each CE site to have its own VRF.
c) Routing is no longer optimal because all packets between spoke CE sites have to traverse the core network twice.
d) If BGP is used between the PE router and the hub site’s CE router, we have to use the Allowas-in feature to prevent returning routing updates from being ignored on the PE router.
e) You would select the hub-and-spoke topology when the customer wants all the traffic to go through the central site.
f) The main difference between the Central Services VPN topology and the hub-and-spoke topology is the fact that Central Services does not forward packets between client sites.
g) The main difference between the simple VPN topology and the hub-and-spoke topology is the fact that the simple VPN topology will always send the data over the best route.
h) Spokes can only exchange routing information through the hub site. Spoke routes are imported into the hub VRF on the PE router. Spoke routes are announced to the hub site and announced back over a different hub router and PE-CE interface to the PE. Spoke routes from the hub site are imported into the spoke VRF on the hub site. Spoke routes are announced to the other spokes and imported into the spoke VRFs.
i) The routing protocol used between the P-network and the hub site is BGP.
j) With BGP as the routing protocol at the hub site, the following BGP features are necessary at the hub site: Allowas-in on the eBGP session at the PE router connecting to the hub site, and only standard features at the CE sites.
k) With BGP as the routing protocol at the spoke sites, the following BGP features are necessary at the spoke sites: AS-Override on all eBGP sessions between the PE and CE spoke routers, and only standard features at the CE sites.
6) Managed CE-Router Service
a) A separate Management VPN can be used by the service provider to manage the CE routers of all the VPNs.
b) A pair of Route Target extended communities is used to accomplish this. One is used to export the CE routers’ loopback addresses and is imported into the VRF of the management VPN. The other Route Target is used to export the networks from the management VRF and import them into all other VRFs.
c) When the service provider manages the CE routers, it needs access to all of them from a single point.
d) The central services model is used, except that only loopback addresses are imported into the CS-VPN.
e) The main difference between managed CE router service and usual central services VPN is that export maps are used to tag loopback addresses to be imported into Management VPN.
1) Simple VPN requirements
a) Any site talks to any site
b) Optimum routing Across the Network
2) Simple VPN Data and Routing Flow
a) Each VRF belonging to the simple VPN contains all VPN routes
b) Data flow is optimal in the backbone
c) No central site needed for connectivity
3) Simple VPN Basic Rules
a) Configure one VRF per PE
b) Configure the same RD for all VRFs
c) Configure one import/export route target
4) Simple VPN with static route
a) CE to PE → default gateway configuration: ip route 0.0.0.0 0.0.0.0 serial 0
b) PE to CE → static route: ip route vrf VPNA 192.168.1.0 255.255.255.0 192.168.250.7 serial 0/0; then router bgp 123, address-family ipv4 vrf VPNA, redistribute static
5) Simple VPN with Routing protocols
a) CE to PE → RIP version 2
b) PE to CE → commands below:
c) router rip
d) version 2
e) address-family ipv4 vrf VPNA
f) network 192.168.250.0
g) redistribute bgp 123 metric transparent
h) router bgp 123
i) address-family ipv4 vrf VPNA
j) redistribute rip
7) Simple VPN Routing
a) RIPv2, OSPF, BGP
b) RIP for stub sites when convergence is not an issue
c) OSPF only as an exception: very large customers or customers migrating from OSPF
d) BGP in complex routing scenarios, multihomed sites, and many routes exchanged
BGP as the PE-CE Routing Protocol
a) Benefits of using BGP between PE and CE
- BGP allows continuity of policies between sites
- Use of private AS numbers for VPN sites allows easier configuration and saves AS numbers
- No redistribution involved
- Standard communities for routing policies between sites
- Route-maps and filters based on BGP attributes
- Customers may control their own policy
- BGP sessions can be authenticated
- The PE can limit the total number of prefixes the CE is allowed to announce, avoiding the impact of CE misconfiguration
b) PE-CE Design Models
- Use different Private AS number for every site
- Reuse the same AS number for several customer sites. May require usage of AS-override feature due to BGP loop prevention mechanism.
9) Overlapping Network: a network where CE routes participate in more than one simple VPN
a) Typical applications are companies where central sites participate in the corporate network and in an extranet, or several security-conscious departments that exchange data.
b) Overlapping VPN basic rules
- Configure one VRF per set of sites with the same VPN membership per PE
- For every site with the same VPN membership use the same RD
- Configure the Route Targets properly, based on the VPN membership of the sites in each VRF. For the overlapping sites, create a new VRF with a new RD and a new RT, and import/export both the overlapping RT and the RT of the original VPN (VPN_A or VPN_B in the example below)
VRF    | RD      | Import RT        | Export RT
VPNA   | 123:750 | 123:750          | 123:750
VPNB   | 123:760 | 123:760          | 123:760
VPNA_C | 123:751 | 123:750 123:1000 | 123:750 123:1000
VPNB_C | 123:761 | 123:760 123:1000 | 123:760 123:1000
10) Central Services Configuration
a) Central Services requirements
- Clients need access to the central site
- Servers can communicate with each other
- Clients communicate with all servers, but not with each other
b) Central Services basic rules
- Configure a separate VRF per client site
- Configure one VRF per server site
- Configure a unique RD on each client site
- Configure route-target both with the same value as the RD
- Create an import RT and an export RT in the central site
- Export and import to all clients according to the table below:
- Example of config:
VRF     | RD      | Import RT       | Export RT
Client1 | 123:101 | 123:101 123:203 | 123:101 123:303
Client2 | 123:102 | 123:102 123:203 | 123:102 123:303
Client3 | 123:111 | 123:111 123:203 | 123:111 123:303
Client4 | 123:112 | 123:112 123:203 | 123:112 123:303
Server  | 123:103 | 123:103 123:303 | 123:103 123:203
11) Overlapping +Central Services
a) Example of Config:
VRF    | RD      | Import RT       | Export RT
VPNA   | 123:750 | 123:750         | 123:750
VPNB   | 123:760 | 123:760         | 123:760
VPNA_C | 123:751 | 123:750 123:101 | 123:750 123:100
VPNB_C | 123:761 | 123:760 123:101 | 123:760 123:100
SERVER | 123:101 | 123:101 123:100 | 123:101
12) HUB and Spoke configuration
a) Hub and Spoke topology
- One central site has full knowledge of the whole network
- We need two separate VRFs at the hub site: one to propagate routes from the hub to the spokes and another VRF to collect the routes from the spoke sites.
- Other sites will send traffic to the hub site for any destination
- Hub site is the transit point between spoke sites:
1. Security services
2. Traffic logging
3. Intrusion Detection System
- Drawbacks: scalability is difficult and inter-site traffic is not optimal
b) Hub and Spoke Routing
- Spoke routes are imported into the hub VRF
- Spoke routes are announced to the hub site and announced back over a different hub router and PE-CE interface
- Spoke routes from the hub site are imported into the spoke VRF on the hub site
- Spoke routes are announced to the other spokes and imported into the spoke VRFs
Obs: We need a different VRF for each spoke connected to the same PE, to prevent them from exchanging routing information directly
- Allowas-in in Hub and Spoke Topology
1. router bgp 100
2. address-family ipv4 vrf spoke
3. neighbor 192.168.74.4 remote-as 250
4. neighbor 192.168.74.4 activate
5. neighbor 192.168.74.4 allowas-in 4
6. no auto-summary
7. no synchronization
8. exit-address-family
Obs: When the customer is using BGP, the service provider does not accept updates coming back from the hub site if they have previously been sent to the hub site through the other BGP session; this is BGP’s routing loop prevention. To overcome it, allowas-in sets the maximum number of occurrences of our own AS number in the AS path that are still accepted. In this case the service provider will accept up to 4 occurrences.
- AS-override: if the customer is using the same AS number at all sites, AS-override can overcome this problem.
1. router bgp 100
2. address-family ipv4 vrf hub
3. neighbor 192.168.74.3 remote-as 250
4. neighbor 192.168.74.3 activate
5. neighbor 192.168.74.3 as-override
6. address-family ipv4 vrf spoke
7. neighbor 192.168.74.4 remote-as 250
8. neighbor 192.168.74.4 activate
9. neighbor 192.168.74.4 allowas-in 4
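Added example, not from the original notes: a Python model of the AS-path handling described in the Advanced PE-CE BGP section and in the Allowas-in / AS-override hub-and-spoke configuration just above (provider AS 100, customer AS 250 reused at every site). The SOO values 100:1 and 100:2 and the prefix 10.1.0.0/24 are constructed.

```python
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

PROVIDER_AS = 100   # 'router bgp 100' in the hub-and-spoke configuration above
CUSTOMER_AS = 250   # 'remote-as 250', reused at every customer site


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: Tuple[int, ...]    # leftmost AS = most recent hop
    soo: Optional[str] = None   # Site-of-Origin extended community, if tagged


def as_override(as_path, neighbor_as, provider_as=PROVIDER_AS):
    """AS-override as the notes describe it: leading occurrences of the CE's
    AS number are replaced with the provider AS before the route is sent."""
    path = list(as_path)
    i = 0
    while i < len(path) and path[i] == neighbor_as:
        path[i] = provider_as
        i += 1
    return tuple(path)


def ce_accepts(route, ce_as):
    """Standard eBGP loop check on the CE: drop if its own AS is in the path."""
    return ce_as not in route.as_path


def pe_accepts(route, allowas_in=0):
    """'neighbor ... allowas-in N' (N=0 is the standard check): the update is
    dropped once the provider AS occurs more than N times in the AS path."""
    return route.as_path.count(PROVIDER_AS) <= allowas_in


def pe_receive(route, site_soo=None, allowas_in=0):
    """Inbound processing on the PE. A site configured with an inbound SOO
    route-map ('set extcommunity soo') tags its routes; None means dropped."""
    if not pe_accepts(route, allowas_in):
        return None
    return replace(route, soo=site_soo) if site_soo else route


def pe_send(route, neighbor_as, neighbor_soo=None, override=False):
    """Outbound processing on the PE toward a CE: the outbound route-map drops
    routes carrying the neighbor site's own SOO, AS-override rewrites the
    path if enabled, then the provider AS is prepended (eBGP)."""
    if neighbor_soo and route.soo == neighbor_soo:
        return None
    path = as_override(route.as_path, neighbor_as) if override else route.as_path
    return replace(route, as_path=(PROVIDER_AS,) + path)


def ce_send(route, ce_as):
    """A CE re-advertising over eBGP prepends its own AS."""
    return replace(route, as_path=(ce_as,) + route.as_path)


def hub_and_spoke_walkthrough(allowas_in=4, use_soo=True):
    """Trace one spoke-1 prefix: spoke1 -> PE -> hub CE -> PE -> spokes.
    Returns the route seen at each step (None = dropped by a loop rule)."""
    spoke1_soo = "100:1" if use_soo else None   # constructed SOO values
    spoke2_soo = "100:2" if use_soo else None
    steps: Dict[str, Optional[Route]] = {}
    r = pe_receive(Route("10.1.0.0/24", (CUSTOMER_AS,)), spoke1_soo)  # constructed prefix
    steps["pe_from_spoke1"] = r
    to_hub = pe_send(r, CUSTOMER_AS, override=True)
    steps["hub_receives"] = to_hub if ce_accepts(to_hub, CUSTOMER_AS) else None
    if steps["hub_receives"] is None:
        return steps
    # the hub CE re-announces everything over its second PE-CE link
    back = pe_receive(ce_send(to_hub, CUSTOMER_AS), None, allowas_in)
    steps["pe_from_hub"] = back
    if back is not None:
        steps["spoke1_receives"] = pe_send(back, CUSTOMER_AS, spoke1_soo, override=True)
        steps["spoke2_receives"] = pe_send(back, CUSTOMER_AS, spoke2_soo, override=True)
    return steps
```

Without SOO the spoke-1 route comes back to spoke 1 with a path of only provider ASs, so the CE has no way to recognise it as its own.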
13) Managed CE Router
a) Managed CE Requirements:
- The central services NMS needs access to all CE loopback addresses
- Very similar to Central Services + Simple VPN
- All CEs participate in the Central Services VPN
- Only the loopback addresses of the CE routers need to be exported into the Central Services VPN
b) Managed CE basic rules
- Create one VRF per customer VPN
- Assign the same RD to each customer VRF in the same VPN
- Create the NMS VRF on each PE-CS router
- Assign a unique RD to the NMS VRF
Example config:
ip vrf VPNA
rd 123:750
route-target both 123:750
route-target import 123:101
export map NMS
route-map NMS permit 10
match ip address 10
set extcommunity rt 123:100 additive
access-list 10 permit 199.12.0.0 0.0.7.255
ip vrf NMS
rd 123:101
route-target both 123:101
route-target import 123:100
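Added example (not the notes’ own code): a Python model of the route-target import/export decision behind the Overlapping VPN, Central Services and Overlapping + Central Services tables and the Managed CE configuration above. The RDs and RTs are typed in from those tables; the customer prefixes are constructed, and acl_match is a hypothetical helper that mimics the wildcard semantics of access-list 10.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Optional, Set, Tuple

RT = str  # route target written as "ASN:nn", as in the tables above


@dataclass
class Vrf:
    name: str
    rd: str
    import_rts: Set[RT]
    export_rts: Set[RT]
    prefixes: List[str] = field(default_factory=list)        # routes learned from the CE
    export_map: Optional[Callable[[str], Set[RT]]] = None    # 'export map': extra RTs per prefix

    def export(self) -> List[Tuple[str, str, Set[RT]]]:
        """VPNv4 routes this VRF announces into MP-BGP: (RD, prefix, route targets)."""
        routes = []
        for prefix in self.prefixes:
            rts = set(self.export_rts)
            if self.export_map is not None:
                rts |= self.export_map(prefix)   # 'set extcommunity rt ... additive'
            routes.append((self.rd, prefix, rts))
        return routes


def acl_match(base: str, wildcard: str) -> Callable[[str], bool]:
    """IOS standard access-list semantics: compare the route's network address
    with 'base' on the bits where the wildcard mask is 0."""
    keep = ~int(ip_address(wildcard)) & 0xFFFFFFFF
    want = int(ip_address(base)) & keep
    return lambda prefix: int(ip_network(prefix).network_address) & keep == want


def imports(vrf: Vrf, vrfs: List[Vrf]) -> Dict[str, str]:
    """Prefixes the PE installs into vrf: a VPNv4 route is imported when any of
    its route targets is in the VRF's import list (own routes excluded).
    Returns {prefix: originating VRF name}."""
    result = {}
    for other in vrfs:
        if other is vrf:
            continue
        for _rd, prefix, rts in other.export():
            if rts & vrf.import_rts:
                result[prefix] = other.name
    return result


def visible_from(vrf_name: str, vrfs: List[Vrf]) -> Set[str]:
    """Names of the other VRFs whose routes end up in vrf_name."""
    vrf = next(v for v in vrfs if v.name == vrf_name)
    return set(imports(vrf, vrfs).values())


def overlapping() -> List[Vrf]:
    """The Overlapping VPN table above (RD/RTs from the notes; prefixes constructed)."""
    return [
        Vrf("VPNA", "123:750", {"123:750"}, {"123:750"}, ["10.1.0.0/24"]),
        Vrf("VPNB", "123:760", {"123:760"}, {"123:760"}, ["10.2.0.0/24"]),
        Vrf("VPNA_C", "123:751", {"123:750", "123:1000"}, {"123:750", "123:1000"}, ["10.3.0.0/24"]),
        Vrf("VPNB_C", "123:761", {"123:760", "123:1000"}, {"123:760", "123:1000"}, ["10.4.0.0/24"]),
    ]


def central_services() -> List[Vrf]:
    """The Central Services table above (RD/RTs from the notes; prefixes constructed)."""
    clients = [("Client1", "123:101"), ("Client2", "123:102"),
               ("Client3", "123:111"), ("Client4", "123:112")]
    vrfs = [Vrf(name, rd, {rd, "123:203"}, {rd, "123:303"}, [f"10.{i}.0.0/24"])
            for i, (name, rd) in enumerate(clients, 1)]
    vrfs.append(Vrf("Server", "123:103", {"123:103", "123:303"}, {"123:103", "123:203"}, ["10.100.0.0/24"]))
    return vrfs


def managed_ce() -> List[Vrf]:
    """The Managed CE example above: only prefixes matching access-list 10
    (199.12.0.0 0.0.7.255) get the extra RT 123:100, so only the CE loopbacks
    are imported into the NMS VRF while VPNA still imports the NMS networks."""
    loopback = acl_match("199.12.0.0", "0.0.7.255")                          # access-list 10
    nms_tag = lambda prefix: {"123:100"} if loopback(prefix) else set()      # route-map NMS
    return [
        Vrf("VPNA", "123:750", {"123:750", "123:101"}, {"123:750"},
            ["10.1.0.0/24", "199.12.1.1/32"], export_map=nms_tag),   # site LAN + CE loopback (constructed)
        Vrf("NMS", "123:101", {"123:101", "123:100"}, {"123:101"}, ["192.0.2.0/24"]),  # NMS network (constructed)
    ]
```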
Internet Access from VPN
1) Integrate Internet Access with the MPLS VPN
a) Traditionally, corporate Internet access was implemented by means of a central firewall located at the customer’s central site. Internet traffic from all customer sites would have to pass this central firewall, resulting in tight security.
b) Some customers find the traffic flow limitations of the central firewall setup too restrictive and opt for designs where every site (or every major site) has its own Internet access. The Internet traffic flow of this solution is optimal, but this gain is offset by the increased complexity of managing a firewall at every customer site.
c) A large number of customers find the task of deploying and managing their own firewall too cumbersome. These customers appreciate a managed firewall service from their service provider. The Internet service provider can optimize the cost of providing a managed firewall service by deploying a central firewall infrastructure serving many customers.
d) With the advent of new transport technologies (ADSL, cable, wireless), the service providers deploying these technologies have started looking for new business models that might differentiate them from pure connectivity providers. Wholesale Internet access with flexible selection of the upstream ISP is one of these innovative options.
e) There are 4 major customer requirements for Internet Access Services:
- Classical Internet Access implemented through a central firewall
- Internet Access from every VPN site, where each customer has its own independent Internet access
- Internet Access through a central firewall service (Internet Access VPN)
- Wholesale Internet Access service, where an ISP uses the IP transport infrastructure of another service provider to reach the end users
f) The addressing requirement for the classical Internet Access service: private addresses on the inside of the firewall, public addresses on the outside, and the firewall doing the NAT.
g) It is hard to implement and maintain a single security policy for the entire VPN. VPN sites could possibly use the Internet as transit between themselves.
h) The addressing requirements when every VPN site has direct Internet access: each customer site needs public IP addresses, i.e. some public IP addresses and NAT between the customer's private IP addresses and the public IP addresses.
i) The benefits of giving Internet access to every VPN site, as compared to having a central exit point to the Internet: the service provider backbone does not need to carry the traffic twice, the access line to the central site need not carry the entire VPN’s Internet traffic, and response time benefits since the traffic is optimally routed.
j) The benefit of the central firewall service: the firewall is managed by the service provider, relieving the customer of that task in a more cost-effective way.
k) The addressing requirement of the central firewall service: the use of private addresses must be coordinated by the service provider, just like public addresses are.
l) For customers using private address space with the central firewall service, private addresses must be coordinated by the service provider to ensure that addresses do not overlap between VPNs using the same central firewall service.
m) The benefit of the wholesale Internet Access service: the upstream ISP can use the infrastructure of the access service provider to reach the end user.
n) The upstream ISP assigns the customer address space in the wholesale Internet access setup.
2) Design Options for Integrating Internet Access with MPLS VPN
a) There are two major design models you can use for combining Internet access with MPLS VPN:
- Internet access can be implemented as a separate VPN
- Internet access can be implemented through global routing in the PE routers
b) Internet access in a VPN is more secure, as there is better isolation between the MPLS VPN backbone and the Internet. MPLS VPN also offers better topology options than pure IP routing. The drawback of this approach is the inability to offer full Internet routing to the customers.
c) Internet access through global routing is implemented in the same way as a traditional ISP backbone. Customers can be connected to the Internet through separate physical links, identical to the traditional way of providing Internet access to the VPN customers.
d) Alternatively, packet leaking between a VRF and the global routing table can be used to provide Internet access for customers that are limited by their choice of access method.
e) The benefit of running an Internet backbone inside a VPN: the provider backbone is isolated from the Internet, which gives increased security.
f) The benefit of running an Internet backbone in the global routing table: better scalability when full Internet routing is required, compared to using a VPN for all Internet routes.
g) The major options for implementing Internet access in the global routing table:
- Internet access via a separate interface that is not placed in any VRF
- Packet leaking between a VRF and the global table
3) Leaking between VPN and Global Backbone Routing
a) Packet leaking is implemented using two mechanisms in Cisco IOS:
- Leaking from a VRF into the global address space is configured using a per-VRF static route with a global next hop.
- A global static route pointing toward a PE-CE interface is used to forward packets from the global address space toward a CE router.
b) The packet leaking mechanism is well suited for customers that need Internet access from every site and for wholesale Internet Access services.
c) The IOS mechanism used to implement packet leaking between a VRF and the global address space is the static route.
d) Leaking from a VRF into the global address space is accomplished by a static route in the VRF with a next hop in the global routing table.
e) Leaking from the global address space toward a CE router is configured by a static route for the customer’s public address prefix pointing to an interface belonging to the customer’s VRF.
f) The static route used to leak packets from the VRF into the global routing table is configured as a default route pointing to a next-hop address where the Internet can be reached.
g) The TDP/LDP-derived label is used to forward packets toward the global next hop.
h) Wholesale Internet Access offers Internet access from every site.
i) The classical Internet Access service and Internet access through the central firewall service cannot be implemented with packet leaking.
4) Separating Internet Access from VPN Services
a) Drawbacks
- Requires a separate physical link or a specific WAN encapsulation
- PE routers must be able to perform Internet routing
- Wholesale Internet access or the central firewall service cannot be implemented with this model
b) Benefits
- Well-known model
- Supports all customer requirements
- Allows all Internet service implementations, including a BGP session with the customer
5) One of the subinterfaces is connected to the VRF and the other is not connected to any VRF, which implicitly means that it is connected to the global routing table.
6) ATM and Frame Relay can be used to avoid using two physical links.
7) Internet access through a central firewall service, wholesale Internet access, Internet access from every site, and the Internet access backbone as a separate VPN cannot be implemented in this model.
8) The Internet is separate from the MPLS VPN backbone, resulting in increased security when Internet access is provided through a VPN.
9) Internet services that can be implemented by running the Internet in a separate VPN:
- Internet access through a central firewall service
- Wholesale Internet access
- Internet access from every site
- Classical Internet access service
10) You can implement redundant Internet access when running the Internet in a VPN by configuring multiple Internet gateways connected to the MPLS VPN backbone. All those Internet gateways advertise the default route to the PE routers and the local Internet routes to the upstream ISP, using traditional methods to favor the desired primary path (most notably MED).
11) Full Internet routing cannot be carried in the VPN.
14) Internet Access Backbone as a Separate VPN
1) Drawbacks
- Full Internet routing cannot be carried in the VPN; default routes are needed, which can lead to suboptimal routing.
- Internet backbones act as CE routers to the VPN backbone; implementing an overlapping Internet + VPN backbone is tricky.
2) Benefits
- Supports all Internet access service types
- Can support all customer requirements, including a BGP session with the customer, accomplished through an advanced BGP session
1) Internet Access Types
- Classical Internet Access (centralized)
- Internet Access Everywhere
- Internet Access through an Internet Access VPN with a centralized firewall
- Wholesale Internet Access
2) Internet Access with VPN Services
a) Internet offered through another VPN:
- Benefit: the backbone is isolated from the Internet
- Drawback: all Internet routes are carried as VPN routes, which causes scaling problems
b) Internet access offered through global routing in the PE routers; there are two options:
- Internet implemented via a separate interface or subinterface:
1. Benefits: easy, well-known setup, equivalent to the classical service
2. Drawbacks: requires a separate interface or a WAN that supports subinterfaces
- Packet leaking between a VRF and the global table, achieved through configuration:
1. Benefits: can be implemented over any LAN or WAN interface
2. Drawbacks: Internet and VPN traffic are mixed over the same link, security issues arise, and the more complex Internet connectivity options are harder to implement.
3) Configuring Packet Leaking
a) ip route vrf vrf_name prefix mask next-hop global
b) ip route prefix mask interface
4) Packet Leaking Design
a) A public address block is assigned to the Internet VPN customer
b) A global static route for the assigned address block is configured in the PE
c) A default route toward a global Internet exit point is installed in the VRF
Obs: When you use this default route, you will not be able to use any other default route for intra-VPN routing.
5) Usability of Packet Leaking for the Various Internet Access Services
a) Classical Internet access does not need packet leaking
b) Internet Access Everywhere: packet leaking is the ideal solution for this customer requirement
c) Internet access through an Internet Access VPN with a centralized firewall: packet leaking is not appropriate for this service, because customer packets would traverse the Internet VPN unprotected
d) Wholesale Internet Access: this service can be implemented with packet leaking; different customers will have different global next hops configured in their default routes
6) Redundant Internet Access with Packet Leaking
a) A default route with a next hop in a neighboring AS is used as the primary default route
b) A second default route with a next hop in the service provider network is used as a backup
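The two static-route commands from 3) Configuring Packet Leaking, the three-step design from 4) and the redundant default routes from 6), as an added Python model of a PE router's forwarding decision (not Cisco IOS code and not part of the original notes). The VRF name VPNA, the next-hop addresses, the remote PE address, the customer public block 203.0.113.0/24 and the interface Serial0/0 are constructed; the backup default route uses an assumed floating-static administrative distance of 250, which the notes do not state.

```python
"""Added model of packet leaking between a VRF and the global routing table on a
PE router. Not Cisco IOS code; VRF name VPNA, the next-hop addresses, the
customer public block 203.0.113.0/24 and interface Serial0/0 are constructed,
and the backup default route uses an assumed floating-static distance of 250."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network


@dataclass
class StaticRoute:
    prefix: IPv4Network
    next_hop: object = None      # IPv4Address, or None for an interface route
    interface: str = None        # egress interface for "ip route prefix mask interface"
    global_nh: bool = False      # "ip route vrf ... next-hop global": resolve in the global table
    distance: int = 1            # higher distance = floating static used only as backup


class PeRouter:
    def __init__(self, reachable_next_hops):
        self.tables = {"global": []}                   # table name -> routes
        # constructed stand-in for "next hop resolvable in the global table / IGP"
        self.reachable = set(reachable_next_hops)

    def add(self, table, route):
        self.tables.setdefault(table, []).append(route)

    def lookup(self, table, dst):
        """Longest prefix match; among equal prefixes the lowest distance wins."""
        candidates = [r for r in self.tables[table] if dst in r.prefix]
        candidates.sort(key=lambda r: (-r.prefix.prefixlen, r.distance))
        for r in candidates:
            if r.next_hop is None or str(r.next_hop) in self.reachable:
                return r
        return None

    def forward(self, table, dst):
        r = self.lookup(table, ip_address(dst))
        if r is None:
            return ("drop", None)
        if r.interface is not None:
            # global static route pointing at the PE-CE interface: the packet
            # enters the customer's VRF without a VRF lookup
            return ("interface", r.interface)
        if r.global_nh and table != "global":
            # the VRF default route points into the global table: the packet
            # leaves the VPN and is forwarded with the LDP label of the global next hop
            return ("leak-to-global", str(r.next_hop))
        return ("table:" + table, str(r.next_hop))


def build_pe(primary_up=True):
    up = {"10.255.0.2", "192.0.2.9"} | ({"192.0.2.1"} if primary_up else set())
    pe = PeRouter(up)
    # intra-VPN route learned via MP-BGP from the remote PE (constructed)
    pe.add("VPNA", StaticRoute(ip_network("10.2.0.0/16"), ip_address("10.255.0.2")))
    # ip route vrf VPNA 0.0.0.0 0.0.0.0 192.0.2.1 global        (primary: next hop in the neighboring AS)
    pe.add("VPNA", StaticRoute(ip_network("0.0.0.0/0"), ip_address("192.0.2.1"), global_nh=True))
    # ip route vrf VPNA 0.0.0.0 0.0.0.0 192.0.2.9 global 250    (backup: next hop inside the SP network)
    pe.add("VPNA", StaticRoute(ip_network("0.0.0.0/0"), ip_address("192.0.2.9"), global_nh=True, distance=250))
    # ip route 203.0.113.0 255.255.255.0 Serial0/0              (customer public block toward the CE)
    pe.add("global", StaticRoute(ip_network("203.0.113.0/24"), interface="Serial0/0"))
    return pe


if __name__ == "__main__":
    pe = build_pe()
    print(pe.forward("VPNA", "10.2.5.5"))          # stays inside the VPN
    print(pe.forward("VPNA", "198.51.100.7"))      # leaks to the Internet via the primary default
    print(pe.forward("global", "203.0.113.10"))    # return traffic enters the VRF via Serial0/0
    print(build_pe(primary_up=False).forward("VPNA", "198.51.100.7"))  # backup default takes over
```

The model makes the "Obs" caveat visible: the VRF's only default route is the one that leaks to the global table, so every destination not covered by an intra-VPN route leaves the VPN toward the Internet over the same PE-CE link. That is the traffic mixing drawback listed above, and it is why the customer-side filtering on that link matters in this design.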
7) Usability of Separate Internet Access for the Various Internet Access Services
a) Classical Internet Access is ideal for the separate Internet access model
b) Internet Access Everywhere using separate links for Internet access will result in a complex setup for the customer; every CE will need two interfaces or subinterfaces
8) Usability of Internet Access through a VPN
a) Classical Internet Access (centralized) can be easily implemented with the Internet configured as a VPN over the MPLS VPN
b) Internet Access Everywhere: simple setup using overlapping VPNs
c) Internet Access through an Internet Access VPN with a centralized firewall
d) Wholesale Internet Access: a separate VPN is created for each upstream ISP, each ISP announces the default route into its VPN, and the customer is assigned to the VRF that corresponds to the VPN of the desired ISP
e) Benefits:
- Supports all Internet access service types
- Can support all customer requirements
f) Drawbacks:
- Full Internet routing cannot be carried in the VPN; a default route is needed, which can lead to suboptimal routing
- The Internet backbone acts as a CE router to the VPN backbone; implementing an overlapping Internet + VPN backbone is tricky
MPLS VPN Design Guidelines
8) Backbone and PE-CE Link Addressing Scheme
a) Use public addresses when possible, otherwise use private addresses
b) Prefer numbered links for current Traffic Engineering
c) PE loopback addresses should be taken from a contiguous block of address space
d) PE loopback addresses should be host routes
e) In the transition phase, bind labels only for significant addresses such as PE loopback addresses.
f) Use unique PE-CE addresses within a PE router. Re-use the same address block on each PE router.
g) The drawback of using unnumbered links: individual WAN interfaces are no longer reachable by ping or telnet
h) Unnumbered links are recommended in the ATM parts of the MPLS backbone
i) Using unnumbered links between PE and CE routers is highly discouraged. There are, however, applications such as dial-up access that benefit from unnumbered links.
j) IP backbones usually use private address space only if there is no public address space available.
k) Traceroute across a public IP backbone using private address space usually does not work.
l) The PE loopback addresses should be allocated from a separate block to make sure they are not accidentally summarized in the backbone.
m) Registered addresses should be used on PE-CE links to prevent potential overlap with the address space the customer is using.
n) You should not reuse addresses between VRFs, as a customer connected to the wrong interface might gain connectivity within the VPN of another customer.
o) You can reuse the same address range on several PE routers if you don’t redistribute connected routes into MP-BGP.
9) Backbone IGP Selection and Design
a) The major factors to take into account when selecting the right IGP for an MPLS/VPN backbone are:
- Convergence vs. stability
- Impact of redistribution
- Scalability and multi-area support
- Support for Traffic Engineering
- The usual choices are OSPF and IS-IS
b) Higher convergence speed always reduces network stability
c) OSPF convergence can be fine-tuned by changing the neighbor dead timeout and the SPF timer.
d) Many IS-IS parameters can be fine-tuned, from the neighbor dead timeout to SPF timers, retransmission timers, LSP origination timeouts, etc.
e) Redistributed routes appear as separate type 5 LSA objects in OSPF; they appear as part of the router LSP in IS-IS.
f) You cannot summarize the redistributed OSPF routes
g) Routes redistributed into IS-IS can be summarized between Level 1 and Level 2 IS-IS areas.
h) Include connected interfaces in the OSPF process and make them passive to avoid redistribution of connected interfaces.
i) MPLS Traffic Engineering is supported by OSPF and IS-IS
j) EIGRP cannot support MPLS Traffic Engineering, because TE tunnels require full knowledge of the network topology, which only link-state protocols provide.
k) You can use EIGRP with an MPLS VPN backbone as long as you don’t plan to deploy MPLS Traffic Engineering.
l) Route summarization might break MPLS VPN connectivity if you summarize the VPNv4 BGP next hops.
m) Many large service providers use IS-IS, therefore there is more experience with running IS-IS in large networks.
10) Route Distinguisher and Route Target Allocation Schemes
a) This section describes the Route Distinguisher and Route Target numbering options and makes recommendations for their allocation. A numbering plan for Route Targets and Route Distinguishers should be part of any MPLS/VPN design document. A good numbering scheme may ease troubleshooting in an MPLS/VPN network.
b) The Route Distinguisher is used to make overlapping IPv4 addresses globally unique.
c) You can use the same route distinguisher as long as the VRFs on the PE routers have the same connectivity requirements.
d) A hub-and-spoke topology requires a different route distinguisher value for every site.
e) The Route Target controls the import of VPNv4 routes into VRFs.
f) The Route Target can be different from the Route Distinguisher.
11) End to End Convergence Issues
a) The responsibility for fine-tuning this convergence falls mainly on the service provider.
b) To improve convergence in an MPLS VPN network, examine the following factors to determine whether there are any opportunities for fine-tuning:
- Time to realize a failure
- Time to propagate a change in the IGP
- Time to redistribute between protocols
- Time to propagate a change in BGP
- Time to import/export between MP-BGP and the VRF
- Time to recalculate a new path in the IGP or BGP
c) The service provider PE router performs the most complex routing.
d) A failure in the provider network shall not influence MPLS VPN routing, as long as the IGP in the P-network converges fast enough.
e) The overall convergence is affected only by the convergence speed of the IGP used in the P-network.
f) A PE router can detect neighbor loss through a BGP hold timer timeout or through loss of the BGP next hop.
g) BGP neighbor timers and the BGP scan time affect MPLS VPN convergence after a PE router failure.
h) A PE router can detect a PE-CE link failure through layer 1 and layer 2 signaling.
i) The convergence steps that need to take place after a PE-CE link failure:
- The VRF route is removed from the VRF routing table
- The VRF route is removed from the VPNv4 BGP table
- The withdrawal of the VPNv4 route is propagated to the other PE routers
- The other PE routers select a new best BGP route
- The newly selected BGP route is imported into the VRFs on the other PE routers
- Addressing scheme
a) Private vs. public addresses in the MPLS VPN backbone: private addresses can be used, as the backbone will not be accessible from other SPs and TTL propagation can be disabled.
b) Registered IP addresses in the backbone could mean easier management and a reduced risk of duplicate addresses, but the most common solution is registered addresses at the edge and private addresses in the core.
c) Do not use unnumbered PE-CE links; management and troubleshooting are more difficult.
d) Do not use private addresses for PE-CE links, as they can conflict with the customer's IP network, whereas the customer network can use any private address.
e) Reusing registered IP addresses is dangerous, because customers might establish VPN connectivity if they are connected to the wrong physical interface. Duplicate addresses are allowed even within a VPN as long as they are NOT redistributed into MP-BGP.
f) Recommendations for registered IP address reuse:
- Do not redistribute subnets into MP-BGP
- Prevent misconnection of CE interfaces
- No risk of overlap with customer addresses
- Drawback: you cannot ping the remote serial interface, a trace across the network may show duplicate addresses, and customers using RIP are affected.
g) Use registered addresses when possible
h) PE loopbacks should be host routes
Large Scale MPLS VPN Deployment
1) MP-BGP Scalability Mechanisms
a) Large-scale MPLS VPN deployments are usually faced with a number of scalability issues:
- The number of PE routers in the network is large and the corresponding MP-IBGP full mesh does not scale.
- The amount of VPNv4 routing information in the network exceeds the scaling capabilities of the BGP routers.
b) A scalable MP-IBGP design can be implemented using the standard BGP scalability tools – BGP route reflectors or BGP confederations.
c) The amount of VPNv4 routing information held by a PE router is reduced with automatic inbound filters. These discard all routes that are not relevant to the PE router.
d) A configuration change on the PE router might change the automatic inbound filter. As BGP routers don’t send periodic routing information refreshes, a mechanism is needed to request the missing information from other BGP routers – the BGP route-refresh functionality.
e) Outbound route filters are an additional optimization of automatic inbound filters. Through this function, a BGP router can download its inbound filter as an outbound filter of its neighbor, reducing its CPU utilization and the amount of BGP traffic in the network.
f) The number of routes in a very large MPLS VPN network may exceed the resources of the PE routers. MPLS VPN uses internal BGP to propagate the VPNv4 routes, experiencing the same scaling limitations as known from traditional BGP networks.
g) The most recent IOS releases provide automatic route filtering of incoming MP-BGP updates, together with a slightly modified BGP route-refresh feature that requests a resend of all VPNv4 MP-BGP routes from the neighbor.
h) A PE router does not keep routing information for VPNs not connected to it.
i) Route reflectors do not filter anything, because they forward routing information to other PE routers.
j) You need the route-refresh functionality to minimize the volume of BGP traffic after a change in routing policy. The router can request a resend of BGP updates from its neighbor, instead of storing extra copies of the neighbor’s BGP routes.
k) When a new VRF is configured on a PE router, an update that was previously ignored may now be needed to gain connectivity for this new VRF.
l) ORFs (Outbound Route Filters) are used to further minimize the number of updates by uploading a filter to the neighbor.
m) The ORF is used by the receiving PE router to make sure that the sending PE router discards, prior to sending the information to the receiving router, all the routes that would be discarded by the receiving router.
2) Partitioned Route Reflector
a) A large MPLS VPN backbone might easily exceed the scaling limits of a BGP route reflector. A further reduction of the BGP routing information on any single route reflector, through partitioned route reflectors, is therefore needed to facilitate additional growth of the MPLS VPN backbone.
b) Partitioning of BGP routing information can be performed based on the address family. Additional partitioning of VPNv4 routing information can be performed based on the route targets attached to the VPNv4 routes; the BGP RR-GROUP configuration command provides the optimal means of configuring the partitioning.
c) The basic function of the partitioned route reflector is the segmentation of the VPNv4 information.
d) The benefit of the partitioned route reflector is scalability. Each independent route reflector stores only a portion of the overall VPNv4 routing information.
e) You can implement partitioned ro
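The MP-BGP scalability mechanisms from 1) (automatic inbound filtering on the PE, route refresh after a new VRF is added, ORF) and the RT-based partitioning from 2), as one added Python model (not Cisco IOS code and not part of the original notes). All routers, VRF names, route targets and prefixes are constructed; the counts it returns show how many updates the route reflector sends and how many the PE keeps under each mechanism.

```python
"""Added model of the MP-BGP scalability mechanisms described above: automatic
inbound route-target filtering on a PE, route refresh after a new VRF is added,
outbound route filters (ORF) and route reflectors partitioned with an RR-group.
Not Cisco IOS code; all routers, VRFs, route targets and prefixes are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class VpnV4Route:
    rd: str
    prefix: str
    rts: frozenset


def filter_by_rt(routes, wanted_rts):
    """Keep only routes carrying at least one of the wanted route targets."""
    return [r for r in routes if r.rts & wanted_rts]


class PeRouter:
    def __init__(self, name, vrf_import_rts):
        self.name = name
        self.vrf_import_rts = {vrf: set(rts) for vrf, rts in vrf_import_rts.items()}
        self.bgp_table = []

    @property
    def import_rts(self):
        """Union of the import RTs of all local VRFs = the automatic inbound filter."""
        rts = set()
        for vrf_rts in self.vrf_import_rts.values():
            rts |= vrf_rts
        return rts

    def receive(self, updates):
        """Automatic inbound filter: routes no local VRF would import are discarded.
        Returns (updates received, routes kept)."""
        self.bgp_table = filter_by_rt(updates, self.import_rts)
        return len(updates), len(self.bgp_table)

    def add_vrf(self, vrf, import_rts, rr, use_orf=False):
        """A new VRF may need routes that were discarded earlier, so the PE
        sends a route refresh and the RR resends its table."""
        self.vrf_import_rts[vrf] = set(import_rts)
        return rr.send(self, use_orf)


class RouteReflector:
    def __init__(self, rr_group=None):
        # rr_group: set of RTs this partitioned RR is responsible for (None = all)
        self.rr_group = None if rr_group is None else set(rr_group)
        self.table = []

    def learn(self, routes):
        """An unpartitioned RR keeps everything; a partitioned RR keeps its RR-group only."""
        if self.rr_group is None:
            self.table.extend(routes)
        else:
            self.table.extend(filter_by_rt(routes, self.rr_group))

    def send(self, pe, use_orf=False):
        """Without ORF the full table is sent and the PE filters; with ORF the PE's
        inbound filter is applied here before sending."""
        updates = filter_by_rt(self.table, pe.import_rts) if use_orf else list(self.table)
        return pe.receive(updates)


def constructed_routes():
    """Four customers (RT 123:1..123:4) with three /24 prefixes each."""
    return [VpnV4Route(f"123:{c}", f"10.{c}.{i}.0/24", frozenset({f"123:{c}"}))
            for c in range(1, 5) for i in range(3)]


def demo():
    routes = constructed_routes()
    rr = RouteReflector()
    rr.learn(routes)
    pe = PeRouter("PE1", {"CUST1": {"123:1"}})
    no_orf = rr.send(pe)                                          # (12 sent, 3 kept)
    with_orf = rr.send(pe, use_orf=True)                          # (3 sent, 3 kept)
    after_refresh = pe.add_vrf("CUST2", {"123:2"}, rr, use_orf=True)   # (6 sent, 6 kept)
    rr_a = RouteReflector({"123:1", "123:2"})   # bgp rr-group partition A
    rr_b = RouteReflector({"123:3", "123:4"})   # partition B
    rr_a.learn(routes)
    rr_b.learn(routes)
    return {"no_orf": no_orf, "orf": with_orf, "after_refresh": after_refresh,
            "full_rr": len(rr.table), "rr_a": len(rr_a.table), "rr_b": len(rr_b.table)}


if __name__ == "__main__":
    print(demo())
```

Without ORF the reflector pushes all 12 routes and the PE silently drops 9 of them; with ORF only the 3 relevant routes cross the wire, and after the second VRF is configured the route refresh brings back the routes the PE had previously discarded. The two partitioned reflectors each hold half of the table, which is the scalability gain the notes describe.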