MPLS VPN. MPLS/BGP VPNs Goals MPLS/BGP VPN Features Implementation Conclusions.
MPLS Part 3.ppt
Transcript of MPLS Part 3.ppt
-
8/11/2019 MPLS Part 3.ppt
1/63
MPLS Part 3
-
2003, Cisco Systems, Inc. All rights reserved. SECUR 1.03-2
Configuring Small-Scale Routing Protocols Between PE and CE Routers
-
PE-CE Routing Protocols
PE-CE routing protocols are configured for individual VRFs.
Per-VRF routing protocols can be configured in two ways:
Per-VRF parameters are specified in routing contexts, which are selected
with the address-family command.
A separate OSPF process has to be started for each VRF.
-
Configuring the VRF Routing Context Within BGP
Select the per-VRF BGP context with the address-family command.
Configure CE External Border Gateway Protocol neighbors in VRF
context, not in global BGP configuration.
All non-BGP per-VRF routes have to be redistributed into a per-VRF
BGP context to be propagated by MP-BGP to other PE routers.
-
Configuring Per-VRF Static Routes
This command configures per-VRF static routes.
The route is entered in the VRF table.
You must specify a next-hop IP address if you are not using a point-to-point interface.
Sample router configuration:
-
Summary
The per-VRF routing protocols can be configured in two ways: as
individual address families belonging to the same routing process or as
separate routing processes.
Use the address-family ipv4 vrf vrf-name command to select the VRF
routing context.
Use the ip route vrf command to establish static routes.
Use the address-family ipv4 vrf vrf-name command to start the
configuration of an individual routing context.
Use the redistribute command to configure the metric that is copied into
the MED attribute of the BGP route.
-
Configuring RIP PE-CE Routing: Example
-
Configuring EIGRP PE-CE Routing: Example
-
Monitoring MPLS VPN Operations
-
Monitoring VRFs
Displays the list of all VRFs configured in the router
Displays detailed VRF configuration
Displays interfaces associated with VRFs
-
Monitoring VRFs: show ip vrf
-
Monitoring VRFs: show ip vrf detail
-
Monitoring VRFs: show ip vrf interfaces
-
Monitoring VRF Routing
Displays the routing protocols configured in a VRF
Displays the VRF routing table
Displays per-VRF BGP parameters
-
Monitoring VRF Routing: show ip protocols vrf
-
Monitoring VRF Routing: show ip route vrf
-
Monitoring VRF Routing: show ip bgp vpnv4 vrf neighbors
-
Monitoring MP-BGP Sessions
This command displays global BGP neighbors and the protocols
negotiated with these neighbors.
-
Monitoring MP-BGP Sessions: show ip bgp neighbors
-
Monitoring MP-BGP Sessions: show ip bgp neighbors (Cont.)
-
Monitoring an MP-BGP VPNv4 Table
Displays whole VPNv4 table.
Displays only BGP parameters (routes or neighbors) associated with
specified VRF.
Any BGP show command can be used with these parameters.
Displays only BGP parameters (routes or neighbors) associated with
the specified RD.
-
Monitoring an MP-BGP VPNv4 Table: show ip bgp vpnv4 vrf-name
-
Monitoring an MP-BGP VPNv4 Table: show ip bgp vpnv4 rd route-distinguisher
-
Monitoring per-VRF CEF and LFIB Structures
Displays per-VRF CEF table
Displays details of an individual CEF entry, including label stack
Displays labels allocated by an MPLS VPN for routes in the specified VRF
-
Monitoring per-VRF CEF and LFIB Structures (Cont.)
The show ip cef command can also display the label stack associated with the
MP-IBGP route.
-
Monitoring per-VRF CEF and LFIB Structures
-
Monitoring Labels Associated with VPNv4 Routes
Displays labels associated with VPNv4 routes
-
Other MPLS VPN Monitoring Commands
Performs PE-CE Telnet through specified VRF
Performs ping based on VRF routing table
Performs VRF-based traceroute
-
Summary
Use the following commands to monitor VRF information:
show ip vrf
show ip vrf detail
show ip vrf interfaces
Use the following commands to monitor VRF routing:
show ip protocols vrf vrf-name
show ip route vrf vrf-name
show ip bgp vpnv4 vrf vrf-name
Use the show ip bgp neighbors command to monitor MP-BGP sessions.
-
Summary
Use the show ip bgp vpnv4 command to monitor an MP-BGP VPNv4 table.
Use these commands to monitor the per-VRF CEF and LFIB
structures:
show ip cef vrf
show ip cef vrf detail
show mpls forwarding vrf vrf-name
Use the show ip bgp vpnv4 all labels command to monitor MP-BGP VPNv4
labels.
Other commands to monitor MPLS VPN are as follows:
telnet ip-address /vrf vrf-name
ping vrf vrf-name ip-address
trace vrf vrf-name ip-address
-
MPLS L3VPN - OSPF
-
OSPF Hierarchical Model
OSPF divides a network into areas, all of them linked through
the backbone (Area 0).
Areas could correspond to individual sites from an MPLS
VPN perspective.
-
OSPF in an MPLS VPN Routing Model
From the customer perspective, an MPLS VPN-based network has a BGP
backbone with IGP running at customer sites.
Redistribution between IGP and BGP is performed to propagate customer
routes across the MPLS VPN backbone.
-
OSPF in an MPLS VPN Routing Model: OSPF-BGP Redistribution Issue
-
OSPF in an MPLS VPN Routing Model: Classic OSPF-BGP Redistribution
OSPF route type is not preserved when the OSPF route is redistributed into
BGP.
All OSPF routes from a site are inserted as external (type 5 LSA) routes into
other sites.
Result: OSPF route summarization and stub areas are hard to implement.
Conclusion: MPLS VPN must extend the classic OSPF-BGP routing model.
-
OSPF Superbackbone: OSPF-BGP Hierarchy Issue
OSPF Area 0 might extend into individual sites.
The MPLS VPN backbone has to become a super-backbone for OSPF.
-
OSPF in MPLS VPNs: Goals
OSPF between sites shall not use normal OSPF-BGP redistribution.
OSPF continuity must be provided across the MPLS VPN backbone:
Internal OSPF routes should remain internal OSPF routes.
External routes should remain external routes.
OSPF metrics should be preserved.
-
OSPF Superbackbone: Route Propagation Example
-
OSPF Super-backbone: Rules
OSPF super-backbone behaves exactly like Area 0 in regular OSPF:
PE routers are advertised as Area Border Routers.
Routes redistributed from BGP into OSPF appear as inter-area summary
routes or as external routes (based on their original LSA type) in other
areas.
Routes from Area 0 at one site appear as inter-area routes in Area 0 at
another site.
OSPF cost is copied into MED attribute.
-
OSPF Superbackbone: External Routes
External OSPF routes are propagated in the same way as internal OSPF
routes across the super-backbone.
External metric and route type are preserved.
-
Configuring PE-CE OSPF Routing (Cont.)
This command starts the per-VRF OSPF routing process.
The total number of routing processes per router is limited to 32.
This command redistributes MP-BGP routes into OSPF. The subnets
keyword is mandatory for proper operation.
-
Configuring PE-CE OSPF Routing (Cont.)
OSPF-BGP route redistribution is configured with the redistribute command
under the proper address-family command.
Without the OSPF match keyword specified, only internal OSPF routes are
redistributed into OSPF.
-
OSPF Down Bit: Routing Loops between MP-BGP and OSPF
-
OSPF Down Bit: Loop Prevention
An additional bit (down bit) has been introduced in the options field of the
OSPF LSA header.
PE routers set the down bit when redistributing routes from MP-BGP into
OSPF.
PE routers never redistribute OSPF routes with the down bit set into
MP-BGP.
-
Loop prevention
- All LSAs redistributed from BGP have a special "down bit" set in the LSA header.
An LSA received with the down bit set is dropped -> this prevents routing loops
for multi-homed sites.
- But when a CE is configured with multi-VRF, this loop prevention feature needs
to be disabled. There are three ways:
. Use "capability vrf-lite" on the CE
. Configure the PEs with different "domain-ID" values -> all redistributed routes
become external -> bypasses the down bit check
. Use route tagging: routes redistributed from a PE carry an OSPF route tag
with the BGP AS number -> compared with the local AS number.
-
Disable Loop prevention
Routing Bit Set on this LSA
LS age: 66
Options: (No TOS-capability, DC)
LS Type: AS External Link
Link State ID: 172.16.8.8 (External Network Number)
Advertising Router: 155.1.67.6
LS Seq Number: 80000001
Checksum: 0xD4F5
Length: 36
Network Mask: /32
Metric Type: 2 (Larger than any link state path)
TOS: 0
Metric: 2
Forward Address: 0.0.0.0
External Route Tag: 3489661028
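The route tag in this LSA can be checked against the route-tagging rule from the loop prevention slide. The Python below is an added example, not part of the original slides: it assumes the default VPN route tag layout of RFC 4577 (0xD000 in the high 16 bits, a 2-byte BGP AS number in the low 16 bits), and the function names and the dictionary form of the LSA are hypothetical.

```python
# Added example (not from the slides): decode the OSPF external route tag that a
# PE sets on routes redistributed from MP-BGP, and apply both loop checks.
# Assumption: default RFC 4577 tag layout, 0xD000 in the high 16 bits and a
# 2-byte BGP AS number in the low 16 bits. Function names are hypothetical.

VPN_TAG_HIGH = 0xD000  # automatic=1, complete=1, path length=01, arbitrary tag=0


def encode_vpn_route_tag(asn):
    """Build the default VPN route tag for a 2-byte AS number."""
    if not 0 < asn <= 0xFFFF:
        raise ValueError("default tag layout only holds a 2-byte AS number")
    return (VPN_TAG_HIGH << 16) | asn


def decode_vpn_route_tag(tag):
    """Return the AS number carried in the tag, or None if it is not a VPN tag."""
    if not 0 <= tag <= 0xFFFFFFFF:
        raise ValueError("route tag is a 32-bit field")
    if tag >> 16 != VPN_TAG_HIGH:
        return None  # manually configured or unrelated tag
    return tag & 0xFFFF


def pe_may_redistribute(lsa, local_as):
    """Decide whether a PE may redistribute this OSPF route into MP-BGP.

    Returns (allowed, reason). Either indicator blocks redistribution: the
    down bit, or (for external LSAs) a route tag carrying the local AS.
    """
    if lsa.get("down_bit", False):
        return False, "down bit set"
    if lsa["ls_type"] in (5, 7) and decode_vpn_route_tag(lsa["route_tag"]) == local_as:
        return False, "route tag carries local AS %d" % local_as
    return True, "no loop indicator"


# Constructed from the LSA shown above: type 5, tag 3489661028, and an
# Options field that lists no down bit.
SAMPLE_LSA = {"ls_type": 5, "route_tag": 3489661028, "down_bit": False}

if __name__ == "__main__":
    print(hex(SAMPLE_LSA["route_tag"]), decode_vpn_route_tag(SAMPLE_LSA["route_tag"]))
    for asn in (100, 200):
        print(asn, pe_may_redistribute(SAMPLE_LSA, asn))
```

The tag 3489661028 is 0xD0000064, so it carries AS 100, the AS used in the BGP configuration later in the deck.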
-
OSPF route-type
R6-PE1#show bgp vpnv4 unicast vrf VPN_A 172.16.8.8
BGP routing table entry for 100:1:172.16.8.8/32, version 31
Paths: (1 available, best #1, table VPN_A)
Flag: 0xA00
Not advertised to any peer
Local
150.1.5.5 (metric 3) from 150.1.5.5 (150.1.5.5)
Origin incomplete, metric 2, localpref 100, valid, internal, best
Extended Community: RT:100:1 OSPF DOMAIN ID:0x0005:0x000000050200
OSPF RT:0.0.0.1:2:0 OSPF ROUTER ID:155.1.58.5:0
mpls labels in/out nolabel/21
If domain-id is not configured, by default it will be 640200
-
Summary configuration example
router ospf 100 vrf VPN_A
 domain-id 0.0.0.5
 redistribute bgp 100 subnets
 network 0.0.0.0 255.255.255.255 area 1
!
router bgp 100
 address-family ipv4 vrf VPN_A
  redistribute ospf 100 vrf VPN_A match internal external 1 external 2
If the same OSPF process number is used -> the "domain-id" must be different
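How the domain-id and the OSPF route-type community decide what the receiving PE originates can be shown on the extended communities from the show output earlier. The Python below is an added example, not part of the original slides: the function names are hypothetical, and it assumes the 6-byte domain ID value is the configured 4-byte domain-id followed by 0x0200, as the configuration and output on this page suggest.

```python
# Added example (not from the slides): parse the OSPF extended communities from
# the "show bgp vpnv4" output and pick the LSA type the receiving PE originates.
# Assumption: the 6-byte domain ID value is the configured 4-byte domain-id
# followed by 0x0200. NSSA (type 7) origination is not modelled.
import ipaddress
import re

# Constructed from the Extended Community line shown on the page.
SAMPLE = ("RT:100:1 OSPF DOMAIN ID:0x0005:0x000000050200 "
          "OSPF RT:0.0.0.1:2:0 OSPF ROUTER ID:155.1.58.5:0")


def parse_ospf_communities(text):
    """Extract domain ID, source area, route type and options."""
    dom = re.search(r"OSPF DOMAIN ID:0x([0-9A-Fa-f]{4}):0x([0-9A-Fa-f]{12})", text)
    rt = re.search(r"OSPF RT:(\d+\.\d+\.\d+\.\d+):(\d+):(\d+)", text)
    if rt is None:
        raise ValueError("no OSPF route-type community present")
    return {
        "domain_id": dom.group(2).lower() if dom else None,
        "area": rt.group(1),
        "route_type": int(rt.group(2)),
        "options": int(rt.group(3)),
    }


def domain_id_value(dotted):
    """Render a 'domain-id a.b.c.d' setting as the 6-byte hex value."""
    return ipaddress.IPv4Address(dotted).packed.hex() + "0200"


def lsa_type_to_originate(attrs, local_domain_id):
    """Return 3 (inter-area summary) or 5 (external) for a redistributed route."""
    if attrs["route_type"] in (5, 7):
        return 5  # external stays external
    if attrs["domain_id"] != domain_id_value(local_domain_id):
        return 5  # different domain: every route becomes external
    return 3      # same domain, internal route: inter-area summary


if __name__ == "__main__":
    attrs = parse_ospf_communities(SAMPLE)
    print(attrs)
    print(lsa_type_to_originate(attrs, "0.0.0.5"), lsa_type_to_originate(attrs, "0.0.0.9"))
```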
-
Sham Link
-
Sham Link
OSPF prefers intra-area paths to inter-area paths.
The path over a backdoor link will always be selected.
-
Sham Link (Cont.)
A logical intra-area link.
Carried by the super-backbone.
A sham link is required only between two VPN sites that belong to the
same area and have a backdoor link for backup purposes.
OSPF adjacency is established across the sham link.
LSA flooding occurs across the sham link.
-
Sham Link (Cont.)
-
Configuring a Sham Link
A separate /32 address space is required in each PE router for each sham
link.
This /32 address space:
Is required so that OSPF packets can be sent over the VPN backbone to
the remote end of the sham link
Must belong to the VRF
Must not be advertised by OSPF
Must be advertised by BGP
-
Configuring a Sham Link (Cont.)
The sham link belongs to the specified area.
Sham-link packets sent across the MPLS VPN backbone will have the
specified source and destination addresses.
When the SPF algorithm is executed, the sham link will have the specified
cost.
-
Sample Sham-Link Configuration
-
Features
By default, a traceroute from the customer exposes all the label links within the
provider's network -> these do not need to be displayed
- Use "no mpls ip propagate-ttl"
. forwarded (default): hide from customer
. local: hide from LSRs
-
Show command
show mpls ldp binding 7.7.7.0 255.255.255.0
-> LIB
show mpls forwarding-table
-> LFIB
show ip route
-> RIB
show ip cef
-> FIB
-
End!