Enterprise Network Virtualization (Virtualizace podnikové sítě)
© 2011 Cisco and/or its affiliates. All rights reserved. 1
Enterprise Network Virtualization
Miroslav [email protected]
16.02.2012
Agenda
• Why Virtualize your Network Infrastructure
• What are the Virtualization Components
• How can you Deploy Network Virtualization
  • MPLS VPN or VRF-lite
• Recent Cisco Innovations in Virtualization
  • Easy Virtual Network (EVN)
  • Locator/ID Separation Protocol (LISP)
Virtual Network: Creates Logical Partitions
• Allows the use of unique security policies per logical domain
• Provides traffic isolation per application, group, service etc.
• The logical separation of traffic using one physical infrastructure
[Figure: one actual physical infrastructure carrying several virtual networks (virtual private networks), e.g. guest access, a merged company, isolated services]
• Cost Reduction
  A single physical network supports multiple users and virtual networks
• Groups and services are logically separated
  Guest/partner access, department separation, telephony systems, building control and video surveillance
• Security Policies are unique to each virtual group/service
  PCI compliance
Key Building Blocks
Access Control (Branch – Campus):
  • Authenticate client (user, device, app) attempting to gain network access
  • Authorize client into a partition (VLAN/VPN)
  • Deny access to unauthenticated clients
Path Isolation (WAN – MAN – Campus; VRFs, GRE, MPLS, 802.1q over IP/MPLS):
  • Maintain traffic partitioned over shared Layer 2/3 infrastructure
  • Map Layer 3 isolated path to VLANs / VRFs in access and services edge
Services Edge (Data Center – Internet Edge):
  • Provide access to services (shared or dedicated)
  • Apply policy per partition
  • Isolate application environments if necessary
Device Virtualization
“Virtualizing” the Routing and Forwarding of the Device
One physical device (switch, router, firewall, etc.) is partitioned into:
• VLAN
• VRF: Virtual Routing and Forwarding
• VDC (Virtual Device Context)
Data Path Virtualization
Extending and Maintaining the “Virtualized” Devices over Any Media
• Hop-by-Hop: VRF-Lite End-to-End, EVN (Easy Virtual Network); 802.1q for separation
• Multi-Hop: VRF-Lite + GRE (GRE for separation), LISP
• Multi-Hop: MPLS-VPN; MPLS labels for separation
MPLS VPN
• Layer 3 or Layer 2 VPN/Segmentation using Labels
  L3 MPLS VPN (RFC 2547bis)
  L2 VPN: VPLS or EoMPLS
• Provides Any-to-Any connectivity
• QoS Capabilities
• IP Multicast (per VPN/VRF)
• Transport of IPv6 over an IPv4
[Figure: MPLS-enabled links across the LAN/MAN with E-PE and E-P routers and route reflectors (RR); remote branches are reached over an SP L2 service]
Configuration Example (IOS)
[Figure: CE routers in VPN 1 (VRF Blue) and VPN 2 (VRF Green) attach to PE routers using eBGP, OSPF, RIPv2 or static routing; the PEs run the VPN backbone IGP with the P routers and exchange VPNv4 routes and labels over MP-iBGP]

VRF Configuration (PE)
! PE Router – Multiple VRFs
ip vrf blue
 rd 65100:10
 route-target import 65100:10
 route-target export 65100:10
ip vrf green
 rd 65100:20
 route-target import 65100:20
 route-target export 65100:20
!
interface GigabitEthernet0/1.10
 ip vrf forwarding blue
interface GigabitEthernet0/1.20
 ip vrf forwarding green

MP-iBGP Configuration (PE)
! PE router
router bgp 65100
 neighbor 192.168.100.4 remote-as 65100
 !
 address-family vpnv4
  neighbor 192.168.100.4 activate
  neighbor 192.168.100.4 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf blue
  neighbor 172.20.10.1 remote-as 65111
  neighbor 172.20.10.1 activate
 exit-address-family
 !
 address-family ipv4 vrf green
  neighbor 172.20.20.1 remote-as 65110
  neighbor 172.20.20.1 activate
 exit-address-family
Summary
• Large-scale VRF solution
• Leverages standards-based L2 transports (no overlay)
• Allows full deployment of MPLS services
  L2 VPN, QoS, Multicast, IPv6, MPLS TE, TE-FRR
• Offers tight control for QoS Service Level requirements
• Offers rapid deployment for virtualization “turn up”
• Extremely scalable, but requires a higher level of operational expertise
• Not all networks are MPLS
  Enterprise wants to turn on their own MPLS VPN service (on their “CE”) while using an SP-managed MPLS VPN service
  SP not offering a “Carrier Supporting Carrier” service for building the enterprise's own MPLS VPN service
• IP-Only Transit Option Between MPLS Islands (i.e. networks)
  Core/transit network not owned by the Enterprise, and IP transport is the only option
  Source/Destination Network “islands” are IP only
  IP VPN Service from the SP is the only offering available
MPLS VPN over DMVPN
What Is Dynamic Multipoint VPN?
• DMVPN is a Cisco IOS Software solution for building IPSec + GRE VPNs in an easy, dynamic and scalable manner
• Relies on two proven technologies
  Next Hop Resolution Protocol (NHRP) (RFC 2332)
    Creates a distributed (NHRP) mapping database of all the spokes' tunnel to real (public interface) addresses
  Multipoint GRE Tunnel Interface
    Single GRE interface to support multiple GRE/IPsec tunnels
    Simplifies size and complexity of configuration
MPLS VPN over a DMVPN (2547oDMVPN)
• Hub acts as a “P” router
• Spokes act as “PE” routers
• IGP and LDP are running over the entire MPLS network
• Leverages NHRP for dynamic tunnel endpoint discovery
• Data path for spoke-to-spoke traffic transits the Hub (“P” function)
• Data traffic can be easily encrypted
• Multicast replication is done at the Hub (even if the source is at a spoke)
[Figure: remote branches (C-PE, branch LAN on an 802.1q trunk over the physical cable) cross the Internet/IP transport through a single mGRE tunnel running LDP to the Data Center/HQ hub (P, RR); MPLS/LDP and VPNv4 run over the mGRE tunnel into the campus, which uses VRF-Lite or MPLS VPN plus a shared VRF]
MPLS VPNs over Multipoint GRE Using BGP for End Point Discovery
• Leverages SP IP transport while overlaying self-deployed MPLS VPN
• Leverages multipoint GRE (mGRE)
• No LDP and NHRP required
• BGP replaces LDP and NHRP
• Offers dynamic Tunnel Endpoint Discovery via BGP
• Dynamic spoke-to-spoke access
[Figure: remote branches (C-PE, branch LAN on an 802.1q trunk over the physical cable) reach the Data Center/HQ PE and RR across the Internet/IP transport through a multipoint GRE interface; the VPNv4 label is carried inside the mGRE encapsulation; the campus uses VRF-Lite or MPLS VPN plus a shared VRF]
Feature Components
• mGRE is a multipoint bi-directional GRE tunnel
• Control Plane is based on RFC 4364 using MP-BGP
  Signaling VPNv4 routes, VPN labels, and tunnel endpoints
• VPNv4 label and VPN payload are carried in the mGRE tunnel encapsulation
• New encapsulation profile in CLI offers dynamic endpoint discovery:
  (1) Sets IP encapsulation for next-hop, (2) Installs received prefixes to tunnel
• Solution does NOT require manual GRE interfaces or the configuration of LDP on any interface(s)
[Figure: PE1–PE6 (172.16.255.1–172.16.255.6) joined by one multipoint GRE tunnel (mGRE) across the IP service; the view for PE4 lists tunnel endpoints 172.16.255.1, .2, .3, .5 and .6; VPNv4 label plus VPN payload travel inside the mGRE encapsulation]
Configuration Example
[Figure: branch site E-PE (Loopback0 10.100.1.201) peers over eBGP with the SP cloud (AS 1, 172.16.1.1) and over mGRE/iBGP with the RR/E-PE in the MPLS campus/MAN (AS 65000)]
interface Loopback0
 ip address 10.100.1.201 255.255.255.255
router bgp 65000
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 ! iBGP peer for MP-BGP (VPNv4)
 neighbor 10.100.1.204 remote-as 65000
 neighbor 10.100.1.204 update-source Loopback0
 ! eBGP peer to SP
 neighbor 172.16.1.1 remote-as 1
 neighbor 172.16.1.1 update-source Ethernet0/0
 !
 ! address family for eBGP to SP
 address-family ipv4
  no synchronization
  redistribute connected metric 1
  neighbor 172.16.1.1 activate
  no auto-summary
 exit-address-family
 !
 ! address family for MPLS-VPN over IP (iBGP)
 address-family vpnv4
  neighbor 10.100.1.204 activate
  neighbor 10.100.1.204 send-community both
  neighbor 10.100.1.204 route-map mgre_v4 in
 exit-address-family
Configuration Example for PE4
[Figure: CE1 (10.0.9.9) behind PE1 (Lo0: 10.0.0.1) and CE2 behind PE4 (Lo0: 10.0.0.4), each attached over eBGP; PE1 and PE4 reach each other across the IPv4 cloud through mGRE, with the BGP next-hop as the target address]
interface Loopback0
 ip address 10.0.0.4 255.255.255.255
!
! mGRE encapsulation “profile” for the BGP next-hop
l3vpn encapsulation ip Vegas
 transport ipv4 source Loopback0
!
router bgp 100
 . . .
 address-family vpnv4
  neighbor 10.0.0.1 activate
  neighbor 10.0.0.1 send-community extended
  ! apply the route-map to advertisements received from the remote iBGP neighbor
  neighbor 10.0.0.1 route-map next-hop-TED in
 exit-address-family
 . . .
!
! use IP encapsulation (GRE) for the next-hop and install the prefix in the VPN table as a connected tunnel interface
route-map next-hop-TED permit 10
 set ip next-hop encapsulate l3vpn Vegas
Summary and Configuration Notes
• Leverages SP IP transport while overlaying self-deployed MPLS VPN
• Solution leverages the standard MP-BGP control plane (RFC 4364)
• Tunnel endpoint discovery is done via iBGP
• eBGP can still be used for route exchange with the SP
• Solution does not require GRE tunnel configuration or LDP
• Supports multicast VPN and IPv6 per the MPLS VPN model (MDT and 6vPE respectively)
• Supports IPSec for PE-PE encryption (GET VPN or manual SA)
[Figure: branch LAN; VPNv4 label over mGRE encapsulation]
VRF-Lite
[Figure: per VRF, a virtual routing table and a virtual forwarding table; VRFs are extended across the LAN/WAN using 802.1q, DLCI, VPI/VCI or GRE]
• Leverages “virtual” encapsulation for separation:
  • Ethernet/802.1Q in campus LAN, ATM or Frame Relay PVCs in WAN
  • Frame Relay encapsulation can be used to virtualize a leased line
• The routing protocol is also “VRF aware”
  • EIGRP, OSPF, BGP, RIP/v2, static (per VRF)
• Layer 3 VRF interfaces cannot belong to more than a single VRF
VRF-Lite Subinterface Config
Router 1 (10.122.5.1):
ip vrf red
!
ip vrf green
!
interface TenGigabitEthernet1/1
 ip address 10.122.5.1 255.255.255.252
 ip pim query-interval 1
 ip pim sparse-mode
!
interface TenGigabitEthernet1/1.101
 description Subinterface for Red VRF
 encapsulation dot1Q 101
 ip vrf forwarding red
 ip address 10.122.5.1 255.255.255.252
 ip pim query-interval 1
 ip pim sparse-mode
!
interface TenGigabitEthernet1/1.102
 description Subinterface for green VRF
 encapsulation dot1Q 102
 ip vrf forwarding green
 ip address 10.122.5.1 255.255.255.252
 ip pim query-interval 1
 ip pim sparse-mode

Router 2 (10.122.5.2):
ip vrf red
!
ip vrf green
!
interface TenGigabitEthernet1/1
 ip address 10.122.5.2 255.255.255.252
 ip pim query-interval 1
 ip pim sparse-mode
!
interface TenGigabitEthernet1/1.101
 description Subinterface for red VRF
 encapsulation dot1Q 101
 ip vrf forwarding red
 ip address 10.122.5.2 255.255.255.252
 ip pim query-interval 1
 ip pim sparse-mode
!
interface TenGigabitEthernet1/1.102
 description Subinterface for green VRF
 encapsulation dot1Q 102
 ip vrf forwarding green
 ip address 10.122.5.2 255.255.255.252
 ip pim query-interval 1
 ip pim sparse-mode
OSPF Example
router ospf 1
 network 10.0.0.0 0.255.255.255 area 0
 passive-interface default
 no passive-interface vlan 2000
!
router ospf 100 vrf green
 network 11.0.0.0 0.255.255.255 area 0
 no passive-interface vlan 2001
!
router ospf 200 vrf red
 network 12.0.0.0 0.255.255.255 area 0
 no passive-interface vlan 2002

EIGRP Example
router eigrp 100
 network 10.0.0.0 0.255.255.255
 passive-interface default
 no passive-interface vlan 2000
 no auto-summary
 !
 address-family ipv4 vrf green autonomous-system 100
  network 11.0.0.0 0.255.255.255
  no auto-summary
 exit-address-family
 !
 address-family ipv4 vrf red autonomous-system 100
  network 12.0.0.0 0.255.255.255
  no auto-summary
 exit-address-family
Summary
• Leverages VRF in router (RIB/FIB, interface) and “virtual” encapsulation on interface for segmentation
• No MPLS, LDP, or BGP required
• Easy implementation in campus architecture
• Optimal solution when VRF count is small (~ <8)
• Provisioning challenges in large campus networks
• Supports multicast and QoS solutions
[Figure: branch LAN with a subinterface per VRF]
VRF-Lite over GRE
• Each VRF uses a unique GRE tunnel
• GRE tunnel interface is “VRF aware”
• Routing protocol process created per VRF (each end)
• Offers virtualized segmentation within a single interface
[Figure: branch site Multi-VRF CE runs an IGP per VRF over an mGRE tunnel per VRF across the IPv4 service to the Data Center/HQ PE (enterprise routing); routing to the SP uses BGP/static at both ends; the campus uses VRF-Lite or VPNv4, the PE VRF-Lite or MPLS VPN, plus a shared VRF and Internet access]
[Figure: branch site (physical E0/0 172.16.5.2, Lo0 172.16.100.50) and Data Center/HQ PE joined over the IP transport by a manually configured GRE tunnel carrying 11.1.0.x; the campus uses VRF-Lite or VPNv4, the PE VRF-Lite or MPLS VPN, plus a shared VRF and Internet access]
Both ends define the VRF; the ip vrf forwarding command is applied per GRE tunnel:
ip vrf blue
 rd 2:2

Branch Configuration
interface Loopback100
 ! prefix advertised to the SP
 ip address 172.16.100.50 255.255.255.255
!
interface Tunnel100
 description GRE to PE router 201
 ip vrf forwarding blue
 ip address 11.1.0.2 255.255.255.0
 tunnel source Loopback100
 tunnel destination 172.16.100.10
!
interface Ethernet0/0
 ip address 172.16.5.2 255.255.255.0
!
router eigrp 1
 !
 address-family ipv4 vrf blue autonomous-system 1
  network 11.0.0.0
  no auto-summary
 exit-address-family
 no auto-summary

DC/HQ Configuration
interface Loopback100
 ip address 172.16.100.10 255.255.255.255
!
interface Tunnel100
 description GRE to PE router 201
 ip vrf forwarding blue
 ip address 11.1.0.1 255.255.255.0
 tunnel source Loopback100
 tunnel destination 172.16.100.50
!
interface Ethernet0/0
 ip address 172.16.6.2 255.255.255.0
!
router eigrp 1
 !
 address-family ipv4 vrf blue autonomous-system 1
  network 11.0.0.0
  no auto-summary
 exit-address-family
 no auto-summary
Multipoint GRE per VRF
• Allows virtualization over the DMVPN framework
• A Multipoint GRE (mGRE) interface is enabled per VRF (1:1)
• Solution allows spoke-to-spoke data forwarding per VRF
• Unique RIB, FIB, and mGRE interface per VRF
• Routing to the provider is based on the “global” address space
• Each VRF uses a unique network ID for each NHRP server
[Figure: remote branches (Multi-VRF CE, branch LAN) reach the Data Center/HQ PE across the Internet/IP transport through a multipoint GRE tunnel per VRF; the campus uses VRF-Lite or MPLS VPN plus a shared VRF]
Multipoint GRE per VRF
• Unique RIB, FIB, and mGRE interface per VRF
• Routing to the provider is based on the “global” address space
• Each VRF uses a unique network ID for each NHRP server
[Figure: branch sites run an IGP per VRF over an mGRE tunnel per VRF (tunnels are multipoint) across the IPv4 service to the Data Center/HQ PE, which hosts a per-VRF NHRP server; routing to the SP uses BGP/static; the campus uses VRF-Lite or MPLS VPN plus a shared VRF and Internet access]
Config Example (IOS)
[Figure: per-VRF NHRP server at the Data Center/HQ PE; mGRE tunnel per VRF across the IP transport to the branch site Multi-VRF CE]
Hub Configuration
ip vrf blue
!
interface Loopback0
 ip address 10.126.100.1 255.255.255.255
!
interface Tunnel0
 description mGRE for blue
 ip vrf forwarding blue
 ip address 11.1.1.1 255.255.255.0
 no ip redirects
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 tunnel source Loopback0
 tunnel mode gre multipoint

Spoke Configuration
ip vrf blue
!
interface Loopback0
 ip address 10.123.100.1 255.255.255.255
!
interface Tunnel0
 description GRE to hub
 ip vrf forwarding blue
 ip address 11.1.1.10 255.255.255.0
 ip nhrp network-id 100
 ip nhrp nhs 11.1.1.1
 tunnel source Loopback0
 tunnel destination 10.126.100.1
!
interface Vlan10
 description blue Subnet
 ip vrf forwarding blue
 ip address 11.1.100.1 255.255.255.0
Config Example (IOS): Adding a Second VRF (Green)
The blue hub and spoke configuration stays as on the previous slide; the Green VRF gets its own loopback, tunnel, NHRP network-id and SVI.

Spoke Configuration
ip vrf Green
!
interface Loopback1
 ip address 10.123.101.1 255.255.255.255
!
interface Tunnel1
 description GRE to hub
 ip vrf forwarding Green
 ip address 11.1.2.10 255.255.255.0
 ! unique “network-id” parameter per VRF
 ip nhrp network-id 101
 ip nhrp nhs 11.1.2.1
 ! Loopback1, not Loopback0: tunnels in different VRFs cannot share the same source address
 tunnel source Loopback1
 tunnel destination 10.126.101.1
!
interface Vlan11
 ! a distinct SVI number is assumed here; the slide reused Vlan10, which is already bound to VRF blue
 description Green Subnet
 ip vrf forwarding Green
 ip address 11.1.101.1 255.255.255.0

Hub Configuration
ip vrf Green
!
interface Loopback1
 ip address 10.126.101.1 255.255.255.255
!
interface Tunnel1
 description mGRE for Green
 ip vrf forwarding Green
 ip address 11.1.2.1 255.255.255.0
 no ip redirects
 ip nhrp map multicast dynamic
 ip nhrp network-id 101
 ! Loopback1 matches the spokes' tunnel destination 10.126.101.1
 tunnel source Loopback1
 tunnel mode gre multipoint
Summary
• Leverages VRF in router (RIB/FIB, interface) and interface for segmentation
• No MPLS, LDP, or BGP required
• Optimal solution when VRF count is small (~ <8)
• Recommended for hub-and-spoke requirements
• Ideal solution when spoke-to-spoke traffic patterns are required (bypass Hub), per VRF
• Redundant Hub configurations can also be added for high availability
• Multicast is supported, but must traverse the hub (traffic pattern is source to hub to spoke)
• Tunnels in different VRFs cannot share the same source address
[Figure: branch LAN; multipoint GRE tunnel per VRF over DMVPN]
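The two constraints from this summary (one NHRP network-id per VRF, and no tunnel source shared across VRFs) can be checked mechanically before a spoke configuration is pushed. The script below is an added example, not from the deck; SAMPLE_CFG is a constructed spoke configuration modelled on the blue/Green spoke above that deliberately reuses Loopback0 and network-id 100 for the Green tunnel, and FIXED_CFG is the corrected variant.

```python
"""Static check of a multi-VRF DMVPN spoke config: one NHRP network-id per VRF,
no tunnel source shared between VRFs, and a report of addressed interfaces left
in the global table. Added example; SAMPLE_CFG is constructed for the demo."""
from collections import defaultdict

SAMPLE_CFG = """
ip vrf blue
ip vrf Green
interface Loopback0
 ip address 10.123.100.1 255.255.255.255
interface Loopback1
 ip address 10.123.101.1 255.255.255.255
interface Tunnel0
 ip vrf forwarding blue
 ip address 11.1.1.10 255.255.255.0
 ip nhrp network-id 100
 tunnel source Loopback0
 tunnel destination 10.126.100.1
interface Tunnel1
 ip vrf forwarding Green
 ip address 11.1.2.10 255.255.255.0
 ip nhrp network-id 100
 tunnel source Loopback0
 tunnel destination 10.126.101.1
interface Vlan10
 ip vrf forwarding blue
 ip address 11.1.100.1 255.255.255.0
interface Vlan11
 ip address 11.1.101.1 255.255.255.0
"""

# Corrected Green tunnel: its own network-id and its own source loopback.
FIXED_CFG = SAMPLE_CFG.replace(
    " ip nhrp network-id 100\n tunnel source Loopback0\n tunnel destination 10.126.101.1",
    " ip nhrp network-id 101\n tunnel source Loopback1\n tunnel destination 10.126.101.1")


def parse_interfaces(cfg):
    """{interface: {vrf, address, nhrp_id, source}} from indented interface stanzas."""
    ifaces, cur = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            cur = line.split(None, 1)[1]
            ifaces[cur] = {"vrf": None, "address": None, "nhrp_id": None, "source": None}
        elif not line.startswith(" "):
            cur = None                      # any other global line ends the stanza
        elif cur:
            w = line.split()
            if w[:3] == ["ip", "vrf", "forwarding"]:
                ifaces[cur]["vrf"] = w[3]
            elif w[:2] == ["ip", "address"]:
                ifaces[cur]["address"] = w[2]
            elif w[:3] == ["ip", "nhrp", "network-id"]:
                ifaces[cur]["nhrp_id"] = int(w[3])
            elif w[:2] == ["tunnel", "source"]:
                ifaces[cur]["source"] = w[2]
    return ifaces


def audit(ifaces):
    """Findings as (severity, message); 'error' marks a violated constraint."""
    findings, by_nhrp, by_source = [], defaultdict(set), defaultdict(set)
    for name, i in ifaces.items():
        if i["nhrp_id"] is not None:
            by_nhrp[i["nhrp_id"]].add(str(i["vrf"]))
        if i["source"] is not None:
            by_source[i["source"]].add(str(i["vrf"]))
        # an addressed, non-loopback interface without a VRF sits in the global table
        if i["address"] and i["vrf"] is None and not name.startswith("Loopback"):
            findings.append(("info", f"{name} carries {i['address']} in the global table"))
    for nid, vrfs in sorted(by_nhrp.items()):
        if len(vrfs) > 1:
            findings.append(("error", f"NHRP network-id {nid} shared by VRFs {sorted(vrfs)}"))
    for src, vrfs in sorted(by_source.items()):
        if len(vrfs) > 1:
            findings.append(("error", f"tunnel source {src} shared by VRFs {sorted(vrfs)}"))
    return findings


def errors(cfg):
    """Only the constraint violations for a config text."""
    return [msg for sev, msg in audit(parse_interfaces(cfg)) if sev == "error"]
```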
Easy Virtual Network (EVN)
[Figure: per VRF, a virtual routing table and a virtual forwarding table, carried between two devices over a VNET trunk]
Offers a dynamic way to configure the “VNET trunk” between two devices for carrying multiple VRFs instead of 802.1q subinterfaces
EVN, like VRF-Lite, still leverages:
  VRF-aware routing (RIB) and forwarding (FIB)
  VRF-aware routing protocol processes (EIGRP, OSPF, BGP, RIPv2, static)
Simplifies route replication configuration where a “shared” VRF is required (vs. complex BGP import/export)
VRF-Lite Subinterface Config
Both routers have the VRFs defined:
ip vrf red
 rd 101:101
ip vrf green
 rd 102:102
interface TenGigabitEthernet1/1
 ip address 10.122.5.31 255.255.255.254
 ip pim query-interval 333 msec
 ip pim sparse-mode
 logging event link-status
interface TenGigabitEthernet1/1.101
 description Subinterface for Red VRF
 encapsulation dot1Q 101
 ip vrf forwarding red
 ip address 10.122.5.31 255.255.255.254
 ip pim query-interval 333 msec
 ip pim sparse-mode
 logging event subif-link-status
interface TenGigabitEthernet1/1.102
 description Subinterface for Green VRF
 encapsulation dot1Q 102
 ip vrf forwarding green
 ip address 10.122.5.31 255.255.255.254
 ip pim query-interval 333 msec
 ip pim sparse-mode
 logging event subif-link-status

VNET Trunk Config
Global config (the VNET router has tags):
vrf definition red
 vnet tag 101
vrf definition green
 vnet tag 102
interface TenGigabitEthernet1/1
 vnet trunk
 ip address 10.122.5.32 255.255.255.254
 ip pim query-interval 333 msec
 ip pim sparse-mode
 logging event link-status
Campus Core
[Figure: two Layer 3 core switches connected over Layer 2 trunks on g1/0 and g1/1 carrying VLAN 21/31 (Red), VLAN 22/32 (Green) and VLAN 23/33 (Blue)]
With Layer 2 trunks, one SVI per VLAN and VRF:
interface vlan 21
 vrf forwarding red
interface vlan 22
 vrf forwarding green
interface vlan 23
 vrf forwarding blue
interface vlan 31
 vrf forwarding red
interface vlan 32
 vrf forwarding green
interface vlan 33
 vrf forwarding blue
With EVN, one VNET trunk:
vrf definition red
 vnet tag 101
vrf definition green
 vnet tag 102
vrf definition blue
 vnet tag 103
interface g1/0
 vnet trunk
VRF-Lite Subinterfaces vs. EVN (VNET) Trunks
VRF-Lite Subinterfaces: one point-to-point subinterface configuration per VRF per physical interface
interface TenGigabitEthernet1/1.101
 description 10GE to core 3
 encapsulation dot1Q 101
 ip vrf forwarding Red
 ip address 10.122.5.31 255.255.255.254
 ip pim query-interval 333 msec
 ip pim sparse-mode
 logging event subif-link-status
interface TenGigabitEthernet1/1.102
 description 10GE to core 3
 encapsulation dot1Q 102
 ip vrf forwarding Green
 ip address 10.122.5.31 255.255.255.254
 ip pim query-interval 333 msec
 ip pim sparse-mode
 logging event subif-link-status

EVN (VNET) Trunks: one point-to-point trunk configuration per physical interface
interface TenGigabitEthernet1/1
 description 10GE to core 3
 vnet trunk
 ip address 10.122.5.31 255.255.255.254
 ip pim query-interval 333 msec
 ip pim sparse-mode
 logging event link-status

Virtual Networks | Neighbors | VRF Subinterfaces | VNET Trunks
4                | 4         | 16                | 4
10               | 4         | 40                | 4
20               | 4         | 80                | 4
30               | 4         | 120               | 4
VRF lists can filter traffic carried over VNET trunks
[Figure: routers R1–R7 interconnected by VNET trunks carrying the Red, Green and Yellow VRFs; Group A trunks carry only Red and Yellow, Group B trunks only Red and Green]
Group A:
vrf list group-a
 member red
 member yellow
interface g1/0
 vnet trunk vrf-list group-a
Group B:
vrf list group-b
 member red
 member green
interface g2/0
 vnet trunk vrf-list group-b
Services that you don’t want to duplicate:
  Internet Gateway
  Firewall and NAT - DMZ
  DNS
  DHCP
  Corporate Communications - Hosted Content
Requires IP Connectivity between VRFs
This Is Usually Accomplished Through Some Type of Extranet Capability:
  Leverage the BGP route-target mechanism for route leaking
  Deployment of a fusion router
Before: Sharing Services in Existing Technologies
ip vrf SHARED
 rd 3:3
 route-target export 3:3
 route-target import 1:1
 route-target import 2:2
!
ip vrf RED
 rd 1:1
 route-target export 1:1
 route-target import 3:3
!
ip vrf GREEN
 rd 2:2
 route-target export 2:2
 route-target import 3:3
!
router bgp 65001
 bgp log-neighbor-changes
 !
 address-family ipv4 vrf SHARED
  redistribute ospf 3
  no auto-summary
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf RED
  redistribute ospf 1
  no auto-summary
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf GREEN
  redistribute ospf 2
  no auto-summary
  no synchronization
 exit-address-family
!

After: Simple Shared Service Definition
vrf definition SHARED
 address-family ipv4
  route-replicate from vrf RED unicast all route-map red-map
  route-replicate from vrf GREEN unicast all route-map grn-map
vrf definition RED
 address-family ipv4
  route-replicate from vrf SHARED unicast all
vrf definition GREEN
 address-family ipv4
  route-replicate from vrf SHARED unicast all

Route-Replication Advantage:
• No BGP required
• No Route Distinguisher required
• No Route Targets required
• No Import/Export required
• Simple Deployment
• Supports both Unicast/Mcast
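Whichever mechanism is used, the property to verify is that routes flow only between each tenant VRF and SHARED, never between RED and GREEN. The script below is an added example, not from the deck: it parses the route-target configuration and the EVN route-replicate configuration shown above (copied from the slide) into the same (source, destination) route-flow relation, so both designs can be checked the same way; the transitive check models a fusion router that re-originates everything it receives, which is the usual way such a design leaks.

```python
"""Route-flow check for the shared-services designs: which VRF receives routes
from which, under BGP route-targets and under EVN route replication.
Added example; the two configuration texts are copied from the slide above."""
from itertools import product

BEFORE_CFG = """
ip vrf SHARED
 rd 3:3
 route-target export 3:3
 route-target import 1:1
 route-target import 2:2
ip vrf RED
 rd 1:1
 route-target export 1:1
 route-target import 3:3
ip vrf GREEN
 rd 2:2
 route-target export 2:2
 route-target import 3:3
"""

AFTER_CFG = """
vrf definition SHARED
 address-family ipv4
  route-replicate from vrf RED unicast all route-map red-map
  route-replicate from vrf GREEN unicast all route-map grn-map
vrf definition RED
 address-family ipv4
  route-replicate from vrf SHARED unicast all
vrf definition GREEN
 address-family ipv4
  route-replicate from vrf SHARED unicast all
"""


def parse_route_targets(cfg):
    """{vrf: {'import': set, 'export': set}} from 'ip vrf' stanzas."""
    vrfs, cur = {}, None
    for line in cfg.splitlines():
        if line.startswith("ip vrf "):
            cur = line.split()[2]
            vrfs[cur] = {"import": set(), "export": set()}
        elif cur and line.strip().startswith("route-target "):
            _, direction, rt = line.split()
            for d in (("import", "export") if direction == "both" else (direction,)):
                vrfs[cur][d].add(rt)
    return vrfs


def rt_leaks(vrfs):
    """(source, destination) pairs: destination imports an RT that source exports."""
    return {(src, dst) for src, dst in product(vrfs, repeat=2)
            if src != dst and vrfs[src]["export"] & vrfs[dst]["import"]}


def replicate_leaks(cfg):
    """(source, destination) pairs from EVN 'route-replicate from vrf' lines."""
    leaks, cur = set(), None
    for line in cfg.splitlines():
        if line.startswith("vrf definition "):
            cur = line.split()[2]
        elif cur and line.strip().startswith("route-replicate from vrf "):
            leaks.add((line.split()[3], cur))
    return leaks


def transitive(leaks):
    """Worst case if every VRF re-originates what it receives, e.g. a fusion
    router redistributing the imported routes back out."""
    reach = set(leaks)
    while True:
        new = {(a, d) for (a, b) in reach for (c, d) in reach if b == c and a != d}
        if new <= reach:
            return reach
        reach |= new


def isolated(leaks, a, b):
    """True when neither VRF receives routes from the other."""
    return (a, b) not in leaks and (b, a) not in leaks
```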
Options
[Figure: EVN sites (Yellow, Green and Red VRFs) interconnected with eBGP to the provider using one of: L3VPN over mGRE with MP-BGP across an IP service; MPLS-VPN with a Multi-VRF CE; LISP across an IP service; DMVPN with encryption, one single-VRF DMVPN per VRF across an IP service]
Summary
• Easy integration with VRF-Lite
• Any-to-any connectivity within VPNs
• LAN (VNET) Trunks
• VLAN-ID reuse
• Significant configuration simplification
• VRFs are pre-provisioned on the Trunk
• Enhanced Troubleshooting and Usability
• Route replication simplifies deployment
• Works with IGPs without any additional protocol
• Supports VRF Global and Global VRF
• Optimal solution for campus LAN/MANs when VRF count is medium (~ <30)
• Supports multicast and QoS solutions
Locator/ID Separation Protocol (LISP)
EID (Endpoint Identifier) is the IP address of a host – just as it is today
RLOC (Routing Locator) is the IP address of the LISP router for the host
Mapping is the distributed architecture that maps EIDs to RLOCs
ITR is the Ingress Tunnel Router that receives packets from site-facing interfaces and encapsulates them to remote LISP sites
ETR is the Egress Tunnel Router that receives packets from core-facing interfaces and decapsulates them to deliver packets to local EIDs at the site
[Figure: EID-space sites behind xTRs, the non-LISP RLOC space with a PxTR, and the mapping DB (MS/MR). Mapping entries, EID to RLOC:
  a.a.a.0/24  w.x.y.1
  b.b.b.0/24  x.y.w.2
  c.c.c.0/24  z.q.r.5
  d.d.0.0/16  z.q.r.5
Core routing table, prefix to next-hop: w.x.y.1, x.y.w.2 and z.q.r.5 via e.f.g.h]
[Figure: West DC and East DC LISP sites and three legacy sites across the IP network, with a PxTR and the mapping DB]
24-bit LISP Instance-ID segments control plane and data plane, with VRF binding to the Instance-ID
Very high scale segmentation
IP-based “overlay” solution, transport independent
Mapping DB and LISP cache on xTRs are “instance-ID-aware”
On xTRs, use VRFs as map cache contexts
LISP Data Packet (IPv4/IPv4)
Outer IPv4 header | UDP | LISP header | Inner IPv4 header (original packet)
xTR configuration (Left):
hostname Left
!
ipv6 unicast-routing
!
vrf definition PURPLE
 address-family ipv4
 exit
 address-family ipv6
 exit
!
vrf definition GOLD
 address-family ipv4
 exit
 address-family ipv6
 exit
!
interface Ethernet0/0
 ip address 10.0.0.2 255.255.255.0
!
interface Ethernet1/0.1
 encapsulation dot1q 101
 vrf forwarding PURPLE
 ip address 192.168.1.1 255.255.255.0
 ipv6 address 2001:DB8:A:A::1/64
!
interface Ethernet1/0.2
 encapsulation dot1q 102
 vrf forwarding GOLD
 ip address 192.168.1.1 255.255.255.0
 ipv6 address 2001:DB8:B:A::1/64
!
router lisp
 eid-table vrf PURPLE instance-id 101
  database-mapping 192.168.1.0/24 10.0.0.2 priority 1 weight 1
  database-mapping 2001:DB8:A:A::/64 10.0.0.2 priority 1 weight 1
 eid-table vrf GOLD instance-id 102
  database-mapping 192.168.1.0/24 10.0.0.2 priority 1 weight 1
  database-mapping 2001:DB8:B:A::/64 10.0.0.2 priority 1 weight 1
 exit
 !
 ipv4 itr map-resolver 10.0.2.2
 ipv4 itr
 ipv4 etr map-server 10.0.2.2 key Left-key
 ipv4 etr
 ipv6 itr map-resolver 10.0.2.2
 ipv6 itr
 ipv6 etr map-server 10.0.2.2 key Left-key
 ipv6 etr
 exit
!
ip route 0.0.0.0 0.0.0.0 10.0.0.1
ipv6 route ::/0 Null0
Map-Server/Map-Resolver configuration:
hostname MSMR
!
interface Ethernet0/0
 ip address 10.0.2.2 255.255.255.0
!
router lisp
 site Left
  authentication-key Left-key
  eid-prefix instance-id 101 192.168.1.0/24
  eid-prefix instance-id 101 2001:DB8:A:A::/64
  eid-prefix instance-id 102 192.168.1.0/24
  eid-prefix instance-id 102 2001:DB8:B:A::/64
  exit
 !
 site Right
  authentication-key Right-key
  eid-prefix instance-id 101 192.168.2.0/24
  eid-prefix instance-id 101 2001:DB8:A:B::/64
  eid-prefix instance-id 102 192.168.2.0/24
  eid-prefix instance-id 102 2001:DB8:B:B::/64
  exit
 !
 ipv4 map-server
 ipv4 map-resolver
 ipv6 map-server
 ipv6 map-resolver
 exit
!
ip route 0.0.0.0 0.0.0.0 10.0.2.1
Note: VRFs are not required to be defined on the Map-Server. Virtualization in the LISP control plane is handled by LISP IIDs.
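The configurations above put the same prefix, 192.168.1.0/24, into both instance-ids 101 (PURPLE) and 102 (GOLD), so only the Instance-ID in the LISP header tells an ETR which VRF a packet belongs to. The script below is an added example, not from the deck: it builds and parses the LISP data encapsulation (outer IPv4, UDP 4341, 8-byte LISP header with the I bit and a 24-bit Instance-ID, inner packet) for xTR Left, using a per-instance map cache; the RLOC 10.0.1.2 for site Right and the map-cache entries are constructed for the demo.

```python
"""LISP data-plane encapsulation carrying a 24-bit Instance-ID (RFC 6830 header layout).
Models xTR 'Left': VRF PURPLE (IID 101) and VRF GOLD (IID 102) both hold 192.168.1.0/24,
so the IID, not the EID alone, selects the VRF. Added example; map-cache entries and
the RLOC 10.0.1.2 for site Right are constructed."""
import ipaddress
import struct
import zlib

LISP_DATA_PORT = 4341   # UDP destination port for LISP data packets
FLAG_N = 0x80           # N bit: nonce present
FLAG_I = 0x08           # I bit: instance-id present in the second header word

# eid-table -> instance-id, as bound on xTR Left (values from the page)
EID_TABLE = {"PURPLE": 101, "GOLD": 102}
VRF_BY_IID = {iid: vrf for vrf, iid in EID_TABLE.items()}

# Constructed map cache keyed by (instance-id, EID prefix) -> RLOC.
MAP_CACHE = {
    (101, ipaddress.ip_network("192.168.1.0/24")): "10.0.0.2",   # site Left (from the page)
    (102, ipaddress.ip_network("192.168.1.0/24")): "10.0.0.2",   # site Left (from the page)
    (101, ipaddress.ip_network("192.168.2.0/24")): "10.0.1.2",   # site Right, assumed RLOC
    (102, ipaddress.ip_network("192.168.2.0/24")): "10.0.1.2",   # site Right, assumed RLOC
}


def lookup_rloc(iid, dst_eid):
    """Longest-prefix match inside one instance-id; an overlapping prefix in
    another VRF can never be selected because the IID is part of the key."""
    addr = ipaddress.ip_address(dst_eid)
    best = None
    for (entry_iid, prefix), rloc in MAP_CACHE.items():
        if entry_iid == iid and addr in prefix:
            if best is None or prefix.prefixlen > best[0].prefixlen:
                best = (prefix, rloc)
    if best is None:
        raise LookupError(f"no map-cache entry for {dst_eid} in instance-id {iid}")
    return best[1]


def ipv4_checksum(header):
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def lisp_header(iid, nonce):
    """8 bytes: flags | 24-bit nonce, then 24-bit instance-id | 8 locator-status bits."""
    word1 = ((FLAG_N | FLAG_I) << 24) | (nonce & 0xFFFFFF)
    word2 = ((iid & 0xFFFFFF) << 8) | 0x01    # LSB bit 0 set: first locator is up
    return struct.pack("!II", word1, word2)


def itr_encapsulate(vrf, src_rloc, inner_packet, nonce=0xABCDEF):
    """ITR: resolve the RLOC within the VRF's instance-id and wrap the packet
    in outer IPv4 / UDP 4341 / LISP header."""
    iid = EID_TABLE[vrf]
    dst_eid = str(ipaddress.ip_address(inner_packet[16:20]))
    rloc = lookup_rloc(iid, dst_eid)
    udp_len = 8 + 8 + len(inner_packet)
    src_port = 0xC000 | (zlib.crc32(inner_packet[12:20]) & 0x3FFF)   # flow-hash style
    udp = struct.pack("!HHHH", src_port, LISP_DATA_PORT, udp_len, 0)  # zero UDP checksum
    return ipv4_header(src_rloc, rloc, 17, udp_len) + udp + lisp_header(iid, nonce) + inner_packet


def etr_decapsulate(packet):
    """ETR: strip outer IPv4/UDP, read the instance-id and return (vrf, inner packet).
    A packet without the I bit or with an unknown IID is rejected rather than
    being forwarded in the global table."""
    ihl = (packet[0] & 0x0F) * 4
    if struct.unpack("!H", packet[ihl + 2:ihl + 4])[0] != LISP_DATA_PORT:
        raise ValueError("not a LISP data packet")
    word1, word2 = struct.unpack("!II", packet[ihl + 8:ihl + 16])
    if not (word1 >> 24) & FLAG_I:
        raise ValueError("instance-id bit not set")
    vrf = VRF_BY_IID.get(word2 >> 8)
    if vrf is None:
        raise LookupError(f"no eid-table bound to instance-id {word2 >> 8}")
    return vrf, packet[ihl + 16:]
```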
Summary
• Leverages IP transport while overlaying self-deployed IP VPN
• Any-to-any connectivity within VPNs
• No MPLS, LDP, or BGP required
• Offers rapid deployment for virtualization “turn up”
• Supports IPv4/IPv6 MPLS VPNs
• Extremely scalable
• VRF-Lite is a reasonable solution with <8 VRFs and no MPLS requirements
• EVN is a manageable IP-based solution for up to 30 VRFs
• MPLS-VPN is the most scalable way to deploy Network Virtualization for >32 VRFs today
• Consider Cisco innovations (EVN, LISP) for simplifying network virtualization
• The ability to transport VRF-Lite and MPLS-VPN over IP allows flexible transport options
• MPLS VPN over mGRE offers a simpler and more scalable deployment that reduces the need for LDP and manual GRE, and works with GET VPN
• VRF-Lite, EVN, MPLS-VPN and LISP are completely compatible
www.cisco.com/go/networkvirtualization
lisp.cisco.com
You are cordially invited to the Cisco Expo 2012 conference, 25–26 April 2012, Hotel Clarion, Prague
Registration pages are in preparation