AMVS
Advanced MPLS
VPN Solutions
Volume 1
Version 1.0
Student Guide
Text Part Number: 97-0624-01
The products and specifications, configurations, and other technical information regarding the products in this manual are subject to change without notice. All statements, technical information, and recommendations in this manual are believed to be accurate but are presented without warranty of any kind, express or implied. You must take full responsibility for your application of any products specified in this manual.
LICENSE
PLEASE READ THESE TERMS AND CONDITIONS CAREFULLY BEFORE USING THE MANUAL, DOCUMENTATION, AND/OR SOFTWARE (“MATERIALS”). BY USING THE MATERIALS YOU AGREE TO BE BOUND BY THE TERMS AND CONDITIONS OF THIS LICENSE. IF YOU DO NOT AGREE WITH THE TERMS OF THIS LICENSE, PROMPTLY RETURN THE UNUSED MATERIALS (WITH PROOF OF PAYMENT) TO THE PLACE OF PURCHASE FOR A FULL REFUND.
Cisco Systems, Inc. (“Cisco”) and its suppliers grant to you (“You”) a nonexclusive and nontransferable license to use the Cisco Materials solely for Your own personal use. If the Materials include Cisco software (“Software”), Cisco grants to You a nonexclusive and nontransferable license to use the Software in object code form solely on a single central processing unit owned or leased by You or otherwise embedded in equipment provided by Cisco. You may make one (1) archival copy of the Software provided You affix to such copy all copyright, confidentiality, and proprietary notices that appear on the original. EXCEPT AS EXPRESSLY AUTHORIZED ABOVE, YOU SHALL NOT: COPY, IN WHOLE OR IN PART, MATERIALS; MODIFY THE SOFTWARE; REVERSE COMPILE OR REVERSE ASSEMBLE ALL OR ANY PORTION OF THE SOFTWARE; OR RENT, LEASE, DISTRIBUTE, SELL, OR CREATE DERIVATIVE WORKS OF THE MATERIALS.
You agree that aspects of the licensed Materials, including the specific design and structure of individual programs, constitute trade secrets and/or copyrighted material of Cisco. You agree not to disclose, provide, or otherwise make available such trade secrets or copyrighted material in any form to any third party without the prior written consent of Cisco. You agree to implement reasonable security measures to protect such trade secrets and copyrighted Material. Title to the Materials shall remain solely with Cisco.
This License is effective until terminated. You may terminate this License at any time by destroying all copies of the Materials. This License will terminate immediately without notice from Cisco if You fail to comply with any provision of this License. Upon termination, You must destroy all copies of the Materials.
Software, including technical data, is subject to U.S. export control laws, including the U.S. Export Administration Act and its associated regulations, and may be subject to export or import regulations in other countries. You agree to comply strictly with all such regulations and acknowledge that You have the responsibility to obtain licenses to export, re-export, or import Software.
This License shall be governed by and construed in accordance with the laws of the State of California, United States of America, as if performed wholly within the state and without giving effect to the principles of conflict of law. If any portion hereof is found to be void or unenforceable, the remaining provisions of this License shall remain in full force and effect. This License constitutes the entire License between the parties with respect to the use of the Materials.
Restricted Rights - Cisco’s software is provided to non-DOD agencies with RESTRICTED RIGHTS and its supporting documentation is provided with LIMITED RIGHTS. Use, duplication, or disclosure by the U.S. Government is subject to the restrictions as set forth in subparagraph “C” of the Commercial Computer Software - Restricted Rights clause at FAR 52.227-19. In the event the sale is to a DOD agency, the U.S. Government’s rights in software, supporting documentation, and technical data are governed by the restrictions in the Technical Data Commercial Items clause at DFARS 252.227-7015 and DFARS 227.7202.
DISCLAIMER OF WARRANTY. ALL MATERIALS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND ITS SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. In no event shall Cisco’s or its suppliers’ liability to You, whether in contract, tort (including negligence), or otherwise, exceed the price paid by You. The foregoing limitations shall apply even
the FCC rules. These specifications are designed to provide reasonable protection against such interference in a residential installation. However, there is no guarantee that interference will not occur in a particular installation.
You can determine whether your equipment is causing interference by turning it off. If the interference stops, it was probably caused by the Cisco equipment or one of its peripheral devices. If the equipment causes interference to radio or television reception, try to correct the interference by using one or more of the following measures:
• Turn the television or radio antenna until the interference stops.
• Move the equipment to one side or the other of the television or radio.
• Move the equipment farther away from the television or radio.
• Plug the equipment into an outlet that is on a different circuit from the television or radio. (That is, make certain the equipment and the television or radio are on circuits controlled by different circuit breakers or fuses.)
Modifications to this product not authorized by Cisco Systems, Inc. could void the FCC approval and negate your authority to operate the product.
The following third-party software may be included with your product and will be subject to the software license agreement:
CiscoWorks software and documentation are based in part on HP OpenView under license from the Hewlett-Packard Company. HP OpenView is a trademark of the Hewlett-Packard Company. Copyright © 1992, 1993 Hewlett-Packard Company.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
Network Time Protocol (NTP). Copyright © 1992, David L. Mills. The University of Delaware makes no representations about the suitability of this software for any purpose.
Point-to-Point Protocol. Copyright © 1989, Carnegie-Mellon University. All rights reserved. The name of the University may not be used to endorse or promote products derived from this software without specific prior written permission.
The Cisco implementation of TN3270 is an adaptation of the TN3270, curses, and termcap programs developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981-1988, Regents of the University of California.
Cisco incorporates Fastmac and TrueView software and the RingRunner chip in some Token Ring products. Fastmac software is licensed to Cisco by Madge Networks Limited, and the RingRunner chip is licensed to Cisco by Madge NV. Fastmac, RingRunner, and TrueView are trademarks and in some jurisdictions registered trademarks of Madge Networks Limited. Copyright © 1995, Madge Networks Limited. All rights reserved. XRemote is a trademark of Network Computing Devices, Inc. Copyright © 1989, Network Computing Devices, Inc., Mountain View, California. NCD makes no representations about the suitability of this software for any purpose.
The X Window System is a trademark of the X Consortium, Cambridge, Massachusetts. All rights reserved. Access Registrar, AccessPath, Any to Any, Are You Ready, AtmDirector, Browse with Me, CCDA, CCDE, CCDP, CCIE, CCNA, CCNP, CCSI, CD-PAC, the Cisco logo, Cisco Certified Internetwork Expert logo, CiscoLink, the Cisco Management Connection logo, the Cisco NetWorks logo, the Cisco Powered Network logo, Cisco Systems Capital, the Cisco Systems Capital logo, Cisco Systems Networking Academy, the Cisco Systems Networking Academy logo, the Cisco Technologies logo, Fast Step, FireRunner, Follow Me Browsing, FormShare, GigaStack, IGX, Intelligence in the Optical Core, Internet Quotient, IP/VC, IQ Breakthrough, IQ Expertise, IQ FastTrack, IQ Readiness Scorecard, The IQ Logo, Kernel Proxy, MGX, Natural Network Viewer, NetSonar, Network Registrar, the Networkers logo, Packet, PIX, Point and Click Internetworking, Policy Builder, Precept, RateMUX, ReyMaster, ReyView, ScriptShare, Secure Script, Shop with Me, SlideCast, SMARTnet, SVX, The Cell, TrafficDirector, TransPath, VlanDirector, Voice LAN, Wavelength Router, Workgroup Director, and Workgroup Stack are trademarks; Changing the Way We Work, Live, Play, and Learn, Empowering the Internet Generation, The Internet Economy, and The New Internet Economy are service marks; and Aironet, ASIST, BPX, Catalyst, Cisco, Cisco IOS, the Cisco IOS logo, Cisco Systems, the Cisco Systems logo, the Cisco Systems Cisco Press logo, CollisionFree, Enterprise/Solver, EtherChannel, EtherSwitch, FastHub, FastLink, FastPAD, FastSwitch, GeoTel, IOS, IP/TV, IPX, LightStream, LightSwitch, MICA, NetRanger, Post-Routing, Pre-Routing, Registrar, StrataView Plus, Stratm, TeleRouter, and VCO are registered trademarks of Cisco Systems, Inc. or its affiliates in the U.S. and certain other countries. All other trademarks mentioned in this document are the property of their respective owners. 
The use of the word partner does not imply a partnership relationship between Cisco and any of its resellers. (0005R)
Advanced MPLS VPN Solutions, Revision 1.0: Student Guide Copyright 2000, Cisco Systems, Inc.
Copyright 2000, Cisco Systems, Inc. Advanced MPLS VPN Solutions v
Table of Contents
Volume 1
ADVANCED MPLS VPN SOLUTIONS 1-1
Overview 1-1
Course Objectives 1-2
Course Objectives – Implementation 1-3
Course Objectives – Solutions 1-4
Prerequisites 1-5
Participant Role 1-7
General Administration 1-9
Sources of Information 1-10
MPLS VPN TECHNOLOGY 2-1
Overview 2-1
Objectives 2-1
Introduction to Virtual Private Networks 2-2
Objectives 2-2
Summary 2-8
Review Questions 2-8
Overlay and Peer-to-Peer VPN 2-9
Objectives 2-9
Overlay VPN Implementations 2-13
Summary 2-23
Review Questions 2-24
Major VPN Topologies 2-25
Objectives 2-25
VPN Categorizations 2-25
Summary 2-38
Review Questions 2-38
MPLS VPN Architecture 2-39
Objectives 2-39
Summary 2-60
Review Questions 2-61
MPLS VPN Routing Model 2-62
Objectives 2-62
Summary 2-78
Review Questions 2-78
MPLS VPN Packet Forwarding 2-79
Objectives 2-79
Summary 2-91
Review Questions 2-91
Lesson Summary 2-92
Answers to Review Questions 2-93
Introduction to Virtual Private Networks 2-93
Overlay and Peer-to-Peer VPN 2-93
Major VPN Topologies 2-94
MPLS VPN Architecture 2-94
MPLS VPN Routing Model 2-95
MPLS VPN Packet Forwarding 2-96
MPLS/VPN CONFIGURATION ON IOS PLATFORMS 3-1
Overview 3-1
Objectives 3-1
MPLS/VPN Mechanisms in Cisco IOS 3-2
Objectives 3-2
Summary 3-16
Review Questions 3-16
Configuring Virtual Routing and Forwarding Table 3-17
Objectives 3-17
Summary 3-26
Review Questions 3-26
Configuring a Multi-Protocol BGP Session Between the PE Routers 3-27
Objectives 3-27
Summary 3-43
Review Questions 3-43
Configuring Routing Protocols Between PE and CE Routers 3-44
Objectives 3-44
Summary 3-55
Review Questions 3-55
Monitoring MPLS/VPN Operation 3-56
Objectives 3-56
Summary 3-82
Review Questions 3-82
Troubleshooting MPLS/VPN 3-83
Objectives 3-83
Summary 3-100
Review Questions 3-100
Advanced VRF Import/Export Features 3-101
Objectives 3-101
Summary 3-115
Review Questions 3-115
Advanced PE-CE BGP Configuration 3-116
Objectives 3-116
Summary 3-134
Review Questions 3-134
USING OSPF IN AN MPLS VPN ENVIRONMENT 4-1
Overview 4-1
Objectives 4-1
Summary 4-36
Answers to Review Questions 4-37
Using OSPF as the PE-CE Protocol in an MPLS VPN Environment 4-37
Configuring and Monitoring OSPF in an MPLS VPN Environment 4-37
Volume 2
MPLS VPN TOPOLOGIES 5-1
Overview 5-1
Objectives 5-1
Simple VPN with Optimal Intra-VPN Routing 5-2
Objectives 5-2
Summary 5-17
Review Questions 5-17
Using BGP as the PE-CE Routing Protocol 5-18
Objectives 5-18
Summary 5-23
Review Questions 5-23
Overlapping Virtual Private Networks 5-24
Objectives 5-24
Summary 5-33
Review Questions 5-33
Central Services VPN Solutions 5-34
Objectives 5-34
Summary 5-47
Review Questions 5-47
Hub-and-Spoke VPN Solutions 5-48
Objectives 5-48
Summary 5-54
Review Questions 5-54
Managed CE-Router Service 5-55
Objectives 5-55
Summary 5-60
Review Questions 5-60
Chapter Summary 5-60
INTERNET ACCESS FROM A VPN 6-1
Overview 6-1
Objectives 6-1
Integrating Internet Access with the MPLS VPN Solution 6-2
Objectives 6-2
Summary 6-16
Review Questions 6-16
Design Options for Integrating Internet Access with MPLS VPN 6-17
Objectives 6-17
Summary 6-23
Review Questions 6-23
Leaking Between VPN and Global Backbone Routing 6-24
Objectives 6-24
Usability of Packet Leaking for Various Internet Access Services 6-32
Redundant Internet Access with Packet Leaking 6-36
Summary 6-38
Separating Internet Access from VPN Service 6-39
Objectives 6-39
Usability of Separated Internet Access for Various Internet Access Services 6-44
Summary 6-46
Review Questions 6-46
Internet Access Backbone as a Separate VPN 6-47
Objectives 6-47
Usability of Internet in a VPN Solution for Various Internet Access Services 6-52
Summary 6-56
Review Questions 6-57
Chapter Summary 6-57
MPLS VPN DESIGN GUIDELINES 7-1
Overview 7-1
Objectives 7-1
Backbone and PE-CE Link Addressing Scheme 7-2
Objectives 7-2
Summary 7-15
Review Questions 7-16
Backbone IGP Selection and Design 7-17
Objectives 7-17
Summary 7-30
Review Questions 7-31
Route Distinguisher and Route Target Allocation Schemes 7-32
Objective 7-32
Summary 7-37
Review Questions 7-37
End-to-End Convergence Issues 7-38
Objectives 7-38
Summary 7-52
Review Questions 7-52
Chapter Summary 7-53
Answers to Review Questions 7-54
Backbone and PE-CE Link Addressing Scheme 7-54
Backbone IGP Selection and Design 7-55
Route Distinguisher and Route Target Allocation Scheme 7-56
End-to-End Convergence Issues 7-56
LARGE-SCALE MPLS VPN DEPLOYMENT 8-1
Overview 8-1
Objectives 8-1
MP-BGP Scalability Mechanisms 8-2
MPLS VPN MIGRATION STRATEGIES 9-1
Overview 9-1
Objective 9-1
Infrastructure Migration 9-2
Objective 9-2
Summary 9-9
Review Questions 9-9
Customer Migration to MPLS VPN service 9-10
Objective 9-10
Generic Customer Migration Strategy 9-11
Migration From Layer-2 Overlay VPN 9-13
Migration from GRE Tunnel-Based VPN 9-16
Migration from IPSec-Based VPN 9-19
Migration from L2F-Based VPN 9-20
Migration From Unsupported PE-CE Routing Protocol 9-22
Summary 9-26
Review Questions 9-26
Chapter Summary 9-26
INTRODUCTION TO LABORATORY EXERCISES A-1
Overview A-1
Physical And Logical Connectivity A-2
IP Addressing Scheme A-5
Initial BGP Design A-7
Notes Pages A-8
LABORATORY EXERCISES—FRAME-MODE MPLS CONFIGURATION B-1
Overview B-1
Laboratory Exercise B-1: Basic MPLS Setup B-2
Objectives B-2
Command list B-2
Task 1: Configure MPLS in your backbone B-2
Task 2: Remove BGP from your P-routers B-2
Verification: B-3
Review Questions B-4
Laboratory Exercise B-2: Disabling TTL Propagation B-5
Objective B-5
Command list B-5
Task: Disable IP TTL Propagation B-5
Verification B-5
Laboratory Exercise B-3: Conditional Label Advertising B-6
Objective B-6
Command list B-6
Task: Configure Conditional Label Advertising B-6
Verification B-6
LABORATORY EXERCISES—MPLS VPN IMPLEMENTATION C-1
Overview C-1
Laboratory Exercise C-1: Initial MPLS VPN Setup C-2
Objectives C-2
Background Information C-2
Command list C-3
Task 1: Configure multi-protocol BGP C-3
Task 2: Configure Virtual Routing and Forwarding Tables C-4
Additional Objective C-5
Task 3: Configuring Additional CE routers C-5
Verification C-6
Laboratory Exercise C-2: Running OSPF Between PE and CE Routers C-9
Objectives C-9
Visual Objective C-9
Command list C-10
Task 1: Configure OSPF on CE routers C-10
Task 2: Configure OSPF on PE routers C-10
Verification C-11
Task 3: Configure OSPF connectivity with additional CE routers C-11
Verification C-12
Laboratory Exercise C-3: Running BGP Between the PE and CE Routers C-13
Objectives C-13
Background Information C-13
Command list C-14
Task 1: Configure Additional PE-CE link C-14
Task 2: Configure BGP as the PE-CE routing protocol C-14
Verification C-15
Task 3: Select Primary and Backup Link with BGP C-16
Verification: C-16
Task 4: Convergence Time Optimization C-17
Verification C-17
LABORATORY EXERCISES—MPLS VPN TOPOLOGIES D-1
Overview D-1
Laboratory Exercise D-1: Overlapping VPN Topology D-2
Objective D-2
Visual Objective D-2
Command list D-3
Task 1: Design your VPN solution D-4
Task 2: Remove WGxA1/WGxB1 from existing VRFs D-4
Task 3: Configure new VRFs for WGxA1 and WGxB1 D-4
Verification: D-4
Laboratory Exercise D-2: Common Services VPN D-8
Verification D-13
Laboratory Exercise D-3: Internet Connectivity Through Route Leaking D-14
Objective D-14
Visual Objective D-14
Command list D-15
Task 1: Cleanup from the previous VPN exercises D-15
Task 2: Configure route leaking between customer VPN and the Internet D-15
Verification D-16
Additional exercise: Fix intra-VPN routing D-17
Laboratory Exercise D-4: Separate Interface for Internet Connectivity D-18
Objective D-18
Visual Objective D-19
Command list D-20
Task 1: Cleanup from the previous exercise D-20
Verification D-21
Task 2: Establishing connectivity in the global routing table D-21
Task 3: Routing between the PE-router and the CE-router D-21
Verification D-22
Laboratory Exercise D-5: Internet in a VPN D-23
Objective D-23
Visual Objective D-23
Command list D-24
Task 1: Design your Internet VPN D-24
Task 2: Migrate Internet routers in a VPN D-24
Verification D-25
Additional Task: Direct Internet connectivity for all CE-routers D-26
Verification D-26
INITIAL LABORATORY CONFIGURATION E-1
Overview E-1
Laboratory Exercise E-1: Initial Core Router Configuration E-2
Objective E-2
Task: Configure Initial Router Configuration E-2
Verification E-3
Laboratory Exercise E-2: Initial Customer Router Configuration E-4
Objective E-4
Task: Configure Customer Routers E-4
Verification E-5
Laboratory Exercise E-3: Basic ISP Setup E-6
Objective E-6
Task 1: Configure IS-IS in your backbone E-6
Task 2: Configure BGP in your backbone E-6
Task 3: Configure Customer Routing E-6
Task 4: Peering with other Service Providers E-7
Task 5: Establishing Network Management Connectivity E-7
Verification E-7
INITIAL ROUTER CONFIGURATION F-1
Overview F-1
Router WGxPE1 F-2
Router WGxPE3 F-6
Router WGxPE4 F-8
Router WGxP F-10
Router WGxA1 F-12
Router WGxA2 F-14
Router WGxB1 F-15
Router WGxB2 F-17
1
Advanced MPLS
VPN Solutions
Overview
Advanced MPLS VPN Solutions (AMVS) is an instructor-led course presented by Cisco training partners to their end-user customers. This four-day course focuses on using Virtual Private Networks (VPN) implemented with Multi-Protocol Label Switching (MPLS) technology.
Upon completion of this training course, you will be able to design, implement and troubleshoot MPLS VPN networks.
This chapter outlines the course prerequisites and course highlights, as well as some administrative issues. It includes the following topics:
■ Course Objectives
■ Course Topics
■ Prerequisites
■ Participant Role
■ General Administration
■ Sources of Information
■ Course Syllabus
■ Graphic Symbols
Course Objectives
This section lists the course objectives.
© 2000, Cisco Systems, Inc. www.cisco.com BSCN v1.0—1-2
Course Objectives – Technology
Upon completion of this course, you will be able to perform the following tasks:
• Identify major VPN categories and topologies, their applications, and the technologies that can be used to implement them
• Describe MPLS/VPN terminology and architecture
• Describe the routing and forwarding model of MPLS/VPN
Course Objectives – Implementation
Upon completion of this course, you will be able to perform the following tasks:
• Configure Virtual Routing and Forwarding tables
• Configure Multi-protocol BGP in the MPLS/VPN backbone and the PE-CE routing protocols
• Configure advanced MPLS/VPN features
• Monitor and troubleshoot MPLS/VPN operations
• Describe the specifics of OSPF operation inside a VPN network
Course Objectives – Solutions
Upon completion of this course, you will be able to perform the following tasks:
• Design and implement various MPLS/VPN topologies
• Connect your VPN customers to the Internet
• Design and implement an MPLS/VPN backbone
• Build large-scale MPLS VPN backbones
• Develop a migration strategy toward MPLS/VPN from a wide range of existing network infrastructures
Prerequisites
This section lists the course prerequisites.
Successful completion of:
• Building Scalable Cisco Networks (BSCN)
• Configuring BGP on Cisco Routers
• One of the MPLS technology courses
Recommended:
• CCNP or CCIE certification
• In-depth OSPF or IS-IS knowledge
• MPLS Traffic Engineering and QoS knowledge
To fully benefit from AMVS, you should already possess certain knowledge and skills gained in a structured learning environment. You need to have:
■ In-depth understanding of IP routing and route redistribution in Cisco IOS
■ In-depth knowledge of Border Gateway Protocol (BGP) and practical experience in configuring BGP networks
■ Baseline MPLS knowledge.
These skills can be gained from self-paced or instructor-led training sessions and from work experience. The best way to gain the skills you need to follow the AMVS course is:
■ To gain IP routing and route redistribution skills, attend the Building Scalable Cisco Networks (BSCN) course
■ To gain BGP-related skills, attend the Configuring BGP on Cisco Routers (CBCR) course
■ To gain MPLS knowledge, attend the MPLS Technology Essentials or Cisco MPLS course.
You will be able to gain more practical experience from the course if you already have work experience and router configuration skills. These skills are best demonstrated through the Cisco career certifications Cisco Certified Network Professional (CCNP) or Cisco Certified Internetwork Expert (CCIE). In-depth knowledge of the Open Shortest Path First (OSPF) or Integrated Intermediate System-to-Intermediate System (IS-IS) routing protocol will help you perform the laboratory exercises better. MPLS Traffic Engineering and MPLS Quality of Service knowledge will help you understand how these technologies relate to MPLS VPN.
Participant Role
This section discusses your responsibilities as a student.
Student Role
• Meet prerequisites
• Introduce yourself
• Ask and answer questions
To take full advantage of the information presented in this course, you should meet the prerequisites for this class.
Introduce yourself to the instructor and the other students who will be working with you during the four days of this course.
You are encouraged to ask any questions relevant to the course materials. If you have pertinent questions concerning other Cisco features and products not covered in this course, please bring these topics up during breaks or after class, and the instructor will try to answer the questions or direct you to an appropriate information source.
Welcome: Please Introduce Yourself
• Your name and work location
• Your job responsibilities
• Your internetworking experience
• Your objectives for this week
Introduce yourself, stating your name and the job function you perform at your work location.
Briefly describe what experience you have with installing and configuring Cisco routers, attending Cisco classes, and how your work experience helped you meet the prerequisites highlighted earlier.
General Administration
This section highlights miscellaneous administrative tasks that must be addressed.
Class-related
• Sign-in sheet
• Length and times
• Participant materials
• Attire
Facilities-related
• Rest rooms
• Site emergency procedures
• Break and lunch room locations
• Communications
The instructor will discuss the administrative issues in detail so you will know exactly what to expect from both the class and the facilities. The following items will be discussed:
■ Recording your name on a sign-in sheet
■ The starting and anticipated ending time of each class day
■ What materials you can expect to receive during the class
■ The appropriate attire during class attendance
■ Rest room locations
■ What to do in the event of an emergency
■ Class breaks and lunch facilities
Sources of Information
This section identifies additional sources of information.
• Student kit
• www.cisco.com
• CD-ROMs
• Cisco Press
Most of the information presented in this course can be found on the Cisco Systems Web site or on CD-ROM. These supporting materials are available in HTML format and as manuals and release notes.
To learn more about the subjects covered in this course, feel free to access the following sources of information:
■ Cisco Documentation CD-ROM
■ ITM CD-ROM
■ Cisco IOS 12.1 Configuration Guide
■ Cisco IOS 12.1 Command Reference Guide
Many of these documents can be found at the following URL: http://www.cisco.com
Cisco Press books and documents can be found at the following URL: http://www.ciscopress.com
Course Syllabus
• Technology: MPLS VPN Technology
• Implementation: MPLS VPN Configuration on IOS Platforms; Running OSPF in an MPLS VPN Environment
• Solutions: MPLS VPN Topologies; Internet Access from a VPN; MPLS VPN Design Guidelines; Large-Scale MPLS VPN Deployment; MPLS VPN Migration Strategies
The following schedule reflects the recommended structure for this course. This structure allows enough time for your instructor to present the course information to you and for you to work through the laboratory exercises. The exact timing of the subject materials and labs depends on the pace of your specific class.
Module 1, MPLS VPN Technology (0.5 day)
The purpose of this module is to introduce you to the concept of Virtual Private Networks and the MPLS VPN architecture. The module also discusses the routing and data forwarding model of MPLS VPN. Module 1 includes the following chapters:
■ Chapter 1, “Introduction”
■ Chapter 2, “MPLS VPN Technology”
Module 2, MPLS VPN Implementation (1.5 days)
The purpose of this module is to describe the operation and configuration of MPLS VPN on Cisco IOS™ platforms. Module 2 includes the following chapters:
■ Chapter 3, “MPLS VPN Configuration on IOS Platforms”
■ Chapter 4, “Using OSPF in an MPLS VPN Environment”
Module 3, MPLS VPN Solutions (2 days)
The purpose of this module is to describe typical MPLS VPN usage scenarios and give you the design and implementation guidelines needed to deploy these scenarios in your network. Module 3 includes the following chapters:
■ Chapter 5, “MPLS VPN Topologies”
■ Chapter 6, “Internet Access from a VPN”
■ Chapter 7, “MPLS VPN Design Guidelines”
■ Chapter 8, “Large-Scale MPLS VPN Deployment”
■ Chapter 9, “MPLS VPN Migration Strategies”
2
MPLS VPN Technology
Overview
This lesson introduces Virtual Private Networks (VPN) and the two major VPN design options, overlay VPN and peer-to-peer VPN. VPN terminology and topologies are introduced.
The lesson then describes the MPLS VPN architecture, its operation and its terminology. It details CE-PE routing from various perspectives and the BGP extensions (extended community attributes such as route targets) that allow I-BGP to transport customer routes over a provider network. The MPLS VPN forwarding model is also covered, together with its integration with the core routing protocols.
Objectives
Upon completion of this lesson, you will be able to perform the following tasks:
■ Identify major Virtual Private Network topologies, their characteristics and usage scenarios
■ Describe the differences between overlay VPN and peer-to-peer VPN
■ List major technologies supporting overlay VPNs and peer-to-peer VPNs
■ Position MPLS VPN in comparison with other peer-to-peer VPN implementations
■ Describe major architectural blocks of MPLS VPN
Introduction to Virtual Private Networks
Objectives
Upon completion of this section, you will be able to perform the following tasks:
■ Describe the concept of VPN
Traditional Router-Based Networks
Traditional router-based networks connect customer sites through routers connected via dedicated point-to-point links.
[Figure: Sites A, B, C and D, each with its own router, interconnected by dedicated point-to-point links]
Traditional router-based networks were implemented with dedicated point-to-point links connecting customer sites. The cost of such an approach was comparatively high for a number of reasons:
■ The dedicated point-to-point links prevented any form of statistical infrastructure sharing on the Service Provider side, resulting in high costs for the end customer
■ Every link required a dedicated port on a router, resulting in high equipment costs.
Virtual Private Networks
• Virtual Private Networks replace dedicated point-to-point links with emulated point-to-point links sharing a common infrastructure
• Customers use VPNs primarily to reduce their operational costs
[Figure: Service Provider Network. A Customer Premises (CPE) router at a customer site has one physical connection to a provider edge device (Frame Relay switch); through a provider core device and a second PE device, Virtual Circuit (VC) #1 and Virtual Circuit (VC) #2 reach two CPE routers at a large customer site, with other customer routers behind them.]
Virtual Private Networks (VPNs) were introduced very early in the history of data communications with technologies like X.25 and Frame Relay, which use virtual circuits to establish the end-to-end connection over a shared service provider infrastructure. These technologies, although sometimes considered legacy and obsolete, still share the basic business assumptions with the modern VPN approaches:
■ The dedicated links are replaced with a common infrastructure that emulates point-to-point links for the customer, resulting in statistical sharing of the Service Provider infrastructure
■ Statistical sharing of infrastructure enables the service provider to offer the connectivity at a lower price, resulting in lower operational costs for the end customers.
The statistical sharing is illustrated in the graphic, where you can see that the CPE router on the left has one physical connection to the service provider with two virtual circuits provisioned. Virtual Circuit 1 (VC #1) provides connectivity to the top CPE router on the right. Virtual Circuit 2 (VC #2) provides connectivity to the bottom CPE router on the right.
Copyright 2000, Cisco Systems, Inc. MPLS VPN Technology 2-5
VPN Terminology

Customer Network (C-Network): the part of the network still under customer control
Provider Network (P-Network): the Service Provider infrastructure used to provide VPN services
Customer Site: a contiguous part of the customer network (can encompass many physical locations)

[Figure: a customer site and a large customer site connected through the Service Provider network]
There are many conceptual models and terminologies describing various Virtual Private Network technologies and implementations. In this section we’ll focus on the terminology introduced by MPLS VPN architecture. As you’ll see, the terminology is generic enough to cover any VPN technology or implementation and is thus extremely versatile.
The major parts of an overall VPN solution are always:
■ The Service Provider network (P-network): the common infrastructure the Service Provider uses to offer VPN services to the customers
■ The Customer network (C-network): the part of the overall customer network that is still exclusively under customer control.
■ Customer sites: contiguous parts of customer network.
A typical customer network implemented with any VPN technology would contain islands of connectivity completely under customer control (customer sites) connected together via the Service Provider infrastructure (P-network).
VPN Terminology

Customer Edge (CE) device: the device in the C-network with a link into the P-network. Also called Customer Premises Equipment (CPE)
Provider Edge (PE) device: the device in the P-network to which the CE devices are connected
Provider core (P) device: the device in the P-network with no customer connectivity

[Figure: a customer site and a large customer site, each with a CE device attached to a PE device at the edge of the Service Provider network]
The devices that enable the overall VPN solution are named based on their position in the network:
■ The customer router that connects the customer site to the Service Provider network is called a Customer Edge router (CE-router). Traditionally this device is called Customer Premises Equipment (CPE).
Note If the CE device is not a router but, for example, a Packet Assembly and Disassembly (PAD) device, the generic term CE-device still applies.
■ Service Provider devices where the customer devices are attached are called Provider Edge (PE) devices. In traditional switched Wide Area Network (WAN) implementations, these devices would be Frame Relay or X.25 edge switches.
■ Service Provider devices that only provide data transport across the Service Provider backbone and have no customers attached to them are called Provider (P) devices. In traditional switched WAN implementations these would be core (or transit) switches.
VPN Terminology Specific to Switched WAN

Virtual Circuit (VC): emulated point-to-point link established across shared layer-2 infrastructure
• Permanent Virtual Circuit (PVC) is established through out-of-band means (network management) and is always active
• Switched Virtual Circuit (SVC) is established through CE-PE signaling on demand from the CE device

[Figure: the Frame Relay example again, with Customer Premises routers (CPE), Frame Relay edge switches as PE devices, a provider core device, and Virtual Circuits #1 and #2 sharing one physical access link]
Switched WAN technologies introduced the term Virtual Circuit (VC), an emulated point-to-point link established across shared layer-2 infrastructure (for example, a Frame Relay network). Virtual circuits are further differentiated into Permanent Virtual Circuits (PVCs), which are pre-established by means of network management or manual configuration, and Switched Virtual Circuits (SVCs), which are established on demand through a call setup request from the CE device.
Summary
Virtual Private Networks were introduced by Service Providers to offer a more cost-effective alternative to traditional customer network design, which relied on dedicated point-to-point links between customer sites.
The overall network implemented with a VPN solution is divided into the Customer network (C-network), which is exclusively under the customer’s control, and the Provider network (P-network), the shared infrastructure used to offer the VPN services. A contiguous part of the C-network is called a customer site. The device linking a customer site with the P-network is called the Customer Edge (CE) device. Most commonly this is a router, called the CE-router. This component was traditionally named Customer Premises Equipment (CPE).
The edge device in Service Provider network, to which the customers are attached, is called Provider Edge (PE) device. The device inside the Provider network with no customer connectivity is a Provider (P) device.
Review Questions
Answer the following questions:
■ Why are customers interested in Virtual Private Networks?
■ What is the main role of a VPN?
■ What is a C-network?
■ What is a customer site?
■ What is a CE-router?
■ What is a P-network?
Overlay and Peer-to-Peer VPN
Objectives
Upon completion of this section, you will be able to perform the following tasks:
■ Describe the differences between overlay and peer-to-peer VPN
■ Describe the benefits and drawbacks of each VPN implementation option
■ List major technologies supporting overlay VPNs
VPN Implementation Technologies

VPN services can be offered based on two major paradigms:
• Overlay Virtual Private Networks, where the Service Provider provides virtual point-to-point links between customer sites
• Peer-to-Peer Virtual Private Networks, where the Service Provider participates in the customer routing
Traditional VPN implementations were all based on the overlay paradigm – the Service Provider sells virtual circuits between customer sites as a replacement for dedicated point-to-point links. The overlay paradigm has a number of drawbacks that will be identified in this section. To overcome these drawbacks (particularly in IP-based customer networks), a new paradigm called peer-to-peer VPN was introduced where the Service Provider actively participates in customer routing.
Overlay VPN Implementation (Frame Relay Example)

[Figure: Service Provider network with Frame Relay edge switches as Provider Edge devices; Customer Site Routers A, B, C and D attached, with Virtual Circuits (VC) #1, #2 and #3 provisioned across the Frame Relay network]
The diagram above shows a typical overlay VPN, implemented by a Frame Relay network. The customer needs to connect three sites (site Alpha being the central site – the hub) and orders connectivity between Alpha (Hub) and Beta (Spoke) and between Alpha (Hub) and Gamma (Spoke). The Service Provider implements this request by providing two PVCs across the Frame Relay network.
Layer-3 Routing in Overlay VPN Implementation

• Service Provider infrastructure appears as point-to-point links to customer routers
• Routing protocols run directly between customer routers
• Service Provider does not see customer routes and is responsible only for providing point-to-point transport of customer data

[Figure: customer Routers A, B, C and D linked by emulated point-to-point links; the Service Provider network is not visible at layer 3]
From the layer-3 perspective, the Service Provider network is invisible: the customer routers are linked with emulated point-to-point links. The routing protocol runs directly between customer routers, which establish routing adjacencies and exchange routing information.
The Service Provider is not aware of customer routing and has no information about customer routes. The responsibility of the Service Provider is purely the point-to-point data transport between customer sites.
Overlay VPN Implementations
There are a number of different overlay VPN implementations, ranging from traditional Time Division Multiplexing (TDM) to highly complex technologies running across IP backbones. In the following slides, we’ll introduce major VPN technologies and implementations.
Overlay VPN: Layer-1 Implementation

This is the traditional TDM solution:
• Service Provider establishes physical-layer connectivity between customer sites
• Customer takes responsibility for all higher layers

[Figure: protocol stack with ISDN, E1, T1, DS0, SDH and SONET at layer 1, PPP or HDLC at layer 2, and IP above]
In layer-1 overlay VPN implementation, the Service Provider sells layer-1 circuits (bit pipes) implemented with technologies like ISDN, DS0, E1, T1, SDH or SONET. The customer takes responsibility for layer-2 encapsulation between customer devices and the transport of IP data across the infrastructure.
Overlay VPN: Layer-2 Implementation

This is the traditional Switched WAN solution:
• Service Provider establishes layer-2 virtual circuits between customer sites
• Customer takes responsibility for all higher layers

[Figure: protocol stack with X.25, Frame Relay or ATM at layer 2 and IP above]
Layer-2 VPN implementation is the traditional switched WAN model, implemented with technologies like X.25, Frame Relay, ATM or SMDS. The Service Provider is responsible for transport of layer-2 frames between customer sites and the customer takes responsibility for all higher layers.
Overlay VPN: IP Tunneling

VPN is implemented with IP-over-IP tunnels
• Tunnels are established with GRE or IPSec
• GRE is simpler (and quicker); IPSec provides authentication and security

[Figure: protocol stack with Generic Routing Encapsulation (GRE) and IP Security (IPSec) carried over Internet Protocol (IP)]
With the success of the Internet Protocol (IP) and associated technologies, some Service Providers started to implement pure IP backbones to offer VPN services based on IP. In other cases, customers want to take advantage of the low cost and universal availability of the Internet to build low-cost private networks over it. Whatever the business reasons behind it, an overlay Layer 3 VPN implementation over an IP backbone always involves tunneling (encapsulation of protocol units at a certain layer of the OSI model into protocol units at the same or a higher layer of the OSI model).
Two well-known tunneling technologies are IP Security (IPSec) and Generic Routing Encapsulation (GRE). GRE is fast and simple to implement and supports multiple routed protocols, but it provides no authentication or confidentiality: any host that can reach the tunnel endpoint can inject packets into the tunnel, so GRE on its own is unsuitable for deployment over the Internet. The alternative is IPSec, which provides network-layer authentication and optional encryption to make data transfer over the Internet secure. IPSec only carries the IP routed protocol; in practice the two are often combined, with GRE tunnels carried inside IPSec, so that multiprotocol or multicast traffic receives IPSec protection.
Overlay VPN: Layer-2 Forwarding

VPN is implemented with PPP-over-IP tunnels
• Usually used in access environments (dial-up, DSL)

[Figure: protocol stack with Layer 2 Forwarding (L2F), Layer 2 Tunneling Protocol (L2TP) and Point-to-Point Tunneling Protocol (PPTP) carrying Point-to-Point Protocol (PPP) frames over Internet Protocol (IP)]
Yet another tunneling technique was first implemented in dial-up networks, where Service Providers wanted to tunnel customer dial-up data, encapsulated in Point-to-Point Protocol (PPP) frames, over an IP backbone to the customer’s central site. To make the Service Provider transport transparent to the customer, PPP frames are exchanged between the customer sites (usually a dial-up user and a central site) and the customer is responsible for establishing layer-3 connectivity above PPP.
There are three well-known PPP forwarding implementations:
■ Layer 2 Forwarding (L2F)
■ Layer 2 Tunneling Protocol (L2TP)
■ Point-to-Point Tunneling Protocol (PPTP)
Peer-to-Peer VPN Concept

[Figure: Customer Site Routers A, B, C and D, each attached to a Provider Edge (PE) Router in the Service Provider network]
• Routing information is exchanged between customer and service-provider routers
• Service Provider routers exchange customer routes through the core network
• Finally, the customer routes propagated through the service-provider network are sent to other customer routers
The overlay VPN paradigm has a number of drawbacks, the most significant being the need for the customer to establish point-to-point links or virtual circuits between sites. In the worst case (full mesh) the number of links or virtual circuits needed is n(n-1)/2, where n is the number of sites to connect; full-mesh connectivity between 4 sites, for example, needs 6 point-to-point links or virtual circuits. To overcome this drawback and provide the customer with optimum data transport across the Service Provider backbone, the peer-to-peer VPN concept was introduced, where the Service Provider actively participates in the customer routing: accepting customer routes, transporting them across the Service Provider backbone and finally propagating them to other customer sites.
Peer-to-Peer VPN with Packet Filters

[Figure: a shared Point-of-Presence router in the service provider network with Customer A Site #1, Customer A Site #2 and Customer B Site #1 attached]
• POP router carries all customer routes
• Isolation between customers is achieved with packet filters on PE-CE interfaces
The first peer-to-peer VPN solutions appeared several years ago. They were built on architectures similar to the Internet, and special provisions had to be taken into account to transform an architecture targeted at public backbones into a solution where customers are fully isolated from each other and can exchange their corporate data securely.
A common peer-to-peer VPN implementation uses packet filters on the PE-routers to isolate the customers. The Service Provider allocates portions of its address space to the customers and manages the packet filters on the PE-routers to ensure full reachability between sites of a single customer and isolation between customers. Because the PE-router carries every customer’s routes, the packet filters are the only thing enforcing isolation: a missing or mistyped entry on a single PE-CE interface exposes one customer to another.
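As an added illustration (example code, not Cisco’s), the following Python model of a shared PE-router shows both sides of this approach: the per-interface packet filters do isolate customers, and every filter on every PE has to be regenerated whenever a site is added anywhere. Site names, customer names and the provider-assigned prefixes are constructed; the anti-spoofing check on the source address is the practitioner’s safeguard added here, not something the page describes.

```python
"""Shared-PE peer-to-peer VPN: customer isolation by packet filters on
the PE-CE interfaces.

Added example, not Cisco code; customer names, site names and the
provider-assigned prefixes are constructed. The PE holds every
customer's routes in one routing table, so the only thing keeping
Customer A's traffic away from Customer B is the access list applied
inbound on each PE-CE interface.
"""
from ipaddress import ip_address, ip_network

# Provider-assigned address space: site -> (prefix, customer). Constructed.
SITES = {
    "A1": ("10.1.0.0/24", "A"),
    "A2": ("10.2.0.0/24", "A"),
    "B1": ("10.3.0.0/24", "B"),
}


class SharedPE:
    def __init__(self, sites):
        self.sites = {}
        self.acl = {}
        for name, (prefix, customer) in sites.items():
            self.add_site(name, prefix, customer)

    def add_site(self, name, prefix, customer):
        """Adding one site anywhere forces a rebuild of every filter."""
        self.sites[name] = (ip_network(prefix), customer)
        self.rebuild_filters()

    def rebuild_filters(self):
        """Inbound filter per PE-CE interface: permit only destinations that
        belong to the same customer as the ingress site; implicit deny."""
        self.acl = {
            name: [p for _, (p, c2) in self.sites.items() if c2 == customer]
            for name, (_, customer) in self.sites.items()
        }

    def filter_entries(self):
        """Total permit entries across all interfaces on this PE
        (k sites of one customer need k*k entries)."""
        return sum(len(v) for v in self.acl.values())

    def route_lookup(self, dst):
        """Global routing table with all customers' prefixes mixed together."""
        for name, (prefix, _) in self.sites.items():
            if dst in prefix:
                return name
        return None

    def forward(self, ingress_site, src, dst):
        src, dst = ip_address(src), ip_address(dst)
        # Anti-spoofing check (added here as good practice): the source must
        # belong to the prefix assigned to the ingress site, otherwise a site
        # could impersonate another customer's addresses.
        if src not in self.sites[ingress_site][0]:
            return "drop: spoofed source"
        if not any(dst in p for p in self.acl[ingress_site]):
            return "drop: denied by PE-CE access list"
        egress = self.route_lookup(dst)
        return f"forward to {egress}" if egress else "drop: no route"


if __name__ == "__main__":
    pe = SharedPE(SITES)
    print(pe.forward("A1", "10.1.0.5", "10.2.0.9"))   # same customer
    print(pe.forward("A1", "10.1.0.5", "10.3.0.9"))   # other customer
    print("filter entries before:", pe.filter_entries())
    pe.add_site("A3", "10.4.0.0/24", "A")
    print("filter entries after adding A3:", pe.filter_entries())
```

The route lookup succeeds for every destination, so isolation rests entirely on the access list; the entry count grows with the square of the number of sites per customer, and the same rebuild has to happen on every PE that serves that customer.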
Peer-to-Peer VPN with Controlled Route Distribution

[Figure: a Point-of-Presence with a dedicated PE-router for Customer A (Site #1 and Site #2 attached) and a dedicated PE-router for Customer B (Site #1 attached), both connected to a P-router with an uplink into the service provider network]
• Each customer has a dedicated PE router that only carries its routes
• The P-router contains all customer routes
• Customer isolation is achieved through lack of routing information on the PE router
Maintaining packet filters is a mundane and error-prone task. Some Service Providers thus implemented more innovative solutions based on controlled route distribution. In this approach, the core Service Provider routers (the P-routers) would contain all customer routes and the PE-routers would only contain routes of a single customer, requiring a dedicated PE-router per customer per Point-of-Presence (POP). The customer isolation is achieved solely through lack of routing information on the PE-router. Using route filtering between the P-router and the PE-routers, the PE-router for Customer A will only learn routes belonging to Customer A, and the PE-router for Customer B will only learn routes belonging to Customer B. Border Gateway Protocol (BGP) with BGP communities is usually used inside the Provider backbone since it offers the most versatile route filtering tools.
Note Default routes used anywhere in the customer or Service Provider network break isolation between the customers and have to be avoided.
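The following Python model is added here and is not part of the Cisco material. It shows the controlled-route-distribution scheme from this slide together with the Note above: a P-router tags each customer’s routes with a community, each dedicated PE imports only its own customer’s community, and a default route injected by one of Customer A’s sites passes the community filter and gives PE-A a forwarding entry toward every destination, including Customer B’s. Prefixes, community values and router names are constructed.

```python
"""Dedicated-PE peer-to-peer VPN: isolation through controlled route
distribution, and the default-route caveat.

Added example, not Cisco code; prefixes, BGP community values and
router names are constructed. The P-router carries every customer's
routes, each tagged with a community naming the customer, and advertises
toward each PE only the routes carrying that PE's customer community.
"""
from ipaddress import ip_address, ip_network


def longest_match(routes, dst):
    """Return the most specific (prefix, tag) covering dst, or None."""
    dst = ip_address(dst)
    best = None
    for prefix, tag in routes:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, tag)
    return best


class PRouter:
    def __init__(self):
        self.routes = []                      # (prefix, community)

    def learn(self, prefix, community):
        self.routes.append((ip_network(prefix), community))

    def advertise_to(self, community):
        """Outbound policy toward a PE: match the customer community, deny the rest."""
        return [(p, c) for p, c in self.routes if c == community]

    def owner(self, dst):
        """Customer whose route the core would use for dst."""
        m = longest_match(self.routes, dst)
        return m[1] if m else None


class PERouter:
    def __init__(self, name, community):
        self.name, self.community = name, community
        self.rib = []

    def import_from(self, p_router):
        self.rib = p_router.advertise_to(self.community)

    def lookup(self, dst):
        """Longest-prefix match in the PE's own table; None means drop."""
        m = longest_match(self.rib, dst)
        return m[0] if m else None


def leaks(pe, p_router, dst):
    """True if the PE would forward dst into the core and the core's best
    route for dst belongs to a different customer."""
    if pe.lookup(dst) is None:
        return False
    return p_router.owner(dst) not in (None, pe.community)


def build_backbone():
    """One POP: a P-router plus a dedicated PE per customer (constructed)."""
    p = PRouter()
    for prefix, cust in [("10.1.0.0/24", "A"), ("10.2.0.0/24", "A"), ("10.3.0.0/24", "B")]:
        p.learn(prefix, cust)
    pe_a, pe_b = PERouter("PE-A", "A"), PERouter("PE-B", "B")
    pe_a.import_from(p)
    pe_b.import_from(p)
    return p, pe_a, pe_b


if __name__ == "__main__":
    p, pe_a, pe_b = build_backbone()
    print("PE-A route to 10.3.0.7 (Customer B):", pe_a.lookup("10.3.0.7"))
    p.learn("0.0.0.0/0", "A")        # a Customer A Internet site injects a default
    pe_a.import_from(p)
    print("after default route:", pe_a.lookup("10.3.0.7"),
          "leak:", leaks(pe_a, p, "10.3.0.7"))
```

Before the default route, PE-A simply has no entry for Customer B’s prefixes and drops the packet on the PE. After it, PE-A forwards anything it cannot match more specifically into the core, where the P-router does hold Customer B’s routes, which is exactly the isolation failure the Note warns about.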
Benefits of Various VPN Implementations

Overlay VPN
• Well-known and easy to implement
• Service Provider does not participate in customer routing
• Customer network and Service Provider network are well isolated

Peer-to-Peer VPN
• Guarantees optimum routing between customer sites
• Easier to provision an additional VPN
• Only the sites are provisioned, not the links between them
Each VPN paradigm has a number of benefits:
■ Overlay VPNs are well known and easy to implement, both from customer and Service Provider perspective
■ The Service Provider does not participate in customer routing in overlay VPNs, making the demarcation point between the Service Provider and the customer easier to manage.
On the other hand, peer-to-peer VPNs give you:
■ Optimum routing between customer sites without any special design or configuration effort
■ Easy provisioning of additional VPNs or customer sites, as the Service Provider only needs to provision individual sites, not the links between individual customer sites.
Drawbacks of Various VPN Implementations

Overlay VPN
• Implementing optimum routing requires a full mesh of virtual circuits
• Virtual circuits have to be provisioned manually
• Bandwidth must be provisioned on a site-to-site basis
• Always incurs encapsulation overhead

Peer-to-Peer VPN
• Service Provider participates in customer routing
• SP becomes responsible for customer convergence
• PE routers carry all routes from all customers
• SP needs detailed IP routing knowledge
Each VPN paradigm also has a number of drawbacks:
■ Overlay VPNs require a full mesh of virtual circuits between customer sites to provide optimum inter-site routing
■ All the virtual circuits between customer sites in an overlay VPN have to be provisioned manually and the bandwidth must be provisioned on a site-to-site basis (which is not always easy to achieve).
■ The IP-based overlay VPN implementations (with IPSEC or GRE) also incur high encapsulation overhead (ranging from 20 to 80 bytes per transported datagram).
The major drawbacks of peer-to-peer VPN arise from the Service Provider’s involvement in customer routing:
■ The Service Provider becomes responsible for correct customer routing and for fast convergence of customer network following a link failure.
■ The Service Provider P-routers have to carry all customer routes that were hidden from the Service Provider in the overlay VPN paradigm.
■ The Service Provider needs detailed IP routing knowledge, which is not readily available in traditional Service Provider teams.
Drawbacks of Traditional Peer-to-Peer VPNs

Shared PE router
• All customers share the same (provider-assigned or public) address space
• High maintenance costs associated with packet filters
• Lower performance: each packet has to pass a packet filter

Dedicated PE router
• All customers share the same address space
• Each customer requires a dedicated router at each POP
The pre-MPLS VPN implementations of peer-to-peer VPNs all shared a common drawback: the customers have to share the same address space, either using public IP addresses in their private networks or relying on service provider-assigned IP addresses. In both cases, connecting a new customer to a peer-to-peer VPN service usually requires IP renumbering inside the customer network, an operation most customers are reluctant to perform.
The peer-to-peer VPNs based on packet filters also incur high operational costs associated with packet filter maintenance as well as performance degradation due to heavy usage of packet filters.
The peer-to-peer VPNs implemented with per-customer PE-routers are easier to maintain and can give you optimum routing performance, but are usually more expensive since every customer requires a dedicated router in every POP. This approach is thus usually used in scenarios where the Service Provider only provides service to a small number of large customers.
Summary
VPN Taxonomy

[Figure: taxonomy tree. Virtual Networks divide into Virtual Dialup Networks, Virtual LANs and Virtual Private Networks. Virtual Private Networks divide into Peer-to-Peer VPN (Access Lists on a shared router, Split Routing on a dedicated router, MPLS VPN) and Overlay VPN (Layer 2 VPN: X.25, F/R, ATM; Layer 3 VPN: IPSec, GRE)]
There are a number of different Virtual Networking concepts present in the data communications fields:
■ The Virtual Local Area Networks (VLAN) allow you to implement isolated LANs over the same physical infrastructure
■ Virtual Private Dialup Networks (VPDN) allow customers to use the dial-in infrastructure of a Service Provider for their private dial-up connections
■ Virtual Private Networks (VPN) allow customers to use the shared infrastructure of a Service Provider to implement their private networks. There are two major VPN paradigms:
■ Overlay VPN, where the Service Provider gives the customer emulated point-to-point links across the Service Provider backbone, and
■ Peer-to-peer VPN, where the Service Provider becomes actively involved in customer routing and acts as the core layer-3 backbone of the customer network.
The overlay VPNs are implemented with a number of technologies, ranging from traditional layer-1 technologies (ISDN, SDH, SONET) and layer-2 technologies (X.25, Frame Relay, ATM) to modern IP-based solutions (GRE and IPSec).
The overlay VPNs, although well known and easy to implement, are harder to operate due to higher maintenance costs:
■ Every individual virtual circuit needs to be provisioned
■ Optimum routing between customer sites requires a full mesh of virtual circuits between sites
■ Bandwidth has to be provisioned on site-to-site basis.
Traditional peer-to-peer VPNs are implemented with packet filters on shared PE-routers or with dedicated per-customer PE-routers. Along with high maintenance costs (for the packet-filter approach) or equipment costs (for the dedicated per-customer PE-router approach), both methods require the customer to accept the Service Provider assigned address space or to use public IP addresses in the private customer network.
MPLS VPN, introduced in the next sections, provides all the benefits of peer-to-peer VPNs and alleviates most of the peer-to-peer VPN drawbacks (for example, the need for a common customer address space).
Review Questions
Answer the following questions:
■ What is an overlay VPN?
■ Which routing protocol runs between the customer and the service provider in an overlay VPN?
■ Which routers are routing protocol neighbors of a CE-router in an overlay VPN?
■ List three IP-based overlay VPN technologies.
■ What is the major benefit of peer-to-peer VPN as compared to overlay VPN?
■ List two traditional peer-to-peer VPN implementations.
Major VPN Topologies
Objectives
Upon completion of this section, you will be able to perform the following tasks:
■ Identify the three major categorizations of VPN
■ Identify the three Overlay VPN topologies
■ Understand the implications of using the overlay VPN approach with each topology
■ List sample usage scenarios for each topology
■ Identify the three VPN categorizations based on business needs
■ Identify the three VPN categorizations based on connectivity needs
VPN Categorizations
There are three major VPN categorizations:
■ Topology categorization, which only applies to overlay VPNs
■ Business categorization, which categorizes VPNs based on the business needs they fulfill
■ Connectivity categorization, which classifies VPNs based on their connectivity requirements.
VPN Topology Categorization

Overlay VPNs are categorized based on the topology of the virtual circuits:
• (Redundant) Hub-and-spoke topology
• Partial-mesh topology
• Full-mesh topology
• Multi-level topology, which combines several levels of overlay VPN topologies
The oldest VPN categorization was based on the topology of point-to-point links in an overlay VPN implementation:
■ Full-mesh topology provides a dedicated virtual circuit between any two CE-routers in the network
■ Partial-mesh topology reduces the number of virtual circuits, usually to the minimum number that still provides optimum transport between major sites
■ Hub-and-spoke topology is the ultimate reduction of partial mesh: many sites (spokes) are connected only to the central site(s) (hubs), with no direct connectivity between the spokes. To prevent single points of failure, the hub-and-spoke topology is sometimes extended to a redundant hub-and-spoke topology.
Large networks usually deploy a layered combination of these topologies, for example:
■ Partial mesh in the network core
■ Redundant hub-and-spoke for larger branch offices (spokes) connected to distribution routers (hubs)
■ Simple hub-and-spoke for non-critical remote locations (for example, home offices).
Overlay VPN Hub-and-Spoke Topology

[Figure: a central site (hub) router with one virtual circuit through the Service Provider network to each of four remote sites (spokes)]
The hub-and-spoke topology is the simplest overlay VPN topology: every remote site is linked by a single virtual circuit to a central CE-router, and all spoke-to-spoke traffic transits the hub. Routing is also extremely simple; static routing or a distance-vector protocol like RIP is more than adequate. If you are using a dynamic routing protocol like RIP and all virtual circuits terminate on one multipoint interface at the hub, split horizon must be disabled at the hub router, otherwise the hub never re-advertises one spoke’s routes to the other spokes; alternatively, use point-to-point sub-interfaces at the hub router, one per virtual circuit, so that split horizon no longer suppresses the spoke routes.
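The following Python model is added here and is not part of the Cisco material. It reproduces the split-horizon problem described above: with all spoke virtual circuits on one multipoint hub interface and split horizon enabled, the hub never re-advertises one spoke’s prefix to another spoke; disabling split horizon at the hub (on Cisco IOS, no ip split-horizon under the interface) or terminating each virtual circuit on its own point-to-point subinterface restores spoke-to-spoke reachability through the hub. Router names, interface names and prefixes are constructed.

```python
"""Distance-vector routing at the hub of an overlay hub-and-spoke VPN.

Added example, not Cisco code: router names, interface names and
prefixes are constructed. It models one round of RIP-style
advertisements from the hub to each spoke and reports which spoke
prefixes every spoke learns, depending on whether the hub terminates all
virtual circuits on one multipoint interface or on per-VC point-to-point
subinterfaces, and whether split horizon is enabled.
"""

SPOKES = {"S1": "10.1.0.0/24", "S2": "10.2.0.0/24", "S3": "10.3.0.0/24"}
HUB_LAN = "10.0.0.0/24"


def hub_interfaces(multipoint):
    """Hub interface on which each spoke's virtual circuit terminates."""
    if multipoint:
        return {s: "Serial0" for s in SPOKES}                       # one multipoint interface
    return {s: f"Serial0.{i}" for i, s in enumerate(SPOKES, 1)}    # one p2p subif per VC


def hub_rib(multipoint):
    """Hub routing table: prefix -> (metric, interface the route was learned on)."""
    ifs = hub_interfaces(multipoint)
    rib = {HUB_LAN: (0, "Ethernet0")}           # hub LAN, directly connected
    for spoke, prefix in SPOKES.items():
        rib[prefix] = (1, ifs[spoke])           # advertised by that spoke over its VC
    return rib


def routes_learned_by_spokes(multipoint, split_horizon):
    """Prefixes each spoke receives from the hub in one update round.

    Split horizon: the hub never advertises a route out of the interface it
    learned that route on. A spoke's own prefix is left out because the
    spoke already holds it as a connected route."""
    ifs = hub_interfaces(multipoint)
    rib = hub_rib(multipoint)
    learned = {}
    for spoke in SPOKES:
        out_if = ifs[spoke]
        learned[spoke] = sorted(
            prefix for prefix, (_, in_if) in rib.items()
            if prefix != SPOKES[spoke]
            and not (split_horizon and in_if == out_if)
        )
    return learned


def spokes_reach_each_other(multipoint, split_horizon):
    """True when every spoke has learned every other spoke's prefix."""
    learned = routes_learned_by_spokes(multipoint, split_horizon)
    others = {s: {p for o, p in SPOKES.items() if o != s} for s in SPOKES}
    return all(others[s] <= set(learned[s]) for s in SPOKES)


if __name__ == "__main__":
    for mp, sh in [(True, True), (True, False), (False, True)]:
        kind = "multipoint" if mp else "p2p subinterfaces"
        print(f"{kind:18} split-horizon={sh!s:5} spoke-to-spoke routes: "
              f"{spokes_reach_each_other(mp, sh)}")
```

With the multipoint interface and split horizon on, each spoke learns only the hub LAN; the other two configurations deliver every spoke prefix, and the traffic still crosses the hub because the overlay provides no spoke-to-spoke virtual circuit.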
Overlay VPN Redundant Hub-and-Spoke

[Figure: a central site (hub) with two redundant central site routers; each of four remote sites (spokes) has a virtual circuit through the Service Provider network to both central routers]
A typical redundant hub-and-spoke topology introduces central site redundancy (more complex topologies might also introduce router redundancy at spokes). Each remote site is linked with two central routers via two virtual circuits. The two virtual circuits can be used for load sharing or in a primary/backup configuration.
Overlay VPN Partial Mesh

[Figure: sites in Moscow, Sydney, Guam, Berlin, Hong Kong and New York connected by a partial mesh of virtual circuits (Frame Relay DLCIs)]
Partial mesh is used in environments where cost or complexity factors prevent a full mesh between customer sites. The virtual circuits in a partial mesh can be established based on a wide range of criteria:
■ Traffic pattern between sites
■ Availability of physical infrastructure
■ Cost considerations