MPLS and VPN Architectures, Volume II
ISBN 1587051125 (Volume II); companion Volume I ISBN 1587050021
English, 611 pages (PDF), 2003




MPLS and VPN Architectures, Volume II
By Jim Guichard, Ivan Pepelnjak, Jeff Apcar

Publisher: Cisco Press
Pub Date: June 06, 2003
ISBN: 1-58705-112-5
Pages: 504

With MPLS and VPN Architectures, Volume II, you'll learn:

  • How to integrate various remote access technologies into the backbone providing VPN service to many different types of customers
  • The new PE-CE routing options as well as other advanced features, including per-VPN Network Address Translation (PE-NAT)
  • How VRFs can be extended into a customer site to provide separation inside the customer network
  • The latest MPLS VPN security features and designs aimed at protecting the MPLS VPN backbone
  • How to carry customer multicast traffic inside a VPN
  • The latest inter-carrier enhancements to allow for easier and more scalable deployment of inter-carrier MPLS VPN services
  • Advanced troubleshooting techniques including router outputs to ensure high availability

MPLS and VPN Architectures, Volume II, builds on the best-selling MPLS and VPN Architectures, Volume I (1-58705-002-1), from Cisco Press. Extending into more advanced topics and deployment architectures, Volume II provides readers with the necessary tools they need to deploy and maintain a secure, highly available VPN.

MPLS and VPN Architectures, Volume II, begins with a brief refresher of the MPLS VPN Architecture. Part II describes advanced MPLS VPN connectivity including the integration of service provider access technologies (dial, DSL, cable, Ethernet) and a variety of routing protocols (IS-IS, EIGRP, and OSPF), arming the reader with the knowledge of how to integrate these features into the VPN backbone. Part III details advanced deployment issues including security, outlining the necessary steps the service provider must take to protect the backbone and any attached VPN sites, and also detailing the latest security features to allow more advanced topologies and filtering. This part also covers multi-carrier MPLS VPN deployments. Finally, Part IV provides a methodology for advanced MPLS VPN troubleshooting.

MPLS and VPN Architectures, Volume II, also introduces the latest advances in customer integration, security, and troubleshooting features essential to providing the advanced services based on MPLS VPN technology in a secure and scalable way. This book is part of the Networking Technology Series from Cisco Press, which offers networking professionals valuable information for constructing efficient networks, understanding new technologies, and building successful careers.






Table of Contents

Copyright
About the Authors
About the Technical Reviewers
About the Content Reviewer
Acknowledgments
Introduction
    Who Should Read This Book?
    How This Book Is Organized
    Icons Used in This Book
    Command Syntax Conventions
Part I. Introduction
    Chapter 1. MPLS VPN Architecture Overview
        MPLS VPN Terminology
        Connection-Oriented VPNs
        Connectionless VPNs
        MPLS-Based VPNs
        New MPLS VPN Developments
        Summary
Part II. Advanced PE-CE Connectivity
    Chapter 2. Remote Access to an MPLS VPN
        Feature Enhancements for MPLS VPN Remote Access
        Overview of Access Protocols and Procedures
        Providing Dial-In Access to an MPLS VPN
        Providing Dial-Out Access via LSDO
        Providing Dial-Out Access Without LSDO (Direct ISDN)
        Providing Dial Backup for MPLS VPN Access
        Providing DSL Access to an MPLS VPN
        Providing Cable Access to an MPLS VPN
        Advanced Features for MPLS VPN Remote Access
        Summary
    Chapter 3. PE-CE Routing Protocol Enhancements and Advanced Features
        PE-CE Connectivity: OSPF
        PE-CE Connectivity: Integrated IS-IS
        PE-CE Connectivity: EIGRP
        Summary
    Chapter 4. Virtual Router Connectivity
        Configuring Virtual Routers on CE Routers
        Linking the Virtual Router with the MPLS VPN Backbone
        VRF Selection Based on Source IP Address
        Performing NAT in a Virtual Router Environment
        Summary
Part III. Advanced Deployment Scenarios
    Chapter 5. Protecting the MPLS-VPN Backbone
        Inherent Security Capabilities
        Neighbor Authentication
        CE-to-CE Authentication
        Control of Routes That Are Injected into a VRF
        PE to CE Circuits
        Extranet Access
        Internet Access
        IPSec over MPLS
        Summary
    Chapter 6. Large-Scale Routing and Multiple Service Provider Connectivity
        Large Scale Routing: Carrier's Carrier Solution Overview
        Carrier Backbone Connectivity
        Label Distribution Protocols on PE-CE Links
        BGP-4 Between PE/CE Routers
        Hierarchical VPNs: Carrier's Carrier MPLS VPNs
        VPN Connectivity Between Different Service Providers
        Summary
    Chapter 7. Multicast VPN
        Introduction to IP Multicast
        Enterprise Multicast in a Service Provider Environment
        mVPN Architecture
        MDTs
        Case Study of mVPN Operation in SuperCom
        Summary
    Chapter 8. IP Version 6 Transport Across an MPLS Backbone
        IPv6 Business Drivers
        Deploying IPv6 in Existing Networks
        Quick Introduction to IPv6
        In-Depth 6PE Operation and Configuration
        Complex 6PE Deployment Scenarios
        Summary
Part IV. Troubleshooting
    Chapter 9. Troubleshooting of MPLS-Based Solutions
        Introduction to Troubleshooting of MPLS-Based Solutions
        Troubleshooting the MPLS Backbone
        Other Quick Checks
        MPLS Control Plane Troubleshooting
        MPLS Data Plane Troubleshooting
        MPLS VPN Troubleshooting
        In-Depth MPLS VPN Troubleshooting
        Summary
Index

Copyright

Copyright © 2003 Cisco Systems, Inc. Cisco Press logo is a trademark of Cisco Systems, Inc.

Published by:
Cisco Press
201 West 103rd Street
Indianapolis, IN 46290 USA

All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review.

Printed in the United States of America 1 2 3 4 5 6 7 8 9 0

Library of Congress Cataloging-in-Publication Number: 61 947 205 1122

Warning and Disclaimer

This book is designed to provide information about MPLS and VPN architectures. Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied.

The information is provided on an "as is" basis. The authors, Cisco Press, and Cisco Systems, Inc. shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the discs or programs that may accompany it.

The opinions expressed in this book belong to the authors and are not necessarily those of Cisco Systems, Inc.

Trademark Acknowledgments

All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Cisco Press or Cisco Systems, Inc. cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.

Feedback Information

At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community.

Readers' feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us through e-mail at feedback@ciscopress.com. Please make sure to include the book title and ISBN in your message.

We greatly appreciate your assistance.

Credits

Publisher: John Wait
Editor-in-Chief: John Kane
Cisco Representative: Anthony Wolfenden
Cisco Press Program Manager: Sonia Torres Chavez
Manager, Marketing Communications, Cisco Systems: Scott Miller
Cisco Marketing Program Manager: Edie Quiroz
Acquisitions Editor: Amy Moss
Production Manager: Patrick Kanouse
Development Editor: Grant Munroe
Project Editor: Lori Lyons
Copy Editor: Karen A. Gill
Technical Editors: Matt Birkner, Dan Tappan
Content Editor: Monique Morrow
Team Coordinator: Tammi Ross
Book Designer: Gina Rexrode
Cover Designer: Louisa Adair
Production Team: Mark Shirar
Indexer: Tim Wright

Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706 USA
www.cisco.com
Tel: 408 526-4000, 800 553-NETS (6387)
Fax: 408 526-4100

European Headquarters
Cisco Systems International BV
Haarlerbergpark
Haarlerbergweg 13-19
1101 CH Amsterdam
The Netherlands
www-europe.cisco.com
Tel: 31 0 20 357 1000
Fax: 31 0 20 357 1100

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706 USA
www.cisco.com
Tel: 408 526-7660
Fax: 408 527-0883

Asia Pacific Headquarters
Cisco Systems, Inc.
Capital Tower
168 Robinson Road
#22-01 to #29-01
Singapore 068912
www.cisco.com
Tel: +65 6317 7777
Fax: +65 6317 7799

Cisco Systems has more than 200 offices in the following countries and regions. Addresses, phone numbers, and fax numbers are listed on the Cisco.com Web site at www.cisco.com/go/offices.

Argentina • Australia • Austria • Belgium • Brazil • Bulgaria • Canada • Chile • China PRC • Colombia • Costa Rica • Croatia • Czech Republic • Denmark • Dubai, UAE • Finland • France • Germany • Greece • Hong Kong SAR • Hungary • India • Indonesia • Ireland • Israel • Italy • Japan • Korea • Luxembourg • Malaysia • Mexico • The Netherlands • New Zealand • Norway • Peru • Philippines • Poland • Portugal • Puerto Rico • Romania • Russia • Saudi Arabia • Scotland • Singapore • Slovakia • Slovenia • South Africa • Spain • Sweden • Switzerland • Taiwan • Thailand • Turkey • Ukraine • United Kingdom • United States • Venezuela • Vietnam • Zimbabwe

Copyright © 2003 Cisco Systems, Inc. All rights reserved. CCIP, CCSP, the Cisco Arrow logo, the Cisco Powered Network mark, the Cisco Systems Verified logo, Cisco Unity, Follow Me Browsing, FormShare, iQ Net Readiness Scorecard, Networking Academy, and ScriptShare are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, The Fastest Way to Increase Your Internet Quotient, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherSwitch, Fast Step, GigaStack, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, LightStream, MGX, MICA, the Networkers logo, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, RateMUX, Registrar, SlideCast, SMARTnet, StrataView Plus, Stratm, SwitchProbe, TeleRouter, TransPath, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries.

All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0303R)

Printed in the USA

Dedications

To my wife Sadie, for putting up with me writing another book and the lonely nights associated with such an undertaking. To my children Aimee and Thomas, who always help to keep me smiling. —Jim

To my wife Karmen, who was always there when I needed encouragement or support. To my children Maja and Monika, who waited patiently for my attention on too many occasions. —Ivan

To my wife Anne, who is an exceptional person in every way. To my children Caitlin, Conor, and especially Ronan: Despite his constant efforts to reboot my PC, I managed to lose a draft only once. —Jeff




About the Authors

Jim Guichard, CCIE No. 2069, is a Technical Leader II within the Internet Technologies Division (ITD) at Cisco Systems. During the past six years at Cisco and previously at IBM, Jim has been involved in the design, implementation, and planning of many large-scale WAN and LAN networks. His breadth of industry knowledge, hands-on experience, and understanding of complex internetworking architectures have enabled him to provide valued assistance to many of Cisco's larger service provider customers. His previous publications include MPLS and VPN Architectures, by Cisco Press.

Ivan Pepelnjak, CCIE No. 1354, is the Chief Technology Advisor and member of the board with NIL Data Communications (www.NIL.si), a high-tech data communications company that focuses on providing high-value services in new-world service provider technologies.

Ivan has more than 10 years of experience in designing, installing, troubleshooting, and operating large corporate and service provider WAN and LAN networks, several of them already deploying MPLS-based virtual private networks (VPNs). He is the author or lead developer of a number of highly successful advanced IP courses covering MPLS/VPN, BGP, OSPF, and IP QoS, and he is the architect of NIL's remote lab solution. Ivan's previous publications include MPLS and VPN Architectures and EIGRP Network Design Solutions, by Cisco Press.

Jeff Apcar is a Senior Design Consulting Engineer in the Asia Pacific Advanced Services group at Cisco Systems. He is one of the Cisco lead consultants on MPLS in the region and has designed MPLS networks for many service providers in AsiaPac using packet-based and cell-based MPLS. Jeff has also designed and maintained large IP routing networks (500+ nodes) and has a broad and deep range of skills covering many facets of networking communications.

Jeff has more than 24 years of experience in data communications and holds Dip. Tech (Information Processing) and B.App.Sc (Computing Science) (Hons) from the University of Technology, Sydney, Australia.
About the Technical Reviewers

Matthew H. Birkner, CCIE No. 3719, is a Technical Leader at Cisco Systems, specializing in IP and MPLS network design. He has influenced multiple large carrier and enterprise designs worldwide. Matt has spoken at Cisco Networkers on MPLS VPN technologies in both the U.S. and EMEA over the past few years. A "double CCIE", he has published the Cisco Press book Cisco Internetwork Design. Matt holds a BSEE from Tufts University, where he majored in electrical engineering.

Dan Tappan is a distinguished engineer at Cisco Systems. He has 20 years of experience with internetworking, having worked on the ARPANET transition from NCP to TCP at Bolt, Beranek, and Newman. For the past several years, Dan has been the technical lead for Cisco's implementation of MPLS (tag switching) and MPLS/VPNs.


About the Content Reviewer

Monique Morrow is currently CTO Consulting Engineer at Cisco Systems, Inc. She has 20 years of experience in IP internetworking that includes design, implementation of complex customer projects, and service development for service providers. Monique has been involved in developing managed network services such as remote access and LAN switching in a service provider environment. She has worked for both enterprise and service provider companies in the United States and in Europe. She led the Engineering Project team for one of the first European MPLS-VPN deployments in 1999 for a European service provider.


Acknowledgments

Every major project is a result of teamwork, and this book is no exception. We'd like to thank everyone who helped us in the long writing process: our development editor, Grant Munroe, who helped us with the intricacies of writing a book; the rest of the editorial team from Cisco Press; and especially our reviewers, Dan Tappan, Matt Birkner, and Monique Morrow. They not only corrected our errors and omissions, but they also included several useful suggestions to improve the quality of this publication.

Jeff would like to thank his management team, Tony Simonsen, Michael Lim, and Steve Smith, for providing the time and encouragement to do the book. Also special thanks to the guys in the AsiaPac Lab Group, Nick Stathakis, Ron Masson, and George Lerantges, who let him hog lots of gear. Last, Jeff would like to thank Jim and Ivan for inviting him to collaborate with them.

Finally, this book would never have been written without the continuous support and patience of our families, especially our wives, Sadie, Karmen, and Anne.


Introduction

Since our first MPLS book (MPLS and VPN Architectures) was published by Cisco Press a few years ago, MPLS has matured from a hot leading-edge technology—supporting Internet services and leased-line–based VPN solutions—to a set of solutions that are successfully deployed in large-scale service provider networks worldwide. A number of additional solutions had to be developed to support the needs of these networks, and many additional IOS services were made VPN-aware to enable the service providers to deploy the services they were already offering within the new architectural framework. Therefore, it was a natural step to continue on the path we charted with the first book and describe the enhancements made to the MPLS architecture or its implementation in Cisco IOS in MPLS and VPN Architectures: Volume II.


Who Should Read This Book?

This book is not designed to be an introduction to Multiprotocol Label Switching (MPLS) or virtual private networks (VPNs); Volume I (MPLS and VPN Architectures) provides you with that knowledge. This book is intended to tremendously increase your knowledge of advanced MPLS VPN deployment scenarios and enable you to deploy MPLS and MPLS VPN solutions in a variety of complex designs. Anyone who is involved in design, deployment, or troubleshooting of advanced or large-scale MPLS or MPLS VPN networks should read it.


How This Book Is Organized

Although this book could be read cover-to-cover, it is designed to be flexible and allow you to easily move between chapters and sections of chapters to cover just the material that you need more information on. If you do intend to read them all, the order in the book is an excellent sequence to use.

Part I: Introduction

Chapter 1, "MPLS VPN Architecture Overview," serves as a refresher to the information contained within MPLS and VPN Architectures. It does not describe the MPLS or MPLS VPN technology in detail; if you need baseline MPLS or MPLS VPN knowledge, read MPLS and VPN Architectures: Volume I first.

Part II: Advanced PE-CE Connectivity

Chapter 2, "Remote Access to an MPLS VPN," discusses integration of access technologies such as dial, DSL, and cable into an MPLS VPN backbone. This chapter shows how you can integrate various access technologies into the backbone, thereby providing VPN service to many types of customers.

Chapter 3, "PE-CE Routing Protocol Enhancements and Advanced Features," builds on Volume I of the MPLS and VPN Architectures book and introduces more advanced options/features for OSPF connectivity as well as support for IS-IS and EIGRP routing protocols.

Chapter 4, "Virtual Router Connectivity," discusses the use of the VRF constructs to build virtual router type connectivity, extending the VRF concept to the CE router. This chapter also discusses new VRF-related features, including VRF-lite and PE-based network address translation (PE-NAT).

Part III: Advanced Deployment Scenarios

Chapter 5, "Protecting the MPLS-VPN Backbone," looks at various security issues within the backbone and describes the necessary steps that a service provider must take to protect the backbone and any attached VPN sites.

Chapter 6, "Large-Scale Routing and Multiple Service Provider Connectivity," describes the advanced features, designs, and topologies that were made possible with the enhancements to Cisco IOS since the first MPLS and VPN Architectures book was written.

Chapter 7, "Multicast VPN," discusses the deployment of IP multicast between VPN client sites.

Chapter 8, "IP Version 6 Across an MPLS Backbone," discusses a model (6PE) that gives the service providers an option to provide IPv6 connectivity across an MPLS-enabled IPv4 backbone.

Part IV: Troubleshooting

Chapter 9, "Troubleshooting of MPLS-Based Solutions," provides a streamlined methodology for identifying faults in MPLS solutions and troubleshooting an MPLS VPN backbone.

Icons Used in This Book Thr oug hout t his b ook, you w ill see t he f ollow ing icons u sed for net w ork ing dev ices: •

Table of Content s



I ndex

MP LS and V PN Ar chi te ctur e s, V olum e I I By Jim Guichard , I van Pepelnjak , Jeff Apcar

Pub lish er: Cisco Press Pub Dat e: Ju ne 06, 2 00 3 I SBN: 1- 58 705 -1 12 -5 Pages: 50 4

Wit h MPLS and VPN Ar chit ect u res, Volum e I I , y ou' ll lear n : How t o int egr at e v ar iou s r em ot e access t echn ologies in t o t h e back bone p r ovidin g VPN ser v ice t o m any d iff er ent t yp es of cu st om er s The n ew PE- CE r out in g op t ions as w ell as ot her adv anced f eat ur es, includ ing per- VPN Net w ork Ad dr ess Tr an slat ion ( PE- NAT) The f ollow in g icons are u sed for perip herals an d ot her dev ices: How VRFs can be ex t ended int o a cust om er sit e t o pr ov ide sep ar at ion inside t he cust om er net w ork The lat est MPLS VPN secur it y f eat u res an d d esign s aim ed at pr ot ect ing t h e MPLS VPN back bone How t o carr y cust om er m ult icast t r aff ic insid e a VPN The lat est in t er - car rier enh ancem ent s t o allow f or easier and m or e scalable d ep loym ent of int er - car r ier MPLS VPN serv ices Adv anced t rou blesh oot ing t echn iques includ in g r ou t er out pu t s t o en su re high av ailab ilit y MPLS and VPN Ar chit ect u res, Volum e I I , b uilds on t he best - sellin g MPLS an d VPN Ar ch it ect u res, Volum e I ( 1 - 587 05- 0 02- 1) , f rom Cisco Pr ess. Ex t endin g int o m or e adv anced t opics an d d ep loy m ent archit ect ur es, Volu m e I I pr ovid es r eader s w it h t he necessar y t ools t hey n eed t o d ep loy and m ain t ain a secur e, hig hly av ailab le VPN. MPLS and VPN Ar chit ect u res, Volum e I I , b eg in s w it h a br ief ref resher of t he MPLS VPN Ar ch it ect u re. Par t I I descr ibes adv anced MPLS VPN con nect iv it y includ in g t he int egr at ion of ser v ice pr ovider access t echn olog ies ( dial, DSL, cab le, Et her net ) an d a v ariet y of r out in g pr ot ocols ( I S- I S, EI GRP, and OSPF) , ar m in g t he r eader w it h t he k now ledge of h ow t o Theegr f ollow g icons are sed w ork s an d e. 
n etPart wor IkI Iconn ect ions: int at e tin h ese f eat ur esuin t o for t h e net VPN b ack bon det ails adv anced d ep loy m ent issues includin g secu r it y , ou t lining t he n ecessar y st eps t h e ser v ice p rov ider m ust t ake t o p rot ect t he back bone and any at t ached VPN sit es, and also det ailin g t he lat est secu rit y f eat ur es t o allow m or e adv anced t op ologies and filt erin g. This par t also cov er s m ult i- car r ier MPLS VPN deploy m en t s. Fin ally , Par t I V pr ov id es a m et hodology for ad van ced MPLS VPN t r oub leshoot ing . MPLS and VPN Ar chit ect u res, Volum e I I , also int rod uces t he lat est adv ances in cu st omer int egr at ion, secur it y, and t r oubleshoot ing feat u res essent ial t o p rov iding t h e adv anced



Table of Content s



I ndex

MP LS and V PN Ar chi te ctur e s, V olum e I I By Jim Guichard , I van Pepelnjak , Jeff Apcar

Pub lish er: Cisco Press Pub Dat e: Ju ne 06, 2 00 3 I SBN: 1- 58 705 -1 12 -5 Pages: 50 4

Wit h MPLS and VPN Ar chit ect u res, Volum e I I , y ou' ll lear n : How t o int egr at e v ar iou s r em ot e access t echn ologies in t o t h e back bone p r ovidin g VPN ser v ice t o m any d iff er ent t yp es of cu st om er s The n ew PE- CE r out in g op t ions as w ell as ot her adv anced f eat ur es, includ ing per- VPN Net w ork Ad dr ess Tr an slat ion ( PE- NAT) How VRFs can be ex t ended int o a cust om er sit e t o pr ov ide sep ar at ion inside t he cust om er net w ork The lat est MPLS VPN secur it y f eat u res an d d esign s aim ed at pr ot ect ing t h e MPLS VPN back bone How t o carr y cust om er m ult icast t r aff ic insid e a VPN The lat est in t er - car rier enh ancem ent s t o allow f or easier and m or e scalable d ep loym ent of int er - car r ier MPLS VPN serv ices Adv anced t rou blesh oot ing t echn iques includ in g r ou t er out pu t s t o en su re high av ailab ilit y MPLS and VPN Ar chit ect u res, Volum e I I , b uilds on t he best - sellin g MPLS an d VPN Ar ch it ect u res, Volum e I ( 1 - 587 05- 0 02- 1) , f rom Cisco Pr ess. Ex t endin g int o m or e adv anced t opics an d d ep loy m ent archit ect ur es, Volu m e I I pr ovid es r eader s w it h t he necessar y t ools t hey n eed t o d ep loy and m ain t ain a secur e, hig hly av ailab le VPN. MPLS and VPN Ar chit ect u res, Volum e I I , b eg in s w it h a br ief ref resher of t he MPLS VPN Ar ch it ect u re. Par t I I descr ibes adv anced MPLS VPN con nect iv it y includ in g t he int egr at ion of ser v ice pr ovider access t echn olog ies ( dial, DSL, cab le, Et her net ) an d a v ariet y of r out in g pr ot ocols ( I S- I S, EI GRP, and OSPF) , ar m in g t he r eader w it h t he k now ledge of h ow t o int egr at e t h ese f eat ur es in t o t h e VPN b ack bon e. 
Part III details advanced deployment issues including security, outlining the necessary steps the service provider must take to protect the backbone and any attached VPN sites, and also detailing the latest security features to allow more advanced topologies and filtering. This part also covers multi-carrier MPLS VPN deployments. Finally, Part IV provides a methodology for advanced MPLS VPN troubleshooting. MPLS and VPN Architectures, Volume II, also introduces the latest advances in customer integration, security, and troubleshooting features essential to providing the advanced

Command Syntax Conventions

The conventions used to present command syntax in this book are the same conventions used in the IOS Command Reference. The Command Reference describes these conventions as follows:

• Vertical bars (|) separate alternative, mutually exclusive elements.

• Square brackets [ ] indicate optional elements.

• Braces { } indicate a required choice.

• Braces within brackets [{ }] indicate a required choice within an optional element.

• Boldface indicates commands and keywords that are entered literally as shown. In actual configuration examples and output (not general command syntax), boldface indicates commands that are manually input by the user (such as a show command).

• Italics indicate arguments for which you supply actual values.

Part I: Introduction

Chapter 1 MPLS VPN Architecture Overview

Chapter 1. MPLS VPN Architecture Overview

Virtual private networks (VPNs) have recently received a lot of attention from equipment manufacturers, consultants, network designers, service providers, large enterprises, and end users due to their cost advantages over traditional enterprise networks. As with most technologies, the foundation for today's VPN networks and underlying technologies was created more than 20 years ago. During its development, end users discovered that it made financial sense to replace links between sites in their own private network with virtual connections across a shared infrastructure. The assumption for doing this was that a shared environment (or VPN) is equivalent in terms of security and privacy to the network (links) it was replacing.

This chapter reviews the basic Multiprotocol Label Switching (MPLS) and MPLS-based VPN concepts and terminologies to ensure an understanding of the terms used in this book. It also covers the latest developments in the MPLS VPN arena and how they enable the service provider to offer new MPLS-based services, such as remote access into an MPLS-based VPN or Internet Protocol (IP) multicast within a VPN. These developments are also described in depth in later chapters.

NOTE

You can find more in-depth descriptions of these concepts and additional MPLS and MPLS VPN background information in Ivan Pepelnjak and Jim Guichard's MPLS and VPN Architectures (Volume I), published by Cisco Press, which is a prerequisite to understanding this book.

MPLS VPN Terminology

Since the early days of X.25 and Frame Relay (the two technologies initially used to deploy VPN services), many different technologies have been proposed as the basis to enable a VPN infrastructure. These ranged from Layer 2 technologies (X.25, Frame Relay, and Asynchronous Transfer Mode [ATM]) to Layer 3 technologies (primarily IP) or even Layer 7 technologies. IBM once had a product that transported IP datagrams over Systems Network Architecture (SNA) application sessions, and TGV (a company later acquired by Cisco Systems) had implemented IP transport over DECnet sessions. Not surprisingly, with such a variety of implementation proposals, the overall terminology in the field has changed dramatically. This book uses the terminology introduced with the MPLS-based VPN.

MPLS VPN-based terminology is based on a clear distinction between the service provider network (P-network) and the customer network (C-network), as shown in Figure 1-1.

Figure 1-1. MPLS VPN-Based Terminology

The P-network is always topologically contiguous, whereas the C-network is usually clearly delineated into a number of sites (contiguous parts of the customer network that are connected in some way other than through the VPN service). Note that a site does not need to be geographically contained; if the customer is using a VPN service for its international connectivity only, a site could span a whole country.

The devices that link the customer sites to the P-network are called customer edge (CE) devices, whereas the service provider devices to which the CE routers connect are called provider edge (PE) devices. In most cases, the P-network is made up of more than just the PE routers. These other devices are called P devices (or P routers, if the P-network is implemented with Layer 3 technology). Similarly, the additional Layer 3 devices in the customer sites that have no direct connectivity to the P-network are called C routers.

VPN technologies have evolved into two major approaches toward implementing VPN services:

• Connection-oriented VPN — The PE devices provide virtual leased lines between the CE devices. These virtual leased lines are called virtual circuits (VCs). The VCs can be permanent, established out-of-band by the service provider network management team (called permanent virtual circuits, or PVCs). They can also be temporary, established by the CE devices through a signaling protocol that the PE devices understand. (These VCs are called switched virtual circuits, or SVCs.)

• Connectionless VPN — The PE devices participate in the connectionless data transport between CE devices. It is unnecessary for the service provider or the customer to establish VCs in these VPNs, except perhaps between PE and CE routers if the service provider uses switched WAN as its access network technology.

Connection-Oriented VPNs

Connection-oriented VPNs were the first ones to be introduced. They offer a number of clear advantages, including the following:

• The service provider does not need to understand the customer's network; the service provider just provides virtual circuits between the customer sites.

• The service provider is not involved in the customer's routing (as shown in Figures 1-2 and 1-3), and it doesn't need to know which Layer 3 protocols the customer is deploying. Consider, for example, the network shown in Figure 1-2. The VPN network is implemented with Frame Relay VCs; therefore, the service provider is unaware of the routing protocols that the customer is using. From the customer's routing perspective, the customer routers are directly adjacent (linked with virtual point-to-point links), as shown in Figure 1-3.

Figure 1-2. Connection-Oriented VPN: Physical Topology

Figure 1-3. Connection-Oriented VPN: Customer Routing Perspective

Connection-oriented VPNs also have several obvious disadvantages:

• All VCs between the customer sites have to be provisioned, either manually by the service provider network management team or by the CE devices. Even if the VCs are established automatically by the CE devices, these devices need to be configured with enough information to establish the links through the signaling protocol of choice.

• The CE routers must exchange the routing information with other CE routers, resulting in more router adjacencies, slower convergence, and generally more complex routing setups.

NOTE

If you are interested in more of the advantages and disadvantages of connection-oriented or connectionless VPNs, you can find them in Chapter 8, "Virtual Private Network (VPN) Implementation Options," of Jim Guichard and Ivan Pepelnjak's MPLS and VPN Architectures (Volume I), published by Cisco Press, 2002.

Modern connection-oriented VPNs are implemented with a variety of different technologies, including the following:

• They can be implemented with traditional connection-oriented Layer 2 technologies (X.25, Frame Relay, or ATM) or with connectionless Layer 2 technologies, such as virtual LANs (VLANs).

• They can also be implemented with tunnels that are established over public Layer 3 infrastructure (usually over public IP infrastructure, most commonly the Internet). These VPNs can use Layer 3 over Layer 3 tunnels, such as generic routing encapsulation (GRE), which is described in RFC 2784, or tunnels based on IP security (IPSec) technology. These VPNs can also use Layer 2 over Layer 3 tunnels, which are most commonly found in dial-up access networks to implement virtual private dialup networks (VPDNs).

Connectionless VPNs

Contrary to connection-oriented VPNs, connectionless VPNs propagate individual datagrams that the CE devices send across the P-network. This approach, although highly scalable as proven by today's Internet, does impose a number of limitations on the customers:

• The customers can only use the Layer 3 protocol that the service provider supports. This was a serious drawback a few years ago, but it is quickly becoming a moot issue because most networking devices now support IPv4.

• The customers must use addresses coordinated with the service provider. In a connectionless network, every P device must be able to forward every individual datagram to its final destination; therefore, each datagram must have a unique destination address, known to every P device, as shown in Figure 1-4.

Figure 1-4. Packet Propagation on Connectionless VPNs

The simplicity of CE router configuration in a connectionless VPN world, as well as the capability to support IP-based VPN services together with public IP services on the common infrastructure, prompted many service providers to consider the rollout of connectionless VPN services. However, the acceptance of these services was initially quite low because the customers were unwilling to renumber their existing network infrastructure to comply with the service provider's addressing requirement.

Clearly, a different VPN technology was needed that would combine the benefits of a connectionless VPN (simple CE router configuration and lack of explicit provisioning of the virtual circuits) with the benefits of a connection-oriented VPN (such as the support of overlapping address spaces and the simplicity of forwarding data in the P devices).

MPLS-Based VPNs

MPLS-based VPN technology uses a combination of connection-oriented and connectionless VPN technologies, including the following features:


The interface between the CE routers and the PE routers is connectionless. No additional configuration is needed on the CE devices.


The PE routers use a modified IP forwarding paradigm; a distinct IP routing and forwarding table (called virtual routing and forwarding table, or VRF) is created for each customer.

The customer's addresses are extended with 64-bit route distinguishers to make nonunique 32-bit IP addresses globally unique within the service providers' backbone. The resulting 96-bit addresses are called VPNv4 addresses.

A single routing protocol is run between the PE routers for all VPN customers. Modified Border Gateway Protocol (BGP) with multiprotocol extensions is used in this function.

The PE routers use MPLS-based VCs (called label-switched paths, or LSPs) to transport the customer's datagrams between PE routers. Additional MPLS labels are inserted in front of the customer's IP datagrams to ensure their proper forwarding from ingress PE router toward destination CE router.

The LSPs between all PE routers are established automatically based on the IP topology of the P-network. It is unnecessary to configure or manually establish these paths.

The mapping between the customer's destination addresses and LSPs leading toward egress PE routers is performed automatically based on the BGP next-hops.

The following sections will briefly refresh your MPLS and MPLS VPN knowledge.
For more in-depth discussion of the MPLS and MPLS VPN technology, please refer to Cisco Press's MPLS and VPN Architectures (Volume I). For more details on ATM-based MPLS implementations, refer to Advanced MPLS Design and Implementation, published by Cisco Press.

The MPLS Technology

In essence, the MPLS technology combines the richness of IP routing and the simplicity of hop-by-hop label switching of Frame Relay or ATM to provide the seamless integration of the connection-oriented forwarding with the IP world. Due to their dual nature (they operate on both the IP layer as well as the label-switching layer), the MPLS devices are called label switch routers (LSRs). This section describes the typical operation of MPLS devices, focusing on the simplest MPLS application: forwarding of IP datagrams across an MPLS network.
All devices in an MPLS network run IP routing protocols on their control plane to build IP routing tables. In MPLS devices that support IP forwarding, the IP routing tables are used to build IP forwarding tables, also called forwarding information base (FIB). In MPLS devices that support only label forwarding (such as the ATM switches with MPLS functionality), the IP routing FIB does not exist. The IP routing operation of the MPLS control plane is shown in Figure 1-5.

Figure 1-5. LSRs Build the IP Routing Table


After the IP routing tables have been built, MPLS labels are assigned to individual entries in the IP routing table (individual IP prefixes) and propagated to adjacent MPLS devices through a Label Distribution Protocol (LDP).

NOTE

In usual MPLS operation, labels are not assigned to BGP destinations because the router always reaches BGP destinations through recursive lookup on BGP next-hop. Therefore, BGP destinations can be reached through the label that is associated with the BGP next-hop for those destinations.

Each MPLS device uses its own local label space; globally unique labels or centralized label assignment is unnecessary, making MPLS extremely robust and scalable. Every label assigned by an MPLS device is entered as an input label in its label forwarding information base (LFIB), which is the forwarding table used for label switching. The label assignment and distribution of an MPLS device are illustrated in Figure 1-6.

Figure 1-6. Control Plane Operations in an LSR
Most MPLS label assignments, both local as well as those made by adjacent devices, are entered into a table called the label information base (LIB). The label that the IP next-hop assigns for a particular IP prefix is entered as an output label in the local LFIB to enable pure label forwarding. In devices that support IP forwarding, such a label is also entered into the FIB to support IP-to-label forwarding.

After the IP routing tables, IP forwarding tables, and label forwarding tables have been built, the MPLS devices can start to forward IP traffic. All MPLS devices must support label forwarding; whenever they receive a labeled packet, they perform a label lookup in the LFIB, replace the input label with the output label, and forward the labeled packet to the next-hop LSR. Some MPLS devices (ingress LSRs) can receive IP datagrams, perform a lookup in the FIB, insert an MPLS label stack in front of the IP datagram based on information stored in the FIB, and forward the labeled packet to the next-hop LSR. The PE router within the MPLS VPN architecture is an example of such a device. Other MPLS devices (egress LSR) can receive labeled packets, perform an LFIB lookup, and (based on the absence of an output label in the LFIB) remove the label from the ingress labeled datagram and forward the IP datagram to the next-hop IP router. In most cases, all LSRs in an MPLS network can act as both ingress and egress LSRs, the notable exception being ATM switches acting as LSRs. The various paths that an IP datagram or a labeled datagram can take through an LSR are displayed in Figure 1-7.

Figure 1-7. Packet Forwarding in an LSR

The basic principle of MPLS has been extended to a variety of other applications, including these:

MPLS traffic engineering (TE)—The modified link-state routing protocols (OSPF and IS-IS) are used to discover free resources in the network, labels are assigned through Resource Reservation Protocol (RSVP), and the global FIB is modified based on the MPLS TE labels.
MPLS VPNs—Many VPN FIBs are created (one or more per customer), and Multiprotocol BGP is used to distribute the customer routing information and MPLS labels across the network.

MPLS quality of service (QoS) in ATM environments—The standard LDP is modified to assign up to four labels for each IP prefix, with each label serving a different QoS class.

New MPLS applications are constantly emerging. For example, one of the new MPLS applications (also covered in this book) enables IPv6 transport across an MPLS network; IPv6 routing protocols are used to build IPv6 routing tables, which are then used as the basis for label assignment and distribution.

The large variety of different MPLS applications still adhere to the common framework. Each application might have its own "routing protocol," its own LDP, and its own forwarding database. However, the MPLS applications all share a common LFIB, enabling the LSRs to transparently integrate new MPLS applications without affecting the existing services, as shown in Figure 1-8.


Figure 1-8. Multiple MPLS Applications in a Single LSR


The MPLS VPN Technology

As discussed previously, MPLS-based VPNs use a combination of connectionless VPNs between the customer and service providers (thus minimizing the provisioning complexity and cost) with connection-oriented VPNs in the network core (reducing the overhead on the P devices). Furthermore, several additional mechanisms have been implemented to allow the customers to use overlapping address spaces.

In a typical MPLS-VPN network, the CE routers and PE routers exchange the customer routes using any suitable IP routing protocol. These routes are inserted into VRFs on the PE routers, which guarantees the perfect isolation between customers. This process is illustrated in Figure 1-9, which details the internal structure of a PE router (San Jose) to which two VPN customers are connected (Fast Food and EuroBank) and which also connects to a P router (Washington).

Figure 1-9. Virtual Routing Tables in a PE Router




When customer routes are placed into VRFs, the PE routers allocate a separate MPLS label that will be needed for VPN data forwarding to each customer route. The customer routes and MPLS labels are transported across the P-network using multiprotocol BGP. The customer IP addresses are augmented with a 64-bit route distinguisher before being inserted into the provider's BGP to ensure global uniqueness of potentially nonunique customer addresses. Additional BGP attributes (extended BGP communities) are used to control the exchange of routes between VRFs to allow the service providers to build VPN topologies that are almost impossible to build with any other VPN technology.

NOTE

You can find detailed descriptions of these topologies and implementation guidelines in the MPLS and VPN Architectures (Volume I) book.

The extended BGP communities are also used to implement additional MPLS VPN features, including automatic route filtering with the site-of-origin (SOO) community or automatic propagation of Open Shortest Path First (OSPF) route attributes across the BGP backbone. (OSPF support is described in more detail in Chapter 3, "PE-CE Routing Protocol Enhancements and Advanced Features.")

VPN packet forwarding across the MPLS VPN backbone is implemented with MPLS forwarding using an MPLS label stack imposed in the IP datagram by the ingress PE router. The first label in the stack is the label assigned to the IP address of the egress PE router (BGP next hop) in the service provider core. The second label is the label assigned to the customer route by the egress PE router. The first label is usually removed one hop before the egress PE router through a process called penultimate hop popping. The egress PE router then performs label lookup on the VPN label, removes the VPN label, and forwards the packet to the CE router. The whole process is illustrated in Figure 1-10.

Figure 1-10. VPN Packet Propagation in an MPLS VPN Network




An IP datagram, sent from San Jose to Lyon, is forwarded across the service provider backbone in a number of steps:

1. An IP datagram is sent from the CE router to the PE router.

2. The PE router performs an IP lookup and prepends an MPLS header consisting of two labels: a label assigned via LDP (also known as IGP label, or IL), identifying the path toward the egress PE router (Paris); and a VPN label (VL) assigned by the Paris PE router.

3. The penultimate router in the service provider network removes the IGP label, leaving only the VPN label in the MPLS header.

4. The egress PE router performs label lookup on the VPN label, removes the MPLS header, and forwards the IP datagram to the Lyon CE router.
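The walk-through above, together with the VRF, VPNv4 and LFIB descriptions earlier in the chapter, as an added Python model that is not code from the book or from Cisco IOS: the router names follow Figures 1-9 and 1-10, while the prefixes, RDs, route targets and label values are constructed for the example. It goes one step past the text by letting both customers advertise the same 10.1.1.0/24 from Lyon, so the run shows that the VPN label alone, never the customer IP address, selects the VRF and CE at the egress PE, and that a label no LFIB knows is dropped rather than forwarded.

```python
"""Toy model of MPLS VPN forwarding: per-customer VRFs, route distinguishers,
MP-BGP route targets, the two-label stack and penultimate hop popping (PHP).
All names, prefixes, RDs and label values are constructed for this example."""
import ipaddress

IMPLICIT_NULL = 3  # LDP reserved label: "pop the top label before sending to me"


def vpnv4(rd, prefix):
    """64-bit RD + 32-bit IPv4 prefix = 96-bit VPNv4 address, written RD:prefix."""
    return f"{rd}:{prefix}"


class P:
    """Core LSR: pure label switching, no customer state of any kind."""
    def __init__(self, name):
        self.name, self.lfib = name, {}  # in_label -> (next_hop, out_label)

    def switch(self, stack):
        if not stack or stack[0] not in self.lfib:
            return None  # unknown label: drop, never fall back to an IP lookup
        next_hop, out = self.lfib[stack[0]]
        rest = stack[1:] if out == IMPLICIT_NULL else [out] + stack[1:]  # PHP / swap
        return next_hop, rest


class PE:
    """Edge LSR: plain IP toward the CEs, labels toward the core."""
    def __init__(self, name, loopback):
        self.name, self.loopback = name, loopback
        self.vrfs, self.rd, self.rt = {}, {}, {}  # per-VRF table, RD, route target
        self.vpn_labels = {}   # locally allocated VPN label -> (vrf, prefix)
        self.igp_fib = {}      # remote PE loopback -> (next_hop, LDP-learned IGP label)
        self._next_label = 100

    def add_vrf(self, vrf, rd, rt):
        self.vrfs[vrf], self.rd[vrf], self.rt[vrf] = {}, rd, rt

    def learn_ce_route(self, vrf, prefix, ce):
        """A route from a CE lands in its VRF and gets a VPN label; the
        returned dict is the MP-BGP update carrying it to the other PEs."""
        label, self._next_label = self._next_label, self._next_label + 1
        self.vrfs[vrf][prefix] = ("ce", ce)
        self.vpn_labels[label] = (vrf, prefix)
        return {"vpnv4": vpnv4(self.rd[vrf], prefix), "rt": self.rt[vrf],
                "next_hop": self.loopback, "label": label}

    def receive_bgp(self, update):
        """Import only into VRFs whose route target matches, then strip the RD
        so the VRF again holds a plain IPv4 prefix."""
        prefix = update["vpnv4"].split(":", 2)[2]
        for vrf, rt in self.rt.items():
            if rt == update["rt"]:
                self.vrfs[vrf][prefix] = ("bgp", update["next_hop"], update["label"])

    def ingress(self, vrf, dst_ip):
        """Step 2 of the walk-through: VRF lookup, push [IGP label, VPN label]."""
        for prefix, entry in self.vrfs[vrf].items():
            if entry[0] == "bgp" and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(prefix):
                _, bgp_next_hop, vpn_label = entry
                next_hop, igp_label = self.igp_fib[bgp_next_hop]
                return next_hop, [igp_label, vpn_label]
        return None

    def egress(self, stack):
        """Step 4: the VPN label alone picks the VRF and CE; the destination
        IP is never looked up in the global table."""
        if len(stack) != 1 or stack[0] not in self.vpn_labels:
            return None
        vrf, prefix = self.vpn_labels[stack[0]]
        return vrf, self.vrfs[vrf][prefix][1]


def build_network():
    san_jose, washington, paris = PE("SanJose", "192.168.0.1"), P("Washington"), PE("Paris", "192.168.0.3")
    for pe in (san_jose, paris):
        pe.add_vrf("FastFood", "65000:1", "65000:1")
        pe.add_vrf("EuroBank", "65000:2", "65000:2")
    # LDP-built LSP toward Paris's loopback; Washington learned implicit-null
    # from Paris, so it pops the IGP label (penultimate hop popping).
    san_jose.igp_fib["192.168.0.3"] = ("Washington", 30)
    washington.lfib[30] = ("Paris", IMPLICIT_NULL)
    # Both Lyon sites use the same overlapping prefix behind the Paris PE.
    for vrf, ce in (("FastFood", "FastFood-Lyon"), ("EuroBank", "EuroBank-Lyon")):
        san_jose.receive_bgp(paris.learn_ce_route(vrf, "10.1.1.0/24", ce))
    return san_jose, washington, paris


def deliver(vrf, dst_ip):
    """Send one datagram San Jose -> Washington -> Paris; return the stack at each hop and the (vrf, CE) it reaches."""
    san_jose, washington, paris = build_network()
    hops, step = [], san_jose.ingress(vrf, dst_ip)
    while step is not None:
        next_hop, stack = step
        hops.append((next_hop, list(stack)))
        if next_hop == "Paris":
            return hops, paris.egress(stack)
        step = washington.switch(stack)
    return hops, None
```

Calling deliver("FastFood", "10.1.1.7") and deliver("EuroBank", "10.1.1.7") sends packets to the same customer address; they leave San Jose with stacks [30, 100] and [30, 101], arrive at Paris carrying only the VPN label, and are handed to different CEs.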

New MPLS VPN Developments

Many service providers worldwide have enthusiastically embraced the MPLS and MPLS VPN technologies as they enable the service providers to deploy the two most common applications—Internet access and VPN services—on a common network infrastructure. The diversity of their infrastructures, access layer technologies, and IP routing setups, as well as the new services these service providers would like to deploy, have triggered the development of several new MPLS-related features, including these:

Tight integration of access technologies such as dial-up, digital subscriber line (DSL), and cable with MPLS VPN


New routing protocol options and support for additional VPN routing protocols

Transport of additional Layer 3 protocols over MPLS

Each of these is discussed in the following sections.

Access Technology Integration with MPLS VPN

The initial implementation of MPLS VPN technology supported customer sites that were connected primarily to the service provider backbone through a permanent connection. These connections were implemented with Layer 2 technology, which was well established in the IOS code base. Although you could, with skill, support other access technologies (most notably, dial-up users), a number of supporting technologies were not MPLS VPN-enabled, forcing the service providers to accept compromises they would rather avoid.

Tighter integration of MPLS VPN with access technologies was implemented by making several additional Cisco IOS services VPN-aware:

Virtual-Profile Cisco Express Forwarding (CEF)

Overlapping address pools

On-demand address pools (ODAP)

VRF Aware Framed Route

Per VRF authentication, authorization, and accounting (AAA)
Ex t endin g int o m or e adv anced t opicsVRFan daw d ep m ent architdial ect ur Volu m e I I pr ovid es r eader s w it h t he necessar y t ools arloy e larg e- scale oues, t ( LSDO) t hey n eed t o d ep loy and m ain t ain a secur e, hig hly av ailab le VPN. VPN- I D MPLS and VPN Ar chit ect u res, Volum e I I , b eg in s w it h a br ief ref resher of t he MPLS VPN r elay VPN por t Ar ch itDHCP ect u re. Par —MPLS t I I descr ibessup adv anced MPLS VPN con nect iv it y includ in g t he int egr at ion of ser v ice pr ovider access t echn olog ies ( dial, DSL, cab le, Et her net ) an d a v ariet y of r out in g Allott hocols ese f(eat anGRP, d t heand access t echnology t egr at ion wwitithh tMPLS VPN is d escr pr I S-uIres S, EI OSPF) , ar m in g tinhe r eader he k now ledge of h ib owedt oin det ail Ch apt er 2, " Rem ot e Access t o an MPLS VPN." int egr at e t h ese f eat ur es in t o t h e VPN b ack bon e. Part I I I det ails adv anced d ep loy m ent issues includin g secu r it y , ou t lining t he n ecessar y st eps t h e ser v ice p rov ider m ust t ake t o p rot ect t he back bone and any at t ached VPN sit es, and also det ailin g t he lat est secu rit y f eat ur es t o allow m or e adv anced t opProtocol ologies andOptions filt erin g. This par t also cov er s m ult i- car r ier MPLS VPN New Routing deploy m en t s. Fin ally , Par t I V pr ov id es a m et hodology for ad van ced MPLS VPN t r oub leshoot ing . New Cisco I OS r eleases ext end t h e r ange of I P rou t ing pr ot ocols t hat ar e su ppor t ed bet w een tMPLS he PEand r outVPN er s an d t hect e CE r outVolum er s. Enh GRP EI GRP) I ntadv egr ances at ed I nt Ar chit u res, e I Ianced , also Iint rod(uces t he and lat est in erm cu stediat omere Sy st em t oI nt er m ed iat e Syst em ( I nt eg rat ed I SI S) ar e supp ort ed, as w ell as addit ion int egr at ion, secur it y, and t r oubleshoot ing feat u res essent ial t o p rov iding t h e adv ancedal OSPF

connectivity options, including virtual OSPF links between PE routers (sham links). Furthermore, Cisco IOS supports IP Multicast inside the MPLS VPN and per-VRF network address translation (NAT) on the PE router. These new features are described in Chapters 3, "PE-CE Routing Protocol Enhancements and Advanced Features," 4, "Virtual Router Connectivity," and 7, "Multicast VPN."

New Layer-3 Protocols Transported Over MPLS


IP version 6 (IPv6), also known as IP: The Next Generation (IPng), has joined IPv4 as another Layer 3 protocol that can be transported across an MPLS backbone. MPLS support for globally routed IPv6 is described in Chapter 8, "IPv6 Across an MPLS Backbone."


Summary

Many service providers that wanted to minimize their costs of provisioning and operations by offering all their services (VPN and public Internet) over a common infrastructure have enthusiastically embraced MPLS-based VPN networks. Furthermore, these service providers have achieved significant cost savings due to the provisioning simplicity offered by MPLS VPN's integration with the benefits of both connectionless and connection-oriented VPN approaches.

An end-to-end MPLS VPN solution is, like any other VPN solution, divided into the central P-network to which a large number of customer sites (sites in the C-network) are attached. The customer sites are attached to the PE devices (PE routers) through CE devices (CE routers). Each PE router contains several virtual routing and forwarding tables (VRFs)—at least one per VPN customer. These tables are used together with Multiprotocol BGP running between the PE routers to exchange customer routes and to propagate customer datagrams across the MPLS VPN network. The PE routers perform the label imposition (ingress PE router) and removal (egress PE router). The central devices in the MPLS VPN network (P routers) perform simple label switching.

MPLS-based VPNs have been significantly enhanced since their initial rollout. The new MPLS VPN features allow better integration of access technologies, support of additional PE-CE routing protocols, as well as support of new transport options across MPLS backbones (transport of IPv6 and legacy Layer 2 technologies).

Part II: Advanced PE-CE Connectivity

Chapter 2 Remote Access to an MPLS VPN

Chapter 3 PE-CE Routing Protocol Enhancements and Advanced Features

Chapter 4 Virtual Router Connectivity


Chapter 2. Remote Access to an MPLS VPN

The initial service offerings for Multiprotocol Label Switching (MPLS) virtual private networks (VPNs) were provided to customers through fixed connections to the provider edge (PE) router by using technologies such as leased line, Frame Relay, Asynchronous Transfer Mode (ATM) permanent virtual circuits (PVCs), or last mile Ethernet. The provision of remote or off-net access to the MPLS VPN was incumbent upon the customer having the appropriate access infrastructure in place to cater to his mobile or remote workforce. Therefore, the ability for an MPLS VPN service provider to supply MPLS VPN value-added services (which, in turn, generates more revenue) to remote users was completely dependent on the customer's remote access network and the geographic coverage that the network provided. This is illustrated in Figure 2-1.

Figure 2-1. Remote Access Provided by Customer

In this scenario, the SuperCom network provides only fixed-line access to the EuroBank and FastFoods customer edge (CE) routers. Remote access is provided by using EuroBank and FastFoods hardware at their remote locations.
To provide a scalable and complete end-to-end VPN service, the service provider must have a network infrastructure that is capable of integrating remote access directly into an MPLS VPN network. Such an infrastructure can enable remote users to seamlessly access their corporate VPNs through a service provider point of presence (POP), not a customer POP. The advantage of this is that a service provider can offer a value-add service by leasing wholesale dial access to many VPN customers. The VPN customers can be ISPs or large enterprises that want to provide access to remote users but avoid the need for maintaining their own separate and expensive VPN access network. The same remote access network can be sold as a unique service to many VPN customers (build once, sell many), which decreases the customer's operating costs and increases the revenue of the service provider. This is illustrated in Figure 2-2.

Figure 2-2. Remote Access Provided by a Service Provider


In this scenario, SuperCom provides remote access services terminating into the MPLS VPN network. This remote access network allows any EuroBank or FastFoods remote user direct access to his VPNs, which alleviates the need for EuroBank and FastFoods to provide a separate remote access infrastructure.

Service providers will invariably use one or more of the following access technologies to provide remote access to an MPLS VPN:
Public Switched Telephone Network (PSTN)
Integrated Services Digital Network (ISDN)
Asymmetric digital subscriber line (ADSL)
Data-over Cable Service Interface Specifications (DOCSIS), or simply called cable

These access technologies are used in conjunction with various protocols and procedures to provide the remote access service. The protocols and procedures include the following:

Point-to-Point Protocol (PPP)

Layer 2 Tunneling Protocol (L2TP)
Virtual private dialup network (VPDN)
Remote Authentication Dial-In User Service (RADIUS)
Dynamic Host Configuration Protocol (DHCP)


The first part of this chapter provides an overview of each of these protocols and procedures to provide you with a foundation for understanding how remote access is provided to an MPLS VPN. The second part of this chapter covers the following remote access scenarios and features:

Dial-in access to an MPLS VPN via VPDN (L2TP) or direct ISDN


Large-scale dial-out access from an MPLS VPN via L2TP or direct ISDN

Dial backup to an MPLS VPN
Digital subscriber line (DSL) access to an MPLS VPN by using various encapsulation methods
Cable access to an MPLS VPN
Advanced features such as on-demand address pools, per-VRF AAA, and VRF-aware DHCP relay

Feature Enhancements for MPLS VPN Remote Access

Several new features and enhancements were made to Cisco IOS so that MPLS VPN services could be provisioned over various remote access technologies. Most of these features are incorporated into the detailed examples provided throughout this chapter or are addressed in the later section, "Advanced Features for MPLS VPN Remote Access." The features can be summarized as follows:

Virtual-profile Cisco Express Forwarding (CEF)— PPP sessions that terminate on a Cisco router through an L2TP tunnel or direct ISDN interface do so via a virtual-access interface. The virtual-access interface is an instance of a virtual-profile or a virtual-template. Each system has a maximum of 25 virtual-templates; virtual-profiles do not have this limitation; therefore, they are preferred because they are more scalable and flexible. The virtual-profile CEF feature allows these interfaces to be CEF switched, which is a prerequisite for MPLS.

Overlapping address pools— Previously, per-router local address pools could only be specified in the global IP routing instance. This meant that all VRFs as well as all global interfaces shared a single pool to provide interface addresses for PPP sessions. The overlapping pool feature allows the same IP address range to be used concurrently in different VRFs, thereby providing better utilization of the IP address space.

On-demand address pools (ODAP)— Instead of configuring pool address ranges locally, the ODAP feature allows a central RADIUS server to provide VRF-aware pool addresses as required. In this way, the local pool can expand and contract based on usage, and the RADIUS server can provide better address management by allocating subnets where they are needed.

Framed Route VRF aware— When a remote CE router dials into a PE router via a PPP session, there must be a mechanism to allow the remote subnet to be injected into the VRF for the duration of the call. This is done through the Framed Route RADIUS attribute or the corresponding cisco-avpair "ip:route" attribute. This attribute usually applies to the global routing table; however, enhancements have been made so that Cisco IOS can determine whether it should be applied to a VRF.

Per VRF authentication, authorization, and accounting (AAA)— This feature allows RADIUS information to be sent directly to a customer RADIUS server that is located within the VRF. Previously, the only way to get to a customer RADIUS server was to use a proxy via the service provider RADIUS server reachable in the global routing table.

VRF aware large-scale dial out (LSDO)— This feature allows the LSDO solution to operate within the context of a VRF. VRF-aware LSDO allows multiple VRFs to use the same dialer interface on a router with individual profiles downloaded from an AAA server.

VPN-ID— This feature allows remote access applications such as a RADIUS or DHCP server to identify the VPN that originates a RADIUS or DHCP request. The VPN-ID feature is based on RFC 2685.

DHCP Relay—MPLS VPN Support— This feature allows a single DHCP server to service many VRFs by supplying addresses from distinct IP address pools. Create different namespaces within the server to separate address pools. Either the VRF name or the VPN ID identifies these namespaces. The DHCP server can reside in the global routing table or in any customer or shared services VRF.
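The overlapping-pool and VPN-ID namespace behaviour described above, as an added example that is not code from the book or from Cisco IOS: a small address server keys each pool by a namespace (a VRF name or an RFC 2685 VPN-ID, 3-octet OUI plus 4-octet index), so the same range can be leased concurrently in two VRFs without the leases colliding, and a request from an unknown namespace is refused rather than served from a global pool. The VRF names come from the chapter's scenario; the OUI, index and address ranges are constructed.

```python
"""Added example: VRF-aware address pools with overlapping ranges.
Namespaces are keyed by VRF name or by an RFC 2685 VPN-ID; all OUIs,
indexes, VRF names and address ranges below are constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple, Union

VPN_ID_LEN = 7  # RFC 2685: 3-octet OUI followed by a 4-octet VPN index


def encode_vpn_id(oui: int, vpn_index: int) -> bytes:
    """Build the 7-octet VPN-ID used as a namespace key (RFC 2685 layout)."""
    if not 0 <= oui < 1 << 24:
        raise ValueError("OUI must fit in 24 bits")
    if not 0 <= vpn_index < 1 << 32:
        raise ValueError("VPN index must fit in 32 bits")
    return oui.to_bytes(3, "big") + vpn_index.to_bytes(4, "big")


def decode_vpn_id(raw: bytes) -> Tuple[int, int]:
    """Split a VPN-ID back into (OUI, VPN index); reject malformed lengths."""
    if len(raw) != VPN_ID_LEN:
        raise ValueError(f"VPN-ID must be {VPN_ID_LEN} octets, got {len(raw)}")
    return int.from_bytes(raw[:3], "big"), int.from_bytes(raw[3:], "big")


Namespace = Union[str, bytes]  # VRF name or encoded VPN-ID


@dataclass
class AddressPool:
    """One address range; leases are tracked per pool, never globally."""
    network: ipaddress.IPv4Network
    leased: Set[ipaddress.IPv4Address] = field(default_factory=set)

    def allocate(self) -> Optional[ipaddress.IPv4Address]:
        for host in self.network.hosts():
            if host not in self.leased:
                self.leased.add(host)
                return host
        return None  # pool exhausted

    def release(self, addr: ipaddress.IPv4Address) -> None:
        self.leased.discard(addr)


class VRFAwareAddressServer:
    """Pools are looked up by namespace, so two VRFs may carry the same
    range at the same time (the overlapping address pool behaviour)."""

    def __init__(self) -> None:
        self._pools: Dict[Namespace, AddressPool] = {}

    def add_pool(self, namespace: Namespace, cidr: str) -> None:
        self._pools[namespace] = AddressPool(ipaddress.ip_network(cidr))

    def request(self, namespace: Namespace) -> Optional[ipaddress.IPv4Address]:
        pool = self._pools.get(namespace)
        if pool is None:
            # Unknown VRF or VPN-ID: refuse instead of falling back to a
            # shared global pool, which would leak addresses across VPNs.
            return None
        return pool.allocate()


def demo_overlapping_pools() -> Dict[str, str]:
    """Two namespaces configured with the same 10.1.1.0/29 range each lease
    10.1.1.1 first; a request for an unconfigured namespace is refused."""
    server = VRFAwareAddressServer()
    eurobank = "EuroBank"                     # keyed by VRF name
    fastfoods = encode_vpn_id(0xAABBCC, 7)    # keyed by constructed VPN-ID
    server.add_pool(eurobank, "10.1.1.0/29")
    server.add_pool(fastfoods, "10.1.1.0/29")
    return {
        "eurobank_first": str(server.request(eurobank)),
        "eurobank_second": str(server.request(eurobank)),
        "fastfoods_first": str(server.request(fastfoods)),
        "unknown": str(server.request("NoSuchVRF")),
    }


if __name__ == "__main__":
    print(demo_overlapping_pools())
```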

Overview of Access Protocols and Procedures

This section briefly describes the typical protocols that are used in remote access technologies. It serves as a refresher or an introduction to those of you who are not intimately familiar with these protocols. For a more in-depth description of remote access protocols and Cisco IOS configuration guidelines, please refer to Cisco Connection Online (www.cisco.com) under the Technologies section.

PPP

PPP is fundamental to the deployment of nearly all the remote access scenarios discussed in this chapter. PPP provides a link layer service (Layer 2 of the OSI model) between two devices (in this case, the customer device and the PE router), and it can operate over a variety of physical media such as ISDN, ADSL, leased line, and virtual circuits such as ATM PVCs and L2TP tunnels. PPP provides a datagram service only; reliable transport is the responsibility of the higher layers in the protocol stack. The connection that PPP operates over can be either fixed or switched (dial-up) and running in asynchronous or synchronous bit serial mode. The only requirement for PPP is that the circuit provided be full duplex. An advantage of PPP is that it can support many different network protocols (Layer 3 of the OSI hierarchy), such as IP, AppleTalk, DECnet, and OSI simultaneously over the same link.

PPP is a layered protocol that has three components:

An encapsulation component that is used to transmit datagrams over the specified physical layer.

A Link Control Protocol (LCP) to establish, configure, and test the link as well as negotiate capabilities.

One or more NCPs used to negotiate optional configuration parameters and facilities for the network layer. There is one Network Control Protocol (NCP) for each protocol supported by PPP.

NOTE

The device that terminates PPP sessions in a service provider network is called a network access server (NAS). A NAS is capable of terminating many connections over a variety of physical media. Among other examples, a NAS could be a Cisco Systems 7200 acting as a PE router with switched ISDN connections or a Cisco Systems AS5300 universal access concentrator terminating dial-in analog or ISDN modem calls.

To establish a link for point-to-point communication, each endpoint uses LCP to open the connection, negotiate capabilities, and configure the link appropriately. Examples of capabilities that can be negotiated are the maximum receive unit (MRU), compression of certain PPP fields, and the authentication protocol to use: Password Authentication Protocol (PAP) or Challenge Handshake Authentication Protocol (CHAP). Optionally, you can also assess the link quality to determine whether network protocols can be activated. If the link quality is not acceptable, LCP can hold off passing to the NCP phase.

When the LCP phase is completed, the relevant NCP must separately negotiate each network layer protocol. For example, the NCP for IP, called Internet Protocol Control Protocol (IPCP), can negotiate options such as the IP addresses to be used at each end of the link, DNS server addresses, and the compression protocol. LCP and NCP are both extensible protocols; therefore, new features and options can be easily added when required. Figure 2-3 shows where LCP and NCP fit in the PPP model.

Figure 2-3. PPP Model
The LCP layer also provides the optional authentication function, which is a fundamental requirement when providing remote access services. Authentication takes place after the link has been established and prior to the NCP negotiation phase.

As previously mentioned, LCP has two authentication protocols available: PAP and CHAP. PAP is a simple two-way handshake protocol. The username/password pair is repeatedly sent across the link from the originating end until an acknowledgement is received. PAP sends passwords in clear text; there is no protection against playback (replay) of a captured exchange or against repeated trial-and-error attacks (such as trying to guess passwords from the outside).

CHAP is a more robust authentication protocol that uses a three-way handshake to verify the identity of the remote end. The authentication is done initially when the link is established and might be periodically repeated during the call. CHAP is the preferred authentication method and will be used in examples throughout this chapter. The three-way handshake operates as follows:

The local peer sends a challenge message to the remote peer.

The remote peer combines the challenge with a shared secret key and responds with a value calculated by using a one-way hash function (the algorithm RFC 1994 defines for CHAP is the MD5 message digest).

The local peer then compares the returned hash value with what it expected to receive. (It calculates its own value by using the same hash function and its own copy of the secret.)

If the hash values match, the authentication is acknowledged; otherwise, the connection is terminated.

NOTE

The password, or "secret key" as it is referred to, is never sent across the link. Only the hashed response derived from the secret is transmitted. Because CHAP can be used to authenticate many different remote systems, the challenge/response packet can also contain a name (usually the hostname) that will be used to index a list of secret keys or passwords. A consequence is that the authenticator must hold each peer's secret in a recoverable form (not as a one-way hash), so the credential store on the NAS or AAA server needs the same protection as the links it authenticates.

Figure 2-4 illustrates CHAP in operation. A remote FastFoods user has dialed into the San Jose NAS. SanJose_NAS will send a challenge message to the FastFoods_Mobile1 PC asking it to prove knowledge of its secret. FastFoods_Mobile1 will use information in the challenge message as well as the secret that is locally stored (whatsthebuzz) to send a response back. The response message will contain the name of the FastFoods remote user (FastFoods_Mobile1) as well as the hash computed over the challenge and the secret. The SanJose_NAS will then compute the same hash from the name/secret pair stored either locally on the NAS or on a RADIUS/AAA server and compare it with the response received from FastFoods_Mobile1. If the hash values match, then an accept message is sent back and the NCP layer can proceed. This handshake can be periodically repeated during the call, each time with a fresh challenge, so that a response captured earlier cannot be replayed.

Figure 2-4. CHAP Three-Way Handshake
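The handshake of Figure 2-4, worked through as an added Python example (this is not code from the book): both peers, the RFC 1994 response computation MD5(Identifier || secret || Challenge), the comparison on the NAS side, and why a captured response does not verify against the next challenge. SanJose_NAS, FastFoods_Mobile1 and the secret whatsthebuzz are the names the text uses; the credential dictionary, the identifier counter and the random challenge source are assumptions of the example.

```python
"""CHAP three-way handshake (RFC 1994) between a NAS and a dial-in peer.

Added example, not code from the book. SanJose_NAS, FastFoods_Mobile1 and
the secret "whatsthebuzz" are the names the text uses; the credential store,
identifier counter and random source are constructed for the example.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed credential store, as held by the NAS or its RADIUS/AAA server.
# CHAP needs the secret itself (not a one-way hash of it), so this store has
# to be protected as carefully as the links it authenticates.
USER_SECRETS = {"FastFoods_Mobile1": b"whatsthebuzz"}


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: Response Value = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident & 0xFF]) + secret + challenge).digest()


@dataclass
class Challenge:
    ident: int      # 8-bit Identifier, new for every challenge
    value: bytes    # random Challenge Value
    name: bytes     # Name of the challenger, e.g. b"SanJose_NAS"


@dataclass
class Response:
    ident: int      # echoes the Identifier of the challenge being answered
    value: bytes    # 16-byte MD5 digest
    name: bytes     # Name of the responder, used to index the secret store


class Authenticator:
    """NAS side: issues challenges (initially and periodically) and checks responses."""

    def __init__(self, name: str, secrets: dict, rng=os.urandom):
        self.name, self.secrets, self.rng = name.encode(), secrets, rng
        self.ident = 0
        self.outstanding = {}   # ident -> challenge value still awaiting an answer

    def challenge(self) -> Challenge:
        self.ident = (self.ident + 1) & 0xFF
        value = self.rng(16)
        self.outstanding[self.ident] = value
        return Challenge(self.ident, value, self.name)

    def verify(self, resp: Response) -> bool:
        # A challenge value is consumed on first use, so every answer is bound
        # to one fresh, random challenge.
        value = self.outstanding.pop(resp.ident, None)
        secret = self.secrets.get(resp.name.decode(errors="replace"))
        if value is None or secret is None:
            return False
        expected = chap_response(resp.ident, secret, value)
        return hmac.compare_digest(expected, resp.value)   # constant-time compare


def peer_respond(name: str, secret: bytes, chal: Challenge) -> Response:
    """Dial-in side: the secret never leaves this function; only the hash goes on the wire."""
    return Response(chal.ident, chap_response(chal.ident, secret, chal.value), name.encode())


def run_handshake(secret_at_peer: bytes = b"whatsthebuzz") -> bool:
    """Full exchange: challenge, response, verdict. True means Success, False means Failure."""
    nas = Authenticator("SanJose_NAS", USER_SECRETS)
    chal = nas.challenge()
    resp = peer_respond("FastFoods_Mobile1", secret_at_peer, chal)
    return nas.verify(resp)


def replay_is_rejected() -> bool:
    """An eavesdropper captures a valid response and replays it against the next challenge."""
    nas = Authenticator("SanJose_NAS", USER_SECRETS)
    captured = peer_respond("FastFoods_Mobile1", b"whatsthebuzz", nas.challenge())
    if not nas.verify(captured):                 # the genuine exchange succeeds ...
        return False
    fresh = nas.challenge()                      # ... the NAS re-challenges during the call ...
    forged = Response(fresh.ident, captured.value, captured.name)
    return not nas.verify(forged)                # ... and the old hash does not match the new challenge


if __name__ == "__main__":
    print("genuine peer:", run_handshake())          # True
    print("wrong secret:", run_handshake(b"guess"))  # False
    print("replay rejected:", replay_is_rejected())  # True
```

Contrast this with PAP, where the same exchange would carry the string whatsthebuzz itself and a captured packet could be resent unchanged. The replay resistance here comes entirely from the challenge being random and used once; an authenticator that reuses challenge values, or a peer that answers challenges from anyone without checking the challenger's name, loses it.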

L2TP

In a typical PPP connection, the Layer 2 termination point and the PPP session endpoint reside on the same physical device. For example, a user could obtain a connection to the NAS by way of an analog dial-up or ISDN connection and then run PPP over that connection. In this case, the Layer 2 connection and the PPP session would both terminate on the NAS, as shown in Figure 2-5.

Figure 2-5. PPP Endpoints

L2TP allows the PPP session endpoint to be divorced from the Layer 2 termination point. This means that a PPP session can be extended across the Internet or an ISP network. While traversing an IP backbone, the PPP session is carried inside an L2TP tunnel. The PPP session can pass through many intermediate nodes before terminating on the target remote access server. L2TP allows the remote client to communicate with the remote server by using PPP as if the two were directly connected. The network infrastructure is transparent to either end of the PPP session. The device that terminates the Layer 2 connection and originates the L2TP tunnel is called the L2TP Access Concentrator (LAC). The device that terminates the L2TP tunnel and the original PPP session from the remote client is called the L2TP Network Server (LNS). The LAC passes packets between the remote client and the LNS.

NOTE

L2TP allows the creation of a virtual private dialup network (VPDN) to connect a remote client to its corporate network by using a shared infrastructure, which could be the Internet or a service provider's network. VPDNs are described in the following section.

Figure 2-6 illustrates the basic concept of an L2TP tunnel.

Figure 2-6. PPP Session Through an L2TP Connection

In this scenario, FastFoods has a remote client called FastFoods_Mobile1 that needs to communicate directly with a server that is located at the FastFoods Lyon site. The nearest dial-in POP to the FastFoods mobile user is provided by SuperCom in San Jose. The Lyon server is reachable through a FastFoods router that is connected directly to the SuperCom network in Paris. Therefore, when FastFoods_Mobile1 calls into the SuperCom LAC in San Jose, the San Jose LAC will exchange PPP messages with FastFoods_Mobile1 and communicate by way of L2TP requests and responses with the FastFoods Lyon_LNS to set up an L2TP tunnel. The PPP session will be established between FastFoods_Mobile1 and the Lyon_LNS.

PPP frames from FastFoods_Mobile1 will be accepted by the SanJose_LAC, stripped of any link framing or transparency bytes, encapsulated in L2TP, and forwarded over the appropriate tunnel toward Lyon_LNS. The LNS will accept these L2TP frames, strip the L2TP encapsulation, and process the incoming PPP frames.

VPDN

A VPDN is a network that connects a remote access client to a private network by using a shared or public IP infrastructure. A VPDN uses a tunnel protocol, such as L2TP, Point-to-Point Tunneling Protocol (PPTP), or Layer 2 Forwarding (L2F), to extend the Layer 2 and higher parts of the network connection from a remote user across an ISP network to a private network. VPDNs allow a service provider to share its common remote access infrastructure among many remote clients. Each client can dial in to a service provider NAS/LAC and be connected to the private corporate network based on the logon domain name or the number that was dialed (by using the dialed number identification service, or DNIS).

Figure 2-7 describes the VPDN process. It is essentially the same scenario as described in Figure 2-6, except that the protocol exchanges are fully detailed. It uses a combination of PPP, L2TP, and RADIUS to provide the virtual private dial-in service.

Figure 2-7. VPDN Process

The following steps outline what happens during the VPDN process:

Step 1. The FastFoods remote client initiates a PPP call to the SuperCom San Jose LAC via PSTN or ISDN.

Step 2. The remote client and the LAC begin to negotiate PPP options by using LCP. This covers elements such as the authentication method (CHAP or PAP), compression, and PPP multilink.

Step 3. Assuming that CHAP was selected, the LAC sends a challenge message.

Step 4. The FastFoods remote client responds with its username (assume it is mobile1@fastfoods.com) and the CHAP response computed from its password. The LAC partially authenticates the user using the information it has received in the CHAP response.

Step 5. The LAC checks whether the FastFoods remote client is a VPDN user. It determines this by examining the username (mobile1), the domain name (fastfoods.com), or the called number (DNIS). This information can either be stored locally (configured statically) on the LAC or it can be retrieved from the SuperCom RADIUS server. In our example, the information is forwarded via a RADIUS request to the SuperCom RADIUS server.

Step 6. The RADIUS server has an entry for the domain name of the FastFoods remote client; therefore, the client is a VPDN user. The RADIUS server replies to the LAC with a message containing the IP address of the FastFoods LNS and other information to allow the LAC to create an L2TP tunnel to the specific LNS.

NOTE

If the remote client were determined not to be a VPDN client, then authentication would continue on the LAC. In this case, it would be likely that this customer would be subscribing to Internet access or some other SuperCom common service and would be connected directly to the global routing space of SuperCom.

Step 7. If the L2TP tunnel does not already exist, the SanJose_LAC builds a tunnel to the FastFoods Lyon_LNS by using L2TP control messages. Only one tunnel is built for each domain. For example, all fastfoods.com users that subsequently dial in use the same tunnel.

Step 8. L2TP provides an optional CHAP-like authentication mechanism during tunnel establishment. The LNS can check (via local configuration) whether the LAC is allowed to open a tunnel to it, and both the LAC and LNS can authenticate each other using a shared secret configured locally or on a RADIUS server. Alternatively, the LNS can accept the tunnel without any authentication; in that case any device that can reach the LNS over the IP backbone can open a tunnel and deliver PPP sessions into the customer network, and the per-user authentication in Steps 11 and 12 is the only check that remains.

Step 9. After the tunnel is created, a VPDN session is created over the L2TP tunnel for the FastFoods remote client. Each remote client is associated with a unique VPDN session on an L2TP tunnel.

NOTE

An L2TP tunnel can support many VPDN sessions for the same domain. Therefore, any further FastFoods remote clients that call into the San Jose LAC would be forwarded through the same L2TP tunnel to the Lyon LNS.

Step 10. The San Jose LAC then forwards the partially authenticated CHAP response from the FastFoods client. This includes the username/password information (mobile1@fastfoods.com) and the LCP-negotiated parameters.

Step 11. The LNS creates a virtual-access interface based on a virtual-template for the VPDN session. The remote user information is authenticated by the FastFoods RADIUS server (or username/password information configured statically on the LNS can be used).

Step 12. The FastFoods RADIUS server returns the appropriate response/authorization and any other relevant information.

Step 13. The FastFoods Lyon LNS then sends the CHAP result (Success or Failure) back to the FastFoods remote client through the L2TP tunnel.

Step 14. After the CHAP authentication has succeeded, the NCP phase, in this case using IPCP, is performed. When the PPP sessions are functioning, the LAC acts as a go-between for the FastFoods remote client and the LNS.

The combination of PPP, L2TP, and VPDN provides the basic building blocks for enabling remote access to MPLS VPNs. Some modifications and feature enhancements are required to support L2TP directly into VRFs, and these will be discussed in detail in the remote access to MPLS VPN examples later in this chapter.
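Steps 5 through 8 above, as an added Python example (not the book's code): the LAC decides from the domain part of the username, or from the DNIS, whether the caller is a VPDN user, looks up the LNS address and the tunnel secret, and then runs the SCCRQ/SCCRP/SCCCN tunnel authentication of RFC 2661, which reuses the CHAP construction with the control message type as the CHAP identifier. The group table stands in for the SuperCom RADIUS server (or a static VPDN group on the LAC); the LNS address, the secrets, the search order (domain before DNIS) and the handling of an end with tunnel authentication disabled are assumptions of the example. It also shows that "accept the tunnel without any authentication" only works when both ends skip it, and what happens when the two ends' secrets disagree.

```python
"""LAC-side VPDN setup: domain/DNIS tunnel selection and L2TP tunnel
authentication (RFC 2661). Added example, not the book's code. The group
table stands in for the SuperCom RADIUS server (or a static vpdn-group on
the LAC); LNS address, secrets and search order are constructed."""
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed: what Step 6 returns for a VPDN domain or a called number (DNIS).
VPDN_GROUPS = {
    ("domain", "fastfoods.com"): {"lns": "192.0.2.10", "tunnel_secret": b"supercom-fastfoods"},
    ("dnis", "4085551234"):      {"lns": "192.0.2.10", "tunnel_secret": b"supercom-fastfoods"},
}


def lookup_vpdn_group(username: str, dnis: str) -> Optional[dict]:
    """Step 5: is this caller a VPDN user? Domain is tried first, then DNIS
    (the search order is an assumption of this example)."""
    if "@" in username:
        group = VPDN_GROUPS.get(("domain", username.rsplit("@", 1)[1].lower()))
        if group is not None:
            return group
    return VPDN_GROUPS.get(("dnis", dnis))


# Control message types whose Challenge Response AVP answers the peer's challenge.
SCCRP, SCCCN = 2, 3


def tunnel_response(msg_type: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 2661 section 4.4.3: CHAP-style response, with the message type as the CHAP ID."""
    return hashlib.md5(bytes([msg_type]) + secret + challenge).digest()


class TunnelEndpoint:
    """One end of the L2TP control connection. secret=None models an end that
    neither issues nor answers challenges ('accept the tunnel without authentication')."""

    def __init__(self, hostname: str, secret: Optional[bytes], rng=os.urandom):
        self.hostname, self.secret, self.rng = hostname, secret, rng
        self.sent_challenge: Optional[bytes] = None

    def challenge(self) -> Optional[bytes]:
        if self.secret is None:
            return None
        self.sent_challenge = self.rng(16)
        return self.sent_challenge

    def answer(self, msg_type: int, peer_challenge: Optional[bytes]) -> Optional[bytes]:
        if self.secret is None or peer_challenge is None:
            return None
        return tunnel_response(msg_type, self.secret, peer_challenge)

    def check(self, msg_type: int, response: Optional[bytes]) -> bool:
        if self.secret is None:                      # authentication disabled here: anything goes
            return True
        if self.sent_challenge is None or response is None:
            return False                             # we challenged and got no answer
        expected = tunnel_response(msg_type, self.secret, self.sent_challenge)
        return hmac.compare_digest(expected, response)


def establish_tunnel(lac: TunnelEndpoint, lns: TunnelEndpoint) -> bool:
    """Steps 7 and 8: SCCRQ -> SCCRP -> SCCCN with mutual tunnel authentication."""
    sccrq = {"hostname": lac.hostname, "challenge": lac.challenge()}
    sccrp = {"hostname": lns.hostname, "challenge": lns.challenge(),
             "response": lns.answer(SCCRP, sccrq["challenge"])}
    if not lac.check(SCCRP, sccrp["response"]):
        return False                                 # LAC sends StopCCN, no tunnel
    scccn = {"response": lac.answer(SCCCN, sccrp["challenge"])}
    return lns.check(SCCCN, scccn["response"])       # False means the LNS tears it down


def handle_call(username: str, dnis: str,
                lns_secret: Optional[bytes] = b"supercom-fastfoods") -> Tuple[str, Optional[bool]]:
    """Steps 4 to 8 from the LAC's point of view. ('local', None) means the caller is
    authenticated on the LAC itself; ('vpdn', ok) reports the tunnel attempt."""
    group = lookup_vpdn_group(username, dnis)
    if group is None:
        return ("local", None)
    lac = TunnelEndpoint("SanJose_LAC", group["tunnel_secret"])
    lns = TunnelEndpoint("Lyon_LNS", lns_secret)     # whatever the customer configured on its LNS
    return ("vpdn", establish_tunnel(lac, lns))


if __name__ == "__main__":
    print(handle_call("mobile1@fastfoods.com", "4085559999"))                # ('vpdn', True)
    print(handle_call("joe", "4085551234"))                                   # ('vpdn', True) via DNIS
    print(handle_call("mobile1@fastfoods.com", "0", lns_secret=b"typo"))      # ('vpdn', False)
    print(handle_call("mobile1@fastfoods.com", "0", lns_secret=None))         # ('vpdn', False)
    print(handle_call("joe@example.net", "0"))                                # ('local', None)
```

Two points worth noticing in the run. First, the LAC never needs the user's password: it forwards the CHAP response to the LNS (Step 10), and only the tunnel secret is shared between SuperCom and FastFoods. Second, a tunnel comes up with no authentication at all only when both ends have it disabled; an LNS that challenges will refuse a LAC that does not answer, which is the configuration a customer should insist on, since otherwise anything that can reach the LNS over the backbone can deliver sessions into the VRF.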

RADIUS

RADIUS provides a distributed client/server system that prevents unauthorized access to facilities, such as dial-in services or individual hosts. RADIUS is a protocol that provides AAA (authentication, authorization, and accounting) services to a network. User permissions and configuration information are stored on a centralized RADIUS/AAA server.

NOTE

In this chapter, a RADIUS server refers to an AAA server that uses the RADIUS protocol.

A NAS operates as a RADIUS client. The client is responsible for passing user information to designated RADIUS servers and then acting on the response that is returned. RADIUS servers are responsible for receiving user connection requests, authenticating the user, and returning all configuration information that is necessary for the client to deliver service to the remote access user. The RADIUS server can also provide accounting services to measure the amount of resources that each remote access user consumes. Figure 2-8 shows the types of RADIUS messages.

Figure 2-8. RADIUS Messages

The RADIUS message types are described as follows:

Access Request — These packets are sent to a RADIUS server. They convey information that is used to determine whether a user is allowed access to a specific NAS (such as the username) and any special services requested for that user.

Access Accept — These packets are sent by the RADIUS server. They provide specific configuration information in a series of attributes that are necessary to begin delivery of service to the user.

Access Reject — These packets are sent by the RADIUS server to reject the access request due to invalid information in the request. For example, a nonexistent username or a bad password would be rejected.

Access Challenge — These packets allow the RADIUS server to send the user a challenge requiring a response.

Accounting Request — These packets are sent from a client (typically a NAS or its proxy) to a RADIUS accounting server. They convey information that provides accounting for a user service.

Accounting Response — These packets are sent from the RADIUS accounting server to the client to acknowledge that the Accounting Request has been received and recorded successfully.

The RADIUS standard and its extensions specify a large number of attributes that can be exchanged between a RADIUS client and a RADIUS server (where they are usually stored in the server database). These attributes are referred to as attribute value (AV) pairs. A RADIUS request from the NAS and the corresponding reply from the server carry a series of attributes. Within a RADIUS packet, these attributes are encoded using the type-length-value (TLV) format, as shown in Figure 2-9.

Figure 2-9. RADIUS Attribute Format

Examples of RADIUS attributes are:

username (type = 1; value is a string)
user password (type = 2; value is a string)
framed protocol (type = 7; value can be 1 for PPP, 2 for SLIP, and so on)

For a comprehensive list of attributes, please refer to the RADIUS specification detailed in RFC 2138.

To provide specific support for proprietary vendor information, the RADIUS standard defines a vendor-specific attribute with a type value of 26. Vendor-specific attributes (VSAs) allow vendors to support their own extended attributes that are unsuitable for general use. The standard states that the information within this attribute should be encoded as a sequence of vendor TLVs. Cisco Systems Inc. complies with the suggested format, and the Cisco VSA is shown in Figure 2-10.

Figure 2-10. Cisco VSA




The Vendor ID takes its value from the SMI Network Management Private Enterprise Code definition. The Vendor ID for Cisco Systems Inc. has a value of 9. The Vendor Type (v-type) field has a value of 1, which defines this Cisco VSA as the "cisco-avpair." The Vendor Value (v-value) is a string that consists of the following format:

protocol:attribute sep value

where

Protocol is a value of the Cisco protocol attribute for a particular type of authorization.

Attribute and value are an appropriate attribute-value (AV) pair.

sep is = for mandatory attributes and * for optional attributes.

The cisco-avpairs are used extensively when providing remote access to MPLS VPNs. Table 2-1 shows some examples of cisco-avpairs.

Table 2-1. Examples of Cisco avpairs

Attribute      Value
cisco-avpair   ip:addr-pool=main_pool
cisco-avpair   vpdn:ip-addresses=10.1.1.1
cisco-avpair   lcp:interface-config=ip vrf forwarding <vrf name>\n ip unnumbered Loopback0

The first example causes the address pool, configured as main_pool on the NAS, to be used during IP authorization (the IPCP phase). The next example defines an endpoint of a tunnel (that is, the LNS, 10.1.1.1) to be used. The last example allows any valid interface command to be configured dynamically on the router. This example defines a VRF and uses the IP address defined on the loopback0 interface (this must exist on the LNS).

DHCP
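The attribute TLV format of Figure 2-9 and the Cisco VSA layout described above, as an added worked example that is not code from the book: a small Python encoder and parser for RADIUS attributes, the Vendor-Specific attribute (type 26, Vendor-ID 9, v-type 1) and the cisco-avpair string, which is split into protocol, attribute, separator and value. The attribute numbers and vendor values come from the text; the message codes are those of RFC 2138; the sample username and AV pairs are constructed. The bounds checks on the Length octet are the detail a practitioner wants here, because a Length that is shorter than 2 or runs past the buffer is exactly what makes a naive TLV loop spin or read out of bounds.

```python
import struct

# RADIUS packet codes (RFC 2138)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 4, 5
# Attribute types used in the text
USER_NAME, USER_PASSWORD, FRAMED_PROTOCOL, VENDOR_SPECIFIC = 1, 2, 7, 26
CISCO_VENDOR_ID = 9          # SMI Private Enterprise Code of Cisco Systems Inc.
CISCO_AVPAIR = 1             # vendor type (v-type) that names the cisco-avpair VSA


def encode_attr(atype, value):
    """Type(1) Length(1) Value: Length counts the two header octets as well."""
    if isinstance(value, int):
        value = struct.pack("!I", value)          # integer attributes are 32-bit big-endian
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1-253 octets")
    return bytes([atype, len(value) + 2]) + value


def encode_cisco_avpair(avpair):
    """Wrap a cisco-avpair string: type 26, Vendor-ID 9, then the vendor TLV (v-type 1)."""
    vendor_tlv = encode_attr(CISCO_AVPAIR, avpair.encode())
    return encode_attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + vendor_tlv)


def decode_attrs(data):
    """Parse consecutive TLVs; refuse to run past the buffer or loop on a zero Length."""
    attrs, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("attribute length %d is out of bounds" % alen)
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return attrs


def attrs_are_well_formed(data):
    try:
        decode_attrs(data)
        return True
    except ValueError:
        return False


def cisco_avpairs(attrs):
    """Return the cisco-avpair strings; VSAs of other vendors are skipped, not errors."""
    pairs = []
    for atype, value in attrs:
        if atype != VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue
        for vtype, vvalue in decode_attrs(value[4:]):
            if vtype == CISCO_AVPAIR:
                pairs.append(vvalue.decode())
    return pairs


def parse_avpair(text):
    """Split protocol:attribute<sep>value; '=' marks a mandatory AV pair, '*' an optional one."""
    protocol, colon, rest = text.partition(":")
    if not colon:
        raise ValueError("missing protocol prefix")
    for i, ch in enumerate(rest):
        if ch in "=*":
            return {"protocol": protocol, "attribute": rest[:i],
                    "mandatory": ch == "=", "value": rest[i + 1:]}
    raise ValueError("missing '=' or '*' separator")


def build_packet(code, identifier, authenticator, attrs):
    """Code(1) Identifier(1) Length(2) Authenticator(16) followed by the attributes."""
    if len(authenticator) != 16:
        raise ValueError("authenticator must be 16 octets")
    body = b"".join(attrs)
    return struct.pack("!BBH", code, identifier, 20 + len(body)) + authenticator + body


def parse_packet(pkt):
    """Return (code, identifier, authenticator, attributes); Length must match the buffer."""
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("Length field disagrees with packet size")
    return code, identifier, pkt[4:20], decode_attrs(pkt[20:])
```

The authenticator is passed in as raw bytes; computing the Response Authenticator and hiding User-Password both need the shared secret and are not modelled here.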
DHCP allows a device such as a PC to be dynamically configured with network information such as an IP address, DNS, and WINS server addresses from a central location. DHCP removes the burden of managing and coordinating IP addressing, which can be a time-consuming task for large networks. In addition, DHCP allows PC users to move between different IP subnets (such as different offices) and still receive the correct network information each time they connect to the IP network. DHCP is a client/server protocol that uses Bootstrap Protocol (BOOTP) messages for its requests. DHCP messages from client to server are carried in BOOTP requests, whereas server to client messages are carried in BOOTP replies. The DHCP message consists of a series of options such as gateway address, allocated address, subnet mask, DNS server address, domain name, and so on. Figure 2-11 shows the basic steps for DHCP operation between a PC client and a DHCP server on the same LAN.


Figure 2-11. DHCP Operation

NOTE

BOOTP is an older protocol that provided functionality similar to DHCP, although in a severely limited fashion. DHCP is, in fact, an extension of BOOTP, mostly specifying new attributes that can be exchanged between the clients and the servers and new message types needed to support the more robust IP address allocation offered by DHCP.

The following steps illustrate the DHCP operation:

Step 1. The PC client broadcasts a DHCP DISCOVER message requesting an address allocation. The message will be received by all DHCP servers connected to the LAN (although we have shown only one).

Step 2. The DHCP server issues a DHCP OFFER message containing the IP address, domain name, DNS, lease time, and so on in a unicast message back to the PC. Note that several DHCP Offer messages might be received, depending on the number of DHCP servers connected to the LAN.


Step 3. The PC selects a received offer (usually the first or only one). At this point, the offer has not been formally accepted, but the DHCP server usually reserves the address (for a short period) until it receives a formal request from the PC. The PC formally requests the address offered by broadcasting a DHCP REQUEST. A broadcast is used so that the message serves as a reject to any other DHCP servers that made offers.


Step 4. The DHCP server confirms that the IP address has been allocated by responding with a DHCP ACK message that also includes other network configuration parameters.

The following are other messages that can be sent:

DHCPDECLINE — Client to server, indicating that the network address is already in use or there is another issue.

DHCPRELEASE — Client to server, indicating that the network address is to be relinquished and the remaining lease cancelled.

DHCPNAK — Server to client, indicating that the client's notion of network address is incorrect (for example, the client has moved to a new subnet) or the client's lease has expired.

DHCPINFORM — Client to server, asking only for local configuration parameters; the client already has an externally configured network address.

DHCP Relay Agents

The previous description is a reasonably simplistic view of how DHCP works. It assumes a DHCP server is available on every LAN in the network (which might well be the case if you are using the DHCP server feature in a Cisco router). However, if the DHCP server is centralized somewhere in the network, you must enable the DHCP relay agent feature by configuring the LAN interface of a Cisco router to get the DHCP messages between the client and the server. The operation of the DHCP relay agent feature is shown in Figure 2-12.

Figure 2-12. DHCP Relay Agent

DHCP Relay operates as follows:

Step 1. All client to server messages (DHCP Discover, DHCP Request, and so on) are sent in a BOOTP Request.

Step 2. The DHCP relay agent feature is activated on the router interface via the ip helper-address command. When the router sees a BOOTP Request that contains a DHCP message, it inserts its LAN interface address into the giaddr field of the BOOTP header, which in our example will be 192.168.30.1.

Step 3. The destination broadcast address in the original BOOTP message is replaced with the unicast IP address specified in the ip helper-address command. The BOOTP request is then forwarded directly to the DHCP server as a unicast message. The DHCP server uses the giaddr field to determine the subnet pool that an address should be allocated from.

Step 4. The server to client messages are returned directly to the DHCP relay agent (router) by using the giaddr as the destination. These messages from the server, such as DHCP Offer, DHCP ACK, and so on, are carried in a BOOTP Reply.

Step 5. The relay agent receives the message and forwards the reply as a broadcast or a unicast IP packet to the client PC.
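The four-step DHCP exchange and the five relay agent steps above, as an added Python model that is not part of the book. It lays the messages out as real BOOTP/DHCP octets (flags at octets 10-11, yiaddr at 16-19, giaddr at 24-27, the message type in option 53), runs DISCOVER/OFFER and REQUEST/ACK through a relay that stamps giaddr and unicasts to its helper address, and lets the server pick the pool from giaddr and reply to the relay. The relay address 192.168.30.1 and the DHCP server host 194.22.16.3 come from this chapter; the client MAC, the pool contents and the assumption that the helper address is that server are constructed for the example. A request whose giaddr matches no pool gets no reply, which is what a wrong helper address or a missing pool looks like from the client side.

```python
import ipaddress
import struct

BOOTREQUEST, BOOTREPLY = 1, 2                          # BOOTP op codes
DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, DHCPACK = 1, 2, 3, 5
MAGIC_COOKIE = b"\x63\x82\x53\x63"                     # start of the DHCP options
OPT_PAD, OPT_MSG_TYPE, OPT_END = 0, 53, 255
FLAG_BROADCAST = 0x8000                                # client asks for a broadcast reply

def build_message(op, xid, mac, msg_type, yiaddr="0.0.0.0", giaddr="0.0.0.0", flags=0):
    """Minimal BOOTP frame carrying one DHCP option, the message type (53)."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, xid, 0, flags,
        b"\0" * 4, ipaddress.IPv4Address(yiaddr).packed,   # ciaddr (unset), yiaddr
        b"\0" * 4, ipaddress.IPv4Address(giaddr).packed,   # siaddr (unset), giaddr at 24-27
        mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)     # chaddr, sname, file
    return header + MAGIC_COOKIE + bytes([OPT_MSG_TYPE, 1, msg_type, OPT_END])

def yiaddr(msg):
    return str(ipaddress.IPv4Address(msg[16:20]))

def giaddr(msg):
    return str(ipaddress.IPv4Address(msg[24:28]))

def message_type(msg):
    """Walk the options; None if the cookie is missing or an option is truncated."""
    if msg[236:240] != MAGIC_COOKIE:
        return None
    opts, i = msg[240:], 0
    while i < len(opts) and opts[i] != OPT_END:
        if opts[i] == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(opts) or i + 2 + opts[i + 1] > len(opts):
            return None
        if opts[i] == OPT_MSG_TYPE and opts[i + 1] == 1:
            return opts[i + 2]
        i += 2 + opts[i + 1]
    return None

class RelayAgent:
    """Router LAN interface with ip helper-address configured (steps 2, 3 and 5)."""
    def __init__(self, lan_ip, helper_addr):
        self.lan_ip, self.helper_addr = lan_ip, helper_addr

    def relay_request(self, msg):
        """Stamp giaddr (unless an upstream relay already did) and unicast to the helper."""
        if msg[0] != BOOTREQUEST:
            raise ValueError("only BOOTREQUEST messages are relayed towards the server")
        if giaddr(msg) == "0.0.0.0":
            msg = msg[:24] + ipaddress.IPv4Address(self.lan_ip).packed + msg[28:]
        return self.helper_addr, msg

    def relay_reply(self, msg):
        """Accept a BOOTREPLY addressed to our giaddr; broadcast it if the client asked."""
        if msg[0] != BOOTREPLY or giaddr(msg) != self.lan_ip:
            raise ValueError("reply is not addressed to this relay agent")
        flags = struct.unpack("!H", msg[10:12])[0]
        return ("255.255.255.255" if flags & FLAG_BROADCAST else yiaddr(msg)), msg

class DhcpServer:
    """Chooses the pool from giaddr (step 3) and replies to the relay agent (step 4)."""
    def __init__(self, pools):
        self.pools = {ipaddress.IPv4Network(n): list(a) for n, a in pools.items()}
        self.leases = {}                               # client MAC -> offered/acked address

    def handle(self, msg):
        """Return (destination, reply), or None when the request cannot be answered."""
        kind = message_type(msg)
        if msg[0] != BOOTREQUEST or kind not in (DHCPDISCOVER, DHCPREQUEST):
            return None
        relay_ip = giaddr(msg)
        if relay_ip == "0.0.0.0":
            return None                                # directly attached clients not modelled
        mac = msg[28:34]                               # first six octets of chaddr
        if mac not in self.leases:
            relay_addr = ipaddress.IPv4Address(relay_ip)
            free = next((a for n, a in self.pools.items() if relay_addr in n and a), None)
            if free is None:
                return None                            # giaddr matches no pool: no offer
            self.leases[mac] = free.pop(0)
        reply_type = DHCPOFFER if kind == DHCPDISCOVER else DHCPACK
        xid, _secs, flags = struct.unpack("!IHH", msg[4:12])
        return relay_ip, build_message(BOOTREPLY, xid, mac, reply_type, self.leases[mac], relay_ip, flags)

def run_exchange(server, relay, mac, xid=0x3903F326):
    """DISCOVER/OFFER then REQUEST/ACK through the relay; records what each hop saw."""
    trace = {}
    for req_type, name in ((DHCPDISCOVER, "offer"), (DHCPREQUEST, "ack")):
        request = build_message(BOOTREQUEST, xid, mac, req_type, flags=FLAG_BROADCAST)
        to_server, relayed = relay.relay_request(request)
        to_relay, reply = server.handle(relayed)
        to_client, final = relay.relay_reply(reply)
        trace[name] = {"server_dst": to_server, "giaddr": giaddr(relayed), "relay_dst": to_relay,
                       "client_dst": to_client, "yiaddr": yiaddr(final), "type": message_type(final)}
    return trace
```

Only the message type option is carried; a real OFFER also returns subnet mask, router, DNS and lease time as further options, and the relay agent leaves giaddr alone when a first-hop relay has already filled it in.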

Providing Dial-In Access to an MPLS VPN

This section covers two methods of connecting switched calls to an MPLS VPN. The first method is based on VPDN and supports both analogue PSTN and ISDN calls. The second method supports only pure digital calls and is used to terminate ISDN calls directly onto a PE router.


Throughout all our remote access examples in this chapter, we use the addressing as summarized in Table 2-2.

Table 2-2. IP Address Assignment for the SuperCom Network

Company     Site                                           Subnet/Host
SuperCom    San Jose VHG/PE router (loopback 0)            194.22.15.2/32
            Management PE router (loopback 0)              194.22.15.3/32
            San Jose NAS/LAC (loopback 0)                  194.22.15.4/32
            PE-CE interface addresses                      192.168.2.0/24
            Management LAN                                 194.22.16.0/24
            RADIUS server host                             194.22.16.2/32
            DHCP server host                               194.22.16.3/32
            San Jose overlapping remote address pool(s)    192.168.3.0/26
            Loopback for VRF instantiation                 192.168.2.100/32
FastFoods   Lyon subnet                                    10.2.1.0/24
            Lyon RADIUS server                             10.2.1.5/32
            Lyon sales data server                         10.2.1.6/32
            Fresno subnet (vending machine)                10.4.1.0/24
            Reno subnet (vending machine)                  10.5.1.0/24
            Dialer for Fresno Vending                      192.168.2.51/32
            Dialer for Reno Vending                        192.168.2.52/32
EuroBank    San Francisco subnet                           10.2.1.0/24
            Sacramento subnet (SOHO)                       10.3.1.0/24
            Palo Alto (DSL CPE)                            10.6.1.0/24
            Paris subnet                                   196.7.25.0/24
            Dialer for Modesto Branch                      192.168.2.61/32
            Dialer for Laguna Branch                       192.168.2.62/32

Dial-In Access via L2TP VPDN

This solution allows a service provider to offer a wholesale dial service to remote customers of an MPLS VPN. The remote clients dial a service provider POP by using the PSTN or ISDN and, after the appropriate authentication and L2TP procedures are executed, are connected to a PE router in the service provider network that provides access to the relevant VRF. The mechanisms used to provide remote access to an MPLS VPN are based on the VPDN model. The advantage of using VPDN is to separate the remote access function from the edge function. A user can dial in to any NAS in the network and, using an L2TP tunnel, be directed to the nearest PE router that holds the appropriate VRF. Without this functionality, a VRF for every VPN that has remote access capabilities must be preinstantiated on every NAS that the user might possibly dial.

To best explain the various components and procedures, we shall use the SuperCom network shown in Figure 2-13. SuperCom can provide wholesale dial services through the NASes installed in its POPs, including the San Jose NAS shown in the diagram. The FastFoods Corporation has a requirement to provide real-time sales data to its worldwide mobile sales force from a network server that is located in FastFoods Marketing HQ in Lyon. Rather than building a private global remote access network at substantial cost, FastFoods has elected to use the SuperCom shared remote access infrastructure. This allows FastFoods to provide access to its VPN from any region worldwide where SuperCom has a POP presence. For the sake of simplifying the example, we will show the remote access process for a single remote salesperson called elvis@fastfoods.com, who is located somewhere on the U.S. West Coast and wants to access the FastFoods sales data on a server at FastFoods European headquarters in Lyon.

Figure 2-13. SuperCom Dial-In Using VPDN

Although the remote dial-in access to an MPLS VPN follows the same procedures as a standard VPDN connection, certain parts of the process change slightly; for example, a SuperCom PE router rather than a FastFoods CE router performs the LNS function. The process is summarized as follows:

When elvis@fastfoods.com dials in using PPP, the SuperCom San Jose NAS/LAC extracts the domain name fastfoods.com, and passes it to the SuperCom RADIUS server for authentication. The SuperCom RADIUS server is reachable via the global routing table. If the domain name authentication succeeds, then the SuperCom RADIUS server passes

back t h e r elevan t L2TP in for m at ion f or fast f oods. com , includ in g t he I P ad dr ess of t he t un nel endp oint ( LNS) . Not e t h at t he Sup er Com RADI US ser v er con t ains dom ain ent r ies r at her t h an specific user ent r ies; t hat is, it has an ent ry f or fast f oods. com r at h er t han one f or elvis@fast f oods. com .

• •

The LAC builds an L2TP t u nnel t o t he LNS. I n MPLS VPN r emot e access t er m inology , t h e LNS can also b e r ef er r ed t o as t h e v ir t ual h om e gat ew ay ( VHG) . Th e t erm VHG r efer s t o t he fact t hat t he LNS fu nct ion is p er f orm ed on a PE r out er r at her t han an LNS r esiding Table of Content s on a cust om er C rou t er. I n our ex am ple, t his VHG/ PE r ou t er is locat ed at San Jose, and I ndex w e w ill r ef er t o it as t he Super Com San Jose VHG/ PE r out er .

MP LS and V PN Ar chi te ctur e s, V olum e I I

By Jim Guichard , I van Pepelnjak , Jeff Apcar

Pub lish er: Cisco Press

NOTE

Pub Dat e: Ju ne 06, 2 00 3 I SBN: 1- 58 705 -1 12 -5

You can u se t he t er ms VHG an d PE/ LNS in t er chan geably.

Pages: 50 4

The San Jose VHG/ PE r out er m ust pr ein st ant iat e t h e Fast Foods VRF t hat t erm inat es t h e L2 TP t u nnel t o m in imize t he conv er g en ce t im e f or pop ulat ing t he VRF w it h rou t es. The San er Volum t er m inat Wit h MPLS and Jose VPN VHG/ Ar chitPE ectr uout res, e I Ies , yt he ou' L2TP ll lear tnunn : el by using a vir t ual- t em plat e or a v irt u al- pr ofile. ( You w ill lear n t he d if fer ence lat er . ) Th e Sup er Com net w ork u ses v ir t ualpr of iles; t h er efor e, it ob t ains t h e infor m at ion t o cr eat e a v ir t ual int er f ace f r om t he Howert oCom int egr at eUS v arser iouvserr.em access echn ologies t o t hsu e ch back p r ovidin Sup RADI Thot iseinfor m attion inclu des itinems asbone t he VRF f or t hg eVPN t o er mface, any dt iff yp esaddr of cu st om vser irtvuice al int heerinent t er ft ace ess, aner d st he I P ad dr ess p ool. The r em ot e user accesses t he VRF t hr ough an associat ed v ir t ual in t er f ace. The n ew PE- CE r out in g op t ions as w ell as ot her adv anced f eat ur es, includ ing per- VPN To t ainAd t he r elev infor m at ionNAT) t o cr eat e t he v ir t ual in t er f ace, t h e San Jose VHG/ PE Netob w ork dr ess Trant an slat ion ( PEr out er r equest s aut h en t icat ion f or elvis@fast f oods. com f r om t he Super Com RAD I US How VRFs t ended a cust er not sit e hold t o pr tov ar at inside t heat ion; ser v er. Thecan Supbe er ex Com RADIint USo ser v er om does hiside indsep ividu alion user inf orm cust om ere, net wust ork pr oxy t he r equest t o t he r elev ant cust om er RADI US ser v er . I n our t her efor it m exam ple, t h is is t he Lyon Fast Food s RADI US serv er . To achiev e con nect iv it y b et w een t h e The est MPLS y f eat u res an disdnesign s aim at isprcov ot ect ing int hae lat MPLS VPN RADIlat US serv er s, VPN additsecur ionalit con figu rat ion ecessar y. 
ed This er ed er sect ion back bone t it led " Con figu ring Access Bet w een t h e Super Com an d Fast Foods RAD I US ser ver s. " How t o carr y cust om er m ult icast t r aff ic insid e a VPN

Configuring the SuperCom San Jose NAS/LAC

The San Jose NAS/LAC configuration is reasonably simple because the SuperCom RADIUS server provides the details that are used to create the appropriate L2TP tunnel for the dial-in user. The necessary configuration is shown in Example 2-1.

NOTE

The configuration shown here and the RADIUS attributes in the following section are not specific to MPLS VPNs but are required for any L2TP VPDN access.

Example 2-1. San Jose NAS/LAC Configuration

hostname SanJose_NAS
!
aaa new-model
aaa authentication ppp default local group radius
aaa authorization network default local group radius
!
vpdn enable
vpdn search-order domain
!
interface Loopback0
 ip address 194.22.15.4 255.255.255.255
!
ip radius source-interface Loopback0
!
radius-server host 194.22.16.2 auth-port 1645 acct-port 1646 key a$4two

The aaa commands specify that any incoming PPP connections or network service requests (VPDN/L2TP) should be authenticated or authorized by checking the locally configured database first and then the SuperCom RADIUS server, whose details are configured with the radius-server host command. The vpdn commands enable VPDN and specify that only the domain name portion (fastfoods.com) of the incoming username (elvis@fastfoods.com) should be used when obtaining VPDN tunnel authorization from the SuperCom RADIUS server. It is also a good idea to statically configure the source address used by the router when sending RADIUS messages so that the RADIUS server can easily identify RADIUS clients. This is achieved through the ip radius source-interface command.

NOTE

The configuration does not rely on individual VPDN groups being configured for each domain. The SuperCom RADIUS server provides this information, as discussed in the next section.

SuperCom RADIUS Server Attributes

The RADIUS server that SuperCom manages authenticates on the domain name associated with the remote user. Therefore, the entries in the RADIUS server consist of only domain names, not fully qualified user names such as elvis@fastfoods.com. Each domain entry consists of a series of RADIUS attribute value (AV) pairs defining the VPDN information for that domain. This information is passed back to the LAC so that an L2TP tunnel can be built to the appropriate LNS.



NOTE

A RADIUS server does not actually distinguish between a user name and a domain name; it only compares the string the RADIUS client (in our case, the LAC or LNS) passes to it in an access-request message. If the server finds an exact match for the string in its database, then the AV pairs that are associated with that entry are passed back in an access-accept message. This means that the SuperCom RADIUS server is not limited to keeping information on the domain name only; it can also authenticate the fully qualified user name elvis@fastfoods.com if FastFoods does not have its own RADIUS server.

The SuperCom RADIUS server attributes that are used to create an L2TP tunnel for fastfoods.com are shown in Table 2-3. The method in which the AV pairs are set or configured is beyond the scope of this book because it varies between RADIUS server implementations. The attributes shown are defined in RFC 2868, "RADIUS Attributes for Tunnel Protocol Support." The table also provides the corresponding Cisco AV pairs that were available prior to the publication of RFC 2868. The latest Cisco IOS versions accept either AV pair format.

Table 2-3. SuperCom RADIUS Attributes

Attribute (Type)             Value                          Corresponding Cisco AV Pair
User-Name (1)                fastfoods.com
User-Password (2)            cisco
Tunnel-Type (64)             3 (L2TP)                       vpdn:tunnel-type=l2tp
Tunnel-Medium-Type (65)      1 (IPv4)
Tunnel-Server-Endpoint (67)  194.22.15.2 (San Jose VHG/PE)  vpdn:ip-addresses=194.22.15.2
Tunnel-Password (69)         vision                         vpdn:l2tp-tunnel-password=vision
Tunnel-Client-Auth-ID (90)   SuperCom_LAC                   vpdn:tunnel-id=SuperCom_LAC
Tunnel-Server-Auth-ID (91)   SuperCom_LNS

The User-Name attribute defines the domain name that the San Jose NAS/LAC passes to the server. The password has a static value of "cisco."

NOTE

A static password of "cisco" is always used in the RADIUS message when the LAC requests VPDN authorization for a domain. Therefore, all domain name entries on a RADIUS server must be configured with the password "cisco."

The other AV pairs request the San Jose NAS/LAC to build an L2TP tunnel for IPv4 packets to the destination 194.22.15.2. The local name that the San Jose NAS/LAC uses for the tunnel is "SuperCom_LAC." This name corresponds to the terminate-from hostname command that is configured on the San Jose VHG/PE router, which is discussed in the next section. Finally, for authentication purposes, the tunnel uses the password "vision," and the remote name expected is "SuperCom_LNS."

An alternative to using a RADIUS server for VPDN authorization is to configure a static VPDN group on the SuperCom NAS/LAC. The disadvantage of this is the increased operational overhead if there are many NAS/LACs to maintain and configure. By using a centralized RADIUS server, all VPDN configurations can be maintained in one place and used by many NAS/LACs. Example 2-2 shows what the static VPDN configuration that corresponds to the RADIUS AV pairs in Table 2-1 looks like in Cisco IOS.

Example 2-2. San Jose NAS/LAC VPDN Group Configuration

vpdn-group 10
 request-dialin
  protocol l2tp
  domain fastfoods.com
 initiate-to ip 194.22.15.2
 local name SuperCom_LAC
 l2tp tunnel password vision
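The following Python model walks through the dial-in steps summarized earlier (domain extraction on the LAC, exact-string lookup on the SuperCom RADIUS server returning the Table 2-3 tunnel attributes, tunnel acceptance on the VHG/PE, and proxying of the full user name to the customer RADIUS server). It is an added example, not code from the book or from Cisco IOS; the FastFoods user entry, its password, the proxy table and the "vrf"/"pool" attribute names are assumptions.

```python
"""Model of the SuperCom dial-in flow (added example, not code from the book)."""

# RFC 2868 attribute numbers used in Table 2-3
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_SERVER_ENDPOINT = 67
TUNNEL_PASSWORD = 69
TUNNEL_CLIENT_AUTH_ID = 90
TUNNEL_SERVER_AUTH_ID = 91
L2TP, IPV4 = 3, 1
VPDN_DOMAIN_PASSWORD = "cisco"  # static password the LAC always sends for a domain

# SuperCom RADIUS database: domain entries only, keyed by the exact User-Name string
SUPERCOM_RADIUS = {
    "fastfoods.com": {
        "password": VPDN_DOMAIN_PASSWORD,
        "avpairs": {
            TUNNEL_TYPE: L2TP,
            TUNNEL_MEDIUM_TYPE: IPV4,
            TUNNEL_SERVER_ENDPOINT: "194.22.15.2",  # San Jose VHG/PE
            TUNNEL_PASSWORD: "vision",
            TUNNEL_CLIENT_AUTH_ID: "SuperCom_LAC",
            TUNNEL_SERVER_AUTH_ID: "SuperCom_LNS",
        },
    },
}
# Proxy table (assumed): customer RADIUS server that owns the full user names of a domain
SUPERCOM_PROXY = {"fastfoods.com": "lyon-radius"}
# FastFoods (Lyon) RADIUS database (assumed, constructed sample data); "vrf" and "pool"
# stand in for the per-user attributes the next section describes
CUSTOMER_RADIUS = {
    "lyon-radius": {
        "elvis@fastfoods.com": {
            "password": "example-pass",
            "avpairs": {"vrf": "FastFoods", "pool": "FastFoods_Pool"},
        },
    },
}


def radius_lookup(db, user_name, password):
    """Exact-string match on User-Name (no user/domain distinction); AV pairs or None."""
    entry = db.get(user_name)
    if entry is None or entry["password"] != password:
        return None  # Access-Reject
    return entry["avpairs"]  # Access-Accept


def supercom_access_request(user_name, password):
    """SuperCom RADIUS: answer from its own domain entries, otherwise proxy by domain."""
    avpairs = radius_lookup(SUPERCOM_RADIUS, user_name, password)
    if avpairs is not None:
        return avpairs
    server = SUPERCOM_PROXY.get(user_name.partition("@")[2])
    if server is None:
        return None  # no proxy entry for this domain
    return radius_lookup(CUSTOMER_RADIUS[server], user_name, password)


def lac_vpdn_authorization(user_name):
    """NAS/LAC with 'vpdn search-order domain': authorize on the domain part only."""
    domain = user_name.partition("@")[2]
    avpairs = supercom_access_request(domain, VPDN_DOMAIN_PASSWORD)
    if avpairs is None:
        return None
    if avpairs.get(TUNNEL_TYPE) != L2TP or avpairs.get(TUNNEL_MEDIUM_TYPE) != IPV4:
        return None  # only an L2TP-over-IPv4 tunnel is modelled here
    # the same parameters that the static vpdn-group in Example 2-2 hard-codes
    return {
        "initiate_to": avpairs[TUNNEL_SERVER_ENDPOINT],
        "local_name": avpairs[TUNNEL_CLIENT_AUTH_ID],
        "remote_name": avpairs[TUNNEL_SERVER_AUTH_ID],
        "tunnel_password": avpairs[TUNNEL_PASSWORD],
    }


# VHG/PE side, mirroring the accept-dialin vpdn-group of Example 2-3
LNS_VPDN_GROUP = {
    "terminate_from": "SuperCom_LAC",
    "local_name": "SuperCom_LNS",
    "tunnel_password": "vision",
}


def lns_accepts_tunnel(tunnel):
    """Accept the tunnel only when LAC name, expected LNS name and password all match."""
    return (
        tunnel["local_name"] == LNS_VPDN_GROUP["terminate_from"]
        and tunnel["remote_name"] == LNS_VPDN_GROUP["local_name"]
        and tunnel["tunnel_password"] == LNS_VPDN_GROUP["tunnel_password"]
    )


def dial_in(user_name, user_password):
    """Whole flow for one remote user: VRF for the virtual-access interface, or None."""
    tunnel = lac_vpdn_authorization(user_name)
    if tunnel is None or not lns_accepts_tunnel(tunnel):
        return None
    # the LNS authenticates the full user name; SuperCom RADIUS proxies it to Lyon
    avpairs = supercom_access_request(user_name, user_password)
    return None if avpairs is None else avpairs.get("vrf")
```

A user whose domain has no entry (or no proxy entry) never gets a tunnel, and a wrong user password is rejected by the customer server even though the domain-level tunnel authorization succeeded.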

Configuring the SuperCom San Jose VHG/PE Router

The San Jose VHG/PE router terminates the L2TP tunnel from the San Jose NAS/LAC. The remote PPP session received through the tunnel from elvis@fastfoods.com is terminated on a virtual-access interface. The virtual-access interface is associated with the FastFoods VRF to allow elvis@fastfoods.com access to the FastFoods VPN. You can create a virtual-access interface by cloning through the use of virtual templates or virtual-profiles.

Virtual templates are configured for individual VPNs. Each associated virtual interface template must be configured for a specific VRF to preinstantiate the route for that VRF. Cisco IOS permits no more than 25 virtual-templates to be configured on a router; therefore, the use of virtual-templates does not scale well and is not recommended for terminating a large number of VPNs.

Virtual-profiles are more flexible and can use a common virtual-template or an AAA (in our case, it will be RADIUS) server to provide the additional configuration details needed to create the virtual-access interface. The configuration information on the AAA server is held on a per-user basis. Virtual-profiles simplify the configuration and provide a more scalable approach for tunnel termination because only a single virtual-template configuration is required for VPNs that terminate on the LNS. Example 2-3 shows the necessary configuration for the San Jose VHG/PE router.

Example 2-3. San Jose VHG/PE Router Configuration

hostname SanJose_PE
!
aaa authentication ppp default local group radius
aaa authorization network default local group radius
!
virtual-profile aaa
vpdn enable
!
vpdn-group 1
 accept-dialin
  protocol l2tp
  virtual-Template 1
 terminate-from hostname SuperCom_LAC
 local name SuperCom_LNS
 l2tp tunnel password vision
!
interface virtual-Template1
 no ip address
 no peer default ip address
 ppp authentication chap callin
!
ip local pool SuperCom_Pool 192.168.3.1 192.168.3.62
ip local pool FastFoods_Pool 192.168.3.1 192.168.3.62 group VPN_FastFoods
ip local pool EuroBank_Pool 192.168.3.1 192.168.3.62 group VPN_EuroBank
!
ip radius source-interface Loopback0
!
radius-server host 194.22.16.2 auth-port 1645 acct-port 1646 key a$4two

The aaa configuration is identical to what the SuperCom NAS/LAC uses because both use the same SuperCom RADIUS server. The operational difference is that the San Jose NAS/LAC passes the domain name fastfoods.com to the SuperCom RADIUS server, which responds directly. In contrast, the San Jose VHG/PE router passes the fully qualified user name elvis@fastfoods.com to the SuperCom RADIUS server for authentication, which, in turn, proxies the message to the FastFoods RADIUS server for processing. The virtual-profile aaa command enables the LNS to obtain configuration information from the RADIUS server on a per-user basis that can be applied to the virtual-template. In our case, the vpdn-group command supplies the virtual-template number. A single VPDN group configuration is required to terminate an L2TP tunnel from any LAC that has the name SuperCom_LAC with a password of "vision." The LNS uses the local name SuperCom_LNS for authentication, which matches the AV pair information previously provided to the SuperCom NAS/LAC in Table 2-1. The vpdn-group is associated with the generic virtual-template 1. This virtual-template is used in conjunction with information received from the FastFoods RADIUS server to create the virtual-access interface for the remote user.

The San Jose VHG/PE router uses locally configured overlapping pools to provide IP addresses to remote users. The overlapping pool feature allows the same address space to be used concurrently in different VRFs by appending a group name on the ip local pool command. In our example, three pools have been configured to use the same address range 192.168.3.1 through 192.168.3.62:

- A SuperCom_Pool for remote users who are accessing services in the global routing table (such as best-effort Internet)
- A FastFoods_Pool for remote users of the FastFoods VPN
- A EuroBank_Pool for remote users of the EuroBank VPN

NOTE

In a production network, the pools used would most likely provide registered addresses.

You can find further discussion on other addressing options in the "Advanced Features for MPLS VPN Remote Access" section.

To complete the configuration, we must preinstantiate all the VRFs to be accessed through this LNS. We cannot rely on dynamic instantiation of the VRF routing information when the first user dials in because Multiprotocol BGP might take up to 60 seconds to converge the routes for the new VRF. To avoid this delay, create and associate a loopback interface with the applicable VRF, as shown in Example 2-4.
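The overlapping-pool behaviour described above, modelled in Python as an added example (not code from the book or from Cisco IOS): address uniqueness is tracked per group, so the same address can be live in the FastFoods and EuroBank VRFs at once, and an address on its own does not identify a session without its group.

```python
"""Overlapping address pools scoped by group, as 'ip local pool ... group' allows
(added example, not code from the book)."""
import ipaddress


class LocalPools:
    """Pools of the VHG/PE; a group name scopes address uniqueness to one VRF."""

    def __init__(self):
        self.pools = {}   # pool name -> (group, list of addresses)
        self.in_use = {}  # (group, address) -> pool name currently holding it

    def define(self, name, first, last, group=None):
        """'ip local pool NAME FIRST LAST [group GROUP]'; group None is the global table."""
        lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
        self.pools[name] = (group, [str(lo + i) for i in range(int(hi) - int(lo) + 1)])

    def allocate(self, name):
        """First address of the pool not already in use within the pool's group, or None."""
        group, addresses = self.pools[name]
        for addr in addresses:
            if (group, addr) not in self.in_use:
                self.in_use[(group, addr)] = name
                return addr
        return None  # pool exhausted for this group

    def release(self, name, addr):
        """Return an address to its pool when the remote user disconnects."""
        group, _ = self.pools[name]
        self.in_use.pop((group, addr), None)

    def holder(self, addr, group):
        """Pool holding addr; meaningful only together with the group (VRF) it was used in."""
        return self.in_use.get((group, addr))


def san_jose_pools():
    """The three pools of Example 2-3: one address range, three groups."""
    pools = LocalPools()
    pools.define("SuperCom_Pool", "192.168.3.1", "192.168.3.62")
    pools.define("FastFoods_Pool", "192.168.3.1", "192.168.3.62", group="VPN_FastFoods")
    pools.define("EuroBank_Pool", "192.168.3.1", "192.168.3.62", group="VPN_EuroBank")
    return pools
```

For accounting or log correlation this means a RADIUS Framed-IP-Address alone is ambiguous on this LNS; the record must also carry which VRF (group) the session belonged to.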

Example 2-4. Preinstantiation of VRFs

ip vrf FastFoods
 rd 10:26
 route-target export 10:26
 route-target import 10:26
!
interface Loopback10
 ip vrf forwarding FastFoods
 ip address 192.168.2.100 255.255.255.255

To reduce the number of addresses required, you can use the same address 192.168.2.100 on every loopback that is required for instantiation.

NOTE

A full explanation of how routes are converged between VPN sites is provided in Chapter 12 of Cisco Press's MPLS and VPN Architectures, Volume I, ISBN 1587050811.

FastFoods RADIUS Server Attributes

The FastFoods RADIUS server authenticates any remote users who request access to the FastFoods VPN via a proxy request from the SuperCom RADIUS server. If authentication succeeds, an access-accept message is returned (via the SuperCom RADIUS server) that contains the RADIUS attributes required to assist in configuring the virtual-access interface in the San Jose VHG/PE router for the remote user.

NOTE

Unless the VPN customer requests SuperCom to manage its remote user lists, the SuperCom RADIUS server must have a proxy entry to a customer RADIUS server for every domain it services.

The FastFoods RADIUS server attributes for user elvis@fastfoods.com are shown in Table 2-4. All of the Cisco-avpair attributes shown here are service provider specific, such as the pool name, loopback address, and VRF name. This information can be stored on the FastFoods RADIUS server and passed back for the user. In practice, however, this is not recommended due to the security implications of a customer being able to configure a service provider's network interfaces. It is more likely that the SuperCom RADIUS server would add the service provider-specific attributes to proxy requests, which would then be passed back with an access-accept message from the FastFoods RADIUS server. The Cisco-avpairs are shown in this table together with user-specific attributes to simplify the explanation.

Table 2-4. User elvis@fastfoods.com RADIUS Attributes

Attribute (Type)       Value
User-Name (1)          elvis@fastfoods.com
User-Password (2)      whatsthebuzz
Service-Type (6)       1 (Framed)
Framed-Protocol (7)    1 (PPP)
Cisco-avpair           lcp:interface-config=ip vrf forwarding FastFoods \n ip unnumbered loopback 10 \n peer default ip address pool FastFoods_Pool

NOTE

The \n in the Cisco-avpair signifies an explicit carriage return. Usage will vary between RADIUS server implementations.

Based on these attributes, the SuperCom PE/LNS will create a virtual interface to terminate the PPP session. This interface will be placed in the FastFoods VRF and use the address of loopback 10, as discussed in Example 2-4. The remote user elvis@fastfoods.com will be provided with the next available address from the local address pool called FastFoods_Pool.
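The proxy behaviour recommended above, as an added illustration that is not from the book: a service provider RADIUS proxy that relays a customer's user-specific attributes but never lets the customer's access-accept carry an lcp:interface-config Cisco-avpair, building that avpair from its own per-domain policy instead. The SP_DOMAIN_POLICY table, the CUSTOMER_ALLOWED allow-list and the merge_access_accept function are assumptions of this example; the FastFoods values are those of Table 2-4 and Example 2-4.

```python
# Added illustration, not from the book: a service provider RADIUS proxy
# policy for the attributes in Table 2-4.  The customer's server may return
# user-specific attributes, but the lcp:interface-config Cisco-avpair (which
# configures the SP's virtual-access interface) is always built by the SP.

# Per-domain policy held by the SP (assumed structure; the FastFoods values
# are those of Table 2-4 and Example 2-4).
SP_DOMAIN_POLICY = {
    "fastfoods.com": {
        "vrf": "FastFoods",
        "loopback": "loopback 10",
        "pool": "FastFoods_Pool",
    },
}

# Standard attributes a customer access-accept may carry through (assumed
# allow-list; anything else, including every Cisco-avpair, is dropped).
CUSTOMER_ALLOWED = {"Service-Type", "Framed-Protocol", "Framed-IP-Address",
                    "Idle-Timeout", "Session-Timeout"}

INTERFACE_CONFIG = "lcp:interface-config="
# The literal two-character "\n" separates IOS lines inside the avpair, as
# in Table 2-4; other RADIUS servers may encode the line break differently.
LINE_SEP = "\\n"


def domain_of(user_name):
    """Realm part of a fully qualified user name, e.g. elvis@fastfoods.com."""
    if "@" not in user_name:
        raise ValueError(f"no domain in user name {user_name!r}")
    return user_name.rsplit("@", 1)[1].lower()


def interface_config_avpair(policy):
    """Build the SP-controlled lcp:interface-config Cisco-avpair."""
    lines = [
        f"ip vrf forwarding {policy['vrf']}",
        f"ip unnumbered {policy['loopback']}",
        f"peer default ip address pool {policy['pool']}",
    ]
    return INTERFACE_CONFIG + LINE_SEP.join(lines)


def split_interface_config(avpair):
    """Inverse: the IOS lines the LNS would apply to the virtual-access interface."""
    if not avpair.startswith(INTERFACE_CONFIG):
        raise ValueError("not an lcp:interface-config avpair")
    return avpair[len(INTERFACE_CONFIG):].split(LINE_SEP)


def merge_access_accept(user_name, customer_attrs):
    """Filter a customer's access-accept and append the SP's interface config.

    customer_attrs is a list of (attribute, value) pairs.  Returns
    (forwarded, dropped): forwarded goes back to the NAS/LNS, dropped is
    what the customer sent but the SP refused to relay.
    """
    policy = SP_DOMAIN_POLICY[domain_of(user_name)]  # KeyError: no proxy entry
    forwarded, dropped = [], []
    for name, value in customer_attrs:
        if name in CUSTOMER_ALLOWED:
            forwarded.append((name, value))
        else:
            dropped.append((name, value))
    forwarded.append(("Cisco-avpair", interface_config_avpair(policy)))
    return forwarded, dropped


if __name__ == "__main__":
    # Constructed access-accept: the customer server tries to place the user
    # in a different VRF; the proxy discards that avpair and adds its own.
    reply = [("Service-Type", "1 (Framed)"),
             ("Framed-Protocol", "1 (PPP)"),
             ("Cisco-avpair", INTERFACE_CONFIG + "ip vrf forwarding EuroBank")]
    fwd, drp = merge_access_accept("elvis@fastfoods.com", reply)
    for attr in fwd:
        print("forward:", attr)
    for attr in drp:
        print("drop:   ", attr)
```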

NOTE

It is likely that the FastFoods RADIUS server would only contain username entries such as "fred" rather than the fully qualified domain name. A proxy script on the SuperCom RADIUS server would be responsible for stripping off the domain name before proxying the request.

Configuring Access Between SuperCom and FastFoods RADIUS Servers

The FastFoods RADIUS server is only reachable via the FastFoods VRF. The SuperCom RADIUS server is connected to an interface on the Management PE router and must be reachable via the global routing table for all SuperCom routers that require RADIUS services. This is because the radius-server host command that is configured on the NAS and PE routers only operates in the global routing space. Therefore, some additional configuration is required to allow the SuperCom RADIUS server to communicate with both the NAS and PE routers in the global table and the RADIUS server in the FastFoods VRF, without compromising security in the FastFoods network. This is achieved by using the MPLS VPN mechanisms of route-targets and route-maps, as shown in Figure 2-14.


Figure 2-14. RADIUS Connectivity


The SuperCom RADIUS server should be placed in a Management VRF to isolate the SuperCom management addresses from the global table. This is done on the Management PE router shown in Figure 2-13. This allows the FastFoods RADIUS server host address to be exported to the Management VRF and the SuperCom RADIUS server host address to be exported to the FastFoods VRF. Both RADIUS servers can then communicate directly with each other. The FastFoods network remains secure because access is limited to the FastFoods RADIUS server from the Management VRF only.

Access to the SuperCom RADIUS server from the global routing table (for SuperCom routers) is achieved by placing a static route into the Management VRF that points to the global SuperCom network, as well as a static route in the global routing table that points to the SuperCom Management network.

NOTE

Chapter 12 of Cisco Press's Volume I of MPLS and VPN Architectures provides further detailed information on advanced scenarios such as route leaking between a VRF and the global routing table.

Examples 2-5 and 2-6 show the relevant configurations on the Management and Paris PE routers to accomplish proxy access.

Example 2-5. Management PE Configuration for RADIUS Proxy

hostname Management_PE
!
ip vrf SuperCom_Management
 rd 10:1
 export map OUT-Management-RADIUS
 route-target import 10:2
!
access-list 20 permit host 194.22.16.2
!
route-map OUT-Management-RADIUS permit 10
 match ip address 20
 set extcommunity rt 10:1
!
ip route 194.22.16.0 255.255.255.0 Ethernet5/0
ip route vrf SuperCom_Management 194.22.15.0 255.255.255.0 POS3/0
ip route vrf SuperCom_Management 194.22.16.2 255.255.255.255 Ethernet5/0 194.22.16.2

The Management PE configuration has an export map defined that permits only the SuperCom RADIUS server address (194.22.16.2) to be set with the route-target 10:1. The FastFoods VRF on the Paris PE router (shown in Example 2-6) has a corresponding route-target import for 10:1. Conversely, the FastFoods VRF has a similar export map setting the route-target to 10:2 for the FastFoods RADIUS server (10.2.1.5), which the Management VRF then imports. The "additive" keyword is necessary to allow the route-target 10:2 to be appended to the existing route-target 10:26. Without the "additive" keyword, the default action is to overwrite all existing route-targets.

Three static routes are defined on the Management PE router. The first static route creates a route to the Management subnet in the global routing table. The next static route creates a route to allow devices in the global routing table access via POS3/0 (the interface that connects the Management PE to the backbone). Note that this static command does not require the "global" keyword because we are using an interface name, not a next-hop address. The last static route creates a host route to the SuperCom RADIUS server to be used to export to the FastFoods VRF. (The export route map matches on this entry.) The Paris PE router has a single static host route configured pointing to the FastFoods RADIUS server, shown in Example 2-6.

Example 2-6. Paris PE Configuration for RADIUS Proxy

hostname Paris_PE
!
ip vrf FastFoods
 rd 10:26
 export map OUT-Customer-RADIUS
 route-target export 10:26
 route-target import 10:26
 route-target import 10:1
!
access-list 20 permit host 10.2.1.5
!
route-map OUT-Customer-RADIUS permit 10
 match ip address 20
 set extcommunity rt 10:2 additive
!
ip route vrf FastFoods 10.2.1.5 255.255.255.255 FastEthernet0/1 192.168.2.21

Example 2-7 shows the routing entries for the Management and FastFoods VRFs. As you can see, both VRFs import only the relevant RADIUS host address, 10.2.1.5 or 194.22.16.2. You can also see the static entries discussed previously.

Example 2-7. Management and FastFoods VRF Tables

Management_PE#show ip route vrf SuperCom_Management
[snip]
S    194.22.15.0/24 is directly connected, POS3/0
     10.0.0.0/32 is subnetted, 1 subnets
B       10.2.1.5 [200/0] via 194.22.15.1, 4d21h
     194.22.16.0/24 is variably subnetted, 2 subnets, 2 masks
C       194.22.16.0/24 is directly connected, Ethernet5/0
S       194.22.16.2/32 [1/0] via 194.22.16.2, Ethernet5/0
-----------------------------------------------------------------------
Paris_PE#show ip route vrf FastFoods
[snip]
     10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
S       10.2.1.0/24 [1/0] via 192.168.2.21
S       10.2.1.5/32 [1/0] via 192.168.2.21, FastEthernet0/1
     192.168.2.0/24 is variably subnetted, 2 subnets, 2 masks
B       192.168.2.100/32 [200/0] via 194.22.15.2, 00:19:03
C       192.168.2.20/30 is directly connected, FastEthernet0/1
     194.22.16.0/32 is subnetted, 1 subnets
B       194.22.16.2 [200/0] via 194.22.15.3, 00:19:33
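A small model of the route-target exchange in Examples 2-5 through 2-7, added here as an illustration and not taken from the book: it applies the two export maps to each VRF's routes and shows what the Management VRF, the Paris FastFoods VRF and a plain FastFoods site that imports only 10:26 (such as the San Jose VHG/PE of Example 2-4) each receive, with and without the additive keyword. The Route and Vrf classes, and the modelled rule that routes not matched by an export map keep the VRF's configured export route-targets, are assumptions of this example.

```python
# Added illustration, not from the book: what the export maps of Examples
# 2-5 and 2-6 do to the route-targets on each VPNv4 route, and which
# prefixes each VRF therefore imports (compare Example 2-7).
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str
    rts: frozenset          # route-target extended communities carried


@dataclass
class Vrf:
    name: str
    export_rts: frozenset = frozenset()   # route-target export ...
    import_rts: frozenset = frozenset()   # route-target import ...
    # export map, modelled as (prefixes the ACL matches, rt set, additive?)
    export_map: tuple = None
    local_routes: tuple = ()


def export_routes(vrf):
    """Advertise the VRF's routes with the route-targets they would carry.

    Modelled IOS behaviour (assumption): routes not matched by the export
    map keep the configured export RTs; a matched route gets the map's RT
    added to them with 'additive', or replacing them without it.
    """
    advertised = []
    for prefix in vrf.local_routes:
        rts = set(vrf.export_rts)
        if vrf.export_map is not None:
            matched, rt, additive = vrf.export_map
            if prefix in matched:
                rts = rts | {rt} if additive else {rt}
        advertised.append(Route(prefix, frozenset(rts)))
    return advertised


def import_routes(vrf, advertised):
    """Prefixes this VRF accepts: any route carrying one of its import RTs."""
    return sorted(r.prefix for r in advertised if r.rts & vrf.import_rts)


def build_vrfs(additive=True):
    """The Management PE VRF, the Paris PE VRF and a plain FastFoods site."""
    mgmt = Vrf("SuperCom_Management",
               import_rts=frozenset({"10:2"}),
               export_map=({"194.22.16.2/32"}, "10:1", False),  # OUT-Management-RADIUS
               local_routes=("194.22.15.0/24", "194.22.16.0/24", "194.22.16.2/32"))
    paris = Vrf("FastFoods@Paris",
                export_rts=frozenset({"10:26"}),
                import_rts=frozenset({"10:26", "10:1"}),
                export_map=({"10.2.1.5/32"}, "10:2", additive),  # OUT-Customer-RADIUS
                local_routes=("10.2.1.0/24", "10.2.1.5/32", "192.168.2.20/30"))
    sanjose = Vrf("FastFoods@SanJose",                          # as in Example 2-4
                  export_rts=frozenset({"10:26"}),
                  import_rts=frozenset({"10:26"}))
    return mgmt, paris, sanjose


def leaked_routes(additive=True):
    """What each VRF imports from the other PEs' advertisements."""
    mgmt, paris, sanjose = build_vrfs(additive)
    from_mgmt, from_paris = export_routes(mgmt), export_routes(paris)
    return {
        "mgmt": import_routes(mgmt, from_paris),
        "paris": import_routes(paris, from_mgmt),
        "sanjose": import_routes(sanjose, from_paris),
    }


if __name__ == "__main__":
    for additive in (True, False):
        print(f"additive={additive}:")
        for vrf, prefixes in leaked_routes(additive).items():
            print(f"  {vrf:8} imports {prefixes}")
```

Without additive, 10.2.1.5/32 leaves the Paris PE carrying only 10:2, so every other FastFoods site loses the route to its own RADIUS server; the Management VRF's other prefixes carry no route-target at all and therefore never reach a customer VRF.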

The solution shown here is not without its drawbacks. For example, overlapping addresses might become an issue in the Management VRF if multiple customers' RADIUS servers were using the same address space. Some form of NAT would be necessary, which would increase the complexity and management of the solution. A new feature called Per VRF AAA addresses this problem by obviating the need for the service provider RADIUS server to act as a proxy. It achieves this by allowing direct access to the customer's RADIUS server from the VRF. This feature is discussed in a later section.

Verifying Dial-In via VPDN Operation

Now that all components of the network have been configured for remote access, we can verify operation by examining the output of various show commands. To provide a more complete picture of how remote access to an MPLS VPN operates, two more users have dialed in to the San Jose NAS in addition to elvis@fastfoods.com. They are eric@eurobank.com and jimi@fastfoods.com. This is shown in Figure 2-15.

Figure 2-15. Multiple VPDN Users




Two L2TP tunnels are created between the San Jose LAC and LNS, one for each domain (FastFoods and EuroBank). Each user has a separate PPP session activated over the appropriate tunnel, and these sessions are represented at the LNS by a virtual-access interface in the VRF.

The following debug (see Example 2-8) from the San Jose NAS shows the incoming call for elvis@fastfoods.com. After the call is connected, the San Jose NAS challenges the remote PC for the username/password. When the San Jose NAS receives this information, it extracts the domain name fastfoods.com and searches for a matching L2TP tunnel. Because no VPDN groups are explicitly configured, the SuperCom RADIUS server is queried and the relevant tunnel information is returned. A tunnel is then established to 194.22.15.2 (San Jose VHG/PE router), and the username/password of elvis@fastfoods.com is forwarded over the tunnel.

Example 2-8. San Jose Debug

%LINK-3-UPDOWN: Interface Async2, changed state to up
As2 CHAP: O CHALLENGE id 14 len 31 from "SanJose_NAS"
As2 CHAP: I RESPONSE id 14 len 39 from "elvis@fastfoods.com"
As2 VPDN: Got DNIS string 94780400
As2 VPDN: Looking for tunnel -- fastfoods.com --
As2 VPDN/RPMS/: Got tunnel info for fastfoods.com
As2 VPDN/RPMS/: LAC SuperCom_LAC
As2 VPDN/RPMS/: l2tp-busy-disconnect yes
As2 VPDN/RPMS/: l2tp-tunnel-password xxxxxx
As2 VPDN/RPMS/: IP 194.22.15.2
As2 VPDN: Share tunnel fastfoods.com IP 194.22.15.2 state established
As2 VPDN: Forward to address 194.22.15.2
As2 VPDN: Forwarding...
As2 VPDN: Bind interface direction=1
As2 VPDN: elvis@fastfoods.com is forwarded
%LINEPROTO-5-UPDOWN: Line protocol on Interface Async2, changed state to up




The San Jose debug output for VPDN and virtual-template events is shown in Example 2-9. When the L2TP call is received, a virtual interface (in our case, Vi2) is cloned from the brief information that is configured in virtual-template1 (refer to Example 2-2 for details). When the username elvis@fastfoods.com is received over the L2TP tunnel, the SuperCom RADIUS server is queried for authentication and further configuration information (which is proxied to the FastFoods RADIUS server). After this information is returned, it is applied to Vi2 (Cloned from AAA: VRF, address pool, and so on) and the line protocol is changed to up.

Example 2-9. San Jose VHG/PE-Router Debug

Vi2 VTEMPLATE: ************* CLONE VACCESS2 *****************
Vi2 VTEMPLATE: Clone from virtual-Template1
default ip address
encap ppp
end

VTEMPLATE: Receiving vaccess request, id 0x5B70035, result 1
Vi2 VPDN: Set to Async interface
Vi2 VPDN: Virtual interface created for elvis@fastfoods.com bandwidth 65 Kbps
Vi2 VPDN: Bind interface direction=2
2w5d: %LINK-3-UPDOWN: Interface virtual-Access2, changed state to up
VTEMPLATE: Sending vaccess request, id 0x63CDE184
VTEMPLATE: Processing vaccess requests, 1 outstanding
Vi2 VTEMPLATE: Has a new cloneblk AAA, now it has vtemplate/AAA
Vi2 VTEMPLATE: ************* CLONE VACCESS2 *****************
Vi2 VTEMPLATE: Clone from AAA
ip vrf forwarding FastFoods
ip unnumbered loopback 10
peer default ip address pool FastFoods_Pool
end

VTEMPLATE: Receiving vaccess request, id 0x63CDE184, result 1
%LINEPROTO-5-UPDOWN: Line protocol on Interface virtual-Access2, changed state to up

Note the ordering in the debug. The %LINK-3-UPDOWN message appears after the first clone, from virtual-template1, before any VRF has been applied; the ip vrf forwarding FastFoods statement arrives only with the second clone, from the AAA reply, and the line protocol comes up after that. The customer separation of a dial-in user therefore rests entirely on the attributes the SuperCom RADIUS server returns (and, through the proxy, on what the FastFoods RADIUS server returns): a missing or wrong VRF attribute places the session in another VRF or in the global routing table.

The output in Example 2-10 shows the VPDN status on the San Jose NAS. Two L2TP tunnels have been created to the SuperCom_LNS with the local IDs 28791 and 35022. The first tunnel is for FastFoods and has two PPP sessions active, whereas the second tunnel is for EuroBank with one session active. The corresponding sessions can be seen in the output of the show vpdn session command.

Example 2-10. San Jose NAS VPDN Information

SanJose_NAS#show vpdn tunnel

L2TP Tunnel Information Total tunnels 2 sessions 3

LocID RemID Remote Name   State Remote Address Port Sessions
28791 1463  SuperCom_LNS  est   194.22.15.2    1701 2
35022 37120 SuperCom_LNS  est   194.22.15.2    1701 1

SanJose_NAS#show vpdn session

L2TP Session Information Total tunnels 2 sessions 3

LocID RemID TunID Intf Username             State Last Chg Fastswitch
46    46    28791 As3  [email protected]    est   00:14:26 enabled
49    49    28791 As2  elvis@fastfoods.com  est   00:05:13 enabled
50    50    35022 As4  [email protected]    est   00:02:04 enabled

The VPDN information on the San Jose VHG/PE router is shown in Example 2-11 and is similar to that on the LAC. Note that the interface associated with each user is a virtual-access interface and that all L2TP tunnels are terminated by VPDN group 1, whose tunnel client name matched the hostname "SuperCom_LAC".

Example 2-11. San Jose VHG/PE Router VPDN Information

SanJose_PE#show vpdn tunnel

L2TP Tunnel Information Total tunnels 2 sessions 3

LocID RemID Remote Name   State Remote Address Port Sessions VPDN Group
1463  28791 SuperCom_LAC  est   194.22.15.26   1701 2        1
37120 35022 SuperCom_LAC  est   194.22.15.26   1701 1        1

SanJose_PE#show vpdn sess

L2TP Session Information Total tunnels 2 sessions 3

LocID RemID TunID Intf Username             State Last Chg Fastswitch
46    46    1463  Vi1  [email protected]    est   00:36:22 enabled
49    49    1463  Vi2  elvis@fastfoods.com  est   00:27:09 enabled
50    50    37120 Vi3  [email protected]    est   00:24:01 enabled

If we look at the VRF information on the San Jose VHG/PE router in Example 2-12, we see that the virtual-access interfaces have been associated with the correct VRFs. The loopback interfaces are used for preinstantiation of the VPN routes, as discussed earlier.

Example 2-12. San Jose VHG/PE Router VRF Information

SanJose_PE#show ip vrf
  Name        Default RD   Interfaces
  EuroBank    10:27        virtual-Access3
                           Loopback11
  FastFoods   10:26        virtual-Access1
                           virtual-Access2
                           Loopback10
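The separation check that Examples 2-11 and 2-12 invite you to do by eye (every virtual-access interface must sit in the VRF that its user's domain maps to) can be automated. The following Python script is an added example and is not code from the book: it parses the text of show vpdn session and show ip vrf as the San Jose PE prints them and reports any session whose interface is in the wrong VRF or in no VRF at all. The DOMAIN_TO_VRF table and the sample outputs are constructed; only elvis@fastfoods.com is a name from the text, and the fourth session (carol@eurobank.com on Vi4, which the sample show ip vrf lists under FastFoods) is deliberately mis-bound so that the check has something to report.

```python
"""Check that every L2TP session on a VHG/PE landed in the VRF its domain
belongs to.

Added example, not code from the book. It parses the text of `show vpdn
session` and `show ip vrf` as the San Jose PE prints them (Examples 2-11
and 2-12) and reports every virtual-access interface that is in the wrong
VRF or in no VRF at all.
"""
import re
from typing import Dict, List, Tuple

# Assumed domain -> VRF policy. In the SuperCom design this lives in the
# RADIUS profiles that are "Cloned from AAA"; the check is only as good as
# this table's agreement with them.
DOMAIN_TO_VRF = {"fastfoods.com": "FastFoods", "eurobank.com": "EuroBank"}

# Constructed sample output modelled on Examples 2-11 and 2-12. Only
# elvis@fastfoods.com is a name from the text; the other users are invented,
# and the fourth session (carol, on Vi4) is deliberately placed in FastFoods
# so that the check has something to report.
SHOW_VPDN_SESSION = """\
L2TP Session Information Total tunnels 2 sessions 4

LocID RemID TunID Intf Username              State Last Chg  Fastswitch
46    46    1463  Vi1  alice@fastfoods.com   est   00:36:22  enabled
49    49    1463  Vi2  elvis@fastfoods.com   est   00:27:09  enabled
50    50    37120 Vi3  bob@eurobank.com      est   00:24:01  enabled
51    51    37120 Vi4  carol@eurobank.com    est   00:01:12  enabled
"""

SHOW_IP_VRF = """\
  Name        Default RD   Interfaces
  EuroBank    10:27        virtual-Access3
                           Loopback11
  FastFoods   10:26        virtual-Access1
                           virtual-Access2
                           virtual-Access4
                           Loopback10
"""

_SESSION_RE = re.compile(
    r"^\s*(?P<locid>\d+)\s+(?P<remid>\d+)\s+(?P<tunid>\d+)\s+"
    r"(?P<intf>\S+)\s+(?P<user>\S+@\S+)\s+(?P<state>\S+)"
)


def normalize_intf(name: str) -> str:
    """Map 'virtual-Access2', 'Virtual-Access2' and 'Vi2' onto the key 'Vi2'."""
    m = re.fullmatch(r"(?i)(?:virtual-access|vi)(\d+)", name.strip())
    return f"Vi{m.group(1)}" if m else name.strip()


def parse_show_ip_vrf(text: str) -> Dict[str, str]:
    """Return {interface: VRF} from `show ip vrf` output.

    A row with three fields (name, RD, first interface) starts a VRF; rows
    with a single field are further interfaces of the VRF above them.
    """
    mapping: Dict[str, str] = {}
    current = None
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 3:
            current, intf = fields[0], fields[2]
        elif len(fields) == 1 and current:
            intf = fields[0]
        else:
            continue  # header, blank line, or a VRF with no interfaces
        mapping[normalize_intf(intf)] = current
    return mapping


def parse_show_vpdn_session(text: str) -> List[Tuple[str, str]]:
    """Return [(interface, username)] for every session row."""
    return [(normalize_intf(m.group("intf")), m.group("user"))
            for m in map(_SESSION_RE.match, text.splitlines()) if m]


def check_session_vrfs(vpdn_text: str, vrf_text: str,
                       domain_to_vrf: Dict[str, str] = DOMAIN_TO_VRF) -> List[str]:
    """One finding per session whose interface is not in the VRF its domain
    maps to. An empty list means customer separation holds."""
    intf_to_vrf = parse_show_ip_vrf(vrf_text)
    findings: List[str] = []
    for intf, user in parse_show_vpdn_session(vpdn_text):
        domain = user.rsplit("@", 1)[1].lower()
        expected = domain_to_vrf.get(domain)
        actual = intf_to_vrf.get(intf)
        if expected is None:
            findings.append(f"{user} on {intf}: domain {domain} has no VRF mapping")
        elif actual is None:
            findings.append(f"{user} on {intf}: interface is in the global table, not VRF {expected}")
        elif actual != expected:
            findings.append(f"{user} on {intf}: bound to VRF {actual}, expected {expected}")
    return findings


if __name__ == "__main__":
    for line in check_session_vrfs(SHOW_VPDN_SESSION, SHOW_IP_VRF) or ["separation holds"]:
        print(line)
```

The "global table" finding is the one to treat as most urgent: a virtual-access interface that has no VRF binding routes the dial-in user inside the provider's own address space rather than inside any customer VPN.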


In our configuration, the addresses for each of the remote access users are taken from one of the shared pools. To achieve higher utilization of the available address space, all the pools use the same range, 192.168.3.1–192.168.3.62. As you can see in Example 2-13, two addresses have been used from FastFoods_Pool, whereas one address has been used from EuroBank_Pool. Because these addresses are assigned to interfaces in different VRFs, the identical addresses cannot collide: each VRF has its own routing and forwarding table. This holds only as long as the two VRFs are never joined (for example, by importing one VRF's routes into the other for an extranet); overlapping pool addresses cannot be exchanged between VRFs.

Example 2-13. San Jose VHG/PE Router Address Pool Usage

SanJose_PE#show ip local pool

 Pool             Begin         End            Free  In use
 SuperCom_Pool    192.168.3.1   192.168.3.62   62    0
 ** pool is in group
 FastFoods_Pool   192.168.3.1   192.168.3.62   60    2
 ** pool is in group
 EuroBank_Pool    192.168.3.1   192.168.3.62   61    1

Examining the routing tables for FastFoods and EuroBank in Example 2-14, we can see that the host addresses have been installed as connected routes for each of the virtual-access interfaces. You can also see the loopback address used for preinstantiation of the VRFs, 192.168.2.100. Our original premise for providing remote access to FastFoods users was to provide access to the Sales Data server in Lyon (10.2.1.6). This has been achieved because the FastFoods VRF has imported the BGP route 10.2.1.0/24 from the FastFoods VRF on the Paris PE router (194.22.15.1), allowing any FastFoods remote access user who terminates on the San Jose PE router access to the FastFoods Lyon subnet.

Example 2-14. San Jose VHG/PE Router VRF Routing Tables

SanJose_PE#show ip route vrf FastFoods
[snip]
     10.0.0.0/24 is subnetted, 1 subnets
B       10.2.1.0 [200/0] via 194.22.15.1, 02:09:57
     192.168.2.0/24 is variably subnetted, 2 subnets, 2 masks
C       192.168.2.100/32 is directly connected, Loopback10
B       192.168.2.20/30 [200/0] via 194.22.15.1, 02:09:57
     192.168.3.0/32 is subnetted, 2 subnets
C       192.168.3.2 is directly connected, virtual-Access1
C       192.168.3.1 is directly connected, virtual-Access2

SanJose_PE#show ip route vrf EuroBank
[snip]
B    196.7.25.0/24 [200/0] via 194.22.15.1, 02:14:14
     194.22.15.0/32 is subnetted, 2 subnets
B       194.22.15.3 [200/0] via 194.22.15.3, 02:14:29
B       194.22.15.1 [200/0] via 194.22.15.1, 02:13:59
     192.168.2.0/24 is variably subnetted, 2 subnets, 2 masks
C       192.168.2.100/32 is directly connected, Loopback11
B       192.168.2.24/30 [200/0] via 194.22.15.1, 02:14:14
     192.168.3.0/32 is subnetted, 1 subnets
C       192.168.3.1 is directly connected, virtual-Access3

Aggregating Remote User Host Addresses

The VRF routing tables in the previous example showed that a VPN host route was installed for each remote access user. To redistribute these routes to other VPN sites across the MPLS VPN backbone, you need to configure the redistribute connected command in BGP for the VRF (under its address family). For large dial-in services, this could lead to many host routes being distributed by Multiprotocol BGP and installed into VRFs. To prevent this from happening, you should summarize the remote host addresses in the VRF to the subnet used for pool addresses by using the BGP aggregate-address command, as shown in Example 2-15. The summary-only keyword prevents the more specific routes from being advertised. Therefore, redistribute connected can be kept for other routing requirements, and any connected routes in the range 192.168.3.0/26 are suppressed by the aggregate-address entry.

Example 2-15. Summarizing Pool Addresses

router bgp 100
[snip]
 !
 address-family ipv4 vrf FastFoods
  aggregate-address 192.168.3.0 255.255.255.192 summary-only
  redistribute connected
 exit-address-family
 !
 address-family ipv4 vrf EuroBank
  aggregate-address 192.168.3.0 255.255.255.192 summary-only
  redistribute connected
 exit-address-family

The pool addresses 192.168.3.1 to 192.168.3.62 are summarized to a single route, 192.168.3.0/26, which appears in the label forwarding table (LFIB) on the San Jose VHG/PE router as an aggregate route (see Example 2-16). Note that there are two aggregates for 192.168.3.0/26, one for each VRF.
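To see what summary-only does before relying on it, the following Python model is an added example and not code from the book. It computes which prefixes a VRF would advertise into MP-BGP given its connected routes and an aggregate-address statement, checks that a pool range is entirely covered by the aggregate, and flags more-specifics of the aggregate seen on a remote PE. The aggregate and pool range are those of Examples 2-13 and 2-15; FASTFOODS_CONNECTED is constructed from the connected routes in Example 2-14, the 192.168.3.1 to 192.168.3.126 pool in the test is a constructed mis-sizing that shows the leak the check catches, and the function names are the example's own.

```python
"""Model of `aggregate-address ... summary-only` for a dial-in VRF.

Added example; not code from the book. Given the connected routes that
`redistribute connected` puts into the VRF's BGP table and the aggregate
from Example 2-15, it shows which prefixes leave the PE and checks that a
pool range is fully covered by the aggregate (otherwise the uncovered
addresses still escape as individual host routes).
"""
import ipaddress
from typing import Iterable, List, Set

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address

# Values from Examples 2-13 and 2-15.
AGGREGATE = "192.168.3.0/26"       # aggregate-address 192.168.3.0 255.255.255.192
POOL_BEGIN, POOL_END = "192.168.3.1", "192.168.3.62"
# Constructed from the connected routes of the FastFoods VRF in Example 2-14.
FASTFOODS_CONNECTED = ["192.168.3.1/32", "192.168.3.2/32", "192.168.2.100/32"]


def advertised_with_summary_only(connected: Iterable[str], aggregate: str) -> Set[Net]:
    """Prefixes the VRF advertises into MP-BGP.

    summary-only suppresses every contributing more-specific, so a covered
    host route never leaves the PE. The aggregate itself is generated only
    when at least one contributing route exists, and connected routes the
    aggregate does not cover (here the preinstantiation loopback) are
    advertised unchanged.
    """
    agg = ipaddress.ip_network(aggregate)
    advertised: Set[Net] = set()
    contributors = 0
    for prefix in connected:
        net = ipaddress.ip_network(prefix, strict=False)
        if net.subnet_of(agg):
            contributors += 1        # suppressed by summary-only
        else:
            advertised.add(net)      # outside the aggregate: still advertised
    if contributors:
        advertised.add(agg)
    return advertised


def pool_addresses_outside(aggregate: str, pool_begin: str, pool_end: str) -> List[Addr]:
    """Pool addresses the aggregate does not cover.

    Each of these would be advertised as its own /32 despite summary-only,
    which is exactly the host-route growth the aggregate is meant to stop.
    """
    agg = ipaddress.ip_network(aggregate)
    first = int(ipaddress.ip_address(pool_begin))
    last = int(ipaddress.ip_address(pool_end))
    return [ipaddress.ip_address(i) for i in range(first, last + 1)
            if ipaddress.ip_address(i) not in agg]


def leaked_specifics(remote_prefixes: Iterable[str], aggregate: str) -> List[Net]:
    """More-specifics of the aggregate seen in a remote PE's VRF table.

    A non-empty result means summary-only is not in effect on the
    originating PE, or the pool is wider than the aggregate.
    """
    agg = ipaddress.ip_network(aggregate)
    return [n for n in map(ipaddress.ip_network, remote_prefixes)
            if n.subnet_of(agg) and n.prefixlen > agg.prefixlen]


if __name__ == "__main__":
    print(sorted(map(str, advertised_with_summary_only(FASTFOODS_CONNECTED, AGGREGATE))))
    print(pool_addresses_outside(AGGREGATE, POOL_BEGIN, POOL_END))
```

Feeding leaked_specifics the prefixes pulled from a remote PE's show ip route vrf output confirms mechanically what Example 2-17 shows by eye: only the /26 should arrive, never the /32 host routes.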
NOTE

An entry that has an aggregate label in the forwarding table requires additional processing. First, the label is removed from the stack and a Layer 3 lookup is performed in the VRF for the underlying IP packet. If the removed label is not at the bottom of the stack (aggregate labels should always be at the bottom of the stack), the packet is discarded. Because every packet arriving with an aggregate label takes this second lookup, aggregate labels cost more to forward than a normal VPN label pop, so they are worth using for prefixes that genuinely need summarization rather than everywhere.

Example 2-16. San Jose PE/NAS Aggregate Routes

SanJose_PE#show mpls forwarding | inc 192.168.3
20     Aggregate   192.168.3.0/26[V]   0
21     Untagged    192.168.3.1/32[V]   1400        Vi2        point2point
22     Untagged    192.168.3.2/32[V]   2100        Vi1        point2point
25     Untagged    192.168.3.1/32[V]   0           Vi3        point2point
26     Aggregate   192.168.3.0/26[V]   0

If you look at the VRF table for FastFoods in the Paris PE router (see Example 2-17), you can see that the host routes have been replaced with a single summarized route, 192.168.3.0/26.

Example 2-17. Paris PE-Router FastFoods VRF Table

Paris_PE#show ip route vrf FastFoods
[snip]
     10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
S       10.2.1.0/24 [1/0] via 192.168.2.21
S       10.2.1.5/32 [1/0] via 192.168.2.21, FastEthernet0/1
     192.168.2.0/24 is variably subnetted, 2 subnets, 2 masks
B       192.168.2.100/32 [200/0] via 194.22.15.2, 02:56:44
C       192.168.2.20/30 is directly connected, FastEthernet0/1
     194.22.16.0/32 is subnetted, 1 subnets
B       194.22.16.2 [200/0] via 194.22.15.3, 02:57:14
     192.168.3.0/26 is subnetted, 1 subnets
B       192.168.3.0 [200/0] via 194.22.15.2, 00:00:09

Dial-In Access via Direct ISDN

Direct dial-in access allows a remote user who has ISDN access to call a PE router and have that call terminated directly into the appropriate VRF. No L2TP tunneling is necessary because the PE router performs the functions of both a PE router and a NAS. Direct ISDN dial-in is supported only with pure digital calls (not analogue calls carried within the ISDN B-channel). Figure 2-16 shows a direct ISDN dial scenario in the SuperCom network. The San Jose NAS/PE router has a primary rate ISDN service connected; therefore, remote users who are equipped with an ISDN service can call the San Jose PE router directly. In our example, EuroBank has a small branch office located in Sacramento, which is equipped with a SOHO router that is connected to an ISDN service. This router uses dial-on-demand techniques to connect the Sacramento PCs on the 10.3.1.0/24 network to the EuroBank VPN. The link is established by using PPP, and the SOHO router is identified to the SuperCom network with the username sacramento@eurobank_SOHO. The choice of the domain name (eurobank_SOHO rather than eurobank.com) is deliberate; the rationale is explained at the end of this section.

Figure 2-16. SuperCom Dial-In Using Direct ISDN

NOTE

The acronym SOHO applies to a customer network that has a small number of PCs connected, generally what you would find in a small office or home office (SOHO).

EuroBank does not have an AAA server and relies solely on SuperCom to provide all of its AAA services. Therefore, the SuperCom RADIUS server holds entries and attributes for all remote EuroBank users (regardless of whether they are routers or single users/hosts). As in the VPDN scenario, virtual profiles are used to create virtual-access interfaces for incoming calls. This mechanism provides a scalable solution for terminating many different users over the same ISDN service because the configuration of the B-channel virtual-access interface is provided by the SuperCom RADIUS server based on the calling user ID. The direct dial-in ISDN process is simpler than dial-in access using VPDN; it can be summarized as follows:


1. When the Sacramento EuroBank router calls in, a PPP link is established over the ISDN B-channel.

2. The San Jose NAS/PE router obtains the username sacramento@eurobank_SOHO from the Sacramento router using CHAP, which it then forwards to the SuperCom RADIUS server for authorization.

3. If successful, the SuperCom RADIUS server passes back any configuration parameters (VRF name, address pool) that are associated with the user.

4. The San Jose NAS/PE router creates a virtual-access interface for the PPP session based on a locally configured virtual-template, combined with the configuration that the SuperCom RADIUS server provides.

5. The CHAP authentication completes and the connection is fully established within the VPN.

In the SuperCom network, the San Jose PE router also performs the LNS function to terminate L2TP tunnels from the San Jose NAS/LAC as discussed previously. To enable the San Jose PE router to provide L2TP termination, it must have the command vpdn enable set. For direct dial-in ISDN calls using PPP, the LNS function is not necessary; however, this command causes interesting behavior on the San Jose PE router. When an ISDN call is received, the vpdn enable command causes the San Jose PE router to initially forward an access request using just the domain or DNIS name. Because the SuperCom RADIUS server has entries holding L2TP tunnel information for all domains (such as fastfoods.com and eurobank.com), there is a danger that tunnel information will be mistakenly returned to the San Jose PE router, which will then unnecessarily build an L2TP tunnel to itself. You can avoid this problem by configuring the RADIUS server to check for various attributes such as the NAS-identifier (the LAC or LNS) or the NAS-Port (an ISDN call) of the access request and providing the appropriate RADIUS response. In our example, we have opted not to rely on special RADIUS scripting procedures. Instead, we will use a different domain name to identify the direct dial-in ISDN users. Therefore, using domain "eurobank_SOHO" avoids conflict on the RADIUS server for any bona fide eurobank.com dial-in users who are using VPDN.

Configuring the SuperCom San Jose NAS/PE Router

Example 2-18 shows the configuration for the San Jose NAS/PE router.

Example 2-18. San Jose NAS/PE Router Configuration for Direct ISDN Dial

hostname SanJose_PE
!

virtual-profile virtual-Template2
virtual-profile aaa
!
ip vrf EuroBank
 rd 10:27
 route-target export 10:27
 route-target import 10:27
!
interface Loopback11
 ip vrf forwarding EuroBank
 ip address 192.168.2.100 255.255.255.255
!
interface Serial6/0:15
 ip unnumbered Loopback0
 encapsulation ppp
 isdn switch-type primary-net5
 ppp authentication chap callin
!
interface virtual-Template2
 no ip address
 no peer default ip address
 ppp authentication chap callin
!
The AAA and overlapping local pool configuration is the same as for dial-in access using VPDN, as shown previously in Example 2-2. The only difference, besides the ISDN interface configuration, is the addition of a virtual-profile using virtual-template2.

NOTE

Virtual-template2 is necessary so that any incoming ISDN PPP calls have a virtual-template to which a virtual-access interface can be cloned. Virtual-template2 can also be configured with any global configuration that SuperCom might deem necessary, such as certain access-lists that would be common for all users.

The virtual-profile aaa command causes any additional per-user specific configurations to be retrieved from the SuperCom RADIUS server and applied to the cloned interface. Note that Loopback11 is used to preinstantiate the EuroBank VRF.


SuperCom RADIUS Server Attributes

The RADIUS entry for the Sacramento SOHO router shown in Table 2-5 is identical to that of a single PC user except for the addition of a Framed-Route attribute, which injects a static route into the EuroBank VRF for the Sacramento LAN 10.3.1.0/24. The next-hop address for the route is then automatically set to the address selected from the local pool for the remote interface.

Table 2-5. Sacramento Router RADIUS Attributes for Direct ISDN Dial


Attribute (Type)        Value
User-Name (1)           sacramento@eurobank_SOHO
User-Password (2)       whatsthebuzz
Service-Type (6)        1 (Framed)
Framed-Protocol (7)     1 (PPP)
Framed-Route (22)       10.3.1.0/24
Cisco-avpair            lcp:interface-config=ip vrf forwarding EuroBank \n[1]
                        ip unnumbered loopback 11 \n
                        peer default ip address pool EuroBank_Pool

[1] The \n signifies an explicit carriage return that varies between server implementations.
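The domain-lookup problem described above and the Table 2-5 attributes, replayed in an added Python model that is not code from the book: authorize() answers the domain-only request that vpdn enable triggers under the three server policies the text discusses, and per_user_config() expands the lcp:interface-config avpairs and the Framed-Route into the interface commands and VRF route the PE installs. The database contents, the tunnel placeholders and the single isdn_call flag standing in for the NAS-Port/NAS-identifier check are constructed assumptions; attribute names and values come from the table.

```python
import ipaddress

# Constructed RADIUS database modelled on the text and Table 2-5.
# Per-user entries are keyed by the full User-Name; domain entries hold
# the L2TP tunnel information the VPDN (LAC/LNS) dial-in design relies on.
USER_DB = {
    "sacramento@eurobank_SOHO": {
        "User-Password": "whatsthebuzz",
        "Service-Type": 1,                 # Framed
        "Framed-Protocol": 1,              # PPP
        "Framed-Route": "10.3.1.0/24",
        "Cisco-avpair": [
            "lcp:interface-config=ip vrf forwarding EuroBank\n"
            "ip unnumbered loopback 11\n"
            "peer default ip address pool EuroBank_Pool",
        ],
    },
}
# The tunnel attributes are placeholders; only their presence matters here.
DOMAIN_DB = {
    "eurobank.com": {"tunnel": "<L2TP tunnel attributes placeholder>"},
    "fastfoods.com": {"tunnel": "<L2TP tunnel attributes placeholder>"},
}


def authorize(user_name, isdn_call=False, filter_on_port=False):
    """Answer one access-request.

    user_name      -- a full name (user@domain) or, for the first request a
                      vpdn-enabled PE sends, just the domain.
    isdn_call      -- assumption: one flag stands in for the NAS-Port /
                      NAS-identifier values marking a direct ISDN call on the PE.
    filter_on_port -- the server-side check the text offers as an alternative
                      to using a separate domain.
    Returns ("user", attrs), ("tunnel", attrs) or ("reject", None).
    """
    if "@" in user_name:
        entry = USER_DB.get(user_name)
        return ("user", entry) if entry else ("reject", None)
    if filter_on_port and isdn_call:
        # A direct ISDN call on the PE must never be answered with tunnel
        # information, or the PE builds an L2TP tunnel to itself.
        return ("reject", None)
    entry = DOMAIN_DB.get(user_name)
    return ("tunnel", entry) if entry else ("reject", None)


def per_user_config(attrs, peer_address):
    """Expand lcp:interface-config avpairs into interface commands and turn
    Framed-Route into the VRF static route the PE installs (the 'U' route
    of Example 2-20).  peer_address is the pool address handed to the
    remote side, which becomes the route's next hop."""
    lines, vrf = [], None
    for av in attrs.get("Cisco-avpair", []):
        key, _, value = av.partition("=")
        if key != "lcp:interface-config":
            continue
        for cmd in value.split("\n"):      # "\n" separates the commands
            cmd = cmd.strip()
            if cmd.startswith("ip vrf forwarding "):
                vrf = cmd.split()[3]
            lines.append(cmd)
    route = None
    if "Framed-Route" in attrs:
        # Some servers send "prefix gateway [metric]"; only the prefix is needed.
        net = ipaddress.ip_network(attrs["Framed-Route"].split()[0])
        if vrf is None:
            # Without the VRF the customer LAN route would land in the
            # global table: refuse rather than leak it.
            raise ValueError("Framed-Route received without ip vrf forwarding")
        route = f"ip route vrf {vrf} {net.network_address} {net.netmask} {peer_address}"
    return lines, route


def sacramento_call():
    """The Sacramento dial-in as steps 2 to 4 describe it, under the three
    server policies discussed in the text."""
    # Legacy domain, no server-side filtering: tunnel info comes back.
    clash, _ = authorize("eurobank.com", isdn_call=True)
    # Same domain, server checks the port attributes: no tunnel info.
    filtered, _ = authorize("eurobank.com", isdn_call=True, filter_on_port=True)
    # The book's choice: the SOHO domain has no tunnel entry at all.
    soho, _ = authorize("eurobank_SOHO", isdn_call=True)
    kind, attrs = authorize("sacramento@eurobank_SOHO")
    lines, route = per_user_config(attrs, "192.168.3.2")
    return clash, filtered, soho, kind, lines, route
```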


NOTE

A new Cisco IOS feature called Framed Route VRF aware is necessary to support the Framed-Route attribute in the context of a VRF. This feature is available in the 12.2(8)T Release of Cisco IOS. You can also use the cisco-avpair "ip:route=10.3.1.0 255.255.255.0" in place of the Framed-Route attribute to achieve the same result.

Configuring the Sacramento SOHO Router

Example 2-19 shows the Sacramento router configuration. The ip address negotiated command ensures that the dialer interface receives its address from the EuroBank_Pool configured on the San Jose NAS/PE router. A default static route is used via interface Dialer1 to gain access to the EuroBank VPN.

Example 2-19. Sacramento SOHO Router Configuration for Direct ISDN Dial

hostname Sacramento_SOHO
!
interface BRI0/0
 no ip address
 encapsulation ppp
 dialer pool-member 5
 isdn switch-type basic-net3
!
interface Dialer1
 ip address negotiated
 encapsulation ppp
 dialer pool 5
 dialer idle-timeout 600
 dialer string 94780400
 dialer-group 1
 ppp chap hostname sacramento@eurobank_SOHO
 ppp chap password whatsthebuzz
!
ip route 0.0.0.0 0.0.0.0 Dialer1
!
dialer-list 1 protocol ip permit

Verifying Direct Dial-In Operation

Example 2-20 shows the routing table for the EuroBank VRF after the ISDN connection has been established from the Sacramento SOHO router. Interface Virtual-Access4 has been created in the EuroBank VRF and configured with the address 192.168.3.2 from the EuroBank local pool. (Note that Vi3 is still connected to eric@eurobank.com.) In addition, a per-user static route, denoted by the "U," for 10.3.1.0/24 has been inserted for the Sacramento LAN. This information was in the Framed-Route attribute that was returned in the access-accept message from the SuperCom RADIUS server. Multiprotocol BGP will distribute the per-user static route to all other EuroBank VRFs assuming that redistribute static has been appropriately configured under the BGP address-family.


Example 2-20. San Jose NAS/PE Router EuroBank VRF Routes for Direct ISDN Dial

SanJose_PE#show ip route vrf EuroBank
[snip]
B    196.7.25.0/24 [200/0] via 194.22.15.1, 04:28:33
     10.0.0.0/24 is subnetted, 1 subnets
U       10.3.1.0 [1/0] via 192.168.3.2
     192.168.2.0/24 is variably subnetted, 2 subnets, 2 masks
C       192.168.2.100/32 is directly connected, Loopback11
B       192.168.2.24/30 [200/0] via 194.22.15.1, 04:28:33
     192.168.3.0/24 is variably subnetted, 3 subnets, 2 masks
C       192.168.3.1/32 is directly connected, virtual-Access3
C       192.168.3.2/32 is directly connected, virtual-Access4
B       192.168.3.0/26 [200/0] via 0.0.0.0, 00:00:54, Null0


Providing Dial-Out Access via LSDO

The LSDO feature is an effective and scalable method of providing dial-out services in a service provider environment. LSDO eliminates the need to configure individual dialer profiles for every outgoing destination. Instead, all the dialer profile attributes such as the dialing number, username/passwords, and PPP peer IP address are kept on an AAA server. Only a generic dialer interface needs to be configured on all service provider VHG or NAS devices. By using an AAA server, you can keep all dialer configurations at a central point and download them to any router in the service provider network that provides dial-out services.

When an interesting packet causes a dialer to be activated, the router downloads the appropriate profile from the AAA server that is then applied to the generic dialer. LSDO provides many other features such as fault tolerance, redundancy, and congestion management. You can find further detailed information on the Cisco CCO web site at www.cisco.com. This section is concerned with LSDO operation in an MPLS VPN environment through a feature enhancement called VRF-aware LSDO, which was first available in Cisco IOS version 12.2(8)T.

Figure 2-17 shows an example of LSDO operation within the SuperCom network. FastFoods has a national grid of "YummyTummy" vending machines that dispense various snacks. Normally, the vending machines are offline, and each evening FastFoods HQ queries these vending machines for stock levels and other maintenance purposes. FastFoods uses the SuperCom LSDO service to obtain connection to each of the vending machines from within the FastFoods VPN. The step-by-step operation of the LSDO service is shown in Figure 2-17.

Figure 2-17. LSDO Operation for FastFoods

Our example shows a single vending machine located at the FastFoods location in Fresno, California, on the subnet 10.4.1.0/24. The Fresno dial number is 99065890, and the username and password used for CHAP is "Fresno_Dialer/showmethemoney." The dialer interface that is configured on the San Jose PE router is Dialer20, and the address used for the connected route is 192.168.2.51.

The following summarizes the call flow to support LSDO for FastFoods:

Step 1. A packet arrives at the San Jose PE router bound for network 10.4.1.0/24 in the FastFoods VRF.

Step 2. Subnet 10.4.1.0/24 is routed to a dialer interface (in our configuration examples, Dialer20 is used) within the FastFoods VRF. This interface has been configured with "dialer aaa," which indicates that you should obtain dialer profile information from the SuperCom server. A static route must be configured (we are using 192.168.2.51) pointing to interface Dialer20, and it is given the remote name "Fresno_Vending." This remote name distinguishes this route from other vending machine routes that point to the same dialer.


Step 3. The San Jose PE router issues an access-request RADIUS message to the SuperCom RADIUS server by using the username Fresno_Vending-out-FastFoods. The username uses the format "<remote name>-out-<VRF Name>." If no name has been applied to the static route, "<ip address>-out-<VRF name>" is used, where IP address is the /32 address that appears in the static route.


Step 4. The RADIUS server passes back the cisco-avpair attributes for the corresponding username entry. This consists of the dial string, username, and password for CHAP and the address to be used on the dialer interface while the call is active.


Step 5. When the reply is received, a free dialer is searched for on the San Jose PE router. The dialer interface is configured with the command "dialer vpdn," which causes a vpdn-group to provide the dial-out. This vpdn-group is configured with "request-dialout."


Step 6. A virtual-access interface is created for the dial-out session, and an L2TP tunnel is created to the NAS based on the vpdn-group information. This virtual-access interface is placed inside the FastFoods VRF.

Step 7. The dial string is passed through the L2TP tunnel.

Step 8. The San Jose NAS then dials the number by using the dialer interface that is associated with the vpdn-group. This vpdn-group is configured with "accept-dialout."

Step 9. The Fresno CE router answers the call and issues a CHAP challenge. The San Jose PE router then passes the username/password it received from the RADIUS server through the session.

Step 10. The call is fully connected, and data can flow in both directions.

The following sections detail the configurations that are necessary to provide the FastFoods scenario discussed in the previous steps.
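Steps 1 through 3 above as an added Python model (not code from the book): a set of FastFoods VRF static routes is matched by longest prefix, and the matching route yields the access-request username in the "<remote name>-out-<VRF>" form, or the "<ip address>-out-<VRF>" form when the route has no name. Only the Fresno route comes from the text; the two other routes, the destination addresses and the duplicate-name check are constructed additions.

```python
import ipaddress

# Constructed static routes in the FastFoods VRF.  The first is the Fresno
# route from the text; the other two are invented to exercise longest-prefix
# matching and the unnamed-route fallback.
# (prefix, outgoing interface, next-hop /32 address, route name or None)
FASTFOODS_ROUTES = [
    ("10.4.1.0/24", "Dialer20", "192.168.2.51", "Fresno_Vending"),
    ("10.4.2.0/24", "Dialer20", "192.168.2.52", None),
    ("10.4.0.0/16", "Dialer20", "192.168.2.50", "Region_Fallback"),
]


def select_route(routes, destination):
    """Longest-prefix match, as the PE's VRF forwarding table does for the
    packet of Step 1.  Returns the route tuple or None."""
    addr = ipaddress.ip_address(destination)
    best, best_len = None, -1
    for prefix, intf, next_hop, name in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and net.prefixlen > best_len:
            best, best_len = (prefix, intf, next_hop, name), net.prefixlen
    return best


def lsdo_user_name(route, vrf):
    """Username the PE puts in its access-request (Step 3):
    '<remote name>-out-<VRF>' or, when the route carries no name,
    '<next-hop /32>-out-<VRF>'."""
    _prefix, _intf, next_hop, name = route
    return f"{name or next_hop}-out-{vrf}"


def dialout_request(routes, vrf, destination):
    """Steps 1 to 3 combined: which dialer fires and which AAA entry it asks for."""
    route = select_route(routes, destination)
    if route is None:
        return None
    return {"dialer": route[1], "User-Name": lsdo_user_name(route, vrf)}


def ambiguous_profiles(routes, vrf):
    """Defensive check: two routes that produce the same username would pull
    the same dial profile (number, CHAP credentials) for different
    destinations, so the remote names must be unique per VRF."""
    seen = {}
    for route in routes:
        seen.setdefault(lsdo_user_name(route, vrf), []).append(route[0])
    return {name: prefixes for name, prefixes in seen.items() if len(prefixes) > 1}
```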

Configuring the SuperCom San Jose VHG/PE Router


The San Jose PE router requires three items to be configured for LSDO: a generic dialer interface, a vpdn-group for dial-out to the San Jose NAS, and static routes for the remote subnets that use the dialer interface.

The dialer interface configuration for Dialer20, shown in Example 2-21, is a generic configuration and exists in the global routing table. It is not associated with a VRF, and the IP address that is allocated to it can be any value and only needs to be unique in the global table. The dialer aaa command causes the San Jose PE router to query the RADIUS server for dialing information. The dialer vpdn command allows a vpdn-group to be used for L2TP dial-out.

Example 2-21. Dialer Interface Configuration
This par t also cov er s m ult i- car r ier MPLS VPN deploy m en t s. Fin ally , Par t I V pr ov id es a m et hodology for ad van ced MPLS VPN t r oub leshoot ing . aaa authentication ppp default local group radius MPLS and VPN Ar chit ect u res, Volum e I I , also int rod uces t he lat est adv ances in cu st omer int egr at ion, secur it y, and t r oubleshoot ing feat u res essent ial t o p rov iding t h e adv anced

aaa authorization network default local group radius aaa authorization configuration default group radius ! interface Dialer20 • •

Table of Content s

ip address 194.22.15.62 255.255.255.252 I ndex

MP LS and V PN Ar chi te ctur e s, V olum e I I

encapsulation ppp

By Jim Guichard , I van Pepelnjak , Jeff Apcar

no keepalive Pub lish er: Cisco Press

dialer in-band Pub Dat e: Ju ne 06, 2 00 3 I SBN: 1- 58 705 -1 12 -5

dialer aaa

Pages: 50 4

dialer vpdn dialer-group 2 Wit VPN Ar chit ect u res, Volum e I I , y ou' ll lear n : noh MPLS peer and default ip address no cdp enable How t o int egr at e v ar iou s r em ot e access t echn ologies in t o t h e back bone p r ovidin g VPN ser v ice t o m any d iff er ent t yp es of cu st om er s ppp authentication chap callin !

The n ew PE- CE r out in g op t ions as w ell as ot her adv anced f eat ur es, includ ing per- VPN Net w ork Ad dr ess Tr an slat ion ( PE- NAT)

dialer-list protocol ip permit How VRFs2 can be ex t ended int o a cust om er sit e t o pr ov ide sep ar at ion inside t he cust om er net w ork The lat est MPLS VPN secur it y f eat u res an d d esign s aim ed at pr ot ect ing t h e MPLS VPN back bone The ex ist in g v pd n- g rou p 1 conf igur at ion, used in t he p rev ious VPDN dial- in ex am ples, h as been m odified ial- ou sermvice fr om t tr he LNS ( San Howt ot oallow carr ydcust omt er ult icast aff ic insid e a Jose VPN PE r out er ) by t h e addit ion of t he re qu di al out com m and. The com m and rot a ry - group 2 0 allow s int er face D ialer 20 t o u se t his v pdn - g Theout latby estinit in tiat er -ing car an rierL2 enh ent s t tooallow f or Jose easierLAC/ andNAS m or194 e scalable loym for dialTPancem conn ect ion t h e San .2 2. 15. 4d ep ( see Exent am ple of int er car r ier MPLS VPN serv ices 22 ) . Adv anced t rou blesh oot ing t echn iques includ in g r ou t er out pu t s t o en su re high av ailab ilit y

Exa m pl e 2 - 2 2 . VPDN Gr ou p Conf i gur a t i on for Dia l- Out MPLS and VPN Ar chit ect u res, Volum e I I , b uilds on t he best - sellin g MPLS an d VPN Ar ch it ect u res, Volum e I ( 1 - 587 05- 0 02- 1) , f rom Cisco Pr ess. Ex t endin g int o m or e adv anced t opics an d d ep loy m ent archit ect ur es, Volu m e I I pr ovid es r eader s w it h t he necessar y t ools t hey n eed t o d ep loy and m ain t ain a secur e, hig hly av ailab le VPN. vpdn-group 1 MPLS and VPN Ar chit ect u res, Volum e I I , b eg in s w it h a br ief ref resher of t he MPLS VPN Araccept-dialin ch it ect u re. Par t I I descr ibes adv anced MPLS VPN con nect iv it y includ in g t he int egr at ion of ser v ice pr ovider access t echn olog ies ( dial, DSL, cab le, Et her net ) an d a v ariet y of r out in g protocol pr ot ocols ( I S-l2tp I S, EI GRP, and OSPF) , ar m in g t he r eader w it h t he k now ledge of h ow t o int egr at e t h ese f eat ur es in t o t h e VPN b ack bon e. Part I I I det ails adv anced d ep loy m ent issues virtual-Template 1 includin g secu r it y , ou t lining t he n ecessar y st eps t h e ser v ice p rov ider m ust t ake t o p rot ect t he back bone and any at t ached VPN sit es, and also det ailin g t he lat est secu rit y f eat ur es t o allow request-dialout m or e adv anced t op ologies and filt erin g. This par t also cov er s m ult i- car r ier MPLS VPN deploy m en t s. Fin ally , Par t I V pr ov id es a m et hodology for ad van ced MPLS VPN protocol l2tp t r oub leshoot ing . rotary-group 20 ect u res, Volum e I I , also int rod uces t he lat est adv ances in cu st omer MPLS and VPN Ar chit int egr at ion, secur it y, and t r oubleshoot ing feat u res essent ial t o p rov iding t h e adv anced

terminate-from hostname SuperCom_LAC initiate-to ip 194.22.15.4 local name SuperCom_LNS l2tp tunnel password 7 06100632454107 • •

Table of Content s

source-ip 194.22.15.2 I ndex

MP LS and V PN Ar chi te ctur e s, V olum e I I By Jim Guichard , I van Pepelnjak , Jeff Apcar

Finally, Pub lishyer: ou Cisco m ust Press conf igur e som e st at ic r out es in t he Fast Foods VRF t o allow t h e dialer in t erf ace fu nct ion, Pub Dat as e: Jush neow 06,n2in 00 3Ex am ple 2- 23. Th e fir st st at ic r out e in ject s t he in t er f ace Dialer 20 int o t he Fast Food s VRF w it h t he I SBN: 1- 58 705 -1 12 -5 n ex t - h op of 1 92. 16 8. 2. 51 . This ad dr ess m ust mat ch t h e int erf ace addr es be d ow nloaded fr om t h e RADI US ser v er for t he PPP session t o Fast Foods Fr esn o. Not e t hat t h e r Pages: 50 4 nam e Fr esno_ Ven ding has been app lied t o t his r out e. This n am e w ill be used t o obt ain t h e dialin inf orm at ion fr om t he RAD I US ser ver v ia an access- requ est message. The secon d st at ic rou t e inj e t he act u al Fr esno Subn et and ensur es t hat Dialer 20 w ill be used , as show n in Ex am ple 2- 23. Wit h MPLS and VPN Ar chit ect u res, Volum e I I , y ou' ll lear n :

Exa m pl e 2 - 2 3 . St at ic Rou t e s f or Di al er I n t e r f ace s How t o int egr at e v ar iou s r em ot e access t echn ologies in t o t h e back bone p r ovidin g VPN ser v ice t o m any d iff er ent t yp es of cu st om er s ip route vrf FastFoods 192.168.2.51 255.255.255.255 Dialer20 name Fresno_Vending The n ew PE- CE r out in g op t ions as w ell as ot her adv anced f eat ur es, includ ing per- VPN ip route vrfAdFastFoods 10.4.1.0 192.168.2.51 Net w ork dr ess Tr an slat ion ( PE-255.255.255.0 NAT) How VRFs can be ex t ended int o a cust om er sit e t o pr ov ide sep ar at ion inside t he cust om er net w ork Theulat secur it yace f eatwuitres d dVRF esign at pr ot ect t h e MPLS You can se est t heMPLS sam eVPN dialer int erf hinan t he t os daim ial ed ot her r em ot eing access sit es. VPN How ev er , back bone r em ot e nam e and nex t - hop add ress m ust b e diff erent . For ex am ple, t he follow in g con figu rat ion Ex am ple 2- 24 sh ows t he conf igur at ion t o access t o t he Fast Foods Ren o " Yum m y Tum m y" v en ding Howwtitohcarr custeom m ult icast r aff ic insid eeat hVPN m achine t heysam inter er face Dialert 20. ( Assum at Ren o is using t he su bnet 10. 5. 1. 0 / 24. ) The lat est in t er - car rier enh ancem ent s t o allow f or easier and m or e scalable d ep loym ent of int er - car r ier MPLS VPN serv ices

Exa m pl e 2 - 2 4 . Addit ion al St at ic Rou t e s f or Di al er I n t e r f ace s

Adv anced t rou blesh oot ing t echn iques includ in g r ou t er out pu t s t o en su re high av ailab ilit y MPLS and VPN Ar chit ect u res, Volum e I I , b uilds on t he best - sellin g MPLS an d VPN Ar it ect u res, e I ( 1 - 587 05- 0 02- 1) , f 255.255.255.255 rom Cisco Pr ess. ExDialer20 t endin g intname o m or Reno_Vending e adv anced ipchroute vrfVolum FastFoods 192.168.2.52 t opics an d d ep loy m ent archit ect ur es, Volu m e I I pr ovid es r eader s w it h t he necessar y t ools tip heyroute n eed tvrf o d ep loy and m ain t ain a secur e, hig hly av ailab le VPN. FastFoods 10.5.1.0 255.255.255.0 192.168.2.52 MPLS and VPN Ar chit ect u res, Volum e I I , b eg in s w it h a br ief ref resher of t he MPLS VPN Ar ch it ect u re. Par t I I descr ibes adv anced MPLS VPN con nect iv it y includ in g t he int egr at ion of ser v ice pr ovider access t echn olog ies ( dial, DSL, cab le, Et her net ) an d a v ariet y of r out in g pr ot ocols ( I S- I S, EI GRP, and OSPF) , ar m in g t he r eader w it h t he k now ledge of h ow t o Configuring the SuperCom Jose LAC/NAS int egr at e t h ese f eat ur es in t o t h e VPN San b ack bon e. Part I I I det ails adv anced d ep loy m ent issues includin g secu r it y , ou t lining t he n ecessar y st eps t h e ser v ice p rov ider m ust t ake t o p rot ect t he back bone and any at t ached VPN sit es, and also det ailin g t he lat est secu rit y f eat ur es t o allow m e ple adv2anced ologies and filt erin g. vp This t also covter m ult i- tcar VPNest on t h e S Exor am 25 sht op ows t he cor respond ing dn-par g r oup used o saccept he rdier ial-MPLS out r equ deploy m enNAS t s. Fin t IV pr ov -iddialout es a m ser et hodology adevan Jose LAC/ by ally u sin, gPar t he accept vice. The for di al r 2 ced comMPLS m and VPN associat es t he dial- ou tr req oub leshoot uest w it h ing int .erf ace Dialer 2 w hich, in t ur n, uses t he p hy sical int er face Ser ial0 : 15 t o call t h e Fr CE r out er . 
You might have noticed that there is no request-dialin service configured on this vpdn-group to match the accept-dialin on the San Jose PE router. This is because virtual profiles are used on the San Jose LAC/NAS for dial-in services. (The tunnel information is downloaded from the RADIUS server, as discussed earlier in the "Dial-In Access via L2TP VPDN" section.)

Example 2-25. San Jose LAC/NAS Configuration for LSDO

vpdn-group 1
 accept-dialout
  protocol l2tp
  dialer 2
 terminate-from hostname SuperCom_LNS
 local name SuperCom_LAC
 l2tp tunnel password 7 1058000A0C181C
 source-ip 194.22.15.4
!
interface Dialer2
 ip unnumbered Loopback0
 encapsulation ppp
 dialer in-band
 dialer aaa
 dialer-group 2
 no cdp enable
 ppp authentication chap callin
!
interface Serial0:15
 no ip address
 encapsulation ppp
 dialer rotary-group 2
 isdn switch-type primary-net5
 isdn incoming-voice modem
 no cdp enable
 ppp authentication chap callin
!
dialer-list 2 protocol ip permit

SuperCom RADIUS Attributes

Table 2-6 lists the RADIUS attributes that will be returned to dial FastFoods Fresno. The username must match the "<remote name>-out-<VRF name>" that the San Jose PE router generates. The rest of the attributes will be applied to the dialer interface (to create a dynamic dialer map) and include the dial number, username, password, and interface address that will be applied to the virtual-access interface that is created. The "send-auth" attribute indicates that CHAP will be used for authentication.

Table 2-6. SuperCom RADIUS Attributes for FastFoods Fresno

Attribute (Type)      Value
User-Name (1)         "Fresno_Vending-out-FastFoods"
cisco-avpair          "outbound:dial-number=99065890"
cisco-avpair          "outbound:send-name=Fresno_Dialer"
cisco-avpair          "outbound:send-secret=showmethemoney"
cisco-avpair          "outbound:send-auth=2"
cisco-avpair          "outbound:addr=192.168.2.51"
service-type          outbound

Verifying VRF-Aware LSDO Operation

The following output in Example 2-26 shows the state of the FastFoods routing table on the San Jose VHG/PE router with no dialer interface active. You can see the two static routes that were configured previously, ultimately allowing the Fresno subnet 10.4.1.0/24 to be accessed via interface Dialer20.
Example 2-26. FastFoods VRF with No Dialer Active

SanJose_PE#show ip route vrf FastFoods
[snip]
     10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
B       10.2.1.0/24 [200/0] via 194.22.15.1, 3d20h
S       10.4.1.0/24 [1/0] via 192.168.2.51
C       10.66.162.0/23 is directly connected, Ethernet5/1
     192.168.2.0/24 is variably subnetted, 3 subnets, 2 masks
C       192.168.2.100/32 is directly connected, Loopback10
S       192.168.2.51/32 is directly connected, Dialer20
B       192.168.2.20/30 [200/0] via 194.22.15.1, 3d20h
     192.168.3.0/24 is variably subnetted, 3 subnets, 2 masks
C       192.168.3.2/32 is directly connected, virtual-Access3
C       192.168.3.1/32 is directly connected, virtual-Access1
B       192.168.3.0/26 [200/0] via 0.0.0.0, 3d19h, Null0

When a packet arrives at the San Jose VHG/PE router destined for 10.4.1.0/24, it is routed toward interface Dialer20. It is deemed an interesting packet because it matches the dialer-list 2 configuration. Because no dial connection is active, an access-request message for dialing information is forwarded to the SuperCom RADIUS server, as shown in the following debug output (see Example 2-27). When the attributes are returned, a dynamic dialer map and an L2TP tunnel based on the vpdn-group information (using the vpdn-group with dialer rotary-group 20 configured) are created. Access to the PPP session over the dialer tunnel is via virtual-access5.

Example 2-27. RADIUS Access Request for LSDO

RADIUS/ENCODE(00000024): acct_session_id: 44
RADIUS(00000024): sending
RADIUS: Send to unknown id 40 194.22.16.2:1645, Access-Request, len 103
RADIUS:  authenticator 02 CD 17 7A B7 A5 D4 AC - D4 DB 3B BA 4A FB 9B 76
RADIUS:  User-Name           [1]   30  "Fresno_Vending-out-FastFoods"
RADIUS:  User-Password       [2]   18  *
RADIUS:  Service-Type        [6]   6   Outbound                  [5]
RADIUS:  NAS-IP-Address      [4]   6   192.22.15.2
RADIUS:  Acct-Session-Id     [44]  10  "0000002C"
RADIUS:  Nas-Identifier      [32]  13  "SanJose_PE."
RADIUS: Received from id 40 194.22.16.2:1645, Access-Accept, len 208
RADIUS:  authenticator 52 C7 D6 BF 13 10 03 B8 - 48 95 DD F5 A5 D7 59 E3
RADIUS:  Service-Type        [6]   6   Outbound                  [5]
RADIUS:  Vendor, Cisco       [26]  37
RADIUS:   Cisco AVpair       [1]   31  "outbound:dial-number=99065890"
RADIUS:  Vendor, Cisco       [26]  40
RADIUS:   Cisco AVpair       [1]   34  "outbound:send-name=Fresno_Dialer"
RADIUS:  Vendor, Cisco       [26]  43
RADIUS:   Cisco AVpair       [1]   37  "outbound:send-secret=showmethemoney"
RADIUS:  Vendor, Cisco       [26]  28
RADIUS:   Cisco AVpair       [1]   22  "outbound:send-auth=2"
RADIUS:  Vendor, Cisco       [26]  34
RADIUS:   Cisco AVpair       [1]   28  "outbound:addr=192.168.2.51"
RADIUS: Received from id 24
RADIUS/DECODE: VSA send-auth=2 maps to chap
DSES 50910: Session create
DSES 0x50910: Building dialer map
DSES 0x50910: Next hop name is Fresno_Vending
Vi5 DDR: Dialing cause ip (s=192.168.2.22, d=10.4.1.1)
Vi5 DDR: Attempting to dial 99065890
%LINK-3-UPDOWN: Interface virtual-Access5, changed state to up
Vi5 DDR: Dialer statechange to up
Vi5 DDR: Dialer call has been placed
Vi5 DDR: dialer protocol up
Vi5: Call connected, 1 packets unqueued, 1 transmitted, 0 discarded
Vi5 DDR: dialer protocol up
Vi5: Call connected, 0 packets unqueued, 0 transmitted, 0 discarded
%LINEPROTO-5-UPDOWN: Line protocol on Interface virtual-Access5, changed state t

The VRF-aware dynamic dialer map is created, as shown in Example 2-28.

Example 2-28. Dynamic Dialer Map

SanJose_PE#show dialer map
Dynamic dialer map ip 192.168.2.51 vrf FastFoods name Fresno_Vending (99065890) on Di20
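As an added consistency check that is not part of the book (all function and variable names are my own), the following Python script ties Examples 2-23/2-24, Table 2-6 and the Example 2-27 debug output together: it derives the User-Name the PE generates for each named VRF static route, extracts the outbound AV pairs from a captured Access-Accept, and reports a route whose profile is missing an attribute or whose outbound:addr does not match the route's next hop (the Reno route is deliberately checked against the Fresno profile to show a mismatch).

```python
# Cross-check VRF static routes for a dialer interface against the RADIUS
# dial-out profile the PE fetches for them. Constructed example, not the
# book's code; sample inputs are built from Examples 2-23/2-24 and 2-27.
import re
from dataclasses import dataclass

# outbound AV pairs the PE needs to build a dynamic dialer map (Table 2-6)
REQUIRED_KEYS = ("dial-number", "send-name", "send-secret", "send-auth", "addr")
# send-auth values as the router decodes them ("VSA send-auth=2 maps to chap")
SEND_AUTH = {"1": "pap", "2": "chap"}

ROUTE_RE = re.compile(
    r"^ip route vrf (\S+) (\S+) 255\.255\.255\.255 (Dialer\d+) name (\S+)$")
USER_RE = re.compile(r'Access-Request.*?User-Name\s+\[1\]\s+\d+\s+"([^"]+)"', re.S)
AVPAIR_RE = re.compile(r'Cisco AVpair\s+\[1\]\s+\d+\s+"outbound:([^=]+)=([^"]*)"')


@dataclass(frozen=True)
class DialerRoute:
    vrf: str
    next_hop: str   # /32 that points at the dialer interface
    interface: str
    name: str       # "name" keyword: the remote name used in the User-Name


def parse_dialer_routes(config: str) -> list[DialerRoute]:
    """Pick out the named /32 VRF static routes that point at a Dialer interface."""
    routes = []
    for line in config.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            vrf, next_hop, intf, name = m.groups()
            routes.append(DialerRoute(vrf, next_hop, intf, name))
    return routes


def expected_username(route: DialerRoute) -> str:
    """User-Name the PE generates for dial-out: <remote name>-out-<VRF name>."""
    return f"{route.name}-out-{route.vrf}"


def parse_radius_debug(debug: str) -> tuple[str, dict[str, str]]:
    """User-Name from the Access-Request and outbound AV pairs from the Access-Accept."""
    m = USER_RE.search(debug)
    username = m.group(1) if m else ""
    _, _, accept = debug.partition("Access-Accept")   # only parse AV pairs of the reply
    return username, dict(AVPAIR_RE.findall(accept))


def check_dialout_profile(route: DialerRoute, username: str,
                          avpairs: dict[str, str]) -> list[str]:
    """List mismatches between a dialer route and the RADIUS profile returned for it."""
    problems = []
    want = expected_username(route)
    if username != want:
        problems.append(f"User-Name {username!r} does not match expected {want!r}")
    missing = [k for k in REQUIRED_KEYS if k not in avpairs]
    if missing:
        problems.append("missing outbound AV pairs: " + ", ".join(missing))
    addr = avpairs.get("addr")
    if addr is not None and addr != route.next_hop:
        problems.append(f"outbound:addr {addr} differs from static next hop {route.next_hop}")
    auth = avpairs.get("send-auth")
    if auth is not None and auth not in SEND_AUTH:
        problems.append(f"send-auth={auth} is not a known PPP authentication type")
    return problems


CONFIG = """\
ip route vrf FastFoods 192.168.2.51 255.255.255.255 Dialer20 name Fresno_Vending
ip route vrf FastFoods 10.4.1.0 255.255.255.0 192.168.2.51
ip route vrf FastFoods 192.168.2.52 255.255.255.255 Dialer20 name Reno_Vending
ip route vrf FastFoods 10.5.1.0 255.255.255.0 192.168.2.52
"""   # constructed from Examples 2-23 and 2-24

DEBUG = """\
RADIUS: Send to unknown id 40 194.22.16.2:1645, Access-Request, len 103
RADIUS:  User-Name           [1]   30  "Fresno_Vending-out-FastFoods"
RADIUS: Received from id 40 194.22.16.2:1645, Access-Accept, len 208
RADIUS:  Vendor, Cisco       [26]  37
RADIUS:   Cisco AVpair       [1]   31  "outbound:dial-number=99065890"
RADIUS:  Vendor, Cisco       [26]  40
RADIUS:   Cisco AVpair       [1]   34  "outbound:send-name=Fresno_Dialer"
RADIUS:  Vendor, Cisco       [26]  43
RADIUS:   Cisco AVpair       [1]   37  "outbound:send-secret=showmethemoney"
RADIUS:  Vendor, Cisco       [26]  28
RADIUS:   Cisco AVpair       [1]   22  "outbound:send-auth=2"
RADIUS:  Vendor, Cisco       [26]  34
RADIUS:   Cisco AVpair       [1]   28  "outbound:addr=192.168.2.51"
"""   # constructed from the Example 2-27 debug radius output (trimmed)


def audit(config: str = CONFIG, debug: str = DEBUG) -> dict[str, list[str]]:
    """Check every dialer route against the one profile captured in the debug."""
    username, avpairs = parse_radius_debug(debug)
    return {r.name: check_dialout_profile(r, username, avpairs)
            for r in parse_dialer_routes(config)}


if __name__ == "__main__":
    for name, problems in audit().items():
        print(name, "OK" if not problems else "; ".join(problems))
```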

If you look at the FastFoods routing information after Fresno has been connected, you see that interface Virtual-Access5 has replaced interface Dialer20, and that 192.168.2.51/32 is now a connected route, as shown in Example 2-29.

Example 2-29. FastFoods VRF with Dialer Active

SanJose_PE#show ip route vrf FastFoods
[snip]
     10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
B       10.2.1.0/24 [200/0] via 194.22.15.1, 3d21h
S       10.4.1.0/24 [1/0] via 192.168.2.51
     192.168.2.0/24 is variably subnetted, 3 subnets, 2 masks
C       192.168.2.100/32 is directly connected, Loopback10
C       192.168.2.51/32 is directly connected, virtual-Access5
B       192.168.2.20/30 [200/0] via 194.22.15.1, 3d21h
     192.168.3.0/24 is variably subnetted, 3 subnets, 2 masks
C       192.168.3.2/32 is directly connected, virtual-Access3
C       192.168.3.1/32 is directly connected, virtual-Access1
B       192.168.3.0/26 [200/0] via 0.0.0.0, 3d20h, Null0

The VPDN tunnel information for the LNS and LAC is shown in Example 2-30. The San Jose PE uses interface Vi5 to send and receive traffic for Fresno over the tunnel to the San Jose LAC/NAS. The San Jose LAC/NAS uses the physical interface Se0:9 to instigate the connection to Fresno.

Example 2-30. Dialer VPDN Tunnel Information

SanJose_PE#show vpdn
[snip]
LocID RemID Remote Name   State  Remote Address  Port  Sessions VPDN Group
32199 38359 SuperCom_LAC  est    194.22.15.4     1701  1        1

LocID RemID TunID Intf  Username        State  Last Chg  Fastswitc
53    178   32199 Vi5   Fresno_Vending  est    00:00:24  enabled
-------------------------------------------------------------------------------
SanJose_NAS#show vpdn
LocID RemID Remote Name   State  Remote Address  Port  Sessions
38359 32199 SuperCom_LNS  est    194.22.15.2     1701  1

LocID RemID TunID Intf   Username  State  Last Chg  Fastswitc
178   53    38359 Se0:9            est    00:00:30  enabled

VRFback Static bone Route Download from an AAA Server

In our LSDO example, the static routes were configured manually in the San Jose PE router to provide reachability to the Fast Foods remote LANs. An alternative to configuring the static VRF routes explicitly on the San Jose PE router is to automatically download them from the SuperCom RADIUS server. This is achieved through the AAA route download feature in Cisco IOS. The advantage of this feature is that you can manage static routes to remote sites from a central location and then download these routes to the specific routers that are providing dial-out services for VPN customers. This provides a scalable solution for managing a large number of remote routes, as well as for shifting dial load to other remote-access servers by simply reconfiguring the RADIUS server and reloading the routes onto another router.

You can enable the static route download feature on the San Jose PE router using the following command:

aaa route download [time] [authorization method-list]

If a method-list is not specified, then the default AAA server configured is used. The routes are downloaded periodically from the AAA server. The time parameter is optional and specifies the interval at which new routes are downloaded from the RADIUS server; by default, this is set to 720 minutes.

After this command is configured, the San Jose PE router immediately issues a series of RADIUS access-request messages for static routes. The username/key supplied in each RADIUS request message consists of the router hostname plus an incrementing index in the form <hostname>-n. For example, the San Jose PE router uses the following usernames to download routes from the RADIUS server:

SanJose_PE-1, SanJose_PE-2 … SanJose_PE-n

The RADIUS access-request messages continue until the RADIUS server issues an access-reject because the username/key does not exist. The incorporation of the hostname in the request message means that the RADIUS server can download specific static routes to particular routers. By supplying an index to the hostname, the static routes can be logically grouped, for example, by VRF. In this way, you can achieve a scalable method of static route distribution.

In our example, we will configure the SuperCom RADIUS server to download static routes for both Fast Foods and EuroBank, replacing the manual method of configuring routes directly into the router. EuroBank has been included to show how routes can be downloaded on a per-VRF basis based on the <hostname>-n username.

Table 2-7 shows the RADIUS entries and attributes for the EuroBank and FastFoods static routes. Note that the static routes are specified by using the cisco-avpair "ip:route" attribute, which now supports VRFs as part of the VRF-aware Framed-Route feature that is available in Cisco IOS 12.2(8)T onwards. All Fast Foods routes are grouped under the username SanJose_PE-1, whereas all EuroBank routes are grouped under the username SanJose_PE-2. (We are showing two EuroBank branches located at Modesto and Laguna in California.) The routes configured consist of the connected route for the dialer interface at each remote site, plus the corresponding LAN subnet pointing to the connected route. Enabling these routes to be downloaded into other PE routers would require a separate username entry corresponding to the target router's hostname.

Table 2-7. Static Route Download Attributes for FastFoods and EuroBank

Attribute (Type)      Value

FastFoods Entry
User-Name (1)         "SanJose_PE-1"
User-Password (2)     "cisco"
Cisco-avpair          "ip:route=vrf FastFoods 192.168.2.51 255.255.255.255 dialer20 name Fresno_Vending"
                      "ip:route=vrf FastFoods 192.168.2.52 255.255.255.255 dialer20 name Reno_Vending"
                      "ip:route=vrf FastFoods 10.4.1.0 255.255.255.0 192.168.2.51"
                      "ip:route=vrf FastFoods 10.5.1.0 255.255.255.0 192.168.2.52"

EuroBank Entry
User-Name (1)         "SanJose_PE-2"
User-Password (2)     "cisco"
Cisco-avpair          "ip:route=vrf EuroBank 192.168.2.61 255.255.255.255 dialer20 name Modesto_Branch"
                      "ip:route=vrf EuroBank 192.168.2.62 255.255.255.255 dialer20 name Laguna_Branch"
                      "ip:route=vrf EuroBank 196.7.28.0 255.255.255.0 192.168.2.61"
                      "ip:route=vrf EuroBank 196.7.30.0 255.255.255.0 192.168.2.62"

The debug output in Example 2-31 shows how static routes are downloaded for the Fast Foods and EuroBank VRFs. The routes have been grouped by VRF on the RADIUS server so that the first request (SanJose_PE-1) passes back all the static routes for Fast Foods and the second request (SanJose_PE-2) passes back all the static routes for EuroBank. The third request (SanJose_PE-3) is rejected because there are no more routes to download.

Example 2-31. Static Route Download Debug

RADIUS(00000000): Send to unknown id 21646/8 194.22.16.2 1645, Access-Request, len 87
RADIUS: User-Name [1] 14 "SanJose_PE-1"
RADIUS: User-Password [2] 18 *
RADIUS: Service-Type [6] 6 Outbound [5]
RADIUS: NAS-IP-Address [4] 6 194.22.15.2
RADIUS: Acct-Session-Id [44] 10 "00000000"
RADIUS: Nas-Identifier [32] 13 "SanJose_PE."
RADIUS: Received from id 21646/8 192.22.16.2 1645, Access-Accept, len 326
RADIUS: Vendor, Cisco [26] 88
RADIUS: Cisco AVpair [1] 82 "ip:route=vrf FastFoods 192.168.2.51 255.255.255.255 dialer20 name Fresno_Vending"
RADIUS: Vendor, Cisco [26] 86
RADIUS: Cisco AVpair [1] 80 "ip:route=vrf FastFoods 192.168.2.52 255.255.255.255 dialer20 name Reno_Vending"
RADIUS: Vendor, Cisco [26] 66
RADIUS: Cisco AVpair [1] 60 "ip:route=vrf FastFoods 10.4.1.0 255.255.255.0 192.168.2.51"
RADIUS: Vendor, Cisco [26] 66
RADIUS: Cisco AVpair [1] 60 "ip:route=vrf FastFoods 10.5.1.0 255.255.255.0 192.168.2.52"
RADIUS(00000000): Send to unknown id 21646/9 194.22.16.2 1645, Access-Request, len 87
RADIUS: User-Name [1] 14 "SanJose_PE-2"
RADIUS: User-Password [2] 18 *
RADIUS: Service-Type [6] 6 Outbound [5]
RADIUS: NAS-IP-Address [4] 6 194.22.15.2
RADIUS: Acct-Session-Id [44] 10 "00000000"
RADIUS: Nas-Identifier [32] 13 "SanJose_PE."
RADIUS: Received from id 21646/9 194.22.16.2 1645, Access-Accept, len 327
RADIUS: Vendor, Cisco [26] 87
RADIUS: Cisco AVpair [1] 81 "ip:route=vrf EuroBank 192.168.2.61 255.255.255.255 dialer20 name Modesto_Branch"
RADIUS: Vendor, Cisco [26] 86
RADIUS: Cisco AVpair [1] 80 "ip:route=vrf EuroBank 192.168.2.62 255.255.255.255 dialer20 name Laguna_Branch"
RADIUS: Vendor, Cisco [26] 67
RADIUS: Cisco AVpair [1] 61 "ip:route=vrf EuroBank 196.7.28.0 255.255.255.0 192.168.2.61"
RADIUS: Vendor, Cisco [26] 67
RADIUS: Cisco AVpair [1] 61 "ip:route=vrf EuroBank 196.7.30.0 255.255.255.0 192.168.2.62"
RADIUS(00000000): Send to unknown id 21646/10 194.22.16.2 1645, Access-Request, len 87
RADIUS: authenticator 5D 95 36 F8 0F 84 37 F6 - 90 23 71 0C 8D 5D 00 71
RADIUS: User-Name [1] 14 "SanJose_PE-3"
RADIUS: User-Password [2] 18 *
RADIUS: Service-Type [6] 6 Outbound [5]
RADIUS: NAS-IP-Address [4] 6 194.22.15.2
RADIUS: Acct-Session-Id [44] 10 "00000000"
RADIUS: Nas-Identifier [32] 13 "SanJose_PE."
RADIUS: Received from id 21646/10 194.22.16.2 1645, Access-Reject, len 35
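The request loop behind Example 2-31 and the per-VRF grouping of Table 2-7 can be exercised offline. The following Python script is an added example, not code from the book or from Cisco IOS: it emulates the PE's <hostname>-n request sequence against a dict that stands in for the SuperCom RADIUS server (constructed from the Table 2-7 entries), parses each "ip:route=vrf ..." attribute, and runs two sanity checks a provider would want before pushing entries to the server: that each username maps to exactly one VRF, and that every next-hop route has a connected route in the same VRF (a next hop that only exists in another VRF points at a cross-VRF typo that would leave the route unresolved). The RADIUS_DB dict, the function names and the reject-on-unknown-username behaviour are this example's assumptions.

```python
"""Emulated 'aaa route download' exchange with sanity checks on the routes.

Constructed example: RADIUS_DB stands in for the SuperCom RADIUS server; the
entries mirror the Cisco-avpair "ip:route" attributes of Table 2-7.
"""
import ipaddress
import re

RADIUS_DB = {
    "SanJose_PE-1": [
        "ip:route=vrf FastFoods 192.168.2.51 255.255.255.255 dialer20 name Fresno_Vending",
        "ip:route=vrf FastFoods 192.168.2.52 255.255.255.255 dialer20 name Reno_Vending",
        "ip:route=vrf FastFoods 10.4.1.0 255.255.255.0 192.168.2.51",
        "ip:route=vrf FastFoods 10.5.1.0 255.255.255.0 192.168.2.52",
    ],
    "SanJose_PE-2": [
        "ip:route=vrf EuroBank 192.168.2.61 255.255.255.255 dialer20 name Modesto_Branch",
        "ip:route=vrf EuroBank 192.168.2.62 255.255.255.255 dialer20 name Laguna_Branch",
        "ip:route=vrf EuroBank 196.7.28.0 255.255.255.0 192.168.2.61",
        "ip:route=vrf EuroBank 196.7.30.0 255.255.255.0 192.168.2.62",
    ],
}

# ip:route=vrf <vrf> <prefix> <mask> <next-hop | interface> [name <peer>]
AVPAIR_RE = re.compile(
    r"^ip:route=vrf\s+(?P<vrf>\S+)\s+(?P<prefix>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<mask>\d+\.\d+\.\d+\.\d+)\s+(?P<target>\S+)(?:\s+name\s+(?P<name>\S+))?\s*$"
)


def parse_ip_route(avpair):
    """Parse one ip:route attribute into a dict; raise ValueError on malformed input."""
    m = AVPAIR_RE.match(avpair)
    if not m:
        raise ValueError(f"unparseable ip:route attribute: {avpair!r}")
    # strict=True rejects a prefix with host bits set under the given mask
    net = ipaddress.ip_network(f"{m['prefix']}/{m['mask']}", strict=True)
    try:
        next_hop, interface = ipaddress.ip_address(m["target"]), None
    except ValueError:                      # not an address, so an interface name
        next_hop, interface = None, m["target"]
    return {"vrf": m["vrf"], "network": net, "next_hop": next_hop,
            "interface": interface, "name": m["name"]}


def download_static_routes(hostname, radius_db):
    """Emulate the PE: request <hostname>-1, -2, ... until the server rejects.

    Returns (routes keyed by username, number of requests sent). The last
    request is the rejected one, matching the three requests of Example 2-31.
    """
    routes, n = {}, 0
    while True:
        n += 1
        user = f"{hostname}-{n}"
        if user not in radius_db:           # Access-Reject ends the download
            return routes, n
        routes[user] = [parse_ip_route(a) for a in radius_db[user]]


def check_download(routes_by_user):
    """Return a list of problems (empty list means the entries are consistent)."""
    problems = []
    connected = {}                          # vrf -> {/32 networks reachable via an interface}
    for user, routes in routes_by_user.items():
        vrfs = {r["vrf"] for r in routes}
        if len(vrfs) != 1:                  # the grouping the text relies on
            problems.append(f"{user}: routes span several VRFs {sorted(vrfs)}")
        for r in routes:
            if r["interface"]:
                connected.setdefault(r["vrf"], set()).add(r["network"])
    for user, routes in routes_by_user.items():
        for r in routes:
            if r["next_hop"] is None:
                continue
            host = ipaddress.ip_network(f"{r['next_hop']}/32")
            if host not in connected.get(r["vrf"], set()):
                problems.append(f"{user}: {r['network']} via {r['next_hop']} "
                                f"has no connected route in VRF {r['vrf']}")
    return problems


if __name__ == "__main__":
    routes, requests = download_static_routes("SanJose_PE", RADIUS_DB)
    print(f"{requests} RADIUS requests sent, the last one rejected")
    for user, rs in routes.items():
        for r in rs:
            print(user, r["vrf"], r["network"], r["next_hop"] or r["interface"], r["name"] or "")
    print("problems:", check_download(routes) or "none")
```

The VRF-consistency check matters because these routes are injected straight into customer VRFs: a next hop or prefix under the wrong VRF name on the RADIUS server silently lands in another customer's table at the next periodic download.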

The output in Example 2-32 verifies the static routes that have been downloaded from the SuperCom RADIUS server.

Example 2-32. Verifying Downloaded Static Routes

SanJose_PE#show ip route static download
Connectivity: A - Active, I - Inactive
A 192.168.2.61 255.255.255.255 Dialer20 name Modesto_Branch
A 192.168.2.62 255.255.255.255 Dialer20 name Laguna_Branch
A 196.7.28.0 255.255.255.0 192.168.2.61
A 196.7.30.0 255.255.255.0 192.168.2.62
A 10.4.1.0 255.255.255.0 192.168.2.51
A 10.5.1.0 255.255.255.0 192.168.2.52
A 192.168.2.51 255.255.255.255 Dialer20 name Fresno_Vending
A 192.168.2.52 255.255.255.255 Dialer20 name Reno_Vending

The previous output does not show in which VRFs these downloaded routes have been placed; however, you can easily confirm this by viewing the routing tables of each VRF, as shown in Example 2-33. Downloaded static routes are indicated in the routing table by the code P rather than the customary code S.

Example 2-33. Verifying Static Routes in VRFs

SanJose_PE#show ip route vrf FastFoods | inc P.*
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       P - periodic downloaded static route
P    10.5.1.0/24 [1/0] via 192.168.2.52
P    10.4.1.0/24 [1/0] via 192.168.2.51
P    192.168.2.51/32 is directly connected, Dialer20
P    192.168.2.52/32 is directly connected, Dialer20

SanJose_PE#show ip route vrf EuroBank | inc P.*
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       P - periodic downloaded static route
P    196.7.28.0/24 [1/0] via 192.168.2.61
P    196.7.30.0/24 [1/0] via 192.168.2.62
P    192.168.2.62 is directly connected, Dialer20
P    192.168.2.61 is directly connected, Dialer20
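Because show ip route static download does not report the VRF, the confirmation in Example 2-33 has to be done per VRF, and in an MPLS VPN the same prefix can legitimately exist in more than one VRF, so the answer for a prefix is a list of VRFs rather than one. The following Python script is an added example, not code from the book or from Cisco IOS: it parses constructed copies of the two outputs (abbreviated to the relevant lines), reports for every downloaded route which VRF tables carry it with code P, and lists active downloaded routes that appear in no VRF table. It treats a connected host route printed without a prefix length, as in the EuroBank listing of Example 2-33, as a /32. The sample text and function names are this example's assumptions.

```python
"""Cross-check 'show ip route static download' against per-VRF tables.

Constructed sample output modelled on Examples 2-32 and 2-33.
"""
import ipaddress
import re

DOWNLOAD_OUTPUT = """\
Connectivity: A - Active, I - Inactive
A 192.168.2.61 255.255.255.255 Dialer20 name Modesto_Branch
A 192.168.2.62 255.255.255.255 Dialer20 name Laguna_Branch
A 196.7.28.0 255.255.255.0 192.168.2.61
A 196.7.30.0 255.255.255.0 192.168.2.62
A 10.4.1.0 255.255.255.0 192.168.2.51
A 10.5.1.0 255.255.255.0 192.168.2.52
A 192.168.2.51 255.255.255.255 Dialer20 name Fresno_Vending
A 192.168.2.52 255.255.255.255 Dialer20 name Reno_Vending
"""

# Output of 'show ip route vrf <name> | inc P.*', one entry per VRF
VRF_TABLES = {
    "FastFoods": """\
       P - periodic downloaded static route
P    10.5.1.0/24 [1/0] via 192.168.2.52
P    10.4.1.0/24 [1/0] via 192.168.2.51
P    192.168.2.51/32 is directly connected, Dialer20
P    192.168.2.52/32 is directly connected, Dialer20
""",
    "EuroBank": """\
       P - periodic downloaded static route
P    196.7.28.0/24 [1/0] via 192.168.2.61
P    196.7.30.0/24 [1/0] via 192.168.2.62
P    192.168.2.62 is directly connected, Dialer20
P    192.168.2.61 is directly connected, Dialer20
""",
}

# "<A|I> <prefix> <mask> <next-hop|interface> ..."
DOWNLOAD_RE = re.compile(r"^(?P<state>[AI])\s+(?P<prefix>\S+)\s+(?P<mask>\S+)\s+\S+")
# "P <dest> [ad/metric] via <nh>"  or  "P <dest> is directly connected, <intf>"
VRF_P_RE = re.compile(
    r"^P\s+(?P<dest>\S+)\s+(?:\[\d+/\d+\]\s+via\s+\S+|is directly connected,\s+\S+)")


def parse_download(text):
    """Map each downloaded network to its connectivity state ('A' or 'I')."""
    routes = {}
    for line in text.splitlines():
        m = DOWNLOAD_RE.match(line)
        if m:
            net = ipaddress.ip_network(f"{m['prefix']}/{m['mask']}", strict=False)
            routes[net] = m["state"]
    return routes


def parse_vrf_p_routes(text):
    """Networks carrying code P in one VRF table (the Codes legend is skipped)."""
    nets = set()
    for line in text.splitlines():
        m = VRF_P_RE.match(line)
        if m:
            dest = m["dest"]
            if "/" not in dest:             # connected host route shown without a length
                dest += "/32"
            nets.add(ipaddress.ip_network(dest, strict=False))
    return nets


def cross_check(download_text, vrf_tables):
    """Return ({network: [vrfs carrying it]}, [active networks carried by no VRF])."""
    downloaded = parse_download(download_text)
    per_vrf = {vrf: parse_vrf_p_routes(t) for vrf, t in vrf_tables.items()}
    placement, unplaced = {}, []
    for net, state in downloaded.items():
        vrfs = sorted(v for v, nets in per_vrf.items() if net in nets)
        placement[str(net)] = vrfs
        if state == "A" and not vrfs:
            unplaced.append(str(net))
    return placement, unplaced


if __name__ == "__main__":
    placement, unplaced = cross_check(DOWNLOAD_OUTPUT, VRF_TABLES)
    for net, vrfs in placement.items():
        print(f"{net:20} -> {', '.join(vrfs) or 'NOT IN ANY VRF'}")
    print("active routes missing from every VRF:", unplaced or "none")
```

An active route in the download list that appears in no VRF table, or in an unexpected one, is the symptom to look for after a RADIUS change: the download succeeded, but the route is not where the customer needs it.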

Providing Dial-Out Access Without LSDO (Direct ISDN)

Sometimes the VRF-aware LSDO solution might not be applicable. This occurs when there is direct ISDN dial-out from the VHG or when the number of dial-out customers is small and contained to a single LAC/LNS pair (therefore, not many routers need to be configured). The L2TP tunnels for dial-out can be statically configured.

NOTE

If VRF-aware LSDO is not used, then a dialer profile configuration for each remote destination is required on every VHG or NAS (for direct ISDN) that provides dial-out services. In a large network, this would involve a considerable amount of operational overhead.

The static dialer profile configuration (no AAA servers are used) is shown in Example 2-34. This configuration applies to dial-out via a statically configured L2TP tunnel. Note that the changes only involve the configuration on the San Jose PE router.

Example 2-34. Dialer Profile Configuration Without LSDO

interface Dialer20
 ip vrf forwarding FastFoods
 ip unnumbered Loopback10
 encapsulation ppp
 no keepalive
 dialer pool 20
 dialer remote-name Fresno_Vending
 dialer string 99065890
 dialer vpdn
 dialer-group 2
 peer default ip address 192.168.2.51
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname Fresno_Dialer
 ppp chap password 0 showmethemoney
!
ip route vrf FastFoods 10.4.1.0 255.255.255.0 192.168.2.51
ip route vrf FastFoods 192.168.2.51 255.255.255.255 Dialer20 permanent
!
vpdn-group 1
 accept-dialin
  protocol l2tp
  virtual-Template 1
 request-dialout
  protocol l2tp
  pool-member 20
 terminate-from hostname SuperCom_LAC
 initiate-to ip 194.22.15.4
 local name SuperCom_LNS
 l2tp tunnel password 7 06100632454107
 source-ip 194.22.15.2

In the case of direct dial ISDN, the vpdn-group configuration in the previous example would not apply, and the dialer vpdn command must be removed from interface Dialer20. For direct dial ISDN in the SuperCom network, all that would be necessary on the San Jose VHG/PE router would be to add the ISDN interface to the dial pool, as shown in Example 2-35.

Example 2-35. ISDN Dial-Out Pool

!
interface Serial6/0:15
 ip unnumbered Loopback0
 encapsulation ppp
 dialer pool-member 20
 isdn switch-type primary-net5
 no cdp enable
 ppp authentication chap callin
end

Providing Dial Backup for MPLS VPN Access

Dial backup protection for a primary CE router/PE router link can be provided easily by using either of the dial-in architectures (VPDN or Direct ISDN) that were previously discussed. The primary and backup links normally reside on the same CE router. Consider the scenario shown in Figure 2-18. The EuroBank San Francisco CE router has a primary connection terminating on the San Jose PE router. The primary link is protected by a backup interface that can use either VPDN (L2TP) or direct ISDN dial to establish a backup link to the EuroBank VRF.

Figure 2-18. Dial Backup for Fast Foods San Jose

If the primary link fails, the backup interface, which is a dialer interface, automatically calls the San Jose LAC/NAC (using an analogue or digital call). The procedures followed are identical to those for VPDN or direct dial-in ISDN access.

Example 2-36 shows the common configuration and RADIUS attributes for providing a backup link (in our example, interface Dialer 2) to EuroBank San Francisco by using the backup interface command. See Table 2-8 for the corresponding list of RADIUS attributes on the SuperCom RADIUS Server.

Example 2-36. EuroBank San Francisco CE Router Configuration for Backup

interface Serial0/0
 backup interface Dialer2
 ip address 192.168.2.25 255.255.255.252
!
interface Dialer2
 ip address negotiated
 encapsulation ppp
 dialer pool 5
 dialer idle-timeout 600
 dialer string 94780400
 dialer-group 1
 ppp chap hostname sanfran_backup@eurobank.com
 ppp chap password 0 heyiamup
!
dialer-list 1 protocol ip permit

Table 2-8. San Francisco Router RADIUS Attributes for Backup

Attribute (Type)       Value
User-Name (1)          "sanfran_backup@eurobank.com"
User-Password (2)      "heyiamup"
Service-Type (6)       1 (Framed)
Framed-Protocol (7)    1 (PPP)

You might have noticed that these configurations are similar to the EuroBank Sacramento SOHO router used in the Direct ISDN dial-in scenario. However, the difference in the rest of the configuration depends on whether static routing or dynamic routing is used.

If static routing is used over the backup link, the configuration at the CE router contains two default routes (shown in Example 2-37): one pointing to the primary interface and the other pointing to the backup interface with a higher metric. The RADIUS attributes used (see Table 2-9) insert a static Framed-Route (VRF aware) into the EuroBank VRF for San Francisco via the backup link. If the primary interface fails on the San Francisco CE, the dialer interface and the corresponding static route become active.

Example 2-37. Backup Static Routes

ip route 0.0.0.0 0.0.0.0 192.168.2.26
ip route 0.0.0.0 0.0.0.0 dialer 2 230

Table 2-9. Additional RADIUS Attributes for Backup Static Routing

Attribute (Type)       Value
Framed-Route (22)      10.2.1.0/24
cisco-avpair           "lcp:interface-config=ip vrf forwarding EuroBank \n ip unnumbered loopback 1 \n peer default ip address pool EuroBank_Pool"

For dynamic routing, configure the dialer interface and the virtual-access interface with static IP addresses (those that are not obtained from a pool). You do not need to use the RADIUS Framed-Route attribute (see Table 2-10). Example 2-38 uses the Routing Information Protocol (RIP) as the routing protocol, and the addresses used at each end of the backup link come from the 192.168.2.0/24 subnet, which happens to be the same range that the primary link uses. If a different subnet is used for the backup link, a corresponding RIP network statement for that subnet is necessary.

Example 2-38. Dynamic Routing Using RIP

! San Francisco CE router
!
router rip
 version 2
 redistribute connected
 network 192.168.2.0
------------------------------------------------
! San Jose PE router
!
router rip
 !
 address-family ipv4 vrf EuroBank
  version 2
  redistribute bgp 100 metric 10
  redistribute static
  network 192.168.2.0
  no auto-summary
 exit-address-family

Table 2-10. Additional RADIUS Attributes for Backup Dynamic Routing

Attribute (Type)       Value
cisco-avpair           "lcp:interface-config=ip vrf forwarding EuroBank \n ip address 192.168.2.41 255.255.255.252"
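The RADIUS attributes of Tables 2-8 through 2-10 as they travel on the wire, as an added Python example that is not code from the book: it packs the Table 2-9 Framed-Route and cisco-avpair into an Access-Accept, computes and checks the Response Authenticator that lets the NAS reject a reply that does not come from the server holding the shared secret, and decodes the attributes again. The shared secret, packet identifier and Request Authenticator are constructed values.

```python
"""RADIUS Access-Accept carrying the Table 2-9 attributes (Framed-Route and
cisco-avpair).  Added example, not code from the book; the shared secret,
packet identifier and Request Authenticator are constructed values."""
import hashlib
import struct

ACCESS_ACCEPT = 2
# Attribute types used in Tables 2-8 to 2-10 (RFC 2865 numbering).
USER_NAME, SERVICE_TYPE, FRAMED_PROTOCOL, FRAMED_ROUTE = 1, 6, 7, 22
VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9          # IANA enterprise number for Cisco
CISCO_AVPAIR = 1             # Cisco vendor-type carrying "cisco-avpair"


def attr(atype: int, value: bytes) -> bytes:
    """One Type-Length-Value attribute; Length includes the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 bytes")
    return struct.pack("!BB", atype, len(value) + 2) + value


def cisco_avpair(text: str) -> bytes:
    """Vendor-Specific (26): Vendor-Id 9, then a vendor-type 1 TLV holding
    the cisco-avpair string exactly as the table shows it."""
    inner = struct.pack("!BB", CISCO_AVPAIR, len(text) + 2) + text.encode()
    return attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def access_accept(ident: int, request_auth: bytes, secret: bytes,
                  attrs: bytes) -> bytes:
    """Build the packet.  Response Authenticator =
    MD5(Code + Identifier + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(head + request_auth + attrs + secret).digest()
    return head + resp_auth + attrs


def verify_response(pkt: bytes, request_auth: bytes, secret: bytes) -> bool:
    """NAS-side check: the Accept must bind to our Request Authenticator and
    the shared secret; otherwise a spoofed reply could hand the session a
    VRF assignment or a route it should never receive."""
    head, auth, attrs = pkt[:4], pkt[4:20], pkt[20:]
    expected = hashlib.md5(head + request_auth + attrs + secret).digest()
    return expected == auth


def parse_attributes(attrs: bytes) -> list:
    """Return (type, value) pairs; Cisco VSAs come back as
    ('cisco-avpair', text).  Malformed lengths raise instead of looping."""
    out, i = [], 0
    while i < len(attrs):
        if i + 2 > len(attrs):
            raise ValueError("truncated attribute header at offset %d" % i)
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("bad attribute length at offset %d" % i)
        value = attrs[i + 2:i + alen]
        if (atype == VENDOR_SPECIFIC and len(value) >= 6
                and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID
                and value[4] == CISCO_AVPAIR and value[5] == len(value) - 4):
            out.append(("cisco-avpair", value[6:].decode()))
        else:
            out.append((atype, value))
        i += alen
    return out


# Table 2-9: static-routing backup attributes for sanfran_backup.
TABLE_2_9 = (
    attr(FRAMED_ROUTE, b"10.2.1.0/24")
    + cisco_avpair("lcp:interface-config=ip vrf forwarding EuroBank\n"
                   "ip unnumbered loopback 1\n"
                   "peer default ip address pool EuroBank_Pool")
)

# Constructed stand-ins for the real exchange with the SuperCom server.
REQUEST_AUTH = bytes(range(16))
SECRET = b"constructed-shared-secret"


def demo() -> list:
    """Encode, verify and decode the Table 2-9 Access-Accept."""
    pkt = access_accept(0x2A, REQUEST_AUTH, SECRET, TABLE_2_9)
    if not verify_response(pkt, REQUEST_AUTH, SECRET):
        raise RuntimeError("authenticator mismatch")
    return parse_attributes(pkt[20:])


if __name__ == "__main__":
    for atype, value in demo():
        print(atype, value)
```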

Providing DSL Access to an MPLS VPN

The DSL technology provides high-speed network access over a pair of copper wires, which essentially is the local loop from the telephone company central office (CO) to residential or business premises. A modulation technology called Discrete Multitone (DMT) allows the transmission of high-speed data over the copper pair. It is not within the scope of this book to explain the details of DSL operation; however, the aspects that relate to successful operation within an MPLS VPN network are covered in the following sections.

DSL has the following basic components:

At the customer end, there is a customer premises equipment (CPE), which can be a device, such as a router (preferably Cisco). Alternatively, it can be a device that is capable of bridging client PCs, which do not need routing capability. It can also be a directly connected client PC that uses a DSL adapter card and special software.

NOTE

On the physical layer, there will also be a plain old telephone service (POTS) filter or splitter on the customer premises to allow simultaneous use of a phone and DSL device on the same pair of wires.

The subscriber line can be terminated at another large-scale splitter at the CO to separate the voice calls from the DSL data connection. The DSL data connection is terminated at a digital subscriber line access multiplexer (DSLAM), whose function is to provide high-density termination of all the copper pairs feeding into it. The DSLAM connects to an aggregation device by using ATM.

The aggregation device is a router that provides the higher-level protocol termination from the ATM connection. Each customer DSL connection is terminated on separate ATM PVCs.

DSL uses ATM as its basic transport mechanism. You can use various encapsulation methods depending on the application that is required. All the encapsulation methods use ATM adaptation layer 5 (AAL5) to segment the data into ATM cells and RFC 1483 to allow the transport of multiple protocols over the same ATM PVC. RFC 1483 comes in two variants. The first method allows multiple protocols to be carried over the same PVC. In Cisco IOS, this is configured using the aal5snap keyword. The second method does higher layer protocol multiplexing implicitly by PVC (that is, one protocol per PVC).

NOTE

RFC 1483 has been obsoleted by RFC 2684. However, the overwhelming practice is to still refer to the standard as RFC 1483, which implies the latest iteration.

The possible encapsulation methods are shown in Figure 2-19.

Figure 2-19. DSL Encapsulation Formats



Each of these encapsulation methods and their operation within an MPLS VPN network for remote access are discussed in the following sections.

DSL Access by Using RFC 1483 Routed Encapsulation

This connection method is particularly straightforward and consists of an ATM PVC between the DSL CPE and the PE router, as shown in Figure 2-20 for a EuroBank DSL CPE connection.

Figure 2-20. DSL RFC 1483 Routed

A static (or unnumbered) IP address is configured at both ends of the link, and the ATM subinterface at the PE router end is placed into a statically configured VRF. No remote user authorization and authentication is necessary in this scenario. From an MPLS perspective, there is no difference between this configuration and any other permanent circuit connection, such as Frame Relay, Packet Over SONET (POS), or leased line. Because the DSL CPE is a router, it can be configured with dynamic routing to the PE router if required and act as a DHCP server to its locally connected devices. If address management were required to be coordinated from a EuroBank central location, then a DHCP server could be located elsewhere in the EuroBank VPN, such as Paris in our example. Therefore, the DSL CPE would act as a DHCP relay agent to the Paris DHCP server. Note that this DHCP server would only support EuroBank DHCP requests.

RFC 1483 routed is most suited for remote office applications rather than residential users. The following configuration (see Example 2-39) shows how to place an RFC 1483 routed DSL CPE into the EuroBank VRF.

Example 2-39. San Jose PE Router Configuration RFC 1483 Routed

interface ATM2/0.1 point-to-point
 ip vrf forwarding EuroBank
 ip address 192.168.2.74 255.255.255.252
 pvc 1/32
  ubr 256
  encapsulation aal5snap

DSL Access Using RFC 1483 Bridged Encapsulation

In this access scenario, all traffic between the DSL CPE and the PE router is bridged and no routing occurs. The traffic is carried on the ATM PVC within an RFC 1483 bridged packet, which includes the Layer 2 information (Ethernet addresses and so on). From the perspective of the San Jose PE router, shown in Figure 2-21, the ATM interface appears as a LAN interface. This is accomplished by configuring route-bridge encapsulation (RBE) on the subinterface.

Figure 2-21. DSL RFC 1483 Bridged
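The two RFC 1483 LLC/SNAP formats described above, routed (as on the Example 2-39 PVC) and bridged (what an RBE subinterface receives), as an added Python example that is not code from the book: it builds both PDU types, classifies an incoming PDU by its LLC/SNAP header, and extracts the source MAC and IPv4 address the PE learns from a bridged frame. The MAC addresses and the IP packet are constructed.

```python
"""RFC 1483 (now RFC 2684) LLC/SNAP encapsulation as carried on the DSL
PVC: routed IPv4 versus bridged Ethernet.  Added example, not code from
the book; MAC addresses and the IP packet are constructed."""
import struct

LLC_SNAP = b"\xaa\xaa\x03"
OUI_ETHERTYPE = b"\x00\x00\x00"   # routed PDU: PID is an EtherType
OUI_8021 = b"\x00\x80\xc2"        # bridged PDU: PID names the 802.x media
PID_ETH_NO_FCS = b"\x00\x07"      # Ethernet/802.3 with FCS stripped
PID_ETH_FCS = b"\x00\x01"         # Ethernet/802.3 with FCS preserved
ETHERTYPE_IPV4 = b"\x08\x00"


def encap_routed_ipv4(ip_packet: bytes) -> bytes:
    """aal5snap routed (Example 2-39): 8-byte LLC/SNAP header, then IP."""
    return LLC_SNAP + OUI_ETHERTYPE + ETHERTYPE_IPV4 + ip_packet


def encap_bridged_ethernet(frame: bytes, keep_fcs: bool = False) -> bytes:
    """aal5snap bridged: LLC/SNAP, 802.1 OUI, PID, 2-byte PAD, then the
    whole Ethernet frame including both MAC addresses."""
    pid = PID_ETH_FCS if keep_fcs else PID_ETH_NO_FCS
    return LLC_SNAP + OUI_8021 + pid + b"\x00\x00" + frame


def classify(pdu: bytes) -> tuple:
    """('routed', ethertype, payload) or ('bridged', fcs_kept, frame);
    anything that is not LLC/SNAP (for example VC-mux) raises."""
    if len(pdu) < 8 or pdu[:3] != LLC_SNAP:
        raise ValueError("not an LLC/SNAP PDU")
    oui, pid = pdu[3:6], pdu[6:8]
    if oui == OUI_ETHERTYPE:
        return ("routed", struct.unpack("!H", pid)[0], pdu[8:])
    if oui == OUI_8021 and pid in (PID_ETH_NO_FCS, PID_ETH_FCS):
        if len(pdu) < 10 + 14:
            raise ValueError("bridged PDU shorter than PAD + Ethernet header")
        return ("bridged", pid == PID_ETH_FCS, pdu[10:])
    raise ValueError("unsupported OUI/PID %s/%s" % (oui.hex(), pid.hex()))


def rbe_view(pdu: bytes) -> tuple:
    """What the PE's RBE subinterface sees in a bridged PDU: the CPE-side
    source MAC and, for IPv4, the source address it will route for."""
    kind, _, frame = classify(pdu)
    if kind != "bridged":
        raise ValueError("RBE applies to bridged PDUs only")
    src_mac = frame[6:12]
    if frame[12:14] != ETHERTYPE_IPV4 or len(frame) < 14 + 20:
        return (src_mac, None)
    return (src_mac, ".".join(str(b) for b in frame[26:30]))


def ipv4_header(src: str, dst: str, payload_len: int = 0) -> bytes:
    """Minimal IPv4 header for the demo (no options, checksum left zero)."""
    def addr(s: str) -> bytes:
        return bytes(int(o) for o in s.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len,
                       0, 0, 64, 17, 0, addr(src), addr(dst))


# Constructed Palo Alto host frame as it would arrive on PVC 1/32.
PALO_ALTO_PC = b"\x00\x11\x22\x33\x44\x55"
SAN_JOSE_GW = b"\x00\xaa\xbb\xcc\xdd\xee"
IP_PKT = ipv4_header("10.6.1.10", "10.6.1.1")
ETH_FRAME = SAN_JOSE_GW + PALO_ALTO_PC + ETHERTYPE_IPV4 + IP_PKT
ROUTED_PDU = encap_routed_ipv4(IP_PKT)
BRIDGED_PDU = encap_bridged_ethernet(ETH_FRAME)

if __name__ == "__main__":
    print(ROUTED_PDU[:8].hex(), classify(ROUTED_PDU)[0])
    print(BRIDGED_PDU[:10].hex(), classify(BRIDGED_PDU)[0], rbe_view(BRIDGED_PDU))
```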



Table of Content s



I ndex

MP LS and V PN Ar chi te ctur e s, V olum e I I By Jim Guichard , I van Pepelnjak , Jeff Apcar

Pub lish er: Cisco Press Pub Dat e: Ju ne 06, 2 00 3 I SBN: 58 705CPE -1 12 -5 Becau se t he1-DSL h as no rou t ing fu nct ionalit y, it cannot act as a DHCP ser v er . Therefor e, Pages: 50 4 if DHCP is r eq uired, t hen a r emot e Eur oBank D HCP ser ver m ust pr ovid e it . I n ou r exam p le, t he San Jose PE r out er act s as t he r elay agent t o t he Paris Eur oBank D HCP serv er.

Configuring the San Jose PE Router Wit h MPLS and VPN Ar chit ect u res, Volum e I I , y ou' ll lear n : Ex am ple 2- 40 sh ows t he conf igur at ion for RBE on t h e San Jose PE r out er . Because t he subin t er f ace ATM2/ 0. 1 act s as a LAN in t er f ace in RBE, t he San Jose r out er ( 1 0. 6. 1. 1/ 32) How t o int egr at e v ar iou s r em ot e access t echn ologies in t o t h e back bone p r ovidin g VPN app ear s as t he gat ew ay f or t he Eur oBank Palo Alt o subn et 10 . 6. 1. 0/ 24 . The San Jose PE ser v ice t o m any d iff er ent t yp es of cu st om er s r out er r elay s an y DHCP requ est s in t h e nor m al m anner t o 19 6. 7. 25. 3 2, using t h e ip h el pe ra ddr ess obaPEl com and. The gl n ew CE rmout in g op t ions as w ell as ot her adv anced f eat ur es, includ ing per- VPN Net w ork Ad dr ess Tr an slat ion ( PE- NAT)

Exa m How pl eVRFs 2 - 4can 0 . be San ex t ended Jose int PEo aRou custtom er erCon sit ef tigu o prrov atide ion sepf ar oratRFC ion inside 1 4 8t 3 he custd om er net w ork Br i dge The lat est MPLS VPN secur it y f eat u res an d d esign s aim ed at pr ot ect ing t h e MPLS VPN back bone interface ATM2/0.1 point-to-point How t o carr y cust om er m ult icast t r aff ic insid e a VPN ip vrf forwarding EuroBank The lat est in t er - car rier enh ancem ent s t o allow f or easier and m or e scalable d ep loym ent of int er - car r ier MPLS VPN serv ices ip address 10.6.1.1 255.255.255.0 Adv anced t rou blesh oot ing t echn iques includ in g r ou t er out pu t s t o en su re high av ailab ilit y ip helper-address global 196.7.25.32 MPLS and VPN Ar chit ect u res, Volum e I I , b uilds on t he best - sellin g MPLS an d VPN Arno ch itip ectmroute-cache u res, Volum e I ( 1 - 587 05- 0 02- 1) , f rom Cisco Pr ess. Ex t endin g int o m or e adv anced t opics an d d ep loy m ent archit ect ur es, Volu m e I I pr ovid es r eader s w it h t he necessar y t ools ip m ain t ain a secur e, hig hly av ailab le VPN. tatm hey route-bridged n eed t o d ep loy and MPLS pvc and 1/32VPN Ar chit ect u res, Volum e I I , b eg in s w it h a br ief ref resher of t he MPLS VPN Ar ch it ect u re. Par t I I descr ibes adv anced MPLS VPN con nect iv it y includ in g t he int egr at ion of serubr v ice 256 pr ovider access t echn olog ies ( dial, DSL, cab le, Et her net ) an d a v ariet y of r out in g pr ot ocols ( I S- I S, EI GRP, and OSPF) , ar m in g t he r eader w it h t he k now ledge of h ow t o intencapsulation egr at e t h ese f eataal5snap ur es in t o t h e VPN b ack bon e. 
Part I I I det ails adv anced d ep loy m ent issues includin g secu r it y , ou t lining t he n ecessar y st eps t h e ser v ice p rov ider m ust t ake t o p rot ect t he back bone and any at t ached VPN sit es, and also det ailin g t he lat est secu rit y f eat ur es t o allow m or e adv anced t op ologies and filt erin g. This par t also cov er s m ult i- car r ier MPLS VPN deploy m en t s. Fin ally , Par t I V pr ov id es a m et hodology for ad van ced MPLS VPN t r oub leshoot ing .

Configuring the Palo Alto DSL CPE


The DSL CPE configuration is basic and only requires bridging to be configured, as shown in Example 2-41.

Example 2-41. Palo Alto DSL CPE Configuration for RFC 1483 Bridged

interface Ethernet0
 no ip address
 no ip directed-broadcast
 bridge-group 1
!
interface ATM0
 no ip address
 no ip directed-broadcast
 no ip mroute-cache
 no atm ilmi-keepalive
 pvc 1/32
  ubr 256
  encapsulation aal5snap
 bridge-group 1
!
bridge 1 protocol ieee

The disadvantage of this solution is that DSL customers must have a DHCP server that is available within their intranet, because the DSL CPE is not capable of providing the IP addresses. This might not be desirable for the customer if he does not have the operational and support infrastructure to manage and maintain his own DHCP server(s). A new feature called DHCP Relay - MPLS VPN Support is available in Cisco IOS 12.2(4)B and 12.2(8)T; it allows the DHCP server to exist outside of the VRF, either in the global routing table or in another VRF. A DHCP server that is enabled with this feature is able to support overlapping addresses; therefore, a single server might provide addresses to many VRFs.
This means that the service provider could provide a centralized DHCP server to support all remote VPN customers. This feature and its applicability to the RFC 1483 bridged scenarios are discussed in detail in the earlier section, "Advanced Features for MPLS VPN Remote Access."

DSL Access Using PPP over ATM

In the PPP over ATM (PPPoA) scenario shown in Figure 2-22, the Palo Alto DSL CPE has routing functionality and uses PPP to connect to the San Jose PE router. The PPP session runs over the ATM PVC between the DSL CPE and the PE router; therefore, it is called PPP over ATM, or PPPoA. The locally connected PCs can either be statically configured with IP addresses or request them from a DHCP server that is configured on either the DSL CPE or a remote server in the EuroBank intranet.


Figure 2-22. DSL PPPoA


The advantage of using a PPPoA DSL access scenario is that you can perform a single authentication and accounting instance on the DSL connection for all PCs behind the DSL CPE. The PCs can obtain their addresses from a local DHCP pool that is configured on the DSL CPE or from a customer DHCP server.

NOTE

The steps for establishing the PPPoA session are identical to those explained in the "Dial-In Access via Direct ISDN" section. When the PPP call is received, a virtual access interface is cloned from a virtual template for the PPP session. The RADIUS server authenticates the PPP session and supplies additional configuration information for the virtual-access interface. You can obtain addressing for the PPP session in several ways, including the RADIUS server, a local IP pool, or an on-demand address pool, which is described in the "Advanced Features for MPLS VPN Remote Access" section.

Configuring the San Jose PE Router

Example 2-42 shows the configuration that is necessary on the San Jose PE router to terminate a PPPoA session. As with all PPP terminations that are accessing a VPN, scalability is achieved via the combination of virtual profiles supported by a RADIUS server. This technique has been explained in detail in the earlier section, "Providing Dial-In Access to an MPLS VPN." Virtual-template1 has been associated with the PPP ATM PVC that is connecting to the DSL CPE, using the encapsulation aal5mux ppp command. When a PPP connection is received on PVC 1/32, virtual-template1 is used to clone a virtual access interface, with additional configuration information being supplied by the SuperCom RADIUS server.

Example 2-42. San Jose PE Router Configuration for PPPoA

hostname SanJose_PE
!
aaa authentication ppp default local group radius
aaa authorization network default local group radius
!
virtual-profile aaa
!
interface ATM2/0.1 point-to-point
 pvc 1/32
  ubr 256
  encapsulation aal5mux ppp virtual-Template1
!
interface virtual-Template1
 no ip address
 no peer default ip address
 no keepalive
 ppp authentication chap callin
!
ip radius source-interface Loopback0
!
radius-server host 194.22.16.2 auth-port 1645 acct-port 1646 key a$4two

Note that virtual-template1 is the same one we used to terminate L2TP VPDN sessions from the San Jose LAC/NAS, described in the "Dial-In Access via L2TP VPDN" section.

Configuring the EuroBank Palo Alto DSL CPE


Example 2-43 shows the PPPoA configuration for the DSL CPE. You might notice that it is similar in many respects to the configuration used in the EuroBank Sacramento SOHO router shown previously in Example 2-19. The only difference is that an ATM PVC is used rather than an ISDN channel. The SuperCom RADIUS server will use the username paloalto@eurobank_dsl to authenticate and download the appropriate per-user configuration.

Example 2-43. Palo Alto DSL CPE Configuration for PPPoA

interface ATM0
 no ip address
 no ip redirects
 no atm ilmi-keepalive
 pvc 1/32
  ubr 256
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 dsl operating-mode auto
!
!
interface Dialer1
 ip address negotiated
 no ip redirects
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp chap hostname paloalto@eurobank_DSL
 ppp chap password atwistedpair
!
ip route 0.0.0.0 0.0.0.0 Dialer1
!
dialer-list 1 protocol ip permit

SuperCom RADIUS Server Attributes

The RADIUS entry for the Palo Alto DSL router shown in Table 2-11 is straightforward and almost identical to the attributes used for any other direct dial-in PPP router. In our configuration, the PPP address is obtained from the local pool defined for EuroBank on the San Jose PE router. A VRF-aware Framed-Route 10.6.1.0/24 is injected into the EuroBank VRF to provide reachability to the Palo Alto LAN. Loopback 11 is the interface used to preinstantiate the EuroBank VRF.

Table 2-11. Palo Alto RADIUS Attributes for PPPoA

Attribute (Type)        Value
User-Name (1)           paloalto@eurobank_DSL
User-Password (2)       Atwistedpair
Service-Type (6)        1 (Framed)
Framed-Protocol (7)     1 (PPP)
Framed-Route (22)       10.6.1.0/24
Cisco-avpair            lcp:interface-config=ip vrf forwarding EuroBank\n[1]
                        ip unnumbered loopback 11\n
                        peer default ip address pool EuroBank_Pool

[1] The \n signifies an explicit carriage return; this varies between server implementations.

Verifying PPPoA Operation


Because the PPPoA operation is similar to what you have already read in Direct ISDN access, there is no real value in showing information such as routing table and debugs again; the outputs are also similar. The differences are that the username and framed route injected are different, and we are connecting using an ATM PVC. The output shown in Example 2-44 confirms that the San Jose PE router has terminated the Palo Alto PPPoA session on virtual-access5. As you can see, "jimi" and "eric" are also logged on via an L2TP VPDN session from the San Jose LAC/NAS. The address 192.168.3.2 has been allocated from the EuroBank local address pool, which you will see happens to be the same one "jimi" is using that was allocated from the FastFoods local pool, using the overlapping address pool feature.

Example 2-44. PPPoA DSL and VPDN User Information

SanJose_PE#show user
    Line       User       Host(s)              Idle       Location
*  0 con 0               idle                 00:00:00

  Interface    User                Mode         Idle      Peer Address
  Vi3          [email protected]     PPPoVPDN     00:45:11  192.168.3.3
  Vi5          paloalto@eurobank_  PPPoATM      00:00:07  192.168.3.2
  Vi6          [email protected]     PPPoVPDN     00:51:06  192.168.3.2

Closer inspection of the virtual access interface, shown in Example 2-45, confirms that it has been cloned from virtual-template1 via a PPPoA session using additional configuration provided by the AAA (RADIUS) server, and that it is in the EuroBank VRF.

Example 2-45. PPPoA Virtual-Access Interface

SanJose_PE#show interface vi5
virtual-Access5 is up, line protocol is up
  Hardware is Virtual Access interface
  Interface is unnumbered. Using address of Loopback11 (192.168.2.100)
  MTU 1500 bytes, BW 100000 Kbit, DLY 100000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, LCP Open
  Open: IPCP
  PPPoATM vaccess, cloned from AAA, virtual-Template1
[snip]

SanJose_PE#show ip vrf EuroBank
  Name                             Default RD          Interfaces
  EuroBank                         10:27               virtual-Access3
                                                       virtual-Access5
                                                       Loopback11

DSL Access Using PPP over Ethernet

In the PPP over Ethernet (PPPoE) scenario shown in Figure 2-23, the Palo Alto DSL CPE is connected to the San Jose PE router by using a simple bridged connection, much like the RFC 1483 bridged scenario. PPPoE sessions are initiated directly from the PC clients with PPPoE software installed and bridged over the ATM PVC via encapsulated Ethernet-bridged frames. Therefore, the San Jose PE router has a virtual-access interface for each PC client, as opposed to a single interface as in the PPPoA scenario. The advantage of PPPoE is that the software resides on the client PCs; therefore, the DSL CPE only needs to have basic bridging capabilities, and no routing functions are necessary, which keeps the hardware costs down. Because each PC runs its own PPP session, authentication and accounting information can be tracked on a per-user basis.

Figure 2-23. DSL PPPoE


A DHCP function is not necessary because the SuperCom RADIUS server provides each PC with an IP address for its PPP session. Authentication and virtual-access creation and configuration are performed by using the same procedures as explained in the earlier section, "Dial-In Access via Direct ISDN."

Configuring the SuperCom PE Router

The VPDN code in Cisco IOS processes PPPoE. Therefore, you must define a VPDN group to terminate all PPPoE connections that arrive at the San Jose PE router, as shown in Example 2-46. The VPDN group supplies the virtual-template to be used to clone a virtual-access interface for the PPP session. The linkage between the ATM PVC and the VPDN group is accomplished by using the protocol pppoe command in both the ATM interface and the vpdn-group configuration.

Example 2-46. San Jose PE Router Configuration for PPPoE

aaa authentication ppp default local group radius
aaa authorization network default local group radius
!
virtual-profile aaa
!
interface ATM2/0.1 point-to-point
 pvc 1/32
  ubr 256
  encapsulation aal5snap
  protocol pppoe
!
vpdn-group 4
 accept-dialin
  protocol pppoe
  virtual-Template 1
!
interface virtual-Template1
 no ip address
 no peer default ip address
 no keepalive
 ppp authentication chap callin
!
ip radius source-interface Loopback0
!
radius-server host 194.22.16.2 auth-port 1645 acct-port 1646 key a$4two

Configuring the Palo Alto DSL CPE

The DSL CPE only requires a bridging configuration and is identical to the configuration shown in the RFC 1483 bridged section in Example 2-41.

SuperCom RADIUS Server Attributes

The RADIUS attributes for "anne" allow access to the EuroBank VRF and provide an address out of the EuroBank local address pool. Table 2-12 lists these attributes and their respective values.

Table 2-12. User anne@eurobank_DSL RADIUS Attributes

Attribute (Type)      Value
User-Name (1)         "anne@eurobank_DSL"
User-Password (2)     "irisheyes"
Service-Type (6)      1 (Framed)
Framed-Protocol (7)   1 (PPP)
Cisco-avpair          "lcp:interface-config=ip vrf forwarding EuroBank \n[1] ip unnumbered loopback11 \n peer default ip address pool EuroBank_Pool"

[1] The \n signifies an explicit carriage return; usage varies between RADIUS servers.
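The lcp:interface-config value in Table 2-12 is the piece of per-user state that decides which VRF the session lands in, so it is worth checking mechanically rather than by eye. The following is an added example, not code from the book or from Cisco: it splits the avpair into its IOS commands, accepting either the literal "\n" token or a real line break as separator (the footnote above notes that this varies between RADIUS servers), and checks that a VRF assignment is present, is the expected one, and precedes any address command. The sample avpair strings are constructed copies of the table value; the helper names are the author's own.

```python
"""Parse and audit the Cisco-avpair lcp:interface-config value pushed by RADIUS.

Added example (not the book's code): splits the per-user interface
configuration into IOS commands and checks the VRF assignment.
"""
import re
from typing import Dict, List, Optional

# Constructed copy of the Table 2-12 value, with literal "\n" tokens.
SAMPLE_AVPAIR_LITERAL = (
    r"lcp:interface-config=ip vrf forwarding EuroBank \n "
    r"ip unnumbered loopback11 \n "
    r"peer default ip address pool EuroBank_Pool"
)
# The same content as some RADIUS servers send it: real newlines instead of "\n".
SAMPLE_AVPAIR_NEWLINES = (
    "lcp:interface-config=ip vrf forwarding EuroBank\n"
    "ip unnumbered loopback11\n"
    "peer default ip address pool EuroBank_Pool"
)

# Matches the escaped two-character "\n" token or a real CR/LF.
_SEPARATOR = re.compile(r"\\n|\n|\r")


def parse_interface_config(avpair: str) -> List[str]:
    """Return the IOS commands carried in an lcp:interface-config avpair."""
    prefix = "lcp:interface-config="
    if not avpair.startswith(prefix):
        raise ValueError("not an lcp:interface-config avpair")
    body = avpair[len(prefix):]
    return [c.strip() for c in _SEPARATOR.split(body) if c.strip()]


def vrf_of(commands: List[str]) -> Optional[str]:
    """Name of the VRF assigned by 'ip vrf forwarding <name>', or None."""
    for cmd in commands:
        m = re.fullmatch(r"ip vrf forwarding (\S+)", cmd)
        if m:
            return m.group(1)
    return None


def audit_interface_config(avpair: str, expected_vrf: str) -> Dict[str, object]:
    """Check that a user's pushed config keeps the session in the expected VRF.

    Two properties matter for a per-VPN access service:
      * the VRF assignment is present and is the expected one (otherwise the
        session lands in the global table or in another customer's VRF);
      * 'ip vrf forwarding' precedes any address command, because IOS clears
        an interface's address when its VRF is changed, so the reverse order
        leaves the virtual-access interface without an address.
    """
    commands = parse_interface_config(avpair)
    vrf = vrf_of(commands)
    vrf_index = next((i for i, c in enumerate(commands)
                      if c.startswith("ip vrf forwarding")), None)
    addr_index = next((i for i, c in enumerate(commands)
                       if c.startswith("ip unnumbered") or c.startswith("ip address")), None)
    problems: List[str] = []
    if vrf is None:
        problems.append("no VRF assignment; session would land in the global routing table")
    elif vrf != expected_vrf:
        problems.append(f"VRF {vrf} differs from expected {expected_vrf}")
    if vrf_index is not None and addr_index is not None and addr_index < vrf_index:
        problems.append("address configured before 'ip vrf forwarding'; IOS will clear it")
    return {"commands": commands, "vrf": vrf, "problems": problems}


if __name__ == "__main__":
    for sample in (SAMPLE_AVPAIR_LITERAL, SAMPLE_AVPAIR_NEWLINES):
        result = audit_interface_config(sample, "EuroBank")
        print(result["vrf"], result["problems"])
```

Run against a dump of the RADIUS user profiles, the audit reports an empty problem list for every user whose profile pins the intended VRF, and names the offending user for anyone whose profile does not.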

Verifying PPPoE Operation

In our example, remote user anne@paloalto_DSL has connected via the PPPoE client in her PC to the San Jose PE router. When the PPP session is established, her virtual-access interface is placed into the EuroBank VRF.

A PPPoE frame contains one of two ethertypes:

0x8863 - PPPoE control packet, which manages the PPPoE session

0x8864 - PPPoE data packet, which carries the actual PPP packet

Two sessions exist for any PPPoE client connection. The first is a VPDN L2TP-like session for the PPPoE tunnel, and the second is for the actual PPP session that is carried within the PPPoE frame. These sessions correspond to the two Ethertypes in the frame.

As mentioned previously, the VPDN code processes the PPPoE connection. Therefore, if we display the VPDN PPPoE tunnel information as shown in Example 2-47, we can see the Ethernet endpoints connected over the ATM PVC. The remote MAC address 0090.a9fd.249e is the network interface card on "anne's" PC. The MAC address 0004.6d7f.6038 is that used on the ATM interface at the San Jose PE router.

Example 2-47. VPDN Information for the PPPoE Client Session

SanJose_PE#show vpdn | begin PPPoE
PPPoE Tunnel and Session Information Total tunnels 1 sessions 1

PPPoE Session Information
UID  SID  RemMAC          LocMAC          Intf  VASt  OIntf     VP/VC  Session state
58   3    0090.a9fd.249e  0004.6d7f.6038  Vi5   UP    ATM2/0.1  1/32   CNCT_PTA
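The two Ethertypes described above are easiest to understand by decoding frames. The following is an added example, not code from the book: it parses the Ethernet and PPPoE headers of a frame, classifies it as discovery (0x8863) or session (0x8864), names the discovery code (PADI, PADO, PADR, PADS, PADT) or the PPP protocol carried in a session frame, and rejects a session frame whose session ID is zero or whose length field overruns the frame. The sample frames are constructed here using the MAC addresses and session ID from Example 2-47; the helper names are the author's own.

```python
"""Classify PPPoE frames by Ethertype and decode their headers.

Added example (not the book's code).  PPPoE header layout per RFC 2516:
version/type (1 byte, 0x11), code (1), session id (2), length (2), payload.
"""
import struct
from typing import Dict, List

ETH_PPPOE_DISCOVERY = 0x8863   # control packets that set up / tear down the session
ETH_PPPOE_SESSION = 0x8864     # data packets whose payload is a PPP packet

DISCOVERY_CODES = {0x09: "PADI", 0x07: "PADO", 0x19: "PADR", 0x65: "PADS", 0xA7: "PADT"}
# A few PPP protocol numbers commonly seen inside session frames.
PPP_PROTOCOLS = {0xC021: "LCP", 0xC023: "PAP", 0xC223: "CHAP", 0x8021: "IPCP", 0x0021: "IPv4"}


def mac_to_cisco(mac: bytes) -> str:
    """Render a MAC the way IOS prints it, e.g. 0090.a9fd.249e."""
    h = mac.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def parse_pppoe_frame(frame: bytes) -> Dict[str, object]:
    """Decode Ethernet + PPPoE headers; raise ValueError for anything malformed."""
    if len(frame) < 20:
        raise ValueError("frame too short for Ethernet + PPPoE header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype not in (ETH_PPPOE_DISCOVERY, ETH_PPPOE_SESSION):
        raise ValueError(f"not a PPPoE frame (Ethertype 0x{ethertype:04x})")
    vt, code, session_id, length = struct.unpack("!BBHH", frame[14:20])
    if vt != 0x11:  # version 1, type 1 are the only defined values
        raise ValueError(f"unexpected PPPoE version/type 0x{vt:02x}")
    payload = frame[20:20 + length]
    if len(payload) != length:
        raise ValueError("PPPoE length field exceeds the frame")
    info: Dict[str, object] = {
        "src": mac_to_cisco(src), "dst": mac_to_cisco(dst),
        "session_id": session_id, "length": length,
    }
    if ethertype == ETH_PPPOE_DISCOVERY:
        info["stage"] = "discovery"
        info["code"] = DISCOVERY_CODES.get(code, f"unknown(0x{code:02x})")
    else:
        info["stage"] = "session"
        if code != 0x00 or session_id == 0:
            raise ValueError("session frame must have code 0 and a non-zero session id")
        if length < 2:
            raise ValueError("session frame carries no PPP protocol field")
        (ppp_proto,) = struct.unpack("!H", payload[:2])
        info["ppp_protocol"] = PPP_PROTOCOLS.get(ppp_proto, f"0x{ppp_proto:04x}")
    return info


def build_frame(dst: bytes, src: bytes, ethertype: int, code: int,
                session_id: int, payload: bytes) -> bytes:
    """Assemble a PPPoE frame (used here only to construct sample input)."""
    return (struct.pack("!6s6sH", dst, src, ethertype)
            + struct.pack("!BBHH", 0x11, code, session_id, len(payload))
            + payload)


# Constructed samples using the MACs and SID shown in Example 2-47.
ANNE_PC = bytes.fromhex("0090a9fd249e")
SANJOSE_PE = bytes.fromhex("00046d7f6038")
BROADCAST = b"\xff" * 6
SAMPLE_FRAMES: List[bytes] = [
    # PADI: the client broadcasts with session id 0 (tag list omitted for brevity)
    build_frame(BROADCAST, ANNE_PC, ETH_PPPOE_DISCOVERY, 0x09, 0, b""),
    # Session frame carrying an LCP packet on session 3
    build_frame(SANJOSE_PE, ANNE_PC, ETH_PPPOE_SESSION, 0x00, 3, b"\xc0\x21\x01\x01\x00\x04"),
    # PADT: the PE terminates session 3
    build_frame(ANNE_PC, SANJOSE_PE, ETH_PPPOE_DISCOVERY, 0xA7, 3, b""),
]


def summarize(frames: List[bytes]) -> List[str]:
    """One line per frame, in the spirit of a session-state log."""
    out = []
    for f in frames:
        i = parse_pppoe_frame(f)
        what = i.get("code") or i.get("ppp_protocol")
        out.append(f"{i['stage']} {what} sid={i['session_id']} {i['src']} -> {i['dst']}")
    return out


if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_FRAMES)))
```

The same classifier, fed from a capture on the ATM-facing Ethernet segment, lets you confirm that discovery traffic (0x8863) is limited to session setup and teardown and that every data frame (0x8864) carries the session ID that the PE reports in show vpdn.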

You can view the actual PPP session for "anne" by displaying the active users on the San Jose PE router shown in Example 2-48. The address 192.168.3.5 has been allocated from the EuroBank local pool. Meanwhile, L2TP VPDN users "eric" and "jimi" are still connected. They must be hard workers to be logged in for so long!

Example 2-48. PPPoE DSL and VPDN User Information

SanJose_PE#show user
[snip]
  Interface    User                 Mode       Idle      Peer Address
  Vi3          [email protected]     PPPoVPDN   14:12:23  192.168.3.3
  Vi7          anne@eurobank_palo   PPPoE      00:03:14  192.168.3.5
  Vi6          [email protected]     PPPoVPDN   14:18:18  192.168.3.2

In Example 2-49, the PPP session has been terminated on virtual-access7, cloned from virtual-template1 as per the vpdn-group 4 configuration in Example 2-46.

Example 2-49. PPPoE Virtual-Access Interface

SanJose_PE#show interface vi7
virtual-Access7 is up, line protocol is up
  Hardware is Virtual Access interface
  Interface is unnumbered. Using address of Loopback11 (192.168.2.100)
  MTU 1492 bytes, BW 100000 Kbit, DLY 100000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, LCP Open
  Open: IPCP
  PPPoE vaccess, cloned from AAA, virtual-Template1
  Bound to ATM2/0.1 VCD: 1, VPI: 1, VCI: 32, loopback not set
[snip]

SanJose_PE#show ip vrf EuroBank
  Name                             Default RD          Interfaces
  EuroBank                         10:27               virtual-Access3
                                                       virtual-Access7
                                                       Loopback11

DSL Access Using PPPoX and VPDN (L2TP)

All the DSL scenarios discussed so far have terminated directly on the PE router. However, you can separate the DSL PPP termination function from the PE router function by using the L2TP VPDN architecture, as discussed in the earlier section, "Dial-In Access via Direct ISDN." L2TP VPDN provides the scalability required for large scale DSL to MPLS VPN terminations. Figure 2-24 shows the EuroBank Palo Alto DSL PE router using PPPoX and L2TP to access the San Jose PE router. The LAC function in this case is most likely a Cisco 6400 universal access concentrator.

Figure 2-24. PPPoX Using VPDN (L2TP)

For the purposes of simplifying Figure 2-24, we have shown the Palo Alto CPE capable of operating in either mode: PPPoE where the CPE acts as a bridge, or PPPoA where the CPE acts as a router.

If the CPE were configured to support PPPoE, the following call processing would occur:

Step 1. The user anne@eurobank.com initiates a PPPoE session from her PC.

Step 2. The PPP packet encapsulated in an Ethernet frame is transported over the ATM PVC by using RFC 1483 bridged mode.

Step 3. When the NAS (most likely a 6400 universal access concentrator) receives the initial packet, it looks for a VPDN group that has the protocol pppoe command configured.

Step 4. The VPDN group points to a virtual-template that you can use to clone a virtual-access interface for the PPP session. This virtual-access interface acts as the output interface to the L2TP tunnel, which is created in the next steps.

Step 5. The NAS or universal access concentrator challenges the PPPoE client for a username and password. Because VPDN is configured, the domain name eurobank.com is used to search for a VPDN group or to query the SuperCom RADIUS server for L2TP tunnel information.

Step 6. An L2TP tunnel is then built to the LNS.

Step 7. The LNS receives the full username anne@eurobank.com through the tunnel and authenticates it using the appropriate RADIUS server (either the customer's or the service provider's).

Step 8. The information returned from the RADIUS server is then used to configure a virtual-access interface and provide an IP address to the PPPoE client.

If the CPE is configured for PPPoA, the following call processing occurs:

Step 1. The DSL CPE initiates a PPPoA call.

Step 2. The PPP packet is carried directly in RFC 1483 encapsulation.

Step 3. The NAS/universal access concentrator receives the packet and creates a virtual-access interface from the virtual-template defined on the PVC configuration. This virtual interface is used as the output interface for the L2TP tunnel, to be created in the next steps.

Step 4. From this point, the steps are the same as from Step 5 in the PPPoE scenario.

Configuring the SuperCom San Jose NAS/Universal Access Concentrator

Example 2-50 shows the necessary VPDN configuration for the San Jose NAS/universal access concentrator. VPDN group 1 is used to terminate any PPPoE sessions. VPDN group 10 is used to create an L2TP tunnel to the San Jose VHG/PE router for any PPPoX users who have the domain "eurobank.com."

NOTE

We could have just as easily retrieved the vpdn-group 10 configuration from the SuperCom RADIUS server instead of statically configuring it, in the same manner that we have done in the Dial-In using VPDN (L2TP) scenario covered at the beginning of this chapter. If a Cisco 6400 universal access concentrator is being used as the LAC, then Cisco IOS 12.2(3)B onward must be used to support retrieving L2TP tunnel information from the RADIUS server. However, because we have explicitly defined the vpdn-group for the tunnel, no RADIUS server configuration was necessary.
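Steps 3 to 6 of the PPPoE call processing, and the vpdn-group configuration of Example 2-50 that implements them, amount to a lookup: the domain part of the username selects a request-dialin vpdn-group, and that group's initiate-to address, local name and tunnel password define the L2TP tunnel to the LNS. The following is an added example, not code from the book or from Cisco: it parses vpdn-group stanzas out of an IOS configuration, performs the domain-based selection, and flags any request-dialin L2TP group that carries no explicit tunnel password so that the secret's origin can be verified. The configuration text is a constructed copy of Example 2-50; it assumes vpdn search-order domain, and the helper names are the author's own.

```python
"""Parse IOS vpdn-group configuration and pick the L2TP tunnel for a user.

Added example (not the book's code).  Models the LAC's domain-based
tunnel selection with 'vpdn search-order domain' (assumed, not parsed).
"""
import re
from typing import Dict, List, Optional

# Constructed copy of Example 2-50.
SAMPLE_CONFIG = """\
vpdn enable
vpdn search-order domain
!
vpdn-group 1
 accept-dialin
  protocol pppoe
  virtual-Template 1
!
vpdn-group 10
 request-dialin
  protocol l2tp
  domain eurobank.com
 initiate-to ip 194.22.15.2
 local name SuperCom_LAC
 l2tp tunnel password vision
"""


def parse_vpdn_groups(config: str) -> Dict[str, Dict[str, object]]:
    """Return {group-name: attributes} for every vpdn-group in the config.

    Lines are matched by their leading keyword; the indentation that marks
    the accept-dialin / request-dialin sub-mode is not needed here.
    """
    groups: Dict[str, Dict[str, object]] = {}
    current: Optional[Dict[str, object]] = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        m = re.match(r"vpdn-group (\S+)$", line)
        if m:
            current = {"name": m.group(1), "mode": None, "protocol": None,
                       "domains": [], "initiate_to": None, "local_name": None,
                       "tunnel_password": None, "virtual_template": None}
            groups[m.group(1)] = current
            continue
        if current is None:
            continue  # global commands such as 'vpdn enable'
        if line in ("accept-dialin", "request-dialin"):
            current["mode"] = line
        elif line.startswith("protocol "):
            current["protocol"] = line.split()[1]
        elif line.startswith("domain "):
            current["domains"].append(line.split()[1].lower())
        elif line.startswith("initiate-to ip "):
            current["initiate_to"] = line.split()[2]
        elif line.startswith("local name "):
            current["local_name"] = line.split(None, 2)[2]
        elif line.startswith("l2tp tunnel password "):
            current["tunnel_password"] = line.split(None, 3)[3]
        elif line.lower().startswith("virtual-template "):
            current["virtual_template"] = line.split()[1]
    return groups


def select_tunnel(username: str,
                  groups: Dict[str, Dict[str, object]]) -> Optional[Dict[str, object]]:
    """Step 5: use the username's domain to find the request-dialin L2TP group."""
    if "@" not in username:
        return None  # no domain: the LAC terminates the PPP session locally
    domain = username.rsplit("@", 1)[1].lower()
    for g in groups.values():
        if g["mode"] == "request-dialin" and g["protocol"] == "l2tp" and domain in g["domains"]:
            return {"lns": g["initiate_to"], "local_name": g["local_name"],
                    "tunnel_password": g["tunnel_password"], "group": g["name"]}
    return None


def audit_groups(groups: Dict[str, Dict[str, object]]) -> List[str]:
    """Flag request-dialin L2TP groups with no explicit tunnel password.

    The tunnel secret may also come from a username entry or from RADIUS,
    so a hit is something to verify rather than a definite fault.
    """
    findings = []
    for g in groups.values():
        if g["mode"] == "request-dialin" and g["protocol"] == "l2tp" and not g["tunnel_password"]:
            findings.append(f"vpdn-group {g['name']}: no 'l2tp tunnel password' configured")
    return findings


if __name__ == "__main__":
    parsed = parse_vpdn_groups(SAMPLE_CONFIG)
    print(select_tunnel("anne@eurobank.com", parsed))
    print(audit_groups(parsed))
```

For anne@eurobank.com the selection returns vpdn-group 10 with LNS 194.22.15.2, which is the tunnel peer that later appears as Remote Address in Examples 2-52 and 2-53; a user with an unknown domain, or no domain at all, gets no tunnel and would be terminated on the LAC itself.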



Example 2-50. San Jose NAS/Universal Access Concentrator VPDN Configuration

vpdn enable
vpdn search-order domain
!
vpdn-group 1
 accept-dialin
  protocol pppoe
  virtual-Template 1
!
vpdn-group 10
 request-dialin
  protocol l2tp
  domain eurobank.com
 initiate-to ip 194.22.15.2
 local name SuperCom_LAC
 l2tp tunnel password vision

Example 2-51 shows the interface configuration to terminate the PPPoX sessions. ATM0/0/0.2 uses PVC 1/32 to terminate any PPPoE clients that are connected via a bridged CPE. It uses the PPPoE vpdn-group (as described in Step 3 of the PPPoE call processing) to find the virtual-template so that a virtual-access interface can be cloned. ATM0/0/0.3 uses PVC 1/33 to connect to a CPE that is configured for PPPoA. It directly uses virtual-template1 to clone a virtual-access interface. In both cases, the virtual-access interface cloned from the template will be used as the output interface for the L2TP tunnel (going to the San Jose PE router).

Example 2-51. San Jose NAS/Universal Access Concentrator PPPoX Interface Configuration

!
interface ATM0/0/0.2 point-to-point
 Description Termination for PPPoE clients from PVC 1/32
 no ip route-cache
 no ip mroute-cache
 pvc 1/32
  encapsulation aal5snap
  protocol pppoe
!
interface ATM0/0/0.3 point-to-point
 Description Termination for PPPoA DSL CPE from PVC 1/33
 no ip route-cache
 no ip mroute-cache
 pvc 1/33
  encapsulation aal5mux ppp virtual-Template1
!
interface virtual-Template1
 no ip address
 no keepalive
 no peer default ip address
 ppp authentication chap callin

It is not necessary to show the San Jose PE router configuration or per-user RADIUS attributes because these are the same as those discussed in previous scenarios.

Verifying PPPoX and VPDN Operation

The output in Example 2-52 shows the VPDN session information for the user "anne" who has connected to the San Jose NAS/universal access concentrator by using PPPoE. (Assume that the Palo Alto CPE has been configured appropriately.) Virtual-access2 has been created to terminate the PPPoE and provide an output interface to the L2TP tunnel that has been created to 194.22.15.2 (San Jose PE router).

Example 2-52. PPPoE and L2TP Session Information

SanJose_UAC#show vpdn
L2TP Tunnel and Session Information Total tunnels 1 sessions 1

LocID RemID Remote Name    State  Remote Address  Port  Sessions
27748 34770 SuperCom_LNS   est    194.22.15.2     1701  1

LocID RemID TunID Intf  Username       State  Last Chg  Fastswitch
24    41    27748 Vi2   anne@eurobank  est    00:15:54  enabled

%No active L2F tunnels

PPPoE Tunnel and Session Information Total tunnels 1 sessions 1

PPPoE Tunnel Information
Session count: 1

PPPoE Session Information
SID  RemMAC          LocMAC          Intf  VASt  OIntf       VP/VC
1    0004.27fd.249e  0004.c12b.b807  Vi2   UP    ATM0/0/0.2  1/32

SanJose_UAC#show user
    Line       User        Host(s)               Idle      Location
*   0 con 0                idle                  00:00:00
    Vi2        anne@eurob  Virtual PPP (PPPoE )  00:17:30

The Palo Alto DSL CPE has now been reconfigured to operate in PPPoA mode. The output in Example 2-53 shows the session and user information. The PPPoA session has been terminated on virtual-access1 and an L2TP session has been created to the San Jose PE router.

Example 2-53. PPPoA and L2TP Session Information

SanJose_UAC#show vpdn
L2TP Tunnel and Session Information Total tunnels 1 sessions 1

LocID RemID Remote Name    State  Remote Address  Port  Sessions
26460 4452  SuperCom_LNS   est    194.22.15.2     1701  1

LocID RemID TunID Intf  Username        State  Last Chg  Fastswitch
26    65    26460 Vi1   paloalto@euro   est    00:05:22  enabled

SanJose_UAC#show user
    Line       User        Host(s)               Idle      Location
*   0 con 0                idle                  00:00:00
    Vi1        paloalto@e  Virtual PPP (ATM )    00:04:10

Providing Cable Access to an MPLS VPN

The Data-over-Cable Service Interface Specification (DOCSIS) is a standard that allows data traffic to be carried over a cable network that is primarily used for delivering television channels. Data is transmitted by using radio frequency (RF) signals over the cable system. Two-way communication is achieved by providing a "downstream" carrier signal from the cable network to the customer and an "upstream" carrier signal from the customer to the cable network. Cable modems are devices at the customer premises that convert a digital data stream to an RF signal (upstream) and RF back to digital data (downstream). At the head end of the cable network, a cable modem termination system (CMTS) performs the corresponding RF to data operation for many customers (many modems).

Normally, several hundred users can share a single 6-MHz downstream channel and one or more upstream channels. The downstream channel takes the place of a single television transmission channel.

In a DOCSIS 1.0-compliant hybrid fiber-coaxial (HFC) network (or just cable for short), the physical cable interface from a head end router can have many branches, each terminating at a cable modem. Access to an MPLS VPN is achieved through a cable subinterface that has a VRF statically configured on it. Version 1.0 of the DOCSIS specification uses a Service ID (SID) to identify a particular cable modem and all the devices (PCs) behind it. Traffic from the same SID always terminates on the same subinterface at the cable head end PE router; therefore, all CPEs that are connected to the same modem are in the same VPN.

Figure 2-25 shows a cable access scenario in the SuperCom network. Both our customers, EuroBank and FastFoods, have cable users connected to their VPNs. The SuperCom San Jose PE router has been upgraded to offer cable services and physically terminates the cable on interface Cable 3/0. The EuroBank and FastFoods cable modems logically terminate on separate subinterfaces of Cable 3/0. Table 2-13 shows the various address assignments to be used in our cable example.

Figure 2-25. Cable Access to SuperCom MPLS VPN

Table 2-13. IP Address Assignment for SuperCom Cable Access

Company     Site                                          Subnet/Host
SuperCom    Default/Management interface (Cable 3/0.1)    194.22.17.0
SuperCom    DHCP server host                              194.22.16.3
EuroBank    Host subnets                                  10.7.1.0/24
EuroBank    Cable modem subnet (Cable 3/0.5)              192.168.4.0
EuroBank    DHCP server                                   196.7.25.32
FastFoods   Host subnet                                   10.7.1.0/24
FastFoods   Cable modem subnet (Cable 3/0.6)              192.168.4.1

Each cable subinterface on the San Jose head end PE router is configured with the following:

• A VRF name—EuroBank or FastFoods.

• A primary address—192.168.4.1/28 for EuroBank and 192.168.4.17/28 for FastFoods. The primary address subnet is the one from which the SuperCom DHCP server allocates IP addresses for all cable modems that will be part of that VRF. For example, all EuroBank cable modems (assuming there is more than one) that connect to the San Jose head end PE router are allocated an address from 192.168.4.0/28.

• A secondary address—10.7.1.1/24. Both FastFoods and EuroBank use the same subnet for cable users, but there is no overlap because the subnet is in different VRFs. The secondary address subnet is used to satisfy DHCP requests from CPE hosts (PCs) that are connected to the cable modems. Either the SuperCom DHCP server or the customer DHCP server can supply addresses. In either case, the server must be reachable within the VRF. You can achieve this through the use of static routes or a management extranet, as discussed earlier in the "Dial-In Access via L2TP VPDN" section.

• A DHCP helper address for cable modem address requests and another helper address for PC host address requests. (They can be the same server address.)

In our example, the SuperCom DHCP server supplies all cable modem IP addresses. (The server has a DHCP scope configured for 192.168.4.0/28 and 192.168.4.16/28.) The EuroBank PC users obtain addresses directly from the EuroBank DHCP server located in Paris, whereas the FastFoods PC users receive their addresses from the SuperCom RADIUS server.

Referring to Figure 2-25, the steps for obtaining cable connectivity are as follows:

Step 1. When the EuroBank or FastFoods cable modem is powered up, it issues a DHCP Discover for an IP address.

Step 2. At this point, the San Jose head end PE router cannot determine which subinterface (hence which VRF) this cable modem is associated with. In this case, it uses information from the subinterface that is configured on Cable 3/0 as its default. It relays the request by using the helper address (for cable modems) that is defined on Cable 3/0.1, with giaddr set to 194.22.17.1. The helper address in this case is the SuperCom DHCP server, 194.22.16.3.

NOTE

Remember from our previous discussions on DHCP that the giaddr is used in the relayed packet to indicate the source of the relay and the subnet for the address that is being requested.

Step 3. When the SuperCom DHCP server receives the request, it uses the giaddr and the address of the cable modem to determine which scope to provide an address from. The modem MAC address must have previously been provisioned in the DHCP server.


Step 4. The DHCP server returns an address out of the appropriate pool (192.168.4.0/28 or 192.168.4.16/28) for the EuroBank or FastFoods modem in a DHCP Offer message.

Step 5. Any subsequent communication from the modem, such as a DHCP Request or DHCP Renew, is sent directly to the SuperCom DHCP server.


Step 6. When the San Jose head end PE router receives these messages from the cable modem, it can determine the correct subinterface to associate the packet with (through the SID) and hence the VRF. This means that the SuperCom DHCP server must be reachable within the VRF.

Step 7. The PC clients issue a DHCP Discover to obtain an IP address.

Step 8. The PC request is relayed to the helper address that is defined on the subinterface for hosts. The giaddr is set to the secondary address of the interface. (Remember: The primary address that is configured is for modems, and the secondary address is used for client PCs.) Depending on the value of the helper address, the packet is relayed to the SuperCom DHCP server or the customer's DHCP server. If the DHCP request came from a FastFoods user, the packet is relayed to the SuperCom DHCP server to obtain an address.

Step 9. If the DHCP request came from a EuroBank user, the request is relayed to the EuroBank DHCP server to obtain an address for the PC.

NOTE

There is no user authorization and authentication necessary in the cable access solution. The cable subinterfaces cannot be dynamically configured. All the appropriate configurations must be in place before the cable modem is first connected.
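The relay decisions in Steps 1 through 9 (which subinterface a request is relayed from, whether the primary or secondary address goes into giaddr, which helper address is used, and how the SuperCom DHCP server picks a scope), as an added Python simulation that is not code from the book or from Cisco IOS. Interface addresses are taken from Table 2-13 and Example 2-54; the SID-to-subinterface map, the modem provisioning table, the lease bookkeeping and the PC MAC address are constructed for the example.

```python
"""Simulation of the cable-access DHCP relay flow in Steps 1-9 (an added
illustration, not code from the book or from Cisco IOS)."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, Optional, Set

MODEM, HOST = "cable-modem", "hosts"   # the two 'cable helper-address' request types


@dataclass(frozen=True)
class Subif:
    vrf: Optional[str]                 # None: global table (Cable3/0.1)
    primary: IPv4Address               # giaddr used for modem requests
    secondary: Optional[IPv4Address]   # giaddr used for host (PC) requests
    helper_modem: IPv4Address          # 'cable helper-address ... cable-modem'
    helper_hosts: IPv4Address          # 'cable helper-address ... hosts'


# Example 2-54 expressed as data (Cable3/0.1 has one helper for both request types)
SUBIFS: Dict[str, Subif] = {
    "Cable3/0.1": Subif(None, IPv4Address("194.22.17.1"), None,
                        IPv4Address("194.22.16.3"), IPv4Address("194.22.16.3")),
    "Cable3/0.5": Subif("EuroBank", IPv4Address("192.168.4.1"), IPv4Address("10.7.1.1"),
                        IPv4Address("194.22.16.3"), IPv4Address("196.7.25.32")),
    "Cable3/0.6": Subif("FastFoods", IPv4Address("192.168.4.17"), IPv4Address("10.7.1.1"),
                        IPv4Address("194.22.16.3"), IPv4Address("194.22.16.3")),
}


@dataclass(frozen=True)
class Relayed:
    subif: str
    vrf: Optional[str]
    giaddr: IPv4Address
    helper: IPv4Address


def relay(sid_map: Dict[int, str], sid: Optional[int], kind: str) -> Relayed:
    """Steps 2, 6 and 8 on the head-end PE. A modem whose SID is not yet bound
    to a subinterface (its first Discover) is relayed from Cable3/0.1; once the
    SID is known it selects the VRF subinterface. 'cable dhcp-giaddr policy'
    puts the primary address in giaddr for modem requests and the secondary
    address for host requests; the helper is the one for that request type."""
    name = "Cable3/0.1" if sid is None else sid_map.get(sid, "Cable3/0.1")
    s = SUBIFS[name]
    if kind == MODEM:
        return Relayed(name, s.vrf, s.primary, s.helper_modem)
    giaddr = s.secondary if s.secondary is not None else s.primary  # no secondary on 3/0.1
    return Relayed(name, s.vrf, giaddr, s.helper_hosts)


@dataclass
class DhcpServer:
    """SuperCom DHCP server (194.22.16.3). Modem MACs must be provisioned into a
    customer scope beforehand (Step 3); host scopes are matched on giaddr."""
    modems: Dict[str, IPv4Network] = field(default_factory=dict)              # MAC -> scope
    scopes: Dict[IPv4Network, Set[IPv4Address]] = field(default_factory=dict)  # scope -> leased

    def offer(self, req: Relayed, mac: str, kind: str) -> Optional[IPv4Address]:
        """Step 4: pick the scope and return a free address, or None (no Offer)."""
        if kind == MODEM:
            scope = self.modems.get(mac)   # unprovisioned modem: request is dropped
        else:
            # Both VRFs relay host requests with giaddr 10.7.1.1, so giaddr alone
            # cannot tell them apart; that is the address overlap the chapter warns about.
            scope = next((n for n in self.scopes if req.giaddr in n), None)
        if scope is None:
            return None
        leased = self.scopes.setdefault(scope, set())
        for addr in list(scope.hosts())[1:]:   # first host is the PE subinterface address
            if addr not in leased:
                leased.add(addr)
                return addr
        return None                            # pool exhausted


def fastfoods_walkthrough() -> Dict[str, str]:
    """Steps 1-9 for the FastFoods modem of Example 2-56 and one PC behind it."""
    server = DhcpServer(modems={"0002.fdfa.0d77": IPv4Network("192.168.4.16/28")},
                        scopes={IPv4Network("10.7.1.0/24"): set()})
    sid_map: Dict[int, str] = {}
    first = relay(sid_map, None, MODEM)                      # Steps 1-2: SID not known yet
    modem_ip = server.offer(first, "0002.fdfa.0d77", MODEM)  # Steps 3-4
    sid_map[1] = "Cable3/0.6"          # modem comes online with SID 1 on the FastFoods subif
    renew = relay(sid_map, 1, MODEM)                         # Steps 5-6
    pc = relay(sid_map, 1, HOST)                             # Steps 7-8
    pc_ip = server.offer(pc, "0000.0000.0001", HOST)         # constructed PC MAC
    return {"first_giaddr": str(first.giaddr), "first_helper": str(first.helper),
            "modem_ip": str(modem_ip), "renew_giaddr": str(renew.giaddr),
            "pc_giaddr": str(pc.giaddr), "pc_helper": str(pc.helper), "pc_ip": str(pc_ip)}
```

The walkthrough reproduces the two giaddr values seen in the Example 2-55 debug (194.22.17.1 for the first Discover, 192.168.4.17 once the SID is bound) and the 192.168.4.18 modem address of Example 2-56; a modem whose MAC was never provisioned gets no Offer at all.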

Configuring the SuperCom Head End PE Router

Example 2-54 shows the PE router configuration to provide cable access to the EuroBank and FastFoods VPN.

Example 2-54. San Jose PE Router Configuration for Cable Access

ip dhcp relay information option
!
interface Cable3/0.1
 description Non-VPN and modems
 ip address 194.22.17.1 255.255.255.0
 cable dhcp-giaddr policy
 cable helper-address 194.22.16.3
!
interface Cable3/0.5
 description EuroBank Cable Network
 ip vrf forwarding EuroBank
 ip address 10.7.1.1 255.255.255.0 secondary
 ip address 192.168.4.1 255.255.255.240
 cable dhcp-giaddr policy
 cable helper-address 194.22.16.3 cable-modem
 cable helper-address 196.7.25.32 hosts
!
interface Cable3/0.6
 description FastFoods Cable Network
 ip vrf forwarding FastFoods
 ip address 10.7.1.1 255.255.255.0 secondary
 ip address 192.168.4.17 255.255.255.240
 cable dhcp-giaddr policy
 cable helper-address 194.22.16.3
!
ip route 192.168.4.0 255.255.255.240 Cable3/0.5
ip route 192.168.4.16 255.255.255.240 Cable3/0.6
ip route 10.7.1.1 255.255.255.0 Cable3/0.6
ip route vrf EuroBank 194.22.16.3 255.255.255.255 FastEthernet2/0 194.22.16.3 global
ip route vrf FastFoods 194.22.16.3 255.255.255.255 FastEthernet2/0 194.22.16.3 global

The ip dhcp relay information option command inserts additional information (circuit identifier and the remote ID) into the relayed packet that the DHCP server can use for additional processing. Interface Cable 3/0.1 is used to initially relay the DHCP Discover message to the SuperCom DHCP server by using the helper address 194.22.16.3. Because this interface is not associated with a VRF, all non-VPN cable modems and host PCs also use it.

The cable dhcp-giaddr policy command that appears under all the subinterfaces directs the router to use the primary or secondary address in the giaddr depending on whether it is a cable modem or host PC address request.

The subinterfaces Cable 3/0.5 and Cable 3/0.6 have primary and secondary addresses defined to allow connectivity to both cable modems and host PCs. Because EuroBank uses the SuperCom DHCP server for its cable modem addresses and its own DHCP server to allocate PC addresses, there are corresponding helper addresses configured for cable modems or hosts. FastFoods relies on SuperCom to provide all addresses; therefore, there is only a single helper address needed for both types of requests. These helper addresses are specified by using the cable helper-address command.

By I van Pepelnjak Jeff Apcar I nJim ourGuichard cable ,ex amp le, w e , h ave opt ed

t o use st at ic r out es t o allow t h e appr opr iat e conn ect iv it y bet w een t h e cab le subnet s an d t he Sup er Com DHCP ser v er . How ever , in pr act ice, it mig ht be m secur t oer:place he Super Com DHCP serv er int o it s ow n m an agement VRF, as d iscussed p rev iou Pubelish Cisco tPress t he Pub " DialI n Access via Dat e: Ju ne 06, 2 00 3 L2TP VPDN" sect ion. I SBN: 1- 58 705 -1 12 -5 Pages: 50 4

NOTE

In our example, we have had to inject the RFC 1918 private subnet 10.7.1.0/24 into the global table to provide the SuperCom DHCP server access to the FastFoods subnet. In practice, this is not recommended because of the possibility of overlapping addresses. You should use registered customer addresses in the global space if possible.

Verifying Cable Operation

The debug output in Example 2-55 was generated from a DHCP Discover due to the initialization of the FastFoods cable modem. When the DHCP Discover message is received (in a BOOTP Request), it is forwarded to 194.22.16.3 (SuperCom DHCP) with the giaddr of 194.22.17.1. The DHCP Offer is forwarded back (in a BOOTP Reply). When the DHCP Request is received from the cable modem (to confirm use of the address allocated), the giaddr used is 192.168.4.17, which is that of the FastFoods subinterface. (The router now knows the association between the cable modem and the subinterface.)

Example 2-55. Debug of FastFoods Modem Address Request

DHCPD: adding relay information option.
DHCPD: setting giaddr to 194.22.17.1.
DHCPD: BOOTREQUEST from 0100.02fd.fa0d.77 forwarded to 194.22.16.3.
DHCPD: forwarding BOOTREPLY to client 0002.fdfa.0d77.
DHCPD: validating relay information option.
DHCPD: broadcasting BOOTREPLY to client 0002.fdfa.0d77.
DHCPD: adding relay information option.
DHCPD: setting giaddr to 192.168.4.17.
DHCPD: BOOTREQUEST from 0100.02fd.fa0d.77 forwarded to 194.22.16.3.
DHCPD: forwarding BOOTREPLY to client 0002.fdfa.0d77.
DHCPD: validating relay information option.
DHCPD: broadcasting BOOTREPLY to client 0002.fdfa.0d77.


The output in Example 2-56 confirms the addresses that have been allocated for the EuroBank and FastFoods cable modems. Each modem has been allocated an address within its respective VRF from the subnet that is defined on the primary address.

Example 2-56. Cable Modem Address Allocation

SanJose_PE#show cable modem
Interface    Prim Online  Timing Rec   QoS CPE IP address     MAC address
             Sid  State   Offset Power
Cable3/0/U1  1    online  2812   -0.50 5   0   192.168.4.18   0002.fdfa.0d77
Cable3/0/U0  2    online  2812   0.25  5   0   192.168.4.4    0003.e350.92e9

SanJose_PE#show ip vrf int
Interface      IP-Address      VRF          Protocol
Cable3/0.5     192.168.4.1     EuroBank     up
Cable3/0.6     192.168.4.17    FastFoods    up

DHCP requests for PC clients are relayed as per normal operation; the only difference is that the secondary address is used as the giaddr.

Advanced Features for MPLS VPN Remote Access

The previous sections have covered basic integration of remote access technologies (dial-up, DSL, and cable) into the MPLS VPN environment. This section covers some advanced Cisco IOS features that you can use with remote access and includes the following:

• On-demand address pools (ODAPs)

• Per-VRF AAA

• DHCP relay—VPN support

ODAPs

In most dial-up scenarios, the dial-in server supplies an IP address to the dial-in user (or router). You can allocate the IP addresses to PPP sessions by using a variety of methods:

• Statically configured using the RADIUS Framed-IP-address attribute.

• Local address pools that can be either overlapping or nonoverlapping. Overlapping/nonoverlapping local pools are implemented and maintained locally on the router. Overlapping local pools have been used throughout the SuperCom examples.

• Addresses can also be provided from overlapping pools that the RADIUS server manages. If overlapping pools are configured on a RADIUS server, authentication and accounting must be configured on the same server.

• An address pool that a DHCP server manages. The DHCP server only maintains a common pool from which addresses are dynamically assigned upon request. This method does not provide the scalability of overlapping pools.

To supplement the existing address allocation methods, ODAPs were introduced in IOS 12.2(8)T. Using ODAPs allows an address pool to expand and contract based on address usage. Each ODAP is associated with a VRF and is initially populated with one or more subnets that a RADIUS or DHCP server provides.

If the allocation of addresses from a pool reaches a preset high utilization mark, additional subnets are leased from the RADIUS or DHCP server to satisfy demand. Conversely, if utilization falls below a certain level, subnets are handed back to the RADIUS or DHCP server that provided the lease. Each time a subnet is leased, a corresponding summarized route is inserted into the VRF; that route is removed when the lease is returned to the RADIUS or DHCP server.

A separate ODAP is configured for each VRF that requires address assignment services on a router. Both PPP and normal DHCP client requests can be serviced from the same pool.

NOTE

The RADIUS or DHCP server that is used in the network must support the leasing and returning of IP subnets on a per-VRF basis. ODAPs are supported in Cisco Access Registrar V1.7 onward.

Figur e 2- 2 6 illust r at es how ODAPs w ould w or k in t he Sup er Com net w ork t o p rov ide ad dr esses fo Fast Food s fr om t h e San Jose PE r out er .



Figu rs e Table of Content



I ndex

2 - 2 6 . Supe r Com ODAP for Fa st Foods

MP LS and V PN Ar chi te ctur e s, V olum e I I By Jim Guichard , I van Pepelnjak , Jeff Apcar

Pub lish er: Cisco Press Pub Dat e: Ju ne 06, 2 00 3 I SBN: 1- 58 705 -1 12 -5 Pages: 50 4

The following describes the operational steps for ODAP:

Step 1. The SuperCom RADIUS server has been allocated three /26 address blocks starting at 192.168.3.0 to support requests from the Fast Foods ODAP. Note that these address blocks do not have to be contiguous or unique. The same address blocks can be allocated to other pools in different VRFs. (The way the RADIUS server implements this varies between products and is not within the scope of this chapter; however, Cisco Access Registrar is recommended.)

Step 2. On startup, the San Jose PE router requests a subnet to populate its ODAP for Fast Foods. It does this through a RADIUS access-request message with the NAS-Identifier attribute set to "odap-dhcp" to allow the RADIUS server to distinguish it from a normal user authentication request. The User-Name attribute contains the VRF that the ODAP subnet is being requested for.

Step 3. The RADIUS server responds with the first available subnet from its resource pool. In this case, this is 192.168.3.0/26, which provides 62 useable addresses for PPP clients.

Step 4. A route is automatically placed into the Fast Foods VRF for 192.168.2.0/26. Multiprotocol BGP distributes this throughout the Fast Foods VPN.

Step 5. At this point, addresses can be allocated from the ODAP pool to any PPP client requests (could be from the NAS/LAC or direct ISDN) until the high utilization mark is reached.

Step 6. Assuming the high mark is reached, the San Jose PE router requests another address pool. The size of the pool it requests is configurable.

Step 7. The next available subnet, 192.168.3.64/26, is then passed and added to the ODAP for Fast Foods, leaving one subnet available in the RADIUS server. If no subnets are available, the RADIUS server responds with an access-reject message.

Step 8. A corresponding route for 192.168.3.64/26 is placed into the Fast Foods VRF.

Step 9. Addresses are then allocated from the expanded ODAP by using an available pool of 124 addresses until the low or high utilization mark is reached. Note that the utilization marks are a percentage of the total current pool size. If possible, addresses are allocated from the first leased subnet. Therefore, over time, the last leased subnet has addresses returned to it as PPP sessions terminate.

Step 10. Assuming that the low utilization mark has been reached, the last leased subnet (192.168.3.64/26) is released back to the RADIUS server if there are no active addresses currently being leased from it.

Step 11. When the subnet is returned to the RADIUS server, the corresponding route is removed from the Fast Foods VRF.
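The lifecycle in Steps 1 through 11, as an added example that is not part of the book: a small Python model of the PE-side pool and of the server that leases whole subnets per VRF. The OdapServer and Odap classes are constructions of this example, and the rule that the pool grows when utilization is at or above the high mark and shrinks when it is at or below the low mark with the last subnet idle is an assumption about the exact comparison used.

```python
# Added example (not from the book or IOS): a model of an ODAP that grows and
# shrinks between its utilization marks. Comparison semantics are assumptions.
from __future__ import annotations
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

class OdapServer:
    """RADIUS/DHCP side: leases whole subnets per VRF and takes them back."""
    def __init__(self, blocks: Dict[str, List[str]]) -> None:
        # Tracked per VRF, so the same range may be handed to several VRFs.
        self.free = {v: [ipaddress.IPv4Network(b) for b in nets] for v, nets in blocks.items()}

    def lease(self, vrf: str, prefixlen: int) -> Optional[ipaddress.IPv4Network]:
        """First free block of the requested size, or None (an Access-Reject)."""
        for net in self.free[vrf]:
            if net.prefixlen == prefixlen:
                self.free[vrf].remove(net)
                return net
        return None

    def release(self, vrf: str, net: ipaddress.IPv4Network) -> None:
        self.free[vrf].append(net)

@dataclass
class Subnet:
    net: ipaddress.IPv4Network
    leased: set = field(default_factory=set)   # addresses handed to PPP peers

@dataclass
class Odap:
    """PE side: one pool per VRF; marks are percentages of the current pool size."""
    vrf: str
    server: OdapServer
    high: int
    low: int
    initial: int = 26
    autogrow: int = 26
    subnets: List[Subnet] = field(default_factory=list)
    vrf_routes: set = field(default_factory=set)   # summarized Null0 routes in the VRF

    def start(self) -> bool:
        return self._grow(self.initial)

    def _grow(self, prefixlen: int) -> bool:
        net = self.server.lease(self.vrf, prefixlen)
        if net is None:
            return False                  # rejected: the pool cannot expand
        self.subnets.append(Subnet(net))
        self.vrf_routes.add(net)          # steps 4/8: route inserted with the lease
        return True

    def total(self) -> int:
        return sum(s.net.num_addresses - 2 for s in self.subnets)   # 62 per /26

    def leased(self) -> int:
        return sum(len(s.leased) for s in self.subnets)

    def utilization(self) -> float:
        return 100.0 * self.leased() / self.total() if self.subnets else 0.0

    def allocate(self) -> Optional[ipaddress.IPv4Address]:
        """Hand out an address, preferring the first leased subnet (step 9)."""
        for s in self.subnets:
            for host in s.net.hosts():
                if host not in s.leased:
                    s.leased.add(host)
                    self._check_marks()
                    return host
        return None

    def free(self, addr: ipaddress.IPv4Address) -> None:
        for s in self.subnets:
            s.leased.discard(addr)
        self._check_marks()

    def _check_marks(self) -> None:
        # Assumption: grow when at or above the high mark (steps 6/7); shrink when
        # at or below the low mark and the last leased subnet is idle (steps 10/11).
        if self.utilization() >= self.high:
            self._grow(self.autogrow)
        elif len(self.subnets) > 1 and self.utilization() <= self.low:
            last = self.subnets[-1]
            if not last.leased:
                self.subnets.pop()
                self.vrf_routes.discard(last.net)
                self.server.release(self.vrf, last.net)

def fastfoods_demo() -> dict:
    """The chapter's Fast Foods scenario: marks 3/2, three /26 blocks, two users."""
    server = OdapServer({"FastFoods": ["192.168.3.0/26", "192.168.3.64/26", "192.168.3.128/26"]})
    pool = Odap("FastFoods", server, high=3, low=2)
    pool.start()
    elvis, jimi = pool.allocate(), pool.allocate()      # second lease reaches 3.2%
    grown = (pool.total(), len(pool.subnets), sorted(str(r) for r in pool.vrf_routes))
    pool.free(jimi)                                     # 0.8% <= 2%, last subnet idle
    pool.free(elvis)
    return {"addresses": (str(elvis), str(jimi)), "after_two_users": grown,
            "after_release": (pool.total(), len(pool.subnets))}
```

With the 3/2 marks used later in Example 2-59, the second user pushes the pool to two subnets and 124 addresses; releasing that user drops it back to one subnet and removes the second Null0 route.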

Configuring the SuperCom San Jose PE Router

Example 2-57 shows the configuration that is necessary to enable ODAP for the Fast Foods VRF.

Example 2-57. San Jose PE Router Configuration for ODAP

aaa authentication ppp default local group radius
aaa authorization network default local group radius
aaa authorization configuration default group radius
ip address-pool dhcp-pool
ip dhcp pool FastFoods_ODAP
 vrf FastFoods
 utilization mark high 80
 utilization mark low 25
 origin aaa subnet size initial /26 autogrow /26
!
radius-server host 194.22.16.2 auth-port 1645 acct-port 1646 key a$4two
radius-server attribute 32 include-in-access-req
radius-server attribute 44 include-in-access-req
radius-server vsa send authentication

The aaa authorization configuration command allows the San Jose PE router to configure the ODAP with subnets received from the SuperCom RADIUS server. The command ip address-pool dhcp-pool enables ODAP as the global address mechanism for PPP sessions that terminate in a VRF; however, this default can be overridden at the interface level.

The ODAP is configured with the ip dhcp pool command for each VRF that requires it—in our case, for Fast Foods. The high and low utilizations are specified as a percentage (80% and 25%) of the total number of addresses in the pool (could be multiple subnets). The origin command activates the ODAP for the Fast Foods VRF. In our example, we obtain subnets from the AAA server, which is the SuperCom RADIUS server. The initial subnet requested is a /26 in size; thereafter, if expansion of the pool is necessary, the requested subnets are also /26.

When requesting a subnet, the RADIUS access-request message must contain the NAS-Identifier attribute ("odap-dhcp") and an accounting session-id attribute so that the RADIUS server can distinguish different subnet requests. This is achieved by allowing the RADIUS attributes 32 and 44 to be included in the message. In addition, the radius-server vsa send authentication command allows the PE router to include cisco-avpairs in the request—in particular, a "pool-mask" indicating the size of subnet required.

RADIUS Attributes

The RADIUS attributes remain relatively unchanged from previous examples except that the peer default address pool used is the DHCP pool for ODAP rather than a locally configured pool (see Table 2-14). This is achieved by using the interface command peer default ip address dhcp-pool.

Table 2-14. User Attributes for ODAP

Attribute (Type)      Value
User-Name (1)         elvis@fastfoods.com
User-Password (2)     whatsthebuzz
Service-Type (6)      1 (Framed)
Framed-Protocol (7)   1 (PPP)
Cisco-avpair          lcp:interface-config=ip vrf forwarding FastFoods\n[1]
                      ip unnumbered loopback 10\n
                      peer default ip address dhcp-pool

[1] The \n signifies an explicit carriage return. Usage varies between RADIUS server implementations.

NOTE

Because the global default on the San Jose PE router was set to ODAP with the ip address-pool dhcp-pool command, it is not necessary to enter a peer default command in the interface config.

Verifying ODAP Operation

The San Jose PE router and the SuperCom RADIUS server have had ODAP configured for both the Fast Foods and EuroBank VRFs. The output in Example 2-58 shows the RADIUS debug messages from the San Jose PE router requesting an initial subnet for Fast Foods. As you can see, the User-Name attribute consists of the VRF name. The cisco-avpair consists of the pool-mask indicating that a /26 subnet is required. The NAS-Identifier indicates to the RADIUS server that this is an ODAP request. The response from the SuperCom RADIUS server is subnet 192.168.3.0/26, which is used to initially configure the ODAP. The procedure is the same for the EuroBank VRF.

Example 2-58. ODAP RADIUS Access Request and Accept Messages

RADIUS(00000000): Send to unknown id 21645/68 194.22.16.2:1645, Access-Request, len 136
[snip]
RADIUS:  User-Name           [1]   11  "FastFoods"
RADIUS:  User-Password       [2]   18  *
RADIUS:  Vendor, Cisco       [26]  33
RADIUS:   Cisco AVpair       [1]   27  "pool-mask=255.255.255.192"
RADIUS:  Acct-Session-Id     [44]  10  "00000038"
RADIUS:  Nas-Identifier      [32]  11  "odap-dhcp"
RADIUS:  Vendor, Cisco       [26]  15
RADIUS:   cisco-nas-port     [2]   9   "Port 56"
RADIUS:  NAS-Port            [5]   6   60000
RADIUS:  NAS-IP-Address      [4]   6   194.22.15.2
RADIUS:  Service-Type        [6]   6   Outbound                  [5]
RADIUS: Received from id 21645/68 194.22.16.2:1645, Access-Accept, len 126
[snip]
RADIUS:  Termination-Action  [29]  6   1
RADIUS:  Vendor, Cisco       [26]  29
RADIUS:   Cisco AVpair       [1]   23  "pool-addr=192.168.3.0"
RADIUS:  Vendor, Cisco       [26]  33
RADIUS:   Cisco AVpair       [1]   27  "pool-mask=255.255.255.192"

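The request/accept exchange of Example 2-58, as an added example that is not part of the book: a small Python parser for this debug output that checks that the exchange is an ODAP subnet request (NAS-Identifier of "odap-dhcp", User-Name carrying the VRF), confirms the server answered with the requested subnet size, and derives the subnet and the Null0 route the PE inserts into the VRF. The regular expressions assume the column layout shown above, and the embedded sample is abridged from Example 2-58.

```python
# Added example (not from the book or IOS): parse 'debug radius' output for an
# ODAP subnet request and its Access-Accept, then derive the leased subnet.
import ipaddress
import re
from typing import Dict, List

# Sample abridged from Example 2-58; the layout of the columns is assumed.
DEBUG_OUTPUT = """\
RADIUS(00000000): Send to unknown id 21645/68 194.22.16.2:1645, Access-Request, len 136
RADIUS:  User-Name           [1]   11  "FastFoods"
RADIUS:  Vendor, Cisco       [26]  33
RADIUS:   Cisco AVpair       [1]   27  "pool-mask=255.255.255.192"
RADIUS:  Acct-Session-Id     [44]  10  "00000038"
RADIUS:  Nas-Identifier      [32]  11  "odap-dhcp"
RADIUS: Received from id 21645/68 194.22.16.2:1645, Access-Accept, len 126
RADIUS:  Termination-Action  [29]  6   1
RADIUS:   Cisco AVpair       [1]   23  "pool-addr=192.168.3.0"
RADIUS:   Cisco AVpair       [1]   27  "pool-mask=255.255.255.192"
"""

# A packet header names the RADIUS code; an attribute line is name, [type], length, value.
PACKET_RE = re.compile(r"^RADIUS(?:\(\d+\))?: (?:Send to|Received from) .*?(Access-\w+)")
ATTR_RE = re.compile(r'^RADIUS:\s+(\S.*?)\s+\[(\d+)\]\s+\d+\s+(.*)$')


def parse_exchange(text: str) -> List[Dict]:
    """Split the debug text into packets, each a dict of attribute name -> value."""
    packets: List[Dict] = []
    for line in text.splitlines():
        m = PACKET_RE.match(line)
        if m:
            packets.append({"code": m.group(1), "avpairs": {}})
            continue
        m = ATTR_RE.match(line)
        if not m or not packets:
            continue                      # '[snip]', vendor containers, etc.
        name, value = m.group(1).strip(), m.group(3).strip().strip('"')
        if name == "Cisco AVpair" and "=" in value:
            k, v = value.split("=", 1)    # e.g. pool-mask=255.255.255.192
            packets[-1]["avpairs"][k] = v
        else:
            packets[-1][name] = value
    return packets


def odap_lease_from_exchange(text: str) -> Dict:
    """Validate the exchange and derive the subnet the PE adds to the VRF."""
    req, resp = parse_exchange(text)[:2]
    if req["code"] != "Access-Request" or req.get("Nas-Identifier") != "odap-dhcp":
        raise ValueError("not an ODAP subnet request")
    if resp["code"] != "Access-Accept":
        return {"vrf": req["User-Name"], "leased": None}   # reject: no subnet left
    requested = ipaddress.IPv4Network(("0.0.0.0", req["avpairs"]["pool-mask"])).prefixlen
    net = ipaddress.IPv4Network((resp["avpairs"]["pool-addr"], resp["avpairs"]["pool-mask"]))
    if net.prefixlen != requested:
        raise ValueError(f"server returned /{net.prefixlen}, PE asked for /{requested}")
    return {"vrf": req["User-Name"], "leased": str(net), "usable": net.num_addresses - 2,
            "vrf_route": f"S {net} [1/0] via 0.0.0.0, Null0"}
```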
The three remote users from our VPDN dial-in scenario, elvis@fastfoods.com, jimi@fastfoods.com and eric@eurobank.com, have dialed in again, but this time they have received addresses for the PPP sessions from the ODAPs that are associated with their VRFs. For the sake of example, the Fast Foods ODAP has had its high/low utilization marks set to 3% and 2% respectively to force expansion of the pool with just two users. Example 2-59 shows the ODAP status for the Fast Foods and EuroBank VRFs.

Example 2-59. Fast Foods and EuroBank ODAPs

SanJose_PE#show ip dhcp pool

Pool FastFoods_ODAP :
 Utilization mark (high/low)    : 3 / 2
 Subnet size (first/next)       : 26 / 26 (autogrow)
 VRF name                       : FastFoods
 Total addresses                : 124
 Leased addresses               : 2
 Pending event                  : none
 2 subnets are currently in the pool :
 Current index        IP address range                    Leased addresses
 192.168.3.3          192.168.3.1      - 192.168.3.62      2
 192.168.3.65         192.168.3.65     - 192.168.3.126     0

Pool EuroBank_ODAP :
 Utilization mark (high/low)    : 80 / 25
 Subnet size (first/next)       : 26 / 26 (autogrow)
 VRF name                       : EuroBank
 Total addresses                : 62
 Leased addresses               : 1
 Pending event                  : none
 1 subnet is currently in the pool :
 Current index        IP address range                    Leased addresses
 192.168.3.2          192.168.3.1      - 192.168.3.62      1

Both ODAPs have received an initial subnet allocation of 192.168.3.0/26.

NOTE

There is no restriction on what subnets can be used. Our example uses the same subnet range for both VRFs to show the overlapping pool capability of ODAP.

Two addresses have been leased from FastFoods_ODAP (for "elvis" and "jimi") from the first available subnet. Because the high utilization mark has been exceeded, the FastFoods_ODAP has requested an expansion, with the extra subnet 192.168.3.64/26 being provided from the SuperCom RADIUS server. The EuroBank_ODAP has leased one address to "eric." Example 2-60 shows the routing tables for both VRFs. You can see the connected routes to the virtual access interfaces for each user. Also, note the static routes that have been injected for each of the ODAP subnets pointing to null0. In this case, the BGP aggregate-address command, as discussed previously, is not necessary to achieve proper summarization; however, the connected routes must not be redistributed into Multiprotocol BGP.

Example 2-60. Fast Foods and EuroBank Routing Table with ODAP

SanJose_PE#show ip route vrf FastFoods
[snip]
     10.0.0.0/24 is subnetted, 1 subnets
B       10.2.1.0 [200/0] via 194.22.15.1, 2d02h
     192.168.2.0/24 is variably subnetted, 2 subnets, 2 masks
C       192.168.2.100/32 is directly connected, Loopback10
B       192.168.2.20/30 [200/0] via 194.22.15.1, 2d02h
     192.168.3.0/24 is variably subnetted, 4 subnets, 2 masks
S       192.168.3.64/26 [1/0] via 0.0.0.0, Null0
C       192.168.3.2/32 is directly connected, virtual-Access5
C       192.168.3.1/32 is directly connected, virtual-Access4
S       192.168.3.0/26 [1/0] via 0.0.0.0, Null0

SanJose_PE#show ip route vrf EuroBank
[snip]
B    196.7.25.0/24 [200/0] via 194.22.15.1, 2d02h
     192.168.2.0/24 is variably subnetted, 2 subnets, 2 masks
C       192.168.2.100/32 is directly connected, Loopback11
B       192.168.2.24/30 [200/0] via 194.22.15.1, 2d02h
     192.168.3.0/24 is variably subnetted, 2 subnets, 2 masks
C       192.168.3.1/32 is directly connected, virtual-Access3
S       192.168.3.0/26 [1/0] via 0.0.0.0, Null0

Per VRF AAA

The n ew PE- CE r out in g op t ions as w ell as ot her adv anced f eat ur es, includ ing per- VPN Net w ork Ad dr ess Tr an slat ion ( PE- NAT)

So f ar in t his chap t er , t he Sup er Com RADI US ser v er has au t hent icat ed u ser PPP session s t hat How VRFs can be ex t ended int o a cust om er sit e t o pr ov ide sep ar at ion inside t he t er min at e on t he San Jose PE rou t er. I n t h e Fast Foods case, t he RADI US access- r equ est s w er e cust om er net w ork pr ox ied t o t he Fast Food s RADI US serv er at Ly on w h er e t h e act ual u ser inf or m at ion w as st or ed. A has been discussed pr eviously , t his r equ ir es t hat a rou t e be av ailable bet w een t h e t w o RADI US The lat est MPLS VPN secur it y f eat u res an d d esign s aim ed at pr ot ect ing t h e MPLS VPN ser v ers t o allow t h em t o com mu nicat e. I t also inv olves a ser ies of con figu rat ion st eps t o imp or t back bone and exp or t r out es b et w een t he Man agement VRF, cust om er VRF, and glob al r out ing t able. Su ch conf igHow ur at ions, alty hou e ult com m ont r in t o carr custgh omquit er m icast affMPLS ic insidVPN e a net VPNw ork s, can be pr one t o er ror and secur i issu es. The lat est in t er - car rier enh ancem ent s t o allow f or easier and m or e scalable d ep loym ent You can elimin at reier t heMPLS requ VPN ir em en t of a RADI US pr ox y for rem ot e access b y using a new feat ur e of int er - car serv ices call per - VRF AAA. Th is feat ur e allow s dir ect access t o a cust om er RADI US ser v er fr om w it hin t he VRF f or autt hent icat ion Thet echn adv ant ageinclud of t his hatt era ser Advuser anced rou blesh oot. ing iques in is g rtou out vice pu t s pr t oov enider su reRADI highUS avserv ailaberilitisy no r eq uir ed , nor are com plex I nt r anet con figu rat ion s for p r oxy RADI US access. Because only on e RADI er Ar is chit r equir , a Volum failur eepoint is r emon ovted d accessr esp onse t im e is MPLSUS andserv VPN ect uedres, I I , b uilds he an best - sellin gr equest MPLS an d VPN imch pr it oved. 
The initial implementation of per-VRF AAA requires that you define a virtual-template for each VRF that contains a customer RADIUS server. Apart from the VRF name and interface addressing method, the virtual-template supplies the relevant configuration that defines the access to the customer RADIUS server. A per-VRF virtual-template is required because the VHG/PE router forwards only a single request containing the username@domain name and password (received through the L2TP tunnel). The VHG/PE must know the VRF and RADIUS server for the domain before the PPP session is established so that the received username@domain name and password can be forwarded to the correct customer RADIUS server.

NOTE

Future enhancements to the per-VRF AAA feature plan to allow the service provider RADIUS server to dynamically provide the customer RADIUS information (as well as the VRF, interface addressing, and so on). Therefore, future versions will have three RADIUS requests: one from the LAC to the SP RADIUS server for tunnel information, one from the LNS to the SP RADIUS server for VPN and customer RADIUS information, and one from the LNS to the customer RADIUS server to authenticate the customer.




Figure 2-27 shows per-VRF AAA in the SuperCom network for FastFoods.

Figure 2-27. Per-VRF AAA VPDN Access

Essentially, remote access is the same as the VPDN scenario described previously, except that configuration information for the virtual-access interface is obtained from a specific virtual-template for FastFoods. This virtual-template is associated with a vpdn-group that is configured to terminate FastFoods users only. You do this by using a different host name in the vpdn-group configuration. When the San Jose NAS/LAC receives a call for elvis@fastfoods.com, it creates the L2TP tunnel as normal, but instead of using SuperCom_LAC as the L2TP client name, a different LAC client name is used to identify FastFoods (in our case, it is FastFoods_LAC). The SuperCom RADIUS server (which is not shown) supplies this information.
When the San Jose VHG/PE router receives the L2TP request, it searches for a VPDN group that matches the LAC client name (in the terminate-from hostname command) and then uses the associated virtual-template. The virtual-template provides the information that allows the San Jose VHG/PE router direct access to the FastFoods RADIUS server within the FastFoods VRF so that elvis@fastfoods.com can be authenticated.

The SuperCom LAC/NAS configuration remains the same as in the VPDN scenario. However, the configuration changes required for per-VRF AAA on the other components are shown in the following sections.

Configuring the SuperCom San Jose PE Router
The San Jose VHG/PE router requires several configuration changes. First, you must configure a AAA server group that defines the details of the FastFoods RADIUS server. The configuration for the FastFoods RADIUS server is shown in Example 2-61. To support the possibility of overlapping IP addresses of customer RADIUS servers when there are multiple VRFs using the per-VRF AAA feature, a new command, server-private, has been defined under the server group. This allows RADIUS servers that have the same IP address to be defined but associated with different VRFs. The server group also associates the VRF where the private RADIUS server is located. In our example, the FastFoods VRF uses the RADIUS server 10.2.1.5 located at Lyon, which is directly reachable in the VRF routing table. In addition, you must configure a method list for authentication and authorization for the FastFoods server group. The virtual-template for FastFoods uses these method lists.


Example 2-61. Configuring the FastFoods RADIUS Server Group

    aaa group server radius SG_FastFoods
     server-private 10.2.1.5 auth-port 1645 acct-port 1646 key Two4a$
     ip vrf forwarding FastFoods
    !
    aaa authentication ppp FastFoods_List group SG_FastFoods
    aaa authorization network FastFoods_List group SG_FastFoods

Next, you must define RADIUS-specific commands for the VRF, as shown in Example 2-62. In our case, the FastFoods RADIUS server contains unqualified usernames (no "@fastfoods.com"); therefore, the first command strips off the domain name for any access-requests in the FastFoods VRF. The second command provides a source address in the VRF that allows the FastFoods customer RADIUS server to reach the San Jose PE router.

Example 2-62. FastFoods RADIUS-Specific Commands for per-VRF AAA

    radius-server domain-stripping vrf FastFoods
    !
    ip radius source-interface lo10 vrf FastFoods

Finally, the FastFoods-specific vpdn-group and virtual-template are configured, as shown in Example 2-63. Note that the hostname for the vpdn-group matches the tunnel client name attribute from the SuperCom RADIUS server FastFoods domain entry. Any FastFoods PPP sessions that are established over the L2TP tunnel for this group use virtual-template 3. The virtual template defines all the relevant information to create a virtual-access interface in the FastFoods VRF, including which AAA method list to use for FastFoods users. The FastFoods_List causes the access-request message to be sent to the FastFoods RADIUS server 10.2.1.5 with a source address of 192.168.2.100 (loopback 10).

Example 2-63. VPDN and Virtual Template Configuration for per-VRF AAA

    vpdn-group 2
     accept-dialin
      protocol l2tp
      virtual-Template 3
     terminate-from hostname FastFoods_LAC
     local name SuperCom_LNS
     l2tp tunnel password vision
    !
    interface virtual-Template3
     ip vrf forwarding FastFoods
     ip unnumbered Loopback10
     peer default ip address dhcp-pool
     ppp authentication chap FastFoods_List
     ppp authorization FastFoods_List

SuperCom RADIUS Server Attributes

The only attribute that changes for the FastFoods domain entry is the name of the Tunnel client, which is FastFoods_LAC (see Table 2-15).

Table 2-15. SuperCom RADIUS Attributes for per-VRF AAA

    Attribute (Type)             Value
    User-Name (1)                fastfoods.com
    User-Password (2)            cisco
    Tunnel-Type (64)             3 (L2TP)
    Tunnel-Medium-Type (65)      1 (IPv4)
    Tunnel-Server-Endpoint (67)  194.22.15.2 (San Jose VHG/PE)
    Tunnel-Password (69)         vision
    Tunnel-Client-Auth-ID (90)   FastFoods_LAC
    Tunnel-Server-Auth-ID (91)   SuperCom_LNS

Verifying per-VRF AAA Operation

Now that per-VRF AAA has been configured for FastFoods, when elvis@fastfoods.com and jimi@fastfoods.com dial in again, they are associated with vpdn-group 2. This is because the tunnel client name FastFoods_LAC was provided with the L2TP tunnel request from the San Jose LAC/NAS. All other non-FastFoods users, such as EuroBank user "eric", still use vpdn-group 1 with the SuperCom RADIUS server providing most of the interface configuration. You can verify this by examining the VPDN information on the San Jose VHG/PE router, as shown in Example 2-64.

Example 2-64. Verifying VPDN Connection Information

    SanJose_PE#show vpdn

    L2TP Tunnel and Session Information Total tunnels 2 sessions 3

    LocID RemID Remote Name   State  Remote Address  Port  Sessions VPDN Group
    36418 11895 SuperCom_LAC  est    194.22.15.26    1701  1        1

    LocID RemID TunID Intf   Username             State Last Chg
    14    54    36418 Vi6    eric@eurobank.com    est   2d08h

    LocID RemID Remote Name   State  Remote Address  Port  Sessions VPDN Group
    47519 24880 FastFoods_LAC est    194.22.15.26    1701  2        2

    LocID RemID TunID Intf   Username             State Last Chg
    20    60    47519 Vi4    elvis@fastfoods.com  est   00:00:56
    21    61    47519 Vi5    jimi@fastfoods.com   est   00:00:08

The RADIUS debug output in Example 2-65 shows the access-request message for user "elvis" being sent directly to the FastFoods RADIUS server 10.2.1.5 by using the RADIUS source address (NAS-IP-Address) of 192.168.2.100, which is loopback 10 (used for the instantiation of the FastFoods VRF). Note that the domain name has been stripped off the username.

Example 2-65. Access-Request DEBUG for per-VRF AAA

    RADIUS(00000036): Send to unknown id 1645/24 10.2.1.5:1645, Access-Request, len
    RADIUS:  authenticator 39 FA 82 72 D4 E1 72 92 - EA 1A DA 33 48 6E 5A A0
    RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
    RADIUS:  User-Name           [1]   6   "elvis"
    RADIUS:  CHAP-Password       [3]   19  *
    RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
    RADIUS:  Service-Type        [6]   6   Framed                    [2]
    RADIUS:  NAS-IP-Address      [4]   6   192.168.2.100
    RADIUS:  Nas-Identifier      [32]  13  "SanJose_PE."
    RADIUS: Received from id 1645/24 10.2.1.5:1645, Access-Accept, len 20
    RADIUS:  authenticator A1 41 83 94 29 14 A9 60 - 52 C8 47 16 72 E2 46 3A
    RADIUS(00000036): Received from id 1645/24
    2d08h: %LINK-3-UPDOWN: Interface virtual-Access4, changed state to up

Examining the characteristics of the virtual-access4 interface for elvis@fastfoods.com, you can see that it was cloned from virtual-template3, as defined in vpdn-group 2 (see Example 2-66).

Example 2-66. Virtual-Access Interfaces

    SanJose_PE#show interface virtual-access 4
    virtual-Access3 is up, line protocol is up
      Hardware is Virtual Access interface
      Interface is unnumbered. Using address of Loopback10 (192.168.2.100)
      MTU 1500 bytes, BW 256 Kbit, DLY 100000 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation PPP, LCP Open
      Open: IPCP
      PPPoVPDN vaccess, cloned from virtual-Template3
      Protocol l2tp, tunnel id 25317, session id 12, loopback not set
    [snip]
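The per-VRF exchange of Examples 2-62 and 2-65, worked through as an added Python example that is not code from the book or from IOS: domain stripping of the username, the attribute set of the Access-Request, and the Access-Accept check the PE must perform before trusting the reply. It assumes the RFC 2865 wire format and takes the shared key Two4a$ and NAS-IP-Address 192.168.2.100 from the page; the CHAP response and request authenticator are constructed test values.

```python
"""RADIUS Access-Request / Access-Accept encoding and verification for per-VRF AAA."""
import hashlib
import hmac
import socket
import struct

# Values from the page: the key on the SG_FastFoods server-private line (Example 2-61)
# and the NAS-IP-Address seen in Example 2-65 (Loopback10 in the FastFoods VRF).
SHARED_SECRET = b"Two4a$"
NAS_IP = "192.168.2.100"
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, CHAP_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE = 1, 3, 4, 6
FRAMED_PROTOCOL, NAS_IDENTIFIER, NAS_PORT_TYPE = 7, 32, 61
NAMES = {1: "User-Name", 3: "CHAP-Password", 4: "NAS-IP-Address", 6: "Service-Type",
         7: "Framed-Protocol", 32: "Nas-Identifier", 61: "NAS-Port-Type"}


def strip_domain(username):
    """What 'radius-server domain-stripping vrf FastFoods' does: elvis@fastfoods.com -> elvis."""
    return username.split("@", 1)[0]


def encode_attrs(attrs):
    """Type-Length-Value attributes; Length counts the two header bytes (RFC 2865)."""
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def build_access_request(identifier, request_auth, username, chap_id, chap_response):
    """Access-Request carrying the attribute set shown in Example 2-65."""
    attrs = [
        (FRAMED_PROTOCOL, struct.pack("!I", 1)),            # PPP
        (USER_NAME, strip_domain(username).encode()),
        (CHAP_PASSWORD, bytes([chap_id]) + chap_response),   # CHAP ident + 16-byte response
        (NAS_PORT_TYPE, struct.pack("!I", 5)),              # Virtual
        (SERVICE_TYPE, struct.pack("!I", 2)),               # Framed
        (NAS_IP_ADDRESS, socket.inet_aton(NAS_IP)),
        (NAS_IDENTIFIER, b"SanJose_PE."),
    ]
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + request_auth + body


def parse(packet):
    """Split a RADIUS packet into (code, identifier, authenticator, [(type, value), ...])."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((packet[pos], packet[pos + 2:pos + packet[pos + 1]]))
        pos += packet[pos + 1]
    return code, identifier, packet[4:20], attrs


def debug_lines(packet):
    """Render the attributes the way the IOS 'debug radius' output in Example 2-65 does."""
    _, _, _, attrs = parse(packet)
    return ["RADIUS:  %-16s [%d] %d" % (NAMES.get(t, "Attr-%d" % t), t, len(v) + 2)
            for t, v in attrs]


def build_access_accept(identifier, request_auth, attrs=(), secret=SHARED_SECRET):
    """Server side: the Response Authenticator binds the reply to the request and the key."""
    body = encode_attrs(list(attrs))
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(body))
    # RFC 2865: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    response_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + response_auth + body


def verify_response(response, request_auth, secret=SHARED_SECRET):
    """NAS side: a reply whose authenticator does not match the per-VRF key is dropped."""
    _, _, response_auth, _ = parse(response)
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response_auth)
```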

DHCP Relay: VPN Support

This feature provides VRF-aware support for DHCP Relay and allows a single DHCP server to support DHCP clients in different VRFs, which might have overlapping address spaces. The DHCP server can be located in the global table, allowing the service provider to offer DHCP services, in a local VRF (that is, the one the client resides in), or in a remote VRF (that is, an extranet VPN).


NOTE

The DHCP server must have the capability to support overlapping address pools for this feature to work.

This feature allows a DHCP relay agent to provide additional information in the DHCP request to allow the DHCP server to identify the correct VPN namespace for IP address assignment or policy application. This additional information is provided by using the DHCP Relay Agent Information option, known as Option 82. The relay agent uses Option 82 to convey information in the form of suboptions. For DHCP VPN-related activities, the suboptions used are as follows:

VPN-ID— The relay agent uses this suboption to convey to the DHCP server the VPN that the DHCP request is associated with. The relay agent also uses VPN-ID to identify the VRF for any replies from the DHCP server. The identifier can consist of either the VRF name or the VPN ID as defined in RFC 2685.

NOTE

Configuration of a VPN ID for a VPN is optional. You can still use the VRF name to identify configured VPNs in the router. The VRF name is not affected by the VPN ID configuration. The identification mechanisms are independent of each other.

Subnet-selection— This suboption identifies the IP subnet in the VRF that the request originated from. In normal relay agent processing, the subnet is derived from the gateway address (giaddr) of the relay agent. The DHCP server also uses the giaddr to communicate with the relay agent. However, when relaying a request from a VRF, the giaddr is the address configured on the VRF interface, which might not be visible to the DHCP server. Therefore, the subnet-selection suboption allows separation of the client subnet from the address used to communicate with the DHCP server. This is explained in the example provided later in this section.

Server-ID-override— After a client has been allocated an IP address, it sends its renew or release packets directly to the DHCP server. However, the DHCP server might not be directly reachable from the client (it might be in the global table). The Server-ID-override suboption is used to change the IP address of the DHCP server in reply packets to the VRF interface address of the relay agent. The relay agent inserts its VRF interface address into this suboption when it first relays the request. When the reply is returned, the value of this field is copied to the DHCP server address option; therefore, the client is "tricked" into sending its renew/release packets directly to the relay agent.

NOTE

The DHCP server must also support DHCP Option 82 as well as provide a mechanism to manage overlapping addresses from different name spaces. This capability is available in Version 5.5 of the Cisco Network Registrar.
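The three suboptions just described, worked through end to end as an added Python example (not code from the book or from IOS): the PE inserts Option 82 with VPN-ID, subnet-selection and server-ID-override suboptions and sets giaddr to its global-table address, the server chooses a pool by VPN and subnet rather than by giaddr, and the relay rewrites the server identifier on the reply so renewals come back to it. The suboption codes are an assumption taken from RFC 3527, RFC 5107 and RFC 6607, which the book does not cite and which postdate the implementation it describes; the addresses are the EuroBank Palo Alto values this section uses, and the pools are constructed.

```python
"""VRF-aware DHCP relay: Option 82 insertion, pool selection by VPN, server-ID override."""
import ipaddress
import struct

MAGIC = b"\x63\x82\x53\x63"
HDR = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")   # RFC 2131 fixed header, 236 bytes
BOOTREQUEST, BOOTREPLY = 1, 2
DHCPDISCOVER, DHCPOFFER = 1, 2
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_RELAY_INFO, OPT_END = 53, 54, 82, 255
# Option 82 suboption codes. Assumption: the IANA-registered numbers, which the book
# does not give; the Cisco implementation it describes may have encoded these differently.
SUB_LINK_SELECTION = 5       # RFC 3527: the client's subnet (the book's "Subnet-selection")
SUB_SERVER_ID_OVERRIDE = 11  # RFC 5107
SUB_VSS = 151                # RFC 6607 virtual subnet selection (the book's "VPN-ID")
VSS_TYPE_NAME = 0            # VSS type 0 = VPN identified by an ASCII name (the VRF name)


def ip(text):
    return ipaddress.IPv4Address(text).packed


def encode_tlvs(tlvs):
    return b"".join(struct.pack("!BB", code, len(value)) + value for code, value in tlvs)


def decode_tlvs(blob, top_level=False):
    """Parse code/length/value triples; top_level handles the DHCP pad and end options."""
    tlvs, pos = [], 0
    while pos < len(blob):
        code = blob[pos]
        if top_level and code == OPT_END:
            break
        if top_level and code == 0:          # pad option has no length byte
            pos += 1
            continue
        if pos + 2 > len(blob) or pos + 2 + blob[pos + 1] > len(blob):
            raise ValueError("truncated option at offset %d" % pos)
        length = blob[pos + 1]
        tlvs.append((code, blob[pos + 2:pos + 2 + length]))
        pos += 2 + length
    return tlvs


def build(op, xid, chaddr, options, giaddr="0.0.0.0", yiaddr="0.0.0.0"):
    fixed = HDR.pack(op, 1, 6, 0, xid, 0, 0, ip("0.0.0.0"), ip(yiaddr), ip("0.0.0.0"),
                     ip(giaddr), chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return fixed + MAGIC + encode_tlvs(options) + bytes([OPT_END])


def parse(pkt):
    f = HDR.unpack(pkt[:HDR.size])
    if pkt[HDR.size:HDR.size + 4] != MAGIC:
        raise ValueError("not a DHCP message")
    return {"op": f[0], "xid": f[4], "yiaddr": str(ipaddress.IPv4Address(f[8])),
            "giaddr": str(ipaddress.IPv4Address(f[10])), "chaddr": f[11][:f[2]],
            "options": decode_tlvs(pkt[HDR.size + 4:], top_level=True)}


def relay_to_server(discover, vrf, client_net, vrf_if_addr, global_if_addr):
    """PE relay: add Option 82 and set giaddr to the address the server can reach."""
    m = parse(discover)
    if any(code == OPT_RELAY_INFO for code, _ in m["options"]):
        raise ValueError("client-supplied Option 82 on an untrusted port: drop")
    net = ipaddress.IPv4Network(client_net)
    sub = encode_tlvs([(SUB_VSS, bytes([VSS_TYPE_NAME]) + vrf.encode()),
                       (SUB_LINK_SELECTION, net.network_address.packed),
                       (SUB_SERVER_ID_OVERRIDE, ip(vrf_if_addr))])
    giaddr = m["giaddr"] if m["giaddr"] != "0.0.0.0" else global_if_addr
    return build(BOOTREQUEST, m["xid"], m["chaddr"],
                 m["options"] + [(OPT_RELAY_INFO, sub)], giaddr=giaddr)


def server_offer(relayed, pools, server_addr):
    """DHCP server: pick the pool by (VPN, subnet), not by giaddr, and echo Option 82."""
    m = parse(relayed)
    opts = dict(m["options"])
    subs = dict(decode_tlvs(opts[OPT_RELAY_INFO]))
    if subs[SUB_VSS][0] != VSS_TYPE_NAME:
        raise ValueError("only name-typed VPN identifiers are handled here")
    vpn = subs[SUB_VSS][1:].decode()
    subnet = str(ipaddress.IPv4Address(subs[SUB_LINK_SELECTION]))
    yiaddr = pools[(vpn, subnet)].pop(0)     # same subnet in two VPNs: the VPN decides
    reply = [(OPT_MSG_TYPE, bytes([DHCPOFFER])), (OPT_SERVER_ID, ip(server_addr)),
             (OPT_RELAY_INFO, opts[OPT_RELAY_INFO])]
    return build(BOOTREPLY, m["xid"], m["chaddr"], reply, giaddr=m["giaddr"], yiaddr=yiaddr)


def relay_to_client(offer):
    """PE relay: replace Server-ID with the override so renew/release go to the relay."""
    m = parse(offer)
    opts = dict(m["options"])
    subs = dict(decode_tlvs(opts.pop(OPT_RELAY_INFO)))
    opts[OPT_SERVER_ID] = subs[SUB_SERVER_ID_OVERRIDE]
    return build(BOOTREPLY, m["xid"], m["chaddr"], list(opts.items()),
                 giaddr=m["giaddr"], yiaddr=m["yiaddr"])
```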


Figure 2-28 shows VPN-aware DHCP Relay operation for the EuroBank Palo Alto CPE that is connected to the SuperCom network by using DSL. In this scenario, the CPE is connected by using RFC 1483 bridging, and the VRF ATM interface at the San Jose PE router is configured with route bridge encapsulation (RBE). Therefore, it behaves as if it were a LAN interface. The DHCP server is located in the SuperCom global routing table, which does not have direct reachability to the 10.6.1.0/24 subnet of EuroBank Palo Alto.

Figure 2-28. VPN-Aware DHCP Relay Operation

The DHCP relay operation can be summarized in the following steps:

Step 1. A client on the Palo Alto subnet 10.6.1.0/24 requests an address by broadcasting a DHCP Discover message. This message contains information such as the MAC address and host name. This is carried in a bridged packet toward the San Jose PE router.

Step 2. The San Jose PE router acting as the relay agent receives the packet. Before forwarding it to the SuperCom DHCP server, the San Jose PE router adds the relay agent information (Option 82) as follows: VPN ID = "EuroBank", Subnet-Selection = "10.6.1.0/24", Server-ID-Override = "10.6.1.1". The giaddr field is set to 194.22.15.17, which is the outgoing interface address in the global routing table that is reachable from the SuperCom DHCP server.

Step 3. The relay agent unicasts the DHCP Discover message toward the SuperCom DHCP server 194.22.16.3.

Step 4. The DHCP server receives the packet and uses the VPN-ID and Subnet-Selection suboptions to allocate an address from the correct VPN namespace.

Step 5. The DHCP server sends the DHCP Offer back to the San Jose PE router by using the value of the giaddr field, which was 194.22.15.17.

Step 6. The relay agent removes the Option 82 information.

Step 7. The DHCP Offer is unicast (using the MAC address) to the requesting client.

Step 8. The client then confirms its received address by broadcasting a DHCP Request toward the relay agent.

Step 9. The San Jose PE router then adds the Option 82 information.

Step 10. The DHCP Request message is then relayed to the SuperCom DHCP server.

Step 11. The DHCP server then formally allocates the address, using the Option 82 information to access the correct namespace.

Step 12. A DHCP Acknowledge is then forwarded to the San Jose PE router.

Step 13. The San Jose PE router receives the DHCP Ack message and changes the DHCP server ID to the address in the Server-ID-Override, which is 10.6.1.1.

Step 14. The acknowledge is then forwarded directly to the DHCP client.

Step 15. Any subsequent renew or release messages are sent directly to 10.6.1.1. When the San Jose PE router receives these messages, it adds the Option 82 information and relays the packet toward the SuperCom DHCP server.

Configuring the San Jose PE Router

The only configuration changes that are necessary apply to the San Jose PE router. Several commands have been introduced or modified to support the DHCP Relay—VPN Support feature and are shown in the following configuration (see Example 2-67), which applies to the DSL RFC1483 scenario discussed previously.

The command ip dhcp relay information option vpn inserts the DHCP Relay Agent Information option (Option 82) into any DHCP requests that the San Jose PE router receives.
In particular, the vpn keyword ensures that the three VPN-related suboptions (VPN ID, Subnet-Selection, and Server ID Override) are added.

NOTE

Option 82 can also be used to convey suboptions that are unrelated to VPNs, such as the circuit identifier suboption and the remote ID suboption used in cable access.

Example 2-67. DHCP Relay Configuration

ip dhcp relay information option vpn
!
ip vrf EuroBank
 rd 10:27
 vpn id ACDE48:27
 route-target export 10:27
 route-target import 10:27
!
interface ATM2/0.1 point-to-point
 description RBE connection to Palo Alto DSL CPE
 ip vrf forwarding EuroBank
 ip address 10.6.1.1 255.255.255.0
 ip helper-address global 194.22.16.3
 no ip mroute-cache
 atm route-bridged ip
 pvc 1/32
  ubr 256
  encapsulation aal5snap
!

The vpn id command under the VRF configuration allows a unique ID that is distinct from the VRF name to be allocated. The VPN ID is specified in the format defined by RFC 2685 and consists of the following elements:

An Organizational Unique Identifier (OUI) that consists of a three-octet hex number. The IEEE Registration Authority assigns OUIs to any company that manufactures components under the ISO/IEC 8802 standard. The OUI generates universal LAN MAC addresses and protocol identifiers for use in local and metropolitan area network (MAN) applications. For example, an OUI for Cisco Systems is 00-036B (hex).

A VPN index, consisting of a four-octet hex number, which identifies the VPN within the company.

Our example used ACDE48 as the OUI, which is defined by the IEEE to represent private use. The VPN index used is the same as the unique identifier used in the Route Distinguisher.

The ip helper-address command has been modified to support a DHCP server address that is reachable in the global routing table, another VRF, or the local VRF. It now takes the form ip helper-address [vrf name | global] address. If neither the vrf nor the global keyword is used, the address must be reachable in the local VRF. Our example uses the SuperCom DHCP server, which is reachable on the management LAN in the global routing table.
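The 15-step exchange and the Option 82 suboptions explained above, worked through in code. This is an added example, not code from the book or from Cisco IOS; it assumes suboption codes 5, 151 and 152 (taken from RFC 3527, RFC 6607 and RFC 5107, since the page names the suboptions but gives no codes) and carries the VPN-ID in the RFC 2685 seven-octet form.

```python
"""Model of the VPN-aware DHCP relay described above.  Added example, not code
from the book or Cisco IOS.  Assumptions: suboption codes 5/151/152 come from
RFC 3527, RFC 6607 and RFC 5107 (the page gives names, not codes), and the
VPN-ID is carried in the RFC 2685 7-octet form (3-octet OUI + 4-octet index)."""
import ipaddress
import struct

OPT_SERVER_ID = 54            # DHCP server identifier option
OPT_RELAY_AGENT = 82          # relay agent information option
SUB_LINK_SELECTION = 5        # assumption (RFC 3527): "Subnet-Selection"
SUB_VPN_ID = 151              # assumption (RFC 6607): VPN-ID
SUB_SERVER_ID_OVERRIDE = 152  # assumption (RFC 5107): Server-ID-Override


def encode_vpn_id(text: str) -> bytes:
    """'ACDE48:27' -> OUI (3 octets) + hex index (4 octets), RFC 2685 layout."""
    oui, index = text.split(":")
    return bytes.fromhex(oui.zfill(6)) + struct.pack("!I", int(index, 16))


def decode_vpn_id(raw: bytes) -> str:
    if len(raw) != 7:
        raise ValueError("VPN-ID suboption must be 7 octets")
    return f"{raw[:3].hex().upper()}:{struct.unpack('!I', raw[3:])[0]:X}"


def build_option82(vpn_id: str, subnet: str, server_override: str) -> bytes:
    """Option 82 value with the three suboptions the relay adds (step 2)."""
    subs = ((SUB_VPN_ID, encode_vpn_id(vpn_id)),
            (SUB_LINK_SELECTION, ipaddress.IPv4Network(subnet).network_address.packed),
            (SUB_SERVER_ID_OVERRIDE, ipaddress.IPv4Address(server_override).packed))
    return b"".join(bytes((code, len(val))) + val for code, val in subs)


def parse_option82(body: bytes) -> dict:
    """Walk the suboption TLVs; a truncated TLV is an error, not a guess."""
    subs, i = {}, 0
    while i < len(body):
        if i + 2 > len(body) or i + 2 + body[i + 1] > len(body):
            raise ValueError("truncated Option 82 suboption")
        code, length = body[i], body[i + 1]
        subs[code] = body[i + 2:i + 2 + length]
        i += 2 + length
    return subs


class VpnAwareRelay:
    """Relay behaviour of one VRF interface (ATM2/0.1 on the San Jose PE)."""

    def __init__(self, vrf, vpn_id, vrf_if_addr, subnet, global_if_addr, server):
        self.vrf, self.vpn_id, self.subnet = vrf, vpn_id, subnet
        self.vrf_if_addr = vrf_if_addr        # Server-ID-Override value
        self.global_if_addr = global_if_addr  # giaddr the server replies to
        self.server = server                  # ip helper-address global ...

    def relay_request(self, pkt: dict) -> dict:
        """Client-to-server direction (steps 2-3, 9-10 and 15)."""
        if OPT_RELAY_AGENT in pkt["options"]:
            # Option 82 must only be added by the relay; refuse to forward
            # a client-side request that already carries one.
            raise ValueError("request already carries Option 82")
        out = {**pkt, "options": dict(pkt["options"])}
        out["options"][OPT_RELAY_AGENT] = build_option82(
            self.vpn_id, self.subnet, self.vrf_if_addr)
        out["giaddr"], out["dst"] = self.global_if_addr, self.server
        return out

    def relay_reply(self, pkt: dict) -> dict:
        """Server-to-client direction (steps 6-7 and 13-14)."""
        body = pkt["options"].get(OPT_RELAY_AGENT)
        if body is None:
            raise ValueError("reply without Option 82; cannot select a VRF")
        subs = parse_option82(body)
        if decode_vpn_id(subs[SUB_VPN_ID]) != self.vpn_id:
            raise ValueError("VPN-ID does not match this VRF; dropping")
        out = {**pkt, "options": dict(pkt["options"]), "vrf": self.vrf}
        del out["options"][OPT_RELAY_AGENT]  # step 6: strip Option 82
        # Step 13: server ID seen by the client becomes the relay's VRF address
        out["options"][OPT_SERVER_ID] = subs[SUB_SERVER_ID_OVERRIDE]
        return out


def run_exchange() -> tuple:
    """Discover/Offer/Request/Ack with the page's addresses.  The server is
    modelled only as far as needed: it echoes Option 82, replies to giaddr and
    offers network address + 2 from Subnet-Selection (10.6.1.2 in the debug).
    Returns (leased address, server ID as the client sees it)."""
    relay = VpnAwareRelay("EuroBank", "ACDE48:27", "10.6.1.1", "10.6.1.0/24",
                          "194.22.15.17", "194.22.16.3")
    lease = None
    for msg, kind in (("DISCOVER", "OFFER"), ("REQUEST", "ACK")):
        req = relay.relay_request({"msg": msg, "giaddr": "0.0.0.0", "options": {}})
        subs = parse_option82(req["options"][OPT_RELAY_AGENT])
        net = ipaddress.IPv4Address(subs[SUB_LINK_SELECTION])
        reply = {"msg": kind, "dst": req["giaddr"], "yiaddr": str(net + 2),
                 "options": {OPT_SERVER_ID: ipaddress.IPv4Address(req["dst"]).packed,
                             OPT_RELAY_AGENT: req["options"][OPT_RELAY_AGENT]}}
        lease = relay.relay_reply(reply)
    server_id = ipaddress.IPv4Address(lease["options"][OPT_SERVER_ID])
    return lease["yiaddr"], str(server_id)
```

run_exchange() returns ("10.6.1.2", "10.6.1.1"): the lease comes from the EuroBank namespace and the client's server ID is the relay's VRF address, so renew and release traffic never needs a route to 194.22.16.3.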

Verifying VPN-Aware DHCP Relay Operation

The output shown in Example 2-68 is a debug of DHCP activity on the San Jose PE router when a client on the Palo Alto LAN requests a DHCP address. The first section shows the DHCP Discover being received with the giaddr initially being set to 10.6.1.1 (the incoming interface address). The Option 82 information is added, and the giaddr is then overwritten with the outgoing global interface address of the San Jose PE router (the interface that is used to reach the DHCP server). The next sections show the BOOTREPLY from the DHCP server (containing the DHCP Offer), followed by the DHCP Request from the client and then another BOOTREPLY (containing the DHCP Ack).

Example 2-68. VPN-Aware DHCP Relay Debug Output

DHCPD: DHCPDISCOVER received from client 0100.0347.bb2f.12 on interface ATM2/0.1
DHCPD: there is no address pool for 10.6.1.1.
DHCPD: setting giaddr to 10.6.1.1.
DHCPD: adding relay information option.
DHCPD: VPN id =ACDE48:27
DHCPD: Selected subnet=10.6.1.0
DHCPD: Server-id-override=10.6.1.1
DHCPD: giaddr changed to 194.22.15.17
DHCPD: BOOTREQUEST from 0100.0347.bb2f.12 forwarded to 194.22.16.3.
DHCPD: forwarding BOOTREPLY to client 0003.47bb.2f12.
DHCPD: Vrf name from sub-option = EuroBank
DHCPD: Forwarding reply on numbered intf
DHCPD: creating ARP entry (10.6.1.2, 0003.47bb.2f12).
DHCPD: unicasting BOOTREPLY to client 0003.47bb.2f12 (10.6.1.2).
DHCPD: DHCPREQUEST received from client 0100.0347.bb2f.12.
DHCPD: setting giaddr to 10.6.1.1.
DHCPD: adding relay information option.
DHCPD: VPN id =ACDE48:27
DHCPD: Selected subnet=10.6.1.0
DHCPD: Server-id-override=10.6.1.1
DHCPD: giaddr changed to 192.22.15.17
DHCPD: BOOTREQUEST from 0100.0347.bb2f.12 forwarded to 192.22.16.3.
DHCPD: forwarding BOOTREPLY to client 0003.47bb.2f12.
DHCPD: Vrf name from sub-option = EuroBank
DHCPD: Forwarding reply on numbered intf
DHCPD: creating ARP entry (10.6.1.2, 0003.47bb.2f12).
DHCPD: unicasting BOOTREPLY to client 0003.47bb.2f12 (10.6.1.2).
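A small checker for this kind of debug output, as an added example (not from the book or Cisco IOS): it splits the DHCPD: lines into one transaction per client message and compares the relay's logged actions with the values configured in Example 2-67. It assumes the line formats shown in Example 2-68, from which the embedded sample lines are copied.

```python
"""Checker for the DHCPD: debug lines above.  Added example, not from the book
or Cisco IOS: it splits the output into one transaction per DHCP message
received from the client and compares what the relay did with the values
configured in Example 2-67.  Assumption: the line formats are exactly those
shown in Example 2-68 (DEBUG_LINES is copied from it)."""
import re

# Expected relay behaviour, taken from Example 2-67 and the step list.
EXPECTED = {
    "vpn_id": "ACDE48:27",     # vpn id under ip vrf EuroBank
    "subnet": "10.6.1.0",      # VRF interface subnet
    "override": "10.6.1.1",    # VRF interface address (Server-ID-Override)
    "giaddr": "194.22.15.17",  # outgoing global interface address
    "server": "194.22.16.3",   # ip helper-address global 194.22.16.3
    "vrf": "EuroBank",
}

# Sample input copied from Example 2-68.
DEBUG_LINES = """\
DHCPD: DHCPDISCOVER received from client 0100.0347.bb2f.12 on interface ATM2/0.1
DHCPD: there is no address pool for 10.6.1.1.
DHCPD: setting giaddr to 10.6.1.1.
DHCPD: adding relay information option.
DHCPD: VPN id =ACDE48:27
DHCPD: Selected subnet=10.6.1.0
DHCPD: Server-id-override=10.6.1.1
DHCPD: giaddr changed to 194.22.15.17
DHCPD: BOOTREQUEST from 0100.0347.bb2f.12 forwarded to 194.22.16.3.
DHCPD: forwarding BOOTREPLY to client 0003.47bb.2f12.
DHCPD: Vrf name from sub-option = EuroBank
DHCPD: Forwarding reply on numbered intf
DHCPD: creating ARP entry (10.6.1.2, 0003.47bb.2f12).
DHCPD: unicasting BOOTREPLY to client 0003.47bb.2f12 (10.6.1.2).
DHCPD: DHCPREQUEST received from client 0100.0347.bb2f.12.
DHCPD: setting giaddr to 10.6.1.1.
DHCPD: adding relay information option.
DHCPD: VPN id =ACDE48:27
DHCPD: Selected subnet=10.6.1.0
DHCPD: Server-id-override=10.6.1.1
DHCPD: giaddr changed to 192.22.15.17
DHCPD: BOOTREQUEST from 0100.0347.bb2f.12 forwarded to 192.22.16.3.
DHCPD: forwarding BOOTREPLY to client 0003.47bb.2f12.
DHCPD: Vrf name from sub-option = EuroBank
DHCPD: Forwarding reply on numbered intf
DHCPD: creating ARP entry (10.6.1.2, 0003.47bb.2f12).
DHCPD: unicasting BOOTREPLY to client 0003.47bb.2f12 (10.6.1.2).
"""

PATTERNS = {
    "msg": re.compile(r"^DHCPD: (DHCP\w+) received from client (\S+)"),
    "vpn_id": re.compile(r"^DHCPD: VPN id =(\S+)"),
    "subnet": re.compile(r"^DHCPD: Selected subnet=(\S+)"),
    "override": re.compile(r"^DHCPD: Server-id-override=(\S+)"),
    "giaddr": re.compile(r"^DHCPD: giaddr changed to (\S+)"),
    "server": re.compile(r"^DHCPD: BOOTREQUEST from \S+ forwarded to (\S+)"),
    "vrf": re.compile(r"^DHCPD: Vrf name from sub-option = (\S+)"),
    "lease": re.compile(r"^DHCPD: unicasting BOOTREPLY to client \S+ \((\S+)\)"),
}


def parse_transactions(text: str) -> list:
    """One dict per client message; later lines fill in the relay's actions."""
    txns = []
    for line in text.splitlines():
        m = PATTERNS["msg"].match(line)
        if m:
            txns.append({"msg": m.group(1), "client": m.group(2).rstrip(".")})
            continue
        if not txns:
            continue  # lines before the first client message are ignored
        for key, pat in PATTERNS.items():
            m = pat.match(line)
            if key != "msg" and m:
                txns[-1][key] = m.group(1).rstrip(".")
    return txns


def check_transaction(txn: dict, expected: dict = EXPECTED) -> list:
    """Mismatches between the relay's logged actions and the configuration;
    an empty list means the transaction looks as the configuration predicts."""
    return [f"{txn['msg']}: {key} is {txn.get(key)!r}, expected {want!r}"
            for key, want in expected.items() if txn.get(key) != want]
```

Run over Example 2-68 it reports no mismatch for the DHCPDISCOVER transaction but flags the DHCPREQUEST transaction, whose logged giaddr and forwarding address (192.22.15.17 and 192.22.16.3) differ from the configured 194.22.15.17 and 194.22.16.3.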


Summary

Remote access to an MPLS VPN supports many different access technologies. These include PSTN and ISDN dial-in and dial-out, all DSL encapsulation modes, and cable access using a DOCSIS-1.0 compliant network. By centralizing configuration and addressing functions on service provider or customer AAA/DHCP servers, a highly scalable remote access solution can be built. In addition, many features have been introduced or enhanced in Cisco IOS to provide VRF-aware support, including ODAPs, per-VRF AAA, DHCP Relay—VPN Support, and VPN-ID among others. The use of these features and the architectures described throughout this chapter allows a service provider to build a single remote access infrastructure that many customers can share. Remote access to an MPLS VPN allows a customer to obviate the need to build, manage, and maintain his own remote access infrastructure, lowering costs and improving coverage. Service providers can generate new revenue streams by assuming responsibility of remote access provisioning on behalf of the customer.


Chapter 3. PE-CE Routing Protocol Enhancements and Advanced Features

The initial implementations of the Cisco Systems Inc. Multiprotocol Label Switching (MPLS) virtual private network (VPN) architecture provided support for several, but not all, routing protocols between the provider edge (PE) routers and customer edge (CE) routers. This initial support included Border Gateway Protocol (BGP-4), static routing, Routing Information Protocol (RIP) version 2 and Open Shortest Path First (OSPF), each of which was described in detail in the first volume of this book. Deployment experience has shown that the majority of services have been provisioned using either static routing or BGP-4. However, this combination is changing as MPLS technology has gained more acceptance among a diverse mix of end customers. Many of these customers have more complex routing topologies that are best served through more integration with the customer Interior Gateway Protocol (IGP).

Because of this change, several enhancements have been added to the support of the OSPF protocol, and the ability to run either Enhanced Interior Gateway Routing Protocol (EIGRP) or Integrated Intermediate-System to Intermediate-System (IS-IS) has been added to the list of PE-CE protocols. This chapter describes the enhancements made to the OSPF protocol. It also provides a detailed look at how EIGRP and IS-IS have been implemented and how each is configured at the PE routers.

NOTE

As with all other PE-CE routing protocols, when introducing EIGRP or IS-IS between the service provider and the VPN customer, no additional protocol changes are required at the CE routers. They can continue to run standard IOS images.

Throughout this chapter, we will refer to the sample service provider topology, as shown in Figure 3-1. All relevant IP address ranges for the service provider backbone and attached VPN customers are shown in Table 3-1.

Figure 3-1. Sample Service Provider Topology


Table 3-1. IP Address Assignment for SuperCom Backbone

Company    Site                        Subnet
FastFood   San Jose                    195.12.2.0/24
FastFood   Lyon                        10.2.1.0/24
EuroBank   San Francisco               10.2.1.0/24
EuroBank   London                      196.7.24.0/24
EuroBank   Paris                       196.7.25.0/24
EuroBank   Washington                  196.7.26.0/24
SuperCom   Paris (Loopback 0)          194.22.15.1/32
SuperCom   San Jose (Loopback 0)       194.22.15.2/32
SuperCom   Washington (Loopback 0)     194.22.15.3/32
SuperCom   PE-CE Interface Addresses   192.168.2.0/24

PE-CE Connectivity: OSPF

The use of OSPF for PE-CE connectivity was extensively covered in Volume 1 of this publication. However, various enhancements have been made since Volume 1 was first published that increase the viability of deploying this particular routing protocol. Therefore, it is useful to provide a quick review of how OSPF is used in this environment and then describe the enhancements that have been applied to the architecture.

Before diving into the details of these enhancements, it is perhaps helpful to review why OSPF might be chosen as the routing protocol on the PE-CE link. It is clear that OSPF is a complex routing protocol that might not suit all environments. Indeed, it is probably fair to say that OSPF might only be desirable for VPN customers who want to retain OSPF within each of their sites, either during a migration or on a permanent basis.

There are many reasons why customers might want to retain their OSPF configurations, although the most common reasons are as follows:

- Prevention of a large number of external routes within the OSPF topology
- Provision of a more flexible topology that is able to support backdoor connectivity between customer sites
- Avoidance of having to redistribute OSPF information into other protocols such as BGP-4 or RIP version 2 at the CE routers
- Avoidance of having to learn/support another routing protocol such as BGP-4 at the network edge

NOTE

Redistribution is a mechanism that allows a router to move routes from one protocol (or static entry) in its routing table to another routing protocol. The desire to restrict the amount of redistribution can be extremely important in a normal OSPF environment. This is because a route that is redistributed into OSPF will appear as an external route within the OSPF topology. The OSPF protocol dictates that external routes be flooded across the whole OSPF domain, which increases the overhead of the protocol as well as the CPU load on all routers that are participating in the OSPF domain.

Certain OSPF area types, such as stub or totally stubby, can be deployed so that external routes are not sent into the area. However, this can have the drawback of suboptimal routing because the area does not have the full topology information with which to make a decision on the best exit point toward the OSPF backbone for a particular external route.

Due to the tight integration of OSPF with the Multiprotocol BGP used in the MPLS VPN backbone, the use of OSPF does not necessitate the generation of external routes when redistributing between VPN sites and Multiprotocol BGP. Using OSPF as the PE-CE routing protocol is better from the customer's perspective than redistribution from BGP into OSPF at the customer site.

OSPF PE-CE Connectivity Requirements

To facilitate the multitude of possible OSPF topologies and to provide connectivity between VPN sites that run the OSPF protocol, an additional level of routing hierarchy, referred to as the MPLS VPN Superbackbone, is required. This additional level of hierarchy is necessary so that VPN sites can run independent OSPF processes and learn routes from other VPN sites without the necessity of a direct adjacency with those sites.

The OSPF protocol already provides two levels of hierarchy: the backbone (area 0) and nonbackbone areas that have to be directly attached to the backbone. The third level of hierarchy, which the MPLS VPN architecture provides, exists above the normal backbone area (if it exists). To illustrate this point, Figure 3-2 shows how a particular VPN client might attach to an MPLS VPN environment.

Figure 3-2. OSPF Client Connectivity to an MPLS VPN Backbone

There are a couple of interesting observations that you can make from Figure 3-2. The first is that multiple OSPF backbone areas (Area 0) are possible within the same VPN customer environment. Each site can choose to run an independent backbone area, or multiple sites can act collectively as one backbone area through the use of sham-links.
NOTE

Sham-links are discussed in more detail in the section titled "VPN Client Backdoor Links" later in this chapter.

When backbone areas are used within a VPN customer topology, the only caveat to be aware of is that any site configured to run an OSPF backbone area must be attached directly to the MPLS VPN Superbackbone, either through a direct link or a virtual link. This is mandatory because the PE routers always act as Area Border Routers (ABRs) and need to be able to exchange intra-area information with other ABR or backbone area routers. The second interesting observation is that you can have a complete OSPF domain, with backbone and nonbackbone areas, attached to a single Virtual Routing & Forwarding instance (VRF) at the PE router. This is possible because the PE router acts as an ABR and presents all OSPF areas behind the MPLS VPN backbone as nonbackbone areas to the local OSPF domain.

NOTE

If multiple areas are attached to the same VRF, then the backbone area must exist within the VRF. This is necessary to provide connectivity between these nonbackbone areas. Assigning a loopback interface to the VRF and placing this loopback within the backbone area can achieve it.

Basic OSPF Operation Between PE and CE Routers

In MPLS and VPN Architectures (Volume I), Chapter 9, "MPLS/VPN Architecture Overview," several steps were highlighted that are necessary when you are initially provisioning a new VPN customer. With the exception of Step 4, we will not expand on these further within this chapter. However, it is important to understand that these steps are the basic building blocks of the VPN and are required regardless of the PE-CE protocol that will be used for the VPN customer:

1. Define and configure the VRFs.
2. Define and configure the route distinguishers.
3. Define and configure the import and export policies.
4. Configure the PE-CE links.
5. Associate the CE interfaces to the previously defined VRFs.
6. Configure Multiprotocol BGP.
7. Mutually redistribute (except in the case of BGP on the PE-CE links) routes between Multiprotocol BGP and the routing protocol on the PE-CE links.

Although each OSPF interface is associated with a particular VRF, it is necessary to provide a mechanism whereby the PE router is able to distinguish which routes belong to which VRFs, and to understand which interfaces belong to which OSPF processes. To achieve this aim, a separate OSPF process is necessary for each VRF that will receive VPN routes via OSPF.

Due to the complexity of OSPF and the associated topology database, the option to use different routing contexts (as with BGP-4 and RIP version 2, for example) is not currently available in Cisco IOS. Therefore, a different OSPF process (with a different process-id) is required per VRF. Future IOS releases will provide context support.

Figure 3-3 shows the separation of each OSPF process and its association with a particular VRF.

Figure 3-3. OSPF Process Separation and Association with VRFs

The separation of different VRFs into independent OSPF processes is achieved using an extension to the router ospf command, as illustrated in Example 3-1.

Example 3-1. Separation of VRFs into Different OSPF Processes

router ospf <Process ID> vrf <VRF name>

configuration command might change this. You can view the current default value in the output of the show ip ospf command.

Prevention of Routing Loops Between OSPF Sites

In many deployment scenarios, it is necessary to provide dual attachment for customer sites to different PE routers, or perhaps to have more than one connection from the customer site to the same PE router at the service provider location. This implies that the same set of routes can be advertised into a customer site from multiple points, potentially resulting in the creation of routing loops. To overcome potential routing loops, a down bit within the options field of the generic OSPF header is used, as illustrated in Figure 3-6.

Figure 3-6. OSPF Header Showing Options Field and Down Bit

The down bit is set only when a PE router generates a Type 3 summary LSA into an attached site of a particular VPN. After receiving an LSA with the down bit set, a PE router is able to determine that it should ignore the LSA during SPF computation and not redistribute the route into Multiprotocol BGP.

You can easily inspect the value of the down bit within the OSPF database with the show ip ospf command, as shown in Example 3-8.

Example 3-8. Examination of the LSA to Check Down Bit Setting

SanJose# show ip ospf data summary 10.3.1.15

            OSPF Router with ID (192.168.1.12) (Process ID 101)

                Summary Net Link States (Area 1)

  LS age: 401
  Options: (No TOS-capability, DC, Downward)
  LS Type: Summary Links(Network)
  Link State ID: 10.3.1.15 (summary Network Number)
  Advertising Router: 192.168.1.12
  LS Seq Number: 80000001
  Checksum: 0xC886
  Length: 28
  Network Mask: /32
        TOS: 0  Metric: 65

Type 5 and Type 7 LSAs also require some kind of mechanism that will prevent them from continually being advertised around the backbone network and between VPN sites. To facilitate this requirement, the originating PE router sets an external route tag, the domain-tag, within the Type 5 or Type 7 LSA. If a PE router receives an LSA that contains the same tag as the locally configured tag, then the PE router knows that another PE router generated this route and the LSA is ignored. The format of the 32-bit domain-tag can be seen in Figure 3-7.

Figure 3-7. Domain-Tag Format

By default, the top 4 bits of the tag are always set to 1101, and the lowest 16 bits are set to the autonomous system number of the MPLS VPN backbone. You can change this default value by using the domain-tag <32-bit value> command within the OSPF process configuration.

Example 3-9 shows the external route tag setting for a particular Type 5 LSA. In this example, the external route tag value of 3489661143 equates to 11010000 00000000 00000000 11010111 in binary. This shows that the top 4 bits are set to 1101 and the bottom 16 bits are set to the MPLS VPN backbone autonomous system number of 215.

Example 3-9. External Route Tag Example

SanJose# show ip ospf data external

            OSPF Router with ID (192.168.2.16) (Process ID 100)

                Type-5 AS External Link States

  LS age: 1040
  Options: (No TOS-capability, DC)
  LS Type: AS External Link
  Link State ID: 192.168.2.16 (External Network Number)
  Advertising Router: 10.2.1.49
  LS Seq Number: 8000002B
  Checksum: 0xF59E
  Length: 36
  Network Mask: /32
        Metric Type: 2 (Larger than any link state path)
        TOS: 0
        Metric: 1
        Forward Address: 0.0.0.0
        External Route Tag: 3489661143
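The two PE loop-prevention rules described above, the down bit on Type 3 summary LSAs and the domain-tag on Type 5/7 LSAs, modelled as an added example that is not code from the book or from Cisco IOS. It assumes the down bit is the high-order bit of the LSA Options byte, takes the tag layout from the text (top 4 bits 1101, low 16 bits the backbone AS number, 215 here), and runs the checks over a constructed database excerpt assembled from Examples 3-8 and 3-9 plus two invented entries.

```python
import re

# Assumed position of the down bit in the LSA Options field (this model's choice).
DN_BIT = 0x80
# Top nibble of the default domain-tag, as the text describes (binary 1101).
DEFAULT_TOP_NIBBLE = 0b1101


def default_domain_tag(backbone_asn):
    """Default domain-tag: top 4 bits 1101, low 16 bits the backbone AS number."""
    if not 0 <= backbone_asn <= 0xFFFF:
        raise ValueError("backbone AS number must fit in 16 bits")
    return (DEFAULT_TOP_NIBBLE << 28) | backbone_asn


def split_domain_tag(tag):
    """Decompose a 32-bit tag into (top 4 bits, middle 12 bits, low 16 bits)."""
    tag &= 0xFFFFFFFF
    return tag >> 28, (tag >> 16) & 0xFFF, tag & 0xFFFF


def tag_to_binary(tag):
    """Render a tag as four 8-bit groups, the way the text prints it."""
    bits = format(tag & 0xFFFFFFFF, "032b")
    return " ".join(bits[i:i + 8] for i in range(0, 32, 8))


def options_from_line(options_text):
    """Map the printed Options list to an Options byte; only the down bit matters here."""
    flags = [t.strip() for t in options_text.strip("() ").split(",")]
    return DN_BIT if "Downward" in flags else 0


def classify_lsas(db_text, local_tag):
    """Apply both PE loop-prevention rules to each LSA block of a database dump.

    A summary LSA with the down bit set, or an external LSA whose route tag
    equals the local domain-tag, was generated by another PE and must not be
    redistributed back into Multiprotocol BGP.
    """
    results = []
    for block in re.split(r"\n\s*\n", db_text.strip()):
        fields = dict(re.findall(r"^\s*([^:\n]+):\s*(.*)$", block, re.M))
        lsa_type = fields.get("LS Type", "")
        link_id = fields.get("Link State ID", "?").split()[0]
        if lsa_type.startswith("Summary"):
            ignore = bool(options_from_line(fields.get("Options", "")) & DN_BIT)
            reason = "down bit set" if ignore else "down bit clear"
        elif "External" in lsa_type:
            tag = int(fields.get("External Route Tag", "0"))
            ignore = tag == local_tag
            reason = "tag equals local domain-tag" if ignore else "tag differs from local domain-tag"
        else:
            ignore, reason = False, "no PE loop check applies"
        results.append({"type": lsa_type, "link_id": link_id,
                        "ignore": ignore, "reason": reason})
    return results


# Constructed excerpt: the first and third entries are trimmed from Examples 3-8
# and 3-9; the second and fourth are invented CE-originated LSAs (no down bit,
# tag 0) that a PE must keep and redistribute.
SAMPLE_DB = """\
  LS age: 401
  Options: (No TOS-capability, DC, Downward)
  LS Type: Summary Links(Network)
  Link State ID: 10.3.1.15 (summary Network Number)
  Advertising Router: 192.168.1.12

  LS age: 120
  Options: (No TOS-capability, DC)
  LS Type: Summary Links(Network)
  Link State ID: 10.3.2.0 (summary Network Number)
  Advertising Router: 10.3.2.1

  LS age: 1040
  Options: (No TOS-capability, DC)
  LS Type: AS External Link
  Link State ID: 192.168.2.16 (External Network Number)
  Advertising Router: 10.2.1.49
  External Route Tag: 3489661143

  LS age: 77
  Options: (No TOS-capability, DC)
  LS Type: AS External Link
  Link State ID: 172.16.5.0 (External Network Number)
  Advertising Router: 10.2.1.50
  External Route Tag: 0
"""

if __name__ == "__main__":
    local_tag = default_domain_tag(215)
    print(f"local domain-tag {local_tag} = {tag_to_binary(local_tag)}")
    for r in classify_lsas(SAMPLE_DB, local_tag):
        print(f"{r['type']:<24} {r['link_id']:<14} ignore={r['ignore']} ({r['reason']})")
```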

VPN Client Backdoor Links

When connecting VPN sites that run the OSPF protocol, you might assume that the data path between two sites is only available across the MPLS VPN backbone. This might not necessarily be the case, and many large VPNs today provide a backup path between sites. These paths are referred to as backdoor links, and they present a problem that must be addressed so that routing can be influenced based on policy. The presence of backdoor links is the major reason that OSPF might be desirable on the PE-CE links; the use of other protocols cannot achieve the desired connectivity goals.

Figure 3-8 shows a sample network that has backdoor links between customer sites. The EuroBank VPN sites are attached to the MPLS VPN backbone, but the customer also has deployed direct links between the sites. Because these links are to be used only for backup purposes, traffic should flow across the MPLS backbone if possible.

Figure 3-8. OSPF Backdoor Link




The backup links in the EuroBank network pose an interesting OSPF problem. All EuroBank sites are in the same OSPF area; therefore, the full connectivity within each site is advertised to all other sites. Route selection rules in OSPF dictate that the intra-area routes are preferred over the interarea routes, which means that all traffic between the sites will follow the intra-area path via the backdoor links. In other words, the EuroBank sites will never use the MPLS backbone for intersite traffic, unless, of course, the backdoor links become unavailable. Even worse, the PE routers will ignore the Multiprotocol BGP routes that they receive from other PE routers because they have an intra-area OSPF route advertised to them from the CE routers. Example 3-10 shows the selection of the backdoor path to reach the EuroBank Paris CE router from the San Jose PE router.

Example 3-10. Backdoor Link Selection Example

SanJose#show ip bgp vpnv4 all 196.7.25.1
BGP routing table entry for 100:251:196.7.25.1/32, version 58
Paths: (3 available, best #2)
  Advertised to non peer-group peers:
  194.22.15.1 194.22.15.3
  Local
    194.22.15.3 (metric 30) from 194.22.15.3 (194.22.15.3)
      Origin incomplete, metric 22, localpref 100, valid, internal
      Extended Community: RT:1:793 OSPF DOMAIN ID:0.0.0.101 OSPF RT:1:2:0 OSPF 2
  Local
    192.168.2.13 from 0.0.0.0 (194.22.15.2)
      Origin incomplete, metric 86, localpref 100, weight 32768, valid, sourced, best
      Extended Community: RT:1:793 OSPF DOMAIN ID:0.0.0.101 OSPF RT:1:2:0 OSPF 2
  Local
    194.22.15.1 (metric 30) from 194.22.15.1 (194.22.15.1)
      Origin incomplete, metric 11, localpref 100, valid, internal
      Extended Community: RT:1:793 OSPF DOMAIN ID:0.0.0.101 OSPF RT:1:2:0 OSPF 2

SanJose#show ip route vrf EuroBank 196.7.25.1
Routing entry for 196.7.25.1/32
  Known via "ospf 101", distance 110, metric 86, type intra area
  Redistributing via bgp 215
  Advertised by bgp 215
  Last update from 192.168.2.13 on Serial0/0/0, 00:00:17 ago
  Routing Descriptor Blocks:
  * 192.168.2.13, from 192.168.2.14, 00:00:17 ago, via Serial0/0/0
      Route metric is 86, traffic share count is 1

Using this example, you can see that the 196.7.25.1/32 prefix (which is the loopback address of the EuroBank Paris CE router) is learned via Multiprotocol BGP from the Paris and Washington PE routers and is inserted locally into Multiprotocol BGP at the San Jose PE router. The locally generated route is considered the best path within Multiprotocol BGP. However, examination of the EuroBank VRF routing table shows that the selected path is learned via OSPF with a next hop of 192.168.2.13, which is the EuroBank San Francisco CE router. This seemingly illogical route selection is made because the intra-area path is preferred over the interarea path generated by the San Jose PE router. In addition, OSPF has a lower administrative distance than internal BGP. This clearly shows that the MPLS VPN backbone will not be used for any intersite traffic, which will be carried exclusively by the backdoor links between the EuroBank sites. This default behavior is acceptable if the purpose of the connectivity into the MPLS VPN backbone is for backup purposes only. However, because this is generally not the case, the default behavior is not normally acceptable.

To overcome this issue, an extra (logical) intra-area link between the PE routers is introduced to the topology. This link, known as a sham-link, is established between the VRF loopback interfaces in the PE routers, and it is treated as an OSPF demand circuit that has no periodic flooding across the link.

OSPF PE-CE Sham-Link Support

The sham-link provides virtual intra-area connectivity across the MPLS VPN Superbackbone so that traffic can be attracted to the backbone rather than taking the backdoor link between sites. As previously stated, this logical link runs within VRFs of the same VPN between PE routers. An OSPF adjacency is created and database exchange (for the particular OSPF process) occurs across the link. This means that the PE router can flood Type 1 and Type 2 LSAs between sites across the MPLS VPN backbone, thereby creating the desired intra-area connectivity.

With a sham-link configured between PE routers, if the PE router receives an update via Multiprotocol BGP for a particular prefix, it will prefer the intra-area path for the same prefix, which is still learned across the sham-link. Therefore, the traffic will flow across the MPLS VPN backbone.

In our example topology of Figure 3-8, the EuroBank customer has backdoor links between most of its sites; therefore, sham-links are necessary to prevent intersite traffic from crossing the backdoor links. Because backdoor links exist between the San Francisco and Washington CE routers and the Washington and London CE routers, you should deploy sham-links between the PE routers to which the CE routers attach. In our example, this means that a sham-link is required between the San Jose and Washington PE routers and the Washington and Paris PE routers. Figure 3-9 shows the use of the sham-link functionality, but only between the San Jose and Washington PE routers for ease of illustration.

Figure 3-9. OSPF Sham-Link Deployment

Creation of sham-links for the EuroBank customer results in two separate sham-links: one between the San Jose PE router and the Washington PE router, and another between the Washington PE router and the Paris PE router. It is worth noting that no sham-link exists between the Paris PE router and the San Jose PE router. The reason for this is that no backdoor link exists between the EuroBank San Francisco and Paris sites; therefore, a sham-link is not strictly required. In practice, it might be easier from a provisioning and network management point of view to configure a sham-link between these two sites, thereby creating a full mesh of sham-links for the VPN. This results in unnecessary sham-links, but it does relieve the service provider from the burden of understanding which VPN site has backdoor links with which other VPN sites.

NOTE

A sham-link is required between any two sites that share a backdoor link. If no backdoor link exists between the sites, then a sham-link is not required. If the MPLS VPN backbone is to be used for connectivity, then the OSPF cost of the sham-link must be better than any other path via the backdoor links between the VPN sites.
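The selection logic behind Example 3-10 and the cost rule in the preceding note can be exercised with a small model. This is an added example, not code from the book: it applies OSPF's route-type-before-cost rule and the RIB's administrative-distance rule to the 196.7.25.1/32 prefix, using the backdoor metric 86 and MP-BGP metric 22 from Example 3-10 and the sham-link cost 40 from the configuration that follows; the cost from the far end of the sham-link to the Paris CE is a constructed value.

```python
"""Why the backdoor link wins, and how a sham-link cost changes the outcome.

Added example, not code from the book. It models the two selection rules the
text relies on, applied to the EuroBank prefix 196.7.25.1/32 of Example 3-10:
OSPF ranks routes by type before cost (intra-area beats interarea whatever the
metrics), and the RIB then prefers the lower administrative distance (OSPF 110
over iBGP 200). The backdoor metric of 86, the MP-BGP metric of 22 and the
sham-link cost of 40 come from the examples; the cost from the far end of the
sham-link to the Paris CE is a constructed value.
"""
from dataclasses import dataclass

# OSPF route-type preference (RFC 2328, section 16.4.1): lower rank wins.
OSPF_RANK = {"intra-area": 0, "interarea": 1, "external-1": 2, "external-2": 3}
# Cisco IOS default administrative distances for the two sources involved.
ADMIN_DISTANCE = {"ospf": 110, "ibgp": 200}


@dataclass(frozen=True)
class Candidate:
    protocol: str    # "ospf" or "ibgp"
    route_type: str  # OSPF route type; "" for a BGP path
    cost: int        # OSPF cost, or the MED carried in the MP-BGP path
    via: str         # which physical path this candidate stands for


def ospf_best(candidates):
    """OSPF route selection: lowest route-type rank first, then lowest cost."""
    ospf = [c for c in candidates if c.protocol == "ospf"]
    return min(ospf, key=lambda c: (OSPF_RANK[c.route_type], c.cost), default=None)


def rib_best(candidates):
    """RIB selection: each protocol offers its best path; lowest AD wins."""
    offers = {}
    if (best_ospf := ospf_best(candidates)) is not None:
        offers["ospf"] = best_ospf
    bgp = [c for c in candidates if c.protocol == "ibgp"]
    if bgp:
        offers["ibgp"] = min(bgp, key=lambda c: c.cost)
    return min(offers.values(), key=lambda c: ADMIN_DISTANCE[c.protocol])


def san_jose_paths(sham_link_cost=None, remote_cost=20):
    """Paths to 196.7.25.1/32 as the San Jose PE sees them.

    remote_cost (constructed) is the OSPF cost from the far end of the
    sham-link to the Paris CE loopback.
    """
    paths = [
        # Intra-area route learned from the San Francisco CE over the backdoor link.
        Candidate("ospf", "intra-area", 86, "backdoor"),
        # MP-BGP path from the Washington PE (metric 22 in Example 3-10).
        Candidate("ibgp", "", 22, "mp-bgp"),
        # The same path as the PE itself re-advertises it into OSPF: interarea,
        # so it loses to the intra-area backdoor route even though it is cheaper.
        Candidate("ospf", "interarea", 22, "mp-bgp-as-interarea"),
    ]
    if sham_link_cost is not None:
        # With a sham-link the backbone path is intra-area as well, so cost decides.
        paths.append(Candidate("ospf", "intra-area", sham_link_cost + remote_cost, "sham-link"))
    return paths


def max_useful_sham_cost(backdoor_cost, remote_cost):
    """Highest sham-link cost that still keeps intersite traffic on the backbone."""
    return backdoor_cost - remote_cost - 1


if __name__ == "__main__":
    for label, cost in (("no sham-link", None), ("sham-link cost 40", 40), ("sham-link cost 90", 90)):
        print(f"{label:18s}-> traffic follows the {rib_best(san_jose_paths(cost)).via} path")
```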


OSPF Sham-Link Configuration

A separate loopback interface inside the VRF is required for each VRF that is to be connected to other PE routers using sham-links. This loopback interface is used as an endpoint address for the sham-link. The same loopback interface in a VRF can be used to terminate any number of sham-links. (There is no requirement for a different loopback address per sham-link within the same VRF.) This loopback address should not be redistributed into Multiprotocol BGP because the sham-link endpoint address is distributed between PE routers using the OSPF extended community attribute with route-type 129. Example 3-11 shows the configuration necessary for the creation of a sham-link between the San Jose and Washington PE routers from Figure 3-9.

Example 3-11. OSPF Sham-Link Configuration

hostname SanJose
!
interface loopback 1
 description ** interface for sham-link to Washington
 ip vrf forwarding EuroBank
 ip address 10.2.1.2 255.255.255.255
!
router ospf 101 vrf EuroBank
 area 1 sham-link 10.2.1.2 196.7.26.2 cost 40

hostname Washington
!
interface loopback 1
 description ** interface for sham-link to San Jose
 ip vrf forwarding EuroBank
 ip address 196.7.26.2 255.255.255.255
!
router ospf 101 vrf EuroBank
 area 1 sham-link 196.7.26.2 10.2.1.2 cost 40

The area command is used to create the sham-link, and the source and destination loopback interfaces identify the two endpoints of the sham-link. An OSPF cost must be associated with the sham-link so that shortest path first (SPF) can use it to calculate the shortest path. If the cost of the sham-link is better than any backdoor link between sites, then intersite traffic flows across the MPLS VPN backbone. If the cost is higher than the backdoor link path, then intersite traffic flows across the backdoor link. This behavior provides flexibility within the OSPF topology. You can manipulate traffic flow based on administrator-controlled policy (OSPF costs) rather than on the intra-area versus interarea rule. The show ip ospf sham-link command shown in Example 3-12 can now be used to check that the sham-link from Example 3-11 has been successfully created.

Example 3-12. show ip ospf sham-link Command Output

SanJose#show ip ospf sham-link
Sham Link OSPF_SL0 to address 196.7.26.2 is up
Area 1 source address 10.2.1.2
  Run as demand circuit
  DoNotAge LSA allowed. Cost of using 40 State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40,
    Hello due in 00:00:04
    Adjacency State FULL (Hello suppressed)
    Index 2/2, retransmission queue length 4, number of retransmission 0
    First 0x63311F3C(205)/0x63311FE4(59) Next 0x63311F3C(205)/0x63311FE4(59)
    Last retransmission scan length is 0, maximum is 0
    Last retransmission scan time is 0 msec, maximum is 0 msec
    Link State retransmission due in 360 msec

The output from the previous example confirms that the sham-link is active and that it runs as a demand circuit. (No periodic flooding occurs across the link, and hellos are suppressed.) The newly created sham-link is advertised within the PE router's Type 1 LSA as an unnumbered point-to-point connection between two PE routers. This is illustrated in Example 3-13.


Example 3-13. Sham-Link Representation Within the OSPF Database

SanJose#show ip ospf data router 10.2.1.2

            OSPF Router with ID (10.2.1.2) (Process ID 101)

                Router Link States (Area 1)

  LS age: 527
  Options: (No TOS-capability, DC)
  LS Type: Router Links
  Link State ID: 10.2.1.2
  Advertising Router: 10.2.1.2
  LS Seq Number: 8000001F
  Checksum: 0x4CEB
  Length: 60
  Area Border Router
  AS Boundary Router
  Number of Links: 3

    Link connected to: another Router (point-to-point)
     (Link ID) Neighboring Router ID: 196.7.26.2
     (Link Data) Router Interface address: 0.0.0.18
      Number of TOS metrics: 0
       TOS 0 Metrics: 1
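A sham-link that is configured on only one PE, with mismatched endpoints or costs, or whose endpoint is not a /32 loopback in the VRF, silently leaves intersite traffic on the backdoor link. The following is an added example, not code from the book or from Cisco IOS: it parses the two PE configurations of Example 3-11 and the show ip ospf sham-link output of Example 3-12 (both reproduced here as constructed strings) and reports those mistakes, and it is equally applicable to any other PE pair and VRF.

```python
"""Consistency check for an OSPF sham-link between two PE routers.

Added example, not code from the book or Cisco IOS: parses the
'area <id> sham-link <src> <dst> cost <n>' statements and VRF loopbacks of
both PE configurations (Example 3-11) and the 'show ip ospf sham-link'
output (Example 3-12), reporting what would leave traffic on the backdoor
link: an endpoint not mirrored on the peer, a differing area or cost, an
endpoint that is not a /32 loopback in the VRF, or a link not up and FULL.
"""
import re

# Constructed from Example 3-11 (description lines omitted).
SANJOSE_CFG = """\
hostname SanJose
!
interface loopback 1
 ip vrf forwarding EuroBank
 ip address 10.2.1.2 255.255.255.255
!
router ospf 101 vrf EuroBank
 area 1 sham-link 10.2.1.2 196.7.26.2 cost 40
"""
WASHINGTON_CFG = """\
hostname Washington
!
interface loopback 1
 ip vrf forwarding EuroBank
 ip address 196.7.26.2 255.255.255.255
!
router ospf 101 vrf EuroBank
 area 1 sham-link 196.7.26.2 10.2.1.2 cost 40
"""
# Constructed from Example 3-12 (only the lines the check reads).
SANJOSE_SHOW = """\
Sham Link OSPF_SL0 to address 196.7.26.2 is up
Area 1 source address 10.2.1.2
  Run as demand circuit
  DoNotAge LSA allowed. Cost of using 40 State POINT_TO_POINT,
    Adjacency State FULL (Hello suppressed)
"""
SHAM_RE = re.compile(r" area (\S+) sham-link (\S+) (\S+) cost (\d+)")


def parse_pe_config(text):
    """Return (hostname, {loopback addr: (vrf, mask)}, [(vrf, area, src, dst, cost)])."""
    hostname, loopbacks, sham_links = None, {}, []
    section, vrf = None, None  # config block being read and its VRF
    for line in text.splitlines():
        if line.startswith("hostname "):
            hostname = line.split()[1]
        elif line.lower().startswith("interface loopback"):
            section, vrf = "loopback", None
        elif line.startswith("router ospf ") and " vrf " in line:
            section, vrf = "ospf", line.split(" vrf ")[1].strip()
        elif not line.startswith(" "):
            section = None  # '!', non-loopback interfaces, anything else
        elif section == "loopback" and line.startswith(" ip vrf forwarding "):
            vrf = line.split()[3]
        elif section == "loopback" and line.startswith(" ip address "):
            loopbacks[line.split()[2]] = (vrf, line.split()[3])
        elif section == "ospf" and SHAM_RE.match(line):
            area, src, dst, cost = SHAM_RE.match(line).groups()
            sham_links.append((vrf, area, src, dst, int(cost)))
    return hostname, loopbacks, sham_links


def check_sham_link_pair(cfg_a, cfg_b):
    """Cross-check every sham-link on PE A against PE B; an empty list means OK."""
    host_a, loops_a, links_a = parse_pe_config(cfg_a)
    host_b, _, links_b = parse_pe_config(cfg_b)
    problems = [] if links_a else [f"{host_a}: no sham-link configured"]
    for vrf, area, src, dst, cost in links_a:
        # The local endpoint must be a host-route loopback inside the same VRF.
        if loops_a.get(src) != (vrf, "255.255.255.255"):
            problems.append(f"{host_a}: endpoint {src} is not a /32 loopback in VRF {vrf}")
        # The peer must hold the mirror image, in the same area, with the same cost.
        mirror = [l for l in links_b if l[0] == vrf and l[2] == dst and l[3] == src]
        if not mirror:
            problems.append(f"{host_b}: no sham-link {dst} -> {src} in VRF {vrf}")
        for _, area_b, _, _, cost_b in mirror:
            if (area_b, cost_b) != (area, cost):
                problems.append(f"mismatch {src}<->{dst}: area/cost {area}/{cost} vs {area_b}/{cost_b}")
    return problems


def check_sham_link_state(show_text, src, dst, cost):
    """Confirm 'show ip ospf sham-link' reports a usable link; an empty list means OK."""
    m = re.search(r"Sham Link \S+ to address (\S+) is (\S+)", show_text)
    if not m or m.group(1) != dst:
        return [f"no sham-link to {dst} in output"]
    problems = []
    if m.group(2) != "up":
        problems.append(f"sham-link to {dst} is {m.group(2)}")
    m = re.search(r"source address (\S+)", show_text)
    if not m or m.group(1) != src:
        problems.append(f"source address is not {src}")
    m = re.search(r"Cost of using (\d+)", show_text)
    if not m or int(m.group(1)) != cost:
        problems.append(f"running cost differs from configured cost {cost}")
    m = re.search(r"Adjacency State (\S+)", show_text)
    if not m or m.group(1) != "FULL":
        problems.append("adjacency is not FULL")
    if "Run as demand circuit" not in show_text:
        problems.append("link is not running as a demand circuit")
    return problems
```

Run the two checks with both PEs' configurations in each order and with the show output of each end; any string returned is a reason the backdoor link is still carrying the traffic.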




PE-CE Connectivity: Integrated IS-IS

Now that the enhancements to the OSPF protocol have been covered, it is time to introduce the first new protocol to be added to the list of PE-CE protocols: IS-IS. Although IS-IS is not expected to be one of the more widely deployed protocols for this type of connectivity due to its limited deployment within Enterprise networks, its availability as a PE-CE protocol might still be important in certain scenarios. For example, a VPN client might be running IS-IS on the internal network and might want to maintain the IS-IS topology when moving to an MPLS VPN environment. The primary reasons for this are similar to those discussed within the OSPF section:


Avoidance of having to redistribute IS-IS information into other protocols such as BGP-4 or RIP version 2 at the CE routers

Avoidance of having to learn/support another routing protocol such as BGP-4 at the network edge

Support for IS-IS is also important for the migration of an ISP, which uses IS-IS as its routing protocol, toward the MPLS VPN backbone, such as in the Carrier's Carrier architecture. This architecture is explained in more detail in Chapter 6, "Large-Scale Routing and Multiple Service Provider Connectivity."

IS-IS PE-CE Connectivity Requirements

IS-IS, like OSPF, is a link-state routing protocol, and it is widely adopted within the service provider community. The technical details of how IS-IS operates are outside the scope of this publication. Readers who require this level of detail should refer to the Cisco Press book IS-IS Network Design Solutions, written by Abe Martey.

As with the OSPF protocol, IS-IS can split a routing domain into a series of areas where interarea connectivity is achieved by interconnection across a Level 2 backbone, partially overlaying the individual Level 1 areas. In general, small IS-IS topologies are built within a single area, and this area includes all the routers within the routing domain. As the network increases in size, it is split into a Level 2 backbone and a number of Level 1 areas. Routers establish Level 1 adjacencies to perform routing within a local area (intra-area routing) and Level 2 adjacencies to perform routing between Level 1 areas (interarea routing). The IS-IS Level 2 backbone is created through connection of all Level 2 routers from all
t endin g int orteers adv eas, an andd dlocal t ach ect t o ur t he bone Leves el r12 r out erit. hWit hin a local yartea, tar opics ep loyarmeas ent at archit es,back Volu m e Ivia I praovid eader sw t he necessar oolsall rt hey out ern seed k now h ow t o r each all ot her r out er s w it hin t he ar ea, bu t t h ey k now not h in g about t o d ep loy and m ain t ain a secur e, hig hly av ailab le VPN. r out er s in ot her ar eas. MPLS and VPN Ar chit ect u res, Volum e I I , b eg in s w it h a br ief ref resher of t he MPLS VPN The ault of a Cisco r out er f orMPLS t h e firVPN st I SI Snect pr ocess t o be in cr geat ed int is egr t o act as of a Ar chditef ect u re.behav Par t ior I I descr ibes adv anced con iv it y includ t he at ion Lev el 12 r out er . This is b asically a com binat ion of Lev el 1 an d Level 2 . ( The r out er est ablishes ser v ice pr ovider access t echn olog ies ( dial, DSL, cab le, Et her net ) an d a v ariet y of r out in g botothocols Lev el( I1S-and el 2 ad jacencies anm d in mgaint s t w o wsepar at ek dat pr I S, Lev EI GRP, and OSPF) , ar t heain r eader it h t he nowabases: ledge ofone h owf or t ot he local Lev el 1 area an d anot her f or t he Level 2 back bone. ) You can configu r e t he r out er t o actissues as a int egr at e t h ese f eat ur es in t o t h e VPN b ack bon e. Part I I I det ails adv anced d ep loy m ent Lev el 1 g ( insecu t r a- rarea) t er only bot h ay st Lev el 1 andp rov a Lev el m 2 ust ( int terar ou tect er (tthe he includin it y , ourou t lining t he, nas ecessar eps t hreout sererv ice ider akeea) t o pr rot defaubone lt ) , orand as any an inatt er ar ea rVPN out ersitonly Because of ailin t his gr ang ofest optsecu ions,ritvyarf eat ious ions back t ached es, .and also det t he elat urcom es t obinat allow fororcon nect iv it y tcan be est ablish ederin . g. This par t also cov er s m ult i- car r ier MPLS VPN m e adv anced op ologies and filt deploy m en t s. 
Fin ally , Par t I V pr ov id es a m et hodology for ad van ced MPLS VPN Wit h t he in t r oduct ion of an MPLS VPN backb one b et w een VPN sit es, an add it ion al Lev el of t r oub leshoot ing . r out ing hier ar ch y ( r ef er r ed t o as Lev el 3) abov e Lev el 2 h as been ad ded ( sim ilar t o OSPF) . This add it ion al VPN levelAr ischit r equir so Volum t hat VPN es can r unuces ind ep enlat dent S- I S p r ocesses d lear n MPLS and ect ued res, e I I ,sitalso int rod t he est I adv ances in cu stan omer rint out es f rom ot her VPN sit es w it hout m aint aining a dir ect adjacency w it h t hose sit es. Wit egr at ion, secur it y, and t r oubleshoot ing feat u res essent ial t o p rov iding t h e adv anced h t h is

add it ion al level, t h e rou t ing hierar chy chan ges fr om Level 1 / Level 2 / Level 1 t o Lev el 1/ Lev el 2/ Lev el 3/ Level 2 / Level 1 . This g iv es v ariou s connect ivit y op t ions bet w een t h e PE rou t ers and CE r out er s. To h elp y ou und er st and how I S- I S mig ht be deploy ed, w e'll assum e t h at Eu r oBan k has d ecided t o mig rat e it s int ern al net w or k t o t he I S- I S p rot ocol an d ru n Level 1 - 2 ev er y w her e. Fast Foods also r uns I S- I S and at t aches t o t he Sup er Com MPLS VPN back bone, b ut it only r un s Lev el 2. This conn ect iv it y can b e seen in Figur e 3- 1 0. •

Figure 3-10. IS-IS PE-CE Connectivity Options

A VPN site can attach to the MPLS VPN backbone by using Level 1, Level 1-2, or Level 2 modes of operation. You will learn about each of these options and how they affect the routing between sites in the next sections.

Separation of IS-IS VPN Routing Information

As with all PE-CE connectivity options, the PE router needs to be able to provide separation between VPN clients. Separation of forwarding information is achieved through the use of VRFs. However, separation at the routing protocol level is also needed so that the PE router can identify which routing updates belong to which VPN clients. IS-IS uses the same mechanism as the OSPF protocol (as shown in Figure 3-3); that is, a separate process is required for each IS-IS VPN client. To support this mechanism, an extension to the router isis command has been provided, as shown in Example 3-14.

Example 3-14. Extension to router isis Command

SanJose(config)#router isis tag vrf vrf-name

The tag within the router isis command names the particular IS-IS process so that it can be referenced elsewhere in the configuration. This is necessary when you are assigning interfaces to the process using the ip router isis command. Example 3-15 shows the necessary configuration to create the EuroBank and Fast Foods IS-IS processes and to assign the relevant interfaces to these processes on the San Jose PE router.

Example 3-15. Configuration of IS-IS Process on PE Routers

hostname SanJose
!
ip vrf EuroBank
 rd 100:251
 route-target export 1:793
 route-target import 1:793
!
ip vrf FastFoods
 rd 100:269
 route-target export 1:821
 route-target import 1:821
!
interface Serial 3/0/0
 description ** interface to EuroBank San Francisco CE-router
 ip vrf forwarding EuroBank
 ip address 192.168.2.14 255.255.255.252
 ip router isis EuroBank
!
interface Serial 3/0/1
 description ** interface to FastFoods San Jose CE-router
 ip vrf forwarding FastFoods
 ip address 192.168.2.17 255.255.255.252
 ip router isis FastFoods
!
router isis EuroBank vrf EuroBank
 net 47.1234.0000.0000.0020.00
 metric-style wide
!
router isis FastFoods vrf FastFoods
 net 47.3456.0000.0001.0020.00
 metric-style wide

After all of the IS-IS processes have been created and the relevant interfaces have been associated with customer VRFs, the PE router can form a routing adjacency with the attached CE routers for the purposes of exchanging routing information.
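The separation described above only holds if every interface's ip router isis tag points at the IS-IS process that is bound to that interface's VRF. The following script is an added example, not code from the book or from Cisco: it parses a constructed configuration in the style of Example 3-15 (with one interface deliberately misbound) and reports any interface whose VRF and IS-IS tag disagree, any tag without a process, and any process bound to a VRF that is never defined. A binding of that kind is exactly what the per-VRF process is supposed to prevent, so it is worth catching before the configuration is pushed to a PE router. The configuration text and the hostnames in it are assumptions for the example.

```python
"""Audit IS-IS-process-to-VRF bindings in an IOS-style PE configuration.

Added example (not from the book). Checks that each `ip router isis <tag>`
interface sits in the VRF that `router isis <tag> vrf <vrf>` is bound to.
"""
import re

# Constructed sample configuration for a hypothetical PE. Serial 3/0/1 is in
# VRF FastFoods but is attached to the EuroBank IS-IS process on purpose, so
# the audit has something to report.
SAMPLE_CONFIG = """\
hostname SanJose
!
ip vrf EuroBank
 rd 100:251
!
ip vrf FastFoods
 rd 100:269
!
interface Serial 3/0/0
 ip vrf forwarding EuroBank
 ip address 192.168.2.14 255.255.255.252
 ip router isis EuroBank
!
interface Serial 3/0/1
 ip vrf forwarding FastFoods
 ip address 192.168.2.17 255.255.255.252
 ip router isis EuroBank
!
router isis EuroBank vrf EuroBank
 net 47.1234.0000.0000.0020.00
 metric-style wide
!
router isis FastFoods vrf FastFoods
 net 47.3456.0000.0001.0020.00
 metric-style wide
"""


def parse_config(text):
    """Return (vrfs, interfaces, processes) parsed from an IOS-style config."""
    vrfs = set()
    interfaces = {}   # interface name -> {"vrf": vrf or None, "isis": tag or None}
    processes = {}    # IS-IS tag ("" if untagged) -> VRF name, None if global
    block = None      # interface block currently open, if any
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            block = None
            continue
        if not line.startswith(" "):          # top-level command
            block = None
            m = re.match(r"ip vrf (\S+)$", line)
            if m:
                vrfs.add(m.group(1))
                continue
            m = re.match(r"interface (.+)$", line)
            if m:
                block = m.group(1).strip()
                interfaces[block] = {"vrf": None, "isis": None}
                continue
            m = re.match(r"router isis(?: (\S+))?(?: vrf (\S+))?$", line)
            if m:
                processes[m.group(1) or ""] = m.group(2)
            continue
        if block is not None:                 # sub-command of an interface
            sub = line.strip()
            m = re.match(r"ip vrf forwarding (\S+)$", sub)
            if m:
                interfaces[block]["vrf"] = m.group(1)
            m = re.match(r"ip router isis(?: (\S+))?$", sub)
            if m:
                interfaces[block]["isis"] = m.group(1) or ""
    return vrfs, interfaces, processes


def audit(text):
    """Return a list of findings; an empty list means the bindings are consistent."""
    vrfs, interfaces, processes = parse_config(text)
    findings = []
    for tag, vrf in processes.items():
        if vrf is not None and vrf not in vrfs:
            findings.append(f"router isis {tag}: bound to undefined VRF {vrf}")
    for name, attrs in interfaces.items():
        tag, vrf = attrs["isis"], attrs["vrf"]
        if tag is None:
            continue                          # interface does not run IS-IS
        if tag not in processes:
            findings.append(f"{name}: ip router isis {tag} has no matching process")
        elif processes[tag] != vrf:
            findings.append(f"{name}: in VRF {vrf} but IS-IS tag {tag} "
                            f"is bound to VRF {processes[tag]}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against a real configuration by replacing SAMPLE_CONFIG with the output of show running-config; an interface with no ip vrf forwarding is treated as global and must therefore reference a process with no vrf keyword.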

Propagation of IS-IS Routes Within Multiprotocol BGP

After all of the relevant IP prefix information has been collected from the attached VPN site, it is necessary to distribute this to other PE routers within the network so that full connectivity can be provided to the VPN customer. This, as with all other PE-CE routing protocols other than BGP-4, requires redistribution from the VRF into Multiprotocol BGP. It is achieved by using the redistribute command within the BGP process. An example of this redistribution for the EuroBank VPN is given in Example 3-16, which shows that both Level 1 and Level 2 routes should be redistributed from the VRF. The IS-IS cost is automatically transferred into the BGP MED attribute during the redistribution process.

Example 3-16. Redistribution of IS-IS Routes into Multiprotocol BGP

router bgp 10
!
 address-family ipv4 vrf EuroBank
  redistribute isis EuroBank vrf EuroBank level-1-2
  no auto-summary
  no synchronization
  exit-address-family
!

NOTE To get locally connected interfaces that are within the VRF into Multiprotocol BGP, it is necessary to configure redistribute connected within the BGP address family for that VRF.

After the VPN prefix information has been imported into any receiving VRFs at remote PE routers, you must apply redistribution once again so that the information can be advertised to any attached CE routers that reside within the VPN. Example 3-17 shows the necessary configuration for this redistribution within the EuroBank VPN.

Example 3-17. Redistribution from VRF into IS-IS Process

router isis EuroBank vrf EuroBank
 net 47.1234.0000.0000.0020.00
 redistribute bgp 10 metric transparent level-1-2
 metric-style wide

NOTE The transparent keyword within the configuration of the previous example tells the PE router to redistribute the Multiprotocol BGP routes into IS-IS with the metric carried in the MED attribute of the BGP route. If the metric is nonzero, then the same metric is used within the IS-IS LSP. If the metric is zero, then the default IS-IS metric is used.

With the level-1-2 keyword configured on the redistribute bgp command, the Multiprotocol BGP routes are redistributed as external IS-IS routes into both the Level 1 and Level 2 IS-IS topology databases.

After the redistribution has been configured within the relevant IS-IS routing process, any routes that were learned via Multiprotocol BGP and were installed within the VRF are advertised toward the relevant CE routers.
Level 1-2 PE Router to CE Router Connectivity

Now that you have learned the basic configuration steps for implementing IS-IS as a PE-CE routing protocol, you can move on to how different topologies are deployed.

The first type of IS-IS connectivity to consider is Level 1-2. This is the default mode on a Cisco router, and the EuroBank VPN is using this mode of operation for all its internal connectivity. Because this is the default, no additional configuration is necessary beyond that which was configured in Example 3-15. Therefore, within the EuroBank VPN, the San Francisco, Washington, Paris, and London CE routers, and the IS-IS processes that are associated with this VPN on the SuperCom PE routers, are all using an is-type of Level 1-2, as illustrated in Figure 3-11.

Figure 3-11. EuroBank Level 1-2 IS-IS Topology

You can view the topology of the routers within the EuroBank VPN by using the show isis topology command. You can view the adjacency formation by using the show clns neighbors command, as shown in Examples 3-18 and 3-19. These examples show only the local site connectivity on the San Jose PE router because no routes at this point have been distributed between EuroBank sites across the MPLS VPN backbone.

Example 3-18. show isis topology Output for EuroBank VPN

SanJose#show isis topology

Area EuroBank:
IS-IS paths to level-1 routers
System Id            Metric     Next-Hop             Interface   SNPA
SanFrancisco         10         SanFrancisco         Se3/0/0     *HDLC*
SanJose              --

IS-IS paths to level-2 routers
System Id            Metric     Next-Hop             Interface   SNPA
SanFrancisco         10         SanFrancisco         Se3/0/0     *HDLC*
SanJose              --

Example 3-19. show clns neighbors Output

SanJose#show clns neighbors

Area EuroBank:
System Id      Interface   SNPA        State  Holdtime  Type Protocol
SanFrancisco   Se3/0/0     *HDLC*      Up     26        L1L2 IS-IS

SanJose#show clns neighbors detail

Area EuroBank:
System Id      Interface   SNPA        State  Holdtime  Type Protocol
SanFrancisco   Se3/0/0     *HDLC*      Up     28        L1L2 IS-IS
  Area Address(es): 47.1234
  IP Address(es):  192.168.2.13*
  Uptime: 00:00:36

At this stage of the deployment, the San Francisco EuroBank CE router should see all routers within its local site in addition to the San Jose PE router. Because both the PE router and the CE router are running Level 1-2, all routes that are reachable within the site should be seen within both the Level 1 and the Level 2 link-state database. Example 3-20 confirms this and shows that the San Francisco CE router has Level 1 and Level 2 link-state packets (LSPs) from the San Jose PE router.
and m ain t ain a secur e, hig hly av ailab le VPN. San MPLS and VPN Ar chit ect u res, Volum e I I , b eg in s w it h a br ief ref resher of t he MPLS VPN Ar ch it ect u re. Par t I I descr ibes adv anced MPLS VPN con nect iv it y includ in g t he int egr at ion of Exa m pl e 3 - 2access 0 . Le ve l 1olog - 2 ies Da(tdial, a baDSL, se f cab or le, EuEt r oBan CE t ey rof r out in g ser v ice pr ovider t echn her net )k an d aRou v ariet pr ot ocols ( I S- I S, EI GRP, and OSPF) , ar m in g t he r eader w it h t he k now ledge of h ow t o int egr at e t h ese f eat ur es in t o t h e VPN b ack bon e. Part I I I det ails adv anced d ep loy m ent issues includin g secu r it y , ou t lining t he n ecessar y st eps t h e ser v ice p rov ider m ust t ake t o p rot ect t he SanFrancisco# show isis database back bone and any at t ached VPN sit es, detail and also det ailin g t he lat est secu rit y f eat ur es t o allow m or e adv anced t op ologies and filt erin g. This par t also cov er s m ult i- car r ier MPLS VPN deploy m en t s. Fin ally , Par t I V pr ov id es a m et hodology for ad van ced MPLS VPN t r oub leshoot ing . IS-IS Level-1 Link State Database: MPLS and VPN Ar chit ect u res, Volum e I I , also int rod uces t he lat est adv ances in cu st omer LSPID Seq Num ingLSP LSPt o Holdtime int egr at ion, secur it y, andLSP t r oubleshoot featChecksum u res essent ial p rov iding t h eATT/P/OL adv anced

SanFrancisco.00-00 * 0x00000004

0x85CB

942

1/0/0

1065

1/0/0

Area Address: 47.1234 NLPID:

0xCC

Hostname: SanFrancisco • •

Table of Content s I ndex IP Address:

10.2.1.1

MP LS and V PN Ar chi te ctur e s, V olum e I I

Metric: By Jim Guichard10 , I van Pepelnjak IP , Jeff 192.168.2.12/30 Apcar Metric: 0

Pub lish er: Cisco Press

Pub Dat e: Ju ne Metric: 10

06, 2 00 3

IP 10.2.1.1/32 IS-Extended SanJose.00

I SBN: 1- 58 705 -1 12 -5 Pages: 50 4 SanJose.00-00

0x00000003

0xBE4C

Area Address: 47.1234 NLPID:

0xCC

  Hostname: SanJose
  IP Address:   196.7.25.3
  Metric: 10         IP 192.168.2.12/30
  Metric: 0          IP 196.7.25.3/32
  Metric: 10         IS-Extended SanFrancisco.00

IS-IS Level-2 Link State Database:
LSPID                 LSP Seq Num  LSP Checksum  LSP Holdtime      ATT/P/OL
SanFrancisco.00-00  * 0x00000002   0xDC7E        925               0/0/0
  Area Address: 47.1234
  NLPID:        0xCC
  Hostname: SanFrancisco
  IP Address:   10.2.1.1
  Metric: 10         IS-Extended SanJose.00
  Metric: 0          IP 10.2.1.1/32
  Metric: 10         IP 192.168.2.12/30
SanJose.00-00         0x00000004   0x050A        1058              0/0/0
  Area Address: 47.1234
  NLPID:        0xCC
  Hostname: SanJose
  IP Address:   196.7.25.3
  Metric: 10         IS-Extended SanFrancisco.00
  Metric: 0          IP 196.7.25.3/32
  Metric: 10         IP 10.2.1.1/32
  Metric: 10         IP 192.168.2.12/30

IS-IS always prefers Level 1 (intra-area) routes to Level 2 (inter-area) routes for the same prefix, regardless of metric. In our example, this means that the EuroBank San Francisco CE router selects the Level 1 route over the Level 2 route for any prefix it learns from the San Jose PE router at both levels. The previous example showed that the only route originated at the San Jose PE router is 196.7.25.3/32, and that it was advertised at both Level 1 and Level 2. Example 3-21 shows that the San Francisco CE router has selected the Level 1 path for this prefix.

Example 3-21. San Francisco CE Router Level 1-2 Route Selection

SanFrancisco# show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

     196.7.25.0/32 is subnetted, 1 subnets
i L1    196.7.25.3 [115/10] via 192.168.2.14, Serial1/0
     10.0.0.0/32 is subnetted, 1 subnets
C       10.2.1.1 is directly connected, Loopback0
     192.168.2.0/30 is subnetted, 1 subnets
C       192.168.2.12 is directly connected, Serial1/0

Now that all the local site routes have been learned, you must redistribute them from within the VRF into Multiprotocol BGP so that other PE routers can import them. An example of how to configure this redistribution was shown earlier. After the redistribution has been completed, any routes learned from the San Francisco CE router, or from locally attached VRF interfaces associated with the EuroBank IS-IS process, are carried within Multiprotocol BGP (see Example 3-22). The example also shows the output of debug isis vrf, which you can use to confirm that the routes are passed to Level 3 (the MPLS VPN backbone) and advertised by Multiprotocol BGP.

Example 3-22. IS-IS Routes Carried Within Multiprotocol BGP

SanJose# show ip bgp vpnv4 vrf EuroBank
BGP table version is 54, local router ID is 194.22.15.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 100:251 (default for vrf EuroBank)
*> 10.2.1.1/32      192.168.2.13            10         32768 ?
*> 192.168.2.12/30  0.0.0.0                  0         32768 ?

SanJose# show ip bgp vpnv4 vrf EuroBank 10.2.1.1
BGP routing table entry for 100:251:10.2.1.1/32, version 54
Paths: (1 available, best #1, table EuroBank)
  Advertised to non peer-group peers:
  194.22.15.3 192.168.1.14
  Local
    192.168.2.13 from 0.0.0.0 (194.22.15.2)
      Origin incomplete, metric 10, localpref 100, weight 32768, valid, sourced, best
      Extended Community: RT:1:793

SanJose# debug isis vrf
5d22h: ISIS-VRF: EuroBank:Adv(ISIS=>BGP VPN) 10.2.1.1/32, L3
5d22h: ISIS-VRF: EuroBank:Adv(ISIS=>BGP VPN) 192.168.2.12/30, L3

It is also necessary to redistribute any remote EuroBank routes into the local site at the PE router. Example 3-23 shows debugging output that confirms successful redistribution of Multiprotocol BGP routes into the Level 1 and Level 2 IS-IS topology databases, followed by the San Francisco CE router's routing table after this redistribution has been performed at the San Jose PE router.

Example 3-23. San Francisco CE Router After Redistribution

SanJose#debug isis vrf
5d22h: ISIS-VRF: EuroBank:Learn(ISIS 196.7.24.0/25

[...]

                    192.168.2.41
*> 196.7.25.0/25    192.168.2.41
Route Distinguisher: 10:2512 (default for vrf EuroBank_Retail)
*> 192.168.2.44/30  192.168.2.45             0             0 65200 65001 ?
*> 192.168.2.52/30  192.168.2.45             0             0 65200 65001 ?
*> 196.7.24.128/25  192.168.2.45             1             0 65200 65001 ?
*> 196.7.25.128/25  192.168.2.45             0             0 65200 65001 ?

Similarly, the CE router prepends the autonomous system number configured with the neighbor local-as command to all incoming BGP updates, so every prefix received from the PE router carries an AS path of 65100 10 rather than 10, as shown in Example 4-12.

Example 4-12. Local Autonomous System Number Prepended to Incoming BGP Updates

Paris#show ip bgp vpnv4 vrf Trading
BGP table version is 56, local router ID is 192.168.252.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 1:1 (default for vrf Trading)
*> 192.168.2.12/30  192.168.2.42                           0 65100 10 ?
*> 192.168.2.32/30  192.168.2.42                           0 65100 10 ?
*> 192.168.2.40/30  0.0.0.0                  0         32768 ?
*> 192.168.2.48/30  0.0.0.0                  0         32768 ?
*> 196.7.24.0/25    192.168.2.50             1         32768 ?
*> 196.7.25.0/25    0.0.0.0                  0         32768 ?
*> 196.7.26.0/25    192.168.2.42                           0 65100 10 ?

The presence of an extra autonomous system number in the AS path might interfere with BGP loop prevention in other C (customer) routers. A BGP router rejects an incoming update whose AS path contains its own autonomous system number, so if the AS number configured with the neighbor local-as command on the CE router equals the BGP AS number of a C router behind it, that C router drops every update the CE router forwards to it, as Figure 4-8 demonstrates.

Figure 4-8. BGP Update Ignored Due to Extra Autonomous System Number in the Autonomous System Path

The following sequence of events occurs in Figure 4-8:

1. The PE router sends a VPN prefix to the CE router through BGP. Because the prefix was redistributed into BGP on another PE router, the AS path contains only the provider's autonomous system number (10).

2. A virtual autonomous system number is inserted into the AS path by the neighbor local-as command before the prefix is installed in the BGP table of the Paris CE router. The BGP entry on the Paris CE router therefore carries the AS path 65100 10.

3. The BGP prefix is propagated to a C router in the Paris Trading site. The real autonomous system number of the Paris CE router is prepended to the AS path, resulting in an AS path of 65001 65100 10.

4. The Paris Trading C router rejects the BGP update because the update contains its own autonomous system number (65100).

This issue was solved in Cisco IOS releases 12.2T and 12.0ST with the addition of the no-prepend option of the neighbor local-as command, described in Table 4-3.

Table 4-3. Disabling Prepending of neighbor local-as Autonomous System Number on Incoming BGP Updates

Command Syntax                                         Description
neighbor ip-address local-as as-number [no-prepend]    Configures the router not to prepend the local autonomous system number to routes that are received from external peers
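To make the loop-prevention behaviour of Figure 4-8 concrete, the following Python script is an added example (it is not from the book) that models the AS-path handling of the three routers: the PE router in provider AS 10, the Paris CE router in AS 65001 with neighbor local-as 65100 toward the PE router, and the Trading C router whose real AS is 65100. It applies the standard BGP rule that a speaker discards an update whose AS path already contains its own AS number, and models the IOS local-as behaviour as inserting the virtual AS into received updates unless no-prepend is set. The prefixes 10.2.1.0/25 and 196.7.24.0/25 are taken from Examples 4-12 and 4-14; the update walk is a simplification with no best-path selection and no iBGP.

```python
"""Added example: how 'neighbor local-as' interacts with BGP AS-path loop
prevention (Figure 4-8), and what the no-prepend option changes.

Constructed scenario following the chapter's numbering: provider AS 10,
Paris CE router AS 65001 using 'neighbor ... local-as 65100' toward the PE in
the Trading VRF, and a Trading C router whose real AS is 65100.
"""
from dataclasses import dataclass

PROVIDER_AS = 10
CE_AS = 65001        # real AS of the Paris CE router
LOCAL_AS = 65100     # AS the PE router expects the CE to be (neighbor local-as)
C_ROUTER_AS = 65100  # real AS of the customer's Trading C router


@dataclass(frozen=True)
class Update:
    prefix: str
    as_path: tuple  # leftmost element is the most recently prepended AS


def receive(update, my_as, local_as=None, no_prepend=False):
    """Inbound processing on a BGP speaker.

    If 'neighbor local-as' is configured on the session (local_as), IOS inserts
    that AS number into the received path unless no-prepend is set. The update
    is then subject to loop detection: a path containing my_as is discarded.
    Returns the stored Update, or None if the update is rejected.
    """
    path = update.as_path
    if local_as is not None and not no_prepend:
        path = (local_as,) + path
    if my_as in path:
        return None  # loop detected: own AS already in the path
    return Update(update.prefix, path)


def send_ebgp(update, my_as):
    """Outbound eBGP processing: prepend our own AS number."""
    return Update(update.prefix, (my_as,) + update.as_path)


def send_to_pe(update, my_as, local_as):
    """Outbound toward a peer configured with 'neighbor local-as': the real AS
    is prepended first, then the local-as, so the PE sees 'local-as real-as'.
    no-prepend does not change this direction."""
    return Update(update.prefix, (local_as, my_as) + update.as_path)


def propagate(no_prepend):
    """Walk one provider prefix PE -> Paris CE -> Trading C router.

    Returns (path stored on the CE, path stored on the C router or None).
    """
    from_pe = Update("10.2.1.0/25", (PROVIDER_AS,))
    at_ce = receive(from_pe, CE_AS, local_as=LOCAL_AS, no_prepend=no_prepend)
    if at_ce is None:
        return None, None
    to_c = send_ebgp(at_ce, CE_AS)
    at_c = receive(to_c, C_ROUTER_AS)
    return at_ce.as_path, (None if at_c is None else at_c.as_path)


if __name__ == "__main__":
    for flag in (False, True):
        ce_path, c_path = propagate(no_prepend=flag)
        print(f"no-prepend={flag}: CE path {ce_path}, C router "
              f"{'rejects update' if c_path is None else c_path}")
    local = Update("196.7.24.0/25", ())  # prefix originated on the CE
    print("PE sees locally originated prefix with path",
          send_to_pe(local, CE_AS, LOCAL_AS).as_path)
```

Running propagate(no_prepend=False) returns the CE's stored path (65100, 10) and None for the C router, which is the rejection in step 4 of the sequence above; with no_prepend=True the CE stores (10,) and the C router accepts (65001, 10). send_to_pe shows what no-prepend does not change: prefixes originated behind the CE still reach the PE router with the path 65100 65001, matching the 65200 65001 entries seen earlier for the Retail VRF, so the PE router's view of the customer AS is unaffected by the fix.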

The no-prepend option of the neighbor local-as command prevents a BGP router that has neighbor local-as configured for a neighbor from prepending the neighbor local-as autonomous system number to BGP updates received from that neighbor. Updates sent toward that neighbor are unaffected: the local autonomous system number is still prepended on the way out, so the PE router continues to see the CE router as AS 65100. Using this option on the Paris router (the configuration is shown in Example 4-13) results in the desired BGP routing table, which is displayed in Example 4-14.

Example 4-13. Disabling Local Autonomous System Prepending on Incoming BGP Updates

router bgp 65001
 !
 address-family ipv4 vrf Trading
  neighbor 192.168.2.42 local-as 65100 no-prepend
 !
 address-family ipv4 vrf Retail
  neighbor 192.168.2.46 local-as 65200 no-prepend

Example 4-14. VRF BGP Routes on the Paris CE Router

Paris#show ip bgp vpnv4 all
BGP table version is 75, local router ID is 192.168.252.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 1:1 (default for vrf Trading)
*> 10.2.1.0/25      192.168.2.42                           0 10 ?
*> 192.168.2.12/30  192.168.2.42                           0 10 ?
*> 192.168.2.32/30  192.168.2.42                           0 10 ?
*> 192.168.2.40/30  0.0.0.0                  0         32768 ?
*> 192.168.2.48/30  0.0.0.0                  0         32768 ?
*> 196.7.24.0/25    192.168.2.50             1         32768 ?
*> 196.7.25.0/25    0.0.0.0                  0         32768 ?
*> 196.7.26.0/25    192.168.2.42                           0 10 ?
Route Distinguisher: 1:2 (default for vrf Retail)
*> 10.2.1.129/32    192.168.2.46                           0 10 ?
*> 192.168.2.16/30  192.168.2.46                           0 10 ?
*> 192.168.2.36/30  192.168.2.46                           0 10 ?
*> 192.168.2.44/30  0.0.0.0                  0         32768 ?
*> 192.168.2.52/30  0.0.0.0                  0         32768 ?
*> 196.7.24.128/25  192.168.2.54             1         32768 ?
*> 196.7.25.128/25  0.0.0.0                  0         32768 ?
*> 196.7.26.129/32  192.168.2.46                           0 10 ?

Complex Virtual Router Setups

The multi-VRF examples introduced so far have implemented simple VPN topologies in which the individual VPNs and their associated VRFs were completely isolated. By using additional MPLS VPN-related Cisco IOS features, you can extend these scenarios to more complex topologies implemented within a single CE router, while remaining isolated from the complexities of the MPLS VPN backbone.

Consider another request of the EuroBank customer, illustrated in Figure 4-9. The trading floor and retail banking at the San Francisco site must be clearly separated, but both require access to a common file server located at the same site. This server must not be reachable by trading or retail employees located at other sites.

Figure 4-9. San Francisco Connectivity Requirements



The connectivity requirements are easily implemented with the overlapping VPN topology introduced in Chapter 12, "Advanced MPLS/VPN Topologies," of MPLS and VPN Architectures (Volume I). The initial approach to the San Francisco CE router configuration would involve configuring the VRFs with appropriate route distinguishers and route targets, as shown in Example 4-15.

Example 4-15. Overlapping VPN Configuration on the San Francisco CE Router

ip vrf CommonServer
 rd 1:3
 route-target export 1:3
 route-target import 1:3
 route-target import 1:1
 route-target import 1:2
!
ip vrf Retail
 rd 1:2
 route-target export 1:2
 route-target import 1:3
 route-target import 1:2
!
ip vrf Trading
 rd 1:1
 route-target export 1:1
 route-target import 1:3
 route-target import 1:1

After properly configuring all the VRFs and route targets, you would probably be surprised to learn that the routes are not propagated between the VRFs. This is a result of the fact that inter-VRF route import and export works only through Multiprotocol BGP. To enable route propagation between these VRFs, you must configure the BGP routing process on the CE router and redistribute the VRF routes into the per-VRF BGP address family. You must perform these configuration steps even though BGP is not used for peering sessions or for advertisement of routes to other routers.
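The route-target logic that Example 4-15 relies on, and the reason nothing is exchanged until per-VRF BGP address families with redistribute connected are added, can be checked before touching a router. The following Python script is an added example (it is not the book's configuration or code) that models the matching: a VRF's connected prefixes enter Multiprotocol BGP only if that VRF has an address family with redistribute connected, tagged with the VRF's export route targets, and a VRF imports an entry when any of its import route targets matches. The VRF names, route distinguishers and route targets are copied from Example 4-15; the connected prefixes are assumed for illustration.

```python
"""Added example: route-target import/export between the three VRFs of
Example 4-15 on the San Francisco CE router, and the effect of the per-VRF
BGP address families. Not the book's own code; the prefixes are assumed.
"""

# VRF definitions as in Example 4-15 (rd, export RTs, import RTs).
VRFS = {
    "Trading":      {"rd": "1:1", "export": {"1:1"}, "import": {"1:3", "1:1"}},
    "Retail":       {"rd": "1:2", "export": {"1:2"}, "import": {"1:3", "1:2"}},
    "CommonServer": {"rd": "1:3", "export": {"1:3"}, "import": {"1:3", "1:1", "1:2"}},
}

# Assumed connected prefixes per VRF (constructed, not from the book).
CONNECTED = {
    "Trading":      ["192.168.2.40/30"],
    "Retail":       ["192.168.2.44/30"],
    "CommonServer": ["10.2.1.0/25"],
}


def redistribute_connected(vrfs_with_bgp):
    """Model 'redistribute connected' under 'address-family ipv4 vrf X'.

    Only VRFs that have an address family hand their connected routes to BGP;
    each entry is keyed RD:prefix and tagged with the VRF's export RTs.
    """
    table = []
    for vrf in vrfs_with_bgp:
        for prefix in CONNECTED[vrf]:
            table.append({"rd": VRFS[vrf]["rd"], "prefix": prefix,
                          "origin": vrf, "rt": set(VRFS[vrf]["export"])})
    return table


def import_routes(table):
    """Per-VRF import: an entry is installed into every VRF whose import RT
    list intersects the entry's RTs. Returns {vrf: sorted (prefix, origin)}."""
    imported = {vrf: [] for vrf in VRFS}
    for entry in table:
        for vrf, cfg in VRFS.items():
            if entry["rt"] & cfg["import"]:
                imported[vrf].append((entry["prefix"], entry["origin"]))
    return {vrf: sorted(routes) for vrf, routes in imported.items()}


def reachability(vrfs_with_bgp):
    """Which VRF's routes are visible inside which VRF.

    Returns {(viewer_vrf, origin_vrf): bool}; the diagonal is the VRF's own
    connected routes, which it has regardless of BGP.
    """
    routes = import_routes(redistribute_connected(vrfs_with_bgp))
    return {(viewer, origin): viewer == origin
            or any(o == origin for _, o in routes[viewer])
            for viewer in VRFS for origin in VRFS}


if __name__ == "__main__":
    for label, vrfs in (("VRFs only, no BGP address families", []),
                        ("with per-VRF redistribute connected", list(VRFS))):
        print(label)
        matrix = reachability(vrfs)
        for viewer in VRFS:
            seen = [o for o in VRFS if matrix[(viewer, o)] and o != viewer]
            print(f"  {viewer:13s} sees routes from: {seen or 'nothing'}")
```

The matrix is the segmentation check you would want before deployment: Trading and Retail each see CommonServer and never each other, CommonServer sees both, and with the VRFs alone (no address families) every off-diagonal entry is False, which is the surprise described above. The diagonal is the VRF's own connected routes, which exist regardless of BGP.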

NOTE

Configuration of a VPNv4 address family is not required because the CE router does not peer with any VPNv4 BGP neighbors.

When this redistribution is configured (shown in Example 4-16), the routes are imported into the desired VRFs, as Example 4-17 demonstrates.

Example 4-16. BGP Configuration on the San Francisco CE Router

router bgp 65002
 address-family ipv4 vrf Trading
  redistribute connected
 !
 address-family ipv4 vrf Retail
  redistribute connected
 !
 address-family ipv4 vrf CommonServer
  redistribute connected
 !

Example 4-17. VRF Routing Table on the San Francisco CE Router

SanFrancisco#show ip route vrf CommonServer

Routing Table: CommonServer
Codes: C - connected, S - static, I - IGRP, R - RIP, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       * - candidate default, U - per-user static route, o - ODR

Gateway of last resort is not set

     10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
B

How 10.2.1.0/25 t o int egr at e v ar s r em ot e access t echn ologies in t o t h e back bone p r ovidin g VPN isiou directly connected, 00:07:41, Ethernet0/0 ser v ice t o m any d iff er ent t yp es of cu st om er s

C

10.2.2.0/24 is directly connected, Ethernet0/2 The n ew PE- CE r out in g op t ions as w ell as ot her adv anced f eat ur es, includ ing per- VPN Net w ork Ad dr ess Tr an slat ion ( PE- NAT) 10.2.1.128/25 is directly connected, 00:07:41, Ethernet0/1

B

How VRFs can be ex t ended int o a cust om er sit e t o pr ov ide sep ar at ion inside t he 192.168.2.0/30 is subnetted, 2 subnets cust om er net w ork B B

192.168.2.12 directly 00:07:41, The lat est MPLS VPNis secur it y f eat uconnected, res an d d esign s aim ed at Serial0/0.313 pr ot ect ing t h e MPLS VPN back bone 192.168.2.16 is directly connected, 00:07:41, Serial0/0.613 How t o carr y cust om er m ult icast t r aff ic insid e a VPN The lat est in t er - car rier enh ancem ent s t o allow f or easier and m or e scalable d ep loym ent of int er - car r ier MPLS VPN serv ices Adv anced t rou blesh oot ing t echn iques includ in g r ou t er out pu t s t o en su re high av ailab ilit y

NOTE

The configuration in Example 4-16 covers a simple setup with no C routers; therefore, the redistribution of connected routes into Multiprotocol BGP satisfies the design requirements. If the trading or retail site contained additional C routers, the routing protocol used with these C routers would have to be redistributed into Multiprotocol BGP.

More in-depth exploration of the data structures on the San Francisco CE router reveals that the behavior of the San Francisco CE router mimics the behavior of a PE router even more closely, even though it remains a stand-alone multi-VRF device:

- There are multiple instances of the same BGP route with different route distinguishers, as shown in Example 4-18. (Local copies of the BGP route with route distinguishers equal to the VRF route distinguishers are generated automatically during the import process.)

Example 4-18. Multiprotocol BGP Table on the San Francisco CE Router

SanFrancisco#show ip bgp vpnv4 all
BGP table version is 17, local router ID is 196.7.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 1:1 (default for vrf Trading)
*> 10.2.1.0/25      0.0.0.0                  0         32768 ?
*> 10.2.2.0/24      0.0.0.0                  0         32768 ?
*> 192.168.2.12/30  0.0.0.0                  0         32768 ?
Route Distinguisher: 1:2 (default for vrf Retail)
*> 10.2.1.128/25    0.0.0.0                  0         32768 ?
*> 10.2.2.0/24      0.0.0.0                  0         32768 ?
*> 192.168.2.16/30  0.0.0.0                  0         32768 ?
Route Distinguisher: 1:3 (default for vrf CommonServer)
*> 10.2.1.0/25      0.0.0.0                  0         32768 ?
*> 10.2.1.128/25    0.0.0.0                  0         32768 ?
*> 10.2.2.0/24      0.0.0.0                  0         32768 ?
*> 192.168.2.12/30  0.0.0.0                  0         32768 ?
*> 192.168.2.16/30  0.0.0.0                  0         32768 ?
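The import process just described, modelled as an added Python example (not code from the book): it takes the San Francisco VRFs with the RDs and connected prefixes shown above, applies an assumed route-target policy (the book configures the route targets in an earlier section, so the values here are an assumption chosen to reproduce Examples 4-17 and 4-18), and shows why the VRFs see nothing from each other until redistribution into the per-VRF BGP address family is configured.

```python
"""Added example, not the book's code: a small model of what the Multiprotocol
BGP process on the San Francisco multi-VRF CE router does with the
'redistribute connected' configuration of Example 4-16. VRF names, RDs and
connected prefixes are the ones shown in the chapter; the route-target
import/export policy is an ASSUMPTION (the book sets it up in an earlier
section) chosen so that the result matches Examples 4-17 and 4-18."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vrf:
    name: str
    rd: str
    export_rt: frozenset
    import_rt: frozenset
    connected: tuple = ()  # (prefix, outgoing interface) pairs


# Assumed VRF definitions: route targets use the same 1:n numbering as the RDs.
VRFS = [
    Vrf("Trading", "1:1", frozenset({"1:1"}), frozenset({"1:1", "1:3"}),
        (("10.2.1.0/25", "Ethernet0/0"), ("192.168.2.12/30", "Serial0/0.313"))),
    Vrf("Retail", "1:2", frozenset({"1:2"}), frozenset({"1:2", "1:3"}),
        (("10.2.1.128/25", "Ethernet0/1"), ("192.168.2.16/30", "Serial0/0.613"))),
    Vrf("CommonServer", "1:3", frozenset({"1:3"}), frozenset({"1:1", "1:2", "1:3"}),
        (("10.2.2.0/24", "Ethernet0/2"),)),
]


def export_connected(vrfs):
    """'redistribute connected' under each 'address-family ipv4 vrf': every
    connected prefix becomes a VPNv4 route keyed by its VRF's RD, carrying the
    VRF's export route targets, next hop 0.0.0.0 and origin '?' (incomplete)."""
    return [
        {"rd": v.rd, "prefix": prefix, "rt": v.export_rt, "vrf": v.name,
         "interface": ifc, "next_hop": "0.0.0.0", "origin": "?"}
        for v in vrfs for prefix, ifc in v.connected
    ]


def import_routes(vrfs, vpnv4):
    """The import process: a VRF accepts every VPNv4 route that carries at
    least one of its import route targets, and a local copy keyed by the
    importing VRF's own RD is created, which is why Example 4-18 lists the
    same prefix under several route distinguishers."""
    table = {}
    for v in vrfs:
        for r in vpnv4:
            if r["rt"] & v.import_rt:
                table.setdefault(v.rd, {})[r["prefix"]] = dict(r, rd=v.rd)
    return table


def bgp_vpnv4_table(vrfs):
    """Equivalent of 'show ip bgp vpnv4 all': {rd: sorted list of prefixes}."""
    imported = import_routes(vrfs, export_connected(vrfs))
    return {rd: sorted(prefixes) for rd, prefixes in imported.items()}


def vrf_routing_table(vrfs, redistribute_into_bgp):
    """Equivalent of 'show ip route vrf <name>': {vrf: {prefix: (code, interface)}}.
    With redistribute_into_bgp=False nothing is exported, so every VRF sees only
    its own connected routes; that is the surprise the text describes."""
    vpnv4 = export_connected(vrfs) if redistribute_into_bgp else []
    imported = import_routes(vrfs, vpnv4)
    tables = {}
    for v in vrfs:
        entries = {prefix: ("C", ifc) for prefix, ifc in v.connected}
        for prefix, route in imported.get(v.rd, {}).items():
            # Imported routes show up as BGP ('B') routes that still point at
            # the originating VRF's interface, as in Example 4-17.
            entries.setdefault(prefix, ("B", route["interface"]))
        tables[v.name] = entries
    return tables
```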
- Labels are allocated to the VRF routes (see Example 4-19) even though MPLS is not configured on an interface and no Multiprotocol BGP neighbors are configured.

Example 4-19. MPLS Forwarding Table on the San Francisco Router

SanFrancisco#show mpls forwarding-table
Local  Outgoing    Prefix              Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id        switched   interface
16     Aggregate   10.2.1.0/25[V]      0
17     Aggregate   192.168.2.12/30[V]  \
                                       0
18     Aggregate   10.2.1.128/25[V]    0
19     Aggregate   192.168.2.16/30[V]  \
                                       0
20     Aggregate   10.2.2.0/24[V]      0


Linking the Virtual Router with the MPLS VPN Backbone

The configuration examples in the previous section used the simplest possible connectivity between the multi-VRF CE router and the PE router: Frame Relay subinterfaces. This connectivity type, or other connectivity types where you can configure subinterfaces on the same physical interface (such as VLAN-based Ethernet, Fast Ethernet, or Gigabit Ethernet connectivity), is highly recommended because such links are simple to configure and produce almost no undesired side effects (apart from the IP quality of service, or QoS, configuration, which might be more complex than an equivalent configuration on a point-to-point link). There are, however, several new access technologies, such as cable networks, that do not allow you to configure multiple subinterfaces between a pair of routers. In these scenarios, generic routing encapsulation (GRE) tunnels can be used to establish multiple virtual links between the adjacent routers.

GRE Refresher

The GRE technology is used in Cisco IOS to tunnel a variety of different protocols across a generic IP backbone. GRE tunnels are configured as regular tunnel interfaces in Cisco IOS and are established between two IP addresses: tunnel source and tunnel destination. After the tunnel is configured and operational, it behaves exactly like a point-to-point link from the routing perspective. Routing protocols (or static routing) are run over the tunnel, routes are exchanged and installed in the IP routing table, and the traffic can start to flow over the tunnel.

When the tunnel interface appears as the next-hop interface in the IP routing and forwarding tables, packets can be routed into the tunnel. These packets are encapsulated in another IP datagram with the source and destination address set to the configured tunnel source and destination. The IP protocol type in the IP header is set to 47 to indicate that the IP datagram carries a GRE-encapsulated packet.

The packets with IP protocol type 47 received by a router are processed as follows:

- The IP source address is compared to the tunnel destination that is configured on tunnel interfaces to find the corresponding tunnel interface.

- After the tunnel interface is found, the tunnel key (if it is configured) is compared to the value in the IP datagram. If the values do not match, the packet is dropped.

NOTE

The tunnel key does not significantly increase the security of the tunneled data because it is a simple clear-text value (similar to an SNMP community string). The tunnel key should be used primarily to prevent configuration mismatches.

- The packet is processed as if it arrived through the point-to-point link (tunnel interface).

GRE Tunnels in the MPLS VPN Architecture

The GRE tunnels can be freely combined with the MPLS VPN architecture as long as you maintain the following rules:

- A tunnel interface can be configured to belong to a VRF. Such a tunnel can then be used to establish intra-VRF connectivity across an IP backbone. In this case, the backbone would not necessarily require MPLS to be enabled, nor would it require the full feature set of an MPLS VPN deployment. The same concept can be applied to establish multiple logical links over a single physical link between a PE router and a CE router.

- Tunnel interfaces can be used to link PE routers without the requirement of running LDP within the backbone network. In this case, labeled VPN packets are encapsulated within GRE datagrams rather than being labeled with an IGP label derived from LDP. However, you usually still have to run LDP between the tunnel endpoints to ensure that an LDP implicit-null label is assigned to the Multiprotocol BGP next hop.

- In most IOS releases, although the tunnel interface can be configured as a VRF interface, the tunnel endpoints (tunnel source and tunnel destination addresses) must be reachable in the global IP address space by the routers that terminate the GRE tunnels. This essentially means that the GRE tunnel encapsulation code is not VRF-aware. In this case, the global IP routing table forwards the IP datagrams that carry the tunneled traffic. In addition, IP datagrams that carry tunneled traffic must be received over a global interface.

NOTE

With a sophisticated configuration relying on VRF routes where global next hops and global routes point to VRF interfaces, you can configure the router such that the GRE-encapsulated traffic can be received over a VRF interface. Such a configuration is complex and should be avoided.

The restrictions that are described in the previous bullet have been removed in the IOS 12.0S release, which supports VRF-based tunnel interfaces. In this IOS release, the tunnel endpoints can belong to a VRF and the GRE-encapsulated traffic can be received over an interface that belongs to the same VRF.

These rules (particularly the requirement that the GRE endpoints must be in global IP space) also explain why the use of GRE tunnels to link the PE routers with the CE routers is discouraged from a security perspective:

- If the VPN service provider is running a secure IP backbone, where all customer traffic is carried in VPNs, the backbone is exposed to traffic from a CE router, which has to be received over a global interface.

- If the service provider is running a public Internet in the IP address space of its MPLS VPN backbone, the CE router becomes exposed to the Internet.

NOTE

Using GRE tunnels has other drawbacks. For example, the encapsulated traffic cannot be load-shared based on source and destination IP address. Furthermore, the additional IP header that is needed for GRE encapsulation reduces the usable payload size, sometimes resulting in the need to fragment transported IP datagrams, which might result in reduced forwarding performance of the router that is performing the fragmentation or reassembly.

You can avoid both security risks by deploying proper IP access lists on PE routers or CE routers, but these access lists require additional mandatory configuration operations in the provisioning process. Alternatively, you could deploy VRF-aware GRE tunnels if the IOS release you are using in your network supports them.

NOTE

Throughout the configuration examples in the remainder of this chapter, GRE tunnels based on global IP addresses will be used to reduce the complexity of the examples and to ensure that you can successfully use the examples with any IOS release that supports MPLS VPN functionality.

Using GRE Tunnels to Link Multi-VRF CE Routers to the MPLS VPN Backbone

Based on the information in the previous two sections, it should be easy to deploy several point-to-point virtual links between the CE router and the PE router by using the setup shown in Figure 4-10.

Figure 4-10. Virtual VRF Interface Implemented with PE-CE GRE Tunnels




Keep the following guidelines in mind when using this design:

- One global loopback interface needs to be configured as tunnel source/destination on the CE and PE router for each parallel link.

NOTE

You can use the same loopback interface on the PE router for tunnel links to multiple CE routers, but the parallel tunnels terminated at the same remote router must have distinct source addresses to enable proper assignment of incoming traffic to the tunnel interface.

- The PE-CE link needs to be in global IP address space; that is, a VRF is not configured at the PE router end. Global routing (either static routing or a dynamic routing protocol) must be established across this link to propagate the tunnel source and destination addresses between the PE router and the CE router. BGP is the recommended routing protocol in designs based on dynamic routing because of its security features.

- Incoming access lists should be configured on both the PE router and CE router. These access lists should permit only the tunneled traffic between the tunnel source and the destination addresses and the routing protocol updates (if a dynamic routing protocol is used between the PE router and the CE router).

- Individual tunnel interfaces are configured (one per VRF) and assigned to their respective VRF. VRF IP addresses are configured on the tunnel interfaces, and VRF routing protocols are configured to run over the tunnel interfaces.

Alternatively, you can implement a virtual link for one VRF (VRF B in Figure 4-11) over a physical link that belongs to another VRF (VRF A in Figure 4-11) by using VRF-aware GRE tunnels.

Figure 4-11. VRF-Aware GRE Tunnel Established Between the PE Router and the CE Router




Keep the following guidelines in mind when you are implementing this design:

- One VRF loopback interface needs to be configured as the tunnel source/destination on the CE router and PE router for each parallel tunnel link. Similarly to the previous case, the same loopback interface can be used for multiple tunnel endpoints as long as these tunnels terminate at different remote routers.

- The PE-CE link needs to be in the same VRF as the VRF loopback interface that is acting as the tunnel endpoint.

- Individual tunnel interfaces are configured (one per VRF) and assigned to their respective VRF. VRF IP addresses are configured on the tunnel interfaces and VRF routing protocols are configured to run over the tunnel interfaces.

From the service provider's perspective, most of the security restrictions are removed by using this setup. However, from the customer's perspective, it is still possible that a malicious user who belongs to Site A (VRF A) could insert GRE packets that are destined for the PE router and spoof traffic that is supposedly originating in VRF B. To remove this potential security hole, you can use a more complex, but also more secure, design in which the PE-CE link belongs to a dedicated VRF on the PE router (to remove security issues on the PE router side) and to the global IP address space on the CE router (to remove security issues on the CE router side). Such a design is presented in Figure 4-12.

Figure 4-12. More Secure PE-CE Design




As you can see from the discussions in this section, deployment of GRE tunnels between PE routers and CE routers is complex; therefore, you should always try to implement a simple solution, be it using Frame Relay encapsulation in a WAN environment or VLAN encapsulation in a LAN environment.

Deploying GRE Tunnels to Support Multi-VRF in EuroBank's European Sites

Each EuroBank site must have two logical connections to the adjacent PE router to support the separation of the Trading and Retail departments. This requirement is easy to implement in the U.S. sites (San Francisco and Washington) by using additional Frame Relay data-link connection identifiers (DLCIs) between the CE routers and the PE routers. Assume that cost considerations prevent the use of the same strategy in Europe; EuroBank would like to retain a single DLCI between the Paris CE router and the Paris PE router as well as a single DLCI between the EuroBank Paris site (Paris CE router) and the EuroBank London site (London C router). Working together with the SuperCom service provider, EuroBank decided to implement the multi-VRF concept in combination with tunnel interfaces throughout Europe, as shown in Figure 4-13. In addition, EuroBank will use GRE tunnels based on global IP routing. (Tunnel endpoints are in global IP address space on PE routers and CE routers.)

Figure 4-13. Tunnel Interfaces That Link CE Router VRFs in Europe




Perform the following steps to implement the required design:

Step 1. Configure loopback interfaces on the PE router and the CE router in Paris.

Step 2. Configure tunnel interfaces between the Paris PE router and the Paris CE router as well as between the Paris CE router and the London C router.

Step 3. Configure the WAN link. The WAN links that link the PE routers and CE routers must be in the global IP routing table on both ends.

Step 4. Advertise loopback interface addresses between the tunnel endpoints.

Step 5. Place tunnel interfaces in the target VRFs.

Step 6. Perform the remainder of the VRF configuration. (Configure VRF interfaces and VRF routing protocols.)

The following sections explain each step in more detail.

Configuring Loopback Interfaces

Loopback interfaces must be configured on the PE router and the CE router in Paris, as shown in Example 4-20. Loopback interfaces must also be configured in the London C router.

Example 4-20. Loopback Interface Configuration

PE_Paris(config)#
interface Loopback2511
 ip address 192.168.251.1 255.255.255.255
 no ip directed-broadcast
!
interface Loopback2512
 ip address 192.168.251.2 255.255.255.255
 no ip directed-broadcast

CE_Paris(config)#
interface Loopback1
 ip address 192.168.252.1 255.255.255.255
 no ip directed-broadcast
!
interface Loopback2
 ip address 192.168.252.2 255.255.255.255
 no ip directed-broadcast

C_London(config)#
interface Loopback1
 ip address 192.168.252.11 255.255.255.255
 no ip directed-broadcast
!
interface Loopback2
 ip address 192.168.252.12 255.255.255.255
 no ip directed-broadcast
Configuring Tunnel Interfaces

Tunnel interfaces must be configured between the Paris PE router and the Paris CE router as well as between the Paris CE router and the London C router, as shown in Example 4-21.

Example 4-21. Tunnel Interface Configuration

PE_Paris(config)#
interface Tunnel2511
 description *** Trading tunnel to CE Paris ***
 tunnel source Loopback2511
 tunnel destination 192.168.252.1
 tunnel key 2511
!
interface Tunnel2512
 description *** Retail tunnel to CE Paris ***
 tunnel source Loopback2512
 tunnel destination 192.168.252.2
 tunnel key 2512

CE_Paris(config)#
interface Tunnel1
 description *** Trading tunnel to PE Paris ***
 tunnel source Loopback1
 tunnel destination 192.168.251.1
 tunnel key 2511
!
interface Tunnel2
 description *** Retail tunnel to PE Paris ***
 tunnel source Loopback2
 tunnel destination 192.168.251.2
 tunnel key 2512
!
interface Tunnel11
 description *** Trading tunnel to London ***
 tunnel source Loopback1
 tunnel destination 192.168.252.11
 tunnel key 2511
!
interface Tunnel12
 description *** Retail tunnel to London ***
 tunnel source Loopback2
 tunnel destination 192.168.252.12
 tunnel key 2512

C_London(config)#
interface Tunnel1
 description *** Trading tunnel to Paris ***
 tunnel source Loopback1
 tunnel destination 192.168.252.1
 tunnel key 2511
!
interface Tunnel2
 description *** Retail tunnel to Paris ***
 tunnel source Loopback2
 tunnel destination 192.168.252.2
 tunnel key 2512

NOTE

As specified in the design rules, the parallel tunnel interfaces between a pair of routers must use different tunnel source and destination IP addresses. Conversely, the tunnel interfaces going to different routers (for example, tunnel interfaces on the Paris CE router) could use the same tunnel source IP address.

Configure the WAN Links

The link between the Paris PE router and the Paris CE router must be in the global IP routing table on the PE router. Similarly, the links from the Paris CE router to the Paris PE router and London C router must be in the global IP routing table on the Paris CE router, as shown in Example 4-22.

Example 4-22. WAN Interface Configuration

PE_Paris(config)#
interface Serial0/0.641 point-to-point
 description *** Link to EuroBank Paris ***
 ip address 192.168.2.26 255.255.255.252
 no ip directed-broadcast
 frame-relay interface-dlci 641

CE_Paris(config)#
interface Serial0/0.1 point-to-point
 description *** Link to London ***
 ip address 192.168.2.29 255.255.255.252
 no ip directed-broadcast
 frame-relay interface-dlci 274
!
interface Serial0/0.614 point-to-point
 description *** Link to PE_Paris ***
 ip address 192.168.2.25 255.255.255.252
 no ip directed-broadcast
 frame-relay interface-dlci 614
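The NOTE following Example 4-21 restates the design rule from earlier in the chapter: parallel tunnels between one pair of routers must use distinct source and destination addresses, while tunnels toward different routers may share a loopback. The following Python script is an added example and not the book's own code. It parses the loopback and tunnel lines of Examples 4-20 and 4-21 (reduced to what the check needs and embedded as constructed strings) and reports every tunnel that lacks a mirror-image peer on the far end, every tunnel key that differs between the two ends, and every pair of parallel tunnels that share a source address.

```python
"""Check the GRE tunnel design rules of the chapter against IOS configuration snippets."""
import re
from collections import defaultdict

# Constructed sample: Examples 4-20 and 4-21 reduced to the lines the check needs.
CONFIGS = {
    "PE_Paris": """interface Loopback2511
 ip address 192.168.251.1 255.255.255.255
interface Loopback2512
 ip address 192.168.251.2 255.255.255.255
interface Tunnel2511
 tunnel source Loopback2511
 tunnel destination 192.168.252.1
 tunnel key 2511
interface Tunnel2512
 tunnel source Loopback2512
 tunnel destination 192.168.252.2
 tunnel key 2512""",
    "CE_Paris": """interface Loopback1
 ip address 192.168.252.1 255.255.255.255
interface Loopback2
 ip address 192.168.252.2 255.255.255.255
interface Tunnel1
 tunnel source Loopback1
 tunnel destination 192.168.251.1
 tunnel key 2511
interface Tunnel2
 tunnel source Loopback2
 tunnel destination 192.168.251.2
 tunnel key 2512
interface Tunnel11
 tunnel source Loopback1
 tunnel destination 192.168.252.11
 tunnel key 2511
interface Tunnel12
 tunnel source Loopback2
 tunnel destination 192.168.252.12
 tunnel key 2512""",
    "C_London": """interface Loopback1
 ip address 192.168.252.11 255.255.255.255
interface Loopback2
 ip address 192.168.252.12 255.255.255.255
interface Tunnel1
 tunnel source Loopback1
 tunnel destination 192.168.252.1
 tunnel key 2511
interface Tunnel2
 tunnel source Loopback2
 tunnel destination 192.168.252.2
 tunnel key 2512""",
}


def parse_tunnels(config):
    """Return {tunnel_if: (src_ip, dst_ip, key)}, resolving 'tunnel source <ifname>'."""
    addrs, tunnels, cur = {}, {}, None
    for line in config.splitlines():
        words = line.split()
        if not words:
            continue
        if words[0] == "interface":
            cur = words[1]
        elif words[:2] == ["ip", "address"]:
            addrs[cur] = words[2]
        elif words[0] == "tunnel":
            tunnels.setdefault(cur, {})[words[1]] = words[2]
    # A tunnel source may be an interface name or a literal address.
    return {tif: (addrs.get(t["source"], t["source"]), t["destination"], t.get("key"))
            for tif, t in tunnels.items()}


def check_design(configs):
    """Return a list of rule violations; an empty list means the design rules hold."""
    owner = {}      # loopback address -> router name, to identify the far-end router
    endpoints = {}  # (src, dst) -> (router, tunnel_if, key)
    for router, config in configs.items():
        for ip in re.findall(r"ip address (\S+) 255\.255\.255\.255", config):
            owner[ip] = router
        for tif, (src, dst, key) in parse_tunnels(config).items():
            endpoints[(src, dst)] = (router, tif, key)

    problems = []
    per_pair = defaultdict(dict)  # (router, far_router) -> {src: tunnel_if}
    for (src, dst), (router, tif, key) in endpoints.items():
        peer = endpoints.get((dst, src))  # the mirror-image tunnel on the far end
        if peer is None:
            problems.append(f"{router} {tif}: no far-end tunnel with source {dst} and destination {src}")
        elif peer[2] != key:
            problems.append(f"{router} {tif}: key {key} differs from {peer[0]} {peer[1]} key {peer[2]}")
        seen = per_pair[(router, owner.get(dst, dst))]
        if src in seen:
            problems.append(f"{router}: parallel tunnels {seen[src]} and {tif} share source {src}")
        seen.setdefault(src, tif)
    return problems


if __name__ == "__main__":
    for line in check_design(CONFIGS) or ["design rules hold"]:
        print(line)
```

Run against the Paris and London snippets the script reports no violations; CE_Paris Tunnel1 and Tunnel11 sharing Loopback1 is accepted because their far ends are different routers. Pointing CE_Paris Tunnel2 at Loopback1 instead reproduces the failure the NOTE warns about: the two tunnels toward PE_Paris would share a source, and the PE-side Tunnel2512 would no longer have a matching peer.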

Advertise the Loopback Interfaces

Loopback interface addresses must be advertised between the tunnel endpoints. BGP is deployed between the PE router and the CE router, and RIP is used internally in the EuroBank network, as shown in Example 4-23. Note that the CE router is configured as a global BGP neighbor on the PE router.

Example 4-23. Global IP Routing Supporting Tunnel Interfaces

PE_Paris(config)#
router bgp 10
 network 192.168.251.1 mask 255.255.255.255
 network 192.168.251.2 mask 255.255.255.255
 neighbor 192.168.2.25 remote-as 65001
 neighbor 192.168.2.25 route-map NoAdvertise in
 neighbor 192.168.2.25 filter-list 1 out
!
ip as-path access-list 1 permit ^$
!
route-map NoAdvertise permit 10
 set community no-advertise

CE_Paris(config)#
router rip
 version 2
 network 192.168.2.0
 network 192.168.252.0
 no auto-summary
!
router bgp 65001
 network 192.168.252.1 mask 255.255.255.255
 network 192.168.252.2 mask 255.255.255.255
 neighbor 192.168.2.26 remote-as 10

C_London(config)#
router rip
 version 2
 network 192.168.2.0
 network 192.168.252.0
 no auto-summary

The previous examples also include a number of additional measures introduced in the global BGP routing configuration between the PE router and the CE router to ensure security and stability of the design:

- The CE router advertises only its own loopback interfaces in BGP, and not the other subnets from the customer network (C-network).

- The PE router sets the no-advertise community on updates received from the CE router to prevent them from being propagated further into the service provider network (P-network).

- The PE router filters outgoing updates toward the CE router with a filter list to prevent memory and CPU overload on the CE router.
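The design guidelines at the start of this section call for inbound access lists on the PE-CE link that permit only the tunneled traffic between the tunnel endpoints plus the routing protocol updates, but the Paris examples do not show that access list. The following Python script is an added example, not configuration from the book or from Cisco: it derives the PE-side inbound list from the Paris tunnel endpoints (Examples 4-20 and 4-21) and the link addresses and BGP session of Examples 4-22 and 4-23, renders it as IOS extended access-list lines (the list number 101 is a constructed choice), and evaluates a few constructed packets against it with IOS-style first-match semantics.

```python
"""Derive the inbound access list for the PE side of the Paris PE-CE link and test it.

Guideline from the chapter: permit only GRE between the configured tunnel endpoints plus
the routing protocol updates (here the BGP session on the link addresses), deny the rest.
"""
BGP = 179

# (PE loopback, CE loopback) for the two parallel Paris tunnels (Examples 4-20/4-21).
PARIS_TUNNELS = [("192.168.251.1", "192.168.252.1"), ("192.168.251.2", "192.168.252.2")]
# Link addresses of Serial0/0.641 on PE_Paris and Serial0/0.614 on CE_Paris (Example 4-22).
PE_LINK, CE_LINK = "192.168.2.26", "192.168.2.25"


def build_inbound_acl(local_link, peer_link, tunnels):
    """Entries as (action, proto, src, sport, dst, dport); None means any port."""
    entries = []
    for local_ep, remote_ep in tunnels:
        # One GRE entry per tunnel, locked to that tunnel's own endpoint pair.
        entries.append(("permit", "gre", remote_ep, None, local_ep, None))
    # The BGP session on the link addresses, whichever side opened the TCP connection.
    entries.append(("permit", "tcp", peer_link, None, local_link, BGP))
    entries.append(("permit", "tcp", peer_link, BGP, local_link, None))
    entries.append(("deny", "ip", "any", None, "any", None))  # explicit catch-all
    return entries


def render_ios(entries, number=101):
    """Render the entries as IOS numbered extended access-list lines."""
    def addr(a):
        return "any" if a == "any" else f"host {a}"

    def port(p):
        return "" if p is None else (" eq bgp" if p == BGP else f" eq {p}")

    return [f"access-list {number} {action} {proto} {addr(s)}{port(sp)} {addr(d)}{port(dp)}"
            for action, proto, s, sp, d, dp in entries]


def permits(entries, proto, src, dst, sport=None, dport=None):
    """First-match evaluation as IOS does it; no match falls through to the implicit deny."""
    for action, p, s, sp, d, dp in entries:
        if p != "ip" and p != proto:
            continue
        if (s != "any" and s != src) or (d != "any" and d != dst):
            continue
        if (sp is not None and sp != sport) or (dp is not None and dp != dport):
            continue
        return action == "permit"
    return False


# Constructed packets arriving inbound on the PE WAN subinterface.
SAMPLE_PACKETS = [
    ("Trading tunnel GRE from CE loopback", "gre", "192.168.252.1", "192.168.251.1", None, None),
    ("GRE from an unconfigured source", "gre", "192.168.252.99", "192.168.251.1", None, None),
    ("Trading CE loopback aimed at the Retail tunnel endpoint", "gre", "192.168.252.1", "192.168.251.2", None, None),
    ("BGP open from CE link address", "tcp", CE_LINK, PE_LINK, 40001, BGP),
    ("Telnet to the PE link address", "tcp", CE_LINK, PE_LINK, 40002, 23),
]


def evaluate(entries, packets=SAMPLE_PACKETS):
    """Map each packet label to True (permitted) or False (denied)."""
    return {label: permits(entries, *rest) for label, *rest in packets}


if __name__ == "__main__":
    acl = build_inbound_acl(PE_LINK, CE_LINK, PARIS_TUNNELS)
    print("\n".join(render_ios(acl)))
    for label, allowed in evaluate(acl).items():
        print(f"{'permit' if allowed else 'deny  '} {label}")
```

The rendered list would be applied inbound on the PE's Frame Relay subinterface with the standard IOS interface command `ip access-group 101 in`; the CE side gets the mirror image by calling `build_inbound_acl` with the link and endpoint addresses swapped. Note what the list cannot do: it matches addresses and protocol only, so a GRE packet that carries the genuine CE loopback as its source is accepted regardless of its tunnel key. That residual spoofing exposure is exactly why the chapter recommends BGP with the filters of Example 4-23 and, where it matters, the dedicated-VRF design of Figure 4-12.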

Place Tunnel Interfaces into the Target VRFs

Tunnel interfaces are placed in the target VRFs, as shown in Example 4-24.

Example 4-24. VRF Interface Configuration

PE_Paris(config)#
interface Tunnel2511
 ip vrf forwarding EuroBank_Trading
 ip address 192.168.2.42 255.255.255.252
!
interface Tunnel2512
 ip vrf forwarding EuroBank_Retail
 ip address 192.168.2.46 255.255.255.252

CE_Paris(config)#
interface Tunnel1
 ip vrf forwarding Trading
 ip address 192.168.2.41 255.255.255.252
!
interface Tunnel2
 ip vrf forwarding Retail
 ip address 192.168.2.45 255.255.255.252
!
interface Tunnel11
 ip vrf forwarding Trading
 ip address 192.168.2.49 255.255.255.252
!
interface Tunnel12
 ip vrf forwarding Retail
 ip address 192.168.2.53 255.255.255.252

C_London(config)#
interface Tunnel1
 ip vrf forwarding Trading
 ip address 192.168.2.50 255.255.255.252
!
interface Tunnel2
 ip vrf forwarding Retail
 ip address 192.168.2.54 255.255.255.252

Remaining VRF Configuration

The VRFs need to be configured, with their respective VRF routing protocols, and the LAN interfaces in Paris and London need to be assigned to these VRFs. BGP is deployed between the PE router and the CE router in Paris, and RIP is used between the Paris CE router and the London C router. The VRF IP routing configurations are included next. (Please refer to "Running BGP in Virtual Router Scenarios" earlier in this chapter for a detailed description of the BGP configuration used in Example 4-25.)

Example 4-25. VRF IP Routing Configuration

PE_Paris(config)#
router bgp 10
 address-family ipv4 vrf EuroBank_Trading
  neighbor 192.168.2.41 remote-as 65100
 !
 address-family ipv4 vrf EuroBank_Retail
  neighbor 192.168.2.45 remote-as 65200

Paris(config)#
router rip
 address-family ipv4 vrf Trading
  version 2
  redistribute bgp 65001 metric transparent
  network 192.168.2.0
  network 196.7.25.0
 !
 address-family ipv4 vrf Retail
  version 2
  redistribute bgp 65001 metric transparent
  network 192.168.2.0
  network 196.7.25.0
!
router bgp 65001
 address-family ipv4 vrf Trading
  redistribute rip
  neighbor 192.168.2.42 remote-as 10
  neighbor 192.168.2.42 local-as 65100 no-prepend
 !
 address-family ipv4 vrf Retail
  redistribute rip
  neighbor 192.168.2.46 remote-as 10
  neighbor 192.168.2.46 local-as 65200 no-prepend

London(config)#
router rip
 address-family ipv4 vrf Trading
  version 2
  network 192.168.2.0
  network 196.7.24.0
 !
 address-family ipv4 vrf Retail
  version 2
  network 192.168.2.0
  network 196.7.24.0

After you have completed all these configuration steps, you can verify proper operation of this design by inspecting the VRF IP routing table on the London C router, which is shown in Example 4-26.

Example 4-26. VRF IP Routing Table on the London C Router

London#show ip route vrf Trading
Routing Table: Trading
Codes: C - connected, S - static, I - IGRP, R - RIP, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       * - candidate default, U - per-user static route, o - ODR

Gateway of last resort is not set

     196.7.25.0 255.255.255.128 is subnetted, 1 subnets
R       196.7.25.0 [120/1] via 192.168.2.49, 00:00:03, Tunnel1
     196.7.24.0 255.255.255.128 is subnetted, 1 subnets
C       196.7.24.0 is directly connected, Ethernet0/0
     196.7.26.0 255.255.255.128 is subnetted, 1 subnets
R       196.7.26.0 [120/1] via 192.168.2.49, 00:00:03, Tunnel1
     10.0.0.0 255.255.255.128 is subnetted, 1 subnets
R       10.2.1.0 [120/1] via 192.168.2.49, 00:00:03, Tunnel1
     192.168.2.0 255.255.255.252 is subnetted, 4 subnets
R       192.168.2.40 [120/1] via 192.168.2.49, 00:00:03, Tunnel1
R       192.168.2.32 [120/1] via 192.168.2.49, 00:00:03, Tunnel1
C       192.168.2.48 is directly connected, Tunnel1
R       192.168.2.12 [120/1] via 192.168.2.49, 00:00:05, Tunnel1

London#show ip route vrf Retail
Routing Table: Retail
Codes: C - connected, S - static, I - IGRP, R - RIP, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       * - candidate default, U - per-user static route, o - ODR

Gateway of last resort is not set

     196.7.25.0 255.255.255.128 is subnetted, 1 subnets
R       196.7.25.128 [120/1] via 192.168.2.53, 00:00:10, Tunnel2
     196.7.24.0 255.255.255.128 is subnetted, 1 subnets
C       196.7.24.128 is directly connected, Loopback1001
     196.7.26.0 255.255.255.255 is subnetted, 1 subnets
R       196.7.26.129 [120/1] via 192.168.2.53, 00:00:10, Tunnel2
     10.0.0.0 255.255.255.255 is subnetted, 1 subnets
R       10.2.1.129 [120/1] via 192.168.2.53, 00:00:10, Tunnel2
     192.168.2.0 255.255.255.252 is subnetted, 4 subnets
R       192.168.2.44 [120/1] via 192.168.2.53, 00:00:11, Tunnel2
R       192.168.2.36 [120/1] via 192.168.2.53, 00:00:11, Tunnel2
C       192.168.2.52 is directly connected, Tunnel2
R       192.168.2.16 [120/1] via 192.168.2.53, 00:00:12, Tunnel2
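A practitioner verifying this design will want the inspection in Example 4-26 to be repeatable rather than done by eye. What follows is an added example, not code from the book: a Python parser for the show ip route vrf output format shown above, run over a constructed abridgement of the two London tables, with a separation check that flags any prefix belonging to one department appearing in the other department's VRF. The department-to-prefix assignment and the "is subnetted" header layout are taken from Examples 4-26 and 4-27; the leaky second sample is constructed to show what the check reports when separation has been lost.

```python
"""Parse Cisco IOS 'show ip route vrf' output and check that the VRFs stay separated.

Added example, not code from the book. SAMPLE_OUTPUT is a constructed abridgement
of the London C router tables in Example 4-26; the parser assumes the
'<addr> <mask> is subnetted' header layout used in that output.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SAMPLE_OUTPUT = """\
London#show ip route vrf Trading
Routing Table: Trading
Codes: C - connected, S - static, I - IGRP, R - RIP, B - BGP
Gateway of last resort is not set

     196.7.25.0 255.255.255.128 is subnetted, 1 subnets
R       196.7.25.0 [120/1] via 192.168.2.49, 00:00:03, Tunnel1
     196.7.24.0 255.255.255.128 is subnetted, 1 subnets
C       196.7.24.0 is directly connected, Ethernet0/0
     192.168.2.0 255.255.255.252 is subnetted, 4 subnets
R       192.168.2.40 [120/1] via 192.168.2.49, 00:00:03, Tunnel1
C       192.168.2.48 is directly connected, Tunnel1
London#show ip route vrf Retail
Routing Table: Retail
Gateway of last resort is not set

     196.7.25.0 255.255.255.128 is subnetted, 1 subnets
R       196.7.25.128 [120/1] via 192.168.2.53, 00:00:10, Tunnel2
     196.7.24.0 255.255.255.128 is subnetted, 1 subnets
C       196.7.24.128 is directly connected, Loopback1001
     192.168.2.0 255.255.255.252 is subnetted, 4 subnets
R       192.168.2.44 [120/1] via 192.168.2.53, 00:00:11, Tunnel2
C       192.168.2.52 is directly connected, Tunnel2
"""

# Constructed failure case: the Paris Trading LAN prefix has leaked into the Retail VRF.
LEAKY_OUTPUT = SAMPLE_OUTPUT.replace(
    "     196.7.25.0 255.255.255.128 is subnetted, 1 subnets\n"
    "R       196.7.25.128 [120/1] via 192.168.2.53, 00:00:10, Tunnel2",
    "     196.7.25.0 255.255.255.128 is subnetted, 2 subnets\n"
    "R       196.7.25.0 [120/1] via 192.168.2.53, 00:00:10, Tunnel2\n"
    "R       196.7.25.128 [120/1] via 192.168.2.53, 00:00:10, Tunnel2",
)

# Which department owns which address space (from Examples 4-26 and 4-27).
DEPARTMENT_PREFIXES = {
    "Trading": [ipaddress.ip_network("196.7.25.0/25"), ipaddress.ip_network("196.7.24.0/25")],
    "Retail": [ipaddress.ip_network("196.7.25.128/25"), ipaddress.ip_network("196.7.24.128/25")],
}

TABLE_RE = re.compile(r"^Routing Table: (\S+)")
SUBNET_RE = re.compile(r"^\s+(\d+(?:\.\d+){3}) (\d+(?:\.\d+){3}) is subnetted")
LEARNED_RE = re.compile(r"^(\S+)\s+(\d+(?:\.\d+){3}) \[(\d+)/(\d+)\] via (\S+), \S+, (\S+)$")
CONNECTED_RE = re.compile(r"^(\S+)\s+(\d+(?:\.\d+){3}) is directly connected, (\S+)$")


@dataclass(frozen=True)
class Route:
    vrf: str
    code: str                      # route source: C = connected, R = RIP, B = BGP, ...
    prefix: ipaddress.IPv4Network
    next_hop: Optional[str]        # None for connected routes
    interface: str


def _net(addr: str, mask: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_show_ip_route_vrf(text: str) -> Dict[str, List[Route]]:
    """Return {vrf name: [Route, ...]} for every 'Routing Table:' block in text."""
    tables: Dict[str, List[Route]] = {}
    vrf: Optional[str] = None
    mask: Optional[str] = None     # mask from the most recent 'is subnetted' header
    for line in text.splitlines():
        m = TABLE_RE.match(line)
        if m:
            vrf, mask = m.group(1), None
            tables.setdefault(vrf, [])
            continue
        m = SUBNET_RE.match(line)
        if m:
            mask = m.group(2)
            continue
        if vrf is None or mask is None:
            continue               # prompt, Codes: legend, gateway line, blank line
        m = LEARNED_RE.match(line)
        if m:
            code, addr, _ad, _metric, next_hop, ifname = m.groups()
            tables[vrf].append(Route(vrf, code, _net(addr, mask), next_hop, ifname))
            continue
        m = CONNECTED_RE.match(line)
        if m:
            code, addr, ifname = m.groups()
            tables[vrf].append(Route(vrf, code, _net(addr, mask), None, ifname))
    return tables


def leaked_prefixes(tables, owners=DEPARTMENT_PREFIXES) -> Dict[str, List[str]]:
    """Routes that sit inside another department's address space: {vrf: [prefix, ...]}."""
    leaks: Dict[str, List[str]] = {}
    for vrf, routes in tables.items():
        for r in routes:
            for owner, owned in owners.items():
                if owner != vrf and any(r.prefix.subnet_of(p) for p in owned):
                    leaks.setdefault(vrf, []).append(str(r.prefix))
    return leaks


def interfaces_used(tables, vrf: str) -> List[str]:
    """Outgoing interfaces seen in one VRF; each VRF should only use its own tunnel."""
    return sorted({r.interface for r in tables[vrf]})
```

Run against the constructed sample, leaked_prefixes returns an empty dictionary and each VRF uses only its own tunnel and LAN interface; against the leaky sample it reports 196.7.25.0/25 in the Retail VRF, which is exactly the condition the design in this section is meant to rule out.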




VRF Selection Based on Source IP Address

In the traditional implementation of the MPLS VPN architecture in Cisco IOS, each physical or logical interface was associated with one VRF table, resulting in a one-VPN-per-interface design limitation. Service providers that wanted to offer access to different VPN networks (or different upstream ISPs) to many customers who were connected to a shared media (cable or Ethernet infrastructure) first encountered this limitation.

In situations in which more than one VPN customer had to be connected to a single physical interface, the following solutions were available:

• VPN customers who were connected to a LAN interface were split into multiple virtual LANs (VLAN), each VLAN subinterface belonging to a different VRF. This approach could separate the Trading and Retail LANs in the EuroBank network if the EuroBank CE routers had only one LAN interface.

• Subinterfaces were also used (if available) for multiple VPN customers who were connected to the same WAN interface. This approach worked if the WAN technology that was deployed in the network supported subinterfaces. For example, Frame Relay and ATM supported subinterfaces based on Frame Relay DLCI or ATM virtual circuits (VCs).

• In some scenarios, GRE tunnels could be used to create logical interfaces.

• PPP-over-Ethernet (PPPoE) could be deployed between the VPN customers (even individual workstations) and the PE routers to separate the VPN customers into different VPNs.

All the designs presented in the previous bulleted list use the one-interface-per-customer paradigm and thus share a common scalability problem: The number of customers that a single PE router can support is limited by the number of interfaces that the Cisco IOS supports.

A new functionality, VRF selection based on source IP address, was introduced in Cisco IOS release 12.0S to circumvent the one-VPN-per-interface design rule and associated scalability issues. With this functionality, the VPN packet forwarding is performed as follows:

• If the VRF selection feature is enabled on an interface, a lookup is performed on the source IP address in the VRF selection table to determine the VRF to which the sending IP host belongs.

• After the target VRF is found, the VRF Cisco Express Forwarding (CEF) table lookup is performed on the destination IP address to find the next-hop and associated MPLS label stack.

• Global CEF table lookup is performed on the destination IP address if the VRF selection lookup fails. (The source IP address is not associated with a VRF.)

The three simple configuration commands in Table 4-4 are associated with this functionality.

Table 4-4. Configuring VRF Selection Based on Source IP Address

Command Syntax: vrf selection source address mask vrf name
Description: This global command populates the VRF selection table. A single (global) per-router VRF selection table is supported in IOS release 12.0S.

Command Syntax: ip vrf select source
Description: This interface-level command enables the VRF selection lookup for packets that are received through the specified interface. The ip vrf select source and ip vrf forwarding commands are mutually exclusive. If the VRF Selection feature is configured on an interface, you cannot configure VRFs (using the ip vrf forwarding command) on the same interface.

Command Syntax: ip vrf receive vrf-name
Description: This interface-level command enables redistribution of the IP prefix configured on the specified interface into the specified VRF routing table. The detailed usage guidelines of this command are covered later in this section.

VRF Selection in the EuroBank Network

The VRF selection functionality can be applied in those EuroBank sites that must support two VPNs per site (Trading and Retail VPN) but are not implemented with a VLAN-supporting technology, as shown in Figure 4-14. For example, these sites could have been implemented with 10BASE-T Ethernet, shared 100BASE-T Ethernet, or Token Ring.

Figure 4-14. Two Sites Connected to the Same Physical Interface

The LAN functionality that is deployed in the Paris site prohibits the use of the VLAN subinterface on the Paris CE router. The only way to separate the Trading hosts from the Retail hosts is to use the VRF selection functionality, resulting in a configuration that is similar to the one in Example 4-27. (The configuration in the example includes only the VRF selection-specific configuration commands. The rest of the configuration is similar to the one in Example 4-1.)

Example 4-27. VRF Selection on the Paris CE Router

vrf selection source 196.7.25.0 255.255.255.128 vrf Trading
vrf selection source 196.7.25.128 255.255.255.128 vrf Retail
!
interface TokenRing 0/0
 ip vrf select source
 ip address 196.7.25.1 255.255.255.0

NOTE

Security is a major issue when deploying the VRF selection functionality. Because the Trading and Retail workstations in Paris reside on the same shared LAN segment, each user can observe the traffic of the other department. It is also easy for an intruder to break into a workstation from another VPN and gain unauthorized access into that VPN.

Designing the Return Path for the VPN Traffic

With the configuration from Example 4-27, IP packets sent from workstations that are attached to the Paris LAN are forwarded to the appropriate VPNs and eventually reach the desired destinations. However, the Paris LAN interface belongs to the global IP routing table of the Paris CE router (the interface is not in a VRF); therefore, its IP subnet is not automatically propagated into the VRF routing tables for the Trading and Retail VPN. Consequently, the VPN IP hosts in other sites cannot return the traffic to Paris IP hosts. You can use two designs to establish the return path for the VPN traffic:

The whole IP prefix that is assigned to an interface with VRF selection is inserted into the VRF routing tables.

Part of the IP address space assigned to the interface is inserted into the appropriate VRF table.
You can use the ip vrf receive command if you want to transfer the IP prefix assigned to the interface on which you've configured the VRF selection to the VRF routing tables. With this command, you can specify which VRF routing table shall receive the global IP prefix assigned to the interface on which you use the command. The prefix appears in the VRF routing table as a connected interface and must be redistributed into Multiprotocol BGP like any other directly connected VRF subnet. In the EuroBank example, the commands to use are shown in Example 4-28.

Example 4-28. Insertion of Interface-Wide IP Prefix into the VRF Tables

interface TokenRing 0/0
 ip vrf receive Trading
 ip vrf receive Retail

The ip vrf receive command in Example 4-28 inserts the IP prefix 196.7.25.1/24 that covers hosts belonging to the Trading and Retail sites into both the Trading and Retail VRF table. As a result, hosts from other Trading sites can access Retail hosts in the Paris site, and hosts from other Retail sites can access the Trading hosts in Paris. The undesired inter-VPN communication can be performed only in one direction (other sites to Paris hosts), but many denial-of-service attacks need only one-way communication. The design from Example 4-28 should not be used in security-conscious environments.

A more secure approach to the return-traffic design involves VRF static routes pointing to the global interface:

For every VRF that is associated with an interface through the VRF selection functionality, configure a VRF static route covering only the IP address space assigned to that VRF with the vrf selection command. The static route should point to the directly connected interface, as shown in Example 4-29.

Example 4-29. Secure VPN Traffic Return Design

ip route vrf Trading 196.7.25.0 255.255.255.128 TokenRing 0/0
ip route vrf Retail 196.7.25.128 255.255.255.128 TokenRing 0/0

Redistribute the VRF static routes into Multiprotocol BGP to propagate them to other PE routers.

With this approach, each VRF table receives only the IP prefix associated with the hosts in its VPN, preventing undesired intersite inter-VPN traffic. The base problem of the VRF selection functionality still remains, though: The users from different VPNs that are attached to the same physical shared media can still communicate with each other.
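The difference between the two return-path designs can be checked with a small model of the Paris CE's VRF selection table and of the VRF routing tables that each design leaves behind after redistribution. This is an added example in Python, not configuration or code from the book: the prefixes come from Examples 4-27 to 4-29, the two host addresses 196.7.25.10 and 196.7.25.200 are constructed, and the fallback to the global table for a source that matches no vrf selection entry is an assumption of the model.

```python
import ipaddress
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network

# Paris CE: the LAN interface lives in the global table (Example 4-27)
PARIS_LAN = ipaddress.ip_network("196.7.25.0/24")

# 'vrf selection source' entries from Example 4-27
VRF_SELECTION: Dict[Net, str] = {
    ipaddress.ip_network("196.7.25.0/25"): "Trading",
    ipaddress.ip_network("196.7.25.128/25"): "Retail",
}

# Constructed sample hosts, one per department
PARIS_HOSTS = ["196.7.25.10", "196.7.25.200"]


def select_vrf(src: str) -> str:
    """Outbound direction: choose the VRF by longest match on the source
    address. Unmatched sources stay in the global table (model assumption)."""
    addr = ipaddress.ip_address(src)
    matches = [(net.prefixlen, vrf) for net, vrf in VRF_SELECTION.items() if addr in net]
    return max(matches)[1] if matches else "global"


def tables_no_return_path() -> Dict[str, List[Net]]:
    """Example 4-27 alone: the global /24 is not propagated into any VRF."""
    return {"Trading": [], "Retail": []}


def tables_vrf_receive() -> Dict[str, List[Net]]:
    """Example 4-28: 'ip vrf receive' copies the whole /24 into both VRFs."""
    return {"Trading": [PARIS_LAN], "Retail": [PARIS_LAN]}


def tables_static_routes() -> Dict[str, List[Net]]:
    """Example 4-29: one VRF static route per VRF, covering only its own /25."""
    return {vrf: [net for net, v in VRF_SELECTION.items() if v == vrf]
            for vrf in ("Trading", "Retail")}


def return_path_exists(tables: Dict[str, List[Net]], vrf: str, host: str) -> bool:
    """Can a remote site in 'vrf' route a packet back to a Paris host? True when
    the VRF table (after MP-BGP redistribution) holds a covering prefix."""
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in tables[vrf])


def undesired_paths(tables: Dict[str, List[Net]]) -> List[Tuple[str, str]]:
    """(remote VPN, Paris host) pairs where traffic can come back to a host that
    VRF selection places in a different VPN: the inter-VPN exposure."""
    return sorted(
        (vrf, host)
        for vrf in tables
        for host in PARIS_HOSTS
        if return_path_exists(tables, vrf, host) and select_vrf(host) != vrf
    )


def same_vpn_works(tables: Dict[str, List[Net]]) -> bool:
    """Every Paris host must still be reachable from its own VPN."""
    return all(return_path_exists(tables, select_vrf(h), h) for h in PARIS_HOSTS)


if __name__ == "__main__":
    for name, t in [("4-27 only", tables_no_return_path()),
                    ("4-28 ip vrf receive", tables_vrf_receive()),
                    ("4-29 static routes", tables_static_routes())]:
        print(f"{name:20} same-VPN return: {same_vpn_works(t)}  "
              f"inter-VPN exposure: {undesired_paths(t)}")
```

Running the block prints one line per design: Example 4-27 alone gives no return path at all, Example 4-28 restores it but lists both cross-VPN pairs as exposed, and Example 4-29 restores it with an empty exposure list. The outbound side (select_vrf) is identical in all three, which is why the shared-LAN problem described in the text is untouched by any of them.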

Performing NAT in a Virtual Router Environment

NAT in conjunction with private IP addresses (as defined in RFC 1918) was initially introduced as a temporary measure to ensure continuous growth of the Internet while IPv6 was developing. As with many temporary measures, it was widely accepted and further extended in the Cisco IOS implementation to include port address translation (PAT) and two-way NAT. Today, NAT is one of the primary means of connecting enterprise networks to the Internet. It is also commonly deployed in scenarios in which networks that are using overlapping or private IP address spaces need to be interconnected.

In the MPLS VPN environment, NAT is generally implemented in three scenarios:

When the service provider wants to offer Internet access to its customers who use private IP addresses, at least one device between the end user and the Internet has to perform the NAT function. Traditionally, this task was left to the CE devices because NAT within the VRF was not supported. The typical setup together with a sample CE router configuration is shown in Figure 4-15 and Example 4-30.

Figure 4-15. CE Router NAT on Internet Interface

NOTE

The setup in Figure 4-15 is based on a design in which two separate subinterfaces are used for VPN and Internet connectivity. A similar, although more complex, setup could be used for other types of VPN connectivity.

Example 4-30. Simple NAT Performed Toward Internet

!
! Define a separate subinterface for Internet access. This is the
! NAT outside interface
!
interface Serial0.2 point-to-point
 description *** Link to public Internet ***
 ip address 194.22.18.1 255.255.255.252
 ip nat outside
 frame-relay interface-dlci 200
!
! All other interfaces are NAT inside interfaces
!
interface Ethernet0
 ip nat inside
!
! Define Overload NAT translation using IP address of outside interface
!
ip nat inside source list 1 interface Serial0.2 overload
!
! All packets going to Internet are translated
!
access-list 1 permit any
When the service provider wants to offer common services to a number of its customers, the customers have to use coordinated IP addresses to be able to access the common servers. This requirement either triggers the need for renumbering customer networks or the need for a NAT function performed inside the customer address space. The NAT could be performed on individual CE routers. The typical setup together with a sample configuration is shown in Figure 4-16 and Example 4-31.

Example 4-31. Complex NAT Toward Common Server Performed on the CE Router

!
! Define a loopback interface with the coordinated IP address
!
interface Loopback0
 ip address 194.22.18.1 255.255.255.255
!
! WAN interface toward PE router is NAT outside interface
!
interface Serial0
 ip nat outside
!
! LAN interface is NAT inside interface
!
interface Ethernet0
 ip nat inside
!
! Only packets toward common server are translated
!
route-map Translate
 match ip address 101
!
access-list 101 permit ip any host 194.22.16.1
!
! Define a route-map controlled overload NAT translation
! using IP address of the loopback interface
!
ip nat inside source route-map Translate interface Loopback0 overload

Figure 4-16. Complex CE Router NAT on VPN Interface

Instead of performing NAT within the customer address space on each CE router, the service provider could deploy a bank of NAT devices (one per customer) at a central location, preferably close to the common servers. A sample setup for three customer VPNs is displayed in Figure 4-17.

Figure 4-17. Centralized Per-VPN NAT

In all cases, the service provisioning is simpler and more controlled if the service provider can perform VRF-aware NAT functionality in PE routers. This feature, called PE-NAT, was introduced in Cisco IOS release 12.2 T and will be described in this section together with a refresher on NAT configuration and operation.

NOTE

The NAT functionality of Cisco IOS and related configuration commands is also briefly covered in Chapter 1 of Enhanced IP Services for Cisco Networks from Cisco Press. For an in-depth description of NAT in Cisco IOS and detailed configuration guidelines, which are beyond the scope of this book, please refer to the Cisco IOS documentation available on www.cisco.com.

NAT Refresher

The basic NAT functionality is best explained in its simplest application: enabling a network that uses private IP addresses (shown in Figure 4-18) to communicate with the public Internet.

Figure 4-18. Basic NAT Functionality

In this scenario, the NAT device performs the following functions:

When an IP packet is received from the inside interface, the source IP address is replaced with a global IP address, the IP checksum of the IP packet is recomputed, and the packet is forwarded toward its final destination. The global IP address that corresponds to the source customer address is stored in a translation table.

When an IP packet is received from the outside interface, the destination IP address is compared to the addresses in the translation table. If there is a match, the destination global IP address is replaced with the private IP address and the packet is forwarded toward a host in the inside network.

The global IP addresses used to replace the private IP addresses could be statically mapped to the private IP addresses (static NAT). This setup is commonly used to ensure that servers (such as web hosts and e-mail servers) with private IP addresses are always reachable from the global Internet through the same public IP address, as shown in Figure 4-19.

Figure 4-19. Static NAT Used to Access Servers in Private IP Address Space

Alternatively, you can define a pool of global IP addresses (NAT pool) that are shared between all users in the private network and allocated on demand. Cisco IOS also provides a rich set of configuration commands with which you can decide on a packet-per-packet basis whether the IP source address should be translated.

Basic NAT performs translation based on the IP address only, which means that it requires a distinct global IP address for every user who is simultaneously accessing the global Internet from the private network. Typically, such a user would only open a few TCP or UDP sessions at a time. However, the TCP or UDP protocol permits a single IP address to open more than 65 thousand sessions. This capability enhanced the operation of NAT by allowing the introduction of PAT, which is also called overload NAT. PAT allows multiple private IP addresses to be mapped to one global address (see Figure 4-20). The NAT device performs TCP and UDP port translation together with IP address translation.

Figure 4-20. PAT

NOTE

The basic NAT functionality can support any protocol that is running on top of IP. PAT works only for applications that are running on top of TCP or UDP.



Configuring NAT on a PE Router

The PE-NAT implementation in Cisco IOS extends the existing NAT functionality to include VRF-aware NAT. The VRF-aware NAT supports most of the NAT functionality in IOS (static and dynamic NAT translations, PAT translation, overlapped translations, use of route maps to select IP packets to be translated, and so on). In the first PE-NAT release, the NAT translation can be performed within a single VRF (not VRF-to-VRF) or between a VRF and the global IP routing table. Any VRF or global interface can be an inside or an outside interface. Furthermore, an interface that is connecting a PE router to the network core (MPLS-enabled interface of the PE router) can be configured as the inside interface, and NAT can be applied to all MPLS-encapsulated VPN packets received through that interface (giving the network designers an option to perform NAT in a single point in the network).

The NAT configuration commands were changed only slightly; the vrf option was added to the ip nat inside source and ip nat outside source commands, as shown in Table 4-5.

Table 4-5. Configuring VRF-Aware NAT on PE Routers

Command Syntax:
  ip nat inside source {list {access-list-number | name} pool name [overload] | static local-ip global-ip} vrf name
Description:
  To enable NAT of the inside source address within a VRF, use the ip nat inside source vrf global configuration command.

Command Syntax:
  ip nat outside source {list {access-list-number | name} pool name | static global-ip local-ip} vrf name
Description:
  To enable NAT of the outside source address within a VRF, use the ip nat outside source vrf global configuration command.

Command Syntax:
  ip nat inside destination list {access-list-number | name} pool name vrf name
Description:
  To enable NAT of the inside destination address within a VRF, use the ip nat inside destination vrf global configuration command.

In the following two sections, we discuss how to use the modified NAT commands to implement common deployment scenarios in an MPLS VPN network:
Using PE-NAT to allow users who have overlapping addresses to access common services

Using PE-NAT to give users who have private IP addresses access to the Internet

Using PE-NAT to Access Common Services

In this scenario, the SuperCom service provider would like to offer common services that are co-located with the Washington PE router, as shown in Figure 4-21. A number of services can be implemented with this approach, including Voice over IP (VoIP) gateways, web hosting, e-mail hosting, hosting of other applications, or common DNS.

Figure 4-21. Common Services in SuperCom Network


As always, the communication between the end users and the common server that is located in Washington will only be successful if the users can reach the common server IP subnet and vice versa. It's easy to ensure that the users can reach the common server by using the overlapping VPN topology described in Chapter 12, "Advanced MPLS/VPN Topologies," of MPLS and VPN Architectures (Volume I). The communication from the common server to the end users is more problematic. In this case, the end users in EuroBank San Francisco and FastFoods San Jose use overlapping IP addresses; therefore, there is no unique return path from the Washington-based server to those users.

The SuperCom designer can use several different approaches to solve this problem:

Deploy standard NAT on all the CE routers that are accessing the common server. With this approach, a small portion of global IP address space would be assigned to each customer; even a single IP address would be enough in most cases. The CE router would then use the overload NAT to map source IP addresses of packets sent toward the common service to an allocated global IP address, as shown in Figure 4-22. (See Example 4-31 earlier in this section for a CE router NAT sample configuration.)

Figure 4-22. Complex NAT Performed on a CE Router

Deploy PE-NAT on the Washington PE router to perform the NAT operation at a central service point. With this approach, SuperCom can also minimize the use of public IP addresses because all MPLS VPN users can use the same NAT address pool, as shown in Figure 4-23. Furthermore, with careful design, the NAT address pool can use private IP addresses, saving on public address space.

Figure 4-23. PE-NAT Deployed in SuperCom Network

NOTE

To minimize the complexity, the diagrams throughout the rest of this section will only include Washington and San Jose PE routers and connected CE routers.

The SuperCom designers decided to deploy a centralized PE-NAT solution by using the addressing scheme displayed in Table 4-6.

Table 4-6. Common Server Address Assignment

Description            IP Prefix
Common server subnet   194.22.16.0/24
PE router address      194.22.16.1
VoIP gateway           194.22.16.2
Outside NAT pool       172.16.0.0/22

The PE-NAT limitation (NAT is only performed inside a single VRF) requires careful design on the Washington PE router that includes the following components:

A dedicated VRF is created for the common server. A NAT pool is established in the Washington PE router, and the routing between the common server and the NAT pool is configured in the common server VRF.

For all customers who are accessing the common server, customer VRFs are configured on the Washington PE router, and the route toward the common server is inserted into the customer VRF.

VRF-aware NAT is configured on the Washington PE router.

Each one of these components is discussed in a separate subsection that follows.
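The following Python model, added here and not taken from the book, ties together two points of this section: why overload NAT (PAT) needs TCP or UDP ports, and how a single-VRF PE-NAT whose translation table is keyed on the VRF lets EuroBank and FastFoods hosts with overlapping addresses share the 172.16.0.0/22 pool while the server's replies still return to the right VRF. The host addresses, ports and the small /30 pool used for the exhaustion case are constructed, and the NAT table is a simplified model rather than IOS behaviour in every detail.

```python
"""Added example, not from the book: a Python model of the VRF-aware inside-source
NAT (PE-NAT) behaviour this section describes.  It shows why basic NAT needs one
global address per inside host while overload NAT (PAT) multiplexes TCP/UDP ports,
and how keying translations on the VRF lets EuroBank and FastFoods hosts with the
same private address share the 172.16.0.0/22 pool yet receive their own replies.
VRF names, pool and server address are from the section; hosts, ports and the
/30 pool used for the exhaustion case are constructed."""
from dataclasses import dataclass, replace
from ipaddress import IPv4Network
from typing import Optional

SERVER = "194.22.16.2"  # VoIP gateway in the CommonServer VRF (Table 4-6)


@dataclass(frozen=True)
class Packet:
    vrf: str                     # VRF the packet is forwarded in
    proto: str                   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: Optional[int] = None  # None for protocols without ports
    dport: Optional[int] = None


class PeNat:
    """Inside-source NAT translating within one VRF, optionally in overload (PAT) mode."""

    def __init__(self, pool: str, overload: bool, first_port: int = 1024):
        self.pool = [str(a) for a in IPv4Network(pool)]
        self.overload = overload
        self.next_port = first_port
        self.inside_to_global = {}  # (vrf, proto, in_ip, in_port) -> (g_ip, g_port)
        self.global_to_inside = {}  # (proto, g_ip, g_port) -> (vrf, in_ip, in_port)
        self.host_ip = {}           # basic mode only: (vrf, in_ip) -> g_ip

    def _allocate(self, vrf, ip, port):
        if self.overload:
            if port is None:  # PAT rewrites a TCP/UDP port; there is none here
                return None
            gport, self.next_port = self.next_port, self.next_port + 1
            return self.pool[0], gport  # one pool address serves every host
        if (vrf, ip) not in self.host_ip:
            free = [a for a in self.pool if a not in self.host_ip.values()]
            if not free:  # pool exhausted: the packet is dropped
                return None
            self.host_ip[(vrf, ip)] = free[0]
        return self.host_ip[(vrf, ip)], port  # address-only NAT keeps the port

    def inside_to_outside(self, pkt: Packet) -> Optional[Packet]:
        """Packet from a customer (inside) interface toward the common server;
        returns the translated packet, or None if it is dropped."""
        key = (pkt.vrf, pkt.proto, pkt.src, pkt.sport)
        if key not in self.inside_to_global:
            entry = self._allocate(pkt.vrf, pkt.src, pkt.sport)
            if entry is None:
                return None
            self.inside_to_global[key] = entry
            self.global_to_inside[(pkt.proto,) + entry] = (pkt.vrf, pkt.src, pkt.sport)
        gip, gport = self.inside_to_global[key]
        return replace(pkt, src=gip, sport=gport)

    def outside_to_inside(self, pkt: Packet) -> Optional[Packet]:
        """Reply from the common server to a pool address.  The delivery VRF
        comes from the translation entry, which is what makes overlapping
        inside addresses unambiguous on the return path."""
        entry = self.global_to_inside.get((pkt.proto, pkt.dst, pkt.dport))
        if entry is None:
            return None  # no translation state: dropped
        vrf, ip, port = entry
        return replace(pkt, vrf=vrf, dst=ip, dport=port)


def demo_overlapping_clients(overload: bool) -> dict:
    """One host per customer VRF, both numbered 10.1.1.1 (constructed), calls
    the VoIP gateway; report what the server sees and where replies land."""
    nat = PeNat("172.16.0.0/22", overload=overload)
    outs = [nat.inside_to_outside(Packet(vrf, "tcp", "10.1.1.1", SERVER, 40000, 5060))
            for vrf in ("EuroBank", "FastFoods")]
    # The server answers the source it saw; replies arrive in the CommonServer VRF.
    backs = [nat.outside_to_inside(Packet("CommonServer", "tcp", SERVER, o.src, 5060, o.sport))
             for o in outs]
    return {"eurobank_seen_as": (outs[0].src, outs[0].sport),
            "fastfoods_seen_as": (outs[1].src, outs[1].sport),
            "reply_vrfs": (backs[0].vrf, backs[1].vrf)}


def demo_pat_needs_ports() -> bool:
    """A ping (no ports) through an overload pool cannot be translated by PAT."""
    nat = PeNat("172.16.0.0/22", overload=True)
    return nat.inside_to_outside(Packet("EuroBank", "icmp", "10.1.1.1", SERVER)) is None


def demo_basic_nat_exhaustion() -> int:
    """Address-only NAT, constructed 4-address pool, 5 hosts: the fifth is dropped."""
    nat = PeNat("172.16.0.0/30", overload=False)
    hits = [nat.inside_to_outside(Packet("EuroBank", "tcp", f"10.1.1.{i}", SERVER, 40000, 80))
            for i in range(1, 6)]
    return sum(h is not None for h in hits)
```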

Common Server VRF Configuration

A VRF must be created on the Washington PE router to isolate the common server from the global IP address space in which the Internet service is offered, as shown in Example 4-32. In environments that have more relaxed security requirements, the common server might also reside in global IP address space. Contrary to the overlapping VPN topology, no route leakage between this VRF and the customer VRFs is defined.

Example 4-32. Common Server VRF Definition

ip vrf CommonServer
 rd 100:100
 route-target export 100:100
 route-target import 100:100
!
interface FastEthernet3/0
 ip vrf forwarding CommonServer
 ip address 194.22.16.1 255.255.255.0

NAT Pool and Related IP Routing Configuration


A single NAT pool is defined to cover the needs of all customers who are accessing the common server. The corresponding configuration commands are shown in Example 4-33.

Example 4-33. NAT Pool Definition


ip nat pool Common 172.16.0.0 172.16.3.255 netmask 255.255.252.0

An IP route that covers the NAT pool is defined in the CommonServer VRF to enable the routing of return packets from the common server toward the PE router with the commands in Example 4-34. You can announce this route to the common server through a PE-CE routing protocol, or you can use static or default routing on the common server.

Example 4-34. IP Routing from the Common Server to the IP NAT Pool

ip route vrf CommonServer 172.16.0.0 255.255.252.0 Null0
!
router rip
 version 2
 !
 address-family ipv4 vrf CommonServer
  version 2
  redistribute static
  network 194.22.16.0

The IP route toward the NAT pool is propagated toward the common server (see Example 4-35); therefore, the NAT pool from which the translated return addresses will come is reachable from the common server.

Example 4-35. IP Routing on the Common Server

CommonServer#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

     172.16.0.0 255.255.252.0 is subnetted, 1 subnets
R       172.16.0.0 [120/1] via 194.22.16.1, 00:00:01, FastEthernet0/0
C    194.22.16.0 255.255.255.0 is directly connected, FastEthernet0/0

NOTE

It is unnecessary to redistribute routes from the CommonServer VRF into Multiprotocol BGP. The CommonServer VRF is completely isolated from the rest of the MPLS VPN network (similar to the VRF-lite configuration discussed previously in this chapter).

Customer VRF Configuration

The current PE-NAT implementation works only inside a single VRF. Due to this requirement, you need to define a VRF on the Washington PE router for every customer who accesses the common server so that the NAT function will be performed inside the customer VRF.

The EuroBank VRF is already defined in the Washington PE router. You must create the FastFoods VRF, as shown in Example 4-36.

Example 4-36. Customer VRF Definition

ip vrf FastFoods
 rd 100:252
 route-target export 100:252
 route-target import 100:252

You must define a static route toward the common server in every customer VRF on the Washington PE router to ensure that (from the PE router's perspective) NAT will always be performed inside the customer VRF. You must redistribute this static route into Multiprotocol BGP and any relevant PE-CE routing protocol to enable connectivity from CE routers to the central server. Both configuration steps are illustrated in Example 4-37.

NOTE

No interfaces are placed in VRFs of customers who do not connect directly to the Washington PE router.

Example 4-37. IP Routing from Customers to the Common Server


ip route vrf EuroBank 194.22.16.0 255.255.255.0 FastEthernet3/0 194.22.16.2
ip route vrf FastFoods 194.22.16.0 255.255.255.0 FastEthernet3/0 194.22.16.2
!
router bgp 10
 address-family ipv4 vrf FastFoods
  redistribute static
 !
 address-family ipv4 vrf EuroBank
  redistribute static
!
router rip
 address-family ipv4 vrf EuroBank
  redistribute static

After these configuration steps, the route toward the common server is inserted into the EuroBank and FastFoods VRFs on the Washington PE router (see Example 4-38). This route is propagated to other PE routers and to the CE routers (see Example 4-39). Therefore, the common server is reachable from all customer sites.

Example 4-38. Route Toward the Common Server in the EuroBank and FastFood VRF on the Washington PE Router

PE_Washington#show ip route vrf EuroBank 194.22.16.0
Routing entry for 194.22.16.0 255.255.255.0
  Known via "static", distance 1, metric 0
  Redistributing via bgp 10
  Advertised by bgp 10
  Routing Descriptor Blocks:
  * 194.22.16.2, via FastEthernet3/0
      Route metric is 0, traffic share count is 1

PE_Washington#show ip route vrf FastFood 194.22.16.0
Routing entry for 194.22.16.0 255.255.255.0
  Known via "static", distance 1, metric 0
  Redistributing via bgp 10
  Advertised by bgp 10
  Routing Descriptor Blocks:
  * 194.22.16.2, via FastEthernet3/0
      Route metric is 0, traffic share count is 1

Example 4-39. Route Toward the Common Server in the San Jose PE Router and Connected CE Routers

PE_SanJose#show ip route vrf FastFood 194.22.16.0
Routing entry for 194.22.16.0/24
  Known via "bgp 10", distance 200, metric 0, type internal
  Redistributing via rip
  Advertised by rip metric transparent
  Last update from 194.22.15.3 00:06:42 ago
  Routing Descriptor Blocks:
  * 194.22.15.3 (Default-IP-Routing-Table), from 194.22.15.3
      Route metric is 0, traffic share count is 1
      AS Hops 0

SanJose#show ip route 194.22.16.0
Routing entry for 194.22.16.0 255.255.255.0
  Known via "rip", distance 120, metric 1
  Redistributing via rip
  Last update from 192.168.2.18 on Serial0.236, 00:00:19 ago
  Routing Descriptor Blocks:
  * 192.168.2.18, from 192.168.2.18, 00:00:19 ago, via Serial0.236
      Route metric is 1, traffic share count is 1

SanFrancisco#show ip route 194.22.16.0
Routing entry for 194.22.16.0/24
  Known via "rip", distance 120, metric 1
  Redistributing via rip
  Last update from 192.168.2.14 on Serial0.313, 00:00:03 ago
  Routing Descriptor Blocks:
  * 192.168.2.14, from 192.168.2.14, 00:00:03 ago, via Serial0.313
      Route metric is 1, traffic share count is 1
NAT Configuration on the Washington PE Router

With the IP routing in place, NAT is configured with the following steps.

The interface that connects the common server to the Washington PE router is configured as an outside NAT interface with the commands in Example 4-40.

Example 4-40. Outside NAT Interface Configuration

interface FastEthernet3/0
 ip nat outside

A single route map is defined to match packets that are exchanged between the customers and the common server. A sample route map configuration is shown in Example 4-41. Note that the access list permits any source address and matches only on the common server's subnet as the destination: it decides which packets are translated, not which customer hosts are allowed to reach the server.

Example 4-41. Route Map and Access List Used in NAT Definitions

ip access-list extended CommonNAT
 permit ip any 194.22.16.0 0.0.0.255
!
route-map CommonNAT permit 10
 match ip address CommonNAT

NOTE

Performing NAT based on a route map is strongly advised in complex NAT scenarios because Cisco IOS creates extended translation entries when a route map is used with the ip nat command.

The interfaces that connect CE routers to the Washington PE router are configured as inside NAT interfaces with the ip nat inside command, as shown in Example 4-42.

Example 4-42. Interfaces Toward CE Routers Are Configured as NAT Inside Interfaces

interface Serial6/3.312 point-to-point
 description *** Link to EuroBank Washington ***
 ip nat inside

Inside source NAT translation is configured for the EuroBank and FastFood VRFs with the commands shown in Example 4-43. The name given with the vrf keyword must match the name defined with ip vrf; the translation entries in Example 4-45 show the VRF as FastFood.

Example 4-43. Per-VRF Inside Source IP Address Translation Definition

ip nat inside source route-map CommonNAT pool Common vrf EuroBank
ip nat inside source route-map CommonNAT pool Common vrf FastFood

After these configuration steps, PE-NAT is fully operational, but only for customer sites that are attached directly to the Washington PE router. For example, the Washington CE router can access the common server, but the San Francisco CE router cannot, because the packets it sends toward the common server are not forwarded from an inside NAT interface to an outside NAT interface from the perspective of the Washington PE router. To enable NAT functionality for remote sites, you must define all the core interfaces (interfaces that link PE routers with P routers and other PE routers) as inside interfaces, as shown in Example 4-44.

Example 4-44. Interfaces Toward the Network Core Are Configured as NAT Inside Interfaces

interface Serial6/0
 description *** Link to PE_SanJose ***
 ip nat inside

Testing the PE-NAT configuration is simple: a Telnet session is opened from a CE router toward the common server, and the NAT translation entries are examined on the PE router. Opening a few Telnet sessions from CE routers to the common server results in the translations shown in Example 4-45: one for the Washington CE router in the EuroBank VRF and one for the San Jose CE router in the FastFood VRF. Both inside local addresses come from customer address space that may overlap between VPNs; it is the VRF field of the extended translation entry, not the inside local address, that maps the server's return traffic back into the correct VPN.

Example 4-45. NAT Translations on the PE Router

PE_Washington#show ip nat translations verbose
Pro Inside global      Inside local       Outside local      Outside global
tcp 172.16.0.1:11007   192.168.2.17:11007 194.22.16.2:23     194.22.16.2:23
    create 00:00:24, use 00:00:24, left 23:59:35, Map-Id(In): 4, flags:
extended, use_count: 0, VRF : FastFood
tcp 172.16.0.2:11012   192.168.2.33:11012 194.22.16.2:23     194.22.16.2:23
    create 00:00:08, use 00:00:08, left 23:59:51, Map-Id(In): 5, flags:
extended, use_count: 0, VRF : EuroBank
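The translation table is also what you would inspect when checking that the shared pool does not blur the boundary between VPNs. The following added example, which is not code from the book, parses text in the layout of the show ip nat translations verbose output above and verifies that every inside-global address:port is claimed by exactly one VRF and that no entry was created without a VRF tag. The first sample is constructed from the two entries on the page; the second sample, including the VRF named Acme and its addresses, is a hypothetical broken state built to show what the check reports.

```python
"""Parse 'show ip nat translations verbose' and check per-VRF isolation.

Added example (not from the book). Assumes the output layout of Example 4-45:
one 'proto inside-global inside-local outside-local outside-global' line
followed by continuation lines, one of which may carry 'VRF : name'.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the two entries shown in Example 4-45.
SAMPLE = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 172.16.0.1:11007   192.168.2.17:11007 194.22.16.2:23     194.22.16.2:23
    create 00:00:24, use 00:00:24, left 23:59:35, Map-Id(In): 4, flags:
extended, use_count: 0, VRF : FastFood
tcp 172.16.0.2:11012   192.168.2.33:11012 194.22.16.2:23     194.22.16.2:23
    create 00:00:08, use 00:00:08, left 23:59:51, Map-Id(In): 5, flags:
extended, use_count: 0, VRF : EuroBank
"""

# Constructed, hypothetical broken state (VRF 'Acme' and its addresses are
# invented): one entry reuses an inside-global tuple that FastFood already
# owns, and one entry carries no VRF tag at all.
SAMPLE_BAD = SAMPLE + """\
tcp 172.16.0.1:11007   10.1.1.5:11007     194.22.16.2:23     194.22.16.2:23
    create 00:00:03, use 00:00:03, left 23:59:56, Map-Id(In): 6, flags:
extended, use_count: 0, VRF : Acme
tcp 172.16.0.3:11020   192.168.9.9:11020  194.22.16.2:23     194.22.16.2:23
    create 00:00:01, use 00:00:01, left 23:59:58, flags:
extended, use_count: 0
"""

@dataclass
class Translation:
    proto: str
    inside_global: str
    inside_local: str
    outside_local: str
    outside_global: str
    vrf: Optional[str] = None   # None: entry was not created inside a VRF

ENTRY_RE = re.compile(r"^(tcp|udp|icmp)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
VRF_RE = re.compile(r"\bVRF\s*:\s*(\S+)")

def parse_translations(text):
    """Return a list of Translation objects, one per entry line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Translation(*m.groups()))
        elif entries:
            v = VRF_RE.search(line)         # continuation line of the last entry
            if v:
                entries[-1].vrf = v.group(1)
    return entries

def check_isolation(entries):
    """Return (problems, entries grouped by VRF).

    Two VRFs claiming the same inside-global address:port would leave the PE
    unable to map the server's replies back to one VPN; an entry without a
    VRF tag means traffic was translated outside the per-VRF design.
    """
    owners = defaultdict(set)
    by_vrf = defaultdict(list)
    problems = []
    for e in entries:
        if e.vrf is None:
            problems.append(f"untagged translation {e.inside_global} -> {e.inside_local}")
            continue
        owners[e.inside_global].add(e.vrf)
        by_vrf[e.vrf].append(e)
    for tup, vrfs in sorted(owners.items()):
        if len(vrfs) > 1:
            problems.append(f"inside global {tup} claimed by VRFs {sorted(vrfs)}")
    return problems, dict(by_vrf)

if __name__ == "__main__":
    for label, text in (("Example 4-45", SAMPLE), ("broken state", SAMPLE_BAD)):
        problems, by_vrf = check_isolation(parse_translations(text))
        print(label, {v: len(e) for v, e in by_vrf.items()}, problems or "ok")
```

Run against the page's output the check reports nothing; against the broken sample it reports the untagged entry and the inside-global tuple shared by FastFood and Acme. Feed it the saved output of the command from a real PE to get the same report.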




Using PE-NAT for Shared Firewalls

You can use NAT functionality that is similar to the one deployed in the previous scenario to give MPLS VPN customers who have private IP addresses access to the Internet through a shared PE-NAT device. The corresponding topology of the SuperCom network is shown in Figure 4-24.

Figure 4-24. Internet Access with Shared PE-NAT

In this setup, the Washington PE router is directly connected to an Internet gateway router through a LAN connection. Internet access implemented through packet leaking between VRFs and global IP routing (described in more detail in Chapter 13, "Advanced MPLS/VPN Topics," of the MPLS and VPN Architectures (Volume I) book) will be used in this scenario.

NOTE

In this particular setup, it would be even simpler to use an Internet-in-a-VPN approach and employ the same design that was used for common server access in the previous section. The only difference in the configuration would be that the per-VRF static route toward the common server (as configured in the previous section) would be replaced by a per-VRF default route.

The design used to implement PE-NAT between a VRF and the global IP routing table is similar to the inter-VRF design and has the same limitation as PE-NAT in general: NAT is performed only inside a single VRF. IP routing is set up in the following steps.


Step 1. The interface toward the Internet gateway is placed in the global IP routing table, as shown in Example 4-46.

Example 4-46. Internet Gateway Interface Configuration

interface FastEthernet3/0
 ip address 194.22.16.1 255.255.255.0

Step 2. A single NAT pool is defined with the command in Example 4-47 to cover the needs of all customers who are accessing the Internet. A subset of the subnet defined on the Washington PE router's Internet gateway link is used to simplify IP routing.

Example 4-47. NAT Pool Definition

ip nat pool Common 194.22.16.16 194.22.16.31 netmask 255.255.255.240

Step 3. A global IP route covering the NAT pool is defined with the command in Example 4-48 to ensure that the Washington PE router will perform proxy-ARP when the Internet gateway forwards return traffic toward IP addresses in the NAT pool.

Example 4-48. Global IP Routing to IP NAT Pool

ip route 194.22.16.16 255.255.255.240 Null0

Step 4. A VRF is defined for every customer who accesses the Internet through the shared PE-NAT. (The EuroBank VRF is already defined in the Washington PE router, but the FastFood VRF must be created, as shown in Example 4-49.)

Example 4-49. Customer VRF Definition

ip vrf FastFood
 rd 100:252
 route-target export 100:252
 route-target import 100:252


Step 5. A default route with the Internet gateway as the global next hop is defined in every customer VRF on the Washington PE router to ensure that (from the PE router's perspective) NAT will be performed inside a single VRF. This default route must be redistributed into Multiprotocol BGP and any relevant PE-CE routing protocol, as shown in Example 4-50.

Example 4-50. Default IP Routing from Customers to the Internet Gateway

ip route vrf EuroBank 0.0.0.0 0.0.0.0 194.22.16.2 global
ip route vrf FastFood 0.0.0.0 0.0.0.0 194.22.16.2 global
!
router bgp 10
 address-family ipv4 vrf FastFood
  redistribute static
  default-information originate
 !
 address-family ipv4 vrf EuroBank
  redistribute static
  default-information originate
!
router rip
 address-family ipv4 vrf EuroBank
  redistribute static

After these configuration steps have been completed, the default IP route toward the Internet gateway is inserted into the EuroBank and FastFood VRFs on the Washington PE router (see Example 4-51). The route is propagated to other PE routers and to the CE routers (see Example 4-52 and Example 4-53). Therefore, the Internet gateway is reachable from all customer sites.

Example 4-51. Default Route in the EuroBank VRF on the Washington PE Router

PE_Washington#show ip route vrf EuroBank 0.0.0.0
Routing entry for 0.0.0.0 0.0.0.0, supernet
  Known via "static", distance 1, metric 0, candidate default path
  Redistributing via rip, bgp 10
  Advertised by rip
                bgp 10
  Routing Descriptor Blocks:
  * 194.22.16.2 (Default-IP-Routing-Table)
      Route metric is 0, traffic share count is 1

Example 4-52. Default Route in the EuroBank VRF in the San Jose PE Router

PE_SanJose#show ip route vrf EuroBank 0.0.0.0
Routing entry for 0.0.0.0 0.0.0.0, supernet
  Known via "bgp 10", distance 200, metric 0, candidate default path, type internal
  Redistributing via rip
  Advertised by rip metric transparent
  Last update from 194.22.15.3 00:54:22 ago
  Routing Descriptor Blocks:
  * 194.22.15.3 (Default-IP-Routing-Table), from 194.22.15.3
      Route metric is 0, traffic share count is 1
      AS Hops 0

Example 4-53. Default Route in the San Francisco Router

SanFrancisco#show ip route 0.0.0.0
Routing entry for 0.0.0.0/0, supernet
  Known via "rip", distance 120, metric 1, candidate default path
  Redistributing via rip
  Last update from 192.168.2.14 on Serial0.313, 00:00:27 ago
  Routing Descriptor Blocks:
  * 192.168.2.14, from 192.168.2.14, 00:00:27 ago, via Serial0.313
      Route metric is 1, traffic share count is 1


YouPub do Dat not t o2 00 pr3opagat e an I P rou t e t ow ar d t he NAT pool t o t he I nt er net gat ew ay becau se e: need Ju ne 06, add resses in t he NAT pool belon g t o a su bnet t hat is dir ect ly conn ect ed t o t h e I n t ern et gat ew ay . I SBN: 1- 58 705 -1 12 -5 The I nPages: t er net50gat ew ay r elies on t he Washin gt on PE rou t er t o p er f orm pr oxy - ARP. 4 Wit h I P r out ing in place, NAT is conf igur ed w it h t he follow ing st eps: St e p 1 . The in t er f ace t hat con nect s t he com m on ser ver t o t he Wash in gt on PE rou t er is conf ig ur ed as an ou t sid e NAT int er face w it h comm and s fr om Ex am ple 4- 54. Th e int erf aces Wit h MPLS VPN CE Ar chit Volum e Iingt I , yon ou'PE ll lear n er : as w ell as cor e int erf aces are con figu t hat and connect r ouect t erus res, t o t he Wash r out as inside NAT int erf aces. How t o int egr at e v ar iou s r em ot e access t echn ologies in t o t h e back bone p r ovidin g VPN ser v ice t o m any d iff er ent t yp es of cu st om er s

Exa m pl e 4 - 5 4 . NAT I nt er f a ce Assign m en t s

interface FastEthernet3/0
 description *** Link toward Internet gateway ***
 ip nat outside
!
interface Serial6/0
 description *** Link to PE_SanJose ***
 ip nat inside
!
interface Serial6/3.312 point-to-point
 description *** Link to EuroBank Washington ***
 ip nat inside

Step 2. A single route map is defined to match all packets that are exchanged between the customers and the Internet gateway with the commands in Example 4-55.
Example 4-55. Route Map and Access List Used in NAT Definitions

route-map CommonNAT permit 10


Step 3. Inside source overload NAT translation is configured for the EuroBank and FastFood VRFs with the commands in Example 4-56.


Example 4-56. Per-VRF Inside Source IP Address Translation Definition


ip nat inside source route-map CommonNAT pool Common vrf EuroBank overload

ip nat inside source route-map CommonNAT pool Common vrf FastFood overload

Similarly to the previous scenario, testing the proper PE-NAT configuration is simple: A Telnet session is opened from a CE router toward an Internet destination, and the NAT translation entries are examined on the PE router. Example 4-57 shows several translation entries from different VRFs, all of them using the same global IP address from the common NAT pool. Because both VRFs are translated to the same global address, the entries differ only in the port number and in the VRF field at the end of each entry; the port number is what keeps the returning traffic of the two VRFs apart.

Example 4-57. NAT Translations on the PE Router

PE_Washington#show ip nat translations verbose
Pro Inside global      Inside local       Outside local      Outside global
tcp 194.22.16.17:11008 192.168.2.17:11008 15.0.0.1:23        15.0.0.1:23
    create 00:00:34, use 00:00:34, left 23:59:25, Map-Id(In): 4,
    flags:
extended, timing-out, use_count: 0, VRF : FastFood
tcp 194.22.16.17:11009 192.168.2.17:11009 15.0.0.1:23        15.0.0.1:23
    create 00:00:32, use 00:00:06, left 23:59:53, Map-Id(In): 4,
    flags:
extended, use_count: 0, VRF : FastFood
tcp 194.22.16.17:11269 192.168.2.33:11269 15.0.0.1:23        15.0.0.1:23
    create 00:00:09, use 00:00:09, left 23:59:50, Map-Id(In): 6,
    flags:
extended, use_count: 0, VRF : EuroBank
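The translation table is what you verify after Step 3. As an added example (not code from the book), the following Python script parses the output of show ip nat translations verbose in the layout of Example 4-57 and checks the two properties a shared per-VRF pool has to hold: every inside-global address comes from the common pool, and no two translations share the (protocol, global address, port) tuple that steers return traffic back into the right VRF. It also lists inside-local addresses that appear in more than one VRF, which is exactly the overlap that plain, non-VRF-aware NAT cannot handle. The pool range 194.22.16.16/28 and the sample output, which adds one EuroBank entry whose inside-local address also exists in FastFood, are constructed assumptions; the pool definition is not on this page.

```python
"""Check a per-VRF NAT translation table taken from a PE router.

Added example, not code from the book. Parses 'show ip nat translations
verbose' output (layout of Example 4-57) and verifies that every inside
global address is drawn from the common pool and that no two translations
share (protocol, inside global address, port). The pool range and the
sample output are constructed assumptions.
"""
import ipaddress
import re
from collections import defaultdict

# Assumed range of NAT pool "Common"; the pool definition is not on this page.
COMMON_POOL = ipaddress.ip_network("194.22.16.16/28")

# Constructed sample modelled on Example 4-57, plus one EuroBank translation
# whose inside-local address (192.168.2.17) also exists in FastFood.
SAMPLE_OUTPUT = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 194.22.16.17:11008 192.168.2.17:11008 15.0.0.1:23        15.0.0.1:23
    create 00:00:34, use 00:00:34, left 23:59:25, Map-Id(In): 4,
    flags:
extended, timing-out, use_count: 0, VRF : FastFood
tcp 194.22.16.17:11009 192.168.2.17:11009 15.0.0.1:23        15.0.0.1:23
    create 00:00:32, use 00:00:06, left 23:59:53, Map-Id(In): 4,
    flags:
extended, use_count: 0, VRF : FastFood
tcp 194.22.16.17:11269 192.168.2.33:11269 15.0.0.1:23        15.0.0.1:23
    create 00:00:09, use 00:00:09, left 23:59:50, Map-Id(In): 6,
    flags:
extended, use_count: 0, VRF : EuroBank
tcp 194.22.16.17:11270 192.168.2.17:11270 15.0.0.1:23        15.0.0.1:23
    create 00:00:05, use 00:00:05, left 23:59:55, Map-Id(In): 6,
    flags:
extended, use_count: 0, VRF : EuroBank
"""

ENTRY_RE = re.compile(
    r"^(?P<proto>tcp|udp|icmp)\s+(?P<ig>\S+)\s+(?P<il>\S+)\s+(?P<ol>\S+)\s+(?P<og>\S+)\s*$"
)
VRF_RE = re.compile(r"\bVRF\s*:\s*(?P<vrf>\S+)")


def _split(addr_port):
    """'194.22.16.17:11008' -> ('194.22.16.17', 11008)."""
    host, _, port = addr_port.rpartition(":")
    return host, int(port)


def parse_translations(text):
    """Return one dict per translation; the VRF comes from the trailing flags line."""
    entries, current = [], None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            current = {
                "proto": m["proto"],
                "inside_global": _split(m["ig"]),
                "inside_local": _split(m["il"]),
                "outside_global": _split(m["og"]),
                "vrf": None,  # filled in when the flags line for this entry arrives
            }
            entries.append(current)
            continue
        v = VRF_RE.search(line)
        if v and current is not None:
            current["vrf"] = v["vrf"]
    return entries


def check_translations(entries, pool=COMMON_POOL):
    """Return (number of translations per VRF, list of problems found)."""
    per_vrf = defaultdict(int)
    problems = []
    seen = {}  # (proto, global address, global port) -> VRF that owns it
    for e in entries:
        per_vrf[e["vrf"]] += 1
        ig_host, ig_port = e["inside_global"]
        if ipaddress.ip_address(ig_host) not in pool:
            problems.append(f"{e['vrf']}: inside global {ig_host} is not in pool {pool}")
        key = (e["proto"], ig_host, ig_port)
        if key in seen:
            problems.append(
                f"{e['vrf']}: {e['proto']} {ig_host}:{ig_port} already used by VRF {seen[key]}"
            )
        seen[key] = e["vrf"]
    return dict(per_vrf), problems


def overlapping_locals(entries):
    """Inside-local addresses present in more than one VRF (fine with per-VRF NAT)."""
    by_local = defaultdict(set)
    for e in entries:
        by_local[e["inside_local"][0]].add(e["vrf"])
    return {ip: vrfs for ip, vrfs in by_local.items() if len(vrfs) > 1}


if __name__ == "__main__":
    found = parse_translations(SAMPLE_OUTPUT)
    counts, issues = check_translations(found)
    print(counts, issues or "no problems")
    print("inside-local addresses shared across VRFs:", overlapping_locals(found))
```

Feed the script the captured output of the command instead of SAMPLE_OUTPUT to run the same checks against a live PE router; a non-empty problem list after Step 3 points at either a pool mismatch or a translation that a return packet cannot be attributed to a single VRF.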




Summary

This chapter discussed how MPLS VPN technology can help you design sophisticated networks without deploying the full MPLS VPN functionality. You can use multiple routing tables in a single CE router to separate multiple co-located VPNs without deploying an on-site PE router.


These routing tables behave almost as independent routers and have to be linked with a PE router through independent physical or logical interfaces. The independent logical interfaces are simplest to create on physical media that support subinterfaces (Frame Relay, ATM, or switched Ethernet). If, however, you cannot use one of these physical media, you can still implement logical interfaces with GRE tunnels, although tunnels will make your network more complex and slightly less secure because the CE router must have access to the global IP routing table of the adjacent PE router. In the access layer (such as LAN interfaces of the CE routers), you can also use VRF selection based on source IP address if the access layer technology does not permit you to separate the VPN users into virtual groups (such as virtual LANs).

Another functionality that is closely related to MPLS VPN is the ability to perform VRF-aware NAT. This functionality, usually deployed in a PE router, gives the service providers a scalable means of implementing centrally controlled NAT solutions in scenarios where they previously had to potentially deploy distributed NAT on every CE router.

The VRF-aware NAT functionality is usually deployed on a PE router, although it would be completely feasible to use the identical functionality in a multi-VRF CE router to implement multiple independent NAT instances in the same physical device.

Part III: Advanced Deployment Scenarios

Chapter 5 Protecting the MPLS-VPN Backbone
Chapter 6 Large-Scale Routing and Multiple Service Provider Connectivity
Chapter 7 Multicast VPN
Chapter 8 IP Version 6 Transport Across an MPLS Backbone


Chapter 5. Protecting the MPLS-VPN Backbone

When the subject of security in a Multiprotocol Label Switching (MPLS) virtual private network (VPN) backbone is discussed, comparisons are inevitably made with VPNs that are delivered via Frame Relay or Asynchronous Transfer Mode (ATM) services. This most likely stems from the fact that before the existence of MPLS VPN technology, VPNs were delivered by using Layer 2 point-to-point connections such as ATM or Frame Relay permanent virtual circuits (PVCs). In the case of pre-MPLS Layer 3 service provider networks, generic routing encapsulation (GRE) or IP Security (IPSec) tunnels were the VPN provisioning mechanism. In any event, the primary responsibility of the service provider was to provide an end-to-end connection as a conduit through its core network; Layer 3 customer information was transported transparently. The service provider did not participate in, or have visibility of, the customer network.

In contrast, an MPLS VPN service provider maintains instances of the customer's routing table in each PE router to which a customer site is connected and consequently has visibility of the customer network topology. Any customer who is migrating a site from a Layer 2 ATM/Frame Relay-provisioned network to an MPLS VPN would naturally expect to receive the same or a better level of security than he had previously received; therefore, a comparison of MPLS VPNs versus Layer 2 services is warranted.

An independent study on this subject by Miercom, a third-party testing facility in Princeton Junction, New Jersey, concluded that MPLS VPN networks "met or exceeded all of the security characteristics of a comparable Layer 2-based VPN such as Frame Relay or ATM." The study tested various security aspects of an MPLS VPN network against the comparable features in an ATM and Frame Relay network. The basic security items compared were as follows:

Address and routing separation in the MPLS VPN architecture is equivalent to Layer 2 models.

An MPLS VPN service provider core network is invisible to a customer network, as is a customer network to the core network.

An MPLS VPN network is as resistant to Denial of Service (DoS) attacks as a Layer 2 network.

The inherent security capabilities of an MPLS VPN that provide a favorable comparison to Layer 2 networks are discussed in the following sections.

NOTE

Readers who want to do further reading on Frame Relay/ATM security comparisons to MPLS VPNs can obtain the Miercom report from www.miercom.com. A Cisco whitepaper entitled "Security of the MPLS Architecture" is also highly recommended and can be obtained from http://cisco.com/warp/public/cc/pd/iosw/prodlit/mxinf_ds.htm. Similar information on MPLS VPN security can also be found in draft-behringer-mpls-security.

This chapter does not attempt to make comparisons to Layer 2-based services but instead focuses on the security capabilities available in the MPLS VPN architecture and provides practical examples and steps that a service provider can take to increase the security of an MPLS VPN backbone and any attached VPN sites.

NOTE

This chapter does not deal with the aspects of securing an individual Cisco router. Readers who want to learn more about securing Cisco routers are recommended to download the "Securing a Cisco Router" whitepaper from http://www.cisco.com/warp/public/707/21.pdf.


Inherent Security Capabilities

An MPLS VPN service offering allows a service provider to utilize its Layer 3 backbone to provide infrastructure that customers can share, supporting the paradigm of "Build Once and Sell Many." To facilitate such a service, the service provider must rely on the inherent security capabilities that have been built into MPLS from day one of its inception. These capabilities have been previously explained in Volume I of MPLS and VPN Architectures; however, it is appropriate to revisit some of them so that we can examine MPLS from a security perspective. These inherent security capabilities can be categorized as follows:

Address space and routing separation

No visibility of the core network

Resistance to label spoofing

Address Space Separation Wit h MPLS and VPN Ar chit ect u res, Volum e I I , y ou' ll lear n : Those f amiliar w it h t he MPLS ar chit ect ur e w ill k now t h at t h e add ress space sep arat ion is one of capabilit ies aff ord ed b y an MPLS VPN. The add r ess space of dif fer en t VPNs, each p ossibly consis o int at e is v ar iou r em ot e access . t All echn ologies t ohtoh ar e back bone ed p r ovidin VPN VPN m anyHow cust tom er egr sit es, ent ir sely independent cust om er sin w e connect t o an gMPLS ser tvhe icewt o m any iff er t ypdres of cu st om er p s ublic or p riv at e I P ad dr esses as defin ed by RFC can use h ole randge of ent I P ad esses—eit her 19 18—an d su ccessf ully oper at e t heir I nt r anet VPNs, w it h out in t er f er ence f rom ot her VPNs or t r a Thewnork ew. PEr out op t ionsr ange as w ell as otsepar her adv anced ur es, core net Th eCE core adindrg essing is also at ed fr omf eat each custinclud om er ing addperressVPN space, a Net w ork Ad dr ess Tr an slat ion ( PENAT) ser v ice pr ovider t o bu ild it s cor e, if necessar y , f rom t he RFC 19 18 addr ess ran ge. Howsep VRFs beachieved ex t endedt hr int o ah cust t o ent pr ovvir ide seprou ar at ion f inside heg ( VRF) inst Add ress arat can ion is oug t he om u seerofsitdeiffer t ual t ing/ or war dt in cust om er net w ork t he PE r out er for each cust om er or g rou p of cust om er sit es con nect ed t o t hat PE r out er . Each VR pop ulat ed w it h r out es f rom eit h er t he CE r out er or ot her VRFs w it hin t he n et wor k . Rou t es fr om C The lat est MPLS VPN secur it y f eat u res an d d esign s aim ed at pr ot ect ing t h e MPLS VPN ar e lear n ed t hr ou gh st at ic rou t ing or dy nam ic r out in g p rot ocols, w hich are VRF cont ex t aw ar e. T back bone t he rou t ing pr ot ocol w ill up dat e r out es on ly wit h in t h at VRF inst ance. 
Routes from other VRFs (on local or remote provider edge, or PE, routers) are obtained via Multiprotocol Border Gateway Protocol (BGP). The decision of which routes to import, which in turn forms the VPN (intranet or extranet), is determined by the route targets (BGP extended community attributes) that are associated with each route. Multiprotocol BGP is not VPN aware; its primary function in an MPLS VPN backbone is to distribute customer routes between PE routers. The standard BGP path selection applies when selecting the best route, regardless of whether it is an Internet route or a VPN route. Therefore, to ensure uniqueness of customer routes carried across the backbone, a 64-bit route distinguisher is prepended to all VPN routes, forming a VPNv4 address. The route distinguisher guarantees address separation when VPN routes are carried across the core.

The circuit addresses that are used between a PE router and a CE router are a potential area where overlapping addressing can occur. This is possible when the service provider is assigning circuit addresses from an RFC 1918 block to a customer who is also using an address block from RFC 1918 for his network. The issue here is that if the service provider is tasked with assigning circuit addresses from RFC 1918, the address assignment policy used might not necessarily be compatible with the address assignment policy the customer is using to allocate private addresses for his subnets. In this case, overlapping addresses could occur. This problem can be avoided either by allowing the customer to assign the circuit addresses or by having the service provider assign circuit addresses out of a registered address block. The problem with allowing the customer to assign addresses is that PE-CE addresses between customer VRFs might not be unique. Therefore, if the service provider were providing a managed CE service, an overlap of addresses could occur in the management VRF.

The use of registered addresses by the service provider might not be practical for those providers who do not have a large enough block available.
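The following is an added worked example, not code from the book or from Cisco IOS. It encodes route distinguishers and shows that the same customer prefix under two RDs produces two distinct VPNv4 routes, and then runs the two overlap checks a provider would want before assigning PE-CE circuit addresses: the circuit subnet against the customer's own subnets in the same VRF, and customer-assigned circuit subnets against each other, as they would collide once imported into a management VRF. The function names, the VRF contents and the 10.2.1.252/30 link are constructed for illustration; only the RD encoding follows the MPLS VPN specification.

```python
import ipaddress
import struct

# Added example, not code from the book. Route distinguisher (RD) encodings follow
# the MPLS VPN specification: an 8-byte value made of a 2-byte type and a 6-byte
# administrator/assigned-number pair. Function names and the sample tables below
# are constructed for illustration.


def encode_rd(rd: str) -> bytes:
    """Encode 'admin:number' into the 8-byte RD (type 0, 1 or 2)."""
    admin, assigned = rd.split(":")
    if "." in admin:                                   # type 1: IPv4 administrator, 2-byte number
        return struct.pack("!H4sH", 1, ipaddress.IPv4Address(admin).packed, int(assigned))
    asn = int(admin)
    if asn <= 0xFFFF:                                  # type 0: 2-byte ASN, 4-byte number
        return struct.pack("!HHI", 0, asn, int(assigned))
    return struct.pack("!HIH", 2, asn, int(assigned))  # type 2: 4-byte ASN, 2-byte number


def vpnv4_key(rd: str, prefix: str) -> bytes:
    """RD prepended to the IPv4 prefix: the 96-bit VPNv4 address plus its length.
    (Illustrative key, not the exact NLRI wire layout.)"""
    net = ipaddress.IPv4Network(prefix)
    return encode_rd(rd) + net.network_address.packed + bytes([net.prefixlen])


def same_vrf_collisions(customer_routes: dict, pe_ce_links: dict) -> list:
    """PE-CE circuit subnets that overlap a subnet the customer already uses in the same VRF."""
    hits = []
    for vrf, links in pe_ce_links.items():
        for link in links:
            link_net = ipaddress.IPv4Network(link)
            for route in customer_routes.get(vrf, []):
                if link_net.overlaps(ipaddress.IPv4Network(route)):
                    hits.append((vrf, link, route))
    return hits


def management_vrf_collisions(pe_ce_links: dict) -> list:
    """If every PE-CE circuit is imported into one management VRF, customer-assigned
    link subnets that overlap across VRFs collide there."""
    seen, hits = [], []
    for vrf, links in pe_ce_links.items():
        for link in links:
            link_net = ipaddress.IPv4Network(link)
            for other_vrf, other_net in seen:
                if link_net.overlaps(other_net):
                    hits.append((vrf, link, other_vrf, str(other_net)))
            seen.append((vrf, link_net))
    return hits


# Constructed sample data: 10.2.1.0/24 and the 192.168.2.x/30 links echo the
# book's FastFoods/EuroBank figures; everything else is invented.
CUSTOMER_ROUTES = {
    "FastFoods": ["10.2.1.0/24", "10.3.0.0/16"],
    "EuroBank":  ["196.7.26.0/24", "10.2.0.0/16"],
}
PE_CE_LINKS = {
    "FastFoods": ["192.168.2.16/30", "10.2.1.252/30"],   # second link self-assigned from RFC 1918 space
    "EuroBank":  ["192.168.2.24/30", "10.2.1.252/30"],   # the same /30 chosen independently by EuroBank
}

if __name__ == "__main__":
    # The same customer prefix under two RDs yields two distinct VPNv4 routes.
    print(vpnv4_key("64512:1", "10.2.1.0/24").hex())
    print(vpnv4_key("64512:2", "10.2.1.0/24").hex())
    print(same_vrf_collisions(CUSTOMER_ROUTES, PE_CE_LINKS))
    print(management_vrf_collisions(PE_CE_LINKS))
```

The first check is what the provider's address assignment policy has to guarantee per VRF; the second is the case the text raises for a managed CE service, where customer-chosen circuit addresses that are harmless inside their own VRFs collide as soon as they all land in the management VRF.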

NOTE

The IP address assignment of the PE-CE circuits and the problems that have been discussed are described in detail in draft-guichard-PE-CE-addr, which you can find at http://www.ietf.org/internet-drafts/. This draft proposes a solution to assist service providers with their address assignment by allocating a unique private address range for exclusive use by MPLS VPN providers, with no possibility of overlap with RFC 1918 customer networks.


Although the MPLS VPN architecture provides address separation, it does not intrinsically guarantee that the routes the CE router or a remote VRF injects into the VRF are valid. A bogus CE router could introduce spoofed routes, or a configuration error by the service provider could inject routes into the VRF that are not part of that VPN, compromising security. However, you can take steps to mitigate or minimize the possibility of such breaches. These precautions are discussed in the following sections. The next sections also discuss several Internet Engineering Task Force (IETF) drafts that address the area of CE-to-CE authentication in an effort to eliminate security problems due to provider configuration errors.

No Visibility of the Core Network

Unless specifically configured by the service provider, the core network infrastructure, including addressing and topology, is not visible to a customer VPN. Likewise, the customer VPN information is not visible to the core network. This is because Multiprotocol BGP transfers VPN information between PE routers, and labels perform the forwarding function in the core of the network. Customer VPN routes that originate from another PE router across the core network are associated with the BGP next-hop address of the originating PE router. The BGP next-hop address of the PE router is not visible or reachable from the customer address space, even though it is the BGP next-hop address that is used to forward customer traffic in the network core.

To illustrate this point, we will use the SuperCom network shown in Figure 5-1 and examine the routes in the FastFoods network contained in the San Jose PE router.

Figure 5-1. SuperCom Network


The FastFoods VRF in the San Jose PE router has several VPN routing entries, as shown in Example 5-1. Some of these entries originated from the FastFoods Lyon site (10.2.1.0/24, 192.168.2.20/30) that is connected to the Paris PE router. Therefore, all routes from FastFoods Lyon have the BGP next-hop address of 194.22.15.1, which is the Paris PE router in the SuperCom network.

Example 5-1. Inability to Access BGP Next-Hop PE Router from a VRF

SanJose_PE#show ip route vrf FastFoods
[snip]
     10.0.0.0/24 is subnetted, 1 subnets
B       10.2.1.0 [200/0] via 194.22.15.1, 02:00:02
S    195.12.2.0/24 [1/0] via 192.168.2.17
     192.168.2.0/30 is subnetted, 2 subnets
C       192.168.2.16 is directly connected, Serial5/0
B       192.168.2.20 [200/0] via 194.22.15.1, 01:59:47
SanJose_PE#ping vrf FastFoods 194.22.15.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 194.22.15.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

A ping of the address 194.22.15.1 in Example 5-1 shows that it is not reachable from the FastFoods VRF, even though it appears as the BGP next hop in the FastFoods routing table on the PE router. When a customer VPN packet is sent to its destination VRF, the MPLS label associated with the PE router's BGP next hop is used to forward the packet in the core network. After labels have been distributed for routes in the core (we can selectively choose which routes get a label), the P and PE routers can forward data based on the attached MPLS labels only. The routers in the P-network only need to know the egress interface and outgoing label for the incoming labelled packet to allow forwarding. No knowledge is required of customer routes or even of the customer VPN label that is hidden further in the label stack. Therefore, in its simplest form, the core network only really needs to know about the PE router BGP next-hop addresses in its Interior Gateway Protocol (IGP) to forward customer VPN datagrams.
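To make the forwarding just described concrete, here is an added example, not code from the book, that models one FastFoods packet crossing the SuperCom core: the ingress PE imposes a transport label and a VPN label, the P router acts on the outer label alone and holds no customer prefixes, VPN labels or VRFs, and the egress PE uses the VPN label to select the VRF. The 194.22.15.1 next hop and the FastFoods prefixes are taken from Example 5-1; the label values, the single P router and the function names are assumptions. A VRF lookup for 194.22.15.1 itself fails, which is the same result the ping in Example 5-1 shows.

```python
import ipaddress

# Added example, not code from the book: a minimal model of label-only forwarding
# across an MPLS VPN core, built on the SuperCom names in the text. The Paris PE
# next hop 194.22.15.1 and the FastFoods prefixes come from Example 5-1; all label
# values and the single P router are assumptions.
PARIS_PE = "194.22.15.1"

# Ingress PE (San Jose), FastFoods VRF: prefix -> (BGP next hop, VPN label)
VRF_FASTFOODS = {
    ipaddress.IPv4Network("10.2.1.0/24"):     (PARIS_PE, 22),
    ipaddress.IPv4Network("192.168.2.20/30"): (PARIS_PE, 23),
}
# Ingress PE global table: BGP next hop -> LDP transport label towards it
TRANSPORT_LABELS = {PARIS_PE: 18}

# P router LFIB: incoming label -> (outgoing label, next hop); None = pop (PHP).
# Note what is absent: no customer prefixes, no VPN labels, no VRFs.
P_LFIB = {18: (None, PARIS_PE)}

# Egress PE (Paris): VPN label -> (VRF, attached customer prefix)
PARIS_VPN_LABELS = {22: ("FastFoods", "10.2.1.0/24"), 23: ("FastFoods", "192.168.2.20/30")}


def vrf_lookup(vrf, dst):
    """Longest-prefix match inside one VRF; None when the VRF holds no route."""
    addr = ipaddress.IPv4Address(dst)
    best = None
    for net, entry in vrf.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, entry)
    return best[1] if best else None


def ingress_pe(vrf, dst):
    """Impose {transport label, VPN label}; the customer never sees either."""
    entry = vrf_lookup(vrf, dst)
    if entry is None:
        return None
    next_hop, vpn_label = entry
    return [TRANSPORT_LABELS[next_hop], vpn_label]


def p_router(lfib, stack):
    """Core forwarding acts on the outer label only; an unknown label is dropped."""
    if stack[0] not in lfib:
        return None
    out_label, next_hop = lfib[stack[0]]
    rest = stack[1:]
    return (rest if out_label is None else [out_label] + rest), next_hop


def egress_pe(vpn_labels, stack):
    """The egress PE uses the exposed VPN label to pick the VRF/interface."""
    return vpn_labels.get(stack[0])


def forward(dst):
    """End-to-end path of one FastFoods packet from San Jose to Paris."""
    stack = ingress_pe(VRF_FASTFOODS, dst)
    if stack is None:
        return "no route in VRF"
    hop = p_router(P_LFIB, stack)
    if hop is None:
        return "dropped in core"
    stack, _ = hop
    return egress_pe(PARIS_VPN_LABELS, stack)


if __name__ == "__main__":
    print(forward("10.2.1.7"))        # reaches the FastFoods VRF on the Paris PE
    print(forward(PARIS_PE))          # the BGP next hop itself is not a VRF route
```

The only address the core needs for this packet is the one in TRANSPORT_LABELS, the Paris PE's IGP-reachable next hop; the customer destination and the VPN label 22 travel through the P router untouched and unexamined.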

Although the core addressing is not visible to the customer network, the same cannot be guaranteed for the subnet used for PE-CE circuit addressing. Visibility of PE router circuit information might allow the customer network to intrude or perform DoS attacks on the PE router. Using unnumbered interfaces on the PE-CE circuit might initially provide a simple deterrent by hiding the address used at the PE end, but you can easily discover this by using traceroute. In the case of a managed CE router service, where the customer does not have access to the CE router, the PE-CE circuit address could be filtered to prevent it from being redistributed into the customer network. In addition, various inbound filters can be applied at the PE router to restrict CE router access. The various techniques available are explained in a later section.

One method of potentially revealing addresses in the core topology from a VPN is through the use of the traceroute command. By default the IP TTL is copied into the label TTL at the ingress PE, so each P router at which the TTL expires answers with its own address. The information that is passed back by traceroute is read-only, however: even though circuit addresses on core routers are visible, there is no way to reach those routers from the VPN. Addresses in the core network can be hidden from view in a VPN by configuring the no mpls ip propagate-ttl forwarded command on the PE router. When a traceroute is issued from a VRF with this command enabled, no core addresses are returned; however, the address of the egress PE-CE circuit is visible. The no mpls ip propagate-ttl forwarded command is discussed in detail in Chapter 13 of Volume 1 of MPLS and VPN Architectures.

Resistance to Label Spoofing

In MPLS operation, labels are allocated for an IP route by the downstream router (the next hop in the direction of the destination). Label spoofing is the ability of the upstream router to place a label into a packet that was not originally allocated by the downstream router. Therefore, if the downstream router were allowed to receive a tampered packet, it would either send it to an incorrect destination or drop it if there were no corresponding output label. Although it is possible to spoof a destination or source IP address in an IP network, label spoofing is not possible across the PE-CE boundary of an MPLS VPN network, for the reasons explained next.

A Cisco router does not accept labeled packets on an interface that is not enabled for label switching. Label switching should not be enabled on the PE router interface that leads to the CE router (unless the Carrier Supporting Carrier service is used); therefore, any labeled packets that arrive at a PE router from the CE router are dropped. In this case, label spoofing is not possible. The CE router can spoof the source or destination IP address before the packet gets to the PE router, but this would only affect the customer's own VPN because of the address separation capability of MPLS VPN. In essence, the customers would be spoofing themselves.

Label spoofing might be possible in the P-network if an unauthorized P router is somehow attached. However, by using the LDP protocol for label distribution in combination with message digest 5 (MD5) authentication, the possibility of this scenario is also substantially mitigated. MD5 authentication is explained later in the section titled "Neighbor Authentication."

Carrier Supporting Carrier

Labels are accepted from a CE router in the case of Carrier Supporting Carrier (CsC). The CsC architecture is detailed in Chapter 6, "Large-Scale Routing and Multiple Service Provider Connectivity." In this case, the CE router imposes labels for IGP routes in the customer carrier VPN; therefore, you might think that it is possible to spoof labels. However, there are several security mechanisms in the PE router that prevent this from occurring:

• The PE router controls which labels the CsC CE router uses for any routes it learns from remote PE routers.

• The PE router keeps track of which label bindings have been advertised to which interface.

• When a packet is received from a CsC CE router, the label is examined and verified to match the values assigned to routes in the same VRF as the interface. If it does not, the packet is dropped.

Assume in Figure 5-2 that CsC is enabled between the Paris PE router and the EuroBank Paris CE router. The Paris PE router has advertised the VRF route 196.7.26.0/24 to the EuroBank CE router along with the associated label 27. The value of this label binding is confirmed in the two show commands in Example 5-2. The first command shows the label binding for the prefix, whereas the second command shows the forwarding entry (LFIB) that will be used. Notice that the forwarding entry also has an identifier "VPN route" indicating that label 27 is allocated in the EuroBank VRF.

Figure 5-2. Prevention of Label Spoofing in CsC

When the Paris PE router receives a packet from EuroBank with label 27, the VPN route identifier in the LFIB is compared to the VRF (if any) that is defined on the incoming interface. If they do not match, the packet is dropped; otherwise, the packet is forwarded.

Example 5-2. Label Binding

Paris_PE#show mpls ldp binding vrf EuroBank 196.7.26.0 255.255.255.0 detail
  196.7.26.0/24, rev 15
        local binding:  label: 27
          Advertised to:
          192.168.2.25:0
        remote binding: lsr: 192.168.2.25:0, label: 19
Paris_PE#show mpls forwarding label 27 detail
Local  Outgoing    Prefix             Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id       switched   interface
27     18          196.7.26.0/24[V]   0          Se4/0      point2point
        MAC/Encaps=4/12, MRU=1496, Tag Stack{18 22}
        0F008847 0001200000016000
        VPN route: EuroBank
        No output feature configured
    Per-packet load-sharing

Static Labels

Static labels are a feature introduced in Cisco IOS 12.0(23)S. This feature allows static bindings to be configured between labels and IPv4 prefixes and also allows the provisioning of static connections in the midpoint of a label-switched path (LSP). The feature is primarily designed to connect to neighbor routers that do not support LDP or RSVP but do support MPLS forwarding. If static labels were enabled on a CE router in a CsC environment, then it would be possible for the label provided by the PE router to be changed at the CE router. However, as discussed in the previous section, any packets that arrive with an incorrect label are dropped due to the anti-label-spoofing capability. In addition, Cisco IOS does not allow a label for a prefix to be modified by using static commands if a peer has previously provided a label.

Example 5-3 shows an attempt to change the outgoing label for prefix 196.7.26.0/24 to use 77. Because the Paris PE router has already provided label 27 as the outgoing label, it takes precedence over the static binding.

Example 5-3. Static Binding Command

EuroBank_Paris#show mpls forwarding
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
17     23          10.2.1.0/24       0          Et1/0      192.168.2.26
18     24          192.168.2.12/30   0          Et1/0      192.168.2.26
19     26          192.168.2.32/30   0          Et1/0      192.168.2.26
20     27          196.7.26.0/24     0          Et1/0      192.168.2.26
EuroBank_Paris(config)#mpls static binding ipv4 196.7.26.0 255.255.255.0 output 192.168.2.26 77
% Warning: Next hop 192.168.2.26 is an TDP/LDP peer (192.168.2.26:0)
% Label learned from peer, if any, takes precedence
% Continuing with configuration of the label
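An added example, not code from the book, that models the three PE-side checks listed for CsC in the previous section together with the CE-side precedence rule seen in Example 5-3. Label 27 for 196.7.26.0/24 on interface Se4/0 in VRF EuroBank is taken from Example 5-2; the other labels, the FastFoods interface Se5/0 without CsC, and the function names are assumptions. It shows that a CsC CE can only successfully send labels the PE allocated in that interface's VRF, that a label such as 77 configured statically on the CE is dropped at the PE because no LFIB entry exists for it there, and that on a non-CsC interface no labeled packet is accepted at all.

```python
# Added example, not code from the book: a model of the PE-side label checks the
# text lists for Carrier Supporting Carrier, plus the CE-side precedence rule shown
# in Example 5-3. Label 27 / prefix 196.7.26.0/24 / interface Se4/0 / VRF EuroBank
# come from Example 5-2; every other label, interface and prefix is an assumption.

# PE LFIB: label -> (prefix, VRF that allocated the label; None = global/core label)
PE_LFIB = {
    27: ("196.7.26.0/24", "EuroBank"),
    31: ("10.2.1.0/24", "FastFoods"),
    18: ("194.22.15.1/32", None),
}
# CE-facing interfaces on the PE: interface -> (VRF, CsC enabled?)
CE_INTERFACES = {"Se4/0": ("EuroBank", True), "Se5/0": ("FastFoods", False)}


def labels_advertised_on(lfib, ce_ifaces, iface):
    """Checks 1 and 2 in the text: the PE chooses the labels a CsC CE may use and
    tracks which bindings went out of which interface, so only labels allocated in
    that interface's VRF were ever advertised there."""
    vrf, csc_enabled = ce_ifaces[iface]
    if not csc_enabled:
        return set()
    return {label for label, (_prefix, owner) in lfib.items() if owner == vrf}


def accept_from_ce(lfib, ce_ifaces, iface, label):
    """Check 3 in the text: a labeled packet from a CE is forwarded only when the
    interface runs CsC, the label exists in the LFIB, and it was allocated in the
    VRF of the incoming interface. Returns (accepted, reason)."""
    vrf, csc_enabled = ce_ifaces[iface]
    if not csc_enabled:
        return False, "label switching not enabled on %s: labeled packet dropped" % iface
    if label not in lfib:
        return False, "no LFIB entry for label %d: dropped" % label
    prefix, owner = lfib[label]
    if owner != vrf:
        return False, "label %d belongs to %s, interface is in VRF %s: dropped" % (
            label, owner or "the global table", vrf)
    return True, "forwarded via entry for %s" % prefix


def effective_out_label(ldp_learned, static_binding):
    """CE-side rule from Example 5-3: a label learned from the LDP peer takes
    precedence over a static binding configured for the same prefix."""
    return ldp_learned if ldp_learned is not None else static_binding


if __name__ == "__main__":
    print(labels_advertised_on(PE_LFIB, CE_INTERFACES, "Se4/0"))     # {27}
    print(accept_from_ce(PE_LFIB, CE_INTERFACES, "Se4/0", 27))       # legitimate
    print(accept_from_ce(PE_LFIB, CE_INTERFACES, "Se4/0", 31))       # another customer's label
    print(accept_from_ce(PE_LFIB, CE_INTERFACES, "Se4/0", 18))       # a core label
    print(accept_from_ce(PE_LFIB, CE_INTERFACES, "Se4/0", 77))       # the static-label attempt
    print(accept_from_ce(PE_LFIB, CE_INTERFACES, "Se5/0", 31))       # no CsC on this interface
    print(effective_out_label(ldp_learned=27, static_binding=77))    # 27
```

The set returned by labels_advertised_on is exactly the set accept_from_ce will admit on that interface, which is the property that makes a CsC CE unable to reach another customer's VRF or the provider's global table by choosing a label of its own.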


Neighbor Authentication

Many points of vulnerability in an MPLS VPN network can be minimized through the use of neighbor authentication. This type of authentication prevents a router from accepting fraudulent updates from a routing neighbor and can also be used to verify updates it receives from a label distribution peer.

If routing protocol authentication is not enabled between neighbors, then the security of the network could be compromised by the introduction of bogus routes. An unauthorised router could inject routes to divert traffic toward a monitoring point, where the data in the IP packets could be analyzed. Routes could also be introduced for no other reason than to disrupt the network and cause a DoS.

In Cisco IOS, neighbor authentication can be enabled for BGP; Intermediate System-to-Intermediate System (IS-IS); Enhanced Interior Gateway Routing Protocol (EIGRP); Open Shortest Path First (OSPF); Routing Information Protocol, version 2 (RIPv2); and the Label Distribution Protocol (LDP).

NOTE
Neighbor authentication is not supported by the Tag Distribution Protocol (TDP). Therefore, to enable the highest level of authentication in an MPLS VPN network, LDP must be used on the P/PE network interfaces.

All the aforementioned protocols support authentication for the various neighbor combinations that can exist in an MPLS VPN network, as shown in Table 5-1.

Table 5-1. Neighbor Combinations and Authentication

Neighbor              Authentication Required
PE to CE              Selected PE-CE routing protocol, plus LDP if CsC is enabled. If BGP+labels is being used for CsC, authentication is required only on the BGP session (no LDP required).
PE to PE              BGP authentication for the secure exchange of VPNv4 routes.
PE to P and P to P    Authentication for the backbone routing protocol (IGP) plus LDP.

When neighbor authentication is enabled, the receiver authenticates the source of routing updates using a shared key that both the source and the receiver know. You can use two types of authentication: plain text or message digest algorithm 5 (MD5). Plain text, as the name implies, sends the authenticating key in the clear over the circuit, so anyone who can capture the packets learns the key. MD5 does not send the key; instead, the sender appends the key to the message, computes an MD5 digest over the combination, and sends the digest in place of the key. The receiver repeats the computation with its own copy of the key and compares the result, which ensures that the key cannot be learned through unauthorized monitoring and that a modified update is rejected.

Be clear about what this does and does not provide. The keyed digest gives origin authentication and integrity for each update; it does not encrypt the routing information, which remains readable on the wire, and it offers no protection against a router that already holds the key. The known collision weaknesses of MD5 do not translate into a practical forgery against this keyed use without knowledge of the key, but where the platform offers them, the HMAC-SHA key-chain algorithms added in later IOS releases are the preferable choice.

NOTE
Service provider "best practice" is to use MD5 authentication; therefore, this type of authentication will be used in all the examples that follow.
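The following Python is an added illustration, not code from the book, of the trailer scheme just described. As in RIPv2 MD5 (RFC 2082) and OSPF cryptographic authentication (RFC 2328, Appendix D), the 16-byte key is appended to the packet for hashing only and the digest takes its place on the wire. The packet layout, the 4-byte sequence field, the sample update and the key are simplified constructions for the example; the point it makes is the one in the text: the plain-text trailer exposes the key to anyone sniffing the link, the digest does not, and a modified, forged or out-of-date update fails verification at the receiver.

```python
import hashlib
import hmac  # only for the constant-time compare

KEY_LEN = 16  # RFC 2082 and RFC 2328 App. D both use a 16-byte key field


def pad_key(key: bytes) -> bytes:
    """Pad (or truncate) the shared secret to the 16-byte key field."""
    return key.ljust(KEY_LEN, b"\x00")[:KEY_LEN]


def plaintext_auth(packet: bytes, key: bytes) -> bytes:
    """Simple password authentication: the key itself rides in the trailer."""
    return packet + pad_key(key)


def md5_sign(packet: bytes, key: bytes, seq: int) -> bytes:
    """Keyed-digest authentication: the key is appended for the hash only and
    MD5(packet || seq || key) takes its place on the wire."""
    body = packet + seq.to_bytes(4, "big")
    return body + hashlib.md5(body + pad_key(key)).digest()


def md5_verify(wire: bytes, key: bytes, last_seq: int) -> tuple:
    """Receiver side: recompute the digest over the received body with the local
    copy of the key and compare. A sequence number below the last accepted one
    is treated as a replay. Returns (accepted, sequence_to_remember)."""
    body, digest = wire[:-KEY_LEN], wire[-KEY_LEN:]
    seq = int.from_bytes(body[-4:], "big")
    expected = hashlib.md5(body + pad_key(key)).digest()
    if not hmac.compare_digest(expected, digest):
        return False, last_seq
    if seq < last_seq:
        return False, last_seq
    return True, seq


def key_visible_on_wire(wire: bytes, key: bytes) -> bool:
    """What a passive observer learns: does the shared secret appear in the bytes?"""
    return pad_key(key) in wire


# Constructed sample data for the example, not a real update or credential.
SECRET = b"letherrip"
UPDATE = b"RIPv2 response: 10.0.0.0/8 via 192.168.2.25 metric 1"


def demo() -> dict:
    """Run both schemes over the sample update and summarise what happens."""
    plain = plaintext_auth(UPDATE, SECRET)
    first = md5_sign(UPDATE, SECRET, seq=1)
    second = md5_sign(UPDATE, SECRET, seq=2)
    ok1, last = md5_verify(first, SECRET, last_seq=0)
    ok2, last = md5_verify(second, SECRET, last_seq=last)
    tampered = bytearray(second)
    tampered[0] ^= 0xFF                      # flip one bit of the routing data
    tampered_ok, _ = md5_verify(bytes(tampered), SECRET, last_seq=last)
    forged_ok, _ = md5_verify(md5_sign(UPDATE, b"wrong-key", 3), SECRET, last_seq=last)
    stale_ok, _ = md5_verify(first, SECRET, last_seq=last)   # old packet replayed
    return {
        "plaintext_leaks_key": key_visible_on_wire(plain, SECRET),
        "md5_leaks_key": key_visible_on_wire(second, SECRET),
        "genuine_accepted": ok1 and ok2,
        "tampered_accepted": tampered_ok,
        "forged_accepted": forged_ok,
        "stale_accepted": stale_ok,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:22} {result}")
```

Note that the sequence check only rejects packets older than the last one accepted; a packet captured and replayed immediately, before any newer one arrives, is still accepted, which is the same limitation the real protocols have.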



PE to CE Authentication

This section provides an example of how to configure MD5 authentication on PE/CE circuits for dynamic routing protocols. Obviously, if routing on the PE/CE circuit is limited to static entries, authentication is superfluous because the service provider has full control over the routes that are injected into the VRF table.

For our examples, we will use the usual SuperCom network, as shown in Figure 5-3. The FastFoods and EuroBank CE routers have been configured for dynamic routing to the SuperCom PE routers. EuroBank will use RIPv2 for its PE/CE routing protocol, and FastFoods has selected OSPF.

Figure 5-3. PE/CE Routing in the SuperCom Network

To provide a secure connection between the SuperCom network and the CE routers, MD5 authentication is enabled on the routing protocols that FastFoods and EuroBank use. The following sections describe the configurations that are necessary to enable neighbor authentication.

RIPv2 Authentication for EuroBank

Example 5-4 shows the PE router configuration to set up RIPv2 authentication to the EuroBank CE router.

Example 5-4. Paris PE Router RIPv2 Authentication Configuration

service password-encryption
!
interface Ethernet0/0
 ip vrf forwarding EuroBank
 ip address 192.168.2.26 255.255.255.252
 ip rip authentication mode md5
 ip rip authentication key-chain CE-Neighbor
 no cdp enable
!
router rip
 version 2
 !
 address-family ipv4 vrf EuroBank
 version 2
 redistribute bgp 100 metric 5
 network 192.168.2.0
 no auto-summary
 exit-address-family
!
key chain CE-Neighbor
 key 1
  key-string 7 000816120C5E19140631

The first item to be enabled is the service password-encryption command; this command ensures that passwords are not stored in clear text in the router's NVRAM configuration. Be aware of what this protects against: the resulting "7" strings are produced by a reversible obfuscation, not by encryption, so anyone who can read the configuration (a show running-config over a low-privilege session, a TFTP backup, a configuration pasted into a support case) can recover the key. Treat configuration files that carry these strings with the same care as the keys themselves.

For the EuroBank circuit, MD5 authentication is enabled for RIPv2 by using two ip rip authentication interface commands. The first command configures MD5 as the authentication mode for the specified interface (without it, RIPv2 would use plain-text authentication with the same key chain), whereas the second command specifies the key to be used via a key chain. The no cdp enable on the customer-facing interface is not part of authentication but is related hygiene: it stops the PE router from advertising its platform, software version and addresses to the CE side.

NOTE
A key chain is a sophisticated mechanism that RIPv2 (and EIGRP) uses to provide a key for MD5. A key chain allows a series of keys to be specified, which the router cycles through. Each key within the key chain has a specific lifetime; when the lifetime expires, the next key in the chain is activated, if it is configured.

If key chains are used, both authentication neighbors need to be synchronized to the same time so that they are using the same keys at a particular time. The Network Time Protocol (NTP) is best suited for this purpose. The accept-lifetime of each key should overlap the send-lifetime of its neighbors in the chain by at least the clock skew you are prepared to tolerate; otherwise the adjacency drops at every rollover.
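As an added example (not from the book), the following Python models the IOS key-chain selection rules just described: the sender uses the lowest-numbered key whose send-lifetime covers its own clock, and the receiver looks up the key number carried in the packet and checks it against that key's accept-lifetime on its own clock. The chain, its lifetimes and the secrets are constructed for the example; what it shows is how much clock skew a rollover survives, which is the figure NTP has to keep the two routers inside.

```python
from datetime import datetime, timedelta


class Key:
    """One entry of an IOS key chain: key number, secret and its two lifetimes."""
    def __init__(self, key_id, secret, send, accept):
        self.key_id, self.secret = key_id, secret
        self.send_start, self.send_end = send          # when we may use it to send
        self.accept_start, self.accept_end = accept    # when we accept it from a peer


class KeyChain:
    def __init__(self, keys):
        self.keys = sorted(keys, key=lambda k: k.key_id)

    def send_key(self, now):
        """IOS sends with the lowest-numbered key whose send-lifetime covers `now`."""
        for k in self.keys:
            if k.send_start <= now < k.send_end:
                return k
        return None

    def accept_key(self, key_id, now):
        """The packet carries the key number; the receiver looks it up and checks
        that its own clock falls inside that key's accept-lifetime."""
        for k in self.keys:
            if k.key_id == key_id and k.accept_start <= now < k.accept_end:
                return k
        return None


def exchange(sender, receiver, sender_clock, receiver_clock):
    """Simulate one authenticated update. The sender chooses by its clock, the
    receiver validates by its own; returns (accepted, key_id_used)."""
    k = sender.send_key(sender_clock)
    if k is None:
        return False, None
    r = receiver.accept_key(k.key_id, receiver_clock)
    return (r is not None and r.secret == k.secret), k.key_id


def rollover_tolerance(chain):
    """For each consecutive key pair, how far the receiver's clock may lag or lead
    the sender's at the moment the sender switches keys before packets are
    rejected. Assumes contiguous send-lifetimes."""
    out = []
    for old, new in zip(chain.keys, chain.keys[1:]):
        switch = old.send_end   # the sender moves to `new` at this instant
        out.append((new.key_id, switch - new.accept_start, old.accept_end - switch))
    return out


# Constructed chain: key 1 is sent until 12:00, key 2 from 12:00 on; the accept
# windows overlap by one hour on either side of the switch.
T0 = datetime(2003, 6, 1, 0, 0)
H = timedelta(hours=1)


def build_chain():
    return KeyChain([
        Key(1, b"old-secret", send=(T0, T0 + 12 * H), accept=(T0, T0 + 13 * H)),
        Key(2, b"new-secret", send=(T0 + 12 * H, T0 + 240 * H), accept=(T0 + 11 * H, T0 + 240 * H)),
    ])


if __name__ == "__main__":
    pe, ce = build_chain(), build_chain()     # identical chains on both ends
    t = T0 + 12 * H + H / 2                   # 30 minutes after the switch
    print("clocks in sync  ", exchange(pe, ce, t, t))
    print("CE 30 min slow  ", exchange(pe, ce, t, t - H / 2))
    print("CE 2 hours slow ", exchange(pe, ce, t, t - 2 * H))
    print("skew budget     ", rollover_tolerance(pe))
```

With identical chains on both routers, a receiver up to one hour slow or fast still accepts every update across the switch; a receiver two hours slow rejects key 2 because its own clock has not yet reached the key's accept-lifetime, even though the secrets match. Widening the accept windows buys tolerance at the cost of keeping the retired key valid for longer.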

NOTE
For more complete information on key chains, refer to the "Managing Authentication Keys" section in the "Configuring IP Routing Protocol-Independent Features" chapter of the Cisco IOS IP Configuration Guide, which can be found at www.cisco.com.

To simplify the configuration example, the key chain CE-Neighbor that is used for the EuroBank VPN does not use the lifetime feature; instead, it uses a permanent key. Example 5-5 shows the corresponding RIPv2 configuration for the EuroBank Paris CE router.

Example 5-5. EuroBank Paris CE Router RIPv2 Authentication Configuration

service password-encryption
!
key chain PE-Neighbor
 key 1
  key-string 7 020A014F03031D33455E
!
interface Ethernet1/0
 ip address 192.168.2.25 255.255.255.252
 ip rip authentication mode md5
 ip rip authentication key-chain PE-Neighbor
!
router rip
 version 2
 redistribute connected
 redistribute static
 network 192.168.2.0

The key chain names differ on the two routers (CE-Neighbor on the PE, PE-Neighbor on the CE), which is fine: the RIPv2 authentication entry carries the key number, not the chain name, so only the key number and the key-string have to match on both ends.
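An added check, not part of the book: decoding the "7" strings with the published Type 7 algorithm, which makes the caveat about service password-encryption concrete, and using the result to confirm that the two ends of a circuit actually hold the same secret before authentication is switched on. The two configuration snippets are constructed from the key strings printed on this page: Examples 5-4 and 5-5 for the EuroBank RIPv2 pair, Examples 5-6 and 5-7 for the FastFoods OSPF pair.

```python
import re

# The fixed XOR table behind IOS "password 7" / "key-string 7" strings.
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(encoded: str) -> str:
    """Reverse Type 7: two decimal digits give the table offset, then each byte
    of the secret is XORed with successive table entries and written as hex."""
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    return bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(body)).decode()


def encode_type7(plain: str, seed: int = 0) -> str:
    """Forward direction, so the round trip can be checked."""
    out = bytes(ord(c) ^ XLAT[(seed + i) % len(XLAT)] for i, c in enumerate(plain))
    return f"{seed:02d}{out.hex().upper()}"


SECRET_RE = re.compile(r"\b(?:key-string|password|md5)\s+7\s+([0-9A-Fa-f]{4,})\b")


def recover_secrets(config_text: str) -> list:
    """Every Type 7 secret in a configuration, decoded, in order of appearance."""
    return [decode_type7(m) for m in SECRET_RE.findall(config_text)]


def shared_keys_match(pe_config: str, ce_config: str) -> list:
    """Pair up the n-th secret on each side and report whether they agree."""
    pe, ce = recover_secrets(pe_config), recover_secrets(ce_config)
    return [a == b for a, b in zip(pe, ce)]


# Constructed snippets carrying the key strings printed in Examples 5-4 to 5-7.
# First entry: the EuroBank RIPv2 key; second entry: the FastFoods OSPF key.
PE_SIDE = """\
key chain CE-Neighbor
 key 1
  key-string 7 000816120C5E19140631
interface Serial5/0
 ip ospf message-digest-key 1 md5 7 00051F09104F0A140034584B1A
"""
CE_SIDE = """\
key chain PE-Neighbor
 key 1
  key-string 7 020A014F03031D33455E
interface Serial4/0
 ip ospf message-digest-key 1 md5 7 130912061818052620
"""

if __name__ == "__main__":
    print("PE secrets:    ", recover_secrets(PE_SIDE))
    print("CE secrets:    ", recover_secrets(CE_SIDE))
    print("match per pair:", shared_keys_match(PE_SIDE, CE_SIDE))
```

Run as printed, the comparison confirms that the RIPv2 key-strings on the Paris PE and the EuroBank CE decode to the same secret (the different seeds 00 and 02 hide this in the hex form), and reports that the OSPF keys as printed in Examples 5-6 and 5-7 decode to different secrets; an adjacency configured exactly as printed would not come up, which is precisely the mistake this check is meant to catch before a circuit is handed over. The same ease of decoding is the reason a configuration archive with Type 7 strings in it must be protected like a password store.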



OSPF Authentication for FastFoods

Example 5-6 shows the PE router configuration to set up OSPF authentication to the FastFoods CE router.

Example 5-6. Paris PE Router OSPF Authentication Configuration

interface Serial5/0
 ip vrf forwarding FastFoods
 ip address 192.168.2.22 255.255.255.252
 ip ospf message-digest-key 1 md5 7 00051F09104F0A140034584B1A
 no cdp enable
!
router ospf 200 vrf FastFoods
 log-adjacency-changes
 area 2 authentication message-digest
 redistribute connected subnets
 redistribute bgp 100 metric-type 1 subnets
 network 192.168.2.0 0.0.0.255 area 2

For the FastFoods circuit, MD5 is activated for an area using the area command under the OSPF process configuration. The value of the key and the message digest algorithm to be used are specified with the ip ospf message-digest-key interface command; the key number (1 here) is carried in the OSPF packet header as the Key ID, so it must be the same on both ends of the link. Unlike the RIPv2 protocol, OSPF in the IOS releases covered by this book does not support key chains, so a key change is a coordinated manual step on both routers (configure the new key number on both sides first, then remove the old one, since OSPF sends with the newest key and accepts any configured one). Example 5-7 shows the corresponding OSPF configuration for the FastFoods CE router.

Example 5-7. FastFoods Lyon CE Router OSPF Authentication Configuration

interface Serial4/0

 ip address 192.168.2.21 255.255.255.252
 ip ospf message-digest-key 1 md5 7 130912061818052620
 no fair-queue
!
router ospf 200
 router-id 192.168.2.21
 log-adjacency-changes
 area 2 authentication message-digest
 redistribute connected subnets
 redistribute static subnets
 network 192.168.2.0 0.0.0.255 area 2

NOTE
OSPF supports authentication on a per-interface basis; therefore, not all interfaces in an area configured with message-digest authentication require a key to be configured. An interface in such an area that has no key cannot form an adjacency, which is harmless on interfaces with no OSPF neighbors (loopbacks, stub LANs) but is the most common cause of a neighbor that never appears in show ip ospf neighbor after authentication is turned on.

PE to PE Authentication

MD5 authentication can be enabled on the Multiprotocol BGP sessions between PE routers, as shown in Figure 5-4.

Figure 5-4. BGP VPNv4 Sessions in the SuperCom Network
Example 5-8 shows the necessary configuration to activate BGP authentication for peers of the Paris PE router. Activation of MD5 authentication is performed in the global portion of the BGP process configuration. This means that both IPv4 and VPNv4 address families, if they are active, will have their routing updates authenticated between peers.

The configuration to activate BGP authentication is simple. It requires only the neighbor password command, which enables the TCP MD5 signature option (RFC 2385) on the session to that neighbor: every TCP segment of the session, not only the BGP messages, carries a digest computed over the segment and the shared key, and segments that fail the check are silently dropped. As a side effect, this also protects the session against spoofed TCP resets and injected segments from anyone who does not hold the key. This configuration should be replicated on all other BGP PE router peers; the password must be identical on both ends of each session, and a mismatch prevents the session from establishing.

Example 5-8. Paris PE Router BGP Authentication Configuration

router bgp 10
 no synchronization
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor 194.22.15.2 remote-as 10
 neighbor 194.22.15.2 password 7 071A354D4202100B031D0609
 neighbor 194.22.15.2 update-source Loopback0
 neighbor 194.22.15.3 remote-as 10
 neighbor 194.22.15.3 password 7 071A354D4202100B031D0609
 neighbor 194.22.15.3 update-source Loopback0
 no auto-summary

NOTE
With many PE routers, route reflectors are most likely used for VPNv4 route exchange. In this case, the configuration for MD5 neighbor authentication is the same as shown in the previous example, applied to the sessions between each PE router and the route reflectors.

P-Network Authentication

Authentication in the P-network consists of ensuring that all IGP and LDP neighbors are configured with an MD5 authentication key.

IGP Authentication

The IGP used in all examples throughout this book for the SuperCom network is OSPF; therefore, the configuration that is applied is similar to that used for OSPF on the FastFoods PE/CE circuit. Example 5-9 shows the configuration for the Washington P router that interconnects all the other PE routers at San Jose, Paris, and Washington in the SuperCom network. The OSPF authentication configuration is similar for all other PE and P routers in the network.

Example 5-9. Washington P Router OSPF Authentication Configuration

service password-encryption
mpls label protocol ldp
!
router ospf 1
 router-id 194.22.15.4
 log-adjacency-changes
 area 0 authentication message-digest
 network 194.22.15.0 0.0.0.255 area 0
!
interface Serial4/0
 description Link to San Jose PE-router
 ip address 194.22.15.18 255.255.255.252
 ip ospf message-digest-key 1 md5 7 12180918061F0D16253E302D20
 tag-switching ip
!
interface Serial5/0
 description Link to Paris PE-router
 ip address 194.22.15.21 255.255.255.252
 ip ospf message-digest-key 1 md5 7 070E2D435A1D181718071F0917
 tag-switching ip
!
interface Serial6/0
 description Link to Washington PE-router
 ip address 194.22.15.25 255.255.255.252
 ip ospf message-digest-key 1 md5 7 0607032E585A080B0A02060E1F
 tag-switching ip

Note that a different key is used on each link. This costs nothing in configuration effort and limits the damage if the key of one link is exposed to that link alone.

LDP Authentication

In addition to the IGP authentication, all LDP sessions should be enabled for MD5 authentication. This includes CsC environments in which the PE router is providing the upstream CE router with labels for IGP routes in the VPN.

MD5 authentication is only supported with LDP. In environments that are using TDP globally, LDP can be enabled on a per-circuit basis if authentication is required. Once again, the configuration is straightforward, as Example 5-10 for the Washington P router shows. As with BGP, the protection is the TCP MD5 signature option on the LDP session itself (TCP port 646); the UDP hello packets used for neighbor discovery are not covered by it.

Exa m planced e 5 - 1t rou 0 . blesh W a sh on iques P Rout er inLDP hepuntt sicat Adv ootin inggt t echn includ g r ouAut t er out t o eni on su re high av ailab ilit y Con f igu r at ion MPLS and VPN Ar chit ect u res, Volum e I I , b uilds on t he best - sellin g MPLS an d VPN Ar ch it ect u res, Volum e I ( 1 - 587 05- 0 02- 1) , f rom Cisco Pr ess. Ex t endin g int o m or e adv anced t opics an d d ep loy m ent archit ect ur es, Volu m e I I pr ovid es r eader s w it h t he necessar y t ools tmpls hey nldp eed tneighbor o d ep loy and m ain t ain a password secur e, hig7hly0005110A014F040A0E234942 av ailab le VPN. 194.22.15.2 MPLS Ar chit ect u res, Volum epassword I I , b eg in s7w11081B091206040005282E28 it h a br ief ref resher of t he MPLS VPN mpls and ldp VPN neighbor 194.22.15.1 Ar ch it ect u re. Par t I I descr ibes adv anced MPLS VPN con nect iv it y includ in g t he int egr at ion of ser v iceldp pr ovider access t echn olog iespassword ( dial, DSL,7 cab le, Et her net ) an d a v ariet y of r out in g mpls neighbor 194.22.15.3 15130900013E24282931302E pr ot ocols ( I S- I S, EI GRP, and OSPF) , ar m in g t he r eader w it h t he k now ledge of h ow t o int egr at e t h ese f eat ur es in t o t h e VPN b ack bon e. Part I I I det ails adv anced d ep loy m ent issues includin g secu r it y , ou t lining t he n ecessar y st eps t h e ser v ice p rov ider m ust t ake t o p rot ect t he back bone and any at t ached VPN sit es, and also det ailin g t he lat est secu rit y f eat ur es t o allow m or e adv anced t op ologies and filt erin g. This par t also cov er s m ult i- car r ier MPLS VPN I n t he case of LDP session s being used f or CsC, t he v rf k ey wor d is add ed t o t he m pl s ldp deploy m en t s. Fin ally , Par t I V pr ov id es a m et hodology for ad van ced MPLS VPN ne ig hbor com m and on t he PE r out er so t hat t he LD P peer in g addr ess of t he CE r out er can be t r oub leshoot ing . specif ied . 
Examples 5-11 and 5-12 show the necessary commands at the PE router and CE router to enable authentication when the EuroBank CE router is using the CsC feature.

Example 5-11. PE Router LDP Authentication Configuration for CsC

mpls ldp neighbor vrf EuroBank 192.168.2.25 password 7 104F0B1500031D070D062F27




Example 5-12. EuroBank CE Router LDP Authentication Configuration for CsC

mpls ldp neighbor 192.168.2.26 password 7 104F0B1500031D070D062F27


CE-to-CE Authentication

An area that is currently being addressed in the IETF is that of CE-to-CE authentication. When a CE router is connected to a PE router, mechanisms are available to ensure that the direct connection to the network is validated. These include PPP authentication and neighbor authentication using MD5. However, no mechanism is presently available to verify that the CE router and the customer network are indeed connected to the correct VPN in the MPLS network.

The basic premise is that the customer can expect to be connected to the correct VPN by the service provider, and that the customer's traffic will not be transported outside the VPN. Furthermore, it is assumed that unauthorized traffic will not be allowed into the customer's VPN. However, a security breach of the VPN is quite possible if there is an error in the VPN configuration. Because the service provider is responsible for the infrastructure providing the MPLS VPN (which includes route distinguishers, route targets, VRF-to-interface allocations, and VPN route distribution), it is quite possible that an error in any of these areas could allow unauthorized parties access to the VPN, while the legitimate VPN customer is unaware of the security breach. To avoid this problem, a process or mechanism is needed to detect accidental misconfigurations in the service provider network. Because the various solutions are still being proposed and debated, a CE-to-CE authentication feature has yet to be implemented for MPLS VPN. However, to provide a better understanding of the concept and the problem it is trying to solve, the solution proposed in draft-ietf-ppvpn-l3vpn-auth, which is available from http://www.ietf.org/internet-drafts, will be discussed.
This draft proposes the use of a token that customer networks must hold to permit access to a VPN. The customer can hold more than one token to allow participation in overlapping VPNs or extranets. Figure 5-5 shows each step in the operation of CE-to-CE authentication (also referred to as CE-to-CE member verification) using the token-based approach.

Figure 5-5. CE-to-CE Authentication Using Tokens

The CE-to-CE authentication process illustrated in Figure 5-5 can be divided into three components:

Customer-to-PE signaling
PE-to-PE signaling
PE-to-Customer signaling

The steps required for each of these components are described as follows:

Step 1. Each customer VPN site originates and forwards one or more tokens toward the PE router to which it is connected. These tokens indicate membership of a particular VPN. Under normal circumstances, the tokens originate from a customer-managed device, which in most cases is the customer-owned CE router. When the CE router is managed by the service provider, it is unlikely that the customer will allow the service provider to manage the tokens because it defeats the original intent of the authentication, that is, to avoid configuration mishaps by the service provider.

If a managed CE router service is being provided, then tokens can be originated from a customer-controlled device or router within the VPN site that is not the CE router. Tokens can be propagated to the PE router from the customer through BGP or a new UDP-based token propagation protocol.


If the routing protocol that is used on the PE/CE circuit is BGP, then the tokens can be transferred over the existing BGP session in a new extended community attribute. If BGP routing is not enabled on the PE/CE circuit, then the UDP-based protocol will provide the token-forwarding function. Note that the BGP session or the VPN Token propagation protocol can originate from a router or device in the customer site behind the CE router.

If the customer site requires CE-to-CE based authentication, then the PE router will not advertise routes (to other PE routers) that originate from the customer site until a token has been received.

Step 2. When a token is received, the PE router advertises the routes originated by the CE router to all other PE routers by using the standard Multiprotocol BGP mechanism. In addition to the VPNv4 routes that are advertised, each Multiprotocol BGP update contains the associated token carried as a new extended community attribute called the CE-to-CE Authentication Token.
(This is the same extended community attribute referred to in Step 1.) Therefore, each route in the forwarding table is associated with a token. If Multiprotocol BGP is not being used to distribute routes between PE routers, the VPN Token Propagation Protocol could have provided this function.

Step 3. When the remote PE router receives routes with a new token, either through Multiprotocol BGP or the VPN Token propagation protocol, it must relay the token to the attached CE router. However, the PE router must not pass a token to a CE router if a token has not been previously received from that site. The token can be forwarded from the PE router to the customer network by using BGP or the VPN Token propagation protocol.

Step 4. When the CE router receives the token, it authenticates it against the known tokens for the particular VPNs it has configured.
Step 5. If the authentication fails, the CE issues an alarm requiring operator intervention. Optionally, it might withdraw from the VPN completely until the fault is rectified.

The advantage of the token-based approach to CE-to-CE authentication is that it provides the flexibility of supporting multiple overlapping VPNs for a customer. On the down side, this approach requires the customer to perform additional configuration in his network, as well as to maintain additional protocols, that is, the VPN Token propagation protocol or BGP on the PE/CE circuit.
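The five steps above can be followed in a small simulation. The block below is an added example written for this page, not code from the book or from the draft; the class names, the token strings and the "OtherCorp" customer are constructed, and a route's originating VPN name stands in for its route target. It shows the two PE-side rules the text states (hold a site's routes until its token arrives; never relay a token to a site that sent none) and how a CE detects a route-target mistake on the provider side by receiving a token it does not know.

```python
from dataclasses import dataclass, field


@dataclass
class Site:
    """A customer VPN site behind its CE router (constructed data)."""
    name: str
    vpn: str
    known_tokens: set
    alarms: list = field(default_factory=list)


@dataclass
class Route:
    """A VPNv4 route between PEs: prefix, originating VPN (stands in for the
    route target) and the CE-to-CE Authentication Token extended community."""
    prefix: str
    vpn: str
    token: str


class PE:
    def __init__(self, name):
        self.name = name
        self.sites = {}      # site name -> Site
        self.prefixes = {}   # site name -> prefixes announced by the site's CE
        self.tokens = {}     # site name -> token received from that site (Step 1)
        self.imports = {}    # site name -> VPN names whose routes its VRF imports

    def attach(self, site, prefixes, imports=None):
        self.sites[site.name] = site
        self.prefixes[site.name] = list(prefixes)
        self.imports[site.name] = set(imports) if imports else {site.vpn}

    def receive_token(self, site_name, token):
        """Step 1: the site forwards its token (over BGP or the UDP token protocol)."""
        self.tokens[site_name] = token

    def advertise(self):
        """Step 2: a site's routes are advertised only once its token has arrived,
        and every advertised route carries that token."""
        updates = []
        for site_name, prefixes in self.prefixes.items():
            token = self.tokens.get(site_name)
            if token is None:
                continue   # hold the site's routes until a token is received
            vpn = self.sites[site_name].vpn
            updates.extend(Route(p, vpn, token) for p in prefixes)
        return updates

    def receive_updates(self, updates):
        """Step 3: for each attached site that has itself supplied a token, relay
        the token of every imported route to its CE, which checks it (Steps 4-5)."""
        relayed = []
        for site_name, site in self.sites.items():
            if site_name not in self.tokens:
                continue   # never relay a token to a site that sent none
            for route in updates:
                if route.vpn in self.imports[site_name]:
                    ce_verify(site, route)
                    relayed.append((site_name, route.prefix))
        return relayed


def ce_verify(site, route):
    """Steps 4-5: the CE authenticates the token against its configured tokens
    and raises an alarm for operator intervention on a mismatch."""
    if route.token not in site.known_tokens:
        site.alarms.append(f"{route.prefix}: unknown token {route.token!r}")


def run_scenario(misconfigured=False, paris_token_sent=True):
    """Two EuroBank sites on two PEs plus a hypothetical second customer, OtherCorp.
    misconfigured=True makes the Paris PE wrongly import OtherCorp routes into the
    EuroBank VRF, the kind of provider-side error the text wants detected."""
    eb_token, oc_token = "EB-TOKEN-1", "OC-TOKEN-1"   # constructed token values
    paris, washington = PE("Paris"), PE("Washington")
    eb_paris = Site("EuroBank-Paris", "EuroBank", {eb_token})
    eb_wash = Site("EuroBank-Washington", "EuroBank", {eb_token})
    other = Site("OtherCorp-Washington", "OtherCorp", {oc_token})
    paris.attach(eb_paris, ["196.7.25.0/24"],
                 imports={"EuroBank", "OtherCorp"} if misconfigured else None)
    washington.attach(eb_wash, ["196.7.26.0/24"])
    washington.attach(other, ["10.99.0.0/24"])
    if paris_token_sent:
        paris.receive_token(eb_paris.name, eb_token)
    washington.receive_token(eb_wash.name, eb_token)
    washington.receive_token(other.name, oc_token)
    relayed_to_paris = paris.receive_updates(washington.advertise())
    paris_updates = paris.advertise()
    washington.receive_updates(paris_updates)
    return {"relayed_to_paris": relayed_to_paris,
            "paris_advertised": len(paris_updates),
            "paris_alarms": eb_paris.alarms,
            "washington_alarms": eb_wash.alarms + other.alarms}
```

In the misconfigured run the EuroBank CE in Paris is handed the OtherCorp token along with the leaked prefix and raises an alarm, while nothing on the Washington side changes; in the run where Paris never sends a token, its routes are neither advertised nor is any token relayed to it.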

One of the advantages of a separate VPN token distribution protocol is that although it is easy to extend the BGP protocol to support the propagation of tokens, it is not necessarily easy to do so with other protocols used on the PE/CE circuit such as RIP, OSPF, IS-IS, EIGRP, or static routing. A separate VPN token distribution protocol will allow a customer site to maintain its existing PE/CE routing protocol (assuming that BGP is not being used) in addition to enabling the CE-to-CE authentication feature.

Another draft that is currently in circulation is draft-behringer-mpls-vpn-auth, which is available from http://www.ietf.org/internet-drafts. This proposal needs no new protocols, no software upgrades at the CE routers, and no additional configuration in the customer network. It bases its solution on the premise that MD5 neighbor authentication (as discussed previously) should be run on PE/CE circuits. BGP UPDATE messages between PE routers will include a new BGP attribute, referred to as the "UPDATE authenticator."

The "UPDATE authenticator" attribute carries two entities: a generator value and a keyed HMAC MD5 signature of the generator value. The signature is obtained by running the MD5 key used by the particular VPN whose routes are carried within the BGP update against the generator value.

On receipt of a BGP update that contains the UPDATE authenticator attribute, a receiving PE router can use its local copy of the VPN's MD5 key to generate a keyed HMAC MD5 signature of the generator value that is contained within the attribute. If the result is different from the value that is transmitted in the UPDATE authenticator attribute, the UPDATE is discarded and a warning is logged.

There are some constraints imposed by this proposal:

Routing with MD5 authentication [RFC 2082, RFC 2154, RFC 2385] must be configured for all PE-CE links. Therefore, static routing is not possible for CE-CE authentication unless the VPN customer is willing to accept that the service provider will correctly configure its static routing information.

The same key must be used for all CE routers in the same VPN. This causes some operational issues with extranets, where VPNs essentially overlap, although extranets can be supported either centrally or distributed by maintaining all VPN keys within a list at the PE routers.

If the service provider manages the CE routers on behalf of the customer, then downstream C routers must use the same MD5 key as other sites within the same VPN. This is because the service provider might misconfigure either the PE or CE router; therefore, the VPN client must be able to authenticate on equipment that it manages.
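The sender and receiver halves of the UPDATE authenticator check, as an added example written for this page rather than code from the book or the draft. The function names, the per-VRF key table, the 16-byte generator and the warning text are assumptions; the draft's actual attribute encoding is not reproduced. The scenario shows the case the proposal is meant to catch: an UPDATE whose authenticator was computed with EuroBank's MD5 key fails when a provider error lands it in another customer's VRF, because that VRF's key produces a different HMAC.

```python
import hashlib
import hmac
import os


def make_update_authenticator(vpn_key: bytes, generator=None):
    """Sending PE: build the (generator, signature) pair for an UPDATE that carries
    one VPN's routes.  The signature is HMAC-MD5 over the generator value, keyed
    with the MD5 key that VPN uses for PE/CE neighbor authentication."""
    if generator is None:
        generator = os.urandom(16)   # fresh per UPDATE; its size is an assumption
    signature = hmac.new(vpn_key, generator, hashlib.md5).digest()
    return generator, signature


def verify_update_authenticator(vpn_key: bytes, generator: bytes, signature: bytes) -> bool:
    """Receiving PE: recompute HMAC-MD5 over the received generator with the local
    copy of the VPN's key and compare in constant time."""
    expected = hmac.new(vpn_key, generator, hashlib.md5).digest()
    return hmac.compare_digest(expected, signature)


def receive_update(local_keys: dict, vrf: str, generator: bytes, signature: bytes, log: list) -> bool:
    """Admit the UPDATE into the named VRF only if the authenticator verifies under
    that VRF's key; otherwise discard it and log a warning, as the proposal requires."""
    key = local_keys.get(vrf)
    if key is None or not verify_update_authenticator(key, generator, signature):
        log.append(f"WARNING: UPDATE for VRF {vrf} failed authentication; discarded")
        return False
    return True


def scenario():
    """Constructed keys: every EuroBank site shares one MD5 key, a hypothetical
    second customer (OtherCorp) uses another.  Returns the three verdicts and the log."""
    keys = {"EuroBank": b"eurobank-md5-key", "OtherCorp": b"othercorp-md5-key"}
    generator, signature = make_update_authenticator(keys["EuroBank"], b"\x01" * 16)
    log = []
    ok_same_vpn = receive_update(keys, "EuroBank", generator, signature, log)
    # A provider-side error places the EuroBank UPDATE into the OtherCorp VRF.
    ok_wrong_vrf = receive_update(keys, "OtherCorp", generator, signature, log)
    # A signature altered in transit (first byte flipped) is rejected as well.
    tampered = bytes([signature[0] ^ 0x80]) + signature[1:]
    ok_tampered = receive_update(keys, "EuroBank", generator, tampered, log)
    return ok_same_vpn, ok_wrong_vrf, ok_tampered, log
```

Because, as the text describes, the HMAC covers only the generator value, passing the check shows that the advertising PE holds the key of the VPN whose VRF is receiving the routes; it does not bind the prefixes in the UPDATE to the signature.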

Control of Routes That Are Injected into a VRF

An area that can cause DoS in an MPLS VPN network is an excessive number of routes being injected from the CE router to the VRF in the PE router, resulting in memory exhaustion and possible failure of the PE router. A VRF on a PE router can be populated with customer routes in several ways:

Through direct configuration into the VRF of static routes that the service provider enters

Through the use of a dynamic routing protocol between the CE router and the PE router

Through Multiprotocol BGP for exchange of VPNv4 routes between PE routers (including intranet, extranet, and Internet VPNs)

The use of static routing provides the greatest security because the service provider controls the destinations and number of prefixes injected into the VRF. In contrast, a PE/CE routing protocol and Multiprotocol BGP are dynamic in nature; therefore, any number of routes could be injected or removed at any time. This poses a problem because the PE router could be flooded with updates from a local CE router or, via Multiprotocol BGP, from a remote CE router. Therefore, the PE router could be open to a DoS attack (an excessive number of VRF routes might result in memory overflow, causing CEF to be disabled and MPLS VPN functionality to fail), either through malicious intent, a malfunctioning CE router, or a configuration error somewhere in the network that results in an excessive number of routes being injected into the VRF.

To address this problem, the number of routes that a VRF accepts can be limited by the maximum routes command under the VRF definition configuration, as shown in Example 5-13.
The first parameter on the command is the limit of routes permitted within the VRF; any routes that exceed this number will be dropped, unless the warning-only keyword is used. The second parameter defines a percentage threshold, which, if exceeded, generates a warning message.

Example 5-13. maximum routes Command

ip vrf EuroBank
 rd 10:27
 route-target export 10:27
 route-target import 10:27
 maximum routes

To demonstrate the behavior of the maximum routes command, the PE/CE routing protocols used in the SuperCom network (which include RIPv2, eBGP, and OSPF) will be discussed in the following sections. The maximum routes command will be configured for each of these protocols, and then an excessive number of routes will be injected. As will be discussed, the behavior of the maximum routes command varies depending on which routing protocol is used.

Using RIPv2 as the PE/CE Routing Protocol

As an example, we will use the EuroBank VRF on the Paris PE router. As described previously, EuroBank uses RIPv2 to inject routes into its VRFs. Example 5-14 shows the EuroBank VRF in the steady state. Six routes are active in the EuroBank VRF. The first route is injected by the EuroBank CE router in Paris using RIPv2, the next four are injected by Multiprotocol BGP from remote PE routers, indicated by the "B" at the beginning of each entry, and the last entry is the connected route for the PE/CE circuit.

Example 5-14. Paris PE Router EuroBank VRF Routes

Paris_PE#show ip route vrf EuroBank
[snip]
R    196.7.25.0/24 [120/1] via 192.168.2.25, 00:00:21, Ethernet0/0
B    196.7.26.0/24 [200/0] via 194.22.15.3, 00:18:21
     10.0.0.0/24 is subnetted, 1 subnets
B       10.2.1.0 [200/0] via 194.22.15.2, 00:18:21
     192.168.2.0/30 is subnetted, 3 subnets
B       192.168.2.32 [200/0] via 194.22.15.3, 00:18:21
B       192.168.2.12 [200/0] via 194.22.15.2, 00:18:21
C       192.168.2.24 is directly connected, Ethernet0/0

Inspecting the BGP VPNv4 table for the EuroBank VRF in Example 5-15, you can see that the routes correspond to those installed in the VRF.

Example 5-15. Paris PE Router EuroBank VPNv4 Table

Paris_PE#show ip bgp vpnv4 vrf EuroBank
[snip]
   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 10:27 (default for vrf EuroBank)
*>i10.2.1.0/24      194.22.15.2              0    100      0 ?
*>i192.168.2.12/30  194.22.15.2              0    100      0 ?
*> 192.168.2.24/30  0.0.0.0                  0         32768 ?
*>i192.168.2.32/30  194.22.15.3              0    100      0 ?
*> 196.7.25.0       192.168.2.25             1         32768 ?
*>i196.7.26.0       194.22.15.3              0    100      0 ?

To demonstrate the maximum routes command on the EuroBank VRF, we will apply a limit of 10 on the Paris PE router, as shown in Example 5-16. The 100 value is the percentage threshold at which to generate a log message. (Although 100% is used for purposes of this example, a smaller value would normally be configured to generate a syslog message before the limit was reached.) Any routes that are injected into the EuroBank VRF above the limit will be dropped. This behavior can be changed to logging a message only (and not dropping the route) by replacing the threshold value with the warning-only keyword.

Example 5-16. Maximum Route Limit

ip vrf EuroBank
 rd 10:27
 route-target export 10:27
 route-target import 10:27
 maximum routes 10 100

To check that the maximum routes command is working, the EuroBank Paris CE router has been configured to originate 10 additional prefixes from 192.168.20.0/24 through 192.168.29.0/24. Example 5-17 shows the warning message that is generated when the maximum route limit is exceeded.

Example 5-17. Route Limit Warning

%IPRT-3-ROUTELIMITEXCEEDED: IP routing table limit exceeded - EuroBank, 192.168.24.0/24

Examining the EuroBank VRF and the associated entries in the BGP VPNv4 table as shown in Example 5-18, you see that there are indeed only 10 routes injected into the VRF and the VPNv4 table. Only four of the new routes were accepted: 192.168.20.0/24 through 192.168.23.0/24.

NOTE

The RIPv2 database on the Paris PE router only contains the routes that have been accepted in the VRF. Any routes that were dropped do not appear in the RIP database. This is contrary to the behavior of eBGP and OSPF, as will be discussed later in this section. With eBGP and OSPF, although a route might be dropped from a VRF, it still appears in the Multiprotocol BGP VPNv4 table or OSPF link-state database. This is an important point to note because an excessive number of routes can affect memory consumption with eBGP and OSPF.

Example 5-18. Paris PE Router VRF and VPNv4 Table After Routes from EuroBank CE Router

Paris_PE#show ip route vrf EuroBank
[snip]
R    196.7.25.0/24 [120/1] via 192.168.2.25, 00:00:13, Ethernet0/0
B    196.7.26.0/24 [200/0] via 194.22.15.3, 00:08:20
R    192.168.21.0/24 [120/1] via 192.168.2.25, 00:00:13, Ethernet0/0
R    192.168.20.0/24 [120/1] via 192.168.2.25, 00:00:13, Ethernet0/0
     10.0.0.0/24 is subnetted, 1 subnets
B       10.2.1.0 [200/0] via 194.22.15.2, 00:08:51
R    192.168.23.0/24 [120/1] via 192.168.2.25, 00:00:13, Ethernet0/0
R    192.168.22.0/24 [120/1] via 192.168.2.25, 00:00:13, Ethernet0/0
     192.168.2.0/30 is subnetted, 3 subnets
B       192.168.2.32 [200/0] via 194.22.15.3, 00:08:20
B       192.168.2.12 [200/0] via 194.22.15.2, 00:08:51
C       192.168.2.24 is directly connected, Ethernet0/0
Paris_PE#show ip bgp vpnv4 vrf EuroBank
[snip]
   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 10:27 (default for vrf EuroBank)
*>i10.2.1.0/24      194.22.15.2              0    100      0 ?
*>i192.168.2.12/30  194.22.15.2              0    100      0 ?
*> 192.168.2.24/30  0.0.0.0                  0         32768 ?
*>i192.168.2.32/30  194.22.15.3              0    100      0 ?
*> 192.168.20.0     192.168.2.25             1         32768 ?
*> 192.168.21.0     192.168.2.25             1         32768 ?
*> 192.168.22.0     192.168.2.25             1         32768 ?
*> 192.168.23.0     192.168.2.25             1         32768 ?
*> 196.7.25.0       192.168.2.25             1         32768 ?
*>i196.7.26.0       194.22.15.3              0    100      0 ?

The output in Example 5-19 confirms that the RIPv2 database contains the same routes as held in the VRF.

Example 5-19. EuroBank VRF RIPv2 Database

Paris_PE#show ip rip database vrf EuroBank
10.0.0.0/8    auto-summary
10.2.1.0/24    redistributed
    [5] via 194.22.15.2,
192.168.2.0/24    auto-summary
192.168.2.12/30    redistributed
    [5] via 194.22.15.2,
192.168.2.24/30    directly connected, Ethernet0/0
192.168.2.32/30    redistributed
    [5] via 194.22.15.3,
192.168.20.0/24    auto-summary
192.168.20.0/24
    [1] via 192.168.2.25, 00:00:01, Ethernet0/0
192.168.21.0/24    auto-summary
192.168.21.0/24
    [1] via 192.168.2.25, 00:00:01, Ethernet0/0
192.168.22.0/24    auto-summary
192.168.22.0/24
    [1] via 192.168.2.25, 00:00:01, Ethernet0/0
192.168.23.0/24    auto-summary
192.168.23.0/24
    [1] via 192.168.2.25, 00:00:01, Ethernet0/0
196.7.25.0/24    auto-summary
196.7.25.0/24
    [1] via 192.168.2.25, 00:00:02, Ethernet0/0
196.7.26.0/24    auto-summary
196.7.26.0/24    redistributed
    [5] via 194.22.15.3,

Using Multiprotocol BGP to Exchange VPNv4 Routes

The output from the RIPv2 scenario shows that the route limit command is working as expected; however, we only configured a limit on the EuroBank VRF in Paris. If additional routes were injected by other EuroBank CE routers (or static routes added by the service provider), they would be received via Multiprotocol BGP at the Paris PE router.

To illustrate the effect of not applying the route limit on all PE routers that have VRFs for EuroBank, we have configured the San Jose CE router to originate another 10 routes: 192.168.30.0/24 through 192.168.39.0/24. An interesting thing happens. Although these additional routes from EuroBank San Jose are not installed in the Paris EuroBank VRF, they are retained in the BGP VPNv4 table for the EuroBank VRF. The output in Example 5-20 shows the current state of the BGP VPNv4 table at the Paris PE router. The additional routes were received from the San Jose PE router (next hop of 194.22.15.2), but they all have an "r" flag associated with them, which indicates a routing information base (RIB) failure. Although these routes were received via Multiprotocol BGP and stored in the BGP table on the Paris PE router, they could not be installed in the VRF table due to the limit imposed by the maximum routes command.

Example 5-20. Paris PE Router EuroBank VPNv4 Table with Routes from San Jose

Paris_PE#show ip bgp vpnv4 vrf EuroBank
BGP table version is 153, local router ID is 194.22.15.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 10:27 (default for vrf EuroBank)
*>i10.2.1.0/24      194.22.15.2              0    100      0 ?
*>i192.168.2.12/30  194.22.15.2              0    100      0 ?
*> 192.168.2.24/30  0.0.0.0                  0         32768 ?
*>i192.168.2.32/30  194.22.15.3              0    100      0 ?
*> 192.168.20.0     192.168.2.25             1         32768 ?
*> 192.168.21.0     192.168.2.25             1         32768 ?
*> 192.168.22.0     192.168.2.25             1         32768 ?
*> 192.168.23.0     192.168.2.25             1         32768 ?
r>i192.168.30.0     194.22.15.2              0    100      0 ?
r>i192.168.31.0     194.22.15.2              0    100      0 ?
r>i192.168.32.0     194.22.15.2              0    100      0 ?
r>i192.168.33.0     194.22.15.2              0    100      0 ?
r>i192.168.34.0     194.22.15.2              0    100      0 ?
r>i192.168.35.0     194.22.15.2              0    100      0 ?
r>i192.168.36.0     194.22.15.2              0    100      0 ?
r>i192.168.37.0     194.22.15.2              0    100      0 ?
r>i192.168.38.0     194.22.15.2              0    100      0 ?
r>i192.168.39.0     194.22.15.2              0    100      0 ?
*> 196.7.25.0       192.168.2.25             1         32768 ?
*>i196.7.26.0       194.22.15.3              0    100      0 ?

The end result is that even though the EuroBank CE router is prevented from accidentally or maliciously flooding the Paris PE router with routes, a DoS could still occur on the PE router by exhausting the memory in the Multiprotocol BGP VPNv4 table with routes that are accepted from other PE routers.
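The RIB-failure condition shown in Example 5-20 is easy to miss by eye once a table has thousands of entries. The following Python script is an added example for this section, not code from the book or from Cisco IOS: it parses show ip bgp vpnv4 vrf output in the format of Example 5-20 (the sample text below is constructed from that format and abbreviated, not a live capture) and counts the "r"-flagged paths per VRF and next hop, so an operator can see which remote PE is feeding prefixes that the local VRF limit refuses to install.

```python
"""Flag RIB-failure ("r") paths in "show ip bgp vpnv4 vrf" output.

Added example, not the book's or Cisco's code. The sample below is constructed
to match the layout of Example 5-20 (same VRF, RD, prefixes and next hops).
"""
import re
from collections import Counter

# Constructed sample, abbreviated from the shape of Example 5-20; not a live capture.
SAMPLE_OUTPUT = """\
Paris_PE#show ip bgp vpnv4 vrf EuroBank
BGP table version is 153, local router ID is 194.22.15.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 10:27 (default for vrf EuroBank)
*>i10.2.1.0/24      194.22.15.2              0    100      0 ?
*> 192.168.2.24/30  0.0.0.0                  0         32768 ?
*> 192.168.20.0     192.168.2.25             1         32768 ?
r>i192.168.30.0     194.22.15.2              0    100      0 ?
r>i192.168.31.0     194.22.15.2              0    100      0 ?
r>i192.168.32.0     194.22.15.2              0    100      0 ?
*>i196.7.26.0       194.22.15.3              0    100      0 ?
"""

IPV4 = r"\d+(?:\.\d+){3}"
# Three status characters, then the network (classful entries carry no mask),
# then the next hop. Continuation paths that repeat a prefix (blank network
# column) are deliberately skipped; they never carry the "r" flag on their own.
ROUTE_RE = re.compile(rf"^(?P<status>.{{3}})(?P<net>{IPV4}(?:/\d+)?)\s+(?P<nh>{IPV4})")
RD_RE = re.compile(r"^Route Distinguisher: (?P<rd>\S+)(?: \(default for vrf (?P<vrf>\S+)\))?")


def parse_vpnv4_table(text):
    """Return one dict per path line: rd, vrf, network, next_hop, internal, rib_failure."""
    entries, rd, vrf = [], None, None
    for line in text.splitlines():
        m = RD_RE.match(line)
        if m:
            rd, vrf = m.group("rd"), m.group("vrf")
            continue
        m = ROUTE_RE.match(line)
        if not m:
            continue
        status = m.group("status")
        entries.append({
            "rd": rd, "vrf": vrf,
            "network": m.group("net"), "next_hop": m.group("nh"),
            "internal": status[2] == "i",      # learned via MP-iBGP from another PE
            "rib_failure": status[0] == "r",   # held in the BGP table, not in the VRF
        })
    return entries


def rib_failures_by_source(entries):
    """Count RIB-failure paths per (vrf, next hop). A large count from one PE next hop
    means that PE accepted routes this PE's VRF limit refuses, the Example 5-20 case."""
    return Counter((e["vrf"], e["next_hop"]) for e in entries if e["rib_failure"])


def report(text):
    """Human-readable summary lines, one per (vrf, next hop) with RIB failures."""
    entries = parse_vpnv4_table(text)
    return [
        f"vrf {vrf}: {n} RIB-failure path(s) held in the VPNv4 table from next hop {nh}"
        for (vrf, nh), n in sorted(rib_failures_by_source(entries).items())
    ]


if __name__ == "__main__":
    for line in report(SAMPLE_OUTPUT):
        print(line)
```

Run against the full Example 5-20 output the report shows the ten San Jose prefixes behind next hop 194.22.15.2; feeding the same parser the output of every PE that imports route target 10:27 shows at once which VRFs still lack a limit.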
To avoid this situation, apply the maximum routes command to all VRFs. Give some consideration to the value of the limit imposed; if the value is too low, valid routes will be rejected, causing a DoS for some customer routes. Also note that the maximum routes value must cater for all types of routes that are injected into the VRF, which includes statics, connected, and routes learned dynamically. Applying a consistent value for the maximum routes to all VRFs prevents Multiprotocol BGP from distributing VPNv4 routes that are accepted in one part of the network but not another.
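The advice above (a limit on every VRF, the same value everywhere, and a warning threshold below 100%) is straightforward to audit from a saved configuration. The following Python script is an added example, not the book's or Cisco's code: it reads ip vrf stanzas in the format of Example 5-16 and reports VRFs with no maximum routes line, a limit that differs from the expected value, a warning-only setting (which never drops anything), or a 100% threshold. The sample configuration is constructed; only the EuroBank stanza mirrors Example 5-16, and the other two VRF names and values were invented for the audit.

```python
"""Audit "maximum routes" across the VRFs of an IOS configuration.

Added example, not the book's or Cisco's code. Only the EuroBank stanza below
follows Example 5-16; AcmeCorp and Globex are invented for the demonstration.
"""
import re

SAMPLE_CONFIG = """\
ip vrf EuroBank
 rd 10:27
 route-target export 10:27
 route-target import 10:27
 maximum routes 10 100
!
ip vrf AcmeCorp
 rd 10:28
 route-target export 10:28
 route-target import 10:28
!
ip vrf Globex
 rd 10:29
 route-target export 10:29
 route-target import 10:29
 maximum routes 50 warning-only
!
"""

VRF_RE = re.compile(r"^ip vrf (\S+)\s*$")
MAX_ROUTES_RE = re.compile(r"^\s+maximum routes (\d+) (\d+|warning-only)\s*$")


def parse_vrfs(config):
    """Map each VRF name to its maximum routes limit and threshold (None if unset)."""
    vrfs, current = {}, None
    for line in config.splitlines():
        m = VRF_RE.match(line)
        if m:
            current = m.group(1)
            vrfs[current] = {"limit": None, "threshold": None}
            continue
        if current is None or not line.startswith(" "):
            current = None  # '!' or a top-level command ends the stanza
            continue
        m = MAX_ROUTES_RE.match(line)
        if m:
            limit, thr = m.groups()
            vrfs[current]["limit"] = int(limit)
            vrfs[current]["threshold"] = thr if thr == "warning-only" else int(thr)
    return vrfs


def audit(vrfs, expected_limit):
    """Return (vrf, finding) pairs. The checks follow the text: every VRF needs a
    limit, the limit should be consistent across VRFs (and across PEs), warning-only
    never drops a route, and a 100% threshold gives no syslog warning before the
    limit is hit."""
    findings = []
    for name, v in sorted(vrfs.items()):
        if v["limit"] is None:
            findings.append((name, "no maximum routes configured"))
            continue
        if v["limit"] != expected_limit:
            findings.append((name, f"limit {v['limit']} differs from expected {expected_limit}"))
        if v["threshold"] == "warning-only":
            findings.append((name, "warning-only: excess routes are logged but not dropped"))
        elif v["threshold"] == 100:
            findings.append((name, "threshold 100%: no syslog warning before the limit is hit"))
    return findings


if __name__ == "__main__":
    for vrf, msg in audit(parse_vrfs(SAMPLE_CONFIG), expected_limit=10):
        print(f"{vrf}: {msg}")
```

The expected limit is passed in rather than inferred from the majority value so that the script gives the same answer on every PE in the network; running it over the configuration of each PE that carries a given VRF is what establishes the consistency the text asks for.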

NOTE

The maximum routes command is not selective on which routes it drops; it essentially drops them on a last-in, first-dropped basis. This is not really a problem because the main function of this command is to avoid memory overflow in the PE router due to routing instability in the customer network. It is the service provider's responsibility to monitor system logs and rectify the problem immediately if one is detected.

Using eBGP as the PE/CE Routing Protocol

The same RIB-failure problem can occur if eBGP is used as the PE/CE routing protocol between the Paris PE router and the Paris EuroBank CE router. In this case, the EuroBank VRF will reject the locally originating routes, but the entries received from the eBGP session will be retained in the BGP VPNv4 table for the VRF. This is shown in the output in Example 5-21. As you can see in the example, when the BGP session is established, a warning message is logged indicating the limit has been exceeded. However, the additional six routes that were rejected from the VRF exist in the VPNv4 table with the "r" status code.

Example 5-21. Paris PE Router EuroBank VRF Routes Using eBGP

%BGP-5-ADJCHANGE: neighbor 192.168.2.25 vpn vrf EuroBank Up
%IPRT-3-ROUTELIMITEXCEEDED: IP routing table limit exceeded - EuroBank, 192.168.24.0/24
Paris_PE#show ip route vrf EuroBank
[snip]
B    196.7.25.0/24 [20/0] via 192.168.2.25, 00:38:21
B    196.7.26.0/24 [200/0] via 194.22.15.3, 00:38:21
B    192.168.21.0/24 [20/0] via 192.168.2.25, 00:21:53
B    192.168.20.0/24 [20/0] via 192.168.2.25, 00:22:24
     10.0.0.0/24 is subnetted, 1 subnets
B       10.2.1.0 [200/0] via 194.22.15.2, 00:38:21
B    192.168.23.0/24 [20/0] via 192.168.2.25, 00:21:53
B    192.168.22.0/24 [20/0] via 192.168.2.25, 00:21:53
     192.168.2.0/30 is subnetted, 3 subnets
B       192.168.2.32 [200/0] via 194.22.15.3, 00:38:21
B       192.168.2.12 [200/0] via 194.22.15.2, 00:38:21
C       192.168.2.24 is directly connected, Ethernet0/0
Paris_PE#show ip bgp vpnv4 vrf EuroBank
[snip]
   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 10:27 (default for vrf EuroBank)
*>i10.2.1.0/24      194.22.15.2              0    100      0 ?
*>i192.168.2.12/30  194.22.15.2              0    100      0 ?
*  192.168.2.24/30  192.168.2.25             0             0 20 ?
*>                  0.0.0.0                  0         32768 ?
*>i192.168.2.32/30  194.22.15.3              0    100      0 ?
*> 192.168.20.0     192.168.2.25             0             0 20 ?
*> 192.168.21.0     192.168.2.25             0             0 20 ?
*> 192.168.22.0     192.168.2.25             0             0 20 ?
*> 192.168.23.0     192.168.2.25             0             0 20 ?
r> 192.168.24.0     192.168.2.25             0             0 20 ?
r> 192.168.25.0     192.168.2.25             0             0 20 ?
r> 192.168.26.0     192.168.2.25             0             0 20 ?
r> 192.168.27.0     192.168.2.25             0             0 20 ?
r> 192.168.28.0     192.168.2.25             0             0 20 ?
r> 192.168.29.0     192.168.2.25             0             0 20 ?
*> 196.7.25.0       192.168.2.25             0             0 20 ?

NOTE

It is worth noting that when a route is marked as "r," it will not be advertised in BGP. This is to prevent customer traffic from being black-holed due to inconsistent routing at the PE routers.

To contain the number of routes that eBGP accepts, the BGP neighbor maximum-prefix command should be configured on the PE router for the CE router neighbor, as shown in Example 5-22. This prevents the PE router from accepting excessive routes through the PE/CE BGP session. Note that MD5 authentication is also enabled for the PE/CE BGP session.

Table of Content s

Exa m pl e I5ndex - 2 2 . Con f igu r in g M a x im u m Pr ef ix e s for PE/ CE e BGP • MP LS and V PN Ar chi te ctur e s, V olum e I I By Jim Guichard , I van Pepelnjak , Jeff Apcar

router bgp 10 Pub lish er: Cisco Press Pub Dat e: Ju ne 06, 2ipv4 00 3 address-family vrf EuroBank I SBN: 1- 58 705 -1 12 -5

redistribute connected Pages: 50 4 redistribute static neighbor 192.168.2.25 remote-as 20 Wit h MPLS and VPN Ar chit ect u res, Volum e I I , y ou' ll lear n : neighbor 192.168.2.25 password 7 1211041B17060D1633 neighbor 192.168.2.25 How t o int egr at e v ar iou activate s r em ot e access t echn ologies in t o t h e back bone p r ovidin g VPN ser v ice t o m any d iff er ent t yp es of cu st om er s neighbor 192.168.2.25 maximum-prefix 10 The n ew PE- CE r out in g op t ions as w ell as ot her adv anced f eat ur es, includ ing per- VPN bgpNet dampening w ork Ad dr ess Tr an slat ion ( PE- NAT) VRFs can be ex t ended int o a cust om er sit e t o pr ov ide sep ar at ion inside t he no How auto-summary cust om er net w ork no synchronization The lat est MPLS VPN secur it y f eat u res an d d esign s aim ed at pr ot ect ing t h e MPLS VPN back bone exit-address-family How t o carr y cust om er m ult icast t r aff ic insid e a VPN The lat est in t er - car rier enh ancem ent s t o allow f or easier and m or e scalable d ep loym ent of int er - car r ier MPLS VPN serv ices By def ault , ex ceeding t he m ax im um p refix v alue causes t h e BGP session t o b e dr opp ed bet w een t h e PEtrou er and er iques and a includ message o be t ot st he n in Adv anced routblesh ootCE ingr out t echn in g rt ou t ersen outt pu t o sy enstsuem re log, high as avshow ailab ilit y Ex am ple 5- 23. MPLS and VPN Ar chit ect u res, Volum e I I , b uilds on t he best - sellin g MPLS an d VPN Ar ch it ect u res, Volum e I ( 1 - 587 05- 0 02- 1) , f rom Cisco Pr ess. Ex t endin g int o m or e adv anced t opics an d d ep loy m ent archit ect ur es, Volu m e I I pr ovid es r eader s w it h t he necessar y t ools t hey n eed t o d ep loy and m ain t ain a secur e, hig hly av ailab le VPN.

NOTE

The BGP dampening command is also included in the configuration at Example 5-23. This command controls a flapping route or interface when a CE router is sending too many prefixes and causing network instability.

Example 5-23. BGP Session Drop Due to Maximum Prefix Exceeded

%BGP-5-ADJCHANGE: neighbor 192.168.2.25 vpn vrf EuroBank Up
%BGP-4-MAXPFX: No. of prefix received from 192.168.2.25 (afi 2) reaches 8, max 10
%BGP-3-MAXPFXEXCEED: No. of prefix received from 192.168.2.25 (afi 2): 11 exceed limit 10
%BGP-5-ADJCHANGE: neighbor 192.168.2.25 vpn vrf EuroBank Down BGP Notification sent
%BGP-3-NOTIFICATION: sent to neighbor 192.168.2.25 3/1 (update malformed) 0 bytes
%IPRT-3-ROUTELIMITEXCEEDED: IP routing table limit exceeded - EuroBank, 192.168.26.0/24

Paris_PE#show ip bgp vpnv4 vrf EuroBank neighbor
BGP neighbor is 192.168.2.25, vrf EuroBank, remote AS 20, external link
  BGP version 4, remote router ID 0.0.0.0
  BGP state = Idle
  Last read 00:05:34, hold time is 180, keepalive interval is 60 seconds
  Received 69 messages, 0 notifications, 0 in queue
  Sent 69 messages, 1 notifications, 0 in queue
  Default minimum time between advertisement runs is 30 seconds

 For address family: VPNv4 Unicast
  Translates address family IPv4 Unicast for VRF EuroBank
  BGP table version 260, neighbor version 0
  Index 3, Offset 0, Mask 0x80
  Route refresh request: received 0, sent 0
  maximum limit 10
  Threshold for warning message 75%

  Connections established 2; dropped 2
  Last reset 00:05:35, due to BGP Notification sent, update malformed
  Peer had exceeded the max. no. of prefixes configured.
  Reduce the no. of prefix and clear ip bgp 192.168.2.25 to restore peering
No active TCP connection

As soon as the BGP prefix limit has been exceeded, the offending BGP neighbor is shut down and the BGP session must be restarted manually. (A new automatic restart feature is available from Cisco IOS 12.0(22)S onward.) It is then up to the service provider to rectify the problem and reset the BGP peering session. If it is not desirable for the peering session to be shut down, then the warning-only keyword can be appended to the maximum-prefix command. In this case, only a warning message is logged, but the prefixes are accepted and stored in the VPNv4 table.

NOTE

As of IOS release 12.0(22)S, a restart keyword has been added to the maximum-prefix command. This keyword allows the operator to specify an interval in minutes that the peering session should stay down before being automatically activated. However, this does not mitigate the operator from correcting the underlying problem.

Using OSPF as the PE/CE Routing Protocol

In Example 5-24, the PE/CE circuit that is between the Paris PE router and the FastFoods Lyon CE router has been configured for OSPF. As in the EuroBank case, the FastFoods VRF has been configured with a maximum route limit of 10. The steady state for the FastFoods VRF shows that 4 routes are installed.

Example 5-24. Paris PE Router FastFoods VRF Routes

Paris_PE#show ip route vrf FastFoods
[snip]
     10.0.0.0/24 is subnetted, 1 subnets
O E2    10.2.1.0 [110/20] via 192.168.2.21, 02:01:31, Serial5/0
B    195.12.2.0/24 [200/0] via 194.22.15.2, 00:21:38
     192.168.2.0/30 is subnetted, 2 subnets
B       192.168.2.16 [200/0] via 194.22.15.2, 00:21:38
C       192.168.2.20 is directly connected, Serial5/0

The FastFoods CE router has subsequently been configured to originate 10 routes: 192.168.40.0/24 through 192.168.49.0/24. As expected, a warning message is sent to the Paris PE router console to indicate that the maximum number of routes for the FastFoods VRF has been exceeded. The routes that exceed the limit are dropped from the VRF. As Example 5-25 shows, only 6 of the 10 routes have been accepted.

Example 5-25. Paris PE Router FastFoods VRF Routes After Routes from FastFoods CE Router

%IPRT-3-ROUTELIMITEXCEEDED: IP routing table limit exceeded - FastFoods, 192.168.46.0/24

Paris_PE#show ip route vrf FastFoods
[snip]
O E2 192.168.44.0/24 [110/20] via 192.168.2.21, 00:01:17, Serial5/0
O E2 192.168.45.0/24 [110/20] via 192.168.2.21, 00:01:16, Serial5/0
O E2 192.168.42.0/24 [110/20] via 192.168.2.21, 00:01:19, Serial5/0
O E2 192.168.43.0/24 [110/20] via 192.168.2.21, 00:01:18, Serial5/0
O E2 192.168.40.0/24 [110/20] via 192.168.2.21, 00:01:21, Serial5/0
O E2 192.168.41.0/24 [110/20] via 192.168.2.21, 00:01:20, Serial5/0
     10.0.0.0/24 is subnetted, 1 subnets
O E2    10.2.1.0 [110/20] via 192.168.2.21, 00:04:56, Serial5/0
B    195.12.2.0/24 [200/0] via 194.22.15.2, 00:04:56
     192.168.2.0/30 is subnetted, 2 subnets
B       192.168.2.16 [200/0] via 194.22.15.2, 00:04:56
C       192.168.2.20 is directly connected, Serial5/0

However, all the routes received, including those dropped from the VRF, have been kept in the OSPF link-state database. The link-state database for the FastFoods VPN is shown in Example 5-26.

Example 5-26. Paris PE Router FastFoods OSPF Link-State Database

Paris_PE#show ip ospf 200 database
       OSPF Router with ID (192.168.2.22) (Process ID 200)

                Router Link States (Area 2)

Link ID         ADV Router      Age         Seq#       Checksum Link count
192.168.2.21    192.168.2.21    1550        0x80000005 0xD12    2
192.168.2.22    192.168.2.22    1614        0x80000005 0x418    2

                Type-5 AS External Link States

Link ID         ADV Router      Age         Seq#       Checksum Tag
10.2.1.0        192.168.2.21    1550        0x80000004 0xA36C   0
192.168.2.16    192.168.2.22    1631        0x80000001 0xD72D   3489661028
192.168.40.0    192.168.2.21    27          0x80000001 0xE3AA   0
192.168.41.0    192.168.2.21    26          0x80000001 0xD8B4   0
192.168.42.0    192.168.2.21    25          0x80000001 0xCDBE   0
192.168.43.0    192.168.2.21    24          0x80000001 0xC2C8   0
192.168.44.0    192.168.2.21    23          0x80000001 0xB7D2   0
192.168.45.0    192.168.2.21    22          0x80000001 0xACDC   0
192.168.46.0    192.168.2.21    21          0x80000001 0xA1E6   0
192.168.47.0    192.168.2.21    20          0x80000001 0x96F0   0
192.168.48.0    192.168.2.21    19          0x80000001 0x8BFA   0
192.168.49.0    192.168.2.21    16          0x80000001 0x8005   0
195.12.2.0      192.168.2.22    1633        0x80000001 0xBAF0   3489661028

At present, there is no mechanism in Cisco IOS to control or limit the behavior of OSPF keeping all routes in its link-state database, regardless of the limit value on the maximum routes command. Assigning an inbound distribute-list to allow known customer subnets or prefixes is not effective. Although the list prevents routes from being installed into the VRF, these routes are still kept in the link-state database. Future IOS releases will address this issue by restricting the number of non-self-generated link-state advertisements (LSAs) that are allowed within a given OSPF process's link-state database.

NOTE

Even though OSPF routes cannot be restricted from entry into the local link-state database, they can be prevented from being populated into Multiprotocol BGP and to other PE routers and VPN sites. To get the OSPF routes into BGP, they must be redistributed at the originating PE router. Because redistribution is performed from the routing table, the routes are not populated into BGP.

In conclusion, if a dynamic routing protocol is necessary on the PE/CE circuit, the most effective way to limit routes and prevent a PE router from being flooded by IP prefixes that are announced from the customer network is to use a combination of maximum route limits on VRFs and eBGP with maximum prefixes configured.
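Both limits only help an operator who notices the messages they generate. The following Python, an added example rather than anything from the book, parses the IOS syslog messages shown in Examples 5-23 and 5-25 (%BGP-4-MAXPFX, %BGP-3-MAXPFXEXCEED, %BGP-5-ADJCHANGE, %IPRT-3-ROUTELIMITEXCEEDED) and turns them into per-peer and per-VRF findings; the sample log is constructed from the lines in those examples.

```python
"""Detection of the maximum-prefix and VRF route-limit syslog messages.

Added example, not the book's own code: it parses the IOS messages shown in
Examples 5-23 and 5-25 and turns them into per-peer and per-VRF findings.
SAMPLE_LOG is constructed from the lines in those examples.
"""
import re
from collections import defaultdict

# Message formats as printed by the Paris PE router in Examples 5-23 and 5-25.
MAXPFX_WARN = re.compile(
    r"%BGP-4-MAXPFX: No\. of prefix received from (?P<peer>\S+) \(afi (?P<afi>\d+)\) "
    r"reaches (?P<count>\d+), max (?P<limit>\d+)")
MAXPFX_EXCEED = re.compile(
    r"%BGP-3-MAXPFXEXCEED: No\. of prefix received from (?P<peer>\S+) \(afi (?P<afi>\d+)\): "
    r"(?P<count>\d+) exceed limit (?P<limit>\d+)")
ADJCHANGE = re.compile(
    r"%BGP-5-ADJCHANGE: neighbor (?P<peer>\S+) vpn vrf (?P<vrf>\S+) (?P<state>Up|Down)(?P<reason>.*)")
ROUTELIMIT = re.compile(
    r"%IPRT-3-ROUTELIMITEXCEEDED: IP routing table limit exceeded - (?P<vrf>[^,]+), (?P<prefix>\S+)")

PATTERNS = (("maxpfx_warn", MAXPFX_WARN), ("maxpfx_exceed", MAXPFX_EXCEED),
            ("adjchange", ADJCHANGE), ("route_limit", ROUTELIMIT))

# Constructed sample: the messages from Examples 5-23 and 5-25, in order.
SAMPLE_LOG = [
    "%BGP-5-ADJCHANGE: neighbor 192.168.2.25 vpn vrf EuroBank Up",
    "%BGP-4-MAXPFX: No. of prefix received from 192.168.2.25 (afi 2) reaches 8, max 10",
    "%BGP-3-MAXPFXEXCEED: No. of prefix received from 192.168.2.25 (afi 2): 11 exceed limit 10",
    "%BGP-5-ADJCHANGE: neighbor 192.168.2.25 vpn vrf EuroBank Down BGP Notification sent",
    "%BGP-3-NOTIFICATION: sent to neighbor 192.168.2.25 3/1 (update malformed) 0 bytes",
    "%IPRT-3-ROUTELIMITEXCEEDED: IP routing table limit exceeded - EuroBank, 192.168.26.0/24",
    "%IPRT-3-ROUTELIMITEXCEEDED: IP routing table limit exceeded - FastFoods, 192.168.46.0/24",
]


def parse_line(line: str):
    """Return (kind, fields) for a recognised message, or None for anything else."""
    for kind, rx in PATTERNS:
        m = rx.search(line)   # search, so a timestamp prefix does not matter
        if m:
            return kind, m.groupdict()
    return None


def analyse(lines):
    """Fold the messages into state: peers[peer] and vrfs[vrf] -> rejected prefixes."""
    peers = defaultdict(lambda: {"vrf": None, "state": None, "warned": False,
                                 "exceeded": False, "count": None, "limit": None,
                                 "reason": ""})
    vrfs = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        kind, f = parsed
        if kind == "adjchange":
            p = peers[f["peer"]]
            p["vrf"], p["state"], p["reason"] = f["vrf"], f["state"], f["reason"].strip()
        elif kind in ("maxpfx_warn", "maxpfx_exceed"):
            p = peers[f["peer"]]
            p["warned" if kind == "maxpfx_warn" else "exceeded"] = True
            p["count"], p["limit"] = int(f["count"]), int(f["limit"])
        else:  # route_limit: the VRF 'maximum routes' value rejected this prefix
            vrfs[f["vrf"]].append(f["prefix"])
    return dict(peers), dict(vrfs)


def findings(peers, vrfs):
    """Operator-facing summary of what the log shows."""
    out = []
    for peer, p in peers.items():
        if p["exceeded"] and p["state"] == "Down":
            out.append(f"CRITICAL peer {peer} vrf {p['vrf']}: {p['count']} prefixes > "
                       f"maximum-prefix {p['limit']}; session down, reset needed ({p['reason']})")
        elif p["exceeded"]:
            out.append(f"WARNING peer {peer}: limit {p['limit']} exceeded, session {p['state']}")
        elif p["warned"]:
            out.append(f"NOTICE peer {peer}: {p['count']} of {p['limit']} prefixes, threshold crossed")
    for vrf, prefixes in vrfs.items():
        out.append(f"WARNING vrf {vrf}: {len(prefixes)} prefix(es) rejected by maximum routes: "
                   + ", ".join(prefixes))
    return out


if __name__ == "__main__":
    for line in findings(*analyse(SAMPLE_LOG)):
        print(line)
```

The %BGP-4-MAXPFX message arrives before the session is torn down (8 of 10 prefixes, above the 75% threshold shown in Example 5-23), so alerting on it gives the operator a chance to act before the peer is shut down.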


PE to CE Circuits

As discussed earlier in this chapter, the MPLS core infrastructure is neither reachable nor visible from within a customer VPN; therefore, it is protected from potential customer DoS attacks. An exception to this rule is the peering interface of the PE router for the PE/CE circuit. Because the customer VRF is defined on this interface, it is reachable by the customer network. Therefore, the PE router might be subject to intrusion or DoS attempts from the customer network.

To mitigate unauthorized access to the service provider network, access-list filters should be placed on the PE router ingress interface to limit access, for example, to the peering addresses (PE/CE endpoints) used by the PE/CE routing protocol. Also, distribution filters can be applied on the routing process such that none of the subnets used for PE/CE circuits are made available to the customer network. If SuperCom is providing a managed router service, then these filters can be configured at the CE router instead of the PE router.

To better understand the filtering that is possible, we will examine the PE/CE circuit between the SuperCom Paris PE router and the FastFoods Lyon CE router. The IP addresses used on the Paris/Lyon PE/CE circuit are 192.168.2.22 at the PE router and 192.168.2.21 at the CE router. As has been previously discussed, this circuit uses OSPF to exchange routes and at present, no access-list or distribution filters have been applied. This means that the customer network has full visibility of all the subnets that SuperCom uses to provide PE/CE circuits for FastFoods. If we examine the FastFoods Lyon routing table in Example 5-27, we can see that all the circuit subnets starting with 192.168.2.0/30 are visible. This could potentially lead to an unscrupulous individual compromising the PE routers via Telnet attempts or access to any number of TCP/UDP ports.

Example 5-27. FastFoods Lyon Routing Table

FastFoods_Lyon#show ip route
[snip]
     10.0.0.0/24 is subnetted, 1 subnets
C       10.2.1.0 is directly connected, Ethernet0/0
O E1 195.12.2.0/24 [110/65] via 192.168.2.22, 3d18h, Serial4/0
     192.168.2.0/30 is subnetted, 2 subnets
O E1    192.168.2.16 [110/65] via 192.168.2.22, 3d18h, Serial4/0
C       192.168.2.20 is directly connected, Serial4/0

The only communication that is directly required between the Paris PE router and the FastFoods CE router is for OSPF routing exchanges and possibly ICMP for reachability testing. Therefore, you can create the filter for the PE router as shown in Example 5-28 based on this requirement.

Example 5-28. FastFoods CE Router Filter

ip access-list extended FastFoods-CE-Filter
 permit icmp host 192.168.2.21 host 192.168.2.22
 permit ospf host 192.168.2.21 224.0.0.0 0.0.0.255
 deny ip any 192.168.2.0 0.0.0.255
 permit ip any any

The f ir st line of t he access list perm it s I CMP pack et s ( ping s and so on ) t o be sent f r om t he Fast Food s CE r out er only t o t he d irect ly connect ed PE r out er int er face, on w hich t he Fast Food s VRF is def in ed . Allow in g pings is usef ul f or diag nost ics and man agem en t . The second line p er m it s OSPF t o exchan ge r out es b y allowin g com m unicat ion bet w een t he CE r out er and m ult icast d est inat ions t hat OSPF uses ( t h at is, 22 4. 0. 0. 2, 224 .0 .0 . 5, and Wit h MPLS and VPN Ar chit ect u res, Volum e I I , y ou' ll lear n : 22 4. 0. 0. 6) on a serial p oint - t o- p oint an d br oadcast circuit . How t o int egr at e v ar iou s r em ot e access t echn ologies in t o t h e back bone p r ovidin g VPN ser v ice t o m any d iff er ent t yp es of cu st om er s

NOTE The n ew PE- CE r out in g op t ions as w ell as ot her adv anced f eat ur es, includ ing per- VPN Net w ork Ad dr ess Tr an slat ion ( PE- NAT) The f ilt er used w it hin t he pr ev ious ex am ple m ight need t o be m odif ied depend ing on w hich h er be t y pes of media usedom . Som e eOSPF igur atar ions useinside unicast How VRFsotcan ex t ended int oarae cust er sit t o prconf ov ide sep at ion t he pack et s rat her t han m ult icast f or neighb or discov er y. cust om er net w ork The lat est MPLS VPN secur it y f eat u res an d d esign s aim ed at pr ot ect ing t h e MPLS VPN back bone The t hir d line d en ies access t o PE/ CE cir cuit sub net s f or any p rot ocol fr om any sou rce in t he Fast Food w ork . Th ent st raccess b y eusing app licat ions such as Telnet . The last Hows tLy o on carrnet y cust om er ismpr ultev icast aff ic insid a VPN line per m it s all ot her access, essent ially bet w een Fast Foods sit es. A per mit filt er m ust b e The for lat est in tot er e- car rier enh ancem o allow f orCE easier e scalable d epploym included a r em man agement w orent kstsatt ion if t he r ou t erand in t m erforaces ar e b eing olledent of int erilit - car for reachab y . r ier MPLS VPN serv ices Adv anced t rou blesh oot ing t echn iques includ in g r ou t er out pu t s t o en su re high av ailab ilit y MPLS and VPN Ar chit ect u res, Volum e I I , b uilds on t he best - sellin g MPLS an d VPN Ar ch itNOTE ect u res, Volum e I ( 1 - 587 05- 0 02- 1) , f rom Cisco Pr ess. Ex t endin g int o m or e adv anced t opics an d d ep loy m ent archit ect ur es, Volu m e I I pr ovid es r eader s w it h t he necessar y t ools t hey The n eedOSPF t o d ep loyerand must ain tbe ainset a secur e, int higerhly avad ailab le VPN. r out id m t o t he f ace dr esses on bot h t he PE r out er and t h e CE r out er; ot her w ise, t h e access- list pr ev ent s OSPF fr om oper at ing . 
MPLS and VPN Ar chit ect u res, Volum e I I , b eg in s w it h a br ief ref resher of t he MPLS VPN Ar ch it ect u re. Par t I I descr ibes adv anced MPLS VPN con nect iv it y includ in g t he int egr at ion of ser v ice pr ovider access t echn olog ies ( dial, DSL, cab le, Et her net ) an d a v ariet y of r out in g pr ocols ( I 29 S- I sh S, ows EI GRP, , ar in gapplied t he r eader h rt he h ow for to Exot am ple 5howand t h e OSPF) accesslistm is t o t hew itPE outkernow serledge ial intof er face int egr at e st hinbou ese fnd eat tur es in t o t h e VPN b ack bon e. Part I I I det ails adv anced d ep loy m ent issues Fast Food r affic. includin g secu r it y , ou t lining t he n ecessar y st eps t h e ser v ice p rov ider m ust t ake t o p rot ect t he back bone and any at t ached VPN sit es, and also det ailin g t he lat est secu rit y f eat ur es t o allow m or em adv erin g. This covPE/ er s mCE ult i-Ci car r ier tMPLS VPN Exa planced e 5 - 2t op 9 .ologies Appliand ng filt I nBoun d par Fi ltt ealso r on r cui deploy m en t s. Fin ally , Par t I V pr ov id es a m et hodology for ad van ced MPLS VPN t r oub leshoot ing . MPLS and VPN Ar chit ect u res, Volum e I I , also int rod uces t he lat est adv ances in cu st omer interface Serial5/0 int egr at ion, secur it y, and t r oubleshoot ing feat u res essent ial t o p rov iding t h e adv anced

 ip vrf forwarding FastFoods
 ip address 192.168.2.22 255.255.255.252
 ip access-group FastFoods-CE-Filter in
 ip ospf message-digest-key 1 md5 7 020A014F18120E2D47

 no cdp enable

The next thing that you should do is prevent distribution of SuperCom PE/CE circuit addresses (used by other FastFoods PE/CE circuits) to the CE router by applying an outbound distribute list to the FastFoods OSPF process on the PE router. Although the inbound access-group filter described previously prevents unauthorized access to PE/CE circuits, it is still good practice to minimize network visibility to only what the C-network is required to see.

The configuration shown in Example 5-30 allows OSPF to distribute all routes to the CE router except for those that fall within the prefix 192.168.2.0/24, which is the PE/CE circuit address range used in the SuperCom network. The PE router should not accept routes from the FastFoods CE router for address ranges that are used in the SuperCom core network. This includes the PE/CE circuits and the registered addresses used for core links and loopback addresses. This prevents the CE router from injecting false PE/CE addresses that might cause routing issues at other FastFoods sites, or from spoofing SuperCom infrastructure addresses. Each list needs a trailing permit any: a standard access list otherwise ends with an implicit deny any, and the inbound distribute list would then reject every route the CE offers, not just the SuperCom ranges.

Example 5-30. Filtering PE/CE Circuit Routes

ip access-list standard PE-CE-Circuits
 deny 192.168.2.0 0.0.0.255
 permit any
!
ip access-list standard SuperCom-Address-Range
 deny 192.168.2.0 0.0.0.255
 deny 194.22.0.0 0.0.255.255
 ! a standard access list ends with an implicit deny any; without this
 ! line the inbound distribute list would reject every route the CE offers
 permit any
!
router ospf 200 vrf FastFoods
 router-id 192.168.2.22
 log-adjacency-changes
 area 2 authentication message-digest
 redistribute connected subnets
 redistribute bgp 100 metric-type 1 subnets
 network 192.168.2.0 0.0.0.255 area 2
 distribute-list PE-CE-Circuits out
 distribute-list SuperCom-Address-Range in
!
no mpls ip propagate-ttl forwarded


NOTE

The example also shows that the SuperCom core network is hidden from the FastFoods site by use of the no mpls ip propagate-ttl command, so a traceroute from the CE does not reveal the P-router hops.
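The two standard access lists in Example 5-30 are easy to misread because IOS checks only the network address of each route and silently appends a deny any. The following Python model is an added example, not code from the book or from Cisco: it applies both lists to constructed prefix sets to show what the Lyon CE is allowed to learn (distribute-list out) and what the PE accepts from the CE (distribute-list in). The third FastFoods site prefix 10.3.1.0/24 and the routes the CE "offers" are constructed inputs.

```python
"""Model of the two standard access lists applied as OSPF distribute lists
in Example 5-30.

Added example, not from the book: it applies the lists to constructed
prefix sets to show what the Lyon CE is allowed to learn (distribute-list
out) and what the PE accepts from the CE (distribute-list in). The third
FastFoods site prefix 10.3.1.0/24 and the routes the CE 'offers' are
constructed inputs.
"""
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard mask semantics: a 1 bit in the wildcard means 'do not care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)


def standard_acl_permits(entries, prefix: str) -> bool:
    """A standard ACL used as a distribute list is checked against the route's
    network address only (the mask is ignored). Lines are tried in order and
    every IOS access list ends with an implicit 'deny any'."""
    net = str(ipaddress.IPv4Network(prefix, strict=False).network_address)
    for action, base, wildcard in entries:
        if wildcard_match(net, base, wildcard):
            return action == "permit"
    return False


# Lists from Example 5-30; the trailing 'permit any' is what lets the
# remaining customer routes through past the implicit deny.
PE_CE_CIRCUITS = [
    ("deny", "192.168.2.0", "0.0.0.255"),
    ("permit", *ANY),
]
SUPERCOM_ADDRESS_RANGE = [
    ("deny", "192.168.2.0", "0.0.0.255"),
    ("deny", "194.22.0.0", "0.0.255.255"),
    ("permit", *ANY),
]

# Constructed inputs. PE_VRF_ROUTES: what the PE's FastFoods OSPF process
# could advertise to Lyon. CE_OFFERED_ROUTES: what a misbehaving CE tries to
# inject, including a PE/CE circuit and two SuperCom core addresses.
PE_VRF_ROUTES = ["195.12.2.0/24", "192.168.2.16/30", "192.168.2.24/30", "10.3.1.0/24"]
CE_OFFERED_ROUTES = ["10.2.1.0/24", "192.168.2.40/30", "194.22.15.0/24", "194.22.1.1/32"]


def distribute_list(acl, routes):
    """Keep only the routes the access list permits."""
    return [r for r in routes if standard_acl_permits(acl, r)]


def advertised_to_ce():
    """distribute-list PE-CE-Circuits out"""
    return distribute_list(PE_CE_CIRCUITS, PE_VRF_ROUTES)


def accepted_from_ce(acl=SUPERCOM_ADDRESS_RANGE):
    """distribute-list SuperCom-Address-Range in"""
    return distribute_list(acl, CE_OFFERED_ROUTES)


if __name__ == "__main__":
    print("advertised to Lyon CE:", advertised_to_ce())
    print("accepted from Lyon CE:", accepted_from_ce())
    # Drop the trailing 'permit any' and nothing from the CE is accepted.
    print("without permit any:   ", accepted_from_ce(SUPERCOM_ADDRESS_RANGE[:2]))
```

Running the model shows the Lyon CE learning only the other FastFoods site prefixes, the PE accepting only the CE's own LAN, and, when the last line of SuperCom-Address-Range is removed, the PE accepting nothing at all; that last case is the configuration mistake the implicit deny produces.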

After applying the access list filter and distribute list, you can examine the Lyon CE router, as shown in Example 5-31. Only the directly connected circuit subnet is visible on the CE router; therefore, no other PE router is reachable.

NOTE

A similar distribute-list out can be configured on the CE router OSPF process to prevent the PE/CE circuit subnet from being seen by any FastFoods routers that might be behind the FastFoods Lyon CE router.

Example 5-31. Checking Access from the Lyon CE Router

FastFoods_Lyon#show ip route
[snip]
     10.0.0.0/24 is subnetted, 1 subnets
C       10.2.1.0 is directly connected, Ethernet0/0
O E1 195.12.2.0/24 [110/65] via 192.168.2.22, 01:11:31, Serial4/0
     192.168.2.0/30 is subnetted, 1 subnets
C       192.168.2.20 is directly connected, Serial4/0
FastFoods_Lyon#ping 192.168.2.22

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.22, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/24/32 ms


FastFoods_Lyon#telnet 192.168.2.22

Trying 192.168.2.22 ...


% Destination unreachable; gateway or host down

FastFoods_Lyon#traceroute 195.12.2.1

Type escape sequence to abort.
Tracing the route to 195.12.2.1

  1 192.168.2.22 20 msec 20 msec 20 msec
  2 192.168.2.17 20 msec 20 msec *

A ping can still be issued to the directly connected PE router, but applications such as Telnet are not permitted. The traceroute (to the FastFoods San Jose LAN) in Example 5-31 shows the PE/CE addresses in the FastFoods VPN, but no other core addresses are visible.

Examining the FastFoods inbound access list on the Paris PE router in Example 5-32 shows how many packets originating from the FastFoods Lyon network have been permitted or denied by each line.

Example 5-32. FastFoods CE Router Filter on the Paris PE Router

Paris_PE#show access-list FastFoods-CE-Filter
Extended IP access list FastFoods-CE-Filter
    permit icmp host 192.168.2.21 host 192.168.2.22 (20 matches)
    permit ospf host 192.168.2.21 224.0.0.0 0.0.0.255 (517 matches)
    deny ip any 192.168.2.0 0.0.0.255 (8 matches)
    permit ip any any (77 matches)
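To see exactly why the ping in Example 5-31 succeeds while the Telnet attempt fails, and why the earlier NOTE warns about unicast OSPF, it helps to replay traffic through the filter line by line. The following Python model is an added example and not code from the book or from Cisco: it reproduces the four lines of FastFoods-CE-Filter as printed in Example 5-32, evaluates constructed packets from the Lyon CE against them in order, and keeps per-line hit counters like show access-list. The packets themselves (including the unicast OSPF hello and a connection to the San Jose LAN) are constructed test inputs.

```python
"""Model of the FastFoods-CE-Filter inbound access list from Example 5-32.

Added example, not from the book: it replays constructed packets from the
Lyon CE through a Python rendition of the IOS extended access list to show
which line each packet hits, with the implicit 'deny ip any any' that
closes every IOS access list. The packets are constructed test inputs.
"""
import ipaddress
from dataclasses import dataclass, replace
from typing import Tuple

CE = "192.168.2.21"           # FastFoods Lyon CE serial address (Example 5-31)
PE = "192.168.2.22"           # Paris PE serial address (Example 5-29)
OTHER_PE_CE = "192.168.2.17"  # another PE/CE circuit address seen in the traceroute
SAN_JOSE_LAN = "195.12.2.1"   # FastFoods San Jose host traced in Example 5-31


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard mask semantics: a 1 bit in the wildcard means 'do not care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                 # "icmp", "ospf", "tcp", ...


@dataclass
class AclEntry:
    action: str                # "permit" or "deny"
    proto: str                 # "ip" matches any protocol
    src: Tuple[str, str]       # (address, wildcard)
    dst: Tuple[str, str]
    matches: int = 0           # hit counter, as printed by 'show access-list'

    def hits(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        return wildcard_match(pkt.src, *self.src) and wildcard_match(pkt.dst, *self.dst)


def host(addr: str) -> Tuple[str, str]:
    """'host a.b.c.d' is shorthand for wildcard 0.0.0.0."""
    return (addr, "0.0.0.0")


ANY = ("0.0.0.0", "255.255.255.255")

# The four lines of FastFoods-CE-Filter, in the order 'show access-list' prints them.
FASTFOODS_CE_FILTER = [
    AclEntry("permit", "icmp", host(CE), host(PE)),
    AclEntry("permit", "ospf", host(CE), ("224.0.0.0", "0.0.0.255")),
    AclEntry("deny", "ip", ANY, ("192.168.2.0", "0.0.0.255")),
    AclEntry("permit", "ip", ANY, ANY),
]


def evaluate(acl, pkt: Packet):
    """First matching line wins. No match is the implicit deny, reported as
    line len(acl)+1 so the caller can tell it apart from an explicit deny."""
    for lineno, entry in enumerate(acl, start=1):
        if entry.hits(pkt):
            entry.matches += 1
            return entry.action, lineno
    return "deny", len(acl) + 1


# Constructed traffic from the Lyon CE, mirroring the checks in Example 5-31
# plus the unicast-OSPF case from the NOTE on neighbor discovery.
SAMPLE_PACKETS = {
    "ping PE":            Packet(CE, PE, "icmp"),
    "ospf hello (mcast)": Packet(CE, "224.0.0.5", "ospf"),
    "ospf hello (ucast)": Packet(CE, PE, "ospf"),
    "telnet PE":          Packet(CE, PE, "tcp"),
    "telnet other PE/CE": Packet(CE, OTHER_PE_CE, "tcp"),
    "to San Jose LAN":    Packet(CE, SAN_JOSE_LAN, "tcp"),
}


def run_filter():
    """Return ({packet name: (action, line)}, [hit count per line])."""
    acl = [replace(e, matches=0) for e in FASTFOODS_CE_FILTER]   # fresh counters
    results = {name: evaluate(acl, pkt) for name, pkt in SAMPLE_PACKETS.items()}
    return results, [e.matches for e in acl]


if __name__ == "__main__":
    results, counts = run_filter()
    for name, (action, lineno) in results.items():
        print(f"{name:20s} -> {action:6s} line {lineno}")
    print("hit counters:", counts)
```

The unicast OSPF hello lands on line 3 and is denied, which is the failure mode the NOTE describes for media where OSPF neighbors are configured as unicast; on such a link the second line needs a companion entry permitting OSPF from the CE to the PE interface address.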

The inbound filters and outbound distribute lists described in the previous section are equally applicable when using other PE/CE routing protocols such as eBGP, RIPv2, and EIGRP. If static routing were used, then only an inbound filter would be required on the PE router. If a point-to-point (nonmultiaccess) connection is being used for the PE/CE circuit and dynamic routing is not required, then a combination of unnumbered interfaces and static routes (pointing to the interface) can be configured to provide strict control of routes into the C-network and to minimize the access and visibility that the CE router has of the P-network. The disadvantage of unnumbered interfaces is that they are unavailable for remote testing and management. Therefore, unnumbered interfaces are not suitable for service providers who depend on polling the CE router interface for reachability status. Another disadvantage is that the routing table must be manually maintained, which might not be desirable for a large network.

Although unnumbered interfaces hide the address of the PE router circuit, they do not prevent traceroute from being used to discover the address that is in use. Therefore, it is still necessary to apply inbound filters to prevent access to the PE router interface address, as discussed in Example 5-28. A common and simple method for denying Telnet access to a PE router from a CE router is to place an access list on the virtual terminal lines (VTY). Example 5-33 shows a typical configuration of a service provider router. An access list is configured to accept Telnet connections only from IP source addresses that are part of the SuperCom core network address space (194.22.15.0/24). This access list is then applied to the range of virtual terminals that are used for remote login. If the inbound access lists discussed previously did not exclude Telnet access, and a PE router relied on this VTY access list alone to prevent Telnet access from the CE routers, then a potential security breach could exist: the access-class matches only on source address, so a connection arriving from the CE side with a source address in the 194.22.15.0/24 range (overlapping or spoofed) would be accepted.

Example 5-33. Preventing Telnet Access

line vty 0 4
 access-class SuperCom_Network-TELNET in
 password 7 051B091B2E4A49061501
 login
!
ip access-list standard SuperCom_Network-TELNET
 permit 194.22.15.0 0.0.0.255 log
 deny any log
!

Extranet Access

One of the great advantages of the MPLS VPN architecture is that VPNs can be merged easily between different customers' intranets to create specific extranet VPNs. You can create an extranet by importing and exporting routes between different customer VRFs.


If IP address overlap between customers is not an issue (that is, the IP address space is unique between customers), then you can import routes directly between the VRF tables. After an extranet is created between different VPNs, the customer intranets are subject to access by hosts outside their own VPNs (from the extranet). Although the intention to allow an extranet might have bona fide business reasons (for example, to allow ordering between a supplier and a manufacturer), it is perhaps slightly misguided to assume a level of trust between intranets. It is important that a logical separation is maintained between intranets that are participating in an extranet. This is achieved through the traditional method of using a firewall between the intranets. Prior to MPLS VPNs, provisioning a circuit between two companies created an extranet. It was then the responsibility of each company to secure its end of the circuit by using a privately maintained and managed firewall. This is illustrated in Figure 5-6. Assume that FastFoods and EuroBank had an extranet prior to the days of subscribing to the excellent SuperCom MPLS VPN service. Both FastFoods and EuroBank configured their own firewalls to adhere to the security policies of their respective organizations.

Figure 5-6. Traditional Extranet Firewalling

In the case of an extranet created in an MPLS VPN environment, the firewall function can be under the control of the service provider and located at a common service or peering point, as shown in Figure 5-7.
Figure 5-7. Extranet Firewall at a Common Service Point




In this scenario, SuperCom provides the extranet between FastFoods and EuroBank at a central point (PE router) in the network. This common service PE router has a separate VRF defined for FastFoods and for EuroBank. Each of the VRFs then connects to a separate interface on the firewall, which not only provides the security and logical separation required, but also any necessary address translation if EuroBank and FastFoods have overlapping address spaces. In the illustration, you can see that the F routes belong to FastFoods, whereas the E routes belong to EuroBank. If address translation is required, then a static route is injected into each of the VRFs at the common service PE router that represents the translated routes through the firewall, which can be seen as the ET and FT routes. The translated routes are distributed through the respective intranets using standard Multiprotocol BGP VPNv4 procedures.

Although the example discussed places the firewall at a common service point that SuperCom controls, there is no reason why EuroBank and FastFoods could not emulate their original extranet connection by providing individually owned firewalls that are interconnected using the MPLS VPN.
In this case, the extranet routing occurs in the VPN that connects the two firewalls, as illustrated in Figure 5-8. The extranet VRFs that connect the two firewalls use the same route distinguishers and import/export route targets to exchange the translated routes (if NAT is necessary) because they should hold identical routing entries.

Figure 5-8. Customer-Controlled Extranet Firewall
You can create an extranet directly between VRFs without using firewalls. This might occur if only a few trusted devices in each intranet need to communicate with each other, and the address space that each intranet uses is unique. Consider Figure 5-9, where FastFoods San Jose and EuroBank Paris require two specific hosts to communicate with each other. The FastFoods San Jose host is allocated the IP address F1, and the EuroBank Paris host is allocated the address E1. Because the extranet only needs to be formed between specific devices located at these particular sites, only the host addresses of E1 and F1 need to be imported into the VRFs at FastFoods San Jose and EuroBank Paris. This can be achieved through the use of route maps, where a unique route target can be exported with the host address. The nominated VRFs at San Jose and Paris then import this unique route target, and all other VRFs are excluded from importing it. In addition, an access list can be applied at the CE router interfaces to further restrict communication between F1 and E1. If more security than an access list is required, the CE routers can be upgraded to a version of Cisco IOS that provides firewalling capability.

Figure 5-9. Simple Extranet Between Two VRFs
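The host-level extranet of Figure 5-9 rests entirely on which route targets each VRF imports, so it is worth checking the import decision explicitly rather than trusting the route-map. The following Python model is an added example, not code from the book or from Cisco: it reproduces the PE's import rule (a VRF installs a VPNv4 route when at least one of the route's export route targets is in the VRF's import list) for the San Jose and Paris VRFs plus a third EuroBank VRF that stays outside the extranet. The route target values, the addresses chosen for F1 and E1, and the EuroBank_London VRF are constructed for illustration.

```python
"""Route-target import model for the host-to-host extranet of Figure 5-9.

Added example, not from the book: a minimal model of the PE's import
decision for VPNv4 routes (a VRF imports a route when at least one of the
route's export route targets appears in the VRF's import list). The route
target values, host addresses for F1 and E1, and the EuroBank_London VRF
that stays outside the extranet are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Vpnv4Route:
    prefix: str
    rd: str                      # route distinguisher of the exporting VRF
    export_rts: FrozenSet[str]   # extended communities attached on export


@dataclass
class Vrf:
    name: str
    import_rts: FrozenSet[str]
    table: Dict[str, Vpnv4Route] = field(default_factory=dict)

    def import_routes(self, advertised: List[Vpnv4Route]) -> List[str]:
        """Install every advertised route that carries an RT we import."""
        for route in advertised:
            if route.export_rts & self.import_rts:
                self.table[route.prefix] = route
        return sorted(self.table)


# Constructed RT values: the intranet RT of each customer plus one unique
# RT that the export route-map attaches to the two host routes only.
FASTFOODS_RT, EUROBANK_RT, EXTRANET_RT = "1:100", "1:200", "1:999"

F1 = "10.1.1.10/32"   # FastFoods San Jose host (F1 in Figure 5-9), constructed
E1 = "10.9.9.20/32"   # EuroBank Paris host (E1 in Figure 5-9), constructed

# What the San Jose and Paris PEs advertise in MP-BGP. Site prefixes keep the
# intranet RT; only the /32 host routes also carry EXTRANET_RT.
ADVERTISED = [
    Vpnv4Route("10.1.1.0/24", "1:100", frozenset({FASTFOODS_RT})),
    Vpnv4Route(F1, "1:100", frozenset({FASTFOODS_RT, EXTRANET_RT})),
    Vpnv4Route("10.9.9.0/24", "1:200", frozenset({EUROBANK_RT})),
    Vpnv4Route(E1, "1:200", frozenset({EUROBANK_RT, EXTRANET_RT})),
]


def build_tables() -> Dict[str, List[str]]:
    """Run the import decision for three VRFs; only the two nominated VRFs
    import EXTRANET_RT, so only they see the other customer's host route."""
    vrfs = [
        Vrf("FastFoods_SanJose", frozenset({FASTFOODS_RT, EXTRANET_RT})),
        Vrf("EuroBank_Paris", frozenset({EUROBANK_RT, EXTRANET_RT})),
        Vrf("EuroBank_London", frozenset({EUROBANK_RT})),   # not in the extranet
    ]
    return {vrf.name: vrf.import_routes(ADVERTISED) for vrf in vrfs}


if __name__ == "__main__":
    for name, prefixes in build_tables().items():
        print(f"{name:18s} {prefixes}")
```

The output shows the San Jose VRF holding E1 and the Paris VRF holding F1, while neither sees the other customer's site prefix and EuroBank_London sees nothing from FastFoods at all. The same check, run against the actual import and export route targets of a provisioned PE, is the quickest way to confirm that a unique extranet RT has not leaked into a VRF it should not reach.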


Internet Access

The provision of Internet access in an MPLS VPN network can be as straightforward as provisioning a default route within a VRF that points to one or more egress gateways. When a customer requires the full or partial BGP Internet routing table via one or more egress gateways, then the global routing table should be used.

The provision of simple Internet access using a default route in an MPLS VPN uses the same procedures as provisioning an extranet. In fact, from an MPLS VPN perspective, you could consider Internet access using the default route as nothing more than a giant extranet with a much larger potential for security breaches.

The provision of Internet access to most small- to medium-sized enterprise customers generally requires not much more than injecting a default route into the customer VPN pointing to the service provider Internet gateway. If multiple Internet gateways were available from the service provider, then each could inject a default route, with the best one being imported into the VRF based on standard BGP path selection.

The disadvantage of using the default route for multiple Internet gateways is that optimal routing is not achieved. All Internet access within a VRF would follow the same path through the MPLS-VPN network, regardless of whether a better gateway were available for a particular Internet destination. You could solve this problem by injecting the Internet routes into the VPN VRF; in that way, each Internet prefix would point to the best egress gateway. However, this is strongly discouraged due to the router resource and processing overheads required to maintain Internet routes within multiple VRFs. In this case, the global routing table should be used.
Regardless of the type of Internet access required, some form of firewall is necessary to protect the VPN customer from unauthorized access and DoS attacks. The following sections discuss the various firewall scenarios that can be deployed.

Shared Internet Access Using the Default Route


Figure 5-10 shows Internet access being provided to FastFoods and EuroBank via a shared firewall service. In this scenario, both FastFoods and EuroBank import the default route, indicated as D in the VRFs. Conversely, the shared Internet VRF imports all the routes from the FastFoods and EuroBank VPNs. The default route can be exported to all the VRFs that comprise the FastFoods and EuroBank VPNs. The result is that all sites in both these VPNs would have direct access to the Internet (no need to traverse a hub within FastFoods or EuroBank) with protection being provided by the SuperCom shared firewall. This solution assumes that IP addressing between FastFoods and EuroBank is unique so that the same shared VRF can be used, or that PE-NAT is in effect at the PE routers. The firewall in this case is not required to perform NAT unless the addresses in either the FastFoods or EuroBank VPNs use private addressing. The disadvantage of this solution is that because the VPN customers share a common firewall, they are bound to the security policies that SuperCom imposes. Also, if multiple Internet gateways are available, optimal routing for a particular prefix will not be achieved because the best path was selected based on the default route to a particular gateway.

Figure 5-10. Shared Internet Access
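The route-target arrangement just described (FastFoods and EuroBank import the default route D, and the shared Internet VRF imports their routes) can be expressed on the SuperCom PE router that hosts the shared firewall as follows. This is an added example written for this page, not configuration from the book: the AS number 1, the RD and route-target values, the interface name and the firewall inside address 192.168.100.1 are assumptions, and the customer addressing is assumed not to overlap, as the text requires.

```cisco
! Added example (not from the book). Assumed: AS 1, the RDs and route
! targets below, firewall inside address 192.168.100.1 on Ethernet1/0,
! and non-overlapping FastFoods and EuroBank addressing.
!
! Customer VRFs: each exports its own routes and additionally imports
! the shared default route (route target 1:100) from the Internet VRF.
ip vrf FastFoods
 rd 1:1
 route-target export 1:1
 route-target import 1:1
 route-target import 1:100
!
ip vrf EuroBank
 rd 1:2
 route-target export 1:2
 route-target import 1:2
 route-target import 1:100
!
! Shared Internet VRF: exports only what it originates (the default
! route toward the firewall) and imports the customer routes so that
! return traffic from the firewall can reach every customer site.
! Routes learned through import keep their original route targets and
! are not re-exported, so FastFoods never learns EuroBank prefixes
! through this VRF.
ip vrf Internet
 rd 1:100
 route-target export 1:100
 route-target import 1:1
 route-target import 1:2
!
interface Ethernet1/0
 description Inside interface of the SuperCom shared firewall
 ip vrf forwarding Internet
 ip address 192.168.100.2 255.255.255.0
!
! The default route (D in Figure 5-10) exists only inside the Internet
! VRF and points at the firewall; the firewall enforces SuperCom's policy
! for both customers.
ip route vrf Internet 0.0.0.0 0.0.0.0 192.168.100.1
!
! Advertise the default route as a VPNv4 route so that the export route
! target 1:100 carries it to every PE holding a FastFoods or EuroBank VRF.
router bgp 1
 address-family ipv4 vrf Internet
  network 0.0.0.0 mask 0.0.0.0
 exit-address-family
```

The security boundary here is the import list of the Internet VRF: every customer VRF whose export route target is added there gains Internet reachability through the same firewall and policy, so that list should be reviewed with the same care as the firewall rule base.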



Firewall Co-Location

When address overlap is an issue or the customer requires control of his own security policies, the firewall and NAT services can be replicated as shown in Figure 5-11. A central PE router can hold a series of Internet access VRFs, some of which connect to co-located customer firewalls, and others that support a shared managed firewall service. To minimize the number of physical interfaces required on the shared PE router, VLANs can be used to direct Internet access from a VRF to the associated firewall. The advantage of providing address translation at a central point is that a small address pool is required that you can apply to all sites in the VPN. The closer that NAT is performed to the customer, the more registered addresses that are required because each CE or aggregation point needs an address pool.

Figure 5-11. Shared Internet Access and Firewall Co-Location

Hub and Spoke Internet Access Using the Global Routing Table

The previous scenario showed a customer firewall co-located in the SuperCom POP. To a highly security-conscious customer, this scenario will not be desirable at all.

If a customer requires total control of access to the Internet for all its sites—including physically locating the firewall on its own premises—then a hub and spoke topology should be deployed with Internet access provided by the global routing table of the MPLS-VPN service provider. Consider the scenario that is depicted in Figure 5-12. EuroBank is providing Internet access to all its sites via a hub at its San Jose headquarters. A default route is exported from the San Jose hub to all its spoke sites as indicated by the D.

Figure 5-12. Hub-and-Spoke Internet Access


NOTE

The EuroBank hub-and-spoke topology is only required for Internet access using the default route. All EuroBank intranet traffic is transported directly between VRFs using a fully meshed topology.

At EuroBank San Jose, a firewall is connected to a global interface in the SuperCom network; that is, no VRF is defined on the PE router to which the firewall connects. Any traffic destined to the Internet from a EuroBank site would be picked up by the default route and directed to the San Jose hub site. From San Jose, the firewall translates the traffic (if necessary) and sends it into the global routing table of SuperCom. The Internet traffic then traverses the SuperCom network and egresses the appropriate SuperCom Internet border router.
One benefit of this solution is that the customer has total control over all aspects of Internet access. Because the Internet traffic is carried in the SuperCom global routing table, the best path can be selected for a particular Internet prefix if there were more than one Internet egress point in the network. The Internet BGP routing table need only be held in the PE routers that connect to Internet border routers and customers that require global connectivity. The core routers do not require the Internet routing table because they forward on labels, not IP prefixes. (In this case, it is the label of the destination edge PE router.) A disadvantage is that all Internet traffic for EuroBank must traverse the SuperCom network twice, first to get it to the EuroBank hub and then back out into the SuperCom global routing table. If NAT is required, then a dedicated registered pool must be allocated to EuroBank. (However, this is less of an issue due to the availability of PAT.) Two connections are required from the San Jose EuroBank site, although they could be logical circuits provisioned over a single physical link. With some smart configuration, it might even be possible to combine the firewall and CE router function at San Jose into a single unit, but two circuits would still be required.

Firewall at the CE Router

Another option is to configure all CE routers in a VPN with firewall functionality available in Cisco IOS, as shown in Figure 5-13. In this scenario, all traffic exiting any EuroBank sites is subject to firewall restrictions, which could include intranet access as well as Internet access. No firewalls are required at the Internet egress point, but more configuration and management are necessary at each of the CE routers. This includes providing a NAT pool for every site, although using Port Address Translation (PAT) minimizes the number of registered addresses required.

Figure 5-13. Firewalls at All CE Routers

The examples show the default route being used for Internet access; however, if there were multiple egress gateways and optimal routing were desirable, then you could use the global routing table. In this case, two circuits will be required from the CE router to connect to the PE router VRF interface and the global routing table. Access to the global routing table could also be achieved through the use of a static route within the VRF using the global keyword and a corresponding static route in the global routing table pointing back to the CE router (for the registered address pool that the CE router firewall holds).
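The single-circuit variant just mentioned, a VRF static route with the global keyword plus a global static route back to the CE firewall, looks like this on the PE router. This is an added example written for this page, not configuration from the book. It assumes VRF EuroBank, a CE firewall on Serial1/0 (PE side 192.168.2.1, CE side 192.168.2.2, taken from the SuperCom PE-CE range in Table 6-1 of the next chapter), a registered NAT pool 203.0.113.0/28 held by the CE firewall (a documentation range used as a placeholder), and 194.22.15.3 (a SuperCom loopback from Table 6-1) as the assumed global next hop toward the Internet border router.

```cisco
! Added example (not from the book). Assumed: VRF EuroBank, PE-CE link
! Serial1/0 (192.168.2.1 PE / 192.168.2.2 CE firewall), registered NAT
! pool 203.0.113.0/28 behind the CE firewall, global next hop 194.22.15.3,
! and AS 1 for SuperCom.
!
interface Serial1/0
 description PE-CE link to the EuroBank CE firewall
 ip vrf forwarding EuroBank
 ip address 192.168.2.1 255.255.255.252
!
! Outbound: a default route inside the VRF whose next hop is resolved in
! the global routing table (the "global" keyword), so Internet-bound
! packets leave the VRF without a second circuit.
ip route vrf EuroBank 0.0.0.0 0.0.0.0 194.22.15.3 global
!
! Return: the registered pool that the CE firewall translates into must
! be reachable from the global table, so a global static route points at
! the VRF interface. Only the translated pool is exposed this way; the
! site's private addressing remains inside the VRF.
ip route 203.0.113.0 255.255.255.240 Serial1/0
!
! Make the pool known to the rest of SuperCom's global table so that the
! Internet border routers have a path back to it.
router bgp 1
 network 203.0.113.0 mask 255.255.255.240
```

The global static route is the part to audit: it is the only hole between the global table and the VRF, and it should cover nothing wider than the registered pool the firewall actually owns.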

IPSec over MPLS

Generally, the MPLS-VPN service provider must be trusted to some extent to fully secure the network. However, there might be an occasion where a customer requires total control over traffic that passes through the core. You cannot control the service provider portion of the network after traffic has left the CE router. For customers who have a requirement for a high level of security, consider the use of IPSec tunnels over the MPLS core.

View IPSec as an overlay network to the MPLS-VPN network. The MPLS infrastructure is not aware of the IPSec layer, nor is the IPSec layer aware of the MPLS-VPN network. IPSec merely requires IP connectivity between two endpoints in the customer network. An IPSec tunnel could be provisioned between two CE routers, assuming the customer owns them. If the service provider is providing a managed CE router service, then the IPSec tunnels can be established further back in the customer network, avoiding the customer depending on the service provider to configure the IPSec tunnels. IPSec is advantageous. It allows secure communication in a customer network, including encrypting the data, authenticating customer endpoints, guaranteeing integrity of the data, and providing replay detection. The disadvantage is that IPSec turns the MPLS-VPN into a series of point-to-point tunnels, which are not scalable in a large network that might require full meshing.
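A CE-to-CE IPSec overlay of the kind described above, as an added example that is not configuration from the book. It assumes two customer-owned EuroBank CE routers whose PE-facing addresses 192.168.2.2 (this CE) and 192.168.2.6 (the remote CE) are reachable through the EuroBank VPN, site LANs 10.1.0.0/16 (local) and 10.2.0.0/16 (remote), and a pre-shared key placeholder; SuperCom needs none of these settings, since its PE routers forward the resulting ESP packets like any other VPN traffic.

```cisco
! Added example (not from the book). Assumed: this CE at 192.168.2.2,
! remote CE at 192.168.2.6, local LAN 10.1.0.0/16, remote LAN 10.2.0.0/16,
! and a pre-shared key placeholder. Applied on the local CE; the remote
! CE carries the mirror image.
!
! Phase 1 (IKE): authenticate the two endpoints and set up a protected
! negotiation channel.
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
crypto isakmp key PLACEHOLDER-PSK address 192.168.2.6
!
! Phase 2: ESP with encryption and integrity. Tunnel mode wraps the
! original packet, so the core only sees CE-to-CE addresses. Anti-replay
! protection is part of ESP and is on by default.
crypto ipsec transform-set EUROBANK-ESP esp-aes esp-sha-hmac
 mode tunnel
!
! Only intranet traffic between the two sites is protected; anything the
! ACL does not match still leaves as ordinary (unencrypted) VPN traffic,
! so the ACL defines exactly what the overlay covers.
ip access-list extended EUROBANK-INTRANET
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
crypto map EUROBANK-OVERLAY 10 ipsec-isakmp
 set peer 192.168.2.6
 set transform-set EUROBANK-ESP
 match address EUROBANK-INTRANET
!
interface Serial0/0
 description CE-PE link into the EuroBank VRF
 ip address 192.168.2.2 255.255.255.252
 crypto map EUROBANK-OVERLAY
```

Each additional site needs its own crypto map entry, peer and key on every CE that must reach it, which is the point-to-point scaling limit the text warns about; the MPLS-VPN itself stays fully meshed underneath and is unaffected.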

Summary

This chapter covered some aspects of how to make an MPLS-VPN more secure from unauthorized access and attack. No network is impervious to attack, but by following simple configuration rules, you can minimize security breaches. In summary:


MPLS-VPNs provide a high level of security, including address separation, no visibility of the core network, and resistance to label spoofing.


Use registered addresses for the core infrastructure and PE/CE circuits. This avoids an overlap problem on PE/CE circuits and allows the service provider to filter core addressing for CE routers that are using dynamic routing protocols.

Always apply filters inbound on the PE routers to limit access to the PE circuit address for routing protocols and pings only. If the service provider manages the CE router, then the filter can be applied on the outbound interface to the PE router. If dynamic routing protocols are being used on the PE/CE circuits, filter out the address range that is used for PE/CE circuits.

Always use MD5 neighbor authentication on routing adjacencies and LDP neighbors.

Be aware that limiting routes into a VRF does not necessarily stop those routes from being held in other memory structures. If VRF route limiting is required, try to use eBGP or static routes for PE-CE circuits.

MPLS-VPNs provide a comparable level of security to Frame Relay and the ATM network. However, like these Layer 2 technologies, data encryption is not provided. To further increase security, you can deploy IPSec as an overlay to the MPLS-VPN network.
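The PE-side rules in this summary (inbound filter on the PE-CE circuit, filtering the PE/CE range out of dynamic routing, MD5 on BGP and LDP sessions, and a VRF route limit) can be put together on one PE router as follows. This is an added example written for this page, not configuration from the book. It assumes PE-CE link Serial1/0 with PE address 192.168.2.1 and CE address 192.168.2.2 (the SuperCom PE-CE range from Table 6-1 of the next chapter), eBGP to the CE in AS 65001, an LDP neighbor 194.22.15.3 (a SuperCom loopback from Table 6-1), VRF EuroBank with RD 1:2, and placeholder MD5 keys.

```cisco
! Added example (not from the book). Assumed: Serial1/0 PE-CE link
! (192.168.2.1 PE / 192.168.2.2 CE), eBGP to CE AS 65001, LDP neighbor
! 194.22.15.3, VRF EuroBank, AS 1, and placeholder keys.
!
! Inbound filter on the PE-CE interface: the CE may reach the PE circuit
! address only for eBGP and ping; nothing may target the rest of the
! PE/CE address range; all other customer traffic is forwarded normally.
ip access-list extended PE-CE-IN
 remark Routing protocol sessions from the CE to the PE circuit address
 permit tcp host 192.168.2.2 host 192.168.2.1 eq bgp
 permit tcp host 192.168.2.2 eq bgp host 192.168.2.1
 remark Ping from the CE to the PE circuit address only
 permit icmp host 192.168.2.2 host 192.168.2.1 echo
 permit icmp host 192.168.2.2 host 192.168.2.1 echo-reply
 remark Everything else aimed at the PE/CE circuit range is dropped
 deny ip any 192.168.2.0 0.0.0.255
 remark Customer data traffic into the VRF
 permit ip any any
!
! Keep the PE/CE circuit range out of the routes the CE can advertise.
ip prefix-list CE-ROUTES-IN seq 5 deny 192.168.2.0/24 le 32
ip prefix-list CE-ROUTES-IN seq 10 permit 0.0.0.0/0 le 32
!
ip vrf EuroBank
 rd 1:2
 route-target both 1:2
 ! Cap what the CE can inject into this VRF and warn at 80 percent.
 ! This bounds the VRF table only; as the text notes, it does not stop
 ! the routes being held in other BGP memory structures.
 maximum routes 1000 80
!
interface Serial1/0
 description PE-CE link to EuroBank
 ip vrf forwarding EuroBank
 ip address 192.168.2.1 255.255.255.252
 ip access-group PE-CE-IN in
!
router bgp 1
 address-family ipv4 vrf EuroBank
  neighbor 192.168.2.2 remote-as 65001
  ! MD5 authentication of the PE-CE eBGP session
  neighbor 192.168.2.2 password PLACEHOLDER-BGP-KEY
  neighbor 192.168.2.2 prefix-list CE-ROUTES-IN in
  neighbor 192.168.2.2 activate
 exit-address-family
!
! MD5 authentication of the LDP session toward the core neighbor.
mpls ldp neighbor 194.22.15.3 password PLACEHOLDER-LDP-KEY
```

The ACL is ordered so that the two permitted services are listed before the deny for the circuit range; reversing that order would silently break the BGP session and the ping check, so verify with the ACL hit counters after applying it.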

Chapter 6. Large-Scale Routing and Multiple Service Provider Connectivity


As interest in the service benefits provided by a Multiprotocol Label Switching (MPLS) virtual private network (VPN) backbone has grown, so have the size and type of end-customers who are seeking their use. This has an impact on the basic connectivity model that the architecture provides because it might not satisfy all the requirements of each client. In many cases, scaling the amount of routing information exchanged with the service provider might be a challenge, or the geographic location of each of the customer's sites might expand beyond the reach of a single service provider. Therefore, different service models are required to address each of these scenarios and provide appropriate mechanisms to facilitate connectivity between VPN sites.

Chapter 14 of MPLS and VPN Architectures, Volume 1 (ISBN: 1-58705-081-1) introduced the concepts of the Carrier's Carrier and Interprovider solutions. As with several other emerging technologies at the time, various aspects of these architectures have matured since the initial publication, and more deployment experience has been gained. Therefore, this chapter will review each of these technology areas and provide a more in-depth discussion on each topic so that you can successfully implement each of these solutions.
While working through any of the example configurations in this chapter, we will refer to the sample service provider topology, as shown in Figure 6-1. All relevant IP address ranges for the service provider backbone are shown in Table 6-1.

Figure 6-1. SuperCom and EuroCom Network Backbone Topology

Table 6-1. IP Address Assignment for SuperCom Backbone

Company    Site                        Subnet
EuroCom    Paris (loopback 0)          196.49.1.1/32
           London (loopback 0)         196.49.1.2/32
           Munich (loopback 0)         196.49.1.3/32
           Management LAN              196.49.2.0/24
           PE-CE interface addresses   194.69.27.0/24
SuperCom   San Jose (loopback 0)       194.22.15.1/32
           Paris (loopback 0)          194.22.15.3/32
           Management LAN              194.22.16.0/24
           PE-CE interface addresses   192.168.2.0/24

Large Scale Routing: Carrier's Carrier Solution Overview

When the MPLS VPN architecture was first introduced, it was envisaged that it would be used primarily to provide Layer 3 services to enterprise customers who had a limited subset of IP routes. However, due to the popularity and large deployment base of this type of solution, many large enterprises, smaller MPLS VPN service providers, and Internet service providers (ISPs) have seen advantages in the MPLS architecture and requested connectivity from an MPLS VPN backbone provider.

The primary advantage that these end customers see is that they can avoid building their own Layer 2 infrastructures and use an MPLS VPN provider instead to interconnect their sites. Apart from reducing infrastructure costs, each site can be fully meshed with its peer sites, thereby providing optimal routing. To provide maximum availability, the end customer can also be dual-homed to different PE routers of the carrier's MPLS VPN backbone.

The implication of allowing these types of customers access to an MPLS VPN backbone is that the backbone might have to carry large amounts of routing information for each individual customer. An ISP, for example, almost certainly needs to exchange a partial (if not the entire) Internet routing table between its sites. This is because the ISP's own customers might need access to the full spectrum of Internet routes, such as when they are dual-homed to different ISPs. In the case of a large enterprise or another MPLS VPN service provider, a substantial number of prefixes might need to be reachable from within each site.

Providing access to these customers creates a potential scaling issue because each PE router must maintain all the local routing information within a VRF. This routing information then needs to be distributed to all relevant PE routers so that remote CE routers can obtain the appropriate routing information. Although there are no restrictions within the base MPLS VPN architecture to prevent the exchange of large amounts of routes between PE routers and CE routers, it is important to understand the ramifications of such connectivity. Because of these potential scaling issues, a new solution is needed, which is provided through the Carrier's Carrier architecture.

NOTE

The name Carrier's Carrier might imply that the architecture is only relevant to large VPN service providers, but the architecture is not specific to a single type of organization. For example, mid-range service providers or large enterprises might deploy this solution for scalability reasons, such as PE routers becoming over-provisioned with routing information.

Carrier's Carrier Route Types
To understand how the Carrier's Carrier solution assists with scaling and carrier isolation, it is necessary to first draw a line between which routes are used for internal connectivity of a particular VPN and which routes belong to external customers of that VPN. To better comprehend this, refer to the InterCom VPN that is shown in Figure 6-2.

Figure 6-2. Carrier's Carrier: InterCom VPN Connectivity




Figure 6-2 shows that InterCom is attached to the EuroCom backbone in two places: London and Brussels. InterCom has connectivity to the Internet within the London site and has two of its own Internet clients: InterFlowers and GamesNet. In the Brussels site, InterCom has a further Internet client: SoccerOnline.

Within the London and Brussels sites, InterCom has various links between each of its routers in addition to loopback interfaces on each router. The loopback interfaces are used for network management, BGP peering, and so on. InterCom also provides various internal services to its customers, such as web hosting, DHCP, and so on. All the routes associated with these aspects of the InterCom network are classified as internal routes.

The London InterCom site has access to the Internet via a local peering connection. The InterCom site learns the entire Internet routing table from this peering session. Both the London and Brussels sites have Internet clients attached, and Internet routes are exchanged with these customers. All the routes learned from the Internet and from external customers of the InterCom network are classified as external routes.

In addition to the internal and external route types, there are several other terms that are used to help define the Carrier's Carrier architecture. An illustration of each of these components is provided in Figure 6-3, and they are also listed here:

CSC— This is an abbreviation used in the text to mean Carrier's Carrier.

CSC PE router— This is the same as a normal PE router except that it provides MPLS-to-MPLS label forwarding rather than IP-to-MPLS label imposition.

CSC CE router— This is the same as a normal CE router except that it runs a label distribution protocol with the PE router.

Carrier network— This is an MPLS VPN service provider that provides CSC functionality.

Carrier's Carrier network— This is the network of the customer that is attached to the Carrier network.

Figure 6-3. Carrier's Carrier Terminology



Table of Content s



I ndex

MP LS and V PN Ar chi te ctur e s, V olum e I I By Jim Guichard , I van Pepelnjak , Jeff Apcar

Table 6-2 provides all the relevant IP address assignments for EuroCom, InterCom, and each of InterCom's Internet customers, which you saw in Figure 6-2.

Table 6-2. IP Address Assignment for EuroCom, InterCom, and End Customers

Company                             Site                              Subnet
EuroCom (autonomous system #20)     PE-CE interface addresses         194.69.27.0/24
InterCom (autonomous system #100)   London                            145.27.62.0/24
                                    London CE router (loopback 0)     145.27.62.1/32
                                    GamesNet peering router           145.27.62.2/32
                                    Brussels                          145.27.63.0/24
                                    Brussels CE router (loopback 0)   145.27.63.1/32
                                    SoccerOnline peering router       145.27.63.2/32
InterFlowers                        London                            201.16.4.0/24
GamesNet                            London                            222.27.5.0/24
SoccerOnline                        Brussels                          216.49.24.0/24

Carrier Backbone Connectivity

The previous section clearly shows that InterCom is providing ISP-type services within its VPN to its customers; therefore, it has the potential to carry a substantial amount of routing information between its sites. In our example, InterCom receives the entire Internet routing table from its upstream ISP within the London site. It also receives routing information from each of its Internet end customers. All of this routing information needs to be distributed between the InterCom London and Brussels CE routers by the EuroCom backbone; this includes end-customer routes and full Internet routing.

Due to the large amount of routing information and the desire for InterCom to keep tight control of its intersite routing information, InterCom and EuroCom decided to utilize the Carrier's Carrier architecture. Deployment of this solution provides the routing policy control desired by InterCom. This is because InterCom is able to advertise external routes between its sites by using BGP-4 and distribute all internal routes to the neighboring EuroCom PE router by using static or dynamic routing.

As with normal MPLS VPN deployments, routes are exchanged between CSC PE routers and CSC CE routers and placed into the VRF that corresponds to that particular VPN client. Because all external routes are exchanged directly between the InterCom sites by using BGP-4, only routes that belong to the InterCom internal network are advertised from the CSC CE router to the CSC PE router. This substantially reduces the amount of information that the EuroCom MPLS VPN backbone network must carry. Figure 6-4 illustrates this concept and how InterCom exchanges routes with EuroCom.

Figure 6-4. Internal and External Route Exchange

Because only InterCom internal routes are exchanged between CSC CE routers and CSC PE routers, none of the external routing information that InterCom carries ever reaches the EuroCom CSC PE routers. This means that the EuroCom CSC PE routers have limited visibility into the InterCom routing domain; therefore, they need a forwarding paradigm other than IP hop-by-hop routing. This is required because packets that have an IP destination address external to the InterCom network are not routable at the CSC PE routers: the destination IP prefix will not have been distributed to EuroCom.

We have seen in MPLS and VPN Architectures, Volume I, that MPLS forwarding to BGP destinations is based on label forwarding toward the next hop of the route. Because InterCom distributes all external routes by using BGP-4, you should be able to use this mechanism also. However, this requires an end-to-end MPLS label-switched path (LSP) between the ingress and egress BGP-4 peers. Therefore, InterCom must be able to provide this LSP, both within its own sites (optional) and across the EuroCom backbone network. To provide an LSP across the EuroCom network, the label distribution protocol needs to be extended into the attached InterCom sites. You will see later in this chapter how to achieve this and how the LSPs are built through the CSC PE routers and between Carrier's Carrier sites.


Exchange of Internal Routes Between VPN Sites

There is nothing particularly special about the MPLS VPN backbone with respect to the Carrier's Carrier architecture. In other words, all internal routes are placed into the VRF that corresponds to the end customer and are distributed among CSC PE routers using Multiprotocol BGP. The fundamental difference between this architecture and the base MPLS VPN service is that not all VPN routes are sent to the CSC PE routers; instead, the external routes are distributed directly between sites using BGP-4. This results in CSC PE routers having only partial visibility of the customer's routing. Thus, they must rely on a packet forwarding capability that is different from the default hop-by-hop IP routing to carry customer IP datagrams between sites.

Example 6-1 provides the initial configuration of the EuroCom London CSC PE router that will support the exchange of InterCom internal routes from the London site between the London and Munich CSC PE routers.

Example 6-1. CSC PE Router Configuration for Internal Route Exchange

hostname EuroCom_LondonPE
!
ip vrf InterCom
 rd 20:1234
 route-target export 20:99
 route-target import 20:99
!
interface Ethernet10/1/1
 description ** interface to InterCom London
 ip vrf forwarding InterCom
 ip address 194.69.27.6 255.255.255.252
!
router bgp 20
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor 196.49.1.3 remote-as 20
 neighbor 196.49.1.3 update-source Loopback0
 !
 address-family ipv4 vrf InterCom
  no auto-summary
  no synchronization
 exit-address-family
 !
 address-family vpnv4
  neighbor 196.49.1.3 activate
  neighbor 196.49.1.3 send-community extended
 exit-address-family
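The following is an added example, not code from the book or from Cisco: a small Python script that parses IOS-style configuration text by indentation and checks the elements that the internal route exchange in Example 6-1 depends on (the VRF with its RD and import/export route targets, an interface bound to the VRF with an address, the ipv4 vrf address family, and a VPNv4 neighbor that is activated and sends extended communities, which is how route targets travel between PE routers). The embedded configuration is Example 6-1; the second copy, with the send-community line removed, is a constructed misconfiguration, and the parser, function, and message names are assumptions made for this example.

```python
"""Added example (not from the book): sanity checks for a CSC PE
configuration such as Example 6-1.  Parser and check names are assumptions."""
import re

# Example 6-1 as printed in the chapter (EuroCom London CSC PE).
EXAMPLE_6_1 = """
hostname EuroCom_LondonPE
!
ip vrf InterCom
 rd 20:1234
 route-target export 20:99
 route-target import 20:99
!
interface Ethernet10/1/1
 description ** interface to InterCom London
 ip vrf forwarding InterCom
 ip address 194.69.27.6 255.255.255.252
!
router bgp 20
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor 196.49.1.3 remote-as 20
 neighbor 196.49.1.3 update-source Loopback0
 !
 address-family ipv4 vrf InterCom
  no auto-summary
  no synchronization
 exit-address-family
 !
 address-family vpnv4
  neighbor 196.49.1.3 activate
  neighbor 196.49.1.3 send-community extended
 exit-address-family
"""

# Constructed misconfiguration: the extended-community line is missing.
BROKEN = re.sub(r"^[ \t]*neighbor 196\.49\.1\.3 send-community extended\n", "",
                EXAMPLE_6_1, flags=re.M)


def parse_ios(text):
    """Parse IOS-style text into nested (line, children) nodes by indentation."""
    root = []
    stack = [(-1, root)]                      # (indent, child list) of open blocks
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":           # blank lines and separators
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        while indent <= stack[-1][0]:         # close blocks at deeper or equal indent
            stack.pop()
        node = (line, [])
        stack[-1][1].append(node)
        stack.append((indent, node[1]))
    return root


def find(nodes, prefix):
    """Child nodes whose command line starts with prefix."""
    return [n for n in nodes if n[0].startswith(prefix)]


def lines(node):
    return [child[0] for child in node[1]]


def check_csc_pe(text, vrf, neighbor):
    """Return a list of problems; empty means every element that the
    internal route exchange relies on is present."""
    cfg = parse_ios(text)
    problems = []

    vrf_nodes = find(cfg, f"ip vrf {vrf}")
    if not vrf_nodes:
        return [f"vrf {vrf} not defined"]
    body = lines(vrf_nodes[0])
    if not any(l.startswith("rd ") for l in body):
        problems.append(f"vrf {vrf}: no route distinguisher")
    for kind in ("export", "import"):
        if not any(l.startswith((f"route-target {kind}", "route-target both")) for l in body):
            problems.append(f"vrf {vrf}: no route-target {kind}")

    bound = [n for n in find(cfg, "interface ") if f"ip vrf forwarding {vrf}" in lines(n)]
    if not bound:
        problems.append(f"vrf {vrf}: no interface bound")
    elif not any(any(l.startswith("ip address ") for l in lines(n)) for n in bound):
        problems.append(f"vrf {vrf}: bound interface has no ip address")

    bgp = find(cfg, "router bgp ")
    if not bgp:
        return problems + ["no router bgp"]
    body = bgp[0][1]
    if not find(body, f"neighbor {neighbor} remote-as"):
        problems.append(f"{neighbor}: no remote-as")
    if not find(body, f"address-family ipv4 vrf {vrf}"):
        problems.append(f"vrf {vrf}: no address-family ipv4 vrf")
    vpnv4 = find(body, "address-family vpnv4")
    if not vpnv4:
        problems.append("no address-family vpnv4")
    else:
        af = lines(vpnv4[0])
        if f"neighbor {neighbor} activate" not in af:
            problems.append(f"{neighbor}: not activated for vpnv4")
        wanted = {f"neighbor {neighbor} send-community extended",
                  f"neighbor {neighbor} send-community both"}
        if not wanted & set(af):
            problems.append(f"{neighbor}: send-community extended missing, route targets would not be sent")
    return problems
```

Run `check_csc_pe(EXAMPLE_6_1, "InterCom", "196.49.1.3")` to get an empty list for Example 6-1; the same call on `BROKEN` reports the missing send-community line, which is the kind of omission that leaves the Munich PE unable to import the InterCom routes because the route target never arrives.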

Routing Information Exchange Between CSC PE Routers and CE Routers

In theory, any IGP that is supported for base MPLS VPN PE router/CE router route exchange can be used with the Carrier's Carrier architecture. The CSC CE router will use this routing protocol to advertise internal routes from the attached VPN site. These internal routes will then be placed into the corresponding VRF for subsequent distribution across the MPLS VPN backbone using Multiprotocol BGP. The use of Border Gateway Protocol (BGP-4) across the PE/CE links within the Carrier's Carrier architecture is a special case that requires some extensions to the protocol to support the label distribution requirement described earlier in this chapter. This case will be covered in detail later in this chapter.

Static Routing Between CSC PE/CE Routers

The first option that you might consider for PE/CE router connectivity is static routing; indeed, static routing is widely deployed today for normal MPLS VPN customers. Static routing is a good option if the number of routes within the attached site is small and does not change on a regular basis. This might not be the case where the Carrier's Carrier architecture is deployed because the end customer is typically an ISP or large enterprise, which might have a more substantial number of internal routes to exchange. If a large number of routes must be exchanged, then the configuration of the CSC PE router might become complex due to the number of static routes. If the routing information changes regularly, then management of the static routes might become prohibitive. For these reasons, the use of static routing within a Carrier's Carrier environment is discouraged.

From the CSC CE router's perspective, a static default route that points toward the CSC PE router might be desirable because this removes the requirement of maintaining a number of static routes at the CSC CE router. However, the design concept of forwarding IP packets toward external VPN destinations by using the MPLS label of the BGP next-hop prevents this. This is because an end-to-end LSP is required across the VPN and MPLS VPN backbone, and any summarization (including, of course, the default route) breaks the end-to-end LSP, as explained in Chapter 13 of MPLS and VPN Architectures, Volume 1. You will see later in this chapter that the use of a static default route at the CSC CE router is impossible within the Carrier's Carrier environment.

To enable the successful transport of packets toward InterCom external destinations, the only routes that you need to exchange between the InterCom sites are the BGP-4 next-hop addresses of these routes. These next-hop addresses would typically be the PE routers through which the external destinations are reachable. This means that in our example, the number of static routes at the EuroCom CSC PE routers is minimal because the InterCom VPN has only two sites.

NOTE

As stated earlier in this chapter, InterCom also has some local services within its sites, and the routes for these services need to be exchanged with the EuroCom MPLS VPN backbone. However, to simplify the configuration examples within this chapter, these routes will not be considered further.

The relevant configurations for the InterCom London site, to support the use of static routing, are shown in Example 6-2. For the sake of simplicity, only the BGP-4 next-hop addresses of the InterCom GamesNet and SoccerOnline peering routers are shown, although to complete the configuration, the next-hop addresses of the InterFlowers and Internet peering routers would need to be added.

Example 6-2. Static Route Configuration for InterCom VPN

hostname EuroCom_LondonPE
!
router bgp 20
!
address-family ipv4 vrf InterCom
redistribute static
no auto-summary
no synchronization
exit-address-family
!
! Route to GamesNet BGP next hop
ip route vrf InterCom 145.27.62.2 255.255.255.255 194.69.27.5
----------------------------------------------------------------------
hostname InterCom_LondonCE
!
! Route to SoccerOnline BGP next hop
ip route 145.27.63.2 255.255.255.255 194.69.27.6

This configuration shows that the EuroCom London CSC PE router has a static route pointing to the 145.27.62.2/32 prefix, which is the address used for the loopback 0 interface on the InterCom GamesNet peering router within the London site. The InterCom London CSC CE router has a static route pointing to the 145.27.63.2/32 prefix, which is the address used for the loopback0 interface on the SoccerOnline peering router within the Brussels site. These addresses will be used as the BGP next-hop when exchanging GamesNet and SoccerOnline routes directly between the InterCom London and Brussels sites.

NOTE

You might question why the 145.27.62.2/32 and 145.27.63.2/32 prefixes are used as the BGP-4 next-hops of all GamesNet and SoccerOnline routes advertised between the InterCom London and Brussels sites. In normal BGP-4 operation, the next-hop of external routes is not changed when advertising across an internal session. However, InterCom is using the next-hop-self feature on its edge routers (that peer with GamesNet and SoccerOnline) to change the next-hop to one of its own addresses. This eliminates the need to carry any external customer interface addresses within the InterCom network.

Dynamic Routing Between CSC PE/CE Routers

In most cases where the Carrier's Carrier architecture is deployed, static routing is not desirable for CSC PE router to CE router connectivity. This might be because of the number of routes within the site, or perhaps these routes change on a regular basis. Also, the site might have multiple connections into the MPLS VPN backbone, which would dictate a more dynamic method of route exchange. Whatever the case, any of the currently supported IGP protocols can be used in a Carrier's Carrier environment.

The configuration of the dynamic routing protocol is the same as in the base MPLS VPN environment. You can find detailed information on the configuration for RIP version 2 (RIPv2) and Open Shortest Path First (OSPF) in Chapter 9, "MPLS/VPN Architecture Operation," of MPLS and VPN Architectures, Volume 1. You can find information for IS-IS, EIGRP, and advanced OSPF in this book's Chapter 3, "PE-CE Routing Protocol Enhancements and Advanced Features." Sample configurations for the EuroCom London CSC PE router (for each routing protocol) are provided for completeness in Example 6-3.

Example 6-3. Dynamic Routing Protocol Configurations for InterCom

OSPF Configuration:

router ospf 101 vrf InterCom
network 194.69.27.4 0.0.0.3 area 1
redistribute bgp 20 subnets metric 20
!
router bgp 20
!
address-family ipv4 vrf InterCom
redistribute ospf 101 match internal external 1 external 2

RIP V2 Configuration:

router rip
version 2
!
address-family ipv4 vrf InterCom
version 2
redistribute bgp 20 metric transparent
network 194.69.27.0
!
router bgp 20
!
address-family ipv4 vrf InterCom
redistribute rip

EIGRP Configuration:

router eigrp 1
!
address-family ipv4 vrf InterCom
redistribute bgp 20
network 194.69.27.4 0.0.0.3
no auto-summary
autonomous-system 21
!
router bgp 20
!
address-family ipv4 vrf InterCom
redistribute eigrp 21

IS-IS Configuration:

router isis InterCom vrf InterCom
net 47.1234.0000.0000.0020.00
redistribute bgp 10 metric transparent level-1-2
metric-style wide
!
router bgp 20
!
address-family ipv4 vrf InterCom
redistribute isis InterCom vrf InterCom level-1-2
!

Exchange of External Routes Between VPN Sites

You learned earlier in this chapter that customer external routes within the Carrier's Carrier architecture are not exchanged directly with the MPLS VPN backbone. This implies that direct BGP-4 sessions between C routers are required to distribute these external routes. In most cases, the BGP-4 session between sites will be established within the same autonomous system; therefore, internal BGP-4 will be used. Figure 6-5 shows that the InterCom GamesNet and SoccerOnline routers are connected by using an internal BGP-4 session for the exchange of GamesNet and SoccerOnline routes.

Figure 6-5. Internal BGP Peering Between InterCom C Routers

NOTE

There is no restriction within the Carrier's Carrier architecture to prevent the use of external BGP sessions between customer sites.

For clarity and to simplify our example configuration, Figure 6-5 only shows a BGP session between the GamesNet and SoccerOnline edge routers and not between all InterCom routers. However, if internal BGP-4 is used between customer sites, then standard internal BGP-4 rules apply. This means that a full mesh of sessions is required between all sites; otherwise, to reduce the number of sessions, route reflectors or BGP confederations must be deployed.

NOTE

The full mesh requirement includes the CSC CE routers at this point because a label distribution protocol has not yet been deployed within the InterCom sites or across the PE/CE links. This means that all the external routes known within the InterCom autonomous system will be carried on the CSC CE routers, although these routes will not be exchanged with the CSC PE routers. You have already seen in this chapter that packets are dropped by the CSC PE routers if the IP destination addresses are unavailable, and this is also the case for the CSC CE routers. You will see later in this chapter that the requirement for BGP on the CSC CE routers will be removed when a label distribution protocol is deployed on the PE/CE links and within the InterCom sites.

In a real deployment, it is likely that InterCom would use route reflectors. All internal BGP-4 sessions would peer with these route reflectors rather than direct peering between edge routers. Example 6-4 shows the BGP-4 configuration on the InterCom edge routers that will allow the exchange of routes between the GamesNet and SoccerOnline routers.
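The full-mesh rule in the notes above is easy to violate once a site has more than two edge routers: a missing neighbor statement on either side, or a router that is not a client of the route reflector, silently leaves a pair of sites without external routes. The following Python script is an added example (not from the book and not part of Cisco IOS) that parses the BGP section of several IOS configurations and reports every pair of iBGP speakers that has neither a direct session configured on both sides nor a common route reflector. The GamesNet and SoccerOnline configurations are those of Example 6-4; the third router, InterCom-Paris with loopback 145.27.64.2, and the route-reflector-client statements used in the usage note are constructed for illustration and are not part of the book's topology.

```python
"""iBGP full-mesh check for the InterCom edge routers (added example).

Parses the BGP section of several IOS configurations and reports every pair of
iBGP speakers that has neither a direct session configured on both sides nor a
route reflector of which both are clients. Router names and addresses beyond
Example 6-4 (the InterCom-Paris router, 145.27.64.2) are constructed here and
are not part of the book's topology.
"""
import re
from itertools import combinations

# Constructed inputs, keyed by the loopback address each router peers from.
CONFIGS = {
    "145.27.62.2": """\
hostname InterCom-GamesNet
!
router bgp 100
 no synchronization
 neighbor 145.27.63.2 remote-as 100
 neighbor 145.27.63.2 update-source Loopback0
 neighbor 145.27.64.2 remote-as 100
 neighbor 145.27.64.2 update-source Loopback0
""",
    "145.27.63.2": """\
hostname InterCom-SoccerOnline
!
router bgp 100
 no synchronization
 neighbor 145.27.62.2 remote-as 100
 neighbor 145.27.62.2 update-source Loopback0
""",
    # Hypothetical third edge router: peers with GamesNet only.
    "145.27.64.2": """\
hostname InterCom-Paris
!
router bgp 100
 no synchronization
 neighbor 145.27.62.2 remote-as 100
 neighbor 145.27.62.2 update-source Loopback0
""",
}

LOCAL_AS_RE = re.compile(r"^\s*router bgp\s+(\d+)")
NEIGHBOR_RE = re.compile(r"^\s*neighbor\s+(\S+)\s+remote-as\s+(\d+)")
RR_CLIENT_RE = re.compile(r"^\s*neighbor\s+(\S+)\s+route-reflector-client")


def parse_bgp(text):
    """Return (local_as, set of iBGP neighbor addresses, set of RR clients)."""
    local_as, ibgp, clients = None, set(), set()
    for line in text.splitlines():
        m = LOCAL_AS_RE.match(line)
        if m:
            local_as = m.group(1)
            continue
        m = NEIGHBOR_RE.match(line)
        if m and m.group(2) == local_as:   # same AS number => internal session
            ibgp.add(m.group(1))
            continue
        m = RR_CLIENT_RE.match(line)
        if m:
            clients.add(m.group(1))
    return local_as, ibgp, clients


def ibgp_gaps(configs):
    """Sorted list of (addr_a, addr_b) pairs that would not exchange routes.

    A pair is covered if both sides list each other as an iBGP neighbor, or if
    some router in the set declares both of them as route-reflector clients.
    """
    parsed = {addr: parse_bgp(cfg) for addr, cfg in configs.items()}
    reflector_clients = [clients for _, _, clients in parsed.values() if clients]
    gaps = []
    for a, b in combinations(sorted(parsed), 2):
        direct = b in parsed[a][1] and a in parsed[b][1]
        reflected = any(a in c and b in c for c in reflector_clients)
        if not (direct or reflected):
            gaps.append((a, b))
    return gaps


if __name__ == "__main__":
    for a, b in ibgp_gaps(CONFIGS):
        print(f"no iBGP path between {a} and {b}: add a session or a route reflector")
```

Run as written, the script reports the SoccerOnline/Paris pair. Adding `neighbor 145.27.63.2 route-reflector-client` and `neighbor 145.27.64.2 route-reflector-client` under GamesNet's BGP process (making it the route reflector suggested in the text) clears the report without any further sessions, which is the point of deploying reflectors instead of a full mesh.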

Example 6-4. BGP-4 Configuration for InterCom Edge Routers

hostname InterCom-GamesNet
!
router bgp 100
no synchronization
neighbor 145.27.63.2 remote-as 100
neighbor 145.27.63.2 update-source Loopback0
----------------------------------------------------------------------
hostname InterCom-SoccerOnline
!
router bgp 100
no synchronization
neighbor 145.27.62.2 remote-as 100
neighbor 145.27.62.2 update-source Loopback0

This configuration shows that the InterCom-GamesNet router (IP address 145.27.62.2) has an internal BGP-4 session with the InterCom-SoccerOnline router (IP address 145.27.63.2). (It is an internal BGP-4 session because the remote autonomous system numbers are the same.) You can see in Example 6-5 that the InterCom-GamesNet router has learned the SoccerOnline subnet 216.49.24.0/24 from the InterCom-SoccerOnline router with a next-hop of 145.27.63.2, which is the SoccerOnline peering router. The InterCom-SoccerOnline router has learned the GamesNet subnet 222.27.5.0/24 from the InterCom GamesNet router with a next-hop of 145.27.62.2, which is the GamesNet peering router.

Example 6-5. Carrier's Carrier Internal BGP-4 Exchange

InterCom-GamesNet# show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

i L2 145.27.63.2/32 [115/10] via 145.27.62.6, Ethernet3/1
B    216.49.24.0/24 [200/0] via 145.27.63.2, 3d00h

InterCom-SoccerOnline#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 194.69.27.10 to network 0.0.0.0

i L2 145.27.62.2/32 [115/10] via 145.27.63.10, Ethernet4/0
B    222.27.5.0/24 [200/0] via 145.27.62.2, 3d00h

The next-hops for the GamesNet and SoccerOnline subnets have been learned via the InterCom IGP, which in this case is Intermediate System-to-Intermediate System (IS-IS). These routes were injected into the InterCom IGP at the CSC CE routers, through redistribution of static routes into the IS-IS process, as shown in Example 6-6. If a dynamic routing protocol is used across the PE/CE links, then this redistribution step is not required because the next-hop addresses will be learned from the local CSC PE router.

Example 6-6. Redistribution of BGP Next-Hops into Site IGP

router isis InterCom
redistribute static ip
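The redistribution step above, together with the earlier explanation of why a default route at the CSC CE router breaks the end-to-end LSP, comes down to one condition that can be checked on any site router: every BGP next-hop in the routing table must resolve through a host route to the remote peering router, not through a summary or the default route. The following Python script is an added example (not from the book) that parses `show ip route` output and reports any BGP next-hop whose longest match is not a /32. The first table is transcribed from the GamesNet half of Example 6-5; the second is constructed to show the failure case, with the IS-IS host route to 145.27.62.2 removed and only a static default toward 194.69.27.10 left in its place.

```python
"""BGP next-hop resolution check for a Carrier's Carrier site router (added example).

Parses 'show ip route' text and reports every BGP next-hop whose longest match
is not a host (/32) route. GOOD_TABLE is transcribed from Example 6-5; BAD_TABLE
is constructed to show the failure the chapter warns about: the host route to
the remote peering router is missing and only a default route remains.
"""
import ipaddress
import re

# Matches "i L2 145.27.63.2/32 [115/10] via 145.27.62.6, ..." style route lines.
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Za-z*]+)(?:\s+(?:L1|L2|IA|EX|E1|E2|N1|N2|ia))?"
    r"\s+(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+\[\d+/\d+\]\s+via\s+(?P<via>\d+\.\d+\.\d+\.\d+)"
)

GOOD_TABLE = """\
Gateway of last resort is not set

i L2 145.27.63.2/32 [115/10] via 145.27.62.6, Ethernet3/1
B    216.49.24.0/24 [200/0] via 145.27.63.2, 3d00h
"""

# Constructed: same BGP route as the SoccerOnline table, but the IS-IS host
# route to 145.27.62.2 has been removed and a static default covers it instead.
BAD_TABLE = """\
Gateway of last resort is 194.69.27.10 to network 0.0.0.0

S*   0.0.0.0/0 [1/0] via 194.69.27.10
B    222.27.5.0/24 [200/0] via 145.27.62.2, 3d00h
"""


def parse_routes(text):
    """Return [(code, network, via)] for every route line in the output."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            net = ipaddress.ip_network(m.group("prefix"), strict=False)
            routes.append((m.group("code"), net, m.group("via")))
    return routes


def longest_match(routes, addr):
    """Longest-prefix match of addr against the parsed table, or None if unroutable."""
    ip = ipaddress.ip_address(addr)
    covering = [net for _, net, _ in routes if ip in net]
    return max(covering, key=lambda n: n.prefixlen) if covering else None


def unresolved_bgp_next_hops(text):
    """Map each BGP next-hop that is not covered by a /32 to the prefix it
    currently matches (None if it matches nothing and would be dropped).

    A default or summary match is a failure here: the label learned for that
    aggregate does not give an end-to-end LSP to the remote next-hop."""
    routes = parse_routes(text)
    bad = {}
    for code, _, via in routes:
        if code != "B":
            continue
        match = longest_match(routes, via)
        if match is None or match.prefixlen != 32:
            bad[via] = str(match) if match is not None else None
    return bad


if __name__ == "__main__":
    for name, table in (("GamesNet", GOOD_TABLE), ("constructed", BAD_TABLE)):
        print(name, unresolved_bgp_next_hops(table) or "all BGP next-hops resolve via /32")
```

On the GamesNet table the check passes because 145.27.63.2 is covered by the IS-IS /32 that Example 6-6 injects; on the constructed table it reports 145.27.62.2 as matching only 0.0.0.0/0, which is exactly the summarization case the chapter says is not usable in a Carrier's Carrier environment.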




Label Distribution Protocols on PE-CE Links

The previous sections have shown how routes are exchanged directly between VPN sites and also with the MPLS VPN backbone. Having distributed all of the routing information, you might think that connectivity is achieved between the customer sites, but you have already seen that this is not the case. Example 6-7 shows that ping tests result in no reachability between the VPN endpoints (in this case the InterCom-GamesNet router and a host on the SoccerOnline 216.29.24.0/24 subnet).

Example 6-7. Connectivity Failure Between C Routers

InterCom-GamesNet# ping 216.29.24.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 216.29.24.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Let's remind ourselves what the problem is and inspect the InterCom routing table at the London CSC PE router. Having distributed everything within the control plane, data forwarding should be available, but the routing table shows that the destination subnet 216.29.24.0/24 does not exist within the InterCom VRF, as shown in Example 6-8.

Example 6-8. Missing Routing Information at CSC PE Router


EuroCom_LondonPE# show ip route vrf InterCom
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

     194.69.27.0/30 is subnetted, 1 subnets
C       194.69.27.4 is directly connected, Ethernet10/1/1
     145.27.0.0/32 is subnetted, 3 subnets
B       145.27.63.1 [200/0] via 196.49.1.3, 3d03h
S       145.27.62.2 [1/0] via 194.69.27.5
B       145.27.63.2 [200/0] via 196.49.1.3, 3d03h

Remember that the fundamental principle of the Carrier's Carrier architecture is to offload the MPLS VPN backbone from having to carry end-customer external routes. In our ping test example, the destination address of the ping is indeed a prefix that belongs to one of InterCom's external customers. This route was never distributed to the CSC PE router; therefore, the CSC PE router has no means of forwarding an incoming packet that contains a destination address that is external to the InterCom VPN. This means that the CSC PE router has no choice but to drop the packet and inform the CSC CE router that the destination host is unreachable.

To overcome this fundamental routing problem, the CSC PE routers must be able to forward packets from the CSC CE router based on something other than the destination IP address. One of the basic concepts of MPLS is that it separates routing from forwarding. MPLS forwards a packet based on the value of the label only; the IP address is not examined by label switch routers in the packet-forwarding path (except in the case of load balancing).

If a label were pushed onto a packet before it got to the CSC PE router, then the CSC PE router would be able to forward all packets from the CSC CE router based on the label, regardless of whether the destination of the packet were an internal or external address. To enable this functionality, label distribution must be extended from the service provider backbone down to the CSC CE routers.

Figure 6-6 shows that LDP is extended from the EuroCom backbone down to the InterCom London and Brussels CSC CE routers.

Figure 6-6. LDP Extension from CSC PE Router to CE Router

NOTE

LDP and BGP are the only label distribution protocols that are supported in a Carrier's Carrier environment; therefore, you cannot use the Tag Distribution Protocol (TDP) on the PE/CE links, although you can continue to use it within the rest of the network if you so desire.

To enable LDP across the CSC PE router to CE router links, you must configure the mpls ip interface command on the interface. The selection of LDP as the label distribution protocol is automatic and does not need to be configured by using the mpls label protocol ldp command. Example 6-9 shows the configuration of the EuroCom London CSC PE router, as well as the automatic selection of LDP.

Example 6-9. Enabling LDP on the PE Router/CE Router Interface

hostname EuroCom_LondonPE
!


interface Ethernet10/1/0
 description ** interface to InterCom London
 ip vrf forwarding InterCom
 ip address 194.69.27.6 255.255.255.252
 tag-switching ip

00:04:44: Set CSC label distribution protocol to LDP for VRF InterCom

After you have configured the CSC PE router and CE router for LDP label distribution, you can confirm successful establishment of the LDP session by using the show mpls ldp discovery <vrf> and show mpls ldp neighbor <vrf> commands, as illustrated in Example 6-10.

NOTE

Each of the LDP commands has been extended to support the Carrier's Carrier architecture so that information for each LDP-in-a-VRF context can be displayed.


Example 6-10. Use of show mpls ldp discovery/neighbor Commands

EuroCom_LondonPE# show mpls ldp discovery vrf InterCom
 Local LDP Identifier:
    194.69.27.6:0
    Discovery Sources:
    Interfaces:
        Ethernet10/1/1 (ldp): xmit/recv
            LDP Id: 145.27.62.1:0

EuroCom_LondonPE# show mpls ldp neighbor vrf InterCom
    Peer LDP Ident: 145.27.62.1:0; Local LDP Ident 194.69.27.6:0
        TCP connection: 145.27.62.1.646 - 194.69.27.6.11002
        State: Oper; Msgs sent/rcvd: 14/19; Downstream
        Up time: 00:08:18
        LDP discovery sources:
          Ethernet10/1/1, Src IP addr: 194.69.27.5
        Addresses bound to peer LDP Ident:
          145.27.62.6     145.27.62.1     194.69.27.5

This example shows that an LDP session between the EuroCom London CSC PE router and the InterCom London CSC CE router has been successfully established. In this particular example, the EuroCom CSC PE router has an LDP identifier of 194.69.27.6:0, and the InterCom CSC CE router has an LDP identifier of 145.27.62.1:0. The LDP identifier is selected as the highest loopback interface address within the VRF; if no loopback interfaces exist, then the highest IP address available within the VRF is used.

The InterCom VRF on the EuroCom London CSC PE router contains no loopback interface. This means that the highest available IP address is the address assigned to the interface that connects to the InterCom CSC CE router. However, the InterCom CSC CE router does have a loopback address, 145.27.62.1/32; therefore, this address is used as the LDP identifier rather than the address of the link to the EuroCom CSC PE router. This is an important observation to understand, especially if static routing is used across the PE/CE link. The IP address that is used for the LDP identifier must be reachable from the LDP neighbor because the LDP sessions are established between LDP identifiers.


In our example, a static route has been provisioned at the EuroCom London CSC PE router that points toward the InterCom CSC CE router loopback address, 145.27.62.1/32. If the static route is removed from the EuroCom CSC PE router, then you can no longer establish an LDP session with the InterCom CSC CE router (see Example 6-11).

Example 6-11. LDP Identifier Usage with Static Routing

EuroCom_London-PE# show mpls ldp discovery vrf InterCom
 Local LDP Identifier:
    194.69.27.6:0
    Discovery Sources:
    Interfaces:
        Ethernet10/1/1 (ldp): xmit/recv
            LDP Id: 145.27.62.1:0; no route

This example clearly shows that no route exists at the EuroCom CSC PE router for the remote LDP identifier (145.27.62.1:0); therefore, a problem exists. A session cannot be established because this address is used as the transport address for the TCP connection.

LDP Discovery: Transport Address Usage

You can clearly avoid the problem in the previous example by configuring a static route within the VRF on the CSC PE router. However, this problem occurs because the transport address used to establish the TCP session between CSC PE router and CE router is the same as the LDP identifier address. You can change this default behavior by using the mpls ldp discovery transport-address command on the link that attaches the CSC PE router to the CE router, as shown in Example 6-12.

Example 6-12. mpls ldp discovery transport-address

EuroCom_LondonPE(config)# interface e10/1/1
EuroCom_LondonPE(config-if)# mpls ldp discovery transport-address interface

InterCom_LondonCE(config)# interface e5/1
InterCom_LondonCE(config-if)# mpls ldp discovery transport-address interface


Having specified that the transport address should be the same as the local interface address, Example 6-13 shows that the LDP session is successfully established.

Example 6-13. Successful LDP Discovery with transport-address

EuroCom_LondonPE# show mpls ldp discovery vrf InterCom
 Local LDP Identifier:
    194.69.27.6:0
    Discovery Sources:
    Interfaces:
        Ethernet10/1/1 (ldp): xmit/recv
            LDP Id: 145.27.62.1:0; IP addr: 194.69.27.5

EuroCom_LondonPE# show mpls ldp neighbor vrf InterCom
    Peer LDP Ident: 145.27.62.1:0; Local LDP Ident 194.69.27.6:0
        TCP connection: 194.69.27.5.646 - 194.69.27.6.11296
        State: Oper; Msgs sent/rcvd: 9/15; Downstream
        Up time: 00:03:41
        LDP discovery sources:
          Ethernet10/1/1, Src IP addr: 194.69.27.5
        Addresses bound to peer LDP Ident:
          145.27.62.6     145.27.62.1     194.69.27.5

As Example 6-13 shows, the LDP identifier is not affected by the mpls ldp discovery transport-address command. However, the TCP connection between the CSC CE router and PE router is now between 194.69.27.5.646 – 194.69.27.6.11296, which are the local interface addresses. (646 is the TCP port used for LDP.)

NOTE

A further option to resolve the LDP session establishment problem is to configure the LDP router-id manually at the CSC CE router by using the mpls ldp router-id command. This forces the LDP identifier to be the IP address of the specified interface. However, the problem with this solution is that the link to the CSC PE router might flap, causing the router-id to change and creating potential instability. Therefore, it is recommended that you set the router-id to a loopback interface on the CSC CE router and specify the transport address to be used via the mpls ldp discovery transport-address command. You should also use this command at the CSC PE router if more than one interface is associated with the CSC VRF.
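The three discovery outputs above differ only in what follows the LDP Id field, and that field decides whether the session can come up. As an added example (not code from the book), the following Python script parses show mpls ldp discovery vrf and show mpls ldp neighbor vrf output, reports the transport address each peer will be reached on, flags the "no route" condition of Example 6-11, and cross-checks the neighbor's TCP connection against what discovery predicts. The sample output embedded in it is reproduced from Examples 6-10, 6-11 and 6-13; the function and class names are the example's own.

```python
"""Audit LDP-in-a-VRF sessions from 'show mpls ldp discovery vrf' and
'show mpls ldp neighbor vrf' output. Added example, not the book's code;
the sample output below is reproduced from Examples 6-10, 6-11 and 6-13."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

LOCAL_ID_RE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+:\d+)\s*$")
IFACE_RE = re.compile(r"^\s*(\S+)\s+\(ldp\):")
PEER_RE = re.compile(r"LDP Id:\s*(\d+\.\d+\.\d+\.\d+:\d+)(.*)$")
# "TCP connection: 145.27.62.1.646 - 194.69.27.6.11002" -> two addr.port pairs
TCP_RE = re.compile(r"TCP connection:\s*([\d.]+)\.(\d+)\s*-\s*([\d.]+)\.(\d+)")

DISCOVERY_OK = """\
 Local LDP Identifier:
    194.69.27.6:0
    Discovery Sources:
    Interfaces:
        Ethernet10/1/1 (ldp): xmit/recv
            LDP Id: 145.27.62.1:0
"""
DISCOVERY_NO_ROUTE = DISCOVERY_OK.replace("145.27.62.1:0", "145.27.62.1:0; no route")
DISCOVERY_XPORT = DISCOVERY_OK.replace("145.27.62.1:0", "145.27.62.1:0; IP addr: 194.69.27.5")
NEIGHBOR_OK = ("    Peer LDP Ident: 145.27.62.1:0; Local LDP Ident 194.69.27.6:0\n"
               "        TCP connection: 145.27.62.1.646 - 194.69.27.6.11002\n")
NEIGHBOR_XPORT = ("    Peer LDP Ident: 145.27.62.1:0; Local LDP Ident 194.69.27.6:0\n"
                  "        TCP connection: 194.69.27.5.646 - 194.69.27.6.11296\n")


@dataclass
class LdpPeer:
    interface: str
    ldp_id: str           # e.g. "145.27.62.1:0" (address plus label space)
    transport_addr: str   # address the LDP TCP session is opened to
    has_route: bool       # False when IOS prints "; no route" after the LDP Id


def id_to_addr(ldp_id: str) -> str:
    """'145.27.62.1:0' -> '145.27.62.1'."""
    return ldp_id.rsplit(":", 1)[0]


def parse_discovery(text: str) -> Tuple[Optional[str], List[LdpPeer]]:
    """Return (local LDP identifier, peers seen on the VRF interfaces)."""
    local_id: Optional[str] = None
    peers: List[LdpPeer] = []
    interface, expect_local = "?", False
    for line in text.splitlines():
        if "Local LDP Identifier" in line:
            expect_local = True
            continue
        m = LOCAL_ID_RE.match(line)
        if expect_local and m:
            local_id, expect_local = m.group(1), False
            continue
        m = IFACE_RE.match(line)
        if m:
            interface = m.group(1)
            continue
        m = PEER_RE.search(line)
        if m:
            ldp_id, rest = m.group(1), m.group(2)
            ip_m = re.search(r"IP addr:\s*([\d.]+)", rest)
            # By default the transport address is the LDP identifier address;
            # 'mpls ldp discovery transport-address interface' on the peer makes
            # it advertise the link address instead, shown by IOS as 'IP addr:'.
            transport = ip_m.group(1) if ip_m else id_to_addr(ldp_id)
            peers.append(LdpPeer(interface, ldp_id, transport, "no route" not in rest))
    return local_id, peers


def audit(text: str) -> List[Tuple[str, str, str]]:
    """(interface, 'ok' or 'no-route', transport address) per discovered peer.
    'no-route' is the Example 6-11 condition: the router has no route to the
    address the session would be opened to, so the session never comes up."""
    return [(p.interface, "ok" if p.has_route else "no-route", p.transport_addr)
            for p in parse_discovery(text)[1]]


def check_neighbor(discovery_text: str, neighbor_text: str) -> bool:
    """True when the TCP connection in 'show mpls ldp neighbor' uses the
    transport address that discovery predicts for the (first) peer."""
    _, peers = parse_discovery(discovery_text)
    m = TCP_RE.search(neighbor_text)
    if not peers or not m:
        return False
    return peers[0].transport_addr in (m.group(1), m.group(3))


if __name__ == "__main__":
    for name, text in (("6-10", DISCOVERY_OK), ("6-11", DISCOVERY_NO_ROUTE), ("6-13", DISCOVERY_XPORT)):
        print(name, audit(text))
```

The check is deliberately based on the discovery output alone: on a CSC PE with several VRF interfaces, running it per VRF shows at a glance which peers will try to open the session to a loopback that the VRF may not be able to reach.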

Label Distribution Between CSC PE Router and CE Router

After LDP has been enabled on the CSC PE router to CE router links, labels for internal routes are exchanged between the CSC PE router and the CE router. Example 6-14 shows the label exchange between the EuroCom London CSC PE router and the InterCom London CSC CE router.

Example 6-14. Label Exchange Confirmation Between PE/CE Routers

EuroCom_LondonPE# show mpls forwarding vrf InterCom
Local  Outgoing    Prefix             Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id       switched   interface
19     Pop tag     145.27.62.1/32[V]  9934       Et10/1/1   194.69.27.5
20     17          145.27.62.2/32[V]  12084      Et10/1/1   194.69.27.5
21     27          145.27.63.2/32[V]  8404       AT9/0/0    10.2.1.10
22     27          145.27.63.1/32[V]  7930       AT9/0/0    10.2.1.10

InterCom_LondonCE# show mpls forwarding
Local  Outgoing    Prefix             Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id       switched   interface
16     22          145.27.63.1/32     0          Et5/1      194.69.27.6
17     Untagged    145.27.62.2/32     11714      Et5/0      145.27.62.5
18     21          145.27.63.2/32     0          Et5/1      194.69.27.6

The output for the EuroCom London CSC PE router shows that subnets 145.27.62.1/32 and 145.27.62.2 (the loopbacks of the InterCom London CSC CE router and the InterCom GamesNet router) are reachable via 194.69.27.5 (the InterCom London CSC CE router). Subnets 145.27.63.1/32 and 145.27.63.2/32 (the InterCom Brussels CSC CE router and the InterCom Soccer Online router) are reachable via 10.2.1.20 (a P router within the EuroCom MPLS VPN backbone).

The output for the InterCom London CSC CE router shows that subnets 145.27.63.1/32 and 145.27.63.2/32 are reachable via 194.69.27.6 (the EuroCom London CSC PE router). The 145.27.62.2/32 subnet (the InterCom GamesNet router) is reachable via 145.27.62.5 (the directly connected interface address on the InterCom GamesNet router). The link between the London CSC CE router and the GamesNet router does not have label switching enabled; therefore, packets that are destined to 145.27.62.2 are untagged.

Using this label forwarding information, connectivity within the InterCom VPN is established, as shown in Example 6-15. The full data-path from the InterCom-GamesNet router to the InterCom-Soccer Online router is provided within the example and in Figure 6-7.

Example 6-15. Successful Connectivity Within the InterCom VPN

InterCom-GamesNet# ping 216.49.24.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 216.49.24.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms

InterCom-Gamesnet# show ip cef 216.49.24.0
216.49.24.0/24, version 81, cached adjacency 145.27.62.6
0 packets, 0 bytes
  via 145.27.63.2, 0 dependencies, recursive
    next hop 145.27.62.6, Ethernet3/1 via 145.27.63.2/32
    valid cached adjacency

InterCom-GamesNet# show ip cef 145.27.63.2
145.27.63.2/32, version 80, cached adjacency 145.27.62.6
0 packets, 0 bytes
  via 145.27.62.6, Ethernet3/1, 1 dependency
    next hop 145.27.62.6, Ethernet3/1
    valid cached adjacency

InterCom_LondonCE# show ip cef 216.49.24.0
216.49.24.0/24, version 44, cached adjacency 194.69.27.6
0 packets, 0 bytes
  tag information from 145.27.63.2/32, shared, unshareable
    local tag: 18
    fast tag rewrite with Et5/1, 194.69.27.6, tags imposed {21}
  via 145.27.63.2, 0 dependencies, recursive
    next hop 194.69.27.6, Ethernet5/1 via 145.27.63.2/32
    valid cached adjacency
    tag rewrite with Et5/1, 194.69.27.6, tags imposed {21}

NOTE## the label value of 21 corresponds to the BGP next-hop of the 216.49.24.0/24 subnet

EuroCom_LondonPE# show mpls forwarding label 21
Local  Outgoing    Prefix             Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id       switched   interface
21     27          145.27.63.2/32[V]  11106      AT9/0/0    10.2.1.10

EuroCom_LondonPE# show ip cef vrf InterCom 145.27.63.2
145.27.63.2/32, version 16, cached adjacency 10.2.1.10
0 packets, 0 bytes
  tag information set
    local tag: 21
    fast tag rewrite with AT9/0/0, 10.2.1.10, tags imposed {27 20}
  via 196.49.1.3, 0 dependencies, recursive
    next hop 10.2.1.10, ATM9/0/0 via 196.49.1.3/32
    valid cached adjacency
    tag rewrite with AT9/0/0, 10.2.1.10, tags imposed {27 20}

EuroCom_P# show mpls forwarding
Local  Outgoing    Prefix             Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id       switched   interface
27     Pop tag     196.49.1.3/32      134180     AT0/0      10.2.1.21

EuroCom_MunichPE# show mpls forwarding label 20
Local  Outgoing    Prefix             Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id       switched   interface
20     18          145.27.63.2/32[V]  0          Se10/0/1   point2point

InterCom_BrusselsCE# show mpls forwarding label 18
Local  Outgoing    Prefix             Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id       switched   interface
18     Untagged    145.27.63.2/32     200        Et3/0      145.27.63.9

Figure 6-7. LSP for InterCom VPN

NOTE

A successful ping of the Soccer Online subnet from the InterCom London site relies on the fact that the InterCom London CSC CE router knows of the Soccer Online subnet. This is because the London CSC CE router receives an IP packet that has a destination address of 216.49.24.1 and must perform a lookup in the forwarding information base (FIB) for this destination. To remove this requirement, you must extend label distribution into the attached site so that an LSP is available from the ingress edge router to the egress edge router. This means that in our example, you need to extend LDP to the GamesNet and Soccer Online edge routers so that the InterCom CSC CE routers perform label switching only. As explained earlier in this chapter, extending LDP into each Carrier's Carrier site removes the requirement for BGP-4 peering at the CSC CE routers and reduces the complexity of the BGP topology.

Use of Static Default Routes at CSC CE Routers

The use of static default routes (that point toward the CSC PE router for external next-hop reachability) at the CSC CE router is not possible within the Carrier's Carrier architecture. To help illustrate this restriction, let's assume that the InterCom CSC CE routers have been configured with static default routes instead of the specific static routes that we described earlier. Example 6-16 shows that because of the static default route configuration, no connectivity is available from the InterCom London CSC CE router to the Soccer Online subnet 216.49.24.0/24.

Example 6-16. Connectivity Between InterCom CSC CE Routers

InterCom_LondonCE# ping 216.49.24.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 216.49.24.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

This loss of connectivity occurred because the CSC PE router must rely on label switching to forward traffic within the VPN for external routes. Because no label is available for the default route, forwarding fails. Even if a label were available at the CSC PE router, forwarding might still fail because packets might be sent to one exit point rather than to the correct egress CSC PE router.

Example 6-17. Default Restriction in Carrier's Carrier Environment

InterCom_LondonCE# show ip route 216.49.24.0
Routing entry for 216.49.24.0/24
  Known via "bgp 10", distance 200, metric 0, type internal
  Last update from 145.27.63.2 00:32:17 ago
  Routing Descriptor Blocks:
  * 145.27.63.2, from 145.27.63.1, 00:32:17 ago
      Route metric is 0, traffic share count is 1
      AS Hops 0

InterCom_LondonCE# show ip route 145.27.63.2
% Subnet not in table

InterCom_LondonCE# show ip route 0.0.0.0
Routing entry for 0.0.0.0/0, supernet
  Known via "static", distance 1, metric 0, candidate default path
  Routing Descriptor Blocks:
  * 194.69.27.6
      Route metric is 0, traffic share count is 1

InterCom_LondonCE# show ip cef 216.49.24.1
216.49.24.0/24, version 1735, cached adjacency 194.69.27.6
0 packets, 0 bytes
  tag information from 0.0.0.0/0, shared, unshareable
    local tag: implicit-null
  via 145.27.63.2, 0 dependencies, recursive
    next hop 194.69.27.6, Ethernet5/1 via 0.0.0.0/0
    valid cached adjacency

As illustrated in Example 6-17, the 216.49.24.0/24 subnet is reachable via a next-hop of 145.27.63.2 (the InterCom Soccer Online peering router). This next-hop does not exist within the routing table, so you must use the default route. This default points to a next hop of 194.69.27.6, which is the EuroCom London CSC PE router. The CEF entry for the 216.49.24.0/24 subnet shows that no label stack is prepended to the outgoing packets when they are sent toward the CSC PE router; therefore, forwarding fails because the CSC PE router has no forwarding entry for the 216.49.24.0/24 subnet. To overcome this issue, the CSC CE router must have static routes pointing toward the BGP next-hop for external routes. A default that points from the CSC CE router to the CSC PE router is impossible within the Carrier's Carrier environment.
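The following Python model, added here as an illustration and not code from the book or from Cisco IOS, walks one packet along the InterCom LSP of Example 6-15 and then repeats the walk with the static default route of Examples 6-16 and 6-17. The FIB and LFIB tables are transcribed from the show mpls forwarding and show ip cef output above (the label for 145.27.63.1/32 at the Munich PE is not shown on the page and is left out); the walk function, the use of router hostnames as next hops, and the drop messages are a constructed simplification: a real CSC PE selects the VRF from the inbound interface, which the model folds into a per-router FIB.

```python
"""Walk a packet along the InterCom Carrier's Carrier LSP, then show why a
static default at the CSC CE leaves the CSC PE with nothing to forward on.

Added example, not code from the book. Tables transcribed from Examples
6-14, 6-15 and 6-17; the forwarding walk itself is a constructed model.
"""
from ipaddress import ip_address, ip_network

# Label stacks are lists with the top of stack LAST, so IOS "tags imposed
# {27 20}" (printed top first) is written here as [20, 27].
# FIB entry : prefix   -> (next_router, labels_to_impose); next_router None = local
# LFIB entry: in_label -> (labels_replacing_it, next_router); [] = Pop tag / Untagged


def make_network(london_ce_fib):
    """Build the router model; the caller picks the London CSC CE router's FIB."""
    return {
        # No LDP on the GamesNet link, so the London CE receives plain IP.
        "InterCom-GamesNet": {"fib": {"216.49.24.0/24": ("InterCom_LondonCE", [])}, "lfib": {}},
        "InterCom_LondonCE": {"fib": london_ce_fib, "lfib": {}},
        "EuroCom_LondonPE": {
            # VRF InterCom holds only InterCom's internal routes (Example 6-14);
            # the external 216.49.24.0/24 is deliberately absent.
            "fib": {
                "145.27.62.1/32": ("InterCom_LondonCE", []),      # Pop tag
                "145.27.62.2/32": ("InterCom_LondonCE", [17]),
                "145.27.63.2/32": ("EuroCom_P", [20, 27]),        # tags imposed {27 20}
            },
            "lfib": {21: ([20, 27], "EuroCom_P")},                # local tag 21
        },
        "EuroCom_P": {"fib": {}, "lfib": {27: ([], "EuroCom_MunichPE")}},      # Pop tag (PHP)
        "EuroCom_MunichPE": {"fib": {}, "lfib": {20: ([18], "InterCom_BrusselsCE")}},
        "InterCom_BrusselsCE": {"fib": {}, "lfib": {18: ([], "InterCom-SoccerOnline")}},  # Untagged
        "InterCom-SoccerOnline": {"fib": {"216.49.24.0/24": (None, [])}, "lfib": {}},
    }


# London CE with a static /32 toward the BGP next-hop 145.27.63.2: the recursive
# CEF entry resolves to "tags imposed {21}" (Example 6-15).
SPECIFIC_STATIC = {"216.49.24.0/24": ("EuroCom_LondonPE", [21])}
# London CE with only a static default: "local tag: implicit-null", so the
# packet leaves toward the PE with no label at all (Example 6-17).
STATIC_DEFAULT = {"0.0.0.0/0": ("EuroCom_LondonPE", [])}


def lookup(fib, dst):
    """Longest-prefix match over a FIB, the way CEF resolves a destination."""
    addr, best = ip_address(dst), None
    for prefix, entry in fib.items():
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, entry)
    return None if best is None else best[1]


def forward(network, dst, start, max_hops=16):
    """Return (outcome, routers visited, label stack on arrival at each router)."""
    labels, at, path, stacks = [], start, [], []
    for _ in range(max_hops):
        path.append(at)
        stacks.append(list(labels))
        router = network[at]
        if labels:                              # labelled packet: LFIB only, no IP lookup
            entry = router["lfib"].get(labels[-1])
            if entry is None:
                return f"dropped at {at}: no LFIB entry for label {labels[-1]}", path, stacks
            out_labels, nxt = entry
            labels.pop()
            labels.extend(out_labels)
        else:                                   # unlabelled packet: FIB lookup
            entry = lookup(router["fib"], dst)
            if entry is None:
                return f"dropped at {at}: no FIB entry for {dst}", path, stacks
            nxt, out_labels = entry
            if nxt is None:
                return "delivered", path, stacks
            labels.extend(out_labels)
        at = nxt
    return "dropped: hop limit exceeded", path, stacks


if __name__ == "__main__":
    cases = (("specific static route", SPECIFIC_STATIC, "InterCom-GamesNet"),
             ("static default route", STATIC_DEFAULT, "InterCom_LondonCE"))
    for name, ce_fib, start in cases:
        outcome, path, stacks = forward(make_network(ce_fib), "216.49.24.1", start)
        print(f"{name}: {outcome}")
        for hop, stack in zip(path, stacks):
            print(f"  {hop:<22} label stack on arrival {stack}")
```

Run as a script, the first case reaches InterCom-SoccerOnline with the stacks [21], [20, 27], [20], [18] seen at the London PE, the P router, the Munich PE and the Brussels CE, matching the tag rewrites in Example 6-15; the second case shows the unlabelled packet arriving at EuroCom_LondonPE, where the InterCom VRF has no entry for 216.49.24.1, which is the failure Examples 6-16 and 6-17 document.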


BGP-4 Between PE/CE Routers

Previous examples of the Carrier's Carrier architecture used LDP on the CSC PE router to CE router links to distribute labels for the IGP routes. However, in many cases, such as an ISP environment, BGP-4 is the preferred protocol for routing exchange (more so because the PE-CE protocol is usually dictated by the service providers, and many of them prefer BGP-4). Therefore, support for this protocol has been added to Cisco IOS. This support is referred to as IPv4 + Labels, or RFC 3107 support. It provides the ability to assign labels to BGP routes, which is not available in standard MPLS software, and removes the requirement of running LDP on the PE-CE links.

Figure 6-8 shows that InterCom has chosen to use BGP-4 on its link to the EuroCom backbone. LDP has also been enabled within each of its sites so that it does not have to hold all its external routes on its CSC CE routers.

Figure 6-8. BGP-4 on PE Router/CE Router Links for Carrier's Carrier

To enable the exchange of labels with BGP-4 routes, a new extension, send-label, has been added to the BGP neighbor command, as you can see in Example 6-18.

Example 6-18. send-label Extension to neighbor Command

hostname EuroCom_LondonPE
!
router bgp 20
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor 196.49.1.3 remote-as 20
 neighbor 196.49.1.3 update-source Loopback0
 no auto-summary
 !
 address-family vpnv4
 neighbor 196.49.1.3 activate
 neighbor 196.49.1.3 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf InterCom
 neighbor 194.69.27.5 remote-as 100
 neighbor 194.69.27.5 activate
 neighbor 194.69.27.5 as-override
 neighbor 194.69.27.5 send-label
 no auto-summary
 no synchronization
 exit-address-family
-----------------------------------------------------------------------
hostname InterCom_LondonCE
!
router bgp 100
 neighbor 194.69.27.6 remote-as 20
 !
 address-family ipv4
 neighbor 194.69.27.6 activate
 neighbor 194.69.27.6 send-label
 no auto-summary
 no synchronization
 exit-address-family

NOTE

Example 6-18 also shows the use of the as-override command. This command (extensively covered in Chapter 11 of MPLS and VPN Architectures, Volume I) is necessary within the InterCom VPN because each of its sites uses the same autonomous system number. In normal operation, a BGP-4 speaker ignores any update that contains its own autonomous system number. However, when as-override is configured, the CSC PE router replaces the InterCom autonomous system number with the autonomous system number of the MPLS VPN backbone, thus allowing successful reachability between end-customer sites.

The neighbor <IP-address> send-label command is configured within the ipv4 address family. You can check successful establishment of this BGP-4 capability for each neighbor, as illustrated in Example 6-19.

Example 6-19. Confirmation of send-label Capability

EuroCom_LondonPE#show ip bgp neighbor
BGP neighbor is 194.69.27.5,  vrf InterCom,  remote AS 100, external link
  BGP version 4, remote router ID 145.27.62.1
  BGP state = Established, up for 00:58:53
  Last read 00:00:53, hold time is 180, keepalive interval is 60 seconds
  Neighbor capabilities:
    Route refresh: advertised and received(new)
    Address family IPv4 Unicast: advertised and received
    IPv4 MPLS Label capability: advertised and received
...rest clipped

After a BGP-4 session has been successfully established between the CSC PE router and the CE router, the exchange of routes using IPv4+Labels can occur, and InterCom can exchange its internal routes with the EuroCom backbone. Example 6-20 shows how the InterCom London CSC CE router receives a label for the SoccerOnline edge router address 145.27.63.2/32 from the EuroCom London CSC PE router.

Example 6-20. IPv4+Labels Received by CE Router

InterCom_LondonCE# show ip bgp label

   Network            Next Hop          In Label/Out Label
   145.27.63.2/32     194.69.27.6       18/20

This example shows that a label value of 20 has been received from the EuroCom London CSC PE router for the SoccerOnline edge router address 145.27.63.2/32. The InterCom CSC CE router uses this label for all traffic that it sends toward 145.27.63.2, including all external BGP-4 routes that are reachable via this next-hop address.
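The capability check in Example 6-19 is done by eye on one neighbor. The following script is an added example, not code from the book or from Cisco: it parses `show ip bgp neighbor` output from a CSC PE router and reports every neighbor inside a Carrier's Carrier VRF whose IPv4 MPLS Label capability was not negotiated in both directions (the usual symptom of send-label being configured on the PE but forgotten on the CE). The sample output is constructed; only the 194.69.27.5 session is taken from Example 6-19, the backbone neighbor 196.49.1.3 and the second CE neighbor 194.69.28.5 are assumed.

```python
# Added example (not from the book): audit "show ip bgp neighbor" output on a CSC PE
# router and flag every VRF neighbor whose IPv4 MPLS Label (send-label) capability was
# not negotiated in both directions. The sample output below is constructed; only the
# 194.69.27.5 session comes from Example 6-19, the other two neighbors are assumed.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

@dataclass
class BgpNeighbor:
    address: str
    vrf: Optional[str]            # None for a global (backbone) session
    remote_as: int
    state: str = "Unknown"
    capabilities: Dict[str, str] = field(default_factory=dict)

NEIGHBOR_RE = re.compile(
    r"^BGP neighbor is (?P<addr>\S+),(?:\s+vrf (?P<vrf>\S+),)?\s+remote AS (?P<asn>\d+)")
STATE_RE = re.compile(r"^\s*BGP state = (?P<state>\w+)")
CAP_RE = re.compile(r"^ {4}(?P<name>[^:]+):\s+(?P<value>.+)$")   # capability lines are indented 4
LABEL_CAP = "IPv4 MPLS Label capability"

def parse_bgp_neighbors(text: str) -> List[BgpNeighbor]:
    neighbors: List[BgpNeighbor] = []
    in_caps = False
    for line in text.splitlines():
        m = NEIGHBOR_RE.match(line)
        if m:
            neighbors.append(BgpNeighbor(m["addr"], m["vrf"], int(m["asn"])))
            in_caps = False
            continue
        if not neighbors:
            continue                 # anything before the first neighbor block
        cur = neighbors[-1]
        m = STATE_RE.match(line)
        if m:
            cur.state = m["state"]
        elif line.strip() == "Neighbor capabilities:":
            in_caps = True
        elif in_caps:
            m = CAP_RE.match(line)
            if m:
                cur.capabilities[m["name"].strip()] = m["value"].strip()
            else:
                in_caps = False      # indentation dropped: end of the capability list
    return neighbors

def audit_send_label(neighbors: List[BgpNeighbor], csc_vrfs: Set[str]) -> Dict[str, str]:
    """One verdict per neighbor that sits in a Carrier's Carrier VRF."""
    verdicts: Dict[str, str] = {}
    for n in neighbors:
        if n.vrf not in csc_vrfs:
            continue
        cap = n.capabilities.get(LABEL_CAP)
        if n.state != "Established":
            verdicts[n.address] = "session not established"
        elif cap == "advertised and received":
            verdicts[n.address] = "ok"
        elif cap is None:
            verdicts[n.address] = "send-label missing on both sides"
        elif "received" not in cap:
            verdicts[n.address] = "send-label missing on CE side (only advertised)"
        else:
            verdicts[n.address] = "send-label missing on PE side (only received)"
    return verdicts

# Constructed sample: the first neighbor is the backbone session, the second is the
# session from Example 6-19, the third is an assumed CE whose send-label is missing.
SAMPLE_OUTPUT = """\
BGP neighbor is 196.49.1.3,  remote AS 20, internal link
  BGP version 4, remote router ID 196.49.1.3
  BGP state = Established, up for 01:10:02
  Neighbor capabilities:
    Route refresh: advertised and received(new)
    Address family VPNv4 Unicast: advertised and received
BGP neighbor is 194.69.27.5,  vrf InterCom,  remote AS 100, external link
  BGP version 4, remote router ID 145.27.62.1
  BGP state = Established, up for 00:58:53
  Last read 00:00:53, hold time is 180, keepalive interval is 60 seconds
  Neighbor capabilities:
    Route refresh: advertised and received(new)
    Address family IPv4 Unicast: advertised and received
    IPv4 MPLS Label capability: advertised and received
BGP neighbor is 194.69.28.5,  vrf InterCom,  remote AS 100, external link
  BGP version 4, remote router ID 145.27.62.9
  BGP state = Established, up for 00:03:11
  Neighbor capabilities:
    Route refresh: advertised and received(new)
    Address family IPv4 Unicast: advertised and received
    IPv4 MPLS Label capability: advertised
"""

if __name__ == "__main__":
    for addr, verdict in audit_send_label(parse_bgp_neighbors(SAMPLE_OUTPUT), {"InterCom"}).items():
        print(addr, verdict)
```

Feed it the real output of `show ip bgp neighbor` (or `show ip bgp vpnv4 vrf InterCom neighbors`) and the set of VRFs that carry CSC customers; a neighbor whose session is up but shows the label capability only as "advertised" will accept IPv4 routes and yet never build the LSP, which is exactly the failure Example 6-19 is meant to rule out.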

Filtering Routes on CSC CE Router to PE Router Links

The injection of internal routes into the BGP process that runs across the CSC CE router to PE router link is achieved through redistribution. The CSC CE router injects internal routes into IPv4+Labels by redistributing from the local routing process, as shown in Example 6-21.

Example 6-21. Redistribution from IGP into IPv4+Labels

hostname InterCom_LondonCE
!
router bgp 100
 neighbor 194.69.27.6 remote-as 20
 !
 address-family ipv4
 redistribute isis InterCom level-2

By default, all internal routes within the local IGP process are redistributed. To prevent this and only redistribute selected routes such as the BGP-4 next-hop addresses, you must apply filtering, either during the redistribution or when the routes are sent to the CSC PE router across the BGP-4 session. Example 6-22 shows how the InterCom London CSC CE router filters everything except the loopback address of the GamesNet edge router, 145.27.62.2/32.
Example 6-22. Filtering of IPv4+Labels Updates

hostname InterCom_LondonCE
!
router bgp 100
 neighbor 194.69.27.6 remote-as 20
 !
 address-family ipv4
 redistribute isis InterCom level-1-2
 neighbor 194.69.27.6 activate
 neighbor 194.69.27.6 route-map INTERNAL out
 neighbor 194.69.27.6 send-label
 no auto-summary
 no synchronization
 exit-address-family
!
access-list 1 permit 145.27.62.2
route-map INTERNAL permit 10
 match ip address 1
 set mpls-label

This example shows that routes are filtered when they are advertised toward the BGP-4 neighbor (to illustrate the need for the set mpls-label command). However, if this filtering were performed during redistribution, the undesirable routes would never make it into the BGP table and filtering at the BGP-4 level would not be required. Therefore, the recommended mechanism in this environment is to use route maps and filter during redistribution. Whichever method is used, the CE should hand the CSC PE router only the loopback addresses of its own PE routers (the BGP-4 next hops); every other internal prefix that reaches the carrier's VRF exposes the customer's internal topology for no benefit.

NOTE
You can use a route map that you apply to a BGP neighbor to control MPLS label propagation in BGP-4 updates. When you are setting a route map, as shown in Example 6-22, you must configure the set mpls-label command to allow label allocation for BGP-4 routes. By default, when you set a route map, all prefixes are sent unlabelled. Therefore, this command is required if you want an MPLS label attached to BGP-4 routes.

Having distributed all the necessary label information, Example 6-23 shows the complete LSP between the GamesNet edge router and the SoccerOnline edge router, to reach the 216.49.24.0/24 subnet. Figure 6-9 provides an illustration of this LSP.
Example 6-23. IPv4+Labels LSP Between GamesNet and SoccerOnline

InterCom-GamesNet# ping 216.49.24.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 216.49.24.1, timeout is 2 seconds:
!!!!!

InterCom-GamesNet# show ip cef 216.49.24.0
216.49.24.0/24, version 56, cached adjacency 145.27.62.6
0 packets, 0 bytes
  tag information shared from 145.27.63.2/32, local tag: 17
  fast tag rewrite with Et3/1, 145.27.62.6, tags imposed {18}
  via 145.27.63.2, 0 dependencies, recursive
    next hop 145.27.62.6, Ethernet3/1 via 145.27.63.2/32
    valid cached adjacency
    tag rewrite with Et3/1, 145.27.62.6, tags imposed {18}

InterCom_LondonCE# show mpls forwarding label 18
Local  Outgoing    Prefix              Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id        switched   interface
18     20          145.27.63.2/32      12594      Et5/1      194.69.27.6

EuroCom_LondonPE# show mpls forwarding label 20
Local  Outgoing    Prefix              Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id        switched   interface
20     27          145.27.63.2/32[V]   13089      AT9/0/0    10.2.1.10

EuroCom_LondonPE#show ip cef vrf InterCom 145.27.63.2
145.27.63.2/32, version 10, cached adjacency 10.2.1.10
0 packets, 0 bytes
  tag information set
    local tag: 20
    fast tag rewrite with AT9/0/0, 10.2.1.10, tags imposed {27 19}
  via 196.49.1.3, 0 dependencies, recursive
    next hop 10.2.1.10, ATM9/0/0 via 196.49.1.3/32
    valid cached adjacency
    tag rewrite with AT9/0/0, 10.2.1.10, tags imposed {27 19}

EuroCom_MunichPE# show mpls forwarding label 19
Local  Outgoing    Prefix              Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id        switched   interface
19     16          145.27.63.2/32[V]   10282      Se10/0/1   point2point

InterCom_LondonCE# show mpls forwarding label 16
Local  Outgoing    Prefix              Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id        switched   interface
16     Pop tag     145.27.62.2/32      0          Et5/0      145.27.62.5
Figure 6-9. IPv4+Label LSP Between GamesNet and SoccerOnline
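The outbound route map in Example 6-22 and the NOTE that follows it describe two separate decisions for every IGP prefix: is it advertised to the CSC PE at all, and if so does it carry a label. The evaluator below is an added example, not code from the book or from Cisco: it models a standard access list and a route map the way IOS applies them to a BGP-4 prefix (the ACL tests only the prefix's network address, the prefix length is ignored) and reports, for a constructed set of IGP routes, what reaches the carrier and whether it is labelled. Only 145.27.62.2/32 is taken from the book; the other prefixes, the route map without set mpls-label and the wildcard ACL are assumed, to show the two things that go wrong in practice: a labelled prefix silently becoming unlabelled, and an over-broad ACL leaking internal prefixes.

```python
# Added example (not from the book): model the outbound policy a CSC CE applies to its
# IPv4+Labels session (route-map INTERNAL in Example 6-22) and list which IGP prefixes
# reach the carrier, with or without a label. The IGP route set is constructed: only
# 145.27.62.2/32 (GamesNet edge loopback) is taken from the book, the rest are assumed.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

@dataclass
class AclEntry:
    action: str                 # "permit" or "deny"
    address: str
    wildcard: str = "0.0.0.0"   # standard ACL default: host match

    def matches(self, prefix: ipaddress.IPv4Network) -> bool:
        # A standard ACL in "match ip address" tests only the prefix's network address;
        # the prefix length is ignored, which is why a sloppy wildcard over-matches.
        care = ~int(ipaddress.IPv4Address(self.wildcard)) & 0xFFFFFFFF
        return (int(prefix.network_address) & care) == (int(ipaddress.IPv4Address(self.address)) & care)

@dataclass
class RouteMapEntry:
    action: str                    # "permit" or "deny"
    match_acl: Optional[str]       # ACL name from "match ip address", None = match everything
    set_mpls_label: bool = False   # "set mpls-label" present

def acl_permits(acl: List[AclEntry], prefix: ipaddress.IPv4Network) -> bool:
    for entry in acl:
        if entry.matches(prefix):
            return entry.action == "permit"
    return False                   # implicit deny at the end of every ACL

def evaluate(routes: List[str], route_map: List[RouteMapEntry],
             acls: Dict[str, List[AclEntry]]) -> Dict[str, Optional[bool]]:
    """Map each prefix to None (filtered), True (advertised with label) or False (unlabelled)."""
    result: Dict[str, Optional[bool]] = {}
    for r in routes:
        prefix = ipaddress.ip_network(r)
        verdict: Optional[bool] = None      # implicit deny at the end of the route-map
        for entry in route_map:
            if entry.match_acl is None or acl_permits(acls[entry.match_acl], prefix):
                verdict = entry.set_mpls_label if entry.action == "permit" else None
                break
        result[r] = verdict
    return result

def leaked(result: Dict[str, Optional[bool]], allowed: Set[str]) -> List[str]:
    """Prefixes that reach the carrier although they are not intended BGP-4 next hops."""
    return sorted(p for p, v in result.items() if v is not None and p not in allowed)

# Constructed IGP routes as the redistribution in Example 6-22 would pick them up.
IGP_ROUTES = [
    "145.27.62.2/32",   # GamesNet edge router loopback (from the book)
    "145.27.62.1/32",   # London CE loopback (assumed)
    "145.27.62.4/30",   # CE-to-GamesNet link (assumed)
    "10.10.0.0/16",     # InterCom internal management range (assumed)
]
ACLS = {"1": [AclEntry("permit", "145.27.62.2")]}                  # access-list 1 from Example 6-22
ROUTE_MAP_INTERNAL = [RouteMapEntry("permit", "1", set_mpls_label=True)]
ROUTE_MAP_NO_LABEL = [RouteMapEntry("permit", "1")]                # assumed: set mpls-label forgotten
SLOPPY_ACLS = {"1": [AclEntry("permit", "145.27.62.0", "0.0.0.255")]}  # assumed over-broad ACL

if __name__ == "__main__":
    print("as configured   ", evaluate(IGP_ROUTES, ROUTE_MAP_INTERNAL, ACLS))
    print("no set mpls-label", evaluate(IGP_ROUTES, ROUTE_MAP_NO_LABEL, ACLS))
    print("leaked by wildcard", leaked(evaluate(IGP_ROUTES, ROUTE_MAP_INTERNAL, SLOPPY_ACLS), {"145.27.62.2/32"}))
```

The match and deny logic is the same when the route map is attached at redistribution instead of to the neighbor, which is where the book recommends filtering; in that case a denied prefix never enters the BGP table at all. The leaked() check is the one to automate: the allowed set is the list of PE loopbacks the CE is supposed to announce, and anything else that evaluates to a non-None verdict is an internal prefix being handed to the carrier.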



Hierarchical VPNs: Carrier's Carrier MPLS VPNs

In some cases, the customer of the Carrier's Carrier MPLS VPN backbone network might also want to provide MPLS VPN services to its own customers. This type of connectivity is referred to as hierarchical VPNs, with multiple levels of VPNv4 label allocation.


Figure 6-10 shows that InterCom is now providing MPLS VPN services to GamesNet and SoccerOnline, and they have connectivity within their own extranet.

Figure 6-10. MPLS VPN Extranet Between GamesNet and SoccerOnline


As you can see in Figure 6-10, the InterCom GamesNet and SoccerOnline edge routers now provide MPLS VPN PE router functionality to GamesNet and SoccerOnline. You can see the configuration of the InterCom GamesNet PE router in Example 6-24. For the sake of simplicity, only a single IP prefix that is assigned to a loopback interface belonging to the GamesNet VPN is shown in the printouts and configuration examples that follow.

Example 6-24. Configuration of GamesNet and SoccerOnline PE Routers
hostname InterCom_GamesNet
!
ip vrf GamesNet
 rd 99:1234
 route-target export 100:99
 route-target import 100:99
!
interface loopback0
 description ** loopback for GamesNet
 ip vrf forwarding GamesNet
 ip address 222.27.5.1 255.255.255.255
!
router bgp 100
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor 145.27.63.2 remote-as 100
 neighbor 145.27.63.2 update-source Loopback0
 no auto-summary
 !
 address-family vpnv4
 neighbor 145.27.63.2 activate
 neighbor 145.27.63.2 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf GamesNet
 redistribute connected
 no auto-summary
 no synchronization
 exit-address-family

The main change from the previous Carrier's Carrier configuration examples is that the BGP session between the GamesNet and SoccerOnline edge routers is now Multiprotocol BGP rather than IPv4 BGP. This change does not affect the InterCom or EuroCom backbone at all because the BGP session is transported as application data across the network. The forwarding among InterCom sites, PE-CE links, and the EuroCom backbone is also unchanged; MPLS is still used to transport the VPN traffic. The only difference between this architecture and the simpler Carrier's Carrier architecture is that the VPN traffic is transported across the network with an extra MPLS label (InterCom's VPN label) attached.

Using the configuration from Example 6-24, you can see in Example 6-25 the LSP used to provide connectivity within the GamesNet/SoccerOnline extranet. Figure 6-11 shows an illustration of this LSP.

Example 6-25. Hierarchical VPN LSP Example

InterCom_GamesNet# show ip cef vrf GamesNet 216.49.24.1
216.49.24.1/32, version 5, cached adjacency 145.27.62.6
0 packets, 0 bytes
  tag information set, local tag: VPN route head
    fast tag rewrite with Et3/1, 145.27.62.6, tags imposed {19 18}
  via 145.27.63.2, 0 dependencies, recursive
    next hop 145.27.62.6, Ethernet3/1 via 145.27.63.2/32
    valid cached adjacency
    tag rewrite with Et3/1, 145.27.62.6, tags imposed {19 18}

InterCom_LondonCE# show mpls forwarding label 19
Local  Outgoing    Prefix              Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id        switched   interface
19     20          145.27.63.2/32      13902      Et5/1      194.69.27.6

EuroCom_LondonPE#show mpls forwarding label 20
Local  Outgoing    Prefix              Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id        switched   interface
20     27          145.27.63.2/32[V]   16196      AT9/0/0    10.2.1.10

EuroCom_LondonPE#show ip cef vrf InterCom 145.27.63.2
145.27.63.2/32, version 12, cached adjacency 10.2.1.10
0 packets, 0 bytes
  tag information set
    local tag: 20
    fast tag rewrite with AT9/0/0, 10.2.1.10, tags imposed {27 21}
  via 196.49.1.3, 0 dependencies, recursive
    next hop 10.2.1.10, ATM9/0/0 via 196.49.1.3/32
    valid cached adjacency
    tag rewrite with AT9/0/0, 10.2.1.10, tags imposed {27 21}

EuroCom_MunichPE#show mpls forwarding label 21
Local  Outgoing    Prefix              Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id        switched   interface
21     16          145.27.63.2/32[V]   13697      Se10/0/1   point2point

InterCom_BrusselsCE#show mpls forwarding label 16
Local  Outgoing    Prefix              Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id        switched   interface
16     Pop tag     145.27.63.2/32      14968      Et3/0      145.27.63.9

InterCom_SoccerOnline# show mpls forwarding label 18
Local  Outgoing    Prefix              Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id        switched   interface
18     Aggregate   216.49.24.1/32[V]   1040

Figure 6-11. LSP
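The label operations of Example 6-25 replayed hop by hop, as an added example (not code from the book): each router's entry from the output above is transcribed into a small table and a packet for 216.49.24.1 is pushed through it, so the three-label stack inside EuroCom and the untouched InterCom VPN label 18 can be seen at every step. Router names, labels and interfaces are the page's own; the EuroCom core (P) routers and their penultimate-hop pop of label 27 are an assumption, since the page does not show them.

```python
"""Replay of the hierarchical VPN label stack of Example 6-25.

Added example (not code from the book): the label operation of each router in
Example 6-25 is transcribed into a small table and a packet from GamesNet to
216.49.24.1 is pushed through it, showing the label stack after every hop.
Router names, labels and interfaces are those printed on the page.  The EuroCom
core (P) routers between LondonPE and MunichPE are not shown on the page, so
their penultimate-hop pop of the EuroCom IGP label 27 is an assumption here.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Entry:
    """One LFIB line: what to do with an incoming top label."""
    action: str                 # "swap", "pop", "php" or "aggregate"
    out_label: int = 0          # label replacing the incoming one (swap only)
    push: Tuple[int, ...] = ()  # extra labels imposed above it (swap only)
    out_iface: str = ""
    next_hop: str = ""
    vrf: str = ""               # VRF used for the IP lookup after "aggregate"


# LFIBs transcribed from the `show mpls forwarding label N` and
# `show ip cef vrf` output of Example 6-25: router -> {in_label: Entry}.
LFIB: Dict[str, Dict[int, Entry]] = {
    "InterCom_LondonCE": {
        19: Entry("swap", 20, out_iface="Et5/1", next_hop="194.69.27.6")},
    # LondonPE, "tags imposed {27 21}": swap 20->21 and push IGP label 27 on top
    "EuroCom_LondonPE": {
        20: Entry("swap", 21, push=(27,), out_iface="AT9/0/0", next_hop="10.2.1.10")},
    # ASSUMED: a EuroCom P router pops label 27 (penultimate-hop popping)
    "EuroCom_P (assumed)": {27: Entry("php")},
    "EuroCom_MunichPE": {
        21: Entry("swap", 16, out_iface="Se10/0/1", next_hop="point2point")},
    "InterCom_BrusselsCE": {
        16: Entry("pop", out_iface="Et3/0", next_hop="145.27.63.9")},
    "InterCom_SoccerOnline": {18: Entry("aggregate", vrf="GamesNet")},
}

# Routers in the order the packet visits them after leaving InterCom_GamesNet.
PATH = ["InterCom_LondonCE", "EuroCom_LondonPE", "EuroCom_P (assumed)",
        "EuroCom_MunichPE", "InterCom_BrusselsCE", "InterCom_SoccerOnline"]

# Stack imposed by InterCom_GamesNet ("tags imposed {19 18}"), top label first:
# 19 = label LondonCE advertised for 145.27.63.2/32, 18 = SoccerOnline's VPN label.
GAMESNET_IMPOSED = [19, 18]


def forward(router: str, stack: List[int]) -> Tuple[List[int], str]:
    """Apply one router's LFIB to a label stack (stack[0] is the top label).

    Returns the outgoing stack and a one-line description of the operation.
    A KeyError means the router has no entry for the top label, which in the
    field shows up as a packet silently dropped at that hop.
    """
    in_label = stack[0]
    e = LFIB[router][in_label]
    if e.action == "swap":
        out = list(e.push) + [e.out_label] + stack[1:]
        return out, f"swap {in_label}->{e.out_label}, push {list(e.push)}, out {e.out_iface}"
    if e.action in ("pop", "php"):
        return stack[1:], f"pop {in_label}, out {e.out_iface or 'core link'}"
    if e.action == "aggregate":
        return stack[1:], f"pop {in_label}, IP lookup in vrf {e.vrf}"
    raise ValueError(f"unknown LFIB action {e.action!r}")


def walk(stack: List[int]) -> List[Tuple[str, List[int]]]:
    """Push a packet carrying `stack` along PATH; return (router, stack out) per hop."""
    trace: List[Tuple[str, List[int]]] = []
    for router in PATH:
        stack, _ = forward(router, stack)
        trace.append((router, stack))
    return trace


def max_depth(stack: List[int]) -> int:
    """Deepest label stack on the wire along the LSP (three inside EuroCom)."""
    return max([len(stack)] + [len(s) for _, s in walk(stack)])


if __name__ == "__main__":
    cur = list(GAMESNET_IMPOSED)
    print(f"{'InterCom_GamesNet':22} imposes {cur}")
    for hop in PATH:
        cur, what = forward(hop, cur)
        print(f"{hop:22} {what:50} -> {cur}")
```

Inside the EuroCom backbone the packet carries three labels (EuroCom IGP label, EuroCom VPN label, InterCom VPN label); the innermost label 18 is only removed by the SoccerOnline PE.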


VPN Connectivity Between Different Service Providers

As the popularity of the MPLS VPN solution has grown, so has the size and reach of the end customers of the service. The greater the number of sites within a particular enterprise, the greater the likelihood that certain geographic locations will attach to different service providers. This requires a different connectivity model than the base MPLS VPN architecture provides.

In this situation, transit traffic between customer sites must pass through more than one autonomous system and more than one MPLS VPN backbone. Consider Figure 6-12, which shows how the sites within the BankCorp VPN attach to their local carriers.

Figure 6-12. BankCorp Interprovider Topology

Figure 6-12 illustrates that BankCorp has two sites: Santa Clara, which attaches to the SuperCom MPLS VPN backbone via the San Jose PE router; and Berlin, which attaches to the EuroCom MPLS VPN backbone via the Munich PE router. The relevant address assignments for BankCorp are shown in Table 6-3. Clearly, BankCorp would like to have connectivity between these sites, but that requires the exchange of VPN-specific routes between the SuperCom and EuroCom networks. This type of connectivity is collectively referred to as InterAS or Interprovider VPN.

Table 6-3. IP Address Assignment for BankCorp VPN

Company     Site           Subnet
BankCorp    Santa Clara    198.121.63.0/24
            Berlin         198.121.62.0/24

Interprovider Connectivity Requirements


To support the exchange of VPN routing information between service providers, a new mechanism is required so that prefix and label details can be advertised across the interprovider links. As Figure 6-13 shows, normal MPLS VPN procedures are run within each autonomous system, and any PE routers that have relevant customer sites attached can import the routing information through use of the route-target extended community attribute. However, the base architecture does not provide the ability to advertise this information to other service providers, which means that extensions to the protocols are required.

Figure 6-13. InterAS Connectivity Model

As illustrated in Figure 6-13, the SuperCom and EuroCom autonomous system boundary routers (ASBRs) have no means with which to exchange the routes for the BankCorp VPN. As you will see in the sections that follow, there are actually several ways to support the exchange of VPN routing information among service providers:

- Back-to-back VRF solution
- External Multiprotocol BGP
- Multihop MP-eBGP for VPNv4 prefix exchange
- Multihop MP-eBGP between route reflectors

The op t ion select ed for deploym ent depends on a nu mb er of fact or s, su ch as t h e nu mb er of I nt er AS VPN clien t s, t he amou nt of VPN r out ing inf orm at ion t o ex chang e, filt ering p olicies, and so on .

Back-to-Back VRF Solution


The simplest solution to implement is back-to-back VRFs. This method essentially turns each of the ASBR routers into PE routers that treat the adjacent service provider ASBR as a CE router. This means that in our example, the SuperCom Paris ASBR sees the EuroCom Paris ASBR as a CE router, and vice versa. This is illustrated in Figure 6-14, with the relevant configuration of each ASBR provided in Example 6-26.

Example 6-26. Back-to-Back VRF ASBR Configuration

hostname SuperComParis-ASBR
!
ip vrf BankCorp
 rd 10:4972
 route-target export 20:123
 route-target import 20:123
!
interface POS10/0/0
 description ** interface to EuroCom Paris-ASBR
 ip vrf forwarding BankCorp
 ip address 192.168.2.37 255.255.255.252
-----------------------------------------------------------------------
hostname EuroComParis-ASBR
!
ip vrf BankCorp
 rd 99:5432
 route-target export 20:123
 route-target import 20:123
!
interface POS8/1/0
 description ** interface to SuperCom Paris-ASBR
 ip vrf forwarding BankCorp
 ip address 192.168.2.38 255.255.255.252


Figure 6-14. Back-to-Back VRF Deployment

This configuration results in each of the ASBR routers learning routes for BankCorp sites within their own autonomous system. The EuroCom Paris ASBR learns routes 194.69.27.16/30 (the PE-CE link on the Munich PE router) and 198.121.62.0/24 (the BankCorp Berlin site reachable via Munich). The SuperCom Paris ASBR learns routes 192.168.2.32/30 (the PE-CE link on the San Jose PE router) and 198.121.63.0/24 (the BankCorp Santa Clara site reachable via San Jose).

NOTE

Example 6-27 shows the connectivity requirements of only one VPN client. However, a real deployment would clearly have multiple VPN clients, each of which would require their own back-to-back VRF connection between the ASBRs. The only way to scale such connectivity is to implement a logical interface per-VPN across the physical link. Frame Relay subinterfaces are an example of this, in which a single data-link connection identifier (DLCI) is used per-client. Such connectivity is discussed in detail in Chapter 4, "Virtual Router Connectivity."

Example 6-27. BankCorp Routes Within ASBR Prior to InterAS Distribution

EuroComParis-ASBR#show ip route vrf BankCorp
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR

Gateway of last resort is not set

     194.69.27.0/30 is subnetted, 1 subnets
B       194.69.27.16 [200/0] via 196.49.1.3, 21:39:37
B    198.121.62.0/24 [200/1] via 196.49.1.3, 21:39:37
     192.168.2.0/30 is subnetted, 1 subnets
C       192.168.2.36 is directly connected, POS8/1/0

SuperComParis-ASBR#show ip route vrf BankCorp
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR

Gateway of last resort is not set

B    198.121.63.0/24 [200/1] via 194.22.15.1, 21:57:36
     192.168.2.0/30 is subnetted, 2 subnets
B       192.168.2.32 [200/0] via 194.22.15.1, 21:57:37
C       192.168.2.36 is directly connected, POS10/0/0




Distribution of Routes Across ASBR-ASBR Link

Having imported all the local routes into the ASBR VRFs, the next step is to distribute the routes to the adjacent service provider by using a dynamic routing protocol per-VRF. After this step is complete, any packets received across the ASBR-ASBR link and destined for one of the subnets within the VRF will be label switched by using the normal MPLS VPN forwarding mechanisms. You can use any of the currently supported PE-CE routing protocols across the ASBR-ASBR link. Although IGP protocols can theoretically be used, because the link is an inter-autonomous system connection, in most cases the service provider prefers to use BGP-4 for the exchange of routing information. Using an IGP protocol requires redistribution at the border routers, and static routing involves coordination of the ASBR configuration (which is simply not feasible). In contrast, no extra configuration is needed when you are running BGP between the ASBRs. In addition, BGP-4 provides better policy and security mechanisms; therefore, it is the protocol of choice in this environment.

Both EuroCom and SuperCom have chosen to use BGP-4 on the ASBR-ASBR link. The configuration of both ASBRs is shown in Example 6-28.

Example 6-28. BGP-4 Configuration of ASBR Routers

hostname SuperComParis-ASBR
!
router bgp 10
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor 194.22.15.1 remote-as 10
 neighbor 194.22.15.1 update-source Loopback0
 no auto-summary
 !
 address-family vpnv4
 neighbor 194.22.15.1 activate
 neighbor 194.22.15.1 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf BankCorp
 neighbor 192.168.2.38 remote-as 20
 neighbor 192.168.2.38 activate
 no auto-summary
 no synchronization
 exit-address-family
-----------------------------------------------------------------------
hostname EuroComParis-ASBR
!
router bgp 20
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor 196.49.1.3 remote-as 20
 neighbor 196.49.1.3 update-source Loopback0
 no auto-summary
 !
 address-family vpnv4
 neighbor 196.49.1.3 activate
 neighbor 196.49.1.3 send-community extended
 exit-address-family
 !
address-family ipv4 vrf BankCorp MPLS and VPN Ar chit ect u res, Volum e I I , b eg in s w it h a br ief ref resher of t he MPLS VPN remote-as Arneighbor ch it ect u re.192.168.2.37 Par t I I descr ibes adv anced10 MPLS VPN con nect iv it y includ in g t he int egr at ion of ser v ice pr ovider access t echn olog ies ( dial, DSL, cab le, Et her net ) an d a v ariet y of r out in g 192.168.2.37 prneighbor ot ocols ( I SI S, EI GRP, andactivate OSPF) , ar m in g t he r eader w it h t he k now ledge of h ow t o int egr at e t h ese f eat ur es in t o t h e VPN b ack bon e. Part I I I det ails adv anced d ep loy m ent issues no auto-summary includin g secu r it y , ou t lining t he n ecessar y st eps t h e ser v ice p rov ider m ust t ake t o p rot ect t he back bone and any at t ached VPN sit es, and also det ailin g t he lat est secu rit y f eat ur es t o allow mno or esynchronization adv anced t op ologies and filt erin g. This par t also cov er s m ult i- car r ier MPLS VPN deploy m en t s. Fin ally , Par t I V pr ov id es a m et hodology for ad van ced MPLS VPN t rexit-address-family oub leshoot ing . MPLS and VPN Ar chit ect u res, Volum e I I , also int rod uces t he lat est adv ances in cu st omer int egr at ion, secur it y, and t r oubleshoot ing feat u res essent ial t o p rov iding t h e adv anced

Now that a BGP-4 session is available within the BankCorp VRF, Example 6-29 shows that all the BankCorp routes are available at each ASBR.

Example 6-29. BankCorp Routes at ASBRs After BGP-4 Distribution

SuperComParis-ASBR#show ip route vrf BankCorp
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR

Gateway of last resort is not set

     194.69.27.0/30 is subnetted, 1 subnets
B       194.69.27.16 [20/0] via 192.168.2.38, 00:02:20
B    198.121.63.0/24 [200/1] via 194.22.15.1, 22:23:35
B    198.121.62.0/24 [20/0] via 192.168.2.38, 00:02:20
     192.168.2.0/30 is subnetted, 2 subnets
B       192.168.2.32 [200/0] via 194.22.15.1, 22:23:35
C       192.168.2.36 is directly connected, POS10/0/0

EuroComParis-ASBR#show ip route vrf BankCorp
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR

Gateway of last resort is not set

     194.69.27.0/30 is subnetted, 1 subnets
B       194.69.27.16 [200/0] via 196.49.1.3, 22:06:30
B    198.121.63.0/24 [20/0] via 192.168.2.37, 00:02:13
B    198.121.62.0/24 [200/1] via 196.49.1.3, 22:06:30
     192.168.2.0/30 is subnetted, 2 subnets
B       192.168.2.32 [20/0] via 192.168.2.37, 00:02:13
C       192.168.2.36 is directly connected, POS8/1/0

These routes will now be advertised within the SuperCom and EuroCom MPLS VPN backbones and will be imported by any PE routers that have BankCorp sites attached. If you look at the SuperCom San Jose PE router in Example 6-30, you can see that the BankCorp 198.121.62.0/24 subnet (which is the Berlin site) is available, learned via MP-iBGP with the SuperCom Paris ASBR (194.22.15.3) as the BGP next hop.

Example 6-30. Successful Distribution of BankCorp Routes via Inter-AS

SanJose-PE#show ip route vrf BankCorp
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR

Gateway of last resort is not set

     194.69.27.0/30 is subnetted, 1 subnets
B       194.69.27.16 [200/0] via 194.22.15.3, 00:05:46
R    198.121.63.0/24 [120/1] via 192.168.2.33, 00:00:22, Ethernet6/1
B    198.121.62.0/24 [200/0] via 194.22.15.3, 00:06:02
     192.168.2.0/30 is subnetted, 1 subnets
C       192.168.2.32 is directly connected, Ethernet6/1
All packets directed toward the 198.121.62.0/24 subnet are label-switched across the SuperCom and EuroCom backbones. However, the back-to-back VRF solution does not label-switch across the ASBR-ASBR link: packets are label-switched across each MPLS VPN backbone and then forwarded as plain IP packets between the two service providers, over the link that both ASBRs hold in the BankCorp VRF. This concept is illustrated in Figure 6-15, and a traceroute is provided in Figure 6-16. Printouts for the MPLS LSP from the BankCorp Santa Clara CE router to the 198.121.62.0/24 subnet are provided in Example 6-31; note in the traceroute that the EuroCom Paris ASBR (hop 4) reports no MPLS labels. Figure 6-17 provides an illustration of the complete end-to-end LSP for the BankCorp VPN.

Example 6-31. LSP Between BankCorp Sites

SantaClara-CE#ping 198.121.62.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 198.121.62.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/6/8 ms

SantaClara-CE#traceroute 198.121.62.1

Type escape sequence to abort.
Tracing the route to 198.121.62.1

  1 192.168.2.34 0 msec 0 msec 0 msec
    ! response from SuperCom SanJose PE-router
  2 194.22.15.9 [MPLS: Labels 18/19 Exp 0] 4 msec 4 msec 4 msec
    ! response from SuperCom P-router within the network
  3 192.168.2.37 [MPLS: Label 19 Exp 0] 4 msec 4 msec 4 msec
    ! response from SuperCom Paris ASBR
  4 192.168.2.38 4 msec 0 msec 4 msec
    ! response from EuroCom Paris ASBR (Note: no MPLS labels)
  5 10.2.1.22 [MPLS: Labels 27/19 Exp 0] 8 msec 4 msec 8 msec
    ! response from P-router within the EuroCom network
  6 194.69.27.18 [MPLS: Label 19 Exp 0] 8 msec 4 msec 8 msec
    ! response from EuroCom Munich PE-router
  7 194.69.27.17 4 msec 4 msec *
    ! response from BankCorp Berlin CE-router

SanJose-PE#show ip cef vrf BankCorp 198.121.62.0
198.121.62.0/24, version 16, cached adjacency to Serial4/0
0 packets, 0 bytes
  tag information set
    local tag: VPN route head
    fast tag rewrite with Se4/0, point2point, tags imposed {18 19}
  via 194.22.15.3, 0 dependencies, recursive
    next hop 194.22.15.9, Serial4/0 via 194.22.15.3/32
    valid cached adjacency
    tag rewrite with Se4/0, point2point, tags imposed {18 19}

SuperComParis-ASBR#show mpls forwarding label 19
Local  Outgoing    Prefix              Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id        switched   interface
19     Untagged    198.121.62.0/24[V]  \
                                       1040       PO10/0/0   point2point

EuroComParis-ASBR#show ip cef vrf BankCorp 198.121.62.0
198.121.62.0/24, version 9, cached adjacency 10.2.1.22
0 packets, 0 bytes
  tag information set
    local tag: VPN route head
    fast tag rewrite with AT4/1/0, 10.2.1.22, tags imposed {27 19}
  via 196.49.1.3, 0 dependencies, recursive
    next hop 10.2.1.22, ATM4/1/0 via 196.49.1.3/32
    valid cached adjacency
    tag rewrite with AT4/1/0, 10.2.1.22, tags imposed {27 19}

Munich_PE#show mpls forwarding label 19
Local  Outgoing    Prefix              Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id        switched   interface
19     Untagged    198.121.62.0/24[V]  \
                                       1140       Et4/0      194.69.27.17
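The label information that IOS traceroute prints for a hop is the label stack on the probe as that hop received it. Reading the stack depth hop by hop therefore shows exactly where the packet was labeled and where it was plain IP. The following Python script is an added example written for this page, not code from the book or from Cisco: it parses the Example 6-31 traceroute (copied in as constructed test input, with the book's annotation lines left out), reports the stack depth per hop, groups the labeled hops into the two backbone segments (within one backbone the bottom VPN label stays constant while the top IGP label is swapped and finally popped by penultimate-hop popping), and identifies the hop that received plain IP between two labeled segments, which in the back-to-back VRF design is the peer ASBR on the VRF link.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Traceroute from the BankCorp Santa Clara CE in Example 6-31, copied here as
# constructed test input (the "! response from ..." annotations are omitted).
TRACEROUTE = """\
Tracing the route to 198.121.62.1

  1 192.168.2.34 0 msec 0 msec 0 msec
  2 194.22.15.9 [MPLS: Labels 18/19 Exp 0] 4 msec 4 msec 4 msec
  3 192.168.2.37 [MPLS: Label 19 Exp 0] 4 msec 4 msec 4 msec
  4 192.168.2.38 4 msec 0 msec 4 msec
  5 10.2.1.22 [MPLS: Labels 27/19 Exp 0] 8 msec 4 msec 8 msec
  6 194.69.27.18 [MPLS: Label 19 Exp 0] 8 msec 4 msec 8 msec
  7 194.69.27.17 4 msec 4 msec *
"""

_HOP = re.compile(r"^\s*(?P<n>\d+)\s+(?P<addr>\d+\.\d+\.\d+\.\d+)"
                  r"(?:\s+\[MPLS: Labels? (?P<labels>[\d/]+) Exp \d+\])?")


@dataclass
class Hop:
    number: int
    address: str
    labels: List[int]   # label stack on the probe as this hop received it, top first

    @property
    def depth(self) -> int:
        return len(self.labels)


def parse_traceroute(output: str) -> List[Hop]:
    hops = []
    for line in output.splitlines():
        m = _HOP.match(line)
        if not m:
            continue
        raw = m.group("labels")
        labels = [int(x) for x in raw.split("/")] if raw else []
        hops.append(Hop(int(m.group("n")), m.group("addr"), labels))
    return hops


def labeled_segments(hops: List[Hop]) -> List[Tuple[int, int, int]]:
    """Contiguous runs of labeled hops as (first_hop, last_hop, bottom_label).
    A run ends at an unlabeled hop or when the bottom (VPN) label changes, so
    each run corresponds to one MPLS VPN backbone the probe crossed."""
    segments = []
    start = bottom = prev = None
    for h in hops:
        if h.depth and (start is None or h.labels[-1] == bottom):
            if start is None:
                start, bottom = h.number, h.labels[-1]
        else:
            if start is not None:
                segments.append((start, prev, bottom))
            start, bottom = (h.number, h.labels[-1]) if h.depth else (None, None)
        prev = h.number
    if start is not None:
        segments.append((start, prev, bottom))
    return segments


def ip_handoff_hops(hops: List[Hop]) -> List[int]:
    """Hops that received plain IP although labeled hops lie on both sides of
    them: the inter-provider hand-off of the back-to-back VRF design."""
    return [h.number for i, h in enumerate(hops)
            if h.depth == 0
            and any(x.depth for x in hops[:i])
            and any(x.depth for x in hops[i + 1:])]


if __name__ == "__main__":
    path = parse_traceroute(TRACEROUTE)
    for h in path:
        print(f"hop {h.number} {h.address:14} stack depth {h.depth} {h.labels}")
    print("backbone segments:", labeled_segments(path))
    print("IP hand-off at hop(s):", ip_handoff_hops(path))
```

The same three functions applied to the traceroute of the MP-eBGP design described in the next section should return no IP hand-off hop, since that design carries a label across the ASBR-ASBR link; running the script on both captures is a quick way to confirm which Inter-AS model a given path is actually using.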

Figure 6-15. Back-to-Back VRF Label Switching and IP Paths
[figure]

Figure 6-16. Traceroute Between BankCorp Santa Clara and Berlin Sites
[figure]

Figure 6-17. LSP Between BankCorp Sites
[figure]

External Multiprotocol BGP

Although the back-to-back VRF solution provides an easy implementation option, it clearly has severe scaling issues in large-scale deployments because it requires a VRF and a logical interface per VPN on each ASBR. This is certainly not appropriate when a large number of VPNs must be reachable between service providers; therefore, a different label/prefix distribution method is needed. This requirement is met by extending Multiprotocol BGP to support VPNv4 external neighbors as well as VPNv4 internal neighbors.

External Multiprotocol BGP provides the functionality to advertise VPNv4 prefix/label information across the service provider boundary. The advertising ASBR replaces the label stack of the VPN prefix with a locally allocated label before it advertises the VPN route. This is necessary because the BGP session between the two service providers is external BGP, so the ASBR becomes the next hop of the route and terminates the LSP for that route. To preserve the LSP, the ASBR must allocate a local label that corresponds to the label stack of the route within the local MPLS VPN network. This newly allocated label is set on packets sent toward the prefix from the adjacent service provider. This Inter-AS model is illustrated in Figure 6-18.
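The label replacement just described can be made concrete with a small model. The following Python script is an added example written for this page; it is not Cisco code and not taken from the book. It models the two label operations of an MP-eBGP ASBR: on a route learned from a local PE over MP-iBGP it allocates a local label, binds that label in its LFIB to the stack the local LSP needs (IGP label toward the PE over the PE's VPN label), and advertises the route to the peer with the new label and its link address as next hop; on a route learned from the peer it binds a fresh local label to the peer's label and re-advertises the route into its own backbone with itself as next hop (an assumed next-hop-self design, one of several possible). Router names and the ASBR link addresses follow the chapter; the SanJose PE loopback 194.22.15.2, the EuroCom ASBR loopback 196.49.1.1, the route distinguisher 10:1 and all label values are constructed for the example. The forwarding function also shows the one check the ASBR applies to labeled packets from the peer: a top label absent from the LFIB is dropped, and the lookup is on the label alone, not on the neighbor that sent it.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Hypothetical model of MP-eBGP ASBR label handling, written for this page.
# The PE loopback, the EuroCom ASBR loopback, the RD and the labels are constructed.


@dataclass
class Vpnv4Route:
    rd: str
    prefix: str
    label: int       # VPN label the BGP next hop expects at the bottom of the stack
    next_hop: str    # BGP next hop: a PE loopback in a backbone, or an ASBR link address


@dataclass
class LfibEntry:
    out_labels: List[int]   # labels on the outgoing packet, top of stack first
    out_next_hop: str


@dataclass
class Asbr:
    name: str
    loopback: str                 # BGP next hop used toward the local backbone
    link_address: str             # BGP next hop used toward the eBGP peer
    igp_labels: Dict[str, int]    # PE loopback -> IGP/LDP label toward that PE (constructed)
    next_label: int = 100
    lfib: Dict[int, LfibEntry] = field(default_factory=dict)

    def _allocate(self) -> int:
        label, self.next_label = self.next_label, self.next_label + 1
        return label

    def receive_ibgp(self, route: Vpnv4Route) -> Vpnv4Route:
        """Route learned from a local PE over MP-iBGP: allocate a local label, bind
        it to the stack the local LSP needs, and return the advertisement sent to
        the eBGP peer (new label, link address as next hop)."""
        local = self._allocate()
        self.lfib[local] = LfibEntry([self.igp_labels[route.next_hop], route.label],
                                     route.next_hop)
        return Vpnv4Route(route.rd, route.prefix, local, self.link_address)

    def receive_ebgp(self, route: Vpnv4Route) -> Vpnv4Route:
        """Route learned from the peer ASBR: bind a fresh local label to the peer's
        label and return the re-advertisement into the local backbone with the ASBR
        loopback as next hop (assumed next-hop-self design). Only the BGP label is
        pushed toward the peer; no IGP or LDP label exists on the inter-AS link."""
        local = self._allocate()
        self.lfib[local] = LfibEntry([route.label], route.next_hop)
        return Vpnv4Route(route.rd, route.prefix, local, self.loopback)

    def switch(self, labels: List[int]) -> Optional[Tuple[List[int], str]]:
        """Swap the top label per the LFIB; return the new stack and next hop. An
        unknown top label is dropped (None), as a router does for labels absent
        from its LFIB. The lookup keys on the label alone, not on the sender."""
        if not labels or labels[0] not in self.lfib:
            return None
        entry = self.lfib[labels[0]]
        return entry.out_labels + labels[1:], entry.out_next_hop


def build_example() -> Tuple[Asbr, Asbr, Vpnv4Route, Vpnv4Route]:
    """SuperCom Paris ASBR learns the BankCorp Santa Clara prefix from the SanJose
    PE, advertises it to EuroCom Paris ASBR over MP-eBGP, and EuroCom re-advertises
    it into its own backbone. Returns both ASBRs and the two advertisements."""
    supercom = Asbr("SuperComParis-ASBR", "194.22.15.3", "192.168.2.37",
                    igp_labels={"194.22.15.2": 18})            # 194.22.15.2: assumed SanJose PE
    eurocom = Asbr("EuroComParis-ASBR", "196.49.1.1", "192.168.2.38",  # 196.49.1.1: assumed
                   igp_labels={}, next_label=200)
    from_sanjose = Vpnv4Route("10:1", "198.121.63.0/24", 19, "194.22.15.2")
    to_eurocom = supercom.receive_ibgp(from_sanjose)     # label 100, next hop 192.168.2.37
    into_eurocom = eurocom.receive_ebgp(to_eurocom)      # label 200, next hop 196.49.1.1
    return supercom, eurocom, to_eurocom, into_eurocom


def forward_from_eurocom(eurocom: Asbr, supercom: Asbr,
                         into_eurocom: Vpnv4Route) -> List[Tuple[List[int], str]]:
    """Stack and next hop as a packet from a EuroCom PE leaves each ASBR. The
    EuroCom IGP label is already gone: PHP popped it before the EuroCom ASBR."""
    path = []
    stack: List[int] = [into_eurocom.label]
    for asbr in (eurocom, supercom):
        result = asbr.switch(stack)
        if result is None:
            break
        stack, next_hop = result
        path.append((list(stack), next_hop))
    return path


if __name__ == "__main__":
    sc, ec, to_ec, into_ec = build_example()
    print("SuperCom advertises to EuroCom:", to_ec)
    print("EuroCom advertises into its backbone:", into_ec)
    print("packet path from a EuroCom PE:", forward_from_eurocom(ec, sc, into_ec))
    print("unknown label from the peer:", sc.switch([101]))
```

Compare the last step with the Example 6-31 CEF output of the SanJose PE: the stack {18 19} that the SuperCom ASBR pushes toward the PE in this model is the same IGP-over-VPN stack a PE in the same backbone would impose, which is what "the ASBR allocates a local label that corresponds to the label stack of the route within the local MPLS VPN network" means in practice.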



Figure 6-18. MP-eBGP Connectivity Model
[figure]

NOTE

There is no requirement to run an IGP or any other label distribution protocol other than BGP on the Inter-AS link when you are deploying External Multiprotocol BGP.

You can view the configuration of the SuperCom Paris ASBR and EuroCom Paris ASBR in Example 6-32. As you can see, the ASBR does not require VRF configuration, and the interface that connects the two routers is within the global routing table.

Exa m pl e 6 - 3 2 . Ext er n al M P- BGP Conf i gur a t i on of ASBRs MPLS and VPN Ar chit ect u res, Volum e I I , b eg in s w it h a br ief ref resher of t he MPLS VPN Ar ch it ect u re. Par t I I descr ibes adv anced MPLS VPN con nect iv it y includ in g t he int egr at ion of ser v ice pr ovider access t echn olog ies ( dial, DSL, cab le, Et her net ) an d a v ariet y of r out in g pr ot ocols ( ISuperComParis-ASBR S- I S, EI GRP, and OSPF) , ar m in g t he r eader w it h t he k now ledge of h ow t o hostname int egr at e t h ese f eat ur es in t o t h e VPN b ack bon e. Part I I I det ails adv anced d ep loy m ent issues includin g secu r it y , ou t lining t he n ecessar y st eps t h e ser v ice p rov ider m ust t ake t o p rot ect t he ! back bone and any at t ached VPN sit es, and also det ailin g t he lat est secu rit y f eat ur es t o allow m or e adv anced t op ologies and filt erin g. This par t also cov er s m ult i- car r ier MPLS VPN interface POS10/0/0 deploy m en t s. Fin ally , Par t I V pr ov id es a m et hodology for ad van ced MPLS VPN t rdescription oub leshoot ing .** interface to EuroCom Paris-ASBR MPLS and VPN 192.168.2.37 Ar chit ect u res, Volum e I I , also int rod uces t he lat est adv ances in cu st omer ip address 255.255.255.252 int egr at ion, secur it y, and t r oubleshoot ing feat u res essent ial t o p rov iding t h e adv anced

! router bgp 10 no bgp default ipv4-unicast bgp log-neighbor-changes •

Table of Content s



I ndex

neighbor 192.168.2.38 remote-as 20 MP LS and V PN Ar chi te ctur e s, V olum e I I

neighbor 194.22.15.1 remote-as 10

 neighbor 194.22.15.1 update-source Loopback0
 no auto-summary
 !
 address-family vpnv4
 neighbor 192.168.2.38 activate
 neighbor 192.168.2.38 send-community extended
 neighbor 194.22.15.1 activate
 neighbor 194.22.15.1 send-community extended
 exit-address-family

hostname EuroComParis-ASBR
!
interface POS8/1/0
 description ** interface to Washington SuperCom ASBR
 ip address 192.168.2.38 255.255.255.252
!
router bgp 20
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor 192.168.2.37 remote-as 10
 neighbor 196.49.1.3 remote-as 20
 neighbor 196.49.1.3 update-source Loopback0
 no auto-summary
 !
 address-family vpnv4
 neighbor 192.168.2.37 activate
 neighbor 192.168.2.37 send-community extended
 neighbor 196.49.1.3 activate
 neighbor 196.49.1.3 send-community extended
 exit-address-family

External MP-BGP VPNv4 Route Exchange

Having successfully enabled an external BGP session between the SuperCom and EuroCom ASBRs, you might think that VPNv4 routes will be exchanged automatically across the session. However, if you look at the routes available within the SuperCom backbone in Example 6-33, you will see that VPNv4 routes do not exist in the BGP table, including the BankCorp routes that are within the local autonomous system.

Example 6-33. MP-eBGP Session Establishment with VPNv4 Prefix Exchange

SuperComParis-ASBR#show ip bgp neighbor
BGP neighbor is 192.168.2.38,  remote AS 20, external link
  BGP version 4, remote router ID 196.49.1.1
  BGP state = Established, up for 00:08:18
  Last read 00:00:18, hold time is 180, keepalive interval is 60 seconds
  Neighbor capabilities:
    Route refresh: advertised and received(new)
    Address family VPNv4 Unicast: advertised and received

SuperComParis-ASBR#show ip bgp vpnv4 all summary
BGP router identifier 194.22.15.3, local AS number 10
BGP table version is 28, main routing table version 28

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
192.168.2.38    4    20      13      13       28    0    0 00:09:38        0
194.22.15.1     4    10    1470    1481       28    0    0 1d00h           0

The absence of VPNv4 prefix information on the ASBRs is caused by the automatic route-filtering mechanism that was described in Chapter 9, "MPLS/VPN Architecture Operation," of MPLS and VPN Architectures, Volume 1. With this feature enabled, the router only accepts VPNv4 routes if they contain a route target that matches one of the import statements within the local VRFs. In this case, no VRFs exist on the ASBRs; therefore, all VPNv4 prefix information is dropped. To resolve this issue, you must configure the no bgp default route-target filter command within the BGP process (see Example 6-34).

Example 6-34. Use of no bgp default route-target filter Command

hostname SuperComParis-ASBR
!
router bgp 10
 no bgp default ipv4-unicast
 no bgp default route-target filter

SuperComParis-ASBR#show ip bgp vpnv4 all summary
BGP router identifier 194.22.15.3, local AS number 10
BGP table version is 5, main routing table version 5
4 network entries and 4 paths using 724 bytes of memory
3 BGP path attribute entries using 168 bytes of memory
1 BGP AS-PATH entries using 24 bytes of memory
1 BGP extended community entries using 24 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP activity 13/13 prefixes, 16/12 paths, scan interval 15 secs

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
192.168.2.38    4    20      31      31        5    0    0 00:02:41        2
194.22.15.1     4    10    1488    1499        5    0    0 00:02:52        2

NOTE

A route refresh is not sent when the no bgp default route-target filter command is entered on the ASBR; therefore, the BGP session must be cleared, or a soft clearing of the BGP session must be performed, so that the previously rejected routes can be relearned.
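The summary output in Examples 6-33 and 6-34 is where this condition first shows up: the VPNv4 session is Established, yet State/PfxRcd is 0 for every peer. The following script is an added example, not code from the book. It parses the neighbor table of show ip bgp vpnv4 all summary and flags Established sessions that have delivered no prefixes, which on a router without VRFs points at the default route-target filter. The two sample outputs are copied from Examples 6-33 and 6-34; the row regular expression and the wording of the diagnosis are this example's own assumptions.

```python
"""Flag Established VPNv4 sessions that have received no prefixes.

Added example, not code from the book. The two sample outputs are the
neighbor tables of Examples 6-33 (before) and 6-34 (after 'no bgp default
route-target filter'). The row regex and the diagnosis text are assumptions
of this example, not IOS behaviour documented on the page.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Neighbor table row of 'show ip bgp vpnv4 all summary'. When the session is
# Established the last column is the prefix count; otherwise it is the state
# name (Idle, Active, ...), possibly with a qualifier such as '(Admin)'.
ROW_RE = re.compile(
    r"^(?P<peer>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<ver>\d+)\s+(?P<asn>\d+)\s+"
    r"(?P<rcvd>\d+)\s+(?P<sent>\d+)\s+(?P<tblver>\d+)\s+(?P<inq>\d+)\s+(?P<outq>\d+)\s+"
    r"(?P<updown>\S+)\s+(?P<state>.+?)\s*$"
)

BEFORE = """\
BGP router identifier 194.22.15.3, local AS number 10
BGP table version is 28, main routing table version 28

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
192.168.2.38    4    20      13      13       28    0    0 00:09:38        0
194.22.15.1     4    10    1470    1481       28    0    0 1d00h           0
"""

AFTER = """\
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
192.168.2.38    4    20      31      31        5    0    0 00:02:41        2
194.22.15.1     4    10    1488    1499        5    0    0 00:02:52        2
"""


@dataclass
class Peer:
    address: str
    remote_as: int
    up_down: str
    state: str                 # "Established" or the FSM state shown by IOS
    pfx_rcvd: Optional[int]    # prefix count when Established, else None

    @property
    def established(self) -> bool:
        return self.pfx_rcvd is not None


def parse_summary(text: str) -> List[Peer]:
    """Extract one Peer per neighbor row; preamble and header lines are skipped."""
    peers: List[Peer] = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        state = m.group("state")
        if state.isdigit():
            peers.append(Peer(m.group("peer"), int(m.group("asn")), m.group("updown"),
                              "Established", int(state)))
        else:
            peers.append(Peer(m.group("peer"), int(m.group("asn")), m.group("updown"),
                              state, None))
    return peers


def silent_peers(peers: List[Peer]) -> List[Peer]:
    """Sessions that are up but have delivered zero VPNv4 prefixes."""
    return [p for p in peers if p.established and p.pfx_rcvd == 0]


def diagnose(text: str, local_as: int, has_vrfs: bool) -> List[str]:
    """One finding per silent peer. On a router without VRFs, zero prefixes from an
    Established VPNv4 peer is the signature of the default route-target filter."""
    if has_vrfs:
        hint = "check that some local VRF imports the peer's route targets"
    else:
        hint = ("no VRFs on this router: check for 'no bgp default route-target filter' "
                "and clear or soft-clear the session afterwards")
    findings = []
    for p in silent_peers(parse_summary(text)):
        kind = "iBGP" if p.remote_as == local_as else "eBGP"
        findings.append(f"{p.address} ({kind}, AS {p.remote_as}) Established for "
                        f"{p.up_down} but 0 prefixes received; {hint}")
    return findings


if __name__ == "__main__":
    for finding in diagnose(BEFORE, local_as=10, has_vrfs=False):
        print(finding)
    print("after the fix:", diagnose(AFTER, local_as=10, has_vrfs=False))
```

Because the routers in this chapter have the iBGP peer and the eBGP peer both at zero before the fix, the check reports both; after the filter is disabled and the sessions are cleared, as the NOTE requires, the same check returns nothing.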


Having disabled the automatic route filtering feature, VPNv4 prefix information sent by other PE routers in the same MPLS VPN backbone is no longer rejected by the ASBRs. The previous example shows that the SuperCom Paris ASBR has learned routes from two different peers: 192.168.2.38, which is the EuroCom Paris ASBR, and 194.22.15.1, which is the SuperCom San Jose PE router. By examining how the SuperCom Paris ASBR sees the BankCorp 198.121.62.0/24 subnet, which is reachable via the EuroCom Munich PE router, you can see in Example 6-35 that the next-hop for this route is, in fact, the EuroCom Paris ASBR.

Example 6-35. Change of BGP Next-Hop on Inter-AS Link

SuperComParis-ASBR#show ip bgp vpnv4 all 198.121.62.0
BGP routing table entry for 99:5432:198.121.62.0/24, version 5
Paths: (1 available, best #1, no table)
  Advertised to non peer-group peers:
  194.22.15.1
  20
    192.168.2.38 from 192.168.2.38 (196.49.1.1)
      Origin incomplete, localpref 100, valid, external, best
      Extended Community: RT:20:123

As previously stated, the advertising ASBR allocates a new MPLS label to represent a particular VPNv4 prefix. This label is used to label-switch VPN traffic across the ASBR-ASBR link. Furthermore, the advertising ASBR in one MPLS VPN backbone becomes the BGP next hop in the adjacent MPLS VPN backbone, so that all the PE routers in the adjacent MPLS VPN backbone use the label that the advertising ASBR assigns as the second label in the label stack. Example 6-36 shows the label allocation for the BankCorp VPN client, as well as the corresponding label forwarding information base (LFIB) entries, on the EuroCom and SuperCom Paris ASBRs.

Example 6-36. ASBR Label Allocation for VPNv4 Prefixes

EuroComParis-ASBR#show ip bgp vpnv4 all tags
   Network          Next Hop      In tag/Out tag
Route Distinguisher: 10:4972
   192.168.2.32/30  192.168.2.37  notag/21
   198.121.63.0     192.168.2.37  notag/25
Route Distinguisher: 99:5432
   194.69.27.16/30  196.49.1.3    24/22
   198.121.62.0     196.49.1.3    25/19

EuroComParis-ASBR#show mpls forwarding
Local  Outgoing    Prefix                   Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id             switched   interface
16     Pop tag     192.168.2.37/32          0          PO8/1/0    point2point
17     Pop tag     196.49.1.2/32            0          AT4/1/0    10.2.1.22
18     Pop tag     192.168.2.32/30          0          AT4/1/0    10.2.1.22
19     12305       196.49.1.3/32            0          AT4/1/0    10.2.1.22
24     12305       99:5432:194.69.27.16/30 \
                                            0          AT4/1/0    10.2.1.22
25     12305       99:5432:198.121.62.0/24 \
                                            0          AT4/1/0    10.2.1.22

SuperComParis-ASBR#show ip bgp vpnv4 all tags
   Network          Next Hop      In tag/Out tag
Route Distinguisher: 10:4972
   192.168.2.32/30  194.22.15.1   21/18
   198.121.63.0     194.22.15.1   25/24
Route Distinguisher: 99:5432
   194.69.27.16/30  192.168.2.38  notag/24
   198.121.62.0     192.168.2.38  notag/25

SuperComParis-ASBR#show mpls forwarding
Local  Outgoing    Prefix                   Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id             switched   interface
17     Pop tag     194.22.15.8/30           0          Et10/1/1   194.22.15.6
18     Pop tag     194.22.16.0/24           0          Et10/1/1   194.22.15.6
19     16          194.22.15.1/32           0          Et10/1/1   194.22.15.6
22     Pop tag     192.168.2.38/32          0          PO10/0/0   point2point
21     16          10:4972:192.168.2.32/30 \
                                            0          Et10/1/1   194.22.15.6
25     16          10:4972:198.121.63.0/24 \
                                            0          Et10/1/1   194.22.15.6


NOTE

Example 6-36 shows that all InterAS routes are shown in VPNv4 format within the LFIB. This is so that each prefix can remain unique between the two backbones. The example also shows that only local autonomous system prefixes are shown within the LFIB. (No entries are available for routes that are learned from the adjacent VPN provider.) You will see later in this section that this behavior is driven by the next-hop-self configuration at the ASBR routers.

If you examine the BankCorp 198.121.62.0/24 subnet entries on both of the ASBRs, you can see that the EuroCom Paris ASBR has allocated a label value of <25> to that VPN prefix, and this label is used as the <out> label on the SuperCom Paris ASBR for packets sent toward this subnet. The EuroCom Paris ASBR also has an outgoing label with a value of <19>. This label is the VPN label that it received from its internal session with the originating PE router. You can confirm this by looking on the Munich PE router, as shown in Example 6-37.

NOTE

The notag entries in the previous output indicate that no local label has been allocated for the prefix. If you examine the 198.121.62.0/24 subnet on the SuperCom Paris ASBR, you can see that the <In tag> value is <notag>. This means that no LFIB entry is created for the prefix on the ASBR, and this is confirmed by examining the MPLS forwarding entries for the SuperCom ASBR in Example 6-36. However, the EuroCom Paris ASBR has allocated a local label, and a corresponding LFIB entry is created. Examination of the MPLS forwarding entries for the EuroCom Paris ASBR shows that an entry is available for the 198.121.62.0/24 subnet.

Example 6-37. Label Allocation at Originating PE Router

Munich_PE#show ip bgp vpnv4 all tags
   Network          Next Hop      In tag/Out tag
Route Distinguisher: 10:4972
   192.168.2.32/30  192.168.2.37  notag/19
   198.121.63.0     192.168.2.37  notag/20
Route Distinguisher: 99:5432 (BankCorp)
   194.69.27.16/30  0.0.0.0       17/aggregate(BankCorp)
   198.121.62.0     194.69.27.17  19/notag
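To see how the labels in Examples 6-36 and 6-37 fit together on the data plane, the following script is an added example, not code from the book: it traces the label stack of a packet for the BankCorp 198.121.62.0/24 subnet from the SuperCom side to the Munich PE, using the LFIB and In tag/Out tag values shown above. Two things are assumed because the page does not show them: that the San Jose PE is one LDP hop from the SuperCom Paris ASBR, so the transport label it pushes for next hop 192.168.2.38 is that ASBR's local label 22, and that the EuroCom core (modelled here as a single pseudo-router named EuroCom-core) carries a packet sent on ATM VC 12305 to the Munich PE and removes that label before delivery. This is the path once 192.168.2.38 is reachable from the SuperCom PE routers; the book does not show the label tables after next-hop-self is configured.

```python
"""Trace the label stack of a BankCorp packet from the SuperCom San Jose PE
to the EuroCom Munich PE using the labels shown in Examples 6-36 and 6-37.

Added example, not code from the book. Assumptions not on the page: the San
Jose PE is one LDP hop from the SuperCom Paris ASBR (transport label 22 for
192.168.2.38/32), and "EuroCom-core" stands for the EuroCom ATM core, which
terminates VC 12305 and hands the packet to the Munich PE.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

POP = "Pop"
Action = Union[int, str]   # outgoing label, or POP

# Transport LFIB per router: local label -> (outgoing label or POP, next router),
# from 'show mpls forwarding' in Example 6-36. Next hops are named by router
# where the page identifies them, otherwise by the address shown.
LFIB: Dict[str, Dict[int, Tuple[Action, str]]] = {
    "SuperComParis-ASBR": {
        17: (POP, "194.22.15.6"),         # 194.22.15.8/30
        18: (POP, "194.22.15.6"),         # 194.22.16.0/24
        19: (16, "194.22.15.6"),          # 194.22.15.1/32, the San Jose PE
        22: (POP, "EuroComParis-ASBR"),   # 192.168.2.38/32, PO10/0/0 point2point
        21: (16, "194.22.15.6"),          # 10:4972:192.168.2.32/30
        25: (16, "194.22.15.6"),          # 10:4972:198.121.63.0/24
    },
    "EuroComParis-ASBR": {
        16: (POP, "SuperComParis-ASBR"),  # 192.168.2.37/32, PO8/1/0 point2point
        17: (POP, "10.2.1.22"),           # 196.49.1.2/32
        18: (POP, "10.2.1.22"),           # 192.168.2.32/30
        19: (12305, "EuroCom-core"),      # 196.49.1.3/32, the Munich PE, ATM VC 12305
        24: (12305, "EuroCom-core"),      # 99:5432:194.69.27.16/30
        25: (12305, "EuroCom-core"),      # 99:5432:198.121.62.0/24
    },
    # Assumption: the EuroCom core terminates VC 12305 and delivers to Munich.
    "EuroCom-core": {12305: (POP, "Munich_PE")},
}

# VPN labels from 'show ip bgp vpnv4 all tags'. On the EuroCom ASBR an inter-AS
# In tag is swapped for the Out tag learned from the originating PE (25 -> 19);
# on the Munich PE the In tag selects the VRF and prefix (Example 6-37).
ASBR_VPN_SWAP: Dict[str, Dict[int, int]] = {"EuroComParis-ASBR": {24: 22, 25: 19}}
PE_VPN_LABELS: Dict[str, Dict[int, Tuple[str, str]]] = {
    "Munich_PE": {17: ("BankCorp", "194.69.27.16/30"), 19: ("BankCorp", "198.121.62.0/24")},
}


@dataclass
class Step:
    router: str
    stack: List[int]                              # stack after this router processed it
    note: str
    next_router: Optional[str] = None             # None when delivered or dropped
    delivered: Optional[Tuple[str, str]] = None   # (VRF, prefix) at the egress PE


def forward(router: str, stack: List[int]) -> Step:
    """Process the top label at one router as its LFIB / VPN label table dictates."""
    if not stack:
        return Step(router, stack, "unlabelled packet: dropped")
    top, rest = stack[0], stack[1:]
    if router in PE_VPN_LABELS:                   # egress PE: VPN label selects the VRF
        target = PE_VPN_LABELS[router].get(top)
        if target is None:
            return Step(router, stack, f"VPN label {top} not allocated here: dropped")
        return Step(router, rest, f"VPN label {top} -> VRF {target[0]}, {target[1]}",
                    delivered=target)
    entry = LFIB.get(router, {}).get(top)
    if entry is None:
        return Step(router, stack, f"label {top} not in LFIB: dropped")
    out, nxt = entry
    swap = ASBR_VPN_SWAP.get(router, {}).get(top)
    if swap is not None:
        # Inter-AS VPN label: swap to the originating PE's label, push the transport label.
        return Step(router, [out, swap] + rest, f"swap {top}->{swap}, push {out}", nxt)
    if out == POP:
        return Step(router, rest, f"pop {top}", nxt)
    return Step(router, [out] + rest, f"swap {top}->{out}", nxt)


def trace_packet(first_router: str, stack: List[int], max_hops: int = 10) -> List[Step]:
    """Follow a label stack hop by hop until it reaches a VRF or is dropped."""
    steps: List[Step] = []
    router: Optional[str] = first_router
    while router is not None and len(steps) < max_hops:
        step = forward(router, stack)
        steps.append(step)
        router, stack = step.next_router, step.stack
    return steps


def delivered_to(steps: List[Step]) -> Optional[Tuple[str, str]]:
    """(VRF, prefix) reached at the egress PE, or None if the packet was dropped."""
    return steps[-1].delivered


if __name__ == "__main__":
    # The San Jose PE imposes [transport label toward 192.168.2.38, VPN label 25],
    # label 25 being the 'notag/25' entry the SuperCom ASBR shows for the prefix.
    for s in trace_packet("SuperComParis-ASBR", [22, 25]):
        print(f"{s.router:20} {s.note:42} stack now {s.stack}")
```

Running the trace reproduces what the text describes: the SuperCom ASBR only pops its transport label and forwards label 25 unchanged across the inter-AS link, the EuroCom ASBR swaps 25 for the Munich PE's label 19 and pushes its own transport label, and the Munich PE maps 19 to the BankCorp VRF. A label that the EuroCom ASBR never allocated is dropped there, which is the reason the NOTE gives for keeping inter-AS entries in VPNv4 format: labels only have meaning on the router that allocated them.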

Having distributed all the label information across the SuperCom and EuroCom backbone networks, connectivity should be available within the BankCorp VPN. However, as Example 6-38 shows, for some reason, connectivity to the 198.121.62.0/24 subnet is not available at the BankCorp Santa Clara CE router.

Example 6-38. Loss of Connectivity to BankCorp Berlin in Santa Clara

SantaClara-CE#show ip route 198.121.62.0 255.255.255.0
% Network not in table

Examination of the San Jose PE router in Example 6-39 highlights the cause of the problem. It is a classic BGP-4 next-hop problem associated with the combination of internal and external BGP. The BGP-4 next hop of the 198.121.62.0/24 subnet is set to 192.168.2.38, which is the EuroCom Paris ASBR. This prefix is not accessible within the SuperCom backbone; therefore, the BGP route is not imported into the BankCorp VRF.

Example 6-39. BGP Next-Hop Inaccessible to SuperCom Backbone

SanJose-PE#show ip bgp vpnv4 all 198.121.62.0
BGP routing table entry for 99:5432:198.121.62.0/24, version 0
Paths: (1 available, no best path)
  Not advertised to any peer
  20
    192.168.2.38 (inaccessible) from 194.22.15.3 (194.22.15.3)
      Origin incomplete, localpref 100, valid, internal
      Extended Community: RT:20:123

To rectify this problem, SuperCom can do one of two things. It can either make the ASBR link available within its IGP, or it can change the BGP-4 next-hop of any routes it receives from EuroCom, prior to advertisement within the local autonomous system.

To inject the ASBR link into the SuperCom IGP, you could configure redistribution of connected subnets at the ASBR, or you could include connected subnets into the IGP running on the ASBR and turn them into passive interfaces. However, whenever external Multiprotocol BGP is configured for a VPNv4 adjacency, a /32 host route for the adjacent ASBR is automatically created so that an LSP can be built from an ingress PE router to the ASBR. Therefore, injection of the ASBR address into the IGP is straightforward; you only need to redistribute connected host routes into the IGP routing process.

SuperCom has elected to change the next-hop of the routes rather than inject the adjacent ASBR's IP address into the IGP. As Example 6-40 shows, connectivity within the BankCorp VPN is now available.

Example 6-40. Change of BGP Next-Hop at SuperCom Paris ASBR

hostname SuperComParis-ASBR
!
router bgp 10
 no bgp default ipv4-unicast
 no bgp default route-target filter
 bgp log-neighbor-changes
 neighbor 192.168.2.38 remote-as 20
 neighbor 194.22.15.1 remote-as 10
 neighbor 194.22.15.1 update-source Loopback0
 no auto-summary
 !
 address-family vpnv4
 neighbor 192.168.2.38 activate
 neighbor 192.168.2.38 send-community extended
 neighbor 194.22.15.1 activate
 neighbor 194.22.15.1 next-hop-self
 neighbor 194.22.15.1 send-community extended
 exit-address-family


SanJose-PE#show ip bgp vpnv4 all 198.121.62.0
BGP routing table entry for 10:4972:198.121.62.0/24, version 32
Paths: (1 available, best #1, table BankCorp)
  Not advertised to any peer
  20, imported path from 99:5432:198.121.62.0/24
    194.22.15.3 (metric 20) from 194.22.15.3 (194.22.15.3)
      Origin incomplete, localpref 100, valid, internal, best
      Extended Community: RT:20:123

SantaClara-CE#show ip route 198.121.62.0 255.255.255.0
Routing entry for 198.121.62.0/24
  Known via "rip", distance 120, metric 1
  Tag 20
  Redistributing via rip
  Advertised by rip (self originated)
  Last update from 192.168.2.34 on Ethernet3/1, 00:00:22 ago
  Routing Descriptor Blocks:
  * 192.168.2.34, from 192.168.2.34, 00:00:22 ago, via Ethernet3/1
      Route metric is 1, traffic share count is 1

SantaClara-CE#ping 198.121.62.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 198.121.62.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/6/8 ms

Changing the next-hop address at the advertising ASBR has some implications. Whenever the BGP next-hop of a VPNv4 prefix is changed, a new label has to be assigned by the BGP router that changed the next-hop attribute. Therefore, when the BGP next-hop of an eBGP VPNv4 prefix is changed by the receiving ASBR, it has to allocate another MPLS label for the VPNv4 prefix prior to advertisement of the route into the local MPLS VPN backbone. As a result, if the next-hop-self command is used on both the sending ASBR and the receiving ASBR, they each have to allocate an MPLS label for every VPN route exchanged between the MPLS VPN backbones.

If you examine the Multiprotocol BGP and LFIB entries for the 198.121.62.0/24 subnet on the SuperCom Paris ASBR again, in Example 6-41, you can see that a local label has been allocated and a corresponding LFIB entry has been created.

Example 6-41. End-to-End LSP Within BankCorp VPN

SuperComParis-ASBR#show ip bgp vpnv4 all tags
   Network          Next Hop      In tag/Out tag
Route Distinguisher: 10:4972
   192.168.2.32/30  194.22.15.1   21/18
   198.121.63.0     194.22.15.1   25/24
Route Distinguisher: 99:5432
   194.69.27.16/30  192.168.2.38  26/24
   198.121.62.0     192.168.2.38  27/25

SuperComParis-ASBR#show mpls forwarding
Local  Outgoing    Prefix                    Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id              switched   interface
17     Pop tag     194.22.15.8/30            0          Et10/1/1   194.22.15.6
18     Pop tag     194.22.16.0/24            0          Et10/1/1   194.22.15.6
19     16          194.22.15.1/32            0          Et10/1/1   194.22.15.6
21     16          10:4972:192.168.2.32/30   \
                                             0          Et10/1/1   194.22.15.6
22     Pop tag     192.168.2.38/32           0          PO10/0/0   point2point
25     16          10:4972:198.121.63.0/24   \
                                             0          Et10/1/1   194.22.15.6
26     24          99:5432:194.69.27.16/30   \
                                             0          PO10/0/0   point2point
27     25          99:5432:198.121.62.0/24   \
                                             0          PO10/0/0   point2point

Example 6-42 shows the LSP for the 198.121.62.0/24 subnet, from the viewpoint of the SuperCom San Jose PE router. Figure 6-19 provides an illustration of this LSP.

Example 6-42. End-to-End LSP Within BankCorp VPN

SanJose-PE#show ip cef vrf BankCorp 198.121.62.0
198.121.62.0/24, version 19, cached adjacency to Serial4/0
0 packets, 0 bytes
  tag information set
    local tag: VPN route head
    fast tag rewrite with Se4/0, point2point, tags imposed {18 23}
  via 194.22.15.3, 0 dependencies, recursive
    next hop 194.22.15.9, Serial4/0 via 194.22.15.3/32
    valid cached adjacency
    tag rewrite with Se4/0, point2point, tags imposed {17 27}

SuperComParis-ASBR#show mpls forwarding label 27
Local  Outgoing    Prefix                    Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id              switched   interface
27     25          99:5432:198.121.62.0/24   \
                                             1080       PO10/0/0   point2point

EuroComParis-ASBR#show mpls forwarding label 25
Local  Outgoing    Prefix                    Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id              switched   interface
25     27          99:5432:198.121.62.0/24   \
                                             1200       AT4/1/0    10.2.1.22

EuroComParis-ASBR#show mpls forwarding label 25 detail
Local  Outgoing    Prefix                    Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id              switched   interface
25     27          99:5432:198.121.62.0/24   \
                                             1200       AT4/1/0    10.2.1.22
        MAC/Encaps=12/20, MTU=4466, Tag Stack{27 19}
        00040000AAAA030000008847 0001B00000013000
        No output feature configured

Munich_PE#show mpls forwarding label 19
Local  Outgoing    Prefix                    Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id              switched   interface
19     Untagged    198.121.62.0/24[V]        \
                                             2280       Et4/0      194.69.27.17

Figure 6-19. LSP for BankCorp Inter-AS Connectivity




Multihop Multiprotocol eBGP for VPNv4 Prefix Exchange

With the growing success of the VPN service within each of the service providers' backbones, SuperCom and EuroCom have a requirement to increase the amount of bandwidth available between their two autonomous systems. To achieve this, an extra link is added between the Paris ASBRs. The link will be used to load balance traffic between the routers. The configuration of the new link is shown in Example 6-43.

Example 6-43. Additional Link Between Paris ASBRs

hostname SuperComParis-ASBR
!
interface POS1/0/0
 description ** first interface to EuroCom Paris-ASBR
 ip address 192.168.2.41 255.255.255.252
!
interface POS10/0/0
 description ** second interface to EuroCom Paris-ASBR
 ip address 192.168.2.37 255.255.255.252

hostname EuroComParis-ASBR
!
interface POS8/1/0
 description ** first interface to SuperCom Paris-ASBR
 ip address 192.168.2.38 255.255.255.252
!
interface POS9/0/0
 description ** second interface to SuperCom Paris-ASBR
 ip address 192.168.2.42 255.255.255.252

Having deployed the new link, it is necessary to make some changes to the previous BGP configuration so that both links can be used to carry traffic. Adding the new link is not enough to distribute the traffic, because all the Inter-AS routes are seen with a BGP next-hop address that is directly connected to the ASBR. This is illustrated in Example 6-44, which shows that the SuperCom Paris ASBR sees all routes from EuroCom with a BGP next-hop of 192.168.2.38. This next-hop is reachable via the directly connected interface POS10/0/0.

Example 6-44. BGP Next-Hop Usage on SuperCom Paris ASBR

SuperComParis-ASBR#show ip bgp vpnv4 rd 99:5432
BGP table version is 13, local router ID is 194.22.15.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 99:5432
*> 194.69.27.16/30  192.168.2.38                           0 20 ?
*> 198.121.62.0     192.168.2.38                           0 20 ?

SuperComParis-ASBR#show ip route 192.168.2.38
Routing entry for 192.168.2.38/32
  Known via "connected", distance 0, metric 0 (connected, via interface)
  Redistributing via isis
  Advertised by isis metric 0 metric-type internal level-2
  Routing Descriptor Blocks:
  * directly connected, via POS10/0/0
      Route metric is 0, traffic share count is 1




To achieve the required load balancing, you can use a Multihop Multiprotocol BGP session between the SuperCom and EuroCom ASBRs. This session should run between two loopback interfaces (for stability reasons). You can achieve load balancing by recursion of the BGP next hop to the directly connected interfaces. SuperCom and EuroCom do not want to run an IGP between their ASBRs, so the first part of the new configuration is to add static routes that point to each other's loopback interfaces. To make sure that the loopback interfaces are reachable via both of the links, you need two static routes, as shown in Example 6-45. Figure 6-20 shows how the two ASBRs are connected in this environment.

Example 6-45. Static Routes Between ASBRs

hostname SuperComParis-ASBR
!
ip route 196.49.1.1 255.255.255.255 192.168.2.42
ip route 196.49.1.1 255.255.255.255 192.168.2.38

hostname EuroComParis-ASBR
!
ip route 194.22.15.3 255.255.255.255 192.168.2.41
ip route 194.22.15.3 255.255.255.255 192.168.2.37

Figure 6-20. Multihop MP-eBGP Between ASBRs


With the relevant static routes in place, you can configure the ASBRs for a Multihop Multiprotocol BGP session. You can use the loopback interface addresses as the BGP peering endpoints. The relevant configuration for both ASBRs is shown in Example 6-46.

Example 6-46. Multihop MP-eBGP Configuration of ASBRs

hostname SuperComParis-ASBR
!
router bgp 10
 neighbor 196.49.1.1 remote-as 20
 neighbor 196.49.1.1 ebgp-multihop 255
 neighbor 196.49.1.1 update-source Loopback0
 !
 address-family vpnv4
 neighbor 196.49.1.1 activate
 neighbor 196.49.1.1 send-community extended

hostname EuroComParis-ASBR
!
router bgp 20
 neighbor 194.22.15.3 remote-as 10
 neighbor 194.22.15.3 ebgp-multihop 255
 neighbor 194.22.15.3 update-source Loopback0
 !
 address-family vpnv4
 neighbor 194.22.15.3 activate
 neighbor 194.22.15.3 send-community extended

Now that a Multihop Multiprotocol BGP session is available between the ASBRs, we can compare the reachability information provided in Example 6-47 with the output of Example 6-44 to see that the BGP next-hop has changed. This next-hop is reachable via the two parallel links between the ASBRs.

Example 6-47. Change of BGP Next-Hop with Multihop MP-eBGP

SuperComParis-ASBR#show ip bgp vpnv4 rd 99:5432
BGP table version is 5, local router ID is 194.22.15.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 99:5432
*> 194.69.27.16/30  196.49.1.1                             0 20 ?
*> 198.121.62.0     196.49.1.1                             0 20 ?

SuperComParis-ASBR#show ip route 196.49.1.1
Routing entry for 196.49.1.1/32
  Known via "static", distance 1, metric 0
  Routing Descriptor Blocks:
  * 192.168.2.42
      Route metric is 0, traffic share count is 1
    192.168.2.38
      Route metric is 0, traffic share count is 1

Whenever you use Multihop BGP between two ASBRs, there is the possibility that further routers lie in the path between the two BGP speakers. The MPLS VPN architecture requires that a packet be label-switched all the way to the originator of a particular VPN route, and this includes the ASBRs when you are running Inter-AS solutions.


You can see from Example 6-48 that the SuperCom Paris ASBR learns all routes from EuroCom with a next-hop of 196.49.1.1/32, which is the EuroCom Paris ASBR. The corresponding LFIB entry shows that it has two paths to this next-hop, but the outgoing label on both is set to untagged.

Example 6-48. SuperCom ASBR LDP Requirement

SuperComParis-ASBR#show ip bgp vpnv4 rd 99:5432
BGP table version is 9, local router ID is 197.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 99:5432
*> 194.69.27.16/30  196.49.1.1                             0 20 ?
*> 198.121.62.0     196.49.1.1                             0 20 ?

SuperComParis-ASBR#show mpls forwarding 196.49.1.1
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
16     Untagged    196.49.1.1/32     0          PO1/0/0    point2point
       Untagged    196.49.1.1/32     0          PO10/0/0   point2point

Example 6-49 shows that the untagged entry causes the SuperCom Paris ASBR to send all packets for the 198.121.62.0/24 subnet with only one label: the VPN label. The VPN label has a value of 25, as allocated by the EuroCom ASBR.

Example 6-49. Label Stack Prior to LDP on ASBR Links

SuperComParis-ASBR#show ip bgp vpnv4 rd 99:5432 tags
   Network          Next Hop      In tag/Out tag
Route Distinguisher: 99:5432
   194.69.27.16/30  196.49.1.1    23/24
   198.121.62.0     196.49.1.1    20/25

SuperComParis-ASBR#show mpls forwarding label 20 detail
Local  Outgoing    Prefix                    Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id              switched   interface
20     Recursive   99:5432:198.121.62.0/24   \
                                             0
        Recursive rewrite via 196.49.1.1/32, Tag Stack{25}
        00019000
        No output feature configured

The SuperCom router has no way of knowing how many devices lie between it and the adjacent ASBR. Therefore, LDP/TDP is required on the ASBR-ASBR link so that packets carry a label for the next-hop and the VPN label that the EuroCom Paris ASBR allocated is not exposed as the top label before the packets reach it. To complete the configuration of the SuperCom and EuroCom ASBRs, you must add the mpls ip command (shown in its older tag-switching ip form in the configuration) to each ASBR link interface, as shown in Example 6-50.

Example 6-50. LDP Configuration on ASBR Links

hostname SuperComParis-ASBR
!
interface POS1/0/0
 description ** first interface to EuroCom Paris-ASBR
 ip address 192.168.2.41 255.255.255.252
 tag-switching ip
!
interface POS10/0/0
 description ** second interface to EuroCom Paris-ASBR
 ip address 192.168.2.37 255.255.255.252
 tag-switching ip

hostname EuroComParis-ASBR
!
interface POS8/1/0
 description ** first interface to SuperCom Paris-ASBR
 ip address 192.168.2.38 255.255.255.252
 tag-switching ip
!
interface POS9/0/0
 description ** second interface to SuperCom Paris-ASBR
 ip address 192.168.2.42 255.255.255.252
 tag-switching ip

Having enabled LDP across each of the ASBR links, you can see in Example 6-51 that the LSP has been created. In this case, the LDP label is implicit-null because there are no further devices between the two ASBRs, so the VPN label is still the only label sent on the wire; the difference is that the outgoing action is now a deliberate pop, and if a router were later inserted between the ASBRs, LDP would assign a real label for that hop.

Example 6-51. Label Stack After LDP Is Enabled on ASBR Links

SuperComParis-ASBR#show mpls ldp binding 196.49.1.1 255.255.255.255
  tib entry: 196.49.1.1/32, rev 37
        local binding:  tag: 16
        remote binding: tsr: 196.49.1.1:0, tag: imp-null

SuperComParis-ASBR#show mpls forwarding 196.49.1.1
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
16     Pop tag     196.49.1.1/32     0          PO1/0/0    point2point
       Pop tag     196.49.1.1/32     0          PO10/0/0   point2point

SuperComParis-ASBR#show mpls forwarding label 20 detail
Local  Outgoing    Prefix                    Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id              switched   interface
20     Recursive   99:5432:198.121.62.0/24   \
                                             0
        Recursive rewrite via 196.49.1.1/32, Tag Stack{25}
        00019000
        No output feature configured

Multihop Multiprotocol eBGP Between Route Reflectors

The last Inter-AS connectivity option that we will consider is a combination of the previous two options. This option uses External Multiprotocol BGP functionality, along with multihop sessions, between the two service providers. It provides some advantages over the other scenarios discussed in this chapter, including enhanced scalability, removal of LFIB duplication at the ASBRs, and the ability to remove VPN routes altogether from the ASBRs.

External Multiprotocol BGP is once again used to exchange local VPNv4 prefix/label information between the service providers. However, instead of exchanging this information between the ASBRs, this option exchanges routes directly between the route reflectors. Because the route reflectors of the different service providers will not be directly connected, multihop functionality is required to allow the successful establishment of the BGP session.

The PE router next-hops for the VPNv4 routes that are exchanged between the route reflectors are advertised across the ASBR link, for subsequent distribution within the adjacent service provider. This means that the loopback addresses of the PE routers that originated the VPN routes in the other autonomous system must be known to the local autonomous system. You will see later in this section that you can deploy this distribution either through an IGP or static routing, or via BGP with extensions to carry MPLS label information.

Figure 6-21 shows how you can use this connectivity model between the SuperCom and EuroCom networks.

Figure 6-21. Multihop MP-eBGP Between Route Reflectors

Within each of the service provider backbones, each PE router has a Multiprotocol BGP session with the local route reflector, and exchanges all of its local VPNv4 routes with it. The configuration of the SuperCom and EuroCom route reflectors, to support the exchange of routes with the local PE routers, is shown in Example 6-52.

NOTE

Our example configuration shows only one route reflector in each backbone. In a real deployment, you should use dual route reflectors for redundancy. Multiple route reflectors can support the edge topology.

Example 6-52. Configuration of SuperCom and EuroCom Route Reflectors

hostname SuperCom-RR
!
router bgp 10
 neighbor 194.22.15.1 remote-as 10
 neighbor 194.22.15.1 description SanJose PE-router
 neighbor 194.22.15.1 update-source Loopback0
 !
 address-family vpnv4
 neighbor 194.22.15.1 activate
 neighbor 194.22.15.1 route-reflector-client
 neighbor 194.22.15.1 send-community extended
 exit-address-family

hostname EuroCom-RR
!
router bgp 20
 neighbor 196.49.1.3 remote-as 20
 neighbor 196.49.1.3 description Munich PE-router
 neighbor 196.49.1.3 update-source Loopback0
 !
 address-family vpnv4
 neighbor 196.49.1.3 activate
 neighbor 196.49.1.3 route-reflector-client
 neighbor 196.49.1.3 send-community extended
 exit-address-family

Now that you have established the local BGP sessions, all local VPNv4 prefix/label information is available at each route reflector. You must advertise this information between the two service providers via a Multihop External Multiprotocol BGP session, as shown in Figure 6-21. The additions to the previous configuration example that support this new BGP session are shown in Example 6-53.

Example 6-53. Multihop MP-eBGP Session Between Route Reflectors

hostname SuperCom-RR
!
router bgp 10
 neighbor 196.49.1.2 remote-as 20
 neighbor 196.49.1.2 description EuroCom-RR
 neighbor 196.49.1.2 ebgp-multihop 255
 neighbor 196.49.1.2 update-source Loopback0
 !
 address-family vpnv4
 neighbor 196.49.1.2 activate
 neighbor 196.49.1.2 send-community extended

hostname EuroCom-RR
!
router bgp 20
 neighbor 194.22.16.1 remote-as 10
 neighbor 194.22.16.1 description SuperCom-RR
 neighbor 194.22.16.1 ebgp-multihop 255
 neighbor 194.22.16.1 update-source Loopback0
 !
 address-family vpnv4
 neighbor 194.22.16.1 activate
 neighbor 194.22.16.1 send-community extended
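The route reflector session in Example 6-53 depends on several neighbor settings working together: ebgp-multihop (the reflectors are not adjacent), update-source (the peer expects the session from the loopback address it has a leaked route for), activation under the VPNv4 address family, and send-community extended (without it the route targets are not sent and the peer imports nothing). The following Python linter is added here as an example and is not part of the book: it parses an IOS-style router bgp stanza for one router and reports any eBGP neighbor missing one of those settings. Two of its checks are this editor's hardening additions rather than the book's: it notes an ebgp-multihop of 255, which accepts the session at any TTL, and the absence of a neighbor password on an inter-AS session. The configuration it checks is constructed from Example 6-53; the hardened variant and its password value are illustrative.

```python
"""Lint a route reflector's inter-AS MP-eBGP session configuration.

Added example, not from the book. Parses one router's IOS-style 'router bgp'
stanza and checks each eBGP neighbor (remote-as differs from the local AS)
for the settings the multihop RR-to-RR session relies on. The TTL note and
the password check are this editor's additions; the book configures neither.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Neighbor:
    remote_as: Optional[int] = None
    multihop: Optional[int] = None      # None means ebgp-multihop is not configured
    update_source: Optional[str] = None
    password: bool = False
    vpnv4_activate: bool = False
    send_community_extended: bool = False


def parse_bgp(config: str) -> Tuple[Optional[int], Dict[str, Neighbor]]:
    """Return (local AS, neighbors by address) from a single router's configuration."""
    local_as: Optional[int] = None
    neighbors: Dict[str, Neighbor] = {}
    in_vpnv4 = False
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"router bgp (\d+)$", line)
        if m:
            local_as, in_vpnv4 = int(m.group(1)), False
            continue
        if line.startswith("address-family"):
            in_vpnv4 = line.startswith("address-family vpnv4")
            continue
        if line == "exit-address-family":
            in_vpnv4 = False
            continue
        m = re.match(r"neighbor (\S+) (\S+)(?:\s+(.*))?$", line)
        if not m:
            continue
        addr, keyword, rest = m.group(1), m.group(2), (m.group(3) or "")
        nb = neighbors.setdefault(addr, Neighbor())
        if keyword == "remote-as":
            nb.remote_as = int(rest)
        elif keyword == "ebgp-multihop":
            nb.multihop = int(rest) if rest else 255   # IOS default TTL when no count is given
        elif keyword == "update-source":
            nb.update_source = rest
        elif keyword == "password":
            nb.password = True
        elif keyword == "activate" and in_vpnv4:
            nb.vpnv4_activate = True
        elif keyword == "send-community" and in_vpnv4 and rest in ("extended", "both"):
            nb.send_community_extended = True
    return local_as, neighbors


def lint_rr_ebgp(config: str) -> List[str]:
    """One finding per missing or weak setting on each eBGP neighbor; empty list means complete."""
    local_as, neighbors = parse_bgp(config)
    findings: List[str] = []
    for addr, nb in neighbors.items():
        if nb.remote_as is None or nb.remote_as == local_as:
            continue  # iBGP (route-reflector-client) sessions are out of scope here
        if nb.multihop is None:
            findings.append(f"{addr}: no ebgp-multihop; a non-adjacent RR peer cannot establish")
        elif nb.multihop == 255:
            findings.append(f"{addr}: ebgp-multihop 255 accepts the session at any TTL; set the real hop count")
        if nb.update_source is None:
            findings.append(f"{addr}: no update-source; the peer expects the session from the loopback")
        if not nb.vpnv4_activate:
            findings.append(f"{addr}: not activated under address-family vpnv4")
        if not nb.send_community_extended:
            findings.append(f"{addr}: send-community extended missing; route targets would not be sent")
        if not nb.password:
            findings.append(f"{addr}: no neighbor password (MD5) on an inter-AS session")
    return findings


# Constructed from the SuperCom-RR configuration in Example 6-53.
SUPERCOM_RR = """\
hostname SuperCom-RR
!
router bgp 10
 neighbor 194.22.15.1 remote-as 10
 neighbor 194.22.15.1 update-source Loopback0
 neighbor 196.49.1.2 remote-as 20
 neighbor 196.49.1.2 description EuroCom-RR
 neighbor 196.49.1.2 ebgp-multihop 255
 neighbor 196.49.1.2 update-source Loopback0
 !
 address-family vpnv4
 neighbor 194.22.15.1 activate
 neighbor 194.22.15.1 route-reflector-client
 neighbor 194.22.15.1 send-community extended
 neighbor 196.49.1.2 activate
 neighbor 196.49.1.2 send-community extended
 exit-address-family
"""

# Editor's illustrative hardened variant: bounded TTL and a (placeholder) neighbor password.
HARDENED_RR = SUPERCOM_RR.replace(
    " neighbor 196.49.1.2 ebgp-multihop 255\n",
    " neighbor 196.49.1.2 ebgp-multihop 4\n neighbor 196.49.1.2 password ExampleOnly\n",
)

if __name__ == "__main__":
    for name, cfg in (("book", SUPERCOM_RR), ("hardened", HARDENED_RR)):
        print(name, lint_rr_ebgp(cfg) or ["no findings"])
```

Run it against each route reflector's configuration separately; the parser tracks a single router bgp stanza, so the two hostname blocks of Example 6-53 should be passed one at a time.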

So that you can successfully establish this session, each of the route reflectors must be reachable from the other service provider; therefore, you must leak the routes between the routing domains. You can achieve this in a number of ways, but in our example, static routes have been configured at each ASBR. These static routes point to the route reflector address within the adjacent service provider. The routes are redistributed into the IGP at each ASBR, the BGP session is created, and VPNv4 prefix/label information is exchanged, as shown in Example 6-54.

Example 6-54. Successful Exchange of VPNv4 Routes Between Route Reflectors

SuperCom-RR#show ip bgp vpnv4 all summary
BGP router identifier 194.22.16.1, local AS number 10
BGP table version is 5, main routing table version 5
4 network entries and 4 paths using 724 bytes of memory
3 BGP path attribute entries using 168 bytes of memory
1 BGP AS-PATH entries using 24 bytes of memory
1 BGP extended community entries using 24 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP activity 4/12 prefixes, 4/0 paths, scan interval 15 secs

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
194.22.15.1     4    10      75      75        5    0    0 01:09:11        2
196.49.1.2      4    20       8       8        5    0    0 00:02:19        2

SuperCom-RR#show ip bgp vpnv4 all
BGP table version is 5, local router ID is 194.22.16.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 10:4972
*>i192.168.2.32/30  194.22.15.1              0    100      0 ?
*>i198.121.63.0     194.22.15.1              1    100      0 ?
Route Distinguisher: 99:5432
*> 194.69.27.16/30  196.49.1.2                             0 20 ?
*> 198.121.62.0     196.49.1.2                             0 20 ?

Although Example 6-54 shows that the SuperCom route reflector has all the VPNv4 routes from the EuroCom route reflector, it also highlights a problem in the forwarding path. The BGP next-hop for the routes is 196.49.1.2, which is the address of the EuroCom route reflector. Using this IP address as the next-hop will cause all inter-site traffic between the BankCorp Santa Clara and Berlin sites to be forwarded through the EuroCom route reflector, which is clearly not desirable. You will see later how the end-to-end LSP between the BankCorp sites is built using IPv4 + Labels on the ASBR-ASBR link, but for now, assume that Figure 6-22 shows the path that traffic will take between the BankCorp sites with this configuration. Example 6-55 shows a printout of the LSP.

Example 6-55. BankCorp LSP through the EuroCom Route Reflector

SanJose-PE#show ip cef vrf BankCorp 198.121.62.0
198.121.62.0/24, version 35, cached adjacency to Serial4/0
0 packets, 0 bytes
  tag information set
    local tag: VPN route head
    fast tag rewrite with Se4/0, point2point, tags imposed {18 12310}
  via 196.49.1.2, 0 dependencies, recursive
    next hop 194.22.15.9, Serial4/0 via 196.49.1.2/32
    valid cached adjacency
    tag rewrite with Se4/0, point2point, tags imposed {18 23}

SuperCom-RR#show mpls forwarding label 18 detail
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
18     25          196.49.1.2/32     1736       Et5/1      194.22.15.5
        MAC/Encaps=14/18, MTU=1500, Tag Stack{25}

SuperComParis-ASBR#show mpls forwarding label 25 detail
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
25     17          196.49.1.2/32     3275       PO10/0/0   point2point
        MAC/Encaps=4/8, MTU=4470, Tag Stack{17}

EuroComParis-ASBR#show mpls forwarding label 17 detail
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
17     Pop tag     196.49.1.2/32     8107       AT4/1/0    10.2.1.22
        MAC/Encaps=12/12, MTU=4474, Tag Stack{}

EuroCom-RR#show mpls forwarding label 23 detail
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
12310  19          99:5432:198.121.62.0/24 \
                                     3286       AT1/1.1    point2point
        MAC/Encaps=12/16, MRU=4470, Tag Stack{19}

Munich_PE#show mpls forwarding label 19 detail
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
19     Untagged    198.121.62.0/24[V] \
                                     4668       Et4/0      194.69.27.17
        MAC/Encaps=0/0, MTU=1504, Tag Stack{}

Figure 6-22. BankCorp LSP via EuroCom Route Reflector
Change of BGP Next-Hop at the Route Reflectors

So that you can overcome the forwarding issue that was highlighted in the previous section, a new feature has been introduced to prohibit the route reflector from rewriting the BGP next-hop attribute when advertising routes to external neighbors. This feature is known as next-hop-unchanged. You must configure the SuperCom and EuroCom route reflectors to use this feature, as shown in Example 6-56.

Example 6-56. Next-Hop-Unchanged Feature for Route Reflectors

hostname SuperCom-RR
!
router bgp 10
 neighbor 196.49.1.2 remote-as 20
 neighbor 196.49.1.2 description EuroCom-RR
 neighbor 196.49.1.2 ebgp-multihop 255
 neighbor 196.49.1.2 update-source Loopback0
 !
 address-family vpnv4
 neighbor 196.49.1.2 activate
 neighbor 196.49.1.2 next-hop-unchanged
 neighbor 196.49.1.2 send-community extended

hostname EuroCom-RR
!
router bgp 20
 neighbor 194.22.16.1 remote-as 10
 neighbor 194.22.16.1 description SuperCom-RR
 neighbor 194.22.16.1 ebgp-multihop 255
 neighbor 194.22.16.1 update-source Loopback0
 !
 address-family vpnv4
 neighbor 194.22.16.1 activate
 neighbor 194.22.16.1 next-hop-unchanged
 neighbor 194.22.16.1 send-community extended

Now that you have set this configuration at the route reflectors, Example 6-57 shows that the SuperCom route reflector learns all the VPNv4 routes within the EuroCom network with a next hop of the originating PE router, which in this case is the Munich PE router. You will see later in this chapter how the LSP between the BankCorp sites has changed so that it bypasses the SuperCom and EuroCom route reflectors.

Example 6-57. PE Router Address Used as BGP Next-Hop

SuperCom-RR#show ip bgp vpnv4 all
BGP table version is 7, local router ID is 194.22.16.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 10:4972
*>i192.168.2.32/30  194.22.15.1              0    100      0 ?
*>i198.121.63.0     194.22.15.1              1    100      0 ?
Route Distinguisher: 99:5432
*  194.69.27.16/30  196.49.1.3               0             0 20 ?
*  198.121.62.0     196.49.1.3               0             0 20 ?

IPv4 + Labels for Exchange of BGP Next-Hops

Having distributed all the necessary VPNv4 prefix information between the route reflectors, you must allow access to the PE router next-hop addresses of those routes. As previously mentioned in the Carrier's Carrier sections, you can achieve this in various ways, including the following:

    Static routing
    Dynamic IGP routing protocols
    BGP-4

The preferred option for a service provider is to use BGP-4. The problem with this approach, however, is that the LSP between PE routers is broken at the ASBR-ASBR link; therefore, you need to extend BGP to allow the addition of MPLS labels to the routes. You achieve this through use of IPv4 + Labels that was discussed in the Carrier's Carrier sections earlier in this chapter.

Now that you have decided to use this functionality on the SuperCom/EuroCom ASBR-ASBR link, the first step of the configuration is to redistribute the local PE router addresses into BGP at the ASBRs.

NOTE

A further option for injecting the PE router loopback addresses into BGP is to run IPv4 + Labels down to the PE routers and inject the PE router loopback address either through redistribution or use of the network statement.

As with any redistribution, it is good practice to filter the specific routes via a route map so that only the desired prefixes are injected into the BGP table and propagated using IPv4 + Labels to the adjacent ASBR. These prefixes should only be the loopback addresses of PE routers that hold Inter-AS VPN customers. To simplify the filtering configuration of the route map, allocate these addresses from the same address block. The configuration of the SuperCom and EuroCom ASBRs to support this filtering is shown in Example 6-58.

Example 6-58. Filtering at ASBRs During Redistribution

hostname SuperComParis-ASBR
!
router bgp 10
 !
 address-family ipv4
 redistribute isis SuperCom level-2 route-map IPV4+LABELS
!
access-list 1 permit 194.22.15.0 0.0.0.255
route-map IPV4+LABELS permit 10
 match ip address 1

hostname EuroComParis-ASBR
!
router bgp 20
 !
 address-family ipv4
 redistribute isis EuroCom level-2 route-map IPV4+LABELS
!
access-list 1 permit 196.49.1.0 0.0.0.255
route-map IPV4+LABELS permit 10
 match ip address 1

NOTE

The configuration shown in Example 6-58 does not contain the set mpls-label command within the route map, which was required in the Carrier's Carrier example earlier in this chapter. The reason for this is that the filtering is performed during redistribution rather than at the BGP neighbor level; therefore, this command is not necessary. Using this configuration, only the 194.22.15.1/32 (San Jose PE router) prefix is redistributed into IPv4 + Labels from the SuperCom ASBR, and only the 196.49.1.3/32 (Munich PE router) prefix is redistributed from the EuroCom ASBR.

You must also configure redistribution of the BGP routes that are learned from the adjacent ASBR to be injected into the local IGP. The relevant configuration for this redistribution is provided in Example 6-59.

Example 6-59. Redistribution from IPv4 + Labels into IGP

hostname SuperComParis-ASBR
!
router isis SuperCom
 redistribute bgp 10 route-map IPV4+LABELS-IN
!
access-list 2 permit 196.49.1.0 0.0.0.255
route-map IPV4+LABELS-IN permit 10
 match ip address 2
 match mpls-label

hostname EuroComParis-ASBR
!
router isis EuroCom
 redistribute bgp 20 route-map IPV4+LABELS-IN
!
access-list 2 permit 194.22.15.0 0.0.0.255
route-map IPV4+LABELS-IN permit 10
 match ip address 2
 match mpls-label

NOTE

Example 6-59 shows that the command match mpls-label is used within the route map. This ensures that only BGP routes with labels are redistributed into the IGP; these should be the only routes that are reachable across the ASBR-ASBR link for PE router/PE router connectivity.

With all the relevant filters in place, the last piece of the configuration is to activate the BGP session between the ASBRs, as shown in Example 6-60.

Example 6-60. Activation of IPv4 + Labels Between ASBRs

hostname SuperComParis-ASBR
!
router bgp 10
 !
 address-family ipv4
 redistribute isis SuperCom level-2 route-map IPV4+LABELS
 neighbor 192.168.2.38 activate
 neighbor 192.168.2.38 send-label

hostname EuroComParis-ASBR
!
router bgp 20
 !
 address-family ipv4
 redistribute isis EuroCom level-2 route-map IPV4+LABELS
 neighbor 192.168.2.37 activate
 neighbor 192.168.2.37 send-label
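The route-map filtering of Examples 6-58 to 6-60 modelled in Python, as an added example that is not the book's code: a standard ACL with wildcard masks, the match ip address and match mpls-label clauses, and the routing tables it is run against (the SuperCom IS-IS table and the routes received from EuroCom are constructed; only the PE loopbacks and the ASBR link addresses come from the examples).

```python
"""Which prefixes the SuperCom ASBR exports into IPv4 + Labels, and which
labeled BGP routes it accepts back into its IGP. Added example, not the
book's code; sample routing tables are constructed."""
import ipaddress


def acl_permits(acl, prefix):
    """Standard IOS access list, a list of (address, wildcard) permit entries.
    A route-map 'match ip address' tests the route's network address;
    the list ends with an implicit deny."""
    addr = int(ipaddress.ip_network(prefix, strict=False).network_address)
    for address, wildcard in acl:
        care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF  # wildcard 1 bits are "don't care"
        if addr & care == int(ipaddress.ip_address(address)) & care:
            return True
    return False


def route_map_permits(clauses, route):
    """Permit clauses evaluated in sequence; every match in a clause must hold.
    'ip address' -> ACL on the prefix, 'mpls-label' -> route carries a label."""
    for clause in clauses:
        ok = True
        for kind, arg in clause:
            if kind == "ip address":
                ok = ok and acl_permits(arg, route["prefix"])
            elif kind == "mpls-label":
                ok = ok and route.get("label") is not None
            else:
                raise ValueError(f"unsupported match: {kind}")
        if ok:
            return True
    return False  # no clause matched: implicit deny


# SuperComParis-ASBR, Example 6-58: access-list 1 permit 194.22.15.0 0.0.0.255
ACL_1 = [("194.22.15.0", "0.0.0.255")]
IPV4_LABELS = [[("ip address", ACL_1)]]
# Example 6-59: access-list 2 permit 196.49.1.0 0.0.0.255 plus match mpls-label
ACL_2 = [("196.49.1.0", "0.0.0.255")]
IPV4_LABELS_IN = [[("ip address", ACL_2), ("mpls-label", None)]]


def export_to_ipv4_labels(isis_routes, route_map=IPV4_LABELS):
    """redistribute isis ... route-map IPV4+LABELS: prefixes offered to the peer ASBR."""
    return [r["prefix"] for r in isis_routes if route_map_permits(route_map, r)]


def import_into_igp(bgp_routes, route_map=IPV4_LABELS_IN):
    """redistribute bgp ... route-map IPV4+LABELS-IN: prefixes injected into IS-IS."""
    return [r["prefix"] for r in bgp_routes if route_map_permits(route_map, r)]


# Constructed IS-IS table of the SuperCom ASBR. Only the San Jose PE loopback
# lies in the PE loopback block that access-list 1 permits.
SUPERCOM_ISIS = [
    {"prefix": "194.22.15.1/32"},   # SanJose-PE loopback (Example 6-54)
    {"prefix": "194.22.16.1/32"},   # SuperCom-RR loopback, outside the block
    {"prefix": "192.168.2.36/30"},  # ASBR-ASBR link (constructed from Example 6-60)
]
# Constructed routes received over the ASBR-ASBR IPv4 + Labels session.
FROM_EUROCOM = [
    {"prefix": "196.49.1.3/32", "label": 19},  # Munich PE loopback, labeled (Example 6-61)
    {"prefix": "196.49.1.0/24"},               # in the block but unlabeled (constructed)
    {"prefix": "10.2.1.0/24", "label": 30},    # labeled but outside the block (constructed)
]

if __name__ == "__main__":
    print("exported:", export_to_ipv4_labels(SUPERCOM_ISIS))  # ['194.22.15.1/32']
    print("into IGP:", import_into_igp(FROM_EUROCOM))          # ['196.49.1.3/32']
```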

Now that the VPNv4 and BGP next-hop route exchange has been successfully configured, Example 6-61 provides the end-to-end LSP path from the San Jose PE router for the BankCorp Berlin subnet 198.121.62.0/24. Figure 6-23 provides an illustration. If you compare this LSP to the LSP from Example 6-55, you can see that the route reflectors are no longer within the path between BankCorp sites.

Example 6-61. End-to-End LSP for MH-MP-EBGP with IPv4 + Labels

SanJose-PE# show ip cef vrf BankCorp 198.121.62.0
198.121.62.0/24, version 39, cached adjacency to Serial4/0
0 packets, 0 bytes
  tag information set
    local tag: VPN route head
    fast tag rewrite with Se4/0, point2point, tags imposed {21 19}
  via 196.49.1.3, 0 dependencies, recursive
    next hop 194.22.15.9, Serial4/0 via 196.49.1.3/32
    valid cached adjacency
    tag rewrite with Se4/0, point2point, tags imposed {21 19}

SuperCom-Prouter#show mpls forwarding label 21
Local  Outgoing    Prefix             Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id       switched   interface
21     26          196.49.1.3/32      610        Et5/1      194.22.15.5

SuperComParis-ASBR# show mpls forwarding label 26
Local  Outgoing    Prefix             Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id       switched   interface
26     19          196.49.1.3/32      560        PO10/0/0   point2point

EuroComParis-ASBR# show mpls forwarding label 19
Local  Outgoing    Prefix             Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id       switched   interface
19     23          196.49.1.3/32      1200       AT4/1/0    10.2.1.22

EuroCom-Prouter#show mpls forwarding label 23
Local  Outgoing    Prefix             Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id       switched   interface
23     Pop tag     196.49.1.3/32      560        AT1/1.1    point2point

Munich_PE#show mpls forwarding label 19
Local  Outgoing    Prefix             Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id       switched   interface
19     Untagged    198.121.62.0/24[V] \
                                      1710       Et4/0      194.69.27.17

Figure 6-23. End-to-End LSP for MH MP-eBGP with IPv4 + Labels
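To make the hop-by-hop label operations in Example 6-61 explicit, the following Python model is added here; it is not code from the book or from Cisco. Each router's LFIB is filled in from the show mpls forwarding output above, the ingress imposition {21 19} comes from the show ip cef output, and a packet for 198.121.62.0/24 is walked from SanJose-PE to Munich_PE while the label stack is checked at every hop. The hop order in PATH is an assumption derived from the outputs and Figure 6-23; the class and function names are this example's own.

```python
"""Walk the end-to-end LSP from Example 6-61 hop by hop (added example)."""
from dataclasses import dataclass
from typing import Optional

POP = "Pop tag"          # penultimate-hop popping of the outer label
UNTAGGED = "Untagged"    # VPN label removed, packet forwarded as plain IP


@dataclass
class LfibEntry:
    outgoing: object     # int label, POP or UNTAGGED
    out_iface: str
    next_hop: str


# One LFIB per router, keyed by local (incoming) label. Values are copied
# from the 'show mpls forwarding label <n>' lines in Example 6-61.
LFIB = {
    "SuperCom-Prouter":   {21: LfibEntry(26, "Et5/1", "194.22.15.5")},
    "SuperComParis-ASBR": {26: LfibEntry(19, "PO10/0/0", "point2point")},
    "EuroComParis-ASBR":  {19: LfibEntry(23, "AT4/1/0", "10.2.1.22")},
    "EuroCom-Prouter":    {23: LfibEntry(POP, "AT1/1.1", "point2point")},
    "Munich_PE":          {19: LfibEntry(UNTAGGED, "Et4/0", "194.69.27.17")},
}

# Ingress PE: 'tags imposed {21 19}' -> outer label 21, inner VPN label 19.
INGRESS_IMPOSITION = {"SanJose-PE": {"198.121.62.0/24": [21, 19]}}

# Downstream order of the routers (assumed from the outputs and Figure 6-23).
PATH = ["SuperCom-Prouter", "SuperComParis-ASBR", "EuroComParis-ASBR",
        "EuroCom-Prouter", "Munich_PE"]


def walk_lsp(prefix: str) -> list[tuple[str, list[int], str]]:
    """Return a trace of (router, label stack after processing, out interface).

    Raises RuntimeError where a real LSP would break: a hop that receives an
    unlabelled packet, or a hop with no LFIB entry for the incoming label.
    """
    stack = list(INGRESS_IMPOSITION["SanJose-PE"][prefix])
    trace = [("SanJose-PE", list(stack), "Serial4/0")]
    for router in PATH:
        if not stack:
            raise RuntimeError(f"{router}: received an unlabelled packet")
        top = stack[0]
        entry = LFIB[router].get(top)
        if entry is None:
            raise RuntimeError(f"{router}: no LFIB entry for label {top}")
        if entry.outgoing in (POP, UNTAGGED):
            stack.pop(0)                 # PHP or egress PE strips the top label
        else:
            stack[0] = entry.outgoing    # ordinary label swap
        trace.append((router, list(stack), entry.out_iface))
    return trace


def vpn_label_at_egress(prefix: str) -> Optional[int]:
    """Label the egress PE (Munich_PE) looks up, i.e. the VPN label left after PHP."""
    trace = walk_lsp(prefix)
    stack_after_php = trace[-2][1]       # stack leaving EuroCom-Prouter
    return stack_after_php[0] if stack_after_php else None


if __name__ == "__main__":
    for router, stack, iface in walk_lsp("198.121.62.0/24"):
        print(f"{router:20} stack={stack} out={iface}")
```

Two things the walk makes visible that are easy to miss when reading the outputs one router at a time: the label value 19 appears both as the outgoing label chosen by SuperComParis-ASBR and as the VPN label allocated by Munich_PE, which is harmless because each router has its own label space, and the outer label is removed by EuroCom-Prouter (Pop tag), so Munich_PE only ever sees the VPN label. When troubleshooting, a RuntimeError from the walk corresponds to the hop at which a real show mpls forwarding check would come back empty.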




Summary

In this chapter, you saw that the base MPLS VPN architecture might not provide all of the functionality you need for certain deployment scenarios. So that you can meet the connectivity requirements for these scenarios, Cisco Systems Inc. has introduced the Carrier's Carrier and InterAS solutions.

To ease the burden of large routing tables at the PE routers, you can use the Carrier's Carrier architecture so that external routes are exchanged directly between customer sites. Any internal routes such as BGP next-hops, server addresses, and so on are exchanged with the MPLS VPN backbone.

You can establish connectivity within a VPN that can span multiple service provider footprints by using the InterAS architecture. Several options exist within this solution that provide flexible service deployment, such as Multihop and External Multiprotocol BGP support.


Chapter 7. Multicast VPN

Multicast is a popular feature used mainly by IP networks of Enterprise customers. Multicast allows the efficient distribution of information between a single multicast source and multiple receivers. An example of a multicast source in a corporate network would be a financial information server provided by a third-party company such as Bloomberg's or Reuters. The receivers would be individual PCs scattered around the network all receiving the same financial information from the server. The multicast feature allows a single stream of information to be transmitted from a source device, regardless of how many receivers are active for the information from that source device. The routers automatically replicate a single copy of the stream to each interface where multicast receivers can be reached. Therefore, multicast significantly reduces the amount of traffic required to distribute information to many interested parties.

This chapter describes in detail how an MPLS VPN service provider can provide multicast services between multiple sites of a customer VPN that has an existing multicast network or is intending to deploy the multicast feature within their network. This feature is known as multicast VPN (mVPN) and is available from Cisco IOS 12.2(13)T onward. This chapter includes an introduction to general IP Multicast concepts, an overall description of the mVPN feature and architecture, a detailed description of each IP Multicast component modified to support the mVPN feature, and a case study that shows how you can implement mVPN in an MPLS VPN backbone.

Introduction to IP Multicast

IP multicast is an efficient mechanism for transmitting data from a single source to many receivers in a network. The destination address of a multicast packet is always a multicast group address. This address comes from the IANA block 224.0.0.0–239.255.255.255. (Before the concept of classless interdomain routing, or CIDR, existed, this range was referred to as the D-class.) A source transmits a multicast packet by using a multicast group address, while many receivers "listen" for traffic from that same group address.

Examples of applications that would use multicast are audio/video services such as IPTV, Windows Media Player, conferencing services such as NetMeeting or stock tickers, and financial information such as those that TIBCO and Reuters provide.

NOTE

If you want to gain a more complete or detailed understanding of IP multicast, then read the Cisco Press book titled Developing IP Multicast Networks (ISBN 1-57870-077-9) or any other book that provides an overview of multicast technologies. You can obtain further information on advanced multicast topics from http://www.cisco.com/go/multicast.

Multicast packets are forwarded through the network by using a multicast distribution tree. The network is responsible for replicating the same packet at each bifurcation point (the point at which the branches fork) in the tree. This means that only one copy of the packet travels over any particular link in the network, making multicast trees extremely efficient for distributing the same information to many receivers.

There are two types of distribution trees: source trees and shared trees.

Source Trees

A source tree is the simplest form of distribution tree. The source host of the multicast traffic is located at the root of the tree, and the receivers are located at the ends of the branches. Multicast traffic travels from the source host down the tree toward the receivers. The forwarding decision on which interface a multicast packet should be transmitted out is based on the multicast forwarding table. This table consists of a series of multicast state entries that are cached in the router. State entries for a source tree use the notation (S, G), pronounced S comma G. The letter S represents the IP address of the source, and G represents the group address.

NOTE

The notion of direction is used for packets that are traveling along a distribution tree. When a packet travels from a source (or root) toward a receiver, it is deemed to be traveling down the tree. If a packet is traveling from the receiver toward the source (such as a control packet), it is deemed to be traveling up the tree.

A source tree is depicted in Figure 7-1. The host 196.7.25.12 at the root of the tree is transmitting multicast packets to the destination group 239.194.0.5, of which there are two interested receivers. The forwarding cache entry for this multicast stream is (196.7.25.12, 239.194.0.5).



Figure 7-1. Source Distribution Tree

A source tree implies that the route between the multicast source and receivers is the shortest available path; therefore, source trees are also referred to as shortest path trees (SPTs). A separate source tree exists for every source that is transmitting multicast packets, even if those sources are transmitting data to the same group. This means that there will be an (S, G) forwarding state entry for every active source in the network. Referring to our earlier example, if another source, such as 196.7.25.18, became active that was also transmitting to group 239.194.0.5, then an additional state entry (and a different SPT) would be created as (196.7.25.18, 239.194.0.5). Therefore, source trees or SPTs provide optimal routing at the cost of additional multicast state information in the network.

The important thing to remember about source trees is that the receiving end can only join the source tree if it has knowledge of the IP address of the source that is transmitting the group in which it is interested. In other words, to join a source tree, an explicit (S, G) join must be issued from the receiving end. (This explicit [S, G] join is issued by the last hop router, not the receiving host. The receiving host makes the last hop router aware that it wants to receive data from a particular group, and the last hop router figures out the rest.)

Shared Trees

Shared trees differ from source trees in that the root of the tree is a common point somewhere in the network. This common point is referred to as the rendezvous point (RP). The RP is the point at which receivers join to learn of active sources. Multicast sources must transmit their traffic to the RP. When receivers join a multicast group on a shared tree, the root of the tree is always the RP, and multicast traffic is transmitted from the RP down toward the receivers. Therefore, the RP acts as a go-between for the sources and receivers. An RP can be the root for all multicast groups in the network, or different ranges of multicast groups can be associated with different RPs.

Multicast forwarding entries for a shared tree use the notation (*, G), which is pronounced star comma G. This is because all sources for a particular group share the same tree. (The multicast groups go to the same RP.) Therefore, the * or wildcard represents all sources. A shared tree is depicted in Figure 7-2. In this example, multicast traffic from the source hosts 196.7.25.18 and 196.7.25.12 travels to the RP and then down the tree toward the two receivers. There are two routing entries, one for each of the multicast groups that share the tree: (*, 239.194.0.5) and (*, 239.194.0.7). If more sources become active for either of these two groups, there will still be only two routing entries due to the wildcard representing all sources for that group.

Figure 7-2. Shared Distribution Tree
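The difference in forwarding state between source trees and shared trees, described above for Figures 7-1 and 7-2, is modelled in the following Python example. It is added here and is not code from the book or from any Cisco IOS implementation: a small multicast state cache holds (S, G) and (*, G) entries, the lookup prefers a matching (S, G) entry over the (*, G) wildcard, and a shared-tree join needs only an RP address while a source-tree join requires the source address. The source and group addresses are the ones used in the figures; the RP address 10.0.0.1 and the class and function names are constructed for this example.

```python
"""Source-tree (S, G) versus shared-tree (*, G) state (added example)."""
import ipaddress

# IANA multicast block 224.0.0.0-239.255.255.255 (the former class D).
MULTICAST_BLOCK = ipaddress.ip_network("224.0.0.0/4")


def is_multicast_group(addr: str) -> bool:
    """True if addr is a valid multicast group address."""
    return ipaddress.ip_address(addr) in MULTICAST_BLOCK


class MrouteTable:
    """Multicast state cache keyed by (S, G); S == '*' is the wildcard."""

    def __init__(self, rp_map: dict[str, str]):
        # group range -> RP address; different ranges may be served by different RPs
        self.rp_map = {ipaddress.ip_network(r): rp for r, rp in rp_map.items()}
        self.entries: dict[tuple[str, str], str] = {}   # (S, G) -> root of the tree

    def rp_for(self, group: str) -> str:
        """RP responsible for a group (statically configured here)."""
        g = ipaddress.ip_address(group)
        for net, rp in self.rp_map.items():
            if g in net:
                return rp
        raise LookupError(f"no RP configured for group {group}")

    def join_source_tree(self, source: str, group: str) -> None:
        """(S, G) join: the last-hop router must already know the source address."""
        if not is_multicast_group(group):
            raise ValueError(f"{group} is not a multicast group address")
        self.entries[(source, group)] = source          # root of an SPT is the source

    def join_shared_tree(self, group: str) -> None:
        """(*, G) join: only the RP address is needed, not the source address."""
        if not is_multicast_group(group):
            raise ValueError(f"{group} is not a multicast group address")
        self.entries[("*", group)] = self.rp_for(group)  # root of a shared tree is the RP

    def lookup(self, source: str, group: str):
        """Return the (S, G) entry if present, else the (*, G) entry, else None."""
        if (source, group) in self.entries:
            return (source, group)
        if ("*", group) in self.entries:
            return ("*", group)
        return None

    def state_count(self) -> int:
        return len(self.entries)


def compare_state(sources, groups, rp="10.0.0.1"):
    """State entries needed for the same sources and groups: (SPT count, shared count)."""
    spt = MrouteTable({"224.0.0.0/4": rp})
    shared = MrouteTable({"224.0.0.0/4": rp})
    for g in groups:
        shared.join_shared_tree(g)        # one (*, G) per group, however many sources
        for s in sources:
            spt.join_source_tree(s, g)    # one (S, G) per active source per group
    return spt.state_count(), shared.state_count()


if __name__ == "__main__":
    print(compare_state(["196.7.25.12", "196.7.25.18"],
                        ["239.194.0.5", "239.194.0.7"]))
```

With the two sources and two groups from Figure 7-2, the source-tree table holds four (S, G) entries while the shared-tree table holds only the two (*, G) entries the text describes, and adding a third source would grow only the first table. The lookup order also shows why the two tree types coexist in one router: once an (S, G) entry exists it wins, and a source with no (S, G) entry falls back to the (*, G) wildcard.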

Shared trees are not as optimal in their routing as source trees because all traffic from sources must travel to the RP and then follow the same (*, G) path to receivers. However, the amount of multicast routing state information required is less than that of a source tree. Therefore, there is a trade-off between optimal routing and the amount of state information that must be kept.

Shared trees allow the receiving end to obtain data from a multicast group without having to know the IP address of the source. The only IP address that needs to be known is that of the RP. This can be configured statically on each router or learned dynamically by mechanisms such as Auto-RP or Bootstrap Router (BSR).

Shared trees can be categorized into two types: unidirectional and bidirectional. Unidirectional trees are essentially what has already been discussed; sources transmit to the RP, which then forwards the multicast traffic down the tree toward the receivers. In a bidirectional shared tree, multicast traffic can travel up the tree to reach the RP and down to receivers. Bidirectional shared trees are useful in an any-to-any environment, where many sources and receivers are evenly distributed throughout the network. Figure 7-3 shows a bidirectional tree. Source 196.7.25.18 is transmitting to two receivers, A and B, for group 239.194.7.0. The multicast traffic from the source host is forwarded in both directions as follows:

Up the tree toward the root (RP). When the traffic arrives at the RP, it is then transmitted down the tree toward receiver A.

Down the tree toward receiver B. (It does not need to pass the RP.)

Figure 7-3. Bidirectional Shared Tree



Bidirectional trees offer improved routing optimality over unidirectional shared trees, being able to forward data in both directions while retaining a minimum amount of state information. (Remember, state information refers to the amount of (S, G) or (*, G) entries that a router must hold.)
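The two forwarding behaviours described for Figure 7-3 (and revisited under PIM Bi-Dir later in this chapter), as an added example that is not the book's code: a small shared tree rooted at the RP is constructed, (*, G) join state is built from the receivers, and one packet is pushed through it first as a unidirectional shared tree and then as a bidirectional one. Router names, links and receiver placement are assumptions; receiver B ends up on the source's own branch so the difference in path length is visible.

```python
# Added example (not from the book): forwarding on a unidirectional versus a
# bidirectional shared tree, in the spirit of Figure 7-3.  Router names, links
# and receiver placement are constructed; the RP is the root of the tree.

# Constructed shared tree as a parent map: each router's upstream neighbor toward
# the RP.  Source 196.7.25.18 sits behind R4; receivers A and B behind R3 and R5.
PARENT = {"R2": "RP", "R3": "RP", "R4": "R2", "R5": "R2"}
RECEIVERS = {"A": "R3", "B": "R5"}   # receiver -> its last-hop router
SOURCE_ROUTER = "R4"                 # first-hop router of the source


def join_state(parent, receivers):
    """(*, G) joins travel from each last-hop router toward the RP.  Every router on
    the way records the child the join came from in its outgoing interface list."""
    olist = {r: set() for r in set(parent) | set(parent.values())}
    for last_hop in receivers.values():
        node = last_hop
        while node in parent:
            olist[parent[node]].add(node)
            node = parent[node]
    return olist


def deliver(parent, receivers, olist, bidirectional, start=SOURCE_ROUTER):
    """Push one packet from the source's first-hop router through the tree and
    return, for each receiver, the list of routers the packet crossed."""
    last_hop_of = {router: name for name, router in receivers.items()}
    paths = {}
    stack = [(start, None, "up", [start])]
    while stack:
        node, came_from, phase, path = stack.pop()
        if node == "RP":
            phase = "down"          # the RP turns traffic around onto the shared tree
        if (bidirectional or phase == "down") and node in last_hop_of:
            paths[last_hop_of[node]] = path
        if bidirectional:
            # Bi-Dir: forward on every tree interface (joined children plus the
            # upstream link toward the RP) except the one the packet arrived on.
            out = set(olist[node])
            if node in parent:
                out.add(parent[node])
            out.discard(came_from)
        elif phase == "up":
            # Unidirectional: traffic first has to reach the RP; nothing is
            # delivered on the way up, even to receivers hanging off that path.
            out = {parent[node]}
        else:
            # Below the RP, packets follow the (*, G) olist toward the leaves.
            out = set(olist[node])
        for nxt in out:
            stack.append((nxt, node, phase, path + [nxt]))
    return paths


def hops(paths):
    """Hop count per receiver, for comparing the two tree types."""
    return {name: len(path) - 1 for name, path in paths.items()}
```

Both tree types hold only (*, G) state on the routers that saw a join; the bidirectional run reaches B in two hops instead of four because R2 forwards toward R5 without waiting for the packet to come back from the RP.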
Multicast Forwarding

Packet forwarding in a router can be divided into two types: unicast forwarding and multicast forwarding. The difference between unicast forwarding and multicast forwarding can be summarized as follows:

Unicast forwarding is concerned with where the packet is going.

Multicast forwarding is concerned with where the packet came from.

In unicast routing, the forwarding decision is based on the destination address of the packet. At each router along the path, you can derive the next-hop for the destination by finding the longest match entry for that destination in the unicast routing table. The unicast packet is then forwarded out the interface that is associated with the next-hop. Forwarding of multicast packets cannot be done in the same manner because the destination is a multicast group address that you will most likely need to forward out multiple interfaces. Multicast group addresses do not appear in the unicast routing table; therefore, forwarding of multicast packets requires a different process. This process is called Reverse Path Forwarding (RPF), and it is the basis for forwarding multicast packets in most multicast routing protocols. In particular, RPF is used with Protocol Independent Multicast (PIM), which is the protocol used and described throughout this chapter.

RPF

Every multicast packet received on an interface at a router is subject to an RPF check. The RPF check determines whether the packet is forwarded or dropped and prevents looping of packets in the network. RPF operates like this:

When a multicast packet arrives at the router, the source address of that packet is checked to make sure that the incoming interface indeed leads back to the source. (In other words, it is on the reverse path.)

If the check passes, then the multicast packet is forwarded out the relevant interfaces (but not the RPF interface).

If the RPF check fails, the packet is discarded.

The interface used for the RPF check is referred to as the RPF interface. The way that this interface is determined depends on the multicast routing protocol that is in use. This chapter is concerned only with PIM, which is the most widely used protocol in enterprise networks. PIM is discussed in the next section. PIM uses the information in the unicast routing table to determine the RPF interface. Figure 7-4 shows the process of an RPF check for a packet that arrives on the wrong interface. A multicast packet from the source 196.7.25.18 arrives on interface S0. A check of the multicast routing table shows that network 196.7.25.0 is reachable on interface S1, not S0; therefore, the RPF check fails and the packet is dropped.

Figure 7-4. RPF Check Fails




Figure 7-5 shows the RPF check for a multicast packet that arrives on the correct interface. The multicast packet from the source arrives on interface S1, which matches the interface for this network in the unicast routing table. Therefore, the RPF check passes and the multicast packet is replicated to the interfaces in the outgoing interface list (called the olist) for the multicast group.

Figure 7-5. RPF Check Succeeds


If the RPF check has to refer to the unicast routing table for each arriving multicast packet, this will have a detrimental effect on router performance. Instead, the RPF interface is cached as part of the (S, G) or (*, G) multicast forwarding entry. When the multicast forwarding entry is created, the RPF interface is set to the interface that leads to the source network in the unicast routing table. If the unicast routing table changes, then the RPF interface is updated automatically to reflect the change.

Example 7-1 shows a multicast forwarding entry for (194.22.15.2, 239.192.20.16). You can also refer to this entry as a multicast routing table entry. The presence of the source in the (S, G) notation indicates that this entry is associated with a source tree or shortest path tree. The incoming interface is the RPF interface, which has been set to POS3/0. This setting matches the next-hop interface shown in the OSPF routing entry for the source 194.22.15.2.

There are two interfaces in the outgoing olist: Serial4/0 and Serial4/2. The outgoing interface list provides the interfaces that the multicast packet should be replicated out. Therefore, packets that pass the RPF check from source 194.22.15.2 (they must come in on POS3/0) that are destined to group 239.192.20.16 are replicated out interfaces Serial4/0 and Serial4/2.

Example 7-1. Source Tree Multicast Forwarding Entry

(194.22.15.2, 239.192.20.16), 00:03:30/00:03:27, flags: sT
  Incoming interface: POS3/0, RPF nbr 194.22.15.17
  Outgoing interface list:
    Serial4/0, Forward/Sparse-Dense, 00:03:30/00:02:55
    Serial4/2, Forward/Sparse-Dense, 00:02:45/00:02:05

Routing entry for 194.22.15.2/32
  Known via "ospf 1", distance 110, metric 2, type intra area
  Last update from 194.22.15.17 on POS3/0, 1w5d ago
  Routing Descriptor Blocks:
  * 194.22.15.17, from 194.22.15.2, 1w5d ago, via POS3/0
      Route metric is 2, traffic share count is 1


For completeness, a shared tree routing entry is shown in Example 7-2. This entry represents all sources transmitting to group 239.255.0.20. The RPF interface is shown to be FastEthernet0/1, which is the next-hop interface to the RP 196.7.25.1. Remember that the root of a shared tree is always the RP; therefore, the RPF interface for a shared tree is the reverse path back to the RP.

Example 7-2. Shared Tree Multicast Forwarding Entry

(*, 239.255.0.20), 2w5d/00:00:00, RP 196.7.25.1, flags: SJCL
  Incoming interface: FastEthernet0/1, RPF nbr 192.168.2.34
  Outgoing interface list:
    FastEthernet0/0, Forward/Sparse, 00:03:29/00:02:54

The outgoing interface lists in the preceding examples are determined by the particular multicast protocol in use.

PIM

Over the years, various multicast protocols have been developed, such as Distance Vector Multicast Routing Protocol (DVMRP), Multicast Open Shortest Path First (MOSPF), and Core Based Trees (CBT). The characteristic that these protocols have in common is that they create a multicast routing table based on their own discovery mechanisms. The RPF check does not use the information already available in the unicast routing table.

The protocol that is the most widely deployed and relevant to this chapter is PIM. As discussed previously, PIM uses the unicast routing table to discover whether the multicast packet has arrived on the correct interface. The RPF check is independent because it does not rely on a particular protocol; it bases its decisions on the contents of the unicast routing table.

Several PIM modes are available: dense mode (PIM DM), sparse mode (PIM SM), Bidirectional PIM (PIM Bi-Dir), and a recent addition known as Source Specific Multicast (SSM).

PIM DM

The deployment of PIM DM is diminishing because it has been proven to be inefficient in comparison to PIM SM. PIM DM is based on the assumption that for every subnet in the network, at least one receiver exists for every (S, G) multicast stream. Therefore, all multicast packets are pushed or flooded to every part of the network. Routers that do not want to receive the multicast traffic because they do not have a receiver for that (S, G) send a prune message back up the tree. Branches that do not have receivers are pruned off, the result being a source distribution tree with branches that have receivers. Periodically, the prune message times out, and multicast traffic begins to flood through the network again until another prune is received.

PIM SM

PIM SM is more efficient than PIM DM in that it does not use flooding to distribute traffic. PIM SM employs the pull model, in which traffic is distributed only where it is requested. Multicast traffic is distributed to a branch only if an explicit join message has been received for that multicast group. Initially, receivers in a PIM SM network join the shared tree (rooted at the RP). If the traffic on the shared tree reaches a certain bandwidth threshold, the last hop router (that is, the one to which the receiver is connected) can choose to join a shortest-path tree to the source. This puts the receiver on a more optimal path to the source.

PIM Bi-Dir

PIM Bi-Dir creates a two-way forwarding tree, as shown in Figure 7-3. All multicast routing entries for bidirectional groups are on a (*, G) shared tree. Because traffic can travel in both directions, the amount of state information is kept to a minimum. Routing optimality is improved because traffic does not have to travel unnecessarily toward the RP. Source trees are never built for bidirectional multicast groups. Bidirectional trees in the service provider network are covered in the section "Case Study of mVPN Operation in SuperCom" later in this chapter.

SSM

SSM implies that the IP address of the source for a particular group is known before a join is issued. SSM in Cisco IOS is implemented in addition to PIM SM and coexists with IP Multicast networks based on PIM SM. SSM always builds a source tree between the receiver and the source. The source is learned through an out-of-band mechanism. Because the source is known, an explicit (S, G) join can be issued for the tree, which obviates the need for shared trees and RPs. Because no RPs are required, optimal routing is assured; traffic travels the most direct path between source and receiver. SSM is a recent innovation in multicast networks and is recommended for new deployments, particularly in the core of the provider for an mVPN environment. A practical deployment of SSM is discussed in the section "Case Study of mVPN Operation in SuperCom" later in this chapter.

Multicast is a powerful feature that allows the efficient one-to-many distribution of information. Multicast uses the concept of distribution trees, where the source is the root of the tree and the receivers are at the leaves of the tree. The router replicates packets at each branch of the tree, known as the bifurcation point. The tree is represented as a series of multicast state entries in each router, and packets are forwarded down this tree (toward the leaves) by using RPF. There are various modes of multicast operation in networks, with the most popular one being PIM SM.



Table of Content s



I ndex

MP LS and V PN Ar chi te ctur e s, V olum e I I By Jim Guichard , I van Pepelnjak , Jeff Apcar

Pub lish er: Cisco Press Pub Dat e: Ju ne 06, 2 00 3 I SBN: 1- 58 705 -1 12 -5 Pages: 50 4

Wit h MPLS and VPN Ar chit ect u res, Volum e I I , y ou' ll lear n : How t o int egr at e v ar iou s r em ot e access t echn ologies in t o t h e back bone p r ovidin g VPN ser v ice t o m any d iff er ent t yp es of cu st om er s The n ew PE- CE r out in g op t ions as w ell as ot her adv anced f eat ur es, includ ing per- VPN Net w ork Ad dr ess Tr an slat ion ( PE- NAT) How VRFs can be ex t ended int o a cust om er sit e t o pr ov ide sep ar at ion inside t he cust om er net w ork The lat est MPLS VPN secur it y f eat u res an d d esign s aim ed at pr ot ect ing t h e MPLS VPN back bone How t o carr y cust om er m ult icast t r aff ic insid e a VPN The lat est in t er - car rier enh ancem ent s t o allow f or easier and m or e scalable d ep loym ent of int er - car r ier MPLS VPN serv ices Adv anced t rou blesh oot ing t echn iques includ in g r ou t er out pu t s t o en su re high av ailab ilit y MPLS and VPN Ar chit ect u res, Volum e I I , b uilds on t he best - sellin g MPLS an d VPN Ar ch it ect u res, Volum e I ( 1 - 587 05- 0 02- 1) , f rom Cisco Pr ess. Ex t endin g int o m or e adv anced t opics an d d ep loy m ent archit ect ur es, Volu m e I I pr ovid es r eader s w it h t he necessar y t ools t hey n eed t o d ep loy and m ain t ain a secur e, hig hly av ailab le VPN. MPLS and VPN Ar chit ect u res, Volum e I I , b eg in s w it h a br ief ref resher of t he MPLS VPN Ar ch it ect u re. Par t I I descr ibes adv anced MPLS VPN con nect iv it y includ in g t he int egr at ion of ser v ice pr ovider access t echn olog ies ( dial, DSL, cab le, Et her net ) an d a v ariet y of r out in g pr ot ocols ( I S- I S, EI GRP, and OSPF) , ar m in g t he r eader w it h t he k now ledge of h ow t o int egr at e t h ese f eat ur es in t o t h e VPN b ack bon e. 
Part III details advanced deployment issues including security, outlining the necessary steps the service provider must take to protect the backbone and any attached VPN sites, and also detailing the latest security features to allow more advanced topologies and filtering. This part also covers multi-carrier MPLS VPN deployments. Finally, Part IV provides a methodology for advanced MPLS VPN troubleshooting. MPLS and VPN Architectures, Volume II, also introduces the latest advances in customer integration, security, and troubleshooting features essential to providing the advanced

Enterprise Multicast in a Service Provider Environment

The fundamental problem that service providers face today when offering native multicast services to end customers is the amount of multicast distribution information (that is, [S, G] or [*, G] states) that needs to be maintained to provide the most optimal multicast traffic distribution. When a multicast source becomes active within a particular customer site, the multicast traffic must travel through the service provider network to reach all PE routers that have receivers connected to CE routers for that multicast group. To prevent unnecessary traffic delivery, the service provider must avoid sending traffic to PE routers that have no interested receivers. To accomplish this goal and achieve optimal routing, each P router in the network must maintain state information for all active customer distribution trees.

However, a problem arises in that the service provider has no visibility into how its end customers manage multicast within their enterprise. In addition, the service provider does not have control over the distribution of sources and receivers or the number of groups that the end customer chooses to use. In this situation, the P routers are required to support an unbounded amount of state information based on the enterprise customer's application of multicast.

Figure 7-6 illustrates this scenario in the SuperCom network. (This chapter uses SuperCom as the example network.) As shown in the figure, SuperCom provides native multicast VPN services to VPN customers FastFoods and EuroBank. In this example, native multicast means that the SuperCom network provides both customers with multicast services via the global multicast routing table by using standard multicast procedures. To obtain multicast services, each EuroBank or FastFoods site must ultimately connect to a SuperCom global interface (that is, one with no VRF defined). Multicast traffic travels across the SuperCom network using standard IP multicast; no tunnels or encapsulations are used. The FastFoods organization has three active distribution trees rooted at two sources (A and B).

Similarly, customer network EuroBank has three active distribution trees rooted at three sources (C, D, and E). Each of these trees has at least one receiver that is connected to a CE somewhere in the global multicast network.

Figure 7-6. Supporting Native Enterprise Multicast



To provide optimal multicast traffic distribution, the Washington P router must hold the state information for all six trees. This applies equally to any other P and PE routers that are in the path of the distribution trees. Because all multicast routing operates in the global SuperCom table, it is possible that multicast groups that different customers use will conflict (as would be the case with multiple customers using the same RFC 1918 addressing in a unicast network). To avoid this situation, SuperCom must allocate each VPN a unique range of multicast groups.

The total amount of state information that the SuperCom network must hold is determined by the way the customer deploys multicast in its network. For each unique customer source, a separate state entry exists in the global table for each multicast group that source is serving. Deploying features such as bidirectional trees reduces the amount of multicast state information required, although traffic distribution is not as optimal.

Given that the amount of state information is unbounded (cannot be limited) and the service provider must allocate and manage multicast groups, deployment of native multicast services in this manner is not recommended from a scaling and provisioning standpoint.

A common way to provide multicast over a service provider IP or MPLS VPN network is to overlay generic routing encapsulation (GRE) tunnels between CE routers. This eliminates the need for any state information to be kept in the P routers because all multicast packets between VPN sites are encapsulated by using GRE within the service provider network. This solution also allows different enterprise customers to use overlapping multicast groups. However, the disadvantage of this solution is that unless the customer implements a full mesh of GRE tunnels between CE routers, optimal multicast routing is not achieved. In fact, more bandwidth can be wasted by multicast traffic backtracking over different GRE tunnels across the P network. Further to this, multicast over GRE is inherently unscalable due to the potential number of tunnels required and the amount of operational and management overhead.

A more scalable model for IP multicast within a VPN can be derived from the way optimal unicast routing is achieved in an MPLS VPN. In an MPLS VPN:

• A P router maintains routing information and labels for the global routing table only. It does not hold routing or state information for customer VPNs.

• A CE router maintains a routing adjacency with its PE router neighbor only. CE routers do not peer with other CE routers but still have the ability to access other CE routers in their VPN through the most optimal route that the P network provides.

As you will see, the mVPN solution that is implemented in Cisco IOS provides a scalable and efficient method of transporting multicast traffic between sites of a VPN customer and has similar characteristics to those mentioned in the previous bullet points.

In a service provider network that is enabled with mVPN:

• A P router maintains multicast state entries for the global routing table only. It does not hold multicast state entries for customer VPNs.

• A CE router maintains a multicast PIM adjacency with its PE router neighbor only. CE routers do not have multicast peerings with other CE routers, but they can exchange multicast information with other CE routers in the same VPN.

The following sections describe the mVPN architecture as implemented by Cisco IOS.

mVPN Architecture

The mVPN solution discussed in this chapter is based on section 2 of the Multicast in MPLS/BGP VPNs Internet draft (draft-rosen-vpn-mcast). Section 2 of this Internet draft describes the concept of multicast domains, in which CE routers maintain a PIM adjacency with their local PE router only, and not with other CE routers. As mentioned previously, this adjacency characteristic is identical to that used in MPLS VPNs. Enterprise customers can maintain their existing multicast configurations, such as PIM SM/PIM DM and any RP discovery mechanisms, and they can transition to an mVPN service by using multicast domains without configuration changes. P routers do not hold state information for individual customer source trees; instead, they can hold as little as a single state entry for each VPN (assuming that PIM Bi-Dir is deployed) regardless of the number of multicast groups within that VPN.

If a service provider is using PIM SM in the core (instead of PIM Bi-Dir), then the greatest amount of state information that would be required in a P router would be roughly equivalent to the number of PE routers in the backbone multiplied by the number of VPNs defined on those PE routers. This should be significantly less than the number of potential customer multicast groups. Although you can reduce the amount of P-network state information, the real point to note here is that with multicast domains, regardless of which multicast mode the service provider is using (PIM SM, Bi-Dir, SSM), the amount of state information in the core is deterministic. The information does not depend on the multicast customer's deployment. Customer networks are also free to use whatever multicast groups they need without the possibility of overlap with other VPNs. These groups are invisible to the P router network, in the same manner that VPN unicast routes are invisible to P routers in an MPLS VPN network.

Multicast Domain Overview

A multicast domain is a set of multicast-enabled virtual routing and forwarding instances (VRFs) that can send multicast traffic to each other. These multicast VRFs are referred to as mVRFs. Multicast domains map all of a customer's multicast groups that exist in a particular VPN to a single global multicast group in the P-network. This is achieved by encapsulating the original customer multicast packets within a provider packet by using GRE. The destination address of the GRE packet is the unique multicast group that the service provider has allocated for that multicast domain. The source address of the GRE packet is the BGP peering address of the originating PE router. A different global multicast group address is required for every multicast domain. Therefore, the set of all customer multicast states (*, G1) ... (*, GN) can be mapped to a single (S, G) or (*, G) in the service provider network.

NOTE

The use of GRE in a multicast domain is not the same as the overlay solution in which point-to-point GRE tunnels are used between CE routers. The GRE tunnels used here are between PE routers and in a multicast configuration. The tunnels can be considered point-to-multipoint connections if PIM SM is deployed or multipoint-to-multipoint if using PIM Bi-Dir. Therefore, the use of GRE for multicast domains is inherently more efficient than GRE overlay.

Each PE router that is supporting an mVPN customer is part of the multicast domain for that customer. Multiple end customers can attach to a particular PE router, which means that the PE router can be a member of many multicast domains, one for each mVPN customer who is connected to it. One of the major attractions of the multicast domain solution is that the P routers do not need a software upgrade to enable new multicast features to support mVPNs. Only native multicast is required in the core network to support multicast domains. The advantage of this is that native multicast is a mature technology in Cisco IOS; therefore, the operational risk is minimized in the service provider network when deploying multicast domains.

The P network builds a default multicast distribution tree (Default-MDT) between PE routers for each multicast domain by using a unique multicast group address that the service provider allocates. These unique multicast groups are referred to as MDT-Groups. Each mVRF belongs to a default MDT. Therefore, the amount of state information that a P router must hold is not a function of the number of customer multicast groups in the network; instead, it is the number of VPNs. This considerably reduces the amount of state information required in a P router. If the MDT is configured as a bidirectional tree, then it is possible to have a single (*, G) multicast state entry for each VPN.

Figure 7-7 shows the concept of multicast domains in the SuperCom network. The FastFoods and EuroBank VPNs belong to separate multicast domains. The SuperCom core creates a Default-MDT for each of these multicast domains by using the MDT-group addresses 239.192.10.1 for FastFoods and 239.192.10.2 for EuroBank. The PE routers at San Jose and Paris join both Default-MDTs as they are connected to the FastFoods and EuroBank sites. The Washington PE router only needs to connect to the Default-MDT for the EuroBank VPN.

Figure 7-7. Multicast Domains

Any EuroBank or FastFoods packets that travel along these Default-MDTs are encapsulated by using GRE. The source of the outer packet is the Multiprotocol BGP peering address of the sending PE router, and the destination is the appropriate MDT-group address. GRE essentially hides the customer multicast packet from the P-network and allows us to map many multicast groups in a VPN to a single provider multicast group. The SuperCom P routers only see the source and destination of the outer IP header that SuperCom allocates. This source and destination appear as an (S, G) state entry in the SuperCom global multicast table. Assuming that the SuperCom network has been configured with PIM Bi-Dir, only two (*, G) states are required in each P router: (*, 239.192.10.1) and (*, 239.192.10.2). This compares favorably with the six states required in the native multicast network described earlier in Figure 7-6. Also note in our example that the amount of state information in the P-network is always bounded to two entries regardless of how many new sources and groups FastFoods or EuroBank introduce.
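The two state counts compared above (six native (S, G) entries in the Figure 7-6 network versus two (*, G) Default-MDT entries in Figure 7-7) and the GRE encapsulation that makes the second possible can be worked through in a small model. The following Python is an added illustration and is not code from the book or from Cisco IOS: the MDT-group addresses and PE router names are the chapter's, while the customer sources and groups, the PE MP-BGP addresses (194.22.15.x) and the UDP payload are constructed for the example.

```python
"""P-router multicast state: native multicast versus multicast domains.
Added illustration for the SuperCom example; not code from the book or from
Cisco IOS.  MDT groups and PE names follow Figure 7-7; customer sources,
groups and PE MP-BGP addresses are constructed."""
import ipaddress
import struct

GRE_PROTO = 47           # IP protocol number of GRE
ETHERTYPE_IPV4 = 0x0800  # GRE protocol type for an IPv4 payload

# Default-MDT group SuperCom allocates to each multicast domain (Figure 7-7).
MDT_GROUP = {"FastFoods": "239.192.10.1", "EuroBank": "239.192.10.2"}
# Assumed MP-BGP peering addresses of the SuperCom PE routers.
PE_BGP_ADDR = {"SanJose": "194.22.15.1", "Paris": "194.22.15.2",
               "Washington": "194.22.15.3"}
# Constructed customer trees as (VPN, source, group, ingress PE): FastFoods has
# three trees from sources A and B, EuroBank three from C, D and E (Figure 7-6).
# Source C deliberately reuses a FastFoods group address.
CUSTOMER_TREES = [
    ("FastFoods", "10.1.1.10", "239.1.1.1", "SanJose"),     # A
    ("FastFoods", "10.1.1.10", "239.1.1.2", "SanJose"),     # A, second group
    ("FastFoods", "10.2.2.20", "239.1.1.3", "Paris"),       # B
    ("EuroBank",  "10.5.5.50", "239.1.1.1", "Paris"),       # C, overlapping group
    ("EuroBank",  "10.3.3.30", "239.2.2.2", "Washington"),  # D
    ("EuroBank",  "10.4.4.40", "239.2.2.3", "SanJose"),     # E
]

def native_state(trees):
    """Native model: the global table holds one (S, G) per customer tree."""
    return {(src, grp) for _vpn, src, grp, _pe in trees}

def overlapping_groups(trees):
    """Customer groups used by more than one VPN; these collide in the native
    model, which is why the provider would have to allocate unique ranges."""
    owners = {}
    for vpn, _src, grp, _pe in trees:
        owners.setdefault(grp, set()).add(vpn)
    return {grp for grp, vpns in owners.items() if len(vpns) > 1}

def mdt_state(trees, bidir=False):
    """Multicast-domain model: the core only sees the outer header.  PIM SM core:
    one (PE address, MDT group) per ingress PE per VPN, bounded by #PE x #VPN.
    PIM Bi-Dir core: a single (*, MDT group) per VPN."""
    return {("*" if bidir else PE_BGP_ADDR[pe], MDT_GROUP[vpn])
            for vpn, _src, _grp, pe in trees}

def ipv4_checksum(data):
    """Standard IPv4 one's-complement header checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header with a valid checksum."""
    fields = [0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    fields[7] = ipv4_checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return struct.pack("!BBHHHBBH4s4s", *fields)

def customer_packet(src, group, payload=b"customer multicast data"):
    """C-packet: a UDP datagram from a customer source to a customer group."""
    udp = struct.pack("!HHHH", 5000, 5000, 8 + len(payload), 0) + payload
    return ipv4_header(src, group, 17, len(udp)) + udp

def encapsulate(vpn, ingress_pe, c_packet):
    """Ingress PE: outer IP (source = PE MP-BGP address, destination = the
    VPN's MDT group) + GRE + C-packet.  Plain IP multicast, no MPLS label."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)   # no checksum, key or sequence
    outer = ipv4_header(PE_BGP_ADDR[ingress_pe], MDT_GROUP[vpn],
                        GRE_PROTO, len(gre) + len(c_packet))
    return outer + gre + c_packet

def ip_addresses(ip_header):
    """(source, destination) of an IPv4 header as dotted strings."""
    fields = struct.unpack("!BBHHHBBH4s4s", ip_header[:20])
    return str(ipaddress.IPv4Address(fields[8])), str(ipaddress.IPv4Address(fields[9]))

def p_router_view(p_packet):
    """A P router forwards on the outer (S, G) only; the C-packet is opaque."""
    assert p_packet[0] == 0x45 and p_packet[9] == GRE_PROTO
    return ip_addresses(p_packet)

def decapsulate(p_packet):
    """Egress PE: strip outer IP + GRE and recover the customer (S, G)."""
    return ip_addresses(p_packet[24:])

if __name__ == "__main__":
    print("native (S, G) entries:", len(native_state(CUSTOMER_TREES)))
    print("overlapping groups:", overlapping_groups(CUSTOMER_TREES))
    print("core state, PIM SM:", sorted(mdt_state(CUSTOMER_TREES)))
    print("core state, PIM Bi-Dir:", sorted(mdt_state(CUSTOMER_TREES, bidir=True)))
    pkt = encapsulate("EuroBank", "Paris", customer_packet("10.5.5.50", "239.1.1.1"))
    print("P router sees", p_router_view(pkt), "- egress PE recovers", decapsulate(pkt))
```

Running the module prints the six native entries, the group that two VPNs share (a collision in the native model), the PIM SM core state (one (PE address, MDT group) per ingress PE per VPN, never more than PEs times VPNs) and the Bi-Dir core state of exactly two (*, G) entries. Adding a hundred more FastFoods groups grows the native set but leaves the MDT state unchanged, which is the bounded-state property the text describes; the P router sees only the outer (194.22.15.2, 239.192.10.2) pair, and the customer (10.5.5.50, 239.1.1.1) reappears only after the egress PE strips the outer IP and GRE headers.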

NOTE

A P router is only aware of the PE router source addresses and the MDT-Group addresses that form the MDTs. CE router traffic traveling along an MDT is forwarded in a GRE-encapsulated packet (P-packet) using the MDT-group address as the destination (more on this in the later section, "MDTs"). The GRE P-packet uses IP only, and no MPLS label headers are applied to MDT traffic. Only pure IP multicast exists in the core.

NOTE

mVPN will be supported from IOS versions 12.2(13)T and 12.0(23)S for Cisco 7200 and 7500 series routers. Support for Cisco 10000 series routers will be available from IOS version 12.0(23)SX; the 12000 series is supported in 12.0(26)S. The initial release will permit a VPN to participate only in a single multicast domain; access to Internet multicast or other multicast domains will not be permissible. However, it is expected that this limitation will be removed in future versions of IOS.

PIM SM or SSM are the only multicast modes supported in the P-network for mVPN.

To summarize, the goals of the multicast domain solution are as follows:

• To deliver Enterprise Multicast to customers who subscribe to an MPLS VPN service

• To minimize the amount of state information in the P-network (the service provider core) while providing optimal routing

• To allow customers the freedom to choose their own multicast groups, multicast operation mode, RP placement, and so on

• To allow multicast in the P-network to be completely separated from the operation of multicast in the customer network

The various components used to deliver multicast domains are explained in the following sections.

Multicast VRF

On a PE router, each VRF can have an associated multicast routing and forwarding table configured, referred to as a multicast VRF (mVRF). The mVRF is the PE router's view into the enterprise VPN multicast network. The mVRF contains all the multicast routing information for that VPN. This information includes the state entries for distribution trees or RP-to-group mappings (if PIM SM is being used). When a PE router receives multicast data or control packets from a CE router interface in a VRF, multicast routing such as RPF checks and forwarding will be performed on the associated mVRF.

The PE router also can configure multicast features or protocols in the context of the mVRF. For example, if the customer network were using static RP configurations (that is, it was not using Auto-RP to distribute RP information), then the PE router would need to configure the same static RP entry information that was being used in the C-network. The multicast routing protocols in Cisco IOS such as PIM, IGMP, and MSDP have been modified to operate in the context of an mVRF and as such only modify data structures and states within that mVRF. Example 7-3 shows the PIM and MSDP commands available in the context of a VRF.

Example 7-3. VRF-Aware Multicast Configuration Commands

SuperCom_Paris(config)#ip pim vrf EuroBank ?
  accept-register      Registers accept filter
  accept-rp            RP accept filter
  bsr-candidate        Candidate bootstrap router (candidate BSR)
  register-rate-limit  Rate limit for PIM data registers
  register-source      Source address for PIM Register
  rp-address           PIM RP-address (Rendezvous Point)
  rp-announce-filter   Auto-RP announce message filter
  rp-candidate         To be a PIMv2 RP candidate
  send-rp-announce     Auto-RP send RP announcement
  send-rp-discovery    Auto-RP send RP discovery message (as RP-mapping agent)
  spt-threshold        Source-tree switching threshold
  ssm                  Configure Source Specific Multicast
  state-refresh        PIM DM State-Refresh configuration

SuperCom_Paris(config)#ip msdp vrf EuroBank ?
  default-peer         Default MSDP peer to accept SA messages from
  description          Peer specific description
  filter-sa-request    Filter SA-Requests from peer
  mesh-group           Configure an MSDP mesh-group
  originator-id        Configure MSDP Originator ID
  peer                 Configure an MSDP peer
  redistribute         Inject multicast route entries into MSDP
  sa-filter            Filter SA messages from peer
  sa-limit             Configure SA limit for a peer
  sa-request           Configure peer to send SA-Request messages to
  shutdown             Administratively shutdown MSDP peer
  timer                MSDP timer
  ttl-threshold        Configure TTL Threshold for MSDP Peer

In addition to the previous example commands, there are several multicast show commands that support VRF contexts. These are shown in Example 7-4.

Example 7-4. VRF-Aware Multicast show Commands

SuperCom_Paris#show ip pim vrf EuroBank ?
  autorp      Global AutoRP information
  bsr-router  Bootstrap router (v2)
  interface   PIM interface information
  mdt         Multicast tunnel information
  neighbor    PIM neighbor information
  rp          PIM Rendezvous Point (RP) information
  rp-hash     RP to be chosen based on group selected

SuperCom_Paris#show ip msdp vrf EuroBank ?
  count       SA count per AS
  peer        MSDP Peer Status
  sa-cache    MSDP Source-Active Cache
  summary     MSDP Peer Summary

SuperCom_Paris#show ip igmp vrf EuroBank ?
  groups      IGMP group membership information
  interface   IGMP interface information
  membership  IGMP membership information for forwarding
  tracking    IGMP Explicit Tracking information
  udlr        IGMP undirectional link multicast routing information

Example 7-5 shows the commands to enable multicast for the EuroBank VRF. The ip multicast-routing vrf command enables multicast routing on the associated EuroBank VRF. In addition, any multicast interfaces in the EuroBank VRF will also require PIM to be enabled, as shown with the ip pim sparse command. The various PIM adjacencies that can exist are discussed in the following section.

Example 7-5. Enabling Multicast in a VRF

ip multicast-routing vrf EuroBank
!
interface Serial0/0
 ip vrf forwarding EuroBank
 ip address 192.168.2.26 255.255.255.252
 ip pim sparse

NOTE

If the ip vrf forwarding command is removed from the PE router configuration, not only is the ip address command removed from any associated VRFs, but the ip pim sparse command is also removed.

PIM Adjacencies

Each VRF that has multicast routing enabled has a single PIM instance created on the PE router. This VRF-specific PIM instance forms a PIM adjacency with each PIM-enabled CE router in that mVRF. The customer multicast routing entries that each PIM instance creates are specific to the corresponding mVRF. In addition to the CE router PIM adjacency, the PE router forms two other types of PIM adjacencies. The first is a PIM adjacency with other PE routers that have mVRFs in the same multicast domain. This PE router PIM adjacency is accessible through the multicast tunnel interface (MTI) and is used to transport multicast information between mVRFs (through an MDT) across the backbone. MDTs and MTIs are described later in this chapter. The PE router PIM adjacencies are maintained by using the same PIM instance that is used between the PE router and CE router for the associated mVRF.

The second type of PIM adjacency is created by the global PIM instance. The PE router maintains global PIM adjacencies with each of its IGP neighbors, which will be P routers, or directly connected PE routers (that are also providing a P router function). The global PIM instance is used to create the multicast distribution trees (MDTs) that connect the mVRFs.


NOTE

CE routers do not form PIM adjacencies with each other, nor does a CE router form an adjacency with a PE router by using the global PIM instance.

Figure 7-8 shows the different types of PIM adjacencies in the SuperCom network for the FastFoods VPN. A CE PIM adjacency exists between the San Francisco FastFoods CE router and San Jose PE router, as well as between the Lyon FastFoods CE router and the Paris PE router. Because the FastFoods mVRFs are part of the same multicast domain, a PIM adjacency is active between the San Jose and Paris PE routers. Both San Jose and Paris PE routers have a separate PIM adjacency in the global table to the Washington P router.

Figure 7-8. PIM Adjacencies


MDTs

MDTs are multicast tunnels through the P-network. MDTs transport customer multicast traffic encapsulated in GRE that is part of the same multicast domain. The two types of MDTs are as follows:

- The Default-MDT: An mVRF uses this MDT to send low-bandwidth multicast traffic or traffic that is destined to a widely distributed set of receivers. The Default-MDT is always used to send multicast control traffic between PE routers in a multicast domain.

- The Data-MDT: This MDT type is used to tunnel high-bandwidth source traffic through the P-network to interested PE routers. Data-MDTs avoid unnecessary flooding of customer multicast traffic to all PE routers in a multicast domain.

Default-MDT

When a VRF is multicast enabled (as described in Example 7-5), it must also be associated with a Default-MDT. The PE router always builds a Default-MDT to peer PE routers that have mVRFs with the same configured MDT-group address. Every mVRF is connected to a Default-MDT. An MDT is created and maintained in the P-network by using standard PIM mechanisms. For example, if PIM SM were being used in the P-network, PE routers in a particular multicast domain would discover each other by joining the shared tree for the MDT-group that is rooted at the service provider's RP. The configuration of the Default-MDT for the FastFoods VRF is shown in Example 7-6.

Example 7-6. Configuration of the Default-MDT

ip vrf FastFoods
 rd 10:26
 route-target export 10:26
 route-target import 10:26
 mdt default 239.192.10.1

The example shows that only a single additional command is required for the existing VRF configuration. Upon application of the mdt default command, a multicast tunnel interface is created within the FastFoods mVRF, which provides access to the MDT-Group 239.192.10.1 within the SuperCom network. If other PE routers in the network are configured with the same group, then a shared or source tree is built between those PE routers.

NOTE

Enabling multicast on a VRF does not guarantee that there is any multicast activity on a CE router interface, only that there is a potential for sources and receivers to exist. After multicast is enabled on a VRF and a Default-MDT is configured, the PE router joins the Default-MDT for that domain regardless of whether sources or receivers are active. This is necessary so that the PE router can build PIM adjacencies to other PE routers in the same domain and that, at the very least, mVPN control information can be exchanged.


NOTE

At present, an mVRF can belong only to a single Default-MDT; therefore, extranets cannot be formed between mVPNs.

When a PE router joins an MDT, it becomes the root of that tree, and the remote peer PE routers become leaves of the MDT. Conversely, the local PE router becomes a leaf of the MDT that is rooted at remote PE routers. Being a root and a leaf of the same tree allows the PE router to participate in a multicast domain as both a sender and receiver. Figure 7-9 illustrates the MDT root and leaves in the SuperCom network.

Figure 7-9. MDT Roots and Leaves

NOTE

In our example, there are three (S, G) state entries, one for each PE router root of group 239.192.10.1. You can minimize the amount of information for the MDT in the P-network to a single (*, 239.192.10.1). This can be done by either setting the PIM spt-threshold to infinity for the MDT-Group or by deploying PIM Bi-Dir. However, doing so would change the MDT from a source tree to a shared tree, which in turn could affect routing optimality.

As mentioned previously, when a PE router forwards a customer multicast packet onto an MDT, it is encapsulated with GRE. This is so that the multicast group of a particular VPN can be mapped to a single MDT-group in the P-network. The source address of the outer IP header is the PE Multiprotocol BGP local peering address, and the destination address is the MDT-Group address assigned to the multicast domain. Therefore, the P-network is only concerned with the IP addresses in the GRE header (allocated by the service provider), not the customer-specific addressing.

The packet is then forwarded in the P-network by using the MDT-Group multicast address just like any other multicast packet, with normal RPF checks being done on the source address (which, in this case, is the originating PE). When the packet arrives at a PE router from an MDT, the encapsulation is removed and the original customer multicast packet is forwarded to the corresponding mVRF. The target mVRF is derived from the MDT-Group address in the destination of the encapsulation header. Therefore, using this process, customer multicast packets are tunneled through the P-network to the appropriate MDT leaves. Each MDT is a mesh of multicast tunnels forming the multicast domain. In Cisco IOS, access to the MDT is represented as the MTI and is discussed in a following section. Cisco IOS creates this tunnel interface automatically upon configuration of the MDT.

NOTE

GRE, as defined in RFC 2784, is the default encapsulation method for the multicast tunnel. A future possibility is to encapsulate the customer packet with MPLS (multicast forwarding using labels). This forwarding method is described in the draft RFC farinacci-mpls-multicast, "Using PIM to Distribute Labels for Multicast Routes," which you can obtain from http://www.ietf.org/. However, at the time of writing this chapter, only IP encapsulation and forwarding is supported for multicast domains.

Figure 7-10 shows the process of customer packet encapsulation across an MDT.

Figure 7-10. MDT Packet Encapsulation

For clarity in this and further examples, any information pertaining to the customer network will be preceded by a "C-" and information pertaining to the provider network will be preceded by a "P-". For example, a packet originating from a customer network will be referred to as a C-packet, and a PIM join message in the service provider network will be referred to as a P-join.

In the example, a source at San Francisco is sending traffic to a receiver at FastFoods Lyon by using the group (*, 239.255.0.20). The Default-MDT for the FastFoods multicast domain has been defined to be 239.192.10.1, and this value is configured on each of the FastFoods VRFs. The San Jose PE router encapsulates multicast traffic destined to the group 239.255.0.20 from the source 195.12.2.6 at the FastFoods San Francisco site into a P-packet by using GRE encapsulation. The Type of Service byte of the C-packet is also copied to the P-packet. The source address of the P-packet is the BGP peering address of the San Jose PE router (194.22.15.2), and the destination address is the MDT-Group (239.192.10.1). When the P-packet arrives at the Paris PE router, the encapsulation is stripped and the original C-packet is forwarded to the receiver.
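The encapsulation just described, modelled end to end: the ingress PE wraps the C-packet in an outer IPv4 header plus a bare GRE header, copying the ToS byte and using its BGP peering address as P-source and the MDT group as P-destination, and the egress PE strips both again. This is an added example, not code from the book or from Cisco IOS; the addresses are the ones the text uses, and the C-packet itself (a dummy UDP payload) is constructed here.

```python
"""Model of MDT packet encapsulation (Figure 7-10): the ingress PE wraps the
customer's C-packet in a P-packet (IPv4 + GRE, RFC 2784) and the egress PE
strips it. Added example, not the book's code; sample packets are constructed."""
import ipaddress
import struct

IPPROTO_GRE = 47          # IP protocol number carried in the outer P-packet
GRE_PROTO_IPV4 = 0x0800   # GRE protocol-type value for an IPv4 payload


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header (0 when verifying a valid one)."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, tos: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal IPv4 header (no options) followed by payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(packet: bytes) -> dict:
    """Validate version/checksum and split header fields from payload."""
    vihl, tos, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("malformed IPv4 header")
    return {"tos": tos, "ttl": ttl, "proto": proto,
            "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "payload": packet[ihl:total_len]}


def encapsulate_on_mdt(c_packet: bytes, pe_bgp_peering: str, mdt_group: str) -> bytes:
    """Ingress PE: P-source = PE's BGP peering address, P-destination = MDT group,
    ToS copied from the C-packet, GRE header with flags/version 0 and protocol IPv4."""
    inner = parse_ipv4(c_packet)
    gre_header = struct.pack("!HH", 0, GRE_PROTO_IPV4)
    return build_ipv4(pe_bgp_peering, mdt_group, IPPROTO_GRE, inner["tos"], gre_header + c_packet)


def decapsulate_at_egress(p_packet: bytes) -> bytes:
    """Egress PE: strip outer IPv4 and GRE. GRE variants with optional fields
    (C/K/S bits) or a non-zero version are refused: the MDT uses the bare header."""
    outer = parse_ipv4(p_packet)
    if outer["proto"] != IPPROTO_GRE:
        raise ValueError("P-packet is not GRE")
    flags_ver, ptype = struct.unpack("!HH", outer["payload"][:4])
    if flags_ver & 0xB007 or ptype != GRE_PROTO_IPV4:
        raise ValueError("unsupported GRE header")
    return outer["payload"][4:]


# Constructed C-packet: FastFoods source 195.12.2.6 -> group 239.255.0.20, ToS 0xB8,
# carrying a dummy UDP payload (the UDP header is not validated in this model).
C_PACKET = build_ipv4("195.12.2.6", "239.255.0.20", 17, 0xB8,
                      b"\x04\xd2\x13\x89\x00\x12\x00\x00" + b"hello lyon")
SAN_JOSE_PE = "194.22.15.2"           # BGP peering address from the text
FASTFOODS_DEFAULT_MDT = "239.192.10.1"


def walk_packet_across_mdt() -> dict:
    """Run the San Jose -> Paris path of the text and report what each PE sees."""
    p_packet = encapsulate_on_mdt(C_PACKET, SAN_JOSE_PE, FASTFOODS_DEFAULT_MDT)
    outer = parse_ipv4(p_packet)
    recovered = decapsulate_at_egress(p_packet)
    return {"p_src": outer["src"], "p_dst": outer["dst"], "p_tos": outer["tos"],
            "p_proto": outer["proto"], "c_packet_intact": recovered == C_PACKET,
            "c_dst": parse_ipv4(recovered)["dst"]}


if __name__ == "__main__":
    print(walk_packet_across_mdt())
```

The checks in decapsulate_at_egress are the point for a defender: anything that is not a bare RFC 2784 header with an IPv4 protocol type is dropped rather than handed into the mVRF.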

NOTE

It is recommended that the MDT-group addresses for the P-network be taken from the range defined in RFC 2365, "Administratively Scoped IP Multicast." This ensures that the provision of multicast domains does not interfere with the simultaneous support of Internet multicast in the P-network.

Data-MDT

Any traffic offered to the Default-MDT (via the multicast tunnel interface) is distributed to all PE routers that are part of that multicast domain, regardless of whether active receivers are in the mVRF at that PE router. For high-bandwidth applications that have sparsely distributed receivers, this can pose the problem of unnecessary flooding to PE routers. To overcome this, a special MDT group called the Data-MDT can be created to minimize the flooding by sending data only to PE routers that have active receivers. The Data-MDT is created dynamically if a particular multicast stream exceeds a bandwidth threshold. Each VRF can have a pool of Data-MDT groups allocated to it.

NOTE

Note that the Data-MDT is only created for data traffic. All multicast control traffic travels on the Default-MDT to ensure that all PE routers receive control information.

When a traffic threshold is exceeded on the Default-MDT, the PE router that is connected to the VPN source of the multicast traffic can switch the (S, G) from the Default-MDT to a group associated with the Data-MDT.

NOTE

The rate at which the threshold is checked is a fixed value, which varies between router platforms. The bandwidth threshold is checked per (S, G) multicast stream rather than as an aggregate of all traffic on the Default-MDT.

The group selected for the Data-MDT is taken from a pool that has been configured on the VRF. For each source that exceeds the configured bandwidth threshold, a new Data-MDT is created from the available pool for that VRF. If there are more high-bandwidth sources than there are groups available in the pool, then the group that has been referenced the least is selected and reused. This implies that if the pool contains a small number of groups, then a Data-MDT may have more than one high-bandwidth source using it. A small Data-MDT pool ensures that the amount of state information in the P-network is minimized. A large Data-MDT pool allows more optimal routing (sources are less likely to share the same Data-MDT) at the expense of increased state information in the P-network.

NOTE

The Data-MDT is triggered only by an (S, G) entry in the mVRF, not a (*, G) entry. If a customer VPN is using PIM Bi-Dir or the threshold is set to infinity, then the Default-MDT is used for all traffic regardless of bandwidth.

Example 7-7 shows how to configure a Data-MDT pool for the EuroBank VRF.

Example 7-7. Configuration of the Data-MDT

ip vrf EuroBank
 rd 10:27
 route-target export 10:27
 route-target import 10:27
 mdt default 239.192.10.2

mdt data 239.192.20.32 0.0.0.15 threshold 1 [list ]

The mdt data command specifies a range of addresses to be used in the Data-MDT pool. Specifying the mask 0.0.0.15 allows you to use the range 239.192.20.32 through 239.192.20.47 as the address pool.

Because these are multicast group addresses (class D addresses), there is no concept of a subnet; therefore, you can use all addresses in the mask range. The threshold is specified in kilobits. In this example, a threshold of 1 kilobit per second has been set, which means that if a multicast stream exceeds 1 Kbps, then a Data-MDT is created. The mdt data command can also limit the creation of Data-MDTs to particular (S, G) VPN entries by specifying these addresses in an <access-list>.

When a PE router creates a Data-MDT, the multicast source traffic is encapsulated in the same manner as for the Default-MDT, but the destination group is taken from the Data-MDT pool. Any PE router that has interested receivers needs to issue a P-join for the Data-MDT; otherwise, the receivers cannot see the C-packets because the stream is no longer active on the Default-MDT. For this to occur, the source PE router must inform all other PE routers in the multicast domain of the existence of the newly created Data-MDT. This is achieved by transmitting a special PIM-like control message on the Default-MDT containing the customer's (S, G) to Data-MDT group mapping. This message is called a Data-MDT join.

The Data-MDT join is an invitation to peer PE routers to join the new Data-MDT if they have interested receivers in the corresponding mVRF. The message is carried in a UDP packet destined to the ALL-PIM-ROUTERS group (224.0.0.13) with UDP port number 3232. The (S, G, Data-MDT) mapping is advertised by using the type, length, value (TLV) format, as shown in Figure 7-11.

Figure 7-11. Data-MDT Join TLV Format

Any PE routers that receive the (S, G, Data-MDT) mapping join the Data-MDT if they have receivers in the mVRF for G. The source PE router that initiated the Data-MDT waits several seconds before sending the multicast stream onto the Data-MDT. The delay is necessary to allow receiving PE routers time to build a path back to the Data-MDT root and to avoid packet loss when switching from the Default-MDT.

The Data-MDT is a transient entity that exists as long as the bandwidth threshold is being exceeded. If the traffic bandwidth falls below the threshold, the source is switched back to the Default-MDT. To avoid transitions between the MDTs, traffic only reverts to the Default-MDT if the Data-MDT is at least one minute old.
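The pool expansion for the mdt data command in Example 7-7 and the selection rules of the preceding paragraphs (per-(S, G) threshold, least-referenced reuse when the pool is exhausted, revert only once the Data-MDT is a minute old) as one runnable model. This is an added example and not Cisco IOS code or the book's; the sample rates and timestamps are constructed, and the Default-MDT 239.192.10.2 is the EuroBank value from Example 7-7.

```python
"""Model of Data-MDT pool allocation and threshold switching for one mVRF, as
configured by 'mdt data 239.192.20.32 0.0.0.15 threshold 1' in Example 7-7.
Added example, not Cisco IOS code; the 60 s revert age is the text's rule."""
import ipaddress
from collections import Counter

REVERT_MIN_AGE_S = 60   # traffic reverts to the Default-MDT only once the Data-MDT is a minute old


def data_mdt_pool(group: str, wildcard: str) -> list:
    """Expand 'mdt data <group> <wildcard>' into the pool; wildcard 1-bits are free bits."""
    base = int(ipaddress.IPv4Address(group))
    wild = int(ipaddress.IPv4Address(wildcard))
    if wild & (wild + 1):
        raise ValueError("only contiguous low-order wildcard masks are handled here")
    fixed = base & ~wild & 0xFFFFFFFF
    pool = [str(ipaddress.IPv4Address(fixed | i)) for i in range(wild + 1)]
    if not all(ipaddress.IPv4Address(g).is_multicast for g in pool):
        raise ValueError("Data-MDT pool must consist of class D addresses")
    return pool


class DataMdtSelector:
    """Per-VRF decision of which MDT group an (S, G) stream is sent to."""

    def __init__(self, default_mdt: str, pool: list, threshold_kbps: int):
        self.default_mdt = default_mdt
        self.pool = list(pool)
        self.threshold = threshold_kbps
        self.refs = Counter()   # number of (S, G) currently using each Data-MDT group
        self.active = {}        # (S, G) -> (Data-MDT group, creation time)

    def _allocate(self, now: float):
        free = [g for g in self.pool if self.refs[g] == 0]
        # Pool exhausted: reuse the least-referenced group (first in pool order on ties),
        # so several high-bandwidth sources may share one Data-MDT.
        group = free[0] if free else min(self.pool, key=lambda g: self.refs[g])
        self.refs[group] += 1
        return group, now

    def observe(self, sg: tuple, rate_kbps: float, now: float) -> str:
        """Called once per (S, G) rate sample; the threshold is per stream, not aggregate."""
        if sg in self.active:
            group, created = self.active[sg]
            if rate_kbps <= self.threshold and now - created >= REVERT_MIN_AGE_S:
                del self.active[sg]
                self.refs[group] -= 1
                return self.default_mdt
            return group                      # stay on the Data-MDT (still busy or too young)
        if rate_kbps > self.threshold:
            self.active[sg] = self._allocate(now)
            return self.active[sg][0]
        return self.default_mdt


def eurobank_scenario() -> list:
    """Constructed timeline: source bursts at t=0, idles at t=30, still idle at t=61."""
    sel = DataMdtSelector("239.192.10.2", data_mdt_pool("239.192.20.32", "0.0.0.15"), 1)
    sg = ("196.7.25.12", "239.255.0.20")
    return [sel.observe(sg, 800, 0), sel.observe(sg, 0, 30), sel.observe(sg, 0, 61)]


if __name__ == "__main__":
    print(data_mdt_pool("239.192.20.32", "0.0.0.15"))
    print(eurobank_scenario())
```

A small pool keeps P-network state down at the price of sources sharing a Data-MDT; the allocator makes that trade-off visible because refs shows exactly which groups are shared.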

NOTE

PE routers that do not have mVRF receivers for the Data-MDT will cache the (S, G, Data-MDT) mappings in an internal table so that the join latency can be minimized if a receiver appears. The Data-MDT join message is sent every minute by the source PE router, and any cached (S, G, MDT) mappings are aged out after three minutes if they are not refreshed.

Figure 7-12 shows the operation of a Data-MDT in the SuperCom network.

Figure 7-12. Data-MDT Operation

EuroBank has a high-bandwidth source (196.7.25.12) located at its Paris headquarters that is servicing the EuroBank multicast group 239.255.0.20. This group has an interested receiver in EuroBank San Francisco. The following steps describe the operation of the Data-MDT:

Step 1. The source at EuroBank Paris begins to transmit. Shortly thereafter, it exceeds the bandwidth threshold.
Step 2. The Paris PE router notices that the source is exceeding the bandwidth threshold and creates a new Data-MDT from the pool configured for the EuroBank VRF, in this case 239.192.20.32.

Step 3. The Paris PE router advertises the existence of the Data-MDT via a UDP packet that contains the TLV (196.7.25.12, 239.255.0.20, 239.192.20.32). This TLV describes the Data-MDT that the customer's (S, G) is being switched over to.

Step 4. The San Jose PE router receives the (S, G, Data-MDT) mapping on the Default-MDT and issues a P-join for (*, 239.192.20.32) to the SuperCom network. This allows the San Jose PE router to join the tree for the Data-MDT in the SuperCom network.

Step 5. The PE router in Washington also receives the (S, G, Data-MDT) mapping but does not issue a P-join because no interested receivers are connected to it. Instead, the PE router caches the entry for future reference.

Step 6. After waiting for three seconds, the Paris PE router begins to transmit the multicast data for (196.7.25.12, 239.255.0.20) over the Data-MDT 239.192.20.32. The three-second delay is required to ensure that the network has had enough time to create the Data-MDT.
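Steps 3 through 5, plus the caching note above, as a runnable model: the Paris PE encodes the (C-source, C-group, P-group) mapping as a TLV in a UDP datagram to port 3232, the San Jose PE (which has a receiver) answers with a P-join, and the Washington PE only caches the mapping and ages it out after three minutes without a refresh. This is an added example, not the book's or Cisco's code. Figure 7-11 is not reproduced on this page, so the byte layout used here (Type 1, 2-byte Length of 16, a reserved byte, then the three IPv4 addresses, as in the MDT Join TLV of RFC 6037) is an assumption rather than the figure's; the UDP header carries no checksum in this model.

```python
"""Data-MDT join TLV encode/decode and the receiving PE's join-or-cache logic.
Added example, not the book's code. TLV layout assumed from RFC 6037's MDT Join
TLV (Type=1, Length=16, Reserved, C-source, C-group, P-group); Figure 7-11 is
not available here. The datagram goes to ALL-PIM-ROUTERS, UDP port 3232."""
import ipaddress
import struct

ALL_PIM_ROUTERS = "224.0.0.13"
DATA_MDT_JOIN_PORT = 3232
MDT_JOIN_TYPE = 1
MDT_JOIN_LEN = 16
CACHE_AGE_S = 180          # cached mappings age out after three minutes without refresh


def encode_mdt_join(c_source: str, c_group: str, p_group: str) -> bytes:
    return struct.pack("!BHB4s4s4s", MDT_JOIN_TYPE, MDT_JOIN_LEN, 0,
                       ipaddress.IPv4Address(c_source).packed,
                       ipaddress.IPv4Address(c_group).packed,
                       ipaddress.IPv4Address(p_group).packed)


def decode_mdt_join(tlv: bytes) -> tuple:
    """Strict parse: wrong type/length, multicast C-source or unicast groups are rejected."""
    if len(tlv) < MDT_JOIN_LEN:
        raise ValueError("truncated TLV")
    ttype, length, _, cs, cg, pg = struct.unpack("!BHB4s4s4s", tlv[:MDT_JOIN_LEN])
    if ttype != MDT_JOIN_TYPE or length != MDT_JOIN_LEN:
        raise ValueError("not a Data-MDT join TLV")
    c_source, c_group, p_group = (ipaddress.IPv4Address(x) for x in (cs, cg, pg))
    if c_source.is_multicast or not (c_group.is_multicast and p_group.is_multicast):
        raise ValueError("address fields inconsistent with an (S, G, Data-MDT) mapping")
    return str(c_source), str(c_group), str(p_group)


def wrap_udp(payload: bytes, dst_port: int = DATA_MDT_JOIN_PORT,
             src_port: int = DATA_MDT_JOIN_PORT) -> bytes:
    """UDP header (checksum 0 = none) in front of the TLV."""
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload


def unwrap_udp(datagram: bytes) -> bytes:
    _, dst_port, length, _ = struct.unpack("!HHHH", datagram[:8])
    if dst_port != DATA_MDT_JOIN_PORT or length != len(datagram):
        raise ValueError("not a Data-MDT join datagram")
    return datagram[8:]


class ReceivingPE:
    """Joins the Data-MDT when the mVRF has receivers for G, otherwise caches the mapping."""

    def __init__(self, groups_with_receivers):
        self.receivers = set(groups_with_receivers)
        self.joined = set()          # P-groups this PE has issued a P-join for
        self.cache = {}              # (C-source, C-group) -> (P-group, last refresh time)

    def on_join_message(self, datagram: bytes, now: float) -> str:
        c_source, c_group, p_group = decode_mdt_join(unwrap_udp(datagram))
        self.cache[(c_source, c_group)] = (p_group, now)   # refreshed every minute by the source PE
        if c_group in self.receivers:
            self.joined.add(p_group)
            return "P-join " + p_group
        return "cached " + p_group

    def age_out(self, now: float) -> int:
        """Drop mappings not refreshed for CACHE_AGE_S; returns how many were removed."""
        stale = [k for k, (_, t) in self.cache.items() if now - t >= CACHE_AGE_S]
        for k in stale:
            del self.cache[k]
        return len(stale)


# Constructed message from the Paris PE for the (S, G) of Figure 7-12.
PARIS_JOIN = wrap_udp(encode_mdt_join("196.7.25.12", "239.255.0.20", "239.192.20.32"))
```

The decoder's address sanity checks matter on the control plane: a mapping whose P-group is not a multicast address, or whose C-source is, should never create state on a receiving PE.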

MTI

The MTI is the representation of access to the multicast domain in Cisco IOS. The MTI appears in the mVRF as an interface called Tunnelx, where x is the tunnel number. For every multicast domain in which an mVRF participates, there is a corresponding MTI. (Note that the current IOS implementation supports only one domain per mVRF.) An MTI is essentially a gateway that connects the customer environment (mVRF) to the service provider's global environment (MDT). Any C-packets sent to the MTI are encapsulated into a P-packet (using GRE) and forwarded along the MDT. When the PE router sends to the MTI, it is the root of that MDT; when the PE router receives traffic from an MTI, it is a leaf of that MDT.

NOTE

Only a single MTI is necessary to access a multicast domain. The same MTI is used to forward traffic regardless of whether it is to the Default-MDT or to multiple Data-MDTs associated with that multicast domain.

PIM adjacencies are formed to all other PE routers in the multicast domain via the MTI. Therefore, for a specific mVRF, PE router PIM neighbors are all seen as reachable via the same MTI.
The MTI is treated by an mVRF PIM instance as if it were a LAN interface. All PIM LAN procedures are valid over the MTI.

The PE router sends PIM control messages across the MTI so that multicast forwarding trees can be created between customer sites that are separated by the P-network. The forwarding trees referred to here are visible only in the C-network, not the P-network. To allow multicast forwarding between a customer's sites, the MTI is part of the outgoing interface list (olist) for the (S, G) or (*, G) states that originate from the mVRF.

The MTI is created dynamically upon configuration of the Default-MDT and cannot be explicitly configured. PIM Sparse-Dense (PIM SD) mode is automatically enabled so that various customer group modes can be supported. For example, if the customer were using PIM DM exclusively, then the MTI would be added to the olist in the mVRF with the entry marked Forward/Dense to allow distribution of traffic to other customer sites. If the PE router neighbors all sent a prune message back, and no prune override was received, then the MTI in the olist entry would be set to Prune/Dense exactly as if it were a LAN interface. If the customer network were running PIM SM, then the MTI would be added to the olist only on the reception of an explicit join from a remote PE router in the multicast domain.

NOTE

Although the MTI cannot be configured explicitly, it derives its IP properties from the same interface being used for Multiprotocol BGP peering. This is usually, but not necessarily, the loopback 0 interface, and this interface must be multicast enabled.

The MTI is not accessible or visible to the IGP (such as OSPF or IS-IS) operating in the customer network. In other words, no unicast routing is forwarded over the MTI because the interface does not appear in the unicast routing table of the associated VRF. Because the RPF check is performed on the unicast routing table for PIM, traffic received through an MTI has direct implications on current RPF procedures.

RPF Check

RPF is a fundamental requirement of multicast routing. The RPF check ensures that multicast traffic has arrived from the correct interface, the one that leads back to the source. If this check passes, the multicast packets can be distributed out the appropriate interfaces away from the source. RPF consists of two pieces of information: the RPF interface and the RPF neighbor. The RPF interface is used to perform the RPF check by making sure that the multicast packet arrives on the interface it is supposed to, as determined by the unicast routing table. The RPF neighbor is the IP address of the PIM adjacency. It is used to forward messages such as PIM joins or prunes for the (*, G) or (S, G) entries (back toward the root of the tree where the source or RP resides). The RPF interface and neighbor are created during control-plane setup of a (*, G) or (S, G) entry. During data forwarding, the RPF check is executed using the RPF interface cached in the state entry.

In an mVPN environment, the RPF check can be categorized into three types of multicast packets:

C-packets received from a PE router customer interface in the mVRF

P-packets received from a PE router or P router interface in the global routing table

C-packets received from a multicast tunnel interface in the mVRF

The RPF check for the first two categories is performed as per legacy RPF procedures. The interface information is gleaned from the unicast routing table and cached in a state entry. For C-packets, the C-source lookup in the VRF unicast routing table returns a PE router interface associated with that VRF. For P-packets, the P-source lookup in the global routing table returns an interface connected to another P router or PE router. The results of these lookups are used as the RPF interface.

The third category, C-packets that are received from an MTI, is treated a little differently and requires modification to the way the (S, G) or (*, G) state is created. C-packets in this category originated from remote PE routers in the network and have traveled across the P-network via the MDT. Therefore, from the mVRF's perspective, these C-packets must have been received on the MTI. However, because the MTI does not participate in unicast routing, a lookup of the C-source in the VRF does not return the tunnel interface. Instead, the route to the C-source will have been distributed by Multiprotocol BGP as a VPNv4 prefix from the remote PE router. This implies that the receive interface is actually in the P-network. In this case, the RPF procedure has been modified so that if Multiprotocol BGP has learned a prefix that contains the C-source address, the RPF interface is set to the MTI that is associated with that VRF.

NOTE

The modified RPF interface procedure is applicable only to mVRFs that are part of a single multicast domain. Although the multicast domain architecture can support multiple domains in an mVRF, the current Cisco implementation limits an mVRF to one domain.

The procedure for determining the RPF neighbor has also been modified. If the RPF interface is set to the MTI, then the RPF neighbor must be a remote PE router. (Remember that a PE router forms PIM adjacencies to other PE routers via the MTI.) The RPF neighbor is selected according to two criteria. First, the RPF neighbor must be the BGP next-hop to the C-source, as it appears in the routing table for that VRF. Second, the same BGP next-hop address must appear as a PIM neighbor in the adjacency table for the mVRF. This is the reason that PIM must use the local BGP peering address when it sends hello packets across the MDT. Referencing the BGP table is done once during setup in the control plane (to create the RPF entries). When multicast data is forwarded, verification only needs to take place on the cached RPF information.
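The modified RPF procedure and the two RPF-neighbor criteria above, as an added Python model (this is not code from the book or from Cisco IOS). It treats the VRF unicast table as a list of routes and the mVRF PIM adjacency table as a map of neighbor address to interface; the source 196.7.25.12 and the next hop 194.22.15.1 are taken from Example 7-8 later in the chapter, while the connected prefix, the interface names and the alternative neighbor address 10.99.0.1 are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Route:
    prefix: str
    protocol: str              # "connected", "ospf", ... or "bgp" for a VPNv4 prefix from a remote PE
    next_hop: Optional[str]    # None for directly connected prefixes
    interface: Optional[str]   # None for BGP VPNv4 routes: the MTI is not a unicast interface


@dataclass
class Mvrf:
    name: str
    mti: str                                      # multicast tunnel interface of this domain
    unicast: list[Route]
    pim_neighbors: dict[str, str] = field(default_factory=dict)  # neighbor address -> interface


def longest_match(table: list[Route], addr: str) -> Optional[Route]:
    """Plain longest-prefix match; stands in for the unicast routing table lookup."""
    target = ip_address(addr)
    best: Optional[Route] = None
    for route in table:
        net = ip_network(route.prefix)
        if target in net and (best is None or net.prefixlen > ip_network(best.prefix).prefixlen):
            best = route
    return best


def rpf_interface_and_neighbor(mvrf: Mvrf, c_source: str):
    """Return (rpf_interface, rpf_neighbor) for a C-source in this mVRF, or None
    when no RPF interface can be established."""
    route = longest_match(mvrf.unicast, c_source)
    if route is None:
        return None
    if route.protocol != "bgp":
        # Legacy procedure: the VRF route names a real PE-CE interface.
        return route.interface, route.next_hop
    # Modified procedure: the prefix was learned via Multiprotocol BGP from a
    # remote PE, so the RPF interface is the MTI. The RPF neighbor must be the
    # BGP next hop AND that address must be a PIM neighbor seen on the MTI,
    # which is why PIM hellos across the MDT use the BGP peering address.
    bgp_next_hop = route.next_hop
    if mvrf.pim_neighbors.get(bgp_next_hop) != mvrf.mti:
        return None
    return mvrf.mti, bgp_next_hop


def rpf_check(mvrf: Mvrf, c_source: str, incoming_interface: str) -> bool:
    """The data-plane check: the packet must have arrived on the cached RPF interface."""
    result = rpf_interface_and_neighbor(mvrf, c_source)
    return result is not None and result[0] == incoming_interface


def build_sample_mvrf(pim_hellos_use_bgp_address: bool = True) -> Mvrf:
    """Constructed EuroBank mVRF on a receiving PE (sample data, not from the book).
    With pim_hellos_use_bgp_address=False the remote PE is seen as PIM neighbor
    10.99.0.1 instead of its BGP peering address, so the second criterion fails."""
    remote_pe = "194.22.15.1"
    neighbor_seen = remote_pe if pim_hellos_use_bgp_address else "10.99.0.1"
    return Mvrf(
        name="EuroBank",
        mti="Tunnel0",
        unicast=[
            Route("10.2.1.0/24", "connected", None, "Ethernet5/0"),   # local PE-CE link (constructed)
            Route("196.7.25.0/24", "bgp", remote_pe, None),           # VPNv4 prefix from remote PE
        ],
        pim_neighbors={neighbor_seen: "Tunnel0"},
    )
```

The failing case is the interesting one for a defender: if the remote PE's PIM hellos carry any address other than its BGP peering address, the C-source has a valid unicast route but no RPF neighbor, and multicast from that site is silently dropped.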

Multiprotocol BGP MDT Updates and SSM

When a PE router creates a Default-MDT group, it updates all its peers by using Multiprotocol BGP. The Multiprotocol BGP update provides two pieces of information: the MDT-Group created and the root address of the tree (which is the BGP peering address of the PE router that originated the message). At present, this information is used only to support P-networks that use SSM. If an MDT-Group range is enabled for SSM, then the source tree is joined immediately. This differs from PIM SM, where the shared tree that is rooted at the RP is initially joined.

If an MDT-Group range has been configured to operate in SSM mode on a PE router, then that PE router needs to know the source address of the MDT root to establish an (S, G) state. This is provided in the Multiprotocol BGP update. For PE routers that do not use SSM, the information received is cached in the BGP VPNv4 table.

NOTE

One of the primary advantages of SSM is that it does not depend on RPs, which eliminates the RP as a single point of failure. A practical example of SSM operation with MDTs is discussed later in the chapter.

The MDT-Group is carried in the BGP update message as an extended community attribute by using the type code 0x0009. The attribute supports the AS format only and is shown in Figure 7-13.

Figure 7-13. MDT Extended Community Attribute

The root address of the MDT is carried in the BGP MP_REACH_NLRI attribute (AFI = 1 and SAFI = 128) by using the same format as a VPN-IPv4 address. We refer to it as an mVPN-IPv4 address. However, no label information is carried in the NLRI portion of the attribute. The MDT root address is carried in 2B:4B (AS#:Assigned Number) route distinguisher format but with a type code of 0x0002. The route distinguisher for the root address is shown in Figure 7-14.

Figure 7-14. Route Distinguisher for MDT Root Address


NOTE

The RD type code 0x0002 conflicts with the official route distinguisher format as defined in RFC 2547bis, "BGP/MPLS VPNs," available from http://www.ietf.org. This value will eventually be changed to avoid conflict with the standard.
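The two encodings just described, the AS-format MDT extended community (type code 0x0009) and the mVPN-IPv4 root address (RD type 0x0002 plus a 4-byte IPv4 address, no label), as an added Python encoder/decoder. This is example code, not the book's or Cisco's, and it assumes the 0x0009 type code occupies the two type octets of the 8-byte community and the 0x0002 type code the two type octets of the RD; the `receiver_action` function models only the decision a receiving PE makes (join the source tree by SSM, or cache the update), not the BGP message framing around it.

```python
import struct
from ipaddress import IPv4Address, IPv4Network

MDT_EXTCOMM_TYPE = 0x0009   # extended community type code stated in the text (assumed to fill both type octets)
MDT_RD_TYPE = 0x0002        # RD type code used for the MDT root address


def encode_mdt_extcomm(asn: int, mdt_group: str) -> bytes:
    """AS-format MDT extended community: type(2) | AS(2) | MDT group(4) = 8 bytes."""
    if not 0 <= asn <= 0xFFFF:
        raise ValueError("the AS format carries a 2-byte AS number only")
    group = IPv4Address(mdt_group)
    if not group.is_multicast:
        raise ValueError(f"{mdt_group} is not a multicast group")
    return struct.pack("!HH", MDT_EXTCOMM_TYPE, asn) + group.packed


def decode_mdt_extcomm(raw: bytes):
    """Return (asn, group) or None when this 8-byte community is not an MDT one."""
    if len(raw) != 8:
        raise ValueError("an extended community is exactly 8 bytes")
    ctype, asn = struct.unpack("!HH", raw[:4])
    if ctype != MDT_EXTCOMM_TYPE:
        return None
    return asn, str(IPv4Address(raw[4:]))


def encode_mdt_root(asn: int, assigned: int, root: str) -> bytes:
    """mVPN-IPv4 address: RD (type 0x0002, 2B AS : 4B assigned number) + root IPv4, no label."""
    return struct.pack("!HHI", MDT_RD_TYPE, asn, assigned) + IPv4Address(root).packed


def decode_mdt_root(raw: bytes):
    """Return ("type:AS:assigned", root_address) for a 12-byte mVPN-IPv4 address."""
    if len(raw) != 12:
        raise ValueError("an mVPN-IPv4 address is 8 bytes of RD plus a 4-byte address")
    rd_type, asn, assigned = struct.unpack("!HHI", raw[:8])
    if rd_type != MDT_RD_TYPE:
        raise ValueError(f"unexpected RD type 0x{rd_type:04x}")
    return f"{rd_type}:{asn}:{assigned}", str(IPv4Address(raw[8:]))


def receiver_action(extcomm: bytes, nlri: bytes, local_mdt_groups: set, ssm_range: str) -> tuple:
    """What a receiving PE does with the update: with an mVRF in the same domain
    and the group inside the SSM range it joins (root, group) immediately; with
    an mVRF but no SSM it joins the shared tree toward the RP; with no mVRF in
    that domain it only caches the update for future reference."""
    decoded = decode_mdt_extcomm(extcomm)
    if decoded is None:
        return ("ignore", None)
    _, group = decoded
    _, root = decode_mdt_root(nlri)
    if group not in local_mdt_groups:
        return ("cache", (root, group))
    if IPv4Address(group) in IPv4Network(ssm_range):
        return ("join-ssm", (root, group))
    return ("join-shared-tree", (None, group))
```

Run against the values of Figure 7-15 (AS 10, group 239.192.10.2, RD 10:27, root 194.22.15.1), the community encodes as `0009000aefc00a02` and the root address as `0002000a0000001bc2160f01`; a PE that has the EuroBank mVRF and an SSM range of 239.192.10.0/24 answers `join-ssm`, one without the mVRF answers `cache`.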

NOTE

Information about Data-MDTs is not carried in Multiprotocol BGP messages. The Data-MDT join message is used for this purpose.

Figure 7-15 shows how the Default-MDT would be created by using Multiprotocol BGP updates if SuperCom were configured to operate in SSM mode only. For the purposes of this example, assume that the SSM range has been defined to be 239.192.10.0/24.

Figure 7-15. Multiprotocol BGP Updates and SSM




Figure 7-15 describes the creation of the Default-MDT as follows:

Step 1. The EuroBank VRF on the Paris PE router is enabled for multicast and is configured with the Default-MDT group of 239.192.10.2.

Step 2. The Paris PE router generates a Multiprotocol BGP update message to both the Washington and San Jose PE router peers. (Note: This update message is generated even if SSM is not used.) The update contains the following information:

- An MDT extended community attribute for the MDT group in the form 10:239.192.10.2, where 10 is the autonomous system number of SuperCom.

- The information in the MP_REACH_NLRI attribute contains a VPNv4-style address with a route distinguisher of 2:10:27, where 2 is the route distinguisher type signifying that this route distinguisher is part of an MDT root address. 10:27 is the route distinguisher definition (AS:Assigned Number) from the EuroBank VRF. The IP address in the NLRI and the next-hop both use the Paris PE router BGP peering address of 194.22.15.1.

Step 3. When the San Jose PE router receives the BGP update, it immediately issues a P-join to (194.22.15.1, 239.192.10.2) by using SSM procedures. The join is issued because the San Jose PE router previously defined an mVRF to the same multicast domain (same group address 239.192.10.2).

Step 4. The Washington PE router also receives the BGP update, but because it does not have an mVRF in that domain, it stores the update for future reference.

mVPN State Flags

Several new state flags have been created to identify multicast routing entries associated with multicast domains. These flags are shown in Table 7-1.
Table 7-1. mVPN State Flags

Flag  Description                 Detail

Z     Multicast Tunnel            This flag appears in multicast entries in the global multicast routing table. It signifies that the multicast packets are received or transmitted on a multicast tunnel (MDT) entry. This flag appears only if mVRFs are present on the PE router that is associated with this entry. The Z flag directs that the P-packet should be de-encapsulated to reveal the C-packet.

Y     Joined MDT-Data Group       This flag appears in multicast entries for the mVRF. It signifies that data for this (*, G) or (S, G) is being received over a Data-MDT group. An entry with the Y flag signifies that this PE router received a Data-MDT join message from a source PE router and has issued a join toward it.

y     Sending to MDT-Data Group   This flag appears in multicast entries for the mVRF. It signifies that data for this (*, G) or (S, G) is being transmitted over a Data-MDT group. The y flag signifies that this PE router instigated a new Data-MDT for this customer (S, G).

Because only a single MTI exists in the mVRF per multicast domain, both the Data-MDT and the Default-MDT use the same tunnel interface for customer traffic. The Y/y flags are necessary to distinguish Default-MDT traffic from Data-MDT traffic and ensure that customer multicast entries use the correct MDT-Data group by referring to an internal table that holds the (S, G, Data MDT) mapping. Example 7-8 shows the value of the state flag from the Paris PE router. Do not be concerned with the context of the output shown here. A full discussion on the operation of mVPN in the SuperCom network is included in a later section.

Example 7-8. mVPN State Flags

SuperCom_Paris#show ip mroute 239.192.20.32
[snip]
(*, 239.192.20.32), 1d18h/00:03:23, RP 194.22.15.3, flags: BCZ
  Bidir-Upstream: Null, RPF nbr 0.0.0.0
  Outgoing interface list:
    Serial4/0, Forward/Sparse, 1d18h/00:02:30
    MVRF EuroBank, Forward/Sparse, 1d18h/00:00:00

SuperCom_Paris#show ip mroute vrf EuroBank 239.255.0.20
[snip]
(196.7.25.12, 239.255.0.20), 1d18h/00:03:22, flags: TY
  Incoming interface: Tunnel0, RPF nbr 194.22.15.1
  Outgoing interface list:
    Ethernet5/0, Forward/Sparse-Dense, 1d18h/00:02:50


The example shows output from two commands. The first command shows the entry for a Data-MDT 239.192.20.32 in the global multicast routing table. The Z flag is set to show it is associated with a multicast tunnel. The second command shows an entry in the EuroBank mVRF for the state (196.7.25.12, 239.255.0.20). This entry happens to be receiving traffic from the (239.192.20.32) Data-MDT in the global table as signaled by the Y flag, although the correlation is not shown in the output. Detailed examples on the operation of the Data-MDT are provided in the later section titled "Case Study of mVPN Operation in SuperCom."
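A small parser for the `show ip mroute` layout of Example 7-8, added here as example code (not from the book or from Cisco) to pull the Z/Y/y flags, the incoming interface, the RPF neighbor and the outgoing interface list out of the text, so that the state of an mVPN PE can be checked from a collected show output instead of by eye. The two sample strings are constructed from Example 7-8; the parser assumes the two-space/four-space indentation shown there and only recognizes the line shapes that appear in it.

```python
import re

# Constructed from the two outputs of Example 7-8; "[snip]" stands for omitted lines.
SAMPLE_GLOBAL = """\
SuperCom_Paris#show ip mroute 239.192.20.32
[snip]
(*, 239.192.20.32), 1d18h/00:03:23, RP 194.22.15.3, flags: BCZ
  Bidir-Upstream: Null, RPF nbr 0.0.0.0
  Outgoing interface list:
    Serial4/0, Forward/Sparse, 1d18h/00:02:30
    MVRF EuroBank, Forward/Sparse, 1d18h/00:00:00
"""

SAMPLE_VRF = """\
SuperCom_Paris#show ip mroute vrf EuroBank 239.255.0.20
[snip]
(196.7.25.12, 239.255.0.20), 1d18h/00:03:22, flags: TY
  Incoming interface: Tunnel0, RPF nbr 194.22.15.1
  Outgoing interface list:
    Ethernet5/0, Forward/Sparse-Dense, 1d18h/00:02:50
"""

ENTRY_RE = re.compile(r"^\((\S+), (\S+)\), (\S+)/(\S+),(?: RP (\S+),)? flags: (.*)$")
IIF_RE = re.compile(r"^\s+(?:Incoming interface|Bidir-Upstream): (\S+), RPF nbr (\S+)")
OIL_RE = re.compile(r"^\s{4}(.+?), (\S+), (\S+)$")

FLAG_MEANINGS = {  # the three mVPN flags of Table 7-1
    "Z": "Multicast Tunnel: MDT entry in the global table",
    "Y": "Joined MDT-Data Group: receiving this entry over a Data-MDT",
    "y": "Sending to MDT-Data Group: this PE instigated a Data-MDT",
}


def parse_mroute(text: str) -> list:
    """Return one dict per (S, G)/(*, G) entry found in the show output."""
    entries, current = [], None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            src, grp, uptime, expires, rp, flags = m.groups()
            current = {"source": src, "group": grp, "uptime": uptime, "expires": expires,
                       "rp": rp, "flags": set(flags.replace(" ", "")),
                       "incoming": None, "rpf_nbr": None, "oil": []}
            entries.append(current)
            continue
        if current is None:
            continue                      # prompt, [snip] and other lines before the first entry
        m = IIF_RE.match(line)
        if m:
            current["incoming"], current["rpf_nbr"] = m.groups()
            continue
        m = OIL_RE.match(line)
        if m:
            iface, mode, timers = m.groups()
            current["oil"].append({"interface": iface, "mode": mode, "timers": timers})
    return entries


def describe_flags(entry: dict) -> list:
    """Human-readable meaning of the mVPN flags set on an entry (other flags are ignored)."""
    return [FLAG_MEANINGS[f] for f in ("Z", "Y", "y") if f in entry["flags"]]


def data_mdt_receivers(vrf_entries: list) -> list:
    """(source, group, RPF neighbor) for mVRF entries currently received over a Data-MDT."""
    return [(e["source"], e["group"], e["rpf_nbr"]) for e in vrf_entries if "Y" in e["flags"]]


def mvrfs_on_tunnel_entries(global_entries: list) -> dict:
    """MDT group -> mVRF names listed in the olist of Z-flagged global entries."""
    result = {}
    for e in global_entries:
        if "Z" in e["flags"]:
            result[e["group"]] = [o["interface"].split(" ", 1)[1]
                                  for o in e["oil"] if o["interface"].startswith("MVRF ")]
    return result
```

Feeding the global output gives one Z-flagged entry whose olist names the EuroBank mVRF; feeding the VRF output gives one Y-flagged entry received on Tunnel0 from RPF neighbor 194.22.15.1, which is exactly the correlation the paragraph above says the raw output does not show.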

mVPN Forwarding

Forwarding can be divided into two categories: C-packets that are received from a PE router customer interface in an mVRF (excluding the MTI), and P-packets received from a PE router global multicast interface. To simplify things, assume that control checks such as time-to-live (TTL) and RPF are always successful.

C-Packets Received from a PE Router Customer Multicast Interface

The following describes the steps that the router takes when a multicast packet arrives at the PE router from a VRF interface:

Step 1. A C-packet arrives on a VRF-configured PE router interface.

Step 2. The VRF-configured interface implicitly identifies the mVRF.

Step 3. An RPF check is done on the C-packet, and if successful the C-packet is replicated based on the contents of the olist for the (S, G) or (*, G) entry in the mVRF. The olist might contain multicast-enabled interfaces in the same mVRF, in which case packet forwarding follows standard multicast procedures. The olist might also contain a tunnel interface that connects the multicast domain.

Step 4. If the olist contains a tunnel interface, then the packet is encapsulated by using GRE, with the source being the BGP peering address of the local PE router and the destination being the MDT Group address. The decision on whether the Default-Group or the Data-MDT group is selected depends on whether the y flag is set on the (S, G) entry in the mVRF. The Type-of-Service byte of the C-packet is copied to the P-packet.

Step 5. The C-packet is now a P-packet in the global multicast routing table.

Step 6. The P-packet is forwarded all the way through the P-network by using standard multicast procedures. P routers are unaware of any mVPN activity and treat the packet as native multicast.
P-Packets Received from a PE Router Global Multicast Interface

The following describes the steps that the router takes when a multicast packet arrives at the P router from another P router or PE router in the global routing table:

Step 1. A P-packet arrives from a PE router interface in the global network.

Step 2. The P-packet's corresponding (S, G) or (*, G) entry is looked up in the global mroute table, and a global RPF check is done.

Step 3. If the RPF check is successful, the P-packet is replicated out any P-network interfaces that appear in the olist for its (S, G) or (*, G) entry. At this point, the P-packet is still being treated as native multicast.

Step 4. If the (S, G) or (*, G) entry has the Z flag set, then this is a Default- or Data-MDT with an associated mVRF; therefore, the P-packet must be de-encapsulated to reveal the C-packet.

Step 5. The destination mVRF of the C-packet is derived from the MDT-group address in the P-packet. The incoming MTI is also resolved from the MDT-group address.

Step 6. The C-packet is presented to the target mVRF, with the appropriate MTI set as the incoming interface. The RPF check verifies this tunnel interface.

Step 7. The C-packet is once again a native multicast packet, but it resides in the customer's network. The packet is replicated to all multicast-enabled interfaces in the mVRF that appear in the olist for the (S, G) or (*, G) entry.

Case Study of mVPN Operation in SuperCom

Now that the various components and procedures of mVPN have been covered, it is useful to consolidate this information into a case study of mVPN operation in the SuperCom network. Figure 7-16 shows the SuperCom network topology to be used for the case study.

Figure 7-16. SuperCom mVPN Network


SuperCom is supporting two mVPN customers: EuroBank and FastFoods. Each of these customers is participating in a separate multicast domain via the PE routers at San Jose, Washington, and Paris.

EuroBank has three sites located at San Francisco, Washington, and Paris. One active source is connected to the Paris CE router that provides a multicast stream to an interested receiver at the Washington CE router. Even though the San Francisco CE router does not have receivers, the mVRF in the San Jose PE router still connects to the EuroBank multicast domain (in the event that a receiver does become active at the CE router). The EuroBank network has been configured with PIM SM mode, and the RP is located at the Paris CE router, denoted in Figure 7-16 by RPE. RP information is statically distributed. The SuperCom network has been configured so that the Default-MDT EuroBank uses between all PEs is 239.192.10.2 (shown previously in Figure 7-7), and the EuroBank Data-MDTs are created by using addresses from the range 239.192.20.32–239.192.20.47.

FastFoods has two sites located at San Francisco and Lyon. One active source is connected to the San Francisco CE router and provides a multicast stream to an interested receiver at the Lyon CE router. The FastFoods network has been configured to operate in SSM mode; therefore, the Lyon CE router has issued a source-specific C-join to the server at FastFoods San Francisco. The SuperCom network has been configured so that the Default-MDT FastFoods uses between all PE routers is 239.192.10.1 (shown previously in Figure 7-7). The Data-MDTs are created by using addresses from the range 239.192.20.16–239.192.20.31.

NOTE

Both FastFoods and EuroBank are using the multicast range 239.255.0.0/16 for multicast services within their VPNs. This follows the convention laid out in RFC 2365 for the use of site local addressing. Because FastFoods and EuroBank are in different multicast domains, there is no conflict of the 239.255.0.0/16 range.

SuperCom is using AS 10 and has deployed PIM Bi-Dir. This means that although the routing in the core is not the most optimal, the amount of state information is kept to a minimum. The Paris PE router acts as the RP (denoted in the figure by RPS) and serves as the root of all MDT shared trees in the SuperCom global space. The SuperCom RP to group mapping information is distributed via Auto-RP. Later in the chapter, you will learn about the operation of PIM SSM in the SuperCom network as an alternative to PIM SM.

The San Jose, Washington, and Paris PE routers join the EuroBank multicast domain (239.192.10.2) because they have a EuroBank mVRF configured (regardless of whether receivers are active). Only the San Jose and Paris PE routers join the FastFoods multicast domain (239.192.10.1). The Washington PE router does not join the FastFoods domain because it does not have a FastFoods VRF configured. Figure 7-7 shows the logical view of the Default MDTs in the SuperCom network.

Table 7-2 provides a summary of the topology information in the SuperCom network to assist in understanding the examples in the following sections.

Table 7-2. SuperCom Topology Information
Company    Site/Category            Item                          Value
SuperCom   Paris (PE Router)        Lo0                           194.22.15.1/32
SuperCom   San Jose (PE Router)     Lo0                           194.22.15.2/32
SuperCom   Washington (PE Router)   Lo0                           194.22.15.3/32
SuperCom   Backbone                 Circuit Addresses PE<->CE     192.168.2.0/24
SuperCom   PIM                      Mode                          Bidirectional
SuperCom   PIM                      Rendezvous Point (Auto-RP)    194.22.15.1 (SuperCom Paris)
FastFoods  San Jose (CE Router)     Subnet                        195.12.2.0/24
FastFoods  San Jose (CE Router)     Source Group                  (195.12.2.6, 239.255.0.30)
FastFoods  Lyon                     Subnet                        10.2.1.0/24
FastFoods  PIM                      Mode                          SSM
FastFoods  MDT                      Default                       239.192.10.1
FastFoods  MDT                      Data                          239.192.20.16/28
EuroBank   Paris (CE Router)        Subnet                        196.7.25.0/24
EuroBank   Paris (CE Router)        Source Group                  (196.7.25.12, 239.255.0.20)
EuroBank   Washington (CE Router)   Subnet                        196.7.26.0/24
EuroBank   San Jose (CE Router)     Subnet                        10.2.1.0/24
EuroBank   PIM                      Mode                          Sparse
EuroBank   PIM                      Rendezvous Point (Static)     196.7.25.1 (EuroBank Paris)
EuroBank   MDT                      Default                       239.192.10.2
EuroBank   MDT                      Data                          239.192.20.32/28

PIM SM in the SuperCom Network

As highlighted throughout this chapter, the only requirement on the core network is that native multicast be enabled. Because we are using Auto-RP, each applicable P-network interface in SuperCom is configured with the command ip pim sparse-dense-mode. To keep the multicast routing state to a minimum, PIM Bi-Dir mode is also enabled on each SuperCom router with the global command ip pim bidir-enable. (In addition, Bi-Dir must be enabled for individual groups.)

Auto-RP is used to distribute the Default-MDT (239.192.10.0/24) and Data-MDT (239.192.20.0/24) ranges of group addresses to all other P routers and PE routers. This is accomplished by configuring the Paris PE router (the RP for SuperCom), as shown in Example 7-9.

Example 7-9. Auto-RP Configuration for SuperCom

ip access-list standard MDT-Range
 permit 239.192.10.0 0.0.0.255
 permit 239.192.20.0 0.0.0.255
!
ip pim send-rp-announce Loopback0 scope 64 group-list MDT-Range bidir
ip pim send-rp-discovery Loopback0 scope 64

You can verify the distribution of RP information by examining the group-to-rendezvous point mapping cache on another P or PE router, as shown in Example 7-10.

Example 7-10. Confirming Auto-RP Information

SuperCom_Washington#show ip pim rp map
PIM Group-to-RP Mappings

Group(s) 239.192.10.0/24
  RP 194.22.15.1 (SuperCom_Paris), v2v1, bidir
    Info source: 194.22.15.1 (SuperCom_Paris), elected via Auto-RP
         Uptime: 3d15h, expires: 00:02:52
Group(s) 239.192.20.0/24
  RP 194.22.15.1 (SuperCom_Paris), v2v1, bidir
    Info source: 194.22.15.1 (SuperCom_Paris), elected via Auto-RP
         Uptime: 3d15h, expires: 00:02:55

The output confirms that the Default-MDT and the Data-MDT will operate in Bi-Dir mode and that the root of the shared trees created from these groups will be the Paris PE router. This means that all traffic for Default- and Data-MDTs will flow via the Paris PE router. If Bi-Dir mode were not enabled, then a shortest path tree would eventually be created for each Default or Data-MDT by using an (S, G) pair instead of (*, G). That would create more state information in the network, but it might provide a more optimal route.

NOTE

Bi-Dir mode has only been enabled for the MDT group ranges in the SuperCom network. This does not preclude the use of other available modes such as PIM SM or SSM for other multicast groups.

PIM must also be enabled on the interface that Multiprotocol BGP uses for its peering address. This is important because the address on that interface is used as the root of the MDT and is carried in PIM hello messages via the MTI. All SuperCom routers use loopback 0 as their BGP interface and have multicast enabled, as shown in Example 7-11 for the Paris PE router.

Example 7-11. Enabling Multicast on the BGP Peering Interface

router bgp 10
 no synchronization
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor 194.22.15.2 remote-as 10
 neighbor 194.22.15.2 update-source Loopback0
 neighbor 194.22.15.3 remote-as 10
 neighbor 194.22.15.3 update-source Loopback0
 no auto-summary
!
[snip]
interface Loopback0
 ip address 194.22.15.1 255.255.255.255
 ip pim sparse-dense-mode
!


Enabling Multicast in VRFs

After basic multicast has been enabled in the core of the SuperCom network, you can enable multicast on each of the FastFoods and EuroBank VRFs. The configurations vary slightly depending on whether a Data-MDT is required (that is, multicast sources originate from this VRF) and which multicast mode the customer is using.

Example 7-12 shows the configuration for the FastFoods VRF. Every FastFoods VRF uses the same Default-MDT 239.192.10.1. The Data-MDT range of 239.192.20.16/28 is used for any multicast stream on the Default-MDT that exceeds 1 Kbps. Note that the mdt data command only needs to be applied to the PE router at San Jose because this PE router has a FastFoods source connected. However, if FastFoods VPN sources existed at other PE routers, then the same mdt data commands could be applied. Multicast routing is enabled on the VRF by using the ip multicast-routing vrf command. Each interface associated with the FastFoods VRF requires PIM to be enabled. Because FastFoods has chosen to use SSM, you must make the VRF aware of this fact so that it can create the correct multicast routing entries in the FastFoods mVRF. You can accomplish this with the ip pim vrf FastFoods ssm range command.

Example 7-12. FastFoods mVRF Configuration

ip vrf FastFoods
 rd 10:26
 route-target export 10:26
 route-target import 10:26
 mdt default 239.192.10.1
 mdt data 239.192.20.16 0.0.0.15 threshold 1        (San Jose PE only)
!
ip multicast-routing vrf FastFoods
!
interface Serial4/0
 ip vrf forwarding FastFoods
 ip address 192.168.2.18 255.255.255.252
 ip pim sparse-mode
!
ip pim vrf FastFoods ssm range FastFoods_Site_Local_Scope
!
ip access-list standard FastFoods_Site_Local_Scope
 permit 239.255.0.0 0.0.255.255

The EuroBank configuration shown in Example 7-13 is similar to FastFoods. (The MDT ranges differ, of course!) EuroBank is using a static RP configuration; therefore, you must configure each EuroBank VRF with a static group to RP mapping by using the command ip pim vrf EuroBank rp-address. The Data MDT configuration is only required at the Paris PE router because the only source EuroBank has is in its Paris site.

Example 7-13. EuroBank mVRF Configuration

ip vrf EuroBank
 rd 10:27
 route-target export 10:27
 route-target import 10:27
 mdt default 239.192.10.2
 mdt data 239.192.20.32 0.0.0.15 threshold 1        (Paris PE only)
!
ip multicast-routing vrf EuroBank
!
interface Serial0/0
 ip vrf forwarding EuroBank
 ip address 192.168.2.26 255.255.255.252
 ip pim sparse-mode
!
ip pim vrf EuroBank rp-address 196.7.25.1 EuroBank_Site_Local_Scope
!
ip access-list standard EuroBank_Site_Local_Scope
 permit 239.255.0.0 0.0.255.255
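The Auto-RP group list in Example 7-9 and the mdt default and mdt data commands in Examples 7-12 and 7-13 have to agree with each other and with what the other routers learn: an MDT group outside the announced ranges gets no Bi-Dir RP mapping, and a Default-MDT or Data-MDT range shared by two customers would hand one customer's traffic to the other's mVRF. The Python audit below is an added example, not code from the book or from Cisco; it parses the configuration fragments and the show ip pim rp map output reproduced from this page (constructed here as string literals) and reports every inconsistency it finds.

```python
import re
from itertools import combinations
from ipaddress import IPv4Address, IPv4Network

# Sample inputs constructed from Examples 7-9, 7-10, 7-12 and 7-13 on this page.
AUTO_RP_CONFIG = """\
ip access-list standard MDT-Range
 permit 239.192.10.0 0.0.0.255
 permit 239.192.20.0 0.0.0.255
"""
VRF_CONFIG = """\
ip vrf FastFoods
 mdt default 239.192.10.1
 mdt data 239.192.20.16 0.0.0.15 threshold 1
ip vrf EuroBank
 mdt default 239.192.10.2
 mdt data 239.192.20.32 0.0.0.15 threshold 1
"""
RP_MAP_OUTPUT = """\
Group(s) 239.192.10.0/24
  RP 194.22.15.1 (SuperCom_Paris), v2v1, bidir
    Info source: 194.22.15.1 (SuperCom_Paris), elected via Auto-RP
Group(s) 239.192.20.0/24
  RP 194.22.15.1 (SuperCom_Paris), v2v1, bidir
    Info source: 194.22.15.1 (SuperCom_Paris), elected via Auto-RP
"""


def wildcard_to_network(addr, wildcard):
    """Convert an IOS 'address wildcard' pair (e.g. 0.0.0.15) into an IPv4Network."""
    wc = int(IPv4Address(wildcard))
    if wc != (1 << wc.bit_length()) - 1:  # only contiguous wildcards describe a prefix
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return IPv4Network(f"{addr}/{32 - wc.bit_length()}", strict=False)

def parse_acl(config, name):
    """Return the networks permitted by the named standard ACL."""
    nets, inside = [], False
    for line in config.splitlines():
        fields = line.split()
        if fields[:3] == ["ip", "access-list", "standard"]:
            inside = fields[3] == name
        elif inside and fields[:1] == ["permit"]:
            nets.append(wildcard_to_network(fields[1], fields[2]))
    return nets

def parse_vrf_mdts(config):
    """Return {vrf: {'default': IPv4Address, 'data': IPv4Network or None}}."""
    vrfs, cur = {}, None
    for line in config.splitlines():
        fields = line.split()
        if fields[:2] == ["ip", "vrf"]:
            cur = fields[2]
            vrfs[cur] = {"default": None, "data": None}
        elif cur and fields[:2] == ["mdt", "default"]:
            vrfs[cur]["default"] = IPv4Address(fields[2])
        elif cur and fields[:2] == ["mdt", "data"]:
            vrfs[cur]["data"] = wildcard_to_network(fields[2], fields[3])
    return vrfs

def parse_rp_map(output):
    """Return {group_range: (rp_address, is_bidir)} from 'show ip pim rp map' output."""
    mappings, group = {}, None
    for line in output.splitlines():
        m = re.match(r"\s*Group\(s\)\s*(\S+)", line)
        if m:
            group = IPv4Network(m.group(1))
        m = re.match(r"\s*RP (\d+(?:\.\d+){3}) ", line)
        if m and group is not None:
            mappings[group] = (m.group(1), line.rstrip().endswith("bidir"))
    return mappings

def audit_mdt_plan(auto_rp_config, vrf_config, rp_map_output, expected_rp):
    """Return a list of findings; an empty list means the MDT address plan is consistent."""
    findings = []
    announced = parse_acl(auto_rp_config, "MDT-Range")
    rp_map = parse_rp_map(rp_map_output)
    vrfs = parse_vrf_mdts(vrf_config)
    for name, mdt in vrfs.items():
        groups = [IPv4Network(f"{mdt['default']}/32")]
        if mdt["data"] is not None:
            groups.append(mdt["data"])
        for g in groups:
            # Each MDT group must lie in an announced range and resolve to the Bi-Dir RP.
            if not any(g.subnet_of(a) for a in announced):
                findings.append(f"{name}: {g} is outside the Auto-RP group-list MDT-Range")
            for rng, (rp, bidir) in rp_map.items():
                if g.subnet_of(rng):
                    if rp != expected_rp or not bidir:
                        findings.append(f"{name}: {g} -> RP {rp}, bidir={bidir}; expected {expected_rp}, bidir")
                    break
            else:
                findings.append(f"{name}: no group-to-RP mapping covers {g}")
    # MDT groups are the isolation boundary between customers and must never be shared.
    for a, b in combinations(vrfs, 2):
        da, db = vrfs[a]["data"], vrfs[b]["data"]
        if vrfs[a]["default"] == vrfs[b]["default"]:
            findings.append(f"{a}/{b}: share the Default-MDT {vrfs[a]['default']}")
        if da is not None and db is not None and da.overlaps(db):
            findings.append(f"{a}/{b}: Data-MDT ranges {da} and {db} overlap")
    return findings
```

Running audit_mdt_plan on the page's own configurations returns an empty list; pointing EuroBank's mdt data at 239.192.20.16 instead produces a single overlap finding.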


Multicast Tunnel Interfaces

When the Default-MDT is configured, the SuperCom PE router immediately creates a tunnel interface by using the IP characteristics from the loopback 0 interface. A Multiprotocol BGP update message is then sent to all the other PE routers that are BGP peers to signal the existence of the new Default-MDT. The PE router issues a P-join to the SuperCom RP for the Default-MDT group.

Example 7-14 shows some interesting information when a Default-MDT is configured, in this case on the EuroBank VRF at the SuperCom Paris PE router. Tunnel0 is used as the MTI for the EuroBank mVRF. The interface characteristics show that traffic entering Tunnel0 is encapsulated by using GRE with a destination address of 239.192.10.2 (Default-MDT) and a source address of 194.22.15.1 (learned from loopback 0).

Inside the EuroBank VRF, you can see two PIM-enabled interfaces. Serial0/0 is the connection to the EuroBank CE router in Paris, and Tunnel0 is the MTI that provides access to and from the Default-MDT. The MTI is treated as a multiaccess interface; therefore, a designated router (DR) with the IP address 194.22.15.3 has been selected by using normal PIM designated router election rules. The PIM adjacencies that are formed over the MTI are discussed in a following section. Note that the tunnel operates in SD mode and the neighbor count is 2, which corresponds to the other PE routers.

Example 7-14. EuroBank Multicast Tunnel Interface

02:05:15: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up

SuperCom_Paris#show interface tunnel0
Tunnel0 is up, line protocol is up
  Hardware is Tunnel
  Interface is unnumbered. Using address of Loopback0 (194.22.15.1)
  MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 194.22.15.1 (Loopback0), destination 239.192.10.2, fastswitch TTL 255
  Tunnel protocol/transport GRE/IP Multicast, key disabled, sequencing disabled
  Checksumming of packets disabled, fast tunneling enabled
[snip]

SuperCom_Paris#show ip pim vrf EuroBank interface

Address          Interface    Ver/   Nbr    Query  DR     DR
                              Mode   Count  Intvl  Prior
192.168.2.26     Serial0/0    v2/S   1      30     1      0.0.0.0
194.22.15.1      Tunnel0      v2/SD  2      30     1      194.22.15.3

Example 7-15 shows debug output from the San Jose PE router of the BGP update message that was received from the Paris PE router when the EuroBank Default-MDT was created. The MDT extended community attribute shows that the MDT group is 239.192.10.2 and that the root of this group is 194.22.15.1, as shown in the mVPN-IPv4 address 2:10:27:194.22.15.1/32.

Example 7-15. EuroBank MDT BGP Update

BGP(2): 194.22.15.1 rcvd UPDATE w/ attr: nexthop 194.22.15.1, origin ?,
localpref 100, extended community RT:10:27 MDT:10:239.192.10.2
BGP(2): 194.22.15.1 rcvd 2:10:27:194.22.15.1/32

Ex am ple 7- 16 sh ows t he cont ent s of t he BGP VPNv4 t ab le on t he San Jose PE rou t er for t he MD T up dat es it h as r eceived fr om it s p eer s. Tw o r out e dist in guisher ent r ies corr esp ond t o t he Fast Food s ( 2: 1 0: 26 ) and Eur oBank ( 2: 10: 2 7) m u lt icast d om ain s. Each PE r out er t hat has adv ert ised a Defau lt - MDT for t hese d om ain s is list ed un der t he r ou t e dist ingu ish er ent ry . As y ou can see, if you ex clud e t he local San Jose PE r out er ent r y , t her e is one p eer f or Fast Food s ( Par is PE r out er 19 4. 22. 15 . 1) , an d t h er e ar e t w o peer s f or Eu r oBank ( Par is PE rou t er and Washing t on PE r out er 19 4. 22. 15 . 3) , as p er t he Su perCom t opology . •

Example 7-16. Default-MDT Summary BGP VPNv4 Table

SuperCom_SanJose#show ip bgp vpnv4 all | begin 2:10:26
Route Distinguisher: 2:10:26
*>i194.22.15.1/32    194.22.15.1    100    0 ?
*> 194.22.15.2/32    0.0.0.0               0 ?
Route Distinguisher: 2:10:27
*>i194.22.15.1/32    194.22.15.1    100    0 ?
*> 194.22.15.2/32    0.0.0.0               0 ?
*>i194.22.15.3/32    194.22.15.3    100    0 ?

Example 7-17 shows the details of the EuroBank and FastFoods MDT entries received via Multiprotocol BGP from the Paris PE router.

Example 7-17. Detail MDT BGP Entry

SuperCom_SanJose#show ip bgp vpnv4 all 194.22.15.1
BGP routing table entry for 2:10:26:194.22.15.1/32, version 38
Paths: (1 available, best #1, no table, not advertised to EBGP peer)
  Not advertised to any peer
  Local
    194.22.15.1 (metric 66) from 194.22.15.1 (194.22.15.1)
      Origin incomplete, localpref 100, valid, internal, mdt, no-import, best
      Extended Community: RT:10:26 MDT:10:239.192.10.1
BGP routing table entry for 2:10:27:194.22.15.1/32, version 37
Paths: (1 available, best #1, no table, not advertised to EBGP peer)
  Not advertised to any peer
  Local
    194.22.15.1 (metric 66) from 194.22.15.1 (194.22.15.1)
      Origin incomplete, localpref 100, valid, internal, mdt, no-import, best
      Extended Community: RT:10:27 MDT:10:239.192.10.2

NOTE

As discussed previously, this BGP information is currently accessed only by SSM procedures. All routers cache this information regardless of whether they are configured to use SSM. Other uses for this information are currently being investigated.

Even though the BGP update contains the route target extended community, it is not imported into a VRF because of the presence of the MDT extended community attribute.

Now that the mVRFs and the MTIs have been created, it is a good time to examine the MDTs that have been created in the core of the SuperCom network.

Multicast Distribution Trees

The SuperCom network creates a separate, bidirectional tree for each of the FastFoods and EuroBank multicast domains by using standard PIM procedures. Example 7-18 shows the global multicast routing table for the Paris PE router. The other PE routers that are within the SuperCom network have similar (*, G) entries. The multicast domains are represented by a bidirectional entry, denoted with the B flag. The Z flag signifies that this entry is a multicast tunnel and that an mVRF is connected to it, indicated by the C flag. The associated VRF appears in the olist of the entry. The olist entry also shows Serial0/2, which is a global interface that connects to the other SuperCom routers. Because the Paris PE router is the RP, the Bidir-Upstream field is null. If this router were not the RP, this field would contain the local interface in the direction of the RP.
Example 7-18. Paris PE Global Multicast Routing Table

SuperCom_Paris#show ip mroute
IP Multicast Routing Table
Flags: D - Dense, S - Sparse, B - Bidir Group, s - SSM Group, C - Connected,
       L - Local, P - Pruned, R - RP-bit set, F - Register flag,
       T - SPT-bit set, J - Join SPT, M - MSDP created entry,
       X - Proxy Join Timer Running, A - Candidate MSDP Advertisement,
       U - URD, I - Received Source Specific Host Report, Z - Multicast Tunnel
       Y - Joined MDT-data group, y - Sending to MDT-data group
Outgoing interface flags: H - Hardware switched
Timers: Uptime/Expires
Interface state: Interface, Next-Hop or VCD, State/Mode

(*, 239.192.10.1), 06:00:44/00:03:12, RP 194.22.15.1, flags: BCZ
  Bidir-Upstream: Null, RPF nbr 0.0.0.0
  Outgoing interface list:
    MVRF FastFoods, Forward/Sparse-Dense, 06:00:44/00:00:00
    Serial0/2, Forward/Sparse-Dense, 06:00:44/00:02:57

(*, 239.192.10.2), 06:00:44/00:03:22, RP 194.22.15.1, flags: BCZ
  Bidir-Upstream: Null, RPF nbr 0.0.0.0
  Outgoing interface list:
    MVRF EuroBank, Forward/Sparse-Dense, 06:00:44/00:00:00
    Serial0/2, Forward/Sparse-Dense, 06:00:45/00:02:31

An MDT multicast entry does not necessarily have the Z flag set on all routers. For example, the Washington PE router has a connection only to the EuroBank CE router; therefore, it has no need to originate (be the root) or terminate (be the leaf) the FastFoods MDT (239.192.10.1). The Washington PE multicast table is shown in Example 7-19. The FastFoods MDT entry has only the B flag set, which means that Washington just passes traffic straight through.

Example 7-19. Washington PE Global Multicast Routing Table

SuperCom_Washington#show ip mroute
IP Multicast Routing Table
Flags: D - Dense, S - Sparse, B - Bidir Group, s - SSM Group, C - Connected,
       L - Local, P - Pruned, R - RP-bit set, F - Register flag,
       T - SPT-bit set, J - Join SPT, M - MSDP created entry,
       X - Proxy Join Timer Running, A - Candidate MSDP Advertisement,
       U - URD, I - Received Source Specific Host Report, Z - Multicast Tunnel
       Y - Joined MDT-data group, y - Sending to MDT-data group
Outgoing interface flags: H - Hardware switched
Timers: Uptime/Expires
Interface state: Interface, Next-Hop or VCD, State/Mode

(*, 239.192.10.1), 3d23h/00:03:27, RP 194.22.15.1, flags: B
  Bidir-Upstream: Serial4/0, RPF nbr 194.22.15.22
  Outgoing interface list:
    POS3/0, Forward/Sparse-Dense, 07:54:24/00:03:09
    Serial4/0, Bidir-Upstream/Sparse-Dense, 07:54:24/00:00:00

(*, 239.192.10.2), 3d23h/00:03:30, RP 194.22.15.1, flags: BCZ
  Bidir-Upstream: Serial4/0, RPF nbr 194.22.15.22
  Outgoing interface list:
    POS3/0, Forward/Sparse-Dense, 07:54:24/00:03:30
    Serial4/0, Bidir-Upstream/Sparse-Dense, 07:54:26/00:00:00
    MVRF EuroBank, Forward/Sparse-Dense, 07:54:27/00:00:00

mVRF PIM Adjacencies

In each mVRF, PIM adjacencies are formed with the associated FastFoods or EuroBank CE router and also over the MTI to the other PE routers in the multicast domain. Example 7-20 shows the adjacencies that are formed at the Paris PE router for EuroBank and FastFoods. The example shows that the Paris PE router has created two tunnel interfaces: Tunnel0 for EuroBank and Tunnel1 for FastFoods.

For EuroBank, two PIM adjacencies have been formed over Tunnel0—one to the San Jose PE router (194.22.15.2) and the other to the Washington PE router (194.22.15.3)—because both of these PE routers have a EuroBank VRF that is multicast enabled. Because the tunnel behaves as a multiaccess medium, the designated router elected is the PE router with the highest IP address or the highest nominated priority. (In our example, all the priorities are set to a default of 1.)

Tunnel1 in the FastFoods VRF has formed a single PIM adjacency to the San Jose PE router, with that PE router also being elected the DR. The PIM adjacencies to CE routers in both VRFs are formed in the normal manner. Note that the neighbor addresses on the tunnels are also those used for BGP peering.
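The DR rule just described can be checked mechanically. The following Python script is an added example, not part of the book or of Cisco IOS: it parses show ip pim vrf neighbor output (constructed copies of the two Paris PE tables from Example 7-20 are embedded), computes which router the election rule predicts for a given interface, with the local PE included as a candidate, and compares the prediction with the neighbor that actually carries the DR flag. The local PE address (194.22.15.1 for Paris) and its priority are passed in because a router never appears in its own neighbor table; the function names are this example's own.

```python
import re
from typing import List, NamedTuple, Tuple

class PimNeighbor(NamedTuple):
    address: str
    interface: str
    priority: int
    is_dr: bool        # the DR column of the table is set for this neighbor

# Constructed copies of the two Paris PE neighbor tables from Example 7-20.
PARIS_EUROBANK = """\
SuperCom_Paris#show ip pim vrf EuroBank neighbor
PIM Neighbor Table
Neighbor          Interface                Uptime/Expires    Ver   DR
Address                                                            Prio/Mode
192.168.2.25      Serial0/0                02:47:14/00:01:32 v2    1 / B S
194.22.15.2       Tunnel0                  02:46:38/00:01:37 v2    1 / B S
194.22.15.3       Tunnel0                  02:46:38/00:01:38 v2    1 / DR B S
"""
PARIS_FASTFOODS = """\
SuperCom_Paris#show ip pim vrf FastFoods neighbor
PIM Neighbor Table
Neighbor          Interface                Uptime/Expires    Ver   DR
Address                                                            Prio/Mode
192.168.2.21      FastEthernet0/1          08:35:18/00:01:38 v2    1 / B S
194.22.15.2       Tunnel1                  08:34:38/00:01:40 v2    1 / DR B S
"""

# One table row: address, interface, uptime/expires, version, "prio / flags"
ROW_RE = re.compile(r"^(?P<addr>\d+\.\d+\.\d+\.\d+)\s+(?P<intf>\S+)\s+\S+\s+v\d\s+"
                    r"(?P<prio>\d+)\s*/\s*(?P<flags>.*)$")

def parse_pim_neighbors(output: str) -> List[PimNeighbor]:
    rows = []
    for line in output.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(PimNeighbor(m["addr"], m["intf"], int(m["prio"]),
                                    "DR" in m["flags"].split()))
    return rows

def _ip_key(addr: str) -> Tuple[int, ...]:
    return tuple(int(octet) for octet in addr.split("."))

def expected_dr(local_addr: str, local_prio: int, neighbors: List[PimNeighbor]) -> str:
    """Highest priority wins; on a tie the highest IP address wins. The local router is a
    candidate too, which is why its own address and priority must be supplied."""
    candidates = [(local_prio, _ip_key(local_addr), local_addr)]
    candidates += [(n.priority, _ip_key(n.address), n.address) for n in neighbors]
    return max(candidates)[2]

def observed_dr(local_addr: str, neighbors: List[PimNeighbor]) -> str:
    """The neighbor carrying the DR flag; if none is flagged, the local router holds the role."""
    flagged = [n.address for n in neighbors if n.is_dr]
    return flagged[0] if flagged else local_addr

def check_dr(output: str, interface: str, local_addr: str, local_prio: int = 1):
    """Return (expected, observed, consistent) for one interface of an mVRF."""
    on_intf = [n for n in parse_pim_neighbors(output) if n.interface == interface]
    expected = expected_dr(local_addr, local_prio, on_intf)
    observed = observed_dr(local_addr, on_intf)
    return expected, observed, expected == observed
```

For Tunnel0 in the EuroBank VRF the rule predicts 194.22.15.3 (highest address among 194.22.15.1, .2 and .3 at equal priority), which is the neighbor flagged DR; for Tunnel1 in FastFoods it predicts 194.22.15.2. Raising the local priority changes the prediction to the local PE, and the check then reports the table as inconsistent with the rule, which is the situation to look for after a priority change that has not yet propagated.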

Example 7-20. VRF PIM Adjacencies

SuperCom_Paris#show ip pim vrf EuroBank neighbor
PIM Neighbor Table
Neighbor          Interface                Uptime/Expires    Ver   DR
Address                                                            Prio/Mode
192.168.2.25      Serial0/0                02:47:14/00:01:32 v2    1 / B S
194.22.15.2       Tunnel0                  02:46:38/00:01:37 v2    1 / B S
194.22.15.3       Tunnel0                  02:46:38/00:01:38 v2    1 / DR B S

SuperCom_Paris#show ip pim vrf FastFoods neighbor
PIM Neighbor Table
Neighbor          Interface                Uptime/Expires    Ver   DR
Address                                                            Prio/Mode
192.168.2.21      FastEthernet0/1          08:35:18/00:01:38 v2    1 / B S
194.22.15.2       Tunnel1                  08:34:38/00:01:40 v2    1 / DR B S

mVRF Routing Entries

Now that the MDTs are set up and the PE router PIM adjacencies have been formed, you can look at the multicast routing tables that have been created in each of the mVRFs. Example 7-21 shows the routing tables for the EuroBank VRF at the Paris and Washington PE routers. The San Jose PE router does not have active receivers or sources connected to the EuroBank San Francisco mVRF; therefore, its EuroBank multicast routing table is empty. For purposes of clarity, the output has been clipped to show relevant information only.

Example 7-21. Multicast Routing Table for EuroBank VPN
SuperCom_Paris#show ip mroute vrf EuroBank
[snip]
(*, 239.255.0.20), 09:15:02/00:03:02, RP 196.7.25.1, flags: S
  Incoming interface: Serial0/0, RPF nbr 192.168.2.25
  Outgoing interface list:
    Tunnel0, Forward/Sparse-Dense, 09:15:02/00:03:02

SuperCom_Washington#show ip mroute vrf EuroBank
[snip]
(*, 239.255.0.20), 4d01h/00:03:27, RP 196.7.25.1, flags: S
  Incoming interface: Tunnel0, RPF nbr 194.22.15.1
  Outgoing interface list:
    Ethernet5/0, Forward/Sparse, 4d01h/00:03:27

Looking at the Paris PE router (*, 239.255.0.20) routing entry, you can see that the incoming interface is Serial0/0, which connects to the EuroBank Paris CE router where the source resides. The olist contains Tunnel0, which means that any multicast traffic that is destined to this interface is encapsulated and transmitted via the Default-MDT.

There is a receiver for (*, 239.255.0.20) at the Washington PE router, which you can see in the Washington mVRF routing table. The incoming interface is Tunnel0, and the olist contains Ethernet5/0, which points to the FastFoods Washington CE router. The EuroBank Washington CE router has issued a C-join toward the EuroBank RP (196.7.25.1) over Tunnel0.

The multicast packets received from the EuroBank Paris source are de-encapsulated and forwarded to the EuroBank mVRF, not because the incoming interface is Tunnel0, but because of the global entry for the EuroBank MDT (*, 239.192.10.2) having the Z flag set. This can be confirmed by referring back to Example 7-19, which shows the Washington PE router's global multicast routing table.

The incoming Tunnel0 interface is used to verify the RPF check for the EuroBank source (196.7.25.12), as shown in Example 7-22. Notice that the RPF neighbor is the BGP peer address of the Paris PE router where 196.7.25.12 originated.

Example 7-22. RPF Information for EuroBank Source

SuperCom_Washington#show ip rpf vrf EuroBank 196.7.25.12
RPF information for Eurobank_Paris_Source (196.7.25.12)
  RPF interface: Tunnel0
  RPF neighbor: SuperCom_Paris (194.22.15.1)
  RPF route/mask: 196.7.25.0/24
  RPF type: unicast (bgp 100)
  RPF recursion count: 0
  Doing distance-preferred lookups across tables




The EuroBank routing tables shown here are in the PIM SM steady state; that is, the routing entries are connected to the shared tree. No source data is flowing (or the spt-threshold has not been met) from EuroBank Paris; therefore, no shortest path tree has been built back to the Paris source. If there were, you would see an (S, G) entry instead of just (*, G). If an (S, G) entry existed, then it would switch over to a Data-MDT (assuming the threshold was exceeded). You will learn the operation of the Data-MDT in a further section.

Now is a good time to look at the multicast routing entries for FastFoods, shown in Example 7-23. Once again, unnecessary information has been clipped. FastFoods is operating in SSM mode; therefore, the routing entries are denoted by the s flag, stating that this entry is part of an SSM group. SSM does not use an RP, and it always uses a source tree (S, G) instead of a shared tree (*, G). As you can see, Tunnel1 appears in the olist at the San Jose PE router and is the incoming interface at the Paris PE router, signifying that the source is at San Jose. Initially, the traffic stream flows over the Default-MDT; when the MDT threshold is exceeded, the traffic stream switches over to the Data-MDT.

Example 7-23. Multicast Routing Table for FastFoods VPN

SuperCom_SanJose#show ip mroute vrf FastFoods
[snip]
(195.12.2.6, 239.255.0.30), 04:15:49/00:02:35, flags: sT
  Incoming interface: Serial4/0, RPF nbr 192.168.2.17
  Outgoing interface list:
    Tunnel1, Forward/Sparse-Dense, 04:15:49/00:02:35

SuperCom_Paris#show ip mroute vrf FastFoods
[snip]
(195.12.2.6, 239.255.0.30), 14:25:19/00:02:50, flags: s
  Incoming interface: Tunnel1, RPF nbr 194.22.15.2
  Outgoing interface list:
    FastEthernet0/1, Forward/Sparse, 14:25:19/00:02:50

The important thing to remember about these examples is that the SuperCom network is oblivious to the multicast mode of operation in the FastFoods or EuroBank networks. The MTI intrinsically supports PIM SD mode; therefore, the customer's choice of multicast mode, RP placement, or RP-to-group distribution method is of little relevance to the SuperCom network.
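The rules this section draws from the routing tables (a Default-MDT entry carries the C and Z flags only on PE routers that root or terminate the tree, while a transit PE such as Washington for the FastFoods MDT shows only the B flag; inside an mVRF the Tunnel interface marks where traffic enters or leaves the MDT and the RPF neighbor on that tunnel is the remote PE; the s flag marks an SSM source tree) can be encoded in a parser for show ip mroute output. The following Python code is an added example, not from the book or from Cisco IOS; it embeds constructed copies of entries from Examples 7-19, 7-21, and 7-23 with the flag legend trimmed, parses both global and mVRF tables, and classifies the entries. The role labels ("attached", "transit") and the function names are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed copies of entries from Examples 7-19, 7-21 and 7-23 (legend trimmed).
WASHINGTON_GLOBAL = """\
SuperCom_Washington#show ip mroute
IP Multicast Routing Table
Flags: D - Dense, S - Sparse, B - Bidir Group, s - SSM Group, C - Connected,
       Z - Multicast Tunnel

(*, 239.192.10.1), 3d23h/00:03:27, RP 194.22.15.1, flags: B
  Bidir-Upstream: Serial4/0, RPF nbr 194.22.15.22
  Outgoing interface list:
    POS3/0, Forward/Sparse-Dense, 07:54:24/00:03:09
    Serial4/0, Bidir-Upstream/Sparse-Dense, 07:54:24/00:00:00

(*, 239.192.10.2), 3d23h/00:03:30, RP 194.22.15.1, flags: BCZ
  Bidir-Upstream: Serial4/0, RPF nbr 194.22.15.22
  Outgoing interface list:
    POS3/0, Forward/Sparse-Dense, 07:54:24/00:03:30
    Serial4/0, Bidir-Upstream/Sparse-Dense, 07:54:26/00:00:00
    MVRF EuroBank, Forward/Sparse-Dense, 07:54:27/00:00:00
"""
WASHINGTON_EUROBANK_VRF = """\
(*, 239.255.0.20), 4d01h/00:03:27, RP 196.7.25.1, flags: S
  Incoming interface: Tunnel0, RPF nbr 194.22.15.1
  Outgoing interface list:
    Ethernet5/0, Forward/Sparse, 4d01h/00:03:27
"""
SANJOSE_FASTFOODS_VRF = """\
(195.12.2.6, 239.255.0.30), 04:15:49/00:02:35, flags: sT
  Incoming interface: Serial4/0, RPF nbr 192.168.2.17
  Outgoing interface list:
    Tunnel1, Forward/Sparse-Dense, 04:15:49/00:02:35
"""

HEADER_RE = re.compile(r"^\((?P<src>[^,]+), (?P<grp>[^)]+)\), (?P<uptime>[^/]+)/(?P<expires>[^,]+)"
                       r"(?:, RP (?P<rp>[^,]+))?, flags: (?P<flags>\w*)$")
UPSTREAM_RE = re.compile(r"^(?:Incoming interface|Bidir-Upstream): (?P<intf>\S+), RPF nbr (?P<nbr>\S+)$")
OLIST_RE = re.compile(r"^(?P<intf>.+?), (?P<mode>\S+), (?P<timers>\S+)$")

@dataclass
class MrouteEntry:
    source: str                           # "*" for a shared-tree (*, G) entry
    group: str
    flags: str
    rp: Optional[str]
    upstream_intf: Optional[str] = None   # Incoming interface or Bidir-Upstream
    rpf_nbr: Optional[str] = None
    olist: List[Tuple[str, str]] = field(default_factory=list)   # (interface, mode)

def parse_mroute(text: str) -> List[MrouteEntry]:
    """Turn one or more 'show ip mroute' outputs into a list of entries."""
    entries: List[MrouteEntry] = []
    in_olist = False
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            entries.append(MrouteEntry(m["src"], m["grp"], m["flags"], m["rp"]))
            in_olist = False
            continue
        if not entries:
            continue                      # prompt and legend lines before the first entry
        m = UPSTREAM_RE.match(line)
        if m:
            entries[-1].upstream_intf, entries[-1].rpf_nbr = m["intf"], m["nbr"]
        elif line == "Outgoing interface list:":
            in_olist = True
        elif in_olist:
            m = OLIST_RE.match(line)
            if m:
                entries[-1].olist.append((m["intf"], m["mode"]))
            else:
                in_olist = False          # a blank line ends the olist
    return entries

def mdt_role(entry: MrouteEntry) -> str:
    """Role of this PE for a Default-MDT group in the global table: 'attached:<mVRFs>' when the
    entry is a multicast tunnel with an mVRF connected (Z and C flags), so the PE roots or
    terminates the tree; 'transit' when only the bidir B flag is set and traffic passes through."""
    if "Z" in entry.flags and "C" in entry.flags:
        names = [intf.split(" ", 1)[1] for intf, _ in entry.olist if intf.startswith("MVRF ")]
        return "attached:" + ",".join(names)
    return "transit" if "B" in entry.flags else "not-an-mdt"

def mvrf_summary(entry: MrouteEntry) -> dict:
    """How an mVRF entry uses the MTI: a TunnelN incoming interface means traffic arrives
    de-encapsulated from another PE (rpf_nbr is that PE's BGP peer address); a TunnelN in the
    olist means traffic is encapsulated onto the MDT; the s flag marks an SSM source tree."""
    via_mti = bool(entry.upstream_intf and entry.upstream_intf.startswith("Tunnel"))
    if "s" in entry.flags:
        tree = "source (SSM)"
    else:
        tree = "shared" if entry.source == "*" else "source"
    return {"tree": tree, "receives_from_mdt": via_mti,
            "sends_to_mdt": any(intf.startswith("Tunnel") for intf, _ in entry.olist),
            "remote_pe": entry.rpf_nbr if via_mti else None}
```

Run against the Washington global table, mdt_role reports "transit" for 239.192.10.1 and "attached:EuroBank" for 239.192.10.2, matching the discussion of Example 7-19; mvrf_summary on the Washington EuroBank entry reports a shared tree whose traffic arrives over the MDT from 194.22.15.1 (the Paris PE), and on the San Jose FastFoods entry an SSM source tree being sent onto the MDT over Tunnel1.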

Data-MDT Operation

As mentioned previously, due to the absence of receivers or sources, the San Francisco EuroBank mVRF at the San Jose PE router does not have routing entries, as shown in Example 7-24. You can see that although the EuroBank mVRF is empty, the San Jose PE router is still joined to the EuroBank Default-MDT shared tree (*, 239.192.10.2), regardless of whether EuroBank San Francisco has receivers (or sources).

Example 7-24. San Jose PE EuroBank mVRF and Global MDT Entry

SuperCom_SanJose#show ip mroute vrf EuroBank
IP Multicast Routing Table
Flags: D - Dense, S - Sparse, B - Bidir Group, s - SSM Group, C - Connected,
       L - Local, P - Pruned, R - RP-bit set, F - Register flag,
       T - SPT-bit set, J - Join SPT, M - MSDP created entry,
       X - Proxy Join Timer Running, A - Candidate MSDP Advertisement,
       U - URD, I - Received Source Specific Host Report, Z - Multicast Tunnel
       Y - Joined MDT-data group, y - Sending to MDT-data group
Outgoing interface flags: H - Hardware switched
Timers: Uptime/Expires
Interface state: Interface, Next-Hop or VCD, State/Mode

SuperCom_SanJose#show ip mroute 239.192.10.2
[snip]
(*, 239.192.10.2), 03:50:40/00:02:41, RP 194.22.15.1, flags: BCZ
  Bidir-Upstream: POS3/0, RPF nbr 194.22.15.18
  Outgoing interface list:
    POS3/0, Bidir-Upstream/Sparse-Dense, 03:49:35/00:00:00
    MVRF EuroBank, Forward/Sparse-Dense, 03:50:40/00:00:00

This means that any traffic that the source in EuroBank Paris sends is not only received by the Washington PE router (which has an interested receiver in its path), but the P-packet also is replicated along the Default-MDT toward the San Jose PE router. At San Jose, the P-packet is decapsulated, and as there is no forwarding entry for this C-packet in the EuroBank mVRF, it is dropped. This process is illustrated in Figure 7-17.

Figure 7-17. Unnecessary Replication of Packets in MDT

To overcome this problem, you can use a Data-MDT to send packets only to the PE routers that are interested in the traffic. In the SuperCom network, assume that the two active sources at FastFoods San Jose and EuroBank Paris have started to transmit multicast traffic. After these streams exceed the MDT threshold (set at 1 Kbps), they switch over to a separate Data-MDT. The Data-MDT group is taken from the pool of addresses configured on the respective VRF at the source PE routers (that is, the San Jose PE router for FastFoods and the Paris PE router for EuroBank).

The Paris PE router joins the Data-MDT (*, 239.192.20.16) for FastFoods, and the Washington PE router joins the Data-MDT (*, 239.192.20.32) for EuroBank. The Data-MDTs that are created are illustrated in Figure 7-18. Notice that the San Jose PE router does not join the EuroBank Data-MDT; therefore, it does not receive unwanted multicast traffic.

Figure 7-18. Active Data-MDTs for EuroBank and FastFoods

Using the EuroBank multicast stream as an example, you will see the process of creating the Data-MDT. Because EuroBank is operating in PIM SM, the initial traffic from EuroBank Paris is sent over the shared tree to the EuroBank Washington CE router. A source tree (196.7.25.12, 239.255.0.20) is built back to EuroBank Paris from EuroBank Washington within the mVRF context following standard PIM SM rules. This is an important step; if the source were to remain on the (*, G) shared tree, then it would be ineligible to be switched to a Data-MDT.

On the other hand, the FastFoods network does not need to switch from a shared tree because it uses SSM. Therefore, all of FastFoods' traffic is always on a source tree and eligible to be switched to a Data-MDT.

Example 7-25 shows the multicast routing entries for the EuroBank mVRF at the Paris PE router. You can see that there are two entries: the shared tree entry (*, 239.255.0.20) and the newly created source tree entry (196.7.25.12, 239.255.0.20). The interesting thing about the source tree entry is that the "y" flag is set. This means that the source tree entry has switched from the Default-MDT (because the threshold was exceeded) and is now sending its traffic by using the Data-MDT via Tunnel0.

Example 7-25. EuroBank mVRF Routing Entries at SuperCom Paris

SuperCom_Paris#show ip mroute vrf EuroBank
IP Multicast Routing Table
Flags: D - Dense, S - Sparse, B - Bidir Group, s - SSM Group, C - Connected,
       L - Local, P - Pruned, R - RP-bit set, F - Register flag,
       T - SPT-bit set, J - Join SPT, M - MSDP created entry,
       X - Proxy Join Timer Running, A - Candidate MSDP Advertisement,
       U - URD, I - Received Source Specific Host Report, Z - Multicast Tunnel
       Y - Joined MDT-data group, y - Sending to MDT-data group
Outgoing interface flags: H - Hardware switched
Timers: Uptime/Expires
Interface state: Interface, Next-Hop or VCD, State/Mode

(*, 239.255.0.20), 2d02h/stopped, RP 196.7.25.1, flags: S
  Incoming interface: Serial0/0, RPF nbr 192.168.2.25
  Outgoing interface list:
    Tunnel0, Forward/Sparse-Dense, 2d02h/00:03:10

(196.7.25.12, 239.255.0.20), 00:11:06/00:03:23, flags: Ty
  Incoming interface: Serial0/0, RPF nbr 192.168.2.25
  Outgoing interface list:
    Tunnel0, Forward/Sparse-Dense, 00:11:12/00:03:10

When the threshold for (196.7.25.12, 239.255.0.20) was exceeded, the Paris PE router sent a Data-MDT join TLV message over the Default-MDT to the Washington and San Jose PE routers. Because the Washington PE router has an interested receiver, it immediately joined the new Data-MDT, whereas the San Jose PE router just cached the message. Example 7-26 shows the PIM debug messages that the Washington PE router output. Note that the messages shown here are from two PIM instances: PIM(1) is the instance running in the mVRF, and PIM(0) is the global instance. The Data-MDT join message indicates that EuroBank traffic for (196.7.25.12, 239.255.0.20) will be switched over to the Data-MDT group 239.192.20.32. This prompts the Washington PE router to issue a P-join for (*, 239.192.20.32) so that it can continue to receive the traffic.

Example 7-26. EuroBank Data-MDT TLV Join Message

PIM(1): MDT join TLV received for (196.7.25.12,239.255.0.20) MDT-data: 239.192.20.32
PIM(1): MDT-data group (*,239.192.20.32) added on interface: Loopback0
PIM(0): Check RP 194.22.15.1 into the (*, 239.192.20.32) entry
PIM(0): Building triggered (*,G) Join / (S,G,RP-bit) Prune message for 239.192.20.32

If you look at the routing entries for the EuroBank mVRF in the Washington PE router, as shown in Example 7-27, you see that the source tree entry has the "Y" flag set, indicating that received traffic for (196.7.25.12, 239.255.0.20) has been switched to the Data-MDT.

Example 7-27. EuroBank mVRF Routing Entries at the Washington PE

SuperCom_Washington#show ip mroute vrf EuroBank
IP Multicast Routing Table
Flags: D - Dense, S - Sparse, B - Bidir Group, s - SSM Group, C - Connected,
       L - Local, P - Pruned, R - RP-bit set, F - Register flag,
       T - SPT-bit set, J - Join SPT, M - MSDP created entry,
       X - Proxy Join Timer Running, A - Candidate MSDP Advertisement,
       U - URD, I - Received Source Specific Host Report, Z - Multicast Tunnel
       Y - Joined MDT-data group, y - Sending to MDT-data group
Outgoing interface flags: H - Hardware switched
Timers: Uptime/Expires
Interface state: Interface, Next-Hop or VCD, State/Mode

(*, 239.255.0.20), 5d19h/stopped, RP 196.7.25.1, flags: S
  Incoming interface: Tunnel0, RPF nbr 194.22.15.1
  Outgoing interface list:
    Ethernet5/0, Forward/Sparse, 5d19h/00:03:24

(196.7.25.12, 239.255.0.20), 00:45:48/00:03:28, flags: TY
  Incoming interface: Tunnel0, RPF nbr 194.22.15.1
  Outgoing interface list:
    Ethernet5/0, Forward/Sparse, 00:45:48/00:03:24

NOTE

The procedure for creating the FastFoods Data-MDT is the same as for EuroBank except that a different pool of addresses is used. It would be superfluous to cover the scenario again for FastFoods.

Now that the Data-MDTs have been created, the last thing to examine is the entries in the SuperCom global multicast table. Example 7-28 shows the multicast routing entries at the Paris PE router. Unnecessary information, such as Auto-RP entries, has been pruned (pardon the pun) from the output to improve readability of the example. You can see that two additional shared tree routing entries correspond to the two Data-MDTs (239.192.20.16 and 239.192.20.32). Because the Paris PE router has a receiver in the FastFoods mVRF, it has joined the FastFoods Data-MDT and is forwarding traffic from (*, 239.192.10.16) to the FastFoods mVRF. The Z flag indicates this is a multicast tunnel, and the C flag indicates that an mVRF is connected. The Paris PE router is a leaf of the (*, 239.192.10.16) entry.

Example 7-28. Paris PE Data-MDT Routing Entries

SuperCom_Paris#show ip mroute
[snip]
(*, 239.192.10.1), 2d03h/00:03:28, RP 194.22.15.1, flags: BCZ
  Bidir-Upstream: Null, RPF nbr 0.0.0.0
  Outgoing interface list:
    Serial0/2, Forward/Sparse-Dense, 1d17h/00:03:16
    MVRF FastFoods, Forward/Sparse-Dense, 2d03h/00:00:00

(*, 239.192.10.2), 2d03h/00:03:18, RP 194.22.15.1, flags: BCZ
  Bidir-Upstream: Null, RPF nbr 0.0.0.0
  Outgoing interface list:
    MVRF EuroBank, Forward/Sparse-Dense, 2d03h/00:00:00
    Serial0/2, Forward/Sparse-Dense, 2d03h/00:02:38

(*, 239.192.20.16), 00:50:15/00:03:26, RP 194.22.15.1, flags: BCZ
  Bidir-Upstream: Null, RPF nbr 0.0.0.0
  Outgoing interface list:
    Serial0/2, Forward/Sparse-Dense, 00:50:12/00:03:20
    MVRF FastFoods, Forward/Sparse-Dense, 00:50:15/00:00:00

(*, 239.192.20.32), 19:08:21/00:03:27, RP 194.22.15.1, flags: BZ
  Bidir-Upstream: Null, RPF nbr 0.0.0.0
  Outgoing interface list:
    Serial0/2, Forward/Sparse-Dense, 01:12:54/00:03:19
[snip]

There is something interesting about the last entry (*, 239.192.10.32), which is the Data-MDT for EuroBank. No C flag is present, which indicates that no mVRF is connected. This is because the Paris PE router is sending traffic to this tunnel from its connected source; the PE router is not receiving traffic from the tunnel. The Paris PE router is the root of the (*, 239.192.10.32) entry only.

To see how the EuroBank or FastFoods (S, G) entries are mapped to a particular Data-MDT, you use the show ip pim mdt command. Example 7-29 shows the (S, G, Data-MDT) details for both active multicast streams at the Paris PE router. The receive command shows that the Paris PE router has joined the Data-MDT 239.192.20.16 for the FastFoods source tree (195.12.2.6, 239.255.0.30). The send command shows that the Paris PE router is encapsulating traffic from the EuroBank source (196.7.25.12, 239.255.0.20) and is sending it to the Data-MDT 239.192.20.32.

Example 7-29. FastFoods and EuroBank Data-MDT Mappings

SuperCom_Paris#show ip pim vrf FastFoods mdt receive detail
Joined MDT-data groups for VRF: FastFoods
group: 239.192.20.16 source: 0.0.0.0 ref_count: 1
(195.12.2.6, 239.255.0.30), 2d04h/00:03:23/00:03:00, OIF count: 1, flags: sTY

SuperCom_Paris#show ip pim vrf EuroBank mdt send
MDT-data send list for VRF: EuroBank
  (source, group)                     MDT-data group   ref_count
  (196.7.25.12, 239.255.0.20)         239.192.20.32    1

The example also shows the ref_count value. If the Data-MDTs in a pool for a given mVRF have been exhausted due to many active high-bandwidth sources, then Data-MDTs are reused based on the entry that has the lowest ref_count.

SSM in the SuperCom Core You can d ep loy t he Su perCom core w it h SSM inst ead of PI M SM. Doing so ob viat es t h e need f or •a RP, w hich Table of Content s es a single p oin t of f ailu r e. Th e config ur at ion t o enable SSM for MDT in t u rn elimin at •gr oup s is simp I ndex le ( see Ex am ple 7- 30) . Th is con figu rat ion is ap plied t o all Super Com r ou t er s in MP LS and V PNt o ArMDTchi te ctur e s, V m olum e in I I gs. The MDT- Ran ge access- list con t ains t h e addr ess r anges place of RP gr oup app tBy hat he Super Com n et w or, Jeff k uses Jim tGuichard , I van Pepelnjak Apcarf or bot h Defau lt - MDT and Dat a- MD T. This access- list is associat ed wit h SSM by u sin g t h e ip p im ssm ra nge g lobal com m and; t her ef or e, any m ult icast t r aff ic t hat cont ains t hese d est inat ion g rou p ad dr esses uses SSM cont r ol pr ocedu res. Not e t h at Pub lish er: Cisco Press bot h t h e Defau lt - MDT and Dat a- MD T r anges ar e p art of t he SSM r ange. Pub Dat e: Ju ne 06, 2 00 3


Example 7-30. Enabling SSM

ip pim ssm range MDT-Range
!
ip access-list standard MDT-Range
 permit 239.192.10.0 0.0.0.255
 permit 239.192.20.0 0.0.0.255

When a SuperCom PE router creates a new Default-MDT through user configuration, it is signaled by a Multiprotocol BGP update to all its peers, as discussed previously. When a local PE router receives the update, a source tree join is issued back to the originator of the BGP message if the following conditions are met:

The Default-MDT group address matches the local SSM range.

A local mVRF is configured with the same Default-MDT group.

Example 7-31 shows the debug output for the BGP update and the corresponding PIM join from one of the SuperCom routers. This router has received a BGP update from 194.22.15.2 (which happens to be the San Jose PE router) stating that it has created a new Default-MDT 239.192.10.2 (EuroBank VPN). Because this router meets the conditions stated previously, it immediately issues a source join to (194.22.15.2, 239.192.10.2) for the Default-MDT.

Example 7-31. Joining the Default-MDT Using SSM

BGP(2): 194.22.15.2 rcvd UPDATE w/ attr: nexthop 194.22.15.2, origin ?, localpref 100, extended community RT:10:27 MDT:10:239.192.10.2
BGP(2): 194.22.15.2 rcvd 2:10:27:194.22.15.2/32
PIM(0): Send v2 Join on Serial0/2 to 194.22.15.2 for (194.22.15.2/32, 239.192.10.2), S-bit


How does the multicast routing table differ when you are using SSM? Compare the Paris PE router routing table in Example 7-32 using SSM with the same table using PIM Bi-Dir shown previously in Example 7-18. With PIM Bi-Dir, there were only two (*, G) shared tree entries: one for each of the EuroBank and FastFoods multicast domains. As you can see in Example 7-32, with SSM, you have five entries represented by the s flag. Because these are all source trees, you have more optimal routing because traffic does not have to traverse the RP.

Three of the entries in Example 7-32 are source trees that are rooted at remote PE routers. The Paris PE router has joined these source trees (by using SSM) based on Default-MDT information received in the Multiprotocol BGP update; therefore, the I flag has been set for these entries. The Paris PE router forwards traffic received from these entries to the corresponding mVRF in the olist. Of these three entries, two are for the EuroBank Default-MDT (239.192.10.2) connecting to the San Jose and Washington PE routers, and the third is for the FastFoods Default-MDT (239.192.10.1) connecting to the San Jose PE router.

The other two routing entries represent the source trees for the two Default-MDTs rooted at the Paris PE router. These entries in Example 7-32 do not have the I flag set. Note the S of the (S, G) is 194.22.15.1, which is the loopback 0 interface address of the Paris PE router. The remote PE routers issue a corresponding SSM join back to the Paris PE router. The outgoing interfaces point to the SuperCom core network.

Example 7-32. Paris PE Global Multicast Routing Table Using SSM

SuperCom_Paris#show ip mroute
IP Multicast Routing Table
Flags: D - Dense, S - Sparse, B - Bidir Group, s - SSM Group, C - Connected,
       L - Local, P - Pruned, R - RP-bit set, F - Register flag,
       T - SPT-bit set, J - Join SPT, M - MSDP created entry,
       X - Proxy Join Timer Running, A - Candidate for MSDP Advertisement,
       U - URD, I - Received Source Specific Host Report, Z - Multicast Tunnel
       Y - Joined MDT-data group, y - Sending to MDT-data group
Outgoing interface flags: H - Hardware switched
 Timers: Uptime/Expires
 Interface state: Interface, Next-Hop or VCD, State/Mode

(194.22.15.1, 239.192.10.1), 00:04:22/00:03:27, flags: sTZ
  Incoming interface: Loopback0, RPF nbr 0.0.0.0
  Outgoing interface list:
    Serial0/2, Forward/Sparse-Dense, 00:02:45/00:03:25

(194.22.15.2, 239.192.10.1), 00:03:02/00:02:57, flags: sTIZ
  Incoming interface: Serial0/2, RPF nbr 194.22.15.2
  Outgoing interface list:
    MVRF FastFoods, Forward/Sparse-Dense, 00:03:02/00:00:00

(194.22.15.1, 239.192.10.2), 00:04:23/00:03:25, flags: sTZ
  Incoming interface: Loopback0, RPF nbr 0.0.0.0
  Outgoing interface list:
    Serial0/2, Forward/Sparse-Dense, 00:02:47/00:03:24

(194.22.15.2, 239.192.10.2), 00:03:04/00:02:45, flags: sTIZ
  Incoming interface: Serial0/2, RPF nbr 194.22.15.2
  Outgoing interface list:
    MVRF EuroBank, Forward/Sparse-Dense, 00:03:04/00:00:00

(194.22.15.3, 239.192.10.2), 00:03:10/00:02:45, flags: sTIZ
  Incoming interface: Serial0/2, RPF nbr 194.22.15.2
  Outgoing interface list:
    MVRF EuroBank, Forward/Sparse-Dense, 00:03:10/00:00:00
SSM also uses the Data-MDT join message to trigger a join switchover to the Data-MDT. The way it does this differs slightly from PIM SM. The Data-MDT join message contains only the (S, G, Data-MDT) mapping. PIM SM only requires the value of Data-MDT, so a (*, Data-MDT) join is issued toward the rendezvous point by the receiving PE router. However, SSM requires the source address of the originating PE router, so that a (S-PE, Data-MDT) P-join can be issued. The value of S-PE is derived from the RPF neighbor of S in the (S, G, Data-MDT) mapping. This is verified in the debug and RPF output in Example 7-33.

Example 7-33. Joining the Data-MDT Using SSM

PIM(1): MDT join TLV received for (196.7.25.12,239.255.0.20) MDT-data: 239.192.20.32
PIM(1): MDT-data group (194.22.15.1,239.192.20.32) added on interface: Loopback0
PIM(0): Send v2 Join on Serial4/0 to 194.22.15.22 for (194.22.15.1/32, 239.192.20.32), S-bit
PIM(0): Building Join/Prune message for 239.192.20.32

SuperCom_Washington#show ip rpf vrf EuroBank 196.7.25.12
RPF information for Eurobank_Paris_Source (196.7.25.12)
  RPF interface: Tunnel0
  RPF neighbor: SuperCom_Paris (194.22.15.1)
  RPF route/mask: 196.7.25.0/24
  RPF type: unicast (bgp 100)
  RPF recursion count: 0
  Doing distance-preferred lookups across tables
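As an added illustration (not text from the book and not Cisco IOS code), the following Python model applies the two Default-MDT join conditions behind Example 7-31 and the (S, G, Data-MDT) handling behind Example 7-33 to constructed inputs: the MDT-Range access list is taken from Example 7-30, while the PE stand-ins, their mVRF tables, the assumed Washington loopback 194.22.15.3 and the RPF table are assumptions made for the example.

```python
"""Model of SSM-based MDT joins on a PE router (illustration, not IOS code)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AclEntry:
    """One 'permit' line of an IOS standard ACL: network plus wildcard mask."""
    network: str
    wildcard: str  # 1 bits are "don't care", as in 0.0.0.255


# The MDT-Range access list from Example 7-30 (Default-MDT and Data-MDT ranges).
MDT_RANGE = [AclEntry("239.192.10.0", "0.0.0.255"),
             AclEntry("239.192.20.0", "0.0.0.255")]


def acl_permits(acl: List[AclEntry], group: str) -> bool:
    """True if 'group' matches any permit entry under wildcard-mask semantics."""
    g = int(ipaddress.IPv4Address(group))
    for entry in acl:
        net = int(ipaddress.IPv4Address(entry.network))
        care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(entry.wildcard))
        if g & care == net & care:
            return True
    return False


@dataclass
class SsmPe:
    loopback: str
    ssm_range: List[AclEntry]
    mvrfs: Dict[str, str]                 # mVRF name -> configured Default-MDT group
    rpf: Dict[str, Dict[str, str]]        # mVRF -> {customer prefix: RPF neighbour (S-PE)}
    joins: List[Tuple[str, str]] = field(default_factory=list)

    def on_mdt_bgp_update(self, originator: str, default_mdt: str) -> Optional[Tuple[str, str]]:
        """MDT extended community received via Multiprotocol BGP. An (S, G) join
        toward the originator is issued only if both conditions from the text hold."""
        if not acl_permits(self.ssm_range, default_mdt):   # group inside local SSM range
            return None
        if default_mdt not in self.mvrfs.values():          # a local mVRF uses this group
            return None
        join = (originator, default_mdt)
        self.joins.append(join)
        return join

    def rpf_neighbor(self, vrf: str, source: str) -> Optional[str]:
        """Longest-prefix RPF lookup of a customer source inside the mVRF."""
        src = ipaddress.IPv4Address(source)
        best = None
        for prefix, nbr in self.rpf.get(vrf, {}).items():
            net = ipaddress.IPv4Network(prefix)
            if src in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nbr)
        return best[1] if best else None

    def on_data_mdt_join_tlv(self, vrf: str, c_source: str, c_group: str,
                             data_mdt: str) -> Optional[Tuple[str, str]]:
        """(S, G, Data-MDT) TLV received over the Default-MDT. SSM needs the root's
        address, so S-PE is derived from the RPF neighbour of S and the P-join is
        (S-PE, Data-MDT) instead of the (*, Data-MDT) join PIM SM would send."""
        if not acl_permits(self.ssm_range, data_mdt):
            return None
        s_pe = self.rpf_neighbor(vrf, c_source)
        if s_pe is None:                                    # no RPF path: cannot build S-PE
            return None
        join = (s_pe, data_mdt)
        self.joins.append(join)
        return join


def build_paris_pe() -> SsmPe:
    """Constructed stand-in for SuperCom_Paris; mVRF groups as in Example 7-32."""
    return SsmPe("194.22.15.1", MDT_RANGE,
                 mvrfs={"FastFoods": "239.192.10.1", "EuroBank": "239.192.10.2"},
                 rpf={})


def build_washington_pe() -> SsmPe:
    """Constructed stand-in for SuperCom_Washington; RPF entry as in Example 7-33.
    The loopback 194.22.15.3 is an assumption."""
    return SsmPe("194.22.15.3", MDT_RANGE,
                 mvrfs={"EuroBank": "239.192.10.2"},
                 rpf={"EuroBank": {"196.7.25.0/24": "194.22.15.1"}})


if __name__ == "__main__":
    paris = build_paris_pe()
    print(paris.on_mdt_bgp_update("194.22.15.2", "239.192.10.2"))  # EuroBank Default-MDT: joined
    print(paris.on_mdt_bgp_update("194.22.15.2", "239.192.10.9"))  # in SSM range, no local mVRF
    wash = build_washington_pe()
    print(wash.on_data_mdt_join_tlv("EuroBank", "196.7.25.12", "239.255.0.20", "239.192.20.32"))
```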

Summary

Cisco Systems' Multicast-VPN feature is based on the multicast domain solution described in section 2 of draft-rosen-vpn-mcast, "Multicast in MPLS/BGP VPN," which you can find at http://www.ietf.org. Multicast domains allow a service provider to offer mVPN services to their customers by using native multicasting techniques in the core. Native multicast is a mature technology on Cisco IOS; therefore, stability of the P-network is protected because no new features or software upgrades need to be performed on the P routers. Scalability of the solution is ensured because the P-network has no visibility into the customer's multicast network. All mVPN traffic is carried inside a single multicast tunnel for that VPN. The number of multicast tunnels in the provider network is predictable and is significantly lower than the number of potential multicast groups in all VPNs.

From the end customer's point of view, no changes need to be made in the network to connect to a mVPN service. The service provider can support all customer modes, including PIM SM, PIM DM, PIM SSM, and any type of customer rendezvous point topology. Routing optimality is improved in the P-network via the use of special tunnels for high bandwidth sources that ensure that enterprise multicast traffic is delivered only to PE routers that have an interested receiver.

Chapter 8. IP Version 6 Transport Across an MPLS Backbone

Most of today's service provider and enterprise networks are based on the version of Internet Protocol (IP, also known as IPv4) that was designed in the 1970s and early 1980s. Several years ago, a new version of IP (IP version 6, or IPv6) was standardized. IPv6 provides a larger address space and tighter integration of network services (such as IP Quality of Service) with the network-layer protocol.

IPv6 is gaining increasing acceptance, predominantly in the mobile markets. Most of the service provider or enterprise networks will need to support it in the years to come. Recently, Cisco Systems introduced a new IOS feature that allows transport of IPv6 datagrams across the Multiprotocol Label Switching (MPLS)-enabled IPv4 backbone, giving the network designers and network managers a seamless migration path toward the next-generation IP networks.

This chapter discusses the business drivers that require IPv6 deployment in today's networks, an overview of IPv6 transport across an MPLS backbone, a brief introduction to IPv6 addressing and routing, as well as in-depth design and configuration guidelines for deploying IPv6-over-MPLS transport in your network.

IPv6 Business Drivers

More than a decade ago, the Internet architects who were working within the Internet Engineering Task Force (IETF) realized that with the predicted growth in Internet usage, the current Internet would quickly run out of IP addresses. A worldwide effort was launched to design a next-generation IP (codenamed IP: next generation, or IPng). Several different proposals were submitted to the working group, including reusing the existing Open System Interconnection (OSI) protocols and running, for example, TCP on top of Connectionless Network Protocol (CLNP). However, due to a number of reasons, the working group selected another proposal that extended the IP addresses from 32 bits to 128 bits, while retaining the majority of other properties of the current IP.

While IPng was being designed, another technology, network address translation (NAT), extended the life of the existing Internet for at least a decade, if not longer. With a significant portion of IP address space dedicated to private IP addresses and with everyone deploying NAT at the edge between a private network and the public Internet, the growth in IP address utilization slowed considerably. Many people believed that IPng (officially named IP version 6, or IPv6) would follow the slim acceptance of OSI protocols and never reach wide deployment. A year or two ago, there were almost no commercially available implementations of IPv6 either in the hosts or in the networking equipment.


NOTE

NAT is described in more detail in Chapter 4, "Virtual Router Connectivity."

As is usually the case in the networking world, many completely unrelated developments have shifted the whole Internet usage paradigm and made network designers interested in IPv6 yet again. These developments include the following:

Changes in application concepts— A few years ago, most applications were designed by using the client-to-server data exchange paradigm (such as a user browsing on a web server). These applications are well suited to NAT because only the servers need public IP addresses, whereas the clients can use private addresses. New applications—most notably IP telephony, Internet-wide file sharing schemes similar to Napster, and Internet games—require client-to-client data exchange. Although you can make some of these applications work across NAT boundaries, the NAT implementations have to be continuously updated to support each individual peer-to-peer application.

Changes in Internet access methods— Until recently, most IP hosts were located in private enterprise networks (where the whole network would use only a few public IP addresses) or used dial-up connections to the Internet (where the IP addresses could be recycled among several users). With the widespread deployment of broadband Internet, most home users have permanent connections to the Internet and in many cases require a constantly allocated public IP address for each home user.

Changes in IP platforms— A few years ago, the widest-deployed IP platform was probably the personal computer (PC). With the predicted deployment of an IP protocol stack on mobile phones and the widespread deployment of handheld and wireless devices, there should be a significant increase in future IP addressing needs. Not surprisingly, the first users who have been asking for deployment-quality IPv6 software are the wireless and mobile phone operators.

Availability of deployment-quality IPv6 software in IP hosts and routers does not solve the primary problem of service providers who would like to deploy the IPv6 protocol. Service providers who are deploying new protocols or solutions in their network must retain the stability and functionality of their existing backbones. Therefore, the introduction of new functionality usually starts with a controlled deployment of a pilot network, which is only later followed by a tightly managed large-scale deployment. This requirement effectively rules out immediate large-scale network-wide IPv6 deployment.


Deployment of IPv6 in Existing Networks

A service provider can use various methods if it wants to deploy a pilot IPv6 network, based on the transport topology used in the network core. These methods include the following:

• If the network core is IP-based, IP tunnels can be built between edge routers that support the IPv6 protocol, as shown in Figure 8-1. These tunnels then act as point-to-point links supporting the IPv6 protocol. The IPv6 packets that are exchanged between the edge routers can be transported transparently across the backbone encapsulated in IP packets.

Figure 8-1. IPv6 Transport Across IPv4 Tunnels

• If the network core is using Layer 2 WAN technology (Frame Relay or Asynchronous Transfer Mode [ATM]), additional virtual circuits (VCs) can be deployed directly between the edge routers to transport the IPv6 packets separately from the regular IP traffic, as shown in Figure 8-2. A similar approach also can be used in an MPLS-based core implementing circuit transport over MPLS.

Figure 8-2. IPv6 Traffic Transported Through Dedicated Virtual Circuits


Neither solution scales well in large networks; therefore, each is difficult to extend beyond a few-node pilot network. There are two reasons for this:

• The IP tunnels or virtual circuits must be configured manually unless advanced auto-discovery/auto-provisioning mechanisms are used, which introduces several restrictions and complexities.

• A full mesh of IP tunnels or virtual circuits is required between all edge routers to enable optimum end-to-end transport across the provider backbone.

As in many other scenarios, the MPLS technology offers another alternative: the transport of IPv6 datagrams across an MPLS-enabled IPv4 backbone. This solution, known as IPv6 provider edge router (or 6PE), provides a scalable solution to the IPv6 early-deployment problem. It has the following characteristics:

• The IPv6 protocol is deployed only on selected PE routers.

• The PE routers use Multiprotocol BGP (MP-BGP) sessions to exchange IPv6 routes across the backbone.

• MPLS labels are assigned to IPv6 routes by the PE routers and exchanged directly between the PE routers (much like VPN routes).

• The IPv6 datagrams are transported across the MPLS backbone by using a two-level label stack. The first label in the label stack is the LDP-assigned label of the egress PE router. (You could also use another PE-PE label distribution protocol in place of LDP, such as RSVP-TE.) The second label in the stack is the PE-assigned IPv6 label.

The overall architecture of the 6PE solution is shown in Figure 8-3.

Figure 8-3. 6PE Architecture

Even if you are a casual reader, you probably immediately recognized the close similarities (summarized in Table 8-1) between the 6PE solution and the MPLS VPN solution. There is only one significant difference between the two solutions: The MPLS VPN solution supports multiple instances of IPv4 on the same PE router (each one running in its isolated VRF), whereas the 6PE solution supports only a single instance of IPv6 on each PE router (using a global IPv6 routing and forwarding table).

Table 8-1. Similarities and Differences Between MPLS VPN and 6PE

Function: PE router routing and forwarding
  MPLS VPN implementation: Each VRF is an isolated instance of IPv4 from a routing and forwarding perspective.
  6PE implementation: Each PE router has a global IPv6 routing and forwarding table.

Function: Exchange of IPv4 routes between PE routers
  MPLS VPN implementation: Route distinguishers are prepended to IPv4 routes, resulting in VPNv4 routes. A label is assigned to each VPNv4 route. VPNv4 routes and associated labels are exchanged between PE routers in MP-BGP updates.
  6PE implementation: Native IPv6 prefixes are exchanged between the PE routers. In some IOS implementations, a fixed set of 16 labels is assigned to the 6PE functionality. In other implementations, each IPv6 route is assigned a dedicated label.

Function: Building the forwarding table
  MPLS VPN implementation: MPLS label imposition is configured in the forwarding table for routes received from a remote PE router. The top label in the label stack is the LDP label associated with the MP-BGP next hop, and the next label is the label received in the MP-BGP update. Both labels are placed in the forwarding table.
  6PE implementation: Identical.

Function: Packet forwarding
  MPLS VPN implementation: Label stack is prepended to ingress packets received from the CE routers. Packet transport across the provider backbone is based on the top label in the label stack, and the remote PE router acts on the bottom label in the label stack.
  6PE implementation: Identical.

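To make the two-level label stack of Table 8-1 concrete, here is an added Python simulation (it is not from the book and does not reproduce Cisco IOS code) of how an ingress 6PE router builds its IPv6 forwarding entries from LDP bindings and MP-BGP updates, including the check that a route whose next hop has no LDP label cannot be used. The PE loopbacks, labels and prefixes are constructed sample values; the IPv4-mapped next-hop form follows RFC 4798.

```python
import ipaddress

# Constructed sample data (not from the book).  LDP label bindings the ingress
# PE holds for the IPv4 loopbacks of the other PE routers; the LDP label is the
# top label and carries the packet across the IPv4-only P routers.
LDP_BINDINGS = {
    "192.168.1.2": 17,   # loopback of PE2 -> outgoing LDP label 17
    "192.168.1.3": 21,   # loopback of PE3 -> outgoing LDP label 21
}

# MP-BGP IPv6 updates received from remote 6PE routers: (prefix, next hop, label).
# As in RFC 4798, the next hop is the remote PE's IPv4 loopback written as an
# IPv4-mapped IPv6 address, so the ingress PE can resolve it in its IPv4 LDP table.
MP_BGP_UPDATES = [
    ("2001:db8:1::/48",      "::ffff:192.168.1.2", 300),
    ("2001:db8:1:ffff::/64", "::ffff:192.168.1.3", 303),  # more specific, other PE
    ("2001:db8:2::/48",      "::ffff:192.168.1.3", 301),
    ("2001:db8:3::/48",      "::ffff:192.168.1.9", 302),  # PE9: no LDP binding
]


def ipv4_next_hop(next_hop):
    """Return the IPv4 address embedded in an IPv4-mapped IPv6 next hop, or None."""
    return ipaddress.IPv6Address(next_hop).ipv4_mapped


def build_6pe_fib(ldp_bindings, updates):
    """Build the IPv6 forwarding table of an ingress 6PE router.

    Every usable entry carries the two-level label stack from Table 8-1: the
    LDP label of the egress PE on top and the label the egress PE advertised
    with the route underneath.  A route whose next hop has no LDP label is
    reported as unusable rather than installed: without an LSP to the egress
    PE the P routers, which do not run IPv6, could not forward the packet.
    """
    fib = {}
    unusable = []
    for prefix, next_hop, bgp_label in updates:
        v4 = ipv4_next_hop(next_hop)
        top = ldp_bindings.get(str(v4)) if v4 is not None else None
        if top is None:
            unusable.append(prefix)
            continue
        fib[ipaddress.IPv6Network(prefix)] = {
            "next_hop": str(v4),
            "labels": [top, bgp_label],   # top label first, as imposed on the wire
        }
    return fib, unusable


def label_stack_for(fib, destination):
    """Longest-prefix match: the label stack to push on a packet to destination,
    or None when the ingress PE has no usable 6PE route for it."""
    dst = ipaddress.IPv6Address(destination)
    best = None
    for net in fib:
        if dst in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return None if best is None else fib[best]["labels"]


if __name__ == "__main__":
    fib, unusable = build_6pe_fib(LDP_BINDINGS, MP_BGP_UPDATES)
    for net, entry in sorted(fib.items(), key=lambda item: str(item[0])):
        print(f"{net!s:24} via {entry['next_hop']:14} labels {entry['labels']}")
    print("unusable (no LSP to next hop):", unusable)
    print("2001:db8:1:ffff::1 ->", label_stack_for(fib, "2001:db8:1:ffff::1"))
```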

This chapter will now move on to a quick introduction to IPv6, followed by an in-depth discussion of 6PE concepts and design scenarios. The 6PE concepts and design scenarios will be illustrated with the familiar SuperCom case study.


Quick Introduction to IPv6

This section discusses the basics of IPv6 to allow those of you who are not familiar with IPv6 to follow the discussions in this chapter. If you are interested in an in-depth description of IPv6, you can find more information at http://www.cisco.com/go/ipv6.


IPv6 Addressing


IPv6 uses 128-bit addresses, displayed as a sequence of 16-bit fields, separated by colons. For example, 1234:5678:0000:0000:0000:005c:7113:dfae is a valid IPv6 address. To reduce the typing effort, you can omit leading zeroes in each 16-bit field. Therefore, you could write the previous address in shorter form as 1234:5678:0:0:0:5c:7113:dfae. Furthermore, because long sequences of zeroes are expected to be quite common in IPv6 addresses, you can replace a series of contiguous zero-value 16-bit fields with a double colon. Therefore, you can shorten the previous IPv6 address to 1234:5678::5c:7113:dfae.


NOTE

To ensure unambiguous interpretation of IPv6 addresses, you can use the double colon only once within an IPv6 address. If you were to use the double colon two or more times, the sequence between double colons (such as the string 3456 in sequence 1234::3456::9abc) could be placed in multiple positions within the 128 bits, creating ambiguous IPv6 addresses.

IPv6 addresses are divided into a variable-length prefix and a host portion (similar to IPv4 addresses). The address prefix is composed of a number of (administratively defined) fields that will not be discussed here. The host portion of an IPv6 address is usually a 64-bit long Interface ID, computed from the MAC address of the router or host interface, as shown in Figure 8-4.

Figure 8-4. IPv6 Address Structure
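Here is an added Python implementation (not from the book) of the address-shortening rules described above: expanding and compressing an address, and enumerating the different addresses a string with two double colons could mean, which is why the NOTE allows only one. The compressor picks the longest run of zero fields, as RFC 5952 recommends; the sample addresses are the text's own.

```python
import re

HEX_FIELD = re.compile(r"^[0-9a-fA-F]{1,4}$")


def expand_ipv6(text):
    """Expand a textual IPv6 address into eight zero-padded 16-bit hex fields.

    Implements the rules from the text: leading zeroes may be dropped within a
    field, and one '::' stands for one or more all-zero fields.  A second '::'
    is rejected because the address would be ambiguous.
    """
    if text.count("::") > 1:
        raise ValueError("'::' may appear only once: %r" % text)
    if "::" in text:
        head, tail = text.split("::")
        head_fields = head.split(":") if head else []
        tail_fields = tail.split(":") if tail else []
        missing = 8 - len(head_fields) - len(tail_fields)
        if missing < 1:
            raise ValueError("'::' must stand for at least one field: %r" % text)
        fields = head_fields + ["0"] * missing + tail_fields
    else:
        fields = text.split(":")
    if len(fields) != 8:
        raise ValueError("expected 8 fields, got %d: %r" % (len(fields), text))
    for field in fields:
        if not HEX_FIELD.match(field):
            raise ValueError("bad 16-bit field %r in %r" % (field, text))
    return ":".join(field.lower().zfill(4) for field in fields)


def is_valid_ipv6(text):
    """True when the text is a well-formed (unambiguous) IPv6 address."""
    try:
        expand_ipv6(text)
    except ValueError:
        return False
    return True


def compress_ipv6(text):
    """Shortest form: strip leading zeroes and replace the longest run of two or
    more zero fields with '::' (RFC 5952 convention; the text's example
    1234:5678:0000:0000:0000:005c:7113:dfae becomes 1234:5678::5c:7113:dfae)."""
    fields = [int(field, 16) for field in expand_ipv6(text).split(":")]
    best_start, best_len = -1, 0
    run_start, run_len = -1, 0
    for index, value in enumerate(fields + [1]):   # sentinel closes the last run
        if value == 0:
            if run_len == 0:
                run_start = index
            run_len += 1
        else:
            if run_len > best_len:
                best_start, best_len = run_start, run_len
            run_len = 0
    hexes = ["%x" % value for value in fields]
    if best_len < 2:
        return ":".join(hexes)
    left = ":".join(hexes[:best_start])
    right = ":".join(hexes[best_start + best_len:])
    return left + "::" + right


def ambiguous_expansions(text):
    """Every full address a string with two '::' could mean, which is why the
    NOTE forbids it: 1234::3456::9abc has four different readings."""
    parts = text.split("::")
    if len(parts) != 3:
        raise ValueError("expected exactly two '::' in %r" % text)
    groups = [part.split(":") if part else [] for part in parts]
    zero_fields = 8 - sum(len(group) for group in groups)
    readings = []
    for first in range(1, zero_fields):         # each '::' covers >= 1 field
        second = zero_fields - first
        fields = (groups[0] + ["0"] * first + groups[1]
                  + ["0"] * second + groups[2])
        readings.append(expand_ipv6(":".join(fields)))
    return readings


if __name__ == "__main__":
    full = "1234:5678:0000:0000:0000:005c:7113:dfae"
    print(compress_ipv6(full))                  # 1234:5678::5c:7113:dfae
    print(expand_ipv6("1234:5678::5c:7113:dfae") == full)
    for reading in ambiguous_expansions("1234::3456::9abc"):
        print(reading)
```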



NOTE

IPv6 prefixes are written with the standard prefix notation. For example, you would write a 20-bit long IPv6 prefix that starts with 1234:a000 as 1234:a000::/20. (Even though only the 20 most significant bits are non-zero, you still need to write the leading 32 bits.)

You can set various parts of the IPv6 address to special values in the destination IPv6 address to indicate to an IPv6 host or router a variety of IPv6 datagram delivery methods as follows:

• Anycast addresses (identical to subnet broadcast in IPv4), where the host portion of the IPv6 address is zero.

• Unicast addresses, which are identical to IPv4 unicast addresses, where the host portion of the IPv6 address is non-zero.

• Multicast addresses starting with FF00::/8 (most significant 8 bits are all ones).

The traditional IPv4 all-ones local multicast address is replaced with IPv6 address FF02::1 (all-nodes link-scope multicast address).

The unicast IPv6 address space is administratively divided into public and private portions of the IPv6 address space based on the first bits of the IPv6 address as follows:

• Address space 0::/96 provides compatibility with existing IPv4 addresses. The IPv4 address is simply copied into the lower 32 bits of the IPv6 address with the rest of the IPv6 address being zero. The IPv4-compatible IPv6 addresses are assigned to nodes with dual protocol stacks and are used to establish automatic IPv6 tunnels across the IPv4 backbone.
NOTE

IPv4-compatible IPv6 addresses can use IPv4-compatible syntax, where the value of the last 32 bits is expressed as dotted decimal, such as ::192.168.1.1.

• Address space 2000::/3 is currently assigned to global IPv6 addresses, which can be aggregated.

• Address space FEC0::/10 is the private address space (called site-local address space), similar to network 10.0.0.0/8 in IPv4.

• Address space FE80::/10 is link-local address space, in which the link IPv6 addresses are automatically constructed from the FE80::/10 prefix and 64-bit interface identifier. This address space serves a similar function as unnumbered IPv4 links. IPv6 routers should not forward packets that have link-local source or destination addresses.
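As an added example (not from the book), here is a Python classifier for the address spaces listed above, together with the loopback and unspecified addresses the text defines next, the dotted-decimal IPv4-compatible form, the /n prefix notation and the rule that routers do not forward link-local packets. The sample addresses are constructed.

```python
import ipaddress

# The address spaces the text lists, with :: and ::1 handled separately because
# both also fall inside 0::/96.  Constructed table for this example, not code
# from the book.  FEC0::/10 is shown as the text describes it; it was deprecated
# by RFC 3879 after the book was written.
ADDRESS_SPACES = [
    ("multicast",       ipaddress.IPv6Network("ff00::/8")),
    ("link-local",      ipaddress.IPv6Network("fe80::/10")),
    ("site-local",      ipaddress.IPv6Network("fec0::/10")),
    ("global unicast",  ipaddress.IPv6Network("2000::/3")),
    ("IPv4-compatible", ipaddress.IPv6Network("::/96")),
]


def classify(text):
    """Name the address space an IPv6 address belongs to, per the text's list."""
    addr = ipaddress.IPv6Address(text)
    if addr == ipaddress.IPv6Address("::"):
        return "unspecified"
    if addr == ipaddress.IPv6Address("::1"):
        return "loopback"
    for name, network in ADDRESS_SPACES:
        if addr in network:
            return name
    return "other"


def embedded_ipv4(text):
    """Dotted-decimal form of the low 32 bits of an IPv4-compatible address
    such as ::192.168.1.1; None for any other kind of address."""
    if classify(text) != "IPv4-compatible":
        return None
    low32 = int(ipaddress.IPv6Address(text)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(low32))


def in_prefix(address, prefix):
    """True when address falls inside a prefix written in /n notation,
    e.g. 1234:a5ff::1 inside 1234:a000::/20."""
    return ipaddress.IPv6Address(address) in ipaddress.IPv6Network(prefix)


def router_may_forward(source, destination):
    """Forwarding check a router applies: packets with a link-local source or
    destination stay on the link, and the unspecified and loopback addresses
    never leave the node either."""
    blocked = {"link-local", "unspecified", "loopback"}
    return classify(source) not in blocked and classify(destination) not in blocked


if __name__ == "__main__":
    for sample in ("ff02::1", "fe80::1", "fec0::1", "2001:db8::1",
                   "::192.168.1.1", "::1", "::"):
        print(f"{sample:16} {classify(sample)}")
    print("::192.168.1.1 carries", embedded_ipv4("::192.168.1.1"))
    print("fe80::1 -> 2001:db8::1 forwardable:",
          router_may_forward("fe80::1", "2001:db8::1"))
```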

IPv6 also defines two special addresses:

• ::1 is the loopback address. Packets that have ::1 as the source or the destination address will never leave an IPv6 host or router.

• :: (all-zeroes) is the unspecified address, which is used in automatic address assignment during the host initialization process (similar to using an all-zero IP address in DHCP requests).

The public IPv6 address space is strictly aggregatable; a customer who is changing his Internet service provider (ISP) must renumber the whole network. However, the network renumbering in IPv6 networks is significantly simpler than the network renumbering in IPv4 networks. Each IPv6 host is required to support more than one IPv6 address on each interface, giving the network designers the ability to configure overlapping "old" and "new" IPv6 subnets in the network simultaneously.

IPv6 Neighbor Discovery


How t o carr y cust om er m ult icast t r aff ic insid e a VPN As com put er n et w or k ing ev olv ed , fir st w it h t he in t r oduct ion of lower - cost w or kst at ions and lat er w it h lat t he enrier t of enh I P on p er sonal pu t er s, easier sever aland pr ot w ere d esign ed t oent The estdeploy in t er -m car ancem ent s tcom o allow f or mocols or e scalable d ep loym ease tof heint adm inist r at iv e t asks volvices ed w it h larg e- scale deploy m en t of I P d ev ices. I nit ially , er - car r ier MPLS VPNinserv I Pv4 d id n ot supp or t aut omat ic addr ess assignm ent or host con figu r at ion ; all I P- r elat ed par amAdv et er s h adt rou t o be conoot figu redt echn m anually ever Many - onsupr ocolsavwailab er e ilit y anced blesh ing iques on includ inyg IrP ouhost t er .out pu t sadd t o en reothigh lat er dev eloped w it hin t he I Pv 4 su it e of pr ot ocols t o ad dr ess t h ese issu es. Th ese ad d- on MPLS and included VPN Ar chit ectst u res, Volum e I(IBOOTP) , b uilds an on dt he - sellin MPLS anat d ion VPNPr ot ocol pr ot ocols Boot rap Pr ot ocol D ynbest amic Hostg Conf igur Ar ch it ect e ad I ( 1dr- ess 587 assignm 05- 0 02- 1) , ,f rom ess. t endin gy int or e( Iadv anced ( DHCP) , uwres, hichVolum h andle ent and Cisco I CMP Pr Rout erEx Discover Pr ootm ocol RDP) or tDHCP, opics an d d epcan loy m archit es,discov Volu m e I (I DHCP pr ovidt hr esough r eader w it h t he t ools w hich beent u sed for ect rouurt er ery a sdefault gatnecessar ew ay optyion ). t hey n eed t o d ep loy and m ain t ain a secur e, hig hly av ailab le VPN. I n I Pv 6, most of t hese t asks ar e h andled by a sing le pr ot ocol, r ed esigned I CMP, w h ich can, MPLS VPNt hAr chit ect res, e I I ing , b eg in ss:w it h a br ief ref resher of t he MPLS VPN am ongand ot her ings, p erufor m Volum t he f ollow t ask Ar ch it ect u re. 
• Neighbor discovery.

• Layer 3 to Layer 2 mapping (ARP in IPv4).

• Verification of neighbor reachability.

• Checking the uniqueness of the interface identifier in the autoconfiguration process.

• Automatic address assignment. With stateless autoconfiguration, a node can get an IPv6 address with no involvement from a central server. (No DHCP server is necessary with IPv6.)

• Router discovery.

• Verification of forwarding path availability. (A host can query the next-hop router to inquire whether the path to the destination is still available.)

• Redirection of packets sent to the wrong router (identical to IPv4 ICMP redirect messages).

As you can see from the preceding list, several tasks handled by different protocols within the IPv4 protocol suite are handled by a single protocol within the IPv6 suite. Moreover, IPv6 supports many mechanisms that were unavailable on most IPv4 hosts (such as neighbor discovery and verification of forwarding path availability).
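The interface identifier that stateless autoconfiguration appends to a prefix (and whose uniqueness Neighbor Discovery checks) is derived from the interface MAC address by the modified EUI-64 rule, the same derivation the chapter later relies on when ipv6 enable computes a link-local address. The following is an added example, not code from the book: the MAC addresses are constructed, and the 1205:6700:0:1::/64 prefix is the Santa Clara site prefix from Table 8-3.

```python
"""Modified EUI-64 interface identifier, link-local and SLAAC addresses,
and the solicited-node group used for the uniqueness (DAD) check.
Added example; MAC addresses used here are constructed.
"""
import ipaddress
import re


def mac_to_modified_eui64(mac: str) -> bytes:
    """Return the 8-byte modified EUI-64 interface identifier for a MAC.

    Split the 48-bit MAC in half, insert 0xFFFE in the middle, then flip
    the universal/local bit (bit 1 of the first octet).
    """
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    octets = bytes.fromhex(digits)
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02  # invert U/L bit: a burned-in MAC yields a "universal" identifier
    return bytes(eui)


def link_local_address(mac: str) -> ipaddress.IPv6Address:
    """fe80::/64 plus the modified EUI-64 identifier (what ipv6 enable yields)."""
    prefix = ipaddress.IPv6Network("fe80::/64")
    iid = int.from_bytes(mac_to_modified_eui64(mac), "big")
    return ipaddress.IPv6Address(int(prefix.network_address) | iid)


def global_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Stateless-autoconfiguration address: advertised /64 plus the same identifier.

    In a real network the prefix would arrive in a Router Advertisement.
    """
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("an EUI-64 interface identifier needs a /64 prefix")
    iid = int.from_bytes(mac_to_modified_eui64(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def solicited_node_multicast(addr: ipaddress.IPv6Address) -> ipaddress.IPv6Address:
    """ff02::1:ffXX:XXXX, the group a node joins to answer Neighbor Solicitations
    and on which it probes for duplicates before using a new address."""
    low24 = int(addr) & 0xFFFFFF
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return ipaddress.IPv6Address(base | low24)


if __name__ == "__main__":
    mac = "00:0c:29:3e:1a:5b"  # constructed MAC
    ll = link_local_address(mac)
    print("link-local :", ll)
    print("SLAAC      :", global_address("1205:6700:0:1::/64", mac))
    print("sol.-node  :", solicited_node_multicast(ll))
```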


IPv6 Routing

Technically, IPv6 routing is similar to IPv4 routing. The major difference is the administrative requirement for strict aggregation of public IPv6 prefixes. Like IPv4 routing, IPv6 routing is prefix based, with the packets being forwarded toward the most specific matching prefix.

Most of the IPv4 routing protocols have been modified to support IPv6, including Routing Information Protocol (RIP), Intermediate System-to-Intermediate System (IS-IS), Open Shortest Path First (OSPF), and Border Gateway Protocol (BGP). Some minor modifications were made to RIP, IS-IS, and BGP as follows:

• RIP updates carry IPv6 prefixes instead of IPv4 prefixes.

• New type-length-value (TLV) pairs have been defined in IS-IS to support IPv6 routing.

• A new address family within standard Multiprotocol BGP is used to exchange external IPv6 routes.

OSPF-for-IPv6 is a completely new protocol that has only conceptual similarity with its IPv4 counterpart. Not surprisingly, OSPF for IPv6 is the last IPv6 routing protocol to be implemented in Cisco IOS.

Configuring IPv6 in Cisco IOS

IPv6 configuration in Cisco IOS is similar to configuring any other routing protocol. It involves the following steps:

1. The IPv6 routing must be enabled with a global configuration command ipv6 unicast-routing.

2. IPv6 addresses must be configured on the router interfaces with the ipv6 address prefix/length command.

3. Alternatively, unnumbered interfaces can be configured with ipv6 unnumbered interface, or you can decide to enable an interface for IPv6 processing using only link-local addresses on that subnet with the ipv6 enable command.

4. Names can be assigned to IPv6 addresses with the ipv6 host name address command, or you can use a DNS server, specified with the ip name-server command for name/address resolution.

NOTE


The ip name-server command accepts IPv4 and IPv6 addresses to support DNS servers reachable over IPv4 or IPv6.


IPv6 Interior Routing Protocol Configuration

The interior routing protocol configuration closely follows the IS-IS configuration process in IPv4. An interior routing protocol (RIP or IS-IS) is configured in a two-step process:

1. An interior routing protocol (RIP or IS-IS) is configured and started.

2. The routing protocol is applied to an interface with an interface-level configuration command.

Table 8-2 summarizes the commands used to configure IPv6 RIP and IPv6 IS-IS.

Table 8-2. Configuring Interior Routing Protocols with IPv6

Command Syntax / Description

ipv6 router rip name
    This global configuration command starts the IPv6 RIP process.

ipv6 rip name enable
    This interface-level configuration command starts the selected IPv6 RIP process on the specified interface.

ipv6 rip name default-information originate
    This interface-level command inserts a default route in the selected IPv6 RIP process and starts announcing the default route over the selected interface.

router isis name
    This global configuration command starts an IS-IS routing process.

net NET
    This router-level configuration command configures an IS-IS Network Entity Title (NET) for the routing process.

ipv6 router isis name
    This interface-level configuration command enables IS-IS routing on the selected interface.

address-family ipv6
    This router-level configuration command selects the IPv6 address family configuration within the IS-IS routing process. The standard distance, maximum-paths, default-information, or summary-prefix commands can then be used to configure IPv6 IS-IS parameters.

Most of the other routing protocol concepts known from IPv4 are already available in the Cisco IOS implementation of IPv6, including these:

• Standard access lists that are configured with the ipv6 access-list command.

• Route maps that can be used to control route redistribution. The route maps have been extended with additional match commands to support the IPv6 prefix and next-hop matching, including match ipv6 address, match ipv6 next-hop, and match ipv6 route-source commands.

• Route redistribution configured with the redistribute command. As with IPv4, route redistribution can be configured between routing protocols or between levels within the IS-IS routing protocol.


• Route filters configured with the distribute-list command.


IPv6 BGP Configuration

Understanding the concept of IPv6 BGP configuration is extremely simple for network engineers who have already mastered the concept of BGP address-families by deploying MPLS VPN solutions. The IPv6 BGP configuration of a Cisco router involves the following steps:

1. Starting the BGP routing process with the router bgp as-number command.

2. Specifying BGP neighbors in the BGP router configuration with the neighbor command.

NOTE

The BGP neighbor command accepts IPv4 and IPv6 addresses as BGP neighbors.

3. Enabling the exchange of IPv6 prefixes with the neighbor activate command issued under the address-family ipv6.

Most of the standard BGP mechanisms are available within IPv6 BGP, such as the following:

• Advertising IPv6 prefixes with the network statement or the redistribute command.

• Specifying the BGP source address with the neighbor ipv6-address update-source ipv6-enabled-interface configuration command.

NOTE

The neighbor ipv6-address update-source command is only meaningful if you configure a BGP session between IPv6 endpoints.

• Configuring BGP peer groups within the IPv6 address family.

• Using inbound and outbound route maps and other BGP filters.

NOTE

BGP route aggregation with the aggregate-address command is currently not supported in IPv6 BGP.




In-Depth 6PE Operation and Configuration

As already discussed in the introduction to this chapter, the IPv6-over-MPLS transport (6PE) uses concepts that are similar to the MPLS VPN architecture, as follows:


• IPv6 routes are exchanged between the PE routers and the CE routers. Contrary to the MPLS VPN architecture, these routes are entered into the global IPv6 routing table on the PE routers, whereas in the MPLS VPN architecture, the VPNv4 routes are entered in the virtual routing and forwarding instance (VRF) tables. (As of the publication of this book, Cisco IOS does not support IPv6 VPNs.)

• Labels are assigned to local IPv6 routes as they are redistributed into IPv6 BGP.

• IPv6 routes and associated labels are exchanged between PE routers in MP-BGP sessions running between IPv4 endpoints.

• The IPv6 Cisco Express Forwarding (CEF) forwarding table is built on the ingress PE routers by using the LDP-assigned or Resource Reservation Protocol (RSVP)-traffic engineering (TE)-assigned label for the IPv4 next hop and the MP-BGP-propagated label for the destination IPv6 prefix.

• IPv6 packets received by the ingress PE routers are CEF-switched, labeled with an MPLS label stack, and forwarded along an LSP toward the egress PE router.

• When the egress PE router receives incoming labeled packets, it performs a label lookup. The MPLS label might point to an aggregate IPv6 route, in which case the egress PE router must perform an additional IPv6 lookup before it forwards the packet toward the destination CE router.

This section offers an in-depth description of every component of the 6PE solution listed previously, together with the associated Cisco IOS configuration and monitoring commands. The SuperCom backbone, shown in Figure 8-5, is used as a sample network deploying pilot IPv6 services.
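The forwarding steps just listed, walked through for one packet as an added example that is not the book's code: the ingress PE builds a two-label stack from the LDP label for the IPv4 BGP next hop and the MP-BGP label for the IPv6 prefix, and the egress PE pops the BGP label and falls back to an IPv6 lookup when that label covers an aggregate. Site prefixes and PE loopbacks follow Table 8-3; the label values, the /128 host route and the CE next-hop names are constructed.

```python
"""6PE forwarding walk-through (added example; labels are constructed)."""
import ipaddress
from dataclasses import dataclass

AGGREGATE = "aggregate"   # marker: this label covers a summary, not one prefix


@dataclass(frozen=True)
class BgpRoute:
    """An IPv6 prefix learned via MP-BGP over an IPv4 session."""
    prefix: ipaddress.IPv6Network
    ipv4_next_hop: ipaddress.IPv4Address   # loopback of the egress PE
    label: int                             # MP-BGP-propagated label


class IngressPE:
    """IPv6 CEF table: LDP/RSVP-TE label for the IPv4 next hop + BGP label."""

    def __init__(self, bgp_routes, ldp_labels):
        self.bgp_routes = bgp_routes
        self.ldp_labels = ldp_labels        # IPv4 next hop -> outer label

    def label_stack(self, dst):
        """Return [outer LDP label, inner BGP label], or None if no route."""
        dst = ipaddress.IPv6Address(dst)
        matches = [r for r in self.bgp_routes if dst in r.prefix]
        if not matches:
            return None                     # unknown destination: dropped
        best = max(matches, key=lambda r: r.prefix.prefixlen)  # longest match
        return [self.ldp_labels[best.ipv4_next_hop], best.label]


class EgressPE:
    """Label lookup; an aggregate label forces a second, IPv6 lookup."""

    def __init__(self, loopback, label_table, ipv6_table):
        self.loopback = ipaddress.IPv4Address(loopback)
        self.label_table = label_table      # BGP label -> CE next hop / AGGREGATE
        self.ipv6_table = ipv6_table        # [(IPv6Network, CE next hop)]

    def forward(self, label_stack, dst):
        """Return the CE-facing next hop for a packet arriving with label_stack."""
        # Penultimate-hop popping removed the LDP label; the BGP label is on top.
        target = self.label_table[label_stack[0]]
        if target != AGGREGATE:
            return target                   # per-prefix label: no IPv6 lookup
        dst = ipaddress.IPv6Address(dst)
        matches = [(p, nh) for p, nh in self.ipv6_table if dst in p]
        if not matches:
            raise LookupError(f"aggregate label but no IPv6 route for {dst}")
        return max(matches, key=lambda e: e[0].prefixlen)[1]


def build_pilot():
    """San Jose as ingress PE, Washington as egress PE (constructed labels)."""
    net, v4 = ipaddress.IPv6Network, ipaddress.IPv4Address
    washington = v4("194.22.15.3")
    routes = [
        # Baltimore site prefix carried with an aggregate label ...
        BgpRoute(net("1205:6700:0:2::/64"), washington, 24),
        # ... and a constructed host route carried with a per-prefix label.
        BgpRoute(net("1205:6700:0:2::1/128"), washington, 25),
    ]
    ingress = IngressPE(routes, {washington: 17})
    egress = EgressPE(
        washington,
        {24: AGGREGATE, 25: "Baltimore CE (per-prefix label)"},
        [(net("1205:6700:0:2::/64"), "Baltimore CE (after IPv6 lookup)")],
    )
    return ingress, egress


def forward_6pe(ingress, egress, dst):
    """Ingress label push, LSP transit, egress label pop for one packet."""
    stack = ingress.label_stack(dst)
    if stack is None:
        return None
    if ingress.ldp_labels[egress.loopback] != stack[0]:
        raise RuntimeError("outer label does not lead to this egress PE")
    return stack, egress.forward(stack[1:], dst)   # LSP transit pops the outer label


if __name__ == "__main__":
    ing, eg = build_pilot()
    for host in ("1205:6700:0:2::10", "1205:6700:0:2::1", "2001:db8::1"):
        print(host, "->", forward_6pe(ing, eg, host))
```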

Figure 8-5. SuperCom IPv6 Pilot Network

The SuperCom service provider decided to deploy a pilot IPv6 network between the San Jose and Washington PE routers. The pilot IPv6 backbone that operates across the SuperCom backbone supports test sites in Baltimore and Santa Clara. The IPv6 address ranges of the Baltimore and Santa Clara test sites as well as the IPv6 addresses used in the SuperCom backbone are outlined in Table 8-3. Link-local addresses (not shown in the table) are used on the PE-CE links.

Table 8-3. IPv6 and Relevant IPv4 Address Assignment for SuperCom Backbone and Pilot Sites

Company      Site                      Subnet
CE routers   Santa Clara               1205:6700:0:1::/64
CE routers   Baltimore                 1205:6700:0:2::/64
SuperCom     San Jose (Loopback 0)     1307:8000::2/128, 194.22.15.2/32
SuperCom     Washington (Loopback 0)   1307:8000::3/128, 194.22.15.3/32

IPv6 Route Exchange Between PE Routers and CE Routers

The first step in 6PE solution deployment is the establishment of a routing protocol between the PE routers and the CE routers, which follows the standard IPv6 design and configuration rules and will not be covered in detail in this chapter. The SuperCom designers decided to use IPv6 RIP as the PE-CE routing protocol. One-way redistribution (RIPv6 to MP-BGP) will be used to simplify the IPv6 routing setup, and the PE routers will advertise the IPv6 default route to the CE routers in IPv6 RIP updates, as shown in Figure 8-6. The resulting configurations on the PE routers and CE routers are included in the following examples.

Figure 8-6. IPv6 Access Routing in SuperCom Pilot Network

As the first configuration step, an IPv6 address is configured on the LAN interface of the Santa Clara CE router. The WAN interface of the CE router uses a link-local address, and RIP is configured on the LAN and WAN interfaces of the Santa Clara router, as shown in Example 8-1.

Example 8-1. Santa Clara CE Router Initial Configuration

SantaClara#

interface Ethernet0/0
 no ip address
 ipv6 address 1205:6700:0:1::1/64
 ipv6 rip RTR enable
!
interface Serial0/0
 description *** Link to PE_SanJose ***
 no ip address
 ipv6 enable
 ipv6 rip RTR enable
!
ipv6 router rip RTR

The IPv4 and IPv6 addresses are configured on the loopback interface of the San Jose PE router, and ipv6 enable enables forwarding of IPv6 datagrams on the PE-CE link by using a link-local IPv6 address on this interface.

NOTE

You do not have to specify the link-local IPv6 address when using the ipv6 enable command. The link-local IPv6 address used on the interface is automatically computed from the MAC address of the interface.

The loopback interface belongs to an IPv6 routing process (IPv6 RIP) and an IPv4 routing process (integrated IS-IS). IPv6 RIP is configured on the PE-CE WAN interface, as shown in Example 8-2. The IPv6 default route is announced from the San Jose PE router to the Santa Clara CE router via IPv6 RIP.

Example 8-2. San Jose PE Router Initial Configuration
Part I I I det ails adv anced d ep loy m ent issues PE_SanJose# includin g secu r it y , ou t lining t he n ecessar y st eps t h e ser v ice p rov ider m ust t ake t o p rot ect t he back bone and any at t ached VPN sit es, and also det ailin g t he lat est secu rit y f eat ur es t o allow interface Loopback0 m or e adv anced t op ologies and filt erin g. This par t also cov er s m ult i- car r ier MPLS VPN deploy m en t s. Fin ally , Par t I V pr ov id es a m et hodology for ad van ced MPLS VPN ip address 194.22.15.2 255.255.255.255 t r oub leshoot ing . ip router isis MPLS and VPN Ar chit ect u res, Volum e I I , also int rod uces t he lat est adv ances in cu st omer int egr at ion, secur it y, and t r oubleshoot ing feat u res essent ial t o p rov iding t h e adv anced

ipv6 address 1307:8000::1/128 ipv6 rip RIPv6 enable ! interface Serial1/0 • •

Table of Content s

description *** Link to Santa Clara site *** I ndex

MP LS and V PN Ar chi te ctur e s, V olum e I I

no ip address

By Jim Guichard , I van Pepelnjak , Jeff Apcar

ipv6 enable Pub lish er: Cisco Press

ipv6 rip RIPv6 Pub Dat e: Ju ne 06, 2enable 00 3 I SBN: 1- 58 705 -1 12 -5

ipv6 rip RIPv6 default-information originate Pages: 50 4

! ipv6 router rip RIPv6 Wit h MPLS and VPN Ar chit ect u res, Volum e I I , y ou' ll lear n : How t o int egr at e v ar iou s r em ot e access t echn ologies in t o t h e back bone p r ovidin g VPN The in it ial con figu r at ion of t h e Washingt on PE r out er ( show n in Ex am ple 8- 3) is sim ilar t o t he ser v ice t o m any d iff er ent t yp es of cu st om er s init ial conf igur at ion of t he San Jose PE r out er w it h an I Pv 4 addr ess and I Pv6 add ress conf igThe ur edn ew on tPEhe CE loop back face,as w hich elon gs tadv o t he I Pv 4f eat andurIes, Pv 6includ r out ing ocesses. r out in gint opert ions w ell bas ot her anced ingprperVPN The PECE WAN link uses lin klocal I Pv 6 ad dr ess an d par t icipat es in I Pv 6 RI P r out ing . Net w ork Ad dr ess Tr an slat ion ( PE- NAT) How VRFs can be ex t ended int o a cust om er sit e t o pr ov ide sep ar at ion inside t he

Exa m plom e 8er- net 3 . wWork a shi ngt on PE Rou t er I nit ia l Con fi gu r at i on cust The lat est MPLS VPN secur it y f eat u res an d d esign s aim ed at pr ot ect ing t h e MPLS VPN back bone PE_Washington# How t o carr y cust om er m ult icast t r aff ic insid e a VPN interface Loopback0 The lat est in t er - car rier enh ancem ent s t o allow f or easier and m or e scalable d ep loym ent of int er - car r ier MPLS VPN serv ices ip address 194.22.15.3 255.255.255.255 Adv anced t rou blesh oot ing t echn iques includ in g r ou t er out pu t s t o en su re high av ailab ilit y ip router isis MPLS and VPN Ar chit ect u res, Volum e I I , b uilds on t he best - sellin g MPLS an d VPN address 1307:8000::3/128 Aripv6 ch it ect u res, Volum e I ( 1 - 587 05- 0 02- 1) , f rom Cisco Pr ess. Ex t endin g int o m or e adv anced t opics an d d ep loy m ent archit ect ur es, Volu m e I I pr ovid es r eader s w it h t he necessar y t ools ipv6 ript oRIPv6 t hey n eed d ep loyenable and m ain t ain a secur e, hig hly av ailab le VPN. ! MPLS and VPN Ar chit ect u res, Volum e I I , b eg in s w it h a br ief ref resher of t he MPLS VPN Ar ch it ect u re. Par t I I descr ibes adv anced MPLS VPN con nect iv it y includ in g t he int egr at ion of interface Serial5/0 ser v ice pr ovider access t echn olog ies ( dial, DSL, cab le, Et her net ) an d a v ariet y of r out in g pr ot ocols ( I S- I S, EI GRP, and OSPF) , ar m in g t he r eader w it h t he k now ledge of h ow t o description site int egr at e t h ese *** f eat urLink es in tto o t hBaltimore e VPN b ack bon e. *** Part I I I det ails adv anced d ep loy m ent issues includin g secu r it y , ou t lining t he n ecessar y st eps t h e ser v ice p rov ider m ust t ake t o p rot ect t he no bone ip address back and any at t ached VPN sit es, and also det ailin g t he lat est secu rit y f eat ur es t o allow m or e adv anced t op ologies and filt erin g. 
This par t also cov er s m ult i- car r ier MPLS VPN ipv6 m enable deploy en t s. Fin ally , Par t I V pr ov id es a m et hodology for ad van ced MPLS VPN t r oub leshoot ing . ipv6 rip RIPv6 enable MPLS and VPN Ar chit ect u res, Volum e I I , also int rod uces t he lat est adv ances in cu st omer ipv6 default-information originate int egr atrip ion, RIPv6 secur it y, and t r oubleshoot ing feat u res essent ial t o p rov iding t h e adv anced

! ipv6 router rip RTR

The initial configuration of the Baltimore CE router (shown in Example 8-4) is similar to the initial configuration of the Santa Clara CE router. The IPv6 subnet is configured on the LAN interface, and a link-local IPv6 address is used on the WAN interface. Both interfaces participate in the IPv6 RIP routing process.

Example 8-4. Baltimore CE Router Initial Configuration

Baltimore#
interface Ethernet0/0
 no ip address
 ipv6 address 1205:6700:0:2::1/64
 ipv6 rip RTR enable
!
interface Serial0/0
 description *** Link to PE_Washington ***
 no ip address
 ipv6 enable
 ipv6 rip RTR enable
!
ipv6 router rip RTR

With the IPv6 routing configured on the PE routers and the CE routers, the IPv6 routing tables on the PE routers will contain the local routes and the routes received from the attached CE routers. (The IPv6 routing table from PE_SanJose is included in Example 8-5.)
Example 8-5. IPv6 Routing Table on PE_SanJose

PE_SanJose#show ipv6 route
IPv6 Routing Table - 5 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea
R   1205:6700:0:1::/64 [120/2]
     via FE80::206:28FF:FEE9:9E80, Serial1/0
LC  1307:8000::1/128 [0/0]
     via ::, Loopback0
L   FE80::/10 [0/0]
     via ::, Null0
L   FF00::/8 [0/0]
     via ::, Null0

The IPv6 routing tables on the CE routers contain the local routes, the routes advertised by the attached PE router, and the default IPv6 route. (The IPv6 routing table from the Santa Clara CE router is shown in Example 8-6.)

Example 8-6. IPv6 Routing Table on Santa Clara CE Router

SantaClara#show ipv6 route
IPv6 Routing Table - 6 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea
Timers: Uptime/Expires
L   1205:6700:0:1::1/128 [0/0]
     via ::, Ethernet0/0, 2d19h/never
C   1205:6700:0:1::/64 [0/0]
     via ::, Ethernet0/0, 2d19h/never
R   1307:8000::1/128 [120/2]
     via FE80::208:20FF:FE3D:541C, Serial0/0, 19:10:54/00:02:31
L   FE80::/10 [0/0]
     via ::, Null0, 2d19h/never
L   FF00::/8 [0/0]
     via ::, Null0, 2d19h/never
R   ::/0 [120/2]
     via FE80::208:20FF:FE3D:541C, Serial0/0, 19:21:09/00:02:31




MP-BGP Session Establishment and Route Redistribution

The second step in the 6PE solution deployment is the establishment of inter-PE Multiprotocol BGP sessions and the redistribution of PE-CE routes into the IPv6 Multiprotocol BGP, as shown in Figure 8-7.

Figure 8-7. MP-BGP IPv6 Routing in the SuperCom Network

Although MP-BGP will carry the IPv6 prefixes, the sessions between the PE routers must be established between IPv4 endpoints. This ensures that the MP-BGP next-hop is an IPv4 address associated with an LDP-assigned label-switched path (LSP) across the MPLS backbone. This section focuses on a simple example in which the MP-BGP sessions are established directly between the PE routers. A more complex example including BGP route reflectors in the MPLS backbone will be presented at the end of this chapter.

The configuration tasks in this step are the same as when deploying an MPLS VPN solution:

1. Internal BGP sessions running over IPv4 are configured between PE routers by using the loopback interfaces as the source IP addresses of the BGP sessions.

NOTE

With the introduction of IPv6, Cisco IOS supports running BGP sessions between IPv6 endpoints. However, the 6PE solution requires BGP sessions between IPv4 endpoints.

2. The exchange of IPv6 routes is activated over these sessions by using the neighbor activate command within the address-family ipv6 of the BGP routing process.

3. IGP routes are redistributed into MP-BGP by using the redistribute command within address-family ipv6. In the SuperCom network, the IPv6 RIP routes as well as the connected IPv6 subnets are redistributed into MP-BGP, resulting in the BGP configurations shown in Examples 8-7 and 8-8.



Example 8-7. IPv6 BGP Configuration on PE_SanJose

PE_SanJose#
router bgp 10
 neighbor 194.22.15.3 remote-as 10
 neighbor 194.22.15.3 update-source Loopback0
 !
 address-family ipv6
 neighbor 194.22.15.3 activate
 redistribute rip RIPv6
 redistribute connected

Example 8-8. IPv6 BGP Configuration on PE_Washington

PE_Washington#
router bgp 10
 neighbor 194.22.15.2 remote-as 10
 neighbor 194.22.15.2 update-source Loopback0
 !
 address-family ipv6
 neighbor 194.22.15.2 activate
 redistribute rip RIPv6
 redistribute connected

After the MP-BGP sessions are active, the IPv6 routes are exchanged between the PE routers, as can be verified with the show bgp ipv6 command, shown in Example 8-9 on the Washington PE router.

Example 8-9. IPv6 BGP Table on PE_Washington

PE_Washington#show bgp ipv6
BGP table version is 3, local router ID is 194.22.15.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network            Next Hop            Metric LocPrf Weight Path
* i1205:6700:0:1::/64 ::FFFF:194.22.15.2       2    100      0 ?
*> 1205:6700:0:2::/64 ::                       2         32768 ?
* i1307:8000::1/128   ::FFFF:194.22.15.2       0    100      0 ?
*> 1307:8000::3/128   ::                       0         32768 ?

The global IPv6 BGP table on the Washington PE router contains two locally originated IPv6 routes: the local loopback interface and the subnet that is received from the Baltimore site via IPv6 RIP. It also contains two BGP routes that are received from the San Jose PE router. Please note that the remote IPv6 BGP routes are not used. A more detailed investigation using the show bgp ipv6 prefix command (shown in Example 8-10) reveals that the Washington PE router considers the San Jose PE route unreachable.

Example 8-10. Santa Clara Subnet in the BGP Table on PE_Washington

PE_Washington#show bgp ipv6 1205:6700:0:1::/64
BGP routing table entry for 1205:6700:0:1::/64, version 0
Paths: (1 available, no best path)
  Not advertised to any peer
  Local
    ::FFFF:194.22.15.2 (inaccessible) from 194.22.15.2 (194.22.15.2)
      Origin incomplete, metric 2, localpref 100, valid, internal



The reason for this seemingly unexpected behavior is simple: if you want to ensure IPv6 transport between IPv6 BGP peers, the BGP next-hop (expressed as an IPv6 address) must be reachable, guaranteeing that an end-to-end IPv6 path exists between the BGP peers.

NOTE

Even if the BGP session is established between IPv4 endpoints, the BGP next-hop address assigned to an IPv6 prefix is an IPv6 address derived from an IPv4 BGP endpoint and must be reachable through the IPv6 forwarding table.

With the traditional IPv4/IPv6 tools, you cannot satisfy the requirement that the remote IPv4 BGP next-hop is reachable as an IPv6 address without deploying IPv6 across the whole backbone. The only solution to this design problem is the 6PE solution, which somewhat relaxes the IPv6 BGP next-hop checks, as you'll see in the next section.
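The next-hop check that produces the "(inaccessible)" path in Example 8-10, modelled in a short script. This is an added illustration, not code from the book or from Cisco IOS: it parses show bgp ipv6 and show ipv6 route output in the layout of Examples 8-9 and 8-5, derives the IPv4-mapped next hop, and resolves it either the classic way (IPv6 table lookup) or the way the text describes 6PE doing it (an LSP to the IPv4 endpoint is enough, modelled here as an IPv4 route lookup). The Washington PE's IPv6 table, its IS-IS-learned IPv4 loopbacks and the link-local next hop are constructed sample data.

```python
"""Why the San Jose prefixes in Example 8-9 are valid but unused.

Added illustration; this is not code from the book or from Cisco IOS.
A prefix learned over an IPv4 BGP session carries the IPv4-mapped IPv6
next hop ::FFFF:<peer>.  Classic IPv6 BGP resolves that next hop in the
IPv6 routing table; with no IPv6 in the core it is absent, so the path
is "(inaccessible)" as in Example 8-10.  The 6PE relaxation is modelled
here as a lookup of the IPv4 endpoint instead (an LSP to it suffices).
All sample tables are constructed to mirror Examples 8-5 and 8-9.
"""
import ipaddress
import re

# Constructed copy of the BGP table in Example 8-9 (PE_Washington).
BGP_TABLE_WASHINGTON = """\
   Network            Next Hop            Metric LocPrf Weight Path
* i1205:6700:0:1::/64 ::FFFF:194.22.15.2       2    100      0 ?
*> 1205:6700:0:2::/64 ::                       2         32768 ?
* i1307:8000::1/128   ::FFFF:194.22.15.2       0    100      0 ?
*> 1307:8000::3/128   ::                       0         32768 ?
"""

# Constructed: PE_Washington's own IPv6 table, in the layout of Example 8-5
# (the link-local next hop is a made-up value).
IPV6_ROUTES_WASHINGTON = """\
R   1205:6700:0:2::/64 [120/2]
     via FE80::2A0:C9FF:FE11:2233, Serial5/0
LC  1307:8000::3/128 [0/0]
     via ::, Loopback0
L   FE80::/10 [0/0]
     via ::, Null0
L   FF00::/8 [0/0]
     via ::, Null0
"""

# Constructed: PE loopbacks learned through IS-IS, each reachable over an
# LDP-assigned LSP (194.22.15.2 is the San Jose loopback of Example 8-2).
IPV4_LSP_ENDPOINTS = ["194.22.15.2/32", "194.22.15.3/32"]


def parse_ipv6_route_table(text):
    """Return the prefixes listed in 'show ipv6 route' output."""
    nets = []
    for line in text.splitlines():
        m = re.match(r"^[A-Z]{1,2}\s+(\S+)\s+\[\d+/\d+\]", line)
        if m:
            nets.append(ipaddress.IPv6Network(m.group(1)))
    return nets


def parse_bgp_ipv6_table(text):
    """Return (prefix, next_hop) pairs from 'show bgp ipv6' output."""
    paths = []
    for line in text.splitlines():
        m = re.match(r"^\*[> ]\s*i?(\S+)\s+(\S+)", line)
        if m:
            paths.append((m.group(1), m.group(2)))
    return paths


def covered(addr, nets):
    """True when at least one route in nets covers addr."""
    return any(addr in net for net in nets)


def classify_next_hops(bgp_text, ipv6_route_text, ipv4_lsp_endpoints,
                       six_pe=False):
    """Map each BGP prefix to 'local', 'reachable' or 'inaccessible'.

    six_pe=False: classic check, the IPv6 next hop must be in the IPv6 table.
    six_pe=True : 6PE check as the text describes it, the IPv4 endpoint
                  behind the mapped next hop must have an LSP (IPv4 route).
    """
    ipv6_nets = parse_ipv6_route_table(ipv6_route_text)
    ipv4_nets = [ipaddress.IPv4Network(n) for n in ipv4_lsp_endpoints]
    result = {}
    for prefix, next_hop in parse_bgp_ipv6_table(bgp_text):
        if next_hop == "::":
            result[prefix] = "local"        # originated on this router
            continue
        nh = ipaddress.IPv6Address(next_hop)
        if six_pe and nh.ipv4_mapped is not None:
            ok = covered(nh.ipv4_mapped, ipv4_nets)
        else:
            ok = covered(nh, ipv6_nets)
        result[prefix] = "reachable" if ok else "inaccessible"
    return result


if __name__ == "__main__":
    for mode in (False, True):
        print("6PE    " if mode else "classic",
              classify_next_hops(BGP_TABLE_WASHINGTON, IPV6_ROUTES_WASHINGTON,
                                 IPV4_LSP_ENDPOINTS, six_pe=mode))
```

Run as is, the classic pass marks both San Jose prefixes inaccessible, exactly the state Example 8-10 shows, while the 6PE pass accepts them because 194.22.15.2/32 is in the IPv4 table. The same parser can be pointed at real show output to confirm that every remote IPv6 next hop on a PE maps back to a loopback that actually has an LSP.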

Labeled IPv6 MP-BGP Prefixes

The 6PE solution replaces the requirement for an end-to-end IPv6 path between the BGP endpoints with a requirement for an end-to-end LSP between the IPv4 endpoints of the MP-BGP session. To ensure successful transport of IPv6 datagrams across this LSP, a label stack must be used and the MPLS labels assigned to IPv6 prefixes (the second label in the label stack) must be exchanged between the PE routers together with the IPv6 prefixes. This functionality is enabled with a single command, neighbor send-label, configured within the address-family ipv6 of the BGP routing process.

NOTE

From the configuration perspective, the need to enable MPLS label exchange manually is one of the major differences between MPLS VPN and 6PE configuration. Labels are always exchanged for the VPNv4 address family, whereas the label exchange for the IPv6 address family must be configured manually.

The Cisco IOS implementation of the 6PE solution combines the transport of IPv6 prefixes with MP-BGP, as specified in RFC 2545, with the transport of labeled prefixes with MP-BGP, as specified in RFC 3107. According to RFC 3107, the IPv6 prefix and the MPLS label together form the Network Layer Reachability Information (NLRI) of MP-BGP.

The capability to exchange labeled IPv6 prefixes between BGP neighbors is negotiated with BGP capability advertisement, as specified in RFC 2842. Labeled IPv6 prefixes are exchanged between BGP neighbors only if both neighbors advertise the IPv6 capability together with the new IPv6+Labels capability.
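The RFC 3107 NLRI layout that the previous paragraphs describe, written out as an encoder and decoder. This is an added example, not code from the book, from Cisco IOS or from any BGP implementation: it packs the label stack entry and the IPv6 prefix behind a single Length field and shows why the length is counted in bits over both. The label values are constructed; the prefixes are the Santa Clara subnet and the San Jose loopback from Example 8-9.

```python
"""RFC 3107 labeled NLRI for an IPv6 prefix, as carried by 6PE.

Added illustration; this is not code from the book, Cisco IOS or any
BGP implementation.  Per RFC 3107 the NLRI is: one Length octet (the
number of bits in label stack plus prefix), one or more 3-octet label
stack entries (20-bit label, 3 EXP bits, bottom-of-stack bit), then the
prefix bits padded to an octet boundary.  The label values used below
are constructed; the prefixes are the ones from Example 8-9.
"""
import ipaddress

LABEL_ENTRY_BITS = 24           # each label stack entry is 3 octets


def encode_label_entry(label, bos=True, exp=0):
    """Pack one label stack entry: label<<4 | exp<<1 | bottom-of-stack."""
    if not 0 <= label < 2 ** 20:
        raise ValueError("label must fit in 20 bits")
    return ((label << 4) | (exp << 1) | int(bos)).to_bytes(3, "big")


def encode_labeled_nlri(prefix, label):
    """Encode <length, label, prefix> for a single-label IPv6 prefix."""
    net = ipaddress.IPv6Network(prefix)
    length_bits = LABEL_ENTRY_BITS + net.prefixlen
    prefix_octets = (net.prefixlen + 7) // 8
    return (bytes([length_bits]) + encode_label_entry(label)
            + net.network_address.packed[:prefix_octets])


def decode_labeled_nlri(data):
    """Decode one labeled NLRI from the front of data.

    Returns ([labels], IPv6Network, remaining_bytes).  Labels are read
    until the bottom-of-stack bit is set; the prefix length is what is
    left of the Length field after the label stack is subtracted.
    """
    length_bits = data[0]
    pos, labels = 1, []
    while True:
        if len(data) < pos + 3:
            raise ValueError("truncated label stack")
        entry = int.from_bytes(data[pos:pos + 3], "big")
        pos += 3
        labels.append(entry >> 4)
        if entry & 1:               # bottom of stack reached
            break
    prefix_bits = length_bits - LABEL_ENTRY_BITS * len(labels)
    if not 0 <= prefix_bits <= 128:
        raise ValueError("malformed NLRI length")
    prefix_octets = (prefix_bits + 7) // 8
    raw = data[pos:pos + prefix_octets].ljust(16, b"\x00")
    # strict=True (the default) rejects stray bits beyond the prefix length
    net = ipaddress.IPv6Network((raw, prefix_bits))
    return labels, net, data[pos + prefix_octets:]


def decode_all(data):
    """Walk a whole payload made of consecutive labeled prefixes."""
    out = []
    while data:
        labels, net, data = decode_labeled_nlri(data)
        out.append((labels, net))
    return out


if __name__ == "__main__":
    payload = (encode_labeled_nlri("1205:6700:0:1::/64", 20)
               + encode_labeled_nlri("1307:8000::1/128", 21))
    for labels, net in decode_all(payload):
        print(labels, net)
```

For the /64 the Length octet reads 88 (24 label bits plus 64 prefix bits), which is why a receiver that does not understand the label capability cannot parse these updates as plain IPv6 prefixes; both sides announcing the capability, as the text states, is what keeps the two encodings from being mixed on one session.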

NOTE

If only one of the BGP neighbors advertises the IPv6 capability, unlabeled IPv6 routes are exchanged on that BGP session. This scenario requires an end-to-end IPv6 path between these neighbors.

With the exchange of labeled IPv6 prefixes configured in the SuperCom backbone (see Example 8-11), the San Jose and Washington PE routers agree on exchanging labeled IPv6 prefixes, which you can verify with the show ip bgp neighbor command (output shown in Example 8-12).

Example 8-11. Configuring MP-BGP Exchange of Labeled IPv6 Prefixes

PE_SanJose#
router bgp 10
 address-family ipv6
 neighbor 194.22.15.3 send-label

PE_Washington#
router bgp 10
 address-family ipv6
 neighbor 194.22.15.2 send-label

Example 8-12. IPv6+Labels Capability Negotiated Between PE_Washington and PE_SanJose

PE_Washington#show ip bgp neighbor
BGP neighbor is 194.22.15.2, remote AS 10, internal link
  BGP version 4, remote router ID 194.22.15.2
  BGP state = Established, up for 00:01:08
  Last read 00:00:08, hold time is 180, keepalive interval is 60 seconds
  Neighbor capabilities:
    Route refresh: advertised and received(old & new)
    Address family IPv4 Unicast: advertised and received
    Address family IPv6 Unicast: advertised and received
    ipv6 MPLS Label capability: advertised and received
  Received 1233 messages, 0 notifications, 0 in queue
  Sent 1233 messages, 0 notifications, 0 in queue
  Default minimum time between advertisement runs is 5 seconds

As soon as the neighbor send-label command is configured in the BGP routing process, the PE router must allocate labels for IPv6 routes and assign those labels to all IPv6 routes that originate in the IPv6 BGP table. The labels allocated by the 6PE solution can be inspected with the show mpls forwarding command, which produces the output in Example 8-13 on the Washington PE router.

Example 8-13. Local Labels Allocated by the 6PE Solution on PE_Washington

PE_Washington#show mpls forwarding-table
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
16     Pop tag     194.22.15.16/30   0          Se5/3      194.22.15.25
17     17          194.22.15.2/32    0          Se5/3      194.22.15.25
18     Pop tag     194.22.15.4/32    0          Se5/3      194.22.15.25
19     Aggregate   IPv6              2490
20     Aggregate   IPv6              0
21     Aggregate   IPv6              0

Contrary to the MPLS VPN implementation, where a separate label is assigned to each VPNv4 route, a fixed set of no more than 16 labels is assigned to all IPv6 routes supported with the 6PE functionality.

NOTE

Different Cisco IOS releases use different label allocation strategies. Some releases allocate a pool of 16 labels and share the same label between multiple IPv6 routes if needed. Other releases allocate one label for each IPv6 route, eliminating the extra IPv6 lookup at the egress 6PE router. Fortunately, the label assignment strategy is egress PE router-specific and does not affect the overall 6PE architecture.

Because the number of IPv6 routes in any PE router could easily exceed 16 routes, all of these labels act as aggregate labels (see the discussion of the effects of IP route summarization on MPLS LSPs in Volume I of MPLS and VPN Architectures), requiring an additional IPv6 lookup in the egress PE router.

NOTE

From the perspective of the 6PE solution, a single label would be enough to support the end-to-end transport of IPv6 datagrams between PE routers. Sixteen labels are used to ensure load sharing in the MPLS core based on the second label in the label stack.

The MPLS labels assigned to individual IPv6 prefixes by both the local PE router and remote PE routers can be inspected with the show bgp labels command, which produces the printout in Example 8-14 on the Washington PE router.

Example 8-14. MPLS Labels Associated with IPv6 BGP Routes on PE_Washington

PE_Washington#show bgp labels
   Network          Next Hop              In label/Out label
   1205:6700:0:1::/64
                    ::FFFF:194.22.15.2    nolabel/22
   1205:6700:0:2::/64
                    ::                    20/nolabel
   1307:8000::1/128 ::FFFF:194.22.15.2    nolabel/23
   1307:8000::3/128 ::                    21/nolabel

As with the corresponding MPLS VPN show output, the show bgp labels printout is nonintuitive and requires careful inspection of the incoming and outgoing labels as follows:

- The locally originated IPv6 BGP routes have an incoming label (which the other PE routers will use to reach these destinations), but no outgoing label (much like VPNv4 routes).

NOTE

The locally originated IPv6 routes will have outgoing labels only when the Cisco IOS supports IPv6 LDP between the PE routers and the CE routers.

- The IPv6 BGP routes received from remote PE routers have an outgoing label (which is used by the local PE router to build the IPv6 CEF table), but no incoming label.

NOTE

Similarly to the locally originated IPv6 routes, the incoming label will only make sense with the support of IPv6 LDP between the PE routers and the CE routers.

With the exchange of MPLS labels attached to IPv6 routes, the BGP next-hop check in Cisco IOS is slightly modified. An IPv6 BGP route is considered reachable if the IPv6 BGP next hop is an IPv4-compatible address and the PE router has received a label for the IPv4 address from its downstream neighbor, indicating there is an end-to-end LSP toward the remote BGP peer. You can verify this relaxation by inspecting the IPv6 BGP table on the Washington PE router (shown in Example 8-15). As soon as the exchange of labeled IPv6 prefixes is configured, the IPv6 MP-BGP routes that are received from the San Jose PE router are selected and installed in the IPv6 routing table.

Example 8-15. BGP Table on PE_Washington

PE_Washington#show bgp ipv6
BGP table version is 5, local router ID is 194.22.15.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*>i1205:6700:0:1::/64
                    ::FFFF:194.22.15.2       2    100      0 ?
*> 1205:6700:0:2::/64
                    ::                       2        32768 ?
*>i1307:8000::1/128 ::FFFF:194.22.15.2       0    100      0 ?
*> 1307:8000::3/128 ::                       0        32768 ?

The IPv6 routing table on the Washington PE router (displayed in Example 8-16) also indicates that the IPv6 BGP destinations are reachable via IPv6-MPLS (indicating the deployment of the 6PE solution).

Example 8-16. IPv6 Routing Table on PE_Washington

PE_Washington#show ipv6 route
IPv6 Routing Table - 6 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea
B   1205:6700:0:1::/64 [200/0]
     via ::FFFF:194.22.15.2, IPv6-mpls
R   1205:6700:0:2::/64 [120/2]
     via FE80::230:94FF:FE9B:D940, Serial5/0
B   1307:8000::1/128 [200/0]
     via ::FFFF:194.22.15.2, IPv6-mpls
LC  1307:8000::3/128 [0/0]
     via ::, Loopback0
L   FE80::/10 [0/0]
     via ::, Null0
L   FF00::/8 [0/0]
     via ::, Null0

IPv6 Datagram Forwarding Across an MPLS Backbone

The 6PE solution enables IPv6 datagram forwarding across an MPLS-enabled IPv4-only backbone in which the P routers do not support the IPv6 protocol. The IPv6 datagrams transported across the backbone therefore have to be encapsulated in an MPLS frame by the ingress PE router. Similarly to the IPv4 MPLS implementation, the MPLS label stacks associated with the IPv6 routes are stored in the CEF table called the forwarding information base (FIB). Due to this dependency, IPv6 CEF must be enabled on the PE routers with the ipv6 cef command so that the label imposition on incoming IPv6 datagrams is enabled.

After the IPv6 CEF switching has been enabled, you can use the show ipv6 cef command to inspect the IPv6 FIB and the MPLS labels that are imposed in front of the IPv6 datagrams. The IPv6 FIB from the Washington PE router is displayed in Example 8-17.

Example 8-17. IPv6 FIB on PE_Washington

PE_Washington#show ipv6 cef
1205:6700:0:1::/64
  nexthop ::FFFF:194.22.15.2
  fast tag rewrite with Se5/3, 194.22.15.25, tags imposed: {17 22}
1205:6700:0:2::/64
  nexthop FE80::230:94FF:FE9B:D940 Serial5/0
1307:8000::1/128
  nexthop ::FFFF:194.22.15.2
  fast tag rewrite with Se5/3, 194.22.15.25, tags imposed: {17 23}
1307:8000::3/128
  Receive
FE80::/10
  Receive
FF00::/8
  Receive

As expected, the IPv6 routes received from the San Jose PE router have a label stack associated with them. The first label in the label stack, {17}, is the LDP label assigned to the BGP next hop (PE_SanJose) by the downstream neighbor (P_Vienna). The second label in the stack, {22} or {23}, is the one assigned to the IPv6 route by the remote PE router. You can use the show ip cef or the show mpls ip bindings command to check the correctness of the first label in the label stack and the show bgp labels command to check the correctness of the second label in the label stack. The output from the Washington PE router is displayed in Example 8-18.

Example 8-18. Labels Used in IPv6 Label Stack on PE_Washington

PE_Washington#show ip cef 194.22.15.2
194.22.15.2/32, version 16, cached adjacency 194.22.15.25
0 packets, 0 bytes
  tag information set
    local tag: 17
    fast tag rewrite with Se5/3, 194.22.15.25, tags imposed: {17}
  via 194.22.15.25, Serial5/3, 0 dependencies
    next hop 194.22.15.25, Serial5/3
    valid cached adjacency
    tag rewrite with Se5/3, 194.22.15.25, tags imposed: {17}
PE_Washington#show bgp labels
   Network          Next Hop              In label/Out label
   1205:6700:0:1::/64
                    ::FFFF:194.22.15.2    nolabel/22
   1205:6700:0:2::/64
                    ::                    20/nolabel
   1307:8000::1/128 ::FFFF:194.22.15.2    nolabel/23
   1307:8000::3/128 ::                    21/nolabel
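The two-step check just described (first label from show ip cef, second from show bgp labels), together with the relaxed next-hop check and the In/Out label rule from the show bgp labels discussion, automated as an added Python example that is not part of the book. The printouts are transcribed from the Washington PE examples, and the LDP_LABELS table is filled by hand from show ip cef 194.22.15.2; both are constructed inputs.

```python
"""Cross-check a 6PE label stack from captured PE show output: the first FIB
label must be the LDP label of the BGP next hop (show ip cef <next-hop>), the
second the label the remote PE advertised (show bgp labels)."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed samples, transcribed from the Washington PE printouts.
SHOW_BGP_LABELS = """\
   Network          Next Hop              In label/Out label
   1205:6700:0:1::/64
                    ::FFFF:194.22.15.2    nolabel/22
   1205:6700:0:2::/64
                    ::                    20/nolabel
   1307:8000::1/128 ::FFFF:194.22.15.2    nolabel/23
   1307:8000::3/128 ::                    21/nolabel
"""
SHOW_IPV6_CEF = """\
1205:6700:0:1::/64
  nexthop ::FFFF:194.22.15.2
  fast tag rewrite with Se5/3, 194.22.15.25, tags imposed: {17 22}
1205:6700:0:2::/64
  nexthop FE80::230:94FF:FE9B:D940 Serial5/0
1307:8000::1/128
  nexthop ::FFFF:194.22.15.2
  fast tag rewrite with Se5/3, 194.22.15.25, tags imposed: {17 23}
1307:8000::3/128
  Receive
"""
# LDP label per BGP next hop, read by hand from "show ip cef 194.22.15.2".
LDP_LABELS = {"194.22.15.2": 17}

IPV4_MAPPED = re.compile(r"^::FFFF:(\d+\.\d+\.\d+\.\d+)$", re.IGNORECASE)
Route = Tuple[str, Optional[int], Optional[int]]   # (next hop, In, Out)


def parse_bgp_labels(text: str) -> Dict[str, Route]:
    """Parse 'show bgp labels'; a long prefix wraps onto a line of its own."""
    routes: Dict[str, Route] = {}
    pending = None
    for line in text.splitlines()[1:]:          # skip the column header
        toks = line.split()
        if len(toks) < 2:                       # blank line or wrapped prefix
            pending = toks[0] if toks else pending
            continue
        if len(toks) == 3:
            pending = toks[0]
        nh, labels = toks[-2:]
        in_lbl, out_lbl = (None if t == "nolabel" else int(t)
                           for t in labels.split("/"))
        routes[pending] = (nh, in_lbl, out_lbl)
        pending = None
    return routes


def parse_ipv6_cef(text: str) -> Dict[str, Tuple[Optional[str], List[int]]]:
    """Parse 'show ipv6 cef' into {prefix: (next hop, labels imposed)}."""
    fib: Dict[str, Tuple[Optional[str], List[int]]] = {}
    prefix = ""
    for line in text.splitlines():
        if not line.startswith(" "):
            prefix = line.strip()
            fib[prefix] = (None, [])
        elif line.strip().startswith("nexthop "):
            fib[prefix] = (line.split()[1], fib[prefix][1])
        elif "tags imposed:" in line:
            stack = re.search(r"\{([^}]*)\}", line).group(1).split()
            fib[prefix] = (fib[prefix][0], [int(t) for t in stack])
    return fib


def check_bgp_label_semantics(routes: Dict[str, Route]) -> List[str]:
    """Rule from the text: a locally originated route (next hop ::) carries
    only an In label; a route from a remote PE carries only an Out label."""
    problems = []
    for prefix, (nh, in_lbl, out_lbl) in routes.items():
        if nh == "::" and (in_lbl is None or out_lbl is not None):
            problems.append(f"{prefix}: local route should have In label only")
        if nh != "::" and (in_lbl is not None or out_lbl is None):
            problems.append(f"{prefix}: remote route should have Out label only")
    return problems


def next_hop_reachable(nh: str, ldp_labels: Dict[str, int]) -> bool:
    """6PE next-hop check: IPv4-compatible next hop that has an LDP label."""
    m = IPV4_MAPPED.match(nh)
    return bool(m) and m.group(1) in ldp_labels


def verify_label_stacks(routes, fib, ldp_labels) -> Dict[str, List[str]]:
    """Per remote route: FIB stack == [LDP label of next hop, BGP Out label]."""
    report: Dict[str, List[str]] = {}
    for prefix, (nh, _in_lbl, out_lbl) in routes.items():
        if nh == "::":
            continue                 # local route: nothing imposed
        issues: List[str] = []
        if not next_hop_reachable(nh, ldp_labels):
            issues.append("next hop has no LDP label: route not reachable")
        else:
            expected = [ldp_labels[IPV4_MAPPED.match(nh).group(1)], out_lbl]
            actual = fib.get(prefix, (None, []))[1]
            if actual != expected:
                issues.append(f"FIB stack {actual} != expected {expected}")
        report[prefix] = issues
    return report
```

An empty issue list for every remote prefix means the imposed stack matches what the LDP neighbor and the remote PE advertised; a mismatch points at stale CEF state or a label that was re-advertised after the FIB was built.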
With IPv6 CEF configured on the Washington and San Jose PE routers, the end-to-end IPv6 path between the Santa Clara and Baltimore sites is operational, and the end users can execute the trace ipv6 command on the CE routers to verify it, as shown in Example 8-19.

Example 8-19. IPv6 Trace from Santa Clara to Baltimore

SantaClara#trace ipv6
Target IPv6 address: baltimore
Source IPv6 address: santaclara
Numeric display? [no]:
Timeout in seconds [3]:
Probe count [3]:
Minimum Time to Live [1]:
Maximum Time to Live [30]:
Priority [0]:
Port Number [33434]:
Type escape sequence to abort.
Tracing the route to Baltimore (1205:6700:0:2::1)

  1 1307:8000::1 4 msec 0 msec 4 msec
  2  *  *  *
  3 1307:8000::3 0 msec 0 msec 4 msec
  4 Baltimore (1205:6700:0:2::1) 4 msec 4 msec 0 msec

NOTE

You must use the extended IPv6 trace command in the SuperCom pilot because the PE-CE links use link-local addresses, which are not usable as the source IPv6 addresses of regular IPv6 datagrams.

The trace output includes the ingress PE router (PE_SanJose, 1307:8000::1), the egress PE router (PE_Washington, 1307:8000::3), and the target CE router. The trace output also includes a number of unreachable intermediate hops: the P routers that are unable to send the IPv6 ICMP replies back to the CE routers.

NOTE

The ICMP replies being generated by the intermediate P routers have always presented a problem because the P routers have no information about the destination of the transported datagram or the network layer protocol being transported.

An int erim solut ion , docum ent ed in Ch apt er 5, " Ad van ced MPLS Topics" of Volum e I of MPLS and VPN Ar chit ect u res , w as d ev eloped t o supp ort I Pv4 MPLS b ack bon es. Using t h is solu t ion, t h e P r out er s send an I Pv 4 I CMP r eply t o t he p ack et or iginat or using t he lab els t hat are at t ach ed t o t he in com ing dat ag r am, hoping t h at t h e egr ess PE r out er w ill for w ar d t he pack et back t o t he or igin at ion. The solut ion w or k s for I Pv4 d at agr am s only and f ails com plet ely w hen f aced w it h I Pv 6 dat ag ram s t hat are t r anspor t ed acr oss t he MPLS backb one. •

Table of Content s



I ndex

MP LS and V PN Ar chi te ctur e s, V olum e I I

The vice pr ov iders wh o, Jeff d epApcar loy pilot By Jimser Guichard , I van Pepelnjak

I Pv 6 b ack bon es can accep t t h is som ew hat und esir ed behav ior or t h ey can opt im ize t h e end user ex per ien ce b y disabling t he I Pv 6- t o- MPLS TTL pr opag at ion w it h t h e no m p ls i p prop aga t e - t t l f orw a rde d com m and. This com man d mak es Pub lish er: Cisco Press t he MPLS backb one com plet ely inv isible t o t he CE r out er s, r esult ing in a clean I Pv 6 t ra ce Pub Dat e: Ju ne 06, 2 00 3 bet w een t h e CE r out ers, as sh ow n in Ex am ple 8- 20. For a det ailed descr ipt ion of t his I SBN: 58 705 -1 12er -5 t o Ch apt er 5 of Volu me I of t he MPLS and VPN Ar chit ect u res b ook. com man d, p1-lease r ef Pages: 50 4

Example 8-20. IPv6 Trace from Santa Clara to Baltimore with Disabled TTL Propagation in SuperCom Backbone

SantaClara#trace ipv6
Target IPv6 address: baltimore
Source IPv6 address: santaclara
Numeric display? [no]:
Timeout in seconds [3]: 1
Probe count [3]:
Minimum Time to Live [1]:
Maximum Time to Live [30]: 5
Priority [0]:
Port Number [33434]:
Type escape sequence to abort.
Tracing the route to Baltimore (1205:6700:0:2::1)

  1 1307:8000::1 0 msec 4 msec 0 msec
  2 1307:8000::3 4 msec 4 msec 4 msec
  3 Baltimore (1205:6700:0:2::1) 4 msec 4 msec 0 msec

NOTE

When TTL propagation is disabled in an MPLS VPN backbone, a user who executes a trace on a CE router will usually not see the egress PE router because that router performs only a label lookup and is not affected by the IP TTL. In the 6PE case, the labels that the egress PE routers assign to IPv6 prefixes are aggregate labels, and the egress PE router performs an IPv6 lookup and a corresponding decrement of the IPv6 TTL, making it visible to the IPv6 trace command.

The results of the IPv6 trace across the SuperCom backbone raise an interesting issue: The egress PE router receives the incoming IPv6 trace datagram over an MPLS LSP, not over a physical interface. The source IPv6 address of the returning ICMP packet is usually the IPv6 address of the incoming interface, whereas the incoming MPLS LSP has no associated IPv6 address. Which IPv6 address would then be used to send ICMP packets as responses to the IPv6 packets with TTL=1?

The Cisco IOS 6PE implementation addresses this concern. One of the global IPv6 addresses configured on the router is chosen as the source IPv6 address in ICMP replies. As usual, loopback interfaces are preferred in the address selection process. You can also manually specify the IPv6 address you want to use in the ICMP responses to packets received over an MPLS LSP with the mpls ipv6 source-interface command.

Complex 6PE Deployment Scenarios

This section shows how you can use the 6PE functionality in more complex network design scenarios. These scenarios include BGP route reflectors and BGP confederations as well as inter-autonomous system 6PE functionality.
BGP Route Reflectors

BGP route reflectors are the most common method of scaling BGP-based networks and are commonly used in larger service provider networks. The concept of BGP route reflectors is explained in great detail in Internet Routing Architectures, published by Cisco Press. The use of BGP route reflectors in an MPLS VPN environment is addressed in Volume I of MPLS and VPN Architectures. Advanced BGP route reflector scenarios are described earlier in Chapter 6, "Large-Scale Routing and Multiple Service Provider Connectivity," of this book, which addresses various designs where route reflectors are linked between adjacent service provider networks. In this section, you'll see how the introduction (or presence) of route reflectors in a service provider network affects the 6PE functionality.

The primary function of BGP route reflectors is to propagate routes received from internal BGP neighbors to other internal BGP neighbors while ensuring (with additional BGP attributes) that these routes do not start looping inside the autonomous system. While reflecting the routes, the BGP route reflectors are not allowed to change the reflected route (NLRI), its next-hop, or any other BGP attributes attached to the route.

The fact that the route reflectors do not change the NLRI (which combines an IPv6 prefix and an MPLS label when the 6PE functionality is used) or the next-hop (the IPv4 address of the PE router translated into an IPv6 address) makes them transparent to the 6PE functionality. There are, however, a few design rules that you must consider in 6PE networks with route reflectors:

- The BGP route reflectors must support the 6PE functionality to be able to accept and propagate IPv6 + Labels prefixes.
- IPv6 routing must be enabled on BGP route reflectors; otherwise, you will not be able to configure the IPv6 BGP address family on the route reflectors.
- The IPv6 + Labels MP-BGP session must be activated between route reflectors and their neighbors.
- Route reflecting must be configured within the IPv6 address family (similarly to the requirement that route reflecting be configured separately for the VPNv4 address family).

Not all service providers will want to deploy the 6PE functionality (which might require deployment of a newer IOS release) in their route reflectors. Other service providers would like to avoid the additional burden placed on the route reflectors with the introduction of another address family. (Although this burden will be small initially, it will grow with the expansion of the IPv6 Internet.) In both cases, deploying dedicated 6PE route reflectors can solve the problem. Alternatively, you can use a combination of VPNv4 and 6PE routes on one set of route reflectors and IPv4 on another set.

Imagine that the SuperCom service provider has already deployed a BGP route reflector in its MPLS VPN backbone. This route reflector has the loopback IP address 194.22.15.100 and is adjacent to the Vienna P router. The BGP sessions among PE routers in Paris, San Jose, and Washington would then be replaced by a hub-and-spoke topology of BGP sessions, shown in Figure 8-8. The relevant parts of the router configuration of RR_Vienna and the modified configuration of the SanJose PE router are shown in Examples 8-21 and 8-22.

Example 8-21. Configuration of RR_Vienna

router bgp 10
 no synchronization
 neighbor 194.22.15.1 remote-as 10
 neighbor 194.22.15.1 update-source Loopback0
 neighbor 194.22.15.1 route-reflector-client
 neighbor 194.22.15.2 remote-as 10
 neighbor 194.22.15.2 update-source Loopback0
 neighbor 194.22.15.2 route-reflector-client
 neighbor 194.22.15.3 remote-as 10
 neighbor 194.22.15.3 update-source Loopback0
 neighbor 194.22.15.3 route-reflector-client
 no auto-summary
!
address-family vpnv4
 neighbor 194.22.15.1 activate
 neighbor 194.22.15.1 route-reflector-client
 neighbor 194.22.15.1 send-community extended
 neighbor 194.22.15.2 activate
 neighbor 194.22.15.2 route-reflector-client
 neighbor 194.22.15.2 send-community extended
 neighbor 194.22.15.3 activate
 neighbor 194.22.15.3 route-reflector-client
 neighbor 194.22.15.3 send-community extended

Figure 8-8. BGP Route Reflector in SuperCom Network



Example 8-22. Modified Configuration of PE_SanJose

router bgp 10
 neighbor 194.22.15.100 remote-as 10
 neighbor 194.22.15.100 update-source Loopback0
 no auto-summary
!
address-family vpnv4
 neighbor 194.22.15.100 activate
 neighbor 194.22.15.100 send-community extended

If the same route reflector is used to reflect the IPv6 + Labels address family between the San Jose and Washington PE routers, IPv6 routing will have to be configured on RR_Vienna, and the IPv6 + Labels address family will have to be activated for the San Jose and Washington PE router BGP neighbors, as shown in Example 8-23.

Example 8-23. PE Configuration on RR_Vienna

ipv6 unicast-routing
!
router bgp 10
 address-family ipv6
 neighbor 194.22.15.2 activate
 neighbor 194.22.15.2 route-reflector-client
 neighbor 194.22.15.2 send-label
 neighbor 194.22.15.3 activate
 neighbor 194.22.15.3 route-reflector-client
 neighbor 194.22.15.3 send-label
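The four design rules for 6PE route reflectors applied mechanically to a configuration like Example 8-23, as an added example that is not the book's own code. It assumes IOS-style running-config text as input; the sample configuration is constructed from Examples 8-21 and 8-23, with send-label deliberately left off one neighbor so that a finding appears.

```python
"""Check an IOS BGP configuration against the 6PE route reflector design rules
from this section (IPv6 routing enabled, IPv6 address family present, every 6PE
neighbor activated as a route-reflector-client with send-label in that family).
Added example, not code from the book; it works on 'show running-config' text."""

import re

# Constructed sample: RR_Vienna as in Examples 8-21 and 8-23, with send-label
# deliberately left out for the Washington PE (194.22.15.3) so a finding appears.
RR_VIENNA_CONFIG = """\
ipv6 unicast-routing
!
router bgp 10
 neighbor 194.22.15.1 remote-as 10
 neighbor 194.22.15.1 route-reflector-client
 neighbor 194.22.15.2 remote-as 10
 neighbor 194.22.15.2 route-reflector-client
 neighbor 194.22.15.3 remote-as 10
 neighbor 194.22.15.3 route-reflector-client
 !
 address-family vpnv4
  neighbor 194.22.15.1 activate
  neighbor 194.22.15.1 route-reflector-client
  neighbor 194.22.15.2 activate
  neighbor 194.22.15.2 route-reflector-client
  neighbor 194.22.15.3 activate
  neighbor 194.22.15.3 route-reflector-client
 exit-address-family
 !
 address-family ipv6
  neighbor 194.22.15.2 activate
  neighbor 194.22.15.2 route-reflector-client
  neighbor 194.22.15.2 send-label
  neighbor 194.22.15.3 activate
  neighbor 194.22.15.3 route-reflector-client
 exit-address-family
"""

AF_RE = re.compile(r"^address-family\s+(\S+)")
NEIGHBOR_RE = re.compile(r"^neighbor\s+(\S+)\s+(.+?)\s*$")


def parse_bgp(config):
    """Return (ipv6_routing, afs) where afs maps an address family name
    ('global' for the router bgp section itself) to {neighbor: set(options)}."""
    ipv6_routing = False
    afs = {}
    in_bgp, af = False, "global"
    for raw in config.splitlines():
        line = raw.strip()
        if line == "ipv6 unicast-routing":
            ipv6_routing = True
        elif line.startswith("router bgp "):
            in_bgp, af = True, "global"
        elif not in_bgp or line.startswith("!"):
            continue
        elif line == "exit-address-family":
            af = "global"
        elif m := AF_RE.match(line):
            af = m.group(1)
        elif m := NEIGHBOR_RE.match(line):
            afs.setdefault(af, {}).setdefault(m.group(1), set()).add(m.group(2))
    return ipv6_routing, afs


def check_6pe_rr(config, pilot_pes):
    """Apply the 6PE route reflector rules. pilot_pes lists the loopback addresses
    of the PE routers in the IPv6 pilot. Returns a list of (subject, rule)
    findings; an empty list means the configuration satisfies every rule."""
    findings = []
    ipv6_routing, afs = parse_bgp(config)
    if not ipv6_routing:
        findings.append(("router", "ipv6-unicast-routing-missing"))
    ipv6_af = afs.get("ipv6")
    if ipv6_af is None:
        findings.append(("router", "address-family-ipv6-missing"))
        ipv6_af = {}
    sessions = afs.get("global", {})
    # Check the pilot PEs plus anything already activated in the IPv6 family.
    for pe in sorted(set(pilot_pes) | set(ipv6_af)):
        opts = ipv6_af.get(pe, set())
        if not any(o.startswith("remote-as ") for o in sessions.get(pe, set())):
            findings.append((pe, "bgp-session-undefined"))
        if "activate" not in opts:
            findings.append((pe, "ipv6-labels-session-not-activated"))
            continue
        # Route reflection is per address family: the global or VPNv4
        # route-reflector-client statement does not carry over to IPv6.
        if "route-reflector-client" not in opts:
            findings.append((pe, "not-rr-client-in-ipv6-af"))
        if "send-label" not in opts:
            findings.append((pe, "send-label-missing"))
    return findings


if __name__ == "__main__":
    for subject, rule in check_6pe_rr(RR_VIENNA_CONFIG, ["194.22.15.2", "194.22.15.3"]):
        print(f"{subject}: {rule}")
```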

Alternatively, the SuperCom engineers might want to deploy a 6PE-specific BGP route reflector (with the loopback IP address 194.22.15.101) that would be used exclusively to support the IPv6 pilot, as shown in Figure 8-9. This route reflector, which is not part of the production network, can then run a less-tested IOS release because its failure will not affect the production MPLS VPN backbone.

Figure 8-9. Dedicated 6PE BGP Route Reflector

The BGP router configuration of the San Jose and Washington PE routers will need to include this new BGP neighbor. Only the IPv6 + Labels address family will be activated on the new BGP sessions, as shown in Example 8-24. The BGP configuration of RR_6PE is almost identical to the RR_Vienna configuration in Example 8-21.

Example 8-24. Support for Dedicated 6PE Route Reflector Configured on PE_SanJose

PE_SanJose(config)#
router bgp 10
 neighbor 194.22.15.101 remote-as 10
 neighbor 194.22.15.101 update-source Loopback0
 no neighbor 194.22.15.101 activate
!
address-family ipv6
 neighbor 194.22.15.101 activate
 neighbor 194.22.15.101 send-label

6PE Deployment in Networks Using BGP Confederations

Another solution addressing the scalability issues of the IBGP sessions is BGP confederations, which are used significantly less often than BGP route reflectors. When using BGP confederations, the autonomous system is internally divided into a number of smaller autonomous systems, called member autonomous systems. The EBGP sessions between the member autonomous systems behave like EBGP sessions with respect to BGP route propagation rules. The only difference between intraconfederation EBGP sessions and real EBGP sessions is that most of the BGP attributes (with the exception of AS-path) remain unchanged when a prefix is propagated across an intraconfederation EBGP session.

BGP confederations can be used in two common design scenarios:

- The whole autonomous system (all member autonomous systems) uses one IGP, and the BGP next hop is unchanged on an intraconfederation EBGP session. This design is compatible with the 6PE functionality because the NLRI (IPv6 prefix + label) and the BGP next hop are unchanged as the IPv6 + Labels prefix is propagated across the autonomous system.
- Each member autonomous system uses a separate IGP, and the BGP next-hop is changed on an intraconfederation EBGP session with the neighbor next-hop-self command. This design is not compatible with the 6PE functionality because the current 6PE implementation in Cisco IOS does not provide the ability to re-originate the MPLS label if the BGP next-hop is changed.

There is another restriction associated with deploying 6PE functionality in BGP networks using BGP confederations: There must be a path between each pair of 6PE-enabled routers on which all member-AS boundary routers support the IPv6 functionality. IPv6 routing must be configured on all these routers, together with the exchange of IPv6 + Labels prefixes across intraconfederation EBGP sessions.

Inter-AS 6PE Deployment

The deployment of 6PE functionality across multiple service providers is best handled with a design in which each service provider uses the 6PE functionality internally and exchanges the IPv6 traffic with adjacent service providers using native IPv6 packet forwarding. Consider, for example, a scenario in which the IPv6 customer of SuperCom would like to connect a third IPv6 site connected to another service provider, as shown in Figure 8-10. (The internal details of the EastCom backbone are not known to the SuperCom engineers.)

Figu r e 8 - 1 0 . Ex t e nde d I Pv6 Pi lot Pub lish er: Cisco Press Pub Dat e: Ju ne 06, 2 00 3 I SBN: 1- 58 705 -1 12 -5 Pages: 50 4

Wit h MPLS and VPN Ar chit ect u res, Volum e I I , y ou' ll lear n : How t o int egr at e v ar iou s r em ot e access t echn ologies in t o t h e back bone p r ovidin g VPN ser v ice t o m any d iff er ent t yp es of cu st om er s The n ew PE- CE r out in g op t ions as w ell as ot her adv anced f eat ur es, includ ing per- VPN Net w ork Ad dr ess Tr an slat ion ( PE- NAT) How VRFs can be ex t ended int o a cust om er sit e t o pr ov ide sep ar at ion inside t he cust om er net w ork The lat est MPLS VPN secur it y f eat u res an d d esign s aim ed at pr ot ect ing t h e MPLS VPN back bone I n t his scenar io, t h e best solut ion is for each ser v ice p r ovider t o consid er t he ot h er ser v ice pr ov ider CE yrou t erom t hat I Pv 6 tBGP ex ch Howast oacarr cust er uses m ult icast r aff ict oinsid e ange a VPNI Pv 6 pr ef ixes. Nat iv e I Pv6 BGP r unn ing bet w een I Pv6 endp oint s can be u sed bet w een t hese ser v ice p r ovider s t o ex chang e lat est in t er - car rier enh ancem ent s t o allow f or easier and m or e scalable d ep loym ent I Pv6 pThe refix es. of int er - car r ier MPLS VPN serv ices The r elev ant par t s of t he Washing t on PE r out er con figur at ion ar e show n in Ex am ple 8- 25. Adv anced t rou blesh oot ing t echn iques includ in g r ou t er out pu t s t o en su re high av ailab ilit y MPLS and VPN Ar chit ect u res, Volum e I I , b uilds on t he best - sellin g MPLS an d VPN Exa m pl e 8 - 2 5 . Na t i ve I Pv6 BGP Se ssi on Conf i gur e d Bet w e en Ar ch it ect u res, Volum e I ( 1 - 587 05- 0 02- 1) , f rom Cisco Pr ess. Ex t endin g int o m or e adv anced PE_ W a sh in gt on a nd East Com PE Rout er t opics an d d ep loy m ent archit ect ur es, Volu m e I I pr ovid es r eader s w it h t he necessar y t ools t hey n eed t o d ep loy and m ain t ain a secur e, hig hly av ailab le VPN. 
interface Serial5/0
 description *** Link to EastCom ***
 no ip address
 ipv6 address 1307:8000:1::1/120
 ipv6 enable
!
router bgp 10
 bgp log-neighbor-changes
 neighbor 1307:8000:1::2 remote-as 65001
 !
 address-family ipv6
 neighbor 1307:8000:1::2 activate


After the IPv6 BGP session between SuperCom and EastCom is established, the Washington PE router receives IPv6 BGP prefix information from the EastCom router, as shown in Example 8-26.

Example 8-26. IPv6 Prefix for New York Site Received by PE_Washington

PE_Washington#sh ipv6 bgp 1205:6700:0:3::/64
BGP routing table entry for 1205:6700:0:3::/64, version 8
Paths: (1 available, best #1, table Global-IPv6-Table)
  Advertised to non peer-group peers:
  194.22.15.2
  5001
    1307:8000:1::2 from 1307:8000:1::2 (10.0.0.1)
      Origin IGP, localpref 100, valid, external, best

When the IPv6 prefix is propagated to the SanJose PE router over the IPv6 + Labels MP-BGP session, the BGP next-hop is automatically changed to the IPv4 address of the Washington PE router (translated, of course, into an IPv6 address), requiring no additional configuration on the Washington or San Jose PE routers. The IPv6 BGP prefix that the San Jose PE router receives is shown in Example 8-27.

Example 8-27. New York IPv6 Prefix on PE_SanJose

PE_SanJose#sh bgp ipv6 1205:6700:0:3::/64
BGP routing table entry for 1205:6700:0:3::/64, version 12
Paths: (1 available, best #1, table Global-IPv6-Table)
  Not advertised to any peer
  5001
    ::FFFF:194.22.15.3 (metric 30) from 194.22.15.3 (194.22.15.3)
      Origin IGP, localpref 100, valid, internal, best


Summary

The 6PE solution (IPv6 transport across an IPv4-only MPLS backbone) allows a seamless, nonintrusive deployment of IPv6 pilot networks across existing IPv4 cores without the complexities associated with other early-deployment solutions (such as IPv6 tunnels across IPv4 backbones). The solution is similar in its concept to the MPLS VPN solution; IPv6 MP-BGP is extended with the capability to exchange MPLS labels associated with IPv6 prefixes between the PE routers. The labels associated with IPv6 prefixes are then used together with LDP-allocated labels to IPv4 BGP next-hops to build MPLS label stacks in IPv6 FIB tables. The MPLS label stacks, when imposed in front of IPv6 datagrams, enable transparent transport of IPv6 datagrams from an ingress PE router over an IPv4-only MPLS backbone to an egress PE router, which performs another IPv6 lookup and forwards the IPv6 datagram toward its final destination.
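To make the label-stack construction described in this summary concrete, the following Python model is an added example (not code from the book or from Cisco IOS). It takes a 6PE route shaped like the one in Example 8-27, with the IPv4-mapped next hop ::FFFF:194.22.15.3, and combines the BGP-advertised label with the LDP label for the IPv4 next hop into the two-label stack the ingress PE installs in its IPv6 FIB. The label values (17 and 24) and the LDP binding for 194.22.15.3/32 are constructed sample data; the book does not show them.

```python
"""6PE label-stack construction, modeled in Python.

Added example, not code from the book or from Cisco IOS. It models what the
summary describes: the ingress PE learns an IPv6 prefix via MP-BGP with an
IPv4-mapped IPv6 next hop and a BGP-allocated label, looks up the LDP label
for the IPv4 next hop, and installs a two-label stack (outer LDP label,
inner BGP label) in its IPv6 FIB. Label values are constructed sample data.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network
IPv6Net = ipaddress.IPv6Network


@dataclass(frozen=True)
class Bgp6peRoute:
    """One IPv6+labels MP-BGP route as received by the ingress PE."""
    prefix: IPv6Net
    next_hop: ipaddress.IPv6Address  # IPv4-mapped address, e.g. ::FFFF:194.22.15.3
    label: int                       # label the egress PE advertised with the prefix


def ipv4_next_hop(next_hop: ipaddress.IPv6Address) -> ipaddress.IPv4Address:
    """Extract the IPv4 BGP next hop from its IPv4-mapped IPv6 form.

    A 6PE next hop that is not IPv4-mapped cannot be resolved through the
    IPv4-only LDP LSPs, so it is rejected rather than silently misrouted.
    """
    v4 = next_hop.ipv4_mapped
    if v4 is None:
        raise ValueError(f"6PE next hop {next_hop} is not an IPv4-mapped address")
    return v4


def build_ipv6_fib(routes: List[Bgp6peRoute],
                   ldp_bindings: Dict[IPv4Net, int]
                   ) -> Dict[IPv6Net, Optional[Tuple[int, int]]]:
    """Return prefix -> (outer LDP label, inner BGP label), or None if no LSP exists.

    LDP binds labels to the /32 host FECs of the PE loopbacks; a missing /32
    binding means there is no end-to-end LSP to the egress PE, so the IPv6
    prefix cannot be forwarded even though BGP holds a valid route for it.
    """
    fib: Dict[IPv6Net, Optional[Tuple[int, int]]] = {}
    for route in routes:
        v4 = ipv4_next_hop(route.next_hop)
        outer = ldp_bindings.get(IPv4Net(f"{v4}/32"))
        fib[route.prefix] = None if outer is None else (outer, route.label)
    return fib


def lookup(fib: Dict[IPv6Net, Optional[Tuple[int, int]]],
           dst: ipaddress.IPv6Address) -> Optional[Tuple[int, int]]:
    """Longest-prefix match of an IPv6 destination; returns the label stack or None."""
    best: Optional[IPv6Net] = None
    for prefix in fib:
        if dst in prefix and (best is None or prefix.prefixlen > best.prefixlen):
            best = prefix
    return None if best is None else fib[best]


# Constructed sample data modeled on Example 8-27: prefix 1205:6700:0:3::/64 with
# next hop ::FFFF:194.22.15.3 (the Washington PE). The label values are invented.
SAMPLE_ROUTES = [
    Bgp6peRoute(IPv6Net("1205:6700:0:3::/64"),
                ipaddress.IPv6Address("::ffff:194.22.15.3"), label=17),
]
SAMPLE_LDP_BINDINGS = {IPv4Net("194.22.15.3/32"): 24}  # constructed LDP binding


if __name__ == "__main__":
    fib = build_ipv6_fib(SAMPLE_ROUTES, SAMPLE_LDP_BINDINGS)
    print(lookup(fib, ipaddress.IPv6Address("1205:6700:0:3::10")))  # (24, 17)
```

The model deliberately installs None rather than an unlabeled entry when the LDP binding is missing: that is the case the troubleshooting chapter that follows describes, where the BGP control plane looks healthy but there is no LSP to carry the datagram across the IPv4-only core.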


Part IV: Troubleshooting

Chapter 9 Troubleshooting of MPLS-Based Solutions


Chapter 9. Troubleshooting of MPLS-Based Solutions

All of the previous chapters in this book have discussed a variety of advanced or new Multiprotocol Label Switching (MPLS)-based applications, ranging from remote access, support of new routing protocols, and multi-virtual private network (VPN) operation of CE routers to the inclusion of new IP services within the MPLS VPN architecture, including security and IP multicast. This chapter focuses on troubleshooting service provider networks designed around MPLS-based solutions.

Because the MPLS-based solutions encompass a large solution space, it's almost impossible to cover all troubleshooting scenarios in one chapter. As is usually the case when tackling complex topics in limited space, this chapter provides a generic blueprint that you can tailor to individual preferences, troubleshooting styles (starting with the most obvious tests versus methodically testing everything from scratch), and individual MPLS-based solutions. This chapter also presents troubleshooting scenarios for two of the most common MPLS-based solutions: Internet services running across an MPLS backbone, and VPN services offered on top of MPLS VPN technology.


Introduction to Troubleshooting of MPLS-Based Solutions

Most MPLS-based solutions (with the notable exception of MPLS quality of service [QoS], which is not covered in this book) follow the same conceptual architecture: customer control plane operation, provider control plane operation, and data plane operation.

Customer Control Plane Operation

The following functions are performed by the customer control plane:

• Customer routing information is exchanged between PE routers and CE routers.

• Customer routing information is propagated between PE routers, most commonly with the help of Multiprotocol Border Gateway Protocol (MP-BGP). MPLS labels are exchanged together with the customer routing information to facilitate the data forwarding with an MPLS label stack.

• Customer routing information received across the MPLS backbone is propagated to CE routers.

Provider Control Plane Operation

Most MPLS-based solutions rely on an end-to-end label switched path (LSP) between PE routers for customer data forwarding. These paths need to be built throughout the service provider network before customer data can be forwarded successfully. Label Distribution Protocol (LDP) is usually used to build these paths. In some (rare) cases, MPLS traffic engineering (MPLS-TE) is used directly between the PE routers to build the traffic-engineered LSPs directly between PE routers. There are also networks that would use generic route encapsulation (GRE) tunnels directly between the PE routers, in which case the LSP is only a single hop long.

Data Plane Operation


Most of the MPLS setup and deployment problems occur in the control plane; after the routing information has been exchanged between PE routers and CE routers and the LSP has been built between PE routers, the MPLS-based data forwarding across the Provider network (P-network) usually works. There are, however, a few situations in which the data plane functionality causes network-wide problems. The three most common problems are these:

• There is no end-to-end LSP between the PE routers. Although this is a provider control plane problem, it usually manifests itself on the data plane.

• The MPLS label stack is not imposed on customer datagrams because Cisco Express Forwarding (CEF) is not operational on the ingress interface.

• A Layer 2 device (most commonly a LAN switch) between MPLS nodes cannot handle the increase in Layer 2 payload size that is caused by MPLS label stack imposition. Refer to the section "Oversized Packet Issues" later in this chapter for more details.

The troubleshooting of any MPLS-based solution usually involves more than one component of the solution. Because the MPLS forwarding in the service provider backbone is crucial to the deployment of MPLS-based solutions, it makes sense to check the correct MPLS forwarding in the backbone before focusing on customer routing information exchange or forwarding of customer datagrams. A typical MPLS troubleshooting session includes the following steps:

1. Check the MPLS forwarding across the service provider backbone. Fix the P-network label distribution process or the P-network forwarding issues if necessary.

2. Check the routing information exchange between CE routers and PE routers, between the PE routers across the MPLS backbone, and between PE routers and CE routers.

3. Check the customer datagram forwarding.

All three steps are described in more detail later in this chapter. This chapter focuses primarily on MPLS VPN as the MPLS application running across the P-network. You can easily apply the procedures discussed here to any other MPLS applications discussed in previous chapters of this book.


Troubleshooting the MPLS Backbone

MPLS is simple to configure and troubleshoot. Not many things can go wrong, and recent IOS versions (such as IOS release 12.2) check most of the prerequisites for successful MPLS operation before MPLS-related configuration commands can be entered.


NOTE

MPLS is so transparent in simple IP networks that do not use advanced MPLS features (such as BGP running only on the edge routers) or MPLS applications (MPLS VPNs or MPLS-TE) that it is sometimes hard to detect that MPLS is not operational. The first problems usually arise when you are trying to deploy advanced MPLS features.

If you encounter MPLS-related problems in your network, you should check the following things first. (The next section contains detailed instructions on how to perform these checks.)

• Is CEF enabled? MPLS requires CEF because it is the only switching mechanism that can provide the necessary forwarding structures required by the MPLS label imposition component.

• Is MPLS enabled on all routers?

• Is MPLS disabled on any of the interfaces?

Before going in depth into MPLS troubleshooting, it is always valuable to first perform a simple test described in the following section to verify whether the end-to-end LSP between the PE routers is operational. This test usually also yields the IP address of the router causing the LSP to break.

NOTE

Under some rare circumstances, the end-to-end LSP check might work, but the LSP between the PE routers would still be broken. If the customer datagram forwarding still does not work after you have checked all the other potential problems, you might have encountered such a broken LSP. At that point, you would need to perform in-depth MPLS troubleshooting.

Verifying End-to-End LSP

One of the most common reasons for end-to-end MPLS connectivity problems is a broken LSP. In many applications (such as MPLS VPN or MP-BGP running only on edge routers), an LSP should span the whole MPLS network from ingress label switch router (LSR) to egress LSR. In these cases, the LSRs in the middle of the network usually cannot propagate unlabeled packets sent from ingress to egress LSR; therefore, a break in the LSP results in a loss of connectivity.

There are three common reasons for a break in an end-to-end LSP:

• An LSR in the path performs address summarization.

• An IP router in the path does not support MPLS.

• The P-network is using Open Shortest Path First (OSPF) as its interior routing protocol, and the subnet mask on the PE router's loopback interface is not equal to /32.




NOTE

By default, OSPF announces all loopback interfaces with the /32 subnet mask regardless of the actual subnet mask configured on the interface. The mismatch between the subnet mask announced with OSPF and the subnet mask announced with LDP breaks the last hop in the LSP.

You can easily check whether there is an operational end-to-end LSP between a pair of PE routers with the help of TTL propagation on the ingress PE router. The printouts included in the procedure that follows use the sample network shown in Figure 9-1.

Figure 9-1. IP Addressing in the Sample Network

Use the following procedure to check the end-to-end LSP between a pair of LSRs:

Step 1. Enable time-to-live (TTL) propagation for local packets on the ingress LSR with the mpls ip propagate-ttl local command. Perform the trace from the ingress LSR toward the egress LSR. You should see all LSRs in the forwarding path with MPLS labels displayed at every hop except the last one, as shown in Example 9-1.

Example 9-1. Traceroute from Ingress LSR to Egress LSR with TTL Propagation Enabled

Ingress#trace Egress

Type escape sequence to abort.
Tracing the route to Egress (192.168.3.1)

  1 192.168.3.10 [MPLS: Label 20 Exp 0] 913 msec 1202 msec 1034 msec
  2 192.168.3.14 [MPLS: Label 22 Exp 0] 1013 msec 902 msec 901 msec
  3 192.168.3.18 [MPLS: Label 23 Exp 0] 1102 msec 1102 msec 377 msec
  4 192.168.3.22 1190 msec 1005 msec 789 msec

Step 2. Disable the TTL propagation for local packets on the ingress LSR with the no mpls ip propagate-ttl local command and perform the same trace command. You should see only the last LSR in the forwarding path, as shown in Example 9-2.

Example 9-2. Traceroute from Ingress LSR to Egress LSR with TTL Propagation Disabled

Ingress#trace Egress

Type escape sequence to abort.
Tracing the route to Egress (192.168.3.1)

  1 192.168.3.22 1190 msec 1005 msec 789 msec

If, however, a device in the forwarding path breaks the LSP (for example, due to route summarization), then the trace command (with TTL propagation disabled) shows more than one hop but probably fewer than the whole forwarding path (as displayed by the trace command with TTL propagation enabled). An example indicating a broken LSP due to route summarization on P2 is displayed in Example 9-3. The first IP address in the example is usually the IP address of the router where the LSP breaks, which is the ideal starting point for your troubleshooting.

Example 9-3. Traceroute from Ingress LSR to Egress LSR Along a Broken LSP (TTL Propagation Is Disabled)

Ingress#trace Egress

Type escape sequence to abort.
Tracing the route to Egress (192.168.3.1)

  1 192.168.3.14 208 msec 309 msec 677 msec
  2 192.168.3.18 789 msec 970 msec 729 msec
  3 192.168.3.22 901 msec 1098 msec 629 msec

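The two-trace procedure above is easy to automate. The following Python script is an added example, not code from the book: it parses the traceroute printouts of Examples 9-1 through 9-3 (embedded here as constructed sample input) and applies the book's rule to classify the LSP and name the router where it breaks. It also covers one case the book does not show, in which the TTL-disabled trace reveals every hop, meaning the ingress LSR imposed no label at all.

```python
import re

# Constructed sample input: the traceroute printouts from Examples 9-1 to 9-3.
TRACE_TTL_ON = """Ingress#trace Egress
Type escape sequence to abort.
Tracing the route to Egress (192.168.3.1)

  1 192.168.3.10 [MPLS: Label 20 Exp 0] 913 msec 1202 msec 1034 msec
  2 192.168.3.14 [MPLS: Label 22 Exp 0] 1013 msec 902 msec 901 msec
  3 192.168.3.18 [MPLS: Label 23 Exp 0] 1102 msec 1102 msec 377 msec
  4 192.168.3.22 1190 msec 1005 msec 789 msec
"""

TRACE_TTL_OFF_INTACT = """Ingress#trace Egress
Type escape sequence to abort.
Tracing the route to Egress (192.168.3.1)

  1 192.168.3.22 1190 msec 1005 msec 789 msec
"""

TRACE_TTL_OFF_BROKEN = """Ingress#trace Egress
Type escape sequence to abort.
Tracing the route to Egress (192.168.3.1)

  1 192.168.3.14 208 msec 309 msec 677 msec
  2 192.168.3.18 789 msec 970 msec 729 msec
  3 192.168.3.22 901 msec 1098 msec 629 msec
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(\d{1,3}(?:\.\d{1,3}){3})(.*)$")
LABEL_RE = re.compile(r"\[MPLS: Label (\d+) Exp (\d+)\]")


def parse_trace(text):
    """Return one dict per hop: hop number, responding IP, and the MPLS label
    the router reported (None when the hop answered with a plain IP packet)."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # prompt, banner and blank lines
        label = LABEL_RE.search(m.group(3))
        hops.append({
            "hop": int(m.group(1)),
            "ip": m.group(2),
            "label": int(label.group(1)) if label else None,
        })
    return hops


def check_lsp(trace_ttl_on, trace_ttl_off):
    """Apply the book's rule: with 'no mpls ip propagate-ttl local' an intact
    LSP hides every transit LSR, so only the egress LSR should answer."""
    full = parse_trace(trace_ttl_on)
    short = parse_trace(trace_ttl_off)
    if not full or not short:
        raise ValueError("could not parse any hops from the trace output")
    egress = full[-1]["ip"]
    result = {"path_hops": len(full), "visible_hops": len(short), "egress": egress}
    if len(short) == 1 and short[0]["ip"] == egress:
        result.update(status="intact", break_at=None)
    elif len(short) >= len(full):
        # Every transit hop is visible: nothing hid the TTL, so the ingress LSR
        # never imposed a label (added case, not described in the book's text).
        result.update(status="no-lsp", break_at=short[0]["ip"])
    else:
        # Fewer hops than the full path but more than one: the first responding
        # address is where the LSP breaks (Example 9-3: P2 summarizes routes).
        result.update(status="broken", break_at=short[0]["ip"])
    # Step 1 sanity check: a label should appear at every hop except the last.
    result["unlabeled_transit"] = [h["ip"] for h in full[:-1] if h["label"] is None]
    return result


if __name__ == "__main__":
    for name, trace in (("intact", TRACE_TTL_OFF_INTACT), ("broken", TRACE_TTL_OFF_BROKEN)):
        print(name, check_lsp(TRACE_TTL_ON, trace))
```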

Other Quick Checks

After you have verified that the LSP between PE routers is broken, you should perform a few more quick MPLS-related checks before you go into in-depth MPLS troubleshooting:

Is CEF enabled globally on every router in the path?

You verify proper operation of CEF with the show ip cef summary monitoring command, which should produce a printout similar to the one shown in Example 9-4.

Example 9-4. Correct show ip cef summary Printout

Router#show ip cef summary
IP CEF with switching (Table Version 87), flags=0x0
  51 routes, 0 reresolve, 0 unresolved (0 old, 0 new)
  54 leaves, 30 nodes, 37896 bytes, 90 inserts, 36 invalidations
  0 load sharing elements, 0 bytes, 0 references
  universal per-destination load sharing algorithm, id E2D347E4
  2 CEF resets, 1 revisions of existing leaves
  refcounts: 1038 leaf, 995 node
Adjacency Table has 5 adjacencies

If, however, CEF is not enabled on the router, then the same command results in a similar printout with a small error notification at the end (highlighted in Example 9-5).

Example 9-5. show ip cef summary Printout with CEF Disabled

Router#show ip cef summary
IP CEF without switching (Table Version 61), flags=0x0
  0 routes, 0 reresolve, 0 unresolved (0 old, 0 new)
  0 leaves, 0 nodes, 0 bytes, 78 inserts, 78 invalidations
  0 load sharing elements, 0 bytes, 0 references
  universal per-destination load sharing algorithm, id 01C20606
  3 CEF resets, 0 revisions of existing leaves
  refcounts: 0 leaf, 0 node
%CEF not running

Is MPLS enabled?

You verify LSR-wide MPLS operation with the show mpls forwarding-table command, which should produce a printout similar to that shown in Example 9-6.

Example 9-6. Correct show mpls forwarding-table

Router#show mpls forwarding-table
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
16     Untagged    192.168.21.0 255.255.255.0 \
                                     0          Se0/0.1    point2point
17     Untagged    192.168.20.0 255.255.255.0 \
                                     0          Se0/0.2    point2point
18     18          192.168.22.0 255.255.255.0 \
                                     0          Se0/0.1    point2point
19     21          192.168.3.2 255.255.255.255 \
                                     0          Se0/0.1    point2point
20     22          192.168.3.1 255.255.255.255 \
                                     0          Se0/0.1    point2point

If, however, you have not configured MPLS on the LSR, then the same command displays an error message similar to the one shown in Example 9-7.

Example 9-7. show mpls forwarding-table Printout with MPLS Disabled

Router#show mpls forwarding-table
Tag switching is not operational.
CEF or tag switching has not been enabled.
No TFIB currently allocated.

There is also a third possibility: MPLS has been enabled but, for some reason, CEF has been disabled afterward. (Cisco IOS does not allow you to configure MPLS with CEF disabled from IOS release 12.2 onward.) In this case, the show mpls forwarding-table command indicates that MPLS is not operational due to lack of CEF support, as shown in Example 9-8.

Example 9-8. show mpls forwarding-table Printout with CEF Disabled

Router#show mpls forwarding-table
Tag switching is not operational.
CEF or tag switching has not been enabled.
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface

Is MPLS enabled on all interfaces?

When you have verified the overall MPLS status on an LSR, you should check the MPLS status of individual interfaces with the show mpls interface command, which produces a printout similar to the one in Example 9-9.

Example 9-9. show mpls interface Printout

Router#show mpls interfaces
Interface       IP       Tunnel   Operational
Serial0/0.1     Yes      No       Yes
Serial0/0.2     Yes      No       Yes
Serial0/0.5     Yes      No       Yes

The show mpls interface printout indicates whether MPLS has been configured on an interface (the IP column) and whether it is operational (the Operational column). New IOS releases with LDP support display the label distribution protocol configured on the interface (TDP or LDP) in the IP column.


NOTE

The show mpls interface command displays only the interfaces on which MPLS has been configured.

For proper and secure MPLS operation in your network, enable MPLS on all links between your core routers and disable it on all links that connect your core routers to insecure devices (external networks or customer routers)—unless, of course, you have deployed the Carrier's Carrier solution.

NOTE

MPLS is always operational on frame-mode MPLS interfaces that do not support per-protocol negotiation between adjacent routers (such as LAN interfaces, Frame Relay links, or HDLC links). A router indicates that MPLS is not operational over a PPP link if the MPLS-specific LCP is not negotiated successfully. Similarly, a router marks an ATM interface in LC mode on which LDP has not been started as non-operational.

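As an added example (not code from the book), the following Python script automates the three quick checks above against the printouts of Examples 9-4 through 9-9, embedded here as constructed sample input, and applies the rule that MPLS belongs on every core link and on no link toward an insecure device. The set of expected core interfaces is an assumption of the example; treating a core link that is absent from show mpls interfaces as having no MPLS configured follows from the NOTE above, and telling Examples 9-7 and 9-8 apart by the "No TFIB currently allocated" line is a heuristic based on those two printouts.

```python
import re

# Constructed sample input: printouts copied from Examples 9-4, 9-5, 9-7, 9-8 and 9-9.
CEF_OK = """Router#show ip cef summary
IP CEF with switching (Table Version 87), flags=0x0
  51 routes, 0 reresolve, 0 unresolved (0 old, 0 new)
  refcounts: 1038 leaf, 995 node
Adjacency Table has 5 adjacencies
"""
CEF_OFF = """Router#show ip cef summary
IP CEF without switching (Table Version 61), flags=0x0
  0 routes, 0 reresolve, 0 unresolved (0 old, 0 new)
  refcounts: 0 leaf, 0 node
%CEF not running
"""
FWD_OK = """Router#show mpls forwarding-table
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
19     21          192.168.3.2 255.255.255.255 \\
                                     0          Se0/0.1    point2point
"""
FWD_MPLS_OFF = """Router#show mpls forwarding-table
Tag switching is not operational.
CEF or tag switching has not been enabled.
No TFIB currently allocated.
"""
FWD_CEF_OFF = """Router#show mpls forwarding-table
Tag switching is not operational.
CEF or tag switching has not been enabled.
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
"""
MPLS_IFACES = """Router#show mpls interfaces
Interface       IP       Tunnel   Operational
Serial0/0.1     Yes      No       Yes
Serial0/0.2     Yes      No       Yes
Serial0/0.5     Yes      No       Yes
"""

# Assumed for the example: the links this router has toward other core LSRs.
CORE_LINKS = {"Serial0/0.1", "Serial0/0.2", "Serial0/0.3"}

IFACE_RE = re.compile(r"^(\S+)\s+(Yes|No)\s+(Yes|No)\s+(Yes|No)\s*$")


def cef_enabled(cef_summary):
    """Quick check 1: Example 9-5 ends with '%CEF not running' when CEF is off."""
    return "%CEF not running" not in cef_summary and "IP CEF with switching" in cef_summary


def mpls_status(forwarding_table):
    """Quick check 2. Both failure printouts start with 'Tag switching is not
    operational.'; only the MPLS-disabled one (Example 9-7) reports that no
    TFIB was allocated, while the CEF-disabled one (Example 9-8) still prints
    the (empty) table header. Returns 'ok', 'mpls-disabled' or 'cef-disabled'."""
    if "Tag switching is not operational" not in forwarding_table:
        return "ok"
    if "No TFIB currently allocated" in forwarding_table:
        return "mpls-disabled"
    return "cef-disabled"


def parse_mpls_interfaces(output):
    """Map interface name -> flags from the IP / Tunnel / Operational columns."""
    rows = {}
    for line in output.splitlines():
        m = IFACE_RE.match(line)
        if m:
            rows[m.group(1)] = {"ip": m.group(2) == "Yes",
                                "tunnel": m.group(3) == "Yes",
                                "operational": m.group(4) == "Yes"}
    return rows


def audit_interfaces(output, core_links):
    """Quick check 3 plus the security rule: MPLS must be configured and
    operational on every core link, and must not be enabled anywhere else.
    Interfaces absent from the printout have no MPLS configured (see NOTE)."""
    seen = parse_mpls_interfaces(output)
    findings = []
    for name in sorted(core_links):
        if name not in seen:
            findings.append(f"{name}: core link without MPLS configured")
        elif not seen[name]["operational"]:
            findings.append(f"{name}: MPLS configured but not operational")
    for name in sorted(seen):
        if name not in core_links:
            findings.append(f"{name}: MPLS enabled on a non-core link; disable it "
                            "unless this is a Carrier's Carrier link")
    return findings


if __name__ == "__main__":
    print("CEF enabled:", cef_enabled(CEF_OK), cef_enabled(CEF_OFF))
    for table in (FWD_OK, FWD_MPLS_OFF, FWD_CEF_OFF):
        print("MPLS status:", mpls_status(table))
    for finding in audit_interfaces(MPLS_IFACES, CORE_LINKS):
        print(finding)
```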
MPLS Control Plane Troubleshooting

If the quick checks have not discovered obvious problems, it is time to go into in-depth troubleshooting. Start with the control plane troubleshooting first because the data plane does not work properly until the labels are exchanged between adjacent LSRs through the control plane protocols (Tag Distribution Protocol [TDP] or LDP). The control plane operation is displayed in Figure 9-2.

Figure 9-2. Control Plane Operations in an LSR

Control plane troubleshooting is focused primarily on the presence of TDP/LDP sessions between adjacent routers and the exchange of labels. In-depth troubleshooting of TDP/LDP operation and label exchange is usually a result of software error and is best left to Cisco Systems engineers.

Verify Local TDP/LDP Parameters

MPLS and VPN Ar chit ect u res, Volum e I I , b eg in s w it h a br ief ref resher of t he MPLS VPN Ar ch it ect u re. Par t I I descr ibes adv anced MPLS VPN con nect iv it y includ in g t he int egr at ion of St arv tice t he r ol access p lan e ttrechn oubleshoot by ver ify ing t heEtTDP/ LDP setdt ing of tyheoflocal ser prcont ovider olog iesing ( dial, DSL, cab le, her net ) an a vsariet r out rinout g er w it h t he show t a gsw i t ch ing t dp p ar am e t er s ( for TD P) or show m pl s ld p p ar am e t pr ot ocols ( I S- I S, EI GRP, and OSPF) , ar m in g t he r eader w it h t he k now ledge of h ow t o er s ( f oregr LDP) com in ab ack pr int oue. t similar t he one show n ind ep Exloy ammple 10. int at e .t hThese ese f eat urm esand in tso rtesult h e VPN bon Part I I It odet ails adv anced ent9-issues Par am etgersecu s in ryou prtint ou t tshou not dev iat e t oo u ch f rom t he on m esust in Ex amtple 9- 10 includin it y , rou lining he nld ecessar y st eps t h emser v ice p rov ider t ake o p rot ect t he un less y ouand havany e m anually TDPand set talso in gs.det ailin g t he lat est secu rit y f eat ur es t o allow back bone at t achedchang VPN ed sit es, m or e adv anced t op ologies and filt erin g. This par t also cov er s m ult i- car r ier MPLS VPN deploy m en t s. Fin ally , Par t I V pr ov id es a m et hodology for ad van ced MPLS VPN t r oubm Exa leshoot pl e 9ing - 1. 0 . show t ag- sw i t ch in g t dp par a m et er s Pr i nt ou t MPLS and VPN Ar chit ect u res, Volum e I I , also int rod uces t he lat est adv ances in cu st omer int egr at ion, secur it y, and t r oubleshoot ing feat u res essent ial t o p rov iding t h e adv anced

Router#show tag-switching tdp parameters
Protocol version: 1
Downstream tag pool: min tag: 16; max_tag: 100000
Session hold time: 180 sec; keep alive interval: 60 sec
Discovery hello: holdtime: 15 sec; interval: 5 sec
Discovery directed hello: holdtime: 180 sec; interval: 5 sec

NOTE

Most commonly, a mismatch in TDP hello and hold timers between adjacent LSRs causes TDP failures (detailed in the next section). In large networks or in stress-test environments, where a single LSR must allocate more than 100,000 labels (such as an autonomous system boundary router connecting two MPLS VPN networks), you must change the maximum label with the mpls label range configuration command.

Verify Correct Operation of TDP/LDP Hello Protocol

Next, check the correct operation of the TDP/LDP hello protocol with the show tag-switching tdp discovery or show mpls ldp discovery commands. These commands display all MPLS-enabled interfaces and the neighbors present on them in a printout similar to the one in Example 9-11.

Example 9-11. show tag-switching tdp discovery Printout

Router#show tag-switching tdp discovery
Local TDP Identifier:
    192.168.3.5:0
TDP Discovery Sources:
    Interfaces:
        Serial0/0.1: xmit
        Serial0/0.2: xmit/recv
            TDP Id: 192.168.3.3:0

The printout should display at least one TDP/LDP neighbor being present through each MPLS-enabled interface. MPLS-enabled interfaces that have no neighbors present on them (like the Serial0/0.1 interface in the previous printout) indicate faulty MPLS operation. The command printout displays only the keyword xmit next to interfaces that have no MPLS neighbors. The TDP/LDP hello protocol might not discover adjacent LSRs for several reasons, but the following ones occur most commonly:

• MPLS is not configured on the adjacent LSR or on the connecting interface in the adjacent LSR. Perform the quick checks from the previous section on the adjacent LSR.

• There is a protocol mismatch between adjacent LSRs. For example, one of the LSRs might support only TDP, whereas the other supports only LDP. It is also possible that one end of the link has been configured for TDP operation, whereas the other end has been configured for LDP operation. If your LSR is running IOS release 12.0ST, 12.2T, or 12.3 or greater, you can make it bilingual with the mpls label protocol both interface configuration command.

• An access list is blocking incoming UDP packets from adjacent LSRs. Check for the presence of access lists with the show ip interface command and verify their content with the show access-list command.

NOTE

After you have verified that your LSR can see adjacent LSRs, you must perform the same tests on all adjacent LSRs. TDP or LDP sessions start only after both LSRs can see each other.

Sometimes you will encounter an even stranger symptom: Your LSR detects the adjacent LSR but claims there is no route to the adjacent LSR, as shown in Example 9-12.

Example 9-12. show tag-switching tdp discovery Printout with No Route to the Adjacent LSR

Router#show tag-switching tdp discovery
Local TDP Identifier:
    192.168.3.3:0
TDP Discovery Sources:
    Interfaces:
        Serial0/0.1: xmit/recv
            TDP Id: 192.168.3.5:0
        Serial0/0.2: xmit
        Serial0/0.5: xmit/recv
            TDP Id: 192.168.3.2:0; no route

The explanation for this behavior is simple. As you might remember from Chapter 2, "Frame-Mode MPLS Operation," in Volume 1 of MPLS and VPN Architectures, the TDP or LDP sessions are run between TDP identifiers of the adjacent LSRs (usually the IP addresses of the loopback interfaces). These IP addresses must be reachable from the adjacent LSRs; otherwise, the TCP session cannot be established. In our printout, the IP address 192.168.3.2 (the TDP identifier of the LSR reachable through the interface Serial0/0.5) is not reachable by the local router. To fix this error, inspect your routing protocol configurations and ensure that the IP addresses used for TDP identifiers are announced to adjacent LSRs. For more details, please refer to Chapter 2 of MPLS and VPN Architectures, Volume 1.

Check TDP/LDP Sessions

With the adjacent LSRs successfully exchanging the TDP/LDP hello packets, the TDP/LDP session should start immediately. To verify the state of the TDP sessions, use the show tag-switching tdp neighbor command. Similarly, use the show mpls ldp neighbor command to verify the state of LDP sessions.
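As an added example that is not part of the book, the following Python script applies the hello-protocol and session checks described above to captured printouts: it flags interfaces that show only xmit, neighbors reported with no route, and discovered neighbors that have no session in the Oper state. The sample printouts are constructed after Examples 9-12 and 9-13, and the function and variable names are the example's own.

```python
"""Cross-check TDP/LDP discovery and neighbor printouts (added example, not book code)."""
import re

# Constructed sample printouts modelled on Examples 9-12 and 9-13 in this chapter.
DISCOVERY_OUTPUT = """\
Router#show tag-switching tdp discovery
Local TDP Identifier:
    192.168.3.3:0
TDP Discovery Sources:
    Interfaces:
        Serial0/0.1: xmit/recv
            TDP Id: 192.168.3.5:0
        Serial0/0.2: xmit
        Serial0/0.5: xmit/recv
            TDP Id: 192.168.3.2:0; no route
"""

NEIGHBOR_OUTPUT = """\
Router#show tag-switching tdp neighbor
Peer TDP Ident: 192.168.3.5:0; Local TDP Ident 192.168.3.3:0
        TCP connection: 192.168.3.5.11002 - 192.168.3.3.711
        State: Oper; PIEs sent/rcvd: 83/47; ; Downstream
        Up time: 00:37:52
        TDP discovery sources:
          Serial0/0.1
        Addresses bound to peer TDP Ident:
          192.168.3.17    192.168.3.14    192.168.3.5
"""

# "Serial0/0.2: xmit" (hellos sent, none received) or "Serial0/0.1: xmit/recv"
INTERFACE_RE = re.compile(r"^\s*(\S+?):\s+(xmit(?:/recv)?)\s*$")
# "TDP Id: 192.168.3.2:0; no route" -- the suffix is present only when unreachable
PEER_RE = re.compile(r"^\s*TDP Id:\s+(\S+?:\d+)(;\s*no route)?\s*$")
NEIGHBOR_RE = re.compile(r"^Peer TDP Ident:\s+(\S+?);")
STATE_RE = re.compile(r"^\s*State:\s+(\w+);")


def parse_discovery(text):
    """Return {interface: {"mode": "xmit"|"xmit/recv", "peers": {tdp_id: has_route}}}."""
    interfaces = {}
    current = None
    for line in text.splitlines():
        m = INTERFACE_RE.match(line)
        if m:
            current = m.group(1)
            interfaces[current] = {"mode": m.group(2), "peers": {}}
            continue
        m = PEER_RE.match(line)
        if m and current is not None:
            # group(2) is the "; no route" suffix; absent means the TDP id is routable
            interfaces[current]["peers"][m.group(1)] = m.group(2) is None
    return interfaces


def parse_neighbors(text):
    """Return {peer_tdp_id: session_state} from show tag-switching tdp neighbor output."""
    states = {}
    peer = None
    for line in text.splitlines():
        m = NEIGHBOR_RE.match(line)
        if m:
            peer = m.group(1)
            states[peer] = "unknown"
            continue
        m = STATE_RE.match(line)
        if m and peer is not None:
            states[peer] = m.group(1)
    return states


def find_problems(discovery_text, neighbor_text):
    """Apply the chapter's checks; return a list of (kind, subject) tuples."""
    problems = []
    interfaces = parse_discovery(discovery_text)
    sessions = parse_neighbors(neighbor_text)
    for ifname, info in interfaces.items():
        if info["mode"] == "xmit":
            # Hellos are sent but none received: no TDP/LDP neighbor on this interface.
            problems.append(("no-neighbor", ifname))
        for peer, has_route in info["peers"].items():
            if not has_route:
                # Neighbor seen via hello, but its TDP identifier is unreachable,
                # so the TCP session can never be established.
                problems.append(("no-route", peer))
            elif sessions.get(peer) != "Oper":
                # Neighbor discovered and routable, but no operational session:
                # check for an incoming access list blocking TCP.
                problems.append(("no-session", peer))
    return problems


if __name__ == "__main__":
    for kind, subject in find_problems(DISCOVERY_OUTPUT, NEIGHBOR_OUTPUT):
        print(f"{kind}: {subject}")
```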

NOTE

The show mpls ldp commands are available only in Cisco IOS releases that support LDP (IOS releases 12.0ST, 12.2T, and all mainstream releases starting with IOS release 12.3). In these releases, the show mpls ldp commands also display the state of the TDP sessions or neighbors.

The show tag-switching tdp neighbor command produces a printout similar to that shown in Example 9-13. In this command, you should see TDP/LDP sessions being established with all neighbors displayed in the show tag-switching tdp discovery printout.

Example 9-13. show tag-switching tdp neighbor Printout

Router#show tag-switching tdp neighbor
Peer TDP Ident: 192.168.3.5:0; Local TDP Ident 192.168.3.3:0
        TCP connection: 192.168.3.5.11002 - 192.168.3.3.711
        State: Oper; PIEs sent/rcvd: 83/47; ; Downstream
        Up time: 00:37:52
        TDP discovery sources:
          Serial0/0.1
        Addresses bound to peer TDP Ident:
          192.168.3.17    192.168.3.14    192.168.3.5
Peer TDP Ident: 192.168.3.2:0; Local TDP Ident 192.168.3.3:0
        TCP connection: 192.168.3.2.711 - 192.168.3.3.11001
        State: Oper; PIEs sent/rcvd: 4/4; ; Downstream
        Up time: 00:00:24
        TDP discovery sources:
          Serial0/0.5
        Addresses bound to peer TDP Ident:
          192.168.22.3    192.168.3.18    192.168.3.21    150.1.32.1
          192.168.3.26    192.168.3.2     150.1.31.5

The show tag-switching tdp neighbor command displays the details of the TCP connection between the adjacent LSRs, the status of the TDP/LDP session (the established session is indicated with the State: Oper printout), the interfaces through which the adjacent LSR is reachable (displayed in the TDP discovery sources section of the printout), and the IP addresses configured on the adjacent LSR (shown in the Addresses bound to peer TDP Ident section).

There are only a few reasons why the TDP or LDP session between adjacent LSRs would not start after the neighbor had been discovered through the TDP or LDP hello protocol:

• There is no route to the TDP/LDP identifier of the adjacent LSR.

• An incoming access list is blocking TCP packets.

See the previous section for more details on solving these problems.

Check the Label Exchange

After you have verified that the TDP or LDP sessions exist between adjacent LSRs, check whether the LSRs have assigned labels to the IP prefixes under consideration. The command to display the label information base (LIB) is the show tag-switching tdp bindings or show mpls ldp bindings command (depending on the IOS release you are using). These commands display the labels that the local LSR and all adjacent LSRs assign to a specified IP prefix (or all IP prefixes), as shown in Example 9-14.

NOTE

The show tag-switching tdp bindings command displays only the labels assigned to IP prefixes by local and adjacent LSRs—it does not display the labels actually used in MPLS labeled datagram forwarding.

Exa m pl e 9 - 1 4 . show t ag- sw i t ch in g t dp bin din gs Pr in t ou t

Router#show tag-switching tdp bindings 192.168.3.1 32
  tib entry: 192.168.3.1 255.255.255.255, rev 14
        local binding:  tag: 21
        remote binding: tsr: 192.168.3.2:0, tag: 23
        remote binding: tsr: 192.168.3.3:0, tag: 21

NOTE

LSRs that use independent control label assignment, including all Cisco routers, should assign a label to any IP prefix, except those learned through use of BGP. LSRs that use ordered control label assignment, including most Cisco ATM switches, should assign labels only when asked to do so by the upstream neighbors (downstream-on-demand label allocation). Please refer to Chapter 2 of MPLS and VPN Architectures, Volume 1 for more details on label assignment modes.

In any case, the label that the next-hop LSR assigns should be visible in the local LIB; otherwise, you will not have end-to-end MPLS forwarding.

You should follow two paths of investigation when the LIB contents do not match your expectations:

• LSRs assign labels only to non-BGP prefixes in their IP routing table. If the next-hop LSR has not provided a label to a prefix in the IP routing table of the local LSR, it might be because the next-hop LSR has a different prefix in its IP routing table (possibly due to route summarization).

• Label distribution is further filtered with an access list specified with the tag-switching advertise-tags command. If the downstream LSR is using a misconfigured label advertising access list, the LSR under inspection will not receive a label although it was assigned (but not distributed) by the downstream LSR. A good method to catch this symptom is to inspect the output of the show mpls forwarding-table command (a sample printout is available in Example 9-6), looking for untagged labels for destinations that are reachable through downstream P routers.
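Added example (not the book's code): a small Python parser for the show tag-switching tdp bindings printout that answers the question raised above, whether the next-hop LSR's label for a prefix is present in the local LIB, and lists the prefixes whose next hop has distributed no label, which are the candidates for the two investigations just described. The sample printout is constructed after Example 9-14; the next-hop TSR mapping is assumed to come from the routing table, and the function names are the example's own.

```python
"""Check next-hop label bindings in the LIB (added example, not book code)."""
import re

# Constructed sample modelled on Example 9-14; prefix and labels are the chapter's.
BINDINGS_OUTPUT = """\
Router#show tag-switching tdp bindings 192.168.3.1 32
  tib entry: 192.168.3.1 255.255.255.255, rev 14
        local binding:  tag: 21
        remote binding: tsr: 192.168.3.2:0, tag: 23
        remote binding: tsr: 192.168.3.3:0, tag: 21
"""

ENTRY_RE = re.compile(r"^\s*tib entry:\s+(\S+)\s+(\S+),")
LOCAL_RE = re.compile(r"^\s*local binding:\s+tag:\s+(\S+)")
REMOTE_RE = re.compile(r"^\s*remote binding:\s+tsr:\s+(\S+?),\s+tag:\s+(\S+)")


def parse_bindings(text):
    """Return {"prefix mask": {"local": tag, "remote": {tsr: tag}}} from the printout."""
    lib = {}
    entry = None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entry = f"{m.group(1)} {m.group(2)}"
            lib[entry] = {"local": None, "remote": {}}
            continue
        if entry is None:
            continue
        m = LOCAL_RE.match(line)
        if m:
            lib[entry]["local"] = m.group(1)
            continue
        m = REMOTE_RE.match(line)
        if m:
            # One remote binding per adjacent LSR (TSR = TDP identifier of the peer).
            lib[entry]["remote"][m.group(1)] = m.group(2)
    return lib


def next_hop_label(text, prefix, next_hop_tsr):
    """Label the next-hop LSR advertised for the prefix, or None if it is not in the LIB.

    None means end-to-end MPLS forwarding cannot work for this prefix: the next hop
    either has a different prefix in its routing table (e.g. summarization) or is
    filtering its label advertisements.
    """
    entry = parse_bindings(text).get(prefix)
    if entry is None:
        return None
    return entry["remote"].get(next_hop_tsr)


def missing_next_hop_labels(text, next_hops):
    """Given {prefix: next_hop_tsr} (assumed taken from the IP routing table),
    return the prefixes for which the next hop has not distributed a label."""
    return [p for p, tsr in next_hops.items() if next_hop_label(text, p, tsr) is None]


if __name__ == "__main__":
    prefix = "192.168.3.1 255.255.255.255"
    print(prefix, "via 192.168.3.2:0 ->", next_hop_label(BINDINGS_OUTPUT, prefix, "192.168.3.2:0"))
    print("missing:", missing_next_hop_labels(BINDINGS_OUTPUT, {prefix: "192.168.3.9:0"}))
```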

MPLS Data Plane Troubleshooting

With the MPLS control plane working properly, the MPLS data plane should work without further troubleshooting. There are, however, two cases in which the MPLS operation on the data plane might be affected:

• CEF switching might not be functional on individual interfaces.

• Non-MPLS devices in the forwarding path might affect propagation of labeled packets.

Monitoring Interface-Level CEF

Configuring CEF on the LSR does not guarantee that CEF switching will be performed on all interfaces. For example, you can disable CEF switching on an individual physical interface with the no ip route-cache cef interface configuration command. You can verify proper CEF operation on an individual interface with the show cef interface command. Proper CEF operation is indicated with a printout similar to the one in Example 9-15. (The critical line in the printout is the IP CEF switching enabled line.)

Example 9-15. show cef interface Printout

Router#show cef interface serial 0/0
Serial0/0 is up (if_number 4)
  Corresponding hwidb fast_if_number 11
  Corresponding hwidb firstsw->if_number 4
  Internet Protocol processing disabled
  Hardware idb is Serial0/0
  Fast switching type 5, interface type 56
  IP CEF switching enabled
  IP CEF Feature Fast switching turbo vector
  Input fast flags 0x1, Output fast flags 0x0
  ifindex 2(2)
  Slot 0 Slot unit 0 VC -1
  Transmit limit accumulator 0x0 (0x0)
  IP MTU 1500

CEF might be configured on an interface but not be operational if the interface uses an encapsulation method that CEF does not support (for example, in Cisco IOS release 12.2, CEF is not enabled on Ethernet subinterfaces that have 802.1q encapsulation) or if you have configured another IOS feature on the interface that is not compatible with CEF (such as generic traffic shaping).

NOTE

Interface-level CEF switching is needed only on ingress interfaces that receive IP packets on which the ingress LSR performs the label imposition process. CEF switching is not needed to forward labeled packets or to forward unlabeled IP packets.

Oversized Packet Issues

Another common data plane problem has nothing to do with the LSRs but with the Layer 2 devices inserted between them (most commonly LAN switches). The MPLS label imposition process increases the size of an IP packet by 4 bytes per label imposed. The resulting packet might be too large for the physical media it must traverse, resulting in a need for packet fragmentation. For example, a 1500-byte packet with three labels results in a 1530-byte Ethernet frame (12 bytes for the labels and 18 bytes for the Ethernet header/trailer). However, not all applications support packet fragmentation and reassembly (for example, Path MTU discovery fails when performed over poorly configured firewalls), forcing the network designer to extend the maximum length of the packet on the physical media. This action might, on the other hand, adversely impact the operation of some LAN switches that do not support large frames (also called giant frames).

NOTE

Some equipment manufacturers refer to frames only slightly larger than the maximum frame size specified in the Ethernet standards as baby giants.

The labeled packet size issue usually affects only the forwarding of large packets, resulting in an interesting symptom: The ping command works between the two endpoints, but the applications cannot pass useful data. To test for the presence of this symptom, perform the extended ping from the ingress to the egress router with varying packet sizes. If the ping command displays packet loss at certain packet sizes, you probably have an LSR that does not support full-size IP packets with imposed labels or a Layer 2 device that does not support giant frames in the forwarding path.

NOTE

Please refer to Example 9-16 for a sample troubleshooting session.



MPLS VPN Troubleshooting

Contrary to MPLS, which is simple to configure and troubleshoot, MPLS VPN technology encompasses a number of underlying concepts and technologies, ranging from various routing protocols (such as Routing Information Protocol [RIP], Open Shortest Path First [OSPF], and Border Gateway Protocol [BGP]) to complex routing designs, including controlled two-way redistribution between routing protocols, usually controlled with access-lists or route maps.

This section focuses exclusively on the MPLS VPN-specific troubleshooting topics. You can find an in-depth discussion of the underlying technologies in a number of Cisco Press books, including these:

- Advanced IP Network Design by Don Slice, Russ White, and Alvaro Retana (ISBN: 1578700973)
- Routing TCP/IP, Volume I and Routing TCP/IP, Volume II by Jeff Doyle (ISBN: 1578700418 and 1578700892)
- Internet Routing Architectures by Sam Halabi (ISBN: 157870233X)
- Large-Scale IP Network Solutions by Khalid Raza and Mark Turner (ISBN: 1578700841)
- Building Scalable Cisco Networks by Catherine Paquet and Diane Teare (ISBN: 1578702283)

MPLS VPN troubleshooting sometimes involves in-depth troubleshooting of the routing protocols deployed between the PE routers and CE routers. The various routing protocols supported between PE routers and CE routers are discussed in the following Cisco Press books:

- RIP in Routing TCP/IP, Volume I and Routing TCP/IP, Volume II by Jeff Doyle (ISBN: 1578700418 and 1578700892)
- BGP in Internet Routing Architectures by Sam Halabi (ISBN: 157870233X)
- OSPF in OSPF Network Design Solutions by Thomas M. Thomas (ISBN: 1578700469)
- EIGRP in EIGRP Network Design Solutions by Ivan Pepelnjak (ISBN: 1578701651)
- IS-IS in IS-IS Network Design Solutions by Abe Martey (ISBN: 1578702208)

NOTE

These references are provided solely for your convenience and do not necessarily represent an endorsement by the authors of this book.

This chapter uses a simple MPLS VPN network having just one customer with two CE routers and three PE routers (one acting as a route reflector), as shown in Figure 9-3.

Figure 9-3. Sample MPLS VPN Network

Quick MPLS VPN Checks

As always, you should start your troubleshooting efforts with a few quick checks to verify that you are using the right tools to troubleshoot the problem. Following are the quick checks in the MPLS VPN case:

- Can you ping between CE routers?
- Is there an end-to-end LSP between ingress and egress PE routers?
- Is CEF enabled on PE-CE interfaces?

NOTE

The end-to-end LSP test was covered in the "Verifying End-to-End LSP" section earlier in this chapter.

When these quick checks fail to resolve your problem, it is time for more in-depth MPLS VPN troubleshooting.

Pinging Between the CE Routers

The first check you should always perform is the connectivity check between the CE routers. Many problems reported to be network problems turn out to be end host, application software, or even end user problems.

The simplest connectivity check is the ping from the ingress CE router to the egress CE router. However, even this well-proven method can fail in interesting ways in an MPLS VPN environment. Some MPLS VPN networks do not propagate PE-CE circuit subnets to other sites, either by design or by omission. In these networks, the simple ping from one CE router to another CE router always fails: the packets that the pinging router sends use the IP address configured on the CE-PE link as the source IP address, and the pinged router has no return path.

NOTE


The question "Should the PE-CE circuit subnets be included in the VPN routing?" has no clear answer. Intuitively, the answer would be "yes," but some designs do not include these subnets in VPN routing for good reasons. If you think the PE-CE subnets should be part of VPN routing but they are not propagated between PE routers, you have probably forgotten to configure redistribute connected in the VRF address family configuration within the BGP routing process.

The proper way of using ping in the MPLS VPN environment is the extended ping using the IP address configured on the LAN interface of the CE router as the source IP address. If this ping works, the MPLS VPN network is probably working correctly. However, to ensure that the user applications do not encounter unexpected problems, you should always perform the extended ping with various packet sizes to verify that there are no hidden problems related to IP packet fragmentation within the provider backbone. As discussed previously in this chapter, the label imposition process increases the size of an IP packet. The resulting packet might be too large for the physical media it needs to traverse, resulting in a need for packet fragmentation, which might fail for various reasons (including incorrect operation of Path MTU discovery due to misconfigured access-lists). It is easy to check for this condition through the extended ping with varying packet sizes performed on the CE router. Start the extended ping on the ingress CE router and specify the following parameters (as shown in Example 9-16):

- Source address is the IP address of the LAN interface on the CE router.
- The Don't Fragment bit is set (to prevent fragmentation in the MPLS VPN network from interfering with the test).
- Packet sizes vary from MTU size minus 32 bytes (8 labels in the label stack, a condition you should almost never encounter) to the MTU size (1500 bytes in most networks).

If the extended ping starts losing packets as you near the MTU size, you have to check the MTU sizes in your MPLS VPN network and the giant frame support on your LAN switches, as detailed in previous sections of this chapter.

In Example 9-16, the responses stopped coming back at packet size 1497 (1480 plus 17 successful responses), indicating that the network cannot propagate labeled packets larger than 1500 bytes (1496 bytes of IP payload plus one label in the label stack).

Example 9-16. Extended PING with Sweeping Packet Sizes

CE-A#ping
Protocol [ip]:
Target IP address: 203.1.0.1
Repeat count [5]: 1
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 203.1.4.1
Type of service [0]:
Set DF bit in IP header? [no]: y
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]: y
Sweep min size [36]: 1480
Sweep max size [18024]: 1500
Sweep interval [1]:
Type escape sequence to abort.
Sending 21, [1480..1500]-byte ICMP Echos to 203.1.0.1, timeout is 10 seconds:
!!!!!!!!!!!!!!!!!M.M.
Success rate is 80 percent (17/21), round-trip min/avg/max = 448/457/471 ms
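The frame-size arithmetic from the "Oversized Packet Issues" section and the reading of the size sweep in Example 9-16, as an added example that is not code from the book: it computes the labeled frame size a LAN switch must carry, derives the recommended sweep bounds, and parses the sweep output above to find the first failing size (1497) and the label depth that explains it. The sample input is the result portion of Example 9-16 copied from this page; the 18-byte Ethernet overhead and 4-byte label size are the values the section quotes.

```python
"""Added example, not from the book: relate MPLS label-stack overhead to the
frame size a LAN switch must carry, and read an IOS extended-ping size sweep
to find the largest labeled packet the backbone still forwards."""
import re

MPLS_LABEL_BYTES = 4          # each imposed label adds 4 bytes (from the page)
ETHERNET_OVERHEAD_BYTES = 18  # 14-byte header plus 4-byte trailer (from the page)


def labeled_frame_size(ip_packet_bytes, labels):
    """Ethernet frame size once `labels` MPLS labels are pushed on an IP packet.
    A 1500-byte packet with three labels becomes a 1530-byte frame, which a
    switch without giant-frame support may drop."""
    return ip_packet_bytes + labels * MPLS_LABEL_BYTES + ETHERNET_OVERHEAD_BYTES


def sweep_range(link_mtu=1500, max_labels=8):
    """Sweep bounds the page recommends: MTU minus 32 bytes (8 labels) up to the MTU."""
    return link_mtu - max_labels * MPLS_LABEL_BYTES, link_mtu


def parse_sweep(output):
    """Extract (min_size, max_size, marker_string) from IOS sweep-ping output.
    With sweep interval 1, marker i corresponds to datagram size min_size + i.
    IOS markers: '!' reply received, '.' timeout, 'M' could not fragment (DF set)."""
    m = re.search(r"Sending \d+, \[(\d+)\.\.(\d+)\]-byte ICMP Echos", output)
    if m is None:
        raise ValueError("no sweep header found in output")
    lo, hi = int(m.group(1)), int(m.group(2))
    markers = next(line.strip() for line in output.splitlines()
                   if line.strip() and set(line.strip()) <= set("!.MUQ?&"))
    if len(markers) != hi - lo + 1:
        raise ValueError("marker count does not match sweep range (interval not 1?)")
    return lo, hi, markers


def first_failing_size(output):
    """First datagram size that got no reply, or None if every size succeeded."""
    lo, _, markers = parse_sweep(output)
    for i, mark in enumerate(markers):
        if mark != "!":
            return lo + i
    return None


def largest_successful_size(output):
    """Largest datagram size that was answered, or None if even the smallest failed."""
    lo, hi, _ = parse_sweep(output)
    failing = first_failing_size(output)
    if failing is None:
        return hi
    return None if failing == lo else failing - 1


def inferred_label_depth(output, link_mtu=1500):
    """Labels that must have been pushed if the largest answered packet exactly
    fills link_mtu. For Example 9-16 this is (1500 - 1496) / 4 = 1 label."""
    ok = largest_successful_size(output)
    if ok is None:
        return None
    return (link_mtu - ok) // MPLS_LABEL_BYTES


# Result lines of Example 9-16 on this page, used as the sample input.
EXAMPLE_9_16 = """\
Type escape sequence to abort.
Sending 21, [1480..1500]-byte ICMP Echos to 203.1.0.1, timeout is 10 seconds:
!!!!!!!!!!!!!!!!!M.M.
Success rate is 80 percent (17/21), round-trip min/avg/max = 448/457/471 ms
"""

if __name__ == "__main__":
    print("sweep plan for a 1500-byte MTU:", sweep_range())
    print("1500-byte packet with 3 labels ->", labeled_frame_size(1500, 3), "byte frame")
    print("first failing size:", first_failing_size(EXAMPLE_9_16))
    print("largest forwarded size:", largest_successful_size(EXAMPLE_9_16))
    print("inferred label depth:", inferred_label_depth(EXAMPLE_9_16))
```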

Check for CEF Switching

Similar to pure MPLS operation, in most IOS releases, MPLS VPN relies on CEF switching of packets received from the CE router by the PE router. CEF must be configured on the PE router (which is usually not an issue because MPLS would not work otherwise) as well as on individual PE-CE interfaces. You can verify proper CEF operation on individual interfaces with the show cef interface command. Proper CEF operation is indicated with a printout similar to Example 9-17. (The critical line in the printout is highlighted.)

Example 9-17. show cef interface Printout

Router#show cef interface serial 0/0
Serial0/0 is up (if_number 4)
  Corresponding hwidb fast_if_number 11
  Corresponding hwidb firstsw->if_number 4
  Internet Protocol processing disabled
  Hardware idb is Serial0/0
  Fast switching type 5, interface type 56
  IP CEF switching enabled
  IP CEF Feature Fast switching turbo vector
  Input fast flags 0x1, Output fast flags 0x0
  ifindex 2(2)
  Slot 0 Slot unit 0 VC -1
  Transmit limit accumulator 0x0 (0x0)
  IP MTU 1500

Sometimes CEF is configured on an interface but is not operational because the interface uses an encapsulation method that CEF does not support or because you have configured another IOS feature on the interface that is incompatible with CEF. A common example in the MPLS VPN environment is configuring generic traffic shaping (GTS) on the PE-CE interface, because this feature is incompatible with CEF switching.

In-Depth MPLS VPN Troubleshooting

In-depth MPLS VPN troubleshooting is usually performed exclusively on the control plane. The few MPLS VPN-specific errors that can occur on the data plane are almost always a result of a software bug and are best left to the Cisco Systems engineers.


To understand the steps in MPLS VPN troubleshooting, it is worth re-examining the steps that an IP prefix undertakes as it is propagated from the egress CE router to the ingress CE router, as shown in Figure 9-4.

Figure 9-4. Route Propagation Across MPLS VPN Network

NOTE
You might be confused by the claim that the IP prefix is propagated from the egress CE router to the ingress CE router. However, you must remember that the IP prefixes are propagated in the opposite direction of the data flow (always from downstream toward upstream routers). The egress CE router must announce its IP prefixes to the ingress CE router to enable the packet flow in the opposite direction.

The following steps are needed to transport an IP prefix across the MPLS VPN backbone:

Step 1. The egress CE router sends the prefix to the PE router through a CE-PE routing protocol. Alternatively, the prefix is configured statically on the PE router.

Step 2. The PE router installs the prefix into one or more VRF routing tables.


Step 3. The IP prefix is redistributed from the routing table into the MP-BGP table. In this process, the IP prefix is prepended with the route distinguisher. Various BGP attributes, including the extended community route target (RT), are attached to the MP-BGP route.

Step 4. The MP-BGP prefix is propagated across the MPLS VPN network.


Step 5. The best MP-BGP prefixes received by the ingress PE router are installed in the VRF routing tables configured on the PE router, based on the RT attached to the MP-BGP prefix and the RT configured for import in the VRF.

Step 6. Prefixes from the VRF routing table are redistributed into the PE-CE routing protocol and propagated to the ingress CE router.

Based on the process of propagating IP prefixes between customer sites, the MPLS VPN troubleshooting should follow these major steps:

Step 1. Check the CE-PE routing exchange.

Step 2. Check the route export functionality.

Step 3. Check the propagation of MPLS VPN routes.

Step 4. Check the route import functionality.

Step 5. Check the PE-CE routing exchange.
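Steps 3 through 5 of the propagation process, and troubleshooting steps 2 through 4 that mirror them, as an added example that is not code from the book: a minimal model in which the egress PE prepends the RD and attaches export RTs, MP-BGP carries the VPNv4 routes, and the ingress PE imports only routes whose RT matches its VRF's import RT. The customer prefix 203.1.4.0/24 and next hop 150.1.31.18 come from Example 9-18 on this page; the RD/RT values 65000:1 and 65000:2, the second customer's next hop 150.1.31.22, and the PE loopback 10.0.0.4 are constructed for the illustration.

```python
"""Added example, not from the book: model of RD prepending on export, MP-BGP
carriage of VPNv4 routes, and RT-driven import on the ingress PE, so that a
route exported correctly by the egress PE but missing from the ingress VRF can
be traced to a route-target mismatch rather than to a CE-PE routing fault."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class VpnRoute:
    """A VPNv4 route as carried by MP-BGP (Steps 3 and 4)."""
    rd: str
    prefix: str
    next_hop: str              # egress PE loopback (the MP-BGP next hop)
    route_targets: frozenset   # extended-community RTs attached at export

    @property
    def nlri(self):
        # The RD prepended to the IPv4 prefix keeps overlapping customer prefixes distinct.
        return f"{self.rd}:{self.prefix}"


@dataclass
class Vrf:
    name: str
    rd: str
    export_rts: set
    import_rts: set
    routes: dict = field(default_factory=dict)   # prefix -> next hop


def export_vrf(vrf, pe_loopback):
    """Step 3: redistribute VRF routes into MP-BGP, prepend the RD, attach the export RTs."""
    return [VpnRoute(vrf.rd, prefix, pe_loopback, frozenset(vrf.export_rts))
            for prefix in sorted(vrf.routes)]


def import_into(vrf, vpn_routes):
    """Step 5: install the VPNv4 routes whose RT set intersects the VRF's import RTs."""
    installed = []
    for route in vpn_routes:
        if route.route_targets & vrf.import_rts:
            vrf.routes[route.prefix] = route.next_hop
            installed.append(route.prefix)
    return installed


def explain_missing(vrf, vpn_routes, prefix):
    """Map a prefix missing from vrf to the troubleshooting step that most likely failed."""
    candidates = [r for r in vpn_routes if r.prefix == prefix]
    if not candidates:
        return "absent from MP-BGP: check route export on the egress PE or MP-BGP propagation"
    if any(r.route_targets & vrf.import_rts for r in candidates):
        return "importable: a matching RT is carried, check the VRF import on this PE"
    carried = sorted(set().union(*(r.route_targets for r in candidates)))
    return f"RT mismatch: route carries {carried}, VRF {vrf.name} imports {sorted(vrf.import_rts)}"


def build_egress_vrfs():
    """Constructed scenario: two customers both using 203.1.4.0/24 behind the egress PE."""
    vpna = Vrf("vpna", "65000:1", {"65000:1"}, {"65000:1"}, {"203.1.4.0/24": "150.1.31.18"})
    vpnb = Vrf("vpnb", "65000:2", {"65000:2"}, {"65000:2"}, {"203.1.4.0/24": "150.1.31.22"})
    return vpna, vpnb


if __name__ == "__main__":
    vpna, vpnb = build_egress_vrfs()
    bgp_table = export_vrf(vpna, "10.0.0.4") + export_vrf(vpnb, "10.0.0.4")
    for route in bgp_table:
        print("MP-BGP:", route.nlri, "RT", sorted(route.route_targets))
    good = Vrf("vpna", "65000:1", {"65000:1"}, {"65000:1"})        # correct import RT
    bad = Vrf("vpna", "65000:1", {"65000:1"}, {"65000:3"})         # mistyped import RT
    print("installed on correctly configured ingress PE:", import_into(good, bgp_table))
    print("installed on misconfigured ingress PE:", import_into(bad, bgp_table))
    print(explain_missing(bad, bgp_table, "203.1.4.0/24"))
```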

at pr ot ect ing t h e MPLS VPN

back bone

How t o carr y cust om er m ult icast t r aff ic insid e a VPN The egr ess CE- PE r out in g ex chang e is ver ified b y using t he show i p r out e v rf pr ot ocol com man d on t h e egr ess PE r out er , w her e pr ot ocol st an ds f or t he PE- CE r out ing pr ot ocol u sed The lat est in t er - car rier enh ancem ent s t o allow f or easier and m or e scalable d ep loym ent in t he VRF und er obser v at ion. ( A sam p le pr int out is included in Ex am ple 9- 18. ) Ver ify t h at t h e of int er - car r ier MPLS VPN serv ices r out e t o t he cu st om er LAN is pr esent in t he VRF rou t ing t able an d t h at it point s t o t h e exp ect ed out g oing int erf ace nex t -ing hop.t echn iques includ in g r ou t er out pu t s t o en su re high av ailab ilit y Adv anced t rouand blesh oot MPLS and VPN Ar chit ect u res, Volum e I I , b uilds on t he best - sellin g MPLS an d VPN Exa plu eres, 9 -Volum 1 8 . VRF t in0g02-Ta e onCisco a PE Rout Ar ch itm ect e I ( 1 -Rou 587 051) bl , f rom Pr ess. Ex ter endin g int o m or e adv anced t opics an d d ep loy m ent archit ect ur es, Volu m e I I pr ovid es r eader s w it h t he necessar y t ools t hey n eed t o d ep loy and m ain t ain a secur e, hig hly av ailab le VPN. MPLS and VPN Ar chit ect u res, Volum PE4#show ip route vrf vpna ripe I I , b eg in s w it h a br ief ref resher of t he MPLS VPN Ar ch it ect u re. Par t I I descr ibes adv anced MPLS VPN con nect iv it y includ in g t he int egr at ion of ser pr ovider access t echn olog ies ( dial, DSL, le, Et her net ) an d a v ariet ySerial0/0.100 of r out in g R v ice203.1.4.0 255.255.255.0 [120/1] via cab 150.1.31.18, 00:00:24, pr ot ocols ( I S- I S, EI GRP, and OSPF) , ar m in g t he r eader w it h t he k now ledge of h ow t o int egr at e t h ese f eat ur es in t o t h e VPN is b ack bon e. 
Part I I4I det ails adv anced d ep loy m ent issues 203.1.0.0 255.255.255.255 subnetted, subnets includin g secu r it y , ou t lining t he n ecessar y st eps t h e ser v ice p rov ider m ust t ake t o p rot ect t he back bone 203.1.0.4 and any at t ached VPNvia sit es, and also det ailin g t he lat est secu rit y f eat ur es t o allow R [120/1] 150.1.31.18, 00:00:24, Serial0/0.100 m or e adv anced t op ologies and filt erin g. This par t also cov er s m ult i- car r ier MPLS VPN deploy m en t s. Fin ally , Par t I V pr ov id es a m et hodology for ad van ced MPLS VPN t r oub leshoot ing . MPLS and VPN Ar chit ect u res, Volum e I I , also int rod uces t he lat est adv ances in cu st omer I f you d o not see t he cust om er rou t e in t he VRF rou t ing t able, check t he PE- CE r out ing pr ot ocol int egr at ion, secur it y, and t r oubleshoot ing feat u res essent ial t o p rov iding t h e adv anced

conf ig ur at ion on b ot h PE an d CE rou t er s. Th e best com man d t o use is t h e show i p p rot ocols [ v rf n a m e ] com m and t hat display s t he act u al set t in gs of t h e r out ing pr ot ocols in a VRF. Th e sam ple pr int ou t in Ex am ple 9- 19, t ak en fr om t h e eg ress PE r out er, sh ow s t he f ollow in g:

1. RIP is running in the VRF vpna.

2. RIP is redistributed into BGP.

3. RIP is running on interface Serial0/0.100 (the interface toward the CE router).

4. RIP version 2 is running.

5. The RIP routing protocol is receiving updates from IP address 150.1.31.18 (the CE router).

Example 9-19. show ip protocols Printout on the Egress PE Router

    Egress#show ip protocols vrf vpna
    Routing Protocol is "rip" (1)
      Sending updates every 30 seconds, next due in 24 seconds
      Invalid after 180 seconds, hold down 180, flushed after 240
      Outgoing update filter list for all interfaces is not set
      Incoming update filter list for all interfaces is not set
      Redistributing: rip, bgp 3 (2)
      Default version control: send version 2, receive version 2
        Interface             Send  Recv  Triggered RIP  Key-chain
        Serial0/0.100 (3)     2     2 (4)
      Maximum path: 4
      Routing for Networks:
        150.1.0.0
      Routing Information Sources:
        Gateway         Distance      Last Update
        150.1.31.18 (5)      120      00:00:22
      Distance: (default is 120)
Some of the most common mistakes that you can find in this troubleshooting step (apart from the usual routing protocol configuration errors) include the following:

• The PE-CE routing protocol is not configured. (The operator configured the global routing protocol, not the VRF routing protocol.)

• RIP version 1 is running in the VRF. RIP version 1 is not supported in MPLS VPN environments.

• Auto-summary is configured in the routing protocol. Customers who have migrated to MPLS VPN environments usually have discontiguous subnets that require routing protocol auto-summarization to be turned off.

• OSPF routes are received from the CE router with the down bit set because another PE router redistributed them into OSPF.

• Customer BGP routes are ignored because they are propagated between customer sites that use the same BGP autonomous system number.

In this step, you might also notice undesired behavior of multihomed customer sites that use routing protocols other than BGP. These sites might receive MPLS VPN routes from one PE router and send them to another PE router, as shown in Figure 9-5. Because the CE routes always take precedence over IBGP routes exchanged between PE routers (the administrative distance of internal BGP is 200), transit traffic flows over a multihomed customer site. Clearly, this is undesired behavior because the customer sites in an MPLS VPN solution should not act as transit points. An example of such a setup is displayed in Figure 9-5.

Figure 9-5. Transit Traffic Passing Through Customer Site
The following sequence of events occurs in the sample network:

1. Site-A sends its routes to PE-C.

2. The routes from Site-A are redistributed into MP-BGP and propagated to PE-A and PE-B. Both PE routers install the MP-BGP route into their VRF routing tables. Traffic flow from Site-B to Site-A is optimal.

3. The MP-BGP route is redistributed into RIP on PE-A and propagated to the multihomed site.

4. The multihomed site forwards the received RIP route to its other neighbor, PE-B. At this moment, PE-B has two routes available toward Site-A: the internal MP-BGP route with administrative distance 200, and the RIP route with administrative distance 120. Therefore, PE-B installs the RIP route into its VRF routing table and ignores the MP-BGP route it receives from PE-C.

5. Traffic flow from Site-B to Site-A is no longer optimal because it follows the path PE-B, multihomed site, PE-A, PE-C, Site-A.

NOTE

The easiest fix to the problem illustrated in Figure 9-5 is a consistent deployment of BGP on all multihomed sites. Most other solutions involve changing the administrative distance of individual routing protocols or even of individual routes within a routing protocol and should be avoided.

Route Export

When you have verified that the egress PE router has received the route from the CE router (and that you have fixed potential errors), verify that the route received from the CE router is redistributed into BGP by using the show ip route vrf name prefix command, as shown in Example 9-20. The most important line in the printout is the Advertised by bgp line, indicating that the customer's IP prefix is indeed advertised by MP-BGP.

NOTE

One of the most common MPLS VPN configuration mistakes is the omission of route redistribution into BGP, without which the connectivity between PE routers cannot be established.

Example 9-20. Detailed show ip route Printout on PE Router

    Egress#show ip route vrf vpna 203.1.4.0
    Routing entry for 203.1.4.0 255.255.255.0
      Known via "rip", distance 120, metric 1
      Redistributing via rip, bgp 3
      Advertised by bgp 3
      Last update from 150.1.31.18 on Serial0/0.100, 00:00:20 ago
      Routing Descriptor Blocks:
      * 150.1.31.18, from 150.1.31.18, 00:00:20 ago, via Serial0/0.100
          Route metric is 1, traffic share count is 1

After you verify that the customer route is redistributed into MP-BGP, verify the route distinguisher and RT attached to the customer route with the show ip bgp vpnv4 vrf name prefix command shown in Example 9-21. The route distinguisher value is shown in the BGP routing table entry for line, and the RT is shown in the Extended Community line.

Example 9-21. BGP Prefix in Egress PE Router

    Egress#show ip bgp vpnv4 vrf vpna 203.1.4.0
    BGP routing table entry for 3:10:203.1.4.0/24, version 9
    Paths: (1 available, best #1, table vpna)
      Advertised to non peer-group peers:
      192.168.3.3
      Local
        150.1.31.18 from 0.0.0.0 (192.168.3.4)
          Origin incomplete, metric 1, localpref 100, weight 32768, valid, sourced, best
          Extended Community: RT:3:10

If you get unexpected route distinguisher or RT values, check the VRF configuration with the show ip vrf detail command, which results in a printout similar to Example 9-22.
Example 9-22. VRF Definition on Egress Router Shows Export Route Map

    Egress#show ip vrf detail
    VRF vpna; default RD 3:10
      Interfaces:
        Serial0/0.100
      Connected addresses are not in global routing table
      Export VPN route-target communities
        RT:3:10
      Import VPN route-target communities
        RT:3:10
      No import route-map
      Export route-map: SetRT

Another common source of unexpected RT values is the export route map, where users tend to forget the additive keyword in the set extcommunity command. For example, the route map shown in Example 9-23 erases the route target 3:10 from a matching prefix when used in VRF vpna on the egress PE router and replaces it with route target 3:22, as displayed in Example 9-24.

Example 9-23. Export Route Map Used on Egress Router

    route-map SetRT permit 10
     match ip address prefix-list SetRT
     set extcommunity rt 3:22

Example 9-24. Default VRF Community Is Lost Due to Export Route Map

    PE4#show ip bgp vpnv4 vrf vpna 203.1.0.4
    BGP routing table entry for 3:10:203.1.0.4/32, version 33
    Paths: (1 available, best #1, table vpna)
      Advertised to non peer-group peers:
      192.168.3.3
      Local
        150.1.31.18 from 0.0.0.0 (192.168.3.4)
          Origin incomplete, metric 1, localpref 100, weight 32768, valid, sourced, best
          Extended Community: RT:3:22
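As an added example (not code from the book), the following Python script reads the show ip vrf detail, route-map and show ip bgp vpnv4 vrf printouts of Examples 9-22 through 9-24 and reports which of the VRF's default export RTs are missing from the exported prefix; the inputs are constructed copies of those examples with the router prompts removed, and rts_after_export_map models the additive keyword behaviour described above.

```python
"""Added example: check a VPNv4 prefix an egress PE exports against its VRF definition."""
import re

# Constructed inputs modelled on Examples 9-22, 9-23 and 9-24 (router prompts removed).
SHOW_IP_VRF_DETAIL = """\
VRF vpna; default RD 3:10
  Interfaces:
    Serial0/0.100
  Connected addresses are not in global routing table
  Export VPN route-target communities
    RT:3:10
  Import VPN route-target communities
    RT:3:10
  No import route-map
  Export route-map: SetRT
"""

ROUTE_MAP_SETRT = """\
route-map SetRT permit 10
 match ip address prefix-list SetRT
 set extcommunity rt 3:22
"""
# The same route map with the 'additive' keyword that operators tend to forget.
ROUTE_MAP_SETRT_ADDITIVE = ROUTE_MAP_SETRT.replace("rt 3:22", "rt 3:22 additive")

SHOW_BGP_VPNV4_PREFIX = """\
BGP routing table entry for 3:10:203.1.0.4/32, version 33
Paths: (1 available, best #1, table vpna)
  Advertised to non peer-group peers:
  192.168.3.3
  Local
    150.1.31.18 from 0.0.0.0 (192.168.3.4)
      Origin incomplete, metric 1, localpref 100, weight 32768, valid, sourced, best
      Extended Community: RT:3:22
"""


def parse_vrf_detail(text: str) -> dict:
    """Extract VRF name, RD, export/import RTs and export route-map name from 'show ip vrf detail'."""
    head = re.search(r"^VRF (\S+); default RD (\S+)", text, re.M)
    vrf = {"name": head.group(1), "rd": head.group(2), "export_rts": set(),
           "import_rts": set(), "export_route_map": None}
    current = None                       # RT list currently being read
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("Export VPN route-target"):
            current = vrf["export_rts"]
        elif s.startswith("Import VPN route-target"):
            current = vrf["import_rts"]
        elif s.startswith("RT:") and current is not None:
            current.add(s)
        else:
            current = None               # any other line ends the RT list
            if s.startswith("Export route-map:"):
                vrf["export_route_map"] = s.split(":", 1)[1].strip()
    return vrf


def parse_bgp_entry(text: str) -> tuple:
    """Return (RD, prefix, attached RTs) from a 'show ip bgp vpnv4 vrf ... prefix' entry."""
    m = re.search(r"entry for (\d+:\d+):(\S+), version", text)
    rts = set()
    for ext in re.finditer(r"Extended Community: (.+)", text):
        rts.update(tok for tok in ext.group(1).split() if tok.startswith("RT:"))
    return m.group(1), m.group(2), rts


def rts_after_export_map(vrf_export_rts: set, route_map: str) -> set:
    """Model the effect of the export route map on the VRF's default export RTs:
    'set extcommunity rt' replaces them unless 'additive' is present."""
    rts = set(vrf_export_rts)
    for m in re.finditer(r"^\s*set extcommunity rt (.+)$", route_map, re.M):
        tokens = m.group(1).split()
        new = {"RT:" + t for t in tokens if t != "additive"}
        rts = rts | new if "additive" in tokens else new
    return rts


def check_export(vrf_text: str, bgp_text: str) -> dict:
    """Compare the RD and RTs actually attached to the exported prefix with the VRF definition."""
    vrf = parse_vrf_detail(vrf_text)
    rd, prefix, attached = parse_bgp_entry(bgp_text)
    return {
        "prefix": prefix,
        "rd_matches": rd == vrf["rd"],
        "missing_rts": vrf["export_rts"] - attached,   # default RTs that were lost
        "extra_rts": attached - vrf["export_rts"],     # RTs added by the route map
        "export_route_map": vrf["export_route_map"],
    }


if __name__ == "__main__":
    print(check_export(SHOW_IP_VRF_DETAIL, SHOW_BGP_VPNV4_PREFIX))
    print(rts_after_export_map({"RT:3:10"}, ROUTE_MAP_SETRT))           # {'RT:3:22'}
    print(rts_after_export_map({"RT:3:10"}, ROUTE_MAP_SETRT_ADDITIVE))  # {'RT:3:10', 'RT:3:22'}
```

A non-empty missing_rts together with a named export route map points at Example 9-23's missing additive keyword; the route map with additive keeps RT:3:10 alongside RT:3:22.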



Propagation of MPLS VPN Routes

The routes that the egress PE router redistributes into MP-BGP need to be propagated to the ingress PE router. Verify that the ingress PE router receives the BGP route with the show ip bgp vpnv4 rd target prefix command, a sample of which is shown in Example 9-25.

Example 9-25. MP-BGP Route Received from Egress Router

    Ingress#show ip bgp vpnv4 rd 3:10 203.1.4.0
    BGP routing table entry for 3:10:203.1.4.0/24, version 21
    Paths: (1 available, best #1, table vpna)
      Not advertised to any peer
      Local
        192.168.3.2 (metric 10) from 192.168.3.2 (192.168.3.2)
          Origin incomplete, metric 3, localpref 100, valid, internal, best
          Extended Community: RT:3:10

An MP-BGP route might not be propagated from the egress to the ingress PE router for several reasons:

• A VPNv4 session between the PE routers has not been activated. Verify that the VPNv4 sessions are active with the show ip bgp neighbor command, which results in a printout similar to the one in Example 9-26.
Example 9-26. BGP Session Established with Another PE Router

    Ingress#show ip bgp neighbor 192.168.3.2
    BGP neighbor is 192.168.3.2, remote AS 3, internal link
      BGP version 4, remote router ID 192.168.3.2
      BGP state = Established, up for 00:41:40
      Last read 00:00:40, hold time is 180, keepalive interval is 60 seconds
      Neighbor capabilities:
        Route refresh: advertised and received(new)
        Address family IPv4 Unicast: advertised and received
        Address family VPNv4 Unicast: advertised and received
      Received 60 messages, 0 notifications, 0 in queue
      Sent 51 messages, 0 notifications, 0 in queue
      Route refresh request: received 0, sent 0
      Default minimum time between advertisement runs is 5 seconds

VPNv 4 sessions mig ht b e act ive, b ut t he r out e r eflect or client s hav e not been conf igur ed Wit h MPLS VPN Ar chit ect , y or ou'clien ll lear : ust b e config ur ed sep ar at ely f or each on t heand VPNv 4 session s. u(res, The Volum r out e e refI Ilect t sn m add ress fam ily .) Verif y t he p r oper r out e r eflect or client con figu rat ion on t he rou t e r ef lect or wit h t h e show i p b gp ne igh bor com m and. Focus on t he inf orm at ion display ed How t o int egr at e v ar iou s r em ot e access t echn ologies in t o t h e back bone p r ovidin g VPN abou t t h e VPNv4 ad dr ess f amily , as show n in Ex am ple 9- 27. ser v ice t o m any d iff er ent t yp es of cu st om er s The n ew PE- CE r out in g op t ions as w ell as ot her adv anced f eat ur es, includ ing per- VPN Exa e dr9ess - 2 7Tr. an BGP Rout Re f le ct or Cl ie nt Con fi gu r ed on VPNv 4 Net wm orkplAd slat ion ( PE-eNAT)

Sessi on How VRFs can be ex t ended int o a cust om er sit e t o pr ov ide sep ar at ion inside t he cust om er net w ork The lat estip MPLS secur it y 192.168.3.1 f eat u res an d d esign s aim ed at pr ot ect ing t h e MPLS VPN RR#show bgpVPN neighbor back bone BGP neighbor is 192.168.3.1, remote AS 3, internal link How t o carr y cust om er m ult icast t r aff ic insid e a VPN BGP version 4, remote router ID 192.168.3.1 The lat est in t er - car rier enh ancem ent s t o allow f or easier and m or e scalable d ep loym ent of int er - car r ier MPLS VPN serv ices BGP state = Established, up for 00:44:11 Adv anced t rou blesh oot ing t echn iques includ in g r ou t er out pu t s t o en su re high av ailab ilit y Last read 00:00:10, hold time is 180, keepalive interval is 60 seconds MPLS and VPN Ar chit ect u res, Volum e I I , b uilds on t he best - sellin g MPLS an d VPN capabilities: Ar ch it ectNeighbor u res, Volum e I ( 1 - 587 05- 0 02- 1) , f rom Cisco Pr ess. Ex t endin g int o m or e adv anced t opics an d d ep loy m ent archit ect ur es, Volu m e I I pr ovid es r eader s w it h t he necessar y t ools refresh: advertised and t hey n eed Route t o d ep loy and m ain t ain a secur e, higreceived(new) hly av ailab le VPN. Unicast: advertised received MPLS and Address VPN Ar chitfamily ect u res,IPv4 Volum e I I , b eg in s w it h a br iefand ref resher of t he MPLS VPN Ar ch it ect u re. Par t I I descr ibes adv anced MPLS VPN con nect iv it y includ in g t he int egr at ion of Address family advertised ser v ice pr ovider access t echnVPNv4 olog iesUnicast: ( dial, DSL, cab le, Et herand net ) received an d a v ariet y of r out in g pr ot ocols ( I S- I S, EI GRP, and OSPF) , ar m in g t he r eader w it h t he k now ledge of h ow t o messages, 0 notifications, in ails queue int egr at Received e t h ese f eat54 ur es in t o t h e VPN b ack bon e. 
Part I I0I det adv anced d ep loy m ent issues includin g secu r it y , ou t lining t he n ecessar y st eps t h e ser v ice p rov ider m ust t ake t o p rot ect t he Sent 0 notifications, in gqueue back bone and63 anymessages, at t ached VPN sit es, and also det0ailin t he lat est secu rit y f eat ur es t o allow m or e adv anced t op ologies and filt erin g. This par t also cov er s m ult i- car r ier MPLS VPN refresh 0, sentfor0 ad van ced MPLS VPN deploy mRoute en t s. Fin ally , Parrequest: t I V pr ov idreceived es a m et hodology t r oub leshoot ing . Default minimum time between advertisement runs is 5 seconds MPLS and VPN Ar chit ect u res, Volum e I I , also int rod uces t he lat est adv ances in cu st omer int egr at ion, secur it y, and t r oubleshoot ing feat u res essent ial t o p rov iding t h e adv anced

[... part of the printout deleted ...]

 For address family: VPNv4 Unicast
  BGP table version 41, neighbor version 41
  Index 1, Offset 0, Mask 0x2
  Route-Reflector Client
  3 accepted prefixes consume 180 bytes
  Prefix advertised 24, suppressed 0, withdrawn 0
  Number of NLRIs in the update sent: max 4, min 0

  Connections established 1; dropped 0
  Last reset never

The PE router might drop an MP-BGP route if it has no matching route target (none of the route targets attached to the route is configured in any VRF). In this case, verify the VRF settings with the show ip vrf detail command.

Route Import

The best MP-BGP route that a remote PE router receives is imported into the VRF routing table (assuming there is a match between the route targets configured in the VRF and the route targets attached to the route). Verify that the route is inserted into the VRF routing table with the show ip route vrf name prefix command, as shown in Example 9-28.

NOTE

In complex environments that have multihomed customer sites, a PE router might receive more than one MP-BGP route toward the same destination. In these cases, standard BGP route selection rules determine which route is the best route (regardless of the route targets attached to the route). You can use any BGP attribute to influence the route selection process; however, you are advised not to use the MED attribute if you redistribute BGP routes into RIP or OSPF, because the RIP/OSPF metric of the redistributed route is taken from the MED attribute.

Example 9-28. MP-BGP Route Inserted in the VRF Routing Table

Ingress#show ip route vrf vpna 203.1.4.0

Routing entry for 203.1.4.0 255.255.255.0
  Known via "bgp 3", distance 200, metric 3, type internal
  Redistributing via rip
  Advertised by rip metric transparent
  Last update from 192.168.3.2 00:14:42 ago
  Routing Descriptor Blocks:
  * 192.168.3.2 (Default-IP-Routing-Table), from 192.168.3.2, 00:14:42 ago
      Route metric is 3, traffic share count is 1
      AS Hops 0

There are three main reasons that a route the ingress PE router receives is not imported into the VRF:

- Mismatch in route targets, which can be verified easily with the show ip vrf detail command.

- Misconfigured import map. The printout shown in Example 9-29 includes a sample configuration error in which the VRF refers to a nonexistent route map. As you can see in the printout, the MP-BGP route is received by the ingress PE router but is not inserted into the VRF routing table. Further investigation reveals that the route map that the import map command refers to does not exist.

- Maximum VRF route limit has been exceeded.

Example 9-29. MP-BGP Route Not Inserted Due to Import Map Configuration Error

Ingress#show ip bgp vpnv4 rd 3:10 203.1.4.0
BGP routing table entry for 3:10:203.1.4.0/24, version 67
Paths: (1 available, best #1, table NULL)
  Not advertised to any peer
  Local
    192.168.3.2 (metric 10) from 192.168.3.2 (192.168.3.2)
      Origin incomplete, metric 3, localpref 100, valid, internal, best
      Extended Community: RT:3:10
Ingress#show ip route vrf vpna
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

R    203.1.1.0 255.255.255.0 [120/1] via 150.1.31.2, 00:00:01, Serial0/0.100
     203.1.0.0 255.255.255.255 is subnetted, 1 subnets
R       203.1.0.1 [120/1] via 150.1.31.2, 00:00:01, Serial0/0.100
     150.1.0.0 255.255.255.252 is subnetted, 1 subnets
C       150.1.31.0 is directly connected, Serial0/0.100
Ingress#show ip vrf detail
VRF vpna; default RD 3:10
  Interfaces:
    Serial0/0.100
  Connected addresses are not in global routing table
  Export VPN route-target communities
    RT:3:10
  Import VPN route-target communities
    RT:3:10
  Import route-map: NoSuchMap
  No export route-map
Ingress#show route-map NoSuchMap
route-map NoSuchMap not found

NOTE

Route import is a periodic process controlled by the bgp scan-time import parameter, which has a default value of 15 seconds. Therefore, there could be a 15-second gap between the time that the MP-BGP route is received and the time that it appears in the VRF routing table. Similarly, any configuration change takes effect within the next 15 seconds.


Redistribution of MPLS VPN Routes and Ingress PE-CE Routing Exchange

The last, but often misconfigured, part of the MPLS VPN route propagation process is the sending of the routes received via MP-BGP from remote customer sites to the CE router. Common configuration errors in this part include the following:

- Routes not being redistributed from MP-BGP into the PE-CE routing protocol

- Routes being redistributed with an illegal metric

NOTE

A less common design error occurs in networks that use MED to propagate the IGP metric across the MP-BGP backbone. If you mix routing protocols in such a design (or manually change MED values), you could end up in a situation in which a route is not propagated to a RIP neighbor because the RIP hop count transferred from the BGP MED attribute is too high.

You can verify whether a route is redistributed from MP-BGP into the PE-CE routing protocol with the show ip route vrf name prefix command. A printout taken from the ingress router is included in Example 9-30.

Example 9-30. MP-BGP Route Received from Another PE Router Is Not Advertised to CE Router

Ingress#show ip route vrf vpna 203.1.4.0
Routing entry for 203.1.4.0 255.255.255.0
  Known via "bgp 3", distance 200, metric 3, type internal
  Redistributing via rip
  Last update from 192.168.3.2 00:16:00 ago
  Routing Descriptor Blocks:
  * 192.168.3.2 (Default-IP-Routing-Table), from 192.168.3.2, 00:16:00 ago
      Route metric is 3, traffic share count is 1
      AS Hops 0

In the show ip route vrf name prefix printout, check the following:

- Presence of the Redistributing via protocol line, indicating that the MP-BGP route is redistributed into the PE-CE routing protocol

- Presence of the Advertised by protocol metric value line, indicating that the route is actually announced to the CE router

In Example 9-30, the route is not advertised to the CE routers because it is redistributed from MP-BGP into RIP with the default metric value of 16, which equals RIP infinity (indicating an unreachable route). After the PE router configuration is fixed, the PE router starts announcing the RIP route to the CE routers (see Example 9-31).

Example 9-31. Route Is Advertised to the CE Router After the Redistribution Metric Is Fixed

Ingress#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Ingress(config)#router rip
Ingress(config-router)#address-family ipv4 vrf vpna
Ingress(config-router-af)#redistribute bgp 3 metric 2
Ingress(config-router-af)#^Z
Ingress#
Ingress#show ip route vrf vpna 203.1.4.0
Routing entry for 203.1.4.0 255.255.255.0
  Known via "bgp 3", distance 200, metric 3, type internal
  Redistributing via rip
  Advertised by rip metric 2
  Last update from 192.168.3.2 00:16:47 ago
  Routing Descriptor Blocks:
  * 192.168.3.2 (Default-IP-Routing-Table), from 192.168.3.2, 00:16:47 ago
      Route metric is 3, traffic share count is 1
      AS Hops 0
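To make the checks from the Route Import section and from this section repeatable across many VRFs, here is an added Python example (not code from the book) that parses constructed copies of the show ip vrf detail, show route-map, show ip bgp vpnv4 and show ip route vrf printouts and reports the failure modes described above: route-target mismatch, missing import map, route not redistributed, and route not advertised (or advertised with RIP infinity). The sample printouts, function names and finding strings are my own, modelled on Examples 9-29 through 9-31 rather than captured from a router.

```python
"""Added example, not from the book: offline checks for the route-import and
PE-CE redistribution stages, using constructed printouts modelled on Examples 9-29 to 9-31."""
import re

RIP_INFINITY = 16  # a RIP hop count of 16 means "unreachable"

# Constructed "show ip vrf detail" output with a dangling import map.
VRF_DETAIL = """\
VRF vpna; default RD 3:10
  Export VPN route-target communities
    RT:3:10
  Import VPN route-target communities
    RT:3:10
  Import route-map: NoSuchMap
  No export route-map
"""
ROUTE_MAP_OUTPUT = "route-map NoSuchMap not found\n"  # from "show route-map NoSuchMap"

# Constructed tail of "show ip bgp vpnv4 rd 3:10 203.1.4.0".
BGP_ENTRY = """\
BGP routing table entry for 3:10:203.1.4.0/24, version 67
      Extended Community: RT:3:10
"""

# Constructed "show ip route vrf vpna 203.1.4.0", before and after the metric fix.
ROUTE_BEFORE = """\
Routing entry for 203.1.4.0 255.255.255.0
  Known via "bgp 3", distance 200, metric 3, type internal
  Redistributing via rip
"""
ROUTE_AFTER = ROUTE_BEFORE + "  Advertised by rip metric 2\n"


def parse_vrf_detail(text):
    """RD, import/export RTs and import route-map from 'show ip vrf detail'."""
    vrf = {"name": None, "rd": None, "import_rt": set(), "export_rt": set(), "import_map": None}
    section = None
    for line in text.splitlines():
        s = line.strip()
        m = re.match(r"VRF (\S+); default RD (\S+)", s)
        if m:
            vrf["name"], vrf["rd"] = m.group(1), m.group(2)
        elif s.startswith("Export VPN route-target"):
            section = "export_rt"
        elif s.startswith("Import VPN route-target"):
            section = "import_rt"
        elif s.startswith("Import route-map:"):
            vrf["import_map"] = s.split(":", 1)[1].strip()
        elif s.startswith("RT:") and section:
            vrf[section].add(s)  # RT lines belong to the heading above them
        else:
            section = None
    return vrf

def parse_route_targets(text):
    """RT extended communities attached to a 'show ip bgp vpnv4' entry."""
    rts = set()
    for m in re.finditer(r"Extended Community: (.*)", text):
        rts.update(tok for tok in m.group(1).split() if tok.startswith("RT:"))
    return rts

def parse_vrf_route(text):
    """Protocols the route is redistributed into, and which ones actually advertise it."""
    info = {"redistributing": [], "advertised": {}}
    for line in text.splitlines():
        s = line.strip()
        m = re.match(r"Redistributing via (\S+)", s)
        if m:
            info["redistributing"].append(m.group(1))
        m = re.match(r"Advertised by (\S+) metric (\S+)", s)
        if m:
            proto, metric = m.groups()
            info["advertised"][proto] = int(metric) if metric.isdigit() else metric
    return info

def check_import(vrf, route_rts, route_map_output):
    """Import failures visible in these printouts: RT mismatch and a missing import map."""
    findings = []
    if not (vrf["import_rt"] & route_rts):
        findings.append("rt-mismatch: route carries %s, VRF imports %s"
                        % (sorted(route_rts), sorted(vrf["import_rt"])))
    rmap = vrf["import_map"]
    if rmap and re.search(r"route-map %s not found" % re.escape(rmap), route_map_output):
        findings.append("import-map-missing: %s" % rmap)
    return findings

def check_redistribution(info):
    """PE-CE stage: redistributed at all, announced at all, and not with RIP infinity."""
    findings = []
    if not info["redistributing"]:
        findings.append("not-redistributed")
    for proto in info["redistributing"]:
        metric = info["advertised"].get(proto)
        if metric is None:
            findings.append("not-advertised: %s" % proto)
        elif proto == "rip" and isinstance(metric, int) and metric >= RIP_INFINITY:
            findings.append("rip-metric-infinity: %s" % metric)  # 16 = unreachable
    return findings
```

Running check_import on the constructed VRF and BGP entry reports only the missing import map, and check_redistribution reports "not-advertised: rip" for the pre-fix route and nothing after the metric is set to 2. The VRF route limit, the third import failure named in the text, is not visible in these printouts and is deliberately not checked.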




Summary

In this chapter, you saw guidelines for troubleshooting MPLS-based solutions. Most of these solutions require an end-to-end LSP between routers at the edge of the P-network. Therefore, checking this LSP with a trace command in combination with disabled TTL propagation is always a good starting point. Should you find that the LSP works as expected, focus on the troubleshooting of the solution that is deployed on top of the MPLS backbone; otherwise, fix the MPLS backbone first.

Let's also conclude this chapter with a short note on the troubleshooting process itself. This chapter presented only one of the possible approaches to MPLS troubleshooting. You will, over time and based on your experience, probably find another approach that will give you quicker results based on the errors you encounter most commonly in your network. For example, you might want to start with the end-to-end LSP check first, check for problems with large packet propagation next, and only then go to further troubleshooting steps. However, the distribution of common errors varies from one network to another; therefore, it is impossible to give you a recipe that will be optimal in all circumstances.

The MPLS backbone troubleshooting should start with a few quick checks performed on all LSRs in your network:

- Is CEF switching enabled on the LSR?
- Is MPLS enabled on the LSR?
- Is MPLS enabled on all interfaces?

If these quick checks do not solve your problem, you have to go into control-plane troubleshooting and perform the following checks:

- Are adjacent LSRs discovered through the TDP/LDP hello protocol?
- Do the LSRs have routes to the TDP/LDP identifier of the adjacent LSR?
- Is the TCP session established after the adjacent LSR is discovered?
- Are the labels exchanged between adjacent LSRs?

After you have verified that the control plane works correctly and the TDP/LDP sessions are established and labels are exchanged, verify the correct operation of the MPLS data plane with the following checks:

- Is CEF operational on the ingress interface where the label imposition is performed on the IP packets?
- Is there an end-to-end LSP between the ingress and egress LSR?
- Does the problem you are troubleshooting affect only large packets?

In the MPLS VPN environment, the common errors include these:

- The reported problem is not really an MPLS VPN problem or even a network problem, but an application or user problem.
- The MPLS backbone does not support a large enough MTU size.
- The end-to-end LSP is broken between the ingress and egress PE routers.

If these quick checks do not solve your problem, you must go into MPLS VPN troubleshooting and verify all steps in MPLS VPN route propagation:

- Exchange of routing information from CE router to PE router
- Redistribution of customer route into MP-BGP (also check for correct values of RD and RT at this step)
- Propagation of MP-BGP route across MPLS VPN backbone
- Import of MP-BGP route into VRF routing table on the receiving PE router
- Redistribution of MP-BGP route into PE-CE routing protocol and propagation of the redistributed route to the CE router

With MPLS and VPN Architectures, Volume II, you'll learn:

How to integrate various remote access technologies into the backbone providing VPN service to many different types of customers

The new PE-CE routing options as well as other advanced features, including per-VPN Network Address Translation (PE-NAT)

How VRFs can be extended into a customer site to provide separation inside the customer network

The latest MPLS VPN security features and designs aimed at protecting the MPLS VPN backbone

How to carry customer multicast traffic inside a VPN

The latest inter-carrier enhancements to allow for easier and more scalable deployment of inter-carrier MPLS VPN services

Advanced troubleshooting techniques including router outputs to ensure high availability

MPLS and VPN Architectures, Volume II, builds on the best-selling MPLS and VPN Architectures, Volume I (1-58705-002-1), from Cisco Press. Extending into more advanced topics and deployment architectures, Volume II provides readers with the necessary tools they need to deploy and maintain a secure, highly available VPN.

MPLS and VPN Architectures, Volume II, begins with a brief refresher of the MPLS VPN Architecture. Part II describes advanced MPLS VPN connectivity including the integration of service provider access technologies (dial, DSL, cable, Ethernet) and a variety of routing protocols (IS-IS, EIGRP, and OSPF), arming the reader with the knowledge of how to integrate these features into the VPN backbone.

Part III details advanced deployment issues including security, outlining the necessary steps the service provider must take to protect the backbone and any attached VPN sites, and also detailing the latest security features to allow more advanced topologies and filtering. This part also covers multi-carrier MPLS VPN deployments. Finally, Part IV provides a methodology for advanced MPLS VPN troubleshooting. MPLS and VPN Architectures, Volume II, also introduces the latest advances in customer integration, security, and troubleshooting features essential to providing the advanced

[SYMBOL] [A] [B] [C] [D] [E] [F] [G] [H] [I] [K] [L] [M] [N] [O] [P] [R] [S] [T] [U] [V] [W]




6PE
  designing with BGP confederations
  designing with BGP route reflectors 2nd 3rd
  inter-AS 6PE deployment 2nd
  inter-MP-BGP session establishment 2nd 3rd
  IPv6 datagram forwarding across MPLS backbone 2nd 3rd 4th
  IPv6 route exchange between CE and PE routers 2nd 3rd
  labeled IPv6 MP-BGP prefixes, configuring 2nd 3rd 4th
  route redistribution 2nd 3rd
  versus MPLS VPN
6PE (IPv6 provider edge router)




[SYMBOL] [A] [B] [C] [D] [E] [F] [G] [H] [I] [K] [L] [M] [N] [O] [P] [R] [S] [T] [U] [V] [W]

AAA
  per-VRF AAA 2nd 3rd 4th 5th
  RADIUS 2nd
    AV pairs 2nd
    VSAs 2nd
access protocols
  DHCP 2nd 3rd 4th
  PPP
    L2TP 2nd
    LCP 2nd 3rd
    RADIUS 2nd
      AV pairs 2nd
      VSAs 2nd
    VPDNs 2nd 3rd 4th
access technology integration with MPLS-based VPNs 2nd
access-lists
  limiting access to PE/CE circuits 2nd 3rd 4th 5th
accessing common services with PE-NAT 2nd 3rd
address pools
  ODAPs 2nd 3rd 4th 5th 6th 7th
addressing
  IPv6 2nd
    interface ID
    public address space
advanced MPLS VPN remote access features of Cisco IOS Software
  ODAPs 2nd 3rd 4th 5th 6th 7th
  per-VRF AAA 2nd 3rd 4th 5th
Advertising Router field (LSA)
antilabel spoofing 2nd
applications (MPLS)
architecture
  control plane
    troubleshooting
      verifying label exchange 2nd
      verifying local TDP/LDP parameters 2nd
      verifying TDP/LDP Hello protocol 2nd
      verifying TDP/LDP session state 2nd
  customer control plane
  data plane 2nd
  data plane
    troubleshooting 2nd 3rd 4th
  point-to-point architecture 2nd 3rd 4th 5th 6th 7th 8th 9th 10th 11th 12th 13th 14th 15th 16th 17th 18th 19th 20th 21st 22nd 23rd 24th 25th 26th 27th 28th 29th 30th 31st 32nd 33rd 34th 35th 36th 37th 38th 39th 40th 41st 42nd 43rd 44th 45th 46th 47th 48th 49th 50th 51st 52nd 53rd 54th 55th 56th 57th 58th 59th 60th 61st 62nd 63rd 64th 65th 66th 67th 68th 69th 70th 71st 72nd 73rd 74th 75th 76th 77th 78th 79th 80th 81st 82nd 83rd 84th 85th 86th 87th 88th 89th 90th 91st 92nd 93rd 94th 95th 96th 97th 98th 99th 100th 101st 102nd 103rd 104th 105th 106th 107th 108th 109th 110th 111th 112th 113th 114th 115th 116th 117th 118th 119th 120th 121st 122nd 123rd 124th 125th 126th 127th 128th 129th 130th 131st 132nd 133rd 134th 135th 136th 137th 138th 139th 140th 141st 142nd 143rd 144th 145th 146th
  provider control plane
    selecting 2nd 3rd 4th 5th 6th 7th 8th 9th 10th 11th 12th 13th 14th 15th 16th 17th 18th 19th 20th 21st 22nd 23rd 24th 25th 26th 27th 28th 29th 30th 31st 32nd 33rd 34th 35th 36th 37th 38th 39th 40th 41st 42nd 43rd 44th 45th 46th 47th 48th 49th 50th 51st 52nd 53rd 54th 55th 56th 57th 58th 59th 60th 61st 62nd 63rd 64th 65th 66th 67th 68th 69th 70th 71st 72nd 73rd 74th 75th 76th 77th 78th 79th 80th 81st 82nd 83rd 84th 85th 86th 87th 88th 89th 90th 91st 92nd 93rd 94th 95th 96th 97th 98th 99th 100th 101st 102nd 103rd 104th 105th 106th 107th 108th 109th 110th 111th 112th 113th 114th 115th 116th 117th 118th 119th 120th 121st 122nd 123rd 124th 125th 126th 127th 128th 129th 130th 131st 132nd 133rd 134th 135th 136th 137th 138th 139th 140th 141st 142nd 143rd 144th 145th 146th
ATM
  PPPoA
    configuring DSL access to MPLS VPN 2nd 3rd 4th
attributes (BGP)
  UPDATE authenticator
authentication
  CE-to-CE 2nd 3rd 4th
  LCP
  neighbor authentication 2nd
    between PE routers 2nd
    on P-networks 2nd
    on PE/CE circuits 2nd 3rd 4th
automatic route filtering
AV (attribute value) pairs 2nd


B

back-to-back VRFs 2nd 3rd
backbone
  connecting with virtual router 2nd 3rd 4th 5th 6th 7th 8th 9th 10th 11th 12th 13th
  troubleshooting
    verifying end-to-end LSP 2nd
backbone connectivity
  in Carrier's Carrier architecture 2nd
    dynamic routing between CSC PE/CE routers 2nd
    external route exchange 2nd 3rd 4th
    internal route exchange 2nd
    static routing between CSC PE/CE routers 2nd 3rd
backdoor links 2nd 3rd 4th 5th 6th
BGP
  between PE/CE routers 2nd 3rd
  extended community attributes for OSPF routers 2nd 3rd
  IPv6 configuration on Cisco IOS Software 2nd
  multi-VRF configuration 2nd 3rd 4th 5th
  route filtering on CSC CE routers to PE router links
  UPDATE authenticator attribute
BOOTP messages 2nd 3rd 4th


C

C routers
  C-packets forwarding 2nd
capability vrf-lite command
Carrier's Carrier architecture 2nd
  backbone connectivity 2nd
    dynamic routing between CSC PE/CE routers 2nd
    external route exchange 2nd 3rd 4th
    internal route exchange 2nd
    static routing between CSC PE/CE routers 2nd 3rd
  hierarchical VPNs 2nd 3rd 4th
  route types 2nd 3rd
CE (customer edge) devices
CE routers
  controlling routes injected into VRF 2nd
    with eBGP 2nd 3rd
    with Multiprotocol BGP 2nd 3rd
    with OSPF 2nd
    with RIPv2 2nd
  GRE tunneling
  multi-VRF functionality
    BGP configuration 2nd 3rd 4th 5th
    configuring 2nd 3rd 4th 5th 6th 7th 8th
    OSPF configuration 2nd 3rd 4th
    overlapping VPN configuration 2nd 3rd 4th
    pinging between PE-CE 2nd
    with firewall functionality
CE-to-CE authentication 2nd 3rd 4th
CE-to-CE Authentication Token
CEF
  verifying operation
CEF switching
  verifying 2nd
CHAP
  three-way handshake 2nd
ChapterNumber 2nd
circuit addresses
  preventing overlap
Cisco IOS Software
  advanced MPLS VPN remote access features
    ODAPs 2nd 3rd 4th 5th 6th 7th
    per-VRF AAA 2nd 3rd 4th 5th
  IPv4+Labels 2nd 3rd
    BGP next hop exchange 2nd 3rd 4th
    route filtering on CSC CE routers to PE router links 2nd 3rd 4th 5th
  IPv6 2nd 3rd 4th 5th
  configuring MPLS VPN remote access features 2nd
commands
  capability vrf-lite
  ip vrf receive
  redistribute bgp
  show ip route vrf 2nd 3rd
  show mpls interface
  show vpdn session
common server VRF configuration
comparing MPLS VPN and 6PE
configuring
  6PE
    IPv6 datagram forwarding across MPLS backbone 2nd 3rd 4th
    labeled IPv6 MP-BGP prefixes 2nd 3rd 4th
    route reflectors 2nd 3rd
    with BGP confederations
    with BGP route reflectors 2nd 3rd
  Cisco IOS Software
    IPv6 2nd 3rd 4th 5th
  dial backup for MPLS VPN access 2nd 3rd
  dial-in access
    via direct ISDN 2nd 3rd 4th 5th 6th 7th 8th 9th
    via L2TP VPDN 2nd 3rd 4th 5th 6th 7th 8th 9th 10th 11th 12th 13th 14th 15th 16th 17th 18th 19th 20th 21st
  dial-out access via LSDO 2nd 3rd
    downloading static routes 2nd 3rd 4th
    LAC/NAS configuration
    RADIUS attributes
    verifying VRF-aware LSDO operation 2nd 3rd
    VHG/PE router configuration 2nd 3rd
  dial-out access without LSDO 2nd
  DSL access to MPLS VPN 2nd 3rd
    PPPoA 2nd 3rd 4th 5th 6th 7th 8th
    PPPoE 2nd 3rd 4th 5th 6th 7th
    RFC 1483 bridged encapsulation 2nd
    RFC 1483 routed encapsulation
  MPLS VPN access
    via cable 2nd 3rd 4th 5th 6th 7th
  MPLS VPN remote access
    ODAPs 2nd 3rd 4th 5th 6th 7th
    per-VRF AAA 2nd 3rd 4th 5th
  sham-links 2nd 3rd 4th
  VRF
    multi-VRF functionality 2nd 3rd 4th 5th 6th 7th 8th 9th 10th 11th 12th 13th 14th 15th 16th 17th
    PE-NAT 2nd 3rd 4th 5th 6th 7th 8th 9th 10th 11th 12th 13th 14th 15th 16th 17th 18th 19th 20th
      selection based on source IP address 2nd 3rd 4th
connection-oriented VPNs 2nd 3rd
  technologies for implementing 2nd
connectionless VPNs 2nd 3rd
connectivity
  between ISPs 2nd
    back-to-back VRFs 2nd 3rd
    external Multiprotocol BGP 2nd 3rd 4th 5th 6th 7th 8th 9th
    Multihop MP-eBGP 2nd 3rd 4th 5th 6th 7th 8th 9th 10th 11th
    requirements 2nd
    route distribution across ASBR-ASBR links 2nd 3rd 4th 5th 6th
control plane
  troubleshooting
    verifying label exchange 2nd
    verifying local TDP/LDP parameters 2nd
    verifying TDP/LDP Hello protocol 2nd
    verifying TDP/LDP session state 2nd
controlling
  access to extranet VPNs 2nd
  LSA type generation at PE routers 2nd
  routes injected into VRF 2nd
    with eBGP as PE/CE routing protocol 2nd 3rd
    with Multiprotocol BGP 2nd 3rd
    with OSPF as PE/CE routing protocol 2nd
    with RIPv2 2nd
core networks
  visibility to customer VPN 2nd
customer control plane




D

data plane 2nd
data plane
  oversized packets
    troubleshooting 2nd
  troubleshooting 2nd
Data-MDT 2nd 3rd 4th 5th 6th 7th 8th 9th
Data-MDT joins
default routes
  shared Internet access
Default-MDT
  multicast tunnel interfaces 2nd 3rd
Default-MDTs 2nd
deploying
  6PE
    BGP route reflectors 2nd 3rd
    inter-AS deployment 2nd
    IPv6 datagram forwarding across MPLS backbone 2nd 3rd 4th
    IPv6 route exchange between PE and CE routers 2nd 3rd
    labeled IPv6 MP-BGP prefixes 2nd 3rd 4th
    MP-BGP session establishment 2nd 3rd
    with existing BGP confederations
  IPv6 2nd 3rd
  sham-links
devices
  MPLS 2nd 3rd
DHCP 2nd 3rd 4th
DHCP Relay
  VPN support 2nd 3rd 4th 5th 6th
dial backup for MPLS VPN access 2nd 3rd
dial-in access
  via direct ISDN 2nd 3rd
    NAS/PE router configuration 2nd
    RADIUS server attributes 2nd
    SOHO router configuration
    verifying dial-in operation
  via L2TP VPDN 2nd
    aggregating remote user host addresses 2nd
    configuring access between RADIUS servers 2nd 3rd 4th
    NAS/LAC configuration
    RADIUS server attributes 2nd 3rd 4th 5th
    verifying dial-in 2nd 3rd 4th
    VHG/PE router configuration 2nd 3rd
dial-out access via LSDO 2nd 3rd
  downloading static routes 2nd 3rd 4th
  LAC/NAS configuration
  RADIUS attributes
  verifying VRF-aware LSDO operation 2nd 3rd
  VHG/PE router configuration 2nd 3rd
dial-out access without LSDO 2nd
direct dial-in access via ISDN 2nd 3rd
  NAS/PE router configuration 2nd
  RADIUS server attributes 2nd
  SOHO router configuration
  verifying dial-in operation
distribution trees
  Default-MDT
DMT (Discrete Multitone)
DOCSIS
  MPLS VPN access via cable 2nd 3rd 4th 5th
    head end PE router configuration
    verifying configuration 2nd
dotted decimal notation
  IPv6 addresses
downloading static routes from AAA server 2nd 3rd 4th
DSL
  MPLS VPN access
    configuring 2nd 3rd 4th 5th 6th
    via PPPoA 2nd 3rd 4th 5th 6th 7th 8th
    via PPPoE 2nd 3rd 4th 5th 6th 7th
dynamic routing
  between CSC PE/CE routers 2nd


E

eBGP
  controlling routes injected into VRF 2nd 3rd
egress CE-PE routing exchange
  troubleshooting 2nd 3rd
EIGRP
  Extended Community attributes
  External Information
  PE-CE connectivity
    extended community attributes (BGP) 2nd
    requirements 2nd
    route propagation with Multiprotocol BGP 2nd
    separation of VPN routing information 2nd 3rd
    VRF route types 2nd
enabling multicast in VRFs 2nd
end-to-end LSP
  verifying 2nd
Ethernet
  PPPoE
    configuring DSL access to MPLS VPN 2nd 3rd
extended BGP communities
extended community attribute
  CE-to-CE Authentication Token
extended community attribute (BGP)
  for EIGRP routes 2nd
  for OSPF routes 2nd 3rd
external routes
  exchange between VPN sites 2nd 3rd 4th
extranet VPNs
  restricting access 2nd


F

FIB (forwarding information base)
filtering routes
  accessing PE/CE circuits 2nd 3rd 4th 5th
firewalls
  co-locating for Internet access 2nd
  PE-NAT
  shared firewall functionality 2nd 3rd 4th 5th
  restricting access to extranet VPNs 2nd
forwarding
  C-packets 2nd
  P-packets


G

GRE
  creating virtual links between adjacent routers 2nd 3rd 4th 5th 6th 7th 8th 9th 10th 11th 12th
  MDTs
    Data-MDT 2nd 3rd 4th
    Default MDTs 2nd
    MTI 2nd


H

HFC (hybrid fiber-coaxial) 2nd 3rd 4th
HFC networks
  configuring MPLS VPN access via cable 2nd
hiding core network addresses
hierarchical VPNs 2nd 3rd 4th
hub-and-spoke
  Internet access
  with global routing table 2nd
I

impetus for IPv6 implementation 2nd
implementing
  6PE
    BGP route reflectors 2nd 3rd
    inter-AS deployment 2nd
    IPv6 datagram forwarding across MPLS backbone 2nd 3rd 4th
    IPv6 route exchange between PE and CE routers 2nd 3rd
    labeled IPv6 MP-BGP prefixes 2nd 3rd 4th
    MP-BGP session establishment 2nd 3rd
    with existing BGP confederations
  IPv6 2nd 3rd
    motivation for 2nd
independent control
  label assignment
ingress CE-PE routing exchange
  troubleshooting 2nd 3rd
inherent security capabilities
  address space separation 2nd 3rd
  core network visibility 2nd
  resistance to label spoofing 2nd
  static labels 2nd
inter-AS 6PE deployment 2nd
inter-MP-BGP session establishment (6PE) 2nd 3rd
interdepartmental isolation
interface ID (IPv6)
interface-level CEF monitoring 2nd
interior routing protocol
  IPv6 configuration on Cisco IOS Software 2nd
internal routes
  exchange of, between network sites 2nd
Internet
  provisioning access 2nd
    CE routers with firewall functionality
    default routes
    firewall location 2nd
    hub-and-spoke topology with global routing table 2nd
interprovider connectivity
  back-to-back VRFs 2nd 3rd
  external Multiprotocol BGP 2nd 3rd 4th 5th 6th 7th 8th 9th
  Multihop MP-eBGP 2nd 3rd 4th 5th 6th
    between route reflectors 2nd 3rd 4th 5th
  requirements 2nd
  route distribution across ASBR-ASBR links 2nd 3rd 4th 5th 6th
IP addressing
  DHCP Relay support 2nd 3rd 4th 5th 6th
  MPLS VPN 2nd
IP multicast
  distribution trees
  in service provider environment 2nd 3rd
  MDT
    mBGP updates 2nd 3rd
  multicast domains
    state flags 2nd
  multicast forwarding 2nd
  mVPN case study 2nd through 23rd
  PIM
    Bi-Dir PIM
    PIM DM
    PIM SM
    SSM
  RPF 2nd
  RPF checks 2nd 3rd
  shared trees 2nd
  source trees 2nd
ip vrf receive command
IP-interarea routes
IPCP (Internet Protocol Control Protocol)
IPSec over MPLS 2nd
IPv4+Labels 2nd 3rd
  route filtering on CSC CE routers to PE router links 2nd 3rd 4th 5th
IPv4+Labels
  BGP next-hop exchange 2nd 3rd 4th
IPv6
  6PE
    designing BGP confederations
    designing with BGP route reflectors 2nd 3rd
    inter-AS 6PE deployment 2nd
    inter-MP-BGP session establishment 2nd 3rd
    IPv6 datagram forwarding across MPLS backbone 2nd 3rd 4th
    labeled IPv6 MP-BGP prefixes, configuring 2nd 3rd 4th
    route exchange between CE and PE routers 2nd 3rd
    route redistribution 2nd 3rd
  addressing 2nd
    dotted decimal notation
    interface ID
  BGP
    configuring on Cisco IOS Software 2nd
  configuring on Cisco IOS Software
  deploying 2nd 3rd
  interior routing protocol
    configuring on Cisco IOS Software 2nd
  motivation for implementation 2nd
  neighbor discovery
  routing 2nd
IPv6 addressing
  public address space
IS-IS
  PE-CE connectivity
    level 1 topology 2nd 3rd 4th
    level 1-2 topology 2nd 3rd
    level 2 topology 2nd
    requirements 2nd
    route propagation with Multiprotocol BGP 2nd
    routing loop prevention 2nd
    separation of VPN routing information 2nd
ISDN
  dial-in access 2nd 3rd
    NAS/PE router configuration 2nd
    RADIUS server attributes 2nd
    SOHO router configuration
    verifying dial-in operation
ISPs
  connectivity between 2nd
    back-to-back VRFs 2nd 3rd
    external Multiprotocol BGP 2nd 3rd 4th 5th 6th 7th 8th 9th
    Multihop MP-eBGP 2nd through 11th
    requirements 2nd
    route distribution across ASBR-ASBR links 2nd 3rd 4th 5th 6th
K

key chains
L

L2TP VPDNs
  dial-in access 2nd through 21st
L2TP (Layer 2 Tunneling Protocol) 2nd
label distribution
  between CSC PE and CE routers 2nd 3rd 4th
label exchange
  verifying 2nd
label spoofing
  resistance to 2nd
LAC (Layer 2 Access Concentrator)
large-scale service providers
  Carrier's Carrier architecture
    backbone connectivity 2nd through 13th
    route types 2nd 3rd
Layer 2 services versus MPLS VPNs 2nd 3rd
LCP (Link Control Protocol)
  authentication
    CHAP
      three-way handshake
LDP on PE-CE links 2nd 3rd 4th
  label distribution between CSC PE and CE routers 2nd 3rd 4th
  static default routes on CSC CE routers 2nd
  transport address usage 2nd
  transport address usage
LDP (Label Distribution Protocol)
level 1 IS-IS topologies
  deploying 2nd 3rd 4th
level 1-2 IS-IS topologies
  deploying 2nd 3rd
level 2 IS-IS topologies
  deploying 2nd
LFIB (label forwarding information base)
LIB (label information base)
limiting access to PE/CE circuits with access-lists 2nd 3rd 4th 5th
limiting access on extranet VPNs 2nd
linking
  virtual router to MPLS VPN backbone 2nd through 13th
LSAs
  Advertising Router field
  controlling type generation at PE routers 2nd
LSDO
  dial-out access 2nd 3rd
    downloading static routes 2nd 3rd 4th
    LAC/NAS configuration
    RADIUS attributes
    verifying VRF-aware LSDO operation 2nd 3rd
    VHG/PE router configuration 2nd 3rd
LSR-wide MPLS operation
  verifying 2nd
LSRs 2nd 3rd
  control plane operations
M

maximum routes command
  controlling routes injected into VRF
mBGP
  MDT updates 2nd 3rd
MD5
  key chains
MDT
  updates 2nd 3rd
MDT-Groups
MDTs
  Data-MDT 2nd 3rd 4th 5th 6th 7th 8th 9th
  Default-MDT
    multicast tunnel interfaces 2nd 3rd
  Default-MDTs 2nd
  MTI 2nd
  SSM 2nd 3rd
messages
  Data-MDT joins
  DHCP 2nd 3rd 4th
  RADIUS 2nd
Miercom
  comparison of Layer 2-based VPNs and MPLS VPNs 2nd 3rd
monitoring
  interface-level CEF 2nd
  OSPF processes inside VRF 2nd 3rd
motivation for IPv6 implementation 2nd
MPLS
  LSRs 2nd 3rd
MPLS VPN
  access via cable 2nd 3rd 4th 5th
    head-end PE router configuration
    verifying configuration 2nd
  access via DSL
    configuring 2nd 3rd
    PPPoA 2nd 3rd 4th 5th 6th 7th 8th
    PPPoE 2nd 3rd 4th 5th 6th 7th
    RFC 1483 routed encapsulation
    RFC 1483 bridged encapsulation 2nd
MPLS VPN Superbackbone
MPLS-based VPNs 2nd
  access technology integration 2nd
  penultimate hop popping
  technologies involved 2nd 3rd
MTI 2nd
multi-VRF functionality
  BGP
    configuring 2nd 3rd 4th 5th
  configuring 2nd 3rd 4th 5th 6th 7th 8th
  OSPF
    configuring 2nd 3rd 4th
multicast domains 2nd 3rd
  state flags 2nd
multicast forwarding 2nd
multicast routing table entry
multicast tunnel interfaces 2nd 3rd
Multihop MP-eBGP 2nd 3rd 4th 5th 6th
  between route reflectors 2nd 3rd 4th 5th
Multiprotocol BGP
  controlling routes injected into VRF 2nd 3rd
  EIGRP route propagation 2nd
  extended community attributes
    CE-to-CE Authentication Token
mVPN case study 2nd through 23rd
mVPN architecture 2nd
  multicast domains 2nd 3rd
  mVRF 2nd
    PIM adjacencies 2nd
mVPN forwarding
  C-packets 2nd
  P-packets
mVPN state flags 2nd
mVRF 2nd
  PIM adjacencies 2nd
  routing entries 2nd 3rd 4th 5th 6th 7th
N

NAS (network access server)
NAT 2nd 3rd [See also PE-NAT]
  translation table
neighbor authentication 2nd
  between PE routers 2nd
  on P-networks 2nd
  on PE/CE circuits 2nd 3rd 4th
neighbor discovery
  IPv6
network architecture
  point-to-point architecture 2nd through 146th
  selecting 2nd through 146th

The n ew PE- CE r out in g op t ions as w ell as ot her adv anced f eat ur es, includ ing per- VPN Net w ork Ad dr ess Tr an slat ion ( PE- NAT) How VRFs can be ex t ended int o a cust om er sit e t o pr ov ide sep ar at ion inside t he cust om er net w ork The lat est MPLS VPN secur it y f eat u res an d d esign s aim ed at pr ot ect ing t h e MPLS VPN back bone How t o carr y cust om er m ult icast t r aff ic insid e a VPN The lat est in t er - car rier enh ancem ent s t o allow f or easier and m or e scalable d ep loym ent of int er - car r ier MPLS VPN serv ices Adv anced t rou blesh oot ing t echn iques includ in g r ou t er out pu t s t o en su re high av ailab ilit y MPLS and VPN Ar chit ect u res, Volum e I I , b uilds on t he best - sellin g MPLS an d VPN Ar ch it ect u res, Volum e I ( 1 - 587 05- 0 02- 1) , f rom Cisco Pr ess. Ex t endin g int o m or e adv anced t opics an d d ep loy m ent archit ect ur es, Volu m e I I pr ovid es r eader s w it h t he necessar y t ools t hey n eed t o d ep loy and m ain t ain a secur e, hig hly av ailab le VPN. MPLS and VPN Ar chit ect u res, Volum e I I , b eg in s w it h a br ief ref resher of t he MPLS VPN Ar ch it ect u re. Par t I I descr ibes adv anced MPLS VPN con nect iv it y includ in g t he int egr at ion of ser v ice pr ovider access t echn olog ies ( dial, DSL, cab le, Et her net ) an d a v ariet y of r out in g pr ot ocols ( I S- I S, EI GRP, and OSPF) , ar m in g t he r eader w it h t he k now ledge of h ow t o int egr at e t h ese f eat ur es in t o t h e VPN b ack bon e. Part I I I det ails adv anced d ep loy m ent issues includin g secu r it y , ou t lining t he n ecessar y st eps t h e ser v ice p rov ider m ust t ake t o p rot ect t he back bone and any at t ached VPN sit es, and also det ailin g t he lat est secu rit y f eat ur es t o allow m or e adv anced t op ologies and filt erin g. This par t also cov er s m ult i- car r ier MPLS VPN deploy m en t s. 
Fin ally , Par t I V pr ov id es a m et hodology for ad van ced MPLS VPN t r oub leshoot ing . MPLS and VPN Ar chit ect u res, Volum e I I , also int rod uces t he lat est adv ances in cu st omer int egr at ion, secur it y, and t r oubleshoot ing feat u res essent ial t o p rov iding t h e adv anced

O

ODAPs (on-demand address pools)
off-net access to MPLS VPN
    features of Cisco IOS services
olist
omitting leading zeroes in IPv6 address notation
OSPF
    authentication on CE routers
    controlling routes injected into VRF
    multi-VRF configuration
    PE-CE connectivity
        basic operation
        controlling LSA type generation
        extended community attribute (BGP)
        monitoring processes inside VRF
        MPLS VPN Superbackbone
        process-id requirements
        router-id, modifying
        routing loop prevention
        sham-links
            VPN client backdoor links
overlapping circuit addresses
    avoiding
overlapping VPN configuration on CE routers
overload NAT
oversized packets
    troubleshooting

P

P-networks
    authentication
P-packets
    forwarding
PAP
passive interfaces
PDBs (Protocol Descriptor Blocks)
PE (provider edge) devices
PE routers
    6PE
        configuring
        designing with BGP confederations
        designing with BGP route reflectors
        inter-AS 6PE deployment
        inter-MP-BGP session establishment
        IPv6 datagram forwarding across MPLS backbone
        IPv6 route exchange between CE and PE routers
        route redistribution
    6PE labeled IPv6 MP-BGP prefixes, configuring
    authentication between
PE-CE connectivity
    EIGRP
        extended community attribute (BGP)
        requirements
        route propagation with Multiprotocol BGP
        separation of VPN routing information
        VRF route types
    IS-IS
        level 1 topology
        level 1-2 topology
        level 2 topology
        requirements
        route propagation with Multiprotocol BGP
        routing loop prevention
        separation of VPN routing information
    OSPF
        basic operation
        controlling LSA type generation
        extended community attribute (BGP)
        monitoring processes inside VRF
        MPLS VPN Superbackbone
        process-id requirements
        router-id, modifying
        routing loop prevention
        sham-links
            VPN client backdoor links
            overlapping circuit addresses
PE-CE links
    LDP
    label distribution between CSC PE and CE routers
    static default routes
    transport address
PE-NAT
    accessing common services
    common server VRF configuration
    configuring
    customer VRF configuration
    NAT pool configuration
    shared firewalls
PE/CE circuits
    authentication
    limiting access with access-lists
penultimate hop popping
per-VRF AAA
physical site surveys
    performing
PIM
    adjacencies
PIM Bi-Dir
PIM DM
PIM SM
    SSM
PIM adjacencies
pinging between CE routers
point-to-point architecture
PPP
    L2TP
    LCP
    authentication
        CHAP
PPPoA
    configuring MPLS VPN access via DSL
PPPoE
    configuring MPLS VPN access via DSL
preventing
    IS-IS routing loops
    routing loops between OSPF sites
private IP addresses
    NAT
process-id
    selecting for VPN clients
process-id value (OSPF)
propagation of MPLS VPN routes
    troubleshooting
provider control plane
provisioning
    Internet access
        CE routers with firewall functionality
        default routes
        firewall co-location
        hub-and-spoke topology with global routing table
        OSPF VPN customers
public address space
    IPv6 addresses




R

RADIUS
    AV pairs
    VSAs
reachability of core networks
redistribute bgp command
redistribution
    troubleshooting
redundancy
    dial backup for MPLS VPN access
remote access
    DHCP
    PPP
        L2TP
        LCP
    RADIUS
        AV pairs
        VSAs
    VPDNs
remote access to MPLS VPN
    features of Cisco IOS services
    via cable
        headend PE router configuration
        verifying configuration
renumbering IPv6 addresses
requirements
    for EIGRP PE-CE connectivity
    for IS-IS PE-CE connectivity
    of OSPF PE-CE connectivity
        process-id
        sham-links
resistance to label spoofing
    static labels
revealing
    core network addresses
RFC 1483 bridged encapsulation
    configuring MPLS VPN access via DSL
RFC 1483 routed encapsulation
    configuring MPLS VPN access via DSL
RFC 3107 support
RIPv2
    authentication on CE routers
    controlling routes injected into VRF
    key chains
route export
    troubleshooting
route filtering on CSC CE routers to PE router links
route import
    troubleshooting
route leaking
route redistribution
    6PE
route reflectors
    configuring 6PE deployment
router-id (OSPF)
    modifying
routers
    6PE
routing IPv6
routing loops
    between IS-IS sites, preventing
    preventing between OSPF sites
RPF
RPF (Reverse Path Forwarding)
    RPF check
    RPF interface


S

secret keys
Securing a Cisco Router whitepaper
security
    address space separation
    authentication
        CE-to-CE
    comparing Layer 2-based VPNs and MPLS VPNs
    core network visibility
    neighbor authentication
        between PE routers
        on P-networks
        on PE/CE circuits
    resistance to label spoofing
        static labels
separation of EIGRP VPN routing information
service providers
    connectivity between
        back-to-back VRFs
        external Multiprotocol BGP
        Multihop MP-eBGP
        requirements
        route distribution across ASBR-ASBR links
    remote access services
sham links
sham-links
    configuring
shared Internet access with default routes
shared trees
    distribution trees
show ip route vrf command
show mpls interface command
show vpdn session command
site surveys
    physical site surveys
        performing
sites
source IP address
    as VRF selection criteria
source trees
    distribution trees
SSM
state flags
static default routes
    on CSC CE routers
static labels
static NAT
static routing
    between CSC PE/CE routers
structure of IPv6 addresses
    interface ID




T

TDP/LDP Hello protocol
  verifying
TDP/LDP session state
  verifying
three-way handshake
  CHAP
traceroute command
  revealing hidden core network addresses
translation tables
transport address usage
troubleshooting
  control plane
    verifying label exchange
    verifying local TDP/LDP parameters
    verifying TDP/LDP Hello protocol
    verifying TDP/LDP session state
  data plane
    monitoring interface-level CEF
    oversized packets
  egress CE-PE routing exchange
  MPLS VPN route propagation
  MPLS VPN route redistribution
    route export
    route import
troubleshooting MPLS backbone
  verifying end-to-end LSP
troubleshooting MPLS-based solutions
  customer control plane operation
  data plane operation
  provider control plane operation
tunneling
  GRE
    creating links between adjacent routers
  L2TP
    dial-in VPDN access
  MDT
  MDTs
    mBGP updates
    Data-MDT
    Default-MDTs
  MTI
    multicast tunnel interfaces
  VPDNs

U

unicast forwarding
UPDATE authenticator attribute (BGP)




V

VCs (virtual circuits)
verifying connectivity between CE routers
verifying
  CEF operation
  CEF switching
    on VPDNs
    dial-in access
  end-to-end LSP
  label exchange
  local TDP/LDP parameters
  LSR-wide MPLS operation
  MPLS VPN route propagation
  TDP/LDP Hello protocol
  TDP/LDP session state
VPDNs
  dial-in access
    aggregating remote user host addresses
    configuring access between RADIUS servers
    NAS/LAC configuration
    RADIUS server attributes
    verifying dial-in
    VHG/PE router configuration
VPDNs (virtual private dialup networks)
VRF
  monitoring OSPF processes
  PE-NAT
    accessing common services
    common server VRF configuration
    configuring VRFs
    customer VRF configuration
    NAT pool configuration
    shared firewalls
  selection based on source IP address
  virtual routers
    linking to MPLS backbone
VRF (virtual routing and forwarding)
  BGP configuration
  multi-VRF functionality
    configuring
  OSPF configuration
  VRF-aware support for DHCP Relay
VRFs
  address space separation
  back-to-back
  controlling injected routes
  with eBGP as PE/CE routing protocol
  with OSPF as PE/CE routing protocol
  with RIPv2 as PE/CE routing protocol
  enabling multicast
VSAs (vendor-specific attributes)

W

whitepapers
  Securing a Cisco Router


