
MPLS cisco QOS VPN full 04 mpls vpn toi



DOCUMENT INFORMATION

Basic information

Format
Pages: 142
Size: 1.94 MB

Content

MPLS VPN TOI
eosborne@cisco.com
TOI-VPN eosborne © 2001, Cisco Systems, Inc

Agenda
• How MPLS VPN works
• What Code Is MPLS VPN In?
• Platform Issues in Implementation
• Lab Demo - config

How MPLS-VPN Works
• Concepts and goals
• Terminology
• Connection model
• Forwarding
• Mechanisms
• Topologies
• Scaling
• Configuration

MPLS-VPN: What is a VPN?
• An IP network infrastructure delivering private network services over a public infrastructure
  Use a layer backbone
  Scalability, easy provisioning
  Global as well as non-unique private address space
  QoS
  Controlled access
  Easy configuration for customers

VPN Models - The Overlay model
• Private trunks over a TELCO/SP shared infrastructure
  Leased/Dialup lines
  FR/ATM circuits
  IP (GRE) tunnelling
• Transparency between provider and customer networks
• Optimal routing requires full mesh over backbone

VPN Models - The Peer model
• Both provider and customer network use same network protocol
• CE and PE routers have a routing adjacency at each site
• All provider routers hold the full routing information about all customer networks
• Private addresses are not allowed
• May use the virtual router capability
  Multiple routing and forwarding tables based on Customer Networks

VPN Models - MPLS-VPN: The True Peer model
• Same as Peer model BUT !!!
• Provider Edge routers receive and hold routing information only about VPNs directly connected
• Reduces the amount of routing information a PE router will store
• Routing information is proportional to the number of VPNs a router is attached to
• MPLS is used within the backbone to switch packets (no need of full routing)

Agenda
• Concepts and goals
• Terminology
• Connection model
• Forwarding
• Mechanisms
• Topologies
• Scaling
• Configuration

MPLS-VPN Terminology
• Provider Network (P-Network)
  The backbone under control of a Service Provider
• Customer Network (C-Network)
  Network under customer control
• CE router
  Customer Edge router
  Part of the C-network and interfaces to a PE router

MPLS-VPN Terminology
• Site
  Set of (sub)networks part of the C-network and colocated
  A site is connected to the VPN backbone through one or more PE/CE links
• PE router
  Provider Edge router
  Part of the P-Network and interfaces to CE routers
• P router
  Provider (core) router, without knowledge of VPN

Baseline (No Traffic) CPU Comparison
Small VPN: 500 VRFs (11 routes per-VRF)
NPE225 – 262 MHz
NPE300 – 262 MHz
NPE400 – 350 MHz
RSP8 – 250 MHz

Sizing Provider Edge (PE): Memory Considerations
Several factors determine Memory Usage (diagram labels: BGP-4, STATIC, OSPF)
  # of local VPN routes
  # of provisioned VRFs
  # of backbone BGP peers (paths)
  # of neighbors and type of connectivity
  Spread of IP addressing structure
  # of remote VPN routes
  Unique or non-unique RD allocation ?

Sizing Provider Edge (PE): Memory Considerations
Several Areas of Memory Usage
  BGP Memory
  Routing Table
  CEF
  MPLS
  IDB

Sizing Provider Edge (PE): BGP Memory
  ndc-brighton# show ip bgp v a s
  BGP router identifier 10.3.1.9, local AS number
  BGP table version is 21, main routing table version 21
  network entries and paths using 189 bytes of memory
  BGP path attribute entries using 108 bytes of memory
  BGP AS-PATH entries using 48 bytes of memory
  BGP extended community entries using 24 bytes of memory
  BGP route-map cache entries using bytes of memory
  BGP filter-list cache entries using bytes of memory
  BGP activity 8/58 prefixes, 8/6 paths, scan interval 15 secs

Mp = (N*128) + (P*60) + (Pa * 24) + (Ec * 24)
  Mp = Total memory used by PE in Bytes
  N = Number of BGP network entries
  P = Number of path entries
  Pa = Number of AS_PATH entries
  Ec = Number of Extended Community entries

Sizing Provider Edge (PE): Routing Table Memory
  ndc-brighton# show memory summary | include IP: Control Block
  0x60567BB0 33184 101 3351584 IP: Control Block

  ndc-brighton# show ip route vrf testing summary
  IP routing table name is testing(1)
  Source      Networks  Subnets  Overhead  Memory (bytes)
  connected                      64        144
    External:   Internal:   Local:
  internal                                 1164
  Total                          64        1308

Each VRF consumes:
• IP control block -> 33,184 bytes
• Network Descriptor Block (NDB) per route (64 bytes)
• Routing Descriptor Block (RDB) per path (144 bytes)

Sizing Provider Edge (PE): MPLS Memory
  ndc-brighton# show memory allocating-process total | include TFIB tag_
  0x60DC5D54 8101672 125 TFIB tag_rewrite chunk
  0x60DC5DB4 4141564
  0x60DC5DA4 65540 TFIB tag_info chunk
  0x60DC5D44 65540 TFIB tag_rewrite chunk
  64 TFIB tag_info chunk

  ndc-brighton# show memory allocating-process total | include TIB
  0x60FC7E10 24228 134 TIB entry

MPLS forwarding memory (TFIB) consumes one 'taginfo' (64 bytes) per route, plus one forwarding entry (104 bytes) for each path

Sizing Provider Edge (PE): IDB Memory
  ndc-brighton# show memory summary | include IDB
  0x602F88E8 4692 42228 *Hardware IDB*
  0x602F8904 2576 23184 *Software IDB*

Interface Description Block
  Hardware IDB: 4692 bytes (One per physical interface)
  Software IDB: 2576 bytes (One per interface and per sub-interface)
Note: The amount of memory required will differ from platform to platform

PE VRF Memory Sizing
  NO VPN routes: Used Memory 8,187,968 MB
  Used Memory 56,243,216 MB
  Used Memory 69,631,904 MB

VPN Memory Comparison

PE Memory Sizing: Design Rules
• ~ 60-70K per VRF
  33K for base VRF control block, other memory such as CEF, TFIB overhead, IDBs and so on
• ~800-900 bytes per route (includes CEF, TFIB and RIB Memory in BGP)
• Remember IOS uses memory!
• Remember Internet Routes!
• Remember to leave transient memory
  Recommended to leave ~ 20MB free

PE Memory Sizing: Design Observations
• 128 MB platforms are very limited (NPE 225, 3640 *NOT* suitable for full Internet table and VPNs!!!)
• 256 MB Minimum recommended on PE devices
• Limit the number of RDs per VRF in the same VPN unless you require iBGP load balancing with RRs

VRF and Route Limits Summary
• VRF Limits
  Constrained mainly by CPU
  Between 500 & 1000 VRFs for static routing (depending on platform – 10 routes per VRF)
  Between 250 & 500 VRFs if using EBGP or RIPv2 (depending on platform - 500 routes per VRF)
• VPN & Global Route Limits
  Constrained mainly by available memory
  With 256 MB, 200,000 routes total (IPv4 and VPNv4)
  If Internet table is present, this reduces the memory available for VPNs (Current calculations are near 65 Meg for 100K Internet routes – with tightly packed attributes)

Agenda
• How MPLS VPN works
• What Code Is MPLS VPN In?
• Platform Issues in Implementation
• Lab Demo - config

Core Topology
[Diagram: GSR core routers joined by POS links at OC3, OC12, OC48 and OC192, with link labels in the N2 to N13 range, plus OC12 ATM links marked "to vpn"]

VPN topology
[Diagram: VXR and GSR routers with links labelled in the N20 to N31 range; routing labels BGP, RIP and OSPF; AS3402, AS65001, AS65501]
NOTES:
- VXR15,16,12,11 are PEs
- VXR14,13,10,9 are CEs
- all CEs have 192.168.1.x as their RID
- GSR6 is VPNv4 RR

... any VPN knowledge

MPLS VPN Connection Model
[Diagram: CE, PE and P routers with iBGP sessions between PEs; VPN_A and VPN_B sites 10.2.0.0, 11.5.0.0, 10.1.0.0] ...

... (VRF) on PE routers

MPLS VPN Connection Model
[Diagram: Site-1, Site-2, Site-3, Site-4; VPN A, VPN B, VPN C]
• A site belonging to different VPNs may or MAY NOT... point between VPNs
• If two or more VPNs have a common site, address space must be unique among these VPNs

MPLS VPN Connection Model
• The VPN backbone
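
The per-structure sizes from the PE sizing slides above, combined into one estimate and checked against a DRAM budget (an added example, not part of the Cisco deck). `PeProfile`, `estimate` and `fits` are hypothetical names, the IOS baseline is a caller-supplied assumption, and CEF is left out because the slides give no per-entry size for it, so the result is a lower bound.

```python
"""Lower-bound PE memory estimate from the per-structure sizes on the slides."""
from dataclasses import dataclass

# Bytes per structure, as quoted on the sizing slides.
BGP_NET, BGP_PATH, BGP_ASPATH, BGP_EXTCOMM = 128, 60, 24, 24
VRF_CONTROL_BLOCK = 33_184        # IP control block, one per VRF
NDB, RDB = 64, 144                # routing table: per route / per path
TAGINFO, TFIB_ENTRY = 64, 104     # TFIB: per route / per path
HW_IDB, SW_IDB = 4_692, 2_576     # per physical interface / per (sub)interface
MIB = 1024 ** 2                   # assumption: "MB" on the slides read as MiB
TRANSIENT_FREE = 20 * MIB         # "leave ~20MB free"

@dataclass
class PeProfile:                  # hypothetical input record
    vrfs: int
    routes_per_vrf: int
    paths_per_route: int = 1
    as_paths: int = 0
    ext_communities: int = 0
    hw_interfaces: int = 0
    sw_interfaces: int = 0

def bgp_memory(n, p, pa, ec):
    """Mp = (N*128) + (P*60) + (Pa*24) + (Ec*24), in bytes."""
    return n * BGP_NET + p * BGP_PATH + pa * BGP_ASPATH + ec * BGP_EXTCOMM

def estimate(pe):
    """Return a per-area breakdown in bytes plus the total."""
    routes = pe.vrfs * pe.routes_per_vrf
    paths = routes * pe.paths_per_route
    parts = {
        "bgp": bgp_memory(routes, paths, pe.as_paths, pe.ext_communities),
        "vrf_control": pe.vrfs * VRF_CONTROL_BLOCK,
        "routing_table": routes * NDB + paths * RDB,
        "tfib": routes * TAGINFO + paths * TFIB_ENTRY,
        "idb": pe.hw_interfaces * HW_IDB + pe.sw_interfaces * SW_IDB,
    }
    parts["total"] = sum(parts.values())
    return parts

def fits(pe, dram_bytes, ios_base_bytes):
    """True if the estimate plus the IOS baseline keeps ~20 MB free."""
    return estimate(pe)["total"] + ios_base_bytes + TRANSIENT_FREE <= dram_bytes

if __name__ == "__main__":
    small = PeProfile(vrfs=500, routes_per_vrf=11)   # the "Small VPN" case
    for area, size in estimate(small).items():
        print(f"{area:14} {size:>12,} bytes")
    # 60 MiB IOS baseline is a constructed value, not from the slides.
    print("fits in 128 MiB:", fits(small, 128 * MIB, ios_base_bytes=60 * MIB))
```

A PE that sits close to the budget has little margin for unplanned route growth in any attached VPN, so the same check is worth rerunning against per-VRF route limits before they are raised.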

Posted: 18/10/2019, 15:37