MPLS VPN Topologies

Copyright 2000, Cisco Systems, Inc. Release Date: August 2000

Simple VPN with Optimal Intra-VPN Routing

Review Questions

Answer the following questions

■ What are the basic requirements for simple VPN service?
  Any site can talk to any other site and optimal routing is provided across the backbone.

■ What are the routing requirements for simple VPN service?
  The use of traditional routing protocols such as static routing, RIPv2, OSPF or BGP to advertise customer networks between the PE routers and the CE routers.

■ Which PE-CE routing protocol would you use for simple VPN service?
  RIP version 2.

■ How many VRFs per PE router do you need to implement simple VPN service?
  One for all sites in the simple VPN.

■ How do you integrate RIP running between PE and CE with MP-BGP running in the MPLS VPN backbone?
  RIPv2 routes from the CE site are redistributed into MP-BGP, transported across the backbone and redistributed back into the PE-CE routing protocol (RIPv2).

■ When would you use static routing between PE and CE routers?
  For single-connection sites with one IP prefix.

■ When would you be able to use default routing from PE toward CE?
  Usually, when the CE router has one single connection to the MPLS VPN backbone (stub sites).

■ When would you use OSPF between PE and CE routers?
  For large VPN customers where the customer insists on using OSPF for migration or intra-site routing purposes.

■ What are the drawbacks of offering OSPF as the PE-CE routing protocol to your customers?
  The number of VRFs that can support OSPF on a single PE router is limited by the overall process number (32).

Using BGP as the PE-CE Routing Protocol

Review Questions

Answer the following questions

■ When would you use BGP as the PE-CE routing protocol?
  When a site has more than one connection into the MPLS backbone.
  When a customer has a large number of sites (approx. more than 100).
  If the customer is also an ISP with its own AS number.

■ When would you use the same AS number for several sites?
  If there is a large number of sites and there are not enough private AS numbers available.
  If the customer is an ISP with its own AS number.

■ When would you use a different AS number for every site?
  If VPNs do not overlap and do not have more than 1024 sites.

■ Which BGP features would you use to support the customers that use the same AS number at multiple sites?
  "AllowAS-in" for multihomed sites using a hub-and-spoke topology.
  "AS-override" to be able to propagate routes from one site to another site.

Overlapping Virtual Private Networks

Review Questions

Answer the following questions

■ What are the typical usages for overlapping Virtual Private Networks?
  Separating an enterprise network into VPNs, which have access only to the central VPN.
  Interconnecting two or more enterprise networks by using an extranet VPN.

■ What are the connectivity requirements for overlapping VPNs?
  An additional VPN for overlapping sites.

■ What is the expected data flow within overlapping VPNs?
  Routing for data flow between any pair of sites (if permitted) is still optimal.
  Data flow between two sites is permitted if they are part of the same VPN.

■ How many VRFs do you need to implement three partially overlapping VPNs? How many route distinguishers? How many route targets?
  One VRF per set of sites with the same VPN membership per PE router; one RD per VRF (three); at least two route targets.

■ How would you select a routing protocol to use in an overlapping VPN solution?
  Overlapping VPN topology does not influence the design criteria for selecting the IGP.

Central Services VPN Solutions

Review Questions

Answer the following questions

■ What are the typical usages for central services VPN topology?
  Extranets interconnecting enterprise networks by using central (proxy) servers.
  Intranet with separated departments having access to the central servers.

■ What is the connectivity model for central services VPN topology?
  All clients have access to the central VPN but not to each other.

■ How do you implement central services VPN topology?
  A separate VRF for each client (ClientVPN) and one VRF per PE router connecting a server site (CentralVPN).
  One RT for CentralVPN->ClientVPN route propagation and another RT for all ClientVPN->CentralVPN.

■ How many route targets do you need for a central services VPN solution with two server sites and 50 client sites? How many route distinguishers?
  52 route targets and 51 route distinguishers.

■ How do you combine central services VPN topology with simple VPN topology?
  We need one VRF per VPN for sites that have access to other sites in the customer VPN, but no access to the Central Services VPN, one VRF per VPN for sites that have access to Central Services VPN, and one VRF for the Central Services VPN.

Hub-and-Spoke VPN Solutions

Review Questions

Answer the following questions

■ When would you deploy hub-and-spoke VPN topology?
  When the customer wants all packets to flow through the central site.

■ What is the main difference between central services VPN topology and hub-and-spoke VPN topology?
  Central services VPN does not forward packets between client sites.

■ What is the main difference between simple VPN topology and hub-and-spoke VPN topology?
  Simple VPN has optimal routing between sites.

■ Describe the routing information flow in hub-and-spoke topology.
  Spoke sites can only exchange routing information through the hub site.
  Spoke routes are imported into hub VRF on the PE router.
  Spoke routes are announced to the hub site and announced over a different hub router and PE-CE interface to PE.
  Spoke routes from hub site are imported into spoke VRF on the hub site.
  Spoke routes are announced to other spokes and imported into spoke VRFs.

■ Describe the packet forwarding in hub-and-spoke topology.
  The traffic exchanged between individual spoke sites flows through the central hub site.

■ How many PE-CE links do you need at the spoke sites?
  One.

■ How many PE-CE links do you need at the hub sites?
  Two.

■ Do you need two CE routers at the hub site?
  No.

■ Do you need two PE routers to connect the hub site?
  No.

■ Which routing protocol would you use between the P-network and the hub site?
  BGP.

■ Which BGP features are necessary to support BGP as the routing protocol at the hub site?
  Allowas-in on the eBGP session at the PE router connecting the hub site; only standard features at the hub CE routers.

■ Which BGP features are necessary to support BGP as the routing protocol at the spoke site if all sites use the same AS number?
  As-override feature on all eBGP sessions between PE and CE spoke routers (also applies to the hub site); only standard features at the spoke CE routers.

Managed CE-Router Service

Review Questions

Answer the following questions

■ When would you need managed CE router service?
  When the service provider manages CE routers and needs access to all of them from a single point.

■ How do you implement managed CE router service?
  The Central Services model is used, except that only loopback addresses are imported into the CS-VPN.

■ What's the main difference between managed CE router service and usual central services VPN topology?
  Export maps are used to tag loopback addresses to be imported into the Management VPN.