MPLS virtual private networking is the most scalable VPN solution ever developed. Border Gateway Protocol (BGP) is used to distribute VPN information across the MPLS network. An IGP, such as OSPF or IS-IS, is employed to distribute routing information among MPLS network elements. MPLS label bindings are distributed among other MPLS peers via the Label Distribution Protocol (LDP), whereas BGP is used to distribute label bindings for external routes, such as those within each VPN.
MPLS requires separate VPN routing and forwarding (VRF) tables or route-forwarding instances for each VPN provisioned. Separate forwarding tables ensure that subscribers of a specific VPN cannot reach destinations outside their VPN.
These VPN-specific forwarding tables are created using BGP multiprotocol extensions. MPLS VPNs use VPN IP version 4 (IPv4) Address Families, consisting of an 8-byte route distinguisher and ending with a 4-byte IPv4 address, to forward VPN information among BGP peers.
VPN membership is statically configured on a per port or per interface basis.
Each interface or sub-interface on the label edge router is configured with a unique route distinguisher. The purpose of the route distinguisher is to allow the system to create distinct routes to IPv4 address prefixes. The route distinguishers are known only to the MPLS network elements and are unknown to the customer edge router or routers.
A route distinguisher can be up to 8 bytes long. The 8-byte field is made up of a 4-byte autonomous system number and a 4-byte subscriber number that is assigned by the provider.
When a subscriber router sends a packet to the MPLS LER, the LER verifies which interface the packet was received on and performs a lookup in the VPN-specific forwarding information base. The forwarding information base supplies the outgoing interface and two labels. The first label is used to reach the destination LER in the MPLS network, and the second label is used to determine how to handle the packet at the egress LER. More specifically, the second label is used to determine how to forward the packet to the correct outgoing VPN interface at the MPLS network egress.
An MPLS VPN is a lot easier to configure than it looks. Table 12.1 reviews the VPN portion of a sample IOS configuration from an MPLS provider edge LSR and explains the command syntax.
Table 12.1 MPLS VPN Configuration and Explanation

Configuration                                  Explanation
enable <password>                              Log in to the router and enter enable mode
!
configure terminal                             Enter global configuration mode
!
ip vrf Red                                     Creates a new VPN routing table called Red
 rd 65050:1                                    Creates the route distinguisher (AS number:ID) that is bound to the VPN routing table Red
 route-target export 65050:1                   Exports routing information to the target MPLS VPN extended community
 route-target import 65050:1                   Imports routing information from the target MPLS VPN extended community
!
ip vrf Blue                                    Creates a new VPN routing table called Blue
 rd 65051:1                                    Creates the route distinguisher (AS number:ID) that is bound to the VPN routing table Blue
 route-target export 65051:1                   Exports routing information to the target MPLS VPN extended community
 route-target import 65051:1                   Imports routing information from the target MPLS VPN extended community
!
interface FastEthernet2/0                      Fast Ethernet interface
 ip vrf forwarding Red                         Associates the interface with the Red VPN
 ip address x.x.x.x y.y.y.y                    IP address and mask
!
interface FastEthernet2/1                      Fast Ethernet interface
 ip vrf forwarding Blue                        Associates the interface with the Blue VPN
 ip address x.x.x.x y.y.y.y                    IP address and mask
!
router ospf 100                                Enables OSPF routing process 100
 network a.a.a.a m.m.m.m area 0                Specifies the networks directly connected to the router and identifies OSPF area membership
!
router ospf 17 vrf Red                         Enables OSPF routing process 17 for the Red VPN
 network a.a.a.a m.m.m.m area 0                Specifies the networks directly connected to the router and identifies OSPF area membership
 redistribute bgp 65500 metric-type 1 subnets  Redistributes BGP routes, injecting them into OSPF as type 1 routes
!
router bgp 65500                               Enables BGP routing for autonomous system 65500
 no synchronization                            Since all MPLS routers are running BGP, synchronization is disabled, resulting in the network converging more quickly
 no bgp default ipv4-unicast
 neighbor z.z.z.z remote-as 65500              Specifies the IBGP neighbor and autonomous system number
 neighbor z.z.z.z update-source loopback 0     Forces the router to use the IP address assigned to loopback 0 as the source address for BGP packets
 !
 address-family ipv4 vrf Red                   Configures the address family for VRF Red
  redistribute ospf 17                         Redistributes routes from OSPF into the BGP Red VPN routing table
  no auto-summary                              Disables summarization
 exit-address-family                           Exits address family configuration mode
 !
 address-family ipv4 vrf Blue                  Configures the address family for VRF Blue
  redistribute static                          Redistributes static routes
  redistribute connected                       Redistributes connected routes
 exit-address-family                           Exits address family configuration mode
 !
 address-family vpnv4                          Configures the address family using VPN IPv4 prefixes
  neighbor a.a.a.a activate                    Activates the IBGP neighbor
  neighbor a.a.a.a send-community extended     Forwards VPN extended attributes
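The route targets in Table 12.1 decide which VPN learns which routes, so a VRF that imports another VPN's export target silently joins the two customers. As an added example (not from the page or from Cisco), this Python script parses the ip vrf blocks of an IOS configuration and flags cross-VRF imports and interfaces bound to undefined VRFs; the sample configuration is constructed, with a VRF Green and an interface referencing an undefined VRF Orange added as the misconfigurations to catch.

```python
import re

# Constructed IOS excerpt in the style of Table 12.1 (added example, not the
# page's own configuration). VRF Green imports Blue's route target, and one
# interface binds to a VRF that is never defined; both undermine isolation.
SAMPLE_CONFIG = """\
ip vrf Blue
 rd 65051:1
 route-target export 65051:1
 route-target import 65051:1
!
ip vrf Green
 rd 65052:1
 route-target export 65052:1
 route-target import 65052:1
 route-target import 65051:1
!
interface FastEthernet2/1
 ip vrf forwarding Blue
 ip address 10.10.60.1 255.255.255.0
!
interface FastEthernet2/2
 ip vrf forwarding Orange
 ip address 10.10.80.1 255.255.255.0
"""

def parse_vrfs(config):
    """Return ({vrf: {'export': set, 'import': set}}, VRF names bound by interfaces)."""
    vrfs, referenced, current = {}, set(), None
    for line in map(str.strip, config.splitlines()):
        if m := re.fullmatch(r"ip vrf forwarding (\S+)", line):
            referenced.add(m.group(1))
        elif m := re.fullmatch(r"ip vrf (\S+)", line):
            current = m.group(1)
            vrfs[current] = {"export": set(), "import": set()}
        elif current and (m := re.fullmatch(r"route-target (export|import) (\S+)", line)):
            vrfs[current][m.group(1)].add(m.group(2))
    return vrfs, referenced

def audit(config):
    """List conditions that break per-VPN isolation; an empty list means consistent."""
    vrfs, referenced = parse_vrfs(config)
    findings = [f"interface binds to undefined VRF {n}" for n in sorted(referenced - set(vrfs))]
    for name, v in vrfs.items():
        for other, o in vrfs.items():
            if other == name:
                continue
            for rt in sorted(v["import"] & o["export"]):  # RT imported from another VPN
                findings.append(f"VRF {name} imports RT {rt} exported by VRF {other}: routes leak across VPNs")
    return findings
```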
In order to understand the information in Table 12.1, consider the following example of a real-world MPLS application. A service provider needs to provide virtual private networking services to two local intranets via MPLS. One intranet, known as the RED VPN, will have a 10 Mbps Ethernet connection to the provider. This subscriber owns a router and plans to use the provider as the default gateway to their HQ facility. The other intranet, known as the BLUE VPN, will have a 100 Mbps connection to the provider. This subscriber is running OSPF and plans to use the provider to form Area 0.
The subscribers and the provider are using overlapping private address space. This is allowed because once an interface is configured as part of a VPN, it is removed from the global routing table. Each VPN will have its own virtual route-forwarding instance, resulting in secure transport across the MPLS cloud.
Multiple OSPF routing processes are required in order to exchange topology information between the subscriber and the provider. The provider runs an internal OSPF routing process to exchange reachability information among other MPLS peers. The details of this example are depicted in Figure 12.8.
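To make the isolation argument concrete, the following Python model (an added example, not the page's or Cisco's code) reproduces the two-label lookup described earlier for PE LSR-B: the ingress interface selects the VRF, the longest match is taken inside that VRF's table only, and the label stack carries a transport label to the egress LER plus a VPN label that selects the egress interface. The interface-to-VRF bindings and the RED and BLUE subnets come from the Figure 12.8 configurations; the label values and RED's overlapping 10.10.50.0/24 prefix are constructed.

```python
import ipaddress

# Constructed model of PE LSR-B's per-VRF forwarding state (added example).
# Interface-to-VRF bindings are taken from LSR-B's configuration; label values
# are made up, and RED's 10.10.50.0/24 is a made-up prefix that overlaps the
# BLUE customer's real one to show that overlap is harmless inside separate VRFs.
INTERFACE_VRF = {"Ethernet1/0": "RED", "FastEthernet2/1": "BLUE"}
VRF_FIB = {  # vrf -> prefix -> (outgoing interface, transport label, VPN label)
    "RED":  {"10.10.30.0/24": ("FastEthernet2/0", 16, 24),
             "10.10.50.0/24": ("FastEthernet2/0", 16, 25)},
    "BLUE": {"10.10.50.0/24": ("FastEthernet2/0", 16, 26),
             "10.10.70.0/24": ("FastEthernet2/0", 16, 27)},
}
# Egress LER state: the VPN label alone picks the outgoing VPN interface.
EGRESS_VPN_LABEL = {24: ("Ethernet1/0", "RED"), 25: ("Ethernet1/0", "RED"),
                    26: ("FastEthernet2/1", "BLUE"), 27: ("FastEthernet2/1", "BLUE")}


def ingress_lookup(ingress_if, dst):
    """Ingress LER: the receiving interface selects the VRF, the longest prefix
    match is done in that VRF's FIB only, and the result is the label stack with
    the transport label outermost. None means the destination is not reachable
    from this VPN; the packet is dropped, never looked up in another table."""
    vrf = INTERFACE_VRF[ingress_if]  # a KeyError here means a non-VPN interface
    addr = ipaddress.IPv4Address(dst)
    best = None
    for prefix, action in VRF_FIB[vrf].items():
        net = ipaddress.IPv4Network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, action)
    if best is None:
        return None
    out_if, transport_label, vpn_label = best[1]
    return {"vrf": vrf, "out_if": out_if, "labels": [transport_label, vpn_label]}


def egress_lookup(labels):
    """Egress LER: with the transport label popped, the remaining VPN label is
    mapped to exactly one VPN interface, so a RED label can never exit into BLUE."""
    out_if, vrf = EGRESS_VPN_LABEL[labels[-1]]
    return {"out_if": out_if, "vrf": vrf}


if __name__ == "__main__":
    for ingress, dst in [("Ethernet1/0", "10.10.50.9"), ("FastEthernet2/1", "10.10.50.9"),
                         ("FastEthernet2/1", "10.10.30.7")]:
        print(ingress, dst, ingress_lookup(ingress, dst))
```

The same destination 10.10.50.9 yields different VPN labels depending on the ingress interface, and a BLUE interface cannot reach RED's 10.10.30.0/24 at all.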
[Figure 12.8 MPLS VPN Configuration Example: Provider Core LSR A, Provider Edge LSR B and LSR C, Customer Edge LSR D and LSR E; RED VPN and BLUE VPN sites on 10.10.20.0/24, 10.10.30.0/24, 10.10.40.0/24 and 10.10.50.0/24, with CE-PE links 10.10.60.1/10.10.60.2 and 10.10.70.1/10.10.70.2]

The following is the configuration for Provider Core LSR A.
!
version 12.1
!
hostname LSR-A
!
ip subnet-zero
ip cef
!
interface Loopback0
 ip address 10.10.10.1 255.255.255.255
 no ip directed-broadcast
!
interface Ethernet1/0
 no ip address
 no ip directed-broadcast
 shutdown
 no cdp enable
!
interface Ethernet1/1
 no ip address
 no ip directed-broadcast
 shutdown
 no cdp enable
!
interface Ethernet1/2
 no ip address
 no ip directed-broadcast
 shutdown
 no cdp enable
!
interface Ethernet1/3
 no ip address
 no ip directed-broadcast
 shutdown
 no cdp enable
!
interface FastEthernet2/0
 ip unnumbered Loopback0
 tag-switching ip
!
interface FastEthernet2/1
 ip unnumbered Loopback0
 tag-switching ip
!
router ospf 10
 network 10.0.0.0 0.255.255.255 area 0
!
ip classless
no ip http server
!
no cdp run
!
line con 0
 exec-timeout 0 0
 transport input none
line aux 0
line vty 0 4
 password cisco
 no login
!
end
The following is the configuration for PE LSR B.
!
version 12.1
!
hostname LSR-B
!
ip subnet-zero
ip cef
!
ip vrf RED
 rd 65050:1
 route-target export 65050:1
 route-target import 65050:1
!
ip vrf BLUE
 rd 65051:1
 route-target export 65051:1
 route-target import 65051:1
!
interface Loopback0
 ip address 10.10.10.2 255.255.255.255
!
interface Ethernet1/0
 ip vrf forwarding RED
 ip address 10.10.20.1 255.255.255.0
!
interface Ethernet1/1
 no ip address
 no ip directed-broadcast
 shutdown
 no cdp enable
!
interface Ethernet1/2
 no ip address
 no ip directed-broadcast
 shutdown
 no cdp enable
!
interface Ethernet1/3
 no ip address
 no ip directed-broadcast
 shutdown
 no cdp enable
!
interface FastEthernet2/0
 ip unnumbered Loopback0
 tag-switching ip
!
interface FastEthernet2/1
 ip vrf forwarding BLUE
 ip address 10.10.60.1 255.255.255.0
!
router ospf 10
 network 10.0.0.0 0.255.255.255 area 0
!
router ospf 20 vrf BLUE
 network 10.0.0.0 0.255.255.255 area 0
 redistribute bgp 65500 metric-type 1 subnets
!
router bgp 65500
 no synchronization
 no bgp default ipv4-unicast
 neighbor 10.10.10.3 remote-as 65500
 neighbor 10.10.10.3 update-source loopback 0
 !
 address-family ipv4 vrf BLUE
  redistribute ospf 20
  no auto-summary
 exit-address-family
 !
 address-family ipv4 vrf RED
  redistribute static
  redistribute connected
 exit-address-family
 !
 address-family vpnv4
  neighbor 10.10.10.3 activate
  neighbor 10.10.10.3 send-community extended
 exit-address-family
!
ip classless
no ip http server
!
no cdp run
!
line con 0
 exec-timeout 0 0
 transport input none
line aux 0
line vty 0 4
 password cisco
 no login
!
end
The following is the configuration for PE LSR C.
!
version 12.1
!
hostname Edge-LSR-C
!
ip subnet-zero
ip cef
!
ip vrf RED
 rd 65050:1
 route-target export 65050:1
 route-target import 65050:1
!
ip vrf BLUE
 rd 65051:1
 route-target export 65051:1
 route-target import 65051:1
!
interface Loopback0
 ip address 10.10.10.3 255.255.255.255
!
interface Ethernet1/0
 ip vrf forwarding RED
 ip address 10.10.30.1 255.255.255.0
!
interface Ethernet1/1
 no ip address
 no ip directed-broadcast
 shutdown
 no cdp enable
!
interface Ethernet1/2
 no ip address
 no ip directed-broadcast
 shutdown
 no cdp enable
!
interface Ethernet1/3
 no ip address
 no ip directed-broadcast
 shutdown
 no cdp enable
!
interface FastEthernet2/0
 ip unnumbered Loopback0
 tag-switching ip
!
interface FastEthernet2/1
 ip vrf forwarding BLUE
 ip address 10.10.70.1 255.255.255.0
!
router ospf 10
 network 10.0.0.0 0.255.255.255 area 0
!
router ospf 20 vrf BLUE
 network 10.0.0.0 0.255.255.255 area 0
 redistribute bgp 65500 metric-type 1 subnets
!
router bgp 65500
 no synchronization
 no bgp default ipv4-unicast
 neighbor 10.10.10.2 remote-as 65500
 neighbor 10.10.10.2 update-source loopback 0
 !
 address-family ipv4 vrf BLUE
  redistribute ospf 20
  no auto-summary
 exit-address-family
 !
 address-family ipv4 vrf RED
  redistribute static
  redistribute connected
 exit-address-family
 !
 address-family vpnv4
  neighbor 10.10.10.2 activate
  neighbor 10.10.10.2 send-community extended
 exit-address-family
!
ip classless
no ip http server
!
no cdp run
!
line con 0
 exec-timeout 0 0
 transport input none
line aux 0
line vty 0 4
 no login
!
end
The following configuration is for CE LSR D.
!
version 12.1
!
hostname LSR-D
!
ip subnet-zero
ip cef
!
interface Ethernet1/0
 ip address 10.10.40.1 255.255.255.0
!
interface Ethernet1/1
 no ip address
 no ip directed-broadcast
 shutdown
 no cdp enable
!
interface Ethernet1/2
 no ip address
 no ip directed-broadcast
 shutdown
 no cdp enable
!
interface Ethernet1/3
 no ip address
 no ip directed-broadcast
 shutdown
 no cdp enable
!
interface FastEthernet2/0
 ip address 10.10.60.2 255.255.255.0
!
interface FastEthernet2/1
 no ip address
 no ip directed-broadcast
 shutdown
 no cdp enable
!
router ospf 20
 network 10.0.0.0 0.255.255.255 area 0
!
ip classless
no ip http server
!
no cdp run
!
line con 0
 exec-timeout 0 0
 transport input none
line aux 0
line vty 0 4
 password cisco
 no login
!
end
The following is the configuration for CE LSR E.
!
version 12.1
!
hostname LSR-E
!
ip subnet-zero
ip cef
!
interface Ethernet1/0
 ip address 10.10.50.1 255.255.255.0
!
interface Ethernet1/1
 no ip address
 no ip directed-broadcast
 shutdown
 no cdp enable
!
interface Ethernet1/2
 no ip address
 no ip directed-broadcast
 shutdown
 no cdp enable
!
interface Ethernet1/3
 no ip address
 no ip directed-broadcast
 shutdown
 no cdp enable
!
interface FastEthernet2/0
 ip address 10.10.70.2 255.255.255.0
!
interface FastEthernet2/1
 no ip address
 no ip directed-broadcast
 shutdown
 no cdp enable
!
router ospf 20
 network 10.0.0.0 0.255.255.255 area 0
!
ip classless
no ip http server
!
no cdp run
!
line con 0
 exec-timeout 0 0
 transport input none
line aux 0
line vty 0 4
 password cisco
 no login
!
end
VPN Scalability
VPN scalability is a critical issue for most service providers. In Cisco’s case, IOS releases after 12.0(5) can support one million VPN sites. One million sites can be broken down as 1,000 VPNs with 1,000 sites each, or 10,000 VPNs with 100 sites each.
Reducing the Load on Network Cores
Cisco’s architecture is based on the peer-to-peer model and does not require that all routers in the network know about every VPN configured on the network. An MPLS router must know only about the VPNs that are directly connected to it. LSRs in the core do not need to know anything about the VPNs provisioned in the network, as long as no VPN subscribers are directly connected to them.