2012 Cisco and/or its affiliates. All rights reserved. SPEDGE v1.03-1
Module objectives:
- Describe overlapping VPNs
- Describe central services VPNs and advanced VRF features
- Describe the managed CE router service
Overlapping VPNs
[Figure: service provider IP infrastructure layers (Access, Aggregation, IP Edge, Core) serving Residential, Mobile Users and Business customers over an MPLS backbone; Customer B sites (1) and (2) attach at PE1 and PE2.]
At least one customer site needs to be reachable by sites in different VPNs:
- A service provider may provide services to many customers.
- Some service provider customers may want connectivity to one of their partners through the MPLS network.
- Limit visibility between different departments in an organization.
[Figure: overlapping VPNs. Customer A, Customer B and Customer C each have sites connected through the SP network; shared resources are reachable from more than one customer VPN.]
[Figure: overlapping VPN route-target design. Customer A sites (1) and (2) import and export RT 1:210; Customer B sites (1) and (2) import and export RT 1:220. The Customer A (Central) VRF (RD 1:211) and the Customer B (Central) VRF (RD 1:221) additionally import and export RT 1:1000, so only the two central sites see each other's routes.]
Central VRF on the PE serving the Customer A central site:

  vrf CustomerA-Cent
   description Customer A Cent
   address-family ipv4 unicast
    import route-target
     1:210
     1:1000
    !
    export route-target
     1:210
     1:1000
    !

Central VRF on the PE serving the Customer B central site:

  vrf CustomerB-Cent
   description Customer B Cent
   address-family ipv4 unicast
    import route-target
     1:220
     1:1000
    !
    export route-target
     1:220
     1:1000
    !
BGP VRF configuration on the PE serving the Customer A central site:

  router bgp 64500
   vrf CustomerA
    rd 1:210
    address-family ipv4 unicast
     redistribute connected
    !
   vrf CustomerB
    rd 1:220
    address-family ipv4 unicast
     redistribute connected
    !
   vrf CustomerA-Cent
    rd 1:211
    address-family ipv4 unicast
     redistribute connected
    !

BGP VRF configuration on the PE serving the Customer B central site:

  router bgp 64500
   vrf CustomerA
    rd 1:210
    address-family ipv4 unicast
     redistribute connected
    !
   vrf CustomerB
    rd 1:220
    address-family ipv4 unicast
     redistribute connected
    !
   vrf CustomerB-Cent
    rd 1:221
    address-family ipv4 unicast
     redistribute connected
    !
Central Service VPNs
Multiple VPNs need to share a common set of servers:
- These VPNs are called clients.
Servers reside in the central services VPN:
- This VPN is called the server.
Clients from different VPNs cannot communicate with each other.

[Figure: a Central Services VPN (Server) with client VPNs A, B, C, D and E attached to it.]
Client VPN routes:
- Exported to the server site.
Server VPN routes:
- Exported to client sites.
- Exported to server sites.
No route exchange between client sites.

[Figure: central services VPN route-target design. Client VPN A (RD 1:210) imports and exports RT 1:210 and client VPN B (RD 1:220) imports and exports RT 1:220 within their own sites; the Central Services VPN (Server, RD 1:500) imports and exports RT 1:500 between server sites. Two further route targets, RT 1:501 and RT 1:502, carry routes between the clients and the server: one is exported by the clients and imported by the server, the other exported by the server and imported by the clients, so client sites never import each other's routes.]
Clients can talk to servers:
- The client VRF contains server routes.
Servers can talk to clients:
- The server VRF contains client routes.
Clients cannot communicate:
- Client VRFs do not contain routes from other clients; make sure that there is no client-to-client leakage across server sites.

[Figure: VPN A (Client, RD 1:210) and VPN B (Client, RD 1:220) both connected to the Central Services VPN (Server, RD 1:500).]
Client sites:
- Use a separate VRF per client site.
- Use a unique RD on each client site.
- Import and export routes within customer sites.
- Export routes to server sites.
- Import routes from server sites.
Server sites:
- Use one VRF for each service type.
- Use a unique RD on each service type.
- Import and export routes within server sites.
- Export server site routes to clients.
- Import routes from client sites.
[Figure: VPN A (Client, RD 1:210) and VPN B (Client, RD 1:220) attached to PE1, reaching the Central Services VPN (Server, RD 1:500) on PE-CS-1 across the MPLS backbone.]
Customers run a simple VPN. Only A-Central and B-Central need access to the central servers.
Solution:
- Combine a simple VPN and a central services VPN.
- Configure a separate VPN per customer.
- Configure a separate VRF for the central servers.
- Configure a separate VRF (per site) for clients that need access to the central servers.
Combination of rules from:
- Overlapping VPN
- Central services VPN
Only central sites need access to the central servers.
Configuration steps:
- Configure the customer VPN import-export RT in all VRFs participating in the customer VPN.
- Configure a unique import-export RT in every VRF that is only a client of the central servers.
- Configure the central services import and export RTs in the VRFs that participate in the central services VPN.
Selective import:
- This feature allows you to specify additional criteria for importing routes into the VRF.
Selective export:
- This feature allows you to specify additional RTs that are attached to exported routes.
VRF import criteria can be more specific than just a match on the RT:
- Import only routes with specific BGP attributes.
- Import routes with specific prefixes or subnet masks.
A route policy is used to make the route import selection more specific. Use the import route-policy <name> command in VRF configuration submode.

[Figure: Customer A site attached to PE-1, with PE-2 at the far end.]

PE-1 configuration:

  vrf CustomerA
   address-family ipv4 unicast
    import route-policy CustA-Policy
    import route-target
     1:210
    !
    export route-target
     1:210
    !
  !
  route-policy CustA-Policy
    if destination in (192.168.1.0/24) then
      pass
    endif
  end-policy
Routes from a VRF might have to be exported with different RTs:
- Export management routes with particular RTs.
An export route policy is used to set the extended community RTs.

[Figure: Customer A site attached to PE-1, with PE-2 at the far end.]

PE-1 configuration:

  vrf CustomerA
   address-family ipv4 unicast
    import route-target
     1:210
    !
    export route-policy ExportPol
    export route-target
     1:210
    !
  !
  route-policy ExportPol
    if destination in (192.168.1.0/24) then
      set extcommunity rt 1:555 additive
    else
      pass
    endif
  end-policy
Managed CE Router Service
Service providers use a network management VPN to manage the CE routers of all VPNs:
- The central NMS server needs access to the loopback address of every CE router.
- The design is similar to central services combined with simple VRFs.
- CE routers participate in the central services VPN.
- Only the loopback addresses of the CE routers are exported into the central services VPN.
Create one VRF per customer VPN per PE router:
- Assign the same RD to each customer VRF.
Create an NMS VRF on the central services PE router:
- Assign a unique RD to the NMS VRF.

[Figure: PE-CS hosting the Customer A VRF (RD 1:210), the NMS Server VRF (RD 1:500) and the Customer B VRF (RD 1:220).]
[Figure: Customer A sites (1) and (2) (RD 1:210) and Customer B sites (1) and (2) (RD 1:220) attach to PE1 and PE2 across the MPLS backbone; PE-CS hosts the Customer A VRF (RD 1:210), the NMS Server VRF (RD 1:500) and the Customer B VRF (RD 1:220).]

Customer A VRF with the management export policy (only routes matching the policy are additionally tagged with RT 1:501 for the NMS VRF; all other routes keep just RT 1:210):

  vrf CustomerA
   address-family ipv4 unicast
    import route-target
     1:210
     1:500
    !
    export route-policy MGMT_Pol
    export route-target
     1:210
    !
  !
  route-policy MGMT_Pol
    if destination in (192.168.1.0/24) then
      set extcommunity rt 1:501 additive
    else
      pass
    endif
  end-policy

NMS VRF on the central services PE router (PE-CS):

  vrf NMS_Servers
   address-family ipv4 unicast
    import route-target
     1:500
     1:501
    !
    export route-target
     1:500
    !
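To verify a design like this one for the client-to-client leakage the central services rules warn about, here is an added Python model of the import/export behaviour (not Cisco's code and not part of the course): each VRF exports its own routes with its export RTs, an export policy adds RTs to matching prefixes, and a VRF imports every VPNv4 route carrying one of its import RTs. The VRF names, RDs and RTs are the page's; the Customer B VRF, all prefixes and the NMS subnet are constructed, and the policy match is modelled as prefix containment (in RPL terms `192.168.1.0/24 le 32`, since a bare `192.168.1.0/24` in a prefix set matches only that exact prefix).

```python
from ipaddress import ip_network
# Added example (not from the course): model of this page's RT import/export rules,
# used to check a central-services / managed-CE design for client-to-client leakage.

def build_vpnv4_table(vrfs):
    """Each VRF exports its own routes with its export RTs; an export policy
    (list of (match_prefix, extra_rts)) adds RTs to matching routes (additive)."""
    table = []
    for v in vrfs:
        for prefix in v["routes"]:
            rts = set(v["export_rt"])
            for match, extra in v.get("export_policy", []):
                if ip_network(prefix).subnet_of(ip_network(match)):  # '... le 32'
                    rts |= set(extra)          # set extcommunity rt X additive
            table.append((v["name"], prefix, rts))
    return table

def import_into_vrfs(vrfs, table):
    """A VRF imports every VPNv4 route carrying at least one of its import RTs."""
    return {v["name"]: sorted(p for _, p, rts in table if rts & set(v["import_rt"]))
            for v in vrfs}

def client_leakage(vrfs, clients):
    """(client_vrf, prefix) pairs where one client VRF holds another client's route."""
    rib = import_into_vrfs(vrfs, build_vpnv4_table(vrfs))
    owner = {p: v["name"] for v in vrfs for p in v["routes"]}
    return sorted((c, p) for c in clients for p in rib[c]
                  if owner[p] != c and owner[p] in clients)

def managed_ce_vrfs(cust_b_import=("1:220", "1:500")):
    """VRFs of the managed CE example: only the CE loopback range is tagged RT 1:501."""
    return [
        {"name": "CustomerA", "rd": "1:210", "import_rt": ["1:210", "1:500"],
         "export_rt": ["1:210"], "export_policy": [("192.168.1.0/24", ["1:501"])],
         "routes": ["192.168.1.1/32", "10.1.0.0/16"]},   # CE loopback, customer LAN
        {"name": "CustomerB", "rd": "1:220", "import_rt": list(cust_b_import),
         "export_rt": ["1:220"], "export_policy": [("192.168.2.0/24", ["1:501"])],
         "routes": ["192.168.2.1/32", "10.2.0.0/16"]},   # constructed mirror of A
        {"name": "NMS_Servers", "rd": "1:500", "import_rt": ["1:500", "1:501"],
         "export_rt": ["1:500"], "routes": ["10.255.0.0/24"]},   # NMS server subnet
    ]

if __name__ == "__main__":
    vrfs = managed_ce_vrfs()
    print(import_into_vrfs(vrfs, build_vpnv4_table(vrfs)))  # NMS sees loopbacks only
    print(client_leakage(vrfs, ["CustomerA", "CustomerB"]))   # []
    # Misconfiguration: Customer B also imports RT 1:501 and learns A's CE loopback
    bad = managed_ce_vrfs(("1:220", "1:500", "1:501"))
    print(client_leakage(bad, ["CustomerA", "CustomerB"]))  # [('CustomerB', '192.168.1.1/32')]
```

The same model can be fed the overlapping-VPN VRFs from earlier in this module to confirm that only the two central VRFs (RT 1:1000) see each other.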
Overlapping VPNs are used to provide connectivity between segments in two VPNs.
Central services VPNs offer the following:
- Customers can access common services.
- Customers cannot communicate with each other.
- Route policies can be used for selective route import and export.
Service providers can access the management loopback interface of CE routers. To do so, service providers use:
- An NMS VRF
- An export route policy