
Complex MPLS Layer 3 VPNs

2012 Cisco and/or its affiliates. All rights reserved. SPEDGE v1.03-1
Describe overlapping VPNs
Describe central service VPNs and advanced VRF features
Describe managed CE router service

Overlapping VPNs

[Figure: Cisco IP NGN architecture. Infrastructure layer: Access, Aggregation, IP Edge, Core. Customer segments: Residential, Mobile Users, Business.]

Complex MPLS Layer 3 VPNs are part of the Cisco IP NGN infrastructure layer.
Layer 3 VPNs are usually configured on IP edge devices.
MPLS runs on IP core devices.

[Figure: Customer A (1), Customer A (2), Customer B (1) and Customer B (2) sites connected through PE1 and PE2 across the MPLS backbone; the Customer A (Central) and Customer B (Central) sites communicate with each other.]

Central sites are reachable from multiple VPNs:
- Overlapping VPN
IP addressing in common sites should not overlap:
- NAT can be used when networks overlap.

At least one customer site needs to be reachable by sites in different VPNs:
- A service provider may provide services to many customers.
- Some service provider customers may want connectivity to one of their partners through the MPLS network.
- An organization may want to limit visibility between its departments.

[Figure: Service provider shared resources reachable by Customer A, Customer B and Customer C.]

[Figure: Customer A (1) and Customer A (2), RD 1:210, import and export RT 1:210; Customer B (1) and Customer B (2), RD 1:220, import and export RT 1:220; Customer A (Central), RD 1:211, and Customer B (Central), RD 1:221, additionally import and export RT 1:1000.]

Customer A (central) import and export:
- RT 1:210 (customer VPN)
- RT 1:1000 (overlapping VPN)
Customer B (central) import and export:
- RT 1:220 (customer VPN)
- RT 1:1000 (overlapping VPN)

[Figure: Customer A (1) and Customer A (2), RD 1:210; Customer B (1) and Customer B (2), RD 1:220; Customer A (Central), RD 1:211; Customer B (Central), RD 1:221.]

Customer A (central) client can communicate with:
- All Customer A sites (customer VPN)
- Customer B central site (overlapping VPN)
Customer B (central) client can communicate with:
- All Customer B sites (customer VPN)
- Customer A central site (overlapping VPN)

Configure a new VRF instance for the central site:
- Import and export RTs for remote sites.
- Import and export RTs for overlapping sites.
Update BGP configuration:
- Set RD for the central site.
- Under the proper address family (IPv4 or IPv6), configure route redistribution.

PE1:
vrf CustomerA-Cent
 description Customer A Cent
 address-family ipv4 unicast
  import route-target
   1:210
   1:1000
  export route-target
   1:210
   1:1000
!

PE2:
vrf CustomerB-Cent
 description Customer B Cent
 address-family ipv4 unicast
  import route-target
   1:220
   1:1000
  export route-target
   1:220
   1:1000
!

[Figure: Customer A (1) and Customer A (2), RD 1:210, and Customer B (1) and Customer B (2), RD 1:220, attached to PE1 and PE2 across the MPLS backbone; Customer A (Central), RD 1:211, and Customer B (Central), RD 1:221, import and export RT 1:1000.]

PE1:
router bgp 64500
 vrf CustomerA
  rd 1:210
  address-family ipv4 unicast
   redistribute connected
 !
 vrf CustomerB
  rd 1:220
  address-family ipv4 unicast
   redistribute connected
 vrf CustomerA-Cent
  rd 1:211
  address-family ipv4 unicast
   redistribute connected
 !

PE2:
router bgp 64500
 vrf CustomerA
  rd 1:210
  address-family ipv4 unicast
   redistribute connected
 !
 vrf CustomerB
  rd 1:220
  address-family ipv4 unicast
   redistribute connected
 vrf CustomerB-Cent
  rd 1:221
  address-family ipv4 unicast
   redistribute connected
 !

[Figure: Customer A (1) and Customer A (2), RD 1:210, and Customer B (1) and Customer B (2), RD 1:220, attached to PE1 and PE2 across the MPLS backbone; Customer A (Central), RD 1:211, and Customer B (Central), RD 1:221, import and export RT 1:1000.]

Central Service VPNs

Multiple VPNs need to share a common set of servers:
- VPNs are called clients.
Servers reside in the central services VPN:
- VPNs are called servers.
Clients from other VPNs cannot communicate with each other.

[Figure: VPN A, VPN B, VPN C, VPN D and VPN E (Clients), each connected to the Central Services VPN (Server).]

Client VPN routes:
- Exported to the server site
Server VPN routes:
- Exported to client sites
- Exported to server sites
No route exchange between client sites.

[Figure: VPN A (Client), RD 1:210, imports and exports RT 1:210, exports RT 1:501 and imports RT 1:502; VPN B (Client), RD 1:220, imports and exports RT 1:220, exports RT 1:501 and imports RT 1:502; Central Services VPN (Server), RD 1:500, imports and exports RT 1:500, imports RT 1:501 and exports RT 1:502.]

Clients can talk to servers:
- Client VRF contains server routes.
Servers can talk to clients:
- Server VRF contains client routes.
Clients cannot communicate:
- Client VRFs do not contain routes from other clients.
Make sure that there is no client-to-client leakage across server sites.

[Figure: VPN A (Client), RD 1:210, and VPN B (Client), RD 1:220, each connected to the Central Services VPN (Server), RD 1:500.]

Client sites:
- Use a separate VRF per client site.
- Use a unique RD on each client site.
- Import and export routes within customer sites.
- Export routes to server sites.
- Import routes from server sites.
Server sites:
- Use one VRF for each service type.
- Use a unique RD on each service type.
- Import and export routes within server sites.
- Export server site routes to clients.
- Import routes from client sites.

[Figure: VPN A (Client), RD 1:210, and VPN B (Client), RD 1:220, attached to PE1; Central Services VPN (Server), RD 1:500, attached to PE-CS-1; PE1 and PE-CS-1 connected across the MPLS backbone.]

PE1:
vrf CustomerA
 address-family ipv4 unicast
  import route-target
   1:210
   1:502
  export route-target
   1:210
   1:501
!
vrf CustomerB
 address-family ipv4 unicast
  import route-target
   1:220
   1:502
  export route-target
   1:220
   1:501
!

PE-CS-1:
vrf Server
 address-family ipv4 unicast
  import route-target
   1:500
   1:501
  export route-target
   1:500
   1:502
!

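The route-target rules of the overlapping VPN design and of the central services VPN design above can be checked mechanically. The following Python model is an added example and is not part of the Cisco course material: each VRF is represented by its import and export RT sets, a route is imported wherever one of its RTs matches, and the model derives which sites hold routes to which other sites. RD and RT values are those on the slides; the site labels (A-1, A-Cent, ...) and the misconfigured variant at the end are constructed for the illustration. The client_leaks check is the "no client-to-client leakage" rule: it flags a client VRF that holds another client's routes even one-way, which bidirectional reachability alone would miss.

```python
"""Route-target (RT) model for the overlapping VPN and central services VPN
designs. Added example, not part of the Cisco course material."""
from dataclasses import dataclass
from itertools import permutations


@dataclass(frozen=True)
class Vrf:
    name: str
    rd: str                 # informational; RD does not drive import decisions
    import_rt: frozenset
    export_rt: frozenset


def visible(vrfs):
    """Return {(viewer, origin)}: viewer's VRF holds routes exported by origin.

    A VPNv4 route is imported into a VRF when at least one RT attached to
    it (the exporter's export RTs) appears in the VRF's import list.
    """
    return {
        (viewer.name, origin.name)
        for viewer, origin in permutations(vrfs, 2)
        if origin.export_rt & viewer.import_rt
    }


def reachable(vrfs):
    """Pairs that can exchange traffic: each side holds routes to the other."""
    seen = visible(vrfs)
    return {(a, b) for (a, b) in seen if (b, a) in seen}


def client_leaks(vrfs, clients):
    """Client VRFs holding another client's routes, even one-way.

    In a central services VPN this set must be empty (no client-to-client
    leakage across server sites).
    """
    return {(v, o) for (v, o) in visible(vrfs) if v in clients and o in clients}


def rt(*values):
    return frozenset(values)


# Overlapping VPN: per-customer RTs plus the shared RT 1:1000 that only the
# two central sites import and export. Site labels are constructed.
OVERLAPPING = [
    Vrf("A-1", "1:210", rt("1:210"), rt("1:210")),
    Vrf("A-2", "1:210", rt("1:210"), rt("1:210")),
    Vrf("B-1", "1:220", rt("1:220"), rt("1:220")),
    Vrf("B-2", "1:220", rt("1:220"), rt("1:220")),
    Vrf("A-Cent", "1:211", rt("1:210", "1:1000"), rt("1:210", "1:1000")),
    Vrf("B-Cent", "1:221", rt("1:220", "1:1000"), rt("1:220", "1:1000")),
]

# Central services VPN: clients export 1:501 towards the server VRF and
# import 1:502 from it; the server VRF does the reverse.
CENTRAL = [
    Vrf("CustomerA", "1:210", rt("1:210", "1:502"), rt("1:210", "1:501")),
    Vrf("CustomerB", "1:220", rt("1:220", "1:502"), rt("1:220", "1:501")),
    Vrf("Server", "1:500", rt("1:500", "1:501"), rt("1:500", "1:502")),
]

# Constructed misconfiguration: CustomerB also imports the client-to-server
# RT 1:501, so it picks up every other client's routes.
CENTRAL_LEAKY = CENTRAL[:1] + [
    Vrf("CustomerB", "1:220", rt("1:220", "1:502", "1:501"), rt("1:220", "1:501")),
] + CENTRAL[2:]

if __name__ == "__main__":
    r = reachable(OVERLAPPING)
    print("A-1 <-> A-Cent:", ("A-1", "A-Cent") in r)        # True
    print("A-Cent <-> B-Cent:", ("A-Cent", "B-Cent") in r)  # True
    print("A-1 <-> B-Cent:", ("A-1", "B-Cent") in r)        # False
    print("central leaks:", client_leaks(CENTRAL, {"CustomerA", "CustomerB"}))        # set()
    print("leaky variant:", client_leaks(CENTRAL_LEAKY, {"CustomerA", "CustomerB"}))  # {('CustomerB', 'CustomerA')}
```

In the leaky variant CustomerB and CustomerA are still not bidirectionally reachable (CustomerA never imports CustomerB's RTs), yet CustomerB's VRF already carries CustomerA's prefixes; a review of RT imports should therefore test one-way visibility, not only end-to-end reachability.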
Customers run a simple VPN.
Only A-Central and B-Central need access to central servers.
Solution:
- Combine a simple VPN and central services VPN.
- Configure a separate VPN per customer.
- Configure a separate VRF for central servers.
- Configure a separate VRF for clients that need access to central servers (per site).

Combination of rules from:
- Overlapping VPN
- Central services VPN
Only central sites need access to central servers.
Configuration steps:
- Configure the customer VPN import-export RT in all VRFs participating in the customer VPN.
- Configure a unique import-export RT in every VRF that is only a client of central servers.
- Configure the central services import and export RTs in VRFs that participate in the central services VPN.

Selective import:
- This feature allows you to specify additional criteria for importing routes into the VRF.
Selective export:
- This feature allows you to specify additional RTs that are attached to exported routes.

VRF import criteria are more specific than just the match in RT:
- Import only routes with specific BGP attributes
- Import routes with specific prefixes or subnet masks
Route policy is used to make the route import selection more specific.
Use the import route-policy <name> command in VRF configuration submode.

[Figure: Customer A site attached to PE-1; PE-1 and PE-2 connected across the MPLS backbone.]

PE-1:
vrf CustomerA
 address-family ipv4 unicast
  import route-policy CustA-Policy
  import route-target
   1:210
  !
  export route-target
   1:210
  !
!
route-policy CustA-Policy
  if destination in (192.168.1.0/24) then
    pass
  endif
end-policy

Routes from a VRF might have to be exported with different RTs:
- Export management routes with particular RTs.
An export route policy is used to set extended community RTs.

[Figure: Customer A site attached to PE-1; PE-1 and PE-2 connected across the MPLS backbone.]

PE-1:
vrf CustomerA
 address-family ipv4 unicast
  import route-target
   1:210
  !
  export route-policy ExportPol
  export route-target
   1:210
  !
!
route-policy ExportPol
  if destination in (192.168.1.0/24) then
    set extcommunity rt 1:555 additive
  else
    pass
  endif
end-policy

Managed CE Router Service

Service providers use a network management VPN to manage the CE routers of all VPNs:
- The central NMS server needs access to the loopback address of all CE routers.
- Similar to central services and simple VRFs
- CE routers participate in the central services VPN.
- Only loopback addresses of the CE routers are exported into the central services VPN.

Create one VRF per customer VPN per PE router:
- Assign the same RD to each customer VRF.
Create an NMS VRF on the central services PE router:
- Assign a unique RD to the NMS VRF.

[Figure: Customer A (1) and Customer A (2), RD 1:210, and Customer B (1) and Customer B (2), RD 1:220, attached to PE1 and PE2 across the MPLS backbone; NMS Server, RD 1:500, attached to PE-CS.]

[Figure: Customer A (1) and Customer A (2), RD 1:210, and Customer B (1) and Customer B (2), RD 1:220, attached to PE1 and PE2 across the MPLS backbone; NMS Server, RD 1:500, attached to PE-CS.]

PE1:
vrf CustomerA
 address-family ipv4 unicast
  import route-target
   1:210
   1:500
  export route-policy MGMT_Pol
  export route-target
   1:210
!
route-policy MGMT_Pol
  if destination in (192.168.1.0/24) then
    set extcommunity rt 1:501 additive
  else
    pass
  endif
end-policy

PE-CS:
vrf NMS_Servers
 address-family ipv4 unicast
  import route-target
   1:500
   1:501
  export route-target
   1:500
!

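The selective import policy (CustA-Policy), the selective export policies (ExportPol, MGMT_Pol) and the NMS_Servers VRF above can be exercised with the following Python model. It is an added example and not part of the Cisco course material: it emulates how the route-policy prefix match decides which RTs a route carries on export (base export RT always, the additive RT only for matching destinations) and which routes an import policy lets through. The CE loopback prefixes 192.168.1.1/32 and 192.168.1.2/32, the LAN prefixes 10.1.0.0/16 and 10.2.0.0/16, and the modelled order of operations (RT match first, then the import policy) are constructed assumptions; RT values and policy names follow the slides.

```python
"""Selective import/export route policies and the managed CE (NMS) VRF.
Added example, not part of the Cisco course material."""
from dataclasses import dataclass, replace
from ipaddress import ip_network


@dataclass(frozen=True)
class Route:
    prefix: str
    rts: frozenset          # extended-community route targets carried


def in_prefix_set(prefix, prefix_set):
    """Emulates 'if destination in (...)': true when prefix lies inside any block."""
    net = ip_network(prefix)
    return any(net.subnet_of(ip_network(block)) for block in prefix_set)


def export_policy(route, base_rts, mgmt_set, mgmt_rt):
    """MGMT_Pol: 'set extcommunity rt <mgmt_rt> additive' for mgmt prefixes, else pass."""
    rts = set(base_rts)                     # 'export route-target 1:210' applies to all
    if in_prefix_set(route.prefix, mgmt_set):
        rts.add(mgmt_rt)                    # additive: the base RT stays attached
    return replace(route, rts=frozenset(rts))


def import_routes(routes, import_rts, import_policy=None):
    """A VRF imports a route when an attached RT matches and the policy passes.

    Modelling assumption: RT match first, then the optional import policy.
    """
    accepted = []
    for route in routes:
        if not route.rts & import_rts:
            continue
        if import_policy is not None and not import_policy(route):
            continue
        accepted.append(route)
    return accepted


# Constructed routes originating in vrf CustomerA on PE1 (before export).
CUSTOMER_A_ROUTES = [
    Route("192.168.1.1/32", frozenset()),   # CE router loopback (management)
    Route("192.168.1.2/32", frozenset()),   # second CE router loopback
    Route("10.1.0.0/16", frozenset()),      # customer LAN, must not reach the NMS VRF
    Route("10.2.0.0/16", frozenset()),
]
MGMT_PREFIXES = ("192.168.1.0/24",)         # prefix set used by MGMT_Pol and CustA-Policy


def customer_a_exports():
    """VPNv4 routes PE1 advertises from vrf CustomerA after MGMT_Pol."""
    return [export_policy(r, {"1:210"}, MGMT_PREFIXES, "1:501")
            for r in CUSTOMER_A_ROUTES]


def nms_view():
    """Prefixes vrf NMS_Servers (import route-target 1:500, 1:501) receives."""
    return [r.prefix for r in
            import_routes(customer_a_exports(), frozenset({"1:500", "1:501"}))]


def remote_customer_a_view():
    """Prefixes another CustomerA VRF (import route-target 1:210, 1:500) receives."""
    return [r.prefix for r in
            import_routes(customer_a_exports(), frozenset({"1:210", "1:500"}))]


def cust_a_policy(route):
    """CustA-Policy: 'if destination in (192.168.1.0/24) then pass'."""
    return in_prefix_set(route.prefix, MGMT_PREFIXES)


def selective_import_view():
    """Prefixes a CustomerA VRF with 'import route-policy CustA-Policy' keeps."""
    return [r.prefix for r in
            import_routes(customer_a_exports(), frozenset({"1:210"}), cust_a_policy)]


def nms_leaks():
    """Non-management prefixes that reached the NMS VRF; must be empty."""
    return [p for p in nms_view() if not in_prefix_set(p, MGMT_PREFIXES)]


if __name__ == "__main__":
    print("NMS VRF sees:", nms_view())                     # ['192.168.1.1/32', '192.168.1.2/32']
    print("remote Customer A sees:", remote_customer_a_view())  # all four prefixes
    print("selective import keeps:", selective_import_view())   # the two loopbacks
    print("leaked to NMS:", nms_leaks())                   # []
```

The nms_leaks check is the operational test behind "only loopback addresses of the CE routers are exported into the central services VPN": if MGMT_Pol were widened, or if the NMS VRF imported RT 1:210 directly, customer LAN prefixes would appear in that list.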
Overlapping VPNs are used to provide connectivity between segments in two VPNs.
Central services VPNs offer the following:
- Customers can access common services.
- Customers cannot communicate with each other.
- Route policies can be used for selective route import and export.
Service providers can access the management loopback interface of CE routers. Service providers use:
- NMS VRF
- Export route policy