Using MPLS/VPN for Policy Routing
Walt Prue, with significant help from Ken Lindahl and Jim Warner
Sponsored by CENIC (Corporation for Education Network Initiatives in California)
7/8/2015
Introduction
Cisco suggested MPLS/VPN as a possible solution to CENIC’s policy routing needs.
CENIC needs to know if it will scale to the requirements of the network.
Agenda
Define the problem
Examine Cisco’s ability to solve our problem
Viability of Cisco’s solution
Juniper’s compatibility with Cisco’s MPLS/VPN
Overview
Does it scale to 100,000+ routes?
Can the existing equipment be used?
Can it be maintained?
Can CENIC introduce the technology with minimal disruption?
Can Junipers play too?
Vocabulary
MPLS (MultiProtocol Label Switching)
VPN (Virtual Private Network)
VRF (VPN Routing and Forwarding)
PE (Provider Edge) router
P (Provider) router
CE (Customer Edge) router
MPLS
[Slide diagram: an IP packet is carried across an MPLS core of PE, P and PE routers. The MPLS shim header has four fields: Label, Exp, S and TTL. The packet carries label 14, then 23, then 17 as each router swaps the incoming tag for an outgoing one; the egress PE removes the label ("-") and forwards the plain IP packet.]

Label tables shown on the slide ("…" marks rows omitted on the slide):

PE (ingress)   Tag in   Tag out   I/F out
               1        55        4
               …        …         …
               14       23        2

P              Tag in   Tag out   I/F out
               1        44        7
               …        …         …
               23       17        1

PE (egress)    Tag in   Tag out   I/F out
               1        72        9
               …        …         …
               17       -         6
MPLS Issues
MPLS over ethernet
MTU discovery
TTL
Traceroute Across MPLS Enabled Net
MPLS and ATM
MPLS/VPN
[Slide diagram: two PE routers, 10.1.1.1 and 134.1.17.1, each configured with a VRF for customer cust-a:]
ip vrf cust-a
 rd 1:100
 route-target export 1:100
 route-target import 1:100
[The BGP table carries the customer route 10.1.1.0 with RD 1:100 attached. The cust-a VRF table lists Route / Nexthop pairs: 10.1.1.0 via 10.1.1.1, 192.168.6.0 via 10.1.1.1 (shown with RD 1:100), 128.2.0.0 via 134.1.17.1, and 128.1.0.0.]
Policy Routing on CENIC
[Slide diagram: the CENIC topology, with ISP-A, ISP-B, Cisco and ESnet connected alongside the SB, CIT (Caltech), UCLA and USC campuses.]
Routing Connectivity Matrix
[Slide table: a matrix of which networks can receive routes from which, with ISPA, ISPB, SB, Cisco, Caltech, UCLA, USC and ESnet as both rows and columns. Cells are marked X or -, and the ISPA/ISPB cells are marked X*; the individual cell values did not survive extraction.]
KEY
X means can receive these routes
- means can not receive these routes
* Theoretically ISPA could transit to ISPB, but we will use BGP filters to block this kind of routing. MPLS/VPN, however, won’t block such traffic.
Cisco’s MPLS/VPN
Current rel. 12 software can’t support 100,000 routes
Engine 1 gigabit ethernet ports couldn’t support MPLS/VPN
MPLS/VPN doesn’t currently support multicast
Cisco can forward MPLS traffic at near OC-12 line rates with engine 0 line cards
A workaround solution exists for the multicast and 100,000 routes problems
Configuring and Maintaining MPLS/VPN
Configuration and syntax were straightforward (see below)
Troubleshooting was reasonable but a bit different from what network engineers are used to
Installing on the existing network would be disruptive
Each campus would need two logical ports for access to multicast and ISP service (used to reduce installation disruption)
Cisco has MPLS/VPN tools available
Syntax (Global)
ip vrf VPN-A
 rd 52:1
 route-target import 12334:1
 route-target import 4556:1
 route-target export 52:1
 route-target import 52:1
Per CE I/F
interface serial0
 ip vrf forwarding VPN-A
 ip address 10.1.2.3 255.255.255.0
Per Trunk I/F
interface serial4/0/0
 mpls ip
 mpls label protocol ldp
 ip address 1.2.3.4 255.255.255.0
Or globally as:
mpls label protocol ldp
Routing
router bgp 11422
 no bgp default ipv4-unicast
 neighbor 2.3.4.5 remote-as 11422
 neighbor 2.3.4.5 update-source loopback0
 ...
Routing (cont.)
 address-family ipv4 vrf VPN-A
  neighbor 1.2.3.4 remote-as 52
  neighbor 1.2.3.4 activate
  no auto-summary
  no synchronization
 exit-address-family
 address-family vpnv4
  neighbor 2.3.4.5 activate
  neighbor 2.3.4.5 send-community extended
 exit-address-family
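The route-target import/export lines in the VRF and BGP syntax above are what decide which routes land in which VRF table, which is exactly what the connectivity matrix records. The following is an added example, not from the slides: a small Python model of that RFC 2547 distribution logic, using the slide's VPN-A values (rd 52:1; import 12334:1, 4556:1, 52:1; export 52:1) and two hypothetical upstream VRFs named ISP-A and ISP-B whose RD/RT values and prefixes are constructed.

```python
from dataclasses import dataclass

@dataclass
class Vrf:
    name: str
    rd: str                 # route distinguisher, e.g. "52:1"
    export_rt: frozenset    # route-target extended communities attached on export
    import_rt: frozenset    # route-target values this VRF accepts on import
    prefixes: frozenset = frozenset()   # IPv4 routes learned from the attached CE

def vpnv4_table(vrfs):
    """VPNv4 routes a PE originates: ('RD:prefix', RTs). The RD keeps overlapping
    customer prefixes distinct in MP-BGP; the RTs decide who may import them."""
    return [(f"{v.rd}:{p}", v.export_rt) for v in vrfs for p in sorted(v.prefixes)]

def import_routes(vrf, vpnv4):
    """A VRF imports every VPNv4 route carrying at least one of its import RTs.
    The RD is stripped on import, leaving a plain IPv4 prefix in the VRF table."""
    return sorted(route.split(":", 2)[2] for route, rts in vpnv4 if rts & vrf.import_rt)

def connectivity_matrix(vrfs):
    """Who can receive whose routes: matrix[receiver][source] is True when the
    source exports an RT that the receiver imports (the slide's 'X')."""
    return {r.name: {s.name: bool(s.export_rt & r.import_rt) for s in vrfs} for r in vrfs}

# Constructed sample (hypothetical names and prefixes): the slide's VPN-A VRF plus
# two upstream VRFs whose RT values are the 12334:1 and 4556:1 that VPN-A imports.
# Each ISP imports the campus RT 52:1 but not the other ISP's RT.
VRFS = [
    Vrf("VPN-A", "52:1", frozenset({"52:1"}), frozenset({"12334:1", "4556:1", "52:1"}),
        frozenset({"10.1.2.0/24"})),
    Vrf("ISP-A", "12334:1", frozenset({"12334:1"}), frozenset({"12334:1", "52:1"}),
        frozenset({"0.0.0.0/0"})),
    Vrf("ISP-B", "4556:1", frozenset({"4556:1"}), frozenset({"4556:1", "52:1"}),
        frozenset({"128.2.0.0/16"})),
]

def campus_table():
    """Routes the campus VRF ends up with: both ISPs plus its own prefix."""
    return import_routes(VRFS[0], vpnv4_table(VRFS))

def isp_a_table():
    """Routes ISP-A ends up with: the campus prefix but nothing from ISP-B."""
    return import_routes(VRFS[1], vpnv4_table(VRFS))

if __name__ == "__main__":
    for v in VRFS:
        print(v.name, import_routes(v, vpnv4_table(VRFS)))
    m = connectivity_matrix(VRFS)
    print("ISP-A receives ISP-B routes:", m["ISP-A"]["ISP-B"])  # False: the slide's '-'
```

Route-target import lists express the matrix in the control plane only; as the matrix footnote says, they do not by themselves stop traffic from transiting a VRF that holds routes to both ISPs.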
Junipers and MPLS/VPN
Compatible if LDP is used instead of Cisco’s tag distribution protocol
A bit more complex to configure
Can handle 200,000+ routes
Can forward at OC-12 line rates
Summary
MPLS/VPN can be used to solve our policy routing problems
Ciscos can’t do MPLS/VPN with full routes or multicast support today
With a modified network design, MPLS/VPN may be our solution
Where to Get More Information
RFC 2547, BGP/MPLS VPNs
RFC 3031, Multiprotocol Label Switching Architecture
MPLS and VPN Architectures, Cisco Press
Juniper Documentation CD-ROM, Release 5.0