
MPLS and VPN Architectures, Volume II
By Jim Guichard, Ivan Pepelnjak, Jeff Apcar

Publisher: Cisco Press
Pub Date: June 06, 2003
ISBN: 1-58705-112-5
Pages: 504

With MPLS and VPN Architectures, Volume II, you'll learn:

• How to integrate various remote access technologies into the backbone providing VPN service to many different types of customers
• The new PE-CE routing options as well as other advanced features, including per-VPN Network Address Translation (PE-NAT)
• How VRFs can be extended into a customer site to provide separation inside the customer network
• The latest MPLS VPN security features and designs aimed at protecting the MPLS VPN backbone
• How to carry customer multicast traffic inside a VPN
• The latest inter-carrier enhancements to allow for easier and more scalable deployment of inter-carrier MPLS VPN services
• Advanced troubleshooting techniques including router outputs to ensure high availability

MPLS and VPN Architectures, Volume II, builds on the best-selling MPLS and VPN Architectures, Volume I (1-58705-002-1), from Cisco Press. Extending into more advanced topics and deployment architectures, Volume II provides readers with the necessary tools they need to deploy and maintain a secure, highly available VPN.

MPLS and VPN Architectures, Volume II, begins with a brief refresher of the MPLS VPN Architecture. Part II describes advanced MPLS VPN connectivity including the integration of service provider access technologies (dial, DSL, cable, Ethernet) and a variety of routing protocols (IS-IS, EIGRP, and OSPF), arming the reader with the knowledge of how to integrate these features into the VPN backbone. Part III details advanced deployment issues including security, outlining the necessary steps the service provider must take to protect the backbone and any attached VPN sites, and also detailing the latest security features to allow more advanced topologies and filtering. This part also covers multi-carrier MPLS VPN deployments. Finally, Part IV provides a methodology for advanced MPLS VPN troubleshooting.

MPLS and VPN Architectures, Volume II, also introduces the latest advances in customer integration, security, and troubleshooting features essential to providing the advanced services based on MPLS VPN technology in a secure and scalable way. This book is part of the Networking Technology Series from Cisco Press, which offers networking professionals valuable information for constructing efficient networks, understanding new technologies, and building successful careers.


Table of Contents

Copyright
About the Authors
About the Technical Reviewers
About the Content Reviewer
Acknowledgments
Introduction
    Who Should Read This Book?
    How This Book Is Organized
    Icons Used in This Book
    Command Syntax Conventions

Part I. Introduction
  Chapter 1. MPLS VPN Architecture Overview
    MPLS VPN Terminology
    Connection-Oriented VPNs
    Connectionless VPNs
    MPLS-Based VPNs
    New MPLS VPN Developments
    Summary

Part II. Advanced PE-CE Connectivity
  Chapter 2. Remote Access to an MPLS VPN
    Feature Enhancements for MPLS VPN Remote Access
    Overview of Access Protocols and Procedures
    Providing Dial-In Access to an MPLS VPN
    Providing Dial-Out Access via LSDO
    Providing Dial-Out Access Without LSDO (Direct ISDN)
    Providing Dial Backup for MPLS VPN Access
    Providing DSL Access to an MPLS VPN
    Providing Cable Access to an MPLS VPN
    Advanced Features for MPLS VPN Remote Access
    Summary
  Chapter 3. PE-CE Routing Protocol Enhancements and Advanced Features
    PE-CE Connectivity: OSPF
    PE-CE Connectivity: Integrated IS-IS
    PE-CE Connectivity: EIGRP
    Summary
  Chapter 4. Virtual Router Connectivity
    Configuring Virtual Routers on CE Routers
    Linking the Virtual Router with the MPLS VPN Backbone
    VRF Selection Based on Source IP Address
    Performing NAT in a Virtual Router Environment
    Summary

Part III. Advanced Deployment Scenarios
  Chapter 5. Protecting the MPLS-VPN Backbone
    Inherent Security Capabilities
    Neighbor Authentication
    CE-to-CE Authentication
    Control of Routes That Are Injected into a VRF
    PE to CE Circuits
    Extranet Access
    Internet Access
    IPSec over MPLS
    Summary
  Chapter 6. Large-Scale Routing and Multiple Service Provider Connectivity
    Large Scale Routing: Carrier's Carrier Solution Overview
    Label Distribution Protocols on PE-CE Links
    BGP-4 Between PE/CE Routers
    Carrier Backbone Connectivity
    Hierarchical VPNs: Carrier's Carrier MPLS VPNs
    VPN Connectivity Between Different Service Providers
    Summary
  Chapter 7. Multicast VPN
    Introduction to IP Multicast
    Enterprise Multicast in a Service Provider Environment
    mVPN Architecture
    MDTs
    Case Study of mVPN Operation in SuperCom
    Summary
  Chapter 8. IP Version 6 Transport Across an MPLS Backbone
    IPv6 Business Drivers
    Deployment of IPv6 in Existing Networks
    Quick Introduction to IPv6
    In-Depth 6PE Operation and Configuration
    Complex 6PE Deployment Scenarios
    Summary

Part IV. Troubleshooting
  Chapter 9. Troubleshooting of MPLS-Based Solutions
    Introduction to Troubleshooting of MPLS-Based Solutions
    Troubleshooting the MPLS Backbone
    Other Quick Checks
    MPLS Control Plane Troubleshooting
    MPLS Data Plane Troubleshooting
    MPLS VPN Troubleshooting
    In-Depth MPLS VPN Troubleshooting
    Summary

Index

Copyright

Copyright © 2003 Cisco Systems, Inc. Cisco Press logo is a trademark of Cisco Systems, Inc.

Published by:
Cisco Press
201 West 103rd Street
Indianapolis, IN 46290 USA

All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review.

Printed in the United States of America 1 2 3 4 5 6 7 8 9 0

Library of Congress Cataloging-in-Publication Number: 619472051122

Warning and Disclaimer

This book is designed to provide information about MPLS and VPN architectures. Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied.

The information is provided on an "as is" basis. The authors, Cisco Press, and Cisco Systems, Inc. shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the discs or programs that may accompany it.

The opinions expressed in this book belong to the authors and are not necessarily those of Cisco Systems, Inc.

Trademark Acknowledgments

All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Cisco Press or Cisco Systems, Inc. cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.

Feedback Information

At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community.

Readers' feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us through e-mail at feedback@ciscopress.com. Please make sure to include the book title and ISBN in your message.

We greatly appreciate your assistance.

Credits

Publisher: John Wait
Editor-In-Chief: John Kane
Cisco Representative: Anthony Wolfenden
Cisco Press Program Manager: Sonia Torres Chavez
Manager, Marketing Communications, Cisco Systems: Scott Miller
Cisco Marketing Program Manager: Edie Quiroz
Acquisitions Editor: Amy Moss
Production Manager: Patrick Kanouse
Development Editor: Grant Munroe
Project Editor: Lori Lyons
Copy Editor: Karen A. Gill
Technical Editors: Matt Birkner, Dan Tappan
Content Editor: Monique Morrow
Team Coordinator: Tammi Ross
Book Designer: Gina Rexrode
Cover Designer: Louisa Adair
Production Team: Mark Shirar
Indexer: Tim Wright

Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706 USA
www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100

European Headquarters
Cisco Systems International BV
Haarlerbergpark
Haarlerbergweg 13-19
1101 CH Amsterdam
The Netherlands
www-europe.cisco.com
Tel: 31 0 20 357 1000
Fax: 31 0 20 357 1100

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706 USA
www.cisco.com
Tel: 408 526-7660
Fax: 408 527-0883

Asia Pacific Headquarters
Cisco Systems, Inc.
Capital Tower
168 Robinson Road
#22-01 to #29-01
Singapore 068912
www.cisco.com
Tel: +65 6317 7777
Fax: +65 6317 7799

Cisco Systems has more than 200 offices in the following countries and regions. Addresses, phone numbers, and fax numbers are listed on the Cisco.com Web site at www.cisco.com/go/offices.

Argentina • Australia • Austria • Belgium • Brazil • Bulgaria • Canada • Chile • China PRC • Colombia • Costa Rica • Croatia • Czech Republic • Denmark • Dubai, UAE • Finland • France • Germany • Greece • Hong Kong SAR • Hungary • India • Indonesia • Ireland • Israel • Italy • Japan • Korea • Luxembourg • Malaysia • Mexico • The Netherlands • New Zealand • Norway • Peru • Philippines • Poland • Portugal • Puerto Rico • Romania • Russia • Saudi Arabia • Scotland • Singapore • Slovakia • Slovenia • South Africa • Spain • Sweden • Switzerland • Taiwan • Thailand • Turkey • Ukraine • United Kingdom • United States • Venezuela • Vietnam • Zimbabwe

Copyright © 2003 Cisco Systems, Inc. All rights reserved. CCIP, CCSP, the Cisco Arrow logo, the Cisco Powered Network mark, the Cisco Systems Verified logo, Cisco Unity, Follow Me Browsing, FormShare, iQ Net Readiness Scorecard, Networking Academy, and ScriptShare are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, The Fastest Way to Increase Your Internet Quotient, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherSwitch, Fast Step, GigaStack, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, LightStream, MGX, MICA, the Networkers logo, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, RateMUX, Registrar, SlideCast, SMARTnet, StrataView Plus, Stratm, SwitchProbe, TeleRouter, TransPath, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries.

All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0303R)

Printed in the USA

Dedications

To my wife Sadie, for putting up with me writing another book and the long lonely nights associated with such an undertaking. To my children Aimee and Thomas, who always help to keep me smiling.—Jim

To my wife Karmen, who was always there when I needed encouragement or support. To my children Maja and Monika, who waited patiently for my attention on too many occasions.—Ivan

To my wife Anne, who is an exceptional person in every way. To my children Caitlin, Conor, and especially Ronan: Despite his constant efforts to reboot my PC, I managed to lose a draft only once.—Jeff


About the Authors
Jim Guichard, CCIE No. 2069, is a Technical Leader II within the Internet Technologies Division (ITD) at Cisco Systems. During the past six years at Cisco and previously at IBM, Jim has been involved in the design, implementation, and planning of many large-scale WAN and LAN networks. His breadth of industry knowledge, hands-on experience, and understanding of complex internetworking architectures have enabled him to provide valued assistance to many of Cisco's larger service provider customers. His previous publications include MPLS and VPN Architectures, by Cisco Press.

Ivan Pepelnjak, CCIE No. 1354, is the Chief Technology Advisor and member of the board with NIL Data Communications (www.NIL.si), a high-tech data communications company that focuses on providing high-value services in new-world service provider technologies. Ivan has more than 10 years of experience in designing, installing, troubleshooting, and operating large corporate and service provider WAN and LAN networks, several of them already deploying MPLS-based virtual private networks (VPNs). He is the author or lead developer of a number of highly successful advanced IP courses covering MPLS/VPN, BGP, OSPF, and IP QoS, and he is the architect of NIL's remote lab solution. Ivan's previous publications include MPLS and VPN Architectures and EIGRP Network Design Solutions, by Cisco Press.

Jeff Apcar is a Senior Design Consulting Engineer in the Asia Pacific Advanced Services group at Cisco Systems. He is one of the Cisco lead consultants on MPLS in the region and has designed MPLS networks for many service providers in AsiaPac using packet-based and cell-based MPLS. Jeff has also designed and maintained large IP router networks (500+ nodes) and has a broad and deep range of skills covering many facets of networking communications. Jeff has more than 24 years of experience in data communications and holds Dip. Tech (Information Processing) and B.App.Sc (Computing Science) (Hons) from the University of Technology, Sydney, Australia.

About the Technical Reviewers
Matthew H. Birkner, CCIE No. 3719, is a Technical Leader at Cisco Systems, specializing in IP and MPLS network design. He has influenced multiple large carrier and enterprise designs worldwide. Matt has spoken at Cisco Networkers on MPLS VPN technologies in both the U.S. and EMEA over the past few years. A "double CCIE", he has published the Cisco Press book, Cisco Internetwork Design. Matt holds a BSEE from Tufts University, where he majored in electrical engineering.

Dan Tappan is a distinguished engineer at Cisco Systems. He has 20 years of experience with internetworking, having worked on the ARPANET transition from NCP to TCP at Bolt, Beranek, and Newman. For the past several years, Dan has been the technical lead for Cisco's implementation of MPLS (tag switching) and MPLS/VPNs.


About the Content Reviewer
Monique Morrow is currently CTO Consulting Engineer at Cisco Systems, Inc. She has 20 years of experience in IP internetworking that includes design, implementation of complex customer projects, and service development for service providers. Monique has been involved in developing managed network services such as remote access and LAN switching in a service provider environment. She has worked for both enterprise and service provider companies in the United States and in Europe. She led the Engineering Project team for one of the first European MPLS-VPN deployments in 1999 for a European service provider.

Acknowledgments
Every major project is a result of teamwork, and this book is no exception. We'd like to thank everyone who helped us in the long writing process: our development editor, Grant Munroe, who helped us with the intricacies of writing a book; the rest of the editorial team from Cisco Press; and especially our reviewers, Dan Tappan, Matt Birkner, and Monique Morrow. They not only corrected our errors and omissions, but they also included several useful suggestions to improve the quality of this publication.

Jeff would like to thank his management team Tony Simonsen, Michael Lim, and Steve Smith, for providing the time and encouragement to do the book. Also special thanks to the guys in the AsiaPac Lab Group, Nick Stathakis, Ron Masson, and George Lerantges, who let him hog lots of gear. Last, Jeff would like to thank Jim and Ivan for inviting him to collaborate with them.

Finally, this book would never have been written without the continuous support and patience of our families, especially our wives, Sadie, Karmen, and Anne.

Introduction
Since our first MPLS book (MPLS and VPN Architectures) was published by Cisco Press a few years ago, MPLS has matured from a hot leading-edge technology—supporting Internet services and leased-line–based VPN solutions—to a set of solutions that are successfully deployed in large-scale service provider networks worldwide. A number of additional solutions had to be developed to support the needs of these networks, and many additional IOS services were made VPN-aware to enable the service providers to deploy the services they were already offering within the new architectural framework. Therefore, it was a natural step to continue on the path we charted with the first book and describe the enhancements made to the MPLS architecture or its implementation in Cisco IOS in MPLS and VPN Architectures: Volume II.

Who Should Read This Book?
This book is not designed to be an introduction to Multiprotocol Label Switching (MPLS) or virtual private networks (VPNs); Volume I (MPLS and VPN Architectures) provides you with that knowledge. This book is intended to tremendously increase your knowledge of advanced MPLS VPN deployment scenarios and enable you to deploy MPLS and MPLS VPN solutions in a variety of complex designs. Anyone who is involved in design, deployment, or troubleshooting of advanced or large-scale MPLS or MPLS VPN networks should read it.

How This Book Is Organized
Although this book could be read cover-to-cover, it is designed to be flexible and allow you to easily move between chapters and sections of chapters to cover just the material that you need more information on. If you do intend to read them all, the order in the book is an excellent sequence to use.

Part I: Introduction

Chapter 1, "MPLS VPN Architecture Overview," serves as a refresher to the information contained within MPLS and VPN Architectures. It does not describe the MPLS or MPLS VPN technology in detail; if you need baseline MPLS or MPLS VPN knowledge, read MPLS and VPN Architectures: Volume I first.

Part II: Advanced PE-CE Connectivity

Chapter 2, "Remote Access to an MPLS VPN," discusses integration of access technologies such as dial, DSL, and cable into an MPLS VPN backbone. This chapter shows how you can integrate various access technologies into the backbone, thereby providing VPN service to many types of customers.

Chapter 3, "PE-CE Routing Protocol Enhancements and Advanced Features," builds on Volume I of the MPLS and VPN Architectures book and introduces more advanced options/features for OSPF connectivity as well as support for the IS-IS and EIGRP routing protocols.

Chapter 4, "Virtual Router Connectivity," discusses the use of the VRF constructs to build virtual router type connectivity, extending the VRF concept to the CE router. This chapter also discusses new VRF-related features, including VRF-lite and PE-based network address translation (PE-NAT).

Part III: Advanced Deployment Scenarios

Chapter 5, "Protecting the MPLS-VPN Backbone," looks at various security issues within the backbone and describes the necessary steps that a service provider must take to protect the backbone and any attached customer VPN sites.

Chapter 6, "Large-Scale Routing and Multiple Service Provider Connectivity," describes the advanced features, designs, and topologies that were made possible with the enhancements to Cisco IOS since the first MPLS and VPN Architectures book was written.

Chapter 7, "Multicast VPN," discusses the deployment of IP multicast between VPN client sites.

Chapter 8, "IP Version 6 Across an MPLS Backbone," discusses a model (6PE) that gives the service providers an option to provide IPv6 connectivity across an MPLS-enabled IPv4 backbone.

Part IV: Troubleshooting

Chapter 9, "Troubleshooting of MPLS-Based Solutions," provides a streamlined methodology for identifying faults in MPLS solutions and troubleshooting an MPLS VPN backbone.

Icons Used in This Book
Throughout this book, you will see the following icons used for networking devices:
The following icons are used for peripherals and other devices:

The following icons are used for networks and network connections:

Command Syntax Conventions
The conventions used to present command syntax in this book are the same conventions used in the IOS Command Reference. The Command Reference describes these conventions as follows:

Vertical bars (|) separate alternative, mutually exclusive elements.

Square brackets [ ] indicate optional elements.

Braces { } indicate a required choice.

Braces within brackets [{ }] indicate a required choice within an optional element.

Boldface indicates commands and keywords that are entered literally as shown. In actual configuration examples and output (not general command syntax), boldface indicates commands that are manually input by the user (such as a show command).

Italics indicate arguments for which you supply actual values.

Part I: Introduction
Chapter 1 MPLS VPN Architecture Overview

Chapter 1. MPLS VPN Architecture Overview

Virtual private networks (VPNs) have recently received a lot of attention from equipment manufacturers, consultants, network designers, service providers, large enterprises, and end users due to their cost advantages over traditional enterprise networks. As with most technologies, the foundation for today's VPN networks and underlying technologies was created more than 20 years ago. During its development, end users discovered that it made financial sense to replace links between sites in their own private network with virtual connections across a shared infrastructure. The assumption for doing this was that a shared environment (or VPN) is equivalent in terms of security and privacy to the network (links) it was replacing.

This chapter reviews the basic Multiprotocol Label Switching (MPLS) and MPLS-based VPN concepts and terminologies to ensure an understanding of the terms used in this book. It also covers the latest developments in the MPLS VPN arena and how they enable the service provider to offer new MPLS-based services, such as remote access into an MPLS-based VPN or Internet Protocol (IP) multicast within a VPN. These developments are also described in depth in later chapters.

NOTE

You can find more in-depth descriptions of these concepts and additional MPLS or VPN background information in Ivan Pepelnjak and Jim Guichard's MPLS and VPN Architectures (Volume I), published by Cisco Press, which is a prerequisite to understanding this book.

MPLS VPN Terminology
Since the early days of X.25 and Frame Relay (the two technologies initially used to deploy VPN services), many different technologies have been proposed as the basis to enable a VPN infrastructure. These ranged from Layer 2 technologies (X.25, Frame Relay, and Asynchronous Transfer Mode [ATM]) to Layer 3 technologies (primarily IP) or even Layer 7 technologies. IBM once had a product that transported IP datagrams over Systems Network Architecture (SNA) application sessions, and TGV (a company later acquired by Cisco Systems) had implemented IP transport over DECnet sessions. Not surprisingly, with such a variety of implementation proposals, the overall terminology in the field has changed dramatically. This book uses the terminology introduced with the MPLS-based VPN.

MPLS VPN-based terminology is based on a clear distinction between the service provider network (P-network) and the customer network (C-network), as shown in Figure 1-1.

Figure 1-1. MPLS VPN-Based Terminology
The P-network is always topologically contiguous, whereas the C-network is usually clearly delineated into a number of sites (contiguous parts of the customer network that are connected in some way other than through the VPN service). Note that a site does not need to be geographically contained; if the customer is using a VPN service for its international connectivity only, a site could span a whole country.

The devices that link the customer sites to the P-network are called customer edge (CE) devices, whereas the service provider devices to which the CE routers connect are called provider edge (PE) devices. In most cases, the P-network is made up of more than just the PE routers. These other devices are called P devices (or, if the P-network is implemented with Layer 3 technology, P routers). Similarly, the additional Layer 3 devices in the customer sites that have no direct connectivity to the P-network are called C routers.

VPN technologies have evolved into two major approaches toward implementing VPN services:

• Connection-oriented VPN— The PE devices provide virtual leased lines between the CE devices. These virtual leased lines are called virtual circuits (VCs). The VCs can be permanent, established out-of-band by the service provider network management team (called permanent virtual circuits, or PVCs). They can also be temporary, established on demand by the CE devices through a signaling protocol that the PE devices understand. (These VCs are called switched virtual circuits, or SVCs.)

• Connectionless VPN— The PE devices participate in the connectionless data transport between CE devices. It is unnecessary for the service provider or the customer to establish VCs in these VPNs, except perhaps between the PE and CE routers if the service provider uses switched WAN as its access network technology.

Connection-Oriented VPNs
Connection-oriented VPNs were the first ones to be introduced. They offer a number of clear advantages, including the following:
• The service provider does not need to understand the customer's network; the service provider just provides virtual circuits between the customer sites.

• The service provider is not involved in the customer's routing (as shown in Figures 1-2 and 1-3), and it doesn't need to know which Layer 3 protocols the customer is deploying. Consider, for example, the network shown in Figure 1-2. The VPN network is implemented with Frame Relay VCs; therefore, the service provider is unaware of the routing protocols that the customer is using. From the customer's routing perspective, the customer routers are directly adjacent (linked with virtual point-to-point links), as shown in Figure 1-3.

Figure 1-2. Connection-Oriented VPN: Physical Topology

Figure 1-3. Connection-Oriented VPN: Customer Routing Perspective

Connection-oriented VPNs also have several obvious disadvantages:

• All VCs between the customer sites have to be provisioned, either manually by the service provider network management team or by the CE devices. Even if the VCs are established automatically by the CE devices, these devices need to be configured with enough information to establish the links through the signaling protocol of choice.

• The CE routers must exchange the routing information with other CE routers, resulting in more router adjacencies, slower convergence, and generally more complex routing setups.

NOTE

If you are interested in more of the advantages and disadvantages of connection-oriented or connectionless VPNs, you can find them in Chapter 8, "Virtual Private Network (VPN) Implementation Options," of Jim Guichard and Ivan Pepelnjak's MPLS and VPN Architectures (Volume I), published by Cisco Press, 2002.

Modern connection-oriented VPNs are implemented with a variety of different technologies, including the following:

• They can be implemented with traditional connection-oriented Layer 2 technologies (X.25, Frame Relay, or ATM) or with connectionless Layer 2 technologies, such as virtual LANs (VLANs).

• They can also be implemented with tunnels that are established over public Layer 3 infrastructure (usually over public IP infrastructure—most commonly the Internet). These VPNs can use Layer 3 over Layer 3 tunnels, such as generic routing encapsulation (GRE), which is described in RFC 2784, or tunnels based on IP security (IPSec) technology. These VPNs can also use Layer 2 over Layer 3 tunnels, which are most commonly found in dial-up access networks to implement virtual private dialup networks (VPDNs).

Connectionless VPNs
Contrary to connection-oriented VPNs, connectionless VPNs propagate individual datagrams that the CE devices send across the P-network. This approach, although highly scalable as proven by today's Internet, does impose a number of limitations on the customers:
• The customers can use only the Layer 3 protocol that the service provider supports. This was a serious drawback a few years ago, but it is quickly becoming a moot issue because most networking devices now support IPv4.

• The customers must use addresses coordinated with the service provider. In a connectionless network, every P device must be able to forward every individual datagram to its final destination; therefore, each datagram must have a unique destination address, known to every P device, as shown in Figure 1-4.

Figure 1-4. Packet Propagation on Connectionless VPNs

The simplicity of CE router configuration in a connectionless VPN world, as well as the capability to support IP-based VPN services together with public IP services on the common infrastructure, prompted many service providers to consider the rollout of connectionless VPN services. However, the acceptance of these services was initially quite low because the customers were unwilling to renumber their existing network infrastructure to comply with the service provider's addressing requirement. Clearly, a different VPN technology was needed that would combine the benefits of a connectionless VPN (simple CE router configuration and lack of explicit provisioning of the virtual circuits) with the benefits of a connection-oriented VPN (such as the support of overlapping address spaces and the simplicity of data forwarding in the P devices).

MPLS-Based VPNs
MPLS-based VPN technology uses a combination of connection-oriented and connectionless VPN technologies, including the following features:
• The interface between the CE routers and the PE routers is connectionless. No additional configuration is needed on the CE devices.

• The PE routers use a modified IP forwarding paradigm; a distinct IP routing and forwarding table (called virtual routing and forwarding table, or VRF) is created for each customer.

• The customer's addresses are extended with 64-bit route distinguishers to make nonunique 32-bit IP addresses globally unique within the service providers' backbone. The resulting 96-bit addresses are called VPNv4 addresses.

• A single routing protocol is run between the PE routers for all VPN customers. Modified Border Gateway Protocol (BGP) with multiprotocol extensions is used in this function.

• The PE routers use MPLS-based VCs (called label-switched paths, or LSPs) to transport the customer's datagrams between PE routers. Additional MPLS labels are inserted in front of the customer's IP datagrams to ensure their proper forwarding from ingress PE routers toward the destination CE router.

• The LSPs between all PE routers are established automatically based on the IP topology of the P-network. It is unnecessary to configure or manually establish these paths.

• The mapping between the customer's destination addresses and LSPs leading toward the egress PE routers is performed automatically based on the BGP next-hops.

The following sections will briefly refresh your MPLS and MPLS VPN knowledge. For more in-depth discussion of the MPLS and MPLS VPN technology, please refer to Cisco Press's MPLS and VPN Architectures (Volume I). For more details on ATM-based MPLS implementations, refer to Advanced MPLS Design and Implementation, published by Cisco Press.

The MPLS Technology
In essence, the MPLS technology combines the richness of IP routing and the simplicity of hop-by-hop label switching of Frame Relay or ATM to provide the seamless integration of the connection-oriented forwarding with the IP world. Due to their dual nature (they operate on both the IP layer as well as the label-switching layer), the MPLS devices are called label switch routers (LSRs). This section describes the typical operation of MPLS devices, focusing on the simplest MPLS application: forwarding of IP datagrams across an MPLS network.

All devices in an MPLS network run IP routing protocols on their control plane to build IP routing tables. In MPLS devices that support IP forwarding, the IP routing tables are used to build IP forwarding tables, also called forwarding information base (FIB). In MPLS devices that support only label forwarding (such as the ATM switches with MPLS functionality), the IP forwarding table (FIB) does not exist. The IP routing operation of the MPLS control plane is shown in Figure 1-5.

Figure 1-5. LSRs Build the IP Routing Table

After the IP routing tables have been built, MPLS labels are assigned to individual entries in the IP routing table (individual IP prefixes) and propagated to adjacent MPLS devices through a Label Distribution Protocol (LDP).

NOTE

In usual MPLS operation, labels are not assigned to BGP destinations because the router always reaches BGP destinations through recursive lookup on BGP next-hop. Therefore, BGP destinations can be reached through the label that is associated with the BGP next-hop for those destinations.

Each MPLS device uses its own local label space; globally unique labels or centralized label assignment is unnecessary, making MPLS extremely robust and scalable. Every label assigned by an MPLS device is entered as an input label in its label forwarding information base (LFIB), which is the forwarding table used for label switching. The label assignment and distribution of an MPLS device are illustrated in Figure 1-6.

Figure 1-6. Control Plane Operations in an LSR

Most MPLS label assignments, both local as well as those made by adjacent devices, are entered into a table called the label information base (LIB). The label that the IP next-hop assigns for a particular IP prefix is entered as an output label in the local LFIB to enable pure label forwarding. In devices that support IP forwarding, such a label is also entered into the FIB to support IP-to-label forwarding.

After the IP routing tables, IP forwarding tables, and label forwarding tables have been built, the MPLS devices can start to forward IP traffic. All MPLS devices must support label forwarding; whenever they receive a labeled packet, they perform a label lookup in the LFIB, replace the input label with the output label, and forward the labeled packet to the next-hop LSR. Some MPLS devices (ingress LSRs) can receive IP datagrams, perform a lookup in the FIB, insert an MPLS label stack in front of the IP datagram based on information stored in the FIB, and forward the labeled packet to the next-hop LSR. The PE router within the MPLS VPN architecture is an example of such a device.

Other MPLS devices (egress LSRs) can receive labeled packets, perform an LFIB lookup, and (based on the absence of an output label in the LFIB) remove the label from the labeled datagram and forward the IP datagram to the next-hop IP router. In most cases, all LSRs in an MPLS network can act as both ingress and egress LSRs, the notable exception being ATM switches acting as LSRs. The various paths that an IP datagram or a labeled datagram can take through an LSR are displayed in Figure 1-7.
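The following Python model is an added example, not code from the book: it builds the IP routing table, LIB, LFIB and FIB of three LSRs on a constructed CE-A -- PE1 -- P -- PE2 -- CE-B path exactly in the order just described (local label per prefix, bindings exchanged with neighbours, output label taken from the IP next hop) and then traces one datagram through the ingress push, transit swap and egress pop. The topology, prefixes and label values are constructed for the illustration.

```python
"""Toy model of the three tables described above: FIB (prefix -> next hop, outgoing
label), LIB (every label binding the LSR knows, local and from neighbours) and LFIB
(incoming label -> next hop, outgoing label). Added example, not code from the book;
topology, prefixes and label values are constructed for illustration."""
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class LSR:
    name: str
    rib: dict[str, str]          # IP routing table: prefix -> next-hop device name
    # LIB: (prefix, advertising LSR) -> label; local bindings use this LSR's name
    lib: dict[tuple[str, str], int] = field(default_factory=dict)
    # FIB: prefix -> (next hop, outgoing label or None for plain IP forwarding)
    fib: dict[str, tuple[str, int | None]] = field(default_factory=dict)
    # LFIB: incoming label -> (next hop, outgoing label or None meaning "pop")
    lfib: dict[int, tuple[str, int | None]] = field(default_factory=dict)
    next_free: int = 16          # 0-15 are reserved; the label space is per LSR

    # ---- control plane -------------------------------------------------------
    def assign_local_labels(self) -> dict[str, int]:
        """Step 1: one local label per IP prefix; each becomes an LFIB input label."""
        local: dict[str, int] = {}
        for prefix, nh in self.rib.items():
            label, self.next_free = self.next_free, self.next_free + 1
            local[prefix] = label
            self.lib[(prefix, self.name)] = label
            self.lfib[label] = (nh, None)             # output label learned later
        return local

    def receive_bindings(self, neighbor: str, bindings: dict[str, int]) -> None:
        """Step 2 (label distribution): store what an adjacent LSR advertised."""
        for prefix, label in bindings.items():
            self.lib[(prefix, neighbor)] = label

    def build_forwarding_tables(self) -> None:
        """Step 3: the label assigned by the IP next hop becomes the output label in
        the LFIB (label-to-label) and in the FIB (IP-to-label). A next hop that sent
        no binding (a CE router) leaves it empty, which makes this LSR the egress."""
        for prefix, nh in self.rib.items():
            out = self.lib.get((prefix, nh))
            self.fib[prefix] = (nh, out)
            self.lfib[self.lib[(prefix, self.name)]] = (nh, out)

    # ---- data plane ----------------------------------------------------------
    def forward_ip(self, dst: str, stack: list[int]) -> tuple[str, list[int]]:
        """Ingress path: longest-match FIB lookup, push the outgoing label if any."""
        addr = ip_address(dst)
        matches = [p for p in self.fib if addr in ip_network(p)]
        if not matches:
            raise LookupError(f"{self.name}: no route to {dst}")
        nh, out = self.fib[max(matches, key=lambda p: ip_network(p).prefixlen)]
        return nh, ([out] + stack if out is not None else stack)

    def forward_labeled(self, stack: list[int]) -> tuple[str, list[int]]:
        """Transit/egress path: LFIB lookup on the top label, then swap it, or pop it
        when the entry carries no output label (the IP datagram goes on unlabeled)."""
        nh, out = self.lfib[stack[0]]                 # KeyError here: unknown label
        return nh, (stack[1:] if out is None else [out] + stack[1:])


def build_network() -> dict[str, LSR]:
    """Constructed topology CE-A -- PE1 -- P -- PE2 -- CE-B; two prefixes behind CE-B."""
    lsrs = {
        "PE1": LSR("PE1", {"10.2.0.0/16": "P", "10.3.0.0/16": "P"}),
        "P": LSR("P", {"10.2.0.0/16": "PE2", "10.3.0.0/16": "PE2"}),
        "PE2": LSR("PE2", {"10.2.0.0/16": "CE-B", "10.3.0.0/16": "CE-B"}),
    }
    local = {name: lsr.assign_local_labels() for name, lsr in lsrs.items()}
    for a, b in [("PE1", "P"), ("P", "PE2")]:        # bindings flow both ways
        lsrs[a].receive_bindings(b, local[b])
        lsrs[b].receive_bindings(a, local[a])
    for lsr in lsrs.values():
        lsr.build_forwarding_tables()
    return lsrs


def trace(lsrs: dict[str, LSR], dst: str) -> list[tuple[str, list[int]]]:
    """Inject one IP datagram from CE-A into PE1; record each receiving device and
    the label stack it sees (push at PE1, swap at P, pop at PE2)."""
    nh, stack = lsrs["PE1"].forward_ip(dst, [])
    hops = [(nh, stack)]
    while nh in lsrs:                                 # still inside the MPLS core
        nh, stack = lsrs[nh].forward_labeled(stack)
        hops.append((nh, stack))
    return hops


if __name__ == "__main__":
    for hop in trace(build_network(), "10.3.1.1"):
        print(hop)                        # ('P', [17]) ('PE2', [17]) ('CE-B', [])
```

Note that every LSR hands out label 16 for the first prefix: the same numeric label means something different on each device, which is the local label space the text refers to.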

Figure 1-7. Packet Forwarding in an LSR

The basic principle of MPLS has been extended to a variety of other applications, including these:

• MPLS traffic engineering (TE)— The modified link-state routing protocols (OSPF and IS-IS) are used to discover free resources in the network, labels are assigned through the Resource Reservation Protocol (RSVP), and the global FIB is modified based on MPLS TE labels.

• MPLS VPNs— Many FIBs are created (one or more per VPN customer), and Multiprotocol BGP is used to distribute the customer routing information and MPLS labels across the network.

• MPLS quality of service (QoS) in ATM environments— The standard LDP is modified to assign up to four labels for each IP prefix, with each label serving a different QoS class.

New MPLS applications are constantly emerging. For example, one of the new MPLS applications (also covered in this book) enables IPv6 transport across an MPLS network; IPv6 routing protocols are used to build IPv6 routing tables, which are then used as the basis for label assignment and distribution.

The large variety of MPLS applications still adheres to this common framework. Each application might have its own "routing protocol," its own LDP, and its own forwarding database. However, the MPLS applications all share a common LFIB, enabling the LSRs to transparently integrate new MPLS applications without affecting the existing services, as shown in Figure 1-8.

Figure 1-8. Multiple MPLS Applications in a Single LSR

The MPLS VPN Technology

As discussed previously, MPLS-based VPNs use a combination of connectionless VPNs between the customers and service providers (thus minimizing the provisioning complexity and cost) with connection-oriented VPNs in the network core (reducing the overhead on the P devices). Furthermore, several additional mechanisms have been implemented to allow the customers to use overlapping address spaces.

In a typical MPLS-VPN network, the CE routers and PE routers exchange the customer routes using any suitable IP routing protocol. These routes are inserted into VRFs on the PE routers, which guarantees the perfect isolation between customers. This process is illustrated in Figure 1-9, which details the internal structure of a PE router (San Jose) to which two VPN customers are connected (FastFood and EuroBank) and which also connects to a P router (Washington).

Figure 1-9. Virtual Routing Tables in a PE Router

When customer routes are placed into VRFs, the PE routers allocate a separate MPLS label that will be needed for VPN data forwarding to each customer route. The customer routes and associated MPLS labels are transported across the P-network using multiprotocol BGP. The customer IP addresses are augmented with a 64-bit route distinguisher before being inserted into the provider's BGP to ensure global uniqueness of potentially nonunique customer addresses. Additional BGP attributes (extended BGP communities) are used to control the exchange of routes between VRFs to allow the service providers to build VPN topologies that are almost impossible to build with any other VPN technology.
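The route distinguisher and extended-community mechanics described above, as an added example that is not code from the book or from Cisco IOS: a small Python model that encodes a VPNv4 NLRI (VPN label, RD, prefix), encodes route-target and site-of-origin extended communities, and applies the two rules a PE enforces with them, namely that a VRF imports only routes carrying one of its import route targets and that a route is never advertised back to the site whose SOO it carries. The AS number 65000, the RDs, the labels, the PE loopback 192.0.2.1 and the overlapping prefix 10.1.1.0/24 are constructed values; the FastFood and EuroBank names follow Figure 1-9.

```python
"""Added example (not from the book): VPNv4 route encoding, VRF import by route
target, and site-of-origin filtering. All ASNs, RDs, labels and prefixes are
constructed values."""
import ipaddress
import struct
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Set


def encode_rd(rd: str) -> bytes:
    """Route distinguisher (RFC 4364 sec. 4.2): 2-byte type + 6-byte value.
    'ASN:nn' -> type 0, 'A.B.C.D:nn' -> type 1, '4-byte-ASN:nn' -> type 2."""
    admin, nn = rd.rsplit(":", 1)
    if "." in admin:
        return struct.pack("!H4sH", 1, ipaddress.IPv4Address(admin).packed, int(nn))
    asn = int(admin)
    if asn <= 0xFFFF:
        return struct.pack("!HHI", 0, asn, int(nn))
    return struct.pack("!HIH", 2, asn, int(nn))


def decode_rd(data: bytes) -> str:
    rd_type = struct.unpack("!H", data[:2])[0]
    if rd_type == 0:
        asn, nn = struct.unpack("!HI", data[2:8])
        return f"{asn}:{nn}"
    if rd_type == 1:
        ip, nn = struct.unpack("!4sH", data[2:8])
        return f"{ipaddress.IPv4Address(ip)}:{nn}"
    if rd_type == 2:
        asn, nn = struct.unpack("!IH", data[2:8])
        return f"{asn}:{nn}"
    raise ValueError(f"unknown RD type {rd_type}")


def encode_vpnv4_nlri(label: int, rd: str, prefix: str) -> bytes:
    """One AFI 1 / SAFI 128 NLRI entry (RFC 4364 sec. 4.3.4, RFC 3107): length in
    bits, a 3-byte label entry (20-bit label, EXP 0, bottom-of-stack 1), the
    8-byte RD and the minimum number of prefix bytes. Two customers announcing
    the same IPv4 prefix therefore produce different NLRIs."""
    net = ipaddress.IPv4Network(prefix)
    nbytes = (net.prefixlen + 7) // 8
    label_entry = ((label << 4) | 1).to_bytes(3, "big")
    return (bytes([24 + 64 + net.prefixlen]) + label_entry + encode_rd(rd)
            + net.network_address.packed[:nbytes])


def decode_vpnv4_nlri(data: bytes):
    """Inverse of encode_vpnv4_nlri; returns (label, rd, prefix)."""
    plen = data[0] - 24 - 64
    label = int.from_bytes(data[1:4], "big") >> 4
    rd = decode_rd(data[4:12])
    prefix_bytes = data[12:12 + (plen + 7) // 8].ljust(4, b"\x00")
    return label, rd, f"{ipaddress.IPv4Address(prefix_bytes)}/{plen}"


def encode_ext_community(kind: str, asn: int, local: int) -> bytes:
    """Transitive two-octet-AS-specific extended community (RFC 4360 sec. 3.1):
    type 0x00 with sub-type 0x02 (route target) or 0x03 (site of origin)."""
    subtype = {"rt": 0x02, "soo": 0x03}[kind]
    return struct.pack("!BBHI", 0x00, subtype, asn, local)


@dataclass
class Vpnv4Route:
    rd: str
    prefix: str
    label: int
    nexthop: str                         # BGP next hop: the egress PE's loopback
    route_targets: Set[str] = field(default_factory=set)
    soo: Optional[str] = None


@dataclass
class Vrf:
    name: str
    rd: str
    import_rts: Set[str]
    export_rts: Set[str]


def export_route(vrf: Vrf, prefix: str, label: int, pe: str,
                 soo: Optional[str] = None) -> Vpnv4Route:
    """What a PE does when a customer route lands in a VRF: prepend the VRF's RD,
    allocate a VPN label and attach the VRF's export route targets."""
    return Vpnv4Route(vrf.rd, prefix, label, pe, set(vrf.export_rts), soo)


def import_routes(vrf: Vrf, candidates: Iterable[Vpnv4Route]) -> List[Vpnv4Route]:
    """A VRF accepts a VPNv4 route only if at least one of its route targets is
    in the VRF's import list; every other route is invisible to that customer."""
    return [r for r in candidates if r.route_targets & vrf.import_rts]


def should_advertise_to_site(route: Vpnv4Route, site_soo: str) -> bool:
    """SOO filtering: a route is never advertised back to the site it came from."""
    return route.soo != site_soo


if __name__ == "__main__":
    fastfood = Vrf("FastFood", "65000:10", {"65000:10"}, {"65000:10"})
    eurobank = Vrf("EuroBank", "65000:20", {"65000:20"}, {"65000:20"})
    # Both customers use 10.1.1.0/24 behind the San Jose PE (constructed overlap).
    r_ff = export_route(fastfood, "10.1.1.0/24", 100, "192.0.2.1", soo="65000:101")
    r_eb = export_route(eurobank, "10.1.1.0/24", 101, "192.0.2.1")
    for r in (r_ff, r_eb):
        print(r.rd, r.prefix, encode_vpnv4_nlri(r.label, r.rd, r.prefix).hex())
    print([r.rd for r in import_routes(fastfood, [r_ff, r_eb])])   # FastFood copy only
```

The model shows why overlapping customer addresses are harmless in the provider's BGP table (the RD makes the NLRI unique) and why a VRF never sees another customer's routes unless an import route target says so; the PE configuration of import and export route targets is thus the control point an operator audits when checking VPN separation.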

NOTE

You can find detailed descriptions of these topologies and implementation guidelines in the MPLS and VPN Architectures (Volume I) book.

The extended BGP communities are also used to implement additional MPLS VPN features, including automatic route filtering with the site-of-origin (SOO) community or automatic propagation of Open Shortest Path First (OSPF) route attributes across the BGP backbone. (OSPF support is described in more detail in Chapter 3, "PE-CE Routing Protocol Enhancements and Advanced Features.")

VPN packet forwarding across the MPLS VPN backbone is implemented with MPLS forwarding using an MPLS label stack imposed in the IP datagram by the ingress PE router. The first label in the stack is the label assigned to the IP address of the egress PE router (BGP next hop) in the service provider core. The second label is the label assigned to the customer route by the egress PE router. The first label is usually removed one hop before the egress PE router through a process called penultimate hop popping. The egress PE router then performs label lookup on the VPN label, removes the VPN label, and forwards the packet to the CE router. The whole process is illustrated in Figure 1-10.

Figure 1-10. VPN Packet Propagation in an MPLS VPN Network

An IP datagram, sent from San Jose to Lyon, is forwarded across the service provider backbone in a number of steps:

1. An IP datagram is sent from the CE router to the PE router.

2. The PE router performs an IP lookup and prepends an MPLS header consisting of two labels: a label assigned via LDP (also known as IGP label, or IL), identifying the path toward the egress PE router (Paris); and a VPN label (VL) assigned by the Paris PE router.

3. The penultimate router in the service provider network removes the IGP label, leaving only the VPN label in the MPLS header.

4. The egress PE router performs label lookup on the VPN label, removes the MPLS header, and forwards the IP datagram to the Lyon CE router.
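The four forwarding steps above, as an added example that is not code from the book or from Cisco IOS: a Python simulation of a San Jose (ingress PE), Washington (P router and penultimate hop), Paris (egress PE) path in which the ingress PE pushes an IGP label and a VPN label, the P router switches on the top label only and performs penultimate hop popping because the egress PE advertised the implicit-null label, and the egress PE uses the remaining VPN label to pick the VRF and the CE router. The label values 17 and 24, the EuroBank prefix 10.2.0.0/16, the destination 10.2.1.10 and the "Lyon-CE" interface name are constructed; the router names follow Figure 1-10.

```python
"""Added example (not from the book): simulation of the two-label forwarding
path with penultimate hop popping. Labels, prefixes and addresses are
constructed values; the mechanism follows the four steps in the text."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

IMPLICIT_NULL = 3   # reserved label: egress LSR asks its upstream neighbour to pop


def encode_shim(label: int, tc: int = 0, bos: bool = False, ttl: int = 255) -> bytes:
    """One 32-bit MPLS label stack entry (RFC 3032): label(20) TC(3) S(1) TTL(8)."""
    if not 0 <= label < (1 << 20):
        raise ValueError("label out of range")
    return struct.pack("!I", (label << 12) | (tc << 9) | (int(bos) << 8) | ttl)


def decode_stack(packet: bytes) -> Tuple[List[dict], bytes]:
    """Read label entries until the bottom-of-stack bit; return them and the payload."""
    entries, offset = [], 0
    while True:
        (word,) = struct.unpack("!I", packet[offset:offset + 4])
        entries.append({"label": word >> 12, "tc": (word >> 9) & 0x7,
                        "bos": bool((word >> 8) & 1), "ttl": word & 0xFF})
        offset += 4
        if entries[-1]["bos"]:
            return entries, packet[offset:]


def labels_of(packet: bytes) -> List[int]:
    return [e["label"] for e in decode_stack(packet)[0]]


@dataclass
class IngressPE:
    """Step 2: IP lookup in the customer's VRF, then push IGP label + VPN label."""
    name: str
    vrf_fib: Dict[Tuple[str, str], Tuple[int, str]]   # (vrf, prefix) -> (VPN label, egress PE)
    ldp_bindings: Dict[str, int]                       # egress PE -> IGP label learned via LDP

    def forward(self, vrf: str, dst_ip: str, ip_datagram: bytes) -> bytes:
        dst = ipaddress.ip_address(dst_ip)
        matches = [(ipaddress.ip_network(p), vl, egress) for (v, p), (vl, egress)
                   in self.vrf_fib.items() if v == vrf and dst in ipaddress.ip_network(p)]
        if not matches:
            raise LookupError(f"{self.name}: no route for {dst_ip} in VRF {vrf}")
        _, vpn_label, egress = max(matches, key=lambda m: m[0].prefixlen)   # longest match
        return encode_shim(self.ldp_bindings[egress]) + encode_shim(vpn_label, bos=True) + ip_datagram


@dataclass
class PRouter:
    """Step 3: label switching on the top label only; the VPN label and the customer
    IP header underneath are never examined in the core."""
    name: str
    lfib: Dict[int, int]   # incoming label -> outgoing label (IMPLICIT_NULL = pop)

    def forward(self, packet: bytes) -> bytes:
        entries, payload = decode_stack(packet)
        top, rest = entries[0], entries[1:]
        out_label = self.lfib[top["label"]]          # KeyError: unknown label, packet dropped
        if out_label == IMPLICIT_NULL:
            # Penultimate hop popping: strip the IGP label, leave the VPN label on top.
            return b"".join(encode_shim(e["label"], e["tc"], e["bos"], e["ttl"]) for e in rest) + payload
        return encode_shim(out_label, top["tc"], top["bos"], top["ttl"] - 1) + packet[4:]


@dataclass
class EgressPE:
    """Step 4: the VPN label alone selects the VRF and the outgoing CE interface."""
    name: str
    vpn_labels: Dict[int, Tuple[str, str]]   # VPN label -> (VRF, CE router)

    def forward(self, packet: bytes) -> Tuple[str, str, bytes]:
        entries, ip_datagram = decode_stack(packet)
        if len(entries) != 1:
            raise ValueError(f"{self.name}: expected only the VPN label after PHP")
        vrf, ce = self.vpn_labels[entries[0]["label"]]
        return vrf, ce, ip_datagram


def simulate(dst_ip: str = "10.2.1.10", ip_datagram: bytes = b"<constructed IP datagram>"):
    """San Jose (ingress PE) -> Washington (P, penultimate hop) -> Paris (egress PE) -> Lyon CE."""
    san_jose = IngressPE("SanJose", {("EuroBank", "10.2.0.0/16"): (24, "Paris")}, {"Paris": 17})
    washington = PRouter("Washington", {17: IMPLICIT_NULL})   # Paris advertised implicit null
    paris = EgressPE("Paris", {24: ("EuroBank", "Lyon-CE")})
    trace = []
    pkt = san_jose.forward("EuroBank", dst_ip, ip_datagram)
    trace.append(("SanJose->Washington", labels_of(pkt)))
    pkt = washington.forward(pkt)
    trace.append(("Washington->Paris", labels_of(pkt)))
    vrf, ce, out = paris.forward(pkt)
    trace.append((f"Paris->{ce} (VRF {vrf})", []))
    return trace, out


if __name__ == "__main__":
    for hop, labels in simulate()[0]:
        print(f"{hop:32} label stack {labels}")
```

Running the simulation prints the label stack on each link, which is exactly what a packet capture between the routers would show: two labels leaving the ingress PE, one label after the penultimate hop, and a plain IP datagram toward the CE router. The model also makes the trust boundary explicit: the core forwards on labels alone, and the egress PE's VPN-label table is the only thing that maps a received packet to a customer VRF.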

New MPLS VPN Developments
Many service providers worldwide have enthusiastically embraced the MPLS and MPLS VPN technologies as they enable the service providers to deploy the two most common applications—Internet access and VPN services—on a common network infrastructure. The diversity of their infrastructures, access layer technologies, and IP routing setups, as well as the new services these service providers would like to deploy, has triggered the development of several new MPLS-related features, including these:

• Tight integration of access technologies such as dial-up, digital subscriber line (DSL), and cable with MPLS VPN

• New routing protocol options and support for additional VPN routing protocols

• Transport of additional Layer 3 protocols over MPLS

Each of these is discussed in the following sections.

Access Technology Integration with MPLS VPN
The initial implementation of MPLS VPN technology supported customer sites that were connected primarily to the service provider backbone through a permanent connection. These connections were implemented with Layer 2 technology, which was well established in the IOS code base. Although you could, with skill, support other access technologies (most notably, dial-up users), a number of supporting technologies were not MPLS VPN-enabled, forcing the service providers to accept compromises they would rather avoid.

Tighter integration of MPLS VPN with access technologies was implemented by making several additional Cisco IOS services VPN-aware:

• Virtual-Profile Cisco Express Forwarding (CEF)

• Overlapping address pools

• On-demand address pools (ODAP)

• Framed Route VRF Aware

• Per VRF authentication, authorization, and accounting (AAA)

• VRF-aware large-scale dial out (LSDO)

• VPN-ID

• DHCP relay—MPLS VPN support

All these features and the access technology integration with MPLS VPN are described in detail in Chapter 2, "Remote Access to an MPLS VPN."

New Routing Protocol Options

New Cisco IOS releases extend the range of IP routing protocols that are supported between the PE routers and the CE routers. Enhanced IGRP (EIGRP) and Integrated Intermediate System-to-Intermediate System (Integrated IS-IS) are supported, as well as additional OSPF connectivity options, including virtual OSPF links between PE routers (sham links). Furthermore, Cisco IOS supports IP Multicast inside the MPLS VPN and per-VRF network address translation (NAT) on the PE router. These new features are described in Chapters 3, "PE-CE Routing Protocol Enhancements and Advanced Features," 4, "Virtual Router Connectivity," and 7, "Multicast VPN."

New Layer-3 Protocols Transported Over MPLS

IP version 6 (IPv6), also known as IP: The Next Generation (IPng), has joined IPv4 as another Layer 3 protocol that can be transported across an MPLS backbone. MPLS support for globally routed IPv6 is described in Chapter 8, "IPv6 Across an MPLS Backbone."

Summary
Many service providers that wanted to minimize their costs of provisioning and operations by offering all their services (VPN and public Internet) over a common infrastructure have enthusiastically embraced MPLS-based VPN networks. Furthermore, these service providers have achieved significant cost savings due to the provisioning simplicity offered by MPLS VPN's integration with the benefits of both connectionless and connection-oriented VPN approaches.

An end-to-end MPLS VPN solution is, like any other VPN solution, divided into the central P-network to which a large number of customer sites (sites in the C-network) are attached. The customer sites are attached to the PE devices (PE routers) through CE devices (CE routers). Each PE router contains several virtual routing and forwarding tables (VRFs)—at least one per VPN customer. These tables are used together with Multiprotocol BGP run between the PE routers to exchange customer routes and to propagate customer datagrams across the MPLS VPN network. The PE routers perform the label imposition (ingress PE router) and removal (egress PE router). The central devices in the MPLS VPN network (P routers) perform simple label switching.

MPLS-based VPNs have been significantly enhanced since their initial rollout. The new MPLS VPN features allow better integration of access technologies, support of additional PE-CE routing protocols, as well as support of new transport options across MPLS backbones (transport of IPv6 and legacy Layer 2 technologies).

Part II: Advanced PE-CE Connectivity
Chapter 2 Remote Access to an MPLS VPN
Chapter 3 PE-CE Routing Protocol Enhancements and Advanced Features

Chapter 4 Virtual Router Connectivity

Chapter 2. Remote Access to an MPLS VPN
The initial service offerings for Multiprotocol Label Switching (MPLS) virtual private networks (VPNs) were provided to customers through fixed connections to the provider edge (PE) router by using technologies such as leased line, Frame Relay, Asynchronous Transfer Mode (ATM) permanent virtual circuits (PVCs), or last mile Ethernet. The provision of remote or offnet access to the MPLS VPN was incumbent upon the customer having the appropriate access infrastructure in place to cater to his mobile or remote workforce. Therefore, the ability for an MPLS VPN service provider to supply MPLS VPN value-added services (which, in turn, generates more revenue) to remote users was completely dependent on the customer's remote access network and the geographic coverage that the network provided. This is illustrated in Figure 2-1.

Figure 2-1. Remote Access Provided by Customer
In this scenario, the SuperCom network provides only fixed-line access to the EuroBank and FastFoods customer edge (CE) routers. Remote access is provided by using EuroBank and FastFoods hardware at their remote locations.

To provide a scalable and complete end-to-end VPN service, the service provider must have a network infrastructure that is capable of integrating remote access directly into an MPLS VPN network. Such an infrastructure can enable remote users to seamlessly access their corporate VPNs through a service provider point of presence (POP), not a customer POP. The advantage of this is that a service provider can offer a value-add service by leasing wholesale dial access to many VPN customers. The VPN customers can be ISPs or large enterprises that want to provide access to remote users but avoid the need for maintaining their own separate and expensive access network. The same service provider remote access network can be sold as a unique service to many VPN customers (build once, sell many), which decreases the

customer's operating costs and increases the revenue of the service provider. This is illustrated in Figure 2-2.

Figure 2-2. Remote Access Provided by a Service Provider
In this scenario, SuperCom provides remote access services terminating into the MPLS VPN network. This remote access network allows any EuroBank or FastFoods remote user direct access to his VPNs, which alleviates the need for EuroBank and FastFoods to provide a separate remote access infrastructure.

Service providers will invariably use one or more of the following access technologies to provide remote access to an MPLS VPN:

• Public Switched Telephone Network (PSTN)

• Integrated Services Digital Network (ISDN)

• Asymmetric digital subscriber line (ADSL)

• Data-over Cable Service Interface Specifications (DOCSIS), or simply called cable

These access technologies are used in conjunction with various protocols and procedures to provide the remote access service. The protocols and procedures include the following:

• Point-to-Point Protocol (PPP)

• Layer 2 Tunneling Protocol (L2TP)

• Virtual private dialup network (VPDN)

• Remote Authentication Dial-In User Service (RADIUS)

• Dynamic Host Configuration Protocol (DHCP)
The first part of this chapter provides an overview of each of these protocols and procedures to provide you with a foundation for understanding how remote access is provided to an MPLS VPN. The second part of this chapter covers the following remote access scenarios and features:

• Dial-in access to an MPLS VPN via VPDN (L2TP) or direct ISDN
• Large-scale dial-out access from an MPLS VPN via L2TP or direct ISDN
• Dial backup to an MPLS VPN
• Digital subscriber line (DSL) access to an MPLS VPN by using various encapsulation methods
• Cable access to an MPLS VPN
• Advanced features, such as on-demand address pools, per-VRF AAA, and VRF-aware DHCP relay

Feature Enhancements for MPLS VPN Remote Access
Several new features and enhancements were made to Cisco IOS so that MPLS VPN services could be provisioned over various remote access technologies. Most of these features are incorporated into the detailed examples provided throughout this chapter or are addressed in the later section, "Advanced Features for MPLS VPN Remote Access." The features can be summarized as follows:

Virtual-profile Cisco Express Forwarding (CEF)— PPP sessions that terminate on a router through an L2TP tunnel or direct ISDN interface do so via a virtual-access interface. The virtual-access interface is an instance of a virtual-profile or a virtual-template. Each system has a maximum of 25 virtual-templates; virtual-profiles do not have this limitation; therefore, they are preferred because they are more scalable and flexible. The virtual-profile CEF feature allows these interfaces to be CEF switched, which is a prerequisite for MPLS.

Overlapping address pools— Previously, per-router local address pools could only be specified in the global IP routing instance. This meant that all VRFs as well as all global interfaces shared a single local pool to provide interface addresses for PPP sessions. The overlapping pool feature allows the same IP address range to be used concurrently in different VRFs, thereby providing better utilization of the IP address space.

On-demand address pools (ODAP)— Instead of configuring pool address ranges locally, the ODAP feature allows a central RADIUS server to provide VRF-aware pool addresses as required. In this way, the local pool can expand and contract based on usage, and the RADIUS server can provide better address management by allocating subnets where they are needed.

Framed Route VRF aware— When a remote CE router dials into a PE router via a PPP session, there must be a mechanism to allow the remote subnet to be injected into the VRF for the duration of the call. This is done through the Framed-Route RADIUS attribute or the corresponding cisco-avpair "ip:route" attribute. This attribute usually applies to the global routing table; however, enhancements have been made so that Cisco IOS can determine whether it should be applied to a VRF.

Per VRF authentication, authorization, and accounting (AAA)— This feature allows RADIUS information to be sent directly to a customer RADIUS server that is located within the VRF. Previously, the only way to get to a customer RADIUS server was to use a proxy via the service provider RADIUS server reachable in the global routing table.

VRF-aware large-scale dial out (LSDO)— This feature allows the LSDO solution to operate within the context of a VRF. VRF-aware LSDO allows multiple VRFs to use the same dialer interface on a router with individual profiles downloaded from an AAA server.

VPN-ID— This feature allows remote access applications such as a RADIUS or DHCP server to identify the VPN that originates a RADIUS or DHCP request. The VPN-ID feature is based on RFC 2685.

DHCP Relay—MPLS VPN Support— This feature allows a single DHCP server to identify and service many VRFs by supplying addresses from distinct IP address pools. Creating different namespaces within the server separates address pools. Either the VRF name or the VPN ID identifies these namespaces. The DHCP server can reside in the global routing table or in any customer or shared services VRF.

Overview of Access Protocols and Procedures
This section briefly describes the typical protocols that are used in remote access technologies. It serves as a refresher or an introduction to those of you who are not intimately familiar with these protocols. For a more in-depth description of remote access protocols and Cisco IOS configuration guidelines, please refer to Cisco Connect Online (www.cisco.com) under the Technologies section.

PPP
PPP is fundamental to the deployment of nearly all the remote access scenarios discussed in this chapter. PPP provides a link layer service (Layer 2 of the OSI model) between two devices (in this case, the customer device and the PE router), and it can operate over a variety of physical media such as ISDN, ADSL, leased line, and virtual circuits such as ATM PVCs and L2TP tunnels. PPP provides a datagram service only; reliable transport is the responsibility of the higher layers in the protocol stack. The connection that PPP operates over can be either fixed or switched (dial-up) and running in asynchronous or synchronous bit serial mode. The only requirement for PPP is that the circuit provided be full duplex. An advantage of PPP is that it can support many different network protocols (Layer 3 of the OSI hierarchy), such as IP, DECnet, AppleTalk, and OSI simultaneously over the same link.

PPP is a layered protocol that has three components:

• An encapsulation component that is used to transmit datagrams over the specified physical layer.
• A Link Control Protocol (LCP) to establish, configure, and test the link as well as negotiate capabilities.
• One or more NCPs used to negotiate optional configuration parameters and facilities for the network layer. There is one Network Control Protocol (NCP) for each protocol supported by PPP.

NOTE

The device that terminates PPP sessions in a service provider network is called a network access server (NAS). A NAS is capable of terminating many connections over a variety of physical media. Among other examples, a NAS could be a Cisco Systems 7200 acting as a PE router with switched ISDN connections or a Cisco Systems AS5300 universal access concentrator terminating dial-in ISDN or analog modem calls.

To establish a link for point-to-point communication, each endpoint uses LCP to open the connection, negotiate capabilities, and configure the link appropriately. Examples of capabilities that can be negotiated are the maximum receive unit (MRU), compression of certain PPP fields, and Password Authentication Protocol (PAP) or Challenge Handshake Authentication Protocol (CHAP).

Optionally, you can assess the link quality to determine whether the network protocols can be activated. If the link is not of acceptable quality, then LCP can hold off passing to the NCP phase. When the LCP phase is completed, each network layer protocol must be separately negotiated by its own NCP. For example, the NCP for IP, called Internet Protocol Control Protocol (IPCP), can negotiate options such as the IP addresses to be used at each end of the link, DNS server addresses, and the compression protocol. LCP and NCP are both extensible protocols; therefore, new features and options can be easily added when required. Figure 2-3 shows where LCP and NCP fit in the PPP model.
Figure 2-3. PPP Model

The LCP layer also provides the optional authentication function, which is a fundamental requirement when providing remote access services. Authentication takes place after the link has been established and prior to the NCP negotiation phase.

As previously mentioned, LCP has two authentication protocols available: PAP and CHAP. PAP is a simple two-way handshake protocol. The username/password is repeatedly sent across the link from the originating end until an acknowledgement is received. PAP sends passwords in clear text; there is no protection from playback or trial and error attacks (such as trying to guess passwords from the outside).

CHAP is a more robust authentication protocol that uses a three-way handshake to verify the identity of the remote end. The authentication is done initially when the link is established and might be periodically repeated. CHAP is the preferred authentication method and will be used in examples throughout this chapter. The three-way handshake operates as follows:

• The local peer sends a challenge message to the remote peer.
• The remote peer combines the challenge with a shared secret key and responds with a value calculated by using a one-way hash function (such as the MD5 message-digest algorithm).
• The local peer then compares the returned hash value with what it expected to receive. (It calculates its own value by using the hash function.)
• If the hash values match, the authentication is acknowledged; otherwise, the connection is terminated.

NOTE

The password, or "secret key" as it is referred to, is never sent across the link. Only the hashed response of the secret is transmitted. Because CHAP can be used to authenticate many different remote systems, the challenge/response packet can also contain a name (usually the hostname) that will be used to index a list of secret keys or passwords.

Figure 2-4 illustrates CHAP in operation. A remote FastFoods user has dialed into the San Jose NAS. SanJose_NAS will send a challenge message to the FastFoods_Mobile1 PC asking for its secret. FastFoods_Mobile1 will use information in the challenge message as well as the secret that is locally stored to send a response back. The response message will contain the name of the FastFoods remote user (FastFoods_Mobile1) as well as the encrypted secret (whatsthebuzz). The SanJose_NAS will then compare the response received from FastFoods_Mobile1 with the name/secret pair stored either locally on the NAS server or on a RADIUS/AAA server. If the encrypted versions of the secrets match, then an accept message is sent back and the NCP layer can proceed. This handshake can be periodically repeated during the call.
Figure 2-4. CHAP Three-Way Handshake
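The exchange of Figure 2-4 worked through in Python, as an added example that is not code from the book or from Cisco IOS: the NAS issues a random challenge, the peer answers with MD5(Identifier || secret || Challenge) as RFC 1994 specifies, and the NAS recomputes the value from the secret it indexes by the peer's name, so the secret itself never crosses the link. The peer name and the secret whatsthebuzz come from the figure; the 16-byte challenge length and the lookup-table layout are assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed secret list on the NAS (or on its RADIUS/AAA server): the Name
# carried in the Response packet indexes this table, as the NOTE describes.
NAS_SECRETS = {"FastFoods_Mobile1": b"whatsthebuzz"}


def chap_response_value(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP Response Value per RFC 1994: MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


@dataclass
class Challenge:
    identifier: int
    value: bytes
    name: str   # authenticator's name (lets the peer pick the right secret)


@dataclass
class Response:
    identifier: int
    value: bytes
    name: str   # peer's name (lets the NAS pick the right secret)


def nas_send_challenge(identifier: int, name: str = "SanJose_NAS",
                       rand=os.urandom) -> Challenge:
    # Step 1: the challenge is fresh and unpredictable, so a captured response
    # cannot be replayed against a later challenge (PAP has no such protection).
    return Challenge(identifier, rand(16), name)


def peer_respond(ch: Challenge, name: str, secret: bytes) -> Response:
    # Step 2: hash the challenge together with the locally stored secret.
    return Response(ch.identifier, chap_response_value(ch.identifier, secret, ch.value), name)


def nas_verify(ch: Challenge, resp: Response, secrets=NAS_SECRETS) -> bool:
    """Steps 3 and 4: recompute the hash locally and compare.

    Unknown name, stale identifier or mismatch all mean 'terminate the connection'.
    """
    if resp.identifier != ch.identifier:
        return False
    secret = secrets.get(resp.name)
    if secret is None:
        return False
    expected = chap_response_value(ch.identifier, secret, ch.value)
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(expected, resp.value)


def run_handshake(peer_name: str, peer_secret: bytes, identifier: int = 1) -> bool:
    """One complete three-way handshake; True means the NCP phase may proceed."""
    ch = nas_send_challenge(identifier)
    resp = peer_respond(ch, peer_name, peer_secret)
    return nas_verify(ch, resp)
```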


L2TP

In a typical PPP connection, the Layer 2 termination point and the PPP session endpoint reside on the same physical device. For example, a user could obtain a connection to the NAS by way of an analog dial-up or ISDN connection and then run PPP over that connection. In this case, the Layer 2 and PPP session would terminate on the NAS as shown in Figure 2-5.

Figure 2-5. PPP Endpoints

L2TP allows the PPP session endpoint to be divorced from the Layer 2 termination point. This means that a PPP session can be extended across the Internet or an ISP network. While traversing an IP backbone, the PPP session is carried inside an L2TP tunnel. The PPP session can pass through many intermediate nodes before terminating on the target remote access server. L2TP allows the remote client to communicate with the remote server by using PPP as if the two were directly connected. The network infrastructure is transparent to either end of the PPP session. The device that terminates the Layer 2 connection and originates the L2TP tunnel is called the L2TP Access Concentrator (LAC). The device that terminates the L2TP tunnel and the original PPP session from the remote client is called the L2TP Network Server (LNS). The LAC passes packets between the remote client and the LNS.

NOTE

L2TP allows the creation of a virtual private dialup network (VPDN) to connect a remote client to its corporate network by using a shared infrastructure, which could be the Internet or a service provider's network. VPDNs are described in the following section.

Figure 2-6 illustrates the basic concept of an L2TP tunnel.

Figure 2-6. PPP Session Through an L2TP Connection

In this scenario, FastFoods has a remote client called FastFoods_Mobile1 that needs to communicate directly with a server that is located at the FastFoods Lyon site. The nearest dial-in POP to the FastFoods mobile user is provided by SuperCom in San Jose. The Lyon server is reachable through a FastFoods router that is connected directly to the SuperCom network in Paris. Therefore, when FastFoods_Mobile1 calls into the SuperCom LAC in San Jose, the San Jose LAC will exchange PPP messages with FastFoods_Mobile1 and communicate by way of L2TP requests and responses with FastFoods' Lyon_LNS to set up an L2TP tunnel. The PPP session will be established between FastFoods_Mobile1 and the Lyon_LNS.

PPP frames from FastFoods_Mobile1 will be accepted by the SanJose_LAC, stripped of any framing or transparency bytes, encapsulated in L2TP, and forwarded over the appropriate tunnel toward Lyon_LNS. The LNS will accept these L2TP frames, strip the L2TP encapsulation, and process the incoming PPP frames.

VPDN

A VPDN is a network that connects a remote access client to a private network by using a shared or public IP infrastructure. A VPDN uses a tunnel protocol, such as L2TP, Point-to-Point Tunneling Protocol (PPTP), or Layer 2 Forwarding (L2F) to extend the Layer 2 and higher parts of the network connection from a remote user across an ISP network to a private network. VPDNs allow a service provider to share its common remote access infrastructure among many remote clients. Each client can dial in to a service provider NAS/LAC and be connected to the private corporate network based on the logon domain name or the number that was dialed (by using the dialed number identification service, or DNIS). Figure 2-7 describes the VPDN process. It is essentially the same scenario as described in Figure 2-6, except that the protocol exchanges are fully detailed. It uses a combination of PPP, L2TP, and RADIUS to provide the virtual private dial-in service.


Figure 2-7. VPDN Process

WithMPLS and VPN Architectures, Volume II , you'll learn: How to integrate various remote access technologies into the backbone providing VPN service to many different types of customers The new PE-CE routing options as well as other advanced features, including per-VPN Network Address Translation (PE-NAT) How VRFs can be extended into a customer site to provide separation inside the customer network The latest MPLS VPN security features and designs aimed at protecting the MPLS VPN backbone How to carry customer multicast traffic inside a VPN The latest inter-carrier enhancements to allow for easier and more scalable deployment of inter-carrier MPLS what happens The following steps outlineVPN services during the VPDN process: Advanced troubleshooting techniques including router outputs to ensure high availability Step 1. The FastFoods remote client initiates a PPP call to the SuperCom San Jose LAC via PSTN or ISDN. MPLS and VPN Architectures, Volume II , builds on the best-selling MPLS and VPN Architectures, Volume I (1-58705-002-1), from Cisco Press. Extending into more advanced Step 2. The remote client and the LAC begin to negotiate PPP options by using LCP. topics This covers elements such as the authentication method (CHAP or PAP), compression, and deployment architectures, Volume II provides readers with the necessary tools they need the PPP multilink. and to deploy and maintain a secure, highly available VPN. MPLS and VPN Assuming that Volume II ,selected, thea brief refresher of the MPLS VPN Step 3. Architectures, CHAP was begins with LAC sends a challenge message. Architecture. Part II describes advanced MPLS VPN connectivity including the integration of service provider access technologies (dial, DSL, cable, Ethernet) and a variety ofit is Step 4. The FastFoods remote client responds with its username (assume routing protocols (IS-IS, EIGRP, and OSPF), arming the reader partially authenticates howuser by mobile1@fastfoods.com) and password. 
The LAC with the knowledge of the to integrate these features intoit has received in the CHAP response. using the information the VPN backbone. Part III details advanced deployment issues including security, outlining the necessary steps the service provider must take to protect the backbone and The LAC checks whether and also detailing the latest security featuresIt allow Step 5. any attached VPN sites, the FastFoods remote client is a VPDN user. to more advanced topologies and filtering. usernamealso covers multi-carrier MPLS VPN determines this by examining the This part (mobile1), domain name (fastfoods.com), deployments. Finally, Part IV provides a methodology for advanced MPLS VPN or called number (DNIS). This information can either be stored locally (configured troubleshooting.on the LAC or it can be retrieved from the SuperCom RADIUS server. In our statically) example, the information is forwarded via a RADIUS request to the SuperCom RADIUS MPLS and VPN Architectures, Volume II , also introduces the latest advances in customer server. integration, security, and troubleshooting features essential to providing the advanced

Step 6. The RADIUS server has an entry for the domain name of the FastFoods remote client; therefore, the client is a VPDN user. The RADIUS server replies to the LAC with a message containing the IP address of the FastFoods LNS and other information to allow the LAC to create an L2TP tunnel to the specific LNS.

• •

Table of Contents Index NOTE

MPLS and VPN Architectures, Volume II

If ,Ivan Pepelnjak,Jeff were ByJim Guichardthe remote client Apcar

determined not to be a VPDN client, then authentication would continue on the LAC. In this case, it would be likely that this customer would be subscribing to Internet access or some other SuperCom Publisher: Cisco Press common service and would be connected directly to the global routing space of Pub Date: June 06, 2003 SuperCom. ISBN: 7. If the L2TP Step 1-58705-112-5 tunnel does not already exist, the SanJose_LAC builds a tunnel to Pages: 504 the FastFoods Lyon_LNS by using L2TP control messages. Only one tunnel is built for each domain. For example, all fastfoods.com that subsequently dial in use the same tunnel.

Step 8. L2TP provides an optional CHAP-like authentication mechanism during tunnel establishment. The LNS can check to , you'll learn: WithMPLS and VPN Architectures, Volume IIsee if the LAC can open a tunnel (via local configuration) to it and both the LAC and LNS can authenticate each other using a shared secret configured locally or on a RADIUS server. Alternatively, the LNS can How to integrate various remote access technologies into the backbone providing VPN accept the tunnel without any authentication. service to many different types of customers Step 9. After the tunnel is created, a VPDN session is created over the L2TP tunnel for The new PE-CE remote client. Eachwell as other advanced features, a unique VPDN the FastFoods routing options as remote client is associated with including per-VPN Network on an L2TP tunnel. (PE-NAT) session Address Translation How VRFs can be extended into a customer site to provide separation inside the customer network The latest MPLS VPN security features and designs aimed at protecting the MPLS VPN NOTE backbone An L2TP tunnel can support many VPDN sessions for the same domain. How Therefore, any further FastFoods remote clients that called into the San Jose to carry customer multicast traffic inside a VPN LAC would be forwarded through the same L2TP tunnel to the Lyon LNS. The latest inter-carrier enhancements to allow for easierauthenticated CHAPdeployment Step 10. The San Jose LAC then forwards the partially and more scalable response of inter-carrier MPLSclient. This includes the username/password information from the FastFoods VPN services (mobile1@fastfoods.com) and the LCP-negotiated parameters. Advanced troubleshooting techniques including router outputs to ensure high availability Step 11. The LNS creates a virtual-access interface based on a virtual-template for the MPLS and VPN Architectures, Volume II , builds on is authenticated MPLS and VPN VPDN session. 
The remote user information is authenticated by the FastFoods RADIUS server (or username/password information configured statically on the LNS can be used).

Step 12. The FastFoods RADIUS server returns the appropriate response/authorization and any other relevant information.

Step 13. The FastFoods Lyon LNS then sends a CHAP response back to the FastFoods remote client through the L2TP tunnel.

Step 14. After the CHAP response is successful, the NCP phase, in this case using IPCP, is performed. When the PPP sessions are functioning, the LAC acts as a go-between for the FastFoods remote client and the LNS.

The combination of PPP, L2TP, and VPDN is the basic building block for enabling remote access to MPLS VPNs.
Some modifications and feature enhancements are required to support L2TP directly into VRFs, and these will be discussed in detail in the remote access to MPLS VPN examples later in this chapter.

RADIUS
RADIUS provides a distributed client/server system that prevents unauthorized access to facilities, such as dial-in services or individual hosts. RADIUS is a protocol that provides AAA services to a network. User permissions and configuration information are stored on a centralized RADIUS/AAA server.
NOTE

In this chapter, a RADIUS server refers to an AAA server that uses the RADIUS protocol.

A NAS operates as a RADIUS client. The client is responsible for passing user information to designated RADIUS servers and then acting on the response that is returned. RADIUS servers are responsible for receiving user connection requests, authenticating the user, and returning all configuration information that is necessary for the client to deliver service to the remote access user. The RADIUS server can also provide accounting services to measure the amount of resources that each remote access user consumes. Figure 2-8 shows the types of RADIUS messages.

Figure 2-8. RADIUS Messages

The RADIUS message types are described as follows:

Access Request— These packets are sent to a RADIUS server. They convey information that is used to determine whether a user is allowed access to a specific NAS (such as the username) and any special services requested for that user.

Access Accept— These packets are sent by the RADIUS server. They provide specific configuration information in a series of attributes that are necessary to begin delivery of service to the user.

Access Reject— These packets are sent by the RADIUS server to reject the access request due to invalid information in the request. For example, a nonexistent username or a bad password would be rejected.

Access Challenge— These packets allow the RADIUS server to send the user a challenge requiring a response.

Accounting Request— These packets are sent from a client (typically a NAS or its proxy) to a RADIUS accounting server. They convey information that provides accounting for a user service.

Accounting Response— These packets are sent from the RADIUS accounting server to the client to acknowledge that the Accounting Request has been received and recorded successfully.

The RADIUS standard and its extensions specify a large number of attributes that can be exchanged between a RADIUS client and a RADIUS server (where they are usually stored in the server database). These attributes are referred to as attribute value (AV) pairs. A RADIUS request from the NAS and the corresponding reply from the server carry a series of attributes. Within a RADIUS packet, these attributes are encoded using the type-length-value (TLV) format, as shown in Figure 2-9.

Figure 2-9. RADIUS Attribute Format

Examples of RADIUS attributes are:

username (type = 1; value is a string)

user-password (type = 2; value is a string)

framed-protocol (type = 7; value can be 1 for PPP, 2 for SLIP, and so on)

For a comprehensive list of attributes, please refer to the RADIUS specification detailed in RFC 2138. To provide support for proprietary vendor-specific information, the RADIUS standard defines a vendor-specific attribute with a type value of 26. Vendor-specific attributes (VSAs) allow vendors to support their own extended attributes that are unsuitable for general use. The standard states that the information within this attribute should be encoded as a sequence of vendor TLVs. Cisco Systems Inc. complies with the suggested format, and the Cisco VSA is shown in Figure 2-10.

Figure 2-10. Cisco VSA


The Vendor ID takes its value from the SMI Network Management Private Enterprise Code definition. The Vendor ID for Cisco Systems Inc. has a value of 9. The Vendor Type (v-type) field has a value of 1, which defines this Cisco VSA as the "cisco-avpair." The Vendor Value (v-value) is a string that consists of the following format:

protocol : attribute sep value

where

protocol is a value of the Cisco protocol attribute for a particular type of authorization.

attribute and value are an appropriate attribute-value (AV) pair.

sep is = for mandatory attributes and * for optional attributes.

The cisco-avpairs are used extensively when providing remote access to MPLS VPNs. Table 2-1 shows some examples of cisco-avpairs.

Table 2-1. Examples of Cisco avpairs

Attribute       Value
cisco-avpair    ip: addr-pool=main_pool
cisco-avpair    vpdn: ip-addresses=10.1.1.1
cisco-avpair    lcp: interface-config=ip vrf forwarding <vrfname>\n ip unnumbered Loopback0
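The attribute TLV of Figure 2-9 and the cisco-avpair VSA of Figure 2-10 (type 26, vendor ID 9, vendor type 1, '=' or '*' separator), encoded and decoded in Python as an added example that is not code from the book. The VRF name FastFoods and the pool names it carries are constructed sample values, and the decoder rejects a length field that would run past the packet buffer, the check a RADIUS client needs before trusting a server reply.

```python
"""Added example (Python), not code from the book: encodes and decodes the
RADIUS attribute TLV of Figure 2-9 and the Cisco VSA layout of Figure 2-10,
including the '=' (mandatory) and '*' (optional) separator of a cisco-avpair.
The VRF name "FastFoods" and the pool names are constructed sample values."""
import struct

# Attribute type codes from the RADIUS specification (RFC 2138)
RADIUS_USER_NAME = 1
RADIUS_FRAMED_PROTOCOL = 7
RADIUS_VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9       # SMI Private Enterprise Code for Cisco Systems
CISCO_AVPAIR_VTYPE = 1    # vendor type 1 identifies the "cisco-avpair" VSA


def encode_attribute(attr_type: int, value: bytes) -> bytes:
    """One RADIUS TLV: 1-byte type, 1-byte length covering the header, value."""
    if len(value) > 253:
        raise ValueError("attribute value longer than 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_cisco_avpair(avpair: str) -> bytes:
    """Wrap 'protocol:attribute<sep>value' in a vendor TLV inside attribute 26."""
    data = avpair.encode()
    vendor_tlv = struct.pack("!BB", CISCO_AVPAIR_VTYPE, len(data) + 2) + data
    return encode_attribute(RADIUS_VENDOR_SPECIFIC,
                            struct.pack("!I", CISCO_VENDOR_ID) + vendor_tlv)


def decode_attributes(data: bytes) -> list:
    """Walk the attribute area of a RADIUS packet into (type, value) tuples.
    Rejects lengths that would run past the buffer instead of looping forever."""
    attrs, offset = [], 0
    while offset < len(data):
        if len(data) - offset < 2:
            raise ValueError("truncated attribute header at offset %d" % offset)
        attr_type, length = struct.unpack_from("!BB", data, offset)
        if length < 2 or offset + length > len(data):
            raise ValueError("bad attribute length %d at offset %d" % (length, offset))
        attrs.append((attr_type, data[offset + 2:offset + length]))
        offset += length
    return attrs


def parse_cisco_avpair(value: bytes) -> dict:
    """Split a cisco-avpair VSA value into protocol, attribute, value, mandatory."""
    if len(value) < 6:
        raise ValueError("VSA value too short for vendor ID and vendor TLV")
    vendor_id = struct.unpack_from("!I", value, 0)[0]
    if vendor_id != CISCO_VENDOR_ID:
        raise ValueError("vendor %d is not Cisco (9)" % vendor_id)
    vtype, vlen = struct.unpack_from("!BB", value, 4)
    if vtype != CISCO_AVPAIR_VTYPE or vlen != len(value) - 4:
        raise ValueError("not a well-formed cisco-avpair vendor TLV")
    text = value[6:].decode()
    if ":" not in text:
        raise ValueError("cisco-avpair is missing its 'protocol:' prefix")
    protocol, rest = text.split(":", 1)
    for i, ch in enumerate(rest):
        if ch in "=*":            # sep: '=' mandatory, '*' optional
            return {"protocol": protocol.strip(), "attribute": rest[:i].strip(),
                    "value": rest[i + 1:], "mandatory": ch == "="}
    raise ValueError("cisco-avpair has no '=' or '*' separator")


def cisco_avpairs(data: bytes) -> list:
    """All decoded cisco-avpairs carried in an attribute area."""
    return [parse_cisco_avpair(v) for t, v in decode_attributes(data)
            if t == RADIUS_VENDOR_SPECIFIC]


def build_sample_reply() -> bytes:
    """Constructed attribute area modelled on Table 2-1 (not a captured packet)."""
    return b"".join([
        encode_attribute(RADIUS_FRAMED_PROTOCOL, struct.pack("!I", 1)),  # 1 = PPP
        encode_cisco_avpair("ip:addr-pool=main_pool"),
        encode_cisco_avpair("vpdn:ip-addresses=10.1.1.1"),
        encode_cisco_avpair("lcp:interface-config=ip vrf forwarding FastFoods\n"
                            " ip unnumbered Loopback0"),
    ])


if __name__ == "__main__":
    for pair in cisco_avpairs(build_sample_reply()):
        print(pair)
```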
The first entry in Table 2-1 causes the IP address pool, preconfigured as main_pool on the NAS, to be used during IP authorization (the IPCP phase). The next entry defines an endpoint of a tunnel (that is, the LNS, 10.1.1.1) to be used. The last entry allows any valid interface command to be configured dynamically on the router. This example defines a VRF and uses the IP address defined on the loopback0 interface (this must exist on the LNS).

DHCP

DHCP allows a device such as a PC to be dynamically configured with network information such as an IP address, DNS, and WINS server addresses from a central location. DHCP removes the burden of managing and coordinating IP addressing, which can be a time-consuming task for large networks. In addition, DHCP allows PC users to move between different IP subnets (such as different offices) and still receive the correct network information each time they connect to the IP network. DHCP is a client/server protocol that uses Bootstrap Protocol (BOOTP) messages for its requests. DHCP messages from client to server are carried in BOOTP requests, whereas server to client messages are carried in BOOTP replies. The DHCP message consists of a series of options such as gateway address, allocated address, subnet mask, DNS server address, domain name, and so on. Figure 2-11 shows the basic steps for DHCP operation between a PC client and a DHCP server on the same LAN.
Figure 2-11. DHCP Operation
NOTE

BOOTP is an older protocol that provided functionality similar to DHCP, although in a severely limited fashion. DHCP is, in fact, an extension of BOOTP, mostly specifying new attributes that can be exchanged between the clients and the servers and new message types needed to support the more robust IP address allocation offered by DHCP.
The following steps illustrate the DHCP operation:

Step 1. The PC client broadcasts a DHCP DISCOVER message requesting an address allocation. The message will be received by all DHCP servers connected to the LAN (although we have shown only one).

Step 2. The DHCP server issues a DHCP OFFER message containing the IP address, domain name, DNS, lease time, and so on in a unicast message back to the PC. Note that several DHCP Offer messages might be received, depending on the number of DHCP servers connected to the LAN.

Step 3. The PC selects a received offer (usually the first or only one). At this point, the offer has not been formally accepted, but the DHCP server usually reserves the address (for a short period) until it receives a formal request from the PC. The PC formally requests the address offered by broadcasting a DHCP REQUEST. A broadcast is used so that the message serves as a reject to any other DHCP servers that made offers.

Step 4. The DHCP server confirms that the IP address has been allocated by responding with a DHCP ACK message that also includes other network configuration parameters.
The following are other messages that can be sent:
DHCP DECLINE— Client to server, indicating that the network address is already in use or there is another issue.

DHCP RELEASE— Client to server, indicating that the network address is to be relinquished and the remaining lease cancelled.

DHCP NAK— Server to client, indicating that the client's notion of network address is incorrect (for example, the client has moved to a new subnet) or the client's lease has expired.

DHCP INFORM— Client to server, asking only for local configuration parameters; the client already has an externally configured network address.

DHCP Relay Agents

The previous description is a reasonably simplistic view of how DHCP works. It assumes a DHCP server is available on every LAN in the network (which might well be the case if you are using the DHCP server feature in a Cisco router). However, if the DHCP server is centralized somewhere in the network, you must enable the DHCP relay agent feature by configuring the LAN interface of a Cisco router to relay the DHCP messages between the client and the server. The operation of the DHCP relay agent feature is shown in Figure 2-12.

Figure 2-12. DHCP Relay Agent
DHCP Relay operates as follows:

Step 1. All client to server messages (DHCP Discover, DHCP Request, and so on) are sent in a BOOTP Request.

Step 2. The DHCP relay agent feature is activated on the router interface via the ip helper-address command. When the router sees a BOOTP Request that contains a DHCP message, it inserts its LAN interface address into the giaddr field of the BOOTP header, which in our example will be 192.168.30.1.

Step 3. The destination broadcast address in the original BOOTP message is replaced with the unicast IP address specified in the ip helper-address command. The BOOTP request is then forwarded directly to the DHCP server as a unicast message. The DHCP server uses the giaddr field to determine the subnet pool that an address should be allocated from.

Step 4. The server to client messages are returned directly to the DHCP relay agent (router) by using the giaddr as the destination. These messages from the server, such as DHCP Offer, DHCP ACK, and so on, are carried in a BOOTP Reply.

Step 5. The relay agent receives the message and forwards the reply as a broadcast or a unicast IP packet to the client PC.
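The five relay steps above, walked through as an added Python simulation that is not the book's code: a DISCOVER in a BOOTP Request, the relay writing its 192.168.30.1 into giaddr and re-addressing the broadcast to the helper address, the server choosing a pool by giaddr and returning the OFFER to the relay, and the relay deciding between broadcast and unicast delivery. The helper address 194.22.16.3 (the DHCP server host of Table 2-2), the address pools, the client MAC and the hop-count increment are assumptions of this example.

```python
"""Added example (Python simulation), not the book's code: one DISCOVER/OFFER
round trip through a DHCP relay agent as in Steps 1-5 and Figure 2-12.
The relay address 192.168.30.1 is the one from the text; the helper address
194.22.16.3 (the DHCP server host of Table 2-2), the address pools, the client
MAC and the hop-count increment are assumptions of this example."""
import ipaddress
import struct

BOOTREQUEST, BOOTREPLY = 1, 2
DHCP_DISCOVER, DHCP_OFFER = 1, 2
MAGIC_COOKIE = b"\x63\x82\x53\x63"
BROADCAST_FLAG = 0x8000
# Fixed BOOTP header: op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr,
# siaddr, giaddr, chaddr(16), sname(64), file(128) -> 236 bytes; options follow
HDR = "!BBBBIHH4s4s4s4s16s64s128s"
HDR_LEN = struct.calcsize(HDR)
YIADDR_OFF, SIADDR_OFF, GIADDR_OFF = 16, 20, 24


def ip_bytes(addr: str) -> bytes:
    return ipaddress.IPv4Address(addr).packed


def ip_str(raw: bytes) -> str:
    return str(ipaddress.IPv4Address(raw))


def build_discover(xid: int, mac: bytes) -> bytes:
    """Step 1: the client broadcasts a DISCOVER carried in a BOOTP Request."""
    fixed = struct.pack(HDR, BOOTREQUEST, 1, 6, 0, xid, 0, BROADCAST_FLAG,
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                        mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return fixed + MAGIC_COOKIE + bytes([53, 1, DHCP_DISCOVER, 255])


def parse_bootp(pkt: bytes) -> dict:
    """Decode the header fields the relay and the server act on."""
    f = struct.unpack_from(HDR, pkt, 0)
    return {"op": f[0], "hops": f[3], "xid": f[4], "flags": f[6],
            "ciaddr": ip_str(f[7]), "yiaddr": ip_str(f[8]), "giaddr": ip_str(f[10]),
            "chaddr": f[11][:f[2]], "options": pkt[HDR_LEN:]}


def relay_to_server(pkt: bytes, interface_ip: str, helper_ip: str):
    """Steps 2 and 3: write the LAN interface address into giaddr and re-address
    the broadcast to the unicast helper address. Returns (destination, packet)."""
    p = parse_bootp(pkt)
    if p["op"] != BOOTREQUEST:
        raise ValueError("only BOOTP Requests are relayed toward the server")
    out = bytearray(pkt)
    if p["giaddr"] == "0.0.0.0":          # a second relay keeps the first giaddr
        out[GIADDR_OFF:GIADDR_OFF + 4] = ip_bytes(interface_ip)
    out[3] = p["hops"] + 1                # hop count (RFC 1542 relay behaviour; assumption)
    return helper_ip, bytes(out)


def server_offer(pkt: bytes, pools: dict, server_ip: str):
    """Steps 3 and 4: choose the pool by giaddr and send the OFFER in a BOOTP
    Reply to the relay agent. pools maps 'subnet/prefix' -> free addresses."""
    p = parse_bootp(pkt)
    key = p["giaddr"] if p["giaddr"] != "0.0.0.0" else server_ip  # local LAN if no relay
    subnet = next((n for n in pools
                   if ipaddress.IPv4Address(key) in ipaddress.IPv4Network(n)), None)
    if subnet is None or not pools[subnet]:
        return None, None                 # no pool for that subnet: request ignored
    yiaddr = pools[subnet].pop(0)
    out = bytearray(pkt)
    out[0] = BOOTREPLY
    out[YIADDR_OFF:YIADDR_OFF + 4] = ip_bytes(yiaddr)
    out[SIADDR_OFF:SIADDR_OFF + 4] = ip_bytes(server_ip)
    out[HDR_LEN:] = MAGIC_COOKIE + bytes([53, 1, DHCP_OFFER, 255])
    dst = p["giaddr"] if p["giaddr"] != "0.0.0.0" else "255.255.255.255"
    return dst, bytes(out)


def relay_to_client(pkt: bytes) -> str:
    """Step 5: decide how the relay delivers the BOOTP Reply on the client LAN."""
    p = parse_bootp(pkt)
    if p["op"] != BOOTREPLY:
        raise ValueError("expected a BOOTP Reply from the server")
    if p["ciaddr"] != "0.0.0.0":
        return p["ciaddr"]                # client already has an address
    if p["flags"] & BROADCAST_FLAG:
        return "255.255.255.255"          # client asked for a broadcast reply
    return p["yiaddr"]                    # unicast to the offered address


def run_exchange(pools: dict) -> dict:
    """Constructed topology: client on 192.168.30.0/24 behind the relay."""
    discover = build_discover(0x3903F326, bytes.fromhex("0011223344ff"))
    dst, relayed = relay_to_server(discover, "192.168.30.1", "194.22.16.3")
    reply_dst, offer = server_offer(relayed, pools, "194.22.16.3")
    if offer is None:
        return {"server_dst": dst, "offered": None}
    return {"server_dst": dst, "giaddr": parse_bootp(relayed)["giaddr"],
            "reply_dst": reply_dst, "offered": parse_bootp(offer)["yiaddr"],
            "client_dst": relay_to_client(offer)}
```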

Providing Dial-In Access to an MPLS VPN
This section covers two methods of connecting switched calls to an MPLS VPN. The first method is based on VPDN and supports both analogue PSTN and ISDN calls. The second method supports only pure digital calls and is used to terminate ISDN calls directly onto a PE router.
Throughout all our remote access examples in this chapter, we use the addressing summarized in Table 2-2.

Table 2-2. IP Address Assignment for the SuperCom Network

Company     Site                                          Subnet/Host
SuperCom    San Jose VHG/PE router (loopback 0)           194.22.15.2/32
            Management PE router (loopback 0)             194.22.15.3/32
            San Jose NAS/LAC (loopback 0)                 194.22.15.4/32
            PE-CE interface addresses                     192.168.2.0/24
            Management LAN                                194.22.16.0/24
            RADIUS server host                            194.22.16.2/32
            DHCP server host                              194.22.16.3/32
            San Jose overlapping remote address pool(s)   192.168.3.0/26
            Loopback for VRF instantiation                192.168.2.100/32
FastFoods   Lyon subnet                                   10.2.1.0/24
            Lyon RADIUS server                            10.2.1.5/32
            Lyon sales data server                        10.2.1.6/32
            Fresno subnet (vending machine)               10.4.1.0/24
            Reno subnet (vending machine)                 10.5.1.0/24
            Dialer for Fresno Vending                     192.168.2.51/32
            Dialer for Reno Vending                       192.168.2.52/32
EuroBank    San Francisco subnet                          10.2.1.0/24
            Sacramento subnet (SOHO)                      10.3.1.0/24
            Palo Alto (DSL CPE)                           10.6.1.0/24
            Paris subnet                                  196.7.25.0/24
            Dialer for Modesto Branch                     192.168.2.61/32
            Dialer for Laguna Branch                      192.168.2.62/32

Dial-In Access via L2TP VPDN

This solution allows a service provider to offer a wholesale dial service to remote customers of an MPLS VPN. The remote clients dial a service provider POP by using the PSTN or ISDN and, after the appropriate authentication and L2TP procedures are executed, are connected to a PE router in the service provider network that provides access to the relevant VRF.

The mechanisms used to provide remote access to an MPLS VPN are based on the VPDN model. The advantage of using VPDN is to separate the remote access function from the edge function. A user can dial in to any NAS in the network and, using an L2TP tunnel, be directed to the nearest PE router that holds the appropriate VRF. Without this functionality, a VRF for every VPN that has remote access capabilities must be preinstantiated on every NAS that the user might possibly dial.
To best explain the various components and procedures, we shall use the SuperCom network shown in Figure 2-13. SuperCom can provide wholesale dial services through the NASes installed in its POPs, including the San Jose NAS shown in the diagram. The FastFoods Corporation has a requirement to provide real-time sales data to its worldwide mobile sales force from a network server that is located in FastFoods Marketing HQ in Lyon. Rather than building a private global remote access network at substantial cost, FastFoods has elected to use the SuperCom shared remote access infrastructure. This allows FastFoods to provide access to its VPN from any region worldwide where SuperCom has a POP presence. For the sake of simplifying the example, we will show the remote access process for a single remote salesperson called elvis@fastfoods.com, who is located somewhere on the U.S. West Coast and wants to access the FastFoods sales data located on a server at FastFoods European headquarters in Lyon.

Figure 2-13. SuperCom Dial-In Using VPDN
Although the remote dial-in access to an MPLS VPN follows the same procedures as a standard VPDN connection, certain parts of the process change slightly; for example, a SuperCom PE router rather than a FastFoods C router performs the LNS function. The process is summarized as follows:

When elvis@fastfoods.com dials in using PPP, the SuperCom San Jose NAS/LAC extracts the domain name fastfoods.com and passes it to the SuperCom RADIUS server for authentication. The SuperCom RADIUS server is reachable via the global routing table.

If the domain name authentication succeeds, then the SuperCom RADIUS server passes back the relevant L2TP information for fastfoods.com, including the IP address of the tunnel endpoint (LNS). Note that the SuperCom RADIUS server contains domain entries rather than specific user entries; that is, it has an entry for fastfoods.com rather than one for elvis@fastfoods.com.

The LAC builds an L2TP tunnel to the LNS. In MPLS VPN remote access terminology, the LNS can also be referred to as the virtual home gateway (VHG). The term VHG refers to the fact that the LNS function is performed on a PE router rather than an LNS residing on a customer C router. In our example, this VHG/PE router is located at San Jose, and we will refer to it as the SuperCom San Jose VHG/PE router.


NOTE

You can use the terms VHG and PE/LNS interchangeably.

The San Jose VHG/PE router must preinstantiate the FastFoods VRF that terminates the L2TP tunnel to minimize the convergence time for populating the VRF with routes. The San Jose VHG/PE router terminates the L2TP tunnel by using a virtual-template or a virtual-profile. (You will learn the difference later.) The SuperCom network uses virtual-profiles; therefore, it obtains the information to create a virtual interface from the SuperCom RADIUS server. This information includes items such as the VRF for the virtual interface, the interface address, and the IP address pool. The remote user accesses the VRF through an associated virtual interface.

To obtain the relevant information to create the virtual interface, the San Jose VHG/PE router requests authentication for elvis@fastfoods.com from the SuperCom RADIUS server. The SuperCom RADIUS server does not hold this individual user information; therefore, it must proxy the request to the relevant customer RADIUS server. In our example, this is the Lyon FastFoods RADIUS server. To achieve connectivity between the RADIUS servers, additional configuration is necessary. This is covered in a later section titled "Configuring Access Between the SuperCom and FastFoods RADIUS servers."

Configuring the SuperCom San Jose NAS/LAC

The San Jose NAS/LAC configuration is reasonably simple because the SuperCom RADIUS server provides the details that are used to create the appropriate L2TP tunnel for the dial-in MPLS VPN user. The necessary configuration is shown in Example 2-1.

NOTE

The configuration shown here and the RADIUS attributes in the following section are not specific to MPLS VPNs but are required for any VPDN L2TP access.

Example 2-1. San Jose NAS/LAC Configuration

hostname SanJose_NAS
!
aaa new-model
aaa authentication ppp default local group radius
aaa authorization network default local group radius
!
vpdn enable
vpdn search-order domain
!
interface Loopback0
 ip address 194.22.15.4 255.255.255.255
!
ip radius source-interface Loopback0
!
radius-server host 194.22.16.2 auth-port 1645 acct-port 1646 key a$4two

The aaa commands specify that any incoming PPP connections or network service requests (VPDN/L2TP) should be authenticated or authorized by checking the locally configured database first and then the SuperCom RADIUS server whose details are configured with the radius-server host command. The vpdn commands enable VPDN and specify that only the domain name portion (fastfoods.com) of the incoming username (elvis@fastfoods.com) should be used when obtaining VPDN tunnel authorization from the SuperCom RADIUS server. It is also a good idea to statically configure the source address used by the router when sending RADIUS messages so that the RADIUS server can easily identify RADIUS clients. This is achieved through the ip radius source-interface command.

NOTE

The configuration does not rely on individual VPDN groups to be configured for each domain. The SuperCom RADIUS server provides this information, as discussed in the next section.

SuperCom RADIUS Server Attributes

The RADIUS server that SuperCom manages authenticates on the domain name associated with the remote user. Therefore, the entries in the RADIUS server consist only of domain names, not fully qualified usernames such as elvis@fastfoods.com. Each domain entry consists of a series of RADIUS attribute value (AV) pairs defining the VPDN information for that domain. This information is passed back to the LAC so that an L2TP tunnel can be built to the appropriate LNS.

NOTE

A RADIUS server does not actually distinguish between a username and a domain name; it only compares the string the RADIUS client passes to it (in our case, the LAC or LNS) in an access-request message. If the server finds an exact match for the string in its database, then AV pairs that are associated with that entry are passed back in an access-accept message. This means that the SuperCom RADIUS server is not limited to keeping information on the domain name only; it can also authenticate the fully qualified username elvis@fastfoods.com if FastFoods does not have its own RADIUS server.

The SuperCom RADIUS server attributes that are used to create an L2TP tunnel for fastfoods.com are shown in Table 2-3. The method in which the AV pairs are set or configured is beyond the scope of this book because it varies between RADIUS server implementations. The attributes shown are defined in RFC 2868, "RADIUS Attributes for Tunnel Protocol Support." The table also provides the corresponding Cisco-avpairs that were available prior to the publication of RFC 2868. The latest Cisco IOS versions accept either AV pair format.

Table 2-3. SuperCom RADIUS Attributes

Attribute (Type)             Value                           Corresponding Cisco AV Pair
User-Name (1)                fastfoods.com
User-Password (2)            Cisco
Tunnel-Type (64)             3 (L2TP)                        vpdn:tunnel-type=l2tp
Tunnel-Medium-Type (65)      1 (IPv4)
Tunnel-Server-Endpoint (67)  194.22.15.2 (San Jose VHG/PE)   vpdn:ip-addresses=194.22.15.2
Tunnel-Password (69)         Vision                          vpdn:l2tp-tunnel-password=vision
Tunnel-Client-Auth-ID (90)   SuperCom_LAC                    vpdn:tunnel-id=SuperCom_LAC
Tunnel-Server-Auth-ID (91)   SuperCom_LNS

The User-Name attribute defines the domain name that the San Jose NAS/LAC passes to the server. The password has a static value of "cisco."

NOTE
A static password of "cisco" is always used in the RADIUS message when the LAC requests VPDN authorization for a domain. Therefore, all domain name entries on a RADIUS server must be configured with the password "cisco."

The other AV pairs request the San Jose NAS/LAC to build an L2TP tunnel for IPv4 packets to the destination 194.22.15.2. The local name that the San Jose NAS/LAC uses for the tunnel is "SuperCom_LAC." This name corresponds to the terminate-from hostname command that is configured on the San Jose VHG/PE router, which is discussed in the next section. Finally, for authentication purposes, the tunnel uses the password "vision," and the remote name expected is "SuperCom_LNS."

An alternative to using a RADIUS server for VPDN authorization is to configure a static VPDN group on the SuperCom NAS/LAC. The disadvantage of this is the increased operational overhead if there are many NAS/LACs to maintain and configure. By using a centralized RADIUS server, all VPDN configurations can be maintained in one place and used by many NAS/LACs. Example 2-2 shows what the static VPDN configuration that corresponds to the RADIUS AV pairs in Table 2-1 looks like in Cisco IOS.

Example 2-2. San Jose NAS/LAC VPDN Group Configuration

vpdn-group 10
 request-dialin
  protocol l2tp
  domain fastfoods.com
 initiate-to ip 194.22.15.2
 local name SuperCom_LAC
 l2tp tunnel password vision
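The attributes of Table 2-3 as they travel on the wire, as an added example that is not code from the book or from Cisco: the Python below encodes the RFC 2868 tagged tunnel attributes for the fastfoods.com entry, including the salt-encrypted Tunnel-Password, and decodes them again the way a LAC would before it builds the tunnel that Example 2-2 describes statically. The shared secret (the radius-server host key from Example 2-1), the request authenticator, the salt and the tag value are constructed for the example; the attribute types and values are the ones in the table.

```python
"""RFC 2868 tunnel attributes for the fastfoods.com domain entry (added example).

Builds the Access-Accept attributes of Table 2-3 and decodes them as a LAC
would.  Shared secret, request authenticator, salt and tag are constructed
inputs chosen for this example, not values from a real server.
"""
import hashlib
import os
import struct

# Attribute types from RFC 2868 (as listed in Table 2-3) and the two values used.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_SERVER_ENDPOINT = 64, 65, 67
TUNNEL_PASSWORD, TUNNEL_CLIENT_AUTH_ID, TUNNEL_SERVER_AUTH_ID = 69, 90, 91
TUNNEL_TYPE_L2TP, TUNNEL_MEDIUM_IPV4 = 3, 1
INTEGER_ATTRS = (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE)
STRING_ATTRS = (TUNNEL_SERVER_ENDPOINT, TUNNEL_CLIENT_AUTH_ID, TUNNEL_SERVER_AUTH_ID)


def avp(attr_type, payload):
    """RADIUS Type/Length/Value framing; Length counts the two header octets."""
    if len(payload) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(payload) + 2) + payload


def tagged_int(attr_type, tag, value):
    """Tagged integer attribute: one tag octet followed by a 3-octet integer."""
    return avp(attr_type, bytes([tag]) + value.to_bytes(3, "big"))


def tagged_str(attr_type, tag, text):
    """Tagged string attribute: one tag octet followed by the string."""
    return avp(attr_type, bytes([tag]) + text.encode())


def encrypt_tunnel_password(secret, authenticator, salt, password):
    """Salt-encrypt a Tunnel-Password as RFC 2868 section 3.5 specifies."""
    plain = bytes([len(password)]) + password        # length octet comes first
    plain += b"\x00" * (-len(plain) % 16)            # zero-pad to 16-octet blocks
    out, prev = b"", hashlib.md5(secret + authenticator + salt).digest()
    for i in range(0, len(plain), 16):
        block = bytes(p ^ b for p, b in zip(plain[i:i + 16], prev))
        out, prev = out + block, hashlib.md5(secret + block).digest()
    return out


def decrypt_tunnel_password(secret, authenticator, salt, cipher):
    """Reverse of encrypt_tunnel_password; the length octet bounds the password."""
    plain, prev = b"", hashlib.md5(secret + authenticator + salt).digest()
    for i in range(0, len(cipher), 16):
        block = cipher[i:i + 16]
        plain += bytes(c ^ b for c, b in zip(block, prev))
        prev = hashlib.md5(secret + block).digest()
    return plain[1:1 + plain[0]]


def tunnel_password_attr(secret, authenticator, tag, password, salt=None):
    """Tunnel-Password (69): tag, 2-octet salt with the high bit set, ciphertext."""
    if salt is None:
        salt = bytes([0x80 | os.urandom(1)[0], os.urandom(1)[0]])
    body = encrypt_tunnel_password(secret, authenticator, salt, password)
    return avp(TUNNEL_PASSWORD, bytes([tag]) + salt + body)


def build_fastfoods_accept(secret, authenticator, tag=1, salt=None):
    """The tunnel attributes of Table 2-3, grouped under one tag value."""
    return (tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_L2TP)
            + tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IPV4)
            + tagged_str(TUNNEL_SERVER_ENDPOINT, tag, "194.22.15.2")
            + tunnel_password_attr(secret, authenticator, tag, b"vision", salt)
            + tagged_str(TUNNEL_CLIENT_AUTH_ID, tag, "SuperCom_LAC")
            + tagged_str(TUNNEL_SERVER_AUTH_ID, tag, "SuperCom_LNS"))


def parse_tunnel_attrs(data, secret, authenticator):
    """LAC-side decode: returns {tag: {attr_type: value}}; rejects bad framing."""
    tunnels, pos = {}, 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header at offset %d" % pos)
        attr_type, length = struct.unpack_from("!BB", data, pos)
        if length < 3 or pos + length > len(data):
            raise ValueError("malformed attribute at offset %d" % pos)
        value, pos = data[pos + 2:pos + length], pos + length
        if attr_type in INTEGER_ATTRS:
            tag, decoded = value[0], int.from_bytes(value[1:], "big")
        elif attr_type == TUNNEL_PASSWORD:
            if len(value) < 3 or (len(value) - 3) % 16:
                raise ValueError("bad Tunnel-Password length")
            tag = value[0]
            decoded = decrypt_tunnel_password(secret, authenticator, value[1:3], value[3:]).decode()
        elif attr_type in STRING_ATTRS:
            # A first octet above 0x1F is data, not a tag (RFC 2868 section 3).
            tag, value = (value[0], value[1:]) if value[0] <= 0x1F else (0, value)
            decoded = value.decode()
        else:
            continue   # not a tunnel attribute; ignore it here
        tunnels.setdefault(tag, {})[attr_type] = decoded
    return tunnels
```

Two things the table cannot show: the Tunnel-Password is not sent in the clear but is obfuscated with the shared secret and the request authenticator, so an Access-Accept captured in transit yields the L2TP tunnel password only to someone who also holds the RADIUS shared secret (which is why that secret, not the tunnel password, is the value to protect); and the tag octet is what lets a server group several alternative tunnel endpoints in one reply, so a LAC must group attributes by tag rather than assume a single set.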

Configuring the SuperCom San Jose VHG/PE Router

The San Jose VHG/PE router terminates the L2TP tunnel from the San Jose NAS/LAC. The remote PPP session received through the tunnel from elvis@fastfoods.com is terminated on a virtual-access interface. The virtual-access interface is associated with the FastFoods VRF to allow elvis@fastfoods.com access to the FastFoods VPN. You can create a virtual-access interface by cloning through virtual templates or virtual-profiles.

Virtual templates are configured for individual VPNs. Each associated virtual interface template must be configured for a specific VRF to preinstantiate the route for that VRF. Cisco IOS permits no more than 25 virtual-templates to be configured on a router; therefore, the use of virtual-templates does not scale well and is not recommended for terminating a large number of VPNs.

Virtual-profiles are more flexible and can use a common virtual-template or an AAA (in our case, it will be RADIUS) server to provide the additional configuration details needed to create the virtual-access interface. The configuration information on the AAA server is held on a per user basis. Virtual-profiles simplify the configuration and provide a more scalable approach for tunnel termination because only a single virtual-template configuration is required for VPNs that terminate on the LNS.
Example 2-3 shows the necessary configuration for the San Jose VHG/PE router.

Example 2-3. San Jose VHG/PE Router Configuration

hostname SanJose_PE
!
aaa authentication ppp default local group radius
aaa authorization network default local group radius
!
virtual-profile aaa
vpdn enable
!
vpdn-group 1
 accept-dialin
  protocol l2tp
  virtual-Template 1
 terminate-from hostname SuperCom_LAC
 local name SuperCom_LNS
 l2tp tunnel password vision
!
interface virtual-Template1
 no ip address
 no peer default ip address
 ppp authentication chap callin
!
ip local pool SuperCom_Pool 192.168.3.1 192.168.3.62
ip local pool FastFoods_Pool 192.168.3.1 192.168.3.62 group VPN_FastFoods
ip local pool EuroBank_Pool 192.168.3.1 192.168.3.62 group VPN_EuroBank
!
ip radius source-interface Loopback0
!
radius-server host 194.22.16.2 auth-port 1645 acct-port 1646 key a$4two

The aaa configuration is identical to what the SuperCom NAS/LAC uses because both use the same SuperCom RADIUS server. The operational difference is that the San Jose NAS/LAC passes the domain name fastfoods.com to the SuperCom RADIUS server that responds directly. In contrast, the San Jose VHG/PE router passes the fully qualified username elvis@fastfoods.com to the SuperCom RADIUS server for authentication, which, in turn, proxies the message to the FastFoods RADIUS server for processing. The virtual-profile aaa command enables the LNS to obtain configuration information from the RADIUS server on a per-user basis that can be applied to the virtual-template. In our case, the vpdn-group command supplies the virtual-template number. A single VPDN group configuration is required to terminate an L2TP tunnel from any LAC that has the name SuperCom_LAC with a password of "vision." The LAC uses the local name SuperCom_LNS for authentication, which matches the AV pair information previously provided to the SuperCom NAS/LAC in Table 2-1. The vpdn-group is associated with the generic virtual-template1. This virtual-template is used in conjunction with information received from the FastFoods RADIUS server to create the virtual-access interface for the remote user.

The San Jose VHG/PE router uses locally configured overlapping pools to provide IP addresses to remote users. The overlapping pool feature allows the same address space to be used concurrently in different VRFs by appending a group name on the ip local pool command. In our example, three pools have been configured to use the same address range 192.168.3.1 through 192.168.3.62:

- A SuperCom_Pool for remote users who are accessing services in the global routing table (such as best effort Internet)
- A FastFoods_Pool for remote users of the FastFoods VPN
- A EuroBank_Pool for remote users of the EuroBank VPN

NOTE

In a production network, the pools used would most likely provide registered addresses. You can find further discussion on other addressing options in the "Advanced Features for MPLS VPN Remote Access" section.

To complete the configuration, we must preinstantiate all the VRFs to be accessed through this LNS. We cannot rely on dynamic instantiation of the VRF routing information when the first user dials in because Multiprotocol BGP might take up to 60 seconds to converge the routes for the new VRF. To avoid this delay, create and associate a loopback interface with the applicable VRF, as shown in Example 2-4.

Example 2-4. Preinstantiation of VRFs

ip vrf FastFoods
 rd 10:26
 route-target export 10:26
 route-target import 10:26
!
interface Loopback10
 ip vrf forwarding FastFoods
 ip address 192.168.2.100 255.255.255.255

To reduce the number of addresses required, you can use the same address 192.168.2.100 on every loopback that is required for instantiation.

NOTE

A full explanation on how routes are converged between VPN sites is provided in Chapter 12 of Cisco Press's Volume I of MPLS and VPN Architectures, ISBN 1587050811.

FastFoods RADIUS Server Attributes

The FastFoods RADIUS server authenticates any remote users who request access to the FastFoods VPN via a proxy request from the SuperCom RADIUS server. If authentication succeeds, an access-accept message is returned (via the SuperCom RADIUS server) that contains the RADIUS attributes required to assist in configuring the virtual-access interface in the San Jose VHG/PE router for the remote user.

NOTE

Unless the VPN customer requests SuperCom to manage its remote user lists, the SuperCom RADIUS server must have a proxy entry to a customer RADIUS server for every domain it services.

The FastFoods RADIUS server attributes for user elvis@fastfoods.com are shown in Table 2-4. All of the Cisco-avpair attributes shown here are service provider-specific, such as the pool name, loopback address, and VRF name. This information can be stored on the FastFoods RADIUS server and passed back for the user. In practice, however, this is not recommended due to the security implications of a customer being able to configure a service provider's network interfaces. It is more likely that the SuperCom RADIUS server would add the service provider-specific attributes to proxy requests, which would then be passed back with an access-accept message from the FastFoods RADIUS server. The Cisco-avpairs are shown in this table together with user-specific attributes to simplify the explanation.
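How the SuperCom RADIUS server can proxy elvis@fastfoods.com without letting the customer set provider-side interface configuration, as an added example (constructed Python, not code from the book or from any RADIUS product): the domain part of the username selects the customer server, the domain is stripped before forwarding (the FastFoods server keeps plain usernames, as the note later in this section describes), and the Cisco-avpairs of Table 2-4 are attached by the SuperCom side only, with any lcp:interface-config attribute coming back from the customer discarded. The realm table, the in-memory customer user database, the server name and the attribute strings are assumptions made for this example.

```python
"""Realm-based proxy decisions on the SuperCom RADIUS server (added example).

A constructed model of the proxy step described in this section.  The realm
table, the stand-in customer user database and the attribute strings are
assumptions for the example, not a real server's configuration or API.
"""

# Constructed realm table: domain -> customer server and the provider-owned
# per-VPN interface settings that a customer must not be able to change.
REALMS = {
    "fastfoods.com": {
        "server": "Lyon_FastFoods_RADIUS",
        "strip_domain": True,
        "provider_avpairs": [
            "lcp:interface-config=ip vrf forwarding FastFoods",
            "lcp:interface-config=ip unnumbered loopback 10",
            "lcp:interface-config=peer default ip address pool FastFoods_Pool",
        ],
    },
}

# Constructed stand-in for the customer RADIUS servers: server -> {user: password}.
CUSTOMER_SERVERS = {"Lyon_FastFoods_RADIUS": {"elvis": "whatsthebuzz"}}

# Cisco-avpair prefixes that configure the PE/LNS itself.  Anything a customer
# server returns with these prefixes is discarded before the reply goes back.
PROVIDER_ONLY_PREFIXES = ("lcp:interface-config=", "ip:")


def split_realm(username):
    """Split 'user@domain' on the last '@'; returns (user, domain or None)."""
    if "@" not in username:
        return username, None
    user, _, domain = username.rpartition("@")
    return user, domain.lower()


def route_request(username):
    """Pick the customer server; returns (server, forwarded username) or None."""
    user, domain = split_realm(username)
    realm = REALMS.get(domain)
    if realm is None:
        return None                      # unknown realm: reject, never forward
    return realm["server"], (user if realm["strip_domain"] else username)


def sanitize_customer_reply(avpairs):
    """Separate customer-supplied avpairs into (kept, dropped)."""
    kept, dropped = [], []
    for av in avpairs:
        (dropped if av.startswith(PROVIDER_ONLY_PREFIXES) else kept).append(av)
    return kept, dropped


def customer_authenticate(server, user, password, reply_avpairs=()):
    """Stand-in for the proxied Access-Request; returns the customer's reply or None."""
    if CUSTOMER_SERVERS.get(server, {}).get(user) != password:
        return None
    return {"cisco_avpairs": list(reply_avpairs)}


def proxy_authenticate(username, password, customer_reply_avpairs=()):
    """Complete proxy decision for one Access-Request seen by the SuperCom server."""
    routed = route_request(username)
    if routed is None:
        return {"accepted": False, "reason": "unknown realm"}
    server, forwarded = routed
    reply = customer_authenticate(server, forwarded, password, customer_reply_avpairs)
    if reply is None:
        return {"accepted": False, "reason": "rejected by " + server,
                "forwarded_as": forwarded}
    kept, dropped = sanitize_customer_reply(reply["cisco_avpairs"])
    _, domain = split_realm(username)
    return {
        "accepted": True,
        "forwarded_as": forwarded,
        # Provider-owned settings first, then whatever harmless avpairs the
        # customer returned; dropped ones are reported so they can be logged.
        "cisco_avpairs": REALMS[domain]["provider_avpairs"] + kept,
        "dropped_customer_avpairs": dropped,
    }
```

The dropped list is worth feeding into the provider's logging: a customer server that starts returning lcp:interface-config attributes is either misconfigured or trying to steer a session into another VRF, and either case deserves a look.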

Table 2-4. User elvis@fastfoods.com RADIUS Attributes

Attribute (Type)      Value
User-Name (1)         elvis@fastfoods.com
User-Password (2)     whatsthebuzz
Service-Type (6)      1 (Framed)
Framed-Protocol (7)   1 (PPP)
Cisco-avpair          lcp:interface-config=ip vrf forwarding FastFoods \n ip unnumbered loopback 10 \n peer default ip address pool FastFoods_Pool

NOTE

The \n in the Cisco-avpair signifies an explicit carriage return. Usage will vary between RADIUS server implementations.

Based on these attributes, the SuperCom PE/LNS will create a virtual-access interface to terminate a framed PPP session. This interface will be placed in the FastFoods VRF and use the address of loopback 10, as discussed in Example 2-4. The remote user elvis@fastfoods.com will be provided with the next available address from the local address pool called FastFoods_Pool.

NOTE

It is likely that the FastFoods RADIUS server would only contain username entries such as "fred" rather than the fully qualified domain name. A proxy script on the SuperCom RADIUS server would be responsible for stripping off the domain name before proxying the request.

Configuring Access Between SuperCom and FastFoods RADIUS Servers

The FastFoods RADIUS server is only reachable via the FastFoods VRF. The SuperCom RADIUS server is connected to an interface on the Management PE router and must be reachable via the global routing table for all SuperCom routers that require RADIUS services. This is because the radius-server host command that is configured on the NAS and PE routers only operates in the global routing space. Therefore, some additional configuration is required to allow the SuperCom RADIUS server to communicate with both the NAS and PE routers in the global table and the RADIUS server in the FastFoods VRF, without compromising security in the FastFoods network. This is achieved by using the MPLS VPN mechanisms of route-targets and route-maps, as shown in Figure 2-14.
Figure 2-14. RADIUS Connectivity

The SuperCom RADIUS server should be placed in a Management VRF to isolate the SuperCom management addresses from the global table. This is done on the Management PE router shown in Figure 2-13. This allows the FastFoods RADIUS server host address to be exported to the Management VRF and the SuperCom RADIUS server host address to be exported to the FastFoods VRF. Both RADIUS servers can then communicate directly with each other. The FastFoods network remains secure because access is limited to the FastFoods RADIUS server from the Management VRF only. Access to the SuperCom RADIUS server from the global routing table (for SuperCom routers) is achieved by placing a global static route into the Management VRF that points to the SuperCom network, as well as a static route in the global routing table that points to the SuperCom Management network.

NOTE

Chapter 12 of Cisco Press's Volume I of MPLS and VPN Architectures provides further detailed information on advanced scenarios such as route leaking between a VRF and the global routing table.

Examples 2-5 and 2-6 show the relevant configurations on the Management and Paris PE routers to accomplish proxy access.

Example 2-5. Management PE Configuration for RADIUS Proxy

hostname Management_PE
!
ip vrf SuperCom_Management
 rd 10:1
 export map OUT-Management-RADIUS
 route-target import 10:2
!
access-list 20 permit host 194.22.16.2
!
route-map OUT-Management-RADIUS permit 10
 match ip address 20
 set extcommunity rt 10:1
!
ip route 194.22.16.0 255.255.255.0 Ethernet5/0
ip route vrf SuperCom_Management 194.22.15.0 255.255.255.0 POS3/0
ip route vrf SuperCom_Management 194.22.16.2 255.255.255.255 Ethernet5/0 194.22.16.2

The Management PE configuration has an export map defined that permits only the SuperCom RADIUS server address (194.22.16.2) to be set with the route-target 10:1. The FastFoods VRF on the Paris PE router (shown in Example 2-6) has a corresponding route-target import for 10:1. Conversely, the FastFoods VRF has a similar export map setting the route-target 10:2 for the FastFoods RADIUS server (10.2.1.5), which the Management VRF then imports. The "additive" keyword is necessary to allow the route-target 10:2 to be appended to the existing route-target 10:26. Without the "additive" keyword, the default action is to overwrite all existing route-targets.

Three static routes are defined on the Management PE router. The first static route creates a route to the Management subnet in the global routing table. The next static route creates a route to allow access to devices in the global routing table via POS3/0 (the interface that connects the Management PE to the backbone). Note that this static command does not require the "global" keyword because we are using an interface name, not a next-hop address. The last static route creates a host route to the SuperCom RADIUS server to be used to export to the FastFoods VRF. (The export route map matches on this entry.) The Paris PE router has a single static host route configured pointing to the FastFoods RADIUS server, shown in Example 2-6.
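The route-target behaviour described above, as an added illustration that is not code from the book: it models how the two export maps tag the RADIUS host routes and which VRF then installs them, and shows what a FastFoods site that imports only 10:26 loses when "additive" is omitted. The third VRF (a plain FastFoods site) is an assumption added for that comparison.

```python
"""Route-target tagging for the RADIUS proxy design of Examples 2-5 and 2-6.

Added illustration, not code from the book. It models the IOS semantics the
text describes: 'route-target export' tags every prefix of a VRF; an export map
that matches a prefix replaces those tags with its 'set extcommunity rt' list,
unless 'additive' is given, in which case the tags are appended.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Optional


@dataclass
class ExportMap:
    match_prefixes: frozenset   # prefixes permitted by the 'match ip address' ACL
    set_rts: frozenset          # route-targets from 'set extcommunity rt'
    additive: bool = False


@dataclass
class Vrf:
    name: str
    rd: str
    export_rts: frozenset = frozenset()
    import_rts: frozenset = frozenset()
    export_map: Optional[ExportMap] = None
    routes: frozenset = frozenset()    # prefixes present in this VRF's own table

    def advertise(self):
        """Return {prefix: route-targets} as injected into MP-BGP by this VRF.

        A prefix that ends up with no route-target cannot be imported by anyone,
        so it is omitted (this is why 194.22.16.0/24 never leaves the Management VRF).
        """
        out = {}
        for prefix in self.routes:
            rts = set(self.export_rts)
            emap = self.export_map
            if emap is not None and prefix in emap.match_prefixes:
                rts = (rts | emap.set_rts) if emap.additive else set(emap.set_rts)
            if rts:
                out[prefix] = frozenset(rts)
        return out

    def imports(self, advertisements):
        """Prefixes this VRF installs: any advertisement sharing one of its import RTs."""
        return {p for p, rts in advertisements.items() if rts & self.import_rts}


def build(additive):
    """The Management VRF, the Paris FastFoods VRF and a plain FastFoods site."""
    mgmt = Vrf("SuperCom_Management", "10:1",
               import_rts=frozenset({"10:2"}),
               export_map=ExportMap(frozenset({ip_network("194.22.16.2/32")}),
                                    frozenset({"10:1"})),
               routes=frozenset({ip_network("194.22.16.0/24"), ip_network("194.22.16.2/32"),
                                 ip_network("194.22.15.0/24")}))
    paris = Vrf("FastFoods@Paris", "10:26",
                export_rts=frozenset({"10:26"}), import_rts=frozenset({"10:26", "10:1"}),
                export_map=ExportMap(frozenset({ip_network("10.2.1.5/32")}),
                                     frozenset({"10:2"}), additive),
                routes=frozenset({ip_network("10.2.1.0/24"), ip_network("10.2.1.5/32")}))
    # Constructed (not in the book): an ordinary FastFoods site importing only 10:26.
    sanjose = Vrf("FastFoods@SanJose", "10:26",
                  export_rts=frozenset({"10:26"}), import_rts=frozenset({"10:26"}))
    return mgmt, paris, sanjose


def leak_table(additive=True):
    """Map each VRF to the sorted prefixes it learns from the other two VRFs."""
    vrfs = build(additive)
    table = {}
    for receiver in vrfs:
        advertised = {}
        for sender in vrfs:
            if sender is not receiver:
                advertised.update(sender.advertise())
        table[receiver.name] = sorted(str(p) for p in receiver.imports(advertised))
    return table


if __name__ == "__main__":
    print("with additive:   ", leak_table(True))
    print("without additive:", leak_table(False))
```

With "additive" only the two /32 host routes cross between the Management and FastFoods VRFs; without it the 10.2.1.5/32 route loses its 10:26 tag and disappears from every other FastFoods site.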

Example 2-6. Paris PE Configuration for RADIUS Proxy

hostname Paris_PE
!
ip vrf FastFoods
 rd 10:26
 export map OUT-Customer-RADIUS
 route-target export 10:26
 route-target import 10:26
 route-target import 10:1
!
access-list 20 permit host 10.2.1.5
!
route-map OUT-Customer-RADIUS permit 10
 match ip address 20
 set extcommunity rt 10:2 additive
!
ip route vrf FastFoods 10.2.1.5 255.255.255.255 FastEthernet0/1 192.168.2.21

Example 2-7 shows the routing entries for the Management and FastFoods VRFs. As you can see, both VRFs import only the relevant RADIUS host address of 10.2.1.5 or 194.22.16.2. You can also see the static entries discussed previously.

Example 2-7. Management and FastFoods VRF Tables

Management_PE#show ip route vrf SuperCom_Management
[snip]
S    194.22.15.0/24 is directly connected, POS3/0
     10.0.0.0/32 is subnetted, 1 subnets
B       10.2.1.5 [200/0] via 194.22.15.1, 4d21h
     194.22.16.0/24 is variably subnetted, 2 subnets, 2 masks
C       194.22.16.0/24 is directly connected, Ethernet5/0
S       194.22.16.2/32 [1/0] via 194.22.16.2, Ethernet5/0
-----------------------------------------------------------------------
Paris_PE#show ip route vrf FastFoods
[snip]
     10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
S       10.2.1.0/24 [1/0] via 192.168.2.21
S       10.2.1.5/32 [1/0] via 192.168.2.21, FastEthernet0/1
     192.168.2.0/24 is variably subnetted, 2 subnets, 2 masks
B       192.168.2.100/32 [200/0] via 194.22.15.2, 00:19:03
C       192.168.2.20/30 is directly connected, FastEthernet0/1
     194.22.16.0/32 is subnetted, 1 subnets
B       194.22.16.2 [200/0] via 194.22.15.3, 00:19:33

The solution shown here is not without its drawbacks. For example, overlapping addresses might become an issue in the Management VRF if multiple customers' RADIUS servers were using the same address space. Some form of NAT would be necessary, which would increase the complexity and management of the solution. A new feature called Per-VRF AAA addresses this problem by obviating the need for the service provider RADIUS to act as a proxy. It achieves this by allowing direct access to the customer's RADIUS server from the VRF. This feature is discussed in a later section.

Verifying Dial-In via VPDN Operation

Now that all the necessary components of the network have been configured for remote access, we can verify operation by examining the output of various show commands. To provide a more complete picture of how remote access to an MPLS VPN operates, two more users have dialed into the San Jose NAS in addition to elvis@fastfoods.com. They are eric@eurobank.com and jimi@fastfoods.com. This is shown in Figure 2-15.

Figure 2-15. Multiple VPDN Users

Two L2TP tunnels are created between the San Jose LAC and LNS, one for each domain (FastFoods and EuroBank). Each user has a separate PPP session activated over the appropriate tunnel, and these sessions are represented at the LNS by a virtual-access interface in the VRF. The following debug (see Example 2-8) from the San Jose NAS shows the incoming call for elvis@fastfoods.com. After the call is connected, the San Jose NAS challenges the remote PC for the username/password. When the San Jose NAS receives this information, it extracts the domain name fastfoods.com and searches for a matching L2TP tunnel. Because no VPDN groups are explicitly configured, the SuperCom RADIUS server is queried and the relevant tunnel information is returned. A tunnel is then established to 194.22.15.2 (San Jose VHG/PE router), and the username/password of elvis@fastfoods.com is forwarded over the tunnel.

Example 2-8. San Jose Debug

%LINK-3-UPDOWN: Interface Async2, changed state to up
As2 CHAP: O CHALLENGE id 14 len 31 from "SanJose_NAS"
As2 CHAP: I RESPONSE id 14 len 39 from "elvis@fastfoods.com"
As2 VPDN: Got DNIS string 94780400
As2 VPDN: Looking for tunnel -- fastfoods.com --
As2 VPDN/RPMS/: Got tunnel info for fastfoods.com
As2 VPDN/RPMS/: LAC SuperCom_LAC
As2 VPDN/RPMS/: l2tp-busy-disconnect yes
As2 VPDN/RPMS/: l2tp-tunnel-password xxxxxx
As2 VPDN/RPMS/: IP 194.22.15.2
As2 VPDN: Share tunnel fastfoods.com IP 194.22.15.2 state established
As2 VPDN: Forward to address 194.22.15.2
As2 VPDN: Forwarding...
As2 VPDN: Bind interface direction=1
As2 VPDN: elvis@fastfoods.com is forwarded
%LINEPROTO-5-UPDOWN: Line protocol on Interface Async2, changed state to up

The San Jose debug for VPDN and virtual-template events is shown in Example 2-9. When the L2TP call is received, a virtual interface (in our case, Vi2) is cloned from the information that is configured in virtual-template1 (refer to Example 2-2 for details). When the username elvis@fastfoods.com is received over the L2TP tunnel, the SuperCom RADIUS server is queried for authentication and further configuration information (which is proxied to the FastFoods RADIUS server). After this information is returned, it is applied to Vi2 (cloned VRF, address from AAA pool, and so on) and the line protocol is changed to up.

Example 2-9. San Jose VHG/PE-Router Debug

Vi2 VTEMPLATE: ************* CLONE VACCESS2 *****************
Vi2 VTEMPLATE: Clone from virtual-Template1
 default ip address
 encap ppp
end
VTEMPLATE: Receiving vaccess request, id 0x5B70035, result 1
Vi2 VPDN: Set to Async interface
Vi2 VPDN: Virtual interface created for elvis@fastfoods.com bandwidth 65 Kbps
Vi2 VPDN: Bind interface direction=2
2w5d: %LINK-3-UPDOWN: Interface virtual-Access2, changed state to up
VTEMPLATE: Sending vaccess request, id 0x63CDE184
VTEMPLATE: Processing vaccess requests, 1 outstanding
Vi2 VTEMPLATE: Has a new cloneblk AAA, now it has vtemplate/AAA
Vi2 VTEMPLATE: ************* CLONE VACCESS2 *****************
Vi2 VTEMPLATE: Clone from AAA
ip vrf forwarding FastFoods
ip unnumbered loopback 10
peer default ip address pool FastFoods_Pool
end
VTEMPLATE: Receiving vaccess request, id 0x63CDE184, result 1
%LINEPROTO-5-UPDOWN: Line protocol on Interface virtual-Access2, changed state to up

The following output in Example 2-10 shows the VPDN status on the San Jose NAS. Two L2TP tunnels have been created to the SuperCom_LNS with the local IDs of 28791 and 35022. The first tunnel is for FastFoods and has two PPP sessions active, whereas the second tunnel is for EuroBank with one session active. The corresponding sessions can be seen in the output from the show vpdn session command.

Example 2-10. San Jose NAS VPDN Information

SanJose_NAS#show vpdn tunnel

L2TP Tunnel Information Total tunnels 2 sessions 3

LocID RemID Remote Name  State Remote Address Port Sessions
28791 1463  SuperCom_LNS est   194.22.15.2    1701 2
35022 37120 SuperCom_LNS est   194.22.15.2    1701 1

SanJose_NAS#show vpdn session

L2TP Session Information Total tunnels 2 sessions 3

LocID RemID TunID Intf Username            State Last Chg Fastswitch
46    46    28791 As3  jimi@fastfoods.com  est   00:14:26 enabled
49    49    28791 As2  elvis@fastfoods.com est   00:05:13 enabled
50    50    35022 As4  eric@eurobank.com   est   00:02:04 enabled

The VPDN information on the San Jose VHG/PE router is shown in Example 2-11 and is similar to the LAC. Note that the interface associated with the user is a virtual-access interface and that all L2TP tunnels are terminated by using VPDN group 1 as the tunnel client name that matched the hostname "SuperCom_LAC."

Example 2-11. San Jose VHG/PE Router VPDN Information

SanJose_PE#show vpdn tunnel

L2TP Tunnel Information Total tunnels 2 sessions 3

LocID RemID Remote Name  State Remote Address Port Sessions VPDN Group
1463  28791 SuperCom_LAC est   194.22.15.26   1701 2        1
37120 35022 SuperCom_LAC est   194.22.15.26   1701 1        1

SanJose_PE#show vpdn sess

L2TP Session Information Total tunnels 2 sessions 3

LocID RemID TunID Intf Username            State Last Chg Fastswitch
46    46    1463  Vi1  jimi@fastfoods.com  est   00:36:22 enabled
49    49    1463  Vi2  elvis@fastfoods.com est   00:27:09 enabled
50    50    37120 Vi3  eric@eurobank.com   est   00:24:01 enabled

If we look at the VRF information in the San Jose VHG/PE router in Example 2-12, we see that the virtual-access interfaces have been associated with the correct VRF. The loopback interfaces are used for preinstantiation of the VPN routes, as discussed earlier.

Example 2-12. San Jose VHG/PE Router VRF Information

SanJose_PE#show ip vrf
  Name        Default RD  Interfaces
  EuroBank    10:27       virtual-Access3
                          Loopback11
  FastFoods   10:26       virtual-Access1
                          virtual-Access2
                          Loopback10
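The check the paragraph above does by eye, automated as an added example (not code from the book): the Cisco-avpair of Table 2-4 is expanded into interface configuration lines to learn which VRF each realm must land in, and the outputs of Examples 2-11 and 2-12 are parsed to confirm that every user's virtual-access interface is in that VRF. The EuroBank avpair is an assumption built by analogy from Examples 2-12 and 2-13; the book shows only the FastFoods profile.

```python
"""Verify that each dial-in user landed in the VRF its RADIUS profile prescribes.

Added illustration, not code from the book: expands the Cisco-avpair format of
Table 2-4 and cross-checks 'show vpdn session' against 'show ip vrf' on the LNS.
"""
import re

REALM_AVPAIR = {
    # From Table 2-4 (the separator is the literal two characters backslash-n):
    "fastfoods.com": ("lcp:interface-config=ip vrf forwarding FastFoods \\n "
                      "ip unnumbered loopback 10 \\n peer default ip address pool FastFoods_Pool"),
    # Constructed assumption (not in the book), using real newlines as some RADIUS servers do:
    "eurobank.com": ("lcp:interface-config=ip vrf forwarding EuroBank\n"
                     "ip unnumbered loopback 11\npeer default ip address pool EuroBank_Pool"),
}

# Sample outputs copied from Examples 2-11 and 2-12 (SanJose_PE).
SHOW_VPDN_SESSION = """\
L2TP Session Information Total tunnels 2 sessions 3
LocID RemID TunID Intf Username            State Last Chg Fastswitch
46    46    1463  Vi1  jimi@fastfoods.com  est   00:36:22 enabled
49    49    1463  Vi2  elvis@fastfoods.com est   00:27:09 enabled
50    50    37120 Vi3  eric@eurobank.com   est   00:24:01 enabled
"""
SHOW_IP_VRF = """\
  Name        Default RD  Interfaces
  EuroBank    10:27       virtual-Access3
                          Loopback11
  FastFoods   10:26       virtual-Access1
                          virtual-Access2
                          Loopback10
"""

SESSION_RE = re.compile(r"^\s*\d+\s+\d+\s+\d+\s+(\S+)\s+(\S+@\S+)\s+(\S+)")
RD_RE = re.compile(r"^\d+:\d+$|^\d+\.\d+\.\d+\.\d+:\d+$")
ABBREV = {"virtual-access": "Vi", "loopback": "Lo", "async": "As", "fastethernet": "Fa"}


def interface_config_lines(avpair):
    """Expand an lcp:interface-config avpair into IOS lines (literal backslash-n or real newline)."""
    prefix = "lcp:interface-config="
    if not avpair.startswith(prefix):
        raise ValueError("not an lcp:interface-config avpair")
    body = avpair[len(prefix):].replace("\\n", "\n")
    return [ln.strip() for ln in body.split("\n") if ln.strip()]


def vrf_from_avpair(avpair):
    """Return the VRF named by 'ip vrf forwarding <name>', or None if the profile has none."""
    for ln in interface_config_lines(avpair):
        m = re.match(r"ip vrf forwarding (\S+)$", ln)
        if m:
            return m.group(1)
    return None


def short_name(iface):
    """'virtual-Access2' -> 'Vi2', 'Loopback10' -> 'Lo10' (the form 'show vpdn session' prints)."""
    m = re.match(r"([A-Za-z-]+)(\d.*)$", iface)
    return ABBREV.get(m.group(1).lower(), m.group(1)) + m.group(2) if m else iface


def parse_sessions(text):
    """Return [(username, interface, state)] from 'show vpdn session'."""
    return [(m.group(2), m.group(1), m.group(3))
            for m in (SESSION_RE.match(ln) for ln in text.splitlines()) if m]


def parse_vrf_interfaces(text):
    """Return {interface: vrf} from 'show ip vrf'; continuation lines belong to the last VRF."""
    mapping, current = {}, None
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] == "Name":
            continue
        if len(parts) >= 2 and RD_RE.match(parts[1]):
            current, ifaces = parts[0], parts[2:]      # new VRF row (may list no interface)
        elif current is not None:
            ifaces = parts                              # interface-only continuation line
        else:
            continue
        for iface in ifaces:
            mapping[short_name(iface)] = current
    return mapping


def audit(session_text, vrf_text, realm_avpair=REALM_AVPAIR):
    """Return findings; an empty list means every session sits in the VRF its realm requires."""
    intf_vrf = parse_vrf_interfaces(vrf_text)
    findings = []
    for user, intf, _state in parse_sessions(session_text):
        realm = user.rsplit("@", 1)[1].lower()
        expected = vrf_from_avpair(realm_avpair[realm]) if realm in realm_avpair else None
        actual = intf_vrf.get(intf)
        if expected is None:
            findings.append(f"{user}: no VRF in the RADIUS profile for realm {realm}")
        elif actual is None:
            findings.append(f"{user} on {intf}: interface in the global table, expected {expected}")
        elif actual != expected:
            findings.append(f"{user} on {intf}: in VRF {actual}, expected {expected}")
    return findings


if __name__ == "__main__":
    print(audit(SHOW_VPDN_SESSION, SHOW_IP_VRF) or "all sessions in the expected VRF")
```

A session whose interface appears in no VRF has terminated in the global routing table, which is the condition the Cisco-avpair in Table 2-4 exists to prevent.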

In our configuration, the addresses for each of the remote access users are taken from one of the shared pools. To achieve higher utilization of the available address space, all the pools use the same range of 192.168.3.1–192.168.3.62. As you can see in Example 2-13, two addresses have been used from the FastFoods_Pool, whereas one address has been used from the EuroBank_Pool. Because these addresses are allocated to different VRFs, there is no possibility of overlap.

Example 2-13. San Jose VHG/PE-Router Address Pool Usage

SanJose_PE#show ip local pool
 Pool                 Begin           End             Free  In use
 SuperCom_Pool        192.168.3.1     192.168.3.62      62       0
 ** pool <FastFoods_Pool> is in group <VPN_FastFoods>
 FastFoods_Pool       192.168.3.1     192.168.3.62      60       2
 ** pool <EuroBank_Pool> is in group <VPN_EuroBank>
 EuroBank_Pool        192.168.3.1     192.168.3.62      61       1

Examining the routing tables for FastFoods and EuroBank in Example 2-14, we can see that the host addresses have been installed as connected routes for each of the virtual-access interfaces. You can also see the loopback address used for preinstantiation of the VRFs, using the address 192.168.2.100.

Our original premise for providing remote access to FastFoods users was to provide access to the Sales Data server in Lyon (10.2.1.6). This has been achieved because the FastFoods VRF on the San Jose PE router has imported the BGP route 10.2.1.0/24 from the FastFoods VRF on the Paris PE router (194.22.15.1), allowing any FastFoods remote access user who is terminating on the San Jose PE router access to the FastFoods Lyon subnet.

Example 2-14. San Jose VHG/PE Router VRF Routing Tables

SanJose_PE#show ip route vrf FastFoods
[snip]
     10.0.0.0/24 is subnetted, 1 subnets
B       10.2.1.0 [200/0] via 194.22.15.1, 02:09:57
     192.168.2.0/24 is variably subnetted, 2 subnets, 2 masks
C       192.168.2.100/32 is directly connected, Loopback10
B       192.168.2.20/30 [200/0] via 194.22.15.1, 02:09:57
     192.168.3.0/32 is subnetted, 2 subnets
C       192.168.3.2 is directly connected, virtual-Access1
C       192.168.3.1 is directly connected, virtual-Access2

SanJose_PE#show ip route vrf EuroBank
[snip]
B    196.7.25.0/24 [200/0] via 194.22.15.1, 02:14:14
     194.22.15.0/32 is subnetted, 2 subnets
B       194.22.15.3 [200/0] via 194.22.15.3, 02:14:29
B       194.22.15.1 [200/0] via 194.22.15.1, 02:13:59
     192.168.2.0/24 is variably subnetted, 2 subnets, 2 masks
C       192.168.2.100/32 is directly connected, Loopback11
B       192.168.2.24/30 [200/0] via 194.22.15.1, 02:14:14
     192.168.3.0/32 is subnetted, 1 subnets
C       192.168.3.1 is directly connected, virtual-Access3

Aggregating Remote User Host Addresses

The VRF routing tables in the previous example showed that a host route was installed for each remote access user. To redistribute these routes to other VPN sites across the MPLS VPN backbone, you need to configure the redistribute connected command in BGP for the VRF (under the address-family). For large-scale dial-in services, this could lead to many host routes being distributed and installed into VRFs by Multiprotocol BGP. To prevent this from happening, you should summarize the remote host addresses in the VRF to the subnet used for pool addresses by using the BGP aggregate-address command, as shown in Example 2-15. The summary-only keyword prevents the more specific routes from being advertised. Therefore, redistribute connected can be kept for other routing requirements, and any connected routes in the range 192.168.3.0/26 are suppressed by the aggregate-address entry.
Example 2-15. Summarizing Pool Addresses

router bgp 100
[snip]
!
address-family ipv4 vrf FastFoods
 aggregate-address 192.168.3.0 255.255.255.192 summary-only
 redistribute connected
 exit-address-family
!
address-family ipv4 vrf EuroBank
 aggregate-address 192.168.3.0 255.255.255.192 summary-only
 redistribute connected
 exit-address-family

The pool addresses 192.168.3.1 to 192.168.3.62 are summarized to a single route 192.168.3.0/26, which appears in the label forwarding table (LFIB) on the San Jose VHG/PE router as an aggregate route (see Example 2-16). Note there are two aggregates for 192.168.3.0/26, one for each VRF.

NOTE

An entry that has an aggregate label in the forwarding table requires additional processing. First, the label is removed from the stack and a Layer 3 lookup is performed in the VRF on the underlying IP packet. If the removed label is not at the bottom of the stack (aggregates should always be at the bottom of the stack), the packet is discarded.

Example 2-16. San Jose PE/NAS Aggregate Routes

SanJose_PE#show mpls forwarding | inc 192.168.3
20     Aggregate   192.168.3.0/26[V]   0
21     Untagged    192.168.3.1/32[V]   1400        Vi2        point2point
22     Untagged    192.168.3.2/32[V]   2100        Vi1        point2point
25     Untagged    192.168.3.1/32[V]   0           Vi3        point2point
26     Aggregate   192.168.3.0/26[V]   0

If you look at the VRF table for FastFoods in the Paris PE router (see Example 2-17), you can see that the host routes have been replaced with a single summarized route 192.168.3.0/26.

Example 2-17. Paris PE-Router FastFoods VRF Table

Paris_PE#show ip route vrf FastFoods
[snip]
     10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
S       10.2.1.0/24 [1/0] via 192.168.2.21
S       10.2.1.5/32 [1/0] via 192.168.2.21, FastEthernet0/1
     192.168.2.0/24 is variably subnetted, 2 subnets, 2 masks
B       192.168.2.100/32 [200/0] via 194.22.15.2, 02:56:44
C       192.168.2.20/30 is directly connected, FastEthernet0/1
     194.22.16.0/32 is subnetted, 1 subnets
B       194.22.16.2 [200/0] via 194.22.15.3, 02:57:14
     192.168.3.0/26 is subnetted, 1 subnets
B       192.168.3.0 [200/0] via 194.22.15.2, 00:00:09

Dial-In Access via Direct ISDN

Direct dial-in access allows a remote user who has ISDN access to call a PE router and have that call terminate directly into the appropriate VRF. No L2TP tunneling is necessary because the PE router performs the functions of both a PE router and a NAS. Direct ISDN dial-in is supported only with pure digital calls (not analogue calls carried within the ISDN B-channel). Figure 2-16 shows a direct ISDN dial scenario in the SuperCom network. The San Jose NAS/PE router has a primary rate ISDN service connected; therefore, remote users who are equipped with an ISDN service can call the San Jose PE router directly. In our example, EuroBank has a small branch office located in Sacramento, which is equipped with a SOHO router that is connected to an ISDN service. This router uses dial-on-demand techniques to connect the Sacramento PCs on the 10.3.1.0/24 network to the EuroBank VPN. The link is established by using PPP, and the SOHO router is identified to the SuperCom network with the username sacramento@eurobank_SOHO. The choice of the domain name eurobank_SOHO (rather than eurobank.com) is deliberate. The rationale will be explained at the end of this section.
Figure 2-16. SuperCom Dial-In Using Direct ISDN

NOTE

The acronym SOHO applies to a customer network that has a small number of PCs connected, generally what you would find in a small office, home office (SOHO).

EuroBank does not have an AAA server and relies solely on SuperCom to provide all of its AAA services. Therefore, the SuperCom RADIUS server holds the entries and attributes for all remote EuroBank users (regardless of whether they are routers or single users/hosts). As in the VPDN scenario, virtual-profiles are used to create virtual-access interfaces for incoming calls. This mechanism provides a scalable solution for terminating many different users over the same ISDN service because the configuration of the B-channel virtual-access interface is provided by the SuperCom RADIUS server based on the calling user ID. The direct dial-in ISDN process is simpler than dial-in access using VPDN; it can be summarized as follows:
1. When the Sacramento EuroBank router calls in, a PPP link is established over the ISDN B-channel.

2. The San Jose NAS/PE router obtains the username sacramento@eurobank_SOHO from the Sacramento router using CHAP, which it then forwards to the SuperCom RADIUS server for authorization.

3. If successful, the SuperCom RADIUS server passes back any configuration parameters (VRF name, address pool) that are associated with the user.

4. The San Jose NAS/PE router creates a virtual-access interface for the PPP session based on a locally configured virtual-template combined with the configuration that the SuperCom RADIUS server provides.

5. The user CHAP authentication completes and the connection is fully established within the VPN.

In the SuperCom network, the San Jose PE router also performs the LNS function to terminate L2TP tunnels from the San Jose NAS/LAC, as discussed previously. To enable the San Jose PE router to provide L2TP termination, it must have the command vpdn enable set. For direct dial-in ISDN calls using PPP, the LNS function is not necessary; however, this command causes interesting behavior on the San Jose PE router. When an ISDN call is received, the vpdn enable command causes the San Jose PE router to initially forward an access request using just the domain or DNIS name. Because the SuperCom RADIUS server has entries holding L2TP tunnel information for all domains (such as fastfoods.com and eurobank.com), there is a danger that tunnel information will be mistakenly returned to the San Jose PE router, which will then unnecessarily build an L2TP tunnel to itself. You can avoid this problem by configuring the RADIUS server to check various attributes of the access request, such as the NAS-Identifier (the LAC or LNS) or the NAS-Port (an ISDN call), and to provide the appropriate RADIUS response. In our example, we have opted not to rely on special RADIUS scripting procedures. Instead, we use a different domain name to identify the direct dial-in ISDN users. Therefore, using the domain "eurobank_SOHO" avoids conflict on the RADIUS server for any bona fide eurobank.com dial-in users who are using VPDN.

Configuring the SuperCom San Jose NAS/PE Router

Example 2-18 shows the configuration for the San Jose NAS/PE router.

Example 2-18. San Jose NAS/PE Router Configuration for Direct ISDN Dial

hostname SanJose_PE
!

virtual-profile virtual-Template2
virtual-profile aaa
!
ip vrf EuroBank
 rd 10:27
 route-target export 10:27
 route-target import 10:27
!
interface Loopback11
 ip vrf forwarding EuroBank
 ip address 192.168.2.100 255.255.255.255
!
interface Serial6/0:15
 ip unnumbered Loopback0
 encapsulation ppp
 isdn switch-type primary-net5
 ppp authentication chap callin
!
interface virtual-Template2
 no ip address
 no peer default ip address
 ppp authentication chap callin
!

The AAA and overlapping local pool configuration is the same as for dial-in access using VPDN, as shown previously in Example 2-2. The only difference, besides the ISDN interface configuration, is the addition of a virtual-profile using virtual-template2.
NOTE

Virtual-template2 is necessary so that any incoming ISDN PPP calls have a virtual-template from which a virtual-access interface can be cloned. Virtual-template2 can also be configured with any global configuration that SuperCom might deem necessary, such as certain access-lists that would be common for all users.

The virtual-profile aaa command causes any additional per-user specific configuration to be retrieved from the SuperCom RADIUS server and applied to the cloned interface. Note that Loopback 11 is used to preinstantiate the EuroBank VRF.
SuperCom RADIUS Server Attributes

The RADIUS entry for the Sacramento SOHO router shown in Table 2-5 is identical to that of a single PC user except for the addition of a Framed-Route attribute, which injects a static route into the EuroBank VRF for the Sacramento LAN 10.3.1.0/24. The next-hop address for the route is then automatically set to the address selected from the local pool for the remote interface.

Table 2-5. Sacramento Router RADIUS Attributes for Direct ISDN Dial

Attribute (Type)      Value
User-Name (1)         sacramento@eurobank_SOHO
User-Password (2)     Whatsthebuzz
Service-Type (6)      2 (Framed)
Framed-Protocol (7)   1 (PPP)
Framed-Route (22)     10.3.1.0/24
Cisco-avpair          lcp:interface-config=ip vrf forwarding EuroBank \n[1]
                      ip unnumbered loopback 11 \n
                      peer default ip address pool EuroBank_Pool

[1] The \n signifies an explicit carriage return that varies between server implementations.
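The two RADIUS decisions described in this section, modelled as an added example that is not part of the book and is not Cisco IOS or any RADIUS server's code: the domain-only lookup that vpdn enable triggers (and the self-tunnel mistake that results when tunnel entries are keyed on the domain alone), the NAS-Identifier check the text offers as the alternative to a separate domain, and the per-user reply of Table 2-5 after a CHAP-MD5 verification (RFC 1994, carried in the CHAP-Password and CHAP-Challenge attributes of RFC 2865). The tunnel entries, the LAC's NAS-Identifier SanJose_NAS, the string form of NAS-Port-Type and the use of 194.22.15.2 as the LNS address (the San Jose PE as seen from Paris in Example 2-17) are assumptions; the user entry is Table 2-5 with its three interface-config lines joined by the \n the footnote describes. One thing the check makes visible: CHAP secrets are compared byte for byte, so the secret in Table 2-5 (Whatsthebuzz) and the one in the Sacramento router configuration of Example 2-19 (whatsthebuzz) must agree in case.

```python
"""Model of the SuperCom RADIUS server's authorization logic (added example)."""
import hashlib
import os

LAC_NAS_ID = "SanJose_NAS"    # assumed NAS-Identifier of the San Jose NAS/LAC
PE_NAS_ID = "SanJose_PE"      # hostname of the NAS/PE (LNS) in Example 2-18
LNS_ADDRESS = "194.22.15.2"   # San Jose PE as seen from Paris in Example 2-17 (assumed LNS address)

# Tunnel entries keyed by domain: what a VPDN domain lookup returns (assumed values).
TUNNEL_ENTRIES = {
    "eurobank.com": {"Tunnel-Type": "L2TP", "Tunnel-Server-Endpoint": LNS_ADDRESS},
    "fastfoods.com": {"Tunnel-Type": "L2TP", "Tunnel-Server-Endpoint": LNS_ADDRESS},
}

# Per-user entries keyed by the full user ID: Table 2-5, with the three
# interface-config lines joined by the explicit "\n" the footnote describes.
USER_ENTRIES = {
    "sacramento@eurobank_SOHO": {
        "password": "Whatsthebuzz",
        "reply": {
            "Service-Type": 2,        # Framed (RFC 2865 value)
            "Framed-Protocol": 1,     # PPP
            "Framed-Route": "10.3.1.0/24",
            "Cisco-avpair": "lcp:interface-config=" + "\n".join([
                "ip vrf forwarding EuroBank",
                "ip unnumbered loopback 11",
                "peer default ip address pool EuroBank_Pool",
            ]),
        },
    },
}


def chap_response(ident, secret, challenge):
    """RFC 1994 CHAP with MD5: the peer answers MD5(ident || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()


def build_access_request(nas_id, port_type, user_name, secret=None, ident=1, challenge=None):
    """Construct what the NAS sends. A domain-only lookup (the request that
    vpdn enable triggers first) carries no CHAP attributes; a user lookup carries
    the CHAP-Challenge the NAS issued and the CHAP-Password (ident + response)."""
    req = {"NAS-Identifier": nas_id, "NAS-Port-Type": port_type, "User-Name": user_name}
    if secret is not None:
        challenge = challenge or os.urandom(16)
        req["CHAP-Challenge"] = challenge
        req["CHAP-Password"] = bytes([ident]) + chap_response(ident, secret, challenge)
    return req


def authorize(req, check_nas=True):
    """Server decision. Returns ("tunnel", attrs) for a VPDN domain lookup,
    ("user", attrs) for an authenticated user, or ("reject", reason).
    With check_nas=False the tunnel entry is keyed on the domain alone, which is
    the behaviour that makes the PE build an L2TP tunnel to itself."""
    name = req["User-Name"]
    if "@" not in name:                       # domain (or DNIS) lookup
        tunnel = TUNNEL_ENTRIES.get(name)
        if tunnel is None:
            return ("reject", "no tunnel entry for domain %s" % name)
        if check_nas and req["NAS-Identifier"] != LAC_NAS_ID:
            # NAS-Port-Type (ISDN) is the other attribute the text suggests checking.
            return ("reject", "%s is not the LAC; authenticate the full user ID" % req["NAS-Identifier"])
        return ("tunnel", tunnel)
    entry = USER_ENTRIES.get(name)
    if entry is None:
        return ("reject", "unknown user %s" % name)
    ident, response = req["CHAP-Password"][0], req["CHAP-Password"][1:]
    if response != chap_response(ident, entry["password"], req["CHAP-Challenge"]):
        return ("reject", "CHAP verification failed for %s" % name)
    return ("user", entry["reply"])


if __name__ == "__main__":
    for req in (
        build_access_request(PE_NAS_ID, "ISDN", "eurobank.com"),    # what vpdn enable sends first
        build_access_request(PE_NAS_ID, "ISDN", "eurobank_SOHO"),   # the separate-domain approach
        build_access_request(PE_NAS_ID, "ISDN", "sacramento@eurobank_SOHO", secret="Whatsthebuzz"),
    ):
        print(req["User-Name"], "->", authorize(req)[0],
              "/ keyed on domain only:", authorize(req, check_nas=False)[0])
```

With check_nas=False the PE's own domain lookup for eurobank.com gets tunnel attributes back, which is exactly the self-tunnel the text warns about; the lookup for eurobank_SOHO finds no tunnel entry either way, which is why the separate domain works without any server-side logic.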

NOTE

A new Cisco IOS feature called Framed Route VRF Aware was necessary to support the Framed-Route attribute in the context of a VRF. This feature is available in the 12.2(8)T Release of Cisco IOS. You can also use the cisco-avpair "ip:route=10.3.1.0 255.255.255.0" in place of the Framed-Route attribute to achieve the same result.

Configuring the Sacramento SOHO Router

Example 2-19 shows the Sacramento router configuration. The ip address negotiated command ensures that the dialer interface receives its address from the EuroBank_Pool configured on the San Jose NAS/PE router. A default static route via interface Dialer1 is used to gain access to the EuroBank VPN.

Example 2-19. Sacramento SOHO Router Configuration for Direct ISDN Dial

hostname Sacramento_SOHO
!
interface BRI0/0
 no ip address
 encapsulation ppp
 dialer pool-member 5
 isdn switch-type basic-net3
!
interface Dialer1
 ip address negotiated
 encapsulation ppp
 dialer pool 5
 dialer idle-timeout 600
 dialer string 94780400
 dialer-group 1
 ppp chap hostname sacramento@eurobank_SOHO
 ppp chap password whatsthebuzz
!
ip route 0.0.0.0 0.0.0.0 Dialer1
!
dialer-list 1 protocol ip permit
Verifying Direct Dial-In Operation

Example 2-20 shows the routing table for the EuroBank VRF after the ISDN connection has been established from the Sacramento SOHO router. Interface Virtual-Access4 has been created in the EuroBank VRF and configured with the address 192.168.3.2 from the EuroBank local pool. (Note that Vi3 is still connected to eric@eurobank.com.) In addition, a per-user static route, denoted by the "U," for 10.3.1.0/24 has been inserted for the Sacramento LAN. This route was carried in the Framed-Route attribute returned in the access-accept message from the SuperCom RADIUS server. Multiprotocol BGP distributes the per-user static route to all other EuroBank VRFs, provided that redistribute static has been configured under the BGP address-family for the VRF.
Example 2-20. San Jose NAS/PE Router EuroBank VRF Routes for Direct ISDN Dial

SanJose_PE#show ip route vrf EuroBank
[snip]
B    196.7.25.0/24 [200/0] via 194.22.15.1, 04:28:33
     10.0.0.0/24 is subnetted, 1 subnets
U       10.3.1.0 [1/0] via 192.168.3.2
     192.168.2.0/24 is variably subnetted, 2 subnets, 2 masks
C       192.168.2.100/32 is directly connected, Loopback11
B       192.168.2.24/30 [200/0] via 194.22.15.1, 04:28:33
     192.168.3.0/24 is variably subnetted, 3 subnets, 2 masks
C       192.168.3.1/32 is directly connected, virtual-Access3
C       192.168.3.2/32 is directly connected, virtual-Access4
B       192.168.3.0/26 [200/0] via 0.0.0.0, 00:00:54, Null0
Providing Dial-Out Access via LSDO
The LSDO feature is an effective and scalable method of providing dial-out services in a service provider environment. LSDO eliminates the need to configure individual dialer profiles for every outgoing destination. Instead, all the dialer profile attributes, such as the dialing number, username/password, and PPP peer IP address, are kept on an AAA server. Only a generic dialer interface needs to be configured on the service provider VHG or NAS devices. By using an AAA server, you can keep all dialer configurations at a central point and download them to any router in the service provider network that provides dial-out services.

When an interesting packet causes a dialer to be activated, the router downloads the appropriate profile from the AAA server and applies it to the generic dialer. LSDO provides many other features, such as fault tolerance, redundancy, and congestion management. You can find further detailed information on the Cisco CCO web site at www.cisco.com. This section is concerned with LSDO operation in an MPLS VPN environment through a feature enhancement called VRF-aware LSDO, which was first available in Cisco IOS version 12.2(8)T.

Figure 2-17 shows an example of LSDO operation within the SuperCom network. FastFoods has a national grid of "YummyTummy" vending machines that dispense various snacks. Normally, the vending machines are offline, and each evening FastFoods HQ queries these vending machines for stock levels and other maintenance purposes. FastFoods uses the SuperCom LSDO service to obtain a connection to each of the vending machines from within the FastFoods VPN. The step-by-step operation of the LSDO service is shown in Figure 2-17.

Figure 2-17. LSDO Operation for FastFoods
Our example shows a single vending machine located at the FastFoods location in Fresno, California, on the subnet 10.4.1.0/24. The Fresno dial number is 99065890, and the username and password used for CHAP are "Fresno_Dialer/showmethemoney." The dialer interface that is configured on the San Jose PE router is Dialer20, and the address used for the connected route is 192.168.2.51.

The following summarizes the call flow to support LSDO for FastFoods:

Step 1. A packet arrives at the San Jose PE router bound for network 10.4.1.0/24 in the FastFoods VRF.

Step 2. Subnet 10.4.1.0/24 is routed to a dialer interface (in our configuration examples, Dialer20 is used) within the FastFoods VRF. This interface has been configured with "dialer aaa," which indicates that dialer profile information is to be obtained from the SuperCom AAA server. A static route must be configured (we are using 192.168.2.51) pointing to interface Dialer20, and it is given the remote name "Fresno_Vending." This remote name distinguishes this route from other vending machine routes that point to the same dialer.

Step 3. The San Jose PE router issues an access-request RADIUS message to the SuperCom RADIUS server by using the username Fresno_Vending-out-FastFoods. The username uses the format "<remote name>-out-<VRF name>." If no name has been applied to the static route, "<ip address>-out-<VRF name>" is used, where the IP address is the /32 address that appears in the static route.

Step 4. The RADIUS server passes back the cisco-avpair attributes for the corresponding username entry. These consist of the dial string, the username and password for CHAP, and the /32 address to be used on the dialer interface while the call is active.

Step 5. When the reply is received, a free dialer is searched for on the San Jose PE router. The dialer interface is configured with the command "dialer vpdn," which causes a vpdn-group to provide the dial-out. This vpdn-group is configured with "request-dialout."

Step 6. A virtual-access interface is created for the dial-out session, and an L2TP tunnel is created to the NAS based on the vpdn-group information. This virtual-access interface is placed inside the FastFoods VRF.

Step 7. The dial string is passed through the L2TP tunnel.

Step 8. The San Jose NAS then dials the number by using the dialer interface that is associated with the vpdn-group. This vpdn-group is configured with "accept-dialout."

Step 9. The Fresno CE router answers the call and issues a CHAP challenge. The San Jose PE router then passes the username/password it received from the RADIUS server through the PPP session.

Step 10. The call is fully connected, and data can flow in both directions.

The following sections detail the configurations that are necessary to provide the FastFoods scenario discussed in the previous steps.
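The AAA part of this call flow (Steps 2 through 5) can be modelled in a few lines. The following is an added example, not code from the book or from IOS: it derives the RADIUS User-Name from the VRF static route exactly as Step 3 describes, parses the outbound:* cisco-avpairs that come back in the access-accept into the dynamic dialer map, and enforces the rule that outbound:addr must equal the /32 next-hop of the static route. The route and attribute values are the FastFoods Fresno ones from the text; the class, function and field names are this example's own, and the send-auth values other than 2 are taken from Cisco's LSDO attribute list rather than from this page.

```python
"""Model of the LSDO AAA exchange (Steps 2-5). Added example; not IOS code."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Meaning of "outbound:send-auth=<n>". 2 is CHAP, as the RADIUS/DECODE line in
# the debug output later in this section reports; 0 and 1 are assumed here.
SEND_AUTH = {"0": "none", "1": "pap", "2": "chap"}
REQUIRED = ("dial-number", "send-name", "send-secret", "send-auth", "addr")


@dataclass
class VrfStaticRoute:
    """One 'ip route vrf <vrf> <addr> 255.255.255.255 Dialer<n> [name <remote>]'."""
    vrf: str
    prefix: str                 # e.g. "192.168.2.51/32"
    interface: str              # e.g. "Dialer20"
    name: Optional[str] = None  # the optional "name" keyword on the route

    def lsdo_username(self) -> str:
        """User-Name in the access-request: <name>-out-<vrf>, or the /32
        address when no name was applied to the static route."""
        if self.name:
            return f"{self.name}-out-{self.vrf}"
        return f"{ipaddress.ip_interface(self.prefix).ip}-out-{self.vrf}"


@dataclass
class DialerMap:
    """The dynamic dialer map built from the access-accept."""
    dial_number: str
    send_name: str
    send_secret: str
    auth: str
    addr: str


def parse_outbound_avpairs(avpairs: list) -> dict:
    """Split 'outbound:key=value' cisco-avpair strings into a dict; pairs
    outside the outbound: namespace are ignored, as the dialer would."""
    out = {}
    for pair in avpairs:
        if not pair.startswith("outbound:") or "=" not in pair:
            continue
        key, value = pair[len("outbound:"):].split("=", 1)
        out[key] = value
    return out


def build_dialer_map(route: VrfStaticRoute, avpairs: list) -> DialerMap:
    """Turn the access-accept into a dialer map. Raises ValueError if an
    attribute is missing, send-auth is unknown, or outbound:addr does not
    match the /32 next-hop configured in the VRF static route."""
    attrs = parse_outbound_avpairs(avpairs)
    for key in REQUIRED:
        if key not in attrs:
            raise ValueError(f"access-accept missing outbound:{key}")
    auth = SEND_AUTH.get(attrs["send-auth"])
    if auth is None:
        raise ValueError(f"unknown send-auth value {attrs['send-auth']}")
    expected = str(ipaddress.ip_interface(route.prefix).ip)
    if attrs["addr"] != expected:
        raise ValueError(
            f"outbound:addr {attrs['addr']} does not match route next-hop {expected}")
    return DialerMap(attrs["dial-number"], attrs["send-name"],
                     attrs["send-secret"], auth, attrs["addr"])


# Values from the FastFoods Fresno scenario on this page.
FRESNO_ROUTE = VrfStaticRoute("FastFoods", "192.168.2.51/32", "Dialer20", "Fresno_Vending")
FRESNO_ACCEPT = [
    "outbound:dial-number=99065890",
    "outbound:send-name=Fresno_Dialer",
    "outbound:send-secret=showmethemoney",
    "outbound:send-auth=2",
    "outbound:addr=192.168.2.51",
]

if __name__ == "__main__":
    print(FRESNO_ROUTE.lsdo_username())
    print(build_dialer_map(FRESNO_ROUTE, FRESNO_ACCEPT))
```

The addr check is the one worth keeping in an operational tool: if the RADIUS profile and the VRF static route drift apart (a second site reuses an address, or a profile is copied without editing), the PPP session comes up with an address that no route in the VRF points at, and the failure is silent from the router's point of view.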

Configuring the SuperCom San Jose VHG/PE Router

The San Jose PE router requires three items to be configured for LSDO: a generic dialer interface, a vpdn-group for dial-out to the San Jose NAS, and static routes for the remote subnets that use the dialer interface.

The dialer interface configuration for Dialer20, shown in Example 2-21, is a generic configuration that exists in the global routing table. It is not associated with a VRF, and the IP address that is allocated to it can be any value and only needs to be unique in the global table. The dialer aaa command causes the San Jose PE router to query the RADIUS server for dialing information. The dialer vpdn command allows a vpdn-group to be used for L2TP dial-out.

Example 2-21. Dialer Interface Configuration
aaa authentication ppp default local group radius
aaa authorization network default local group radius
aaa authorization configuration default group radius
!
interface Dialer20
 ip address 194.22.15.62 255.255.255.252
 encapsulation ppp
 no keepalive
 dialer in-band
 dialer aaa
 dialer vpdn
 dialer-group 2
 no peer default ip address
 no cdp enable
 ppp authentication chap callin
!
dialer-list 2 protocol ip permit

Note that dialer-list 2 classifies every IP packet as interesting. Any packet that reaches the dialer, including unsolicited traffic from another FastFoods site toward an idle vending machine subnet, places a call and incurs its cost; in production, restrict the dialer-list to the traffic that should legitimately trigger dial-out.

The existing vpdn-group 1 configuration, used in the previous VPDN dial-in examples, has been modified to allow dial-out service from the LNS (San Jose PE router) by the addition of the request-dialout command. The command rotary-group 20 allows interface Dialer20 to use this vpdn-group for dial-out by initiating an L2TP connection to the San Jose LAC/NAS 194.22.15.4 (see Example 2-22).

Example 2-22. VPDN Group Configuration for Dial-Out

vpdn-group 1
 accept-dialin
  protocol l2tp
  virtual-Template 1
 request-dialout
  protocol l2tp
  rotary-group 20
 terminate-from hostname SuperCom_LAC
 initiate-to ip 194.22.15.4
 local name SuperCom_LNS
 l2tp tunnel password 7 06100632454107
 source-ip 194.22.15.2
Finally, you must configure some static routes in the FastFoods VRF to allow the dialer interface to function, as shown in Example 2-23. The first static route injects the interface Dialer20 into the FastFoods VRF with the next-hop of 192.168.2.51. This address must match the interface address that is downloaded from the RADIUS server for the PPP session to FastFoods Fresno. Note that the remote name Fresno_Vending has been applied to this route. This name is used to obtain the dialing information from the RADIUS server via an access-request message. The second static route injects the actual Fresno subnet and ensures that Dialer20 will be used.

Example 2-23. Static Routes for Dialer Interfaces

ip route vrf FastFoods 192.168.2.51 255.255.255.255 Dialer20 name Fresno_Vending
ip route vrf FastFoods 10.4.1.0 255.255.255.0 192.168.2.51

You can use the same dialer interface within the VRF to dial other remote access sites. However, the remote name and next-hop address must be different. For example, Example 2-24 shows the configuration to access the FastFoods Reno "YummyTummy" vending machine with the same interface Dialer20. (Assume that Reno is using the subnet 10.5.1.0/24.)

Example 2-24. Additional Static Routes for Dialer Interfaces

ip route vrf FastFoods 192.168.2.52 255.255.255.255 Dialer20 name Reno_Vending
ip route vrf FastFoods 10.5.1.0 255.255.255.0 192.168.2.52

Configuring the SuperCom San Jose LAC/NAS

Example 2-25 shows the corresponding vpdn-group used to accept the dial-out request on the San Jose LAC/NAS by using the accept-dialout service. The dialer 2 command associates the dial-out request with interface Dialer2 which, in turn, uses the physical interface Serial0:15 to call the Fresno CE router. You might have noticed that there is no request-dialin service configured on this vpdn-group to match the accept-dialin on the San Jose PE router. This is because virtual-profiles are used on the San Jose LAC/NAS for dial-in services. (The tunnel information is downloaded from the RADIUS server, as discussed earlier in the "Dial-In Access via L2TP VPDN" section.)

Example 2-25. San Jose LAC/NAS Configuration for LSDO

vpdn-group 1
 accept-dialout
  protocol l2tp
  dialer 2
 terminate-from hostname SuperCom_LNS
 local name SuperCom_LAC
 l2tp tunnel password 7 1058000A0C181C
 source-ip 194.22.15.4
!
interface Dialer2
 ip unnumbered Loopback0
 encapsulation ppp
 dialer in-band
 dialer aaa
 dialer-group 2
 no cdp enable
 ppp authentication chap callin
!
interface Serial0:15
 no ip address
 encapsulation ppp
 dialer rotary-group 2
 isdn switch-type primary-net5
 isdn incoming-voice modem
 no cdp enable
 ppp authentication chap callin
!
dialer-list 2 protocol ip permit
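A caveat that applies to the l2tp tunnel password lines in both Example 2-22 and Example 2-25, added here and not part of the book: IOS "password 7" strings are a reversible XOR against a fixed, publicly known key, not a hash. Anyone who can read the configuration (show running-config, a config backup, a TFTP archive) can recover the shared secret that authenticates the L2TP tunnel between the LAC and the LNS, and service password-encryption does nothing to change that. The decoder below is an added example implementing the well-known type-7 scheme; the key string is the one the encoding uses and is public, and the helper that pulls tunnel passwords out of a configuration text is this example's own.

```python
"""IOS type-7 decoder applied to the l2tp tunnel password lines above.
Added example; the key is the public constant the IOS encoding uses."""

# Fixed key used by IOS type-7 encoding (public; not a secret).
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded: str) -> str:
    """Recover the plaintext of a 'password 7' string.

    Format: two decimal digits giving the starting key offset, then one hex
    byte per plaintext character, each XORed with the key byte at
    (offset + position) mod len(key)."""
    if len(encoded) < 4 or len(encoded) % 2 != 0:
        raise ValueError("type-7 string must be an even number of chars, >= 4")
    offset = int(encoded[:2], 10)
    body = bytes.fromhex(encoded[2:])
    plain = bytearray()
    for i, b in enumerate(body):
        plain.append(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)])
    return plain.decode("ascii")


def type7_encode(plain: str, offset: int = 6) -> str:
    """Inverse of type7_decode; included only to make the point that this is
    an encoding, not one-way hashing. IOS picks offsets in the range 0..15."""
    if not 0 <= offset <= 15:
        raise ValueError("offset must be 0..15")
    out = [f"{offset:02d}"]
    for i, ch in enumerate(plain.encode("ascii")):
        out.append(f"{ch ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)]:02X}")
    return "".join(out)


def tunnel_passwords_from_config(config: str) -> dict:
    """Return {encoded: plaintext} for every 'l2tp tunnel password <type> <value>'
    line in a configuration text. Type 7 is decoded; any other type (for
    example 0, clear text) is returned unchanged."""
    found = {}
    for line in config.splitlines():
        parts = line.split()
        if parts[:3] == ["l2tp", "tunnel", "password"] and len(parts) == 5:
            ptype, value = parts[3], parts[4]
            found[value] = type7_decode(value) if ptype == "7" else value
    return found


# The two vpdn-group fragments from Examples 2-22 and 2-25 on this page.
SAMPLE_CONFIG = """\
vpdn-group 1
 local name SuperCom_LNS
 l2tp tunnel password 7 06100632454107
 source-ip 194.22.15.2
!
vpdn-group 1
 local name SuperCom_LAC
 l2tp tunnel password 7 1058000A0C181C
 source-ip 194.22.15.4
"""

if __name__ == "__main__":
    for enc, plain in tunnel_passwords_from_config(SAMPLE_CONFIG).items():
        print(enc, "->", plain)
```

Running this over the two fragments recovers the same six-character word from both, as it must, since the LAC and the LNS authenticate the tunnel with a shared secret. The practical consequence is that configuration files containing vpdn-group definitions deserve the same handling as key material: restrict who can view running configurations, keep backups off shared file stores, and rotate the tunnel password if a configuration has been exposed.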

SuperCom RADIUS Attributes
Table 2-6 lists the RADIUS attributes that are returned to dial FastFoods Fresno. The username must match the "<remote name>-out-<VRF name>" that the San Jose PE router generates. The rest of the attributes are applied to the dialer interface (to create a dynamic dialer map) and include the dial number, username, password, and the interface address that is applied to the virtual-access interface that is created. The "send-auth" attribute indicates that CHAP will be used for authentication. Note that RADIUS hides only the User-Password attribute in transit; the send-secret value returned here travels between the RADIUS server and the PE in the clear, protected only by the packet's MD5 authenticator, so the path between the two should be a trusted or tunneled one.

Table 2-6. SuperCom RADIUS Attributes for FastFoods Fresno

Attribute (Type)    Value
User-Name (1)       "Fresno_Vending-out-FastFoods"
cisco-avpair        "outbound:dial-number=99065890"
cisco-avpair        "outbound:send-name=Fresno_Dialer"
cisco-avpair        "outbound:send-secret=showmethemoney"
cisco-avpair        "outbound:send-auth=2"
cisco-avpair        "outbound:addr=192.168.2.51"
service-type        outbound

Verifying VRF-Aware LSDO Operation

The output in Example 2-26 shows the state of the FastFoods routing table on the San Jose VHG/PE router with no dialer interface active. You can see the two static routes that were configured previously, ultimately allowing the Fresno subnet 10.4.1.0/24 to be accessed via interface Dialer20.

Example 2-26. FastFoods VRF with No Dialer Active
SanJose_PE#show ip route vrf FastFoods
[snip]
     10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
B       10.2.1.0/24 [200/0] via 194.22.15.1, 3d20h
S       10.4.1.0/24 [1/0] via 192.168.2.51
C       10.66.162.0/23 is directly connected, Ethernet5/1
     192.168.2.0/24 is variably subnetted, 3 subnets, 2 masks
C       192.168.2.100/32 is directly connected, Loopback10
S       192.168.2.51/32 is directly connected, Dialer20
B       192.168.2.20/30 [200/0] via 194.22.15.1, 3d20h
     192.168.3.0/24 is variably subnetted, 3 subnets, 2 masks
C       192.168.3.2/32 is directly connected, virtual-Access3
C       192.168.3.1/32 is directly connected, virtual-Access1
B       192.168.3.0/26 [200/0] via 0.0.0.0, 3d19h, Null0

When a packet arrives at the San Jose VHG/PE router destined for 10.4.1.0/24, it is routed toward interface Dialer20. It is deemed an interesting packet because it matches the configured dialer-list 2. Because no dial connection is active, an access-request message for dialing information is forwarded to the SuperCom RADIUS server, as shown in the debug output in Example 2-27. When the attributes are returned, a dynamic dialer map and an L2TP tunnel based on the vpdn-group information (using the vpdn-group with dialer rotary-group 20 configured) are created. Access to the PPP session over the tunnel is via virtual-access5.

Example 2-27. RADIUS Access-Request for LSDO

RADIUS/ENCODE(00000024): acct_session_id: 44
RADIUS(00000024): sending
RADIUS: Send to unknown id 40 194.22.16.2:1645, Access-Request, len 103
RADIUS:  authenticator CD 17 02 7A B7 A5 D4 AC - 4A FB 9B 76 D4 DB 3B BA
RADIUS:  User-Name           [1]   30  "Fresno_Vending-out-FastFoods"
RADIUS:  User-Password       [2]   18  *
RADIUS:  Service-Type        [6]   6   Outbound                  [5]
RADIUS:  NAS-IP-Address      [4]   6   192.22.15.2
RADIUS:  Acct-Session-Id     [44]  10  "0000002C"
RADIUS:  Nas-Identifier      [32]  13  "SanJose_PE."
RADIUS: Received from id 40 194.22.16.2:1645, Access-Accept, len 208
RADIUS:  authenticator 52 D6 BF C7 13 10 03 B8 - 48 A5 D7 59 95 DD F5 E3
RADIUS:  Service-Type        [6]   6   Outbound                  [5]
RADIUS:  Vendor, Cisco       [26]  37
RADIUS:   Cisco AVpair       [1]   31  "outbound:dial-number=99065890"
RADIUS:  Vendor, Cisco       [26]  40
RADIUS:   Cisco AVpair       [1]   34  "outbound:send-name=Fresno_Dialer"
RADIUS:  Vendor, Cisco       [26]  43
RADIUS:   Cisco AVpair       [1]   37  "outbound:send-secret=showmethemoney"
RADIUS:  Vendor, Cisco       [26]  28
RADIUS:   Cisco AVpair       [1]   22  "outbound:send-auth=2"
RADIUS:  Vendor, Cisco       [26]  34
RADIUS:   Cisco AVpair       [1]   28  "outbound:addr=192.168.2.51"
RADIUS: Received from id 24
RADIUS/DECODE: VSA send-auth=2 maps to chap
DSES 50910: Session create
DSES 0x50910: Building dialer map
DSES 0x50910: Next hop name is Fresno_Vending
Vi5 DDR: Dialing cause ip (s=192.168.2.22, d=10.4.1.1)
Vi5 DDR: Attempting to dial 99065890
%LINK-3-UPDOWN: Interface virtual-Access5, changed state to up
Vi5 DDR: Dialer statechange to up
Vi5 DDR: Dialer call has been placed
Vi5 DDR: dialer protocol up
Vi5: Call connected, 1 packets unqueued, 0 transmitted, 1 discarded
Vi5 DDR: dialer protocol up
Part II describes advanced MPLS VPN connectivity including the integration of service provider access technologies (dial, DSL, cable, Ethernet) and a variety of routing Vi5: Call connected, 0 packets unqueued, 0 transmitted, 0 discarded protocols (IS-IS, EIGRP, and OSPF), arming the reader with the knowledge of how to integrate these features into the VPN backbone. Part III details advanced deployment issues %LINEPROTO-5-UPDOWN: Line protocol on Interface virtual-Access5, changed state to up including security, outlining the necessary steps the service provider must take to protect the backbone and any attached VPN sites, and also detailing the latest security features to allow more advanced topologies and filtering. This part also covers multi-carrier MPLS VPN deployments. Finally, Part IV provides a methodology for advanced MPLS VPN troubleshooting. The VRF-aware dynamic dialer map is created, as shown in Example 2-28. MPLS and VPN Architectures, Volume II , also introduces the latest advances in customer integration, security, and troubleshooting features essential to providing the advanced

Example 2-28. Dynamic Dialer Map

SanJose_PE#show dialer map
Dynamic dialer map ip 192.168.2.51 vrf FastFoods name Fresno_Vending (99065890) on Di20

If you look at the FastFoods routing information after Fresno has been connected, you see that interface Virtual-Access5 has replaced interface Dialer20, and that 192.168.2.51/32 is now a connected route, as shown in Example 2-29.

Example 2-29. FastFoods VRF with Dialer Active

SanJose_PE#show ip route vrf FastFoods
[snip]
     10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
B       10.2.1.0/24 [200/0] via 194.22.15.1, 3d21h
S       10.4.1.0/24 [1/0] via 192.168.2.51
     192.168.2.0/24 is variably subnetted, 3 subnets, 2 masks
C       192.168.2.100/32 is directly connected, Loopback10
C       192.168.2.51/32 is directly connected, virtual-Access5
B       192.168.2.20/30 [200/0] via 194.22.15.1, 3d21h
     192.168.3.0/24 is variably subnetted, 3 subnets, 2 masks
C       192.168.3.2/32 is directly connected, virtual-Access3
C       192.168.3.1/32 is directly connected, virtual-Access1
B       192.168.3.0/26 [200/0] via 0.0.0.0, 3d20h, Null0

The VPDN tunnel information for the LNS and LAC are shown in Example 2-30. The San Jose PE router uses interface Vi5 to send and receive traffic for Fresno over the tunnel to the San Jose LAC/NAS. The San Jose LAC/NAS uses the physical interface Se0:9 to instigate the connection to Fresno.

Example 2-30. Dialer VPDN Tunnel Information

SanJose_PE#show vpdn
[snip]
LocID RemID Remote Name   State  Remote Address  Port  Sessions  VPDN Group
32199 38359 SuperCom_LAC  est    194.22.15.4     1701  1         1

LocID RemID TunID Intf  Username        State  Last Chg  Fastswitch
53    178   32199 Vi5   Fresno_Vending  est    00:00:24  enabled
-------------------------------------------------------------------------------
SanJose_NAS#show vpdn
LocID RemID Remote Name   State  Remote Address  Port  Sessions
38359 32199 SuperCom_LNS  est    194.22.15.2     1701  1

LocID RemID TunID Intf   Username  State  Last Chg  Fastswitch
178   53    38359 Se0:9            est    00:00:30  enabled

VRF Static Route Download from an AAA Server

In our LSDO example, the static routes were configured manually in the San Jose PE router to provide reachability to the FastFoods remote LAN subnets. An alternative to configuring the static VRF routes explicitly on the San Jose PE router is to automatically download them from the SuperCom RADIUS server. This is achieved through the AAA route download feature in Cisco IOS. The advantage of this feature is that you can manage static routes to remote sites from a central location and then download these routes to specific routers that are providing dial-out services for VPN customers. This provides a scalable solution for managing a large number of remote routes as well as shifting dial-out load to other remote-access servers by simply reconfiguring the RADIUS server and reloading the routes to another router.

You can enable the static route download feature on the San Jose PE router using the following global command:

aaa route download [time] [authorization method-list]

If a method-list is not specified, then the default AAA server configured is used. The routes are downloaded periodically from the AAA server. The time parameter is optional and specifies the interval to download new routes from the RADIUS server; by default, this is set to 720 minutes. After this command is configured, the San Jose PE router immediately issues a series of RADIUS access-request messages for static routes. The username/key supplied in each RADIUS request message consists of the router hostname plus an incrementing index in the form <hostname>-n. For example, the San Jose PE router uses the following usernames to download routes from the RADIUS server:

SanJose_PE-1, SanJose_PE-2 … SanJose_PE-n

The RADIUS access-request messages continue until the RADIUS server issues an access-reject due to the username/key not existing. The incorporation of the hostname in the request message means that the RADIUS server can download specific static routes to particular routers. By supplying an index to the hostname, the static routes can be logically grouped, for example, by VRF. In this way, you can achieve a scalable method of static route distribution.

In our example, we will configure the SuperCom RADIUS server to download static routes for both FastFoods and EuroBank, replacing the manual method of configuring routes directly into the router. EuroBank has been included to show how routes can be downloaded on a per-VRF basis based on the <hostname>-n username. Table 2-7 shows the RADIUS entries and attributes for the EuroBank and FastFoods static routes. Note that the static routes are specified by using the cisco-avpair "ip:route" attribute, which now supports VRFs as part of the VRF-aware Framed-Route feature that is available in Cisco IOS 12.2(8)T onward. All FastFoods routes are grouped under the username SanJose_PE-1, whereas all EuroBank routes are grouped under the username SanJose_PE-2. (We are showing two EuroBank branches located at Modesto and Laguna in California.) The routes configured consist of the connected route for the dialer interface at each remote site, plus the corresponding LAN subnet pointing to the connected route. Enabling these routes to be downloaded into other PE routers would require a separate username entry corresponding to the target router's hostname.

Table 2-7. Static Route Download Attributes for FastFoods and EuroBank

Attribute (Type)    Value
FastFoods Entry
User-Name (1)       "SanJose_PE-1"
User-Password (2)   "cisco"
Cisco-avpair        "ip:route=vrf FastFoods 192.168.2.51 255.255.255.255 dialer20 name Fresno_Vending"
                    "ip:route=vrf FastFoods 192.168.2.52 255.255.255.255 dialer20 name Reno_Vending"
                    "ip:route=vrf FastFoods 10.4.1.0 255.255.255.0 192.168.2.51"
                    "ip:route=vrf FastFoods 10.5.1.0 255.255.255.0 192.168.2.52"
EuroBank Entry
User-Name (1)       "SanJose_PE-2"
User-Password (2)   "cisco"
Cisco-avpair        "ip:route=vrf EuroBank 192.168.2.61 255.255.255.255 dialer20 name Modesto_Branch"
                    "ip:route=vrf EuroBank 192.168.2.62 255.255.255.255 dialer20 name Laguna_Branch"
                    "ip:route=vrf EuroBank 196.7.28.0 255.255.255.0 192.168.2.61"
                    "ip:route=vrf EuroBank 196.7.30.0 255.255.255.0 192.168.2.62"

The debug output in Example 2-31 shows how static routes are downloaded for the FastFoods and EuroBank VRFs. The routes have been grouped by VRF on the RADIUS server so that the first request (SanJose_PE-1) passes back all the static routes for FastFoods and the second request (SanJose_PE-2) passes back all the static routes for EuroBank. The third request (SanJose_PE-3) is rejected because there are no more routes to download.

Example 2-31. Static Route Download Debug

RADIUS(00000000): Send to unknown id 21646/8 194.22.16.2 1645, Access-Request, len 87
RADIUS:  User-Name           [1]   14  "SanJose_PE-1"
RADIUS:  User-Password       [2]   18  *
RADIUS:  Service-Type        [6]   6   Outbound                  [5]
RADIUS:  NAS-IP-Address      [4]   6   194.22.15.2
RADIUS:  Acct-Session-Id     [44]  10  "00000000"
RADIUS:  Nas-Identifier      [32]  13  "SanJose_PE."
RADIUS: Received from id 21646/8 192.22.16.2 1645, Access-Accept, len 326
RADIUS:  Vendor, Cisco       [26]  88
RADIUS:   Cisco AVpair       [1]   82  "ip:route=vrf FastFoods 192.168.2.51 255.255.255.255 dialer20 name Fresno_Vending"
RADIUS:  Vendor, Cisco       [26]  86
RADIUS:   Cisco AVpair       [1]   80  "ip:route=vrf FastFoods 192.168.2.52 255.255.255.255 dialer20 name Reno_Vending"
RADIUS:  Vendor, Cisco       [26]  66
RADIUS:   Cisco AVpair       [1]   60  "ip:route=vrf FastFoods 10.4.1.0 255.255.255.0 192.168.2.51"
RADIUS:  Vendor, Cisco       [26]  66
RADIUS:   Cisco AVpair       [1]   60  "ip:route=vrf FastFoods 10.5.1.0 255.255.255.0 192.168.2.52"
RADIUS(00000000): Send to unknown id 21646/9 194.22.16.2 1645, Access-Request, len 87
RADIUS:  User-Name           [1]   14  "SanJose_PE-2"
RADIUS:  User-Password       [2]   18  *
RADIUS:  Service-Type        [6]   6   Outbound                  [5]
RADIUS:  NAS-IP-Address      [4]   6   194.22.15.2
RADIUS:  Acct-Session-Id     [44]  10  "00000000"
RADIUS:  Nas-Identifier      [32]  13  "SanJose_PE."
RADIUS: Received from id 21646/9 194.22.16.2 1645, Access-Accept, len 327
RADIUS:  Vendor, Cisco       [26]  87
RADIUS:   Cisco AVpair       [1]   81  "ip:route=vrf EuroBank 192.168.2.61 255.255.255.255 dialer20 name Modesto_Branch"
RADIUS:  Vendor, Cisco       [26]  86
RADIUS:   Cisco AVpair       [1]   80  "ip:route=vrf EuroBank 192.168.2.62 255.255.255.255 dialer20 name Laguna_Branch"
RADIUS:  Vendor, Cisco       [26]  67
RADIUS:   Cisco AVpair       [1]   61  "ip:route=vrf EuroBank 196.7.28.0 255.255.255.0 192.168.2.61"
RADIUS:  Vendor, Cisco       [26]  67
RADIUS:   Cisco AVpair       [1]   61  "ip:route=vrf EuroBank 196.7.30.0 255.255.255.0 192.168.2.62"
RADIUS(00000000): Send to unknown id 21646/10 194.22.16.2 1645, Access-Request, len 87
RADIUS:  authenticator 5D 95 36 F8 0F 84 37 F6 - 90 23 71 0C 8D 5D 00 71
RADIUS:  User-Name           [1]   14  "SanJose_PE-3"
RADIUS:  User-Password       [2]   18  *
RADIUS:  Service-Type        [6]   6   Outbound                  [5]
RADIUS:  NAS-IP-Address      [4]   6   194.22.15.2
RADIUS:  Acct-Session-Id     [44]  10  "00000000"
RADIUS:  Nas-Identifier      [32]  13  "SanJose_PE."
RADIUS: Received from id 21646/10 194.22.16.2 1645, Access-Reject, len 35
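As an added example (not the book's code), the following Python models the exchange in Example 2-31: the <hostname>-n request loop that stops at the first Access-Reject, RFC 2865 attribute encoding including the Cisco vendor-specific cisco-avpair, and parsing of the ip:route values into per-VRF static routes. The in-memory server table, the shared secret and the all-zero authenticator are constructed for the demonstration; the attribute and packet lengths it produces can be compared with the debug lines in Examples 2-27 and 2-31.

```python
# Added example (not the book's code): models the AAA route download exchange
# above with a constructed in-memory table in place of the SuperCom RADIUS server.
# Attribute and packet lengths follow RFC 2865, so they can be checked against Example 2-31.
import hashlib
import struct
from collections import defaultdict

HEADER_LEN = 20  # code(1) id(1) length(2) authenticator(16)
VENDOR_SPECIFIC, VENDOR_CISCO, CISCO_AVPAIR = 26, 9, 1
USER_NAME, USER_PASSWORD, NAS_IP, SERVICE_TYPE = 1, 2, 4, 6
NAS_IDENTIFIER, ACCT_SESSION_ID, SERVICE_OUTBOUND = 32, 44, 5

def attr(atype: int, value: bytes) -> bytes:
    """Encode one attribute as Type(1) Length(1) Value; Length includes the 2-byte header."""
    if len(value) > 253:
        raise ValueError("value too long for a single RADIUS attribute")
    return struct.pack("!BB", atype, len(value) + 2) + value

def cisco_avpair(text: str) -> bytes:
    """Vendor-Specific (26) carrying vendor 9 (Cisco) sub-attribute 1, cisco-avpair."""
    sub = attr(CISCO_AVPAIR, text.encode())
    return attr(VENDOR_SPECIFIC, struct.pack("!I", VENDOR_CISCO) + sub)

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def access_request(username: str, password: str, secret: bytes, authenticator: bytes,
                   nas_ip: str = "194.22.15.2", nas_id: str = "SanJose_PE.") -> bytes:
    """Attribute list the PE router sends for one <hostname>-n download request."""
    return (attr(USER_NAME, username.encode())
            + attr(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
            + attr(SERVICE_TYPE, struct.pack("!I", SERVICE_OUTBOUND))
            + attr(NAS_IP, bytes(int(o) for o in nas_ip.split(".")))
            + attr(ACCT_SESSION_ID, b"00000000")
            + attr(NAS_IDENTIFIER, nas_id.encode()))

def decode_avpairs(attrs: bytes):
    """Return (vendor_attr_len, avpair_len, text) for every cisco-avpair in an attribute list."""
    pairs, i = [], 0
    while i < len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed attribute list")
        if atype == VENDOR_SPECIFIC and attrs[i + 2:i + 6] == struct.pack("!I", VENDOR_CISCO):
            if attrs[i + 6] == CISCO_AVPAIR:
                pairs.append((alen, attrs[i + 7], attrs[i + 8:i + alen].decode()))
        i += alen
    return pairs

def parse_ip_route(av: str):
    """'ip:route=[vrf V] prefix mask (next-hop | interface [name N])' -> dict, else None."""
    if not av.startswith("ip:route="):
        return None
    tok = av[len("ip:route="):].split()
    vrf = None
    if tok and tok[0] == "vrf":
        vrf, tok = tok[1], tok[2:]
    prefix, mask, via, *rest = tok  # raises ValueError if the attribute is truncated
    route = {"vrf": vrf, "prefix": prefix, "mask": mask, "via": via}
    if len(rest) >= 2 and rest[0] == "name":
        route["name"] = rest[1]
    return route

def download_static_routes(hostname: str, server: dict, secret: bytes = b"cisco"):
    """Issue <hostname>-1, -2, ... until the server rejects; group routes by VRF."""
    routes, attempted = defaultdict(list), []
    for n in range(1, 65):  # bounded so a misconfigured server cannot make the loop run forever
        user = f"{hostname}-{n}"
        req = access_request(user, "cisco", secret, bytes(16))  # zero authenticator: demo only
        attempted.append((user, HEADER_LEN + len(req)))
        avpairs = server.get(user)  # None stands for Access-Reject
        if avpairs is None:
            break
        accept = b"".join(cisco_avpair(av) for av in avpairs)
        for _, _, text in decode_avpairs(accept):
            route = parse_ip_route(text)
            if route:
                routes[route["vrf"]].append(route)
    return dict(routes), attempted

# Constructed server table mirroring Table 2-7 (only the cisco-avpair values are modelled).
SUPERCOM_RADIUS = {
    "SanJose_PE-1": [
        "ip:route=vrf FastFoods 192.168.2.51 255.255.255.255 dialer20 name Fresno_Vending",
        "ip:route=vrf FastFoods 192.168.2.52 255.255.255.255 dialer20 name Reno_Vending",
        "ip:route=vrf FastFoods 10.4.1.0 255.255.255.0 192.168.2.51",
        "ip:route=vrf FastFoods 10.5.1.0 255.255.255.0 192.168.2.52"],
    "SanJose_PE-2": [
        "ip:route=vrf EuroBank 192.168.2.61 255.255.255.255 dialer20 name Modesto_Branch",
        "ip:route=vrf EuroBank 192.168.2.62 255.255.255.255 dialer20 name Laguna_Branch",
        "ip:route=vrf EuroBank 196.7.28.0 255.255.255.0 192.168.2.61",
        "ip:route=vrf EuroBank 196.7.30.0 255.255.255.0 192.168.2.62"]}
```

Running download_static_routes("SanJose_PE", SUPERCOM_RADIUS) reproduces the three requests of Example 2-31 (two accepted, the third rejected), each with a Length of 87, and the Access-Accept attribute totals of 326 and 327 bytes.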

The output in Example 2-32 verifies the static routes that have been downloaded from the SuperCom RADIUS server.

Example 2-32. Verifying Downloaded Static Routes

SanJose_PE#show ip route static download
Connectivity: A - Active, I - Inactive
A  192.168.2.61 255.255.255.255 Dialer20 name Modesto_Branch
A  192.168.2.62 255.255.255.255 Dialer20 name Laguna_Branch
A  196.7.28.0 255.255.255.0 192.168.2.61
A  196.7.30.0 255.255.255.0 192.168.2.62
A  10.4.1.0 255.255.255.0 192.168.2.51
A  10.5.1.0 255.255.255.0 192.168.2.52
A  192.168.2.51 255.255.255.255 Dialer20 name Fresno_Vending
A  192.168.2.52 255.255.255.255 Dialer20 name Reno_Vending

The previous output does not show in which VRFs these downloaded routes have been placed; however, you can easily confirm this by viewing the routing tables of each VRF, as shown in Example 2-33. Downloaded static routes are indicated in the routing table by the code P rather than the customary code S.

Example 2-33. Verifying Static Routes in VRFs

SanJose_PE#show ip route vrf FastFoods | inc P.*
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       P - periodic downloaded static route
P       10.5.1.0/24 [1/0] via 192.168.2.52
P       10.4.1.0/24 [1/0] via 192.168.2.51
P       192.168.2.51/32 is directly connected, Dialer20
P       192.168.2.52/32 is directly connected, Dialer20

SanJose_PE#show ip route vrf EuroBank | inc P.*
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       P - periodic downloaded static route
P       196.7.28.0/24 [1/0] via 192.168.2.61
P       196.7.30.0/24 [1/0] via 192.168.2.62
P       192.168.2.62 is directly connected, Dialer20
P       192.168.2.61 is directly connected, Dialer20

Providing Dial-Out Access Without LSDO (Direct ISDN)

Sometimes the VRF-aware LSDO solution might not be applicable. This occurs when there is direct ISDN dial-out from the VHG or when the number of dial-out customers is small and contained to a single LAC/LNS pair (therefore, not many routers need to be configured). The L2TP tunnels for dial-out can be statically configured.

NOTE

If VRF-aware LSDO were not used, then a dialer profile configuration for each remote destination would be required on every VHG or NAS (for direct ISDN) that provides dial-out services. In a large network, this would involve a considerable amount of operational overhead.

The static dialer profile configuration (no AAA servers are used) is shown in Example 2-34. This configuration applies to dial-out via a statically configured L2TP tunnel. Note that the changes only involve the configuration on the San Jose PE router.

Example 2-34. Dialer Profile Configuration Without LSDO

interface Dialer20
 ip vrf forwarding FastFoods
 ip unnumbered Loopback10
 encapsulation ppp
 no keepalive
 dialer pool 20
 dialer remote-name Fresno_Vending
 dialer string 99065890
 dialer vpdn
 dialer-group 2
 peer default ip address 192.168.2.51
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname Fresno_Dialer
 ppp chap password 0 showmethemoney
!
ip route vrf FastFoods 10.4.1.0 255.255.255.0 192.168.2.51
ip route vrf FastFoods 192.168.2.51 255.255.255.255 Dialer20 permanent
!
vpdn-group 1
 accept-dialin
  protocol l2tp
  virtual-Template 1
 request-dialout
  protocol l2tp
  pool-member 20
 terminate-from hostname SuperCom_LAC
 initiate-to ip 194.22.15.4
 local name SuperCom_LNS
 l2tp tunnel password 7 06100632454107
 source-ip 194.22.15.2

In the case of direct dial ISDN, the vpdn-group configuration in the previous example would not apply, and the dialer vpdn command must be removed from interface dialer 20. For direct dial ISDN in the SuperCom network, all that would be necessary on the San Jose VHG/PE router would be to add the ISDN interface to the dial-out pool, as shown in Example 2-35.

Example 2-35. ISDN Dial-Out Pool

!
service provider access technologies (dial, DSL, cable, Ethernet) and a variety of routing protocols (IS-IS, EIGRP, and OSPF), arming the reader with the knowledge of how to interface Serial6/0:15 integrate these features into the VPN backbone. Part III details advanced deployment issues including security, outlining the necessary steps the service provider must take to protect the ip unnumbered Loopback0 backbone and any attached VPN sites, and also detailing the latest security features to allow more advanced topologies and filtering. This part also covers multi-carrier MPLS VPN encapsulation ppp deployments. Finally, Part IV provides a methodology for advanced MPLS VPN troubleshooting. dialer pool-member 20 MPLS and VPN Architectures, Volume II , also introduces the latest advances in customer isdn switch-type primary-net5 integration, security, and troubleshooting features essential to providing the advanced

no cdp enable ppp authentication chap callin end

Providing Dial Backup for MPLS VPN Access
Dial backup protection for a primary CE router/PE router link can be provided easily by using either of the dial-in architectures (VPDN or direct ISDN) that were previously discussed. The primary and backup links normally reside on the same CE router. Consider the scenario shown in Figure 2-18. The EuroBank San Francisco CE router has a primary connection terminating on the San Jose PE router. The primary link is protected by a backup interface that can use either VPDN (L2TP) or direct ISDN dial to establish a backup link to the EuroBank VRF.

Figure 2-18. Dial Backup for FastFoods San Jose

If the primary link fails, the backup interface, which is a dialer interface, automatically calls the San Jose LAC/NAS (using an analogue or digital call). The procedures followed are identical to those for VPDN or direct dial-in ISDN access.

Example 2-36 shows the common configuration and RADIUS attributes for providing a backup link (in our example, interface Dialer2) to EuroBank San Francisco by using the backup interface command. See Table 2-8 for the corresponding list of RADIUS attributes on the SuperCom RADIUS server.

Example 2-36. EuroBank San Francisco CE Router Configuration for Backup

interface Serial0/0
 backup interface Dialer2
 ip address 192.168.2.25 255.255.255.252
!
interface Dialer2
 ip address negotiated
 encapsulation ppp
 dialer pool 5
 dialer idle-timeout 600
 dialer string 94780400
 dialer-group 1
 ppp chap hostname sanfran_backup@eurobank.com
 ppp chap password 0 heyiamup
!
dialer-list 1 protocol ip permit

Table 2-8. San Francisco Router RADIUS Attributes for Backup

Attribute (Type)      Value
User-Name (1)         "sanfran_backup@eurobank.com"
User-Password (2)     "heyiamup"
Service-Type (6)      1 (Framed)
Framed-Protocol (7)   1 (PPP)

You might have noticed that these configurations are similar to those of the EuroBank Sacramento SOHO router used in the direct ISDN dial-in scenario. However, the rest of the configuration depends on whether static routing or dynamic routing is used.

If static routing is used over the backup link, the configuration at the CE router contains two default routes (shown in Example 2-37): one pointing to the primary interface and the other pointing to the backup interface (with a higher metric). The RADIUS attributes used (see Table 2-9) insert a static route, using the VRF-aware Framed-Route feature, into the EuroBank VRF for the San Francisco LAN via the backup link. If the primary interface fails on the San Francisco CE router, the dialer backup interface and the corresponding static route become active.

Example 2-37. Backup Static Routes

ip route 0.0.0.0 0.0.0.0 192.168.2.26
ip route 0.0.0.0 0.0.0.0 dialer 2 230

Table 2-9. Additional RADIUS Attributes for Backup Static Routing

Attribute (Type)      Value
Framed-Route (22)     10.2.1.0/24
cisco-avpair          "lcp:interface-config=ip vrf forwarding EuroBank \n ip unnumbered loopback 11 \n peer default ip address pool EuroBank_Pool"

For dynamic routing, configure the dialer interface and the virtual-access interface with static IP addresses (those that are not obtained from a pool). You do not need to use the RADIUS Framed-Route attribute (see Table 2-10). Example 2-38 uses the Routing Information Protocol (RIP) as the routing protocol, and the addresses used at each end of the backup link come from the 192.168.2.0/24 subnet, which happens to be the same range that the primary link uses. If a different subnet is used for the backup link, a corresponding RIP network statement for that subnet is necessary.

Example 2-38. Dynamic Routing Using RIP

! San Francisco CE router
!
router rip
 version 2
 redistribute connected
 network 192.168.2.0
------------------------------------------------
! San Jose PE router
!
router rip
 !
 address-family ipv4 vrf EuroBank
  version 2
  redistribute bgp 100 metric 10
  redistribute static
  network 192.168.2.0
  no auto-summary
 exit-address-family

Table 2-10. Additional RADIUS Attributes for Backup Dynamic Routing

Attribute (Type)      Value
cisco-avpair          "lcp:interface-config=ip vrf forwarding EuroBank \n ip address 192.168.2.41 255.255.255.252"

Providing DSL Access to an MPLS VPN
The DSL technology provides high-speed network access over a pair of copper wires, which essentially is the local loop from the telephone company central office (CO) to residential or business premises. A modulation technology called Discrete Multitone (DMT) allows the transmission of high-speed data over the copper pair. It is not within the scope of this book to explain the details of DSL operation; however, the aspects that relate to successful operation within an MPLS VPN network are covered in the following sections. DSL has the following basic components:

At the customer end, there is a customer premises equipment (CPE), which can be a device such as a router (preferably Cisco). Alternatively, it can be a device that is capable of bridging client PCs, which do not need routing capability. It can also be a directly connected client PC that uses a DSL adapter card and special software.

NOTE

On the physical layer, there will also be a plain old telephone service (POTS) filter or splitter on the customer premises to allow simultaneous use of a phone and a DSL device on the same pair of wires.

The subscriber line is terminated at another large-scale splitter at the CO to separate the voice calls from the DSL data connection. The DSL data connection is terminated at a digital subscriber line access multiplexer (DSLAM), whose function is to provide high-density termination of all the copper pairs feeding into it. The DSLAM connects to an aggregation device by using ATM.

The aggregation device is a router that provides the higher-level protocol termination from the ATM connection. Each customer DSL connection is terminated on a separate ATM PVC.

DSL uses ATM as its basic transport mechanism. You can use various encapsulation methods depending on the application that is required. All the encapsulations use ATM adaptation layer 5 (AAL5) to segment the data into ATM cells and RFC 1483 to allow the transport of multiple protocols over the same ATM PVC. RFC 1483 comes in two variants. The first method allows multiple protocols to be carried over the same PVC; in Cisco IOS, this is configured using the aal5snap keyword. The second method does higher-layer protocol multiplexing implicitly by PVC (that is, one protocol per PVC).

NOTE

RFC 1483 has been obsoleted by RFC 2684. However, the overwhelming practice is to still refer to the standard as RFC 1483, which implies the latest iteration.

The possible encapsulation methods are shown in Figure 2-19.

Figure 2-19. DSL Encapsulation Formats

Each of these encapsulation methods and their operation within an MPLS VPN network for remote access are discussed in the following sections.

DSL Access by Using RFC 1483 Routed Encapsulation

This connection method is particularly straightforward and consists of an ATM PVC between the DSL CPE and the PE router, as shown in Figure 2-20 for a EuroBank DSL CPE connection.

Figure 2-20. DSL RFC 1483 Routed

A static (or unnumbered) IP address is configured at both ends of the link, and the ATM user subinterface at the PE router end is placed into a statically configured VRF. No remote authorization and authentication is necessary in this scenario. From an MPLS perspective, there is no difference between this configuration and any other permanent circuit connection, such as Frame Relay, Packet over SONET (POS), or leased line. Because the DSL CPE is a router, it can be configured with dynamic routing to the PE router if required and act as a DHCP server to its locally connected devices. If address management were required to be coordinated from a EuroBank central location, then a DHCP server could be located elsewhere in the EuroBank VPN, such as Paris in our example. The DSL CPE would then act as a DHCP relay agent to the Paris DHCP server. Note that this DHCP server would only support EuroBank DHCP requests.

RFC 1483 routed is most suited for remote office applications rather than residential users. The following configuration (see Example 2-39) shows how to place an RFC 1483 routed DSL CPE into the EuroBank VRF.

Example 2-39. San Jose PE Router Configuration RFC 1483 Routed

interface ATM2/0.1 point-to-point
 ip vrf forwarding EuroBank
 ip address 192.168.2.74 255.255.255.252
 pvc 1/32
  ubr 256
  encapsulation aal5snap

DSL Access Using RFC 1483 Bridged Encapsulation

In this access scenario, all traffic between the DSL CPE and the PE router is bridged and no routing occurs. The traffic is carried on the ATM PVC within an RFC 1483 bridged packet, which includes the Layer 2 information (Ethernet addresses and so on). From the perspective of the San Jose PE router, shown in Figure 2-21, the ATM subinterface appears as a LAN interface. This is accomplished by configuring route-bridge encapsulation (RBE) on the subinterface.

Figure 2-21. DSL RFC 1483 Bridged

Because the DSL CPE has no routing functionality, it cannot act as a DHCP server. Therefore, if DHCP is required, then a remote EuroBank DHCP server must provide it. In our example, the San Jose PE router acts as the relay agent to the Paris EuroBank DHCP server.
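The difference between the routed and the bridged RFC 1483 variants described above is visible in the first octets of the AAL5 payload: an LLC/SNAP header with OUI 00-00-00 announces a routed PDU by EtherType, while OUI 00-80-C2 announces a bridged MAC frame that RBE must strip before routing. The decoder below is an added example (not code from the book); it classifies a PVC payload using the RFC 2684 header values, handles only 802.3 bridged frames, and works on constructed packets whose addresses are borrowed from Examples 2-39 and 2-40.

```python
"""Decode the LLC/SNAP header of an RFC 1483 (RFC 2684) AAL5 payload.

Added example with constructed packets; it shows what the PE router sees on a
DSL PVC under routed and bridged encapsulation. Only 802.3 bridged PIDs are
handled, and the IPv4 headers are built with a zero checksum.
"""
import struct

LLC_SNAP = b"\xaa\xaa\x03"          # LLC DSAP/SSAP/control for SNAP
OUI_ROUTED = b"\x00\x00\x00"         # routed PDU: followed by an EtherType
OUI_BRIDGED = b"\x00\x80\xc2"        # bridged PDU: followed by an 802.1 PID
PID_8023_FCS = 0x0001                # 802.3 frame, Ethernet FCS preserved
PID_8023_NOFCS = 0x0007              # 802.3 frame, FCS removed
ETHERTYPE_IPV4 = 0x0800


def ipv4_endpoints(pdu: bytes) -> tuple[str, str]:
    """Source and destination address of an IPv4 header (options ignored)."""
    if len(pdu) < 20 or pdu[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    src, dst = struct.unpack("!4s4s", pdu[12:20])
    return ".".join(map(str, src)), ".".join(map(str, dst))


def classify_rfc1483(payload: bytes) -> dict:
    """Return the encapsulation mode and the fields needed to forward the PDU."""
    if len(payload) < 8 or payload[:3] != LLC_SNAP:
        # No LLC header: with VC multiplexing (aal5mux on IOS) the protocol is
        # implied by the PVC itself, so nothing in the payload identifies it.
        return {"mode": "vc-mux", "pdu": payload}
    oui = payload[3:6]
    (code,) = struct.unpack("!H", payload[6:8])
    if oui == OUI_ROUTED:
        # Routed (Example 2-39): the PE forwards the PDU directly in the VRF.
        return {"mode": "routed", "ethertype": code, "pdu": payload[8:]}
    if oui == OUI_BRIDGED:
        if code not in (PID_8023_FCS, PID_8023_NOFCS):
            raise ValueError(f"unsupported bridged PID 0x{code:04x}")
        frame = payload[10:]     # two PAD octets precede the MAC frame
        if len(frame) < 14:
            raise ValueError("truncated Ethernet frame")
        (ethertype,) = struct.unpack("!H", frame[12:14])
        body = frame[14:-4] if code == PID_8023_FCS else frame[14:]
        # Bridged (Example 2-40): RBE removes this MAC header and routes the
        # inner packet as if it had arrived on a LAN interface.
        return {"mode": "bridged", "fcs_present": code == PID_8023_FCS,
                "dst_mac": frame[:6].hex(":"), "src_mac": frame[6:12].hex(":"),
                "ethertype": ethertype, "pdu": body}
    raise ValueError(f"unknown SNAP OUI {oui.hex()}")


def build_ipv4(src: str, dst: str, data: bytes = b"") -> bytes:
    """Minimal IPv4 header (TTL 64, protocol UDP, checksum 0) for the samples."""
    to_bytes = lambda a: bytes(int(x) for x in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(data), 0, 0, 64, 17, 0,
                       to_bytes(src), to_bytes(dst)) + data


# Constructed samples; the IP addresses come from the chapter's examples.
ROUTED_SAMPLE = (LLC_SNAP + OUI_ROUTED + struct.pack("!H", ETHERTYPE_IPV4)
                 + build_ipv4("192.168.2.73", "192.168.2.74"))
BRIDGED_SAMPLE = (LLC_SNAP + OUI_BRIDGED + struct.pack("!H", PID_8023_NOFCS)
                  + b"\x00\x00"                      # PAD
                  + bytes.fromhex("0000000000aa")    # destination MAC (constructed)
                  + bytes.fromhex("0000000000bb")    # source MAC (constructed)
                  + struct.pack("!H", ETHERTYPE_IPV4)
                  + build_ipv4("10.6.1.20", "196.7.25.32"))

if __name__ == "__main__":
    for sample in (ROUTED_SAMPLE, BRIDGED_SAMPLE):
        info = classify_rfc1483(sample)
        print(info["mode"], ipv4_endpoints(info["pdu"]))
```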

Configuring the San Jose PE Router
WithMPLS and VPN Architectures, Volume II , you'll learn: Example 2-40 shows the configuration for RBE on the San Jose PE router. Because the subinterface ATM2/0.1 acts as a LAN interface in RBE, the San Jose router (10.6.1.1/32) How to integrate various remote access technologies into the backbone providing VPN appears as the gateway for the EuroBank Palo Alto subnet 10.6.1.0/24. The San Jose PE service to many different types of customers router relays any DHCP requests in the normal manner to 196.7.25.32, using the ip helperaddress global command. options as well as other advanced features, including per-VPN The new PE-CE routing Network Address Translation (PE-NAT)

Example 2-40. San Jose PE Router Configuration for RFC 1483 Bridged

interface ATM2/0.1 point-to-point
 ip vrf forwarding EuroBank
 ip address 10.6.1.1 255.255.255.0
 ip helper-address global 196.7.25.32
 no ip mroute-cache
 atm route-bridged ip
 pvc 1/32
  ubr 256
  encapsulation aal5snap

Configuring the Palo Alto DSL CPE


The DSL CPE configuration is basic and only requires bridging to be configured, as shown in Example 2-41.

Example 2-41. Palo Alto DSL CPE Configuration for RFC 1483 Bridged

interface Ethernet0
 no ip address
 no ip directed-broadcast
 bridge-group 1
!
interface ATM0
 no ip address
 no ip directed-broadcast
 no ip mroute-cache
 no atm ilmi-keepalive
 pvc 1/32
  ubr 256
  encapsulation aal5snap
 bridge-group 1
!
bridge 1 protocol ieee

The disadvantage of this solution is that DSL customers must have a DHCP server that is available within their own intranet because the DSL CPE is not capable of providing the IP addresses. This might not be desirable for the customer if he does not have the operational and support infrastructure to manage and maintain his own DHCP server(s). A new feature called DHCP Relay – MPLS VPN support is available from Cisco IOS 12.2(4)B and 12.2(8)T; it allows the DHCP server to exist outside of the VRF, either in the global routing table or in another VRF. A DHCP server that is enabled with this feature is able to support overlapping addresses; therefore, a single server might provide addresses to many VRFs. This means that the service provider could provide a centralized DHCP server to support all remote VPN customers.

This feature and its applicability to the RFC 1483 bridged scenario are discussed in detail in the earlier section, "Advanced Features for MPLS VPN Remote Access."

Using PPP Over ATM DSL Access

In the PPP over ATM (PPPoA) scenario shown in Figure 2-22, the Palo Alto DSL CPE has routing functionality and uses PPP to connect to the San Jose PE router. The PPP session runs over the ATM PVC between the DSL CPE and the PE router; therefore, it is called PPP over ATM, or PPPoA. The locally connected PCs can either be statically configured with IP addresses or request them from a DHCP server that is configured on either the DSL CPE or a remote server in the EuroBank intranet.

Figure 2-22. DSL PPPoA


The advantage of using PPPoA in a DSL access scenario is that you can perform a single authentication and accounting instance on the DSL connection for all PCs behind the DSL CPE. The PCs can obtain their addresses from a local DHCP pool that is configured on the DSL CPE or from a customer DHCP server.

NOTE

The steps for establishing the PPPoA session are identical to those explained in the "Dial-In Access via Direct ISDN" section. When the PPP call is received, a virtual-access interface is cloned from a virtual-template for the PPP session. The RADIUS server authenticates the PPP session and supplies additional configuration information for the virtual-access interface. You can obtain addressing for the PPP session in several ways, including the RADIUS server, a local address pool, or an on-demand IP pool, which is described in the "Advanced Features for MPLS VPN Remote Access" section.

Configuring the San Jose PE Router

Example 2-42 shows the configuration that is necessary on the San Jose PE router to terminate a PPPoA session. As with all PPP terminations that are accessing a VPN, scalability is achieved via the combination of virtual-profiles supported by a RADIUS server. This technique has been explained in detail in the earlier section, "Providing Dial-In Access to an MPLS VPN." The virtual-template1 has been associated with the PPP ATM PVC that is connecting to the DSL CPE using the encapsulation aal5mux ppp command. When a PPP connection is received on PVC 1/32, virtual-template1 is used to clone a virtual access interface with additional configuration information being supplied by the SuperCom RADIUS server.

Example 2-42. San Jose PE Router Configuration for PPPoA

hostname SanJose_PE
!
aaa authentication ppp default local group radius
aaa authorization network default local group radius
!
virtual-profile aaa
!
interface ATM2/0.1 point-to-point
 pvc 1/32
  ubr 256
  encapsulation aal5mux ppp virtual-Template1
!
interface virtual-Template1
 no ip address
 no peer default ip address
 no keepalive
 ppp authentication chap callin
!
ip radius source-interface Loopback0
!
radius-server host 194.22.16.2 auth-port 1645 acct-port 1646 key a$4two

Note that virtual-template1 is the same one we used to terminate L2TP VPDN sessions from the San Jose LAC/NAS described in the "Dial-In Access via L2TP VPDN" section.

Configuring the EuroBank Palo Alto DSL CPE


Example 2-43 shows the PPPoA configuration for the DSL CPE. You might notice that it is similar in many respects to the configuration used in the EuroBank Sacramento SOHO router shown previously in Example 2-19. The only difference is that an ATM PVC is used rather than an ISDN channel. The SuperCom RADIUS server will use the username paloalto@eurobank_dsl to authenticate and download the appropriate per-user configuration.

Example 2-43. Palo Alto DSL CPE Configuration for PPPoA

interface ATM0
 no ip address
 no ip redirects
 no atm ilmi-keepalive
 pvc 1/32
  ubr 256
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 dsl operating-mode auto
!
interface Dialer1
 ip address negotiated
 no ip redirects
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp chap hostname paloalto@eurobank_DSL
 ppp chap password atwistedpair
!
ip route 0.0.0.0 0.0.0.0 Dialer1
!
dialer-list 1 protocol ip permit

SuperCom RADIUS Server Attributes
The RADIUS entry for the Palo Alto DSL router shown in Table 2-11 is straightforward and almost identical to the attributes used for any other direct dial-in PPP router. In our configuration, the PPP address is obtained from the local pool defined for EuroBank on the San Jose PE router. A VRF-aware Framed-Route 10.6.1.0/24 is injected into the EuroBank VRF to provide reachability to the Palo Alto LAN. Loopback 11 is the interface used to preinstantiate the EuroBank VRF.

Table 2-11. Palo Alto RADIUS Attributes for PPPoA
Attribute (Type)      Value
User-Name (1)         paloalto@eurobank_DSL
User-Password (2)     atwistedpair
Service-Type (6)      1 (Framed)
Framed-Protocol (7)   1 (PPP)
Framed-Route (22)     10.6.1.0/24
Cisco-avpair          lcp:interface-config=ip vrf forwarding EuroBank \n[1]
                      ip unnumbered loopback 11 \n
                      peer default ip address pool EuroBank_Pool

[1] The \n signifies an explicit carriage return; this varies between server implementations.

Verifying PPPoA Operation


Because the PPPoA operation is similar to what you have already read in Direct ISDN access, there is no real value in showing information such as routing table and debugs again; the outputs are also similar. The main differences are that the username and framed route injected are different, and we are connecting using an ATM PVC. The output shown in Example 2-44 confirms that the San Jose PE router has terminated the Palo Alto PPPoA session on virtual-access5. As you can see, "jimi" and "eric" are also logged on via an L2TP VPDN session from the San Jose LAC/NAS. The address 192.168.3.2 has been allocated from the EuroBank local address pool, which is why it appears to be the same one "jimi" is using that was allocated from the FastFoods local pool using the overlapping address pool feature.

Example 2-44. PPPoA DSL and VPDN User Information

SanJose_PE#show user
    Line       User       Host(s)              Idle       Location
*  0 con 0                idle                 00:00:00

  Interface    User               Mode         Idle     Peer Address
  Vi3          eric@eurobank.com  PPPoVPDN     00:45:11 192.168.3.3
  Vi5          paloalto@eurobank_ PPPoATM      00:00:07 192.168.3.2
  Vi6          jimi@fastfoods.com PPPoVPDN     00:51:06 192.168.3.2

Closer inspection of the virtual access interface, shown in Example 2-45, confirms that it has been cloned from virtual-template1 via a PPPoA session using additional configuration provided by the AAA (RADIUS) server and that it is in the EuroBank VRF.

Example 2-45. PPPoA Virtual-Access Interface

SanJose_PE#show interface vi5
virtual-Access5 is up, line protocol is up
  Hardware is Virtual Access interface
  Interface is unnumbered. Using address of Loopback11 (192.168.2.100)
  MTU 1500 bytes, BW 100000 Kbit, DLY 100000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, LCP Open
  Open: IPCP
  PPPoATM vaccess, cloned from AAA, virtual-Template1
[snip]

SanJose_PE#show ip vrf EuroBank
  Name                             Default RD          Interfaces
  EuroBank                         10:27               virtual-Access3
                                                       virtual-Access5
                                                       Loopback11

DSL Access Using PPP over Ethernet

In the PPP over Ethernet (PPPoE) scenario shown in Figure 2-23, the Palo Alto DSL CPE is connected to the San Jose PE router by using a simple bridged connection much like the RFC 1483 bridged scenario. PPPoE sessions are initiated directly from the PC clients with PPPoE software installed and bridged over the ATM PVC via encapsulated Ethernet-bridged frames. Therefore, the San Jose PE router has a virtual-access interface for each PC client, as opposed to a single interface like in the PPPoA scenario. The advantage of PPPoE is that the software resides on the client PCs; therefore, the DSL CPE only needs to have basic bridging capabilities, and no routing functions are necessary, which keeps the hardware costs down. Because each PC runs its own PPP session, authentication and accounting information can be tracked on a per-user basis.

Figure 2-23. DSL PPPoE

A DHCP function is not necessary because the SuperCom RADIUS server provides each PC with an IP address for its PPP session. Authentication and virtual-access creation and configuration are performed by using the same procedures as explained in the earlier section, "Dial-In Access via Direct ISDN."

Configuring the SuperCom PE Router


The VPDN code in Cisco IOS processes PPPoE. Therefore, you must define a VPDN group to terminate all PPPoE connections that arrive at the San Jose PE router, as shown in Example 2-46. The VPDN group supplies the virtual-template to be used to clone a virtual-access interface for the PPP session. The linkage between the ATM PVC and the VPDN group is accomplished by using the protocol pppoe command on both the ATM interface and the vpdn-group configuration.

Example 2-46. San Jose PE Router Configuration for PPPoE

aaa authentication ppp default local group radius
aaa authorization network default local group radius
!
virtual-profile aaa
!
interface ATM2/0.1 point-to-point
 pvc 1/32
  ubr 256
  encapsulation aal5snap
  protocol pppoe
!
vpdn-group 4
 accept-dialin
  protocol pppoe
  virtual-Template 1
!
interface virtual-Template1
 no ip address
 no peer default ip address
 no keepalive
 ppp authentication chap callin
!
ip radius source-interface Loopback0
!
radius-server host 194.22.16.2 auth-port 1645 acct-port 1646 key a$4two

Configuring the Palo Alto DSL CPE

The DSL CPE only requires a bridging configuration and is identical to the configuration shown in the RFC 1483 bridged section in Example 2-41.

SuperCom RADIUS Server Attributes

The RADIUS attributes for "anne" allow access to the EuroBank VRF and provide an address out of the EuroBank local address pool. Table 2-12 lists these attributes and their respective values.

Table 2-12. User anne@eurobank_DSL RADIUS Attributes
Attribute (Type)      Value
User-Name (1)         "anne@eurobank_DSL"
User-Password (2)     "irisheyes"
Service-Type (6)      1 (Framed)
Framed-Protocol (7)   1 (PPP)
Cisco-avpair          "lcp:interface-config=ip vrf forwarding EuroBank \n[1]
                      ip unnumbered loopback 11 \n
                      peer default ip address pool EuroBank_Pool"

[1] The \n signifies an explicit carriage return; usage varies between RADIUS servers.


Verifying PPPoE Operation


In our example, remote user anne@paloalto_DSL has connected via the PPPoE client in her PC to the San Jose PE router. When the PPP session is established, her virtual-access interface is placed into the EuroBank VRF.

A PPPoE frame contains one of two Ethertypes:

0x8863 - PPPoE control packet, which manages the PPPoE session
0x8864 - PPPoE data packet, which carries the actual PPP packet

Two sessions exist for any PPPoE client connection. The first is a VPDN L2TP-like session for the PPPoE tunnel, and the second is for the actual PPP session that is carried within the PPPoE frame. These two sessions correspond to the two Ethertypes in the frame.

As mentioned previously, the VPDN code processes the PPPoE connection. Therefore, if we display the VPDN PPPoE tunnel information as shown in Example 2-47, we can see the Ethernet endpoints connected over the ATM PVC. The remote MAC address 0090.a9fd.249e is the network interface card on "anne's" PC. The MAC address 0004.6d7f.6038 is that used on the ATM interface at the San Jose PE router.
Example 2-47. VPDN Session Information for the PPPoE Client

SanJose_PE#show vpdn | begin PPPoE

PPPoE Tunnel and Session Information Total tunnels 1 sessions 1

PPPoE Session Information
UID  SID  RemMAC          LocMAC          Intf  VASt  OIntf     VP/VC
58   3    0090.a9fd.249e  0004.6d7f.6038  Vi5   UP    ATM2/0.1  1/32
Session state CNCT_PTA
You can view the actual PPP session for "anne" by displaying the active users on the San Jose PE router shown in Example 2-48. The address 192.168.3.5 has been allocated from the EuroBank local pool. Meanwhile, L2TP VPDN users "eric" and "jimi" are still connected. They must be hard workers to be logged in for so long!

Example 2-48. PPPoE DSL and VPDN User Information

SanJose_PE#show user
[snip]
  Interface    User                Mode       Idle      Peer Address
  Vi3          eric@eurobank.com   PPPoVPDN   14:12:23  192.168.3.3
  Vi7          anne@eurobank_palo  PPPoE      00:03:14  192.168.3.5
  Vi6          jimi@fastfoods.com  PPPoVPDN   14:18:18  192.168.3.2

In Example 2-49, the PPP session has been terminated on virtual-access7, cloned from virtual-template1 as per the vpdn-group 4 configuration in Example 2-46.

Example 2-49. PPPoE Virtual-Access Interface

SanJose_PE#show interface vi7
virtual-Access7 is up, line protocol is up
  Hardware is Virtual Access interface
  Interface is unnumbered. Using address of Loopback11 (192.168.2.100)
  MTU 1492 bytes, BW 100000 Kbit, DLY 100000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, LCP Open
  Open: IPCP
  PPPoE vaccess, cloned from AAA, virtual-Template1
  Bound to ATM2/0.1 VCD: 1, VPI: 1, VCI: 32, loopback not set
[snip]

SanJose_PE#show ip vrf EuroBank
  Name                             Default RD          Interfaces
  EuroBank                         10:27               virtual-Access3
                                                       virtual-Access7
                                                       Loopback11
DSL Access Using PPPoX and VPDN (L2TP)

All the DSL scenarios discussed so far have terminated directly on a PE router. However, you can separate the DSL PPP termination function from the PE router function by using the L2TP VPDN architecture, as discussed in the earlier section, "Dial-In Access via Direct ISDN." L2TP VPDN provides the scalability required for large-scale DSL to MPLS VPN terminations. Figure 2-24 shows the EuroBank Palo Alto DSL PE router using PPPoX and L2TP to access the San Jose PE router. The LAC function in this case is most likely a Cisco 6400 universal access concentrator.

Figure 2-24. PPPoX Using VPDN (L2TP)

For the purposes of simplifying Figure 2-24, we have shown the Palo Alto CPE capable of operating in either mode: PPPoE where the CPE acts as a bridge, or PPPoA where the CPE acts as a router.

If the CPE were configured to support PPPoE, the following call processing would occur:

Step 1. The user anne@eurobank.com initiates a PPPoE session from her PC.

Step 2. The PPP packet encapsulated in an Ethernet frame is transported over the ATM PVC by using RFC 1483 bridged mode.

Step 3. When the NAS (most likely a 6400 universal access concentrator) receives the initial packet, it looks for a VPDN group that has the protocol pppoe command configured.

Step 4. The VPDN group points to a virtual-template that you can use to clone a virtual-access interface for the PPP session. This virtual-access interface acts as the output interface to the L2TP tunnel, which is created in the next steps.

Step 5. The NAS or universal access concentrator challenges the PPPoE client for a username and password. Because the vpdn is configured, the domain name eurobank.com is used to search for a VPDN group or query to the SuperCom RADIUS server for L2TP tunnel information.

Step 6. An L2TP tunnel is then built to the LNS.

Step 7. The LNS receives the full username anne@eurobank.com through the tunnel and authenticates it using the appropriate RADIUS server (either the customer's or the service provider's).

Step 8. The information returned from the RADIUS server is then used to configure a virtual-access interface and provide an IP address to the PPPoE client.

If the CPE is configured for PPPoA, the following call processing occurs:

Step 1. The DSL CPE initiates a PPPoA call.

Step 2. The PPP packet is carried directly in RFC 1483 encapsulation.

Step 3. The NAS/universal access concentrator receives the packet and creates a virtual-access interface from the virtual-template defined on the PVC configuration. This virtual access interface is used as the output interface to the L2TP tunnel, to be created in the next steps.

Step 4. From this point, the steps are the same as from Step 5 in the PPPoE scenario.

Configuring the SuperCom San Jose NAS/Universal Access Concentrator

Example 2-50 shows the necessary VPDN configuration for the San Jose NAS/universal access concentrator. VPDN-group 1 is used to terminate any incoming PPPoE sessions. VPDN-group 10 is used to create an L2TP tunnel to the San Jose VHG/PE router for any PPPoX users who have the domain "eurobank.com."

NOTE

We could have just as easily retrieved the vpdn-group 10 configuration from the SuperCom RADIUS server instead of statically configuring it, in the same manner that we have done in the Dial In using VPDN (L2TP) scenario covered at the beginning of this chapter. If a Cisco 6400 universal access concentrator is being used as the LAC, then Cisco IOS 12.2(3)B onward must be used to support retrieving L2TP tunnel information from the RADIUS server. However, because we have explicitly defined the vpdn-group for the tunnel, no RADIUS server configuration was necessary.
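Steps 3 through 6 of the PPPoE call flow and the vpdn-group configuration in Example 2-50 together decide, on the LAC, whether a PPPoX session is terminated locally or tunnelled over L2TP to the LNS. As an added example that is not from the book, this Python code parses a configuration in the shape of Example 2-50 and applies the domain lookup (vpdn search-order domain) to a username; it handles only the commands shown in that example, and the sample configuration text is a constructed copy of it.

```python
import re

# Constructed sample configuration, mirroring the shape of Example 2-50
# (IOS-style indentation, one command per line).
SAMPLE_VPDN_CONFIG = """\
vpdn enable
vpdn search-order domain
!
vpdn-group 1
 accept-dialin
  protocol pppoe
  virtual-Template 1
!
vpdn-group 10
 request-dialin
  protocol l2tp
  domain eurobank.com
 initiate-to ip 194.22.15.2
 local name SuperCom_LAC
 l2tp tunnel password vision
"""


def parse_vpdn_groups(config):
    """Parse the vpdn-group stanzas into a dict keyed by group name.

    Only the commands used in Example 2-50 are understood; anything else
    inside a stanza is ignored. The search-order keyword is kept separately
    because it governs how a username is matched to a request-dialin group.
    """
    groups = {}
    current = None
    search_order = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        m = re.match(r"vpdn search-order (\S+)", line)
        if m:
            search_order = m.group(1)
            continue
        m = re.match(r"vpdn-group (\S+)$", line)
        if m:
            current = groups.setdefault(
                m.group(1), {"mode": None, "protocol": None, "domains": []})
            continue
        if current is None:
            continue
        if line in ("accept-dialin", "request-dialin"):
            current["mode"] = line
        elif line.startswith("protocol "):
            current["protocol"] = line.split()[1]
        elif line.startswith("domain "):
            current["domains"].append(line.split()[1].lower())
        elif line.lower().startswith("virtual-template "):
            current["virtual_template"] = int(line.split()[1])
        elif line.startswith("initiate-to ip "):
            current["initiate_to"] = line.split()[2]
        elif line.startswith("local name "):
            current["local_name"] = line.split()[2]
        elif line.startswith("l2tp tunnel password "):
            # Record that a tunnel secret is configured, but never copy it out.
            current["tunnel_password_set"] = True
    return {"search_order": search_order, "groups": groups}


def lac_decision(parsed, username):
    """Model Steps 3-6: find the group that accepts PPPoE (Step 3), note the
    virtual-template it clones from (Step 4), then use the username's domain
    to look for an L2TP request-dialin group (Steps 5-6)."""
    groups = parsed["groups"]
    pppoe = [g for g in groups.values()
             if g["mode"] == "accept-dialin" and g["protocol"] == "pppoe"]
    if not pppoe:
        raise LookupError("no vpdn-group accepts PPPoE; session would be dropped")
    vt = pppoe[0].get("virtual_template")
    if parsed["search_order"] != "domain" or "@" not in username:
        return {"action": "terminate-locally", "virtual_template": vt}
    domain = username.rsplit("@", 1)[1].lower()
    for name, g in groups.items():
        if (g["mode"] == "request-dialin" and g["protocol"] == "l2tp"
                and domain in g["domains"]):
            return {"action": "tunnel", "group": name, "lns": g["initiate_to"],
                    "local_name": g.get("local_name"), "virtual_template": vt}
    # No group claims the domain: the page's Step 5 would fall back to a RADIUS
    # query; with static groups only, the session is terminated on the LAC.
    return {"action": "terminate-locally", "virtual_template": vt}


if __name__ == "__main__":
    parsed = parse_vpdn_groups(SAMPLE_VPDN_CONFIG)
    print(lac_decision(parsed, "anne@eurobank.com"))
    print(lac_decision(parsed, "someone@fastfoods.com"))
```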

Example 2-50. San Jose NAS/Universal Access Concentrator VPDN Configuration

vpdn enable
vpdn search-order domain
!
vpdn-group 1
 accept-dialin
  protocol pppoe
  virtual-Template 1
!
vpdn-group 10
 request-dialin
  protocol l2tp
  domain eurobank.com
 initiate-to ip 194.22.15.2
 local name SuperCom_LAC
 l2tp tunnel password vision

Example 2-51 shows the interface configuration to terminate the PPPoX sessions. ATM0/0/0.2 uses PVC 1/32 to terminate any PPPoE clients that are connected via a bridged CPE. It uses the PPPoE vpdn-group (as described in Step 3 on the previous page) to find virtual-template1 so that a virtual-access interface can be cloned. ATM0/0/0.3 uses PVC 1/33 to connect to a CPE that is configured for PPPoA. It directly uses the virtual-template1 to clone a virtual-access template. In both cases, the virtual-access template that is created will be used as the output interface from the L2TP tunnel (going to the San Jose PE router).

Example 2-51. San Jose NAS/Universal Access Concentrator PPPoX Interface Configuration

!
interface ATM0/0/0.2 point-to-point
 Description Termination for PPPoE clients from PVC 1/32
 no ip route-cache
 no ip mroute-cache
 pvc 1/32
  encapsulation aal5snap
  protocol pppoe
!
interface ATM0/0/0.3 point-to-point
 Description Termination for PPPoA DSL CPE from PVC 1/33
 no ip route-cache
 no ip mroute-cache
 pvc 1/33
  encapsulation aal5mux ppp virtual-Template1
!
interface virtual-Template1
 no ip address
 no keepalive
 no peer default ip address
 ppp authentication chap callin

It is not necessary to show the San Jose PE router configuration or per-user RADIUS attributes because these are the same as has been discussed in previous scenarios.

Verifying PPPoX and VPDN Operation

The output in Example 2-52 shows the VPDN session information for the user "anne" who has connected to the San Jose NAS/universal access concentrator by using PPPoE. (Assume that the Palo Alto CPE has been configured appropriately.) Virtual-access2 has been created to terminate the PPPoE and provide an output interface to the L2TP tunnel that has been created to 194.22.15.2 (San Jose PE router).

Example 2-52. PPPoE and L2TP Session Information

SanJose_UAC#show vpdn

L2TP Tunnel and Session Information Total tunnels 1 sessions 1

LocID  RemID  Remote Name   State  Remote Address  Port  Sessions
27748  34770  SuperCom_LNS  est    194.22.15.2     1701  1

LocID  RemID  TunID  Intf  Username       State  Last Chg  Fastswitch
24     41     27748  Vi2   anne@eurobank  est    00:15:54  enabled

%No active L2F tunnels

PPPoE Tunnel and Session Information Total tunnels 1 sessions 1

PPPoE Tunnel Information
Session count: 1

PPPoE Session Information
SID  RemMAC          LocMAC          Intf  VASt  OIntf       VP/VC
1    0004.27fd.249e  0004.c12b.b807  Vi2   UP    ATM0/0/0.2  1/32

SanJose_UAC#show user
    Line    User        Host(s)              Idle      Location
*   0 con 0             idle                 00:00:00
    Vi2     anne@eurob  Virtual PPP (PPPoE ) 00:17:30

The Palo Alto DSL CPE has now been reconfigured to operate in PPPoA mode. The output in Example 2-53 shows the session and user information. The PPPoA session has been terminated on virtual-access1 and an L2TP session has been created to the San Jose PE router.

Example 2-53. PPPoA and L2TP Session Information

SanJose_UAC#show vpdn

L2TP Tunnel and Session Information Total tunnels 1 sessions 1

LocID  RemID  Remote Name   State  Remote Address  Port  Sessions
26460  4452   SuperCom_LNS  est    194.22.15.2     1701  1

LocID  RemID  TunID  Intf  Username       State  Last Chg  Fastswitch
26     65     26460  Vi1   paloalto@euro  est    00:05:22  enabled

SanJose_UAC#show user
    Line    User        Host(s)              Idle      Location
*   0 con 0             idle                 00:00:00
    Vi1     paloalto@e  Virtual PPP (ATM )   00:04:10

Providing Cable Access to an MPLS VPN
The Data-over-Cable Service Interface Specification (DOCSIS) is a standard that allows data traffic to be carried over a cable network that is primarily used for delivering television channels. Data is transmitted by using radio frequency (RF) signals over the cable system. Two-way communication is achieved by providing a "downstream" carrier signal from the cable network to the customer and an "upstream" carrier signal from the customer to the cable network. Cable modems are devices at the customer premises that convert a digital data stream to an RF signal (upstream) and RF back to digital data (downstream). At the head end of the cable network, a cable modem termination system (CMTS) performs the corresponding RF to data operation for many customers (many modems).

Normally, several hundred users can share a single 6-MHz downstream channel and one or more upstream channels. The downstream channel takes the place of a single television transmission channel.

In a DOCSIS 1.0-compliant hybrid fiber-coaxial (HFC) network (or just cable for short), the physical cable interface from a head end router can have many branches, each terminating at a cable modem. Access to an MPLS VPN is achieved through a cable subinterface that has a VRF statically configured on it. Version 1.0 of the DOCSIS specification uses a Service ID (SID) to identify a particular cable modem and all the devices (PCs) behind it. Traffic from the same SID always terminates on the same subinterface at the cable head end PE router; therefore, all CPEs that are connected to the same cable modem are in the same VPN.

Figure 2-25 shows a cable access scenario in the SuperCom network. Both our customers, EuroBank and FastFoods, have cable users connected to their VPNs. The SuperCom San Jose PE router has been upgraded to offer cable services and physically terminates the cable on interface Cable 3/0. The EuroBank and FastFoods cable modems logically terminate on separate subinterfaces of Cable 3/0. Table 2-13 shows the various address assignments to be used in our cable example.

Figure 2-25. Cable Access to SuperCom MPLS VPN

Table 2-13. IP Address Assignment for SuperCom Cable Access

Company     Site                                          Subnet/Host
SuperCom    Default/Management interface (Cable 3/0.1)    194.22.17.0/32
SuperCom    DHCP server host                              194.22.16.3/32
EuroBank    Host subnet (Cable 3/0.5)                     10.7.1.0/24
EuroBank    Cable modem subnet                            192.168.4.0/28
EuroBank    DHCP server                                   196.7.25.32/32
FastFoods   Host subnet (Cable 3/0.6)                     10.7.1.0/24
FastFoods   Cable modem subnet                            192.168.4.16/28

Each cable subinterface on the San Jose head end PE router is configured with the following:

A VRF name— EuroBank or FastFoods.

A primary address— 192.168.4.1/28 for EuroBank and 192.168.4.17/28 for FastFoods. The primary address subnet is the range from which the SuperCom DHCP server allocates IP addresses for all cable modems that will be part of that VRF. For example, all EuroBank cable modems (assuming there is more than one) that connect to the San Jose head end PE router are allocated an address from 192.168.4.0/28.

A secondary address— 10.7.1.1/24. Both FastFoods and EuroBank use the same subnet for their cable users, but there is no overlap because the subnet is in different VRFs. The secondary address subnet is used to satisfy DHCP requests from CPE hosts (PCs) that are connected to the cable modems. Either the SuperCom DHCP server or the customer DHCP server can supply these addresses. In either case, the server must be reachable within the VRF. You can achieve this through the use of static routes or a management extranet, which was discussed earlier in the "Dial-In Access via L2TP VPDN" section.

A DHCP helper address for cable modem address requests and another helper address for PC host address requests. (They can be the same server address.)
The latest inter-carrier enhancements to allow for easier and more scalable deployment In our example, the SuperCom services of inter-carrier MPLS VPN DHCP server supplies all cable modem IP addresses. (The server has a DHCP scope configured for 192.168.4.0/28 and 192.168.4.16/28.) The EuroBank PC users obtain their addresses directly from the EuroBank DHCP server located in Paris, to ensure high availability users Advanced troubleshooting techniques including router outputs whereas the FastFoods PC receive their addresses from the SuperCom RADIUS server. MPLS and VPN Architectures, Volume II , builds on the best-selling MPLS and VPN Referring to Figure 2-25, the steps for obtaining Cisco Press. Extending into more advanced Architectures, Volume I (1-58705-002-1), from cable connectivity are as follows: topics and deployment architectures, Volume II provides readers with the necessary tools Step 1. When the maintain or FastFoods cable modem is powered up, it issues a DHCP they need to deploy and EuroBank a secure, highly available VPN. Discover for an IP address. MPLS and VPN Architectures, Volume II , begins with a brief refresher of the MPLS VPN Step 2. At II point, the San Jose head end connectivity including the integration of Architecture. Partthisdescribes advanced MPLS VPN PE router cannot determine which subinterface (hence VRF) this technologies is associated with. In this case, a uses information service provider access cable modem (dial, DSL, cable, Ethernet) and it variety of routingfrom the first subinterface that is configured on Cable 3/0 as its default. It relays the how to protocols (IS-IS, EIGRP, and OSPF), arming the reader with the knowledge ofrequest by using the helper address (for cable modems) that is defined on Cable 3/0.1 with the giaddr set to integrate these features into the VPN backbone. Part III details advanced deployment issues 194.22.17.1. 
The helper address in steps the the SuperCom must server protect the including security, outlining the necessarythis case isservice provider DHCP take to194.22.16.3. backbone and any attached VPN sites, and also detailing the latest security features to allow more advanced topologies and filtering. This part also covers multi-carrier MPLS VPN deployments. Finally, Part IV provides a methodology for advanced MPLS VPN troubleshooting.

NOTE

Remember from our previous discussions on DHCP that the giaddr is used in the relayed packet to indicate the source of the relay and the subnet for the address that is being requested.

Step 3. When the SuperCom DHCP server receives the request, it uses the giaddr and the MAC address of the cable modem to determine which scope to provide an address from. The modem MAC address must have previously been provisioned in the DHCP server.

Step 4. The DHCP server returns an address out of the appropriate pool (192.168.4.0/28 or 192.168.4.16/28) for the EuroBank or FastFoods modem in a DHCP Offer message.

Step 5. Any subsequent communication from the modem, such as a DHCP Request or DHCP Renew, is sent directly to the SuperCom DHCP server.
Step 6. When the San Jose head end PE router receives these messages from the cable network, it can determine the correct subinterface to associate the packet with (through the SID) and hence the VRF. This means that the SuperCom DHCP server must be reachable within the VRF.

Step 7. The PC clients issue a DHCP Discover to obtain an IP address.

Step 8. The PC request is relayed to the helper address that is defined on the subinterface for hosts. The giaddr is set to the secondary address of the interface. (Remember: The primary address that is configured is for modems, and the secondary address is used for client PCs.) Depending on the value of the helper address, the packet is relayed to the SuperCom DHCP server or the customer's DHCP server. If the DHCP request came from a FastFoods user, the packet is relayed to the SuperCom DHCP server to obtain an address.

Step 9. If the DHCP request came from a EuroBank user, the request is relayed to the EuroBank DHCP server to obtain an address for the PC.

NOTE

There is no user authorization and authentication necessary in the cable access solution. The cable subinterfaces cannot be dynamically configured. All the appropriate configurations must be in place before the first cable modem is connected.

Configuring the SuperCom Head End PE Router

Example 2-54 shows the PE router configuration to provide cable access to the EuroBank and FastFoods VPNs.

Example 2-54. San Jose PE Router Configuration for Cable Access

ip dhcp relay information option
!
interface Cable3/0.1
 description Non-VPN and modems
 ip address 194.22.17.1 255.255.255.0
 cable dhcp-giaddr policy
 cable helper-address 194.22.16.3
!
interface Cable3/0.5
 description EuroBank Cable Network
 ip vrf forwarding EuroBank
 ip address 192.168.4.1 255.255.255.240
 ip address 10.7.1.1 255.255.255.0 secondary
 cable dhcp-giaddr policy
 cable helper-address 194.22.16.3 cable-modem
 cable helper-address 196.7.25.32 host
!
interface Cable3/0.6
 description FastFoods Cable Network
 ip vrf forwarding FastFoods
 ip address 192.168.4.17 255.255.255.240
 ip address 10.7.1.1 255.255.255.0 secondary
 cable dhcp-giaddr policy
 cable helper-address 194.22.16.3
!
ip route 192.168.4.0 255.255.255.240 Cable3/0.5
ip route 192.168.4.16 255.255.255.240 Cable3/0.6
ip route 10.7.1.0 255.255.255.0 Cable3/0.6
ip route vrf EuroBank 194.22.16.3 255.255.255.255 FastEthernet2/0 194.22.16.3 global
ip route vrf FastFoods 194.22.16.3 255.255.255.255 FastEthernet2/0 194.22.16.3 global

The ip dhcp relay information option command inserts additional information (the circuit identifier and the remote ID) into the relayed packet that the DHCP server can use for additional processing. Interface Cable 3/0.1 is used to initially relay the DHCP Discover message to the SuperCom DHCP server by using the helper address 194.22.16.3. Because this interface is not associated with a VRF, all non-VPN cable modems and host PCs also use it.

The cable dhcp-giaddr policy command that appears under all the subinterfaces directs the router to use the primary or the secondary address in the giaddr, depending on whether it is a cable modem or a host PC address request. The subinterfaces Cable 3/0.5 and Cable 3/0.6 have primary and secondary addresses defined to allow connectivity to both cable modems and host PCs. Because EuroBank uses the SuperCom DHCP server for its cable modem addresses and its own DHCP server to allocate PC addresses, two corresponding helper addresses are configured, one for cable modems and one for hosts. FastFoods relies on SuperCom to provide all addresses; therefore only a single helper address is needed for both types of requests. These helper addresses are specified by using the cable helper-address command.

In our cable example, we have opted to use static routes to allow the appropriate connectivity between the cable subnets and the SuperCom DHCP server. However, in practice, it might be more secure to place the SuperCom DHCP server into its own management VRF, as discussed previously in the "Dial-In Access via L2TP VPDN" section.

NOTE
In our example, we have had to inject the RFC 1918 private subnet 10.7.1.0/24 into the global table to provide the SuperCom DHCP server access to the FastFoods subnet. In practice, this is not recommended because of the possibility of overlapping addresses. You should use registered customer addresses in the global space if possible.
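The relay behaviour of Steps 1 to 9 and the overlap that the NOTE above warns about can both be exercised in code. The following Python model is an added example; it is not the book's code and not Cisco IOS. The subinterface and route tables are lifted from Example 2-54 and the two modem MACs from Example 2-56, but the server's scope tables, its use of the option 82 circuit ID to separate the two VRFs that share 10.7.1.0/24, the first-free-address allocator (which gives the EuroBank modem .2 rather than the .4 shown in Example 2-56) and the global route lookup for the reply are assumptions made for illustration.

```python
"""DHCP relay and scope selection for the SuperCom cable head end.

Added example; not code from the book or from Cisco IOS. It models what
Steps 1-9 and Example 2-54 describe: "cable dhcp-giaddr policy" puts the
subinterface primary address in giaddr for modem requests and the secondary
address for host (PC) requests, the first modem Discover leaves via the
non-VRF Cable3/0.1 (giaddr 194.22.17.1), "ip dhcp relay information option"
appends option 82 (circuit ID, remote ID), and the server picks a modem
scope from the provisioned MAC (Step 3). The server's tables, keying host
scopes on (giaddr, circuit ID), the first-free-address allocator and the
global route lookup for the reply are assumptions for illustration.
"""
from ipaddress import ip_address, ip_network

# Subinterfaces of Example 2-54 in a constructed compact form.
SUBIFS = {
    "Cable3/0.1": dict(vrf=None, primary="194.22.17.1", secondary=None,
                       helper_modem="194.22.16.3", helper_host="194.22.16.3"),
    "Cable3/0.5": dict(vrf="EuroBank", primary="192.168.4.1", secondary="10.7.1.1",
                       helper_modem="194.22.16.3", helper_host="196.7.25.32"),
    "Cable3/0.6": dict(vrf="FastFoods", primary="192.168.4.17", secondary="10.7.1.1",
                       helper_modem="194.22.16.3", helper_host="194.22.16.3"),
}

# Global routing table of Example 2-54: the three static routes plus the
# connected Cable3/0.1 subnet (the per-VRF routes to 194.22.16.3 are not needed here).
GLOBAL_ROUTES = {
    ip_network("192.168.4.0/28"): "Cable3/0.5",
    ip_network("192.168.4.16/28"): "Cable3/0.6",
    ip_network("10.7.1.0/24"): "Cable3/0.6",
    ip_network("194.22.17.0/24"): "Cable3/0.1",
}


def relay(subif: str, chaddr: str, kind: str) -> dict:
    """Relayed request as the PE forwards it to the helper address."""
    s = SUBIFS[subif]
    if kind == "modem":                       # primary address as giaddr
        giaddr, helper = s["primary"], s["helper_modem"]
    elif kind == "host":                      # secondary address as giaddr
        if s["secondary"] is None:
            raise ValueError(f"{subif}: no secondary address for host requests")
        giaddr, helper = s["secondary"], s["helper_host"]
    else:
        raise ValueError(f"unknown request kind {kind!r}")
    return {"kind": kind, "chaddr": chaddr, "giaddr": giaddr, "dst": helper,
            "option82": {"circuit_id": subif, "remote_id": chaddr}}


def return_interface(giaddr: str) -> str:
    """Interface the server's reply (addressed to giaddr) leaves on, per the global table."""
    addr = ip_address(giaddr)
    matches = [net for net in GLOBAL_ROUTES if addr in net]
    if not matches:
        raise LookupError(f"no global route back to giaddr {giaddr}")
    return GLOBAL_ROUTES[max(matches, key=lambda net: net.prefixlen)]


class ScopeServer:
    """Assumed server logic: choose a scope, then hand out the lowest free address."""

    def __init__(self, use_option82: bool):
        self.use_option82 = use_option82
        # Step 3: the modem scope comes from the provisioned MAC, not from giaddr,
        # because the first Discover always arrives with the default giaddr.
        self.modem_scopes = {"0002.fdfa.0d77": ip_network("192.168.4.16/28"),   # FastFoods
                             "0003.e350.92e9": ip_network("192.168.4.0/28")}    # EuroBank
        self.host_scope = ip_network("10.7.1.0/24")   # both VRFs relay hosts with giaddr 10.7.1.1
        self.leases = {}                               # scope key -> {mac: address}

    def scope(self, pkt: dict) -> tuple:
        if pkt["kind"] == "modem":
            mac = pkt["chaddr"]
            if mac not in self.modem_scopes:
                raise LookupError(f"modem {mac} is not provisioned")
            return ("modem", str(self.modem_scopes[mac])), self.modem_scopes[mac]
        key = ("host", pkt["giaddr"])
        if self.use_option82:                  # circuit ID tells the two 10.7.1.0/24s apart
            key += (pkt["option82"]["circuit_id"],)
        return key, self.host_scope

    def offer(self, pkt: dict) -> str:
        key, net = self.scope(pkt)
        table = self.leases.setdefault(key, {})
        if pkt["chaddr"] in table:             # Request/Renew for an existing lease
            return table[pkt["chaddr"]]
        used = set(table.values())
        for host in list(net.hosts())[1:]:     # skip the PE's own address (.1 or .17)
            if str(host) not in used:
                table[pkt["chaddr"]] = str(host)
                return str(host)
        raise RuntimeError(f"scope {net} is exhausted")
```

Run with use_option82=False and the two host requests that both arrive with giaddr 10.7.1.1 land in one lease table, so a EuroBank PC and a FastFoods PC are tracked as if they shared a subnet; and return_interface("10.7.1.1") answers Cable3/0.6 whatever VRF the request came from, because the global table has only the FastFoods route for 10.7.1.0/24. That is the overlap the NOTE describes and the reason EuroBank host requests go to a server reachable inside the EuroBank VRF.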

Verifying Cable Operation

The debug output in Example 2-55 was generated from a DHCP Discover due to the initialization of the FastFoods cable modem. When the DHCP Discover message is received (in a BOOTP Request), it is forwarded to 194.22.16.3 (SuperCom DHCP) with the giaddr of 194.22.17.1. The DHCP Offer is then forwarded back (in a BOOTP Reply). When the DHCP Request is received from the cable modem (to confirm use of the address allocated), the giaddr used is 192.168.4.17, which is that of the FastFoods subinterface. (The router now knows the association between the cable modem and the subinterface.)

Example 2-55. Debug of FastFoods Modem Address Request

DHCPD: adding relay information option.
DHCPD: setting giaddr to 194.22.17.1.
DHCPD: BOOTREQUEST from 0100.02fd.fa0d.77 forwarded to 194.22.16.3.
DHCPD: forwarding BOOTREPLY to client 0002.fdfa.0d77.
DHCPD: validating relay information option.
DHCPD: broadcasting BOOTREPLY to client 0002.fdfa.0d77.
DHCPD: adding relay information option.
DHCPD: setting giaddr to 192.168.4.17.
DHCPD: BOOTREQUEST from 0100.02fd.fa0d.77 forwarded to 194.22.16.3.
DHCPD: forwarding BOOTREPLY to client 0002.fdfa.0d77.
DHCPD: validating relay information option.
DHCPD: broadcasting BOOTREPLY to client 0002.fdfa.0d77.
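Reading the giaddr progression by eye works for one modem; for a head end with many it is better turned into a check. The following Python script is an added example, not from the book or from Cisco IOS: it parses lines in the format of Example 2-55 and reports, per modem MAC, whether the default-then-VRF giaddr progression was seen. The giaddr-to-VRF map and the server address come from Example 2-54; the lines for the second and third modems in the sample are constructed.

```python
"""Check the giaddr progression of cable modems in DHCPD relay debug output.

Added example; not code from the book or from Cisco IOS. It parses lines in
the format of Example 2-55 and confirms, per modem MAC, that the first
BOOTREQUEST was relayed with the default giaddr 194.22.17.1 (Step 2) and a
later one with the giaddr of a VRF subinterface, the point at which the PE
has tied the modem to its subinterface (Step 6). The giaddr-to-VRF map and
the server address come from Example 2-54; the lines for the second and
third modems below are constructed.
"""
import re

DEFAULT_GIADDR = "194.22.17.1"                  # Cable3/0.1, no VRF
VRF_BY_GIADDR = {"192.168.4.1": "EuroBank",     # Cable3/0.5 primary
                 "192.168.4.17": "FastFoods"}   # Cable3/0.6 primary
DHCP_SERVER = "194.22.16.3"                     # SuperCom DHCP server

SET_GIADDR = re.compile(r"DHCPD: setting giaddr to (\d+\.\d+\.\d+\.\d+)\.")
FORWARDED = re.compile(r"DHCPD: BOOTREQUEST from (\S+) forwarded to (\d+\.\d+\.\d+\.\d+)\.")

# Example 2-55 as printed, then a constructed modem that never leaves the default
# interface and a constructed modem relayed to the wrong server.
SAMPLE_DEBUG = """\
DHCPD: adding relay information option.
DHCPD: setting giaddr to 194.22.17.1.
DHCPD: BOOTREQUEST from 0100.02fd.fa0d.77 forwarded to 194.22.16.3.
DHCPD: forwarding BOOTREPLY to client 0002.fdfa.0d77.
DHCPD: validating relay information option.
DHCPD: broadcasting BOOTREPLY to client 0002.fdfa.0d77.
DHCPD: adding relay information option.
DHCPD: setting giaddr to 192.168.4.17.
DHCPD: BOOTREQUEST from 0100.02fd.fa0d.77 forwarded to 194.22.16.3.
DHCPD: forwarding BOOTREPLY to client 0002.fdfa.0d77.
DHCPD: validating relay information option.
DHCPD: broadcasting BOOTREPLY to client 0002.fdfa.0d77.
DHCPD: setting giaddr to 194.22.17.1.
DHCPD: BOOTREQUEST from 0100.03e3.5092.e9 forwarded to 194.22.16.3.
DHCPD: setting giaddr to 194.22.17.1.
DHCPD: BOOTREQUEST from 0100.03e3.5092.e9 forwarded to 194.22.16.3.
DHCPD: setting giaddr to 194.22.17.1.
DHCPD: BOOTREQUEST from 0100.0c29.1234.56 forwarded to 10.9.9.9.
"""


def chaddr_to_mac(chaddr: str) -> str:
    """'0100.02fd.fa0d.77' (hardware type 01 followed by the MAC) -> '0002.fdfa.0d77'."""
    digits = chaddr.replace(".", "")
    if len(digits) != 14 or not digits.startswith("01"):
        raise ValueError(f"unexpected chaddr format {chaddr!r}")
    mac = digits[2:]
    return ".".join(mac[i:i + 4] for i in range(0, 12, 4))


def relay_hops(debug_text: str) -> dict:
    """{mac: [(giaddr, server), ...]} in the order BOOTREQUESTs were forwarded."""
    hops, giaddr = {}, None
    for line in debug_text.splitlines():
        m = SET_GIADDR.search(line)
        if m:
            giaddr = m.group(1)
            continue
        m = FORWARDED.search(line)
        if m:
            if giaddr is None:
                raise ValueError(f"BOOTREQUEST forwarded with no preceding giaddr: {line}")
            hops.setdefault(chaddr_to_mac(m.group(1)), []).append((giaddr, m.group(2)))
            giaddr = None
    return hops


def assess(hops: dict) -> dict:
    """Per MAC: 'ok:<VRF>' for the expected default-then-VRF progression, else a finding."""
    findings = {}
    for mac, seq in hops.items():
        giaddrs = [g for g, _ in seq]
        wrong_servers = sorted({s for _, s in seq} - {DHCP_SERVER})
        if wrong_servers:
            findings[mac] = f"relayed to unexpected server(s) {wrong_servers}"
        elif giaddrs[0] != DEFAULT_GIADDR:
            findings[mac] = f"first relay used {giaddrs[0]} instead of default {DEFAULT_GIADDR}"
        else:
            later = [g for g in giaddrs[1:] if g != DEFAULT_GIADDR]
            if not later:
                findings[mac] = "no relay with a VRF subinterface giaddr yet (modem not associated)"
            elif any(g not in VRF_BY_GIADDR for g in later):
                findings[mac] = f"giaddr {later} is not a configured VRF subinterface address"
            else:
                findings[mac] = "ok:" + VRF_BY_GIADDR[later[-1]]
    return findings
```

A modem that keeps being relayed with 194.22.17.1 is still unassociated (its MAC is probably not provisioned on the server, so it never received an Offer); a BOOTREQUEST forwarded to anything other than 194.22.16.3 means a helper address on some subinterface is wrong.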
The output in Example 2-56 confirms the addresses that have been allocated for the EuroBank and FastFoods cable modems. Each modem has been allocated an address within its respective VRF using the subnet that is defined on the primary address.

Example 2-56. Cable Modem Address Allocation

SanJose_PE#show cable modem
Interface     Prim  Online   Timing  Rec    QoS  CPE  IP address     MAC address
              Sid   State    Offset  Power
Cable3/0/U1   1     online   2812    -0.50  5    0    192.168.4.18   0002.fdfa.0d77
Cable3/0/U0   2     online   2812    0.25   5    0    192.168.4.4    0003.e350.92e9

SanJose_PE#show ip vrf int
Interface     IP-Address     VRF        Protocol
Cable3/0.5    192.168.4.1    EuroBank   up
Cable3/0.6    192.168.4.17   FastFoods  up

DHCP requests for PC clients are relayed as per normal operation; the only difference is that the secondary address is used as the giaddr.

Advanced Features for MPLS VPN Remote Access
The previous sections have covered basic integration of remote access technologies (dial-up, DSL, and cable) into the MPLS VPN environment. This section covers some advanced Cisco IOS features that you can use with remote access and includes the following:

On-demand address pools (ODAPs)

Per-VRF AAA

DHCP relay VPN support

ODAPs
In most dial-up scenarios, the dial-in server supplies an IP address to the dial-in user (or router). You can allocate the IP addresses to PPP sessions by using a variety of methods:

Statically configured using the RADIUS Framed-IP-Address attribute.

Local address pools that can be either overlapping or nonoverlapping. Overlapping and nonoverlapping local pools are implemented and maintained locally on the router. Overlapping local pools have been used throughout the SuperCom examples.

Addresses can also be provided from overlapping pools that the RADIUS server manages. If overlapping pools are configured on a RADIUS server, authentication and accounting must be configured on the same server.

An address pool that a DHCP server manages. The DHCP server only maintains a common pool from which addresses are dynamically assigned upon request. This method does not provide the scalability of overlapping pools.

To supplement the existing address allocation methods, ODAPs were introduced in IOS 12.2(8)T. Using ODAPs allows an address pool to expand and contract based on address usage. Each ODAP is associated with a VRF and is initially populated with one or more subnets that a RADIUS or DHCP server provides.

If the allocation of addresses from a pool reaches a preset high utilization mark, additional subnets are leased from the RADIUS or DHCP server to satisfy demand. Conversely, if utilization falls below a certain level, subnets are handed back to the RADIUS or DHCP server that provided the lease. Each time a subnet is leased, a corresponding summarized route is inserted into the VRF; the route is removed when the lease is returned to the RADIUS or DHCP server.

A separate ODAP is configured for each VRF that requires address assignment services on a router. Both PPP and normal DHCP client requests can be serviced from the same pool.

NOTE

The RADIUS or DHCP server that is used in the network must support the leasing and returning of IP subnets on a per-VRF basis. ODAPs are supported in Cisco Access Registrar from V1.7 onward.

Figure 2-26 illustrates how ODAPs would work in the SuperCom network to provide addresses for FastFoods from the San Jose PE router.

Figure 2-26. SuperCom ODAP for FastFoods

The following describes the operational steps for ODAP:

Step 1. The SuperCom RADIUS server has been allocated three /26 address blocks starting at 192.168.3.0 to support requests from the FastFoods ODAP. Note that these address blocks do not have to be contiguous or unique. The same address blocks can be allocated to other pools in different VRFs. (The way the RADIUS server implements this varies between products and is not within the scope of this chapter; however, Cisco Access Registrar is recommended.)

Step 2. On startup, the San Jose PE router requests a subnet to populate its ODAP for FastFoods. It does this through a RADIUS Access-Request message with the NAS-Identifier attribute set to "odap-dhcp" to allow the RADIUS server to distinguish it from a normal user authentication request. The User-Name attribute contains the VRF that the ODAP subnet is being requested for.

Step 3. The RADIUS server responds with the first available subnet from its resource pool. In this case, this is 192.168.3.0/26, which provides 62 usable addresses for PPP clients.

Step 4. A route is automatically placed into the FastFoods VRF for 192.168.3.0/26. Multiprotocol BGP distributes this throughout the FastFoods VPN.

Step 5. At this point, addresses can be allocated from the ODAP pool to any PPP client requests (could be from the NAS/LAC or direct ISDN) until the high utilization mark is reached.

Step 6. Assuming the high mark is reached, the San Jose PE router requests another address pool. The size of the pool it requests is configurable.

Step 7. The next available subnet, 192.168.3.64/26, is then passed back and added to the ODAP for FastFoods, leaving one subnet available in the RADIUS server. If no subnets are available, the RADIUS server responds with an Access-Reject message.

Step 8. A corresponding route for 192.168.3.64/26 is placed into the FastFoods VRF.

Step 9. Addresses are then allocated from the expanded ODAP by using an available pool of 124 addresses until the low or high utilization mark is reached. Note that the utilization marks are a percentage of the total current pool size. If possible, addresses are allocated from the first leased subnet. Therefore, over time, the last leased subnet has its addresses returned to it as PPP sessions terminate.

Step 10. Assuming that the low utilization mark has been reached, the last leased subnet (192.168.3.64/26) is released back to the RADIUS server if there are no active addresses currently being leased from it.

Step 11. When the subnet is returned to the RADIUS server, the corresponding route is removed from the FastFoods VRF.
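The lease, route and release behaviour of Steps 1 to 11 is easiest to check as a small simulation. The following Python model is an added example, not code from the book or from Cisco IOS. It uses the pool settings of Example 2-57 (high mark 80%, low mark 25%, /26 initial and autogrow) and the three /26 blocks of Step 1; the RADIUS server is replaced by an in-memory subnet list, and because the page does not say exactly when IOS evaluates the marks, checking them after every allocation and release is an assumption.

```python
"""On-demand address pool (ODAP) growth and shrinkage for the FastFoods VRF.

Added example; not code from the book or from Cisco IOS. It models Steps 1
to 11 with the pool settings of Example 2-57 (high mark 80%, low mark 25%,
/26 initial and autogrow): subnets are leased from a stand-in for the
SuperCom RADIUS server that holds the three /26 blocks from 192.168.3.0 of
Step 1, a route is added to the VRF on each lease and removed on each
return, addresses are handed out from the first leased subnet first, and the
last leased subnet is returned only when nothing is active in it. The page
does not say exactly when IOS evaluates the marks; here they are checked
after every allocation and release, which is an assumption.
"""
from ipaddress import ip_network


class SubnetServer:
    """Stand-in for the RADIUS server's per-VRF subnet resource pool (assumed)."""

    def __init__(self, vrf: str, blocks):
        self.vrf = vrf
        self.free = [ip_network(b) for b in blocks]   # need not be contiguous

    def lease(self, vrf: str, prefixlen: int):
        """Access-Request (User-Name = VRF, NAS-Identifier odap-dhcp): a subnet, or None for Access-Reject."""
        if vrf != self.vrf:
            return None
        for net in self.free:
            if net.prefixlen == prefixlen:
                self.free.remove(net)
                return net
        return None

    def release(self, net) -> None:
        self.free.append(net)


class Odap:
    def __init__(self, vrf: str, server: SubnetServer, high=80, low=25, size=26):
        self.vrf, self.server = vrf, server
        self.high, self.low, self.size = high, low, size
        self.subnets = []          # leased subnets in lease order
        self.active = {}           # address -> subnet it came from
        self.vrf_routes = set()    # summarized routes MP-BGP would carry for the VRF
        self.grow()                # Steps 2-4: initial /26 at startup

    def capacity(self) -> int:
        return sum(net.num_addresses - 2 for net in self.subnets)   # 62 usable per /26

    def utilization(self) -> float:
        """Percentage of the total current pool size, across all leased subnets (Step 9)."""
        return 100.0 * len(self.active) / self.capacity() if self.subnets else 0.0

    def grow(self) -> bool:
        net = self.server.lease(self.vrf, self.size)
        if net is None:            # Step 7: Access-Reject, pool keeps its current size
            return False
        self.subnets.append(net)
        self.vrf_routes.add(net)   # Steps 4 and 8
        return True

    def shrink(self) -> bool:
        """Step 10: return the last leased subnet if no active address comes from it."""
        if len(self.subnets) < 2:
            return False
        last = self.subnets[-1]
        if any(net == last for net in self.active.values()):
            return False
        self.subnets.pop()
        self.vrf_routes.discard(last)   # Step 11
        self.server.release(last)
        return True

    def allocate(self):
        """Hand an address to a PPP session, filling the first leased subnet first (Step 9)."""
        for net in self.subnets:
            for host in net.hosts():
                if host not in self.active:
                    self.active[host] = net
                    if self.utilization() >= self.high:   # Step 6: ask for another subnet
                        self.grow()
                    return host
        raise RuntimeError("pool exhausted and the server has no subnet to lease")

    def free(self, addr) -> None:
        """PPP session ended; falling under the low mark may release the last subnet (Step 10)."""
        del self.active[addr]
        if self.utilization() <= self.low:
            self.shrink()
```

With these settings the 50th session (50/62 is just over 80%) triggers the lease of 192.168.3.64/26, and the pool then fills 192.168.3.0/26 to the end before touching the second subnet; on the way down, the second subnet cannot be returned while even one session still holds an address in it, however far utilization has dropped, which is the reason Step 9 prefers the first leased subnet.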

Configuring the SuperCom San Jose PE Router
Example 2-57 shows the configuration that is necessary to enable ODAP for the FastFoods VRF.

Example 2-57. San Jose PE Router Configuration for ODAP

aaa authentication ppp default local group radius
aaa authorization network default local group radius
aaa authorization configuration default group radius
!
ip address-pool dhcp-pool
!
ip dhcp pool FastFoods_ODAP
 vrf FastFoods
 utilization mark high 80
 utilization mark low 25
 origin aaa subnet size initial /26 autogrow /26
!
radius-server host 194.22.16.2 auth-port 1645 acct-port 1646 key a$4two
radius-server attribute 32 include-in-access-req
radius-server attribute 44 include-in-access-req
radius-server vsa send authentication

Theaaa authorization configuration command allows the San Jose PE router to configure the ODAP with subnets received from the SuperCom RADIUS server. The command ip address-pool dhcp-pool enables ODAP as the global address mechanism for PPP sessions that terminate in a VRF; however, this default can be overridden at the interface level.
•

The ODAP isIndex configured with the ip dhcp pool command for each VRF that requires it—in our • case,and VPN Architectures, high and low utilizations are specified as a percentage (80% and 25%) of for FastFoods. The Volume II MPLS the total number of addresses in the pool (could be multiple subnets). The origin command ByJim Guichard, Ivan Pepelnjak, Jeff Apcar activates the ODAP for the FastFoods VRF. In our example, we obtain subnets from the AAA server, which is the SuperCom RADIUS server. The initial subnet requested is a /26 in size; Publisher: Cisco Press thereafter, if expansion of the pool is necessary, the requested subnets are also /26.

When requesting a subnet, the RADIUS access-request message must contain the NAS-Port identifier ("odap-dhcp") and an accounting session-id attribute so that the RADIUS server can distinguish different subnet requests. This is achieved by allowing the RADIUS attributes 32 and 44 to be included in the message. In addition, the radius-server vsa send authentication command allows the PE router to include cisco-avpairs in the request—in particular, a "pool-mask" indicating the size of subnet required.

RADIUS Attributes
The RADIUS attributes remain relatively unchanged from previous examples except that the peer default address pool used is the DHCP-pool for ODAP rather than a locally configured pool (see Table 2-14). This is achieved by using the interface command peer default ip address dhcp-pool.

Table 2-14. User Attributes for ODAP

Attribute (Type)      Value
User-Name (1)         elvis@fastfoods.com
User-Password (2)     whatsthebuzz
Service-Type (6)      1 (Framed)
Framed-Protocol (7)   1 (PPP)
Cisco-avpair          lcp:interface-config=ip vrf forwarding FastFoods \n[1]
                      ip unnumbered loopback 10 \n
                      peer default ip address dhcp-pool

[1] The \n signifies an explicit carriage return. Usage varies between RADIUS server implementations.

NOTE

Because the global default on the San Jose PE router was set to ODAP with the ip address-pool dhcp-pool command, it is not necessary to enter a peer default command in the interface config.

Verifying ODAP Operation
The San Jose PE router and the SuperCom RADIUS server have had ODAP configured for both the FastFoods and EuroBank VRFs. The output in Example 2-58 shows the RADIUS debug messages from the San Jose PE router requesting an initial subnet for FastFoods. As you can see, the User-Name attribute consists of the VRF name. The cisco-avpair consists of the pool-mask indicating that a /26 subnet is required. The NAS-identifier indicates to the RADIUS server that this is an ODAP request. The response from the SuperCom RADIUS server is subnet 192.168.3.0/26, which is used to initially configure the ODAP. The procedure is the same for the EuroBank VRF.
Example 2-58. ODAP RADIUS Access Request and Accept Messages

RADIUS(00000000): Send to unknown id 21645/68 194.22.16.2:1645, Access-Request, len 136
[snip]
RADIUS:  User-Name           [1]   11  "FastFoods"
RADIUS:  User-Password       [2]   18  *
RADIUS:  Vendor, Cisco       [26]  33
RADIUS:   Cisco AVpair       [1]   27  "pool-mask=255.255.255.192"
RADIUS:  Acct-Session-Id     [44]  10  "00000038"
RADIUS:  Nas-Identifier      [32]  11  "odap-dhcp"
RADIUS:  Vendor, Cisco       [26]  15
RADIUS:   cisco-nas-port     [2]   9   "Port 56"
RADIUS:  NAS-Port            [5]   6   60000
RADIUS:  NAS-IP-Address      [4]   6   194.22.15.2
RADIUS:  Service-Type        [6]   6   Outbound                  [5]
RADIUS: Received from id 21645/68 194.22.16.2:1645, Access-Accept, len 126
[snip]
RADIUS:  Termination-Action  [29]  6   1
RADIUS:  Vendor, Cisco       [26]  29
RADIUS:   Cisco AVpair       [1]   23  "pool-addr=192.168.3.0"
RADIUS:  Vendor, Cisco       [26]  33
RADIUS:   Cisco AVpair       [1]   27  "pool-mask=255.255.255.192"

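As an added example (not from the book), the following Python builds the Access-Request of Example 2-58 with the RFC 2865 Type/Length/Value attribute layout and the Cisco Vendor-Specific AVpair layout, so that the attribute lengths and the overall length of 136 printed in the debug can be reproduced, and it decodes pool-mask/pool-addr AVpairs the way a server or a monitoring tool would read them from a request or an accept. The request authenticator, the User-Password value and the Access-Accept it decodes are constructed here; the debug shows the password only as "*".

```python
"""Encoder/decoder for the ODAP RADIUS exchange of Example 2-58.

Added example, not from the book: it lays out the attributes the San Jose PE
sends for the FastFoods pool in the RFC 2865 Type/Length/Value format and the
Cisco Vendor-Specific (type 26, vendor 9) sub-TLV format, so the lengths in
the debug output can be checked. The request authenticator, the User-Password
value and the Access-Accept fed to the decoder are constructed here.
"""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
VENDOR_CISCO = 9  # enterprise number behind "Vendor, Cisco [26]"


def attr(attr_type, value):
    """RFC 2865 attribute: Type(1) Length(1) Value; Length counts the header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def cisco_vsa(sub_type, text):
    """Vendor-Specific (26): Type Length Vendor-Id(4) then one Cisco sub-TLV.
    Sub-type 1 is the Cisco AVpair (pool-mask=..., pool-addr=...), sub-type 2
    is cisco-nas-port; the debug prints the outer and the inner length."""
    inner = attr(sub_type, text.encode())
    return attr(26, struct.pack("!I", VENDOR_CISCO) + inner)


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous block), starting from the request authenticator.
    Up to 16 bytes of password give the 18-byte attribute seen in the debug."""
    pw = password.encode()
    pw += b"\x00" * (-len(pw) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(pw), 16):
        digest = hashlib.md5(secret.encode() + prev).digest()
        prev = bytes(a ^ b for a, b in zip(pw[i:i + 16], digest))
        out += prev
    return out


def build_packet(code, identifier, authenticator, attrs):
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes..."""
    body = b"".join(attrs)
    return struct.pack("!BBH", code, identifier, 20 + len(body)) + authenticator + body


def build_odap_request(vrf, pool_mask, session_id, secret, password,
                       identifier=68, authenticator=None):
    """(packet, attribute list) for the subnet request of Example 2-58, in the
    debug's attribute order. Attributes 32 and 44 are present only because of
    'radius-server attribute 32/44 include-in-access-req'; the AVpair only
    because of 'radius-server vsa send authentication'."""
    authenticator = authenticator or os.urandom(16)
    attrs = [
        attr(1, vrf.encode()),                                    # User-Name = VRF name
        attr(2, hide_password(password, secret, authenticator)),  # User-Password
        cisco_vsa(1, f"pool-mask={pool_mask}"),                   # subnet size wanted
        attr(44, session_id.encode()),                            # Acct-Session-Id
        attr(32, b"odap-dhcp"),                                   # NAS-Identifier: ODAP
        cisco_vsa(2, "Port 56"),                                  # cisco-nas-port
        attr(5, struct.pack("!I", 60000)),                        # NAS-Port
        attr(4, bytes([194, 22, 15, 2])),                         # NAS-IP-Address (PE)
        attr(6, struct.pack("!I", 5)),                            # Service-Type Outbound
    ]
    return build_packet(ACCESS_REQUEST, identifier, authenticator, attrs), attrs


def attribute_lengths(attrs):
    """(type, length) pairs: the two bracketed numbers of each 'RADIUS:' line."""
    return [(a[0], a[1]) for a in attrs]


def parse_vsa_avpairs(packet):
    """Return the Cisco AVpair strings of a packet, the way a server or a
    monitoring decoder reads pool-mask / pool-addr from the request and the
    accept. Bad lengths end the walk instead of looping or over-reading."""
    pairs, pos = [], 20
    while pos + 2 <= len(packet):
        t, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            break
        value = packet[pos + 2:pos + length]
        if t == 26 and len(value) >= 6 and struct.unpack("!I", value[:4])[0] == VENDOR_CISCO:
            sub_t, sub_len = value[4], value[5]
            if sub_t == 1 and 2 <= sub_len <= len(value) - 4:
                pairs.append(value[6:4 + sub_len].decode(errors="replace"))
        pos += length
    return pairs


if __name__ == "__main__":
    pkt, attrs = build_odap_request("FastFoods", "255.255.255.192", "00000038",
                                    "a$4two", "constructed-pw")
    print(len(pkt), attribute_lengths(attrs), parse_vsa_avpairs(pkt))
```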
The three remote users from our VPDN dial-in scenario, elvis@fastfoods.com, jimi@fastfoods.com, and eric@eurobank.com, have dialed in again, but this time they have received addresses for their PPP sessions from the ODAPs that are associated with their VRFs. For the sake of example, the FastFoods ODAP has had its high/low utilization marks set to 3% and 2% respectively to force expansion of the pool with just two users. Example 2-59 shows the ODAP status for the FastFoods and EuroBank VRFs.

Example 2-59. FastFoods and EuroBank ODAPs

SanJose_PE#show ip dhcp pool

Pool FastFoods_ODAP :
 Utilization mark (high/low)    : 3 / 2
 Subnet size (first/next)       : 26 / 26 (autogrow)
 VRF name                       : FastFoods
 Total addresses                : 124
 Leased addresses               : 2
 Pending event                  : none
 2 subnets are currently in the pool :
 Current index        IP address range                    Leased addresses
 192.168.3.3          192.168.3.1      - 192.168.3.62      2
 192.168.3.65         192.168.3.65     - 192.168.3.126     0

Pool EuroBank_ODAP :
 Utilization mark (high/low)    : 80 / 25
 Subnet size (first/next)       : 26 / 26 (autogrow)
 VRF name                       : EuroBank
 Total addresses                : 62
 Leased addresses               : 1
 Pending event                  : none
 1 subnet is currently in the pool :
 Current index        IP address range                    Leased addresses
 192.168.3.2          192.168.3.1      - 192.168.3.62      1

Both ODAPs have received an initial subnet allocation of 192.168.3.0/26.

NOTE

There is no restriction on what subnets can be used. Our example uses the same subnet range for both VRFs to show the overlapping pool capability of ODAP.

Two addresses have been leased from FastFoods_ODAP (for "elvis" and "jimi") from the first available subnet. Because the high utilization mark has been exceeded, the FastFoods_ODAP has requested an expansion, with the extra subnet 192.168.3.64/26 being provided from the SuperCom RADIUS server. The EuroBank_ODAP has leased one address to "eric." Example 2-60 shows the routing tables for both VRFs. You can see the connected routes to the virtual-access interfaces for each user. Also, note the static routes that have been injected for each of the ODAP subnets pointing to null0. In this case, the BGP aggregate-address command, as discussed previously, is not necessary. However, to achieve proper summarization, the connected routes must not be redistributed into Multiprotocol BGP.

Example 2-60. FastFoods and EuroBank Routing Table with ODAP

SanJose_PE#show ip route vrf FastFoods
[snip]
     10.0.0.0/24 is subnetted, 1 subnets
B       10.2.1.0 [200/0] via 194.22.15.1, 2d02h
     192.168.2.0/24 is variably subnetted, 2 subnets, 2 masks
C       192.168.2.100/32 is directly connected, Loopback10
B       192.168.2.20/30 [200/0] via 194.22.15.1, 2d02h
     192.168.3.0/24 is variably subnetted, 4 subnets, 2 masks
S       192.168.3.64/26 [1/0] via 0.0.0.0, Null0
C       192.168.3.2/32 is directly connected, virtual-Access5
C       192.168.3.1/32 is directly connected, virtual-Access4
S       192.168.3.0/26 [1/0] via 0.0.0.0, Null0

SanJose_PE#show ip route vrf EuroBank
[snip]
B    196.7.25.0/24 [200/0] via 194.22.15.1, 2d02h
     192.168.2.0/24 is variably subnetted, 2 subnets, 2 masks
C       192.168.2.100/32 is directly connected, Loopback11
B       192.168.2.24/30 [200/0] via 194.22.15.1, 2d02h
     192.168.3.0/24 is variably subnetted, 2 subnets, 2 masks
C       192.168.3.1/32 is directly connected, virtual-Access3
S       192.168.3.0/26 [1/0] via 0.0.0.0, Null0
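The following Python, added here and not from the book, models the ODAP pool arithmetic and the high/low utilization marks of Examples 2-57 and 2-59 for both VRFs: it shows why two leases trigger a request for a further /26 when the marks are 3/2 and why one lease does not at 80/25, and it reproduces the addresses and "Current index" of Example 2-59. Evaluating the marks on every lease and the low-mark release check are this example's simplification of the router's behaviour.

```python
"""Model of the ODAP pool arithmetic and utilization marks (Examples 2-57, 2-59).

Added example, not from the book: it reproduces the 'show ip dhcp pool'
figures (62 usable addresses per /26, utilization as a percentage of all
addresses in the pool, which may span several subnets) and shows when a pool
asks AAA for another /26. Evaluating the marks on every lease and the release
check are this example's simplification of the router's behaviour.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Odap:
    name: str
    vrf: str
    high_mark: int           # 'utilization mark high', percent
    low_mark: int            # 'utilization mark low', percent
    subnet_prefix: int = 26  # 'origin aaa subnet size initial /26 autogrow /26'
    subnets: list = field(default_factory=list)
    leased: set = field(default_factory=set)
    requests: list = field(default_factory=list)  # AVpairs sent to the AAA server

    def add_subnet(self, network):
        """Install a subnet returned by AAA (pool-addr with pool-mask)."""
        self.subnets.append(ipaddress.ip_network(network))

    @property
    def total_addresses(self):
        """'Total addresses': usable hosts only, so one /26 shows 62, two show 124."""
        return sum(n.num_addresses - 2 for n in self.subnets)

    def utilization(self):
        """Leased addresses as a percentage of every address in the pool."""
        return 100.0 * len(self.leased) / self.total_addresses if self.subnets else 0.0

    def request_subnet(self):
        """Record the request the PE would send: a pool-mask AVpair for one more subnet."""
        mask = ipaddress.ip_network(f"0.0.0.0/{self.subnet_prefix}").netmask
        self.requests.append(f"pool-mask={mask}")

    def lease(self):
        """Hand out the lowest free usable address, then check the high mark;
        exceeding it triggers a request for one more /26 (autogrow)."""
        for net in self.subnets:
            for host in net.hosts():
                if host not in self.leased:
                    self.leased.add(host)
                    if self.utilization() > self.high_mark:
                        self.request_subnet()
                    return str(host)
        raise RuntimeError(f"{self.name}: no free address, expansion pending")

    def release(self, address):
        """Free an address and report whether the pool is now at or below the
        low mark, the point from which ODAP may hand unused subnets back."""
        self.leased.discard(ipaddress.ip_address(address))
        return self.utilization() <= self.low_mark


def fastfoods_scenario():
    """Example 2-59: marks forced to 3/2 so that two users trigger expansion."""
    pool = Odap("FastFoods_ODAP", "FastFoods", high_mark=3, low_mark=2)
    pool.add_subnet("192.168.3.0/26")      # initial allocation from AAA
    elvis = pool.lease()                    # 1/62 = 1.6 %, below the high mark
    jimi = pool.lease()                     # 2/62 = 3.2 %, exceeds 3 %: request sent
    if pool.requests:
        pool.add_subnet("192.168.3.64/26")  # the extra subnet AAA supplied in the book
    return pool, elvis, jimi


def eurobank_scenario():
    """Example 2-59: default 80/25 marks; one user stays well below the high mark."""
    pool = Odap("EuroBank_ODAP", "EuroBank", high_mark=80, low_mark=25)
    pool.add_subnet("192.168.3.0/26")       # same range as FastFoods: pools may overlap
    return pool, pool.lease()


if __name__ == "__main__":
    for pool in (fastfoods_scenario()[0], eurobank_scenario()[0]):
        print(f"{pool.name}: total {pool.total_addresses}, leased {len(pool.leased)}, "
              f"utilization {pool.utilization():.1f}%, requests {pool.requests}")
```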

Per VRF AAA

So far in this chapter, the SuperCom RADIUS server has authenticated user PPP sessions that terminate on the San Jose PE router. In the FastFoods case, the RADIUS access-requests were proxied to the FastFoods RADIUS server at Lyon where the actual user information was stored. As has been discussed previously, this requires that a route be available between the two RADIUS servers to allow them to communicate. It also involves a series of configuration steps to import and export routes between the Management VRF, customer VRF, and global routing table. Such configurations, although quite common in MPLS VPN networks, can be prone to error and security issues.

You can eliminate the requirement of a RADIUS proxy for remote access by using a new feature called per-VRF AAA. This feature allows direct access to a customer RADIUS server from within the VRF for user authentication. The advantage of this is that a service provider RADIUS server is not required, nor are complex Intranet configurations for proxy RADIUS access. Because only one RADIUS server is required, a failure point is removed and access-request response time is improved.

The initial implementation of per-VRF AAA requires that you define a virtual-template for each VRF that contains a customer RADIUS server. Apart from the VRF name and interface addressing method, the virtual-template supplies the relevant configurations that define the access to the customer RADIUS server. A per-VRF virtual-template is required because the VHG/PE router forwards only a single access-request containing the username@domainname and password (received through the L2TP tunnel). Therefore, the VHG/PE router must know the VRF and RADIUS server for a domain before the PPP session is established so that the received username@domainname and password can be forwarded to the correct customer RADIUS server.

NOTE

Future enhancements to the per-VRF AAA feature plan to allow the service provider RADIUS server to dynamically provide the customer RADIUS information (as well as the VRF, interface addressing, and so on). Therefore, future versions will have three RADIUS requests: one from the LAC to the SP RADIUS server for tunnel information, one from the LNS to the SP RADIUS server for VPN and customer RADIUS information, and one from the LNS to the customer RADIUS server to authenticate the customer.

Figure 2-27 shows the per-VRF AAA in the SuperCom network for FastFoods.

Figure 2-27. Per-VRF AAA VPDN Access

Essentially, remote access is the same as the VPDN scenario described previously, except that configuration information for the virtual-access interface is obtained from a specific virtual-template for FastFoods. This virtual-template is associated with a vpdn-group that is configured to terminate FastFoods users only. You do this by using a different hostname in the vpdn-group configuration. When the San Jose NAS/LAC receives a call for elvis@fastfoods.com, it creates the L2TP tunnel as normal, but instead of using SuperCom_LAC as the L2TP client name, a different LAC client name is used to identify FastFoods (in our case, it is FastFoods_LAC). The SuperCom RADIUS server (which is not shown) supplies this information. When the San Jose VHG/PE router receives the L2TP request, it searches for a VPDN-group that matches the LAC client name (in the terminate-from host command) and then uses the associated virtual-template. The virtual-template provides the information that allows the San Jose VHG/PE router direct access to the FastFoods RADIUS server with the FastFoods VRF so that elvis@fastfoods.com can be authenticated.

The SuperCom LAC/NAS configuration remains the same as the VPDN scenario. However, the configuration changes required for per-VRF AAA for the other components are shown in the following sections.

Configuring the SuperCom San Jose PE Router

The San Jose VHG/PE router requires several configuration changes. First, you must configure an AAA server group that defines the details of the FastFoods RADIUS server. The configuration for the FastFoods RADIUS server is shown in Example 2-61.

To support the possibility of overlapping addresses of customer RADIUS servers when there are multiple VRFs using the customer AAA feature, a new command server-private has been defined under the server group. This allows RADIUS servers that have the same IP address to be defined but associated with a different VRF. The server group also associates the VRF where the private RADIUS server is located. In our example, the FastFoods VRF uses the RADIUS server 10.2.1.5 located at Lyon, which is directly reachable in the VRF routing table. In addition, you must configure a method list for authentication and authorization for the FastFoods server group. The virtual-template for FastFoods uses these method lists.

Example 2-61. Configuring the FastFoods RADIUS Server Group

aaa group server radius SG_FastFoods
 server-private 10.2.1.5 auth-port 1645 acct-port 1646 key Two4a$
 ip vrf forwarding FastFoods
!
aaa authentication ppp FastFoods_List group SG_FastFoods
aaa authorization network FastFoods_List group SG_FastFoods

Next, you must define RADIUS-specific commands for the VRF, as shown in Example 2-62. In our case, the FastFoods RADIUS server contains unqualified usernames (no "@fastfoods.com"); therefore, the first command strips off the domain name for any access-requests in the FastFoods VRF. The second command provides a source address in the VRF that allows the FastFoods RADIUS server to reach the San Jose PE router.

Example 2-62. FastFoods RADIUS-Specific Commands for per-VRF AAA

radius-server domain-stripping vrf FastFoods
!
ip radius source-interface lo10 vrf FastFoods

Finally, the FastFoods-specific vpdn-group and virtual-template are configured, as shown in Example 2-63. Note that the hostname for the vpdn-group matches the tunnel client name attribute from the SuperCom RADIUS server FastFoods domain entry. Any FastFoods PPP sessions that are established over the L2TP tunnel for this vpdn-group use virtual-template3. The virtual template defines all the relevant information to create a virtual-access interface in the FastFoods VRF, including which AAA method list to use for the FastFoods users. The FastFoods_List causes the access-request message to be sent to the FastFoods RADIUS server 10.2.1.5 with a source address of 192.168.2.100 (loopback 10).

Example 2-63. VPDN and Virtual Template Configuration for per-VRF AAA

vpdn-group 2
 accept-dialin
  protocol l2tp
  virtual-Template 3
 terminate-from hostname FastFoods_LAC
 local name SuperCom_LNS
 l2tp tunnel password vision
!
interface virtual-Template3
 ip vrf forwarding FastFoods
 ip unnumbered Loopback10
 peer default ip address dhcp-pool
 ppp authentication chap FastFoods_List
 ppp authorization FastFoods_List

SuperCom RADIUS Server Attributes

The only attribute that changes for the FastFoods domain entry is the name of the Tunnel client, which is FastFoods_LAC (see Table 2-15).

Table 2-15. SuperCom RADIUS Attributes for per-VRF AAA

Attribute (Type)              Value
User-Name (1)                 fastfoods.com
User-Password (2)             cisco
Tunnel-Type (64)              3 (L2TP)
Tunnel-Medium-Type (65)       1 (IPv4)
Tunnel-Server-Endpoint (67)   194.22.15.2 (San Jose VHG/PE)
Tunnel-Password (69)          vision
Tunnel-Client-Auth-ID (90)    FastFoods_LAC
Tunnel-Server-Auth-ID (91)    SuperCom_LNS

Verifying per-VRF AAA Operation
Now that per-VRF AAA has been configured for FastFoods, when elvis@fastfoods.com and jimi@fastfoods.com dial in again, they are associated with vpdn-group 2. This is because the tunnel client name FastFoods_LAC was provided with the L2TP tunnel request from the San Jose LAC/NAS. All other non-FastFoods users, such as EuroBank user "eric", still use vpdn-group 1, with the SuperCom RADIUS server providing most of the interface configuration. You can verify this by examining the VPDN information on the San Jose VHG/PE router, as shown in Example 2-64.

Example 2-64. Verifying VPDN Connection Information

SanJose_PE#show vpdn

L2TP Tunnel and Session Information Total tunnels 2 sessions 3

LocID  RemID  Remote Name    State  Remote Address  Port  Sessions  VPDN Group
36418  11895  SuperCom_LAC   est    194.22.15.26    1701  1         1

LocID  RemID  TunID  Intf  Username            State  Last Chg
14     54     36418  Vi6   eric@eurobank.com   est    2d08h

LocID  RemID  Remote Name    State  Remote Address  Port  Sessions  VPDN Group
47519  24880  FastFoods_LAC  est    194.22.15.26    1701  2         2

LocID  RemID  TunID  Intf  Username             State  Last Chg
20     60     47519  Vi4   elvis@fastfoods.com  est    00:00:56
21     61     47519  Vi5   jimi@fastfoods.com   est    00:00:08

The RADIUS debug output in Example 2-65 shows the Access-Request message for user "elvis" being sent directly to the FastFoods RADIUS server 10.2.1.5 by using the RADIUS source address (NAS-IP-Address) of 192.168.2.100, which is loopback 10 (used for preinstantiation of the FastFoods VRF). Note that the domain name has been stripped off the username.

Example 2-65. Access-Request DEBUG for per-VRF AAA

RADIUS(00000036): Send to unknown id 1645/24 10.2.1.5:1645, Access-Request, len 82
RADIUS:  authenticator 39 FA 82 72 D4 E1 72 92 - EA 1A DA 33 48 6E 5A A0
RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
RADIUS:  User-Name           [1]   6   "elvis"
RADIUS:  CHAP-Password       [3]   19  *
RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
RADIUS:  Service-Type        [6]   6   Framed                    [2]
RADIUS:  NAS-IP-Address      [4]   6   192.168.2.100
RADIUS:  Nas-Identifier      [32]  13  "SanJose_PE."
RADIUS: Received from id 1645/24 10.2.1.5:1645, Access-Accept, len 20
RADIUS:  authenticator 14 A1 41 83 94 A9 60 29 - 52 C8 47 16 72 E2 46 3A
RADIUS(00000036): Received from id 1645/24
2d08h: %LINK-3-UPDOWN: Interface Virtual-Access4, changed state to up

Examining the characteristics of the virtual-access4 interface for elvis@fastfoods.com, you can see that it was cloned from virtual-template3, as defined in vpdn-group 2 (see Example 2-66).

Example 2-66. Virtual-Access Interfaces

SanJose_PE#show interface virtual-access 4
Virtual-Access4 is up, line protocol is up
  Hardware is Virtual Access interface
  Interface is unnumbered. Using address of Loopback10 (192.168.2.100)
  MTU 1500 bytes, BW 256 Kbit, DLY 100000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, LCP Open
  Open: IPCP
  PPPoVPDN vaccess, cloned from Virtual-Template3
  Protocol l2tp, tunnel id 25317, session id 12, loopback not set
[snip]

DHCP Relay: VPN Support
This feature provides VRF-aware support for DHCP Relay and allows a single DHCP server to support DHCP clients in different VRFs, which might have overlapping address spaces. The DHCP server can be located in the global table, allowing the service provider to offer DHCP services, in a local VRF (that is, the one the client resides in), or in a remote VRF (that is, an extranet VPN).

NOTE

The DHCP server must have the capability to support overlapping address pools for this feature to work.

This feature allows a DHCP relay agent to provide additional information in the DHCP request to allow the DHCP server to identify the correct VPN namespace for IP address assignment or policy application. This additional information is provided by using the DHCP Relay Agent Information option, known as Option 82. The relay agent uses Option 82 to convey information in the form of suboptions. For DHCP VPN-related activities, the suboptions used are as follows:

VPN-ID— The relay agent uses this suboption to convey to the DHCP server the VPN that the DHCP request is associated with. The relay agent also uses VPN-ID to identify the VRF for any replies from the DHCP server. The identifier can consist of either the VRF name or the VPN ID as defined in RFC 2685.

NOTE

Configuration of a VPN ID for a VPN is optional. You can still use the VRF name to identify configured VPNs in the router. The VRF name is not affected by the VPN ID configuration. The identification mechanisms are independent of each other.

Subnet-selection— This suboption identifies the IP subnet in the VRF that the request originated from. In normal relay agent processing, the subnet is derived from the gateway address (giaddr) of the relay agent. The DHCP server also uses the giaddr to communicate with the relay agent. However, when relaying a request from a VRF, the giaddr is the address configured on the VRF interface, which might not be visible to the DHCP server. Therefore, the subnet-selection suboption allows separation of the client subnet from the address used to communicate with the DHCP server. This will be explained in the example provided later in this section.

Server-ID-override— After a client has been allocated an IP address, it sends renew or release packets directly to the DHCP server. However, the DHCP server might not be directly reachable from the client VRF. (It might be in the global table.) The Server-ID-override suboption is used to change the IP address of the DHCP server in reply packets to the VRF interface address of the relay agent. The relay agent inserts its VRF interface address into this suboption when it first relays the request. When the reply is returned, the value of this field is then copied to the DHCP server address option; therefore, the client is "tricked" into sending its renew/release packets directly to the relay agent.

NOTE

The DHCP server must also support DHCP Option 82 as well as provide a mechanism to manage overlapping addresses from different name spaces. This capability is available in Version 5.5 of the Cisco Network Registrar.
Figure 2-28 shows VPN-aware DHCP Relay operation for the EuroBank Palo Alto CPE that is connected to the SuperCom network by using DSL. In this scenario, the CPE is connected by using RFC 1483 bridged encapsulation, and the VRF ATM interface at the San Jose PE router is configured with route bridge encapsulation (RBE). Therefore, it behaves as if it were a LAN interface. The DHCP server is located in the SuperCom global routing table, which does not have direct reachability to the 10.6.1.0/24 subnet of EuroBank Palo Alto.

Figure 2-28. VPN-Aware DHCP Relay Operation

The DHCP relay operation can be summarized in the following steps:

Step 1. A client on the Palo Alto subnet 10.6.1.0/24 requests an address by broadcasting a DHCP Discover message. This message contains information such as the MAC address and hostname. This is carried in a bridged packet toward the San Jose PE router.

Step 2. The San Jose PE router acting as the relay agent receives the packet. Before forwarding it to the SuperCom DHCP server, the San Jose PE router adds the relay agent information (Option 82) as follows: VPN-ID = "EuroBank", Subnet-Selection = "10.6.1.0/24", Server-ID-Override = "10.6.1.1". The giaddr field is set to 194.22.15.17, which is the outgoing interface address in the global routing table that is reachable from the SuperCom DHCP server.

Step 3. The relay agent unicasts the DHCP Discover message toward the SuperCom DHCP server 194.22.16.3.

Step 4. The DHCP server receives the packet and uses the VPN-ID and Subnet-Selection suboptions to allocate an address from the correct VPN namespace.

Step 5. The DHCP server sends the DHCP Offer back to the San Jose PE router by using the value of the giaddr field, which was 194.22.15.17.

Step 6. The relay agent removes the Option 82 information.

Step 7. The DHCP Offer is unicast (using the MAC address) to the requesting client.

Step 8. The client then confirms its received address by broadcasting a DHCP Request toward the relay agent.

Step 9. The San Jose PE router then adds the Option 82 information.

Step 10. The DHCP Request message is then relayed to the SuperCom DHCP server.

Step 11. The DHCP server then formally allocates the address, using the Option 82 information to access the correct namespace.

Step 12. A DHCP Acknowledge is then forwarded to the San Jose PE router.

Step 13. The San Jose PE router receives the DHCP Ack message and changes the DHCP server ID to the address in the Server-ID-Override, which is 10.6.1.1.

Step 14. The acknowledge is then forwarded directly to the DHCP client.

Step 15. Any subsequent renew or release messages are sent directly to 10.6.1.1. When the San Jose PE router receives these messages, it adds the Option 82 information and relays the packet toward the SuperCom DHCP server.
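The following Python example, added here and not taken from the book or from Cisco IOS, plays the fifteen steps as a message exchange between a client, the San Jose PE acting as relay agent, and a VPN-aware DHCP server, using the addresses of Figure 2-28. It goes one step beyond the figure: a second, hypothetical VRF on the same PE reuses 10.6.1.0/24, which shows how the server keeps two overlapping namespaces apart. The Option 82 sub-option codes (VPN-ID 151, subnet-selection 5, server-ID-override 152), the /24 mask assumed for the subnet-selection value, and the hypothetical FastFoods VPN ID ACDE48:26 on interface ATM2/0.2 are assumptions rather than values from the chapter.

```python
import socket
import struct

# Sub-option codes are assumptions (the values Cisco IOS used for these sub-options);
# message framing follows RFC 2131 (DHCP) and RFC 3046 (Option 82).
SUB_VPN_ID, SUB_SUBNET_SEL, SUB_SERVER_ID_OVERRIDE = 151, 5, 152
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_RELAY_INFO, OPT_END = 53, 54, 82, 255
DISCOVER, OFFER, REQUEST, ACK, BOOTREQUEST, BOOTREPLY = 1, 2, 3, 5, 1, 2
MAGIC, ZERO4 = b"\x63\x82\x53\x63", b"\0" * 4
HDR = struct.Struct("!BBBB4sHH4s4s4s4s16s64s128s4s")  # fixed 240-byte BOOTP header
ip, ip_str = socket.inet_aton, socket.inet_ntoa

def vpn_id(oui_hex, index_hex):
    """RFC 2685 VPN ID: 3-octet OUI + 4-octet index, so ACDE48:27 becomes 7 bytes."""
    return bytes.fromhex(oui_hex) + int(index_hex, 16).to_bytes(4, "big")

# Relay-agent configuration on the PE. ATM2/0.1 is the chapter's EuroBank RBE interface; ATM2/0.2
# is a hypothetical second VRF that reuses 10.6.1.0/24 to show the overlapping-address case.
GLOBAL_SRC, HELPER = "194.22.15.17", "194.22.16.3"
VRF_IFACES = {
    "ATM2/0.1": dict(vrf="EuroBank", vpn=vpn_id("ACDE48", "27"), addr="10.6.1.1", subnet="10.6.1.0"),
    "ATM2/0.2": dict(vrf="FastFoods", vpn=vpn_id("ACDE48", "26"), addr="10.6.1.1", subnet="10.6.1.0"),
}

def decode_tlvs(raw):  # code/length/value items; options and Option 82 sub-options share this shape
    out, i = [], 0
    while i < len(raw) and raw[i] != OPT_END:
        code, ln = raw[i], raw[i + 1]
        out.append((code, raw[i + 2:i + 2 + ln]))
        i += 2 + ln
    return out

def encode_tlvs(tlvs):
    return b"".join(bytes([c, len(d)]) + d for c, d in tlvs)

def unpack(pkt):
    f = HDR.unpack(pkt[:HDR.size])
    if f[14] != MAGIC:
        raise ValueError("not a DHCP packet")
    return dict(op=f[0], xid=f[4], yiaddr=f[8], giaddr=f[10], chaddr=f[11][:6], options=decode_tlvs(pkt[HDR.size:]))

def pack(p):
    hdr = HDR.pack(p["op"], 1, 6, 0, p["xid"], 0, 0, ZERO4, p["yiaddr"], ZERO4, p["giaddr"],
                   p["chaddr"].ljust(16, b"\0"), b"\0" * 64, b"\0" * 128, MAGIC)
    return hdr + encode_tlvs(p["options"]) + bytes([OPT_END])

def relay_to_server(pkt, iface):
    """Steps 2-3: add the three VPN sub-options, then set giaddr to the global-table address the
    server can reach (10.6.1.1 itself is invisible from the global table)."""
    cfg, p = VRF_IFACES[iface], unpack(pkt)
    if p["giaddr"] == ZERO4 and any(c == OPT_RELAY_INFO for c, _ in p["options"]):
        raise ValueError("Option 82 arriving from a client-facing port is dropped (RFC 3046)")
    sub = [(SUB_VPN_ID, cfg["vpn"]), (SUB_SUBNET_SEL, ip(cfg["subnet"])),
           (SUB_SERVER_ID_OVERRIDE, ip(cfg["addr"]))]
    p["options"] = p["options"] + [(OPT_RELAY_INFO, encode_tlvs(sub))]
    p["giaddr"] = ip(GLOBAL_SRC)
    return HELPER, pack(p)

LEASES = {}  # (vpn-id, subnet, chaddr) -> address; the server keys its pools by VPN namespace

def server_handle(pkt):
    """Steps 4 and 11: a constructed VPN-aware server. The pool is chosen by (VPN-ID, subnet-selection)
    and assumed to be a /24; Option 82 is echoed back unchanged and the reply goes to giaddr."""
    p = unpack(pkt)
    opts = dict(p["options"])
    sub = dict(decode_tlvs(opts[OPT_RELAY_INFO]))
    key = (sub[SUB_VPN_ID], sub[SUB_SUBNET_SEL])
    used = {a for (v, s, _), a in LEASES.items() if (v, s) == key}
    base = int.from_bytes(key[1], "big")
    addr = LEASES.get(key + (p["chaddr"],)) or next(
        (base + h).to_bytes(4, "big") for h in range(2, 255) if (base + h).to_bytes(4, "big") not in used)
    LEASES[key + (p["chaddr"],)] = addr
    kind = OFFER if opts[OPT_MSG_TYPE][0] == DISCOVER else ACK
    reply = dict(p, op=BOOTREPLY, yiaddr=addr, options=[(OPT_MSG_TYPE, bytes([kind])),
                 (OPT_SERVER_ID, ip(HELPER)), (OPT_RELAY_INFO, opts[OPT_RELAY_INFO])])
    return ip_str(p["giaddr"]), pack(reply)

def relay_to_client(pkt):
    """Steps 6 and 13: pick the VRF from the VPN-ID sub-option, strip Option 82, and rewrite the
    Server Identifier to the override value so renew/release traffic comes back to the PE."""
    p = unpack(pkt)
    opts = dict(p["options"])
    if p["op"] != BOOTREPLY or OPT_RELAY_INFO not in opts:
        raise ValueError("reply without our Option 82 is not forwarded")
    sub = dict(decode_tlvs(opts[OPT_RELAY_INFO]))
    vrf = next(c["vrf"] for c in VRF_IFACES.values() if c["vpn"] == sub[SUB_VPN_ID])
    p["options"] = [(c, sub[SUB_SERVER_ID_OVERRIDE] if c == OPT_SERVER_ID else d)
                    for c, d in p["options"] if c != OPT_RELAY_INFO]
    return vrf, pack(p)

def dhcp_exchange(iface, chaddr):
    """Run DISCOVER/OFFER and REQUEST/ACK through relay and server; return what the client sees."""
    result = {}
    for i, msg in enumerate((DISCOVER, REQUEST)):
        req = pack(dict(op=BOOTREQUEST, xid=bytes([0, 0, 0, i + 1]), yiaddr=ZERO4, giaddr=ZERO4,
                        chaddr=chaddr, options=[(OPT_MSG_TYPE, bytes([msg]))]))
        dest, up = relay_to_server(req, iface)
        reply_to, down = server_handle(up)
        vrf, final = relay_to_client(down)
        fin = unpack(final)
        opts = dict(fin["options"])
        result.update(vrf=vrf, relayed_to=dest, reply_to=reply_to, yiaddr=ip_str(fin["yiaddr"]),
                      server_saw_giaddr=ip_str(unpack(up)["giaddr"]), msg_type=opts[OPT_MSG_TYPE][0],
                      server_id=ip_str(opts[OPT_SERVER_ID]), option82_leaked=OPT_RELAY_INFO in opts)
    return result
```

Calling dhcp_exchange("ATM2/0.1", bytes.fromhex("000347bb2f12")) returns the EuroBank client's view of the exchange: an address of 10.6.1.2, a Server Identifier of 10.6.1.1 (the override value, so renewals go to the PE), and no Option 82, while the packet the server saw carried giaddr 194.22.15.17. One check the chapter does not mention but a relay should make: a request that arrives from a client-facing port already carrying Option 82 (giaddr still zero) is dropped, as RFC 3046 recommends, so a client cannot supply its own VPN-ID sub-option and have the server consult another customer's pool.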

Configuring the San Jose PE Router

The only configuration changes that are necessary apply to the San Jose PE router. Several commands have been introduced or modified to support the DHCP Relay—VPN Support feature and are shown in the following configuration (see Example 2-67), which applies to the DSL RFC 1483 scenario discussed previously.

The command ip dhcp relay information option vpn inserts the DHCP Relay Agent Information option (Option 82) into any DHCP requests that the San Jose PE router receives. In particular, the vpn keyword ensures that the three VPN-related suboptions—VPN-ID, Subnet-Selection, and Server-ID-Override—are added.

NOTE

Option 82 can also be used to convey suboptions that are unrelated to VPNs, such as the circuit identifier suboption and the remote ID suboption used in cable access.

Example 2-67. DHCP Relay Configuration

ip dhcp relay information option vpn
!
ip vrf EuroBank
 rd 10:27
 vpn id ACDE48:27
 route-target export 10:27
 route-target import 10:27
!
interface ATM2/0.1 point-to-point
 description RBE connection to Palo Alto DSL CPE
 ip vrf forwarding EuroBank
 ip address 10.6.1.1 255.255.255.0
 ip helper-address global 194.22.16.3
 no ip mroute-cache
 atm route-bridged ip
 pvc 1/32
  ubr 256
  encapsulation aal5snap
!

The vpn id command under the VRF configuration allows a unique ID that is distinct from the VRF name to be allocated. The VPN ID is specified in the format defined by RFC 2685 and consists of the following elements:

An Organizational Unique Identifier (OUI) that consists of a three-octet hex number. The IEEE Registration Authority assigns OUIs to any company that manufactures components under the ISO/IEC 8802 standard. The OUI generates universal LAN MAC addresses and protocol identifiers for use in local and metropolitan-area network (MAN) applications. For example, an OUI for Cisco Systems is 00-03-6B (hex).

A VPN index, consisting of a four-octet hex number, which identifies the VPN within the company.

Our example used ACDE48 as the OUI, which is defined by the IEEE to represent private use. The VPN index used is the same as the unique identifier used in the Route-Distinguisher.

The ip helper-address command has been modified to support a DHCP server address that is reachable in the global routing table, another VRF, or the local VRF. It now takes the form ip helper-address [vrf name | global] address. If neither the vrf nor the global keyword is used, the DHCP server address must be reachable in the local VRF.

Our example uses the SuperCom DHCP server, which is reachable on the management LAN in the global routing table.

Verifying VPN-Aware DHCP Relay Operation

The output shown in Example 2-68 is a debug of DHCP activity on the San Jose PE router when a client on the Palo Alto LAN requests a DHCP address. The first section shows the DHCP Discover being received with the giaddr initially being set to 10.6.1.1 (the incoming interface address). The Option 82 information is added, and the giaddr is then overwritten with the outgoing global interface address on the San Jose PE router (the interface that is used to reach the DHCP server). The next sections show the BOOTREPLY from the DHCP server (containing the DHCP Offer), followed by the DHCP Request from the client and then another BOOTREPLY (containing the DHCP Ack).

Example 2-68. VPN-Aware DHCP Relay Debug Output

DHCPD: DHCPDISCOVER received from client 0100.0347.bb2f.12 on interface ATM2/0.1.
DHCPD: there is no address pool for 10.6.1.1.
DHCPD: setting giaddr to 10.6.1.1.
DHCPD: adding relay information option.
DHCPD: VPN id =ACDE48:27
DHCPD: Selected subnet=10.6.1.0
DHCPD: Server-id-override=10.6.1.1
DHCPD: giaddr changed to 194.22.15.17
DHCPD: BOOTREQUEST from 0100.0347.bb2f.12 forwarded to 194.22.16.3.
DHCPD: forwarding BOOTREPLY to client 0003.47bb.2f12.
DHCPD: Vrf name from sub-option = EuroBank
DHCPD: Forwarding reply on numbered intf
DHCPD: creating ARP entry (10.6.1.2, 0003.47bb.2f12).
DHCPD: unicasting BOOTREPLY to client 0003.47bb.2f12 (10.6.1.2).
DHCPD: DHCPREQUEST received from client 0100.0347.bb2f.12.
DHCPD: setting giaddr to 10.6.1.1.
DHCPD: adding relay information option.
DHCPD: VPN id =ACDE48:27
DHCPD: Selected subnet=10.6.1.0
DHCPD: Server-id-override=10.6.1.1
DHCPD: giaddr changed to 194.22.15.17
DHCPD: BOOTREQUEST from 0100.0347.bb2f.12 forwarded to 194.22.16.3.
DHCPD: forwarding BOOTREPLY to client 0003.47bb.2f12.
DHCPD: Vrf name from sub-option = EuroBank
DHCPD: Forwarding reply on numbered intf
DHCPD: creating ARP entry (10.6.1.2, 0003.47bb.2f12).
DHCPD: unicasting BOOTREPLY to client 0003.47bb.2f12 (10.6.1.2).

Summary
Remote access to an MPLS VPN supports many different access technologies. These include PSTN and ISDN dial-in and dial-out, all DSL encapsulation modes, and cable access using a • DOCSIS-1.0Table of Contents compliant network. By centralizing configuration and addressing functions on • Index service provider or customer AAA/DHCP servers, a highly scalable remote access solution can MPLS and VPN Architectures, Volume II be built. In addition, many features have been introduced or enhanced in Cisco IOS to provide VRF-aware support, Apcar ByJim Guichard, Ivan Pepelnjak, Jeffincluding ODAPs, per-VRF AAA, DHCP Relay—VPN Support, and VPN-ID among others. The use of these features and the architectures described throughout this chapter allows a service provider to build a single remote access infrastructure that many Publisher: Cisco Press customers can share. Remote access to an MPLS VPN allows a customer to obviate the need Pub Date: June 06, 2003 to build, manage, and maintain his own remote access infrastructure, lowering costs and ISBN: 1-58705-112-5 improving coverage. Service providers can generate new revenue streams by assuming Pages: 504 responsibility of remote access provisioning on behalf of the customer.


Chapter 3. PE-CE Routing Protocol Enhancements and Advanced Features
The initial implementation of the Cisco Systems Inc. Multiprotocol Label Switching (MPLS) virtual private network (VPN) architecture provided support for several, but not all, routing protocols between the provider edge (PE) routers and customer edge (CE) routers. This initial support included Border Gateway Protocol (BGP-4), static routing, Routing Information Protocol (RIP) version 2 and Open Shortest Path First (OSPF), each of which was described in detail in the first volume of this book. Deployment experience has shown that the majority of services have been provisioned using either static routing or BGP-4. However, this combination is changing as MPLS technology has gained more acceptance among a diverse mix of end customers. Many of these customers have more complex routing topologies that are best served through more integration with the customer Interior Gateway Protocol (IGP).

Because of this change, several enhancements have been added to the support of the OSPF protocol, and the ability to run either Enhanced Interior Gateway Routing Protocol (EIGRP) or Integrated Intermediate-System to Intermediate-System (IS-IS) has been added to the list of PE-CE protocols. This chapter describes the enhancements made to the OSPF protocol. It also provides a detailed look at how EIGRP and IS-IS have been implemented and how each is configured at the PE routers.

NOTE

As with all other PE-CE routing protocols, when introducing EIGRP or IS-IS between the service provider and the VPN customer, no additional protocol changes are required at the CE routers. They can continue to run standard IOS images.

Throughout this chapter, we will refer to the sample service provider topology, as shown in Figure 3-1. All relevant IP address ranges for the service provider backbone and attached VPN customers are shown in Table 3-1.

Figure 3-1. Sample Service Provider Topology


Table 3-1. IP Address Assignment for SuperCom Backbone
Company     Site                        Subnet
FastFoods   San Jose                    195.12.2.0/24
            Lyon                        10.2.1.0/24
EuroBank    San Francisco               10.2.1.0/24
            London                      196.7.24.0/24
            Paris                       196.7.25.0/24
            Washington                  196.7.26.0/24
SuperCom    Paris (Loopback 0)          194.22.15.1/32
            San Jose (Loopback 0)       194.22.15.2/32
            Washington (Loopback 0)     194.22.15.3/32
            PE-CE Interface Addresses   192.168.2.0/24

PE-CE Connectivity: OSPF
The use of OSPF for PE-CE connectivity was extensively covered in Volume 1 of this publication. However, various enhancements have been made since Volume 1 was first published that increase the viability of deploying this particular routing protocol. Therefore, it is useful to provide a quick review of how OSPF is used in this environment and then describe the enhancements that have been applied to the architecture.

Before diving into the details of these enhancements, it is perhaps helpful to review why OSPF might be chosen as the routing protocol on the PE-CE link. It is clear that OSPF is a complex routing protocol that might not suit all environments. Indeed, it is probably fair to say that OSPF might only be desirable for VPN customers who want to retain OSPF within each of their sites, either during a migration or on a permanent basis.

There are many reasons why customers might want to retain their OSPF configurations, although the most common reasons are as follows:

- Prevention of a large number of external routes within the OSPF topology
- Provision of a more flexible topology that is able to support backdoor connectivity between customer sites
- Avoidance of having to redistribute OSPF information into other protocols such as BGP-4 or RIP version 2 at the CE routers
- Avoidance of having to learn/support another routing protocol such as BGP-4 at the network edge

NOTE

Redistribution is a mechanism that allows a router to move routes from one protocol (or static entry) in its routing table to another routing protocol. The desire to restrict the amount of redistribution can be extremely important in a normal OSPF environment. This is because a route that is redistributed into OSPF will appear as an external OSPF route within the topology. The OSPF protocol dictates that external routes be flooded across the whole OSPF domain, which increases the overhead of the protocol as well as the CPU load on all routers that are participating in the OSPF domain.

Certain OSPF area types, such as stub or totally stubby, can be deployed so that external routes are not sent into the area. However, this can have the drawback of suboptimal routing because the area does not have the full topology information in which to make a decision on the best exit point toward the OSPF backbone for a particular external route.

Due to the tight integration of OSPF with Multiprotocol BGP used in the MPLS VPN backbone, the use of OSPF does not necessitate the generation of external routes when redistributing between VPN sites and Multiprotocol BGP. Using OSPF as the PE-CE routing protocol is better from the customer's perspective than redistribution from BGP into OSPF at the customer site.

OSPF PE-CE Connectivity Requirements

To facilitate the multitude of possible OSPF topologies and to provide connectivity between VPN sites that run the OSPF protocol, an additional level of routing hierarchy, referred to as the MPLS VPN Superbackbone, is required. This additional level of hierarchy is necessary so that VPN sites can run independent OSPF processes and learn routes from other VPN sites without the necessity of a direct adjacency with those sites.

The OSPF protocol already provides two levels of hierarchy: the backbone (area 0) and nonbackbone areas that have to be directly attached to the backbone. The third level of hierarchy, which the MPLS VPN architecture provides, exists above the normal backbone area (if it exists). To help illustrate this point, Figure 3-2 shows how a particular VPN client might attach to an MPLS VPN environment.

Figure 3-2. OSPF Client Connectivity to an MPLS VPN Backbone

There are a couple of interesting observations that you can make from Figure 3-2. The first is that multiple OSPF backbone areas (Area 0) are possible within the same VPN customer environment. Each site can choose to run an independent backbone area, or multiple sites can act collectively as one backbone area through the use of sham-links.

NOTE

Sham-links are discussed in more detail in the section titled "VPN Client Backdoor Links" later in this chapter.

When backbone areas are used within a VPN customer topology, the only caveat to be aware of is that any site configured to run an OSPF backbone area must be attached directly with the MPLS VPN Superbackbone, either through a direct link or a virtual link. This is mandatory because the PE routers always act as Area Border Routers (ABRs) and need to be able to exchange intra-area information with other ABR or backbone area routers.

The second interesting observation is that you can have a complete OSPF domain, with backbone and nonbackbone areas, attached to a single Virtual Routing & Forwarding instance (VRF) at the PE router. This is possible because the PE router acts as an ABR and presents all OSPF areas behind the MPLS VPN backbone as nonbackbone areas to the local OSPF domain.
NOTE

If multiple areas are attached to the same VRF, then the backbone area must exist within the VRF. This is necessary to provide connectivity between these nonbackbone areas. Assigning a loopback interface to the VRF and placing this loopback within the backbone area can achieve it.

Basic OSPF Operation Between PE and CE Routers
In MPLS and VPN Architectures (Volume I), Chapter 9, "MPLS/VPN Architecture Overview," several steps were highlighted that are necessary when you are initially provisioning a new VPN customer. With the exception of Step 4, we will not expand on these further within this chapter. However, it is important to understand that these steps are the basic building blocks of the VPN and are required regardless of the PE-CE protocol that will be used for the VPN customer:

1. Define and configure the VRFs.
2. Define and configure the route distinguishers.
3. Define and configure the import and export policies.
4. Configure the PE-CE links.
5. Associate the CE interfaces to the previously defined VRFs.
6. Configure Multiprotocol BGP.
7. Mutually redistribute (except in the case of BGP on the PE-CE links) routes between Multiprotocol BGP and the routing protocol on the PE-CE links.
Although each OSPF interface is associated with a particular VRF, it is necessary to provide a mechanism whereby the PE router is able to distinguish which routes belong to which VRFs, and to understand which interfaces belong to which OSPF processes. To achieve this aim, a separate OSPF process is necessary for each VRF that will receive VPN routes via OSPF.

Due to the complexity of OSPF and the associated topology database, the option to use different routing contexts (as with BGP-4 and RIP version 2, for example) is not currently available in Cisco IOS. Therefore, a different OSPF process (with a different process-id) is required per VRF. Future IOS releases will provide context support. Figure 3-3 shows the separation of each OSPF process and its association with a particular VRF.

Figure 3-3. OSPF Process Separation and Association with VRFs

The separation of different VRFs into independent OSPF processes is achieved using an extension to the router ospf command, as illustrated in Example 3-1.

Example 3-1. Separation of VRFs into Different OSPF Processes

router OSPF <OSPF Process ID> VRF <vrf-name>

The PE router from Figure 3-3 is configured to support the attachment of the EuroBank and FastFoods VPN customers by using the router OSPF command, as shown in Example 3-2.

Example 3-2. Use of Router OSPF Command for Multiple OSPF Processes

router ospf 100 vrf FastFoods
 network 192.168.2.16 0.0.0.3 area 1
!
router ospf 101 vrf EuroBank
 network 192.168.2.12 0.0.0.3 area 1

Selection of the OSPF process-id for each VPN client is important because it determines how the routes received from CE routers at this site are advertised into the OSPF topology of other sites. By default, the process-id must be the same on all PE routers; otherwise, the OSPF routes transported across the MPLS VPN backbone will be inserted as external routes (type 5 LSAs) in the local OSPF domain, instead of interarea (type 3 LSAs) routes. This process is described in more detail in the later section "Controlling LSA Type Generation at PE Routers." You can control the process through the use of a domain-id.

NOTE

Using the same process-id for a given VPN can be problematic because more than one VRF might want to use the same process-id on the PE router. This is not possible; therefore, the domain-id becomes an important tool.

NOTE
The OSPF process-id was not taken into account in early Cisco IOS implementations of OSPF on the PE-CE links, and all intra-area OSPF routes were advertised as interarea routes into the OSPF topology database at other PE routers. The process-id value became important only with the introduction of support for OSPF domains in IOS releases 12.1(4.4)T, 12.1(4.4), and 12.0(16.3)ST. Take special care when upgrading your IOS software to a release that supports OSPF domains inside an MPLS VPN; the upgrade might break your customer's OSPF routing due to the different method of PE router link-state advertisement (LSA) generation.

The last step within the provisioning process of an OSPF VPN customer is to make sure that locally received OSPF routes are redistributed into Multiprotocol BGP and that remote OSPF routes are redistributed into the local OSPF process from Multiprotocol BGP. The necessary configuration steps for the EuroBank VPN customer are shown in Example 3-3.

Example 3-3. Redistribution for OSPF VPN Customers

interface Serial0/0/0
 description ** interface to EuroBank VPN
 ip vrf forwarding EuroBank
 ip address 192.168.2.14 255.255.255.252
!
router ospf 101 vrf EuroBank
 network 192.168.2.12 0.0.0.3 area 1
 redistribute bgp 10 subnets metric 20
!
router bgp 10
 !
 address-family ipv4 vrf EuroBank
  redistribute ospf 101 match internal external 1 external 2
  no auto-summary
  no synchronization
 exit-address-family

NOTE
It is mandatory to use the subnets option when you are redistributing BGP into OSPF; otherwise, Cisco IOS redistributes only the major networks and supernets. It is also mandatory to use the match command when you are redistributing from OSPF into BGP; otherwise, only the internal OSPF routes are redistributed into BGP.

Changing the OSPF router-id

Each router within an OSPF network needs to hold a unique identifier within the OSPF domain. This identifier is used so that a router can recognize self-originated LSAs and so that other routers can know during routing calculation which router originated a particular LSA. The LSA common header has a field known as the Advertising Router, and this is set to the originating router's router-id.

The router-id that is used for the VRF OSPF process within a Cisco router is selected from the highest loopback address available within the VRF, or if no loopback interface exists, it is selected from the highest interface address. This might be problematic if the interface address selected for the router-id goes down, as a change of router-id is forced, and the OSPF process on the router must restart. The restart of an OSPF process requires rebuilding of its OSPF adjacencies, resynchronization of the OSPF topology databases, and a full SPF run on all routers in all OSPF areas in which the affected router participates. This can cause significant instability within the OSPF domain. Because of this, it is recommended that you set the router-id to a fixed interface address, such as a loopback interface. You can do this by using the router-id command within the OSPF process configuration, as shown in Example 3-4.

Example 3-4. Setting VRF OSPF router-id

SanJose(config)# router ospf 101 vrf EuroBank
SanJose(config-router)# router-id a.b.c.d

NOTE
It is possible to use the same IP address for the loopback interfaces within multiple VRFs. However, even if OSPF processes are in different VRFs, they cannot have the same router-id. In this case, only one of the VRF OSPF processes will use the loopback address as its router-id; the other processes will use the highest interface address within their respective VRFs. Use of the router-id command can make this selection more deterministic; therefore, it is useful to assign a loopback with a unique address to each VRF OSPF process within the VRF.

Monitoring OSPF Running Inside a VRF

After all the necessary configuration steps have been completed, the show ip ospf command can be used to view any OSPF processes that have been created. Example 3-5 shows the OSPF process that was created in Example 3-2 for the EuroBank VPN.

Example 3-5. show ip ospf Command Output Highlighting OSPF Process Creation

SanJose#show ip ospf
 Routing Process "ospf 101" with ID 192.168.2.14 and Domain ID 0.0.0.101
 Supports only single TOS(TOS0) routes
 Supports opaque LSA
 Connected to MPLS VPN Superbackbone
 It is an area border router
 SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
 Minimum LSA interval 5 secs. Minimum LSA arrival 1 secs
 Number of external LSA 3. Checksum Sum 0x209BC
 Number of opaque AS LSA 0. Checksum Sum 0x0
 Number of DCbitless external and opaque AS LSA 0
 Number of DoNotAge external and opaque AS LSA 0
 Number of areas in this router is 1. 1 normal 0 stub 0 nssa
 External flood list length 0

    Area 1
        Number of interfaces in this area is 1
        Area has no authentication
        SPF algorithm executed 6 times
        Area ranges are
        Number of LSA 14. Checksum Sum 0x9BE51
        Number of opaque link LSA 0. Checksum Sum 0x0
        Number of DCbitless LSA 0
        Number of indication LSA 0
        Number of DoNotAge LSA 0
        Flood list length 0

The output from Example 3-5 shows that the EuroBank site from Example 3-2 has been connected to the MPLS VPN Superbackbone and that the PE router is acting as an ABR for the exchange of routing information between EuroBank sites. The number of interfaces that are attached to this particular OSPF process and their relevant area information are also shown.

After OSPF processes for any attached VPN clients have been created, it is possible to start learning routes from the attached sites, as illustrated in Example 3-6.

Example 3-6. Route Population of OSPF VRFs

SanJose#show ip route vrf EuroBank
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

     10.0.0.0/30 is subnetted, 1 subnets
O       10.2.1.40/30 [110/74] via 192.168.2.13, 00:00:17, Serial0/0/0
C    192.168.2.12/30 is directly connected, Serial0/0/0


NOTE

Cisco IOS uses a structure called a Protocol Descriptor Block (PDB) to hold information about each routing process configured on the router. Each router can hold a maximum of 32 PDBs.

At the time of writing this chapter, each VRF OSPF process required the use of a separate PDB; therefore, there is a limitation on the number of VRF OSPF processes that can be run on each PE router. Because the MPLS VPN backbone typically requires four PDBs (backbone IGP, BGP-4, static, and connected), each PE router can support up to 28 separate OSPF processes. If further processes are required, then further PE routers must be deployed. In future versions of IOS, this restriction will be removed by allowing multiple VRFs to share the same process through use of the routing context mechanism.

NOTE
You can obtain the number of PDBs that are currently allocated on a Cisco router by using the show ip protocol summary command.

BGP Extended Community Attributes for OSPF Routes

Multiprotocol BGP (as defined in RFC 2858) is used within an MPLS VPN environment to distribute VPN routing information among PE routers. When OSPF is used on the PE-CE links, there are several things that need to be carried within the Multiprotocol BGP update to allow a receiving PE router to correctly process the incoming VPN routing information.

The MPLS VPN architecture relies on the import and export of routes based on route-target values to build the VPN structure. In addition to the route-target values, the Multiprotocol BGP updates that carry OSPF routes need some additional information to facilitate seamless propagation of OSPF information among customer sites. This information indicates to the receiving PE router what type of OSPF route is contained within the update and what type of LSA should be generated or flooded toward the CE router.

The MPLS VPN architecture makes use of the BGP extended community attribute to convey the type of OSPF route contained within the Multiprotocol BGP update. The format of this attribute is provided in Figure 3-4. This attribute must be present within the Multiprotocol BGP update when carrying OSPF routes.

Figure 3-4. Format of the Extended Community Attribute for OSPF


The first two octets of the attribute define the BGP extended community type, and this is encoded with type 0x0306. The next four octets define the OSPF area where the prefix resides. (This value is set to 0 for autonomous system External routes.) The next octet defines the OSPF route-type. The last octet is used as an optional field, which currently indicates the external metric type.

Several 1-octet route-types are defined. They are generated based on the OSPF LSA type:

Type 1 and 2 intra-area route (router and network LSAs): route-type 2
Type 3 summary route (network-summary LSA): route-type 3
Type 5 autonomous system external route (autonomous system-external LSA): route-type 5
Type 7 not-so-stubby-area (NSSA): route-type 7
Sham-link endpoint addresses: route-type 129

Example 3-7 shows the Multiprotocol BGP update that is generated for the 192.168.2.12/30 subnet from Example 3-2, as well as the associated extended community attributes for the route.

Example 3-7. Multiprotocol BGP Update Showing OSPF Route-Type

SanJose#show ip bgp vpnv4 all 192.168.2.12
BGP routing table entry for 100:251:192.168.2.12/30, version 194
Paths: (1 available, best #1, table EuroBank)
  Advertised to non peer-group peers:
  194.22.15.1 194.22.15.3
  Local
    0.0.0.0 from 0.0.0.0 (194.22.15.2)
      Origin incomplete, metric 0, localpref 100, weight 32768, valid, sourced, best
      Extended Community: RT:1:793 OSPF DOMAIN ID:0.0.0.101 OSPF RT:1:2:0

Using the format of the extended community attribute as shown in Figure 3-4, you can see that the OSPF route-type is set to a value of OSPF RT:1:2:0. The update is from area 1, and it is a Type 2 intra-area route. The last field, which is set to 0, indicates that the prefix is neither a metric Type 1 nor Type 2 external route.

Controlling LSA Type Generation at PE Routers

When Cisco first introduced the ability to run OSPF on the PE-CE links, only the route-type within the Multiprotocol BGP update was taken into consideration when generating LSAs at the PE routers. This meant that all intersite routes were injected as Type 3 LSAs into the attached VPN sites, unless the route-type was set to external, meaning that the original route was redistributed into OSPF from another source.

In most cases, VPN customers run a single OSPF process before migrating to a solution that utilizes the MPLS VPN architecture. For such customers, internal OSPF routes appear as internal routes in other sites, resulting in the desired behavior. Some customers, however, run multiple OSPF processes, perhaps linked with a non-OSPF backbone. For these customers, the default MPLS VPN behavior changes what was previously an external OSPF route into an internal OSPF route. This significantly changes the routing behavior, especially if stub areas are used, because intersite routes are now advertised into the area.

To rectify such issues, the implementation of an OSPF domain-id is required so that the MPLS VPN backbone can identify distinct OSPF domains inside each VPN network that is running OSPF across the PE-CE links. For each OSPF route, the receiving PE router needs to identify the domain to which the route belongs so that the correct LSA type is generated into any relevant attached VPN sites. The format of the domain-id is shown in Figure 3-5.
Figure 3-5. Domain-id Extended Community Format

When the PE router redistributes intersite OSPF routes that originated in a different OSPF domain, it always uses Type 5 LSAs. Within the same OSPF domain, the PE router uses Type 3 LSAs for internal OSPF routes and Type 5 LSAs for external OSPF routes.

NOTE

The type field of the domain-id extended community attribute can be 0x0005, 0x0105, or 0x0205. In the Cisco Systems Inc. implementation, the type field that is currently used is 0x0005, although the format of the global and local administrator fields is as defined for type 0x0105 and 0x0205. (The global administrator field is four octets and carries the domain-id, and the local administrator field is two octets and is ignored.) For example, if the process-id of a particular VPN customer is 101, then the domain-id extended community attribute is encoded as 00 05 00 00 00 65 xx xx (where xx xx is the local administrator field and is ignored).


NOTE
With the introduction of OSPF domain support, each VPN site must use the same OSPF domain-id unless it is desirable for intersite routes to be viewed as external within the OSPF process. The default domain-id is the same as the OSPF process-id, although using the domain-id <ip-address> configuration command might change this. You can view the current domain-id value in the output of the show ip ospf command.
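To make the two encodings concrete, here is an added Python example (not code from the book or from Cisco IOS) that decodes the 8-octet OSPF route-type (type 0x0306) and domain-id (type 0x0005) extended communities exactly as Figures 3-4 and 3-5 and the two notes lay them out, and then applies the LSA-generation rule stated above: Type 3 for an internal route from the same domain, Type 5 whenever the domain differs or the route is external. The sample community bytes are constructed to match Example 3-7 (area 1, route-type 2, domain-id 0.0.0.101); the function names are my own.

```python
"""Decode the BGP extended communities that carry OSPF information in
MPLS VPN updates and pick the LSA type a receiving PE would generate.
Added example, not from the book or from Cisco IOS; function names and the
sample communities below are constructed for illustration."""
import struct
import ipaddress

OSPF_ROUTE_TYPE_COMM = 0x0306                      # type field, per Figure 3-4
DOMAIN_ID_COMM_TYPES = (0x0005, 0x0105, 0x0205)    # per the note; IOS uses 0x0005

ROUTE_TYPE_NAMES = {
    2: "intra-area (router/network LSA)",
    3: "summary (network-summary LSA)",
    5: "AS external (AS-external LSA)",
    7: "NSSA external",
    129: "sham-link endpoint",
}


def decode_route_type_community(comm: bytes) -> dict:
    """Type(2) | area(4) | route-type(1) | option(1): the layout of Figure 3-4."""
    if len(comm) != 8:
        raise ValueError("an extended community is exactly 8 octets")
    type_field, area, route_type, option = struct.unpack("!HIBB", comm)
    if type_field != OSPF_ROUTE_TYPE_COMM:
        raise ValueError(f"type 0x{type_field:04x} is not an OSPF route-type community")
    return {
        "area": area,                        # 0 for AS-external routes
        "route_type": route_type,
        "route_type_name": ROUTE_TYPE_NAMES.get(route_type, "unknown"),
        "external_metric_type": option,      # 0 = not external, 1 = E1, 2 = E2
        # same rendering as the 'show ip bgp vpnv4' line in Example 3-7
        "display": f"OSPF RT:{area}:{route_type}:{option}",
    }


def decode_domain_id_community(comm: bytes) -> dict:
    """Type(2) | global administrator(4) = domain-id | local administrator(2), ignored."""
    if len(comm) != 8:
        raise ValueError("an extended community is exactly 8 octets")
    type_field, global_admin, local_admin = struct.unpack("!HIH", comm)
    if type_field not in DOMAIN_ID_COMM_TYPES:
        raise ValueError(f"type 0x{type_field:04x} is not a domain-id community")
    domain_id = str(ipaddress.IPv4Address(global_admin))   # e.g. 0.0.0.101 for process 101
    return {
        "type": type_field,
        "domain_id": domain_id,
        "local_admin_ignored": local_admin,
        "display": f"OSPF DOMAIN ID:{domain_id}",
    }


def lsa_type_to_generate(route_type: int, route_domain_id: str, local_domain_id: str) -> int:
    """LSA type a PE generates toward its CE for a received intersite route:
    Type 3 for an internal route from the same OSPF domain, Type 5 otherwise."""
    if route_type == 129:
        raise ValueError("sham-link endpoints are not redistributed as LSAs")
    internal = route_type in (2, 3)
    if internal and route_domain_id == local_domain_id:
        return 3
    return 5


# Constructed samples: the two communities an update like Example 3-7 carries.
SAMPLE_ROUTE_TYPE = bytes.fromhex("0306 00000001 02 00")   # area 1, intra-area, not external
SAMPLE_DOMAIN_ID = bytes.fromhex("0005 00000065 abcd")     # process-id 101, local admin ignored

if __name__ == "__main__":
    rt = decode_route_type_community(SAMPLE_ROUTE_TYPE)
    dom = decode_domain_id_community(SAMPLE_DOMAIN_ID)
    print(rt["display"], dom["display"])
    print("PE in domain 0.0.0.101 generates Type",
          lsa_type_to_generate(rt["route_type"], dom["domain_id"], "0.0.0.101"))
    print("PE in domain 0.0.0.200 generates Type",
          lsa_type_to_generate(rt["route_type"], dom["domain_id"], "0.0.0.200"))
```

Running it prints the same `OSPF DOMAIN ID:0.0.0.101 OSPF RT:1:2:0` strings seen in Example 3-7, then Type 3 for a PE whose VRF OSPF process is in the same domain and Type 5 for one in a different domain, which is exactly the behaviour change the domain-id was introduced to get right.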

Prevention of Routing Loops Between OSPF Sites

In many deployment scenarios, it is necessary to provide dual attachment for customer sites to different PE routers, or perhaps have more than one connection from the customer site to the same PE router at the service provider location. This implies that the same set of routes can be advertised into a customer site from multiple points, potentially resulting in the creation of routing loops. To overcome the potential for routing loops, a down bit within the options field of the generic OSPF header is used, as illustrated in Figure 3-6.

Figure 3-6. OSPF Header Showing Options Field and Down Bit

The down bit is set only when a PE router generates a Type 3 summary LSA into an attached site of a particular VPN. After receiving an LSA with the down bit set, a PE router is able to determine that it should ignore the LSA during SPF computation and not redistribute the route into Multiprotocol BGP. You can easily inspect the value of the down bit within the OSPF database with the show ip ospf command, as shown in Example 3-8.

Example 3-8. Examination of the LSA to Check Down Bit Setting
SanJose#show ip ospf data summary 10.3.1.15

            OSPF Router with ID (192.168.1.12) (Process ID 101)

                Summary Net Link States (Area 1)

  LS age: 401
  Options: (No TOS-capability, DC, Downward)
  LS Type: Summary Links(Network)
  Link State ID: 10.3.1.15 (summary Network Number)
  Advertising Router: 192.168.1.12
  LS Seq Number: 80000001
  Checksum: 0xC886
  Length: 28
  Network Mask: /32
        TOS: 0  Metric: 65

Type 5 and Type 7 LSAs also require some kind of mechanism that will prevent them from continually being advertised around the backbone network and between VPN sites. To facilitate this requirement, the originating PE router sets an external route tag—the domain-tag—within the Type 5 or Type 7 LSA. If a PE router receives an LSA that contains the same tag as its locally configured tag, then the PE router knows that another PE router generated this route and the LSA is ignored. The format of the 32-bit domain-tag can be seen in Figure 3-7.


Figure 3-7. Domain-Tag Format

By default, the top 4 bits of the tag are always set to 1101, and the lowest 16 bits are set to the autonomous system number of the MPLS VPN backbone. You can change this default value by using the domain-tag <32-bit value> command within the OSPF process configuration.

Example 3-9 shows the external route tag setting for a particular Type 5 LSA. In this example, the External route tag value of 3489661143 equates to 11010000000000000000000011010111 in binary. This shows that the top 4 bits are set to 1101 and the bottom 16 bits are set to the MPLS VPN backbone autonomous system number of 215.

Example 3-9. External Route Tag Example

SanJose#show ip ospf data external

       OSPF Router with ID (192.168.2.16) (Process ID 100)

                Type-5 AS External Link States

  LS age: 1040
  Options: (No TOS-capability, DC)
  LS Type: AS External Link
  Link State ID: 192.168.2.16 (External Network Number)
  Advertising Router: 10.2.1.49
  LS Seq Number: 8000002B
  Checksum: 0xF59E
  Length: 36
  Network Mask: /32
        Metric Type: 2 (Larger than any link state path)
        TOS: 0
        Metric: 1
        Forward Address: 0.0.0.0
        External Route Tag: 3489661143
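The tag layout just described, carried through in Python as an added example that is not from the book: it encodes and decodes the default domain tag and checks the result against the Example 3-9 value. The field names and the originated_in_backbone check are this example's own; treating bits 16 through 27 as zero in the default format is its assumption.

```python
# Added example, not from the book: encode and decode the default OSPF domain
# tag that a PE router places in the External Route Tag of a Type 5 LSA.
# Layout as described in the text: top 4 bits 1101, bottom 16 bits the
# backbone AS number. Treating bits 16-27 as zero in the default format is
# this example's assumption.
DEFAULT_PREFIX = 0b1101


def build_default_domain_tag(backbone_asn: int) -> int:
    """Return the 32-bit tag a PE sets by default for the given backbone ASN."""
    if not 0 < backbone_asn <= 0xFFFF:
        raise ValueError("the default domain tag carries a 16-bit AS number")
    return (DEFAULT_PREFIX << 28) | backbone_asn


def parse_domain_tag(tag: int) -> dict:
    """Split a 32-bit External Route Tag into the default-format fields."""
    if not 0 <= tag <= 0xFFFFFFFF:
        raise ValueError("tag must fit in 32 bits")
    prefix = tag >> 28                # top 4 bits
    asn = tag & 0xFFFF                # bottom 16 bits
    middle = (tag >> 16) & 0xFFF      # bits 16-27, zero in the default format
    return {
        "binary": format(tag, "032b"),
        "prefix": prefix,
        "asn": asn,
        "is_default_format": prefix == DEFAULT_PREFIX and middle == 0,
    }


def originated_in_backbone(tag: int, backbone_asn: int) -> bool:
    """True when the tag is the one this backbone sets when it redistributes
    Multiprotocol BGP routes into OSPF. A PE that sees its own tag on a Type 5
    LSA received from a CE must not hand the route back into Multiprotocol BGP;
    that routing loop is what the tag exists to prevent."""
    return tag == build_default_domain_tag(backbone_asn)


# Value shown in Example 3-9; the check below reproduces the text's decoding.
EXAMPLE_3_9_TAG = 3489661143

if __name__ == "__main__":
    fields = parse_domain_tag(EXAMPLE_3_9_TAG)
    print(fields["binary"])                                   # 11010000000000000000000011010111
    print(fields["prefix"] == DEFAULT_PREFIX, fields["asn"])  # True 215
    print(originated_in_backbone(EXAMPLE_3_9_TAG, 215))      # True
```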

VPN Client Backdoor Links

When connecting VPN sites that run the OSPF protocol, you might assume that the data path between the two sites is only available across the MPLS VPN backbone. This might not necessarily be the case, and many large VPNs today provide a backup path between sites. These paths are referred to as backdoor links, and they present a problem that must be addressed so that routing can be influenced based on policy. The presence of backdoor links is the major reason that OSPF might be desirable on the PE-CE links; the use of other protocols cannot achieve the desired connectivity goals.

Figure 3-8 shows a sample network that has backdoor links between customer sites. The EuroBank VPN sites are attached to the MPLS VPN backbone, but the customer has also deployed direct links between the sites. Because these links are to be used only for backup purposes, the traffic should flow across the MPLS backbone if possible.

Figure 3-8. OSPF Backdoor Links

The backup links in the EuroBank network pose an interesting OSPF problem. All EuroBank sites are in the same OSPF area; therefore, the full connectivity within each site is advertised to all other sites. Route selection rules in OSPF dictate that the intra-area routes are preferred over the interarea routes, which means that all traffic between the sites will follow the intra-area path via the backdoor links. In other words, the EuroBank sites will never use the MPLS backbone for intersite traffic, unless, of course, the backdoor links become unavailable. Even worse, the PE routers will ignore the Multiprotocol BGP routes that they receive from other PE routers because they have an intra-area OSPF route advertised to them from the CE routers. Example 3-10 shows the selection of the backdoor path to reach the EuroBank Paris CE router from the San Jose PE router.

Example 3-10. Backdoor Link Selection Example
SanJose#show ip bgp v a 196.7.25.1
BGP routing table entry for 100:251:196.7.25.1/32, version 58
Paths: (3 available, best #2)
  Advertised to non peer-group peers:
  194.22.15.1 194.22.15.3
  Local
    194.22.15.3 (metric 30) from 194.22.15.3 (194.22.15.3)
      Origin incomplete, metric 22, localpref 100, valid, internal
      Extended Community: RT:1:793 OSPF DOMAIN ID:0.0.0.101 OSPF
        RT:1:2:0 OSPF 2
  Local
    192.168.2.13 from 0.0.0.0 (194.22.15.2)
      Origin incomplete, metric 86, localpref 100, weight 32768, valid, sourced, best
      Extended Community: RT:1:793 OSPF DOMAIN ID:0.0.0.101 OSPF RT:1:2:0 OSPF 2
  Local
    194.22.15.1 (metric 30) from 194.22.15.1 (194.22.15.1)
      Origin incomplete, metric 11, localpref 100, valid, internal
      Extended Community: RT:1:793 OSPF DOMAIN ID:0.0.0.101 OSPF
        RT:1:2:0 OSPF 2

SanJose#show ip route vrf EuroBank 196.7.25.1
Routing entry for 196.7.25.1/32
  Known via "ospf 101", distance 110, metric 86, type intra area
  Redistributing via bgp 215
  Advertised by bgp 215
  Last update from 192.168.2.13 on Serial0/0/0, 00:00:17 ago
  Routing Descriptor Blocks:
  * 192.168.2.13, from 192.168.2.14, 00:00:17 ago, via Serial0/0/0
      Route metric is 86, traffic share count is 1

Using this example, you can see that the 196.7.25.1/32 prefix (which is the loopback address of the EuroBank Paris CE router) is learned via Multiprotocol BGP from the Paris and Washington PE routers and is inserted locally into Multiprotocol BGP at the San Jose PE router. The locally generated route is considered the best path within Multiprotocol BGP. However, examination of the EuroBank VRF routing table shows that the selected path is learned via OSPF with a next-hop of 192.168.2.13, which is the EuroBank San Francisco CE router.

This seemingly illogical route selection is made because the intra-area path is preferred over the interarea path generated by the San Jose PE router. In addition, OSPF has a lower administrative distance than Internal BGP. This clearly shows that the MPLS VPN backbone will not be used for any intersite traffic, which will be carried exclusively by the backdoor links between the EuroBank sites. This default behavior is acceptable if the purpose of the connectivity into the MPLS VPN backbone is for backup purposes only. However, because this is generally not the case, the default behavior is not normally acceptable. To overcome this issue, an extra (logical) intra-area link between the PE routers is introduced to the topology. This link, known as a sham-link, is established between the VRF loopback interfaces in the PE routers, and it is treated as an OSPF demand circuit that has no periodic flooding across the link.

OSPF PE-CE Sham-Link Support
The sham-link provides virtual intra-area connectivity across the MPLS VPN Superbackbone so that traffic can be attracted to the backbone rather than taking the backdoor link between sites. As previously stated, this logical link runs within VRFs of the same VPN between PE routers. An OSPF adjacency is created and database exchange (for the particular OSPF process) occurs across the link. This means that the PE router can flood Type 1 and Type 2 LSAs between sites across the MPLS VPN backbone, thereby creating the desired intra-area connectivity.

With a sham-link configured between PE routers, if the PE router receives an update via Multiprotocol BGP for a particular prefix, it will prefer the intra-area path for the same prefix, which is still learned across the sham-link. Therefore, the traffic will flow across the MPLS VPN backbone.

In our example topology of Figure 3-8, the EuroBank customer has backdoor links between most of its sites; therefore, sham-links are necessary to prevent intersite traffic from crossing the backdoor links. Because backdoor links exist between the San Francisco and Washington CE routers and the Washington and London CE routers, you should deploy sham-links between the PE routers to which the CE routers attach. In our example, this means that a sham-link is required between the San Jose and Washington PE routers and the Washington and Paris PE routers. Figure 3-9 shows the use of the sham-link functionality, but only between the San Jose and Washington PE routers for ease of illustration.

Figure 3-9. OSPF Sham-Link Deployment

Creation of sham-links for the EuroBank customer results in two separate sham-links: one between the San Jose PE router and Washington PE router, and another between the Washington PE router and the Paris PE router. It is worth noting that no sham-link exists between the Paris PE router and the San Jose PE router. The reason for this is that no backdoor link exists between the EuroBank San Francisco and Paris sites; therefore, a sham-link is not strictly required. In practice, it might be easier from a provisioning and network management point of view to configure a sham-link between these two sites, thereby creating a full mesh of sham-links for this VPN. This results in several unnecessary sham-links, but it does relieve the service provider from the burden of understanding which VPN site has backdoor links with which other VPN sites.

NOTE
A sham-link is required between any two sites that share a backdoor link. If no backdoor link exists between the sites, then a sham-link is not required. If the MPLS VPN backbone is to be used for connectivity, then the OSPF cost of the sham-link must be better than any other path via the backdoor links between the VPN sites.

OSPF Sham-Link Configuration

A separate loopback interface inside the VRF is required for each VRF that is to be connected to other PE routers using sham-links. This loopback interface is used as an endpoint address for the sham-link. The same loopback interface in a VRF can be used to terminate any number of sham-links. (There is no requirement for a different loopback address per sham-link within the same VRF.) This loopback address should not be redistributed into Multiprotocol BGP because the sham-link endpoint address is distributed between PE routers using the OSPF extended community attribute with route-type 129. Example 3-11 shows the configuration necessary for the creation of a sham-link between the San Jose and Washington PE routers from Figure 3-9.

Example 3-11. OSPF Sham-Link Configuration

hostname SanJose
!
interface loopback 1
 description ** interface for sham-link to Washington
 ip vrf forwarding EuroBank
 ip address 10.2.1.2 255.255.255.255
!
router ospf 101 vrf EuroBank
 area 1 sham-link 10.2.1.2 196.7.26.2 cost 40

hostname Washington
!
interface loopback 1
 description ** interface for sham-link to San Jose
 ip vrf forwarding EuroBank
 ip address 196.7.26.2 255.255.255.255
!
router ospf 101 vrf EuroBank
 area 1 sham-link 196.7.26.2 10.2.1.2 cost 40

The area command is used to create the sham-link, and the source and destination loopback interfaces identify the two endpoints of the sham-link. An OSPF cost must be associated with the sham-link so that shortest path first (SPF) can use it to calculate the shortest path. If the cost of the sham-link is better than any backdoor link between sites, then intersite traffic flows across the MPLS VPN backbone. If the cost is higher than the backdoor link path, then intersite traffic flows across the backdoor link. This behavior provides flexibility within the OSPF topology. You can manipulate traffic flow based on administrator-controlled policy (OSPF costs) rather than on the intra-area versus interarea rule.

The show ip ospf sham-link command shown in Example 3-12 can now be used to check that the sham-link from Example 3-11 has been successfully created.

Example 3-12. show ip ospf sham-link Command Output

SanJose#show ip ospf sham-link
Sham Link OSPF_SL0 to address 196.7.26.2 is up
Area 1 source address 10.2.1.2
  Run as demand circuit
  DoNotAge LSA allowed. Cost of using 40 State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40,
    Hello due in 00:00:04
    Adjacency State FULL (Hello suppressed)
    Index 2/2, retransmission queue length 4, number of retransmission 0
    First 0x63311F3C(205)/0x63311FE4(59) Next 0x63311F3C(205)/0x63311FE4(59)
    Last retransmission scan length is 0, maximum is 0
    Last retransmission scan time is 0 msec, maximum is 0 msec
    Link State retransmission due in 360 msec

The output from the previous example confirms that the sham-link is active and that it runs as a demand circuit. (No periodic flooding occurs across the link, and hellos are suppressed.) The newly created sham-link is advertised within the PE router's Type 1 LSA as an unnumbered point-to-point connection between two PE routers. This is illustrated in Example 3-13.

Example 3-13. Sham-Link Representation Within the OSPF Database

SanJose#show ip ospf data router 10.2.1.2

       OSPF Router with ID (10.2.1.2) (Process ID 101)

                Router Link States (Area 1)

  LS age: 527
  Options: (No TOS-capability, DC)
  LS Type: Router Links
  Link State ID: 10.2.1.2
  Advertising Router: 10.2.1.2
  LS Seq Number: 8000001F
  Checksum: 0x4CEB
  Length: 60
  Area Border Router
  AS Boundary Router
  Number of Links: 3

    Link connected to: another Router (point-to-point)
     (Link ID) Neighboring Router ID: 196.7.26.2
     (Link Data) Router Interface address: 0.0.0.18
      Number of TOS metrics: 0
       TOS 0 Metrics: 1
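The route selection rules from this section (an intra-area route beats an interarea route whatever the cost, the lowest-cost intra-area path wins, and a sham-link therefore pulls traffic onto the backbone only when its cost beats the backdoor path), carried through in Python as an added example that is not from the book. The topology is modelled on Figures 3-8 and 3-9; the sham-link cost of 40 comes from Example 3-11, while the node names, all other link costs and the interarea metric are constructed.

```python
import heapq

# Added example, not from the book. Two EuroBank sites (San Francisco and
# Washington) sit in OSPF area 1, each behind a PE router, with a customer
# backdoor link between the sites (constructed topology after Figures 3-8/3-9).
# The sham-link cost of 40 is taken from Example 3-11; all other costs, the
# node names and the interarea metric are constructed values for this example.
INTRA_AREA_LINKS = {
    ("SF-CE", "SanJose-PE"): 10,
    ("WASH-CE", "Washington-PE"): 10,
    ("SF-CE", "WASH-CE"): 100,          # the backdoor link
}
BACKDOOR = ("SF-CE", "WASH-CE")
PE_PAIR = ("SanJose-PE", "Washington-PE")
# Metric of the interarea (Type 3) route with which the San Jose PE re-originates
# the Washington site prefix that it learned over Multiprotocol BGP.
INTERAREA_VIA_PE = {"SanJose-PE": 22}


def dijkstra(links, source):
    """Plain SPF over undirected weighted links; returns (dist, prev)."""
    adj = {}
    for (a, b), cost in links.items():
        adj.setdefault(a, []).append((b, cost))
        adj.setdefault(b, []).append((a, cost))
    dist, prev, heap = {source: 0}, {}, [(0, source)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue          # stale heap entry
        for v, c in adj.get(u, []):
            if d + c < dist.get(v, float("inf")):
                dist[v], prev[v] = d + c, u
                heapq.heappush(heap, (d + c, v))
    return dist, prev


def path_to(prev, source, target):
    path = [target]
    while path[-1] != source:
        path.append(prev[path[-1]])
    return path[::-1]


def select_route(source, target, sham_link_cost=None, backdoor_up=True):
    """Apply OSPF route selection at `source` for the prefix at `target`.

    Rule 1: an intra-area route is preferred over an interarea route regardless
            of cost, which is why the backdoor wins against the plain backbone.
    Rule 2: among intra-area routes the lowest SPF cost wins, so a sham-link
            attracts traffic only when its cost beats the backdoor path.
    Returns (route_type, cost, path) or None when the target is unreachable.
    """
    links = {k: v for k, v in INTRA_AREA_LINKS.items() if backdoor_up or k != BACKDOOR}
    if sham_link_cost is not None:
        links[PE_PAIR] = sham_link_cost    # the sham-link is an intra-area link
    dist, prev = dijkstra(links, source)
    if target in dist:                     # Rule 1 and Rule 2
        return ("intra-area", dist[target], path_to(prev, source, target))
    # Only interarea candidates remain: walk intra-area to a PE, then use its summary.
    best = None
    for pe, metric in INTERAREA_VIA_PE.items():
        if pe in dist and (best is None or dist[pe] + metric < best[1]):
            best = ("interarea", dist[pe] + metric, path_to(prev, source, pe) + [target])
    return best


if __name__ == "__main__":
    print(select_route("SF-CE", "WASH-CE"))                      # backdoor, cost 100
    print(select_route("SF-CE", "WASH-CE", sham_link_cost=40))   # backbone, cost 60
    print(select_route("SF-CE", "WASH-CE", sham_link_cost=200))  # backdoor again
    print(select_route("SF-CE", "WASH-CE", backdoor_up=False))   # interarea, cost 32
```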

PE-CE Connectivity: Integrated IS-IS
Now that the enhancements to the OSPF protocol have been covered, it is time to introduce the first new protocol to be added to the list of PE-CE protocols: IS-IS. Although IS-IS is not • expected to Table of Contents be one of the more widely deployed protocols for this type of connectivity due to • limited deployment within Enterprise networks, its availability as a PE-CE protocol might Index its MPLS and VPN Architectures, Volume II still be important in certain scenarios. For example, a VPN client might be running IS-IS on the internal network Pepelnjak,Jeff Apcar ByJim Guichard, Ivan and might want to maintain the IS-IS topology when moving to an MPLS VPN environment. The primary reasons for this are similar to those discussed within the OSPF section:
Publisher: Cisco Press Pub Date: June 06, 2003

Avoidance of having to redistribute IS-IS information into other protocols such as BGP-4 or RIP version 2 at the CE routers

Avoidance of having to learn/support another routing protocol such as BGP-4 at the network edge

Support for IS-IS is also important for the migration of an ISP, which uses IS-IS as its routing protocol, toward the MPLS VPN backbone, such as in the Carrier's Carrier architecture. This architecture is explained in more detail in Chapter 6, "Large-Scale Routing and Multiple Service Provider Connectivity."

IS-IS PE-CE Connectivity Requirements

IS-IS, like OSPF, is a link-state routing protocol, and it is widely adopted within the service provider community. The technical details of how IS-IS operates are outside the scope of this publication. Readers who require this level of detail should refer to the Cisco Press book IS-IS Network Design Solutions, written by Abe Martey.

As with the OSPF protocol, IS-IS can split a routing domain into a series of areas where interarea connectivity is achieved by interconnection across a Level 2 backbone, partially overlaying the individual Level 1 areas. In general, small IS-IS topologies are built within a single area, and this area includes all the routers within the routing domain.

As the network increases in size, it is split into a Level 2 backbone and a number of Level 1 areas. Routers establish Level 1 adjacencies to perform routing within a local area (intra-area routing) and Level 2 adjacencies to perform routing between Level 1 areas (interarea routing).

The IS-IS Level 2 backbone is created through the connection of all Level 2 routers from all areas, and local areas attach to the backbone via a Level 1-2 router. Within a local area, all routers know how to reach all other routers within the area, but they know nothing about routers in other areas.

The default behavior of a Cisco router for the first IS-IS process to be created is to act as a Level 1-2 router. This is basically a combination of Level 1 and Level 2. (The router establishes both Level 1 and Level 2 adjacencies and maintains two separate databases: one for the local Level 1 area and another for the Level 2 backbone.)

You can configure the router to act as a Level 1 (intra-area) router only, as both a Level 1 router and a Level 2 (interarea) router (the default), or as an interarea router only. Because of this range of options, various combinations for connectivity can be established.

With the introduction of an MPLS VPN backbone between VPN sites, an additional level of routing hierarchy (referred to as Level 3) above Level 2 has been added (similar to OSPF). This additional level is required so that VPN sites can run independent IS-IS processes and learn routes from other VPN sites without maintaining a direct adjacency with those sites. With this additional level, the routing hierarchy changes from Level 1/Level 2/Level 1 to Level 1/Level 2/Level 3/Level 2/Level 1. This gives various connectivity options between the PE routers and CE routers.

To help you understand how IS-IS might be deployed, we'll assume that EuroBank has decided to migrate its internal network to the IS-IS protocol and run Level 1-2 everywhere. FastFoods also runs IS-IS and attaches to the SuperCom MPLS VPN backbone, but it only runs Level 2. This connectivity can be seen in Figure 3-10.
Figure 3-10. IS-IS PE-CE Connectivity Options

A VPN site can attach to the MPLS VPN backbone by using Level 1, Level 1-2, or Level 2 modes of operation. You will learn about each of these options and how they affect the routing between sites in the next sections.

Separation of IS-IS VPN Routing Information

As with all PE-CE connectivity options, the PE router needs to be able to provide separation between VPN clients. Separation of forwarding information is achieved through the use of VRFs. However, separation at the routing protocol level is also needed so that the PE router can identify which routing updates belong to which clients. IS-IS uses the same mechanism as the OSPF protocol (as shown in Figure 3-3)—that is, a separate process is required for each IS-IS VPN client. To support this mechanism, an extension to the router isis command has been provided, as shown in Example 3-14.

Example 3-14. Extension to router isis Command

SanJose(config)#router isis <tag> VRF vrf-name

The <tag> option within the router isis command allows a tag to be allocated that can be used to reference the particular IS-IS process. This is necessary when you are assigning interfaces to the process using the ip router isis command. Example 3-15 shows the necessary configuration to create the EuroBank and FastFoods IS-IS processes and to assign the relevant interfaces to these processes on the San Jose PE router.
Example 3-15. Configuration of IS-IS Process on PE Routers

hostname SanJose
!
ip vrf EuroBank
 rd 100:251
 route-target export 1:793
 route-target import 1:793
!
ip vrf FastFoods
 rd 100:269
 route-target export 1:821
 route-target import 1:821
!
interface Serial 3/0/0
 description ** interface to EuroBank San Francisco CE-router
 ip vrf forwarding EuroBank
 ip address 192.168.2.14 255.255.255.252
 ip router isis EuroBank
!
interface Serial 3/0/1
 description ** interface to FastFoods San Jose CE-router
 ip vrf forwarding FastFoods
 ip address 192.168.2.17 255.255.255.252
 ip router isis FastFoods
!
router isis EuroBank vrf EuroBank
 net 47.1234.0000.0000.0020.00
 metric-style wide
!
router isis FastFoods vrf FastFoods
 net 47.3456.0000.0001.0020.00
 metric-style wide

After all of the IS-IS processes have been created and the relevant interfaces have been associated with customer VRFs, the PE router can form a routing adjacency with the attached CE routers for the purposes of exchanging routing information.

Propagation of IS-IS Routes Within Multiprotocol BGP
After all of the relevant IP prefix information has been collected from the attached VPN site, it is necessary to distribute this to other PE routers within the network so that full connectivity can be provided to the VPN customer. This, as with all other PE-CE routing protocols other than BGP-4, requires redistribution from the VRF into Multiprotocol BGP. It is achieved by using the redistribute command within the BGP process. An example of this redistribution for the EuroBank VPN is given in Example 3-16, which shows that both Level 1 and Level 2 routes should be redistributed from the VRF. The IS-IS cost is automatically transferred into the BGP MED attribute during the redistribution process.

Example 3-16. Redistribution of IS-IS Routes into Multiprotocol BGP

router bgp 10
 !
 address-family ipv4 vrf EuroBank
  redistribute isis EuroBank vrf EuroBank level-1-2
  no auto-summary
  no synchronization
 exit-address-family
!

NOTE
To get locally connected interfaces that are within the VRF into Multiprotocol BGP, it is necessary to configure redistribute connected within the BGP address family for that VRF.
After the VPN prefix information has been imported into any receiving VRFs at remote PE routers, you must apply redistribution once again so that the information can be advertised to any attached CE routers that reside within the VPN. Example 3-17 shows the necessary configuration for this redistribution within the EuroBank VPN.
Example 3-17. Redistribution from VRF into IS-IS Process

router isis EuroBank vrf EuroBank
 net 47.1234.0000.0000.0020.00
 redistribute bgp 10 metric transparent level-1-2
 metric-style wide
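The three steps above (one IS-IS process per VRF as in Example 3-15, redistribution into Multiprotocol BGP as in Example 3-16, and redistribution back into the VRF process as in Example 3-17) are exactly where a mis-binding on the PE router would place one customer's prefixes in another customer's IS-IS database. The following script is an added example, not code from the book or from Cisco: it audits a constructed IOS configuration in the shape of those examples and reports an interface attached to a process of the wrong VRF, a VRF address family that redistributes another VRF's IS-IS process, and a VRF process that never redistributes BGP back toward its CE routers. The configuration text, including the Serial interface names, is constructed for the example.

```python
"""Audit an IOS PE configuration for IS-IS PE-CE separation mistakes.

Constructed example, not code from the book or from Cisco. For a config in
the shape of Examples 3-15 to 3-17 it checks that a VRF interface is bound to
its own VRF's IS-IS process, that each VRF address family under router bgp
redistributes only that process, and that the process redistributes BGP back.
"""
import re

ISIS_RE = re.compile(r"^router isis(?: (\S+))?(?: vrf (\S+))?$")
AF_RE = re.compile(r"^address-family ipv4 vrf (\S+)$")
REDIST_ISIS_RE = re.compile(r"^redistribute isis (\S+)(?: vrf (\S+))?")

def parse_config(text):
    """Return (interfaces, procs, redist_bgp, bgp_af) parsed from IOS-style text."""
    interfaces, procs, redist_bgp, bgp_af = {}, {}, set(), {}
    block = af_vrf = None
    for raw in text.splitlines():
        cmd = raw.strip()
        if not cmd or cmd.startswith("!"):
            continue
        if not raw.startswith(" "):                  # top-level command opens a block
            af_vrf = block = None
            if cmd.startswith("interface "):
                block = ("interface", cmd.split(None, 1)[1].replace(" ", ""))
                interfaces[block[1]] = [None, None]  # [vrf, isis tag]
            elif (m := ISIS_RE.match(cmd)):          # "" is the untagged global process
                block = ("isis", m.group(1) or "")
                procs[block[1]] = m.group(2)         # tag -> vrf (None = global)
            elif cmd.startswith("router bgp "):
                block = ("bgp", None)
            continue
        kind, key = block or (None, None)
        if kind == "interface":
            if cmd.startswith("ip vrf forwarding "):
                interfaces[key][0] = cmd.split()[-1]
            elif cmd.startswith("ip router isis"):
                parts = cmd.split()
                interfaces[key][1] = parts[3] if len(parts) > 3 else ""
        elif kind == "isis" and cmd.startswith("redistribute bgp "):
            redist_bgp.add(key)
        elif kind == "bgp":
            if (m := AF_RE.match(cmd)):
                af_vrf = m.group(1)
            elif af_vrf and (m := REDIST_ISIS_RE.match(cmd)):
                bgp_af.setdefault(af_vrf, []).append((m.group(1), m.group(2)))
    return interfaces, procs, redist_bgp, bgp_af


def audit(text):
    """Return a list of findings; an empty list means the separation holds."""
    interfaces, procs, redist_bgp, bgp_af = parse_config(text)
    findings = []
    for name, (vrf, tag) in interfaces.items():
        if vrf is not None and tag is not None and procs.get(tag) != vrf:
            owner = procs.get(tag, "not configured") or "global"
            findings.append(f"{name}: VRF {vrf} attached to IS-IS process '{tag}' ({owner})")
    for tag, vrf in procs.items():
        if not vrf:
            continue                                 # global process: no VPN checks
        if tag not in redist_bgp:
            findings.append(f"router isis {tag} vrf {vrf}: no 'redistribute bgp', "
                            "remote VPN routes never reach the CE")
        if tag not in [t for t, _ in bgp_af.get(vrf, [])]:
            findings.append(f"address-family ipv4 vrf {vrf}: process '{tag}' not redistributed")
    for vrf, entries in bgp_af.items():
        for tag, line_vrf in entries:
            if procs.get(tag) != vrf or (line_vrf and line_vrf != vrf):
                findings.append(f"address-family ipv4 vrf {vrf}: redistribute isis {tag} "
                                f"pulls routes that do not belong to VRF {vrf}")
    return findings


# Constructed PE configuration in the shape of Examples 3-15 to 3-17.
CLEAN = """\
interface Serial 3/0/0
 ip vrf forwarding EuroBank
 ip router isis EuroBank
!
interface Serial 3/0/1
 ip vrf forwarding FastFoods
 ip router isis FastFoods
!
router isis EuroBank vrf EuroBank
 redistribute bgp 10 metric transparent level-1-2
!
router isis FastFoods vrf FastFoods
 redistribute bgp 10 metric transparent level-2
!
router bgp 10
 address-family ipv4 vrf EuroBank
  redistribute isis EuroBank vrf EuroBank level-1-2
 address-family ipv4 vrf FastFoods
  redistribute isis FastFoods vrf FastFoods level-2
"""

# Same PE, but the FastFoods interface is attached to EuroBank's process (constructed).
MISWIRED = CLEAN.replace(" ip router isis FastFoods", " ip router isis EuroBank")
```

Running audit(MISWIRED) reports the FastFoods interface bound to the EuroBank process, which is the condition under which FastFoods prefixes would be flooded into EuroBank's Level 1-2 database.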

NOTE

The transparent keyword within the configuration of the previous example tells the PE router to redistribute the IS-IS routes with the metric carried in the MED attribute of the Multiprotocol BGP route. If the metric is non-zero, then the same metric is used within the IS-IS LSP. If the metric is zero, then the default IS-IS metric is used.

With the level-1-2 keyword configured on the redistribute bgp command, the Multiprotocol BGP routes are redistributed as external IS-IS routes into both the Level 1 and Level 2 IS-IS topology databases.

After the redistribution has been configured within the relevant IS-IS routing process, any routes that were learned via Multiprotocol BGP and were installed within the VRF are advertised toward the relevant CE routers.

Level 1-2 PE Router to CE Router Connectivity
Now that you have learned the basic configuration steps for implementing IS-IS as a PE-CE routing protocol, you can move on to how different topologies are deployed.

The first type of IS-IS connectivity to consider is Level 1-2. This is the default mode on a Cisco router, and the EuroBank VPN is using this mode of operation for all its internal connectivity. Because this is the default, no additional configuration is necessary from that which was configured in Example 3-15. Therefore, within the EuroBank VPN, the San Francisco, Washington, Paris, and London CE routers, and the IS-IS processes that are associated with this VPN on the SuperCom PE routers, are all using is-type Level 1-2, as illustrated in Figure 3-11.

Figure 3-11. EuroBank Level 1-2 IS-IS Topology
You can view the topology of the routers within the EuroBank VPN by using the show isis topology command. You can view the adjacency formation by using the show clns neighbors command, as shown in Examples 3-18 and 3-19. These examples show only the local site connectivity on the San Jose PE router because no routes at this point have been distributed between EuroBank sites across the MPLS VPN backbone.

Example 3-18. show isis topology Output for EuroBank VPN

SanJose#show isis topology

Area EuroBank:
IS-IS paths to level-1 routers
System Id            Metric     Next-Hop             Interface   SNPA
SanFrancisco         10         San Francisco        Se3/0/0     *HDLC*
SanJose              --

IS-IS paths to level-2 routers
System Id            Metric     Next-Hop             Interface   SNPA
SanFrancisco         10         San Francisco        Se3/0/0     *HDLC*
SanJose              --
Example 3-19. show clns neighbors Output

SanJose#show clns neighbors

Area EuroBank:
System Id      Interface   SNPA        State  Holdtime  Type Protocol
SanFrancisco   Se3/0/0     *HDLC*      Up     26        L1L2 IS-IS

SanJose#show clns neighbors detail

Area EuroBank:
System Id      Interface   SNPA        State  Holdtime  Type Protocol
SanFrancisco   Se3/0/0     *HDLC*      Up     28        L1L2 IS-IS
  Area Address(es): 47.1234
  IP Address(es):  192.168.2.13*
  Uptime: 00:00:36

At this stage of the deployment, the San Francisco EuroBank CE router should see all routers within its local site in addition to the San Jose PE router. Because both the PE router and the CE router are running Level 1-2, all routes that are reachable within the site should be seen within both the Level 1 and Level 2 link-state database. Example 3-20 confirms this and shows that the San Francisco CE router has Level 1 and Level 2 link-state packets (LSPs) from the San Jose PE router.

Example 3-20. Level 1-2 Database for EuroBank CE Router

SanFrancisco#show isis database detail

IS-IS Level-1 Link State Database:
LSPID                 LSP Seq Num  LSP Checksum  LSP Holdtime      ATT/P/OL
SanFrancisco.00-00  * 0x00000004   0x85CB        942               1/0/0
  Area Address: 47.1234
  NLPID:        0xCC
  Hostname: SanFrancisco
  IP Address:   10.2.1.1
  Metric: 10         IP 192.168.2.12/30
  Metric: 0          IP 10.2.1.1/32
  Metric: 10         IS-Extended SanJose.00
SanJose.00-00         0x00000003   0xBE4C        1065              1/0/0
  Area Address: 47.1234
  NLPID:        0xCC
  Hostname: SanJose
  IP Address:   196.7.25.3
  Metric: 10         IP 192.168.2.12/30
  Metric: 0          IP 196.7.25.3/32
  Metric: 10         IS-Extended SanFrancisco.00
IS-IS Level-2 Link State Database:
LSPID                 LSP Seq Num  LSP Checksum  LSP Holdtime      ATT/P/OL
SanFrancisco.00-00  * 0x00000002   0xDC7E        925               0/0/0
  Area Address: 47.1234
  NLPID:        0xCC
  Hostname: SanFrancisco
  IP Address:   10.2.1.1
  Metric: 10         IS-Extended SanJose.00
  Metric: 0          IP 10.2.1.1/32
  Metric: 10         IP 192.168.2.12/30
SanJose.00-00         0x00000004   0x050A        1058              0/0/0
  Area Address: 47.1234
  NLPID:        0xCC
  Hostname: SanJose
  IP Address:   196.7.25.3
  Metric: 10         IS-Extended SanFrancisco.00
  Metric: 0          IP 196.7.25.3/32
  Metric: 10         IP 10.2.1.1/32
  Metric: 10         IP 192.168.2.12/30


IS-IS always prefers intra-area routes to interarea routes. This means that in our example, the EuroBank San Francisco CE router will select any Level 1 routes over Level 2 routes learned from the San Jose PE router. The previous example showed that the only route reachable at the San Jose PE router is 196.7.25.3/32, and this was advertised both at Level 1 and Level 2. Example 3-21 shows that the San Francisco CE router has selected the Level 1 path for this particular prefix.

Example 3-21. San Francisco CE Router Level 1-2 Route Selection

SanFrancisco#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

     196.7.25.0/32 is subnetted, 1 subnets
i L1    196.7.25.3 [115/10] via 192.168.2.14, Serial1/0
     10.0.0.0/32 is subnetted, 1 subnets
C       10.2.1.1 is directly connected, Loopback0
     192.168.2.0/30 is subnetted, 1 subnets
C       192.168.2.12 is directly connected, Serial1/0

Now that all the local site routes have been learned, you must redistribute them from within the VRF into Multiprotocol BGP so that other PE routers can import them. An example of how to configure this redistribution was shown earlier. After the redistribution has been completed, any routes that are learned from the San Francisco CE router or locally attached VRF interfaces that are associated with the EuroBank IS-IS process are carried within Multiprotocol BGP (see Example 3-22). This example also shows the output of debug isis vrf, which can be used to confirm that the routes are passed to Level 3 (MPLS VPN backbone) and advertised by Multiprotocol BGP.

Example 3-22. IS-IS Routes Carried Within Multiprotocol BGP

SanJose#show ip bgp vpnv4 vrf EuroBank
BGP table version is 54, local router ID is 194.22.15.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 100:251 (default for vrf EuroBank)
*> 10.2.1.1/32      192.168.2.13            10         32768 ?
*> 192.168.2.12/30  0.0.0.0                  0         32768 ?

SanJose#show ip bgp vpnv4 vrf EuroBank 10.2.1.1
BGP routing table entry for 100:251:10.2.1.1/32, version 54
Paths: (1 available, best #1, table EuroBank)
  Advertised to non peer-group peers:
  192.168.1.14 194.22.15.3
  Local
    192.168.2.13 from 0.0.0.0 (194.22.15.2)
      Origin incomplete, metric 10, localpref 100, weight 32768, valid, sourced, best
      Extended Community: RT:1:793

SanJose#debug isis vrf

5d22h: ISIS-VRF: EuroBank:Adv(ISIS=>BGP VPN) 10.2.1.1/32, L3
5d22h: ISIS-VRF: EuroBank:Adv(ISIS=>BGP VPN) 192.168.2.12/30, L3

It is also necessary to redistribute any remote EuroBank routes into the local site at the PE router. Example 3-23 shows some debugging output that confirms successful redistribution of Multiprotocol BGP routes into Level 1 and Level 2 IS-IS topology databases, and also the San Francisco CE router's routing table after this redistribution has been performed at the San Jose PE router.

Example 3-23. San Francisco CE Router After Redistribution

SanJose#debug isis vrf

5d22h: ISIS-VRF: EuroBank:Learn(ISIS<=BGP VPN) 196.7.25.1/32, adv L1
5d22h: ISIS-VRF: EuroBank:Learn(ISIS<=BGP VPN) 196.7.25.2/32, adv L1
5d22h: ISIS-VRF: EuroBank:Learn(ISIS<=BGP VPN) 192.168.2.24/30, adv L1
5d22h: ISIS-VRF: EuroBank:Learn(ISIS<=BGP VPN) 196.7.25.1/32, adv L2
5d22h: ISIS-VRF: EuroBank:Learn(ISIS<=BGP VPN) 196.7.25.2/32, adv L2
5d22h: ISIS-VRF: EuroBank:Learn(ISIS<=BGP VPN) 192.168.2.24/30, adv L2

San Francisco# show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

     196.7.25.0/32 is subnetted, 3 subnets
i L2    196.7.25.2 [115/20] via 192.168.2.14, Serial1/0
i L1    196.7.25.3 [115/10] via 192.168.2.14, Serial1/0
i L2    196.7.25.1 [115/20] via 192.168.2.14, Serial1/0
     10.0.0.0/32 is subnetted, 1 subnets
C       10.2.1.1 is directly connected, Loopback0
     192.168.2.0/30 is subnetted, 2 subnets
C       192.168.2.12 is directly connected, Serial1/0
i L2    192.168.2.24 [115/20] via 192.168.2.14, Serial1/0

As you can see, the San Francisco CE router learned routes from remote EuroBank sites. All of these routes are seen as Level 2 routes within the routing table instead of Level 1 routes. That is because the PE router acts as a Level 2 router into the backbone; therefore, any routes that are reachable across the backbone are seen as Level 2. But what if the San Francisco CE router were running in Level 1 mode only? Example 3-24 shows the routing table of the San Francisco CE router after changing it to Level 1 only.

Example 3-24. San Francisco CE Router Level 1 Only Routing Table

SanFrancisco(config)#router isis EuroBank
SanFrancisco(config-router)#is-type level-1

SanFrancisco#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 192.168.2.14 to network 0.0.0.0

     196.7.25.0/32 is subnetted, 3 subnets
i ia    196.7.25.2 [115/20] via 192.168.2.14, Serial1/0
i L1    196.7.25.3 [115/10] via 192.168.2.14, Serial1/0
i ia    196.7.25.1 [115/20] via 192.168.2.14, Serial1/0
     10.0.0.0/32 is subnetted, 1 subnets
C       10.2.1.1 is directly connected, Loopback0
     192.168.2.0/30 is subnetted, 2 subnets
C       192.168.2.12 is directly connected, Serial1/0
i ia    192.168.2.24 [115/20] via 192.168.2.14, Serial1/0
i*L1 0.0.0.0/0 [115/10] via 192.168.2.14, Serial1/0

The output from Example 3-24 highlights a couple of interesting points. The first thing to notice is that the routes from other EuroBank sites are no longer Level 2 but ia (IS-IS interarea). This is because the CE router no longer holds a Level 2 database; it sees any routes that are not within the local site as interarea routes that are reachable via the PE router. These interarea routes are available due to a process known as route leaking, which will be discussed later in this chapter.

The second observation is that a default route that is pointing toward the PE router has been installed in the CE router's routing table. The Level 1 router uses this default route to indicate how to exit the area to reach destinations that are not local to the area.
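The level and default-route behaviour just described can be checked mechanically. The following Python example is added here and is not from the book: it parses the PE's debug isis vrf Learn messages and the CE's show ip route output, and flags any leaked prefix whose IS-IS level differs from what the CE's is-type predicts (L2 on a Level 1-2 or Level 2-only CE, ia on a Level 1-only CE) as well as a missing or unexpected default route. The sample outputs are constructed from Examples 3-23 and 3-24; ce_is_type and pe_is_type are my own parameter names, and the Level 1-only PE case later in this section is covered by passing pe_is_type="level-1".

```python
"""Verify that routes leaked from Multiprotocol BGP into a VRF IS-IS process
appear on the CE router with the IS-IS level its is-type predicts.

Added example (not from the book). ce_is_type / pe_is_type are my own
parameter names; they take the is-type keywords level-1, level-1-2 and
level-2-only as printed in the chapter's configuration examples.
"""
import re

# One 'show ip route' entry, e.g. "i L2    196.7.25.2 [115/20] via 192.168.2.14, Serial1/0"
ROUTE_RE = re.compile(
    r"^(?P<proto>[A-Za-z])(?P<cand>\*)?\s*(?P<level>L1|L2|ia)?\s+"
    r"(?P<prefix>\d+\.\d+\.\d+\.\d+(?:/\d+)?)\s+"
    r"(?:\[(?P<ad>\d+)/(?P<metric>\d+)\] via (?P<nexthop>\S+), |is directly connected, )"
    r"(?P<iface>\S+)$"
)
# One PE debug line, e.g. "5d22h: ISIS-VRF: EuroBank:Learn(ISIS<=BGP VPN) 196.7.25.1/32, adv L1"
LEARN_RE = re.compile(
    r"ISIS-VRF: (?P<vrf>\S+):Learn\(ISIS<=BGP VPN\) (?P<prefix>\S+), adv (?P<level>L1|L2)"
)


def parse_routes(show_ip_route):
    """Map destination address -> (protocol code, IS-IS level, candidate default, next hop)."""
    routes = {}
    for line in show_ip_route.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:  # legend, summary and 'Gateway of last resort' lines do not match
            addr = m.group("prefix").split("/")[0]
            routes[addr] = (m.group("proto"), m.group("level"),
                            m.group("cand") == "*", m.group("nexthop"))
    return routes


def leaked_prefixes(debug_output, vrf):
    """Addresses the PE learned from Multiprotocol BGP for this VRF (L1 and L2 lines collapse)."""
    return {m.group("prefix").split("/")[0]
            for m in LEARN_RE.finditer(debug_output) if m.group("vrf") == vrf}


def check_ce_table(debug_output, vrf, show_ip_route, ce_is_type, pe_is_type):
    """Return the discrepancies found; an empty list means the CE table is as expected.

    A Level 1-only CE has no Level 2 database, so backbone routes show up as ia
    (interarea) and, if the PE is Level 1-2, an L1 default route points at the PE.
    A Level 1-2 or Level 2-only CE sees the same routes as L2 and installs no default.
    """
    expected_level = "ia" if ce_is_type == "level-1" else "L2"
    want_default = ce_is_type == "level-1" and pe_is_type == "level-1-2"
    routes = parse_routes(show_ip_route)
    problems = []
    for addr in sorted(leaked_prefixes(debug_output, vrf)):
        entry = routes.get(addr)
        if entry is None:
            problems.append(f"{addr}: leaked by PE but missing from CE routing table")
        elif entry[0] != "i" or entry[1] != expected_level:
            problems.append(f"{addr}: expected IS-IS {expected_level}, got {entry[0]} {entry[1]}")
    default = routes.get("0.0.0.0")
    if want_default and (default is None or default[1] != "L1" or not default[2]):
        problems.append("Level 1-only CE behind a Level 1-2 PE has no L1 candidate default route")
    if not want_default and default is not None:
        problems.append("CE installed a default route although no Level 2 exit point is expected")
    return problems


# Constructed sample input modelled on Examples 3-23 and 3-24 (EuroBank VRF).
PE_DEBUG = """\
5d22h: ISIS-VRF: EuroBank:Learn(ISIS<=BGP VPN) 196.7.25.1/32, adv L1
5d22h: ISIS-VRF: EuroBank:Learn(ISIS<=BGP VPN) 196.7.25.2/32, adv L1
5d22h: ISIS-VRF: EuroBank:Learn(ISIS<=BGP VPN) 192.168.2.24/30, adv L1
5d22h: ISIS-VRF: EuroBank:Learn(ISIS<=BGP VPN) 196.7.25.1/32, adv L2
5d22h: ISIS-VRF: EuroBank:Learn(ISIS<=BGP VPN) 196.7.25.2/32, adv L2
5d22h: ISIS-VRF: EuroBank:Learn(ISIS<=BGP VPN) 192.168.2.24/30, adv L2
"""
CE_LEVEL_1_2_TABLE = """\
Gateway of last resort is not set
     196.7.25.0/32 is subnetted, 3 subnets
i L2    196.7.25.2 [115/20] via 192.168.2.14, Serial1/0
i L1    196.7.25.3 [115/10] via 192.168.2.14, Serial1/0
i L2    196.7.25.1 [115/20] via 192.168.2.14, Serial1/0
C       10.2.1.1 is directly connected, Loopback0
C       192.168.2.12 is directly connected, Serial1/0
i L2    192.168.2.24 [115/20] via 192.168.2.14, Serial1/0
"""
CE_LEVEL_1_TABLE = """\
Gateway of last resort is 192.168.2.14 to network 0.0.0.0
i ia    196.7.25.2 [115/20] via 192.168.2.14, Serial1/0
i L1    196.7.25.3 [115/10] via 192.168.2.14, Serial1/0
i ia    196.7.25.1 [115/20] via 192.168.2.14, Serial1/0
C       10.2.1.1 is directly connected, Loopback0
C       192.168.2.12 is directly connected, Serial1/0
i ia    192.168.2.24 [115/20] via 192.168.2.14, Serial1/0
i*L1 0.0.0.0/0 [115/10] via 192.168.2.14, Serial1/0
"""

if __name__ == "__main__":
    for label, table, ce_type in (("Level 1-2 CE", CE_LEVEL_1_2_TABLE, "level-1-2"),
                                  ("Level 1-only CE", CE_LEVEL_1_TABLE, "level-1")):
        print(label, check_ce_table(PE_DEBUG, "EuroBank", table, ce_type, "level-1-2") or "OK")
```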

Level 2 PE Router to CE Router Connectivity


Our second example concentrates on the FastFoods VPN, which has sites in San Jose and Lyon, France, as illustrated in Figure 3-12. This type of connectivity requires some additional configuration from that in Example 3-15 because the default IS type needs to be changed to Level 2 only. This can be achieved by using the is-type level-2-only command within the IS-IS process configuration.

Figure 3-12. FastFoods Level 2 IS-IS Topology

As in the Level 1-2 example, you can view the topology of the routers within the FastFoods San Jose site by using the show isis topology command. You can view the adjacency formation by using the show clns neighbors command, as shown in Example 3-25.

Example 3-25. FastFoods Level 2 IS-IS Topology

SanJosePE#show isis topology

Area FastFoods:
IS-IS paths to level-2 routers
System Id            Metric     Next-Hop             Interface   SNPA
SanJoseCE            10         SanJoseCE            Se3/0/1     *HDLC*
SanJosePE            --

SanJosePE#show clns neighbor

Area FastFoods:
System Id      Interface   SNPA                State  Holdtime  Type Protocol
SanJoseCE      Se3/0/1     *HDLC*              Up     27        L2   IS-IS

SanJosePE#show clns neighbor detail

Area FastFoods:
System Id      Interface   SNPA                State  Holdtime  Type Protocol
SanJoseCE      Se3/0/1     *HDLC*              Up     29        L2   IS-IS
  Area Address(es): 47.3456
  IP Address(es):  192.168.2.18*
  Uptime: 00:37:57
The FastFoods VPN only has a Level 2 database. Example 3-26 shows the IS-IS database information for the San Jose CE router, as well as its routing table built from this database. This output shows all the local prefix information, but it does not include remote FastFoods site routes because redistribution to/from the MPLS/VPN backbone has yet to be configured.

Example 3-26. FastFood Level 2 IS-IS Database

SanJoseCE#show isis database detail

IS-IS Level-2 Link State Database:
LSPID                 LSP Seq Num  LSP Checksum  LSP Holdtime      ATT/P/OL
SanJoseCE.00-00     * 0x0000000E   0xBDBD        487               0/0/0
  Area Address: 47.3456
  NLPID:        0xCC
  Hostname: SanJoseCE
  IP Address:   195.12.2.1
  Metric: 10         IS-Extended SanJosePE.00
  Metric: 0          IP 195.12.2.1/32
  Metric: 10         IP 192.168.2.16/30
SanJosePE.00-00       0x0000000E   0x34C8        727               0/0/0
  Area Address: 47.0001.0194
  Area Address: 47.3456
  NLPID:        0xCC
  Hostname: SanJosePE
  IP Address:   195.12.2.2
  Metric: 10         IS-Extended SanJoseCE.00
  Metric: 0          IP 195.12.2.2/32
  Metric: 10         IP 192.168.2.16/30

SanJoseCE#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

     195.12.2.0/32 is subnetted, 2 subnets
C       195.12.2.1 is directly connected, Loopback0
i L2    195.12.2.2 [115/10] via 192.168.2.17, Serial1/1
     192.168.2.0/30 is subnetted, 1 subnets
C       192.168.2.16 is directly connected, Serial1/1

For the San Jose CE router to learn routes from other FastFoods sites, redistribution from IS-IS to Multiprotocol BGP and from Multiprotocol BGP to IS-IS must be configured at the San Jose PE router. After this redistribution has been completed and all relevant routes have been distributed between the San Jose and Paris PE routers, the San Jose CE router can see all remote sites via a Level 2 route, as shown in Example 3-27.

Example 3-27. San Jose CE Router Routing Table After Redistribution

SanJoseCE#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

     10.0.0.0/32 is subnetted, 2 subnets
i L2    10.2.1.1 [115/20] via 192.168.2.17, Serial1/1
i L2    10.2.1.2 [115/20] via 192.168.2.17, Serial1/1
     195.12.2.0/32 is subnetted, 2 subnets
C       195.12.2.1 is directly connected, Loopback0
i L2    195.12.2.2 [115/10] via 192.168.2.17, Serial1/1
     192.168.2.0/30 is subnetted, 2 subnets
i L2    192.168.2.28 [115/20] via 192.168.2.17, Serial1/1
C       192.168.2.16 is directly connected, Serial1/1
Level 1 Only PE Router to CE Router Connectivity

In our final connectivity example, the EuroBank VPN has decided that Level 2 connectivity is not required; therefore it has reconfigured its routers from Level 1-2 to Level 1 by using the is-type level-1 command within the IS-IS process configuration. The new topology is shown in Figure 3-13 and Example 3-28.

Example 3-28. EuroBank Level 1 IS-IS Topology

SanJose#show isis topology

Area EuroBank:
IS-IS paths to level-1 routers
System Id            Metric     Next-Hop             Interface   SNPA
vxr18                10         vxr18                Se3/0/0     *HDLC*
7500-20              --

SanJose#show clns neighbor detail

Area EuroBank:
System Id      Interface   SNPA                State  Holdtime  Type Protocol
SanFrancisco   Se3/0/0     *HDLC*              Up     26        L1   IS-IS
  Area Address(es): 47.1234
  IP Address(es):  192.168.2.13*
  Uptime: 00:06:59

Figure 3-13. EuroBank Level 1 IS-IS Topology

Because there is no Level 2 database, only a Level 1 adjacency exists between the PE router and CE router. Example 3-29 shows the IS-IS database information for the San Francisco CE router. This output shows all the local prefix information and, because there are no changes to the redistribution (as already provided in earlier examples), or how routes are treated within Multiprotocol BGP, all the remote EuroBank routes as well.

Example 3-29. San Francisco CE Router's Level 1 Database

SanFrancisco#show isis database detail

IS-IS Level-1 Link State Database:
LSPID                 LSP Seq Num  LSP Checksum  LSP Holdtime      ATT/P/OL
SanFrancisco.00-00  * 0x00000041   0x011D        516               0/0/0
  Area Address: 47.1234
  NLPID:        0xCC
  Hostname: SanFrancisco
  IP Address:   10.2.1.1
  Metric: 10         IP 192.168.2.12/30
  Metric: 0          IP 10.2.1.1/32
  Metric: 10         IS-Extended SanJose.00
SanJose.00-00         0x00000003   0xFF24        610               0/0/0
  Area Address: 47.1234
  NLPID:        0xCC
  Hostname: SanJose
  IP Address:   196.7.25.3
  Metric: 10         IP 192.168.2.12/30
  Metric: 0          IP 196.7.25.3/32
  Metric: 10         IS-Extended SanFrancisco.00
  Metric: 10         IP-Interarea 196.7.25.2/32
  Metric: 10         IP-Interarea 196.7.25.1/32
  Metric: 10         IP-Interarea 192.168.2.24/30

The San Francisco CE router routing table in Example 3-30 shows that all routes are seen as interarea via the PE router. This is no different from the Level 1-2 example earlier in this section. This means that the PE router can be Level 1 or Level 2, and the only difference from the CE router's perspective is that no default route via the PE router exists within the routing table. This is because the PE router has no Level 2 neighbors and decides that there is no Level 2 exit point within the CE router's local area. No gateway of last resort is set.

Example 3-30. San Francisco CE Router's Routing Table

SanFrancisco#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP MPLS and VPN Architectures, Volume II , begins with a brief refresher of the MPLS VPN i - Part II L1 - IS-IS level-1, VPN IS-IS level-2, ia the integration area Architecture. IS-IS, describes advanced MPLSL2 - connectivity including - IS-IS inter of service provider access technologies (dial, DSL, cable, Ethernet) and a variety of routing * - candidate default, - per-user static the knowledge of protocols (IS-IS, EIGRP, and OSPF),Uarming the reader withroute, o - ODR how to integrate these features into the VPN backbone. Part III details advanced deployment issues P - periodic downloaded static route including security, outlining the necessary steps the service provider must take to protect the backbone and any attached VPN sites, and also detailing the latest security features to allow more advanced topologies and filtering. This part also covers multi-carrier MPLS VPN deployments. Finally, Part IV provides a methodology for advanced MPLS VPN Gateway of last resort is not set troubleshooting. MPLS and VPN Architectures, Volume II , also introduces the latest advances in customer integration, security, and troubleshooting features essential to providing the advanced

196.7.25.0/32 is subnetted, 3 subnets i ia i L1 i ia
• •

196.7.25.2 [115/20] via 192.168.2.14, Serial1/0 196.7.25.3 [115/10] via 192.168.2.14, Serial1/0 196.7.25.1 [115/20] via 192.168.2.14, Serial1/0 10.0.0.0/32 is subnetted, 1 subnets
Index Table of Contents

MPLS and VPN Architectures, Volume II

C

10.2.1.1 is directly connected, Loopback0

ByJim Guichard, Ivan Pepelnjak, Jeff Apcar

192.168.2.0/30 is subnetted, 2 subnets
Publisher: Cisco Press

C

192.168.2.12 Pub Date: June 06, 2003
ISBN: 1-58705-112-5 Pages: 504

is directly connected, Serial1/0

i ia

192.168.2.24 [115/20] via 192.168.2.14, Serial1/0

Prevention of IS-IS Routing Loops Between Sites

All routes that are redistributed from a customer VRF into the PE-CE IS-IS process are seen as IP-interarea routes. This process is known as route leaking and is defined in RFC 2966, "Domain-Wide Prefix Distribution with Two-Level IS-IS."

RFC 2966 defines an up/down bit that indicates whether a particular route has been leaked from Level 2 into Level 1. If the up/down bit is set to 0, then the route was originated within that Level 1 area. If the up/down bit is set to 1, then the route has been redistributed into the area from Level 2. This means that any route with the down bit set will always be leaked downward (such as from Level 2 to Level 1) and never upward (such as from Level 1 to Level 2).

In a normal IS-IS deployment, the up/down bit is used to prevent routing information and forwarding loops. This is achieved by making sure that any L1/L2 router does not readvertise into Level 2 any Level 1 routes that have the up/down bit set.

Within an MPLS VPN environment, the bit is set when redistributing a route from a higher level to a lower level (such as from the MPLS VPN backbone into Level 2 or Level 1, or from Level 2 to Level 1).

The up/down bit is also checked when redistributing a route from a lower level to a higher level (such as from Level 2 or Level 1 into the MPLS VPN backbone, or from Level 1 into Level 2). If the bit is set, then the redistribution does not occur and Multiprotocol BGP does not advertise the route.

Figure 3-14 provides an illustration of how the up/down bit is used for loop prevention.

Figure 3-14. Up/Down Bit: Prevention of Loops
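The loop-prevention rule just described, as an added example that is not part of the book or of Cisco IOS: a small Python decoder for the IS-IS Extended IP Reachability TLV (TLV 135, RFC 5305), whose control octet carries the RFC 2966 up/down bit, followed by the leak decision a PE router (or any L1/L2 router) makes before redistributing upward. The sample LSP contents are constructed from the San Jose PE router's Level 1 LSP in Example 3-29 (the IP-Interarea prefixes are the ones that carry the bit); the function and constant names are my own. The point for an operator is that this check is what stops a prefix the backbone leaked into one site from being re-exported into Multiprotocol BGP by the same or another PE and looping through the VPN.

```python
"""
Added example (not from the book): decode IS-IS Extended IP Reachability
entries (TLV 135, RFC 5305) and apply the RFC 2966 up/down-bit rule.
The sample LSP contents are constructed from the San Jose PE router's
Level 1 LSP in Example 3-29.
"""
import ipaddress
import struct
from dataclasses import dataclass

TLV_EXT_IP_REACH = 135      # TLV type carrying IPv4 prefixes with the up/down bit
UP_DOWN_BIT = 0x80          # bit 7 of the control octet (RFC 2966 / RFC 5305)
SUB_TLV_BIT = 0x40          # bit 6: sub-TLVs follow the prefix
PREFIX_LEN_MASK = 0x3F      # bits 0-5: prefix length


@dataclass(frozen=True)
class IpReach:
    prefix: ipaddress.IPv4Network
    metric: int
    up_down: bool   # True: leaked from a higher level; IOS shows it as "IP-Interarea"


def encode_ip_reach(prefix: str, metric: int, up_down: bool) -> bytes:
    """Build one TLV 135 entry: 4-octet metric, control octet, packed prefix."""
    net = ipaddress.IPv4Network(prefix)
    ctrl = (UP_DOWN_BIT if up_down else 0) | net.prefixlen
    nbytes = (net.prefixlen + 7) // 8
    return struct.pack("!IB", metric, ctrl) + net.network_address.packed[:nbytes]


def build_tlv(entries: bytes) -> bytes:
    """Wrap encoded entries in the TLV header (type, length)."""
    return struct.pack("!BB", TLV_EXT_IP_REACH, len(entries)) + entries


def parse_ip_reach_tlv(tlv: bytes) -> list:
    """Parse one TLV 135 (header included) into IpReach entries."""
    tlv_type, length = struct.unpack_from("!BB", tlv, 0)
    if tlv_type != TLV_EXT_IP_REACH:
        raise ValueError(f"not an Extended IP Reachability TLV: {tlv_type}")
    value = tlv[2:2 + length]
    entries, pos = [], 0
    while pos < len(value):
        metric, ctrl = struct.unpack_from("!IB", value, pos)
        pos += 5
        plen = ctrl & PREFIX_LEN_MASK
        nbytes = (plen + 7) // 8
        addr = value[pos:pos + nbytes].ljust(4, b"\x00")   # prefix is sent truncated
        pos += nbytes
        if ctrl & SUB_TLV_BIT:            # skip any sub-TLVs (length octet + body)
            pos += 1 + value[pos]
        entries.append(IpReach(ipaddress.IPv4Network((addr, plen)), metric,
                               bool(ctrl & UP_DOWN_BIT)))
    return entries


def may_redistribute(route: IpReach, upward: bool) -> bool:
    """RFC 2966 rule as applied in the MPLS VPN case: a route carrying the
    up/down bit is never leaked upward (Level 1 -> Level 2, or Level 1/2 ->
    the MP-BGP backbone). Downward leaking is always allowed, and the router
    that leaks downward sets the bit."""
    return not (upward and route.up_down)


# Constructed sample: the San Jose PE router's Level 1 LSP from Example 3-29.
# Locally originated prefixes carry no bit; the prefixes redistributed from
# the EuroBank VRF (shown as IP-Interarea by IOS) carry it.
SAMPLE_TLV = build_tlv(
    encode_ip_reach("192.168.2.12/30", 10, False)
    + encode_ip_reach("196.7.25.3/32", 0, False)
    + encode_ip_reach("196.7.25.2/32", 10, True)
    + encode_ip_reach("196.7.25.1/32", 10, True)
    + encode_ip_reach("192.168.2.24/30", 10, True)
)


def routes_leakable_into_backbone(tlv: bytes) -> list:
    """Prefixes a PE may redistribute from this Level 1 LSP into MP-BGP."""
    return [str(r.prefix) for r in parse_ip_reach_tlv(tlv)
            if may_redistribute(r, upward=True)]


if __name__ == "__main__":
    for r in parse_ip_reach_tlv(SAMPLE_TLV):
        kind = "IP-Interarea" if r.up_down else "IP"
        print(f"Metric: {r.metric:<4} {kind} {r.prefix}  "
              f"leak upward: {may_redistribute(r, upward=True)}")
```

Running the block lists the five prefixes of the San Jose LSP; only the two locally originated ones (192.168.2.12/30 and 196.7.25.3/32) pass the upward check, exactly the set a PE would be allowed to place into Multiprotocol BGP from that LSP.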


PE-CE Connectivity: EIGRP
The last protocol to review in this chapter is EIGRP. This protocol, described in depth in the EIGRP Network Design Solutions book by Cisco Press (ISBN 1-57870-165-1), has been widely adopted within the Enterprise space, and a large percentage of Enterprise networks rely on EIGRP for their connectivity requirements. Therefore, it is important to provide support for EIGRP within the MPLS VPN architecture, specifically for PE-CE connectivity.

EIGRP PE-CE Connectivity Requirements

As with all other PE-CE routing protocols, the MPLS VPN backbone within an EIGRP environment must be transparent. The backbone should also integrate with existing EIGRP route selection rules to ensure that the intersite traffic flow is affected only by configured routing policy. To achieve this when running EIGRP on the PE-CE links, the VPN routes are carried between sites and injected into receiving sites as internal EIGRP routes, with their original metrics unaltered. As with a regular multiprocess EIGRP setup, the exception to this behavior is when the originating site belongs to a different EIGRP autonomous system, or if the route originated from within a different routing protocol. This scenario is described in more detail later in this section.

Throughout this section, we'll use the EuroBank network, which is now running EIGRP as its internal routing protocol. EuroBank has chosen to run two EIGRP processes in its network: one for its U.S. sites (autonomous system 21) and one for its international sites (autonomous system 22). Figure 3-15 illustrates the EIGRP setup in the EuroBank network and its connectivity to the MPLS VPN backbone.

Figure 3-15. EIGRP PE-CE Connectivity Example

NOTE

Although it is not common, there are many valid reasons why someone would want to run several EIGRP processes in the network. Please refer to the EIGRP Network Design Solutions book for more details.

Figure 3-15 shows that the EuroBank VPN client has three sites; two are within autonomous system 21 (namely San Francisco and Washington), and one is within autonomous system 22 (Paris).

Because the MPLS VPN backbone is transparent to the EIGRP protocol, no EIGRP adjacencies are formed across the backbone, and no EIGRP updates or queries are sent between PE routers, resulting in better scalability of the overall EIGRP network.

Separation of EIGRP VPN Routing Information

As with all other PE-CE routing protocols, it is necessary to provide separation of routing information among different VPNs. Unlike the other protocols that have been described within this chapter, EIGRP makes use of routing contexts to provide separation. Routing contexts were described in detail in Volume 1 of MPLS and VPN Architectures (ISBN 1-58705-081-1), Chapter 9, "MPLS/VPN Architecture Overview." Example 3-31 shows an EIGRP process that is created for the default global routing table and specific contexts that are then created for individual VRFs via the use of address-families within the main process.

Example 3-31. Creation of EIGRP Routing Contexts

SanJose#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
SanJose(config)#router eigrp 1
SanJose(config-router)#address-family ipv4 vrf EuroBank
SanJose(config-router-af)#

After the relevant EIGRP VRF routing context has been created, you must configure the autonomous system number of the attached VPN site. You can achieve this by using the autonomous-system command, as shown in Example 3-32.

Example 3-32. Creation of VRF-Specific Autonomous System Number

SanJose(config-router-af)#autonomous-system 21

NOTE
In traditional EIGRP configuration, the EIGRP process number had to be equal to the EIGRP autonomous system number. When configuring EIGRP as the PE-CE routing protocol, each instance of the EIGRP protocol could use an autonomous system number (configured with the autonomous-system command) that was different from the EIGRP process number.


The final configuration step within the EIGRP VRF is to specify a list of networks for the routing process. You use the network command to achieve this. Example 3-33 shows the necessary commands for the San Francisco EuroBank site that is attached to the San Jose PE router.

Example 3-33. Specification of Networks Within the EIGRP Process

router eigrp 1
 !
 address-family ipv4 vrf EuroBank
  network 10.2.1.0 0.0.0.255
  network 192.168.2.12 0.0.0.3
  no auto-summary
  autonomous-system 21
 exit-address-family
!

NOTE

Example 3-33 shows that automatic summarization has been disabled through use of the no auto-summary command. The default EIGRP behavior is that automatic summarization is enabled. Automatic summarization might cause undesirable results in an MPLS VPN environment because a site would receive the same summary from multiple other sites and would therefore not be able to determine which site to use for a more specific route.

After the PE-CE link configuration has been successfully completed, an EIGRP neighbor relationship should exist between the PE router and CE router. You can see this by using the show ip eigrp vrf <vrf-name> neighbor command, as shown in Example 3-34. A summary of the topology can also be viewed by using the show ip eigrp vrf <vrf-name> topology summary command.

Example 3-34. Use of the show ip eigrp vrf neighbor Command

SanJose#show ip eigrp vrf EuroBank neighbor
IP-EIGRP neighbors for process 21
H   Address                 Interface   Hold Uptime   SRTT   RTO  Q  Seq Type
                                        (sec)         (ms)       Cnt Num
0   192.168.2.13            Se3/0/0       10 00:41:58    1   200  0  3

SanJose#show ip eigrp vrf EuroBank topology summary
IP-EIGRP Topology Table for AS(21)/ID(192.168.2.14) Routing Table: EuroBank
Head serial 1, next serial 5
2 routes, 0 pending replies, 0 dummies
IP-EIGRP(1) enabled on 1 interfaces, neighbors present on 1 interfaces
Quiescent interfaces:   Se3/0/0

At this point in the configuration, routes from the attached VPN site should be available at the PE router and should be installed within the local VRF routing table, as shown in Example 3-35.

Example 3-35. EIGRP Routes Within VRF Routing Table

SanJose#show ip route vrf EuroBank

Routing Table: EuroBank
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR

Gateway of last resort is not set

     10.0.0.0/32 is subnetted, 1 subnets
D       10.2.1.1 [90/2297856] via 192.168.2.13, 00:19:50, Serial3/0/0
     192.168.2.0/30 is subnetted, 1 subnets
C       192.168.2.12 is directly connected, Serial3/0/0

Example 3-35 shows that the 10.2.1.1/32 subnet, which is reachable at the EuroBank San Francisco CE router, is now available within the EuroBank VRF on the San Jose PE router.

Propagation of EIGRP Routes Within Multiprotocol BGP
After all the VPN site routes have been successfully received into the relevant VRF at the PE router, you must redistribute them from the VRF into Multiprotocol BGP so that other PE routers can have access to these routes. You can achieve this by using the redistribute command within the BGP address-family configuration, as shown in Example 3-36.

Example 3-36. Redistribution of EIGRP Routes into Multiprotocol BGP
router bgp 10
 !
 address-family ipv4 vrf EuroBank
  redistribute eigrp 21
  no auto-summary
  no synchronization
 exit-address-family
!

Example 3-37 confirms that the local EIGRP routes within the EuroBank VRF have been successfully redistributed into Multiprotocol BGP. The example shows the details for the loopback0 interface on the San Francisco CE router.

Example 3-37. Confirmation of Successful Redistribution into Multiprotocol BGP

SanJose#show ip bgp v vrf EuroBank 10.2.1.1
BGP routing table entry for 100:251:10.2.1.1/32, version 8
Paths: (1 available, best #1, table EuroBank)
  Advertised to non peer-group peers:
  192.168.1.14 194.22.15.3
  Local
    192.168.2.13 from 0.0.0.0 (194.22.15.2)
      Origin incomplete, metric 2297856, localpref 100, weight 32768,
      valid, sourced, best
      Extended Community: RT:1:793 0x8800:32768:0 0x8801:21:640000
        0x8802:65281:1657856 0x8803:65281:1500

Similarly to the OSPF and IS-IS case, a number of additional extended BGP communities (which you can see in the previous example) are used to propagate EIGRP metric and other route attributes with the Multiprotocol BGP update. The exact format of these BGP communities is described in the following section.

BGP Extended Community Attributes for EIGRP Routes

To provide a fully transparent transport of EIGRP routing information across the MPLS VPN backbone, six new extended BGP communities are defined to carry the EIGRP metric information across the Multiprotocol BGP backbone. These communities can propagate EIGRP autonomous system numbers, all five EIGRP metrics (bandwidth, delay, load, reliability, and MTU), and other attributes that are propagated in EIGRP updates for routes that are redistributed in EIGRP. Some examples of additional attributes include the administrator-defined tag, originating routing protocol, autonomous system number, and the route metric in the originating routing protocol. Table 3-2 shows the format of each of these attributes.

Table 3-2. EIGRP Extended Community Attributes

Table 3-2. EIGRP Extended Community Attributes

Category                    Type    Usage                                    Values
EIGRP Attributes Appended   0x8800  EIGRP route metric information appended  Flags + tag
EIGRP Metric Information    0x8801  EIGRP route metric information appended  Autonomous system + delay
                            0x8802  EIGRP route metric information           Reliability + hop + BW
                            0x8803  EIGRP route metric information           Reserve + load + MTU
EIGRP External Information  0x8804  EIGRP External route information         Remote autonomous system + remote ID
                            0x8805  EIGRP External route information         Remote protocol + remote metric

The EIGRP External Information Extended Community attributes carry the original protocol that the route was learned from. Several values are assigned to each of the relevant protocols, and these are shown in Table 3-3.

Table 3-3. EIGRP External Information Protocol Values

Protocol  Value
IGRP      1
EIGRP     2
Static    3
RIP       4
Hello     5
OSPF      6
IS-IS     7
EGP       8
BGP       9
IDRP      10

EIGRP-VRF Route Types
As the last step in achieving end-to-end EIGRP connectivity across the MPLS VPN backbone, the routes received by a PE router through Multiprotocol BGP must be redistributed into EIGRP and propagated to the CE routers. The redistribute command is used inside the VRF address family in the EIGRP process, as shown in Example 3-38. It is also highly recommended that you disable EIGRP's automatic route summarization with the no auto-summary command; otherwise, the routes that are transported across the Multiprotocol BGP backbone might be unintentionally summarized.

Example 3-38. Redistribution of MP-BGP Routes into EIGRP

router eigrp 1
 !
 address-family ipv4 vrf EuroBank
  redistribute bgp 10
  no auto-summary

The extended BGP communities that were attached to the Multiprotocol BGP route when the original EIGRP route was inserted into Multiprotocol BGP are used to ensure that the MPLS VPN backbone is transparent to EIGRP and that all EIGRP metric information is preserved between the sites. If the backbone were not transparent, then all intersite routes would be seen as external routes within the EIGRP topology. That is undesirable from a routing policy point of view.
The first decision that the PE router must make is whether to insert the redistributed route into the EIGRP topology table as an internal or external route. If the route were not redistributed into BGP from an EIGRP process (the EIGRP-specific extended BGP communities are not attached to the route), or if the route were redistributed from an EIGRP process with a different autonomous system number (the EIGRP autonomous system number that is configured in the VRF differs from the autonomous system number carried in the EIGRP Metric Information community), the route would be inserted into EIGRP as an external route. Otherwise, it would be inserted as an internal EIGRP route. The origin of the route also influences the rules that a receiving PE router follows for the generation of the EIGRP metrics:

• In the case of non-EIGRP routes, the PE router generates an External EIGRP route by using the default EIGRP metric. If no default metric exists, then the PE router does not generate a route toward the CE router.

• In the case of EIGRP routes that originate within the same autonomous system, the PE router generates an Internal EIGRP route by using the metrics contained within the Extended Community attributes.

• In the case of EIGRP routes that originate within a different autonomous system, the PE router generates an External EIGRP route by using the default metric. If the default metric does not exist, the route is not advertised toward the CE by using the Extended Community attribute information.
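The decoding of the EIGRP extended communities from Tables 3-2 and 3-3, followed by the receiving PE router's internal/external decision listed above, as an added Python example (not code from the book or from Cisco IOS). It parses the community list from the show output quoted earlier in this section; the byte split of the packed 16-bit fields (reliability/hop, reserve/load) and the composite-metric formula with default K values are assumptions taken from standard EIGRP, not stated on the page.

```python
"""Decode the EIGRP-specific BGP extended communities (Tables 3-2 and 3-3)
from a `show ip bgp vpnv4` line and apply the PE router's internal/external
decision. Added example; not code from the book or from Cisco IOS."""
import re

# Table 3-3: protocol values carried in the 0x8805 community.
EXTERNAL_PROTOCOLS = {1: "IGRP", 2: "EIGRP", 3: "Static", 4: "RIP", 5: "Hello",
                      6: "OSPF", 7: "IS-IS", 8: "EGP", 9: "BGP", 10: "IDRP"}

# IOS prints each extended community as 0xTYPE:hi:lo (hi = 16-bit field,
# lo = 32-bit field), as in the output quoted earlier in this section.
COMMUNITY_RE = re.compile(r"0x([0-9A-Fa-f]{4}):(\d+):(\d+)")

# Constructed sample: the community list from the show output above.
SAMPLE_LINE = ("valid, sourced, best Extended Community: RT:1:793 "
               "0x8800:32768:0 0x8801:21:640000 0x8802:65281:1657856 "
               "0x8803:65281:1500")


def decode_eigrp_communities(line):
    """Map the EIGRP communities in `line` to named attributes per Table 3-2.

    Assumption: where a 16-bit field packs two values (reliability + hop,
    reserve + load) the first-named value is the high byte.
    """
    attrs = {}
    for type_hex, hi, lo in COMMUNITY_RE.findall(line):
        ctype, hi, lo = int(type_hex, 16), int(hi), int(lo)
        if ctype == 0x8800:    # Flags + tag
            attrs["flags"], attrs["tag"] = hi, lo
        elif ctype == 0x8801:  # Autonomous system + delay
            attrs["as"], attrs["delay"] = hi, lo
        elif ctype == 0x8802:  # Reliability + hop + BW
            attrs["reliability"], attrs["hops"] = hi >> 8, hi & 0xFF
            attrs["bandwidth"] = lo
        elif ctype == 0x8803:  # Reserve + load + MTU
            attrs["reserved"], attrs["load"] = hi >> 8, hi & 0xFF
            attrs["mtu"] = lo
        elif ctype == 0x8804:  # Remote autonomous system + remote ID
            attrs["remote_as"], attrs["remote_id"] = hi, lo
        elif ctype == 0x8805:  # Remote protocol (Table 3-3) + remote metric
            attrs["remote_protocol"] = EXTERNAL_PROTOCOLS.get(hi, "unknown(%d)" % hi)
            attrs["remote_metric"] = lo
    return attrs


def composite_metric(attrs, k1=1, k2=0, k3=1, k4=0, k5=0):
    """Standard EIGRP composite metric (assumed, not stated on the page).

    The bandwidth and delay values in the communities are already the
    scaled (x256) quantities EIGRP carries in its updates, so with the
    default K values the metric is simply bandwidth + delay.
    """
    bw, delay = attrs["bandwidth"], attrs["delay"]
    metric = k1 * bw + (k2 * bw) // (256 - attrs["load"]) + k3 * delay
    if k5:
        metric = metric * k5 // (attrs["reliability"] + k4)
    return metric


def eigrp_vrf_route(attrs, vrf_as, default_metric=None):
    """Apply the receiving PE's rules from the list above.

    Returns ("internal" | "external", metric), or None when the PE does
    not generate a route toward the CE.
    """
    if "as" not in attrs:
        # Non-EIGRP origin: no EIGRP communities attached. External route
        # with the default metric, or nothing when no default metric exists.
        return None if default_metric is None else ("external", default_metric)
    if attrs["as"] == vrf_as:
        # Same EIGRP AS on both sides: internal route, metrics from the communities.
        return ("internal", composite_metric(attrs))
    # Different EIGRP AS: external route with the default metric; without one
    # the route is not advertised, as the text above states.
    return None if default_metric is None else ("external", default_metric)


if __name__ == "__main__":
    decoded = decode_eigrp_communities(SAMPLE_LINE)
    print(decoded)
    print(eigrp_vrf_route(decoded, vrf_as=21))  # ('internal', 2297856)
    print(eigrp_vrf_route(decoded, vrf_as=22))  # None: different AS, no default metric
```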

Summary
With the introduction of EIGRP and IS-IS protocols on the PE-CE links, Cisco Systems Inc. is now able to support all modern IP routing protocols within an MPLS VPN environment.
In addition to this, support for the OSPF protocol has been further enhanced so that the presence of backdoor backup links between customer sites no longer causes undesired effects. This is achieved through the use of sham-links that are configured between PE routers to which the customer sites that have backdoor links are connected, and the creation of routing adjacencies across these links.

The introduction of these new routing protocols is essential for the continued adoption of the MPLS VPN architecture and so that more complex customer routing topologies can be supported and migrated toward this type of solution.


Chapter 4. Virtual Router Connectivity
The individual components of the Multiprotocol Label Switching (MPLS) virtual private network (VPN) architecture offer network designers additional service capabilities beyond those originally envisioned in the MPLS VPN architecture. This chapter focuses on the virtual routing and forwarding (VRF) table capabilities built into Cisco IOS, such as the ability to do the following:

• Use the VRF functionality without using MPLS label imposition or Multiprotocol Border Gateway Protocol (BGP) extensions. (This is sometimes referred to as VRF-lite or multi-VRF functionality.)

• Build complex routing scenarios without being directly connected to the MPLS VPN backbone via a provider edge (PE) router.

• Perform network address translation (NAT) from multiple independent private address spaces into a single global address space within an individual router. (This functionality is called provider edge router NAT, or PE-NAT.)

• Connect multiple VPN customers to the same router interface by using the VRF selection based on source IP address feature.

Apart from the obvious uses in a test lab setup in which a single router can mimic a large number of independent devices, the multi-VRF functionality is commonly implemented in scenarios when several independent VPNs need to be connected to a single customer edge (CE) router. The traditional MPLS VPN architecture would require the conversion of such a CE router into a provider edge (PE) router. However, the CE router might be unable to run the full MPLS VPN functionality, usually due to memory or CPU limitations. Even if the CE router is capable of performing this functionality, the service provider might object to a customer router participating in the MPLS VPN backbone, or the end customer might require a more flexible topology so that it can isolate its internal VPNs.

Configuring Virtual Routers on CE Routers
Consider, for example, the EuroBank VPN network introduced in the previous chapters, which contains four sites (San Francisco, Washington, London, and Paris). Each site has a single CE router that participates in a simple VPN. Three of these sites are connected to the PE routers in San Jose, Washington, and Paris, and the London site is connected to the Paris site.

NOTE

If you are not yet familiar with the SuperCom/EuroBank case study, you can find the detailed setup used in this case study in Chapters 2, "Remote Access to an MPLS VPN," and 3, "PE-CE Routing Protocol Enhancements and Advanced Features."

Now imagine that EuroBank would like to introduce a level of separation between different departments within the organization. (For example, the trading floor in each site should be completely isolated from retail banking.)

NOTE

Isolation among departments or related companies is a common requirement in today's world of mergers, spin-offs, and acquisitions. For example, a company that is preparing to spin off one of its operations might start this process by isolating the relevant departments from the rest of the company. The request for interdepartment isolation could also be for security reasons. For example, a company that is developing highly secretive products as well as consumer goods would need to isolate the two production lines to maintain a level of confidentiality.

Due to the separation of the Trading and Retail departments, EuroBank is introducing a new addressing scheme, which is outlined in Table 4-1. This scheme adds addressing space for loopback interfaces on the CE routers, which was not required previously.

Table 4-1. New EuroBank IP Address Assignment

Department                                   Site           Subnet
EuroBank Trading                             San Francisco  10.2.1.0/25
                                             London         196.7.24.0/25
                                             Paris          196.7.25.0/25
                                             Washington     196.7.26.0/25
EuroBank Retail                              San Francisco  10.2.1.128/25
                                             London         196.7.24.128/25
                                             Paris          196.7.25.128/25
                                             Washington     196.7.26.125/25
Loopback interfaces for EuroBank CE routers  San Francisco  196.7.1.1/32
                                             London         196.7.1.4/32
                                             Paris          196.7.1.3/32
                                             Washington     196.7.1.2/32

To achieve its goal of organizational separation, EuroBank effectively needs to divide its intranet VPN into two independent department VPNs. EuroBank could implement this requirement in a number of ways:

• Use access lists to build a complex peer-to-peer VPN on top of the existing VPN network.

NOTE

Refer to Chapter 8 of MPLS and VPN Architectures (Volume I) (1-58705-081-1, Cisco Press, 2002) for more details on how to use access lists to build peer-to-peer VPNs.

• Deploy two CE routers in each site with two links going into the MPLS VPN backbone. Each CE router would then serve one of the VPNs, as shown in Figure 4-1.

Figure 4-1. Two CE Routers per EuroBank Site

• Turn the CE routers into PE routers and extend the MPLS VPN backbone to each individual site, as shown in Figure 4-2. The service provider might want to retain the full control of the PE routers and might not accept PE routers being installed on a customer site. In addition, the existing CE routers might need to be replaced with higher capacity devices (having more memory and faster CPU) to support the full load imposed on them by being part of the MPLS VPN backbone.

Figure 4-2. PE Router on the EuroBank Site

• Build a hierarchical VPN using the carrier's carrier model, which is described in detail in Chapter 6, "Large-Scale Routing and Multiple Service Provider Connectivity."

The easiest scenario to implement from the previous list would be the scenario in which two CE routers are deployed on each site. Unfortunately, this scenario involves higher acquisition costs (two CE routers need to be deployed) and operational costs (two links going into the MPLS VPN backbone).

In addition to the previous options, the multi-VRF functionality offers EuroBank another very cost-effective option. The CE router could have two independent routing entities, each one performing IP routing for one of the VPN customers, as illustrated in Figure 4-3.

Figure 4-3. Separation of the Trading and Retail Sites in a Single CE Router

Each VPN customer (Retail and Trading) would have its own IP address space, IP routing table, and IP routing process. (Routing Information Protocol, or RIP, is used in this example.) Each department could even have additional routers in its site. These routers would participate in their own routing domain, exchanging routing protocol data (in our case RIP updates) with the relevant routing instance in the CE router, which is similar to the setup in Figure 4-4.

Figure 4-4. CE Router Separation of Complex Sites

Figure 4-4 depicts an efficient use of multi-VRF functionality, which enables EuroBank to reduce its acquisition costs compared to other implementation options by not having to deploy multiple CE routers. However, the operational costs remain the same because the CE router still needs two separate links to the PE router (one for each VPN customer). More creativity is needed to reduce the operational costs:

• Frame Relay encapsulation can be deployed on the point-to-point serial links and Frame Relay subinterfaces can be used to emulate the two links. This approach can be used on any fixed serial link, including channelized interfaces, high-speed serial links, and optical links.

• VLAN encapsulation can be deployed if the PE-CE connection is implemented with Ethernet-type technology.

• IP tunnels can be configured between PE and CE routers to emulate two independent point-to-point links regardless of the underlying transport technology. Tunnels should generally be avoided due to the security reasons discussed in the "Linking the Virtual Router with the MPLS VPN Backbone" section later in this chapter, as well as for performance reasons and issues such as fragmentation of IP packets that are close to the maximum MTU size.

Assuming that EuroBank can use the Frame Relay approach, the configuration of the CE router becomes fairly simple, as demonstrated in the multi-VRF configuration of the San Francisco CE router displayed in Example 4-1.

Example 4-1. San Francisco CE Router Configuration

hostname SanFrancisco
!
ip subnet-zero
ip cef
!
ip vrf Retail
 rd 1:2
!
ip vrf Trading
 rd 1:1
!
interface Loopback0
 ip address 196.7.1.1 255.255.255.255
 no ip directed-broadcast
!
interface Ethernet0/0
 ip vrf forwarding Trading
 ip address 10.2.1.1 255.255.255.128
 no ip directed-broadcast
!
interface Ethernet0/1
 ip vrf forwarding Retail
 ip address 10.2.1.129 255.255.255.128
 no ip directed-broadcast
!
interface Serial0/0
 no ip address
 encapsulation frame-relay
!
interface Serial0/0.313 point-to-point
 description *** Link to PE_SanJose ***
 ip vrf forwarding Trading
 ip address 192.168.2.13 255.255.255.252
 frame-relay interface-dlci 313
!
interface Serial0/0.613 point-to-point
 description *** Second link to PE_SanJose ***
 ip vrf forwarding Retail
 ip address 192.168.2.17 255.255.255.252
 frame-relay interface-dlci 613
!
router rip
 version 2
 no auto-summary
 !
 address-family ipv4 vrf Trading
  version 2
  network 10.0.0.0
  network 192.168.2.0
  no auto-summary
 exit-address-family
 !
 address-family ipv4 vrf Retail
  version 2
  network 10.0.0.0
  network 192.168.2.0
  no auto-summary
 exit-address-family

The router configuration in Example 4-1 looks like a typical PE router configuration:

- Two virtual routing and forwarding tables (Trading and Retail) are defined for two VPN customers.
- A global loopback interface is configured.

NOTE
It is always advisable to configure at least one interface with an IP address that belongs to the router's global IP routing table; otherwise, a number of router functions that require a valid global IP address might not work. For example, if you want to use the BGP routing protocol for the VRF routing, the BGP process would not start because it cannot assign a router ID.

- Individual local-area network (LAN) and wide-area network (WAN) interfaces are assigned to VRFs.
- Two instances of RIP routing are configured, one for each VRF.

The configuration also contains a number of significant differences from the usual PE router configuration:

- MPLS is not configured, and no labels are assigned to the VRF routes.
- Multiprotocol BGP routing is not configured. There is no redistribution between the PE-CE routing protocol and Multiprotocol BGP.
- The incoming interface at the CE router is associated with a VRF, as is the CE router to PE router link. A normal PE router does not associate upstream links with a particular VRF.

The configuration on all the other PE routers and CE routers has to be modified to support the needs of the two EuroBank VPNs. The configuration from the San Jose PE router is included in Example 4-2.
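The separation that Example 4-1 provides holds only while every customer-facing interface on the shared CE is bound to the intended VRF: an interface that is left in the global table, or a VRF that has lost its PE-facing link, breaks the model without any error message. The script below is an added example, not code from the book, that audits a multi-VRF CE configuration offline for exactly those conditions. SAMPLE_CONFIG is a trimmed copy of the Example 4-1 configuration (RIP sections and descriptions omitted); the drop_vrf_binding helper constructs the failure case by unbinding Ethernet0/1.

```python
"""Offline audit of a multi-VRF CE configuration for VRF separation gaps.

Added example, not from the book. SAMPLE_CONFIG is a trimmed copy of the
San Francisco CE configuration in Example 4-1 (RIP sections omitted).
"""
import re
from collections import defaultdict

SAMPLE_CONFIG = """\
hostname SanFrancisco
!
ip vrf Retail
 rd 1:2
!
ip vrf Trading
 rd 1:1
!
interface Loopback0
 ip address 196.7.1.1 255.255.255.255
!
interface Ethernet0/0
 ip vrf forwarding Trading
 ip address 10.2.1.1 255.255.255.128
!
interface Ethernet0/1
 ip vrf forwarding Retail
 ip address 10.2.1.129 255.255.255.128
!
interface Serial0/0
 no ip address
 encapsulation frame-relay
!
interface Serial0/0.313 point-to-point
 ip vrf forwarding Trading
 ip address 192.168.2.13 255.255.255.252
 frame-relay interface-dlci 313
!
interface Serial0/0.613 point-to-point
 ip vrf forwarding Retail
 ip address 192.168.2.17 255.255.255.252
 frame-relay interface-dlci 613
!
"""

INTERFACE_RE = re.compile(r"^interface (\S+)")
VRF_DEF_RE = re.compile(r"^ip vrf (\S+)\s*$")


def parse_interfaces(config):
    """Map each interface stanza to its VRF binding and primary address."""
    interfaces, current = {}, None
    for line in config.splitlines():
        m = INTERFACE_RE.match(line)
        if m:
            current = m.group(1)
            interfaces[current] = {"vrf": None, "ip": None}
        elif not line.startswith(" "):
            current = None          # '!' or a global command ends the stanza
        elif current is not None:
            words = line.split()
            if words[:3] == ["ip", "vrf", "forwarding"]:
                interfaces[current]["vrf"] = words[3]
            elif words[:2] == ["ip", "address"]:
                interfaces[current]["ip"] = words[2]
    return interfaces


def audit(config):
    """Return a list of findings; an empty list means the separation holds."""
    findings = []
    vrfs = {m.group(1) for m in map(VRF_DEF_RE.match, config.splitlines()) if m}
    members = defaultdict(list)
    global_loopback = False
    for name, attrs in parse_interfaces(config).items():
        if attrs["ip"] is None:     # e.g. the unnumbered Frame Relay parent
            continue
        if attrs["vrf"] is None:
            if name.startswith("Loopback"):
                global_loopback = True   # the one global address the NOTE asks for
            else:
                findings.append(f"{name} ({attrs['ip']}) is in the global table: "
                                "customer traffic must never enter a multi-VRF CE unbound")
        elif attrs["vrf"] not in vrfs:   # IOS rejects this live; catches it offline
            findings.append(f"{name} references undefined VRF {attrs['vrf']}")
        else:
            members[attrs["vrf"]].append(name)
    if not global_loopback:
        findings.append("no global loopback: functions needing a global address "
                        "(e.g. a BGP router ID) may fail")
    for vrf in sorted(vrfs):
        wan = [i for i in members[vrf] if i.startswith("Serial")]
        lan = [i for i in members[vrf] if not i.startswith("Serial")]
        if not wan:
            findings.append(f"VRF {vrf} has no PE-facing link")
        if not lan:
            findings.append(f"VRF {vrf} has no LAN interface")
    return findings


def drop_vrf_binding(config, interface):
    """Build the failure case: remove 'ip vrf forwarding' from one interface."""
    out, current = [], None
    for line in config.splitlines():
        m = INTERFACE_RE.match(line)
        if m:
            current = m.group(1)
        elif not line.startswith(" "):
            current = None
        if current == interface and line.strip().startswith("ip vrf forwarding "):
            continue
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("clean config:", audit(SAMPLE_CONFIG) or "no findings")
    for finding in audit(drop_vrf_binding(SAMPLE_CONFIG, "Ethernet0/1")):
        print("broken config:", finding)
```

The WAN/LAN split is keyed on the Serial interface prefix because that is the PE-facing transport in this design; on an Ethernet or VLAN attachment the same check would key on the subinterface that carries the PE link instead.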
Example 4-2. Configuration of the San Jose PE Router

hostname PE_SanJose
!
ip vrf EuroBank_Retail
 rd 10:2512
 route-target export 10:2512
 route-target import 10:2512
!
ip vrf EuroBank_Trading
 rd 10:2511
 route-target export 10:2511
 route-target import 10:2511
!
interface Serial0/0.331 point-to-point
 description *** Link to EuroBank San Francisco ***
 ip vrf forwarding EuroBank_Trading
 ip address 192.168.2.14 255.255.255.252
 frame-relay interface-dlci 331
!
interface Serial0/0.631 point-to-point
 description *** Second Link to EuroBank San Francisco ***
 ip vrf forwarding EuroBank_Retail
 ip address 192.168.2.18 255.255.255.252
 frame-relay interface-dlci 631
!
router rip
 version 2
 !
 address-family ipv4 vrf EuroBank_Trading
  version 2
  redistribute bgp 10 metric transparent
  network 192.168.2.0
  no auto-summary
 exit-address-family
 !
 address-family ipv4 vrf EuroBank_Retail
  version 2
  redistribute bgp 10 metric transparent
  network 192.168.2.0
  no auto-summary
 exit-address-family
!
router bgp 10
 address-family ipv4 vrf EuroBank_Trading
  redistribute rip
 exit-address-family
 !
 address-family ipv4 vrf EuroBank_Retail
  redistribute rip
 exit-address-family
!

If you inspect the routing tables of the San Francisco CE router (displayed in Example 4-3), you can see that the global routing table contains only a single loopback interface, whereas the individual VRF routing tables possess the relevant routing information for the Trading and Retail groups of EuroBank.
Example 4-3. IP Routing Tables on the San Francisco Router

SanFrancisco#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       * - candidate default, U - per-user static route, o - ODR

Gateway of last resort is not set

     196.7.1.0 255.255.255.255 is subnetted, 1 subnets
C       196.7.1.1 is directly connected, Loopback0

SanFrancisco#show ip route vrf Trading

Routing Table: Trading
Codes: C - connected, S - static, I - IGRP, R - RIP, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       * - candidate default, U - per-user static route, o - ODR

Gateway of last resort is not set

     196.7.25.0 255.255.255.128 is subnetted, 1 subnets
R       196.7.25.0 [120/2] via 192.168.2.14, 00:00:06, Serial0/0.313
     196.7.24.0 255.255.255.128 is subnetted, 1 subnets
R       196.7.24.0 [120/3] via 192.168.2.14, 00:00:06, Serial0/0.313
     196.7.26.0 255.255.255.128 is subnetted, 1 subnets
R       196.7.26.0 [120/2] via 192.168.2.14, 00:00:06, Serial0/0.313
     10.0.0.0 255.255.255.128 is subnetted, 1 subnets
C       10.2.1.0 is directly connected, Ethernet0/0
     192.168.2.0 255.255.255.252 is subnetted, 4 subnets
R       192.168.2.40 [120/1] via 192.168.2.14, 00:00:07, Serial0/0.313
R       192.168.2.32 [120/1] via 192.168.2.14, 00:00:07, Serial0/0.313
R       192.168.2.48 [120/2] via 192.168.2.14, 00:00:07, Serial0/0.313
C       192.168.2.12 is directly connected, Serial0/0.313

SanFrancisco#show ip route vrf Retail

Routing Table: Retail
Codes: C - connected, S - static, I - IGRP, R - RIP, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       * - candidate default, U - per-user static route, o - ODR

Gateway of last resort is not set

     196.7.25.0 255.255.255.128 is subnetted, 1 subnets
R       196.7.25.128 [120/2] via 192.168.2.18, 00:00:20, Serial0/0.613
     196.7.24.0 255.255.255.128 is subnetted, 1 subnets
R       196.7.24.128 [120/3] via 192.168.2.18, 00:00:20, Serial0/0.613
     196.7.26.0 255.255.255.128 is subnetted, 1 subnets
R       196.7.26.128 [120/2] via 192.168.2.18, 00:00:20, Serial0/0.613
     10.0.0.0 255.255.255.128 is subnetted, 1 subnets
C       10.2.1.128 is directly connected, Ethernet0/1
     192.168.2.0 255.255.255.252 is subnetted, 4 subnets
R       192.168.2.44 [120/1] via 192.168.2.18, 00:00:20, Serial0/0.613
R       192.168.2.36 [120/1] via 192.168.2.18, 00:00:20, Serial0/0.613
R       192.168.2.52 [120/2] via 192.168.2.18, 00:00:20, Serial0/0.613
C       192.168.2.16 is directly connected, Serial0/0.613

Running OSPF in Virtual Router Scenarios
The previous example used RIP within the customer VPN for a simple reason: RIP is the simplest routing protocol to use in the multi-VRF scenarios. Using routing protocols with loop prevention mechanisms, such as Open Shortest Path First (OSPF) or Intermediate System-to-Intermediate System (IS-IS), requires additional configuration steps. The moment you configure the OSPF or IS-IS routing process and associate it with a VRF, the router starts behaving like a PE router and performs the loop prevention actions based on the setting of the down bit in OSPF or the up/down bit in IS-IS, as discussed in Chapter 3.

Assume that OSPF is introduced as the routing protocol in the trading department for EuroBank sites San Francisco and Washington, as shown in Figure 4-5.

Figure 4-5. OSPF in EuroBank Network

The relevant configuration of the San Francisco CE router is shown in Example 4-4.

Example 4-4. OSPF Configuration on the San Francisco CE Router

router ospf 1 vrf Trading
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0

With OSPF running inside a VRF, the CE router in San Francisco rejects all OSPF routes from sites that are not connected to the San Jose PE router. These routes would be received across the MPLS VPN backbone by the San Jose PE router and propagated to the San Francisco CE router through OSPF with the down bit set, as shown in Figure 4-6.

Figure 4-6. OSPF Update Propagation in EuroBank Network

The following sequence of events occurs when a route from the EuroBank Washington site is propagated through the MPLS VPN backbone toward the San Francisco CE router:

1. The OSPF process that is running in a VRF at the Washington CE router sends a type 1 (router) link-state advertisement (LSA) to the Washington PE router.
2. The Washington PE router redistributes the OSPF route into Multiprotocol BGP and appends OSPF-specific extended BGP communities to the route.
3. The San Jose PE router receives the Multiprotocol BGP route from the Washington PE router with OSPF-specific extended BGP communities.
4. The San Jose PE router redistributes the Multiprotocol BGP route into OSPF and sends it as a type 3 (summary) LSA toward the San Francisco CE router, with the down bit set in the LSA.
5. The San Francisco CE router acts as a PE router because the OSPF process is configured in the context of a VRF; therefore, the CE router receives but ignores the LSA because the LSA has the down bit set. As a result, the route announced in the LSA is not installed in the VRF routing table, and the destinations in Washington are not reachable from San Francisco.

You can verify this process by inspecting the VRF IP routing table on the San Francisco CE router. The only entries in the IP routing table are the OSPF external routes that originate from the Paris and London sites, as shown in Example 4-5. (PE routers do not set the down bit on these routes because the routes do not originate in an OSPF process and consequently do not carry OSPF communities in the Multiprotocol BGP update.)

Example 4-5. IP Routing Table in VRF Trading

SanFrancisco#show ip route vrf Trading

Routing Table: Trading
Codes: C - connected, S - static, I - IGRP, R - RIP, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       * - candidate default, U - per-user static route, o - ODR

Gateway of last resort is not set

     196.7.25.0 255.255.255.128 is subnetted, 1 subnets
O E2    196.7.25.0 [110/1] via 192.168.2.14, 00:02:39, Serial0/0.313
     196.7.24.0 255.255.255.128 is subnetted, 1 subnets
O E2    196.7.24.0 [110/2] via 192.168.2.14, 00:02:39, Serial0/0.313
     10.0.0.0 255.255.255.128 is subnetted, 1 subnets
C       10.2.1.0 is directly connected, Ethernet0/0
     192.168.2.0 255.255.255.252 is subnetted, 3 subnets
O E2    192.168.2.40 [110/1] via 192.168.2.14, 00:02:39, Serial0/0.313
O E2    192.168.2.48 [110/1] via 192.168.2.14, 00:02:39, Serial0/0.313
C       192.168.2.12 is directly connected, Serial0/0.313

Detailed investigation of the topology database of the OSPF process associated with the Trading VRF in the San Francisco router (shown in Example 4-6) shows the actual source of the problem. The LSA associated with the Washington subnets has the down bit set; therefore the San Francisco CE router ignores it and does not set the routing bit. The result is that the OSPF process will not transfer this subnet into the IP routing table even if the LSA would be considered and used in the SPF algorithm.

Example 4-6. OSPF LSA for Washington Subnet in Trading OSPF Process
SanFrancisco#show ip ospf 1 database summary 196.7.26.0

            OSPF Router with ID (192.168.2.13) (Process ID 1)

                Summary Net Link States (Area 0)

  LS age: 298
  Options: (No TOS-capability, DC, Downward)
  LS Type: Summary Links(Network)
  Link State ID: 196.7.26.0 (summary Network Number)
  Advertising Router: 192.168.2.14
  LS Seq Number: 80000002
  Checksum: 0xA87
  Length: 28
  Network Mask: 255.255.255.128
        TOS: 0  Metric: 74

To support the multi-VRF functionality in combination with OSPF, you must use a new command that disables the down bit check within the VRF-specific OSPF process. The command is described in Table 4-2.


Table 4-2. Configuring OSPF with Multi-VRF

Command Syntax: capability vrf-lite

Description: To suppress the PE-specific checks on a router when the OSPF process is associated with the VRF, use the capability vrf-lite command in router configuration mode. To restore the checks, use the no form of this command.

After configuring the capability vrf-lite command in each OSPF process on the San Francisco CE router (as shown in Example 4-7), the LSAs received from the San Jose PE router are installed in the VRF routing table (see Example 4-8) and the routing bit is set on these LSAs in the OSPF topology database (see Example 4-9).
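The down-bit decision described above, as an added example that is not part of the book or of Cisco IOS: a short Python script that parses summary LSAs out of constructed show ip ospf database summary output and reports which prefixes a VRF-associated OSPF process would refuse to use with and without capability vrf-lite. The first LSA in the sample copies the fields of Example 4-6; the second LSA (prefix 10.99.0.0, its checksum and metric) is made up for contrast, and the class and function names are illustrative, not IOS keywords.

```python
import re
from dataclasses import dataclass

# Constructed sample of 'show ip ospf 1 database summary' output. The first
# LSA copies the fields of Example 4-6; the second is invented for contrast
# and carries no Downward option.
SAMPLE_DB = """\
            OSPF Router with ID (192.168.2.13) (Process ID 1)

                Summary Net Link States (Area 0)

  LS age: 298
  Options: (No TOS-capability, DC, Downward)
  LS Type: Summary Links(Network)
  Link State ID: 196.7.26.0 (summary Network Number)
  Advertising Router: 192.168.2.14
  LS Seq Number: 80000002
  Checksum: 0xA87
  Length: 28
  Network Mask: 255.255.255.128
        TOS: 0  Metric: 74

  LS age: 120
  Options: (No TOS-capability, DC)
  LS Type: Summary Links(Network)
  Link State ID: 10.99.0.0 (summary Network Number)
  Advertising Router: 192.168.2.13
  LS Seq Number: 80000001
  Checksum: 0x1F2E
  Length: 28
  Network Mask: 255.255.255.0
        TOS: 0  Metric: 10
"""

# One summary LSA block, from its Options line to its Metric line.
LSA_RE = re.compile(
    r"Options: \((?P<opts>[^)]*)\).*?"
    r"Link State ID: (?P<id>[\d.]+).*?"
    r"Advertising Router: (?P<adv>[\d.]+).*?"
    r"Network Mask: (?P<mask>[\d.]+).*?"
    r"Metric: (?P<metric>\d+)",
    re.S,
)


@dataclass
class SummaryLsa:
    prefix: str
    mask: str
    adv_router: str
    metric: int
    options: tuple

    @property
    def down_bit(self) -> bool:
        # IOS prints the DN bit (RFC 4576: the high-order bit of the LSA
        # Options field, set by a PE on routes it learned through MP-BGP)
        # as the word "Downward" in the Options line.
        return "Downward" in self.options


def parse_summary_lsas(text):
    """Extract the summary LSAs from show output into SummaryLsa records."""
    return [
        SummaryLsa(m["id"], m["mask"], m["adv"], int(m["metric"]),
                   tuple(o.strip() for o in m["opts"].split(",")))
        for m in LSA_RE.finditer(text)
    ]


def routing_bit_set(lsa, vrf_lite):
    """Would a VRF-associated OSPF process use this LSA for routing?

    Without 'capability vrf-lite' the process applies the PE check: a summary
    LSA with the DN bit is treated as a route that already came from the
    MPLS VPN backbone and is ignored (no routing bit, nothing installed).
    With 'capability vrf-lite' that check is suppressed."""
    return vrf_lite or not lsa.down_bit


def ignored_prefixes(text, vrf_lite):
    """Prefixes whose summary LSAs would not reach the VRF routing table."""
    return [f"{lsa.prefix} {lsa.mask}" for lsa in parse_summary_lsas(text)
            if not routing_bit_set(lsa, vrf_lite)]


if __name__ == "__main__":
    for mode in (False, True):
        print(f"capability vrf-lite={mode}: ignored",
              ignored_prefixes(SAMPLE_DB, mode) or "nothing")
```

The check is also the reason capability vrf-lite belongs only on a multi-VRF CE: a PE relies on the DN bit to recognise routes that already came from the MPLS VPN backbone, and suppressing the check on a router that redistributes between the VRF OSPF process and MP-BGP would let those routes loop back into the backbone.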

Example 4-7. Correct OSPF Configuration on the San Francisco CE Router

router ospf 1 vrf Trading
 log-adjacency-changes
 capability vrf-lite
 network 0.0.0.0 255.255.255.255 area 0

Example 4-8. VRF Routing Table on the San Francisco CE Router

SanFrancisco#show ip route vrf Trading

Routing Table: Trading
Codes: C - connected, S - static, I - IGRP, R - RIP, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       * - candidate default, U - per-user static route, o - ODR

Gateway of last resort is not set

     196.7.25.0 255.255.255.128 is subnetted, 1 subnets
O E2    196.7.25.0 [110/1] via 192.168.2.14, 00:00:07, Serial0/0.313
     196.7.24.0 255.255.255.128 is subnetted, 1 subnets
O E2    196.7.24.0 [110/1] via 192.168.2.14, 00:00:07, Serial0/0.313
     196.7.26.0 255.255.255.128 is subnetted, 1 subnets
O IA    196.7.26.0 [110/138] via 192.168.2.14, 00:00:07, Serial0/0.313
     10.0.0.0 255.255.255.128 is subnetted, 1 subnets
C       10.2.1.0 is directly connected, Ethernet0/0
     192.168.2.0 255.255.255.252 is subnetted, 4 subnets
O E2    192.168.2.40 [110/1] via 192.168.2.14, 00:00:08, Serial0/0.313
O IA    192.168.2.32 [110/65] via 192.168.2.14, 00:00:08, Serial0/0.313
O E2    192.168.2.48 [110/1] via 192.168.2.14, 00:00:08, Serial0/0.313
C       192.168.2.12 is directly connected, Serial0/0.313

Example 4-9. LSA with Down Bit Set Is Used for IP Routing

SanFrancisco#show ip ospf 1 data summary 196.7.26.0

            OSPF Router with ID (192.168.2.13) (Process ID 1)

                Summary Net Link States (Area 0)

  Routing Bit Set on this LSA
  LS age: 1964
  Options: (No TOS-capability, DC, Downward)
  LS Type: Summary Links(Network)
  Link State ID: 196.7.26.0 (summary Network Number)
  Advertising Router: 192.168.2.14
  LS Seq Number: 80000008
  Checksum: 0xFD8D
  Length: 28
  Network Mask: 255.255.255.128
        TOS: 0  Metric: 74

Running BGP in Virtual Router Scenarios

Running BGP in a multi-VRF scenario should be relatively straightforward in most cases. The BGP implementation in Cisco IOS provides a rich set of features, including ignore-as and as-override functionality, that enable the PE router to cope with most BGP designs.

NOTE

The use of BGP in complex MPLS VPN routing scenarios is described in Chapter 11, "Provider Edge (PE) to Customer Edge (CE) Connectivity Options," of MPLS and VPN Architectures (Volume I).

The only potential problem might arise from the design requirement that a CE router serving multiple VPN customers must use different autonomous system numbers in each VRF. Assume that EuroBank wants to change the PE-CE routing protocol on the Paris CE router from RIP to BGP and that it requires autonomous system 65100 to be used for the Trading VPN and autonomous system 65200 to be used for the Retail VPN, as shown in Figure 4-7. This requirement cannot be easily implemented because Cisco IOS supports only a single BGP process with a single autonomous system number on any router.

Figure 4-7. CE Router with Two Different BGP Autonomous Systems
This requirement can be partially solved by using the local-as feature, which allows a BGP router to present itself as being in a different autonomous system on a per-neighbor basis. The relevant IP routing configuration of the Paris CE router is shown in Example 4-10.

The EuroBank design introduces a third autonomous system (65001) to be used on the Paris CE router. If you tried to reuse autonomous system 65100 or autonomous system 65200 as the router's BGP autonomous system number, the autonomous system path would indicate that destinations in one VPN are reachable through the other VPN, because the router's autonomous system number is always inserted in the autonomous system path.

Example 4-10. IP Routing Configuration of the Paris CE Router
router rip
 version 2
 !
 address-family ipv4 vrf Trading
  redistribute bgp 65001 metric transparent
 !
 address-family ipv4 vrf Retail
  redistribute bgp 65001 metric transparent
!
router bgp 65001
 !
 address-family ipv4 vrf Trading
  redistribute rip
  neighbor 192.168.2.42 remote-as 10
  neighbor 192.168.2.42 local-as 65100
 !
 address-family ipv4 vrf Retail
  redistribute rip
  neighbor 192.168.2.46 remote-as 10
  neighbor 192.168.2.46 local-as 65200

The local-as feature permits the BGP session to be established because the BGP autonomous system numbers exchanged in the BGP open messages match the autonomous system numbers expected by the remote BGP peer. The BGP updates sent from the CE router to the PE router, however, contain two autonomous system numbers prepended to the autonomous system path: the autonomous system number configured in the BGP routing process and the autonomous system number configured with the local-as command. The resulting BGP table on the Paris PE router is shown in Example 4-11.

Example 4-11. Multiprotocol BGP Table on PE_Paris
PE_Paris#show ip bgp vpnv4 all regexp 65
BGP table version is 88, local router ID is 194.22.15.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 10:2511 (default for vrf EuroBank_Trading)
*> 192.168.2.40/30  192.168.2.41             0             0 65100 65001 ?
*> 192.168.2.48/30  192.168.2.41             0             0 65100 65001 ?
*> 196.7.24.0/25    192.168.2.41             1             0 65100 65001 ?
*> 196.7.25.0/25    192.168.2.41             0             0 65100 65001 ?
Route Distinguisher: 10:2512 (default for vrf EuroBank_Retail)
*> 192.168.2.44/30  192.168.2.45             0             0 65200 65001 ?
*> 192.168.2.52/30  192.168.2.45             0             0 65200 65001 ?
*> 196.7.24.128/25  192.168.2.45             1             0 65200 65001 ?
*> 196.7.25.128/25  192.168.2.45             0             0 65200 65001 ?

Similarly, the CE router prepends the autonomous system number configured with the neighbor local-as command to all incoming BGP updates, as shown in Example 4-12.

Example 4-12. Local Autonomous System Number Prepended to Incoming BGP Updates
Paris#show ip bgp vpnv4 vrf Trading
BGP table version is 56, local router ID is 192.168.252.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 1:1 (default for vrf Trading)
*> 192.168.2.12/30  192.168.2.42                           0 65100 10 ?
*> 192.168.2.32/30  192.168.2.42                           0 65100 10 ?
*> 192.168.2.40/30  0.0.0.0                  0         32768 ?
*> 192.168.2.48/30  0.0.0.0                  0         32768 ?
*> 196.7.24.0/25    192.168.2.50             1         32768 ?
*> 196.7.25.0/25    0.0.0.0                  0         32768 ?
*> 196.7.26.0/25    192.168.2.42                           0 65100 10 ?

The presence of an extra autonomous system number in the autonomous system path might interfere with the BGP loop prevention code in other C routers. These routers would reject the incoming BGP update if the autonomous system number that is configured with the neighbor local-as command on the CE router equals their BGP autonomous system number, as demonstrated in Figure 4-8.
Figure 4-8. BGP Update Ignored Due to Extra Autonomous System Number in the Autonomous System Path

The following sequence of events occurs in Figure 4-8:

1. The PE router sends a VPN prefix to the CE router through BGP. Because the prefix was redistributed into BGP on another PE router, the autonomous system path contains only the provider's autonomous system number (10).

2. A virtual autonomous system number is inserted into the autonomous system path due to the behavior of the neighbor local-as command before the BGP prefix is inserted into the BGP table on the Paris CE router. Therefore, the BGP entry in the Paris CE router contains autonomous system path 65100 10.

3. The BGP prefix is propagated to a C router in the Paris Trading site. The real autonomous system number of the Paris CE router is prepended to the autonomous system path, resulting in an autonomous system path of 65001 65100 10.

4. The Paris Trading C router rejects the BGP update because the BGP update contains its own autonomous system number (65100).

This issue was solved in Cisco IOS release 12.2T and 12.0ST with an additional option of the neighbor local-as command, described in Table 4-3.

Table 4-3. Disabling Prepending of neighbor local-as Autonomous System Number on Incoming BGP Updates

Command Syntax: neighbor ip-address local-as as-number [no-prepend]

Description: Configures the router not to prepend the local autonomous system number to routes that are received from external peers.

The no-prepend option of the neighbor local-as command prevents a BGP router with neighbor local-as configured on a BGP neighbor from prepending the neighbor local-as autonomous system number to incoming BGP updates. The usage of this command on the Paris CE router (the configuration is shown in Example 4-13) results in the desired BGP routing table, which is displayed in Example 4-14.
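The AS-path behaviour of neighbor local-as with and without no-prepend, as an added example that is not part of the book or of Cisco IOS: a Python model of the four steps of Figure 4-8, of the outbound direction shown in Example 4-11, and of why the Paris CE needs a third autonomous system. The autonomous system numbers are the page's (10, 65001, 65100, 65200); the function names are illustrative, and the model ignores everything about BGP except AS_PATH handling and eBGP loop detection.

```python
PROVIDER_AS = 10
CE_REAL_AS = 65001        # router bgp 65001 on the Paris CE
TRADING_LOCAL_AS = 65100  # neighbor 192.168.2.42 local-as 65100 (Trading VRF)
RETAIL_LOCAL_AS = 65200   # neighbor 192.168.2.46 local-as 65200 (Retail VRF)
C_ROUTER_AS = 65100       # the Trading site's C router genuinely runs AS 65100


def ce_receives(path, local_as, no_prepend=False):
    """AS_PATH the CE stores for an update received from a peer configured
    with 'neighbor X local-as <local_as> [no-prepend]' (Figure 4-8, step 2)."""
    return list(path) if no_prepend else [local_as, *path]


def ce_advertises_to_pe(path, local_as, real_as=CE_REAL_AS):
    """Outbound towards the local-as peer: the real AS is prepended as always,
    then the local-as in front of it, so the PE sees the AS it peers with
    first (Example 4-11). 'no-prepend' does not change this direction."""
    return [local_as, real_as, *path]


def ce_advertises_to_c_router(path, real_as=CE_REAL_AS):
    """Outbound to an ordinary eBGP peer such as a site C router: only the
    real AS is prepended (step 3)."""
    return [real_as, *path]


def ebgp_accepts(path, my_as):
    """Standard eBGP loop prevention: drop an update carrying our own AS."""
    return my_as not in path


def trading_site_scenario(no_prepend):
    """Walk the four steps of Figure 4-8; return (path at C router, accepted)."""
    from_pe = [PROVIDER_AS]                                           # step 1
    in_ce_table = ce_receives(from_pe, TRADING_LOCAL_AS, no_prepend)  # step 2
    to_c = ce_advertises_to_c_router(in_ce_table)                     # step 3
    return to_c, ebgp_accepts(to_c, C_ROUTER_AS)                      # step 4


def reuse_of_vpn_as_leaks(real_as):
    """Why the CE needs a third AS (65001): if its real AS were one of the VPN
    AS numbers, Retail routes sent to the Retail PE would carry the Trading AS
    (or vice versa), suggesting one VPN is reachable through the other."""
    retail_path = ce_advertises_to_pe([], RETAIL_LOCAL_AS, real_as)
    trading_path = ce_advertises_to_pe([], TRADING_LOCAL_AS, real_as)
    return TRADING_LOCAL_AS in retail_path or RETAIL_LOCAL_AS in trading_path


if __name__ == "__main__":
    for flag in (False, True):
        path, ok = trading_site_scenario(flag)
        print(f"no-prepend={flag}: C router sees {path}, "
              f"{'accepts' if ok else 'rejects'} the update")
    print("PE_Paris sees Trading routes with path",
          ce_advertises_to_pe([], TRADING_LOCAL_AS))
    print("reusing 65100 as the CE AS leaks one VPN into the other:",
          reuse_of_vpn_as_leaks(65100))
```

Running the script shows the C router rejecting 65001 65100 10 and accepting 65001 10, which is the difference between Example 4-12 and Example 4-14; the path the PE receives stays 65100 65001 either way, because no-prepend only affects what the CE does with incoming updates.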
Example 4-13. Disabling Local Autonomous System Prepending on Incoming BGP Updates

router bgp 65001
 !
 address-family ipv4 vrf Trading
  neighbor 192.168.2.42 local-as 65100 no-prepend
 !
 address-family ipv4 vrf Retail
  neighbor 192.168.2.46 local-as 65200 no-prepend

Example 4-14. VRF BGP Routes on the Paris CE Router
Paris#show ip bgp vpnv4 all
BGP table version is 75, local router ID is 192.168.252.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 1:1 (default for vrf Trading)
*> 10.2.1.0/25      192.168.2.42                           0 10 ?
*> 192.168.2.12/30  192.168.2.42                           0 10 ?
*> 192.168.2.32/30  192.168.2.42                           0 10 ?
*> 192.168.2.40/30  0.0.0.0                  0         32768 ?
*> 192.168.2.48/30  0.0.0.0                  0         32768 ?
*> 196.7.24.0/25    192.168.2.50             1         32768 ?
*> 196.7.25.0/25    0.0.0.0                  0         32768 ?
*> 196.7.26.0/25    192.168.2.42                           0 10 ?
Route Distinguisher: 1:2 (default for vrf Retail)
*> 10.2.1.129/32    192.168.2.46                           0 10 ?
*> 192.168.2.16/30  192.168.2.46                           0 10 ?
*> 192.168.2.36/30  192.168.2.46                           0 10 ?
*> 192.168.2.44/30  0.0.0.0                  0         32768 ?
*> 192.168.2.52/30  0.0.0.0                  0         32768 ?
*> 196.7.24.128/25  192.168.2.54             1         32768 ?
*> 196.7.25.128/25  0.0.0.0                  0         32768 ?
*> 196.7.26.129/32  192.168.2.46                           0 10 ?

Complex Virtual Router Setups

The multi-VRF examples introduced so far have implemented simple VPN topologies where the individual VPNs and associated VRFs were completely isolated. By using additional MPLS VPN-related Cisco IOS features, you can extend these scenarios to more complex topologies implemented within a single CE router, while remaining isolated from the complexities of the MPLS VPN backbone.

Consider another request of the EuroBank customer, which is illustrated in Figure 4-9. The trading floor and retail banking in the San Francisco site must be clearly separated, but they require access to a common file server that is located at the same site. This server must not be reachable by trading or retail employees located at other sites.
Part II describes advanced MPLS VPN connectivity including the integration of service provider access technologiesFrancisco Connectivity Requirements Figure 4-9. San (dial, DSL, cable, Ethernet) and a variety of routing protocols (IS-IS, EIGRP, and OSPF), arming the reader with the knowledge of how to integrate these features into the VPN backbone. Part III details advanced deployment issues including security, outlining the necessary steps the service provider must take to protect the backbone and any attached VPN sites, and also detailing the latest security features to allow more advanced topologies and filtering. This part also covers multi-carrier MPLS VPN deployments. Finally, Part IV provides a methodology for advanced MPLS VPN troubleshooting. MPLS and VPN Architectures, Volume II , also introduces the latest advances in customer integration, security, and troubleshooting features essential to providing the advanced

The connectivity requirements are easily implemented with the overlapping VPN topology introduced in Chapter 12, "Advanced MPLS/VPN Topologies" of MPLS and VPN Architectures (Volume I). The initial approach to the San Francisco CE router configuration would involve configuring three VRFs with appropriate route distinguishers and route targets, as shown in Example 4-15.

Example 4-15. Overlapping VPN Configuration on the San Francisco CE Router

ip vrf CommonServer
 rd 1:3
 route-target export 1:3
 route-target import 1:3
 route-target import 1:1
 route-target import 1:2
!
ip vrf Retail
 rd 1:2
 route-target export 1:2
 route-target import 1:3
 route-target import 1:2
!
ip vrf Trading
 rd 1:1
 route-target export 1:1
 route-target import 1:3
 route-target import 1:1

After properly configuring all the VRFs and the route targets, you would probably be surprised to learn that the routes are not propagated between VRFs—a result of the fact that the inter-VRF route import and export works only through Multiprotocol BGP. To enable the route propagation between these VRFs, you must configure the BGP routing process on the CE router and redistribute the VRF routes into the per-VRF BGP address family. You must perform these configuration steps even though BGP is not used for peering sessions or for advertisement of routes to other routers.

NOTE

Configuration of a VPNv4 address family is not required because the CE router does not peer with VPNv4 BGP neighbors.

When this redistribution is configured (shown in Example 4-16), the routes are imported into the desired VRFs, as Example 4-17 demonstrates.

Example 4-16. BGP Configuration on the San Francisco CE Router

router bgp 65002
 address-family ipv4 vrf Trading
  redistribute connected
 !
 address-family ipv4 vrf Retail
  redistribute connected
 !
 address-family ipv4 vrf CommonServer
  redistribute connected
Example 4-17. VRF Routing Table on the San Francisco CE Router

SanFrancisco#show ip route vrf CommonServer

Routing Table: CommonServer
Codes: C - connected, S - static, I - IGRP, R - RIP, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       * - candidate default, U - per-user static route, o - ODR

Gateway of last resort is not set

     10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
B       10.2.1.0/25 is directly connected, 00:07:41, Ethernet0/0
C       10.2.2.0/24 is directly connected, Ethernet0/2
B       10.2.1.128/25 is directly connected, 00:07:41, Ethernet0/1
     192.168.2.0/30 is subnetted, 2 subnets
B       192.168.2.12 is directly connected, 00:07:41, Serial0/0.313
B       192.168.2.16 is directly connected, 00:07:41, Serial0/0.613

The configuration in Example 4-16 covers a simple setup with no C routers; therefore, the redistribution of connected routes into Multiprotocol BGP satisfies the design requirements. If the trading or retail site would contain additional C routers, the routing protocol used with these C routers would have to be redistributed into Multiprotocol BGP.
More in-depth exploration of the data structures on the San Francisco CE router reveals that the behavior of the San Francisco CE router more closely mimics the behavior of a PE router even though it remains a standalone multi-VRF device:

- There are multiple instances of the same BGP route with different route distinguishers, as shown in Example 4-18.

NOTE

Local copies of the BGP route with route distinguishers equal to the VRF route distinguishers are generated automatically during the import process.

Example 4-18. Multiprotocol BGP Table on the San Francisco CE Router

SanFrancisco#show ip bgp vpnv4 all
BGP table version is 17, local router ID is 196.7.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 1:1 (default for vrf Trading)
*> 10.2.1.0/25      0.0.0.0                  0         32768 ?
*> 10.2.2.0/24      0.0.0.0                  0         32768 ?
*> 192.168.2.12/30  0.0.0.0                  0         32768 ?
Route Distinguisher: 1:2 (default for vrf Retail)
*> 10.2.1.128/25    0.0.0.0                  0         32768 ?
*> 10.2.2.0/24      0.0.0.0                  0         32768 ?
*> 192.168.2.16/30  0.0.0.0                  0         32768 ?
Route Distinguisher: 1:3 (default for vrf CommonServer)
*> 10.2.1.0/25      0.0.0.0                  0         32768 ?
*> 10.2.1.128/25    0.0.0.0                  0         32768 ?
*> 10.2.2.0/24      0.0.0.0                  0         32768 ?
*> 192.168.2.12/30  0.0.0.0                  0         32768 ?
*> 192.168.2.16/30  0.0.0.0                  0         32768 ?

- Labels are allocated to the VRF routes (see Example 4-19) even though MPLS is not configured on an interface and no Multiprotocol BGP neighbors are configured.

Example 4-19. MPLS Forwarding Table on the San Francisco CE Router

SanFrancisco#show mpls forwarding-table

Local  Outgoing    Prefix              Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id        switched   interface
16     Aggregate   10.2.1.0/25[V]      0
17     Aggregate   192.168.2.12/30[V]  0
18     Aggregate   10.2.1.128/25[V]    0
19     Aggregate   192.168.2.16/30[V]  0
20     Aggregate   10.2.2.0/24[V]      0
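The route-target logic behind Examples 4-15 through 4-18 can be checked outside a router. The following Python model is an added example, not code from the book or from Cisco IOS: it takes the three VRFs with the RDs, route targets and connected prefixes shown on the page, performs the export and import that Multiprotocol BGP performs on the CE router, and reproduces the per-VRF routing tables of Example 4-17 and the per-RD BGP table of Example 4-18. The data structures are a deliberate simplification (not IOS internals); the `redistribute_connected` switch models the situation described before Example 4-16, where route targets are configured but nothing is redistributed into BGP, so no route crosses a VRF boundary.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Vrf:
    """One VRF as configured in Example 4-15, plus the prefixes that
    'redistribute connected' (Example 4-16) hands to BGP."""
    name: str
    rd: str
    export_rts: FrozenSet[str]
    import_rts: FrozenSet[str]
    connected: Tuple[str, ...]


@dataclass(frozen=True)
class VpnRoute:
    """A VPNv4 route: RD + prefix, carrying its route-target extended communities."""
    rd: str
    prefix: str
    rts: FrozenSet[str]


# VRF definitions taken from Example 4-15 (RD, route targets) and from the
# connected routes visible in Examples 4-17 and 4-18.
SAN_FRANCISCO_VRFS: Tuple[Vrf, ...] = (
    Vrf("Trading", "1:1", frozenset({"1:1"}), frozenset({"1:3", "1:1"}),
        ("10.2.1.0/25", "192.168.2.12/30")),
    Vrf("Retail", "1:2", frozenset({"1:2"}), frozenset({"1:3", "1:2"}),
        ("10.2.1.128/25", "192.168.2.16/30")),
    Vrf("CommonServer", "1:3", frozenset({"1:3"}), frozenset({"1:3", "1:1", "1:2"}),
        ("10.2.2.0/24",)),
)


def export_routes(vrfs, redistribute_connected=True) -> List[VpnRoute]:
    """Export step: each redistributed prefix becomes a VPNv4 route keyed by the
    VRF RD and tagged with the VRF's export route targets. Without the
    'redistribute connected' statements nothing reaches BGP, which is why
    configuring route targets alone (Example 4-15) propagates no routes."""
    if not redistribute_connected:
        return []
    return [VpnRoute(v.rd, p, v.export_rts) for v in vrfs for p in v.connected]


def import_routes(vrfs, vpn_table) -> Dict[str, List[str]]:
    """Import step: a VRF accepts every VPNv4 route carrying at least one of its
    import route targets. The accepted copy is re-keyed with the importing
    VRF's own RD, which is why Example 4-18 lists 10.2.2.0/24 under RD 1:1,
    1:2 and 1:3. Returns prefixes per RD, like 'show ip bgp vpnv4 all'."""
    per_rd: Dict[str, List[str]] = {}
    for v in vrfs:
        accepted = {VpnRoute(v.rd, r.prefix, r.rts)
                    for r in vpn_table if r.rts & v.import_rts}
        per_rd[v.rd] = sorted(r.prefix for r in accepted)
    return per_rd


def routing_table(vrf, imported) -> Dict[str, str]:
    """Per-VRF routing table as in Example 4-17: the VRF's own interfaces show
    as 'C' (connected), prefixes imported from other VRFs as 'B' (BGP)."""
    table = {p: "C" for p in vrf.connected}
    for p in imported:
        table.setdefault(p, "B")
    return dict(sorted(table.items()))


def bgp_vpnv4_table(redistribute_connected=True) -> Dict[str, List[str]]:
    """The CE router's Multiprotocol BGP table, keyed by route distinguisher."""
    return import_routes(SAN_FRANCISCO_VRFS,
                         export_routes(SAN_FRANCISCO_VRFS, redistribute_connected))


def san_francisco(redistribute_connected=True) -> Dict[str, Dict[str, str]]:
    """Routing table of every VRF on the San Francisco CE router."""
    per_rd = bgp_vpnv4_table(redistribute_connected)
    return {v.name: routing_table(v, per_rd[v.rd]) for v in SAN_FRANCISCO_VRFS}


if __name__ == "__main__":
    for name, table in san_francisco().items():
        print(f"Routing Table: {name}")
        for prefix, code in table.items():
            print(f"{code}  {prefix}")
```

Running the script prints the three VRF tables; `san_francisco(redistribute_connected=False)` shows each VRF holding only its own connected routes, and `bgp_vpnv4_table()` shows the same prefix appearing under every RD that imported it. The isolation property the design requires is the absence of Retail prefixes in the Trading table (and vice versa), which the model lets you assert directly.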


Linking the Virtual Router with the MPLS VPN Backbone
The configuration examples in the previous section used the simplest possible connectivity between the multi-VRF CE router and the PE router: Frame Relay subinterfaces. This connectivity type or other connectivity types where you could configure subinterfaces on the same physical interface (such as VLAN-based Ethernet, Fast Ethernet, or Gigabit Ethernet connectivity) are highly recommended because they are simple to configure and produce almost no undesired side effects (apart from the IP quality of service, or QoS, configuration that might be more complex than an equivalent connection on a point-to-point link). There are, however, several new access technologies, such as cable networks, that do not allow you to configure multiple subinterfaces between a pair of routers. In these scenarios, generic routing encapsulation (GRE) tunnels can be used to establish multiple virtual links between the adjacent routers.

GRE Refresher
The GRE technology is used in Cisco IOS to tunnel a variety of different protocols across a generic IP backbone. GRE tunnels are configured as regular tunnel interfaces in Cisco IOS and are established between two IP addresses: tunnel source and tunnel destination. After the tunnel is configured and operational, it behaves exactly like a point-to-point link from the routing perspective. Routing protocols (or static routing) are run over the tunnel, routes are exchanged and installed in the IP routing table, and the traffic can start to flow over the tunnel.

When the tunnel interface appears as the next-hop interface in the IP routing and forwarding tables, packets can be routed into the tunnel. These packets are encapsulated in another IP datagram with the source and destination address set to the configured tunnel source and destination. The IP protocol type in the IP header is set to 47 to indicate that the IP datagram carries a GRE-encapsulated packet.

The packets with IP protocol type 47 received by a router are processed as follows:

- The IP source address is compared to the tunnel destination that is configured on tunnel interfaces to find the corresponding tunnel interface.

- After the tunnel interface is found, the tunnel key (if it is configured) is compared to the corresponding value in the IP datagram. If the values do not match, the packet is dropped.

NOTE

The tunnel key does not significantly increase the security of the tunneled data because it is a simple clear-text value (similar to an SNMP community string). The tunnel key should be used primarily to prevent configuration mismatches.

- The packet is processed as if it arrived through the point-to-point link (tunnel interface).
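To make the receive-side steps above concrete, here is an added Python model of GRE encapsulation and demultiplexing. It is not code from the book and not how IOS implements the feature; it builds an outer IPv4 header plus GRE header (RFC 2784 base header, RFC 2890 key field) around a payload, then classifies incoming protocol-47 datagrams exactly as the three steps describe: match the outer source to a configured tunnel destination, compare the tunnel key, and accept the packet on that tunnel interface. The tunnel names, the 192.0.2.x / 198.51.100.x addresses and the key values are constructed for the example. Because the parser reads the key straight off the wire, the model also shows why the note above calls the key a clear-text value; `gre_max_payload` is the overhead arithmetic behind the later note about reduced payload size and fragmentation.

```python
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional, Tuple

GRE_PROTOCOL = 47           # IP protocol number announcing a GRE payload
GRE_FLAG_CHECKSUM = 0x8000  # C bit: 4 bytes of checksum/reserved follow (RFC 2784)
GRE_FLAG_KEY = 0x2000       # K bit: 4-byte key follows (RFC 2890)
GRE_FLAG_SEQ = 0x1000       # S bit: 4-byte sequence number follows (RFC 2890)
IPV4_HEADER_LEN = 20


@dataclass(frozen=True)
class Tunnel:
    """A configured tunnel interface: name, tunnel source/destination and
    optional tunnel key (hypothetical values, constructed for this example)."""
    name: str
    source: str
    destination: str
    key: Optional[int] = None


# Two parallel tunnels terminating on the same remote router (192.0.2.10).
# They differ only in their local source address; that difference is what
# step 1 below uses to tell them apart.
TUNNELS: Tuple[Tunnel, ...] = (
    Tunnel("Tunnel0", source="192.0.2.1", destination="192.0.2.10", key=1001),
    Tunnel("Tunnel1", source="192.0.2.2", destination="192.0.2.10", key=1002),
)


def build_gre_packet(src: str, dst: str, payload: bytes, key: Optional[int] = None,
                     inner_proto: int = 0x0800) -> bytes:
    """Outer IPv4 header + GRE header + payload, the way a tunnel endpoint
    encapsulates a routed packet. The IP checksum is left zero: this is
    constructed test data, not a datagram a real stack would emit."""
    flags = GRE_FLAG_KEY if key is not None else 0
    gre = struct.pack("!HH", flags, inner_proto)
    if key is not None:
        gre += struct.pack("!I", key)
    total_len = IPV4_HEADER_LEN + len(gre) + len(payload)
    outer = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, GRE_PROTOCOL, 0,
                        IPv4Address(src).packed, IPv4Address(dst).packed)
    return outer + gre + payload


def parse_gre(packet: bytes) -> dict:
    """Parse the outer IPv4 and GRE headers. Everything here, the key included,
    is read straight off the wire; nothing about the key is secret."""
    if packet[9] != GRE_PROTOCOL:
        raise ValueError("not a GRE datagram (IP protocol %d)" % packet[9])
    ihl = (packet[0] & 0x0F) * 4
    src, dst = str(IPv4Address(packet[12:16])), str(IPv4Address(packet[16:20]))
    flags, inner_proto = struct.unpack("!HH", packet[ihl:ihl + 4])
    offset = ihl + 4
    if flags & GRE_FLAG_CHECKSUM:
        offset += 4
    key = None
    if flags & GRE_FLAG_KEY:
        key = struct.unpack("!I", packet[offset:offset + 4])[0]
        offset += 4
    if flags & GRE_FLAG_SEQ:
        offset += 4
    return {"src": src, "dst": dst, "key": key,
            "inner_proto": inner_proto, "payload": packet[offset:]}


def classify(packet: bytes, tunnels=TUNNELS) -> Tuple[str, str]:
    """The receive-side steps from the refresher:
    1. match the outer source to a tunnel destination (and the outer
       destination to that tunnel's source, so two parallel tunnels from one
       remote router land on different interfaces);
    2. compare the tunnel key and drop on mismatch;
    3. hand the inner packet to the tunnel interface as a point-to-point link."""
    hdr = parse_gre(packet)
    for t in tunnels:
        if hdr["src"] == t.destination and hdr["dst"] == t.source:
            if t.key != hdr["key"]:
                return ("drop", "tunnel key mismatch on " + t.name)
            return ("accept", t.name)
    return ("drop", "no tunnel configured for source " + hdr["src"])


def gre_max_payload(link_mtu: int, key: bool) -> int:
    """Largest inner datagram that fits without fragmentation: the outer IPv4
    header and the GRE header (plus the key field, if used) consume MTU."""
    return link_mtu - IPV4_HEADER_LEN - 4 - (4 if key else 0)


if __name__ == "__main__":
    pkt = build_gre_packet("192.0.2.10", "192.0.2.1", b"inner packet", key=1001)
    print(classify(pkt))
    print(classify(build_gre_packet("198.51.100.7", "192.0.2.1", b"x", key=1001)))
```

The second call in the usage block shows the only protection the lookup gives: a datagram from an address that is not a configured tunnel destination is dropped, but a datagram that spoofs a known endpoint and carries the (observable) key is accepted. That is why the text recommends IP access lists on the global interfaces that carry tunnel traffic rather than relying on the key.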

GRE Tunnels in the MPLS VPN Architecture
The GRE tunnels can be freely combined with the MPLS VPN architecture as long as you maintain the following rules:

- A tunnel interface can be configured to belong to a VRF. Such a tunnel can then be used to establish intra-VRF connectivity across an IP backbone. In this case, the backbone would not necessarily require MPLS to be enabled nor would it require the full feature set of an MPLS VPN deployment. The same concept can be applied to establish multiple logical links over a single physical link between a PE router and a CE router.

- Tunnel interfaces within the backbone can be used to link PE routers, without the requirement of running LDP in the network. In this case, labeled VPN packets are encapsulated within GRE datagrams rather than being labeled with an IGP label derived from LDP. However, you usually still have to run LDP between the tunnel endpoints to ensure that an LDP implicit-null label is assigned to the Multiprotocol BGP next-hop.

- In most IOS releases, although the tunnel interface can be configured as a VRF interface, the tunnel endpoints (tunnel source and tunnel destination addresses) must be reachable in the global IP address space by the routers that terminate the GRE tunnels. This essentially means that GRE tunnel encapsulation code is not VRF-aware. In this case, the global IP routing table forwards the IP datagrams that carry the tunneled traffic. In addition, IP datagrams that carry tunneled traffic must be received over a global interface.

NOTE

With a sophisticated configuration relying on VRF routes where global next hops and global routes point to VRF interfaces, you can configure the router such that the GRE-encapsulated traffic can be received over a VRF interface. Such a configuration is complex and should be avoided.

- The restrictions that are described in the previous bullet have been removed in the IOS 12.0S release, which supports VRF-based tunnel interfaces. In this IOS release, the tunnel endpoints can belong to a VRF and the GRE-encapsulated traffic can be received over an interface that belongs to the same VRF.

These rules (particularly the requirement that the GRE endpoints must be in global IP space) also explain why the use of GRE tunnels to link the PE routers with the CE routers is discouraged from a security perspective:

- If the service provider is running a secure IP backbone, where all customer traffic is carried in the VPNs, the backbone is exposed to traffic from a CE router, which has to be received over a global interface.

- If the service provider is running a public Internet in the global IP address space of its MPLS VPN backbone, the CE router becomes exposed to the Internet.

NOTE

Using GRE tunnels has other drawbacks. For example, the encapsulated traffic cannot be load-shared based on source and destination IP address. Furthermore, the additional IP header that is needed for GRE encapsulation reduces the usable payload size, sometimes resulting in the need to fragment transported IP datagrams, which might result in reduced forwarding performance of the router that is performing the fragmentation or reassembly.

You can avoid both security risks by deploying proper IP access lists on PE routers or CE routers, but these access lists require additional mandatory configuration operations in the provisioning process. Alternatively, you could deploy VRF-aware GRE tunnels if the IOS release you are using in your network supports them.

NOTE

Throughout the configuration examples in the remainder of this chapter, GRE tunnels based on global IP addresses will be used to reduce the complexity of the examples and to ensure that you can successfully use the examples with any IOS release that supports MPLS VPN functionality.

Using GRE Tunnels to Link Multi-VRF CE Routers to the MPLS VPN Backbone

Based on the information in the previous two sections, it should be easy to deploy several point-to-point virtual links between the CE router and the PE router by using the setup shown in Figure 4-10.

Figure 4-10. Virtual VRF Interfaces Implemented with PE-CE GRE How to carry customer multicast traffic inside a VPN Tunnels
The latest inter-carrier enhancements to allow for easier and more scalable deployment of inter-carrier MPLS VPN services Advanced troubleshooting techniques including router outputs to ensure high availability MPLS and VPN Architectures, Volume II , builds on the best-selling MPLS and VPN Architectures, Volume I (1-58705-002-1), from Cisco Press. Extending into more advanced topics and deployment architectures, Volume II provides readers with the necessary tools they need to deploy and maintain a secure, highly available VPN. MPLS and VPN Architectures, Volume II , begins with a brief refresher of the MPLS VPN Architecture. Part II describes advanced MPLS VPN connectivity including the integration of service provider access technologies (dial, DSL, cable, Ethernet) and a variety of routing protocols (IS-IS, EIGRP, and OSPF), arming the reader with the knowledge of how to integrate these features into the VPN backbone. Part III details advanced deployment issues including security, outlining the necessary steps the service provider must take to protect the backbone and any attached VPN sites, and also detailing the latest security features to allow more advanced topologies and filtering. This part also covers multi-carrier MPLS VPN deployments. Finally, Part IV provides a methodology for advanced MPLS VPN troubleshooting. MPLS and VPN Architectures, Volume II , also introduces the latest advances in customer integration, security, and troubleshooting features essential to providing the advanced

Keep the following guidelines in mind when using this design:

- One global loopback interface needs to be configured as tunnel source/destination on the CE router and PE router for each parallel link.

NOTE

You can use the same loopback interface on the PE router for tunnel links to multiple CE routers, but the parallel tunnels terminated at the same remote router must have distinct source addresses to enable proper assignment of incoming tunneled traffic to the tunnel interface.

- The PE-CE link needs to be in global IP address space; that is, a VRF is not configured at the PE router end. Global routing (either static routing or a dynamic routing protocol) must be established across this link to propagate the tunnel source and destination addresses between the PE router and the CE router. BGP is the recommended routing protocol in designs based on dynamic routing because of its security features.

- Incoming access lists should be configured on both the PE router and the CE router. These access lists should permit only the tunneled traffic between the tunnel source and destination addresses and the routing protocol updates (if a dynamic routing protocol is used between the PE router and the CE router).

- Individual tunnel interfaces are configured (one per VRF) and assigned to their respective VRF. VRF IP addresses are configured on the tunnel interfaces, and VRF routing protocols are configured to run over the tunnel interfaces.

Alternatively, you can implement a virtual link for one VRF (VRF B in Figure 4-11) over a physical link that belongs to another VRF (VRF A in Figure 4-11) by using VRF-aware GRE tunnels.

Figure 4-11. VRF-Aware GRE Tunnel Established Between the PE Router and the CE Router

Keep the following guidelines in mind when you are implementing this design:

- One VRF loopback interface needs to be configured as the tunnel source/destination on the CE router and PE router for each parallel tunnel link. Similarly to the previous case, the same loopback interface can be used for multiple tunnel endpoints as long as these tunnels terminate at different remote routers.

- The PE-CE link needs to be in the same VRF as the VRF loopback interface that is acting as the tunnel endpoint.

- Individual tunnel interfaces are configured (one per VRF) and assigned to their respective VRF. VRF IP addresses are configured on the tunnel interfaces, and VRF routing protocols are configured to run over the tunnel interfaces.

From the service provider's perspective, most of the security restrictions are removed by using this setup. However, from the customer's perspective, it is still possible that a malicious user who belongs to Site A (VRF A) could insert GRE packets that are destined for the PE router and spoof traffic that is supposedly originating in VRF B. To remove this potential security hole, you can use a more complex, but also more secure, design in which the PE-CE link belongs to a dedicated VRF on the PE router (to remove security issues on the PE router side) and to the global IP address space on the CE router (to remove security issues on the CE router side). Such a design is presented in Figure 4-12.

Figure 4-12. More Secure PE-CE Tunnel Design

As you can see from the discussions in this section, deployment of GRE tunnels between PE routers and CE routers is complex; therefore, you should always try to implement a simple solution, be it using Frame Relay encapsulation in a WAN environment or VLAN encapsulation in a LAN environment.

Deploying GRE Tunnels to Support Multi-VRF in EuroBank's European Sites

Each EuroBank site must have two logical connections to the adjacent PE router to support the separation of the Trading and Retail departments. This requirement is easy to implement in the U.S. sites (San Francisco and Washington) by using additional Frame Relay data-link connection identifiers (DLCIs) between the CE routers and the PE routers. Assume that cost considerations prevent the use of the same strategy in Europe; EuroBank would like to retain a single DLCI between its Paris CE router and the Paris PE router as well as a single DLCI between the EuroBank Paris site (Paris CE router) and the EuroBank London site (London C router). Working together with the SuperCom service provider, EuroBank decided to implement the multi-VRF concept in combination with tunnel interfaces throughout Europe, as shown in Figure 4-13. In addition, EuroBank will use GRE tunnels based on global IP routing. (Tunnel endpoints are in global IP address space on the PE routers and CE routers.)

Figure 4-13. Tunnel Interfaces That Link CE Router VRFs in Europe

Perform the following steps to implement the required design:

Step 1. Configure loopback interfaces on the PE router and the CE router in Paris.

Step 2. Configure tunnel interfaces between the Paris PE router and the Paris CE router as well as between the Paris CE router and the London C router.

Step 3. Configure the WAN link. The WAN links that link the PE routers and CE routers must be in the global IP routing table on both ends.

Step 4. Advertise loopback interface addresses between the tunnel endpoints.

Step 5. Place tunnel interfaces in the target VRFs.

Step 6. Perform the remainder of the VRF configuration. (Configure VRF interfaces and VRF routing protocols.)

The following sections explain each step in more detail.

Configuring Loopback Interfaces

Loopback interfaces must be configured on the PE router and the CE router in Paris, as shown in Example 4-20. Loopback interfaces must also be configured on the London C router.

Example 4-20. Loopback Interface Configuration

PE_Paris(config)#
interface Loopback2511
 ip address 192.168.251.1 255.255.255.255
 no ip directed-broadcast
!
interface Loopback2512
 ip address 192.168.251.2 255.255.255.255
 no ip directed-broadcast

CE_Paris(config)#
interface Loopback1
 ip address 192.168.252.1 255.255.255.255
 no ip directed-broadcast
!
interface Loopback2
 ip address 192.168.252.2 255.255.255.255
 no ip directed-broadcast

C_London(config)#
interface Loopback1
 ip address 192.168.252.11 255.255.255.255
 no ip directed-broadcast
!
interface Loopback2
 ip address 192.168.252.12 255.255.255.255
 no ip directed-broadcast

Configuring Tunnel Interfaces
Tunnel interfaces must be configured between the Paris PE router and the Paris CE router as well as between the Paris CE router and the London C router, as shown in Example 4-21.

Example 4-21. Tunnel Interface Configuration

PE_Paris(config)#
interface Tunnel2511
 description *** Trading tunnel to CE Paris ***
 tunnel source Loopback2511
 tunnel destination 192.168.252.1
 tunnel key 2511
!
interface Tunnel2512
 description *** Retail tunnel to CE Paris ***
 tunnel source Loopback2512
 tunnel destination 192.168.252.2
 tunnel key 2512

CE_Paris(config)#
interface Tunnel1
 description *** Trading tunnel to PE Paris ***
 tunnel source Loopback1
 tunnel destination 192.168.251.1
 tunnel key 2511
!
interface Tunnel2
 description *** Retail tunnel to PE Paris ***
 tunnel source Loopback2
 tunnel destination 192.168.251.2
 tunnel key 2512
!
interface Tunnel11
 description *** Trading tunnel to London ***
 tunnel source Loopback1
 tunnel destination 192.168.252.11
 tunnel key 2511
!
interface Tunnel12
 description *** Retail tunnel to London ***
 tunnel source Loopback2
 tunnel destination 192.168.252.12
 tunnel key 2512

C_London(config)#
interface Tunnel1
 description *** Trading tunnel to Paris ***
 tunnel source Loopback1
 tunnel destination 192.168.252.1
 tunnel key 2511
!
interface Tunnel2
 description *** Retail tunnel to Paris ***
 tunnel source Loopback2
 tunnel destination 192.168.252.2
 tunnel key 2512

NOTE

As specified in the design rules, the parallel tunnel interfaces between a pair of routers must use different tunnel source and destination IP addresses. Conversely, the tunnel interfaces going to different routers (for example, tunnel interfaces on the Paris CE router) could use the same tunnel source IP address.
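The design rules repeated in the NOTE above (mirrored tunnel endpoints with matching keys, and distinct source addresses for parallel tunnels to the same remote router) can be checked mechanically before a configuration is deployed. The following Python script is an added example, not code from the book: it parses constructed IOS-style snippets that mirror the Paris values of Examples 4-20 and 4-21, reports violations of those rules, and derives the GRE permits that the incoming access list recommended in the design guidelines would need on the PE-CE link; the snippets and the access-list name PE_CE_IN are assumptions.

```python
# Added example: checks this section's PE-CE GRE tunnel design rules (not the book's code).
import re
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Tunnel:
    router: str
    name: str
    source_ip: str
    dest_ip: str
    key: int

# Constructed snippets mirroring the Paris values of Examples 4-20 and 4-21.
PE_PARIS = """
interface Loopback2511
 ip address 192.168.251.1 255.255.255.255
interface Loopback2512
 ip address 192.168.251.2 255.255.255.255
interface Tunnel2511
 tunnel source Loopback2511
 tunnel destination 192.168.252.1
 tunnel key 2511
interface Tunnel2512
 tunnel source Loopback2512
 tunnel destination 192.168.252.2
 tunnel key 2512
"""

CE_PARIS = """
interface Loopback1
 ip address 192.168.252.1 255.255.255.255
interface Loopback2
 ip address 192.168.252.2 255.255.255.255
interface Tunnel1
 tunnel source Loopback1
 tunnel destination 192.168.251.1
 tunnel key 2511
interface Tunnel2
 tunnel source Loopback2
 tunnel destination 192.168.251.2
 tunnel key 2512
"""

def parse_tunnels(router, config):
    """Return the tunnels defined in one router's config, with sources resolved to IP addresses."""
    loopbacks, tunnels, current = {}, {}, ""
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split()[1]
            if current.startswith("Tunnel"):
                tunnels[current] = {}
        elif current.startswith("Loopback") and line.startswith("ip address "):
            loopbacks[current] = line.split()[2]
        elif current.startswith("Tunnel"):
            m = re.match(r"tunnel (source|destination|key) (\S+)$", line)
            if m:
                tunnels[current][m.group(1)] = m.group(2)
    result = []
    for name, attrs in tunnels.items():
        # "tunnel source LoopbackN" refers to that loopback's address; a literal IP passes through.
        src_ip = loopbacks.get(attrs["source"], attrs["source"])
        result.append(Tunnel(router, name, src_ip, attrs["destination"], int(attrs["key"])))
    return result

def find_violations(tunnels):
    """Return rule violations as strings; an empty list means the design is sound."""
    problems = []
    by_endpoints = {(t.source_ip, t.dest_ip): t for t in tunnels}
    owner = {t.source_ip: t.router for t in tunnels}  # which router owns each endpoint address
    # Rule 1: every tunnel needs a mirrored peer (source/destination swapped) with the same key.
    for t in tunnels:
        peer = by_endpoints.get((t.dest_ip, t.source_ip))
        if peer is None:
            problems.append(f"{t.router} {t.name}: no peer tunnel {t.dest_ip} -> {t.source_ip}")
        elif peer.key != t.key:
            problems.append(f"{t.router} {t.name}: key {t.key} differs from {peer.router} {peer.name}")
    # Rule 2 (the NOTE): parallel tunnels to the same remote router must use distinct sources,
    # otherwise incoming GRE packets cannot be assigned to exactly one tunnel interface.
    groups = defaultdict(list)
    for t in tunnels:
        groups[(t.router, owner.get(t.dest_ip, t.dest_ip), t.source_ip)].append(t.name)
    for (router, remote, src), names in groups.items():
        if len(names) > 1:
            problems.append(f"{router}: tunnels {names} to {remote} share source {src}")
    return problems

def inbound_acl_lines(tunnels, router, acl_name="PE_CE_IN"):
    """Derive the GRE permits an incoming access list on `router` needs for its tunnels.

    Routing-protocol permits and the final deny are left to the operator.
    """
    lines = [f"ip access-list extended {acl_name}"]
    for t in sorted(tunnels, key=lambda x: x.name):
        if t.router == router:
            lines.append(f" permit gre host {t.dest_ip} host {t.source_ip}")
    return lines
```

Calling find_violations on the parsed Paris PE and CE snippets returns an empty list; rewriting the CE Tunnel2 source to Loopback1 produces both a missing-peer report and a shared-source report for the parallel tunnels.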
Configure the WAN Links

The link between the Paris PE router and the Paris CE router must be in the global IP routing table on the PE router. Similarly, the links from the Paris CE router to the Paris PE router and the London C router must be in the global IP routing table on the Paris CE router, as shown in Example 4-22.

Example 4-22. WAN Interface Configuration

PE_Paris(config)#
interface Serial0/0.641 point-to-point
 description *** Link to EuroBank Paris ***
 ip address 192.168.2.26 255.255.255.252
 no ip directed-broadcast
 frame-relay interface-dlci 641

CE_Paris(config)#
interface Serial0/0.1 point-to-point
 description *** Link to London ***
 ip address 192.168.2.29 255.255.255.252
 no ip directed-broadcast
 frame-relay interface-dlci 274
!
interface Serial0/0.614 point-to-point
 description *** Link to PE_Paris ***
 ip address 192.168.2.25 255.255.255.252
 no ip directed-broadcast
 frame-relay interface-dlci 614

Advertise the Loopback Interfaces

Loopback interface addresses must be advertised between the tunnel endpoints. BGP is deployed between the PE router and the CE router, and RIP is used internally in the EuroBank network, as shown in Example 4-23. Note that the CE router is configured as a global BGP neighbor on the PE router.

Example 4-23. Global IP Routing Supporting Tunnel Interfaces

PE_Paris(config)#
router bgp 10
 network 192.168.251.1 mask 255.255.255.255
 network 192.168.251.2 mask 255.255.255.255
 neighbor 192.168.2.25 remote-as 65001
 neighbor 192.168.2.25 route-map NoAdvertise in
 neighbor 192.168.2.25 filter-list 1 out
!
ip as-path access-list 1 permit ^$
!
route-map NoAdvertise permit 10
 set community no-advertise

CE_Paris(config)#
router rip
 version 2
 network 192.168.2.0
 network 192.168.252.0
 no auto-summary
!
router bgp 65001
 network 192.168.252.1 mask 255.255.255.255
 network 192.168.252.2 mask 255.255.255.255
 neighbor 192.168.2.26 remote-as 10

C_London(config)#
router rip
 version 2
 network 192.168.2.0
 network 192.168.252.0
 no auto-summary

The previous examples also include a number of additional measures introduced in the global BGP routing configuration between the PE router and the CE router to ensure security and stability of the design:

- The CE router advertises only its own loopback interfaces in BGP, and not the other subnets from the customer network (C-network).

- The PE router sets the no-advertise community on updates received from the CE router to prevent them from being propagated further into the service provider network (P-network).

- The PE router filters outgoing updates toward the CE router with a filter list to prevent memory and CPU overload on the CE router.

Place Tunnel Interfaces into the Target VRFs
Tunnel interfaces are placed in the target VRFs, as shown in Example 4-24.

Example 4-24. VRF Interface Configuration


PE_Paris(config)#
interface Tunnel2511
 ip vrf forwarding EuroBank_Trading
 ip address 192.168.2.42 255.255.255.252
!
interface Tunnel2512
 ip vrf forwarding EuroBank_Retail
 ip address 192.168.2.46 255.255.255.252

CE_Paris(config)#
interface Tunnel1
 ip vrf forwarding Trading
 ip address 192.168.2.41 255.255.255.252
!
interface Tunnel2
 ip vrf forwarding Retail
 ip address 192.168.2.45 255.255.255.252
!
interface Tunnel11
 ip vrf forwarding Trading
 ip address 192.168.2.49 255.255.255.252
!
interface Tunnel12
 ip vrf forwarding Retail
 ip address 192.168.2.53 255.255.255.252

C_London(config)#
interface Tunnel1
 ip vrf forwarding Trading
 ip address 192.168.2.50 255.255.255.252
!
interface Tunnel2
 ip vrf forwarding Retail
 ip address 192.168.2.54 255.255.255.252

Remaining VRF Configuration

The VRFs need to be configured, with their respective VRF routing protocols, and the LAN interfaces in Paris and London need to be assigned to these VRFs. BGP is deployed between the PE router and the CE router in Paris, and RIP is used between the Paris CE router and the London C router. The VRF IP routing configurations are included next. (Please refer to the "Running BGP in Virtual Router Scenarios" section earlier in this chapter for a detailed description of the BGP configuration used in Example 4-25.)

Example 4-25. VRF IP Routing Configuration

PE_Paris(config)#
router bgp 10
 address-family ipv4 vrf EuroBank_Trading
  neighbor 192.168.2.41 remote-as 65100
 !
 address-family ipv4 vrf EuroBank_Retail
  neighbor 192.168.2.45 remote-as 65200

Paris(config)#
router rip
 address-family ipv4 vrf Trading
  version 2
  redistribute bgp 65001 metric transparent
  network 192.168.2.0
  network 196.7.25.0
 !
 address-family ipv4 vrf Retail
  version 2
  redistribute bgp 65001 metric transparent
  network 192.168.2.0
  network 196.7.25.0
!
router bgp 65001
 address-family ipv4 vrf Trading
  redistribute rip
  neighbor 192.168.2.42 remote-as 10
  neighbor 192.168.2.42 local-as 65100 no-prepend
 !
 address-family ipv4 vrf Retail
  redistribute rip
  neighbor 192.168.2.46 remote-as 10
  neighbor 192.168.2.46 local-as 65200 no-prepend

London(config)#
router rip
 address-family ipv4 vrf Trading
  version 2
  network 192.168.2.0
  network 196.7.24.0
 !
 address-family ipv4 vrf Retail
  version 2
  network 192.168.2.0
  network 196.7.24.0

After you have completed all these configuration steps, you can verify proper operation of this design by inspecting the VRF IP routing tables on the London C router, which are shown in Example 4-26.

Example 4-26. VRF IP Routing Tables on the London C Router

London#show ip route vrf Trading
Routing Table: Trading
Codes: C - connected, S - static, I - IGRP, R - RIP, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       * - candidate default, U - per-user static route, o - ODR

Gateway of last resort is not set

     196.7.25.0 255.255.255.128 is subnetted, 1 subnets
R       196.7.25.0 [120/1] via 192.168.2.49, 00:00:03, Tunnel1
     196.7.24.0 255.255.255.128 is subnetted, 1 subnets
C       196.7.24.0 is directly connected, Ethernet0/0
     196.7.26.0 255.255.255.128 is subnetted, 1 subnets
R       196.7.26.0 [120/1] via 192.168.2.49, 00:00:03, Tunnel1
     10.0.0.0 255.255.255.128 is subnetted, 1 subnets
R       10.2.1.0 [120/1] via 192.168.2.49, 00:00:03, Tunnel1
     192.168.2.0 255.255.255.252 is subnetted, 4 subnets
R       192.168.2.40 [120/1] via 192.168.2.49, 00:00:03, Tunnel1
R       192.168.2.32 [120/1] via 192.168.2.49, 00:00:03, Tunnel1
C       192.168.2.48 is directly connected, Tunnel1
R       192.168.2.12 [120/1] via 192.168.2.49, 00:00:05, Tunnel1

London#show ip route vrf Retail
Routing Table: Retail
Codes: C - connected, S - static, I - IGRP, R - RIP, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       * - candidate default, U - per-user static route, o - ODR

Gateway of last resort is not set

     196.7.25.0 255.255.255.128 is subnetted, 1 subnets
R       196.7.25.128 [120/1] via 192.168.2.53, 00:00:10, Tunnel2
     196.7.24.0 255.255.255.128 is subnetted, 1 subnets
C       196.7.24.128 is directly connected, Loopback1001
     196.7.26.0 255.255.255.255 is subnetted, 1 subnets
R       196.7.26.129 [120/1] via 192.168.2.53, 00:00:10, Tunnel2
     10.0.0.0 255.255.255.255 is subnetted, 1 subnets
R       10.2.1.129 [120/1] via 192.168.2.53, 00:00:10, Tunnel2
     192.168.2.0 255.255.255.252 is subnetted, 4 subnets
R       192.168.2.44 [120/1] via 192.168.2.53, 00:00:11, Tunnel2
R       192.168.2.36 [120/1] via 192.168.2.53, 00:00:11, Tunnel2
C       192.168.2.52 is directly connected, Tunnel2
R       192.168.2.16 [120/1] via 192.168.2.53, 00:00:12, Tunnel2
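Reading the two tables by eye is fine for one router; in a larger deployment the same check is scripted. The following Python script is an added example, not code from the book: it parses show ip route vrf output in the format of Example 4-26 into prefixes and then checks that every non-connected route in the Trading VRF arrives over the expected tunnel and that nothing in the table overlaps the Retail address space. The first sample is an abridged copy of the Trading table above; the second, with a Retail route leaked over Tunnel2, is constructed to show what a violation looks like. The /32 fallback for classful lines without an "is subnetted" header is a simplification of this script, not IOS behavior.

```python
import ipaddress
import re

# Constructed sample: the London Trading table from Example 4-26 (Codes legend omitted).
SHOW_TRADING = """\
Routing Table: Trading
Gateway of last resort is not set

     196.7.25.0 255.255.255.128 is subnetted, 1 subnets
R       196.7.25.0 [120/1] via 192.168.2.49, 00:00:03, Tunnel1
     196.7.24.0 255.255.255.128 is subnetted, 1 subnets
C       196.7.24.0 is directly connected, Ethernet0/0
     192.168.2.0 255.255.255.252 is subnetted, 4 subnets
R       192.168.2.40 [120/1] via 192.168.2.49, 00:00:03, Tunnel1
R       192.168.2.32 [120/1] via 192.168.2.49, 00:00:03, Tunnel1
C       192.168.2.48 is directly connected, Tunnel1
R       192.168.2.12 [120/1] via 192.168.2.49, 00:00:05, Tunnel1
"""

# Constructed: same table plus a Retail prefix that must never show up in the Trading VRF.
SHOW_TRADING_LEAKED = SHOW_TRADING + """\
     196.7.24.0 255.255.255.128 is subnetted, 2 subnets
R       196.7.24.128 [120/1] via 192.168.2.53, 00:00:03, Tunnel2
"""

# Address space that belongs to the Retail VPN in this chapter (Paris and London halves).
RETAIL_PREFIXES = [ipaddress.ip_network("196.7.25.128/25"), ipaddress.ip_network("196.7.24.128/25")]

SUBNETTED = re.compile(r"^\s+\S+ (\S+) is subnetted, \d+ subnets")
VIA = re.compile(r"^(\S+)\s+(\S+) \[\d+/\d+\] via ([^,]+), [^,]+, (\S+)")
CONNECTED = re.compile(r"^(\S+)\s+(\S+) is directly connected, (\S+)")


def _network(addr, mask):
    """Build a network from a route line; 'a.b.c.d/len' lines carry their own length."""
    return ipaddress.ip_network(addr if "/" in addr else f"{addr}/{mask}")


def parse_show_ip_route(text):
    """Parse 'show ip route vrf' output into dicts with code, prefix, via and interface.

    The 'is subnetted' header supplies the mask for the route lines that follow it."""
    routes, mask = [], "255.255.255.255"
    for line in text.splitlines():
        if m := SUBNETTED.match(line):
            mask = m.group(1)
        elif m := VIA.match(line):
            code, addr, via, iface = m.groups()
            routes.append({"code": code, "prefix": _network(addr, mask), "via": via, "interface": iface})
        elif m := CONNECTED.match(line):
            code, addr, iface = m.groups()
            routes.append({"code": code, "prefix": _network(addr, mask), "via": None, "interface": iface})
    return routes


def check_vrf_isolation(routes, expected_iface, foreign_prefixes):
    """Report routes learned over an unexpected interface or covering another VPN's address space."""
    problems = []
    for r in routes:
        if r["via"] is not None and r["interface"] != expected_iface:
            problems.append(f"{r['prefix']} learned via {r['interface']}, expected {expected_iface}")
        for foreign in foreign_prefixes:
            if r["prefix"].overlaps(foreign):
                problems.append(f"{r['prefix']} overlaps other-VPN prefix {foreign}")
    return problems


if __name__ == "__main__":
    for name, text in (("as shown", SHOW_TRADING), ("with leak", SHOW_TRADING_LEAKED)):
        print(name, check_vrf_isolation(parse_show_ip_route(text), "Tunnel1", RETAIL_PREFIXES))
```

The interface check catches a route that entered the VRF through the wrong tunnel (for instance through a misapplied redistribution), and the overlap check catches a prefix that should belong to the other VPN whatever path it took; an empty list for each VRF is the expected result after the configuration in Example 4-25.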

VRF Selection Based on Source IP Address
In the traditional implementation of the MPLS VPN architecture in Cisco IOS, each physical or logical interface was associated with one VRF table, resulting in a one-VPN-per-interface design limitation. Service providers that wanted to offer access to different VPN networks (or different upstream ISPs) to many customers who were connected to a shared media (cable or Ethernet infrastructure) first encountered this limitation.

In situations in which more than one VPN customer had to be connected to a single physical interface, the following solutions were available:

- VPN customers who were connected to a LAN interface were split into multiple virtual LANs (VLAN), each VLAN subinterface belonging to a different VRF. This approach could separate the Trading and Retail LANs in the EuroBank network if the EuroBank CE routers had only one LAN interface.
- Subinterfaces were also used (if available) for multiple VPN customers who were connected to the same WAN interface. This approach worked if the WAN technology that was deployed in the network supported subinterfaces. For example, Frame Relay and ATM supported subinterfaces based on Frame Relay DLCI or ATM virtual circuits (VCs).
- In some scenarios, GRE tunnels could be used to create logical interfaces.
- PPP-over-Ethernet (PPPoE) could be deployed between the VPN customers (even individual workstations) and the PE routers to separate the VPN customers into different VPNs.

All the designs presented in the previous bulleted list use the one-interface-per-customer paradigm and thus share a common scalability problem: The number of customers that a single PE router can support is limited by the number of interfaces that the Cisco IOS supports.

A new functionality, VRF selection based on source IP address, was introduced in Cisco IOS release 12.0S to circumvent the one-VPN-per-interface design rule and associated scalability issues. With this functionality, the VPN packet forwarding is performed as follows:

- If the VRF selection feature is enabled on an interface, a lookup is performed on the source IP address in the VRF selection table to determine the VRF to which the sending IP host belongs.
- After the target VRF is found, the VRF Cisco Express Forwarding (CEF) table lookup is performed on the destination IP address to find the next hop and associated MPLS label stack.
- Global CEF table lookup is performed on the destination IP address if the VRF selection lookup fails (the source IP address is not associated with a VRF).

The three simple configuration commands in Table 4-4 are associated with this functionality.

Table 4-4. Configuring VRF Selection Based on Source IP Address

Command Syntax / Description

vrf selection source address mask vrf name
    This global command populates the VRF selection table. A single (global) per-router VRF selection table is supported in IOS release 12.0S.

ip vrf select source
    This interface-level command enables the VRF selection lookup for packets that are received through the specified interface. The ip vrf select source and ip vrf forwarding commands are mutually exclusive. If the VRF Selection feature is configured on an interface, you cannot configure VRFs (using the ip vrf forwarding command) on the same interface.

ip vrf receive vrf-name
    This interface-level command enables redistribution of the IP prefix configured on the specified interface into the specified VRF routing table. The detailed usage guidelines of this command are covered later in this section.

VRF Selection in the EuroBank Network
The VRF selection functionality can be applied in those EuroBank sites that must support two VPNs per site (Trading and Retail VPN) but are not implemented with a VLAN-supporting technology, as shown in Figure 4-14. For example, these sites could have been implemented with 10BASE-T Ethernet, shared 100BASE-T Ethernet, or Token Ring.

Figure 4-14. Two Sites Connected to the Same Physical Interface

The LAN technology that is deployed in the Paris site prohibits the use of VLAN subinterfaces on the Paris CE router. The only way to separate the Trading hosts from the Retail hosts is to use the VRF selection functionality, resulting in a configuration that is similar to the one in Example 4-27. (The configuration in the example includes only the VRF selection-specific configuration commands. The rest of the configuration is similar to the one in Example 4-1.)

Example 4-27. VRF Selection on the Paris CE Router

vrf selection source 196.7.25.0 255.255.255.128 vrf Trading
vrf selection source 196.7.25.128 255.255.255.128 vrf Retail
!
interface TokenRing 0/0
 ip vrf select source
 ip address 196.7.25.1 255.255.255.0

NOTE

Security is a major issue when deploying the VRF selection functionality. Because the Trading and Retail workstations in Paris reside on the same shared LAN segment, each user can observe the traffic of the other department. It is also easy for an intruder to break into a workstation from another VPN and gain unauthorized access into that VPN.

Designing the Return Path for the VPN Traffic

With the configuration from Example 4-27, the IP packets sent from workstations that are attached to the Paris LAN are forwarded to the appropriate VPNs and eventually reach the desired VPN destinations. However, the Paris LAN interface belongs to the global IP routing table of the Paris CE router (the interface is not in a VRF); therefore, its IP subnet is not automatically propagated into the VRF routing tables for the Trading and Retail VPN. Consequently, the VPN IP hosts in other sites cannot return the traffic to Paris IP hosts.

You can use two designs to establish the return path for the VPN traffic:

- The whole IP prefix that is assigned to an interface with VRF selection is inserted into the VRF routing tables.
- Parts of the IP address space assigned to the VPN interface are inserted into the appropriate VRF table.

You can use the ip vrf receive command if you want to transfer the IP prefix assigned to the interface on which you've configured the VRF selection to the VRF routing tables. With this command, you specify which VRF routing table shall receive the global IP prefix assigned to the interface on which you use the command. The IP prefix appears in the VRF routing table as a connected interface and must be redistributed into Multiprotocol BGP like any other directly connected VRF subnet. In the EuroBank example, the commands to use are shown in Example 4-28.

Example 4-28. Insertion of Interface-Wide IP Prefix into the VRF Tables

interface TokenRing 0/0
 ip vrf receive Trading
 ip vrf receive Retail

The ip vrf receive command in Example 4-28 inserts the IP prefix 196.7.25.1/24, which covers hosts belonging to both the Trading and the Retail site, into both the Trading and the Retail VRF table. As a result, hosts from other Trading sites can access Retail hosts in the Paris site, and hosts from other Retail sites can access the Trading hosts in Paris. The undesired inter-VPN communication can be performed only in one direction (other sites to Paris hosts), but many denial-of-service attacks need only one-way communication. The design from Example 4-28 should not be used in security-conscious environments.

A more secure approach to the return-traffic design involves VRF static routes pointing to the global interface:

- For every VRF that is associated with an interface through the VRF selection functionality, configure a VRF static route covering only the IP address space assigned to that VRF with the vrf selection command. The static route should point to the directly connected interface, as shown in Example 4-29.

Example 4-29. Secure VPN Return Traffic Design

ip route vrf Trading 196.7.25.0 255.255.255.128 TokenRing 0/0
ip route vrf Retail 196.7.25.128 255.255.255.128 TokenRing 0/0

- Redistribute the VRF static routes into Multiprotocol BGP to propagate them to other PE routers.

With this approach, each VRF table receives only the IP prefix associated with the hosts in its VPN, preventing undesired intersite inter-VPN traffic. The base problem of the VRF selection functionality still remains, though: The users from different VPNs that are attached to the same physical shared media can still communicate with each other.

Performing NAT in a Virtual Router Environment
NAT in conjunction with private IP addresses (as defined in RFC 1918) was initially introduced as a temporary measure to ensure continuous growth of the Internet while IPv6 was developing. As with many temporary measures, it was widely accepted and further extended in the Cisco IOS implementation to include port address translation (PAT) and two-way NAT. Today, NAT is used as one of the primary means of connecting enterprise networks to the Internet. It is also commonly deployed in scenarios in which networks that are using overlapping or private IP address spaces need to be interconnected.

In the MPLS VPN environment, NAT is generally implemented in three scenarios:

When the service provider wants to offer Internet access to its customers who use private IP addresses, at least one device between the end user and the Internet has to perform the NAT function. Traditionally, this task was left to the CE devices because NAT within the VRF was not supported. The typical setup together with sample CE router configuration is shown in Figure 4-15 and Example 4-30.

Figure 4-15. CE Router NAT on Internet Interface

NOTE

The setup in Figure 4-15 is based on the design where two separate subinterfaces are used for VPN and Internet connectivity. A similar, although more complex, setup could be used for other types of VPN connectivity.

Example 4-30. Simple NAT Performed Toward Internet

!
! Define a separate subinterface for Internet access. This is the
! NAT outside interface
!
interface Serial0.2 point-to-point
 description *** Link to public Internet ***
 ip address 194.22.18.1 255.255.255.252
 ip nat outside
 frame-relay interface-dlci 200
!
! All other interfaces (LAN and the VPN subinterface) are NAT inside interfaces
!
interface Ethernet0
 ip nat inside
!
! Define overload NAT translation using the IP address of the outside interface
!
ip nat inside source list 1 interface Serial0.2 overload
!
! All packets going to the Internet are translated. The access list permits
! everything, but translation is applied only to packets crossing from an
! inside interface to the outside interface, so traffic that leaves through
! the VPN subinterface is never translated.
!
access-list 1 permit any

When the service provider wants to offer common services to a number of its customers, the customers have to use coordinated IP addresses to be able to access the common servers. This requirement either triggers the need for renumbering customer networks or the need for a NAT function performed inside the customer address space. The NAT could be performed at the individual CE routers. The typical setup together with sample configuration is shown in Figure 4-16 and Example 4-31.

Example 4-31. Complex NAT Toward Common Server Performed on the CE Router

!
! Define a loopback interface with the coordinated IP address. This prefix
! must be advertised toward the PE router (and thus reachable from the
! common server), or the return traffic has nowhere to go.
!
interface Loopback0
 ip address 194.22.18.1 255.255.255.255
!
! WAN interface toward PE router is the NAT outside interface
!
interface Serial0
 ip nat outside
!
! LAN interface is the NAT inside interface
!
interface Ethernet0
 ip nat inside
!
! Only packets toward the common server are translated; everything else
! keeps its original customer address.
!
route-map Translate
 match ip address 101
!
access-list 101 permit ip any host 194.22.16.1
!
! Define a route-map controlled overload NAT translation
! using the IP address of the loopback interface
!
ip nat inside source route-map Translate interface Loopback0 overload

Figure 4-16. Complex CE Router NAT on VPN Interface


Instead of performing NAT within customer address space on each CE router, the service provider could deploy a bank of NAT devices (one per customer) at a central location, preferably close to the common servers. A sample setup for three customer VPNs is displayed in Figure 4-17.

Figure 4-17. Centralized Per-VPN NAT

In all cases, the service provisioning is simpler and more controlled if the service provider can perform the VRF-aware NAT functionality in the PE routers. This feature, called PE-NAT, was introduced in Cisco IOS release 12.2T and will be described in this section together with a refresher on NAT configuration and operation.

NOTE

The NAT functionality of Cisco IOS and related configuration commands is also briefly covered in Chapter 1 of Enhanced IP Services for Cisco Networks from Cisco Press. For an in-depth description of NAT in Cisco IOS and detailed configuration guidelines, which are beyond the scope of this book, please refer to the Cisco IOS documentation available on www.cisco.com.

NAT Refresher
The basic NAT functionality is best explained in its simplest application: enabling a network that has private IP addresses (shown in Figure 4-18) to communicate with the public Internet.

Figure 4-18. Basic NAT Functionality


In this scenario, the NAT device performs the following functions:

When an IP packet is received from the inside interface, the source IP address is replaced with a global IP address, the IP header checksum is recomputed (as are the TCP and UDP checksums, which cover the IP addresses through the pseudo-header), and the packet is forwarded toward its final destination. The global IP address that corresponds to the source IP address is stored in a translation table.

When an IP packet is received from the outside interface, the destination IP address is compared to the addresses in the translation table. If there is a match, the destination global IP address is replaced with the private IP address and the packet is forwarded toward a host in the inside network.

The global IP addresses used to replace the private IP addresses could be statically mapped to the private IP addresses (static NAT). This setup is commonly used to ensure that servers (such as web hosts and e-mail servers) with private IP addresses are always reachable from the global Internet through the same public IP address, as shown in Figure 4-19.

Figure 4-19. Static NAT Used to Access Servers in Private IP Address Space

Alternatively, you can define a pool of global IP addresses (NAT pool) that are shared between all users in the private network and allocated on demand. Cisco IOS also provides a rich set of configuration commands with which you can decide on a packet-per-packet basis whether the source IP address should be translated.

Basic NAT performs translation based on the IP address only, which means that it requires a distinct global IP address for every user who is simultaneously accessing the global Internet from the private network. Typically, such a user would only open a few TCP or UDP sessions at a time. However, the TCP or UDP protocol permits a single IP address to open more than 65 thousand sessions (one for each possible source port value). This capability enhanced the operation of NAT by allowing the introduction of PAT, which is also called overload NAT. PAT allows multiple private IP addresses to be mapped to one global IP address (see Figure 4-20). The NAT device performs TCP and UDP port translation together with the IP address translation.

Figure 4-20. PAT

NOTE
The basic NAT functionality can support any protocol that is running on top of IP. PAT works only for applications that are running on top of TCP or UDP (Cisco IOS also overloads ICMP query messages such as echo request and reply by rewriting the ICMP identifier). Protocols without a port field, such as GRE or ESP, give PAT nothing to demultiplex on and need a one-to-one translation instead.

Configuring NAT on a PE Router
The PE-NAT implementation in Cisco IOS extends the existing NAT functionality to include VRF-aware NAT. The VRF-aware NAT supports most of the NAT functionality in IOS (static and dynamic NAT translations, PAT translation, overlapped translations, use of route maps to select IP packets to be translated, and so on). In the first PE-NAT release, the NAT translation can be performed within a single VRF (not VRF-to-VRF) or between a VRF and the global IP routing table.

Any VRF or global interface can be an inside or an outside interface. Furthermore, an interface that is connecting a PE router to the network core (MPLS-enabled interface of the PE router) can be configured as the inside interface, and NAT can be applied to all MPLS-encapsulated VPN packets received through that interface (giving the network designers an option to perform NAT in a single point in the network).

The NAT configuration commands were changed only slightly; the vrf option was added to the inside source, outside source, and inside destination NAT commands, as shown in Table 4-5.

Table 4-5. Configuring VRF-Aware NAT on PE Routers

Command Syntax: ip nat inside source {list {access-list-number | name} pool name [overload] | static local-ip global-ip} vrf name
Description: To enable NAT of the inside source address within a VRF, use the ip nat inside source vrf global configuration command.

Command Syntax: ip nat outside source {list {access-list-number | name} pool name | static global-ip local-ip} vrf name
Description: To enable NAT of the outside source address within a VRF, use the ip nat outside source vrf global configuration command.

Command Syntax: ip nat inside destination list {access-list-number | name} pool name vrf name
Description: To enable NAT of the inside destination address within a VRF, use the ip nat inside destination vrf global configuration command.

In the following two sections, we discuss how to use the modified NAT commands to implement two common deployment scenarios in an MPLS VPN network:

Using PE-NAT to allow users who have overlapping addresses access to common services

Using PE-NAT to give users who have private IP addresses access to the Internet

Using PE-NAT to Access Common Services

In this scenario, the SuperCom service provider would like to offer common services that are co-located with the Washington PE router, as shown in Figure 4-21. A number of services can be implemented with this approach, including Voice over IP (VoIP) gateways, web hosting, e-mail hosting, hosting of other applications, or common DNS.

Figure 4-21. Common Services in SuperCom Network
As always, the communication between the end users and the common server that is located in Washington will only be successful if the users can reach the common server IP subnet and vice versa. It's easy to ensure that the users can reach the common server by using the overlapping VPN topology described in Chapter 12, "Advanced MPLS/VPN Topologies," of MPLS and VPN Architectures (Volume I). The communication from the common server to the end users is more problematic. In this case, the end users in EuroBank San Francisco and FastFoods San Jose use overlapping IP addresses; therefore, there is no unique return path from the Washington-based server to these users.

The SuperCom designers can use several different approaches to solve this problem:

Deploy standard NAT on all the CE routers that are accessing the common server. With this approach, a small portion of global IP address space would be assigned to each customer site; even a single IP address would be enough in most cases. The CE router would then use the overload NAT to map source IP addresses of packets sent toward the common service to an allocated global IP address, as shown in Figure 4-22. (See Example 4-31 earlier in this section for a CE router NAT sample configuration.)

Figure 4-22. Complex NAT Performed on a CE Router

Deploy PE-NAT on the Washington PE router to perform the NAT operation at a central service point. With this approach, SuperCom can also minimize the use of public IP addresses because all MPLS VPN users can use the same NAT address pool, as shown in Figure 4-23. Furthermore, with careful design, the NAT address pool can use private IP addresses, saving on public address space; the pool prefix only has to be unique within the common server VRF, where it is routed back to the Washington PE router.

Figure 4-23. PE-NAT Deployed in SuperCom Network

NOTE

To minimize the complexity, the diagrams throughout the rest of this section will only include Washington and San Jose PE routers and connected CE routers.

The SuperCom designers decided to deploy a centralized PE-NAT solution by using the addressing scheme displayed in Table 4-6.


Table 4-6. Common Server Address Assignment

Description            IP Prefix
Common server subnet   194.22.16.0/24
PE router address      194.22.16.1
VoIP gateway           194.22.16.2
Outside NAT pool       172.16.0.0/22
Publisher: Cisco Press Pub Date: June 06, 2003

The PE-NAT limitation (NAT is only performed inside a single VRF) requires careful design on the Washington PE router that includes the following components:

- A dedicated VRF is created for the common server.
- A NAT pool is established in the Washington PE router, and the routing between the common server and the NAT pool is configured in the common server VRF.
- For all customers who are accessing the common server, customer VRFs are configured on the Washington PE router, and the route toward the common server is inserted into the customer VRF.
- VRF-aware NAT is configured on the Washington PE router.

Each one of these components is discussed in a separate subsection that follows.

Common Server VRF Configuration

A VRF must be created on the Washington PE router to isolate the common server from the global IP address space in which the Internet service is offered, as shown in Example 4-32. In environments that have more relaxed security requirements, the common server might also reside in global IP address space. Contrary to the overlapping VPN topology, no route leakage between this VRF and the customer VRFs is defined; the customers reach the server only through the per-VRF static routes and the NAT process configured later in this section.

Example 4-32. CommonServer VRF Definition

ip vrf CommonServer
 rd 100:100
 route-target export 100:100
 route-target import 100:100
!
interface FastEthernet3/0
 ip vrf forwarding CommonServer
 ip address 194.22.16.1 255.255.255.0
NAT Pool and Related IP Routing Configuration

A single NAT pool is defined to cover the needs of all customers who are accessing the common server. The corresponding configuration command is shown in Example 4-33.

Example 4-33. NAT Pool Definition

ip nat pool Common 172.16.0.0 172.16.3.255 netmask 255.255.252.0

An IP route that covers the NAT pool is defined in the CommonServer VRF to enable the routing of return packets from the common server toward the PE router, with the commands in Example 4-34. You can announce this route to the common server through a PE-CE routing protocol, or you can use static or default routing on the common server.

Example 4-34. IP Routing from the Common Server to the IP NAT Pool

ip route vrf CommonServer 172.16.0.0 255.255.252.0 Null0
!
router rip
 version 2
 !
 address-family ipv4 vrf CommonServer
  version 2
  redistribute static
  network 194.22.16.0

The IP route toward the NAT pool is propagated toward the common server (see Example 4-35); therefore, the NAT pool from which the translated source addresses are taken is reachable from the common server.

Example 4-35. IP Routing on the Common Server

CommonServer#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

     172.16.0.0 255.255.252.0 is subnetted, 1 subnets
R       172.16.0.0 [120/1] via 194.22.16.1, 00:00:01, FastEthernet0/0
C    194.22.16.0 255.255.255.0 is directly connected, FastEthernet0/0

NOTE

It is unnecessary to redistribute routes from the CommonServer VRF into Multiprotocol BGP. The CommonServer VRF is completely isolated from the rest of the MPLS VPN network (similar to the VRF-lite configuration discussed previously in this chapter).

Customer VRF Configuration

The current PE-NAT implementation works only inside a single VRF. Due to this requirement, you need to define a VRF on the Washington PE router for every customer who accesses the common server so that the NAT function will be performed inside the customer VRF. The EuroBank VRF is already defined in the Washington PE router. You must create the FastFoods VRF, as shown in Example 4-36.

Example 4-36. Customer VRF Definition

ip vrf FastFoods
 rd 100:252
 route-target export 100:252
 route-target import 100:252

You must define a static route toward the common server in every customer VRF on the Washington PE router to ensure that (from the PE router's perspective) NAT will always be performed inside the customer VRF. You must redistribute this static route into Multiprotocol BGP and any relevant PE-CE routing protocol to enable connectivity from CE routers to the central server. Both configuration steps are illustrated in Example 4-37.

NOTE

No interfaces are placed in VRFs of customers who do not connect directly to the Washington PE router.

Example 4-37. IP Routing from Customers to the Common Server

ip route vrf EuroBank 194.22.16.0 255.255.255.0 FastEthernet3/0 194.22.16.2
ip route vrf FastFoods 194.22.16.0 255.255.255.0 FastEthernet3/0 194.22.16.2
!
router bgp 10
 address-family ipv4 vrf FastFoods
  redistribute static
 !
 address-family ipv4 vrf EuroBank
  redistribute static
!
router rip
 address-family ipv4 vrf EuroBank
  redistribute static

Note that each static route names both the outgoing interface, which belongs to the CommonServer VRF, and the next-hop address of the common server. This is what lets packets leave the customer VRF toward the server without any route-target leakage between the VRFs.

After these configuration steps, the route toward the common server is inserted into the EuroBank and FastFoods VRFs on the Washington PE router (see Example 4-38). This route is propagated to other PE routers and to the CE routers (see Example 4-39). Therefore, the common server is reachable from all customer sites.

Example 4-38. Route Toward the Common Server in the EuroBank and FastFood VRF on the Washington PE Router

PE_Washington#show ip route vrf EuroBank 194.22.16.0
Routing entry for 194.22.16.0 255.255.255.0
  Known via "static", distance 1, metric 0
  Redistributing via bgp 10
  Advertised by bgp 10
  Routing Descriptor Blocks:
  * 194.22.16.2, via FastEthernet3/0
      Route metric is 0, traffic share count is 1

PE_Washington#show ip route vrf FastFood 194.22.16.0
Routing entry for 194.22.16.0 255.255.255.0
  Known via "static", distance 1, metric 0
  Redistributing via bgp 10
  Advertised by bgp 10
  Routing Descriptor Blocks:
  * 194.22.16.2, via FastEthernet3/0
      Route metric is 0, traffic share count is 1

Example 4-39. Route Toward the Common Server in the San Jose PE Router and Connected CE Routers

PE_SanJose#show ip route vrf FastFood 194.22.16.0
Routing entry for 194.22.16.0/24
  Known via "bgp 10", distance 200, metric 0, type internal
  Redistributing via rip
  Advertised by rip metric transparent
  Last update from 194.22.15.3 00:06:42 ago
  Routing Descriptor Blocks:
  * 194.22.15.3 (Default-IP-Routing-Table), from 194.22.15.3
      Route metric is 0, traffic share count is 1
      AS Hops 0

SanJose#show ip route 194.22.16.0
Routing entry for 194.22.16.0 255.255.255.0
  Known via "rip", distance 120, metric 1
  Redistributing via rip
  Last update from 192.168.2.18 on Serial0.236, 00:00:19 ago
  Routing Descriptor Blocks:
  * 192.168.2.18, from 192.168.2.18, 00:00:19 ago, via Serial0.236
      Route metric is 1, traffic share count is 1

SanFrancisco#show ip route 194.22.16.0
Routing entry for 194.22.16.0/24
  Known via "rip", distance 120, metric 1
  Redistributing via rip
  Last update from 192.168.2.14 on Serial0.313, 00:00:03 ago
  Routing Descriptor Blocks:
  * 192.168.2.14, from 192.168.2.14, 00:00:03 ago, via Serial0.313
      Route metric is 1, traffic share count is 1
NAT Configuration on the Washington PE Router

With the IP routing in place, NAT is configured with the following steps:

The interface that connects the common server to the Washington PE router is configured as an outside NAT interface with the commands in Example 4-40.

Example 4-40. Outside NAT Interface Configuration

interface FastEthernet3/0
 ip nat outside

A single route map is defined to match packets that are exchanged between the customers and the common server. A sample route map configuration is shown in Example 4-41.

Example 4-41. Route Map and Access List Used in NAT Definitions

ip access-list extended CommonNAT
 permit ip any 194.22.16.0 0.0.0.255
!
route-map CommonNAT permit 10
 match ip address CommonNAT

NOTE

Performing NAT based on a route map is strongly advised in complex NAT scenarios because Cisco IOS creates extended translation entries when a route map is used with the ip nat command.

The interfaces that connect CE routers to the Washington PE router are configured as inside NAT interfaces with the ip nat inside command, as shown in Example 4-42.

Example 4-42. Interfaces Toward CE Routers Are Configured as NAT Inside Interfaces

interface Serial6/3.312 point-to-point
 description *** Link to EuroBank Washington ***
 ip nat inside

NAT translation is configured for the EuroBank and FastFoods VRFs with the inside source commands shown in Example 4-43.

Example 4-43. Per-VRF Inside Source IP Address Translation Definition

ip nat inside source route-map CommonNAT pool Common vrf EuroBank
ip nat inside source route-map CommonNAT pool Common vrf FastFoods

After these configuration steps, PE-NAT is fully operational, but only for customer sites that are attached directly to the Washington PE router. For example, the Washington CE router can access the common server, but the San Francisco CE router cannot, because the packets it sends toward the common server are not forwarded from an inside NAT interface to an outside NAT interface from the perspective of the Washington PE router. To enable NAT functionality for remote sites, you must define all the core interfaces (interfaces that link PE routers with P routers and other PE routers) as inside interfaces, as shown in Example 4-44.

Example 4-44. Interfaces Toward the Network Core Are Configured as NAT Inside Interfaces

interface Serial6/0
 description *** Link to PE_SanJose ***
 ip nat inside

With the core interfaces marked as inside, the CommonNAT access list is what keeps translation limited to packets destined for the common server subnet, so keep that access list as narrow as the service requires.

Testing the PE-NAT configuration is simple: a Telnet session is opened from a CE router toward the common server, and the NAT translation entries are examined on the PE router. Example 4-45 shows the two translation entries that result, one for the Washington CE router in the EuroBank VRF and the other one for the San Jose CE router in the FastFoods VRF.

Example 4-45. NAT Translations on the PE Router

PE_Washington#show ip nat translations verbose
Pro Inside global      Inside local       Outside local      Outside global
tcp 172.16.0.1:11007   192.168.2.17:11007 194.22.16.2:23     194.22.16.2:23
    create 00:00:24, use 00:00:24, left 23:59:35, Map-Id(In): 4,
    flags:
    extended, use_count: 0, VRF : FastFood
tcp 172.16.0.2:11012   192.168.2.33:11012 194.22.16.2:23     194.22.16.2:23
    create 00:00:08, use 00:00:08, left 23:59:51, Map-Id(In): 5,
    flags:
    extended, use_count: 0, VRF : EuroBank
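Reading the verbose translation table by eye is fine for two sessions; for an operational check you want the three properties of this design verified mechanically: every translation is tagged with a customer VRF, every inside-global address comes from the shared pool, and every translation is toward the common server. The script below is an added example and is not code from the book or from Cisco. It parses the text of show ip nat translations verbose and audits it against the addresses in Table 4-6. The sample output embeds the two entries from Example 4-45 plus a third, constructed entry (no VRF tag, inside-global address outside the pool) that stands in for a translation that escaped the per-VRF rule; the function names and audit rules are this example's own assumptions. Passing a different pool and server=None makes the same audit apply to the Internet-access variant described in the next section.

```python
"""Audit PE-NAT translations from `show ip nat translations verbose`.

Added example, not from the book. Checks that every translation is
VRF-scoped, drawn from the shared pool, and aimed at the common server.
"""
import ipaddress
import re
from collections import Counter

# Design constants from Table 4-6 and Example 4-33.
COMMON_POOL = ipaddress.ip_network("172.16.0.0/22")
COMMON_SERVER = ipaddress.ip_address("194.22.16.2")
CUSTOMER_VRFS = {"EuroBank", "FastFood"}

# Constructed sample: the first two entries mirror Example 4-45; the third is
# invented to show a translation with no VRF tag and an inside-global address
# that is not in the pool (what a stray global-table translation looks like).
SAMPLE_OUTPUT = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 172.16.0.1:11007   192.168.2.17:11007 194.22.16.2:23     194.22.16.2:23
    create 00:00:24, use 00:00:24, left 23:59:35, Map-Id(In): 4,
    flags:
    extended, use_count: 0, VRF : FastFood
tcp 172.16.0.2:11012   192.168.2.33:11012 194.22.16.2:23     194.22.16.2:23
    create 00:00:08, use 00:00:08, left 23:59:51, Map-Id(In): 5,
    flags:
    extended, use_count: 0, VRF : EuroBank
tcp 194.22.16.1:11020  192.168.2.17:11020 194.22.16.2:23     194.22.16.2:23
    create 00:00:02, use 00:00:02, left 23:59:57, Map-Id(In): 7,
    flags:
    extended, use_count: 0
"""

# A translation line: protocol followed by the four address:port columns.
_ENTRY = re.compile(r"^(tcp|udp|icmp)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
# The VRF tag appears on one of the indented continuation lines.
_VRF = re.compile(r"VRF\s*:\s*(\S+)")


def _split(addr_port):
    """'172.16.0.1:11007' -> (IPv4Address('172.16.0.1'), 11007)."""
    host, _, port = addr_port.rpartition(":")
    return ipaddress.ip_address(host), int(port)


def parse_translations(text):
    """Return one dict per translation; 'vrf' is None when no VRF tag is shown."""
    entries = []
    for line in text.splitlines():
        m = _ENTRY.match(line)
        if m:
            proto, ig, il, ol, og = m.groups()
            entries.append({
                "proto": proto,
                "inside_global": _split(ig),
                "inside_local": _split(il),
                "outside_local": _split(ol),
                "outside_global": _split(og),
                "vrf": None,
            })
        elif entries:
            v = _VRF.search(line)
            if v:
                entries[-1]["vrf"] = v.group(1)
    return entries


def audit(entries, pool=COMMON_POOL, server=COMMON_SERVER, vrfs=CUSTOMER_VRFS):
    """Return (entry_index, problem) pairs for translations that break the design."""
    findings = []
    for i, e in enumerate(entries):
        if e["vrf"] not in vrfs:
            findings.append((i, f"not scoped to a customer VRF (VRF={e['vrf']})"))
        if e["inside_global"][0] not in pool:
            findings.append((i, f"inside global {e['inside_global'][0]} not in {pool}"))
        if server is not None and e["outside_global"][0] != server:
            findings.append((i, f"outside global {e['outside_global'][0]} is not the server"))
    return findings


def pool_usage(entries, pool=COMMON_POOL):
    """Distinct pool addresses in use per VRF, plus the pool size, for capacity checks."""
    used = Counter()
    for vrf, ig in {(e["vrf"], e["inside_global"][0]) for e in entries}:
        if ig in pool:
            used[vrf or "global"] += 1
    return dict(used), pool.num_addresses


if __name__ == "__main__":
    t = parse_translations(SAMPLE_OUTPUT)
    for idx, problem in audit(t):
        print(f"entry {idx}: {problem}")
    print(pool_usage(t))
```

Note that the first and third entries share the inside-local address 192.168.2.17; only the VRF tag tells them apart, which is why the audit treats a missing tag as a finding rather than a cosmetic gap.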


Using PE-NAT for Shared Firewalls

You can use NAT functionality that is similar to the one deployed in the previous scenario to give MPLS VPN customers who have private IP addresses access to the Internet through a shared PE-NAT device. The corresponding topology of the SuperCom network is shown in Figure 4-24.

Figure 4-24. Internet Access with Shared PE-NAT

In this setup, the Washington PE router is directly connected to an Internet gateway router through a LAN connection. Internet access implemented through packet leaking between VRFs and global IP routing (described in more detail in Chapter 13, "Advanced MPLS/VPN Topics," of the MPLS and VPN Architectures, Volume I book) will be used in this scenario.

NOTE

In this particular setup, it would be even simpler to use an Internet-in-a-VPN approach and employ the same design that was used for common server access in the previous section. The only difference in the configuration would be that the per-VRF static route toward the common server (as configured in the previous section) would be replaced by a per-VRF default route.

The design used to implement PE-NAT between a VRF and the global IP routing table is similar to the inter-VRF design and has the same limitation of PE-NAT (NAT is only performed inside a single VRF).

Step 1. The interface toward the Internet gateway is placed in the global IP routing table, as shown in Example 4-46.
Example 4-46. Internet Gateway Interface Configuration

interface FastEthernet3/0
 ip address 194.22.16.1 255.255.255.0

Step 2. A single NAT pool is defined with the command in Example 4-47 to cover the needs of all customers who are accessing the Internet. A subset of the subnet used on the link between the Washington PE router and the Internet gateway is used to simplify IP routing.

Example 4-47. NAT Pool Definition

ip nat pool Common 194.22.16.16 194.22.16.31 netmask 255.255.255.240

Step 3. A global IP route covering the NAT pool is defined with the command in Example 4-48 to ensure that the Washington PE router will perform proxy-ARP when the Internet gateway forwards return traffic toward IP addresses in the NAT pool.

Example 4-48. Global IP Routing to IP NAT Pool

ip route 194.22.16.16 255.255.255.240 Null0

Step 4. A VRF is defined for every customer who accesses the common server. (The EuroBank VRF is already defined in the Washington PE router, but the FastFood VRF must be created, as shown in Example 4-49.)

Example 4-49. Customer VRF Definition

ip vrf FastFood
 rd 100:252
 route-target export 100:252
 route-target import 100:252

Step 5. A default route with the Internet gateway as the global next-hop is defined in every customer VRF on the Washington PE router to ensure that (from the PE router's perspective) NAT will be performed inside a single VRF. This default route must be redistributed into Multiprotocol BGP and any relevant PE-CE routing protocol, as shown in Example 4-50.

Example 4-50. Default IP Routing from Customers to the Internet Gateway

ip route vrf EuroBank 0.0.0.0 0.0.0.0 194.22.16.2 global
ip route vrf FastFood 0.0.0.0 0.0.0.0 194.22.16.2 global
!
router bgp 10
 address-family ipv4 vrf FastFood
  redistribute static
  default-information originate
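The five steps above depend on three things lining up on the PE router, and a typo in any of them silently breaks Internet access for one VRF. The following script is an added example (not from the book or from Cisco) that parses a constructed configuration fragment built from Examples 4-46 through 4-50 and checks those invariants: the NAT pool is carved from the PE-to-gateway subnet (Step 2), a global Null0 route covers the pool so the PE proxy-ARPs for return traffic (Step 3), and every VRF has a default route whose next hop is in the global table and on the gateway subnet (Step 5). The fragment deliberately omits the global keyword on the FastFood default route so the check has something to report.

```python
import ipaddress
import re

# Constructed config fragment: the Washington PE router pieces from Examples
# 4-46 to 4-50 above, with one deliberate mistake (FastFood's default route
# lacks the 'global' keyword, so its next hop would be looked up in the VRF).
PE_CONFIG = """
interface FastEthernet3/0
 ip address 194.22.16.1 255.255.255.0
ip nat pool Common 194.22.16.16 194.22.16.31 netmask 255.255.255.240
ip route 194.22.16.16 255.255.255.240 Null0
ip vrf EuroBank
ip vrf FastFood
ip route vrf EuroBank 0.0.0.0 0.0.0.0 194.22.16.2 global
ip route vrf FastFood 0.0.0.0 0.0.0.0 194.22.16.2
"""

def check_pe_nat(config):
    """Return a list of findings; an empty list means the PE-NAT design is consistent."""
    findings = []
    m = re.search(r"^ ip address (\S+) (\S+)", config, re.M)
    gw_net = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
    m = re.search(r"^ip nat pool \S+ (\S+) (\S+) netmask (\S+)", config, re.M)
    pool_lo, pool_hi = ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))
    pool_net = ipaddress.ip_network(f"{m.group(1)}/{m.group(3)}", strict=False)
    # Step 2: the pool must be a subset of the PE-to-gateway subnet.
    if pool_lo not in gw_net or pool_hi not in gw_net:
        findings.append("NAT pool lies outside the Internet gateway subnet")
    # Step 3: a global Null0 route must cover the pool, or the PE never proxy-ARPs for it.
    null_routes = [ipaddress.ip_network(f"{a}/{b}", strict=False)
                   for a, b in re.findall(r"^ip route (\S+) (\S+) Null0", config, re.M)]
    if not any(pool_net.subnet_of(n) for n in null_routes):
        findings.append("no global Null0 route covers the NAT pool (no proxy-ARP for return traffic)")
    # Step 5: each VRF needs a default route with a global next hop on the gateway subnet.
    for vrf in re.findall(r"^ip vrf (\S+)", config, re.M):
        m = re.search(rf"^ip route vrf {vrf} 0\.0\.0\.0 0\.0\.0\.0 (\S+)( global)?", config, re.M)
        if m is None:
            findings.append(f"VRF {vrf}: no default route toward the Internet gateway")
        elif not m.group(2):
            findings.append(f"VRF {vrf}: default route next hop is not in the global table")
        elif ipaddress.ip_address(m.group(1)) not in gw_net:
            findings.append(f"VRF {vrf}: default route next hop {m.group(1)} not on the gateway subnet")
    return findings

if __name__ == "__main__":
    for finding in check_pe_nat(PE_CONFIG):
        print("FINDING:", finding)
```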