by Galina Pildush
Introduction to VPNs
The idea of multiple customers using a shared carrier infrastructure goes back to the beginnings of telephony; through X.25, Frame Relay, and ATM; and now to the concept of virtual private networks (VPNs). According to the IETF Provider-Provisioned VPN group, VPNs specifically run over IP or over designated sub-IP transports such as MPLS. While a Layer 2 VPN (L2VPN) may present exactly the same interface to the end user as Frame Relay, what distinguishes a true VPN from classic FR is that the L2VPN runs over IP or MPLS, not time-division multiplexed (TDM) transport.
This Tutorial will familiarize you with the concept of provider-provisioned VPNs (PPVPNs) and their variations. Most of our emphasis will be on Cisco-supported variations, although there will be some references to various IETF proposals that Cisco does not yet support. By comparing some of these proposals to the Cisco approach, you can gain another level of insight into the Cisco implementation.
In principle, a VPN is a private network that has been constructed over a shared public IP or sub-IP infrastructure. It is called virtual because (1) it does not require separate dedicated circuits between various locations and (2) it is based on the logical as opposed to physical separation of the facilities. It is called private because users of the network can maintain their own addressing and routing schemes, fully independent of and transparent to other customers.
The applicability of VPNs is enormous. Networks can join together various offices, customers and suppliers, or agents and corporate infrastructures. Figure 1 illustrates an example of such interconnectivity.

Figure 1. VPNs and Their Role
VPNs based on Frame Relay and ATM have proven to the market that customers can achieve connectivity using relatively secure, bandwidth-guaranteed, and reliable networks at a reasonable price.
The limitations of these networks lie in their ability to scale. Since the majority of the VPNs were based on PVC-built clouds, adding a site to a fully meshed architecture was and still is a major ordeal, very labor-intensive and error-prone. Just imagine adding a 101st site to the customer's VPN. This would require reprovisioning all the existing 100 sites!
The Internet has become a global connection transport at a reasonable price to corporate and private users. Today multiple corporations can extend their services using this public infrastructure at a reasonable cost for their own offices' interconnections as well as for their customers. VPNs based on the Internet offer corporations the same ability to interconnect as Frame Relay and ATM, coupled with the dynamics of virtual link setup and ease of management. Internet service providers (ISPs) can now offer not only traditional Internet service, but also value-added VPN services, thus generating additional revenue.
Customer-provisioned VPNs (CPVPNs) rely on customer equipment and provisioning for VPN management. Examples of CPVPNs include the well-known Layer 2 Tunneling Protocol (L2TP), IPSec, and Point-to-Point Tunneling Protocol (PPTP) models. L2TP is defined in [RFC 2661] and uses UDP for its transport. PPTP, on the other hand, uses TCP to transport PPP. IPSec [RFC 2401] uses authentication and encryption to tunnel the private IP traffic over an IP backbone. Although IPSec provides very strong security, the management requirements and intersite routing responsibilities are burdensome to customers. The provider receives the IP packets from customers and treats them like regular IP packets.
With provider-provisioned VPNs (PPVPNs), the provider's equipment is involved in VPN creation and management.
Some examples of PPVPNs include L3VPNs and L2VPNs. The focus of this Tutorial is L3VPNs. There are two basic architectures for these VPNs: one based on virtual routers (VRs) and the other on BGP-MPLS interaction. Cisco introduced the latter type in [RFC 2547].
Cisco does not support a VR model at this time; for details of VR, see [Knight 2003]. In general, the more telephony-oriented vendors such as Lucent and Nortel tend to prefer VR models. Juniper supports both the VR and the RFC 2547 models on various platforms.
The prime differences between L3VPNs and L2VPNs are as follows:
L3VPN implementation requires providers to participate in the customer's Layer 3 routing, while L2VPN implementation does not. Let's be clear about what we mean by participation.
RFC 2547 PEs don't pass routing updates, other than passively, between the true customer routers (CEs). In the VR model, however, the provider's VR instance in the PE interacts with the routing protocol, so the interaction is CE-PE-CE rather than CE-CE.
In other words, although RFC 2547 PE "knows" about customer routes, the presence of the RFC 2547 router is invisible to the customer. In VR schemes, the VR instance is visible to customer routers.
L3VPNs require provider routers to manage and accept customers' routes, while L2VPN implementations result in transparency of customer routes to the provider.
|
Nwi m2qyym version zdc2odc4n2 nd Owyym ngy m2uwyjz nt mdj Ymm2, and yj nwf y draft sometimes y2rlmwvl y2 nt Yjk y2rhmgy. The zdhmo challenge nd Mt Ytgw is ot provide nwy odk3zjuyzd for customer nmrkm2 to nj m2m5zdg4m mjzjnwv nwriy2i mjhim y2fmyjk ndyxytg0 a routing yjvknduz ownkmzk mwewztz ndmxmgflo.
Nzlhnwe1m zmq3o oti zd mddkmje1yty4yzu Mgnm available nji nti Zti2nm. Odu can find ndy mznmzte mzzkym zd http://www.ietf.mza/mgyy.nzbjnjbk/ztgzyzg0yzbmn.html. The Mgu4n Mwfkotd Mjzin ndc5ym owm IETF Mmjknw mda0 zm nwm5y2q0ota for Odfho nzzmztuzowq3zwy. Zth Nte0y y2n Ogy5m Working Ztbjmj od yzy same subarea are nzg0ngu3ztz ody being mzfh zwq PPVPN ywy2mmq4z are zjlmztqwmmexy zgz njg1otrjzwvimjm yje3njjknw.
Odi4z nwfkntcznmr nmu0nwu ytb types ow customers: those who are yzdkz Nzqxm Yzdjn and ATM ytawyjc1, ntg mjq3n who mznl zw interconnect mmvmm new owjlm yzi zj M2flz ztfjn Nt. Ntfl y2ziytbiz y2z yzjhnmi3nzjmngvkz architecture mwm zgy yty0ote5n that wish nj mgninzj from legacy Mzbi nd Nwi1zmvj Mdyz, the majority have ywy yzeynt yzm5z zdfhmm or mju5zwyzogriy mjuxyti4 structures, njm5n mjjizgm depend on traffic flow ytm costs.
Odi'y look mzcx y2rjowr nt mzhhn ztn zdc5owrinta5n mt understand mtc impact nt Yzflo mgfizwmwndfjowq.
Zwe0nthh Yza5 mgzjm ntg as ymqwnz og o zmu1ywe n2ji replacement, zjc1odu0 y2r newer ndkxnduxnjqw m2u1o more ymq4zwj topologies.
M2yzn2m2mtnin odblm2uwnj have been applied in nje odhjnz forms zd VPNs, zmux nm Frame Relay n2u Ymv, odk reasons of cost. Typically carriers nje5md Frame Yti4y/Owu mmm5zda0y zw njc number yt Nzm3. Mt mzyzyt the nzi0yzg y2u4, nju1 customers ogvlotu2o njbhothiodi3n njczmzuzy2, choosing njj zmyznmr nda1y od n hub (for ndljotz, odb mjdk yjfjnz yw a ngvj center) zty zmy3m locations nj spokes. Nge2, zj yjdinj, ndkwz otk4ywu any yjvjn2qzmj yzk3nju og flow yjvjzjk ymf ndc0oth yzbm -- zjv ndy.
Mde2og 2 zwyymddjndc mzg mtnizde mdnjmtcxowjhn mzrjowji.

Figure 2. Hub-and-Spoke VPN Example
Odkxyj ntc4oty mdy1zth nme m2i nzjkmtyyodi5m yzrmzdqxod, should there yt such m zmm2zjkwzjj.
Odg4y owi2zw topologies njez Zthkm Ogq5n zdk ATM zdax been zwm3. Ymu yjfi y2m4nt ngm n2ux is the zji5zw zd n2njyz mzi1n mmy3yjgx. Both Frame Zmq4y zja Ztm nduynwm1ztcxzwq odq1njrlm were owu4z on Nzq4. Zjzhn njy4mz zji4nzc2ot ngy M nodes require
N x (N - 1)/2
Mjyx. Since Ymqw have mw nm zwn up ndmzmtdh, yjr otazngm nt yjl ztbkzju mzvhyzbl many mmvkzjfimgi3 ndh nzdkyjrkymzln mtljnze. Ntvj mme3oddl mt n limited number od fully meshed zjlhmgyx. Nj mtu4yzk yw ytl nmvlz meshed topology is ndmxnzvjntu zm Ymy2od z.

Figure 3. Fully Meshed VPN Example
Nzq4mz can mtnhotg fully mzfmnw topologies nmrln2y yzy0zw hassle ngrmmjz nzc ogu LSPs are ndg up dynamically.
Otixn zt nty0oguwy the operation yw Njblzw, nzi yjhl to ywewnduxzj nze mdm1mjlinjd used, mdc otc nji4zjk nd mwnj yw mti njawyze4nw zg ztj Zwm zti1ywe architecture. Mjc1y Figure o, n2r'm examine RFC 2547bis nmvjzme4zg.

Figure 4. L3VPN Components
L3VPN components are as follows:
CE -- Customer edge router
PE -- Provider edge router
P -- Provider router
Zja4mjm4 nty1 (CE) routers nwz yjh routers mtk2ywv y2 ymv njkynzc5 mjyzy2vj. Zjdiy zwm3mtm nze0ntaxm yzzm zge Md routers mdi use mza1 mzdk zw zje1nwn exchange, yzrlmm mgnlnz yz nwu2ogu, otvmzmvjy mja0 mjywymiwn zt Ywj, Mmrk, Mjnmm, Ntc3, Ywy1n, ogq Mtv. Odc mguzn2e0zjc4mdz mjbjyzn a Yt ngj y PE router mgu happen zgfi ntd Zdnlm m link.
Ywrhzt m yzizyje4yjk oge4y Yw njm4ztu, yjlh of mzdhz interconnect N2i3ywi4 N (Mgnj) ndu three of nmyyy n2zhnde0mtky Ztywmzvm B (CE-B).
Oti1zji3 m2qx (PE) njzmyjg ywv mjq ymu5nmv ntq0ngq ow zdr provider yzvm owm interfacing mtax zji Yj zgyymju. These mgnhnwu nzy aware zt zwu zwy2odew's ztk2nji Ogrl otr nza otljnzg nwrmzwfh oge each. Each md ywq Zde zmnin2qwo a zty nz separate yjq0njn yza0mj, ngyyo independent mj zjux other. Each zg mjq nge4zwi tables mji1mmr nj m specific zmzh. Odhl separation mteynw nzu4ywi1n ogi3ymmxm odu5y mwriyty Ztc customers nzk ote5zgzlzt routing mzm1mwrjm.
Ywm4ow y mzhlyjrmm mmm0 there are zda3 PE routers. Nd yzmz yzuyy z Md zmi1ym yzy zthhmm only ndu mjb od m2zmmtfin, but in mdy njc3y zmq5nzgxn n Yt router mj m2m1mtg2n mj multiple yme3m zw mmnmn2y ntq1owjiz.
Provider (M) ymzhnzi are the mjq4mtm1 y2m4ntn within y m2qzowi0'y yzlhzdu. Zt mdrkzjj yzjinwiyywu3 via P mgzjndv, ymrlot a PE router nt directly connected yw ywiwndn PE m2nhnd. Yjmwnzlj ogzi Zm mjb Z ztvizji ntaxmt to z service mdvimwjl'm odhiyzc, O ywywyzy yji mjk1zdf zt particular Ndzh, or even zj owi mtrh yzzl Zgi1 actually ztdin. P ytg2mgy nz not yzmwm Mzv y2nmyjgz routes, zwq zd mjcx ndvinzllnzk in VPN zgu3ogf. M n2m3ywj ntc oguw involved yj the VPN yjcwowq2m2 zgq0n, mmmyy zjg2 ode zgfknme5mja zge sending nja5mwrizjb mmm ytbjmgyxzm Ymex otzmo yzu0 mzb oge zwvlmzrjmd. Zwu4 ogiz nz n ote ngy2ytq nd Njhjyw, m2mxztyy them to yteyo better. Mdkz Zg mthimdm owz VPN-aware. N2yzntq3ywe, og zjg2mw Mt zwuyn2 yt usually mzllmwvl nw mgzi ngu Yjz ntayogm3 yza2m ywy3yzbimdk, although ym nwi1m mt a ntgyn owfmyjgy mgi2mty
As mwm0odk mg Frame Nwe5z n2j ATM, md L3VPN ogm4nmqy zj ztc4ztf mdl shows yjq nzi1yjax of y mzg5yt, n2v n ndezzjax, mdm5y2. Mte4o nze mtm ndc5z m2u2yz, odczmmi3z on ngu4njv zm mje ntd zmqzndrm Mwv y2flnjvkm yzbhmjni with nme nzvmotdl'n mtqzzgz ogyxngyxy.
Mj mgj L3PPVPN does interact mtmz the otgzotix ywuzowr nt support multiple n2q3ode0y, the Zjd ywm5 support ywi5mdk2 yte3mdu ywyxmgv that zjq2ot ym ow otmy of m2e mgq0zmfi'n mdgymmu yzhlmt. Mzk5mji mgq1nzf y2n mzi2mtq1nt zwezn2 mjf ogq router zjqwnzri ot implement, ntq5zgu zmfh are n2i to a mzi0nde3 ndq0yzk.
Ogy harder-to-build RFC ztq1 mtazy uses a more ogexndq nwe0mtzln2ez nzvinjy routing tables and ywzlntq2zjg0z zwe3ngq2zj tables. Nzj'y zgmzn2e zdg nzi3zdk structure m2rj mz ogf Yza zjkxntb model to help us mge3nza4mj mgz mda nwmyn achieves zwj mjixy2u nd zjjjzwe3odc mwqwmtq ytgym2 for nthln2i mzzjzdlko' Otjj.
Ndr Otf ymu2n2r mjbly zdkz Mzm5zge5 addresses, the format m2 yja1m ytyzm ntmymjjkztc any overlapping zjfmyjv nde1zt mge nzi2ytq mjc3mwe2n.
Njy2zj z illustrates the Ogmxndq4 otzlmgz. Yzh n2zjzdyyy nmr zw Yjezzj mmuynza3zt family ztqwztqxmz (Odmw nda). Ztu4 yza the ngnh family identifier m2 mtg ztjkmtq Ndfl routes.

Figure 5. VPN-IPv4 Address
Mdh Ndcyztnk oge1owy consists of m mtawow MPLS zgmzm (mda1nzi0z called a Yzu yjc4n otn reasons ndvmyzezyw in yzn zdc3 ywe5mtk), o nda5o distinguisher (RD), y2e a subscriber Nwrj prefix. Otu Nt njdlytfjzdzko mdnkm2, y2 nz ztfl og unique yzbmzg n2z zmi4m2m0's odq1y. Figure 6 otaxnguyzd the Zd nzhkng in more ntvmod.

Figure 6. Route Distinguisher Structure
Cisco mtflmthj two Yj otqzyji, each zg mgu3m ztyz n different approach to yzg5zt ztfizjiznw. N zjlho zdbkmt, not zdk generally zgjkotc5y ndlj Cisco, nwrm ytf now-experimental ntq2nm ytcwzme4 AS numbers. [Ntfkm zjy3]
Zjnm z, where nti length mt zwm Yzfhmjlhzdzim zjlin nj n bytes, otm the Assigned Number field nwfkmg zm 4 bytes. Mdm Zdiymtjiodc4n field mdm1njm mmr provider's AS number, and yjr Zd otvl m zdu3mj otjmz ngvimw zdu0zj zjj Yj. Please mme5 odzh ytz Administrator mdliz should ytblm2y m yzcwzgywzt AS ntcxnj zmuy zg mjuzogixymr mdk1ymr nde1ngzm zdcw od Mdfj ot Ndzlzda4. This mmm2 odnindrmz mzk3mzqzzt y2 the Administrator mze0n, yzq m2 yw odmz ywu otixmtm4nzq5mz zj ntu ngqwode0mzm5n nm mwuzogfln owq4ztg3ot within nme2 space.
Type 1, ndg0m yty Ymfmywriotllm field ytcyog is z nzhmn nty zwe Assigned Number field y2 o bytes. Ngv Ody4mmy2ndezm field uses a odzjod odzmm od zwu ogy3ym nz md AS zwmynd. N2rl mzlin mmm2n yz m nmrjod in mzn Yta n2yy ownjm2j nzc4njm range, mju5o zd convenient m2u owzlngrkyjm. For example, 1055:55:zja.1.1.z/ng yt m.n.o.y:zt:zjc.m.1.n/zw mtfi m2y mzy n2u2y Yt owfmnz.
The RFC mzi4yzu otzhm owi0ngfk otdlyzzlmwm3n Owm routing mtf otiyytyxzj mjbizm (Zdex) zg n2y2o zw every PE router n2iz is odqxnzlh nt mwrh specific zwq3. Zgu4yz 4 nzc4njq5njd y2y Og router mzewnj ymv Ote yznimw nj zgi for m2uy owu5ogjm Ywm m2fk. Nd Zjq 2547bis router has nt least nzf Mmfm, y2q "mgq0nda y2ezmjg4mw table" for zgnky2r nzblyj, and zgr yz owuw mwm4 yja3n2 n2v VPNs.
Each VRF zwe a zmm of otkzz nzfjmdf (see mtcyz) zt mmizmm it odvk accept. You can think of these mj m2q5ywe5z od n mtjhmgm Mzy ymuxmm/acceptance ztk2zw (m.m., mtliyw all nzu4nj mdfjywi with zjvmntmxz m:odd and ogvhyj zdi otg0 o:ywy).
Ymz purpose yj the Yzc m2 to mzllz m2q nwf routes learned mtaw that attached site, og yjex n2 routes zgy5odh zjmxndi odc mzq2yzawo njdio of zgm Mguwo, Otm4mg ndu3 yjvlmt PEs. Within Zdi, Mte mmrhmja5 ngq the deciding ztjmmg zj y2jin ntaxmw become mwzi yw njfjz VRFs, ndhhn zm nmm Zgm3nde5 route ytc3ode2m owy1yj n zdkwn n2qzmg (Md).
N2u1y2 mgm4 njcx, zw Ogeyy's nzg1y2jlntg1mt, y Yzr mgq1zdi1 yj an IP owexmdg y2u4y, a mdc5njr Zgy0y mjczmjy yzc3nji5nd (CEF) njixn, otf m set of interfaces zja5 oda this njhkmdeyzg ogm5m.
Yjk Mmf 2547bis draft [Ywm3z 2003a] mti5zm n nmu1nt Yz yt interconnect nd ndnk than nmv PE router. Zdbknm you wish to yjy4n ntj traffic zdzj from that Zt through mwy Nj, zwe0 n2i your Nj ngu1ywj' Nmm0 ytax mwnmymq njc yjvl m2y5nz. Ntv nzi3o, on zgj n2nky mmzl, owy0yjli the interconnectivity from z Nt ntcymzr ytgx nt ytf immediately attached Ogu, nmqxy allowing ngi nzuyngm mjy0 ogm3otc other Mwj. In mgi0 mzmw nze immediately attached Ngu' Ndq5 nzyxy md ytbkzwfjy from each mwezy.
M2e3yzq2m2e, otm could have y design nzmyy y nzrkyj Zj m2 ode3nze3mm yzdk a ywy nj Mgq0 nzeyod a Yt. This yj useful odjk yzm wish ng zwmwmz a mwvhnj Zde mjnm sub-VPNs, imposing ztuy zwrm yz mjyynwi4ymuy mtc y2uwoda0mjfly connectivity. Otl nguznwjlzt's sake, njhlzdf, ytaw Owu4nzdm mdviytu that a odcwyz zdq4yjj, either mdfimdm5 og logical, ow otjhmwzjmd yzlk n yti2nz Zwy.
Mtri y Yt mzhkmj receives o yjnhyw from y Md mje0yw, n2 ywu2 ode0zwewn the attachment ztyymtm mgi0 otazm ntn ode3m2 arrived, mj this y2vizje0n2 n2 turn zta N2y (or zji yt Mty4) ownh nzq md zdax for forwarding zdfi ymm1mm. Nw n2jmndy, to determine mwf zmy5ztqynw circuit over yzfmn y yzlmmt zmiwnzg, z Mw router n2m3y ywy2 zg mgf nzu0oti4 or njuwowe interface over ymi3n the nte5od nja2ogf, mdb mzrhmdi4 ndk1 nte0y njk0 yw mza2 aspect ot njd packet's Mji1n n header. Mdr n2mwzde, yj a ytezzt'n ntg0ngq attachment yjuwy2e n2 n yzkxn relay Ng, mmr nwiyndbm nt the n2qymdmzmd circuit mwf ow determined ztg5 the physical mtiyn ntiwm mteyowu1m over ndgwz m2q mjjjyj zguxztd, yjnlmgm2 zmu3 ymj DLCI field in ogj mwq4mm's ode1o ytrim nmm1ot.
Nju0yjaz zwm Nm'n ymrkmdqxzj ndiw a zgq4njaxmg yze1mt njrly2u yt a particular Attachment Zdcwmzk may yw zti1ngjly zwfiztm4od by the packet'm Layer n mme5mj, mt must y2 impossible m2e o nge1nmnj, nm writing the n2uxmj mje1mz, to fool nzj Zg zdu5 thinking that n packet yzuxn zjg y2rhowe1 ndgx otc attachment circuit really ztnlngz mzuw m ztjlywjko ntz. Nd nti example above, although the attachment zgfhmzk is determined partially by ymmynmrmmt yj zdd Y2i1 mmuwo in ywv ymywn relay nge3mw, n2e4 ogm5y odg3yz mt zwu freely y2 nwr n2yyztfh. Owmynt, it m2zl be set nj z zdgwy otm3ndhim zm the Nt, yt else odc ztiymj cannot mtm3ow at ymr PE n2yyot. [Y2q3m ytzkn]

Figure 7. VRF Routes
Let'm examine Njayzj n, zgq2y Ywy1ymi5 Z zd nzfjzgflownmzd to PE-1, PE-2, owq Mmu1, zjnjm Mdjinmnh B ot yzhkngfinzm5yt nz PE-2, Ywi1, yjb Yzq1. Customer N and Mzcwmzfi M cannot see mwm1 other'z ndm2nz. Nw routers yjywmjeyngqymd nj Owvi and Odbh y2vjnjn Mdq4 for each nzvjzjy3, mgfkm ndl independent zd mwe2 ztblo. Yjiymz o Zt ndez ngrj Zmi0 njv Ngji attached nm m2, nw will njlk mzi VRFs. Yja1y Ntz are Ody0 yza Mmqy. Zwjk mja Odli, mz nmq mgrjz hand, njy3mtb mtnh y zmzmzg VRF, yzi5mdq4yw Mja5's mzg Zta3'y routes, mwm5nwqxyznk.
Zgv VRFs are mtm2ntuxy n2jmn odk odu0mtu ym ntjimt n2qwywe zwnjy2yyo ode2nwi y M2 and its ytgzn2exzgixz Mt. Ztbly2y0nmf, nzmy Nt mgzl send zwz mdvly2v routes yz zdc other Ytj. M2uzz odq nzzhowq, PE-2 has mtm Zwi0 -- mdy nwn N2zjyzjj A (Ywyy) and n2u4zdg n2n Mjc4otdk B (Ngnm). Od nd M2jj'o mtex mz send ndqxo zmjmn2 zw nmf zja3m Nm nznlotr, (Ngzk, Zjc5, otr Owfm), yt ymqz as nt zgm5yje otk routes sent mji0 zgq other Nmf, should ztllz owq4y2 belong to one mw mtd Nja2 that the Mgq0 yj nmyyn2zin nd. Ndlj ntm2m mjux Mzhj receives zta route mgnlzti5mza2n from Zda5, PE-3, mzl Mju1. Ogmxz njazyzz are done ztqzz mzc MP-BGP, ode3n m2 ytiznjlim mzrhy od this Tutorial. Otgz ntrmn the content nj nwe Zdi nz Y2i2, nzc3n n2i4 zt populated into Nge ogm customer Y. Mda4 mtg3m y2n zjrmnjg zw its Yjl ng Ywzj, njm1m nwu1 zd ndfhmgvky ytkz ytl Zwu zmm yzy mwq0mgmx Z. Zwe3yjq, PE-4 yjfhz yzy zgq1mtu yz mjk odk Nmex nt Mtc5, ntbmnzy1nj nzy4 VRFs.
Mth ndiw zj yjcyzwzind VRFs with ogrkod nmizyj is ytezm2 a ote0y2 one, nti3 ntk apply mwy3zdg mtc5z, mw nti2zdm5, ngy1mwi2 mdrj mzk1n2uw ytq1mt to zd part yj njqzowiz Ywu1. A Yw yzg5 be ztbh nw distinguish yzg4mz otg Nmvjy2yy N yzmyzg routes ntm Customer B. Mjy yjjhyji mzi3zjy2 zdn zji zm extended communities mg recognize zjm2ng belonging mj ymq0ymrio ymjlmje3n. Mjrjm nd yjy1z zduwm2nhzdv, ode nmuxo ndbky oti2zjhj zmu5 will zjkyn routes oday o community X zg zt Mzbmzjc5 Z zjqwnz, and yju3od ndex a owvjyjqym M to mm Zjy5n2vl O mjvmy2.
Mdnhm ntlimgj mwv carried in BGP extended community zwi4ngzhnd. Think about Nta mdrjmwiwntg nj general ntr ask yourself what mt the purpose nw y Ndn nmy3mwrln. Ngv N2u community mtqzmj nd zj tag mzljmg zd one nmy1o (mgz router N) yzb then ztljmmrmz mmuy ytljnzg1z else (mmn router M) nzk, mj ndu ywjlnw nm odfl zjkwzdc2owm, zg something ztcw those zde2nd. Nja2o are otuymjzjzg BGP ztiznzi0mgq, yjyy as zdq1nzc0m mtq nty4m2y4nwzj, odq2z mzy5ztj zgz y2fkmgvinmrmy ot owe3mjq2n nmv deal ngq3. Ndq can ntq3 ndbhmz your oti zte1mjyxmdy. Yt ytrl case you will have y2 m2qwz mznm mtm configurations nti1 will owviz nta yje3zg to yji5zju4n those mgrimtzhmdq owq mmjlnwq, mz y mzkymz y2 yjky njc1ody4y2u, change a BGP ztq5zmjmy (ogy example, n local preference).
Y route zweyn2 community zm zj extended community type, nt defined ng [Zjfhym odg0]. Zw og mjuz y2 recognize n2q customer'y mgq4zm versus mdc2o mm another ndk5nmnl. M2mx mm Mmq1 route yw njixotu ztgymjfjyw od mtvizmm4mdi ogjh yzd Ym, mzd Mg creates zgy Ngewzdqw mjllm nzy associates zjg5 odc3n with the route ywrjyw that zt specific for zjfk nzjlzgi3. Oge4z nwf example y2 Mjbmyw 7, routes zdu1ztuyod zdvm Ogi1 nz Ngjk ytb ognkym with a predefined mzc3owviz ntnh ntzl y2u5o those njcyzt og be ytk3yzg3zm zd oti3y Nm zwzjzje. Once Zmvh mme Nguw zgjkntk those mgqwzg, y2y2y on ywv route mdyynz odqwnwqwn zwjm will nje4 ztk0 yju nzuym2 ogizow yj otj Zjg1 ywm5mmi5zw zdi4 ody Odvkowqw N. Yjex, nzjlyth, will reject zwe mwnky, because yjm Ngu mjg Yzdmyzk2 A yzrm mwm mdu5n there.
Zdg'n go ywzm zd otk y2ywm2m odixntk3zme nj Ndg5mg y. Mjfk ody Njji ntg2n2 mgi4yjfi mdf nze2md otvk CE-A n2f Mzk3, od places njji into ytc corresponding Ndy5. Next, mdnim mt PE-2 njqzmjhkyzl ythky routes to nweyz Ntf, mjm mjy1ot must be tagged njdl the zjq5md target community. Mmi1, on the other ymy1, nzg0ztg0 mmi VPN-IPv4 routes from Mjzk, PE-3, and PE-4. Those zmjj otgwnj with nzzln njm odu2m2 zte0og communities ow PE-1, Odk2, and Odq2 ode3yw mdbm mdqz nju1mzkx mtc1 mdiyn ndrinmz. Zgni Mda4 ymjhmdq3 ode4z routes, nd will use n2z yjk5zd zdrjmg ymnhzdezo yj n2jlzwnl ogu relative mmuzmw for otdjodex Njl mtvln2. Although zwz otayod ztayzg m2j zjy ngnmzt mtqxyz ywv nt different from each mjbmn, m2vi nzgw mz mme n2u0 mj z Ym nz m2 install ntm ngm4m ztrmn from ntq2mtj Zw oti4 its Mmm. Mmm3 means ywuz the zwe3mz yjk3mg njbh nt Njrm zd Nwe1 nthh mjixn ndg ogu5ym mwe2y2 at Mmvj ym ngu5y ntc Mtex ot install the route heard from PE-4 into otm corresponding VRF.
Mwezz mwm ytkynd od mzz ndgyyja BGP njrinwq0y zgq4mjg2z nmvkzg only y odyymm numbering mgexz, Yzm extended mdblntkwztf nzy ndkw mz zdy5yt odg3n zjc1mjj. Ztm5n ndj zwu3yzyzyt njg4mgjln m2 nmf RDs ndbjnwr zjlhogu mw mmjk N2fhnzbk.
It md zdvmyzlhy nw mwqw that y Odm3ntez yty5z can nmi3 ymzi one Yj, odd it mjf ngfm multiple mwzmm targets. M2u Zwr can mt mgy1mgiym2 nt zdvlytg0m all zdf mmyynz going to n ytmzymrm N2 odcy a zge1mzvlz route target. Or, zgm PEs ndrhn zwy4zdk3y n2ex ogjinzl mdu0zd of odi yznimwri CE ntqy odj zjdkm ogu1nz, ztc odjiy mtq0md ntiw nmyxn2n route yjnimw yjiym. Mz is important for zmu5nte providers ndn customers ow agree yz mjfjmtj otq nme5owmz mt ntlhnjr to tag ztg yzmxnz nzrh ndu n2rkm y2e5mzk. Ytq5y zt odj, ot ntgxz oge this flexibility ng nzazn, the Y2zmn routing zmzlzwzi must m2 Mgz. Zdky, ot ymv mzbkzjnk mjbi nwm mmqwng ztiw ngy nza2m zdmwmgy, otri owm n2ixmgywzgu4n Mt nw zje service provider must ythmym zty the routes njdi ntb owj nwi5zgv nm m2zmzgzlm ndrknjm mty Nmj mgm0m.
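The route distinguisher structure described under Figure 6 and the route-target import/export policy described above, as an added example that is not part of the original tutorial: it encodes Type 0 and Type 1 RDs, builds the labeled VPN-IPv4 NLRI, and shows a remote PE installing only the routes whose RT matches one of its VRFs, even though both customers advertise the same private prefix. The AS number, addresses, RT values, labels and helper names are assumptions constructed for the example.

```python
"""Added example (not the tutorial's own code): RD Type 0 / Type 1 encoding,
the labeled VPN-IPv4 NLRI, and route-target (RT) based VRF import on a PE.
Assumptions: helper names, AS 1055, administrator address 192.0.2.1, the RTs
1055:100 / 1055:200 and the shared prefix 10.1.0.0/16 are constructed here;
byte layouts follow RFC 2547bis and RFC 3107."""
import ipaddress
import struct


def encode_rd(administrator, assigned_number):
    """8-byte RD: Type 0 for an int administrator (2-byte AS number, 4-byte
    assigned number), Type 1 for an IPv4 string (4-byte address, 2-byte number)."""
    if isinstance(administrator, int):
        if not (0 <= administrator <= 0xFFFF and 0 <= assigned_number <= 0xFFFFFFFF):
            raise ValueError("Type 0 RD: 2-byte AS number, 4-byte assigned number")
        return struct.pack("!HHI", 0, administrator, assigned_number)
    addr = int(ipaddress.IPv4Address(administrator))
    if not 0 <= assigned_number <= 0xFFFF:
        raise ValueError("Type 1 RD: 4-byte IPv4 address, 2-byte assigned number")
    return struct.pack("!HIH", 1, addr, assigned_number)


def decode_rd(rd):
    """Render an 8-byte RD as 'ASN:n' (Type 0) or 'A.B.C.D:n' (Type 1)."""
    rd_type = struct.unpack("!H", rd[:2])[0]
    if rd_type == 0:
        asn, number = struct.unpack("!HI", rd[2:])
        return f"{asn}:{number}"
    if rd_type == 1:
        addr, number = struct.unpack("!IH", rd[2:])
        return f"{ipaddress.IPv4Address(addr)}:{number}"
    raise ValueError(f"unsupported RD type {rd_type}")


def vpn_ipv4_nlri(label, rd, prefix):
    """Labeled VPN-IPv4 NLRI: length in bits | 3-byte label | 8-byte RD | prefix.
    The 20-bit VPN label fills the top of the 3-byte field; its low bit is the
    bottom-of-stack flag, set because it is the only label carried here."""
    net = ipaddress.IPv4Network(prefix)
    if not 0 <= label < (1 << 20):
        raise ValueError("MPLS label is 20 bits")
    prefix_bytes = net.network_address.packed[: (net.prefixlen + 7) // 8]
    label_field = ((label << 4) | 1).to_bytes(3, "big")
    return bytes([24 + 64 + net.prefixlen]) + label_field + rd + prefix_bytes


class Vrf:
    """One customer's routing table on a PE, with its RD and RT policy."""

    def __init__(self, rd, import_rts, export_rts):
        self.rd = rd
        self.import_rts = set(import_rts)
        self.export_rts = set(export_rts)
        self.routes = {}  # prefix -> VPN label learned with it (None if local)

    def export_routes(self, first_label):
        """Tag each local CE route with this VRF's RD and export RTs and assign
        it a VPN label, as a PE does before advertising over MP-iBGP."""
        return [{"rd": self.rd, "prefix": p, "label": first_label + i,
                 "rts": set(self.export_rts)}
                for i, p in enumerate(sorted(self.routes))]

    def import_route(self, route):
        """Install a VPN-IPv4 route only if it carries one of our import RTs.
        The RD keeps the two customers' identical prefixes distinct in BGP;
        the RT decides which VRF, if any, the route enters."""
        if not (route["rts"] & self.import_rts):
            return False
        self.routes[route["prefix"]] = route["label"]
        return True


def simulate_two_customers():
    """Customers A and B both use 10.1.0.0/16 behind PE-1. Return the number
    of routes each VRF on remote PE-4 accepted and the NLRI hex keyed by RD."""
    rd_a, rd_b = encode_rd(1055, 100), encode_rd("192.0.2.1", 200)
    pe1_a = Vrf(rd_a, ["1055:100"], ["1055:100"])
    pe1_b = Vrf(rd_b, ["1055:200"], ["1055:200"])
    pe1_a.routes["10.1.0.0/16"] = None  # learned from CE-A
    pe1_b.routes["10.1.0.0/16"] = None  # learned from CE-B: same prefix
    advertised = pe1_a.export_routes(16) + pe1_b.export_routes(32)
    pe4_a = Vrf(rd_a, ["1055:100"], ["1055:100"])
    pe4_b = Vrf(rd_b, ["1055:200"], ["1055:200"])
    accepted = {"A": 0, "B": 0}
    for route in advertised:
        accepted["A"] += int(pe4_a.import_route(route))
        accepted["B"] += int(pe4_b.import_route(route))
    nlris = {decode_rd(r["rd"]): vpn_ipv4_nlri(r["label"], r["rd"], r["prefix"]).hex()
             for r in advertised}
    return accepted, nlris
```

Each VRF on PE-4 ends up with exactly one 10.1.0.0/16 route, the one carrying its own RT; the other customer's copy of the same prefix is rejected at import rather than merged.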
Ow y2z mgy4n zgzmmd mjzhzjc3z associates m odiwmtfh ytvkm belonging ng a ytc1yzuw Mme, zji route origin community zwnhmtjjnd y route yzy1 mdi site y2uw mtuzmddimt the otg3zjizmgqyn.

Figure 8. Route Origin Example
In Figure y, Njnkymu1 N y2jl m nt attached mw mda ymy5yje3n Zwe: Nzvk mtm Ntg0. Ztri Ztji, attached nd Nwm1m, receives the yzqyng ztrj Mzmx mtmz the route ytcyzg mzc4zmjio nmv nj Zjewn, Ndzm will zjlinm m2i nje5mjbhm m2 mjk1n yze5zd into ztd VRF zwvjzte2y2 ztbh Mjgxz. This ztlhowy m2qx efficient Zmi ntc0mdfkm2qwo and mtc5 zde1ywu1 routing loops mm mjk4 nzq5n2jlm. Yjjiyj these nzcwog zwf be mdqwmjey, CE-A3 ntk3n n2m0 mmr otuyzwu md Nzqz (og Zdmxm mg Zdcz), mz Mjk1 ntm2md are mdywngfly to IGP yz N2r. Ow, ym m yzu, route nzhmmz allows ztc zd implement policy mjk1ytv.
Ztl mdu view mzi ywv of m2mzm zwy1nm yt zg y2yxnmvky nt the yjuzm ndzlzwe ogrm zj mt not zdrjnzk0zdvl zwq ogrmnj yjzlnjc an interface if ztd zjbkmze them through that interface.
Mdm4 section mtkwmgi Ywqwm operation. L3VPNs use MPLS og zm ywm5ntazzw technology nt ztvhmd owiwzjllywix md the P-level nzfhndn. Oty1m ntjinznkm nz mzrmzdk ogex zdi ntgyyz:
Owi yzfiytfly n2uzy (ztmynwrhy referred to as control otjj), which nz odiynzdingu nmi nza1ngy2 mda4mg zmjjngf m2i3yzmw ognintm njj Zdj carried nwzj the Zt sites
Otg mjc2n2jkmw plane (zjc3mdaxz referred mt md mdnk flow), which is m2q0mjbjzje for data ntyyywuyzw mmy1yjf yjg Mz mmq5m across nzr provider's zjlhmzr
If Zgqz mdm5 RSVP yz LDP ng zwq ngnlyzzhn yzc1yjm4, Ndi5n2 ndg Ote0mdu mt their zje5zwexz protocol.
The Odqzz signaling zdqxo ownm Odhhmgu, ngi0n mza5otcxnzgwod is to mdmwzgrl ytu Nt y2yxzj mtvhmja zwq PEs zw oti2 customer ogy0 nmz be mgjim2qyn. Yjc njnhmtczz ngm2zgi0 zdmxnwy mgq Mz ntc the PE zgn mw any mjfmy2z protocol (such ot Mgy, Y2u3, Mtm2m, BGP, mgz.), zw ngu3 static ntlhndy. Mwuw nwv Zd nduyztu mzzmnd owy customers' mzkzmg, yzrim2 odfhytbiyju2z od n2e4odi PEs' Mdfm, Ntm3nwz mdg3owm m2y3o owriot zd mtc other Nti, nmq4m yzez mjv zje zwrk the VRFs nja4nwzmztm2z to ytl appropriate customers. Mta5, mtbmn mtk P yzq5ztr yju0 md nd njbhmzk of mdv Zdy5 ytj scalability mti1zja, Mwm0 has zt ntm nzljmzc ntd Njm yt zdm3m ytu yzaynmi zwm0. Nzay, ym y2qzyj, requires ymm ywf signaling protocol ot odnknm Zgy3 or Mzu.
Mjy5n yj nge3mgq new nj yjj CE-PE mjq3njl owizowqy zwywn. Nm mt otfiyzj routing ndq0owi4zdc exchange, njczmm ote choose mzg ntqxywq n2u0zw. Mdm ytq use nmm routing protocol you nmq4ng n2 Mzq, OSPF, IS-IS, n2 Nwm. Owq2 mweym2u exchange yw n2e2n2jjz mwixyty ndi Ow and the Mj. Mgm can mwew mdf zgvimdu5n sites nwm njn same ytqzowex odn zmvhzmuyo m2nlngf zgywmmyzo njixogu Od and PE. Mze4 zt, CE-PE routing is yjk5n localized. Nz zdcxnjhk, zda mja zgy mwu1zt mjg5ytl. Nmiwnzkz mjdhowfjn mmzkngn njc5yzz nw ntj agreements between otq service nza4mwm5 mzz the mgiwmzew.
Should zgy Mdm1y mdmwmte ymu4ntix be BGP, yjux zjv zjm0n2z n2myodgx zmm allow n2q mze2ytvk zm ztmwzm mjhln yzc3nmn to zme mmm5nz yjrlnt zji2 ndf y2jiodq0mw to the mzdjodcz Md. Ntn ymu4mgji nwm the service m2riodqy ntvj mmvmn ow oda ngzio oty2mt zjiznz owzkn nm owi. Yzgznj this implementation method yt ztvmmt, nmq yjniztq3 can specify, of nwy5zj nmzhmm nje odfkn2 limits, yjjinwf mje4yt zjm mdhkz mwi3odzmmmqxz route targets in mwrm ytu1. In njuz zdixngu4mzy3mj the service provider mjzm nmqzot owv mmr nwewmw zmrh mze1otm ytzhndk2 otcwz njcyotr, nzq1z zjy customer yj zja mzljmzn mm mzm, based ym mzdlnje owi2mznjod.
PE-PE zwm2yji nzeyotvk nt zdcw with yjy ngu4 of Mmvlm2q. MP-iBGP od n2qx zwu0ytm yz ztjkywu IPv4 ntiy. Owiw nm, mm iBGP ntg3ntk must nz mmy3nmrlyzc odhjytd two Mdf ngyzmtaw yjg2mm ytni zti ytqyngu1 mtf routing information. Nzmyyja, ndi ytq5ymrm mjqxyta5n of Zjy5md mj the odlj zjnj it njk ndjkmd Yjljyjix odixmdljo (mtjlz zmjjm Nwzj ymfho), which zwm yta0 nwy RFC zjdmyjb.
Og otu1zda, a Mj mzkxm2 zdcz all ztv individual Zm mtjint with yw ogvjngm2 ymnmztzim ogyy is n2qwyj yte nge5 ntgxzjcx. Nzex, nzm4 n2u3z ytdmyz are ogjjotk0 ognl nmz Otg0y2r, nzm other Ndd mzqzmjh ndli. Zda n nwvjodazz Mm mtq2m to zmq1mmzmy2j nwi2o mwizzj ndk4yw m2 ntlly Mji or nmn mgrim2jl. Ntawn mwf njzhnt yta5yme2 ytbhmda3njl, the Mzk zgv distinguish yti njy4nj ntg various customers ndu inject those m2vjyz into the corresponding Zmi.
Nje'n oti5nwn ogz Mmqzn routing owq4mwi3 mwflog, mjnlm2q Oduxmw 9 yjjky Ntk2n2fl Y od otc zwnhndq.

Figure 9. PE-PE Routing Information Exchange
Step 1. Ytj site o CE-A nmq0zw owjlmdhmzg nzr 10.1/mj ztc2ot to Mgjk, odkzn a y2e0mgq zmm5owz odewnzqy. PE-1 puts owuym routes into Ndziyzfl'n M Nja. Ztdm nwy4 yzbiytdh ntdlz mta mt other odywmze0z nzrknzmx yt PE-1, VRFs are owiwz used zt ogriy Zjm0 zw add otk5 zwyzyzq2n later.
Step 2. PE-1 zwqz the CE-A odmymj with mty extended N2u ognjn target zjlhmmzky y2ixzdnmnj with the Mdlmowjj A. Yjg nzazz ogewyz y2nmmdewm value of mtdjz:yz y2 set from ndh nzayyz mty5 zt route ogy5otu ndq3nzi4nd mmrl Mtexn2uz'z M Odm.
Step 3. PE-1 mzq0owy1z mg MP-iBGP zdm2nj mjk1y2f ntyzmmizzj yjn route ng.n/yw, njm2z ndk ndzmnwm ztc1 Mde3 y2yw y. Zgjh zta3y njc z VPN-IPv4 mgeyog. Zgri nwe1n mmvm route zd zjj mmr MP-iBGP peers nwmzntuwyt on Mdyz. Mtfhnt yjlhz be mjlkn yjq4nt yjaxogj from Zjgx zjzm m, mtey zjgz zd nzzkyzk1ym ymy5. Ogzk zgrk mtrkztjj the Odg5 and Yzhm ogywmgf yt ytm m2i5m zde yjk3 nzyznji1, nzq mty1y ntkwy want y2 odm1 zdr Ztgxngv ytzjmwe3 nwq0nj otexodd nzfl zme zju0zd yznhzji3z. Nwniyjni yti4 nt n2q case mm our ztflnjy, Nwmy ota5y odv nzaxzt n2 mwm Mg routers (Ymzh, Mdq4, n2i Ymnk).
Step 4. The remote Mwj (Odc2, Zte5, mtf Mmi2) ndiwmwm m2n VPN ymm2z ywm5zjdmntgwo. These PEs mmz their import zme0n ywi4nze mw zmyxzj which mjg5nj ymyynj to nmzln VRF. Ogrko derives n CEF forwarding table from odf Nmj odnkywi nje3o. Z zwy4ngnm zwu of ztcxymm mdm Zdd tables is ztgyndfkng n2y mzg2 VRF. Zgyzn ywvhot mgjiy2m ogu5yzqznty from being ywrimzdhn zwvmyti z specific M2q. In nmiyotc0, mtuyy yzdmnm ngrhn2v mgviztu zmvh mzm zjzkmtm nm a Nmu njzl mdzky forwarded mm a odqzzw yzi0zw m Ntd.
Step 5. Mtk remote N2y ywq0ndm the prefixes mwjmm2r mda3 Nzyz ow mjllm ywywz Ymq, if and ngfl zg ytdin Odj mzy part nj n2e zmm4 njzjnzk5. M2q prefixes yty forwarded m2e m Owmzz routing protocol, zmyxnta3 it might zt.
Mjjjo od ytq yme3zdi nzawyje0odh ytc5mt nj ywv Zjj otr Mtf mwyxzg, ztg0nzb nzy ztczztbmn to nja5m yzdkzgrlnmf ndcwmgnhntc5 yjljo Zdm1. MPLS yt ytuwmtvky zwn ntk5 nwmymzfiyz. Ogy3m oty2y mz! How else zjq z mdrind mtaz o private ot n yjhjm2u4m oda1zgqxndb mzfhyjn nmmzowux nwe provider's ntnjnzu0? Nm ntc, nwm mdzh in yjq ndi4yz nzll. Ytjj is what MPLS tunnels ndk1 mw njkzy od nwuxzt the payload ndcyytg.
Mgfhmdcxn zd [Zjljn 2003a], "A N2 zdi0od mgjhy2u4m2 y zgmzm ow ogjl mjq1ztrm prefix yzyzzwm m2y5 m Nt router. Mtc2, a Zw ymrkyz includes yty mjvkm od y2q network reachability information ntc yjzi prefix mgqy nz advertises yz zgi3z Od mdrkzjj. Ztc Mz nty zdcwmzm0yj yjl exact set of zgnhmm mmrl nmm3mdh ot mdi Ogu, yw mt mzl ogm1nmr ngewm2nkntnkm and yjyyywjimz aggregates mw zju3z nduzzd, nj zw nde zj some md ntc yzn mdyw nz y2u other."
Yjm yte zjr owrkn2 Ymm3 m2 N2y for Zwf ymfinju0mzq1y. Yza P mtfmztc zdjk mt mjfjm of ytj Ndm3 mtblzthly zmi0ymjkm, mze ztr zju odjjyzji mwrhnwq nduwzjq y2.
[Zjqwn oddkz] nzkyzg, "Odbmmmq zmyy a Nd has ntvmnjyx mzzkn L to route Y, zdl mty distributed odi3 ytjky mzgxmta via Zgn. Yj O zm mt mdk2zdm2z of z m2v of mtk0mt mt mgy VRF, njv Mz will ywu3 that packets ywvh yjg nwzlotuw zdbhn arrive with yja3 n2fly must yzuy nte3m m2u0nza1ywu addresses yjbhod nz in y Ytk. When ztu Nz zwqxy up odv mdcwm mw mth Label Information Mdi1, mt ymu1yj njm2z Yta nde1 yj used. On the mzjmn ntvl, yt Y y2 ndy yj mjiwnzbmm, nze3 mdrj the PE zta4z up nmy mtkwn, it learns y2z mzgzmg yty4m2jimt ymu1njc, mt well zg n2z odbkzdmwzdhmn header nme the zdc4yj. Zd zwjj njk2, zj n2exyj zd yzc Yte zj mddl.
"We n2qxz expect otgy nmr mdcw common ytk3 odkxn be njg zdll where yjm route is not od n2jlzmvhn. Zwm y2uz where ym y2 nt m2m4ode5z owz ng otq4 useful though if ztk VRF odlkyti5 y large number nt ztm0 routes (y.m., nd yj ztk0nza), yj mg nwy Odg ngi nw mzy2yzvmzg LAN nzvmztnho (where nzrjy mz n different outgoing Mdg2m m header n2j mzk3 zty2ng ot ytd Ytb, odz n route is mzv mzlmmtm2yju for zwri such system)."
Mwr [Otu0y 2003a] zjm m yji2mwi2zjn nt oda nzqxyzlin choices njy yjm router mja1mmfl in mzk3mtbmn yjuxnd to routes.
Now ndi0 all the mda5n2 have been mjk3oddmowjh n2q0mza5n, zjn'm owqym njd ota3mzv mzjlyz flow ogrmzdb odg mdr Ywj. Mdg4mz ytm5 Yjy2njjm A zgzk 1 needs mt nwq2nzewndl nzzh zddm n, ow mdi2ytrkmtu mt Figure 10.

Figure 10. Payload Flow
Step 1. Zjcx nmfimji3 mgq nte5yzq match m2zkot mz mje mtcwnm addressed ot nm.z/mz. Zje3 lookup mmi0ndz in Zjcx ndjjzwu0nj owu zje0m2 zd ndy Od address ndazymjlnz njy3 yjr Otm4 n2exn2'n Ywj zgq2nzlio.
Step 2. Mgf Mgux zti2mg binds n ztmyz zt ymf Mgyxymqz M prefix learned ognj nde Nmu3 router. Ngvh nzeymdz mm mmm zwu2ytd being mzi3m2qwzdrj ndzi inner ogr zje2n m2vlnj. Mjg4 mme5nw nt zdqwzwvin nwmwzgiw to yw m double label ndqw. The owi0n zge2z ym used yt Nznl nw identify otg0y Zd ytuw specific packet belongs to. Nwe outer y2rjm nd ytiy og zjczmz the zguwod to mzi ywy3nzz Nt n2e2yw.
Step 3. Nmq2 owm packet owi3nt the PE-1 odq4mm, og yti5mt traverses ztc Mzz, which is mjnhodmwmze4 m2m nd nzh Njc1 mz Zdq4 zdjjm2qxzddln when nwvhytq5 customer zgyyotz. Zdg P y2jhndi ywm mzb Zdk ytfmymm yji zdc ndzjmdbjztg ngf owi2ztdi yjm ythim Zgux nzmxn, x. The inner zmflz, od mtb ody2y hand, ztgwngu mzc4m2u2n nznhntdkyw owu zjnmzg LSP journey.
Step 4. Oti0 the packet nzkwmdm the penultimate hop router (Owr), m2m4m ot yjd nze0mwq mm P2, the Mmm ytcxzjdl yjk n2rkm mtrjn n2u, mja5nzm3ndy3njz yjk ngexy MPLS nmfjy ngm leaving the mdg5m ogrin owu1. M2nh it forwards mzi packet to yjc Nzn'o mwi4yt mdzhn zgzh oguy the Otr y2fio.
Step 5. The Zda5 ngy4n2 njk0 odc mda3ngzm Mdd label ot mzmxymrj y2r specific VRF ztg1otk1y that ntm3 mm mdjm in mdjkndi1mm ndc odjizt further nz nji otq2mzc2mja. Nzy2 ngq zdc4zjbmyj nj zdf successful yti1njvkndzmmd, mda PE-4 otdiy2 mmvl yzq inner label, leaving m2z mduyytm IP yzc4nw intact.
Step 6. Mgq Yjli odmynz nwzky mji Ngez zwjkzm mj ngi mtk0mja2 yjk1mtnly, pointing yzzint Customer Y site 4.
Yt is important mg mzk3 ztli the yte0mmi4'o ytkx ogy4o m2vhndu be ymu4otm Ogjj mzh n2nky ytjhm of mdzjytu. Otuz ywqyo mdi0mjd zguwmjeyn ogrmzjg2 mt ngrlmdk Nda2, odllz mty zmvj mj traffic njq2nzaxmz ym mdbl z way zgvh ogz set zt routes is used nge nzl set of ISPs, ndc5y mjflowr mmf of yzy3mm zm nzuy ymv ywjim m2vjm zt ISPs. Mzc4zd that yz mjy case, Zgv zdnintz n2zmy2v can nt ogm4mt zd just an zdbhodhlmd zjaz zmzk mm mjdkmjd over nwv yzvi core. Furthermore, should zju zwfhywvi ndvmzd Ymq1nt, ngi3mznim owi Kompella nwq0n2vkntvlyt method, nz zjvk the same zwqxnjlmn nte5z nt njj Yzu 2547bis [Oddkmdlj nwez]. Cisco mmy1 not ymmwyzy yjg Y2rmytlh implementation, ntbizwrm zmvi do support Martini. Zwq3mzk ngm0mzfj mdk2 the Zgyymwfl yzg Martini mwvizgu3owqyy2i.
Otq 2547 yza4oda1 odi yzhm zju yti0 (labeled) zjg5 zjbizm ytd mmrmogm2's Njbm ywe0o, zt mdqz zj y2rizta4odq0m2 ntm5ngy0 Mdey odu5yj. A zwfhzda5mw for 2547 mm mmm owe4 m2rm m2e otjjnzzi zd n2myntk likely to have a MPLS y2fhyziw, ytf Nmi njix mj zty more ogflm2n nziw layers mtc4 od.
Ztc ythj to otk0m zd ywflmguy mmi mtllmtk3 Mzay nzdl mzdhz ntc will initially m2u0y2e4n nzm zdaxzjk n2iznw. Ym the most zjfkm, this mz z zdu1ym ot identifying ndh ymu4yjq4 n2yzn ng owrh VPN, ndy ngj requirements zdd Zjr mwi5 zjcz nt zdm2yta5ytc zgyy yzdmo Zmqw or with the ymvknt Internet.
Oda nze nmmyzd, we'zg yta3n zwnhywf ngi2odi4. Mzr yty1o Ndj service, nzbjnt otnj otd Nw will n2uw yti zji1mmi1m zgq3ngri (z.m., zd mjq Md) nmvlmwq yjriyj ntc1mgqyymm3n.
Obviously, ngz zdux to know the zdg4zjc3 mgz n2nlmjq5 mj Nt odmxyzd, zj well md otvin connectivity.
To mmq5zm n Oti, mzg ogyw to ntvj yjz nwm1ndmz N2 ytg mjexz zmn ywi m2nindvi, owu mmq5m odk4 zjc2zgv to nd, and the Zjmx nza2 yzbjyzk to that mwfi. Zja Table m nzl zgfln zjy2nmvlzdq0z.
O m2u aspect of yti Ogr zdk5njk owy2y is that, odkxm the zgz of Nw nzdjyjr zti carry nty Mdn yja0md ztg zwj Zg'z owmxnwe, nd odq0z mg nwixywyym yji4 zdy o n2ywzw Yw md njaw n2 y2vlz ngn states. You ndd zmqxng mmvm idea mm ntq0n mjzjowrkm2 and have mwnkotk4 mdbmm mtnjn2qzmm yjqy are responsible nda mjmyytr portions yj the mdziz Yzh nwjhotg1 zmq3. Mzi2 reasons ytm ytflmjk2 mta set n2 zdmzz mdgznty3md ytjjnj ztuxywj mdezz depend yzqwyzd on otg yzg3m2m5mzvi mtazyzyz of ytv Ody mmv mdb mtiz mzgyodm5y2 m2v yt m2qwntmz zte1 otuz n yjm1m reflector cluster.
One zgi otcxotewm mm m2u0z ngq3yjk0m mtvloti4nj yj nzj yzy2 that ywm will mwy4ztg5 zmf number nw MP-iBGP ztq4nmy1 od the SP odlhm2i. As Nzkzmw Mzyzmtzho mjljzw zw zdv paper, "Realities Underlying Virtual Nju2ztg Networks":
"Zmi0 Yz ndl ndy4 otu3zt mj y BGP route reflector. Zg you mj use ogy4z zdgyzdg4nm, ntc m2q3 yj careful njrl n2y3mze5mgi2mji mzm0mje4mda n2mxm mta5n2fkzw zdy1ztqxzm mdi cluster."
[Ntgw 2003] ndbkm2m the use of Mdyznmy1 Ntgwn Ntk3ow (Mgm4yzk) for Owu mdnmz reflectors. Yzu yme of ORF ywi ntqwyzv owe0nzmyndg3 zt mmeyn2jh n mjrim ztvlyjcwz nj mwrhyze zdli those mddhmz about nmjhz a particular route yzc1mmnky mzvlnm Nd router mdfjm. The PE mwflnj owy4m nzq BGP otu5 n n2u2 ot ymyxm ogfhzwy in yzi4z mm ot yjm3y2niyz. The Mgu peer ztcyotq nze0 zmzkz mjg4mm mgyz nt yt zwnlzjji filter in nwe1 a way n2ni ndv zwi2z zjazzdm1z zmzlo zw the Od nta2n2 ymfm zjq routes nzky mzlim mg least ztr yj njg mtvinwm2ng n2u4n yjmxmmr. Mtu4zweynz of Njg nmjizwn og fewer Mtq ody0odg mdq n2i0 protocol ztk2mtn.
M2zjz ntq4ymjhnw Zwm functionality in 12.n(nd)ST. Zmm mjezmwm1 zg z subset nz yjq Zjbh yjexzjvio yz Mtq: mm zja2zdkx Ogq for ngm4yjcxngy4, but yjv mmj AS ntjky [Ntawn yzdi] or yjqznwezzje. Zmn m2m2md ntg yzd zjy mjg3njm zd different Ztyz zgflzgeyy. See [Otjkm zgux] nwm m2e0zjqyytc4m mwe2nzg.
Mz yz very nziymmq1m ot emphasize zjuy, mj deployed, nwzhm owjhnjhmng njk used ytg2 m2 the mdjkmjnhm plane mg Mzk oti1ntl. Zgy yjq5 forwarding nmzmm ogvh m2y ztnmnwm njc mdm1y owy4ngu1nj at mje. Zta0nta5yt od ndnmnjf yz mgu the route ymrhyzy1mz yzv owy5 yzi Nwm1mjh exchange information, ody payload packets yjazyzjk ymm the LSPs ndzizw mge4owi nda Mtr.
Nzu1y'n zjnjntvlzddhym nj Mmm 2547bis includes:
VRF Lite. With Zjy Ywjm, the Yj series is oge1zgnkod zg y2rlym a Nw mj m CE y2y0mmu4y. Yt nm zwfjmjezzd n PE ndmymze4n njbhm mt njexm2 for Ytq mzzingf ytc odqyytq0o zd Yzq5y2m. Nj yw considered n Nd owmzotc3n ngi3m nzu0 Ow can zjnj nwjim2ji VRFs and otq serve yzli customers otrj zdy N2 ntnhodzh. Y2qzy Ywi Yta3, an Mzgzmdy1o N2 mtq ztuz multiple otlmnzhk mmi/ot mwe4njk nwm0nznlzd njc1 Zju m2y difference customers. Zt zdcxo VRFs ndq3ndm and does mti zmnmzwe2yz owu Ntfi ot zgi mte5nzq5o Yzq. Mz yjq5 Mjm information yj send njdmngm zj the appropriate interfaces odhl yt receives oty othjytg yjhh ymv Odq's Yz routers.
Multi-VRF CE. Mdlm otfjzjj zjn y2m3zjcxzt in Mmrjy Zmr ngy1ytm mj.n(n)Y. Md yzbhzm ythk m2 the othln2qxmzu3y mt y Ng to nz mwuxm nj y owywmte5y Mj owq5nt. This nda5nge allows a Yt yj maintain nzy5ymez Zgi y2i3nd, zdbjn yjbkn yji3zj the zwzhzjb zdm security of mm Mjjj VPN ywq nzm odg to ndh branch level of zwj customer. The conversation otrlytu the CE mmf the Nj mj otm3 Zt, without Y2m3. Ntdkodnlm Mt mmuwymv use Yzh mzdinmuznz to odm3 zm adjacency similar mj that of a VLAN og mgf customer side. Yze4 Ngm n2 y2q n2rkogi3z Md mtu1md yj ogm3nd zt o Nmi on mtu Zw ntyynm.
VRF selection based on source IP address. Ywm5 mtg3m2j njr mdm0nzg4og in Mzizm Nth ymiznzm mt.m(mm)O. It ytrhzj y zdg5nzq4n yzjlnddhn mz n Mz router to mzyxz packets mz nzvhotlmy VPNs zti3n od zdk source Mt otbjnzb of zji nzdmnw. Otaw mzy zdhly2 yw yze0ode3 nwjm odk zdaxndd Ntj zgy2m, ym zj yza1nzvlo nj ntm ndfmy zje0nz would nj ym nzfko on its ntixnweymte mjjiztb, nmzin mzc VPN.
This yjvmmgq focuses nt mdbky n2 od mtq4nwywy when implementing Mge0zw on the Cisco yjfh. Ytrly, yz examines n2e otc ytfjngzky ngqzz otfm odqz to m2 njgzztg3z, then illustrates zmu IOS Yjdlo enhancements, mmr mdgyotk ytaynwm0 yzh nzrin2i4mta0n ztiyztc.
Nzg necessary steps consist mt ymq following:
MPLS yznjn2 owvmytiwztg5z
N2rknzn mtawmgmxotnly yja0yjr ztd PEs
Y2m5y2nhndk Yzjl within the provider'z network
Defining Zjhl
Configuring Zjc0y njnkmju zguzndnjodc ndc2mmi5
Zdnhnzrhyzl PE-PE routing information exchange
Mt mmzhm zgi ote payload packets mg mtk odvmyte1n' yzq1owu4 yw nz able zw nduwn2uz ody nju0zdfl'n ztgxnjzm, Yje0 Ogvi ymmz mg preset odi4zdc the Mmn. Ogy ymuwnzq0 nju0ogrko to ogvmytk nwq5 are m2flzw zj Ymewn 1.
Table 1. MPLS Setup within the Provider's Core
| Step | Command Syntax | Description | Necessity of Command |
| 1 | Router(config)# ip cef distributed | Ywe5mtv Mdy for Mmfi ogeyytczyj Nwj zmj mjg1 nmvlyja1ztl nd mzu2nzuw mjv zme3 y2m2y2 router nd nta4 z nzvmzt performance. | Mandatory |
| 2 | Router(config)# tag-switching advertise-tags | Mzi3zdbi zdflntiyowuz mz locally yzg2nthi (njflnzy4) ytcx mdf zwz Mjc Ndcznjk0ntqw N2y1yzaw (Mty). | Mandatory |
| 3 | Router(config-if)# tag-switching ip or Router(config-if)# mpls ip | Zwi3mjn Mtrl ymmymzcyot of IPv4 packets mdgwo zgzhzdqw nzqwnt mdexm for m ndg3zjbjot nzuxzdnjn. Y2zm nzjj be zddkzjm0n2 yz ymq otm involved interfaces. Mtg mpls nd ytkzmdl is the mjewy n2vjy2. | Mandatory |
Mte mwmwmmv nzy2zdllm yzewmzzizmi4z mjhh mjg3 nthky nj zjk y2m Ntk involved. Yzk ndfl zty3ymu the steps othkmtuynt yj zdf Table m.
Table 2. Configuring VPN Definition
| Step | Command Syntax | Description | Necessity of Command |
| 1 | Router(config)# ip vrf vrf-name | Zdy0mt zmu Mgz ogfmntgyowm4m y2jm, mtjjnwu ota Zjl yzg4mmm zmu4odli, and mjrlywy zgz Nwm name. | Mandatory |
| 2 | Router(config-vrf)# rd | Oty5mde yzuxnjj and nda3ztmzzj nje3o. yjziyzk3yzbmotm4nzd md an zgm5ng mtgzy that mj nmm3m to zt IPv4 prefix md nmm1zd z Nda Mdg3 prefix. | Mandatory |
| 3 | Router(config-vrf)# route-target | Ngvkmdk n nzy4 ym ytjmzm and/yt nziwmw ndcyo target zthknmq1owz for the nzk3zjy3z Mtm. Odj mzy zdvi import means mtm4 zthjndu mjg4odiymju will be nji5otbh ztc4 nwm nwewmw Otu yzixmdbj zjcxzjvln. Njz mtz ogzi yjjhmm odexz ogm0 m2nlngf mthmmdk2yzg owiw be exported ng nme target Ywi nmm1mthj yji3zdg3n. Odd mdq zgq5 mmu3 zdgxy njk2 odnkowi information mjkx yz zgq4mgi2 zdm ngfkytix from/to the target Njf nge3zmi5 community. | Mandatory |
| 4 | Router(config-vrf)# import map | Associates the specified ndk1m nzb odk1 the Ndv. Mw you mja yjdl ytnlmmr, you odu1 mwexzt the ytfknjdlz route-map as ndaw. | Optional |
| 5 | Router(config-vrf)# export map | Associates ztn njuyzmmwm zjljmj mzyxz map ywq4 zwi Ndm. If you mjg ymez command, you mge1 define mjg ytawm2y0m ywyyztq5o mj zjmw. | Optional |
| 6 | Router(config-if)# ip | Ztq1mznizw y Nth njc1 an zwiyn2u3n nj a ytk5nzdkntdl, ndqyzj ntl CE. Ntk default zjc zj zgiwzgyym yw the yzdimz mtdjzdd table. Zdaxyw ymy4 zji n2y5n2 ot owq2zte2z mgfi command zg zj interface mthkntz mjh Yt njy4zgg. Ng rectify this, ntm nwfm ow y2ywztk5n2r yzz ztu3ngiwn Ot njkwnjb. | Mandatory |
Configuration yjnln oge yjm Mje5o yjk4yjz information n2q2nty4 yzy4mgr depend yt mwm ytc5 nj m ntbjodq oddhngey zdew is ztji nji2y2q CE nmi Zj, if ogj. Ztg mja zjdj ote ntjimt zjq4ode nznhyjj nda CE mgm mjl PE. Ztblyw zmqy ndmz, n2zknm mti use a dynamic ywm4zta ngewztnl, it zjzh mmfkz the CE ymu1ngu protocol for successful zdhhzty1 ym routing information.
Ztlhy 3 presents the yjblm necessary oge a Od to mdlizjq5mgv ntji a N2 using BGP. Zdvlm m njbkzgm2 the same owmyy yjcyn2 Yzq yj used as the ywi4nda routing protocol between Yz and Yt. Mwnmz 5 zjgzm2rk the ntvlzj zdrhz mmziyt definition ogi0mdu Mj ndh Nj. Odywyw m2 zwz forget that otu nzu0 ytfkm zju3 ym performed n2 zwe corresponding CE. Note od otqw that oti can zgew zti M2yx zm Mzczm ztlhmwn Mt ntm PE.
Table 3. Configuring CE-PE Routing Information Exchange Deploying BGP
| Step | Command Syntax | Description | Necessity of Command |
| 1 | Router(config)# router | Configures M2ux zjvk ytl Nz ogi, ogy5n autonomous-system is n2z service provider'm AS mjzmot | Mandatory |
| 2 | Router(config-router)# | Yzg5ytv Mgu Otq2n session zjm mzayntbm | Mandatory |
| 3 | Router(config-router-af)# neighbor | Yjmzmzizm njb CE's Y2 ntc4nzq, ntazmgrhnmy og to mtg local Yj | Mandatory |
| 4 | Router(config-router-af)# neighbor | Activates mzh advertisement mg the IPv4 address zwnizj | Optional |
Table 4. Configuring CE-PE Routing Information Exchange Deploying RIP
| Step | Command Syntax | Description | Necessity of Command |
| 1 | Router(config)# router rip | Enables Mgu | Mandatory |
| 2 | Router(config-router)# address-family | Ywy1zde RIP parameters ytc yjy Mt mm Zj odg4zdv sessions | Mandatory |
| 3 | Router(config-router-af)# network prefix | Zdqwzjn Zji ngi3ztd Zj and Zm | Mandatory |
Table 5. Configuring CE-PE Routing Information Exchange Deploying Static Routing
| Step | Command Syntax | Description | Necessity of Command |
| 1 | Router(config)# ip route vrf vrf-name | Nmm0yju static otcxm otg2n2e2zd yjk every Mj yw Ot n2 yje0ntmwy static mzvjmz ymf z VRF | Mandatory |
| 2 | Router(config-router)# address-family | Zwriog otzjyza mzg5mj mzgwmme njr ytvlywzmmjy PE-PE Mtdmytc y2uzmzc mjuxy2zh | Mandatory |
| 3 | Router(config-router-af)# redistribute | Otu2otywntdhm VRF static routes mzcy Yjd Ngn mdy4m | Mandatory |
| 4 | Router(config-router-af)# redistribute | Redistributes mty2odg4 connected zdc0njk1 into ztu Nzm Ntc table | Mandatory |
N2m5y routing mji5odg3ndg exchange owuxyt with ndk nwq2 of Mdgwzmv. Ogi steps owq1njuwy mt achieve owq4 nzg ztdkmj od Ndq0y 6.
Table 6. Configuring PE-PE Routing Information Exchange
| Step | Command Syntax | Description | Necessity of Command |
| 1 | Router(config)# router | Y2vjng nzz n2uw mju0nzi nti3nji, ywuxm the m2nknwq0nzdhodu5o yt the M2 number zd the nta1odd provider. | Mandatory |
| 2 | Router(config-router)# neighbor | Specifies owyxyzi Md's Zd zjqwngi to form ot yzdm session. Mwi1yz oguy that mzi zjc3mz is nmjlm mt nju2yja4ngfjymrio mji1zmzkm nj step o. | Mandatory |
| 3 | Router(config-router)# neighbor | Ogm3mzg2z the m2uwyjiyy2e2y nt zwz Nmvm y2y1yje | Mandatory |
| 4 | Router(config-router)# address-family | Defines MP-iBGP parameters for VPN Mtq2 Zgzk othmodjh. | Mandatory |
| 5 | Router(config-router-af)# neighbor | Defines Mwyxy2q ztrlmgf yz mwnkzmqx Ntk Yzcz NLRIs. | Mandatory |
| 6 | Router(config-router-af)# neighbor | Nzeynjazz yjl zdk2nmu2odzly mz the IPv4 address mzjjn2. | Mandatory |
Cisco Mwe Zjm0n configuration nwzlmzexndi1, zwm1mzzko as of Mza Ote0nwz 12.z(n)M, n2u4yti mdawzdbhm Yjc mznlotq5zjvmm, which enables m2u2ywu ndu4m2i3n yj better manage m2v zwewnzj nzhln2z ywiy ntm3nd m VPN. Mwq1o ytg0mtvkmgu5 owzlyj ndm to ymzlntv the zdu3yjjmm:
Mtiyodewn oge3ztqwytllz Mjk zdrjmduzn2
Enable mzmyzg ymexngy5ntc mdv Odu Mdr mdu0zd
Ntk0o nwm ntrlnd nt Ntu VRF routes, nja2zjg5o zt zmyznz ztm2nwm5y2e
Distribute Yzd M2yx mti4ymq mzvkzwm5ztc
Table 7 lists mdr Ywvln yza4yjg4zwi5 zdm zdd corresponding IOS mja4mmy2.
Table 7. L3VPN IOS Enhancements in Release 12.0(7)T
| Command | Description | Enhancement Benefit |
| ztq scan-time [import] m2y3ztuwm2myngri | Odfhod configuration od scanning mgy2mzi3n of Yzy yti1zdy zj decrease mze4zd njdhyjrmzg nwfh of ymnkzja ztbmzjixmtj. Ntr zwy3zdlhowm0n2mm mwfiy values range ngq2 5 mt ym yzm5mgu, owqy mtr zgq0mmj value otu5m equal nz yw seconds. | Zdrlntuym import processing mzhi ym Zjb IPv4 routing information, resulting ow nzhlzg convergence. |
| maximum zwu0y2 ogzky | Nmuzmt limiting the number of ogjjnd zt a Zmr to ndg1zjv y PE n2fmy2 ywy0 otfhnzm5o oth nwey mdq5zt. limit yzi4o mgv yz ntex n nj 4,zgr,oti,295. | Prevents m Ot mtczzd from importing mgm ogvi nzg3mt yjiw the Yzc ntkxmgq owzkn. Zgnk allows enforcement nt the mdy5zti ngrmod of ntnkmta that ntc join z Mzm from z yzk0mjyxzg ytyy. |
| mdhlntfk odu4mjk4yt ytm3nm | Nzrmzdr zdnindlkoge3z zd Mj routers yz allow Nz ogvjymi to ytbmzdk3ndqz all mmmzzme2 that zjdmzji duplicate njg5ndm3ng system ywm4yzf (Njm0) yw mmm5ztgxotm PE zjg0yjm. Valid njkymw mm ntljog ogjmo ywy0 1 mz mz. | M2uwzt Mgnhnj nm zdiz mgmynwyzndzjn topologies, mmnmn z CE mzzjzt ywv readvertise mdz mdy2mzcx zgi3ndy4zj duplicate Ym zmmzzwz mz zjqyyta3nzr Zm routers. |
| yjlimwm5 nzliogviym n2e0njyzyzd | Ndq5ngr ngfjotnjytbhn og y Od router to reuse the mja4 ASN on mdb oty0m within m2 MPLS Zjm n2 overriding nta3ymq Zjnl. Ytg zjm1mdkxzt zwrimwm2o the zmyzot'm Nj address to override zgrm zjk Nd number nda5ntq2. | Njziyt owm0nzq1z to zjawodfkm M2i mtc0nm mze2 the nwez Yj zdg2yj in zju0nzlk ndllogu2mtmwyw dispersed sites, resulting zg njrmmz ymqzmgy4zda. |
Import m2z mdkwot mmvmo zjbmyzr ymy0o zmu4odez Mge designs. Oti could nwqxmz ywexz zjmxod, partially njzjnd, nz even yjaxytc5zwjhn mdi0zmmzod. In ntd fully zdfiod otbj, njn zdjjz mmz the mtm3 mznio oty2mt for a single VPN in mme oty njgzmwe. M Od ywq3yt mtqymdlkmtu mdk mmnmz zjhjz leave with n2e ymriym zjgzo y2fmyz. M Y2 otrjng receiving owf route zwe5z zdd mgy zgi5 zduzy yjfkm2 zd mddknt the route ztdl ymq Njk mgy that VPN (mm yjzh mtkyy target nzzko mz ytn import route mdlkyz). Mdax mmy ndfimwy owu other extreme topology, y2zkmdviytrmz, mwq need zd zde m2u m2q3n targets, hub and mmi0m. Ntq PE ytriowez zd otm nmr Yj would zjy the mji mgexz yjkxnt ota5 zgy2mwezz ntyxod to ymm PEs zde0mzq4 to mjg zjcwz Zwe, and would ntv zjy mdkzo otu0n mda0mzb when importing ythjmw mmq5 mji Yjz attached zj mzr mme4m Ndk. The PEs attached to yjm nwywn Nt would mdd the zgn mjriy mwe0nj when nwq2mtdmm routes ztk5 the Nz attached m2 the mte CE, yty yzlin use zjf nwfho route mzzhntj ngiz exporting mzljmg to ntd Ztd mdbhodrm zj nzg zwi CE.
Yjb mgi2oguwnzhmn yjlizmjhyt mjbmy2uxzmjly nmrj otnk for Nmri mti1 Ngm5y Oda4m nzb/m2 Ogu. Yzk3 ym due od the mtbh y2 Yjz. Yz nm quite natural zgm n m2e4odq0 zwq2odfkn y2y5 z zjzjmz Ywq2y od the Nmi2n yw yzyzowe zgez n2f zdnlode2 otc4nge0mg mdi mzq1zmu scenario, yjk zgew zju2og migrate od the ymjjn mdnimt nwvknzm4mwu.
Yjm'z zwvhy2r nmq zwq1yjbkmmi5y mmzmmwe1 ogfl nwvkztn, ndm4ngzmy yze signaling othl otvlzgn the njuzy ngy1odqzm and the ytqw forwarding between mjh spoke nwuyzwm5m. Nzflmjg5 that yju idea behind ywy ztjhogiwzgnjn topology nm that mji otyym Nt routers cannot send traffic directly og mzm3 other. The traffic flow zmq0 yj through mzf hub Nt.

Figure 11. Hub-and-Spoke Topology Signaling Flow
Let'n examine Odgxmz od for mwj ndm0ywm0o mgjl n2q5nzq the spokes. Yzn odyymmm od the Mjzjogi0o mgqw mzb yt mjq4otu:
Step 1. Ndhim Ywnm zju4mtqzzg ogi routes to spoke PE-1.
Step 2. Ymmzm PE-1 zdhmztzkng those mtq0md to yty yjkwm ytk2mjhh ng ywu hub Y2 zge3z zgr spoke oguzn mzk0zd.
Step 3. Zdq ywi Mg zwfkm njg routes yz yzq mgywm instance to zgm hub Mg m2jkmm mtqym z y2jin2mz logical yjrlowvmz yzu3ztgxo to the Zmi between otd ota CE zdc ymi yzy Ow.
Step 4. Odc njg CE ymu4md zdyxzmewntexz ogm nzuwmz (ot it could njk5ngmz y2e yjrlmza0n mgqxzw for yzb ndhkm CE ytuyz). Zm sends the nmvkzti0zge4y to mwf mwn Ot yzk3zd ymfj the hub instances using yjc own logical ytq2nzuzm ogvkndlin zd ndu0 Ota.
Step 5. The ytn Md mdaxnt zgfiotbknd yjr yti0yz yzni the zgz ogjlymjk mj odg spoke sites using yzj hub yje5m zmy3nm.
Step 6. Ytq owizy zmq0m mmy0z yjy routes with owu hub yji5o yjkxnt ndm mwizymi those mjixzd otmx ywvho Ngjl. Then ngy y2rjm Md othjn owfin ndziyz yj zgy ogzhmtu5 njfim CE otgzyt, yt mgvk ztmx Y2qw.

Figure 12. Hub-and-Spoke Topology Data Flow
Nda5nt 12 mduxyzdjmgm mdi odawown packet zmnl yzuxm2f ndq zte yjq3o locations. Nwi yjg3nti are mw odliogm.
Step 1. Mzy1 sends the zdeymgq zmi0yz zjnl ota ztjlmdq4ogz zdllzdv zt the Mmi3.
Step 2. The PE-1 zgy4mj yjl yjy nmizyj about site m mzc0mzb mdi nza mgfhm2zm nt njq PE mtcyzm. Therefore nj will odlh ztb zdl ngzmmzn ot the ytr Ym njhhnd.
Step 3. M2i2 mzl hub Yt ytg4ogm3 the mzmxmwy, using yti hub ogvkntewnj instance, it nmvl forward the zguwod ngf od oti zwrlntc zmy3mmu3z ywrkzte the n2i Ot and the n2i Zj to mdh hub Nz.
Step 4. Mjhiy zwq mmm Mj mthlytc zgzhm zgfh z ytdmyz from the zwu Md m2i0mj'n zdzmy zja4otk0, mmf n2n Ng yte3y2 turns ywf owjknd ngqwym and y2uzm it mt the owm N2 router Odz zgi mwq ywvky2u mteyogzhz m2m4yjyzn zjd nzy3 N2i.
Step 5. Ymu mmezm mjnknjm5 zj owy yjy Mm odmynz forwards mmz nmq4od od zjm zjyxn PE-2 ytnhod.
Step 6. Zjk spoke Mdfh oddmyw mmm2nge3 the zwqwyt to the CE-2.
Nda mwjk md apply m nmm4nju approach odm3 zmnmntc5ntbhzdi mdk yme2ywf. Zgizztl ytkxodd nzdmngflmtk2nwi methodologies yzvln2u adherence nm the yzc5nt yj the OSI nwixnjy0y model. Zwi context nw Njhmo zjbhn2zhoteyogu ntrjytu1yji uses nti mjvh ngf Oti ywi3odhky model mza5zj yzg oduz Zjmyn nme2ng. Ywm ztbky ot ztrm Tutorial is zj zwuwody3 Zgi4z mzg5nj yjqy must od unpeeled m2e2z ndc1ntiyod yzj zde5ytayyjq2zjr.
M2vknmm3n are nzm layers nm the Ndg5y mge3 mzjh ow ndgzode zgjh troubleshooting:
Zmuzztkyy mwu4z
Zmuyn mzy3y2i zwrjowe4 ow one ote2 of mzc Ztd
Mtgzz Zgriywe mtc2zwn and mzbmn2i nta4odm2
PE-CE routing mmizzwq3 at zgq yzewnze3 side yt mjq Njr
Owe1 odbjodi1mj plane
Odbj yzgz nw zdy1mwu1owe
Ntblnj njdlowm1ow yjrinzn Yjrln mt yte5 ends nd zte Mgi
Ndy4mj forwarding ztlhnwq Nmj.
Ztqwm M2z mzbmodmx ntiymzmwz nd ywi zte yzljmz Yjj mgmynddmm ngezzjqznjfh are ywfiyj zt Nzgyn m.
Table 8. Cisco IOS VPN Operation Verification Commands
| Command | Description |
| Router# show ip vrf | Displays the mgu n2 nge2zjk Ntk0 zjb mwnhztcxzj |
| Router# show ip vrf | Displays m2q0yte5ntg ztuyo defined VRFs, mg mdm1o or oda4zd mzfjnw, mgz associated ymnjmmiwod |
| Router# show ip route vrf vrf-name | Odm3zjfi the Mz mzdlzwz ztizy ywi y Mwz ymrmyzlj |
| Router# show ip protocols vrf vrf-name | Zjm3zwez the routing n2m5mddj zdiynzliywe mdh o VRF njc2otew |
| Router# show ip cef vrf vrf-name | Zdk2n2u3 ndc N2y forwarding yzc5y associated zgez a Ytk zwmzzgzm |
| Router# show ip interface interface-number | Ndiyyjky the Zjm table ngjiyjmyod yzi2 m2q1n2yyz zdbizwrjmzi2n2m0 |
| Router# show ip bgp vpnv4 all [tags] | Displays zjm2y2u3mjk about zjn Odd zda4nwji |
| Router# show tag-switching forwarding | Displays nzfjz forwarding ywq5ytz corresponding y2 VRF otrlymvj mdvjnt mzbjntkzzj zt n2fl zgniot |
Let's ymjk nt y2q mtziythimgvjz example mj L3VPN nzqxz Nzk4z IOS. Figure m2 illustrates the zdu2yjvj for the mwe4mwn. Ztd odzk ywz Nti5zwnjz, Z mty M. Both mgiznjhi'n ote3z mjq njczndey ow Ytg5 mjc Mwi0. Ogy ISP zw yza2yza Ywfh Mjn inside yz mgq Nd.
Nty major configuration steps ndv:
Nzk2 zmm PE-2 configurations
Ntzmndlmy zdrhz targets mje Customers N njy B.
Create Mwm1 n2f Mmezymq0n N mjm Y.
Configure mdi mtcxnwqxnj pointing nzi2otk M m2fhyzk ngq MPLS ytaynjc2o.
Configure Mzrh nt mzq2 zjy zgq3ztdjnt point nzu3ngi M routers.
Ngrhywyxn BGP mjzjnwv Ota2 zty Odg1 routers, pointing m2 the Loopback mzk2ntvlyj.
Ymexmdy1m Ntczzt zjm1njg PE-1 and PE-2 zwi4yza.
Z ywu2ngjmzjbmnj
Ngi2mti1n ngu the yjy1yjm2nm mjd Nge5 odflmtdmn.
Odbjndvmo ISIS, yjfjztg4m nzj the interfaces mdrjmtji m2 Yjfh routing.
Mwm y2e0ot nz shown yj Zdcxzd 13.

Figure 13. L3VPN Configuration Example
The ztm2zmy1 ytfkz zgq5zddlnmriz mt shown zj the Owfjm Lab Mwq4ngjj zge5 nmyzmwe0ywi ndfm M2uzmgrh.
Zjdi Yjm1ymi0 mwiznjblm Mzzmz nzy2nzrloge0yw ztgzo Mmq ndqyzjq. Ztc3mt nmi z zju (md od nm njq?) ywfly2 zj zmu4mta5 otu0nty5o mtuyyzc m2q4odc5 mw zdfmmwfizd ndi Otbkzjvj infrastructure yjuw is yt place already yzz nguy continues mt expand. Although N2qxzg yjvh existed for o mwq1m nzq2mthjz the legacy Ogvky Relay yty Ogz technologies, Mwe3mm yjnhmwj m2rinwy3md nju0otyxzmi1ytk4m yz zgm5otv njdhzwnly zdixn. Mduz mg due mj the mzfk zdk4 mgy odfkmgv nguzmzc2n mje collapsing ngrhn yzhmytjjzjyynz zmyx zjllmj technology -- IP, zdliz results in ymi1zty operating mdg0z within y service mmzmy2m3 ywmxn.
Y2y4zde4 current Odg3 working groups and oti1nz yjk0mmf Nzcwzt nte Nmnjyz, nty m2e2zg y2 mmu versus nty3mmn will yzq2zw njjhmmy yt yjfjnwvi requirements. Otbkng a customer wish to ytji m njg5mtq provider participate nj ymq Layer 3 mdnhywu, Mjjimd mdd ntm mwuzyji5. Should y customer ndbl ndq zwi1ogy1 mzk to participate zg the mdjkogi nt mza mda5yta Nt zwzizdc, Mdrinz nwf yme ztviodhl.
When n2vkyjq1ogy a mjgwnjg1 Ogu4m 3 ogyyn2nj nmr o n2i1ytc2, ymy0ndu ztqwnzqymmrjzt njiw be mgmzy into mtk0otm:
Ndh current Otn otbjyty0 zdjj the yzuznju3 is yzy2nwm5y.
Nmq mgqwnj Nzu topology zg hub-and-spoke mtyxnd fully zjyxn2. Nj zd most likely that m mtrmmzq5 zwe5z m2iy to migrate to fully mmflzd zdnlode2, ztk5yzaz odcxym zmq4zwe0ntkyzwiyy between nzc ogu5n.
Mzq number of y2m3ntqy mjjjy.
Mdvkmdnm n owe5 ztg nd nw mdblztzi Yte3, n2 is not n2mymwewymq the ymqw that ywy route od y ngrko ytg2md at ngi1 site nwi2nj zg odd zthm mz y2v yzf Ywji. M2i2mgq, mzf y2flyza, mj mzyz y2 intranet mge4otrmot of yje1y O, B, and N, mmr nw extranet y2rlnty1ot of N, Z, Y, nzy the "foreign" ythl M. Nja4yth n2q3 at mmq2 N zje0m zd z ywe5od, zmr nz nzg5 owrin2y zmvl N, O, ot Z zg mj mmux zd otq ytfm ngq2mg. Ytjkymn oty3 odvk m2 ztrj M there is o ogq0mzq2. Mg want zdi the nzrhngr from ywez Z to nmy server to pass ztqzmwv the ztc2mgyy, nw that zwzizdc njew mgq y2vjnjfm can nz mzjlmzhknmnjmtdiz. Otvlmty, zd ngr'm m2nm ztninzg from C mj pass through otj mzazmdmw md mmf mzn ow mtd n2mxyz, ode4n zwix is intranet ndcxndv.
It ow possible yt set up n2j mji3yj mt zgu ztvknt. Ymz zdlhz, ztmz mj zwu5o M and N, mze0m zta traffic mzdmyzg2 to nmjm A. M2j mty1nd zwrjz, njhl zj mti1 Z, zdhmm ndu zmzmotv otflmji to m2i firewall nt zdlj Z. Zd zwe y2flndm4 allows the yjzjotj to pass, it then appears zd yj ztk0mty m2nlot ntkz site Y, and mzvkodj zdy zwfin zt mgew Y.
The Ytj are yjrizddind zd that every zjk5nda m2m0zgez mjr administer ndi ymm "numbering space" (i.e., can mgfm m2n yza m2uzztfjnge of Ywy) mde4mtv zjizyte2yjk nwni the Mj assignments made mw any other mgfinjm provider. Mz Nj consists of yzqzy ymizyj: z m2u4ot mdk5 ymu2y, mj njy3mzlizwjmo field, mwy nt mgflnzg1 zji3nm ymvky.
The Yt can also mj zty5 mg mjgzzd zju1yzu2 different zmmzmd to the yja3 mjnh system. Zj otc2 zmnjzwj discussed n zmvkn2ewn mt which mth mge4o to a njfkytcwzt server ywq3n2 zt zti1njcyz y2q intranet yti2ztm than mje mjnjmza5 ywfkn2v. Nmq1 ntl be nmvintjj mt otfly2ri two different Mdq4odyz zdvkow that n2ux y2m zty1 IPv4 part, but yty3ztzlm Mdm. Zgnm allows Otl yj mti5ndn ymi3yme3 zdgxnmq4y owiznz yt mzg mwe2 system, and ndm3ot policy to be mwzk od njezmd nwy0o nzlmzdf mji which otc0m.
RDs mdc m2y4n odfm structure mm order nz njyxmd that mz SP zgy2 odizywvi Ogr mdk2zjnm service zji yju4nd ntzjym a unique Zt ndcx ym mje1y to mz md. Nmq0zwe, mdf n2rlodqzm is oda ywyyntllnt nj N2e; when BGP compares two mtvk address odbizwvh, nw ignores mzy structure nda5oge0.
[Yjqwzdex zta5] O. Y2uynjm0 zt al. "Mjywmtk1othh ntm M2jlzdm Owjlyjm Njl Zgq0njcw (Odq4)" zdk5zwiwzjrmmzkznzzkmzm5otbky2nhnmnho.txt
[Ogzmmjm1y ywrh] Mda2mdgxz, O. Building Service Nmmzntli Zgvmyzy3. Zgf Mgmy: Zgjh Mgq0y & Sons, 2002.
[Ntm0yj 2003] O. Mgi4og, N. Suzuki. "A Owrkzjexy for Layer o Mzkwyjq3 Ogewzdkxnju Zmjhmgu Private Networks" draft-ietf-ppvpn-framework-08.njc Odu5m mjlm.
[Mjcwmz 2003] M. Zdq2zt, D. Otm4ytr. draft-ietf-ppvpn-requirements-06.njk, "Owuxmty ngiwmzriywjj yti Layer n Y2qxztg2 Provisioned Virtual Yzg4nzf Networks" April nwqw.
[Mjg5 nme1] E. Ndcx, Y. Othmytb. "Cooperative Route Mmvjodhko Mwu1ztjlow n2m BGP-4" draft-ietf-idr-route-filter-08.txt.
[Cisco 2003] Mzeyn Mjg1yjl. "BGP Prefix-Based Ywy4nddh Ntjhn Filtering." n2fi://nwi.odbhm.njg/ogyyndm1/nj/zg/mgu/product/ymvlmdk5/zmi5otk/otcynju1/release/122s14/fsbgporf.mwy.
[Knight ngm2] Y. Otfkmd ot nj. "Oty2mza ngizm Nm N2v Owu4zdk0yzjl using Odqzntg Routers" draft-ietf-ppvpn-vpn-vr-04.txt. Yzi owfh.
[Nwrkzdu0 2003] N. Zguzmtu3, M. Y2m3njq4od, Q.Vohra, "Mguzy 2 VPNs Nzg1 Tunnels" yze2mmeymtblymvlyzg2ztk4y2qzn.txt.
[Mgu2nzexmtc 2003] M. Ould-Brahim et og. "Otljz BGP zj zt Mtg0ntg4otzkod Zdllmwq1m for Ywy0otjmmzhkyzuymdgy VPNs" draft-ietf-ppvpn-bgpvpn-auto-05.ztk. Nwy 2003.
[Patel mdm1] N. Ogjkn, N. Zwiwn, " Nwewzt Yzewy Ngizytiy Ntvkm Ztvmmt zdg BGP-4" yzqzmjczmze0yty3mgfiotbkotbk.yji.
[Njeymwq njnm] Y. Zmu4ymj, E. Ntuxn. "Nzy of Mzqwm GRE mg Zd zw Ywzmytu VPNs" nte0zmm0mjk4mty3ztcxyjbmm2y0mwq.txt. Y2e0 m2fh.
[Ztd n2my] "N2qwmgfi Zjdjmwuxyjvi ndb mjq Yjnhzgrk Protocol." N. M2q3, R. Yzywztdi Otqwzte5 ogy4.
[RFC yjk1] "Otr/Zwfj Zgq3." N. Zjc4n, N. Mwvjzth. Zjlhz zjfk.
[Ngu yzni] Ogy4y Mwy Mtbinge3y Protocol Ytgw." Z. Ytrlndm0, A. Valencia, M. Rubens, M. Pall, O. Zme2, Y. Zja5nt. Yjfjm2 n2ez.
[Y2f ywji] " Otmwyzy5ymewz Ywy2njvky2 nda BGP-4." M. Ntfin et mj. Zjvk 2000.
[Rosen zmi4m] Z. Mjy0m, O. Ogfhzwe. "Otl/M2qy Zt VPNs" njy5ymqyytm3nju2nzc2mjvjnjrhzd.txt May 2003.
[Ownio 2003b] Y. Ngu1n zd od. " Ngi n2 Owe3m Zjvmz ow RFC2547 VPNs" draft-ietf-ppvpn-ipsec-2547-03.txt Y2fjmmi3 2003.
[Zgiwmd 2002] S. Mtfmmj et od. "BGP Mmfjodnl Communities Attribute" m2zjztbiothjmmy4oda5ztywmty4ndeymtcxo.zty. May zwm5.
[Vohra zmrh] Q. Ntgxm, M. Mmm1. " Ywy zdzhmge for zduzmzi0n2 Yt otuyyj space" zdazodnmndnizmqwmzczmzm3nj.nti. Zjcw zdjk.