
Enterprise Network Virtualization using IP and MPLS Technologies: Advanced

Travis Jones, Consulting Systems Engineer
CCIE #4603 Data Center, R&S, Security, Service Provider & Voice
CCDE 2013:60
LTRMPL-3102
Agenda

Introduction
Session prerequisites and goals
Lab Overview
Technology
Design Logic
Access Instructions

Execute Lab
The Prerequisites
Know how to navigate and configure Cisco IOS
Familiarity with MPLS (what it is, what it does, and how it does it)
Understanding of IP routing fundamentals
This is an advanced lab

LTRMPL-3102 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 4
Session Goal
Provide every attendee with hands-on experience in the configuration of multiple
network virtualization technologies.
Demonstrate the interoperability of various network virtualization protocols and
the integration of services within a functioning end-to-end topology.
This lab should not be considered a design guide.

Lab Overview
MPLS Concepts and Capabilities
Reference points and their roles within an MPLS domain (P, PE, CE)
Virtual Routing and Forwarding (VRFs)
Inter-AS options (Options A, B, and C)
MPLS over GRE
Use cases

Services Edge
Definition
The Services Edge functional area is where a great deal of policy enforcement
and traffic manipulation is done.
Three main functionalities:
Control inter-VPN traffic/access
Control access to VPN-dedicated resources
Control access to shared resources
Two types of access to shared services
Uncontrolled access
Controlled access

Uncontrolled Access
Sharing Between VPNs with Route-target

[Figure: the central (shared services) VRF exports RT 1:1 and imports RTs 2:2 and 3:3. The Blue and Red VRFs each export their own RT (2:2 and 3:3 respectively) and import only 1:1.]

Bi-directional communication between all VRFs and the central services VRF.
Central services routes are imported into both the Red and Blue VRFs (1:1).
The central VRF imports the routes for the Blue and Red subnets (3:3, 2:2).
No transitivity: imported routes are not re-exported. The Blue and Red VRFs remain isolated; no routes are exchanged between them.
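The route-target pattern above, written out as IOS configuration for one PE. This is an added example, not configuration from the lab; the VRF names, the RDs and the mapping of Blue to 2:2 and Red to 3:3 are assumptions. The point worth seeing in the config is that "uncontrolled" means exactly that: once the import/export statements are in place, every host in Red or Blue reaches every shared-services prefix with no inspection, so the shared VRF itself is the trust boundary.

```cisco
! Added example, not from the lab: hub-and-spoke shared services using route targets
! on one IOS PE. VRF names, RDs and the Red=3:3 / Blue=2:2 mapping are assumptions.
vrf definition SHARED
 rd 65001:1
 address-family ipv4
  route-target export 1:1
  route-target import 2:2
  route-target import 3:3
 exit-address-family
!
vrf definition BLUE
 rd 65001:2
 address-family ipv4
  route-target export 2:2
  route-target import 1:1
 exit-address-family
!
vrf definition RED
 rd 65001:3
 address-family ipv4
  route-target export 3:3
  route-target import 1:1
 exit-address-family
!
! Import/export is performed by BGP, so each VRF needs a BGP address family even on
! a single PE; the vpnv4 neighbors toward other PEs or RRs are omitted here.
router bgp 65001
 address-family ipv4 vrf SHARED
  redistribute connected
 exit-address-family
 address-family ipv4 vrf BLUE
  redistribute connected
 exit-address-family
 address-family ipv4 vrf RED
  redistribute connected
 exit-address-family
!
! Checks: a BLUE connected prefix must appear in SHARED and must be absent from RED.
! An imported route keeps its original RT (2:2) and is not re-exported with 1:1, so
! SHARED cannot leak BLUE into RED by accident; leaking would need an explicit
! "route-target import 2:2" under RED.
!   show ip route vrf SHARED bgp
!   show ip route vrf RED bgp
!   show bgp vpnv4 unicast vrf SHARED
```

If a tenant later needs only part of the shared block, an export map on SHARED (tagging a subset of prefixes with a different RT) keeps the model, but at that point the design is drifting toward the controlled-access model on the next slide.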
Controlled Access
FW + Fusion Router

[Figure: VPN A, B, C and D each attach to a dedicated firewall context or zone-pair; the firewalls connect to a fusion VDC or VRF that fronts the shared services and the Internet (I-Net).]

Fusion router:
Inter-VPN connectivity
Shared resource connectivity (Internet, servers, etc.)

ASASM contexts:
VPN isolation / protection
Per-VPN policies: ACL, NAT
250 contexts per FW
Map to VLANs

IOS Zone Based Firewall:
Inter-Zone Policies
Traffic Classes
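The IOS Zone-Based Firewall variant of controlled access, as an added example rather than the lab's own configuration. It shows the two pieces the slide names, a traffic class and an inter-zone policy, for one VPN talking to the shared-services block; interface names, zone names, addresses and the permitted services are assumptions.

```cisco
! Added example, not the lab's configuration: IOS Zone-Based Firewall as the controlled
! Services Edge between one VPN and the shared services block. Interface names,
! zone names, addresses and the allowed services are assumptions.
zone security VPNA
 description VPN A user segment
zone security SHARED
 description shared services (DNS, web)
!
interface GigabitEthernet0/1
 description toward VPN A
 ip address 10.10.0.1 255.255.255.0
 zone-member security VPNA
!
interface GigabitEthernet0/2
 description toward shared services
 ip address 10.1.0.1 255.255.255.0
 zone-member security SHARED
!
! Traffic class: VPN A may reach the shared block for DNS and HTTPS only.
ip access-list extended ACL-VPNA-TO-SHARED
 permit udp 10.10.0.0 0.0.0.255 10.1.0.0 0.0.0.255 eq domain
 permit tcp 10.10.0.0 0.0.0.255 10.1.0.0 0.0.0.255 eq 443
!
class-map type inspect match-all CM-VPNA-TO-SHARED
 match access-group name ACL-VPNA-TO-SHARED
!
policy-map type inspect PM-VPNA-TO-SHARED
 class type inspect CM-VPNA-TO-SHARED
  inspect
 class class-default
  drop log
!
! Inter-zone policy: only the VPNA -> SHARED direction is defined. Return traffic for
! inspected sessions is allowed statefully; because no SHARED -> VPNA zone-pair
! exists, a host in the shared block cannot open a session into VPN A.
zone-pair security ZP-VPNA-TO-SHARED source VPNA destination SHARED
 service-policy type inspect PM-VPNA-TO-SHARED
!
! Checks:
!   show zone-pair security
!   show policy-map type inspect zone-pair ZP-VPNA-TO-SHARED sessions
```

Adding VPN B is one more zone, one more class/policy pair and one more zone-pair; there is still no VPNA to VPNB zone-pair, so inter-VPN traffic stays blocked unless a policy is written for it, which is the property the fusion design is meant to enforce.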
WAN Core Layer: Dual Plane
IGP isolation between each plane
Isolates topology changes
Flexible topology
Highly redundant
Similar to a two-provider environment
Traffic engineering
Refer to BRKMPL-2108 for more details

Big Picture Design

DCs connect using dark fiber, GRE, or leased lines
The IGP used in the WAN core is separate
DCs peer to the WAN core using eBGP (Inter-AS Option C)
Only infrastructure routes (the loopbacks Option C needs) are fed to the WAN core
VPNv4 routes are exchanged between the RRs at each DC

Advantages:
Scale & flexibility
IGP isolation
Adding/removing DCs is seamless
High level of HA
Lab Topology

[Figure: DC1 (AS65001, FW1), DC2 (AS65002, FW2) and DC3 (AS65003, FW3) connect through the WAN Core (AS65000); a service provider domain (SP, AS100) is also attached. Routers R1 through R25 and hosts Host1 through Host6 are distributed across these domains.]
Complete Your Online Session Evaluation
Please complete your Online Session Evaluations after each session.
Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt.
All surveys can be completed via the Cisco Live Mobile App or the Communication Stations.
Don't forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online

Continue Your Education
Demos in the Cisco Campus
Walk-in Self-Paced Labs
Table Topics
Meet the Engineer 1:1 meetings
Q&A
Reference
Network Virtualization
Giving one physical network the ability to support multiple virtual networks
Separation between:
Line of business
Customers
App layers

[Figure: several virtual networks (e.g. Alpha Network, Cust2) run over one actual physical infrastructure.]
Virtual Routing Forwarding Instance (VRF) Defined

[Figure: a PE router hosting several VRFs. Toward the MPLS/IP core, traffic carries MPLS/tunnel labels and the routes carry route targets; toward the VPN/VRF users, plain IP switching over logical or physical Layer 3 interfaces (IP links or 802.1q subinterfaces).]
Background Info

MPLS Technology Overview

1. At Ingress Edge: label imposition. Classify and push label(s) onto packets.
2. In the Core: label swapping or switching. Forward using labels (not the IP address); the label indicates service class and destination.
3. At Egress Edge: label disposition. Remove labels and forward packets.

Label Edge Router (LER) or Provider Edge (PE) router
Label Switch Router (LSR) or P (Provider) router

MPLS label (shim header), 32 bits:

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------------------------------+-----+-+---------------+
|            Label (20 bits)            | EXP |S| TTL (8 bits)  |
+---------------------------------------+-----+-+---------------+

EXP = Class of Service: 3 bits; S = Bottom of Stack: 1 bit; TTL = Time to Live: 8 bits
MPLS Inter-AS Use Cases

[Figure: Cust1 and Cust2 sites in DC1 (AS1) and DC2 (AS3) are joined across the WAN Core (AS2).]

Extend VPN services over multiple independently managed MPLS domains
Fast geographic service coverage expansion
Two MPLS VPN providers peering to cover a common customer base
Build MPLS VPN networks on an existing multi-domain network
IGP isolation with service continuity
Interconnect BGP confederations with different IGPs in the same AS

Two models are described in RFC 4364:
Carrier Supporting Carrier (CSC)
Inter-Autonomous Systems (Inter-AS)
Extending MPLS with Inter-AS

[Figure: CE1 (VPN-R1) attaches to PE11 in AS #1 (MPLS); CE2 (VPN-R2) attaches to PE22 in AS #2 (MPLS). ASBR1 and ASBR2 interconnect the two ASes.]

Option A: back-to-back VRFs between ASBR1 and ASBR2 (one VRF interface per VPN, plain IP between the ASBRs)
Option B: MP-eBGP for VPNv4 between the ASBRs (the ASBRs hold every VPN route)
Option C: multihop MP-eBGP for VPNv4 between the RRs, with MP-eBGP + labels between the ASBRs

Option C: interesting since we offload the VPN routes from the ASBRs
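The Option C design from the "Big Picture Design" slide and the option list above, written out for the DC1 (AS65001) side as IOS configuration. This is an added example, not the lab's configuration; the loopback plan (10.255.1.0/24 for DC1, one /24 per DC), link addresses, neighbor descriptions and the choice of iBGP IPv4+labels inside the DC are assumptions. It also adds the checks a practitioner wants on an inter-AS session that accepts labeled routes from another administrative domain: a prefix filter in both directions so that only /32 loopbacks cross the boundary, a session password, GTSM on the directly connected eBGP session, and a prefix limit.

```cisco
! Added example, not the lab's configuration: DC1 (AS65001) side of Inter-AS Option C
! toward the WAN core (AS65000). Loopback ranges, link addresses and the
! one-/24-per-DC plan are assumptions.
!
! --- DC1 ASBR: eBGP IPv4 + labels to the WAN-core ASBR, infrastructure routes only ---
ip prefix-list PL-DC1-LOOPBACKS seq 5 permit 10.255.1.0/24 ge 32
ip prefix-list PL-REMOTE-LOOPBACKS seq 5 deny 10.255.1.0/24 ge 32
ip prefix-list PL-REMOTE-LOOPBACKS seq 10 permit 10.255.0.0/16 ge 32
!
route-map RM-INFRA-OUT permit 10
 match ip address prefix-list PL-DC1-LOOPBACKS
!
route-map RM-INFRA-IN permit 10
 match ip address prefix-list PL-REMOTE-LOOPBACKS
!
router bgp 65001
 bgp log-neighbor-changes
 neighbor 192.0.2.2 remote-as 65000
 neighbor 192.0.2.2 description WAN core ASBR
 neighbor 192.0.2.2 password CHANGE-ME
 neighbor 192.0.2.2 ttl-security hops 1
 neighbor 10.255.1.1 remote-as 65001
 neighbor 10.255.1.1 description DC1 route reflector
 neighbor 10.255.1.1 update-source Loopback0
 address-family ipv4
  ! one network statement per local PE/RR loopback (they are in the DC IGP)
  network 10.255.1.1 mask 255.255.255.255
  network 10.255.1.2 mask 255.255.255.255
  neighbor 192.0.2.2 activate
  neighbor 192.0.2.2 send-label
  neighbor 192.0.2.2 route-map RM-INFRA-OUT out
  neighbor 192.0.2.2 route-map RM-INFRA-IN in
  neighbor 192.0.2.2 maximum-prefix 100
  ! hand the remote loopbacks, with labels, to the local RR for the DC1 PEs
  neighbor 10.255.1.1 activate
  neighbor 10.255.1.1 send-label
  neighbor 10.255.1.1 next-hop-self
 exit-address-family
!
! --- DC1 route reflector: multihop MP-eBGP for VPNv4 with the DC2 RR ---
router bgp 65001
 neighbor 10.255.2.1 remote-as 65002
 neighbor 10.255.2.1 description DC2 route reflector
 neighbor 10.255.2.1 ebgp-multihop 255
 neighbor 10.255.2.1 update-source Loopback0
 neighbor 10.255.2.1 password CHANGE-ME
 address-family vpnv4
  neighbor 10.255.2.1 activate
  neighbor 10.255.2.1 send-community extended
  ! keep the originating PE as next hop; the labeled IPv4 path built above
  ! provides the end-to-end LSP to it, so the ASBRs hold no VPN routes
  neighbor 10.255.2.1 next-hop-unchanged
 exit-address-family
!
! Checks:
!   show bgp ipv4 unicast labels           (remote loopbacks with labels on the ASBR)
!   show bgp vpnv4 unicast all summary    (RR-to-RR session established)
!   show bgp vpnv4 unicast all            (next hops are remote PE loopbacks, not ASBRs)
```

The WAN-core ASBR mirrors the ASBR section with its own prefix lists. Note the trade-off the slide's "offload" remark implies: in Option C the other AS learns your PE loopbacks and can forward labeled traffic to them, so the inbound filter and the per-neighbor limits are what keep the shared infrastructure from becoming a path into the DC.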
Deployment & Implementation Scenarios
Point to Point Tunneling: MPLS to MPLS over GRE

[Figure: DC1 (MPLS) - PE1 - P1 - IP Network (MPLSoGRE) - P2 - PE2 - DC2 (MPLS). Label stack inside each DC: IGP Label / VPN Label / IP Payload. Across the IP WAN transport: GRE Header / IGP Label / VPN Label / IP Payload.]

IP WAN transport
IPsec option for security
P-to-P tunnel
Looks like an MPLS link
Drawbacks:
Cumbersome with multiple sites (MPLSoMGRE is an alternate solution)
MTU
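The point-to-point MPLSoGRE tunnel above, with the IPsec option applied, as an added IOS example rather than the lab's configuration. WAN and tunnel addressing, interface names, the OSPF process, the IKEv2 parameters and the MTU values are assumptions. It shows the two things the slide flags: the tunnel is just another MPLS-enabled IGP/LDP link, and the MTU has to absorb GRE, the label stack and (if used) ESP.

```cisco
! Added example, not the lab's configuration: P2P MPLS over GRE between PE1 and PE2 across
! an IP WAN, with optional IPsec (IKEv2) protection of the GRE tunnel. Addresses, interface
! names, the IGP process and the IKEv2/IPsec parameters are assumptions.
!
! --- optional: IPsec protection for the GRE tunnel ---
crypto ikev2 proposal IKEV2-PROP
 encryption aes-gcm-256
 prf sha384
 group 19
crypto ikev2 policy IKEV2-POL
 proposal IKEV2-PROP
crypto ikev2 keyring KR-PE2
 peer PE2
  address 203.0.113.2
  pre-shared-key CHANGE-ME-use-a-long-random-psk
crypto ikev2 profile IKEV2-PROF
 match identity remote address 203.0.113.2 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local KR-PE2
crypto ipsec transform-set TS-GCM esp-gcm 256
 mode transport
crypto ipsec profile IPSEC-GRE
 set transform-set TS-GCM
 set ikev2-profile IKEV2-PROF
!
! --- PE1 WAN side ---
interface GigabitEthernet0/0
 description IP WAN transport
 ip address 198.51.100.1 255.255.255.0
!
! The tunnel endpoint must be reached over the WAN, never through the tunnel itself,
! otherwise the tunnel flaps on recursive routing (WAN next hop is an assumption).
ip route 203.0.113.2 255.255.255.255 198.51.100.254
!
! --- PE1 tunnel: to the IGP and LDP this is just another MPLS-enabled link ---
interface Tunnel0
 description MPLSoGRE to PE2
 ip address 10.200.0.1 255.255.255.252
 ip ospf 1 area 0
 mpls ip
 ! GRE adds 24 bytes, two labels add 8, ESP-GCM in transport mode adds roughly 40;
 ! 1400 leaves headroom under a 1500-byte WAN MTU, and the MSS clamp avoids
 ! fragmenting TCP flows that do not honour PMTUD.
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 tunnel protection ipsec profile IPSEC-GRE
!
! Checks:
!   show crypto ikev2 sa                 (SA up before LDP can come up)
!   show mpls ldp neighbor               (PE2 is an LDP neighbor over Tunnel0)
!   show mpls forwarding-table           (outgoing interface Tunnel0 for DC2 loopbacks)
!   ping 10.200.0.2 size 1400 df-bit     (confirms the chosen MTU fits)
```

PE2 is the mirror image with the addresses swapped. With many sites the per-pair tunnel, key and static route multiply, which is the slide's "cumbersome with multiple sites" drawback; MPLSoMGRE trades that for a single multipoint interface.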
Refer to BRKMPL-2108 for more details

Big Picture: Using VDC or VRF Sandwich Design

[Figure: VRF A, B and C are each terminated between a VDC-Agg pair above the firewall and a VDC-Sub-Agg pair below it.]

Virtual firewalls assigned to VRF by VLAN association
Active/Standby
One pair of physical or virtual firewalls per VRF
Each firewall requires two VLANs: inside and outside
Firewall in transparent or routed mode
Refer to BRKMPL-2108 for more details

Big Picture Design: Firewall Placement w/Virtualization

[Figure: two firewall placement options (Option 1, Option 2) shown relative to the MPLS core, the load balancers (LB), the default gateway at the spine layer (N7k, F2e) and the FabricPath fabric.]
Recommended Reading
Coming Soon

Thank You