Training Course
Course Contents
Contents:
Introduction to VPNs
Layer 3 VPNs
Basic Layer 3 VPN Configuration with JUNOS Software
Troubleshooting Layer 3 VPNs
Layer 2 VPNs (Kompella)
Layer 2 VPN Configuration and Troubleshooting
(Kompella)
VPLS Configuration and Troubleshooting
Appendix : MPLS Primer
Advanced VPNs
Training Course
Module Objectives
After successfully completing this module, you will be able to:
Define the term VPN and describe the benefits of IP-based VPN solutions
List two characteristics of CPE-based VPNs
Cite two characteristics of provider-provisioned VPNs
Describe the pros and cons of Layer 2 and Layer 3 VPN solutions from a provider's perspective
Describe the pros and cons associated with Layer 2 and Layer 3 VPN solutions from a customer's perspective
List the VPN solutions available with JUNOS Internet software
Agenda: Introduction to VPNs
Overview of VPNs
CPE-Based VPNs
Provider-Provisioned VPNs
Introduction to RFC 2547
Introduction to CCC/Layer 2 MPLS VPN
IETF Standards Update
Conclusions
What is a VPN?
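[Figure: a VPN uses a shared public infrastructure to connect headquarters and branch offices (corporate intranet), mobile users and telecommuters, and suppliers, partners and customers (extranet)]
[Figure: traditional Layer 2 VPN built from DLCIs through a Frame Relay switch]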
Operational model
PVCs overlay the shared infrastructure (ATM/Frame Relay)
Routing occurs at customer premise
Benefits
Mature technologies
Relatively “secure”
Service commitments (bandwidth, availability, and more)
Limitations
Scalability and management
Not a fully integrated IP solution
[Figure: Internet-based VPN providing remote access for mobile users and telecommuters, and an extranet for suppliers, partners and customers]
Use IP infrastructure
Can be shared with Internet service
Increasing importance of IP/MPLS (not ATM/FR)
Subscriber benefits
A single network connection for all services
Lower operational expenses
Provider benefits
Multiservice infrastructure that supports all services
Creates additional source of revenue
VPN Classification Model
[Figure: CPE-VPN (VPN tunnels built between the CPE devices at subscriber sites 1 to 3) compared with PP-VPN (the CPE device at each subscriber site attaches to a provider PE router, and the VPN is built between PE routers)]
Layer 2 CPE-VPNs: L2TP and PPTP
Application
Dial access for remote users
Layer 2 Tunneling Protocol (L2TP)
RFC 2661
Combination of L2F and Point-to-Point Tunneling Protocol
Point-to-Point Tunneling Protocol (PPTP)
Bundled with Windows and Windows NT
Both support IPsec for encryption
Authentication & encryption at tunnel endpoints
Layer 3 CPE-VPNs: IPsec Tunnel Mode
Defines the IETF Layer 3 security architecture
Applications
Strong security requirements
Extending VPNs across multiple service providers
Security services include
Access control
Data origin authentication
Replay protection
Data integrity
Data privacy (encryption)
Key management
Layer 3 CPE-VPNs: IPsec – Example
[Figure: CPE devices at the corporate HQ and the branch office connected across the public Internet]
Layer 3 CPE-VPNs: IPsec Benefits and Limitations
Benefits
Does not interfere with existing applications—runs at Layer 3
Protected packets are forwarded by existing routers
Limitations
Minimal provider opportunity (except for delivering a reliable and
scalable Internet service)
Note
United States is easing export of encryption technology
IPsec is the subscriber’s “take charge” solution
IPsec is the quickest way to a common pipe
Layer 3 PP-VPNs: RFC 2547bis (1/2)
[Figure: service provider network of P and PE routers; the CE router at each customer site attaches to a PE router, which holds one VRF per attached site]
Layer 3 PP-VPNs: RFC 2547bis (2/2)
Label Distribution Protocol (LDP) or Resource Reservation Protocol (RSVP) sets up the MPLS tunnel through the provider backbone
BGP is used to distribute
Information about the VPN (discovery)
Routing and reachability for the VPN
Labels for per-VPN LSPs (tunneled in PE-PE LSP)
Flexible, policy-based control mechanism
Export “route targets” associate routes to a particular VPN in
the BGP update
Import “route targets” control whether a route will be
accepted into a site-specific forwarding table
Layer 3 PP-VPNs: Virtual Routers
At a high level, Virtual Routers (VRs) are similar to 2547
Network Layer (IP) forwarding in PE equipment for
private networks
VPN-specific forwarding tables
PE participates in private network routing
Routing for private nets across public net
is tunneled along with data
VR within PE operates as if it were a normal router in
the private network
Can use MPLS or other tunneling approach
Layer 3 PP-VPN Advantages
Subscriber
Outsource WAN infrastructure
Offload routing complexity to provider
Suits small to medium enterprises that do
not wish to build core routing competency
into their organizations
Provider
VPN-specific routing information is not maintained on
all backbone routers
Value-added service (revenue opportunity)
Layer 3 PP-VPN Disadvantages
Policy-based control creates administrative
burden for provider
MPLS-Based Layer 2 PP-VPNs
Layer 2 MPLS-based VPNs
Circuit cross-connect (CCC)
Draft-martini Layer 2 VPNs
Draft-kompella Layer 2 VPNs
Virtual Private LAN Service (VPLS)
Circuit Cross-connect (CCC)
CCC = Circuit Cross-connect
[Figure: CCC example. "Good Service SP" sites in the USA, Europe (10.0.0.0) and Asia (20.0.0.0) regions connect across a large provider's IP/MPLS network. Source CPE routing table: 10/8 out DLCI 600, 20/8 out DLCI 610. Ingress PE CCC table: DLCI 600 to LSP 1, DLCI 610 to LSP 2. Egress PE CCC tables: LSP 1 to DLCI 605, LSP 2 to DLCI 608.]
Circuit Cross-connect Issues
Only appropriate for small numbers
of individual private connections
CPE and PE systems are statically configured
Complex initial configuration
Large configuration files
Tedious configuration for adds, moves, and changes
Each DLCI/PVC requires a dedicated LSP
MPLS-based Layer 2 VPNs
CCC Function
MPLS-based Layer 2 VPNs: Advantages
Subscriber
Outsourced WAN infrastructure
Easy migration from existing Layer 2 fabric
Can maintain routing control, or opt for managed service
Supports any Layer 3 protocol
Provider
Complements RFC 2547bis
Operates over the same core, using the same outer LSP
Existing Frame Relay and ATM VPNs can be collapsed onto a single
IP/MPLS infrastructure
Label stacking reduces the number of LSPs compared with CCC
No scalability problems associated with storing numerous customer
VPN routes
Simpler than the extensive policy-based configuration
used with 2547
MPLS-based Layer 2 VPNs: Disadvantages
Circuit type (ATM/FR) to each VPN site must
be uniform
Standards: CPE-Based VPNs
CPE-VPN standards are stable and deployed
RFC 2661 for L2TP
Many RFCs for IPSec
Configuration and provisioning are challenging
Numerous proprietary approaches
Guardian
Checkpoint
Firebox
Infoexpress
Standards: Provider-Provisioned VPNs
RFC 2547 provides overview of benefits
2547bis (Internet-Draft) specifies the details
needed for interoperability
Co-authored by Cisco, Juniper Networks, multiple
service providers, and others
Interoperable products are shipping
Full IETF standardization will take time
Extensions are being considered
OSPF as the PE/CE protocol in BGP/MPLS VPNs
draft-rosen-vpns-ospf-bgp-mpls defines PE router behavior as ASBR, ABR, and internal OSPF router
OSPF Domain-ID supported in JUNOS software Release 5.0
Multicast in MPLS/BGP VPNs
Standards: Provider-Provisioned VPNs Summary
Layer 2 MPLS VPNs are Internet drafts
draft-kompella-ppvpn-l2vpn (updated version)
supports draft-martini control word-based
encapsulation but has no support of LDP signaling
draft-martini-l2circuit-trans-mpls
draft-martini-l2circuit-encap-mpls
Other standards:
Framework document is an Internet draft that combines multiple inputs, covers Layer 3 VPNs, and is being updated to cover Layer 2, CPE PP-VPNs
Requirements document is also Internet draft
Multiple virtual router proposals have been written
but have little industry support
Comparison: RFC2547 and MPLS Layer 2 VPNs
RFC2547                                MPLS Layer 2 VPNs
Ideal for small/medium businesses      Ideal for large/corporate businesses
ISP-managed routing                    Customer-managed routing
Layer 3                                Layer 2
MPLS-based                             MPLS-based
RSVP, LDP                              RSVP, LDP
Label stacking                         Label stacking
IP traffic                             IP traffic
                                       IP multicast
                                       Non IP CPE traffic
A Range of VPN Solutions (1 of 4)
Each customer has different:
Security requirements
Staff expertise
Tolerance for outsourcing
Customer networks vary by size and traffic
volume
Providers differ concerning:
Customer base
Willingness to offer outsourcing
Handling managed router services
A Range of VPN Solutions (3 of 4)
Many customers have limited IP expertise
Want to outsource wide-area interconnection and
routing
RFC 2547bis VPNs are ideal
For remote user access to corporate network
PPTP/L2TP is convenient and effective
Users can access network from anywhere on the
Internet
JUNOS Software Layer 3 VPN Implementation
Layer 3 VPN support
RFC 2547bis support
Shipping since Release 4.4
LSA flooding across provider backbone
All router platforms support CE, PE, P router functions
Future RFC 2547bis enhancements possible (for
example, multicast)
Standards are still under definition
Module Objectives
After successfully completing this module, you will
be able to:
Define the roles of P, PE, and CE routers
Describe the format of VPN-IPv4 addresses
Explain the role of the route distinguisher
Describe the flow of RFC 2547bis control information
Explain the operation of the RFC 2547bis forwarding plane
Agenda: Layer 3 MPLS VPNs
RFC 2547bis Terminology
VPN-IPv4 Address Structure
Operational Characteristics
Policy-Based Routing Information Exchange
Traffic Forwarding
Customer Edge
[Figure: CE routers at the sites of VPN A and VPN B attach to PE routers; P routers form the provider core. The same topology is repeated on the next three slides to highlight each role.]
Provider Edge Routers
Provider Routers
VPN Sites
[Figure: PE 1, PE 2 and PE 3 connect the CE routers at the sites of VPN A, VPN B and VPN C across P routers; PE-CE routing uses OSPF, static routes or E-BGP]
VRFs
Each VRF is populated with:
Routes received from directly connected CE routers
associated with the VRF
Routes received from other PE routers
with acceptable BGP attributes
[Figure: overlapping address spaces. The customer sites use the prefixes 10.1/16, 10.2/16 and 10.3/16, and 10.3/16 is in use both at VPN A Site 3 (CE-A3) and at VPN B Site 3 (CE-B3).]
VPN-IPv4 Address Family
[Figure: VPN-IPv4 address format: route distinguisher (Type, Administrator, Assigned number) followed by the subscriber IPv4 prefix]
VPN-IPv4 Address Family
Route distinguisher disambiguates
IPv4 addresses
VPN-IPv4 routes
Ingress PE prepends RD to IPv4 prefix
of routes received from each CE
VPN-IPv4 routes are exchanged between PE using BGP
Egress PE converts VPN-IPv4 routes into IPv4 routes
before inserting into site’s routing table
VPN-IPv4 is used only in the control plane
Data plane uses MPLS and IPv4 addressing
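The conversion described above, as an added example that is not part of the course material. It packs the route distinguisher as a 2-byte type followed by the administrator and assigned-number fields (type 0 with an AS number, type 1 with an IPv4 address), prepends it to the IPv4 prefix, and shows two customers reusing the same prefix without colliding. The RD 10458:24 and the sample advertisements are constructed for illustration.

```python
import ipaddress
import struct


def encode_rd(rd: str) -> bytes:
    """Pack an 'administrator:assigned-number' string into the 8-byte RD."""
    admin, _, assigned = rd.rpartition(":")
    number = int(assigned)
    if "." in admin:
        # Type 1: 4-byte IPv4 administrator, 2-byte assigned number.
        if not 0 <= number <= 0xFFFF:
            raise ValueError(f"assigned number too large for a type 1 RD: {rd}")
        return struct.pack("!H4sH", 1, ipaddress.IPv4Address(admin).packed, number)
    # Type 0: 2-byte AS number administrator, 4-byte assigned number.
    asn = int(admin)
    if not (0 <= asn <= 0xFFFF and 0 <= number <= 0xFFFFFFFF):
        raise ValueError(f"field out of range for a type 0 RD: {rd}")
    return struct.pack("!HHI", 0, asn, number)


def decode_rd(raw: bytes) -> str:
    """Turn the 8-byte RD back into its 'administrator:assigned-number' form."""
    rd_type = struct.unpack("!H", raw[:2])[0]
    if rd_type == 0:
        asn, number = struct.unpack("!HI", raw[2:8])
        return f"{asn}:{number}"
    if rd_type == 1:
        addr, number = struct.unpack("!4sH", raw[2:8])
        return f"{ipaddress.IPv4Address(addr)}:{number}"
    raise ValueError(f"unsupported RD type {rd_type}")


def to_vpn_ipv4(rd: str, prefix: str):
    """Ingress PE: prepend the RD. Returns (12-byte address, length in bits)."""
    net = ipaddress.IPv4Network(prefix)
    return encode_rd(rd) + net.network_address.packed, 64 + net.prefixlen


def to_ipv4(address: bytes, length: int) -> str:
    """Egress PE: strip the RD before the route goes into the site's table."""
    return str(ipaddress.IPv4Network((address[8:], length - 64)))


def show(address: bytes, length: int) -> str:
    """Render a VPN-IPv4 route the way the slides write it (RD:prefix/length)."""
    return f"{decode_rd(address[:8])}:{ipaddress.IPv4Address(address[8:])}/{length}"


# Constructed sample: VPN A and VPN B both use 10.3.0.0/16.
SAMPLE_ADVERTS = [
    ("vpn-a", "10458:23", "10.3.0.0/16"),
    ("vpn-b", "10458:24", "10.3.0.0/16"),
    ("vpn-b", "10458:24", "10.1.0.0/16"),
]


def build_table(adverts, use_rd=True):
    """Key each advertisement as a PE would; equal keys overwrite each other."""
    table = {}
    for vrf, rd, prefix in adverts:
        net = ipaddress.IPv4Network(prefix)
        if use_rd:
            key = to_vpn_ipv4(rd, prefix)
        else:
            key = (net.network_address.packed, net.prefixlen)
        table[key] = vrf
    return table


if __name__ == "__main__":
    addr, length = to_vpn_ipv4("10458:23", "10.1.0.0/16")
    print(show(addr, length), "->", to_ipv4(addr, length))
    print("routes kept with RD:", len(build_table(SAMPLE_ADVERTS)))
    print("routes kept without RD:", len(build_table(SAMPLE_ADVERTS, use_rd=False)))
```

The 64-bit RD plus the 16-bit prefix gives the /80 length that appears on the routing exchange slides (10458:23:10.1/80).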
Operational Model Overview
[Figure: PE 1, PE 2 and PE 3 connect the CE routers of VPN A (sites 1 to 3) and VPN B (sites 1 and 2) across the P routers of the provider core]
Control Flow
Routing information exchange between CE and PE
Routing information exchange between PEs
LSP establishment between PEs (RSVP or LDP signaling)
Data flow
Forwarding user traffic
Route Distribution
Route distribution is controlled
by BGP Extended Community attributes
Route Target:
Identifies a set of VRFs to which a PE router
distributes routes
Site of Origin:
Identifies the specific site from which a PE router
learns a route
Route Targets
Each VPN-IPv4 route advertised through BGP is
associated with a route target attribute
Export policies define what targets are associated
with routes
Upon receipt of a VPN-IPv4 route, a PE router will decide
whether to add that route to a VRF
Import policies define what routes will be added
to a VRF
Route isolation between VRFs is accomplished through
route filtering
SP provisioning tool determines the appropriate export and
import targets
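Because isolation between VRFs depends entirely on the import and export targets, a provisioning check is worth running before targets reach the PE routers. The following added example (not part of the course material) models export and import policy and then audits the target sets for VRFs of different customers that would exchange routes. The VRF names, customers, RDs other than 10458:23, and the target values are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Update:
    """A VPN-IPv4 route as one PE advertises it to the others through BGP."""
    rd: str
    prefix: str
    next_hop: str
    targets: frozenset


@dataclass
class Vrf:
    name: str
    pe: str
    customer: str
    rd: str
    export_targets: set
    import_targets: set
    local_routes: list = field(default_factory=list)  # learned from the CE
    table: dict = field(default_factory=dict)         # prefix -> next-hop PE


def export_updates(vrf):
    """Export policy: attach the VRF's route targets to every local route."""
    targets = frozenset(vrf.export_targets)
    return [Update(vrf.rd, p, vrf.pe, targets) for p in vrf.local_routes]


def import_update(vrf, update):
    """Import policy: accept a route only if at least one target matches."""
    if vrf.import_targets & update.targets:
        vrf.table[update.prefix] = update.next_hop
        return True
    return False


def distribute(vrfs):
    """Offer every exported route to every other VRF, as a full PE mesh would."""
    for src in vrfs:
        for update in export_updates(src):
            for dst in vrfs:
                if dst is not src:
                    import_update(dst, update)


def audit_leaks(vrfs, allowed=frozenset()):
    """List (exporter, importer, shared targets) across different customers.

    Pairs named in 'allowed' are intentional extranets and are not reported.
    """
    findings = []
    for src in vrfs:
        for dst in vrfs:
            shared = src.export_targets & dst.import_targets
            if (src is not dst and src.customer != dst.customer and shared
                    and (src.name, dst.name) not in allowed):
                findings.append((src.name, dst.name, sorted(shared)))
    return findings


def sample_vrfs():
    """Constructed provisioning data; blue-2 carries a mistaken import target."""
    red, blue = "target:10458:100", "target:10458:200"
    return [
        Vrf("red-1", "PE-2", "red", "10458:23", {red}, {red}, ["10.1.0.0/16"]),
        Vrf("red-2", "PE-1", "red", "10458:24", {red}, {red}, ["10.2.0.0/16"]),
        Vrf("blue-1", "PE-1", "blue", "10458:31", {blue}, {blue}, ["10.3.0.0/16"]),
        Vrf("blue-2", "PE-2", "blue", "10458:32", {blue}, {blue, red}, ["10.4.0.0/16"]),
    ]


if __name__ == "__main__":
    vrfs = sample_vrfs()
    distribute(vrfs)
    for vrf in vrfs:
        print(vrf.name, vrf.table)
    for exporter, importer, shared in audit_leaks(vrfs):
        print(f"cross-customer import: {exporter} -> {importer} via {shared}")
```

Running the audit on the planned target sets, before distribution, reports the blue-2 mistake without any route having to leak first.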
Exchange of Routing Information
[Figure sequence, built up over several slides: PE-1 and PE-2 each hold a VRF per attached CE (CE-1 to CE-4) and share a BGP session. A site advertises 10.1/16 to its PE router through OSPF. The PE router converts it to the VPN-IPv4 route 10458:23:10.1/80, applies the "VPN RED" export target, and advertises it over the BGP session with label Z and next hop PE-2. The remote site then receives 10.1/16 with next hop PE1.]
Data Flow
[Figure sequence: an IP packet addressed to 10.1.2.3 travels from Site 2 through PE-1 and PE-2 to Site 1 (10.1/16)]
PE-1
1) Lookup route in Red FT
2) Push BGP label (Z)
3) Push IGP label (Y)
[Figure: the packet leaves PE-1 carrying IGP label (Y) on top of BGP label (Z) on top of the IP packet; further into the core the IGP label is shown as (x) and the BGP label is unchanged]
After packets exit the ingress PE, the outer label is used to traverse the service provider
P routers are not VPN-aware
Penultimate: Pop top label
[Figure: the IP packet for 10.1.2.3 is delivered to Site 1]
Module Objectives
After successfully completing this module, you
will be able to:
Create VRFs
Write and apply VRF policy
Configure BGP, extended communities
Configure a point-to-point Layer 3 VPN topology
using RSVP
Agenda: Configuring Layer 3 VPNs
Preliminary Steps
PE Configuration
VRF Instance
Assign Route Distinguisher
Associate VRF Interfaces
VRF Policy
Create and Apply BGP Extended Communities
PE-CE Routing Protocol
AS-Override
Site of Origin Community
OSPF Domain Identifier Community
Introduction to VPN Routing Tables
VPN routing table
inet.0
Main IP routing table, relevant for IGP and BGP
inet.3
RSVP and LDP routes installed, relevant for BGP only
vpn.inet.0
Stores all unicast IPv4 routes received from directly
connected CE routers and all explicitly configured static
routes in the routing instance
For each vpn.inet.0 routing table, one forwarding table is
maintained
bgp.l3vpn.0
Stores all VPN-IPv4 unicast routes received from other PE
routers
This table is present only on PE routers; routes are resolved using the information in the inet.3 routing table
mpls.0
MPLS switching table
vpn.mpls.0
MPLS switching table per VPN incoming interface
[edit]
lab@Amsterdam# show protocol bgp
group int {
    type internal;
    local-address 192.168.24.1;
    family inet {
        unicast;
    }
    family inet-vpn {
        unicast;
    }
    neighbor 192.168.16.1;
}
MP-IBGP Peering: PE-PE
lab@Amsterdam> show bgp neighbor
Peer: 192.168.16.1+179 AS 65412 Local: 192.168.24.1+1048 AS 65412
  Type: Internal State: Established Flags: < >
  Last State: OpenConfirm Last Event: RecvKeepAlive
  Last Error: None
  Options: <Preference LocalAddress HoldTime AddressFamily Rib-group Refresh>
  Address families configured: inet-unicast inet-vpn-unicast
  Local Address: 192.168.24.1 Holdtime: 90 Preference: 170
  Number of flaps: 0
  Peer ID: 192.168.16.1 Local ID: 192.168.24.1 Active Holdtime: 90
  Keepalive Interval: 30
  NLRI advertised by peer: inet-unicast inet-vpn-unicast
  NLRI for this session: inet-unicast inet-vpn-unicast
  Peer supports Refresh capability (2)
  Table inet.0 Bit: 10000
    Send state: in sync
    Active prefixes: 0
    Received prefixes: 0
    Suppressed due to damping: 0
  Table bgp.l3vpn.0 Bit: 30000
    Send state: in sync
    Active prefixes: 8
    Received prefixes: 8
    Suppressed due to damping: 0
  Table vpna.inet.0 Bit: 40000
    Send state: in sync
    Active prefixes: 7
    Received prefixes: 8
PE Configuration
PE routers do all VPN-specific configuration
PE routing instance
Create routing instance and list associated VRF
interfaces
Assign a route distinguisher
Link the VRF to import and export policies
Configure PE-CE routing protocol properties
VPN policy
Create and apply BGP extended communities (for
example, route target/site of origin)
Create VRF import and export policies
Sample Layer 3 VPN Topology
[Figure: sample topology. Provider core in AS 65412 running OSPF area 0, with PE routers HK (lo0 192.168.14.1) and AM (lo0 192.168.24.1) and P routers P1 and P2. CE A (AS 65001, 172.20.0-3/24, 192.168.20.1) and CE B (AS 65001, 172.20.4-7/24, 192.168.28.1) attach to the PE routers over Fast Ethernet interfaces.]
Network characteristics
Interface addressing is 10.0.x.x/24 (except loopbacks)
IGP is single-area OSPF
RSVP signaling between PE devices, LSPs established
between PE routers (CSPF not required)
Full MP-IBGP mesh between PE routers, lo0 peering, VPN-IPv4 NLRI
CE-PE link running EBGP
Full-mesh Layer 3 VPN between CE-A and CE-B
Actual lab topology will differ; this is a sample network
A Sample VRF Configuration
Creating a VRF called vpn-a with BGP running between
the PE and CE
[edit routing-instances vpn-a]
lab@HK# show
instance-type vrf;
interface fe-0/0/0.0;
route-distinguisher 192.168.16.1:1;
vrf-import vpna-import;
vrf-export vpna-export;
protocols {
    bgp {
        group ce-a {
            type external;
            peer-as 65001;
            neighbor 10.0.6.2;
        }
    }
}
[edit policy-options]
lab@HK# show policy-statement vpna-import
term 1 {
    from {
        protocol bgp;
        community vpna-target;
    }
    then accept;
}
term 2 {
    then reject;
}
Sample VRF Export Policy
lab@HK# show policy-statement vpn-a-export
term 1 {
    from protocol bgp;
    then {
        community add vpn-a-target;
        community add ce-name-origin;
        accept;
    }
}
term 2 {
    then reject;
}
This policy advertises routes learned from BGP from the
CE, while adding the route target and origin communities
Matching routes are sent to MP-IBGP peers that have
advertised VPN-IPv4 NLRI capabilities
AS Override
[Figure: AS override example with customer sites in AS 65001 (172.20.0-3/24)]
Module 4: Troubleshooting Layer 3 VPNs
Module Objectives
After successfully completing this module, you will be
able to:
Explain the purpose of the vpn-interface switch
Describe why pinging a multi-access VRF interface can be
problematic, and list two ways of making it work
Explain how you can make PE-based traceroutes reveal P
router hops
View PE-PE control flow
Describe the difference between the bgp.l3vpn table and a VRF
View a Layer 3 VPN's VRF and forwarding tables
Monitor the operation of the PE-CE routing protocol
RFC 2547bis Troubleshooting
Best to take a layered approach
Core vs. PE/CE problems
Physical layer, data-link layer, IGP, BGP, MPLS, VPN
configuration and import/export policy
vpn-interface switch for ping, traceroute, Telnet, and
SSH
Routing traffic originated on the PE-CE link for multi-
access interfaces requires special steps
Release 5.2 supports vrf-table-label enhancement
Permits Internet Processor II operations, like ARP, at egress
PE router
Troubleshooting: A Layered Approach
[Figure: CE, HK, P1, P2, AM, CE in a row across the provider core. PE-CE problems (at both edges): IGP/EBGP, policy. Core problems: IGP, MPLS (RSVP/LDP), IBGP, data forwarding.]
PE-PE Troubleshooting
PE-CE Troubleshooting
CE-CE VRF Interface Pings
Not an issue for point-to-point interfaces
Multi-access technologies (GE/FE) require special
steps to facilitate ARP
Exporting direct routes from the PE router works in JUNOS software Release 5.0 and later
Requires that the PE router has learned at least one route
(static/dynamic) with the CE device as a next hop
Release 5.2 vrf-table-label enhancement
Release 4.4 requires static routes (shown below)
lab@Hong-kong# show routing-instances
vpna {
    instance-type vrf;
    interface fe-0/0/0.0;
    route-distinguisher 192.168.16.1:1;
    vrf-import vpna-import;
    vrf-export vpna-export;
    routing-options {
        static {
            /* ce-ce traffic */
            route 10.0.21.2/32 next-hop 10.0.21.2;
            /* pe-pe and CE-CE traffic */
            route 10.0.21.0/30 next-hop 10.0.21.2;
        }
    }
}
Internet Processor II Functionality
at Egress PE Router
Starting with Release 5.2, vrf-table-label option in VRF
configuration
Uses LSP sub-interface (LSI) abstract
Creates an LSI that maps to each VRF
Supported core-facing interfaces map reserved MPLS labels to
each VRF LSI
Allows FPC I/O manager ASIC to strip VRF label and map
packets to correct VRF
Internet Processor II can now perform key lookup on IP packet
Requires that core-facing interfaces be non-channelized and
configured for HDLC/PPP encapsulation
Not supported for MP-BGP-Labeled routes (carrier of carriers
/interprovider)
Operational display changes
Traffic Path for PE-PE Pings
[Figure: the sample Layer 3 VPN topology (CE A, HK, P1, P2, AM, CE B) with the path taken by PE-PE pings]
CE-CE-Based Traceroute
Core router hops are hidden because outer label's TTL is set to 255
lab@CE-a# traceroute 192.168.28.1
traceroute to 192.168.28.1 (192.168.28.1), 30 hops max, 40 byte packets
 1  10.0.21.1 (10.0.6.1)  0.444 ms  0.352 ms  0.341 ms
 2  10.0.24.2 (10.0.3.7)  0.769 ms  0.702 ms  0.694 ms
     MPLS Label=100000 CoS=0 TTL=1 S=1
 3  192.168.28.1 (192.168.28.1)  0.483 ms  0.440 ms  0.431 ms
Ping/Traceroute Summary
Key review points regarding PE-CE ping and traceroute
testing:
The vpn-interface switch is needed when testing VPN
connectivity from PE routers
Multi-access links require special steps to ensure the
VRF interface is a labeled route
Without these steps, traffic cannot be sourced from the VRF interface
JUNOS software Release 4.4 requires /30 static routes
With JUNOS Software Release 5.0, the PE router can simply redistribute the direct route associated with the VRF interface; this requires at least one other route (dynamic/static) pointing to the CE device
Inclusion of local/source switch when PE router
originates traffic determines core vs. PE-CE hops
Can test proper PE-CE VRF interface functionality locally
Can verify core using standard tools--PE-PE VRF pings
are not really necessary
Examining Routes in a VRF
JUNOS software allows the viewing of a VRF with the show
route table vpn-name command
VRFs contain:
The matching routes learned from remote PE routers
Routes learned over the PE-CE link or static routing entries
The bgp.l3vpn.0 table contains all routes learned from other
PE routers with at least one matching route target
Functions as a RIB-In for VPN routes
NLRI updates that do not match at least one VRF are discarded
keep all is useful for troubleshooting route target-related problems; use it only for troubleshooting!
The show route protocol bgp command displays all BGP
routes in all RIBs
Output can be filtered by providing a prefix/mask or by piping
to match or find
Viewing the Route Table: Example 2
lab@Hong-Kong> show route table vpna 172.20.4.0 detail
192.168.16.1:1:172.20.0.0/24
    *[BGP/170] 14:28:30, localpref 100, from 192.168.5.1
       AS path: 65000 I
     > to 10.0.0.2 via fe-0/0/0.0, label-switched-path HK
192.168.16.1:1:172.20.1.0/24
    *[BGP/170] 14:28:30, localpref 10, from 192.168.5.1
       AS path: 65000 I
     > to 10.0.0.2 via fe-0/0/0.0, label-switched-path HK
192.168.16.1:1:172.20.2.0/24
    *[BGP/170] 14:28:30, localpref 100, from 192.168.5.1
       AS path: 65000 I
     > to 10.0.0.2 via fe-0/0/0.0, label-switched-path HK
Viewing Routes Sent to Other
PE Routers
Use the show route advertising-protocol bgp peer-address command
Viewing a VPN Forwarding Table
Use the show route forwarding-table vpn vpn-name command
lab@Hong-Kong> show route forwarding-table vpn vpna
Routing table: vpna.inet
Internet:
Destination Type RtRef Nexthop Type Index NhRef Netif
default perm 0 dscd 6 1
10.0.21.0/24 intf 0 recv 51 1 fe-0/0/0.0
10.0.21.0/32 dest 0 10.0.21.0 recv 49 1 fe-0/0/0.0
10.0.21.1/32 intf 0 10.0.21.1 locl 50 2
10.0.21.1/32 dest 0 10.0.21.1 locl 50 2
10.0.21.2/32 dest 1 0:d0:b7:3f:af:73 ucst 52 8 fe-0/0/0.0
10.0.21.255/32 dest 0 10.0.21.255 bcst 48 1 fe-0/0/0.0
10.0.29.0/24 user 0 10.0.16.2 Push 100008, fe-0/0/1.0
172.20.0.0/24 user 0 10.0.21.2 ucst 52 8 fe-0/0/0.0
172.20.1.0/24 user 0 10.0.21.2 ucst 52 8 fe-0/0/0.0
172.20.2.0/24 user 0 10.0.21.2 ucst 52 8 fe-0/0/0.0
172.20.3.0/24 user 0 10.0.21.2 ucst 52 8 fe-0/0/0.0
172.20.4.0/24 user 0 10.0.16.2 Push 100000, Push 100008(top) fe-0/0/1.0
172.20.5.0/24 user 0 10.0.16.2 Push 100000, Push 100008(top) fe-0/0/1.0
172.20.6.0/24 user 0 10.0.16.2 Push 100000, Push 100008(top) fe-0/0/1.0
172.20.7.0/24 user 0 10.0.16.2 Push 100000, Push 100008(top) fe-0/0/1.0
192.168.20.1/32 user 0 10.0.21.2 ucst 52 8 fe-0/0/0.0
192.168.26.1/32 user 0 10.0.16.2 Push 100000, Push 100008(top) fe-0/0/1.0
Monitoring PE-CE BGP Operation
Use the standard BGP CLI operational mode
commands:
show bgp neighbor ce
show bgp summary
show route advertising-protocol bgp ce
show route receiving-protocol bgp ce
show route protocol bgp source-gateway ce
Standard JUNOS software tracing options available for
PE-CE routing instance
Differences between Kompella and Martini
                     Kompella     Martini
Auto Provisioning    BGP Based    Not Defined
Layer 2 Provider-Provisioned
MPLS-Based VPNs
Provider edge device delivers Layer 2 circuit IDs (DLCI, VPI/VCI, or VLAN ID) to the customer
Customer sees standard Layer 2 circuit identifiers
for each reachable site
PE router maps circuit IDs to and from MPLS
LSPs for transport over the provider core
Can use label stacking to improve scalability
Customer maps its own routing architecture to
the circuit mesh
Customer routes are transparent to provider
Separation of administrative responsibility
Standards for Layer 2 VPNs
Two proposals:
Draft-Kompella
draft-kompella-mpls-l2vpn-02.txt
Draft-Martini
draft-martini-l2circuit-trans-mpls-06.txt
draft-martini-l2circuit-encap-mpls-02.txt
Proposals are similar in data plane
Both support a wide range of Layer 2 technologies
Proposals are different in control plane
[Figure: CE routers of VPN A (Frame Relay access) and VPN B (ATM access) attach to PE routers; P routers form the provider core. The same topology is repeated on the next two slides to highlight each role.]
Provider Edge Routers
Provider Routers
Draft-Kompella: VPN Forwarding Tables (VFTs)
A VFT is created for each CE connected to the PE
[Figure: PE 1, PE 2 and PE 3 connect the CE routers of VPN A (sites 1 to 3) and VPN B (sites 1 and 2) across P routers, with ATM access circuits]
Draft-Kompella: VPN Connection Tables (VCT)
A VCT is distributed for each VPN site to PEs
[Figure: PE-1 and PE-2, each holding one VFT per attached CE, joined by a BGP session / LDP]
Draft-Kompella: Provisioning the Network
[Figure: VPN A (sites 1 to 3) and VPN B (sites 1 and 2) attached to PE 1, PE 2 and PE 3 over Frame Relay]
Draft-Kompella: Provisioning Customer Site on PE
CE-4 DLCIs: 63, 75, 82, 94
CE-4 Routing Table
In      Out
10/8    DLCI 63
20/8    DLCI 75
30/8    DLCI 82
-       DLCI 94
List of DLCIs: one for each remote CE, some spare for over-
provisioning
DLCIs independently numbered for each CE
LMI, inverse ARP and/or routing protocols for auto-
discovery and learning addresses
No changes as VPN membership changes
Until over-provisioning runs out
Draft-Kompella: Provisioning Customer Site on PE
A VFT is provisioned at each PE for each local CE
CE4 VFT
Imp/Exp RT     RT1
CE ID          4
CE4 VCT
CE Range       4
Label Base     1000
Sub-int IDs    Label
63
75
82
94
Sub-interface IDs list : set of local sub-interface IDs (DLCIs) assigned for the CE-PE
connection
The PE assigns the reserved labels to the sub-interface IDs
Draft-Kompella: Provisioning Customer Site on PE
[Figure: PE-1 and PE-2, each holding one VFT per attached CE; Frame Relay access circuits]
CE4 VFT
Imp/Exp RT     RT1
CE ID          4
CE Range       4
Label base     1000
Sub-int IDs    Label
63             1000    CE4's DLCI to CE0; label used to reach CE4 from CE0
75             1001    CE4's DLCI to CE1; label used to reach CE4 from CE1
82             1002    CE4's DLCI to CE2; label used to reach CE4 from CE2
94             1003    CE4's DLCI to CE3; label used to reach CE4 from CE3
Draft-Kompella: Distributing VCTs
Uses BGP
Auto-discovery of members
Auto-assignment of inter-member circuits
BGP Route Target communities + route filtering (based
on Route Target) to configure VPN topologies
Draft-Kompella: Distributing VCTs
[Figure: PE-1 and PE-2 exchange VCTs over a BGP session; CE-2 attaches to PE-1 on Frame Relay DLCI 414 and CE-4 attaches to PE-2 on Frame Relay DLCI 82]
CE2 VFT
Sub-int IDs    CE ID    Inner Label
107            1        7500
209            2        5020
265            3        9350
414            4        1002    Label used to reach CE4
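How the label 1002 in the CE2 VFT follows from CE4's advertised label base, as an added example that is not part of the course material. It uses the values on these slides (CE ID 4, CE range 4, label base 1000, sub-interfaces 63, 75, 82, 94, DLCI 414, outer label 500) and assumes that the block covers remote CE IDs starting at 0, as the CE0 to CE3 rows do; the class and function names are hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class LabelBlock:
    """What the PE advertises in BGP for one local CE (the VCT on the slides)."""
    ce_id: int
    label_base: int
    ce_range: int
    offset: int = 0  # assumption: first remote CE ID covered by the block

    def label_for(self, remote_ce_id: int) -> int:
        """Label a remote CE's PE pushes to reach this CE."""
        index = remote_ce_id - self.offset
        if not 0 <= index < self.ce_range:
            # Over-provisioning has run out: no label is reserved for this CE.
            raise LookupError(
                f"CE{remote_ce_id} is outside the range advertised by CE{self.ce_id}")
        return self.label_base + index


def egress_vft(block: LabelBlock, subifs: list) -> dict:
    """Egress PE: map each reserved label to the local sub-interface (DLCI)."""
    if len(subifs) < block.ce_range:
        raise ValueError("fewer sub-interfaces than labels in the block")
    return {block.label_base + i: subifs[i] for i in range(block.ce_range)}


def ingress_entry(local_ce_id: int, dlci: int, remote: LabelBlock, outer: int) -> dict:
    """Ingress PE: VFT row built from a remote CE's advertised label block."""
    return {
        "dlci": dlci,
        "remote_ce": remote.ce_id,
        "inner": remote.label_for(local_ce_id),
        "outer": outer,
    }


def forward(dlci_in: int, ingress_vft: dict, egress: dict):
    """Return (label stack pushed at ingress, DLCI used at egress).

    The outer label only carries the frame across the core and is popped at
    the penultimate hop; the egress PE selects the DLCI from the inner label.
    """
    row = ingress_vft[dlci_in]
    stack = [row["outer"], row["inner"]]  # top of stack first
    return stack, egress[row["inner"]]


# Values taken from the slides.
CE4_BLOCK = LabelBlock(ce_id=4, label_base=1000, ce_range=4)
CE4_SUBIFS = [63, 75, 82, 94]


def slide_example():
    """CE2 (DLCI 414 on PE-1) sending to CE4 on PE-2 over the LSP with label 500."""
    row = ingress_entry(local_ce_id=2, dlci=414, remote=CE4_BLOCK, outer=500)
    return forward(414, {414: row}, egress_vft(CE4_BLOCK, CE4_SUBIFS))


if __name__ == "__main__":
    print(egress_vft(CE4_BLOCK, CE4_SUBIFS))
    print(slide_example())
```

A CE whose ID falls outside the advertised range gets no circuit until the block is re-provisioned, which is the "until over-provisioning runs out" limit noted earlier.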
Draft-Kompella: Updating VFTs
CE2 VFT
Sub-int IDs    CE ID    Inner Label    Outer Label
107            1        7500
209            2        5020
265            3        9350
414            4        1002           500    LSP to PE-2
[Figure: a packet from CE-2 enters PE-1 on DLCI 414]
Draft-Kompella: Data Flow
PE-1
1) Lookup DLCI in Red VFT
2) Push VPN label (1002)
3) Push IGP label (500)
[Figure: the packet leaves PE-1 carrying IGP label (500) on top of site label (1002); further into the core the IGP label is shown as (z) and the site label is unchanged]
Penultimate: Pop top label
[Figure: PE-2 delivers the packet to CE-4 on DLCI 82]
Draft-Kompella: Configuration Complexity
Draft-Kompella: Supported Layer 2 Technologies
Frame Relay
ATM AAL5 CPCS Mode
ATM Transparent Cell Mode
Ethernet
Ethernet VLAN
Cisco HDLC
PPP
Preliminary Layer 2 VPN Configuration
Preliminary steps for P and PE routers:
1. Choose and configure the IGP
2. Configure MP-IBGP peering among PE routers
Must include l2-vpn NLRI capability
3. Enable MPLS and the desired MPLS signaling
protocol(s) on P and PE routers
4. Establish LSPs between PE routers
LSP establishment automatic for LDP
The BGP next hop associated with the VPN NLRI must
equal the host ID of the LSP's endpoint
PE routers perform all VPN-related
configuration
MP-IBGP Peering Example
lab@Amsterdam> show bgp neighbor
Peer: 192.168.16.1+1037 AS 65412 Local: 192.168.24.1+179 AS 65412
Type: Internal State: Established Flags: < >
Last State: OpenConfirm Last Event: RecvKeepAlive
Last Error: None
Options: <Preference LocalAddress HoldTime AddressFamily Rib-group Refresh>
Address families configured: inet-unicast l2vpn
Local Address: 192.168.24.1 Holdtime: 90 Preference: 170
Number of flaps: 0
Peer ID: 192.168.16.1 Local ID: 192.168.24.1 Active Holdtime: 90
Keepalive Interval: 30
NLRI advertised by peer: inet-unicast inet-multicast l2vpn
NLRI for this session: inet-unicast l2vpn
Peer support Refresh capability (2)
Table inet.0 Bit: 10000
Send state: in sync
Active prefixes: 0
Received prefixes: 0
Suppressed due to damping: 0
Table bgp.l2vpn.0 Bit: 30000
Send state: in sync
Active prefixes: 1
Received prefixes: 1
Suppressed due to damping: 0
Table vpna.l2vpn.0 Bit: 50000
Send state: in sync
Active prefixes: 1
Received prefixes: 1
147
148
The Circuit Status Vector
[Figure labels: F5 RDI Cells; Layer 2 NLRI with updated CSV]
149
Layer 2 information
Control flags indicate:
If sequencing is required
Whether the Martini control word is required
MTU field describes the VPN's MTU
All members of a VPN must use the same MTU, because a mismatched MTU causes the NLRI to be ignored
150
Layer 2 VPN Configuration Overview
151
Network characteristics
Interface addressing is 10.0.x/24 (except loopbacks)
IGP is single area OSPF
RSVP signaling between PE devices, LSPs established between PE routers (CSPF not required)
Full MP-IBGP mesh between PE routers, lo0 peering, l2-vpn NLRI
CEs run OSPF
Full-mesh Layer 2 VPN between CE-1 and CE-2
Actual lab topology will differ; this is a sample network
152
Create a Layer 2 VPN Routing Instance
VRFs are created at the [edit routing-instances] configuration hierarchy
Selecting instance-type l2vpn creates a VFT instance type
153
154
Sample Layer2 VRF Import Policy
156
Layer 2 VPN Extended BGP Communities
157
158
Default Site Association Rules
Example 2: site 6
encapsulation-type ethernet-vlan;
site ce-6 {
    site-identifier 6;
    interface fe-0/0/0.0;    # default remote site identifier = site 1
    interface fe-0/0/0.1;    # default remote site identifier = site 2
}
159
160
Remote Site Identifier Example: 2
Both examples produce equivalent connectivity and label range
……..
l2-vpn {
    encapsulation-type ethernet-vlan;
    site ce-3 {
        site-identifier 3;
        interface fe-0/0/0.0;    # default RSI = 1
        interface fe-0/0/0.1;    # default RSI = 2
……..
l2-vpn {
    encapsulation-type ethernet-vlan;
    site ce-3 {
        site-identifier 3;
        interface fe-0/0/0.0 {
            remote-site-id 2;
        }
        interface fe-0/0/0.1 {
            remote-site-id 1;
……..
161
162
Interface Configuration: Example 1
# Sample Gigabit Ethernet
ge-0/1/0 {
    vlan-tagging;
    encapsulation vlan-ccc;
    unit 1 {
        encapsulation vlan-ccc;
        vlan-id 515;
    }
    unit 2 {
        encapsulation vlan-ccc;
        vlan-id 525;
    }
}
# Sample Fast Ethernet
fe-1/0/1 {
    vlan-tagging;
    encapsulation vlan-ccc;
    unit 0 {
        encapsulation vlan-ccc;
        vlan-id 513;
    }
}
163
164
Expanding Layer 2 VPN Membership: Part 1
[Figure: lab topology. Labels: Provider Core, OSPF Area 0, AS 65412; PE routers AM and HK; core routers P1 and P2; loopbacks Lo0:192.168.24.1 and Lo0:192.168.14.1; CE attachments on fe-0/0/0.0, fe-0/0/0.1 and fe-0/0/1]
165
166
Expanding Layer 2 VPN Membership: Part 3
Hong Kong VPN interface and Layer 2 configuration (site 1)
[edit interfaces]
lab@hk-pe# show fe-0/0/0
vlan-tagging;
encapsulation vlan-ccc;
unit 0 {
    encapsulation vlan-ccc;
    vlan-id 512;
}
unit 1 {
    encapsulation vlan-ccc;
    vlan-id 513;
}
lab@hk-pe# show routing-instances
vpn-a {
    instance-type l2vpn;
    interface fe-0/0/0.0;
    interface fe-0/0/0.1;
    route-distinguisher 192.168.16.1:1;
    vrf-import vpna-import;
    vrf-export vpna-export;
    protocols {
        l2vpn {
            encapsulation-type ethernet-vlan;
            site ce-1 {
                site-identifier 1;
                interface fe-0/0/0.0;    # default site 2 association
                interface fe-0/0/0.1;    # associated with site 3 through inheritance
            }
        }
    }
}
167
168
Expanding Layer 2 VPN Membership: Part 5
Amsterdam VPN interface and Layer 2 configuration (sites 2 and 3)
[edit routing-instances vpna]
lab@Amsterdam# show
instance-type l2vpn;
interface fe-0/0/0.0;
interface fe-0/0/0.1;
interface fe-0/0/3.0;
interface fe-0/0/3.1;
route-distinguisher 192.168.24.1:1;
vrf-import vpna-import;
vrf-export vpna-export;
.
.
.
protocols {
    l2vpn {
        encapsulation-type ethernet-vlan;
        # slide callout at site ce-2: default association with site 3
        site ce-2 {
            site-identifier 2;
            interface fe-0/0/0.0;
            interface fe-0/0/0.1;
        }
        # slide callout at site ce-3: association with site 1 and site 2
        # (note interface ordering: LU 1 is listed before LU 0)
        site ce-3 {
            site-identifier 3;
            interface fe-0/0/3.1;
            interface fe-0/0/3.0;
        }
    }
}
169
170
The Results: Part 2
lab@Amsterdam# show l2vpn connections
L2VPN Connections:
Instance: vpna
Local site: 2 (ce-2)
offset: 1, range: 3, label-base: 32768
connection-site Type St Time last up # Up trans
3 (3) loc Up Jul 18 20:45:46 2001 1
Local circuit: fe-0/0/0.1, Status: Up
Remote circuit: fe-0/0/3.0, Status: Up
1 rmt Up Jul 18 21:47:25 2001 1
Local circuit: fe-0/0/0.0, Status: Up
Remote PE: 192.168.16.1
Incoming label: 32768, Outgoing label: 32769
Local site: 3 (ce-3)
offset: 1, range: 2, label-base: 33792
connection-site Type St Time last up # Up trans
2 (ce-b) loc Up Jul 18 20:45:46 2001 1
Local circuit: fe-0/0/0.1, Status: up
Remote circuit: fe-0/0/3.0, Status: up
1 rmt Up Jul 18 21:47:25 2001 1
Local circuit: fe-0/0/3.1, Status: Up
Remote PE: 192.168.16.1
Incoming label: 33792, Outgoing label: 32770
171
Layer 2 Interworking
Site 2
AS 65412
172
Layer 2 VPN Troubleshooting: Overview
Best to take a layered approach
Core vs. PE/CE problems
Core problems often indicated by inability to establish BGP sessions or PE-PE LSPs
Physical layer, data-link layer, IGP, BGP, MPLS, VPN configuration and import/export policies
Added difficulty caused by inability to conduct PE-CE ping testing
Can be difficult to determine operational status of PE-CE link
Ethernet does not support data-link layer keepalives
PPP and HDLC keepalives operate end-to-end
Frame Relay LMI and ATM OAM can be used to verify PE-CE link integrity
Watch for mismatched DLCIs/VCIs/VLAN IDs on PE-CE link
VLAN IDs must be the same end to end
Support for end-to-end DLCI/VCI circuit status indications
One PE router can show a Layer 2 connection as up, while the remote end indicates no l2vpn connections found
Release 5.1 adds end-to-end status indication
173
VLAN-Based L2 VPN Encapsulation Example
174
Troubleshooting: A Layered Approach
[Figure: CE devices, PE routers HK and AM, and core routers P1 and P2 in the provider core]
PE-CE problems (for example: circuit ID)
Core problems: IGP, MPLS (RSVP/LDP), IBGP
CE-CE problems (for example: policy, routing protocol, addressing, MTU)
175
PE-PE Troubleshooting
Is the core IGP operational?
Are the PE-PE BGP sessions established?
Layer 2 VPN family?
Are the RSVP/LDP LSPs established between PE routers?
BGP next hop equal to LSP egress?
Do any hidden routes exist?
Might not show up as hidden on later software versions
176
PE-CE Troubleshooting
Is the physical layer up?
Physical layer alarms
Frame Relay LMI/ATM ILMI and OAM cells
Lack of IP connectivity between PE-CE makes conventional troubleshooting problematic
Are compatible circuit IDs provisioned?
Pings and CE access (Telnet) require OOB access
Separate interface or LU with compatible IP addressing
177
CE-CE-Based Traceroute
Core router hops are hidden because the outer label's TTL is set to 255
[edit]
test@ce-a# run traceroute 192.168.28.1
traceroute to 192.168.28.1 (192.168.28.1), 30 hops max, 40 byte packets
1 192.168.28.1 (192.168.28.1) 0.495 ms 0.385 ms 0.370 ms
179
180
Sample l2vpn connections Output
lab@hk> show l2vpn connections extensive
L2VPN Connections:
Instance: vpn-a
Local site: ce-a (1)
Interface name Remote Site ID
fe-0/0/0.0 2
Label Base Offset Range
32768 1 2
connection-site type St Time Last UP # Up trans
2 rmt Up Aug 3 00:08:14 2001 1
Local circuits: fe-0/0/0.0, Status: Up
Remote PE: 192.168.24.1
Incoming label: 32769, Outgoing label: 32768
Time Event Interface/Lbl/PE
Aug 3 00:08:14 2001 PE route Up
Aug 3 00:08:14 2001 Out lbl Update 32768
Aug 3 00:08:14 2001 In lbl Update 32769
Aug 3 00:08:14 2001 cktO up fe-0/0/0.0
3 rmt OR
181
182
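The label values and the OR (out of range) status in the outputs above can be reproduced with the label-block arithmetic of the Kompella draft. This is an added example, not code from the course or from JUNOS; the formula label = label-base + remote site ID - offset is taken from the draft rather than from these slides, and the Hong Kong range of 3 in the three-site case and the OL mapping are assumptions.

```python
"""Label-block arithmetic and default site association for BGP-signaled L2 VPNs."""
from dataclasses import dataclass


@dataclass(frozen=True)
class LabelBlock:
    """One advertised label block; it covers site IDs offset .. offset+size-1."""
    site_id: int      # site that advertises the block
    label_base: int
    offset: int
    size: int         # shown as "range" in the CLI output

    def covers(self, remote_site: int) -> bool:
        return self.offset <= remote_site < self.offset + self.size

    def label_for(self, remote_site: int) -> int:
        """Label that remote_site must push to reach this block's site."""
        if not self.covers(remote_site):
            raise ValueError(f"site {remote_site} is outside the block")
        return self.label_base + remote_site - self.offset


def connection(local: LabelBlock, remote: LabelBlock):
    """Return (status, incoming_label, outgoing_label) for one site pair."""
    if not local.covers(remote.site_id):
        return ("OR", None, None)   # remote site ID outside the local block
    if not remote.covers(local.site_id):
        # Assumption: modelled as OL (no outgoing label) from the status legend.
        return ("OL", local.label_for(remote.site_id), None)
    return ("Up", local.label_for(remote.site_id), remote.label_for(local.site_id))


def default_remote_sites(local_site: int, interfaces: list) -> dict:
    """Default association: interfaces, in configured order, map to site IDs
    1, 2, 3, ... skipping the local site's own identifier."""
    mapping, candidate = {}, 1
    for ifname in interfaces:
        if candidate == local_site:
            candidate += 1
        mapping[ifname] = candidate
        candidate += 1
    return mapping


# Blocks taken from the Amsterdam output; the Hong Kong range is an assumption.
AM_SITE2 = LabelBlock(site_id=2, label_base=32768, offset=1, size=3)
AM_SITE3 = LabelBlock(site_id=3, label_base=33792, offset=1, size=2)
HK_SITE1 = LabelBlock(site_id=1, label_base=32768, offset=1, size=3)

if __name__ == "__main__":
    print(connection(AM_SITE2, HK_SITE1))
    print(connection(AM_SITE3, HK_SITE1))
    # Two-site block from the "show l2vpn connections extensive" sample:
    hk_small = LabelBlock(site_id=1, label_base=32768, offset=1, size=2)
    print(connection(hk_small, AM_SITE3))
    print(default_remote_sites(3, ["fe-0/0/3.1", "fe-0/0/3.0"]))
```

A site ID that collides with, or falls outside, the advertised range is a provisioning error worth checking before looking at the core.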
show route table Command: Example 1
lab@hk-pe> show route table vpn-a
192.168.16.1:1:1:1/96
*[VPN/7] 05:48:27
Discard
192.168.24.1:1:2:1/96
*[BGP/170] 00:02:53, localpref 100, from 192.168.24.1
AS path: I
> to 10.0.16.2 via fe-0/0/1.0, label-switched-path am
192.168.24.1:1:3:1/96
*[BGP/170] 00:02:53, localpref 100, from 192.168.24.1
AS path: I
> to 10.0.16.2 via fe-0/0/1.0, label-switched-path am
183
*L2VPN Preference: 7
Next hop type: Discard
State: <Active Int>
Local AS: 65412
Age: 53:10
Task: L2VPN global
AS path: I
Communities: Layer2 Info: encaps:VLAN, control flags:0, mtu: 0
Label-base : 800000, range : 2, status-vector : 0x80
184
show route table Command: Example 2
lab@hk-pe> show route table vpn-a detail | find 192.168.24.1:1:2:1/96
192.168.24.1:1:2:1/96 (1 entry, 1 announced)
*BGP Preference: 170/-101
Route Distinguisher: 192.168.24.1:1
Source: 192.168.24.1
Nexthop: 10.0.16.2 via fe-0/0/1.0, selected
label-switched-path am
Push 100067
Protocol Nexthop: 192.168.24.1, Indirect nexthop: 84cfc38 39
State: <Secondary Active Int Ext>
Local AS: 65412 Peer AS: 65412
Age: 4:56 Metric2: 3
Task: BGP_65412.192.168.24.1+1028
Announcement bits (1): 0-vpn-a-OSPF
AS path: I
Communities: target:65412:200 Layer2 Info: encaps:VLAN, control flags:0, mtu: 0
Label-base : 800000, range : 1, status-vector : 0x80
Localpref: 100
Router ID: 192.168.0.1
Primary Routing Table bgp.l2vpn.0
185
192.168.24.1:1:4:1/96
*[BGP/170] 01:08:58, localpref 100, from 192.168.24.1
AS path: I
> to 10.0.16.2 via fe-0/0/1.0, label-switched-path am
186
Viewing Routes Sent to Other PE Routers
Use the show route advertising-protocol bgp peer-address command
187
190
Tracing Layer 2 VPNs
Tracing options for layer 2 VPNs
lab@hk-pe# set traceoptions flag ?
Possible completions:
all Trace everything
connections Trace L2VPN connections
error Trace errors
nlri Trace L2VPN remote site advertisements
route Trace L2VPN PE routes
topology Trace L2VPN topology changes
191
[Figure: VPN A and VPN B sites attached to a provider network. Labels: PE 1, PE 3, P routers, CE-B1, CE-B2, CE-A3, Site 1, Site 3]
VPLS Acronyms
[Figure: CPE at Site A and CPE at Site B, each connected by an attachment circuit to a PE; the VPLS instances on the two PEs are joined by an emulated tunnel across the provider IP network]
194
VPLS Operations
Control Plane
VPN Discovery
Discover who are the PE members of a given VPN
VPN Signaling
Setup and teardown of the pseudo-wires between
VPLS instances that constitute the VPLS Domain
Forwarding Plane
MAC Learning and Packet Forwarding
MAC Aging
MAC Flushing
195
[Figure labels: PE B with interfaces if 1 and if 2; VPLS RED instance 3; Rx VC Label Y / Tx VC Label Z for VPLS instance B]
196
VPLS Operations
Control Plane
VPN Auto-Discovery
Auto-discovery can be done by BGP
IETF proposals to extend DNS or RADIUS for auto-discovery
VPN Signaling
Demultiplexors can be signaled
by targeted LDP (draft-lasserre-vkompella-ppvpn-vpls)
» O(N^2) LDP sessions are an operational challenge
by BGP (draft-kompella-ppvpn-vpls)
A single MP-BGP NLRI supports both Auto-Discovery and Signaling
Using two different protocols for Auto-Discovery and Signaling means:
More complex to debug
More complexity and inter-protocol interactions
More protocol state in the network
197
198
VPLS Control Plane Functionality with MP-BGP
Using BGP for VPN Auto-discovery and Signaling provides the following benefits
199
PE VCT Provisioning
[Figure: CE-2 (Site 2, VLAN 10) on PE-2 and CE-3 (Site 3, VLAN 10) on PE-3, each PE holding a VFT; LSP 640 and LSP 320 connect the PEs]
               Site 2 VCT     Site 3 VCT
Route Dist     100:1.2.3.2    100:1.2.3.3
VE ID          2              3
Sites          20             20
Label base     2000           3000
Route Target   RED            RED
200
VPLS Forwarding Table
[Figure: CE-2 (Site 2, VLAN 10) on PE-2 and CE-3 (Site 3, VLAN 10) on PE-3, each PE holding a VFT; LSP 640 and LSP 320 connect the PEs]
201
VPLS Auto-discovery & Signaling
[Figure: MP-iBGP session between PE-2 and PE-3; CE-2 (Site 2, VLAN 10) on PE-2 and CE-3 (Site 3, VLAN 10) on PE-3, each PE holding a VFT; LSP 640 and LSP 320 connect the PEs]
               Site 2 VCT NLRI   Site 3 VCT NLRI
Route Dist     100:1.2.3.2       100:1.2.3.3
VE ID          2                 3
Sites          20                20
Label base     2000              3000
Route Target   RED               RED
Next Hop       PE-2              PE-3
PE-2 receives BGP NLRI from PE-3 for RED VPLS instance site 3
203
VPLS Auto-discovery & Signaling
[Figure: MP-iBGP session between PE-2 and PE-3; same topology as the previous slide]
A full mesh of pseudo-wires is set up between all the VPLS instances for VPLS RED
204
VPLS Operations
Control Plane
VPN Discovery
Discover who are the PE members of a given VPN
Manual
Automatic
VPN Signaling
Forwarding Plane
MAC Learning and Packet Forwarding
Each PE learns MAC addresses on its own
Learned MAC addresses are not distributed/signaled
Qualified : one FDB per VLAN per VPLS
Unqualified : one FDB per port
MAC Aging
205
[Figure: CE-2 (Site 2, VLAN 10) on PE-2 and CE-3 (Site 3, VLAN 10) on PE-3, with host X; LSP 640 and LSP 320 connect the PEs]
X sends a packet
Packet formats shown:
Tunnel label 320 | VC label 2003 | L2 Ethernet frame with source MAC X (minus preamble, minus checksum)
VC label 2003 | L2 Ethernet frame with source MAC X (minus preamble, minus checksum)
If the destination address is unknown, the packet is "flooded" to the VPLS domain
'Split Horizon' forwarding scheme
Encapsulation is as per draft-martini-encaps
206
VPLS MAC Learning: Forwarding to an Unknown MAC Address
[Figure: same topology, with host X on VLAN 10]
X sends a packet
207
Broadcast Storms
PEs should rate-limit the flooding of packets to unknown addresses
Possible that the source MAC address is never learned
PEs should rate-limit broadcasting
Limit damage due to broadcast storms
PEs should consider rate-limiting multicast traffic (IGMP snooping, static MAC multicast filters …)
208
VPLS MAC Learning: Forwarding to a Known MAC Address
[Figure: same topology, with hosts X, Y and Z on VLAN 10]
Z sends a packet to X
209
[Figure: same topology, with hosts X, Y and Z on VLAN 10]
Unicast to MAC X
[Figure: same topology, with hosts X, Y and Z on VLAN 10]
Periodically age out unused entries from the MAC address cache
MAC address cache should be limited by VPLS instance (configurable)
211
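The forwarding-plane rules from the preceding slides (per-PE learning, flooding of unknown destinations, split horizon, aging and a per-instance MAC limit) can be modelled as follows. This is an added example, not JUNOS code: the port names, the MAC addresses and the choice to keep forwarding frames from sources that could not be learned are constructed assumptions.

```python
"""Toy model of one PE's VPLS instance: learn, flood, split horizon, age, limit."""
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"
MAC_X, MAC_Y, MAC_Z = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:0c"


@dataclass
class VplsInstance:
    local_ports: set                 # attachment circuits toward CEs
    pseudowires: set                 # pseudowires toward remote PEs
    mac_limit: int = 1024            # per-instance cap on learned MACs
    age_limit: float = 300.0         # idle seconds before an entry is aged out
    fdb: dict = field(default_factory=dict)   # MAC -> (port, last_seen)
    learn_refused: int = 0           # grows when the cap is hit; worth alerting on

    def _age_out(self, now):
        stale = [m for m, (_, seen) in self.fdb.items() if now - seen > self.age_limit]
        for mac in stale:
            del self.fdb[mac]

    def _learn(self, src, port, now):
        # Known sources are refreshed (or moved); new ones only while under the cap.
        if src in self.fdb or len(self.fdb) < self.mac_limit:
            self.fdb[src] = (port, now)
        else:
            self.learn_refused += 1

    def receive(self, src, dst, in_port, now):
        """Process one frame and return the sorted list of output ports."""
        self._age_out(now)
        self._learn(src, in_port, now)
        from_core = in_port in self.pseudowires
        entry = None if dst == BROADCAST else self.fdb.get(dst)
        if entry is not None:                      # known unicast
            out = entry[0]
            if out == in_port or (from_core and out in self.pseudowires):
                return []                          # no hairpin, no PW-to-PW
            return [out]
        targets = set(self.local_ports)            # unknown or broadcast: flood
        if not from_core:
            targets |= self.pseudowires            # split horizon otherwise
        targets.discard(in_port)
        return sorted(targets)


def demo():
    """Replay a constructed frame sequence on PE-2; return (results, instance)."""
    pe2 = VplsInstance({"ce-2"}, {"pw-pe3", "pw-pe15"}, mac_limit=2)
    results = [
        pe2.receive(MAC_X, MAC_Z, "pw-pe3", now=0),    # Z unknown: flood locally only
        pe2.receive(MAC_Z, MAC_X, "ce-2", now=1),      # X known: unicast
        pe2.receive(MAC_Y, MAC_X, "ce-2", now=2),      # table full: Y not learned
        pe2.receive(MAC_X, MAC_Y, "pw-pe3", now=3),    # so traffic to Y is flooded
        pe2.receive(MAC_Z, MAC_X, "ce-2", now=400),    # X aged out: flood again
    ]
    return results, pe2


if __name__ == "__main__":
    for step, ports in enumerate(demo()[0], 1):
        print(step, ports)
```

The third and fourth frames show why the limit matters: once the table is full, further sources are never learned and traffic to them is flooded, which is the load the Broadcast Storms slide asks PEs to rate-limit.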
Dual-homed CPE
[Figure: CE-2 at Site 2 (VLAN 10) dual-homed across the provider network of P routers; PE-2, PE-3 and PE-15 each hold a VFT; CE-3 at Site 3 (VLAN 10); hosts X, Y and Z]
212
Summary
Customers want:
IP VPNs (RFC 2547 VPN)
Point-to-point Layer 2 VPNs
Virtual Private LAN Service (VPLS)
Configuration of VPLS
VPN Connection Table (VCT) is configured on the PEs per VPLS instance with:
VPN Connection Table (VCT)
Route Distinguisher (RD 1234:5.6.7.8): defines unique VCT
VPLS Edge ID (VE ID 3): one per VPLS instance per PE, irrespective of how many local ports belong to that VPLS
Number of sites (# sites 20): estimated total number of PEs which have sites belonging to that VPLS
214
Configuration Fragment for VPLS
routing-instances vpnA {                     // Configuration for VPN A
    instance-type vpls;                      // vpls
    interface ge-0/0/0.0;                    // multipoint Ethernet interface
    route-distinguisher 1234:5.6.7.8;
    route-target 1234:8765;                  // set Route Target to 1234:8765
    protocols {                              // PE-CE protocol
        vpls {
            site-range 20;
            site CE-A3 {
                site-identifier 3;
            }
        }
    }
}
215
216
Sample VPLS Topology
[Figure: PE1, PE2 and PE3 around an MPLS core (addresses shown: 192.168.1.7, 192.168.1.10, 192.168.1.9); CE site-id 20 and CE site-id 2 reach workstations through Layer 2 switches; workstation MAC addresses shown: 00:12:1e:17:f8:00, 00:02:b3:15:ff:f2, 00:12:1e:1a:90:41]
217
Baseline Configuration
P and PE
Create label-switched path (LSP) between the Provider Edge (PE) routers
Either with RSVP or LDP
PE
Set up BGP peer with family l2vpn for VPLS route exchange
Can use LDP as a signaling protocol as well
PE-CE
Create VPLS routing instance
218
Baseline Configuration
219
Baseline Configuration
[edit]
admin@PE1# show routing-instances
vpls {
instance-type vpls;
interface fe-0/3/1.0;
vrf-target target:100:1;
protocols {
vpls {
site CE3 {
site-identifier 3;
interface fe-0/3/1.0;
}
}
}
}
221
Baseline Configuration
PE2
[edit]
admin@PE2# show interfaces fe-0/2/0
encapsulation ethernet-vpls;
unit 0;
[edit]
admin@PE2# show routing-instances
vpls {
instance-type vpls;
interface fe-0/2/0.0;
vrf-target target:100:1;
protocols {
vpls {
site CE20 {
site-identifier 20;
interface fe-0/2/0.0;
}
}
}
}
222
Baseline Configuration
PE3
[edit]
admin@PE3# show interfaces ge-0/2/0
encapsulation ethernet-vpls;
unit 0;
[edit]
admin@PE3# show routing-instances
vpls {
instance-type vpls;
interface ge-0/2/0.0;
vrf-target target:100:1;
protocols {
vpls {
site CE2 {
site-identifier 2;
interface ge-0/2/0.0;
}
}
}
}
223
Baseline Configuration
Instead of BGP, LDP can be used as the signaling protocol. However, we are going to use BGP this time, as it is more fun. ☺
[edit]
admin@PE3# show routing-instances ldp-vpls
instance-type vpls;
interface ge-0/0/3.105;
protocols {
vpls {
vpls-id 50;
neighbor 192.168.1.12 {
psn-tunnel-endpoint 192.168.1.12;
}
neighbor 192.168.1.7 {
psn-tunnel-endpoint 192.168.1.7;
}
}
}
224
Common Problems
Unsupported PIC type
Supported PIC type for PE-CE interface
All ATM2 IQ PICs
4-port Fast Ethernet PIC with 10/100 Base-TX interfaces PIC
1-port Gigabit Ethernet PIC
1-port 10 Gigabit Ethernet PIC
1-port Gigabit Ethernet Intelligent Queuing (IQ) PIC
4-port and 8-port Gigabit Ethernet IQ2 PICs with SFP
1-port 10 Gigabit Ethernet IQ2 PIC with XFP
2-port Gigabit Ethernet PIC
2-port Gigabit Ethernet IQ PIC
4-port, quad-wide Gigabit Ethernet PIC
10-port Gigabit Ethernet PIC
225
Common Problems
[edit]
admin@Martha_RE0# commit
commit complete
[edit]
admin@Martha_RE0#
226
Common Problems
227
Common Problems
Invalid VLAN ID
With vlan-vpls encapsulation
Fast Ethernet 512 through 1023
Gigabit Ethernet 512 through 4094
[edit]
admin@PE1# commit check
[edit interfaces ge-0/0/3]
'unit 1'
VPLS interfaces must have a VLAN-ID >= 512
configuration check succeeds
228
Common Problems
Tunnel PIC is missing
Hardware is not present error on the vpls connection
admin@Rita_RE0> show vpls connections
.....
Legend for connection status (St)
EI -- encapsulation invalid NC -- interface encapsulation not CCC/TCC/VPLS
EM -- encapsulation mismatch WE -- interface and instance encaps not same
VC-Dn -- Virtual circuit down NP -- interface hardware not present
CM -- control-word mismatch -> -- only outbound connection is up
CN -- circuit not provisioned <- -- only inbound connection is up
OR -- out of range Up -- operational
OL -- no outgoing label Dn -- down
LD -- local site signaled down CF -- call admission control failure
RD -- remote site signaled down SC -- local and remote site ID collision
LN -- local site not designated LM -- local site ID not minimum designated
RN -- remote site not designated RM -- remote site ID not minimum designated
XX -- unknown connection status IL -- no incoming label
MM -- MTU mismatch
.....
Instance: vpls
Local site: CE3 (2)
connection-site Type St Time last up # Up trans
3 rmt NP
20 rmt NP
admin@Rita_RE0>
229
Common Problems
LM/RM error on the VPLS connection
Remote VE
admin@PE3> show vpls connections remote-site 4
Layer-2 VPN connections:
230
Common Problems
LM/RM error on the VPLS connection
Local VE
admin@PE1> show vpls connections local-site 4
Layer-2 VPN connections:
231
Common Problems
Traceoption
[edit]
admin@Rita_RE0# set routing-instances vpls protocols vpls traceoptions flag ?
Possible completions:
all Trace everything
connections Trace Layer 2 VPN and VPLS connections
error Trace errors
general Trace general events
nlri Trace Layer 2 VPN and VPLS remote site advertisements
normal Trace normal events
policy Trace policy processing
route Trace routing information
state Trace state transitions
task Trace routing protocol task processing
timer Trace routing protocol timer processing
topology Trace Layer 2 VPN and VPLS topology changes
232
Common Problems
233
Common Problems
admin@PE1>
234
Module Objectives
Basic Review of MPLS
High-Level Overview of Traffic Engineering
MPLS Terminology
Resource Reservation Protocol
Named Path via Explicit Route Objects
Constraint-Based Routing Overview
Administrative Groups
Fast Reroute
Circuit-Cross Connect Overview
Label Distribution Protocol
Basic MPLS Configuration Summary
236
MPLS Benefits
Fully integrates IP routing and Layer 2 switching
Leverages existing IP infrastructures
Optimizes IP networks by facilitating traffic engineering
Enables multi-service networking
Integrates private and public networks seamlessly
237
Source Destination
238
Traffic Engineering Uses
239
240
Information Distribution
IGP extensions propagate information
IS-IS uses type/length/value (TLV) tuples
OSPF uses opaque LSA type 10
Information propagated within area/level only
Information Propagated
Bandwidth available
Preemption priority
Link affinity (link colors)
Router ID
241
Path Selection
[Figure: an LSP from the ingress LSR to the egress LSR]
242
Path Signaling
Dynamic path creation requires a signaling protocol to:
Coordinate label distribution
Route the LSP explicitly
Reserve bandwidth (optional)
Provide class-of-service capability (DiffServ style)
Reassign resources (like bandwidth)
Preempt existing LSPs
Prevent loops
243
244
Packet Forwarding
Ingress router examines IP header
Packet is then
Classified for interface output queue
Assigned a label
Encapsulated in an MPLS header
Forwarded toward the next hop in the LSP
245
MPLS Terminology
Forwarding Equivalence Class (FEC)
Stream/flow of IP packets
FEC/label binding mechanism
Label
Fixed-length
Local significance
Label distribution, retention, and control
Downstream on demand/unsolicited downstream
Liberal/conservative
Independent /ordered
LSR label processing
Push/swap/pop/multi-push/swap-push
246
MPLS Terminology: MPLS Shim Header
32 bits
247
Label Swapping
Connection table maintains mappings
Exact match lookup
Input (port, label) determines:
Label operation
Output (port, label)
Same forwarding algorithm used in Frame Relay and ATM
248
MPLS Terminology: Router Type
[Figure: an LSP from the ingress LSR through transit LSRs and the penultimate router to the egress LSR; city labels San Francisco and New York]
Ingress LSR (“head-end LSR”)
Examines inbound IP packets and assigns them to an FEC
Generates MPLS header and assigns initial label
Transit LSR
Forwards MPLS packets using label swapping
Egress LSR (“tail-end LSR”)
Removes the MPLS header
249
Packet Forwarding
[Figure labels: Rome; 134.5.6.1; 134.5.1.5; interface i3; 200.3.2/24; 200.3.2.1]
251
Penultimate LSR
Tunneling LSP
What label value does the egress LSR for the tunneling LSP signal to the penultimate LSR so that the label 18 is popped off the top of the stack?
252
Resource Reservation Protocol
Internet standard for resource reservation
Originally intended for IP QoS
Not a routing protocol
Transports and maintains traffic and policy parameters that are opaque to RSVP
Simplex reservations for unicast traffic
Receiver-oriented resource allocation
Maintains soft state for graceful changes of:
Multicast membership
Routing
Multiple reservation styles
Supports IPv4 and IPv6
253
RSVP Session
[Figure: PATH and RESV messages between the ingress router and the egress router through R1, R4, R8 and R9]
254
RSVP Messaging Protocol
[Figure: PATH and RESV messages between the ingress router and the egress router through R1, R4, R8 and R9; callouts: Established Path State Block, Established Resv State Block]
RSVP message types
Path: establishes state
Resv: reserves resources
PathTear: removes path state
ResvTear: removes reservation state
PathErr: error message sent upstream to sender
ResvErr: establishes blockade state
ResvConf: message confirming reservation request
Path and resv state block data structures store soft state information
255
256
Path Message
[Figure: ingress LSR R1 to egress LSR R4 through R2 and R3; Explicit Route = {R1, R2, R3, R4}]
PATH R1 to R2: ERO={R2, R3, R4}
PATH R2 to R3: ERO={R3, R4}
PATH R3 to R4: ERO={R4}
R2, R3 and R4 each establish a path state block
Resv Message
[Figure: ingress LSR R1, R2, penultimate LSR R3, egress LSR R4; interfaces i2, i3, i6, i2, i5, i4 along the path]
RESV R4 to R3: Label = 3
RESV R3 to R2: Label = 20
RESV R2 to R1: Label = 17
MPLS Table
Router   In          Out
R1       IP Route    (2, 17)
R2       (3, 17)     (6, 20)
R3       (2, 20)     (5, Pop)
Resv message
R4 transmits a resv message to R3
Label = 3 (indicates that penultimate LSR should pop header)
Session object uniquely identifies the LSP
Style object identifies fixed filter or shared explicit
Record route object lists nodes visited (optional field)
R3 and R2
Store the outbound label and allocate an inbound label
Transmit resv message with inbound label to upstream LSR
R1 binds label to FEC
258
Named Path via Explicit Route Object
259
[Figure: routers A through F, with ingress LSR A and egress LSR F; all hops strict]
ERO
B strict;
C strict;
E strict;
D strict;
F strict;
260
Named Path ERO: Loose Route
Consult the routing table at each hop to determine the best path
[Figure: routers A through F, with ingress LSR A and egress LSR F; loose hop at D]
ERO
D loose;
261
[Figure: routers A through F, with ingress LSR A and egress LSR F; strict and loose hops combined]
ERO
C strict;
D loose;
F strict;
262
Named Path Code
mpls {
    traffic-engineering bgp-igp;
    label-switched-path Blue1 {
        to 192.168.24.1;
        primary one;
    }
    label-switched-path Blue2 {
        to 192.168.12.1;
        primary one;
    }
    # Use loopback address instead of interface address
    # so loose section of path can reroute if necessary
    path one {
        192.168.20.1 loose;
    }
}
isis {
    traffic-engineering shortcuts;
    interface all {
        level 1 disable;
    }
}
263
264
Constraint-Based Routing Overview (1 of 2)
Modified shortest path first algorithm
Integrates TED data
IGP topology information
Available bandwidth
Link color
Path determined according to administrative constraints of LSP
Maximum hop count
Bandwidth
Strict or loose routing
Administrative groups
Priority
Prunes non-qualifying paths, then performs an SPF algorithm on remaining routes
265
Extended IGP
266
IGP Extensions
Extended IGP
267
268
User Constraints
Extended IGP
269
[Figure: the extended IGP feeds CSPF on the ingress LSR; CSPF produces the ERO for RSVP, which exchanges PATH and RESV messages with the egress LSR]
RSVP signaling:
Explicit route calculated by CSPF is handed to RSVP
RSVP is unaware of how the ERO was calculated
RSVP establishes LSP
Path: Establishes state and requests label assignment
Resv: Distributes labels and reserves resources
271
Administrative Groups (1 of 7)
Administrative groups
Thirty-two named groups, 0 through 31, carried as a 32-bit value in IGP updates
Groups assigned to interfaces
[Figure: links out of San Francisco colored Silver, Gold and Bronze]
272
Administrative Groups (2 of 7)
1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 1 0
Administrative groups
Colors advertised on a per-link basis via IGP:
0xC000000E
Colors on router: internal management, bronze,
silver, gold
273
Administrative Groups (3 of 7)
[edit protocols]
mpls {
    admin-groups {
        gold 1;
        silver 2;
        bronze 3;
        management 30;
        internal 31;
    }
    interface so-0/0/0 {
        admin-group [ gold management ];
    }
    interface so-0/1/0 {
        admin-group silver;
    }
    interface so-0/2/0 {
        admin-group gold;
    }
    interface so-0/3/0 {
        admin-group gold;
    }
}
274
Administrative Groups (4 of 7)
CSPF can include and exclude groups in automatic path calculation
Logical groupings are supported
mpls {
    label-switched-path to-miami {
        to 1.1.1.1;
        primary use-fargo {
            admin-group {
                include gold;
                exclude [ bronze silver ];
            }
        }
    }
    path use-fargo {
        10.0.1.2 loose;
    }
}
(Slide callouts next to this configuration: Logical AND, Logical OR)
275
Administrative Groups (5 of 7)
[Figure: topology with nodes A through I and link metrics]
276
Administrative Groups (6 of 7)
Choose the path from A to H using:
admin group {
include [ copper bronze ];
exclude admin;
}
[Figure: topology with nodes A through I and link metrics]
277
Administrative Groups (7 of 7)
[Figure: topology with nodes A through I and link metrics]
278
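The prune-then-SPF behaviour described for CSPF, combined with the administrative-group bit positions from slide 3 of 7, can be sketched as follows. This is an added example, not JUNOS code: the four-node topology, its metrics and bandwidths are constructed, links are treated as bidirectional, and the matching rule (a link needs at least one included group and none of the excluded groups) is an assumption about how include and exclude combine.

```python
"""CSPF sketch: prune links that fail the LSP's constraints, then run SPF."""
import heapq

# Bit positions from the admin-groups configuration on the slide.
ADMIN_GROUPS = {"gold": 1, "silver": 2, "bronze": 3, "management": 30, "internal": 31}


def group_mask(*names):
    """Build the 32-bit value advertised per link in IGP updates."""
    value = 0
    for name in names:
        value |= 1 << ADMIN_GROUPS[name]
    return value


def group_names(value):
    """Decode an advertised 32-bit value back into configured group names."""
    return sorted(n for n, bit in ADMIN_GROUPS.items() if value & (1 << bit))


def link_qualifies(link, bandwidth, include, exclude):
    if link["avail_bw"] < bandwidth:
        return False                      # not enough unreserved bandwidth
    if include and not (link["colors"] & include):
        return False                      # carries none of the included groups
    if link["colors"] & exclude:
        return False                      # carries an excluded group
    return True


def cspf(links, src, dst, bandwidth=0, include=0, exclude=0):
    """Return (cost, path) over the pruned topology, or None if no path is left."""
    adj = {}
    for link in links:
        if link_qualifies(link, bandwidth, include, exclude):
            adj.setdefault(link["a"], []).append((link["b"], link["metric"]))
            adj.setdefault(link["b"], []).append((link["a"], link["metric"]))
    heap, done = [(0, src, [src])], set()
    while heap:                           # plain Dijkstra on what survived pruning
        cost, node, path = heapq.heappop(heap)
        if node == dst:
            return cost, path
        if node in done:
            continue
        done.add(node)
        for nxt, metric in adj.get(node, []):
            if nxt not in done:
                heapq.heappush(heap, (cost + metric, nxt, path + [nxt]))
    return None


# Constructed topology (not the one drawn on the slides).
LINKS = [
    {"a": "A", "b": "B", "metric": 1, "avail_bw": 100, "colors": group_mask("gold")},
    {"a": "B", "b": "D", "metric": 1, "avail_bw": 100, "colors": group_mask("bronze")},
    {"a": "A", "b": "C", "metric": 2, "avail_bw": 100, "colors": group_mask("gold")},
    {"a": "C", "b": "D", "metric": 2, "avail_bw": 50,
     "colors": group_mask("gold", "management")},
]

if __name__ == "__main__":
    print(hex(group_mask(*ADMIN_GROUPS)))            # value from slide 2 of 7
    print(cspf(LINKS, "A", "D"))                     # unconstrained shortest path
    gold_only = dict(include=group_mask("gold"), exclude=group_mask("bronze", "silver"))
    print(cspf(LINKS, "A", "D", **gold_only))        # longer path, all gold
    print(cspf(LINKS, "A", "D", bandwidth=80, **gold_only))   # nothing qualifies
```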
Fast-Reroute Operation
279
Fast-Reroute Overview
Short-term solution to reduce packet loss: if a node or link fails, the upstream node:
Immediately detours
Signals failure to ingress LSR
Ingress LSR knows traffic engineering constraints
Ingress router computes alternate route based on configured secondary paths; tries to reestablish primary path
Initiates long-term reroute solution
By default, reroute paths inherit administrative groups only; no other parameters
280
Fast Reroute Example
Enable fast reroute on ingress LSR
SF creates detour around LA
LA creates detour around Austin
Austin creates detour around Miami
[Figure: network map with San Francisco, Los Angeles, Austin, Miami, Fargo and New York]
281
[Figure: network map with San Francisco, Los Angeles, Austin, Miami, Fargo and New York]
282
Fast Reroute Example: Long Term Solution
SF fails over to secondary path
[Figure: network map with San Francisco, Los Angeles, Austin, Miami, Fargo and New York]
283
Fast Reroute
284
Circuit Cross-Connect Overview
Connects two Layer 2 circuits
Supports:
PPP, Cisco HDLC, Frame Relay, ATM, and VLAN 802.1Q
Based on Layer 2 circuit ID
Carries any protocol
Connects only like interfaces (for example, Frame Relay to Frame Relay, or ATM to ATM)
Three types of cross-connects
Layer 2 switching
MPLS tunneling
Stitching MPLS LSPs
285
286
CCC MPLS Interface Tunneling (2/2)
287
288
Purpose of LDP (1 of 2)
Creates forwarding equivalence class
A group of IP packets which are forwarded in the same manner (RFC 3031)
Manages LSP to egress router
New concept
LDP associates the FEC with each LSP it creates
Solves problems
Enables VPNs
Allows traffic class mapping
289
Purpose of LDP (2 of 2)
[Figure labels: routers A, B, E, G and I; RSVP LSP; Egress]
290
Label Distribution Protocol (1 of 2)
Upstream Downstream
LDP Peer LDP Peer
Router A Router B
protocols {
mpls {
label-switched-path lsp-path-name {
from source;
to destination;
ldp-tunneling;
}
}
}
293
LDP LDP
RSVP
294
Basic MPLS Configuration Summary
MPLS configuration summary
Configure MPLS and RSVP protocols
Configure family MPLS on interfaces
Configure an LSP
Configure basic IP stuff (for example, addresses
and protocols )
295
Basic RSVP-Signaled LSP
[edit]
Lab@host# set protocols mpls interface all
Lab@host# set protocols rsvp interface all
Lab@host# set interfaces IN-#/#/# unit 0 family mpls
Lab@host# set protocols mpls label-switched-path NAME to IP-address no-cspf
296
Displaying MPLS LSPs
297
298
Displaying the MPLS Switching Table
lab@Montreal# show route table mpls.0
mpls.0: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
0 *[MPLS/0] 02:47:47, metric 1
Receive
1 *[MPLS/0] 02:47:47, metric 1
Receive
100003 *[RSVP/7] 00:00:53, metric 1
> to 10.0.24.2 via fe-0/0/2.0, label-switched-path HK-AM1
100003(S=0) *[RSVP/7] 00:00:53, metric 1
> to 10.0.24.2 via fe-0/0/2.0, label-switched-path HK-AM1
100004 *[RSVP/7] 00:00:53, metric 1
> to 10.0.24.2 via fe-0/0/2.0, label-switched-path HK-AM1
100004(S=0) *[RSVP/7] 00:00:53, metric 1
> to 10.0.24.2 via fe-0/0/2.0, label-switched-path HK-AM1
299
300
Displaying RSVP Neighbor Information
301
Displaying RSVP-Enabled Interfaces
302
Next Hop Resolution
[Figure: AS 64512 running I-BGP. Labels: NJ, Boston, Denver, DC, NY, SF, Dallas; prefix 134.112/16; addresses 192.168.4.1, 192.168.16.1, 192.168.24.1, 192.168.8.1; link 10.0.20/30 (.1, .2); callout: Configure "next hop self"]
lab@SF> show route 192.168.24.1
303
....
304
Questions ?
Thank You !