CCIE R&S Advanced Technologies Class v4.5 - MPLS Layer 3 VPNs Overview, VRF Lite

Transcript

1	Introduction	0h 43m
2	Using the Cisco Documentation	0h 52m
3	Ethernet Overview, Layer 2 Switchports, Trunking, ISL, 802.1q, DTP	0h 47m
4	VTP, VTP Authentication, VTP Pruning	1h 02m
5	VTP Prune Eligible List, VTP Transparent, VTP Troubleshooting, Trunk Allowed List, Extended VLANs	0h 48m
6	VLAN and VTP Review	0h 19m
7	SVIs, Native Routed Interfaces, Router-on-a-Stick	0h 46m
8	Layer 2 EtherChannel, EtherChannel Load Balancing, Layer 3 EtherChannel	0h 57m
9	802.1q Tunneling, Layer 2 Protocol Tunneling, EtherChannel over 802.1q Tunneling	1h 03m
10	STP Root Bridge Election, STP Root Port Election, STP Designated Port Election, STP Priority, STP Cost, STP Port-Priority	1h 06m
11	STP Review	0h 12m
12	STP Timers, STP PortFast	0h 34m
13	STP UplinkFast	0h 11m
14	STP BackboneFast	0h 12m
15	STP BPDU Filter	0h 13m
16	STP BPDU Guard	0h 11m
17	STP Root Guard	0h 11m
18	STP Loop Guard, Unidirectional Link Detection (UDLD)	0h 11m
19	Multiple Spanning-Tree Protocol (MST)	0h 40m
20	Rapid Spanning-Tree Protocol (RSTP), Rapid-PVST	0h 18m
21	MST with Multiple Regions	0h 33m
22	Flex Links	0h 16m
23	Frame Relay	0h 39m
24	Frame Relay Configuration Part 1	0h 34m
25	Frame Relay Configuration Part 2	0h 41m
26	Frame Relay Switching	0h 27m
27	Back-to-Back Frame Relay	0h 08m
28	Frame-Relay End-to-End Keepalives	0h 18m
29	PPP, PPP PAP Authentication, PPP CHAP Authentication	0h 59m
30	PPPoFR, PPPoE	0h 40m
31	Transparent Bridging, IRB	0h 32m
32	Fallback Bridging	0h 14m
33	IP Routing Overview, Switching Paths, Static Routing	0h 42m
34	Static Routing Examples	0h 25m
35	IP Default-Gateway, IP Default-Network	0h 14m
36	On-Demand Routing (ODR)	0h 07m
37	Floating Static Routes	0h 10m
38	Backup Interface	0h 29m
39	Enhanced Object Tracking, IP SLA, Reliable Static Routing	0h 21m
40	Policy Routing	0h 43m
41	GRE Tunneling, GRE Recursive Routing Errors	0h 27m
42	Reliable Backup Interface with GRE	0h 25m
43	RIP Overview, RIP Versions, RIP Auto-Summary	0h 48m
44	RIP Split-Horizon, RIP Timers	0h 22m
45	RIP Broadcast Updates, IP Directed Broadcast, IP Broadcast-Address, Smurf Attacks, Fraggle Attacks	0h 16m
46	RIP Unicast Updates	0h 03m
47	RIP Offset-List	0h 18m
48	RIP Authentication	0h 11m
49	RIP Summarization	0h 10m
50	Prefix-Lists, RIP Distribute-List Filtering, RIP Administrative Distance Filtering	0h 48m
51	RIP Default Routing, RIP Conditional Default Routing	0h 18m
52	RIP Triggered, RIP Validate Update Source,	0h 12m
53	EIGRP Overview	0h 29m
54	EIGRP Auto-Summary	0h 07m
55	EIGRP Split-Horizon	0h 11m
56	EIGRP Update Types, EIGRP Neighbor, EIGRP Passive-Interface	0h 24m
57	EIGRP Hello-Interval, EIGRP Hold-Time	0h 05m
58	EIGRP Authentication	0h 11m
59	EIGRP Time Based Authentication	0h 25m
60	EIGRP Path Selection, EIGRP Metric Weights, EIGRP Traffic Engineering	0h 47m
61	EIGRP Unequal Cost Load Balancing, EIGRP Variance	0h 19m
62	EIGRP QUERY, EIGRP Summarization, EIGRP Leak-Map	0h 28m
63	EIGRP Stub Router Advertisement	0h 22m
64	EIGRP Default Routing	0h 13m
65	EIGRP Route Filtering	0h 11m
66	EIGRP Router-ID	0h 07m
67	Miscellaneous EIGRP Features	0h 02m
68	OSPF Overview	0h 27m
69	Establishing OSPF Adjacencies, Understanding the OSPF Database	0h 43m
70	OSPF Network Type Broadcast, OSPF DR/BDR Election, OSPF over NBMA, OSPF Network Type Non-Broadcast and Point-to-Multipoint	0h 56m
71	OSPF Network Type Point-to-Point, OSPF Network Type Mismatch	0h 13m
72	OSPF Network Type Point-to-Multipoint Non-Broadcast, OSPF Per Neighbor Cost	0h 17m
73	OSPF Network Type Loopback	0h 02m
74	OSPF Path Selection	0h 27m
75	OSPF Convergence Timers	0h 09m
76	OSPF Authentication	0h 12m
77	OSPF Summarization	0h 32m
78	OSPF Stub Areas, OSPF Totally Stubby Areas, OSPF NSSAs, OSPF Totally NSSAs	0h 40m
79	Controlling OSPF NSSA Redistribution	0h 02m
80	OSPF Type 7 to 5 Translator Election, OSPF LSA Type 3 Filter, OSPF Forwarding Address Suppression	0h 24m
81	Route Redistribution Overview	0h 36m
82	Route Redistribution Configuration & Verification, Connected Redistribution	0h 22m
83	OSPF External Path Selection, TCL PING Scripting	0h 33m
84	Routing Loops Overview, EIGRP Route Loop Prevention	0h 55m
85	Metric Based Routing Loops, Route Tagging	0h 46m
86	Administrative Distance Based Routing Loops, Debug IP Routing, IP Route Profile	0h 58m
87	BGP Overview, BGP Peering Types	0h 51m
88	Establishing BGP Peerings, EBGP Multihop, BGP Neighbor Disable Connected Check, BGP TTL Security	0h 49m
89	BGP 4-Byte ASNs	0h 20m
90	BGP Local AS, BGP Peer Groups	0h 30m
91	BGP Next-Hop Self, BGP Next-Hop Processing	0h 30m
92	BGP Route Reflectors	0h 37m
93	Large Scale BGP Route Reflectors with Clusters	0h 34m
94	BGP Confederation	0h 37m
95	BGP NLRI Advertisements, BGP Network Statement, BGP Redistribution	0h 43m
96	BGP Aggregation, BGP Aggregation & Summary-Only, BGP Aggregation & Unsuppress-Map	0h 46m
97	BGP Origin, BGP Aggregation & AS-Set, BGP Aggregation & Advertise-Map	0h 22m
98	BGP Conditional Route Injection	0h 21m
99	BGP Bestpath Selection, BGP Multipath, BGP Weight	0h 53m
100	BGP Local Preference, BGP Local Preference and Communities, BGP AS-Path Prepending,	0h 30m
101	BGP MED, BGP MED Missing As Worst, BGP Deterministic MED	0h 17m
102	BGP Communites, BGP Regular Expressions	0h 43m
103	BGP Filtering, BGP Convergence Timers, BGP Default Routing, Miscellaneous BGP Features	0h 24m
104	MPLS Overview, MPLS Label Distribution Protocol (LDP)	1h 05m
105	MPLS Tunnels, MPLS Penultimate Hop Popping (PHP)	0h 40m
106	MPLS Layer 3 VPNs Overview, VRF Lite	0h 36m
107	MPLS Layer 3 VPNs and VPNv4 BGP	1h 08m
108	MPLS Layer 3 VPN Verification & Troubleshooting	0h 49m
109	MPLS Layer 3 VPN OSPF PE-CE Routing Overview	0h 06m
110	MPLS Layer 3 VPN OSPF PE-CE Routing Path Selection & Sham-Links	2h 01m
111	MPLS Layer 3 VPN OSPF PE-CE Routing Loop Prevention & Down-Bit, OSPF Capability VRF-Lite	0h 40m
112	IPv6 Overview, IPv6 ICMPv6 ND, IPv6 over NBMA	0h 44m
113	IPv6 Routing Overview, IPv6 Static Routing	0h 28m
114	IPv6 RIPng	0h 20m
115	IPv6 EIGRPv6	0h 09m
116	IPv6 OSPFv3	0h 31m
117	MP-BGP for IPv6	0h 26m
118	IPv6 Tunneling	1h 13m
119	Multicast Overview, IGMP	0h 34m
120	PIM Overview	0h 18m
121	PIM Dense Mode	1h 03m
122	PIM Sparse Mode	0h 30m
123	PIM Sparse Mode Configuration	0h 36m
124	PIM Sparse Mode RPF & RP Troubleshooting	0h 27m
125	Auto-RP, Multicast over GRE Tunnels	0h 53m
126	Bootstrap Router (BSR), Bidirectional PIM, Source Specific Multicast (SSM)	0h 40m
127	MSDP, Anycast RP	0h 27m
128	IPv6 Multicast Routing	0h 24m
129	QoS Overview, IntServ QoS, DiffServ QoS, IP Precedence, DSCP, MQC, HQF	0h 41m
130	MQC Classification	0h 44m
131	FIFO, FQ, WFQ, CBWFQ, HQF	0h 50m
132	LLQ	0h 23m
133	WRED	0h 31m
134	Traffic Shaping, Traffic Policing	0h 40m
135	Frame Relay Traffic Shaping (FRTS)	0h 33m
136	RSVP	0h 07m
137	Catalyst 3560 QoS	1h 00m
138	IOS Security Overview, Access Lists (ACLs)	0h 58m
139	Time Based ACLs, Dynamic ACLs	0h 33m
140	Reflexive ACLs	0h 21m
141	TCP Intercept, Content Based Access Control (CBAC)	0h 34m
142	Zone Based Policy Firewall (ZBPF)	1h 09m
143	AAA, Local Authentication, Local Authorization, Role Based CLI Access	0h 43m
144	Port Security, Static CAM Entries, Storm Control, 802.1X Authentication, PACLs, RACLs, VLAN Access Maps (VACLs)	0h 48m
145	DHCP Snooping, Dynamic ARP Inspection (DAI), IP Source Guard	0h 12m
146	Protected Ports, Private VLANs	0h 25m
147	IP Services Overview, HSRP	1h 10m
148	VRRP, GLBP	0h 28m
149	NAT	0h 42m
150	DHCP, DNS	0h 30m
151	NetFlow	0h 09m
152	WCCP, Miscellaneous IP Services	0h 06m
153	System Management Overview, NTP, NTP Authentication	0h 24m
154	SNMP, RMON	0h 38m
155	Syslog, Telnet, SSH, Banners	0h 21m
156	EEM Scripting, Miscellaneous System Management	0h 26m
Total Duration		81h 02m

Slides - Diagrams

Slides - Introduction

Slides - Ethernet Switching

Slides - Advanced Ethernet Switching

Slides - Frame Relay

Slides - PPP

Slides - Transport Bridging

Slides - Redistribution

Slides - IOS Security

Slides - Layer 2 Security

Slides - IP Services

Slides - System Management

0:00:13	In our next section here for MPLS,
0:00:16	we're gonna start our discussion of the Layer 3 MPLS VPNs.
0:00:20	As I mentioned, there are other topics for MPLS that are gonna be outside of our scope.
0:00:25	Mainly, MPLS Layer 2 VPNs
0:00:28	that are for circuit emulation.
0:00:30	And also for MPLS traffic engineering.
0:00:33	Now, Layer 3 MPLS VPNs
0:00:36	are gonna combine the previous logic that we saw at the MPLS tunnel
0:00:40	that allows us to send traffic over the service provider network
0:00:44	without actually having the detailed routing information
0:00:48	with a way to separate the routing information on a per-customer basis.
0:00:54	So, the idea behind a layer 3 MPLS VPN
0:00:57	is that the provider edge routers are going to learn routes somehow from the customers.
0:01:03	Whether this by through static routing,
0:01:05	or through an IGP, or from BGP.
0:01:08	The provider edge is learning information about the customer.
0:01:12	The key routers then advertise the customer routes to each other
0:01:17	via multi-protocol BGP.
0:01:20	The key point here though is that since we're already running MPLS in the core,
0:01:26	as long as the customer advertised information
0:01:29	points at a BGP next hop that as a label for it,
0:01:33	it means that the devices in the middle of the transit network
0:01:36	don't need to know about the specific customer's routes.
0:01:41	So, it's essentially made up of two portions here.
0:01:44	It's going to be the separation of the customer's routing information,
0:01:47	and then, the actual tunneling of the traffic over the MPLS network.
0:01:54	Now, in order to do this,
0:01:57	we have the principle that's known as the Virtual Routing and Forwarding instance, or the VRF.
0:02:02	The VRF is what we're gonna use on the PE routers
0:02:05	to keep track of different customer's routes on a per-interface basis.
0:02:11	So essentially, what we're doing is breaking the router up into multiple virtual routers.
0:02:16	Where on per-interface basis, we're specifying when a route is learned in there,
0:02:21	whether again, it's from IGP or from static routing,
0:02:24	we're putting it into a separate logical routing table.
0:02:29	Then, the PE routers are going to aggregate all this information together,
0:02:33	and advertise it between each other using multi-protocol BGP.
0:02:38	So, just like our previous design,
0:02:40	where we were doing a BGP peering between router 4 and router 6,
0:02:45	then devices in the core of the MPLS network, they do not need to run BGP.
0:02:51	As long as router 4 has a IGP route
0:02:54	to the loopback of router 6,
0:02:56	and LDP is enabled on all the transit interfaces,
0:03:00	it means that once traffic comes in to router 4,
0:03:04	and goes out towards router 6,
0:03:08	ultimately, that traffic is going to be label switch based on the loopback interface of router 6.
0:03:14	Now, with the VRF, or the Virtual Routing and Forwarding instance,
0:03:17	they key point is that based on how we assign
0:03:20	the VRFs to the interfaces,
0:03:22	that's gonna determine what particular routing table they're assigned to.
0:03:27	For any interface that is not assigned a VRF,
0:03:31	that still exists in the global routing table.
0:03:35	So, when we do our normal verification commands, like Show IP Route,
0:03:38	Ping, Telnet,
0:03:39	that is referring to the global routing table.
0:03:43	Anytime we are now doing a verification for a customer specific route,
0:03:48	that is gonna be with the VRF aware commands.
0:03:51	Where we would say, Show IP Route VRF, or Ping VRF, Telnet VRF,
0:03:57	because we now need to reference that specific routing table
0:04:01	that is related to that individual customer.
0:04:05	Now, since the individual VRF tables and the global routing tables are separate,
0:04:11	it implies that the addressing can overlap between the different VRFs.
0:04:16	So, from the service provider point of view,
0:04:18	this means that they don't care if the customers are using RFC 1918 addresses.
0:04:24	So, the 10 network, the 172, 162.31, the 192.168.
0:04:29	Because once it is actually advertised into BGP,
0:04:33	there's a specific way that MPLS allows us to keep track of the different routes on a per-customer basis.
0:04:40	We'll see that even though the IP prefix could be the same between two different VRFs
0:04:46	It's technically going to be two different routes
0:04:49	based on new additional tags
0:04:52	that are go on to the actual VPNv4 route.
0:04:58	Now, since the VRF information is separate between tables,
0:05:02	this means that VRF A is not gonna have a route to VRF B.
0:05:06	It implies that the VPN
0:05:08	nature of the VRF table.
0:05:11	Meaning that it say, virtual private network
0:05:13	is simply based on the fact that one table doesn't have routing information to another one.
0:05:19	So, if we have customer A and B,
0:05:21	there's no possible way for customer A to send traffic to B
0:05:24	if they have a route to their particular destinations.
0:05:28	Now, we can manually leak traffic between the VRFs
0:05:32	by doing static routes that point manually at different tables.
0:05:35	But under a normal default configuration,
0:05:38	essentially, the traffic is VRFs is going to be isolated.
0:05:42	So, devices in VRF 1 are only gonna have reachability to other interfaces that are in VRF 1.
0:05:48	Likewise, VRF 2 will have reachability to interfaces in VRF 2.
0:05:53	Now, the VRF on its own doesn't necessarily have to imply that we're running MPLS.
0:05:59	We can use this feature on its own
0:06:01	in which case, this is considered a VRF light,
0:06:04	or a multi-VRF configuration.
0:06:08	Now, in that particular case, it simply means that the router has multiple routing tables.
0:06:13	Then, in the individual routing tables, we're separating the traffic or certain set up interfaces versus others.
0:06:19	Again, simply based on the fact that one interface does not have a route to another interface.
0:06:28	So first, let's take a look at this in our topology using just the VRF light configuration.
0:06:33	Then, we'll look at how we can combine this together with multi-protocol BGP,
0:06:37	and then get the final result of our Layer 3 MPLS VPN.
0:06:42	So, to start, we're gonna look at router 4.
0:06:45	Where it has four separate interfaces directly connected.
0:06:48	One of them is going into the MPLS network going to router 2.
0:06:53	We have the link that goes to BB2 that we were running BGP on before.
0:06:57	Then, we have two separate interfaces that are going to switch 3 and to switch 3 respectively.
0:07:04	Now, ultimately, depending on how we define the VRFs,
0:07:08	that's gonna control which particular links we'll have reachability to each other.
0:07:13	So again, the VPN nature is separate in the traffic just based on the fact that
0:07:17	we either do or do not have routes to the other destinations.
0:07:22	So, our first step for this would be to define
0:07:24	what the VRF's name is.
0:07:27	In global config, we say, IP VRF.
0:07:30	Then, give it a... Either a number or a case sensitive name.
0:07:36	So, I'll say that this first one is gonna be "vrf A".
0:07:41	At this point, if we are not doing MPLS,
0:07:45	the only attribute that we need to specify on to the VRF
0:07:48	is the route distinguisher.
0:07:51	We'll see that the route distinguisher is eventually what is gonna keep the individual routes
0:07:56	of one VRF unique from the other ones.
0:08:00	When we're running the VRF light, essentially, this route distinguisher number is only gonna be locally significant.
0:08:07	So, it really only matters if we're running Layer 3 MPLS VPNs,
0:08:10	but it is still a requirement in order to enable the VRF.
0:08:14	So, I essentially need to pick any random number. I'll say, 1:1.
0:08:19	Then, I'll have a separate VRF. IP VRF B
0:08:22	that has the route distinguisher 1:2.
0:08:27	Again, since we're not yet running MPLS,
0:08:30	along with the VRF, we're not running Layer 3 MPLS VPN.
0:08:33	Then, it technically doesn't matter what the route distinguisher value is.
0:08:37	Just the parser needs to put this in, otherwise, it's not gonna create the routing table.
0:08:43	Now, the next step would be to assign the VRF to the particular local interfaces that we want.
0:08:49	When we do this,
0:08:51	we look at the Show IP Route Connected on router 4.
0:08:56	This is going to remove the IP addresses that are assigned on the interfaces.
0:09:01	So, before we do this, we actually wanna know
0:09:03	what are the addresses of the local links that we're gonna put in the VRFs.
0:09:09	I'll say that the links that are connecting to the two switches,
0:09:13	which are the 10.2.49 and the 10.1.104,
0:09:19	these are gonna be in VRF A,
0:09:23	where the link that goes to BB2, and the link that goes to router 2, those are gonna be in VRF B.
0:09:31	So, we have two separations of the traffic here.
0:09:36	So first, we'll go to interface Fast Ethernet 0/0.49.
0:09:42	The command is IP VRF Forwarding,
0:09:45	and then, the VRF's name.
0:09:47	Notice here that it says that it is removing the IP address from the link.
0:09:50	This is because it's moving the interface to the new routing table.
0:09:54	So, once the address is removed, then, I need to reapply it.
0:09:58	So, IP Address 10.2.49.4.
0:10:01	Mask is /24.
0:10:05	Same thing on Fast Ethernet 0/0.104.
0:10:09	IP VR Forwarding A.
0:10:11	And then, I have to re-assign the IP address, 10.1.104.4.
0:10:21	Then, on the other two interfaces, Fast Ethernet 0/0.192,
0:10:26	we'll say that this is in IP VRF Forwarding B.
0:10:31	As well as Fast Ethernet 0/0.24
0:10:35	is in B.
0:10:39	And we'll leave the loopback in the global table.
0:10:42	Now, we can see that the LDP process is now complaining
0:10:46	that it can't set the LDP identifier.
0:10:51	This is because once I applied VRF B, I don't actually have the address assigned to the interface.
0:11:02	So, if I look at the Show IP VRF,
0:11:06	or the Show IP VRF Detail,
0:11:10	right now, for VRF B, I have the interfaces assigned to it,
0:11:14	but if we look at the Show IP Route VRF Star (*),
0:11:19	which is gonna be for including the global table and all of the VRF instances.
0:11:25	We can see that for table B,
0:11:28	those links do not appear because they don't have IP addresses assigned.
0:11:33	Right now, the loopback is still existing in the global table because I didn't change that.
0:11:38	In routing table A, this is for VRF A.
0:11:43	I have the link that's going to switch 3 and the link that's going to switch 4.
0:11:49	So then, those two other interfaces for table B, I need to reassign the IP addresses.
0:11:56	Specifically, this is gonna be interface Fast Ethernet 0/0.24
0:12:02	that has the address 10.0.24.4
0:12:10	/24.
0:12:12	Fast Ethernet 0/0.192 has 192...
0:12:17	.10.28.4.
0:12:21	Now, within the scope of the lab exam, you're putting the interface in the VRF,
0:12:25	it would imply that you would then need to know what is the address assigned
0:12:30	before you actually move the interface between the routing tables.
0:12:34	So, since it is gonna remove the address,
0:12:36	eventually, we're gonna have to put this back on.
0:12:40	So now, if I were to look at the Show IP Route...
0:12:44	Show IP Route VRF A
0:12:47	versus Show IP Route VRF B,
0:12:50	the traffic is now gonna be between interface Fast Ethernet 0/0.49
0:12:56	versus Fast Ethernet 0/0.24.
0:13:00	Simply based on the fact that they're in separate routing tables.
0:13:06	So, anytime a packet comes in on this link,
0:13:10	it means that the routing look-up is gonna be done on this specific table.
0:13:14	So, if routing table B does not have a route to 10.1.104.0,
0:13:19	it's not gonna be able to reach any of those destinations.
0:13:24	Now, from here and out,
0:13:25	it means that any commands that we issue in IOS
0:13:28	essentially are gonna have to be VRF aware commands.
0:13:31	If I were to say, Ping 1.2.3.4, or Show IP Route 1.2.3.4.
0:13:38	Telnet to that address.
0:13:39	That means that by default, that address should be in the global table.
0:13:46	So, sometimes, it can get frustrating with the verification
0:13:49	if you forget that the particular link you're dealing with is in a VRF.
0:13:54	So, if I were to say, on router 4, I wanna ping 192.10.28.254,
0:14:01	it could look like I have some sort of Layer 2 connectivity problem,
0:14:05	because I don't have reachability to this particular address.
0:14:08	When in reality, it's just that I needed to say, "I need to generate the packet inside VRF B,
0:14:15	and the packets going to that particular address."
0:14:19	So we see, there's reachability when the packet is generated in the VRF B routing table
0:14:24	as opposed to the global routing table.
0:14:27	This would be true than if any other command.
0:14:30	If I were to telnet to 10...
0:14:34	.1.104.10,
0:14:42	It says, "This is unreachable simply because I don't have a route to it."
0:14:45	If I Show IP Route 10.1.104.10, this is not in the global routing table.
0:14:52	The reason why is it specifically is in the VRF A routing table.
0:14:58	So, if I were to telnet to that address, but then I said,
0:15:01	"I need to source this from VRF table A."
0:15:07	Then, we could see, we can telnet to that device, but it's not set up for VTY access.
0:15:13	So essentially, any verification now on the router,
0:15:16	you need to be aware on whether this is a VRF aware command or not.
0:15:21	Most of this, you can just tell from the context sensitive help
0:15:23	like if I were to do a traceroute.
0:15:27	It says, "You can select what particular VRF it's in."
0:15:31	You'll see some features in IOS depending on the version.
0:15:34	It may or may not be supported as VRF aware.
0:15:38	So this means all sorts of different services and management type protocols as well.
0:15:43	So, network address translation,
0:15:46	DNS, DHCP, Net Flow.
0:15:48	Those type of services would then need to be VRF aware
0:15:52	if we wanted to configure it to a different routing table than the global table.
0:15:59	Now, a lot of these features will be documented under MPLS.
0:16:02	So, if we look at the main documentation page,
0:16:05	let's go to 12.4T Configuration Guide.
0:16:09	Then, down to MPLS Configurations.
0:16:15	Under Layer 3 VPNs,
0:16:21	you'll see some of the different VRF aware features,
0:16:25	like we can do the VRF selection based on policy routing.
0:16:30	We could also do this...
0:16:34	based on the source address.
0:16:38	So, usually, by default, the VRF assignment is based on whatever is on the interface.
0:16:43	In our particular case here on router 4 Fast Ethernet 0/0.24
0:16:49	is simply in VRF B, because that's what we have configured on the interface.
0:16:54	But there are some cases where you can get into more advanced implementations,
0:16:58	where I wanna say, on this link, there's actually multiple VRFs.
0:17:02	Then, the membership would be based on a policy routing
0:17:05	route map that I can manually define.
0:17:08	So now, since we're dealing with multiple routing tables,
0:17:11	it would then also imply that now, our routing protocols need to become VRF aware.
0:17:17	Essentially, all options that we have for routing in the global table,
0:17:22	in the newer IOS versions, they are also aware as VRF aware instances.
0:17:27	So, this means, static routing. All of the IGPs, BGP, and policy routing can all be VRF aware.
0:17:35	We'll see that the actual syntax between the IGPs and BGP
0:17:38	is a little bit different depending on which one we're talking about.
0:17:42	So, RIP, EIGRP, they're gonna use the address family configuration
0:17:47	to separate which routing table that we're talking about.
0:17:50	Where OSPF is gonna use separate process numbers.
0:17:54	So, if I have five different VRFs on the router
0:17:57	plus I have the global table.
0:17:59	If I were to use OSPF for all of them, it would mean that I would have 6 separate OSPF processes.
0:18:06	Whereas if I was to use EIGRP,
0:18:09	I would have just one global EIGRP process.
0:18:12	Then, I would specify under the address mode,
0:18:15	what is the particular VRF that that configuration belongs to.
0:18:18	Now, ideally, up to this point, we understand the details about how all of the IGPs work.
0:18:23	So, for the rest of the examples of Layer 3 VPNs,
0:18:26	we're not gonna talk about the general functions of OSPF versus EIGRP and RIP.
0:18:32	We're more gonna look at just some of the caveats
0:18:35	that now changed when we are running the VRF aware routing process.
0:18:39	And also how the IGPs now need to enhance their loop prevention
0:18:45	when we are redistributing the PE to CE protocol
0:18:50	into the MPLS network.
0:18:53	Because as we know, anytime that we're doing redistribution,
0:18:56	we're loosing the end-to-end visibility of the loop prevention mechanism of the protocol.
0:19:02	So, we do have the possibility to end up either a loop of the control plane,
0:19:06	which is the actual routing information,
0:19:09	or a loop in the data plane, where it looks like the routing table is stable,
0:19:13	but then, when we go to send traffic, it either goes into a black hole,
0:19:16	or it loops around the network over and over and over.
0:19:19	Now, technically, we could configure the entire network
0:19:23	with using the multi-VRF or the VRF light feature.
0:19:26	The difference is that with VF light,
0:19:29	we would have to do this on a hop-by-hop basis throughout the entire topology.
0:19:35	So, if we were to look at our diagram here,
0:19:37	and if I wanted to specify that switch and switch 3 have reachability to each other,
0:19:43	but also switch 2.
0:19:46	So, I want all three of these neighbors to be inside the same routing table.
0:19:50	To run this as VRF light,
0:19:52	we would essentially have to define VRF on router 4's connected interfaces.
0:19:58	On interface up to router 2,
0:20:01	from 2 to 4, 2 to 3, 3 to 5, and then, 5 down to switch 2.
0:20:11	So, this is the same as normal IP routing logic
0:20:13	that if switch 2 wants to send a packet to switch 4,
0:20:16	all of the devices in the transit path would have to have the routes to the destination.
0:20:21	Then, on the way back, it would have to have the routes back to the source.
0:20:26	So, in small implementations where you're trying to separate the traffic
0:20:31	from one portion of the network to a different one,
0:20:34	using VRF light is basically the same thing as having two sets of different physical routers,
0:20:39	or different physical networks.
0:20:42	But the advantage is that we're just splitting it logically within the same device.
0:20:46	So, we don't need two separate boxes to route to different portions of the network.
0:20:51	But from a service provider's point of view,
0:20:53	this is not gonna be feasible.
0:20:55	It would mean that for every router along the transit path of a particular customer,
0:21:00	we would have to maintain a separate set of either physical or logical interfaces
0:21:06	for that particular device.
0:21:09	So, in order to get away from this shortcoming of the VRF light,
0:21:13	MPLS VPNs are gonna take the logic of the customer routing separation
0:21:20	plus the MPLS tunnel logic,
0:21:23	and combine these together
0:21:25	to essentially get the functionality of both.
0:21:30	Now, in an MPLS Layer 3 VPN,
0:21:33	we'll see that between the provider edge and the customer edge,
0:21:37	we will do some sort of routing exchange
0:21:39	whether it's based on an IGP, based on BGP, or based on static routing.
0:21:45	Once the provider edge learns the route about the customer,
0:21:49	this is gonna be encoded into BGP as what's now known as the VPN version 4 route.
0:21:58	The VPNv4 route is made up of the IP prefix.
0:22:02	So, for example, 10.0.0.0/24,
0:22:06	and the route distinguisher.
0:22:09	The route distinguisher plus the prefix,
0:22:11	this is what makes the entire route unique throughout the entire MPLS network.
0:22:17	And the reason that we need to do this
0:22:20	is that since the VRFs are separate routing tables, we do have the potential design
0:22:24	where customers are overlapping their address space.
0:22:29	So, let's say that in our particular network,
0:22:32	we have four different VPNs that we're trying to define here.
0:22:35	We have VRFs A, B, C, and D.
0:22:37	If in VRF B,
0:22:41	this customer is using the same address space that VRF A is.
0:22:46	Let's say on switch 4, we have the address 10.0.0.0/24,
0:22:53	and BB1 has it's same prefix 10.0.0.0/24.
0:23:00	When this route is then advertised into the MPLS network,
0:23:04	these routers here are gonna have to figure out some way to make sure
0:23:07	that there are actually two separate destinations.
0:23:11	So, with VPNv4 routing, the actual prefix itself is not enough to keep the route unique.
0:23:18	Because we're allowing different customer that have overlapping address space.
0:23:22	This is what the route distinguisher is now for.
0:23:26	So, when we create the VRF table,
0:23:29	the route distinguisher we'll see this not say what VPN the route belongs to.
0:23:36	It's simply used to make the route unique to the MPLS network.
0:23:41	The actual VPN membership is gonna be controlled by a separate attribute,
0:23:45	which is known as the route target.
0:23:47	Router distinguisher, what we're doing
0:23:49	is taking the prefix, which in this case is 10.0.0.0/24.
0:23:56	and we're prepending the route distinguisher.
0:23:59	Let's say the route distinguisher is 100:200.
0:24:04	Then, for one of the other routes,
0:24:08	let's say the route that's coming from BB1,
0:24:09	we give it a separate route distinguisher of 300:400.
0:24:16	It's the same prefix though, 10.0.0.0/24.
0:24:20	Now, when we look at these in the BGP table,
0:24:23	100:200:10.0.0.0/24 is now a separate route than 300:400:10.0.0.0/24.
0:24:36	But again, this value, which is the route distinguisher,
0:24:39	it does not define the VPN membership.
0:24:42	It's used just to keep the route unique.
0:24:46	When the router goes to figure out what VRF we want to send the route into,
0:24:52	that's gonna be controlled by an additional BGP extended community that's known as the route target.
0:25:00	Now, this gets pretty confusing for a lot of people.
0:25:03	Simply based on the fact that the route distinguisher, and the route target,
0:25:07	they use the same numbering format.
0:25:10	Where they have the two digits that are separated by the colon,
0:25:15	and it can also be in IP address form. So, we could say, 1.2.3.4:100, or 1:100.
0:25:24	So, even though the distinguisher and the target are sharing the same format of the number,
0:25:30	they're technically unrelated values.
0:25:33	Now, we can have cases where different VPN sites use the same route distinguisher,
0:25:37	or they use different route distinguishers, it doesn't really matter.
0:25:42	As long as the route is unique, that's the only thing the distinguisher is doing.
0:25:47	Now, we will see that the route target is significant between the VPN sites.
0:25:54	Because generally, the ultimate goal
0:25:56	is that customer A is supposed to have reachability to customer A routes.
0:26:00	And customer B is supposed to have reachability to customer B routes.
0:26:05	The way that we do this
0:26:06	is that when a prefix is learned from the customer,
0:26:11	let's say VRF A on router 4
0:26:16	is learning routes that are coming in from switch 4.
0:26:19	So, specifically, these are coming in from the VRF aware RIP process.
0:26:25	When router 4 receives this in the VRF table,
0:26:27	we are gonna redistribute these into the BGP network.
0:26:31	When we do this, there's mainly two attributes that we care about that we're adding.
0:26:38	One is gonna be the route distinguisher,
0:26:41	which again is keeping the route unique.
0:26:43	The other one is the route target, or the RT.
0:26:47	When the route eventually gets to the other side,
0:26:50	so, in this case, router 5,
0:26:53	the route target value is gonna tell router 5,
0:26:56	"I wanna redistribute that particular BGP prefix back into this VRF table."
0:27:03	So, regardless of whether router 4 and 5 are using the same route distinguisher,
0:27:07	as long as they agree on what the route target policy is,
0:27:11	that's gonna control how the routes are installed in the different VRF tables.
0:27:17	Because technically, we'll see that the VRF itself is only locally significant.
0:27:20	It doesn't matter what the name is, it doesn't matter what interfaces it is assigned to.
0:27:25	It's the route target value
0:27:27	that is encoded as the BGP extended community
0:27:30	that controls what routing prefix gets into
0:27:34	after the route is advertised out to the MPLS network.
0:27:38	Now, in addition to the actual route
0:27:41	that's gonna be advertised through the MPLS network with BGP,
0:27:46	there's two other attributes that we need in the data plane
0:27:50	to figure out where the traffic is supposed to actually go.
0:27:54	So, the VPNv4 route, this is what controls how the routes are exchanged between the routing tables.
0:28:01	Then, we need to figure out, once the end host actually start to forward the traffic,
0:28:05	how do we know where the packets are supposed to go?
0:28:09	So, we can do the routing look-up based on the VPNv4 routes that's fine.
0:28:13	But when the traffic actually gets into the service provider core,
0:28:17	we know that they are only doing the switching based on the MPLS labels.
0:28:23	So now, we're gonna add an additional MPLS label that is known as the VPN label.
0:28:30	The VPN label is a value that is exchanged between the PE routers
0:28:36	through the multi-protocol BGP VPNv4 address family.
0:28:42	So, in our particular design,
0:28:45	there's basically only three routers that are gonna be running BGP.
0:28:49	Router 4, router 5, and router 6.
0:28:55	Now, we could configure route reflection here, or we could configure confederation, or full mesh.
0:29:00	It's the same logic of BGP rules that we're going to apply.
0:29:05	So, for simplicity, we're simply gonna do a full mesh of the config.
0:29:09	But the key point is that when router 4 sends a route to router 5
0:29:15	that is specific to the customer that is in VRF A,
0:29:21	we need to tell router 5 what label value is gonna be used
0:29:25	when the traffic is actually forwarded out to the MPLS network.
0:29:30	Now, we know that router 4 and 5 can reach each other based on their loopback addresses.
0:29:35	This is now what we consider the transport label.
0:29:40	The transport label is generally an IGP-derived label,
0:29:45	which means it's coming from LDP
0:29:49	that's used to route the traffic between the PE's loopbacks.
0:29:54	Now, it doesn't necessarily have to be the loopback,
0:29:58	but for the simplicity of the BGP peering, generally, that's what it's gonna be.
0:30:02	So, to avoid the problem that we saw before with the Pen Ultimate Pop Hopping problem,
0:30:07	generally, we're just gonna peer between the loopbacks,
0:30:09	and make sure that the loopback is a /32 route that's advertised into IGP.
0:30:16	So, as long as router 4, 5, and 6's loopbacks are advertised into IGP
0:30:21	plus their given LDP labels,
0:30:25	this is going to allow us to transport the VPN traffic over the service provider network.
0:30:29	So, this is what the transport label is used for.
0:30:33	Now, when the PE router actually receives the traffic from the other site,
0:30:38	so, let's say BB3 is trying to send traffic to switch 4.
0:30:42	The packet is sent to router 5.
0:30:45	5 puts the transport label on that says, "This is going towards router 4."
0:30:51	So, eventually, the packet gets towards router 4
0:30:54	based on the LDP label that we already knew about.
0:30:59	The problem now is that when router 4 receives the packet,
0:31:03	how does it know what particular VRF we need to send it to.
0:31:08	Now, if switch 4's address is 10.0.0.0/24,
0:31:15	how do we know that there's not gonna be that same address that's in another VRF?
0:31:22	Now, in the control plane, this is easy to keep track of,
0:31:25	because the route distinguisher is telling us the difference between the VRF A routes and the VRF B routes.
0:31:32	But the problem is this route distinguisher is encoded inside BGP.
0:31:37	It's not encoded in the actual data plane
0:31:39	when we're sending the packets between the source and the destination.
0:31:43	So, we need some additional way to signal to the PE router,
0:31:47	what's the actual VPN membership of the packet itself?
0:31:51	And this is what the VPN label is used to do.
0:31:55	So, in addition to the actual route
0:31:58	that is the VPNv4 route,
0:32:02	the BGP neighbors are going to exchange a label for every customer learned route.
0:32:09	And this is gonna happen when we redistribute the PE to CE protocol into multi-protocol BGP.
0:32:17	So, VPNv4 BGP actually has two separate jobs.
0:32:21	To get the routing information to the other side,
0:32:23	and to tell the remote PE router what's the label value you need to use inside
0:32:30	of the MPLS packet.
0:32:33	Now, when we look at the actual packet header format,
0:32:38	again, there's gonna be two separate label values that are being used.
0:32:42	So, if we were to visualize what the actual packet format looks like,
0:32:46	we're gonna have the payload that is IP...
0:32:50	Let's say this is TCP, and someone is trying to do web browsing.
0:32:54	So, we have our normal Layer 3 IP packet followed by whatever the payload is.
0:33:00	Then, we need to put the label values on top of it, the MPLS labels
0:33:05	that are gonna tell us how to get to the PEs.
0:33:08	This is what the transport label is.
0:33:15	So, the transport label is the outer label
0:33:17	that's basically saying,
0:33:20	"Which PE do I need to go to?"
0:33:25	Between the transport label and the actual payload
0:33:29	is the second label, which is the VPN label.
0:33:35	This is telling us...
0:33:38	which customer.
0:33:43	Because in reality, the customer is only locally significant to that individual PE.
0:33:47	So, the MPLS transit network in the middle, they don't care about what the VPN label is,
0:33:53	they only care about what the transport label is.
0:33:57	Once we can get the data packet to the PE,
0:34:00	they're gonna remove the transport label
0:34:03	and figure out how to route the packet based on the underlying VPN label.
0:34:08	Now, since we're already exchanging the routing information through multi-protocol BGP,
0:34:13	then, the VPN label is simply gonna be encoded along with that.
0:34:17	So, there's no additional configuration we need to do in order to generate the label.
0:34:22	As long as the routers are running the VPNv4 address family,
0:34:25	and they're exchanging the customer routes,
0:34:27	ultimately, then the VPN label value is going to be allocated.

Now Viewing

CCIE R&S Advanced Technologies Class v4.5
Title:	CCIE R&S Advanced Technologies Class v4.5
Duration:	81h 02m
The CCIE Routing & Switching Advanced Technologies Class is the first step in understanding CCIE level technologies and is a companion to the Advanced Technologies Lab Workbook. Each technology you need to know for the CCIE Routing & Switching lab will be described in detail using an instructor led hands on demonstration. The class consists of over 80 hours of in depth explanations and examples.
Get instant access to our entire library!
	Sign Up
Download this Course
$299.00	Add to Cart

MPLS Layer 3 VPNs Overview, VRF Lite

Create Bookmark