Mapping Model in MPLS VPNs

Similar Messages

• Managing Route-Map based MPLS VPN

  1) How to derive the VPN information of the MPLS VPN configured using route-maps? As I understand, stitching route-maps information to derive VPN is complex as it is difficult to derive & correlate the filters tied to each of the route-maps that are tied to a VRF :(
  2) Is there any MIB to get from the MIB
  a) Route-maps tied to each VRF
  b) What is the filter associated with each route-map?
  c) Definition of each of the above filter
  It would have been nice if the route-maps' name had global-significance within AS, so that we could have treated route-maps, pretty much like the route-tragets. Alas, I doubt it is :(
  It should be noted here that if the MPLS VPN is configured using route targets, the VPN information derivation is fairly straight forward throught MplsVpn MIB.
  So, the question is what is the simplest way to derive the MPLS VPN info given that they are configured using route-maps in BGP for labelled-route-distribution & for the pkt association with the VRFs.
  Thanks,
  Suresh R

  Each CE in a customer VPN is also added to the management VPN by selecting the Join the management VPN option in the service request user interface.
  The function of the management route map is to allow only the routes to the specific CE into the management VPN. The Cisco IOS supports only one export route map and one import route map per VRF.
  http://www.cisco.com/en/US/products/sw/netmgtsw/ps4748/products_user_guide_chapter09186a0080353ac3.html

• Filtering methods inside a VRF in MPLS VPN

  Hi,
  we have a network with MPLS VPN and several VRFs involved.
  Inside a certain VRF I need to avoid that two particular networks can talk to each other.
  Can you give me a hint of what can be a solution to implement this ?
  Thanks
  Regards
  Marco

  Hi Marco,
  To prevent connectivity between two networks where a MPLS VPN is involved you can apply the same methods as in a "normal" router network. Just think of the complete MPLS VPN (PE to PE) as being one big "router simulator".
  You could either implement ACLs on the interfaces connecting to the PE or filter routing updates between sites - depending on your topology. When filtering routing updates seems the way to go, you should also have a look into selective import or export. With the help of a route-map one can selectively insert single networks into a VPN by selectively attaching route-targets to BGP updates.
  Regards, Martin

• MPLS VPNs - Latency

  Hello All,
  I have a MPLS VPN setup for one of my sites. We have a 10M pipe (Ethernet handoff) from the MPLS SP, and it is divided into 3 VRFs.
  6M - Corp traffic
  2M - VRF1
  2M - VRF2
  The users are facing lot of slowness while trying to access application on VRF1. I can see the utilization on the VRF1 is almost 60% of it's total capacity (2M). Yesterday when trying to ping across to the VRF1 Peer in the MPLS cloud, I was getting a Max response time of 930ms.
  xxxxx#sh int FastEthernet0/3/0.1221
  FastEthernet0/3/0.1221 is up, line protocol is up
    Hardware is FastEthernet, address is 503d.e531.f9ed (bia 503d.e531.f9ed)
    Description: xxxxx
    Internet address is x.x.x.x/30
    MTU 1500 bytes, BW 2000 Kbit, DLY 1000 usec,
       reliability 255/255, txload 71/255, rxload 151/255
    Encapsulation 802.1Q Virtual LAN, Vlan ID  1221.
    ARP type: ARPA, ARP Timeout 04:00:00
    Last clearing of "show interface" counters never
  I also see a lot of Output drops on the physical interface Fa0/3/0. Before going to the service provider, can you please tell me if this can be an issue with the way QoS is configured on these VRFs?
  xxxxxxx#sh int FastEthernet0/3/0 | inc drops
    Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 3665
  Appreciate your help.
  Thanks
  Mikey

  Hi Kishore,
  Thanks for the clarification. Let me speak to the service provider and see if we can sort out the Output drops issue.
  I had a few more queries.
  1) Will output drops also contribute to the latency here?
  2) The show int fa0/3/0.1221 output below only shows the load on the physical interface (fa0/3/0) and not of that particuar interface.Right?
  xxxxxx#sh int fa0/3/0.1221 | inc load
       reliability 255/255, txload 49/255, rxload 94/255
  xxxxx#sh int fa0/3/0 | inc load
       reliability 255/255, txload 49/255, rxload 94/255
  I can try and enable IP accounting on that sub-interface (VRF) and see the load. Thoughts?
  3) As you said, if the 2M gets maxed out I would see latency as the shaper is getting fully utilized. But I don't see that on the interface load as mentioned above? I have pasted the ping response during the time load output was taken. I can;t read much into the policy map output, but does it talk anything about 2M being fully utilized and hence packets getting dropped.
  xxxxxxx#ping vrf ABC x.x.x.x re 1000
  Type escape sequence to abort.
  Sending 1000, 100-byte ICMP Echos to x.x.x.x, timeout is 2 seconds:
  Success rate is 99 percent (997/1000), round-trip min/avg/max = 12/216/1972 ms
  xxxx#sh policy-map interface fa0/3/0.1221
  FastEthernet0/3/0.1221
    Service-policy output: ABC
      Class-map: class-default (match-any)
        114998 packets, 36909265 bytes
        5 minute offered rate 11000 bps, drop rate 0 bps
        Match: any
        Traffic Shaping
             Target/Average   Byte   Sustain   Excess    Interval  Increment
               Rate           Limit  bits/int  bits/int  (ms)      (bytes)
            2000000/2000000   12500  50000     50000     25        6250
          Adapt  Queue     Packets   Bytes     Packets   Bytes     Shaping
          Active Depth                         Delayed   Delayed   Active
          -      0         114998    36909265  1667      2329112   no
  Thanks
  Mikey

• IP Precedence vs DSCP in MPLS VPN

  Hi there,
  From my reading through Cisco website, I noticed that most of implementation suggested to use DSCP values and sometimes use IP Precedence in CE/PE class-map for classfication and markings.
  What is the most appropriate or maybe best practise to configure by using IP Precedence or DSCP? Is there any difference in terms of providing QoS especially in MPLS VPN enviroment?
  Thanks.
  maher

  Hi Maher,
  DiffServ offers you the advantage of a 6-bit field so that you can offer much more granular QoS. IP Precedence only offers you 3 bits so that the QoS offered is fairly coarse. These days, most implementations would be using DSCP for that reason.
  Within an MPLS core, the QoS setting is carried within the EXP field, which is a 3-bit field. Therefore, even if you use 6-bits for DSCP at the edge, you will end up having to map those 6-bits into 3-bits for carriage across the MPLS network. That is not a problem, however. You are bound to get more congestion at the edges so you need more granular QoS markings there. The core of a network is unlikely to be congested so 3 bits of QoS marking is sufficient.
  Hope that helps - pls rate the post if it does.
  Paresh

• Multihoming Primary/Backup PE MPLS VPN

  Hi there,
  I kind of stuck of implementing and configuring Primary/Backup scenario for MPLS VPN enviroment.
  Currently, only singe CE router connected to 2 PE router, Primary PE and Backup PE in the same POP.
  PE-CE IGP is running OSPF. On CE router prespective, how do I achieve primary/backup scenario and on other remote PE, how does MPLS VPN cloud noticed that there is Primary and Backup PE towords this CE router?
  Any configuration or sample out there? Appreciate for the help.
  regards,
  maher

  Hello Maher,
  I would try to set the interface metric to a higher value for the backup PE. With OSPF->BGP redistribution you should then get a higher MED in BGP making the path less preferable. Example:
  interface Serial0/0
  description to primary PE
  ip ospf cost 100
  interface Serial0/1
  description to backup PE
  ip ospf cost 1000
  Alternatively you could modify the MED while redistributiing into BGP:
  router bgp 65000
  address-family ipv4 vrf VRFname
  redistribute ospf 123 vrf VRFname match internal external route-map OSPF2BGP
  route-map OSPF2BGP permit 10
  set metric 10000
  Hope this helps! Please rate all posts.
  Regards, Martin

• Performance end to end testing and comparison between MPLS VPN and VPLS VPN

  Hi,
  I am student of MSc Network Security and as for my project which is " Comparison between MPLS L3 VPN and VPLS VPN, performance monitoring by end to end testing " I have heard a lot of buzz about VPLS as becoming NGN, I wanted to exppore that and produce a comparison report of which technology is better. To accomplish this I am using GNS3, with respect to the MPLS L3 VPN lab setup that is not a problem but I am stuck at the VPLS part how to setup that ? I have searched but unable to find any cost effective mean, even it is not possible in the university lab as we dont have 7600 series
  I would appreciate any support, guidence, advice.
  Thanks
  Shahbaz

  Hi Shahbaz,
  I am not completely sure I understand your request.
  MPLS VPN and VPLS are 2 technologies meant to address to different needs, L3 VPN as opposed as L2 VPN. Not completely sure how you would compare them in terms of performance. Would you compare the performance of a F1 racing car with a Rally racing car?
  From the ISP point of view there is little difference (if we don't want to consider the specific inherent peculiarities of each technology) , as in the very basic scenarios we can boil down to the following basic operations for both:
  Ingress PE impose 2 labels (at least)
  Core Ps swap top most MPLS label
  Egress PE removes last label exposing underlying packet or frame.
  So whether the LSRs deal with underlying L2 frames or L3 IP packets there is no real difference in terms of performance (actually the P routers don't even notice any difference).
  About simulators, I am not aware of anyone able to simulate a L2 VPN (AtoM or VPLS).
  Riccardo

• Centralize internet access in MPLS VPN

  Can i implement Centralize internet access (the Hub CE Router to performs NAT) in cisco MPLS VPN solution?
  If so, is there any example about that? i can't find it at CCO~
  Thanks a lot~

  If you run dynamic routing protocol in PE-CE,like rip2,ospf,bgp,do the following task.
  1:set a default route in HUB CE;and generate the default route under its dynamic protocol.
  2:in other CEs, make sure they can learn this route.
  If you run static route and vrf static route between CE and PE,do the following task.
  1.set default route in HUB CE, and set default route in other CEs.
  2.In all PEs,redistribute the connected and static rotues to address-family ipv4 of customer vrf.
  3.set the customer vrf default route in all PE which connected your all CEs.
  Note: make sure all PEs can reach the GW address of vrf deafult route. GW IP address is the interface of which HUB CE towards PE.
  command: "ip route vrf 0.0.0.0 0.0.0.0 global.
  TRY

• Problem when mapping  model attribute to dropdownbyindex

  HI
  I am mapping model attribute ( this is mapped to Model field of RFC ) to DropDownbyIndex.
  Once i call BAPI the executed list of values populates into dropdown but it doesn't show first value, instead it puts one extra space in dropdown ( 1 blank by default + 1), when we try to select this blank value it gives error.
  Pl help me solving this issue
  Thanks!

  Hi Ravindra,
  It might be write the all code in BAPI side only.
  After writing the bapi code u can retrive thru only DropdownbyIndex.
  What ever u created means Cusomecontroller or component controller in init() method u created BAPI instance and send input to the BAPI.
  When you setting the paramaeters in init() megtod
  U can do like this.
  bapi input = nwe bapi();
  input.setparametername("firstparameter displaying onthedropdownbox");
  for example
  input.setDoc_type("orders");
  add like this.
  Hope this will help
  nageswara.

• Selective Route Import/Export in MPLS VPN

  Champs
  I have multiple brach locations and 3 DC locations.DC locations host my internal applications , DC's  also have central Internet breakout for the region. My requirement is to have full mesh MPLS-VPN but at same time brach location Internet access should be from nearest IDC in the region  if nearest IDC is not availalbe it should go to second nearest DC for internet.I have decided which are primary and seconday DC for Internet breakout. How can this be achieved in MPLS-VPN scenario.Logically i feel , i have to announce specific LAN subnet and default route(with different BGP attribute like AS Path)  from all 3 DCs. Spokes in the specific region should be able to import default route  from primary DC and secondary DCs only  using some route filter?
  Regards
  V

  Hello Aaron,
  the route example works for all routers except the one, where the VRF vpn2 is configured. What you can do for management purposes is either to connect through a neighbor router using packet leaking or configure another Loopback into VRF vpn2.
  The last option (and my recommendation) is to establish another separate IP connection from your NMS to the MPLS core. Once VRFs are failing (for whatever reason, f.e. erroneously deleted) you might just not get connectivity to your backbone anymore to repair what went wrong.
  So I would create an "interconnection router" with an interface in the VRF vpn2 and one interface in global IP routing table. This way you will still be able to access PEs, even if VRFs or MBGP is gone.
  Hope this helps! Please rate all posts.
  Regards, Martin

• Ask the Expert:Concepts, Configuration and Troubleshooting Layer 2 MPLS VPN – Any Transport over MPLS (AToM)

  With Vignesh R. P.
  Welcome to the Cisco Support Community Ask the Expert conversation.This is an opportunity to learn and ask questions about  concept, configuration and troubleshooting Layer 2 MPLS VPN - Any Transport over MPLS (AToM) with Vignesh R. P.
  Cisco Any Transport over MPLS (AToM) is a solution for transporting Layer 2 packets over an MPLS backbone. It enables Service Providers to supply connectivity between customer sites with existing data link layer (Layer 2) networks via a single, integrated, packet-based network infrastructure: a Cisco MPLS network. Instead of using separate networks with network management environments, service providers can deliver Layer 2 connections over an MPLS backbone. AToM provides a common framework to encapsulate and transport supported Layer 2 traffic types over an MPLS network core.
  Vignesh R. P. is a customer support engineer in the Cisco High Touch Technical Support center in Bangalore, India, supporting Cisco's major service provider customers in routing and MPLS technologies. His areas of expertise include routing, switching, and MPLS. Previously at Cisco he worked as a network consulting engineer for enterprise customers. He has been in the networking industry for 8 years and holds CCIE certification in the Routing & Switching and Service Provider tracks.
  Remember to use the rating system to let Vignesh know if you have received an adequate response. 
  Vignesh might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the  Service Provider sub-community discussion forum shortly after the event. This event lasts through through September 21, 2012. Visit this forum often to view responses to your questions and the questions of other community members.

  Hi Tenaro,
  AToM stands for Any Transport over MPLS and it is Cisco's terminology used for Layer 2 MPLS VPN or Virtual Private Wire Service. It is basically a Layer 2 Point-to-Point Service. AToM basically supports various Layer 2 protocols like Ethernet, HDLC, PPP, ATM and Frame Relay.
  The customer routers interconnect with the service provider routers at Layer 2. AToM eliminates the need for the legacy network from the service provider carrying these kinds of traffic and integrates this service into the MPLS network that already transports the MPLS VPN traffic.
  AToM is an open standards-based architecture that uses the label switching architecture of MPLS and can be integrated into any network that is running MPLS. The advantage to the customer is that they do not need to change anything. Their routers that are connecting to the service provider routers can still use the same Layer 2 encapsulation type as before and do not need to run an IP routing protocol to the provider edge routers as in the MPLS VPN solution.
  The service provider does not need to change anything on the provider (P) routers in the core of the MPLS network. The intelligence to support AToM sits entirely on the PE routers. The core label switching routers (LSRs) only switch labeled packets, whereas the edge LSRs impose and dispose of labels on the Layer 2 frames.
  Whereas pseudowire is a connection between the PE routers and emulates a wire that is carrying Layer 2 frames. Pseudowires use tunneling. The Layer 2 frames are encapsulated into a labeled (MPLS) packet. The result is that the specific Layer 2 service—its operation and characteristics—is emulated across a Packet Switched Network.
  Another technology that more or less achieves the result of AToM is L2TPV3. In the case of L2TPV3 Layer 2 frames are encapsulated into an IP packet instead of a labelled MPLS packet.
  Hope the above explanation helps you. Kindly revert incase of further clarification required.
  Thanks & Regards,
  Vignesh R P

• GRE with VRF on MPLS/VPN

  Hi.
  Backbone network is running MPLS/VPN.
  I have one VRF (VRF-A) for client VPN network.
  One requirement is to configure another VRF (VRF-B) for this client for a separate public VRF connection.
  Sub-interfacing not allowed on CE-to-PE due to access provider limitation.
  So GRE is our option.
  CE config:
  Note: CE is running on global. VRF-A is configured at PE.
  But will add VRF-B here for the  requirement.
  interface Tunnel0
    ip vrf forwarding VRF-B
  ip address 10.12.25.22 255.255.255.252
  tunnel source GigabitEthernet0/1
  tunnel destination 10.12.0.133
  PE1 config:
  interface Tunnel0
  ip vrf forwarding VRF-B
  ip address 10.12.25.21 255.255.255.252
  tunnel source Loopback133
  tunnel destination 10.12.26.54
  tunnel vrf VRF-A
  Tunnel works and can ping point-to-point IP address.
  CE LAN IP for VRF-B  is configured as static route at PE1
  PE1:
  ip route vrf VRF-B 192.168.96.0 255.255.255.0 Tunnel0 10.12.25.22
  But from PE2 which is directly connected to PE1 (MPLS/LDP running), connectivity doesnt works.
  From PE2:
  - I can ping tunnel0 interface of PE1
  - I cant ping tunnel0 interface of CE
  Routing is all good and present in the routing table.
  From CE:
  - I can ping any VRF-B loopback interface of PE1
  - But not VRF-B loopback interfaces PE2 (even if routing is all good)
  PE1/PE2 are 7600 SRC3/SRD6.
  Any problem with 7600 on this?
  Need comments/suggestions.

  Hi Allan,
  what is running between PE1 and PE2 ( what I mean is any routing protocol).
  If No, then PE2 has no ways of knowing GRE tunnel IP prefixes and hence I suppose those will not be in its CEF table...
  If Yes, then check are those Prefixes available in LDP table...
  Regards,
  Smitesh

• Redundant access from MPLS VPN to global routing table

  Several our customers have MPLS VPNs deployed over our infrastructure. Part of them requires access to Internet (global routing table in our case).
  As I'm not aware of any methods how to dynamicaly import/export routes between VRF/Global routing tables, at the moment there are static routes configured - one inside VRF pointing to global next hop, another one in global routing table, pointing to interface inside VRF.
  Task is to configure redundant access to Internet. By redundancy I mean using several exit points (primary and backup), what physically represents separate boxes.
  Here comes tricky part - both global static routes (on both boxes, meaning) are valid and reachable in all cases - no matter if specific prefix is reachable in VRF or not. What I'd like to achieve is that specific static route becomes valid only if specific prefix is reachable inside VRF. Yea, sounds like dynamic routing :), I know
  OK, hope U got the idea. Any solutions/recommendations ? Running all Internet routing inside VRF isn't an option, at least for now :(

  Hi Andris,
  I did not mean to have a VRF on the CE. The CE would have both PVCs in the global routing table - his ONLY routing table in fact. One PVC would be used to announce routes into the customer specific VPN (VRF configured on the PE). The other PVC would allow for internet access through the PE (global IP routing table on the PE).
  dot1q will be ok as well.
  This way the CE can be a normal BGP peer to the PE, i.e. there is no MPLS VPN involved here. This allows all options of customer-ISP connectivity.
  Example:
  PE config:
  interface Serial0/0
  encapsulation frame-relay
  interface Serial0/0.1 point-to-point
  description customer VPN access
  ip vrf customer
  ip address 10.1.1.1 255.255.255.252
  interface Serial0/0.2 point-to-point
  description customer Internet access
  ip address 192.168.1.1 255.255.255.252
  router rip
  address-family ipv4 vrf customer
  version 2
  network 10.0.0.0
  no auto-summary
  redistribute bgp 65000 metric 5
  router bgp 65000
  neighbor 192.168.1.2 remote-as 65001
  address-family ipv4 vrf customer
  redistribute rip
  CE config:
  interface Serial0/0
  encapsulation frame-relay
  interface Serial0.1 point-to-point
  description VPN access
  ip address 10.1.1.2 255.255.255.252
  interface Serial0.2 point-to-point
  description Internet access
  ip address 192.168.1.2 255.255.255.252
  router bgp 65001
  neighbor 192.168.1.1 remote-as 65000
  router rip
  version 2
  network 10.0.0.0
  no auto-summary
  Of course you can replace RIP with whatever is suitable for you. And don´t sue me when you do not apply required BGP filters for internet access... ;-)
  The other option ("mini internet") would be feasible as well. Just make sure your BGP filters are NEVER messed up and additionally apply a limit on the numbers of prefixes in your VRF mini-internet.
  Regards
  Martin

• Overlapping addresses in MPLS VPN

  I know that you can have overlapping addresses in a MPLS VPN and that route distiguisher is used for distiguishing them, by converting IPv4 to VPNv4.
  My question is that if an IP range of a Branch A overlapps with IP range of branch B of the same VPN, How could a host in Branch A ping any host in Branch B, if they are in a same subnet? I mean, how could the router (CE) know to forward it to PE ? if the range is directly connected (to CE).
  I will apreciate any help

  Within a VPN the normal IP routing rules apply, eg. if you have 2 networks that overlap within a VPN you need to use NAT in one of the CE routers.
  Hth,
  Niels

• How can I find the all path available for a MPLS VPN in SP network

  How can I find the all path available for a MPLS VPN in SP network between PE to PE and CE to CE?

  Hi There
  If we need to find all the available paths for a remote CE from a local PE it will depend upon whether its a RR or non-RR design. If the MP-iBGP deisgn is non-RR  the below vrf specific command
  sh ip bgp vpnv4 vrf "vrf_name"  will show us the MP-iBGP RT for that particular VPN. It will show us the next hop. Checking the route for same in the Global RT will show us the path(s) available for same ( load-balancing considered) .Then we can do a trace using the Local PE MP-iBGP loopback as source to remote PE's MP-iBGP loopback to get the physical Hops involved.
  However if the design is RR-based there might be complications involved when the RR is in the forwarding path ie we have NHS being set to RR-MP-iBGP loopback and the  trace using the Local PE MP-iBGP loopback as source to remote PE's MP-iBGP loopback will get us the physical Hops involved.
  If we have redundant RRs being used with NHS being set then the output of sh ip bgp vpnv4 vrf "vrf_name" will show us two different available paths for the remote CE destination but just one being used.
  RR-based design with no NHS being used will always to cater to single path for the remote CE detsination.
  So in any case the actual path used for the remote CE connectivity would be a single unless we are using load-balancing.
  Hope this helps you a bit on your requirement
  Thanks & Regards
  Vaibhava Varma