MPLS L3 VPNs

I need to implement Hub and Spoke MPLS L3 VPN. Scenario is we are
implementing 30 VPNs on one Router i.e. 10720 in single VRF and with same
RD. How can I implement Hub and Spoke in this case?

When you want to have an MPLS/VPN hub and spoke topology, the HUB-PE router will need to have 2 VRFs. One which we can call 'from-spokes' and another 'to-spokes'. In the first one, we will have the routes that are being received from the spokes. In the other one, we will have the routes that will be advertised to the spokes; in this one we will certainly NOT have the routes to the other spokes. The HUB-PE needs to have 2 interfaces or sub-interfaces connected towards the CE site. One interface will be in the "from-spokes" VRF and the other one will be in the "to-spokes" VRF. That way the traffic coming from one spoke will always go to the CE via one VRF interface, then come back from the CE via the other VRF interface and be sent out towards the other spoke. This is the general overview of a hub-spoke MPLS VPN topology.

Similar Messages

  • MPLS IP-VPN compatibility

    Hi, we've lots of members running on 2 Cisco 2611 with HA configured (HSRP, ISDN backup, etc). There are 2 scenarios here as follows:
    i. 2 units of 2611 routers with each 2611 have a dedicated LL, one connected to HQ, the other connected to DR.
    ii. 2 units of 2611 routers with only one have a dedicated LL, the other provide ISDN DDR when the LL on the other failed.
    iii. 1 unit of 2611 routers with trunking to a 2950 switch, have a dedicated LL and ISDN DDR.
    For the first scenario, when the members have 2 dedicated LLs, normally they are from different telco providers. Now there's one single telco offering us the chance to upgrade to MPLS IP-VPN at an interesting rate. What I'm wondering is, can it work that way?
    I have my 6509s with Sup720 at both HQ and DR, and I have had a good vendor all the while. If part of the members start to accept the MPLS-VPN, is there any integration problem? Will the HA configuration still work?
    The thing that worries me most is the core layer part, since the members get the route through route redistribution from the core router in EIGRP, and the ISDN DDR will redistribute the static when the ISDN is active. How does MPLS fit into my network?

    Hello,
    In principle everything can work. The design in question has one leased line (or ISDN) to the HQ and another path through an MPLS VPN. The issue you will have to deal with is to carefully design your dynamic routing. In case you have EIGRP, then an internal route will always be preferred over an external route. It is most likely to get external routes through the MPLS VPN - depending on implementation details.
    Thus you might have the problem of proper primary/backup path selection and also with routing loops. The underlying reason for both is the redistribution in MP-BGP at the MPLS PE router.
    You need to get more details on the implementation in the SP network to avoid any pitfalls. EIGRP supports backdoors in an MPLS VPN environment, but the question is, whether your telco does as well.
    So it might work, but careful routing design is a must and involves you and the telco. HA is still possible, ISDN backup is possible as well. Depending on your specific implementation details you might need some route tagging and redistribution filters implemented by yourself or the telco to avoid the aforementioned problems.
    Hope this helps! Please rate all posts.
    Regards, Martin

  • Mpls and Vpn

    Would like to know if you can specify a general static route with MPLS. I have three sites in a hub and spoke. Spoke A is linked to the hub site via a site VPN to a hub site ISR. Spoke B is linked to the hub via MPLS to a standalone MPLS ISR. I can't get from spoke A to B and from spoke B to A. The MPLS ISP tells me that I cannot do this because spoke A's local subnet is not part of the MPLS peering (and is on another ISP). Don't have a lot of familiarity with MPLS, but I am wondering why you cannot do a static route of the form: ip route <spoke A lan> <mask> <hub site isr> in either of the MPLS ISRs?

    Hi,
    So:
    B --- mpls ----- HUB ---- vpn ---- A.
    HUB connects to A and B, right?
    I do not see any problem in doing a static route like you said on the client VRF (client from the ISP's point of view).
    Maybe they are afraid of backdoor route on the mpls (not the case) or there are some conflicts between mpls management ip addressing and spoke A lan.
    I have various similar configurations in mpls with static routes, ospf , rip and bgp without any problems and using different isps.
    Ask your MPLS ISP what the reason is for not creating that static. Instead you can ask them to make a default to a router in your management.
    Regards,
    Pedro Lereno

  • MPLS L2 VPN

    Hi,
    What is an L2 MPLS VPN and how do I configure it end-to-end? What are the differences from an L3 VPN?
    What is VRF lite and what are the pros/cons of it?
    Br/Subhojit

    In an MPLS L3 VPN the service provider carries the routes for the customer. The network is not transparent, meaning that layer 2 traffic such as broadcast and control plane traffic like CDP/LACP/STP etc. is not carried for the customer.
    There are different L2 VPNs such as Ethernet over MPLS (EoMPLS) and Virtual Private LAN Service (VPLS).
    EoMPLS is a point-to-point layer 2 service which does no MAC learning and it is transparent to the customer, meaning that the customer can connect two switches together over the "cloud".
    VPLS is a multipoint to multipoint technology. Essentially to the customer the provider network looks like a big switch. Several sites can be connected together and traffic here is also transparent.
    Because these are layer 2 services the customer would be responsible themselves for providing routing in the network.
    VRF lite is a form of L3 VPN but it's not running MPLS. Instead it uses VLANs to separate customer traffic. The cons are that it requires more configuration, is less scalable and needs peering in multiple VRFs compared to just peering in the VPNv4 address family.
    Daniel Dib
    CCIE #37149
    Please rate helpful posts.

  • Could MPLS L3 VPN forward packet which CE configure VRF Lite?

    Or does anyone have a lab for my test? Please share.
    Diagram:
    vrf lite - mplsl3 vpn - vrf lite
    Will it have any change on mpls l3vpn configuration?
    Thank you very much.

    I tested a lab following this document and it works. I tested with static routes and OSPF and it works. Now I'm testing with BGP routes. I found the PE doesn't send the BGP routes from the other sites to the CE. What should I do?
    Topology:
    BGP vrf lite (vrf v11) CE1 - BGP - MPLS L3VPN (vrf v1) PE1 - PE2 (vrf v1) MPLS L3VPN - BGP - CE2 (vrf v11) vrf lite BGP
    PE1#sho ip rou vrf v1
    Gateway of last resort is not set
    B    10.0.252.1/32 [200/0] via 10.0.0.11 (nexthop in vrf default), 1d22h
    B    10.0.252.2/32 [200/0] via 10.0.0.14 (nexthop in vrf default), 1d22h
    L    10.0.252.3/32 is directly connected, 1d22h, Loopback101
    B    38.0.0.0/24 [200/0] via 10.0.0.11 (nexthop in vrf default), 1d04h
    B    39.0.0.0/24 [200/0] via 10.0.0.14 (nexthop in vrf default), 05:13:07
    B    40.0.0.0/24 [200/0] via 10.0.0.11 (nexthop in vrf default), 1d04h
    C    41.0.0.0/24 is directly connected, 1d22h, GigabitEthernet0/0/1/2.14
    L    41.0.0.3/32 is directly connected, 1d22h, GigabitEthernet0/0/1/2.14
    B    208.0.0.0/24 [200/0] via 10.0.0.11 (nexthop in vrf default), 00:06:55
    B    209.0.0.0/24 [200/0] via 10.0.0.14 (nexthop in vrf default), 00:08:14
    B    210.0.0.0/24 [20/0] via 41.0.0.8, 00:11:17
    CE1#sho ip bgp vpnv4 vrf v11
    BGP table version is 23, local router ID is 172.16.30.5
       Network          Next Hop            Metric LocPrf Weight Path
    Route Distinguisher: 800:1 (default for vrf v11)
    *> 10.0.252.1/32    41.0.0.3                               0 18252 ?
    *> 10.0.252.2/32    41.0.0.3                               0 18252 ?
    *> 10.0.252.3/32    41.0.0.3                 0             0 18252 ?
    *> 38.0.0.0/24      41.0.0.3                               0 18252 ?
    *> 39.0.0.0/24      41.0.0.3                               0 18252 ?
    *> 40.0.0.0/24      41.0.0.3                               0 18252 ?
    r> 41.0.0.0/24      41.0.0.3                 0             0 18252 ?
    *> 210.0.0.0        0.0.0.0                  0         32768 i
    CE1#

  • MPLS using VPN and ISIS

    I am looking for a good description of MPLS/VPN; we want to use ISIS and BGP as routing protocols.
    What we also need is a detailed description of a configuration example.
    Can you provide such information?

    Detailed information can be found at the following (within these URLs, there are several links to understand and configure MPLS/VPN with ISIS or BGP):
    MPLS http://www.cisco.com/warp/customer/105/mpls_index.shtml
    ISIS
    http://www.cisco.com/warp/customer/97/index.shtml
    BGP
    http://www.cisco.com/warp/customer/459/18.html

  • Load balance between MPLS and VPN

    Dear All
    There are two locations, site A and site B. I am confused with it. Can anyone help me to understand it? Sites A and B are connected with two paths. One is MPLS and another is VPN over the internet. We want MPLS as the primary path and L2L VPN as backup. Only when the primary path is down can the VPN be used. How can we configure it? Can you give me a suggestion, or a link? Thank you.

    Hello yangfrank,
    You can set this up with a floating static using tracking with IP SLA.
    Your primary route will be via MPLS:
    ! primary default route via MPLS; withdrawn from the RIB when track 1 goes down
    ip route 0.0.0.0 0.0.0.0 x.x.x.x track 1
    ! floating static via VPN with AD 10; only installed while the primary is absent
    ip route 0.0.0.0 0.0.0.0 y.y.y.y 10
    ! probe a target reachable only over the MPLS path, sourced from the MPLS interface
    ip sla 1
     icmp-echo z.z.z.z source-interface gix/x
    ip sla schedule 1 life forever start-time now
    track 1 ip sla 1 reachability
    here are examples:
    http://networklessons.com/ip-routing/reliable-static-routing-with-ip-sla/
    http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/813-cisco-router-ipsla-basic.html
    hope this helps

  • MPLS L3 VPN

    Need to implement HUB and SPOKE topology while all customers are on same PE 10720, same VRF and same RD as directly connected. One directly connected site should act as HUB and all other sites are SPOKES and requirement is that SPOKES can not communicate with each other.

    Hi,
    you need to create a VRF per SPOKE and one for the Hub. Example config excerpt:
    ip vrf Hub
     rd 65000:1
     route-target export 65000:1
     route-target import 65000:2
    !
    ip vrf SPOKE1
     rd 65000:101
     route-target export 65000:2
     route-target import 65000:1
    !
    ip vrf SPOKE2
     rd 65000:102
     route-target export 65000:2
     route-target import 65000:1
    !
    interface Serial1/0
     description to Hub
     ip vrf forwarding Hub
     ip address 10.1.1.1 255.255.255.252
    !
    interface Serial1/1
     description to SPOKE1
     ip vrf forwarding SPOKE1
     ip address 10.1.101.1 255.255.255.252
    !
    interface Serial1/2
     description to SPOKE2
     ip vrf forwarding SPOKE2
     ip address 10.1.102.1 255.255.255.252
    Your naming, IP addresses etc. may be different. The main point here is: no SPOKE will import any route from another SPOKE, only from the Hub site. Thus spokes do not get connectivity to each other. The hub site imports all spoke routes, thus can connect everywhere.
    What is missing in the example above is the respective routing contexts for each VRF. You are free to choose appropriate protocols on a per VRF basis and redistribute them into MP-BGP.
    Hope this helps! Please rate all posts.
    Regards, Martin
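
The route-target logic behind both hub-and-spoke answers on this page (the two-VRF hub PE at the top and Martin's per-spoke VRF excerpt above) can be checked before anything is pushed. The following is an added example, not code from the thread: it models the RD and route-target values from Martin's excerpt, computes which VPNv4 routes each VRF would import, and compares that with the any-to-any starting point from the question. The site prefixes, the any-to-any case and all function names are this example's own assumptions.

```python
"""Route-target policy checker for an MPLS L3VPN hub-and-spoke design.

Added example, not code from the thread. RD/RT values follow Martin's
excerpt; site prefixes, helper names and the any-to-any case are assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class Vrf:
    name: str
    rd: str
    export_rts: frozenset      # RTs attached to routes this VRF originates
    import_rts: frozenset      # a route is imported if any of its RTs is here
    prefixes: set = field(default_factory=set)  # routes learned from the CE


def vpnv4_table(vrfs):
    """VPNv4 routes as the PE advertises them: (RD:prefix, RTs, origin VRF).
    Only locally originated routes are exported. Routes a VRF merely imported
    keep their original RTs and are not re-tagged, which is the default PE
    behaviour this design relies on."""
    return [(f"{v.rd}:{p}", v.export_rts, v.name)
            for v in vrfs for p in sorted(v.prefixes)]


def reachability(vrfs):
    """Map each VRF name to the set of other VRFs whose routes it imports."""
    table = vpnv4_table(vrfs)
    return {v.name: {origin for _, rts, origin in table
                     if origin != v.name and rts & v.import_rts}
            for v in vrfs}


def spokes_isolated(vrfs, hub):
    """True when every spoke sees only the hub and the hub sees every spoke."""
    reach = reachability(vrfs)
    spokes = {v.name for v in vrfs if v.name != hub}
    if reach[hub] != spokes:
        return False
    return all(reach[s] == {hub} for s in spokes)


def hub_and_spoke():
    """Martin's design: hub exports 65000:1 / imports 65000:2, spokes the reverse."""
    return [
        Vrf("Hub", "65000:1", frozenset({"65000:1"}), frozenset({"65000:2"}),
            {"10.10.0.0/24"}),
        Vrf("SPOKE1", "65000:101", frozenset({"65000:2"}), frozenset({"65000:1"}),
            {"10.101.0.0/24"}),
        Vrf("SPOKE2", "65000:102", frozenset({"65000:2"}), frozenset({"65000:1"}),
            {"10.102.0.0/24"}),
    ]


def any_to_any():
    """The starting point from the question: one RD and one RT shared by every
    site, so each VRF imports every other site's routes (full mesh)."""
    rt = frozenset({"65000:1"})
    return [Vrf(n, "65000:1", rt, rt, {p}) for n, p in [
        ("Hub", "10.10.0.0/24"),
        ("SPOKE1", "10.101.0.0/24"),
        ("SPOKE2", "10.102.0.0/24")]]


if __name__ == "__main__":
    for label, design in (("hub-and-spoke", hub_and_spoke()),
                          ("any-to-any", any_to_any())):
        print(label, reachability(design), "isolated:",
              spokes_isolated(design, "Hub"))
```

Adding a new spoke VRF with the same export/import pair keeps the check green, while giving any spoke an import of 65000:2 immediately fails it.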

  • Performance end to end testing and comparison between MPLS VPN and VPLS VPN

    Hi,
    I am a student of MSc Network Security and for my project, which is "Comparison between MPLS L3 VPN and VPLS VPN, performance monitoring by end to end testing", I have heard a lot of buzz about VPLS becoming NGN. I wanted to explore that and produce a comparison report of which technology is better. To accomplish this I am using GNS3; with respect to the MPLS L3 VPN lab setup that is not a problem, but I am stuck at the VPLS part: how to set that up? I have searched but am unable to find any cost effective means; it is not even possible in the university lab as we don't have the 7600 series.
    I would appreciate any support, guidance, advice.
    Thanks
    Shahbaz

    Hi Shahbaz,
    I am not completely sure I understand your request.
    MPLS VPN and VPLS are 2 technologies meant to address two different needs, L3 VPN as opposed to L2 VPN. Not completely sure how you would compare them in terms of performance. Would you compare the performance of an F1 racing car with a Rally racing car?
    From the ISP point of view there is little difference (if we don't want to consider the specific inherent peculiarities of each technology), as in the very basic scenarios we can boil down to the following basic operations for both:
    Ingress PE imposes 2 labels (at least)
    Core Ps swap the topmost MPLS label
    Egress PE removes last label exposing underlying packet or frame.
    So whether the LSRs deal with underlying L2 frames or L3 IP packets there is no real difference in terms of performance (actually the P routers don't even notice any difference).
    About simulators, I am not aware of anyone able to simulate a L2 VPN (AtoM or VPLS).
    Riccardo
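
The three label operations Riccardo lists, walked through as an added example (not code from the thread): an ingress PE imposes a service label and a transport label, a P router swaps only the topmost label, and the egress PE pops both. The node names, label values, LFIB entries and the two sample payloads are constructed for illustration.

```python
"""Label-stack walk-through of the three forwarding operations described above.
Added example, not from the thread; labels, LFIBs and payloads are constructed."""

# Constructed LFIBs. The P router maps an incoming transport label to
# (outgoing label, outgoing interface); "pop" marks the LSP tail at the egress PE.
P_LFIB = {1001: (2001, "to-PE2")}
PE2_LFIB = {2001: ("pop", None)}
# Service labels the egress PE allocated: one per VRF (L3VPN) or pseudowire (L2VPN).
PE2_SERVICE = {20: "vrf CUST-A", 21: "pseudowire to CE-B"}


def ingress_pe(payload, service_label, transport_label):
    """Impose two labels: the service label the egress PE advertised (inner)
    and the transport label toward the egress PE (outer)."""
    return {"stack": [transport_label, service_label], "payload": payload}


def core_p(packet, lfib):
    """Swap only the topmost label. Nothing below it is read, so an L2 frame
    and an L3 packet are forwarded by exactly the same lookup."""
    out_label, out_if = lfib[packet["stack"][0]]
    return {"stack": [out_label] + packet["stack"][1:],
            "payload": packet["payload"]}, out_if


def egress_pe(packet, lfib, services):
    """Pop the transport label, then the service label, which selects the VRF
    or attachment circuit; only now is the underlying packet/frame exposed."""
    stack = list(packet["stack"])
    action, _ = lfib[stack.pop(0)]
    if action != "pop":
        raise ValueError("transport label must terminate at the egress PE")
    service = services[stack.pop(0)]
    if stack:
        raise ValueError("unexpected extra labels")
    return service, packet["payload"]


def forward(payload, service_label):
    """Run one payload PE1 -> P -> PE2; return (what P saw, service, payload)."""
    pkt = ingress_pe(payload, service_label, transport_label=1001)
    pkt, out_if = core_p(pkt, P_LFIB)
    seen_by_p = (1001, pkt["stack"][0], out_if)
    service, out = egress_pe(pkt, PE2_LFIB, PE2_SERVICE)
    return seen_by_p, service, out


# Constructed payloads: the start of an IPv4 header and of an Ethernet frame.
L3_PACKET = bytes.fromhex("4500003c1c46400040060000c0a80001c0a800c7")
L2_FRAME = bytes.fromhex("ffffffffffff001122334455" "0806")

if __name__ == "__main__":
    print(forward(L3_PACKET, 20))
    print(forward(L2_FRAME, 21))
```

Both runs produce the same P-router view, which is the point made above: only the service label, read at the egress PE, distinguishes the L3VPN from the L2VPN.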

  • L2 MPLS VPN between different branches

    Dear Experts ,
    I want to have my different offices use the same IP address range (from a centrally managed DHCP server). Is this scenario possible with MPLS L2 VPN?
    I know that we can do L2 between two branches by using xconnect, but what if I have multiple branches?
    regards
    haris

    Hi,
    Your purpose can be solved using VPLS.
    You can also create multiple pseudowires from the HUB to different branches; however, all PWs will use a different IP address range, which goes against your requirement.
    HTH.
    Regards,
    Amit.

  • Need some honest opinions about Campus VPNs - MPLS in the Enterprise

    Our organization is considering the new Cisco Campus VPN model for one of our new research facilities (~1000 people). They are suggesting a Layer 3 MPLS-iBGP-VPN Core and Distribution Layer (between the PEs) and Layer 2 at the Access. This seems unnecessarily complex and rather difficult to manage. We're going to end up with anywhere from 30-50 VRFs, and we'll end up having to place 6500s w/Sup 720s everywhere (even at the Access). This sounds like overkill to me. Thoughts?

    It basically reads like I wrote a paper describing what I've been thinking about. ;)
    So I guess that means I like the architecture as a general rule. My question to some degree still stands regarding what it is you want and what you need for your environment.
    If you really need the kind of services afforded by this design, then there's not much else you can do that's scalable.
    However, I noticed when the Supervisor 32 came out that it mentioned future MPLS support. I don't know what timeframe the necessary software will come out in (or if it's out already), but depending on the timeframe for your implementation it may be possible for them to coincide in some beneficial way. That would certainly save you rather a lot of money I suspect, as the Sup32s are quite a bit less expensive than the Sup720s (particularly if you're considering having two in each chassis for redundancy). Like I said, I have no idea about availability, but it may be something to consider if you can weasel some dates out of your Cisco salesman (or woman).

  • Central Site Internet Connectivity for MPLS VPN User

    What are the solutions of Central site Internet connectivity for a MPLS VPN user, and what is the best practice?

    Hello,
    Since you mentioned that Internet Access should be through a central site, it is clear that all customer sites (except the central) will somehow have a default (static/dynamic) to reach the central site via the normal VPN path for unknown destinations. Any firewall that might be needed, would be placed at the central site (at least). So, the issue is how the central site accesses the Internet.
    Various methods exist to provide Internet Access to an MPLS VPN. I am not sure if any one of them is considered the best. Each method has its pros and cons, and since you have to balance various factors, those factors might conflict at some point. It is hard to get simplicity, optimal routing, maximum degree of security (no matter how you define "security"), reduced memory demands and cover any other special requirements (such as possibility for overlapping between customer addresses) from a single solution. Probably the most secure VPN is the one which is not open to the Internet. If you open it to the Internet, some holes also open inevitably.
    One method is to create a separate Internet_Access VPN and have other VPNs create an extranet with that Internet_Access VPN. This method is said to be very secure (at least in terms of backbone exposure). However, if full routing is a requirement, the increased memory demands of this solution might lead you to prefer to keep the internet routing table in the Global Routing Table (GRT). You might have full routing in the GRT of PEs and Ps or in PEs only (second is probably better).
    Some names for solutions that exist are: static default routing, dynamic default routing, separate BGP session between PE and CE (via separate interface, subinterface or tunnel), extranet with internet VRF (mentioned earlier), extranet with internet VRF + VRF-aware NAT.
    The choice will depend on the requirements of your environment. I cannot possibly describe all methods here and I do not know of a public document that does. If you need an analysis of MPLS VPN security, you may want to take a look at Michael Behringer's great book with M.Morrow "MPLS VPN Security". Another book that describes solutions is "MPLS and VPN Architectures" by Ivan Pepelnjak. There is a Networkers session on MPLS VPNs that lists solutions. There is also a relevant document in CCO:
    http://www.cisco.com/en/US/tech/tk436/tk428/technologies_configuration_example09186a00801445fb.shtml (covering static default routing option).
    Kind Regards,
    M.

  • MPLS "VPN" - really a VPN?

    I keep reading about the MPLS VPN, including a recent Cisco document. They keep referring to MPLS VPNs, but the closest reference to any real VPN was to "Layer 2 VPNs". What L2 VPN? The best that I could decipher was some possible inference to L2TP and/or PPTP encoding (etc.) - maybe. Or not. WPA is probably the only real L2 VPN tech (other than the rare Ethernet encryptors). Most descriptions of MPLS VPNs actually sound similar to VLANs (which is also L2 tech), since the MPLS seem to be isolating similar to VLAN.

    Hi there,
    First: Here's a MPLS FAQ for beginners
    http://www.cisco.com/en/US/tech/tk436/tk428/technologies_q_and_a_item09186a00800949e5.shtml
    When it comes to info on the security of MPLS VPN's, take a look at this document (written by a Cisco-employee):
    M. Behringer, Analysis of the Security of BGP/MPLS IP Virtual Private Networks (VPNs), Internet informational RFC 4381, February 2006.
    "This document analyses the security of the BGP/MPLS IP virtual private network (VPN) architecture that is described in RFC 4364, for the benefit of service providers and VPN users.
    The analysis shows that BGP/MPLS IP VPN networks can be as secure as traditional layer-2 VPN services using Asynchronous Transfer Mode (ATM) or Frame Relay. This memo provides information for the Internet community."
    link: ftp://ftp.rfc-editor.org/in-notes/rfc4381.txt
    Did it help? If so, please rate it.

  • MPLS VPN L2 & L3

    Hi guys !!!
    How is a MPLS L2 VPN different from a MPLS L3 VPN and in what different scenarios do each of these find application?

    Hi,
    You can search several things in Google.
    The most important part is that the L2 MPLS solution is like an overlay VPN. The Service Provider need not participate in customer routing.
    However, the L3 MPLS solution is a peer-to-peer VPN. The MPLS Service Provider will participate in CE-PE routing.
    L2 MPLS is ideal where a point to point link is required, whereas L3 is in general any-to-any connectivity - best for hub and spoke.
    Cheers!
    Prince

  • MPLS from a customer view

    Scenario: I have thirty locations with one data center and one DR site. Each location has two PVCs, one for the data center, one for the DR site. Question: If we switch to an MPLS network, would it be transparent to the because the router at each location would be a CE router or non-LSR? The provider would handle all the MPLS configuration. I hope this makes sense.

    Yes, you are absolutely right.
    When we deployed MPLS at our domain, nothing had to be done at the CPEs. No changes had to be done at the CPEs templates. To our customers it's transparent the way we do packet forwarding. They don't have any idea that we do label switch instead of layer 3 forwarding.
    If you are moving to an MPLS-enabled carrier, you may contract an MPLS-enabled VPN service. With that you may have just one PVC at each site (if you need to save some $$), or you may ask for an active & backup/standby PVC scheme. MPLS gives the network administrator all the flexibility to deploy any kind of connectivity request.
    Yours Truly.
    Murilo Pugliese.
