MPLS VPN without Signalling Protocol in CORE

Similar Messages

• MPLS/VPN network load balancing in the core

  Hi,
  I've an issue about cef based load-balancing in the MPLS core in MPLS/VPN environment. If you consider flow-based load balancing, the path (out interface) will be chosen based on source-destination IP address. What about in MPLS/VPN environment? The hash will be based on PE router src-dst loopback addresses, or vrf packet src-dst in P and PE router? The topology would be:
  CE---PE===P===PE---CE
  I'm interested in load balancing efficiency if I duplicate the link between P and PE routers.
  Thank you for your help!
  Gabor

  Hi,
  On the PE router you could set different types and 2 levels of load-balancing.
  For instance, in case of a DUAL-homed site, subnet A prefix for VPN A could be advertised in the VPN by PE1 or PE2.
  PE1 receives this prefix via eBGP session from CE1 and keep this route as best due to external state.
  PE2 receives this prefix via eBGP session from CE2 and keep this route as best due to external state.
                               eBGP
                       PE1 ---------CE1
  PE3----------P1                          Subnet A
                       PE2----------CE2 /
                              eBGP
  Therefore from PE3 point of view, 2 routes are available assuming that IGP metric for PE3/PE1 is equal to PE3/PE2.
  The a 1rst level of load-sharing can be achieve thanks to the maximum-paths ibgp number command.
  2 MP-BGP routes are received on PE3:
  PE3->PE1->CE1->subnet A
  PE3->PE2->CE2->subnet A
  To use both routes you must set the number at 2 at least : maximum-paths ibgp 2
  But gess what, in the real world an MPLS backbone hardly garantee an equal IGP cost between 2 Egress PE for a given prefix.
  So it is often necessary to ignore the IGP metric by adding the "unequal-cost" keyword: maximum-paths unequal-cost ibgp 2
  By default the load-balancing is called "per-session": source and destination addresses are considered to choose the path and the outgoing interface avoiding reordering the packets on the target site. Overwise it is possible to use "per-packet" load-balancing.
  Then a 2nd load-sharing level can occur.
  For instance:
           __P1__PE1__CE1
  PE3           \/                   Subnet A
          \ __P2__PE2__CE2
  There is still 2 MP-BGP paths :
  PE3->P1->PE1->CE1->subnet A
  PE3->P1->PE2->CE2->subnet A
  But this time for 2 MP-BGP paths 4 IGP path are available:
  PE3->P1->PE1->CE1->subnet A
  PE3->P1->PE2->CE2->subnet A
  PE3->P2->PE1->CE1->subnet A
  PE3->P2->PE2->CE2->subnet A
  For a load-balancing to be active between those 4 paths, they must exist in the routing table thanks to the "maximum-path 4 "command in the IGP (ex OSPF) process.
  Therefore if those 4 paths are equal-cost IGP paths then a 2nd level load-balancing is achieved. the default behabior is the same source destination mechanism to selected the "per-session" path as mentionned before.
  On an LSP each LSR could use this feature.
  BR

• Ask the Expert:Concepts, Configuration and Troubleshooting Layer 2 MPLS VPN – Any Transport over MPLS (AToM)

  With Vignesh R. P.
  Welcome to the Cisco Support Community Ask the Expert conversation.This is an opportunity to learn and ask questions about  concept, configuration and troubleshooting Layer 2 MPLS VPN - Any Transport over MPLS (AToM) with Vignesh R. P.
  Cisco Any Transport over MPLS (AToM) is a solution for transporting Layer 2 packets over an MPLS backbone. It enables Service Providers to supply connectivity between customer sites with existing data link layer (Layer 2) networks via a single, integrated, packet-based network infrastructure: a Cisco MPLS network. Instead of using separate networks with network management environments, service providers can deliver Layer 2 connections over an MPLS backbone. AToM provides a common framework to encapsulate and transport supported Layer 2 traffic types over an MPLS network core.
  Vignesh R. P. is a customer support engineer in the Cisco High Touch Technical Support center in Bangalore, India, supporting Cisco's major service provider customers in routing and MPLS technologies. His areas of expertise include routing, switching, and MPLS. Previously at Cisco he worked as a network consulting engineer for enterprise customers. He has been in the networking industry for 8 years and holds CCIE certification in the Routing & Switching and Service Provider tracks.
  Remember to use the rating system to let Vignesh know if you have received an adequate response. 
  Vignesh might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the  Service Provider sub-community discussion forum shortly after the event. This event lasts through through September 21, 2012. Visit this forum often to view responses to your questions and the questions of other community members.

  Hi Tenaro,
  AToM stands for Any Transport over MPLS and it is Cisco's terminology used for Layer 2 MPLS VPN or Virtual Private Wire Service. It is basically a Layer 2 Point-to-Point Service. AToM basically supports various Layer 2 protocols like Ethernet, HDLC, PPP, ATM and Frame Relay.
  The customer routers interconnect with the service provider routers at Layer 2. AToM eliminates the need for the legacy network from the service provider carrying these kinds of traffic and integrates this service into the MPLS network that already transports the MPLS VPN traffic.
  AToM is an open standards-based architecture that uses the label switching architecture of MPLS and can be integrated into any network that is running MPLS. The advantage to the customer is that they do not need to change anything. Their routers that are connecting to the service provider routers can still use the same Layer 2 encapsulation type as before and do not need to run an IP routing protocol to the provider edge routers as in the MPLS VPN solution.
  The service provider does not need to change anything on the provider (P) routers in the core of the MPLS network. The intelligence to support AToM sits entirely on the PE routers. The core label switching routers (LSRs) only switch labeled packets, whereas the edge LSRs impose and dispose of labels on the Layer 2 frames.
  Whereas pseudowire is a connection between the PE routers and emulates a wire that is carrying Layer 2 frames. Pseudowires use tunneling. The Layer 2 frames are encapsulated into a labeled (MPLS) packet. The result is that the specific Layer 2 service—its operation and characteristics—is emulated across a Packet Switched Network.
  Another technology that more or less achieves the result of AToM is L2TPV3. In the case of L2TPV3 Layer 2 frames are encapsulated into an IP packet instead of a labelled MPLS packet.
  Hope the above explanation helps you. Kindly revert incase of further clarification required.
  Thanks & Regards,
  Vignesh R P

• Configuring MPLS VPN using static routing

  Hi,
  I am managed to set up a BGP/MPLS VPN in a laboratory using CS3620 routers running IOS 12.2(3) with ISIS. I am thinking of using static routes among the PE and P routers instead of a IGP. Does anyone know if Cisco routers supports static configuration of LSP? I have tried but could not get it work.

  You can very well run MPLS with static routing in the core, as in Cisco we have to meet 2 criterias to have a MPLS forwarding Table.
  1) Creating the LIB
  This thing lies in having LDP neighborship netween two peers and you have Label bindings.
  This is irrespective of what is the best next hop to reach the advertising peers LDP_ID.
  2) Creating the LFIB
  Now after considering all the Label bindings, the LDP_ID which can be reached out an interface
  as a next hop, those Label bindings get installed in the LFIB.
  So considering the above two points, we have to be careful in static routes
  only for interfaces like Ethernet (Multiaccess Segments).
  As in CEF when you give a static route pointing to an Ethernet Interface, CEF creates a
  GLean Adjacency (Meaning there could be multiple hosts as the next hop on this segement, and it will glean for the right next-hop)
  Now you may observe that when you give a static route only pointing to an Ethernet interface,
  you LDP adjacency may come up and you may exchange the bindings with each other. But the Label Forarding Table is not created. This is bcos of this being a Multiaccess interface. And you have
  Glean For it. If its a Normal WAN interface like Serial or POS, then there is no problem of
  GLean and you would have a Valid Cached Adjacency.
  So to avoid probelems with Ethernet interfaces you can simply specify the next-hop-ip address.
  For Eg: ip route 10.10.31.250 255.255.255.255 10.10.31.226 (Without the Interface)
  ip route 10.10.31.250 255.255.255.255 fa0/0 10.10.31.226 (Or with the Interface)
  Only Difference in both is in the first one it has to do a recursive lookup for the outgoing interface. Otherwise both work well. And you can have static routes in your network
  running MPLS.
  And doing this CEF would would work as it should and you would have a Valid Cached Adjacency.
  So this is applicable for Cisco devices which use CEF, including 6500 with SUP720.
  HTH-Cheers,
  Swaroop

• L3-MPLS VPN Convergence

  Perhaps someone on this group can identify the missing timers/processing-delays in end-to-end client route convergence
  Scenarios:
  a) BGP New route Advertised by Cleint(CPE1)
  b) BGP Route withdrawn by Client(CPE1)
  PE-to-RR i-M-BGP (Logical)
  ========= ----RR------ ======
  " | | "
  CPE1---->PE1------->P1-------->P2---->PE2----->CPE2
  | |
  --------->P3-------->P4-------
  Routing:
  - eBGP btw CPE and PE (any routing prot within Cust site),
  - OSPF, LDP in Core,
  Timers/Steps I'm aware of:
  - Advertisement of routes from CE to PE and placement into VRF
  - Propagation of routes across the MPLS VPN backbone
  - Import process of these routes into relevant VRFs
  - Advertisement of VRF routes to attached VPN sites
  - BGP advertisement-interval: Default = 5 seconds for iBGP, 30 for eBGP
  - BGP Import Process: Default = 15 seconds
  - BGP Scanner Process Default = 60 seconds
  Would appreciate if you someone can identify any missing process-delay, timers? specially w.r.t RR.
  Thanks
  SH

  Check the LDP/TDP timers in the core. Remember if a link fails in the core, reroute occurs, LDP/TDP binding needs to be renewed. tags are binded on those routes being in the routing table (IGP). So, there is a delay possible from a core prespective:
  mpls ldp holdtime
  mpls ldp discovery hello [holdtime | interval]
  In case you are using TE check these:
  mpls traffic-eng topology holddown
  mpls traffic-eng signalling forwarding sync
  mpls traffic-eng fast-reroute timers promotion
  I believe the latter one onyl applies to SDH. In which you use segment loss feature.
  Regards,
  Frank

• MPLS TE with MPLS VPN

  Hi there,
  I'm looking for some basic configuration to turn on mpls te over existing mpls vpn. Worried to effect mpls vpn customers.
  Perhaps a link would be great!
  thanks in advance.
  maher

  There is many scenarios involving TE and MPLS VPN.
  If you have MPLS TE from ingress to egress PE, the lsp used to go from one PE to the other is signalled using RSVP instead of LDP/TDP.
  If you configure TE between the core routers then you need to runn LDP/TDP on the tunnel interface for LDP to learn labels via that pseudo interface. This second scenario involves that at some point up to 3 labels (TE lsp label, IGP label, service label) might be applied to the MPLS packets instead of your regular 2 label (IGP label, service label).
  Hope this helps,

• VM with remote access VPN without split tunneling

  Hello experts,
  I have customers who require to use VM in their laptop. These users also require to VPN to Corporate network  to do their job. However when they do remote VPN to corporate Network (ASA VPN concentrator) from their VM host machine, they loose their access to their VM guest machines. This problem was not happening when they used cisco VPN client which has gone end of life and support as of end of July 31, 2012. In Cisco VPN client (IKEV1) if we set the protocol to udp they had no problem to keep their connectivity to VM machines while connected to corporate with remote access VPN. However this feature does not work in new Cisco VPN client which is called AnyConnect. ( NOTE: I am using IPSEC IKEV2. NO SSL at this time).
  My Question to Experts:
  1. Was the ability to maintain connection to VM guest machines, while connected to VPN without enabling split tunneling a security flaw in the old cisco VPN client?
  2. Is there a way to maintain connectivy to VM machines installed in a computer and still connect to remote access VPN concentrator through host machine? (My question is about AnyConnect client only using IPSEC IKEV2 and I do not want to enable split tunneling)
  Thanks for your help,
  Razi                

  Did you figure this out?

• Performance end to end testing and comparison between MPLS VPN and VPLS VPN

  Hi,
  I am student of MSc Network Security and as for my project which is " Comparison between MPLS L3 VPN and VPLS VPN, performance monitoring by end to end testing " I have heard a lot of buzz about VPLS as becoming NGN, I wanted to exppore that and produce a comparison report of which technology is better. To accomplish this I am using GNS3, with respect to the MPLS L3 VPN lab setup that is not a problem but I am stuck at the VPLS part how to setup that ? I have searched but unable to find any cost effective mean, even it is not possible in the university lab as we dont have 7600 series
  I would appreciate any support, guidence, advice.
  Thanks
  Shahbaz

  Hi Shahbaz,
  I am not completely sure I understand your request.
  MPLS VPN and VPLS are 2 technologies meant to address to different needs, L3 VPN as opposed as L2 VPN. Not completely sure how you would compare them in terms of performance. Would you compare the performance of a F1 racing car with a Rally racing car?
  From the ISP point of view there is little difference (if we don't want to consider the specific inherent peculiarities of each technology) , as in the very basic scenarios we can boil down to the following basic operations for both:
  Ingress PE impose 2 labels (at least)
  Core Ps swap top most MPLS label
  Egress PE removes last label exposing underlying packet or frame.
  So whether the LSRs deal with underlying L2 frames or L3 IP packets there is no real difference in terms of performance (actually the P routers don't even notice any difference).
  About simulators, I am not aware of anyone able to simulate a L2 VPN (AtoM or VPLS).
  Riccardo

• Centralize internet access in MPLS VPN

  Can i implement Centralize internet access (the Hub CE Router to performs NAT) in cisco MPLS VPN solution?
  If so, is there any example about that? i can't find it at CCO~
  Thanks a lot~

  If you run dynamic routing protocol in PE-CE,like rip2,ospf,bgp,do the following task.
  1:set a default route in HUB CE;and generate the default route under its dynamic protocol.
  2:in other CEs, make sure they can learn this route.
  If you run static route and vrf static route between CE and PE,do the following task.
  1.set default route in HUB CE, and set default route in other CEs.
  2.In all PEs,redistribute the connected and static rotues to address-family ipv4 of customer vrf.
  3.set the customer vrf default route in all PE which connected your all CEs.
  Note: make sure all PEs can reach the GW address of vrf deafult route. GW IP address is the interface of which HUB CE towards PE.
  command: "ip route vrf 0.0.0.0 0.0.0.0 global.
  TRY

• Selective Route Import/Export in MPLS VPN

  Champs
  I have multiple brach locations and 3 DC locations.DC locations host my internal applications , DC's  also have central Internet breakout for the region. My requirement is to have full mesh MPLS-VPN but at same time brach location Internet access should be from nearest IDC in the region  if nearest IDC is not availalbe it should go to second nearest DC for internet.I have decided which are primary and seconday DC for Internet breakout. How can this be achieved in MPLS-VPN scenario.Logically i feel , i have to announce specific LAN subnet and default route(with different BGP attribute like AS Path)  from all 3 DCs. Spokes in the specific region should be able to import default route  from primary DC and secondary DCs only  using some route filter?
  Regards
  V

  Hello Aaron,
  the route example works for all routers except the one, where the VRF vpn2 is configured. What you can do for management purposes is either to connect through a neighbor router using packet leaking or configure another Loopback into VRF vpn2.
  The last option (and my recommendation) is to establish another separate IP connection from your NMS to the MPLS core. Once VRFs are failing (for whatever reason, f.e. erroneously deleted) you might just not get connectivity to your backbone anymore to repair what went wrong.
  So I would create an "interconnection router" with an interface in the VRF vpn2 and one interface in global IP routing table. This way you will still be able to access PEs, even if VRFs or MBGP is gone.
  Hope this helps! Please rate all posts.
  Regards, Martin

• GRE with VRF on MPLS/VPN

  Hi.
  Backbone network is running MPLS/VPN.
  I have one VRF (VRF-A) for client VPN network.
  One requirement is to configure another VRF (VRF-B) for this client for a separate public VRF connection.
  Sub-interfacing not allowed on CE-to-PE due to access provider limitation.
  So GRE is our option.
  CE config:
  Note: CE is running on global. VRF-A is configured at PE.
  But will add VRF-B here for the  requirement.
  interface Tunnel0
    ip vrf forwarding VRF-B
  ip address 10.12.25.22 255.255.255.252
  tunnel source GigabitEthernet0/1
  tunnel destination 10.12.0.133
  PE1 config:
  interface Tunnel0
  ip vrf forwarding VRF-B
  ip address 10.12.25.21 255.255.255.252
  tunnel source Loopback133
  tunnel destination 10.12.26.54
  tunnel vrf VRF-A
  Tunnel works and can ping point-to-point IP address.
  CE LAN IP for VRF-B  is configured as static route at PE1
  PE1:
  ip route vrf VRF-B 192.168.96.0 255.255.255.0 Tunnel0 10.12.25.22
  But from PE2 which is directly connected to PE1 (MPLS/LDP running), connectivity doesnt works.
  From PE2:
  - I can ping tunnel0 interface of PE1
  - I cant ping tunnel0 interface of CE
  Routing is all good and present in the routing table.
  From CE:
  - I can ping any VRF-B loopback interface of PE1
  - But not VRF-B loopback interfaces PE2 (even if routing is all good)
  PE1/PE2 are 7600 SRC3/SRD6.
  Any problem with 7600 on this?
  Need comments/suggestions.

  Hi Allan,
  what is running between PE1 and PE2 ( what I mean is any routing protocol).
  If No, then PE2 has no ways of knowing GRE tunnel IP prefixes and hence I suppose those will not be in its CEF table...
  If Yes, then check are those Prefixes available in LDP table...
  Regards,
  Smitesh

• Mapping Model in MPLS VPNs

  Hi:
  Based on paper titled "L3 MPLS VPN Enterprise Consumer Guide" page 52, figure 44. (http://www.cisco.com/en/US/partner/netsol/ns465/networking_solutions_white_papers_list.html).
  1) The figure discards the "streaming video" and "bulk data" traffics within the mapping process. Why? What happens with these traffics? Both traffics are discarded or simply they need to be mapped to "Best Effort"? Please explain.
  2)In the same figure, "Interactive Video" is mapped to "Realtime" SP class with "Voice" traffic. Is this "Interactive Video" traffic always no TCP-based? If the opposite is true, why is it mixing TCP & UDP over the same "Realtime" class?

  Hi,
  That articles mentions that these protocols tend to use transport-layer protocols such as UDP and RTSP. That is true but there are a lot of different streaming protocols around and some of them do use TCP. In fact, even RTSP supports the use of TCP. And you can also stream via HTTP (Windows Media supports this, for example).
  So you see, there can be a mix of TCP and UDP traffic here.
  The other, more critical, reason for not mixing interactive-traffic with streaming (one-way) traffic is the drastically different jitter/latency requirements for the two. Streaming traffic will easily sustain latency in the order of seconds and jitter is not even a problem. Whereas interactive traffic will not. That is why you should not mix the two.
  Hope that helps - pls rate the post if it does.
  Paresh

• MPLS VPN L3 BGP to Customer CPE

  Hello,
  I am learning how to setup MPLS VPN L3. I am running OSPF in the MPLS Core and have configured MP-BGP between PE. I am running BGP between the PE and CPE in my lab, and I can see redistributed routes from the CPE in the vrf routing table for that customer on the PE router. My question is how to reditribute the vrf routes into my MPLS core to transmit the traffic to the customer other site on the same vpn. Below is what my config looks like.
  PE
  ip vrf customerA
  rd 100:101
  route-target export both 100:1000
  int fa0/0
  ip vrf forwarding customerA
  ip address x.x.x.x x.x.x.x
  router ospf 1
  loopback  in area0
  networks in area0
  router bgp 65000
  neighbor to other PE routers in AS 65000 (MPLS Network)
  address family vpn4
  neighbor other PE routers activate
  neighbor other PE routers send community
  ip address ipv4 vrf customerA
  neighbor to customerA in AS 55000
  CPE
  router ospf 1
  loopback in area 0
  networks in area 0
  router bgp 55000
  neighbor to PE router in AS 65000
  redistribute ospf 1

  Hi
  You dont have to redistribute your routes into mpls core. The vpnv4 bgp session that you have has already sent your ce routes to the remote pe router, provided you have the vrf configured on the other end.
  For more detaiked explanation please check a presentation available in the current running Ask The Expert event in the support community.

• MPLS VPNs alongwith T1 and sub-rate SONET/SDH connections

  Hi,
  I know this question might seem out of place in this particular forum, I apologize for that.
  We currently offer MPLS VPN services on my Cisco 7600 platform with supported FE/GE modules.
  Coming to my question, can I offer DS0/T1 services without adding a new optical (SONET/SDH) box and on the same 7600 (I have enough slots available)
  I was thinking of this particular module for delivering the required additional services:
  http://www.cisco.com/en/US/docs/routers/7600/install_config/12.2SX_OSM_config/Prtn.html
  and
  http://www.cisco.com/en/US/docs/routers/7600/install_config/12.2SX_OSM_config/crns.html
  Is anyone of you guys doing something similar?
  I would request for some inputs w.r.t. stability and/or other factors I should consider before I start to seriously think of them as an alternative option instead of going for separate Optical devices.
  P.S.: This is not MPLS VPNs on subrate interfaces but subrate/T1 'IPLC' service by itself.
  Thanks
  Cheers
  ~sultan

  No, you will need to put an additional module to support DS0/T1 services on your 7600. Following link may help you
  http://www.cisco.com/en/US/products/hw/modules/ps2831/products_data_sheet09186a008015cfe9.html

• MPLS VPNs - Latency

  Hello All,
  I have a MPLS VPN setup for one of my sites. We have a 10M pipe (Ethernet handoff) from the MPLS SP, and it is divided into 3 VRFs.
  6M - Corp traffic
  2M - VRF1
  2M - VRF2
  The users are facing lot of slowness while trying to access application on VRF1. I can see the utilization on the VRF1 is almost 60% of it's total capacity (2M). Yesterday when trying to ping across to the VRF1 Peer in the MPLS cloud, I was getting a Max response time of 930ms.
  xxxxx#sh int FastEthernet0/3/0.1221
  FastEthernet0/3/0.1221 is up, line protocol is up
    Hardware is FastEthernet, address is 503d.e531.f9ed (bia 503d.e531.f9ed)
    Description: xxxxx
    Internet address is x.x.x.x/30
    MTU 1500 bytes, BW 2000 Kbit, DLY 1000 usec,
       reliability 255/255, txload 71/255, rxload 151/255
    Encapsulation 802.1Q Virtual LAN, Vlan ID  1221.
    ARP type: ARPA, ARP Timeout 04:00:00
    Last clearing of "show interface" counters never
  I also see a lot of Output drops on the physical interface Fa0/3/0. Before going to the service provider, can you please tell me if this can be an issue with the way QoS is configured on these VRFs?
  xxxxxxx#sh int FastEthernet0/3/0 | inc drops
    Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 3665
  Appreciate your help.
  Thanks
  Mikey

  Hi Kishore,
  Thanks for the clarification. Let me speak to the service provider and see if we can sort out the Output drops issue.
  I had a few more queries.
  1) Will output drops also contribute to the latency here?
  2) The show int fa0/3/0.1221 output below only shows the load on the physical interface (fa0/3/0) and not of that particuar interface.Right?
  xxxxxx#sh int fa0/3/0.1221 | inc load
       reliability 255/255, txload 49/255, rxload 94/255
  xxxxx#sh int fa0/3/0 | inc load
       reliability 255/255, txload 49/255, rxload 94/255
  I can try and enable IP accounting on that sub-interface (VRF) and see the load. Thoughts?
  3) As you said, if the 2M gets maxed out I would see latency as the shaper is getting fully utilized. But I don't see that on the interface load as mentioned above? I have pasted the ping response during the time load output was taken. I can;t read much into the policy map output, but does it talk anything about 2M being fully utilized and hence packets getting dropped.
  xxxxxxx#ping vrf ABC x.x.x.x re 1000
  Type escape sequence to abort.
  Sending 1000, 100-byte ICMP Echos to x.x.x.x, timeout is 2 seconds:
  Success rate is 99 percent (997/1000), round-trip min/avg/max = 12/216/1972 ms
  xxxx#sh policy-map interface fa0/3/0.1221
  FastEthernet0/3/0.1221
    Service-policy output: ABC
      Class-map: class-default (match-any)
        114998 packets, 36909265 bytes
        5 minute offered rate 11000 bps, drop rate 0 bps
        Match: any
        Traffic Shaping
             Target/Average   Byte   Sustain   Excess    Interval  Increment
               Rate           Limit  bits/int  bits/int  (ms)      (bytes)
            2000000/2000000   12500  50000     50000     25        6250
          Adapt  Queue     Packets   Bytes     Packets   Bytes     Shaping
          Active Depth                         Delayed   Delayed   Active
          -      0         114998    36909265  1667      2329112   no
  Thanks
  Mikey