ASK THE EXPERT : Introduction to MPLS VPN

Aug 17th, 2011

With Nagendra Kumar

Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to get an update on MPLS VPN from Cisco subject matter expert Nagendra Kumar. During the event you can ask questions on the common terminology, configuration, and best practices in setting up MPLS VPN networks. Nagendra is a customer support engineer in the Cisco High Touch Technical Support center in Bangalore, India, supporting Cisco's major service provider customers in routing and MPLS technologies. His areas of expertise include routing, switching, MPLS, and multicast. Previously at Cisco he worked as a technical marketing engineer for ISR platforms. He has been in the networking industry for 8 years and holds CCIE certification (#20987) in the Routing & Switching and Service Provider tracks.

Remember to use the rating system to let Nagendra know if you have received an adequate response.

You can also review the Live Webcast Video by Nagendra who gave the presentation.

Nagendra might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Service Provider discussion forum shortly after the event. This event lasts through August 26, 2011. Visit this forum often to view responses to your questions and the questions of other community members.

prescherm Wed, 08/17/2011 - 14:49

Very good presentation. Thanks.

I have 2 follow-up questions:

1) I see in your presentation setup that you create a 'router ospf 100 vrf one' process. With multiple VRFs, does this suggest that an OSPF process for each VRF needs to be created?

2)  I have previously deployed private MPLS architecture such that the CE and PE functions resided on the same router. In this case I had been configuring BGP with 'Address-Fam ipv4 vrf x'  and under that, redistributing only connected routes.

If all CE interfaces are directly connected SVI interfaces with VRF memberships applied, then is it correct to assume that I would NOT need 'redistribute ospf process vrf x' under 'address-fam ipv4 vrf one'?

(And if I'm thinking about this correctly, this arrangement also eliminates the need for a dedicated 'router ospf 100 vrf x' process. I'd just have loopbacks and P-facing interfaces in a global OSPF process table.)

------ EXAMPLE --------------

router ospf 65001
redistribute connected
passive-interface default
no passive-interface GigabitEthernet0/1
network 10.129.1.4 0.0.0.1 area 132
network 10.129.129.12 0.0.0.0 area 132
network 10.132.40.0 0.0.0.255 area 132
!
router bgp 65001
neighbor 10.129.129.5 remote-as 65001
neighbor 10.129.129.5 description P Router
!
address-family ipv4
  no synchronization
  network 10.129.129.12 mask 255.255.255.255
  redistribute connected
  redistribute static
  neighbor 10.129.129.5 activate
  neighbor 10.129.129.5 send-community both
  neighbor 10.129.129.5 send-label
  no auto-summary
exit-address-family
!
address-family vpnv4
  neighbor 10.129.129.5 activate
  neighbor 10.129.129.5 send-community both
exit-address-family
!
address-family ipv4 vrf x
  no synchronization
  redistribute connected
exit-address-family
!
address-family ipv4 vrf y
  no synchronization
  redistribute connected
exit-address-family
!
address-family ipv4 vrf z
  no synchronization
  redistribute connected
exit-address-family

vinijain Wed, 08/17/2011 - 19:34

Hello Mike

Here is a reply to few of your queries.

1) Yes, there will be a separate OSPF process created for every VRF. Although you can create different processes for the same VRF, for each different VRF you cannot use the same OSPF process. As you already know, the VRF routing table is different from the global routing table, so it's always needed that separate processes be maintained for each routing table.

2) For your second query, if the devices are connected via SVI, I don't think you need to redistribute the OSPF process, and I also don't think you will be running any OSPF process for the SVI-connected interfaces.

Hope this answers your query..:)

huangedmc Wed, 08/17/2011 - 22:26

I have a question about path manipulation between a backup link and main MPLS circuit.

Suppose there are two customer VPN sites that are inter-connected with:

1. direct slow backup T1 link, and

2. primary DS3 MPLS

The goal is to have traffic route through the primary MPLS circuits.

If the two VPN sites run OSPF between each other, we can create a sham-link between the PEs and force traffic to go through MPLS.

What if the IGP between the two sites is EIGRP?

Is there an equivalent of OSPF's sham-link?

Nagendra Kumar ... Wed, 08/17/2011 - 23:53

Hi huangedmc,

With EIGRP as the PE-CE protocol, considering the below 2 points as part of the design will help achieve your goal:

1. Having the same EIGRP AS number on all PE devices for that VRF customer.

2. Manipulate BW/Delay parameters.

When a PE device redistributes VRF-aware EIGRP into BGP, the AS # will be carried as part of an extended community in the BGP Update to remote PE devices. Any remote PE device, while redistributing BGP back into VRF-aware EIGRP, will check the AS # received in the BGP Update against the EIGRP AS # into which this update is redistributed and see if they are the same. If they are the same, it will be advertised as Internal, else it will be advertised as External.

Once it is Internal, CE devices will decide the best path based on the lowest metric. So by manipulating the metric (by working on BW and/or delay), your goal can be achieved.

Below is a link which describes the extended community to carry EIGRP parameters:

http://www.cisco.com/en/US/docs/ios/12_2t/12_2t15/feature/guide/fteipece.html

HTH,

Nagendra

sean_evershed Thu, 08/18/2011 - 02:00

Hi Nagendra

My question concerns supporting IPv6 over MPLS VPN.

I was reading the 2007 MPLS Fundamentals Guide by Luc De Ghein from Cisco Press on this topic.

It states that the only supported PE-CE IPv6 routing protocols were eBGP and static IPv6 routes.

Are other routing protocols such as EIGRP IPv6 supported now?

If not, are there any other options for supporting EIGRP IPv6 and VRF over MPLS on PE-CEs?

Thanks

Sean

Nagendra Kumar ... Thu, 08/18/2011 - 04:13

Hi Sean,

Currently support for EIGRPv6 and OSPFv3 as PE-CE is not available with IOS and we have to use eBGP or static routes.

HTH,

Nagendra

sean_evershed Thu, 08/18/2011 - 20:08

Hi Nagendra,

+5, Thanks for your help. I have a follow-up question if I may.

I was reading a blog post on 6VPE that stated LDP does not support IPv6 prefixes.

Can you confirm if this is correct?

Thanks

Sean

Nagendra Kumar ... Thu, 08/18/2011 - 21:35

Hi Sean,

Currently LDP cannot be used as a signalling protocol for label allocation/advertisement. That is why MPLS VPN for IPv6 customers is still provided over an IPv4 core (6VPE) and the core has not yet been migrated to IPv6.

HTH,

Nagendra

lee_jia_en Thu, 08/18/2011 - 22:55

Hi Nagendra,

Are MPLS VPN and VRF similar? How do you go about performing multicasting to a VRF?

Thank you.

Nagendra Kumar ... Fri, 08/19/2011 - 01:23

Hi Lee,

VRF is one of the key elements that helps provide the MPLS VPN service. VRF is a VPN Routing and Forwarding instance, which will build its own RIB and FIB table. By having each VPN customer associated with a different VRF, privacy is achieved between customers.

Regarding multicast for VRF customers, the current implementation is not label switched. Instead, multicast will be enabled on the SP core with a different group for each VPN customer. A PE device, on receiving any customer multicast traffic, will encapsulate it using GRE with the destination address set to the multicast group for the corresponding VRF customer and send it across to the other PE devices.

Below are the links to get more details about MVPN:

http://www.cisco.com/en/US/tech/tk828/technologies_white_paper09186a00800a3db6.shtml

http://www.cisco.com/en/US/tech/tk436/tk428/technologies_configuration_example09186a0080242aa8.shtml

HTH,

Nagendra

prescherm Fri, 08/19/2011 - 09:18

Question - this is a pretty good presentation - can I share it within my company?

Thanks,

m.

Nagendra Kumar ... Fri, 08/19/2011 - 22:02

Hi Mike,

Thanks for the comment on the presentation. Sure, you can share the presentation within your company. The video recording of the preso will be available soon, in case you are interested.

Thanks,

Nagendra

Paa-kwasi Sun, 08/21/2011 - 03:18

Hi Nagendra Kumar,

I use MPLS VPN in my network and would like to ask you the best practice in configuring route leaking. We use a prefix list and route map and then export the route map in the corresponding VRF. What's the best way you would recommend for us?

Many thanks

Nagendra Kumar ... Mon, 08/22/2011 - 21:55

Hi Fred,

The current preferred way of inter-VRF leaking in a controlled manner is to use an export map and import map. This is also a scalable solution, and so my understanding is you don't need any changes until you face any issue with this solution.

HTH,

Nagendra

unnamed77 Tue, 08/23/2011 - 02:00

Hello! I am writing to you from Russia. Please help me, because I don't know why my Cisco router didn't receive a certificate from a Windows Server 2008 R2 CA.

Log from Cisco:

cisco1841Surgut(config)#crypto pki authenticate subca01

000129: Aug 19 17:57:13.056 GMT: CRYPTO_PKI: pki request queued properly
000130: Aug 19 17:57:13.056 GMT: CRYPTO_PKI: Sending CA Certificate Request:
GET /certsrv/mscep/mscep.dll/pkiclient.exe?operation=GetCACert&message=subca01 HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Cisco PKI)
Host: sngst-ca


000131: Aug 19 17:57:13.056 GMT: CRYPTO_PKI: locked trustpoint subca01, refcount is 1
000132: Aug 19 17:57:13.060 GMT: CRYPTO_PKI: http connection opened
000133: Aug 19 17:57:13.060 GMT: CRYPTO_PKI: Sending HTTP message

% Error in receiving Certificate Authority certificate: status = FAIL, cert length = 0

cisco1841Surgut(config)#
000134: Aug 19 17:57:13.060 GMT: CRYPTO_PKI: Reply HTTP header:
HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Cisco PKI)
Host: sngst-ca


000135: Aug 19 17:57:13.064 GMT: CRYPTO_PKI: unlocked trustpoint subca01, refcount is 0
000136: Aug 19 17:57:13.064 GMT: CRYPTO_PKI: locked trustpoint subca01, refcount is 1
000137: Aug 19 17:57:13.808 GMT: CRYPTO_PKI: unlocked trustpoint subca01, refcount is 0
000138: Aug 19 17:57:13.808 GMT: CRYPTO_PKI: Reply HTTP header:
HTTP/1.1 200 OK
Content-Length: 4289
Content-Type: application/x-x509-ca-ra-cert
Server: Microsoft-IIS/7.5
Date: Fri, 19 Aug 2011 11:57:13 GMT
Connection: close

Content-Type indicates we have received CA and RA certificates.

000139: Aug 19 17:57:13.808 GMT: CRYPTO_PKI:crypto_process_ca_ra_cert(trustpoint=subca01)

000140: Aug 19 17:57:13.812 GMT: CRYPTO_PKI: status = 0x722(E_SIGNATURE_ALG_NOT_SUPPORTED : signature algorithm not supported): crypto_certc_pkcs7_extract_certs_and_crls failed
000141: Aug 19 17:57:13.812 GMT: CRYPTO_PKI: status = 0x722(E_SIGNATURE_ALG_NOT_SUPPORTED : signature algorithm not supported): crypto_pkcs7_extract_ca_cert returned
000142: Aug 19 17:57:13.812 GMT: CRYPTO_PKI: Unable to read CA/RA certificates.
000143: Aug 19 17:57:13.812 GMT: %PKI-3-GETCARACERT: Failed to receive RA/CA certificates.
000144: Aug 19 17:57:13.812 GMT: CRYPTO_PKI: transaction GetCACert completed
cisco1841Surgut(config)#

This is part of the config with regards to the certificates:

Building configuration...

Current configuration : 22062 bytes
!
! Last configuration change at 14:42:48 GMT Mon Aug 22 2011 by admin
!
version 15.1
no service pad

!
crypto pki token default removal timeout 0
!
crypto pki trustpoint test_trustpoint_config_created_for_sdm
subject-name e=sdmtest@sdmtest.com
revocation-check crl
!
crypto pki trustpoint TP-self-signed-3129615703
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3129615703
revocation-check none
rsakeypair TP-self-signed-3129615703
!
crypto pki trustpoint S1
enrollment terminal
serial-number none
fqdn cisco1841Surgut.xxx.local
ip-address none
password
revocation-check crl
rsakeypair cisco1841Surgut.xxx.local
!
crypto pki trustpoint subca01
enrollment mode ra
enrollment url http://xxx/certsrv/mscep/mscep.dll
ip-address none
password 7 08036D685F4D203636535B210E797C0D6666003224335358720F00070C2C5B394F
revocation-check none
rsakeypair CP-RSAKey-1313751490188 2048 2048
!
!
crypto pki certificate chain test_trustpoint_config_created_for_sdm
crypto pki certificate chain TP-self-signed-3129615703
certificate self-signed 01
xxx
quit
crypto pki certificate chain S1
crypto pki certificate chain subca01
!
!

!
!
!
crypto key pubkey-chain rsa
addressed-key xxx
address xxx
key-string
xxx
quit
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 20
authentication rsa-encr
crypto isakmp key xxx address xxx
!
!

!
crypto ipsec profile SDM_Profile1
set transform-set ESP-3DES-SHA5
set isakmp-profile sdm-ike-profile-1
!
!
crypto dynamic-map SDM_DYNMAP_1 1
set transform-set ESP-3DES-SHA3
reverse-route
!
crypto dynamic-map VPN-USER-MAP 50
set transform-set VPN-TRANSFORM
match address 115
!
!
end

cisco1841Surgut#

ashish@ibm Tue, 08/23/2011 - 23:52

Hi Nagendra,

I couldn't join the presentation; is it still available?

Thanks

Ashish

Nagendra Kumar ... Tue, 08/23/2011 - 23:58

Hi Ashish,

The video recording will be available soon. Please keep tracking the forum.

HTH,

Nagendra

sg_network Wed, 08/24/2011 - 04:19

Hi Nagendra,

One of our enterprise customers would like to convert IPv4 to MPLS as their enterprise core.

What is the best practice / method to migrate? One big migration or phase by phase?

Also, what is the default QoS setting for MPLS, and is the default setting enough to preserve EF and call signalling during MPLS core transit?

thanks,

John

shivjain Fri, 08/26/2011 - 00:22

Hi John

Actually, MPLS is used by service providers, but in case an enterprise wants to use MPLS, they can use VRF-lite, or if they are getting the connectivity from an SP, in that case the migration is very easy because no change is needed in the enterprise.

The things which you need to understand are mentioned below:

1. Which routing protocol would you like to run with the SP?

2. Existing IGP?

3. IPv6

4. For QOS you need to ask your SP and they will provide you the class details and mapping.

regards

shivlu Jain

Chetan Kumar Ress Wed, 08/24/2011 - 19:16

Hi

I was going through the sham-link RFC and I found something interesting but confusing.

I had simulated the lab for sham link and checked that we won't require redistribution between MP-BGP and OSPF when we are using a sham-link; we just need to configure OSPF with the VRF and the sham-link. Because the sham-link treats itself as a point-to-point link with an unnumbered interface.

4.2.7.4.  Routing and Forwarding on Sham Links

   If a PE determines that the next hop interface for a particular route
   is a sham link, then the PE SHOULD NOT redistribute that route into
   BGP as a VPN-IPv4 route.

   Any other route advertised in an LSA that is transmitted over a sham
   link MUST also be redistributed (by the PE flooding the LSA over the
   sham link) into BGP.  This means that if the preferred (OSPF) route
   for a given address prefix has the sham link as its next hop
   interface, then there will also be a "corresponding BGP route", for
   that same address prefix, installed in the VRF.

My Question :

Can someone clarify for me: if I configure a sham-link, do we require redistribution between OSPF and MP-BGP for route propagation?

And

If redistribution is not required, then what is the meaning of the statement below?

   Any other route advertised in an LSA that is transmitted over a sham
   link MUST also be redistributed (by the PE flooding the LSA over the
   sham link) into BGP

Nagendra Kumar ... Fri, 08/26/2011 - 06:35

Hi Chetan,

My Question :

Can someone clarify for me: if I configure a sham-link, do we require redistribution between OSPF and MP-BGP for route propagation?

Even with an OSPF sham link, we still need to redistribute OSPF into BGP. With the sham link established, the LSAs will be exchanged between PE devices, but they don't have a way to signal the labels. So even though CE devices will see the prefixes as intra-area in the RIB, packet forwarding will fail at the data plane. This is due to the fact that the required label will not be exchanged between PE devices.

And

If redistribution is not required, then what is the meaning of the statement below?

   Any other route advertised in an LSA that is transmitted over a sham
   link MUST also be redistributed (by the PE flooding the LSA over the
   sham link) into BGP

As mentioned above, OSPF redistribution into BGP is required to have label signalling between PE devices.

HTH,

Nagendra

sean_evershed Thu, 08/25/2011 - 06:49

Hi,

Do you know when the webcast you presented will be available to download as a PDF?

Thanks

Sean

freedom106 Thu, 08/25/2011 - 22:54

hi,

In the LDP header, there is a field called the LDP identifier that takes 48 bits; it is composed of a 32-bit IP address and 16 bits for the amount of labels (I think the number of labels LDP can advertise is 2^16). But in the MPLS header, the label range is 2^20-16. Is there any collision?

Nagendra Kumar ... Fri, 08/26/2011 - 06:30

Hi Yue,

The LDP Identifier (48 bits) comprises a 32-bit "LDP Router ID" and 16 bits of "label space". It is not the field where the actual label will be advertised, but serves to inform neighbors about what label space the local LDP router is going to use, i.e., whether it is per-interface space or per-platform space.

The actual label will be advertised in the Label TLV, which is of size 32 bits.

HTH,

Nagendra
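To make the distinction in Nagendra's answer concrete, here is an added example (not from the thread or from Cisco) that decodes a constructed LDP PDU header and a Generic Label TLV alongside an MPLS shim header: the 16-bit value in the LDP Identifier is a label-space id, while the label itself is a 20-bit field carried in a 32-bit TLV value, so the two sizes never compete. All sample bytes are constructed inline; field layouts follow RFC 5036 and RFC 3032.

```python
import struct

LABEL_BITS = 20        # label field width in the MPLS shim header (RFC 3032)
RESERVED_LABELS = 16   # label values 0-15 are reserved
LABEL_MASK = (1 << LABEL_BITS) - 1

def parse_ldp_pdu_header(raw: bytes) -> dict:
    """Decode the 10-byte LDP PDU header: version, PDU length and the
    LDP Identifier = 32-bit LSR ID + 16-bit label-space id (RFC 5036)."""
    version, pdu_len, lsr_id, label_space = struct.unpack("!HH4sH", raw[:10])
    return {
        "version": version,
        "pdu_length": pdu_len,
        "lsr_id": ".".join(str(b) for b in lsr_id),
        "label_space": label_space,
        # label space 0 is the per-platform space; non-zero is per-interface
        "scope": "per-platform" if label_space == 0 else "per-interface",
    }

def build_generic_label_tlv(label: int) -> bytes:
    """Generic Label TLV: type 0x0200, length 4, 32-bit value whose low
    20 bits hold the label (RFC 5036 section 3.4.2.1)."""
    if not 0 <= label <= LABEL_MASK:
        raise ValueError("label must fit in 20 bits")
    return struct.pack("!HHI", 0x0200, 4, label)

def parse_generic_label_tlv(raw: bytes) -> int:
    tlv_type, length, value = struct.unpack("!HHI", raw[:8])
    if (tlv_type & 0x3FFF) != 0x0200 or length != 4:  # top 2 bits are U/F flags
        raise ValueError("not a Generic Label TLV")
    return value & LABEL_MASK

def build_mpls_shim(label: int, exp: int, bos: int, ttl: int) -> bytes:
    """MPLS label stack entry: 20-bit label, 3-bit EXP, 1-bit S, 8-bit TTL."""
    if not 0 <= label <= LABEL_MASK:
        raise ValueError("label must fit in 20 bits")
    return struct.pack("!I", (label << 12) | ((exp & 7) << 9) | ((bos & 1) << 8) | (ttl & 0xFF))

def parse_mpls_shim(raw: bytes) -> dict:
    word = struct.unpack("!I", raw[:4])[0]
    return {"label": word >> 12, "exp": (word >> 9) & 7, "bos": (word >> 8) & 1, "ttl": word & 0xFF}

def assignable_labels() -> int:
    """Label values an LSR can hand out: 2^20 minus the 16 reserved ones."""
    return (1 << LABEL_BITS) - RESERVED_LABELS

if __name__ == "__main__":
    # Constructed header: version 1, length 32, LSR ID 10.129.129.12, per-platform space
    print(parse_ldp_pdu_header(bytes([0, 1, 0, 32, 10, 129, 129, 12, 0, 0])))
    label = 1_000_000                       # far above 2^16, still fits in 20 bits
    print(parse_generic_label_tlv(build_generic_label_tlv(label)))
    print(parse_mpls_shim(build_mpls_shim(label, 5, 1, 64)), assignable_labels())
```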

Posted August 17, 2011 at 9:46 AM