ASK THE EXPERT - MPLS L2VPN AND L3VPN IN THE ENTERPRISE WORLD

Jan 1st, 2007

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to discuss with Cisco expert Harold Ritter how enterprise networks are evolving into MPLS networks to deliver SP-type services to end customers. Harold Ritter is a technical leader with the Cisco Advanced Services team for Service Provider. He is responsible for helping Cisco's top-tier Service Provider customers design, implement and troubleshoot routing protocols and MPLS solutions in their environments. He has been a network engineer for more than 12 years and is a CCIE (#4168) for Routing & Switching and Service Provider.


Remember to use the rating system to let Harold know if you have received an adequate response.


Harold might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through January 12, 2007. Visit this forum often to view responses to your questions and the questions of other community members.

fmeetz Tue, 01/02/2007 - 16:10

Harold,

How is using MPLS VPN different when deployed in an enterprise network rather than a SP network?

Regards, Frank

Harold Ritter Tue, 01/02/2007 - 16:27

Frank,


In fact, MPLS VPN as such is pretty much the same whether it is deployed in an enterprise or SP context.


The market penetration is very different for the moment. This is changing rapidly as many enterprises are migrating to an MPLS based network.


Hope this helps,

cassio.gomes Wed, 01/03/2007 - 09:32

Hello Harold,


I need to build a project with VRF-Lite and ISDN backup. In my lab, VRF-Lite works perfectly, but now I need to configure a backup of the dedicated link through an ISDN link (dialer interface).


So I would like to get some help building this project. What is the best way to configure a backup link with VRF-Lite? The routing tables need to be kept separate, if possible.


Many thanks,



Harold Ritter Wed, 01/03/2007 - 18:59

Cassio,


This is slightly off topic, but let me take a shot at answering your question.


If I remember correctly from a previous posting, your scenario needs to provide backup on the CE for all the VRFs via a unique dialer interface, right?


This could probably be accomplished by using a separate GRE tunnel interface per VRF. These tunnels would use global IP addresses and would all be carried over the dialer interfaces in case of failure of the main interface. Add a couple of floating static routes for each VRF pointing at their respective tunnel interface and there you go.


Does it sound like the solution you came up with in your lab?


Let me know if that answers your question,
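
The design described in the post above (one GRE tunnel per VRF, carried in the global table over the single dialer, with floating static routes per VRF), sketched as a CE-side Cisco IOS configuration. This is an added example, not a configuration posted in the thread; the VRF names, interface numbers, route distinguishers and all addresses are constructed placeholders, and the hub router at the far end of the tunnels is assumed.

```cisco
! Added example. VRF names, RDs, interface numbers and addresses are constructed.
! Two VRFs on the CE (VRF-lite): each keeps its own routing table.
ip vrf RED
 rd 65000:1
!
ip vrf BLUE
 rd 65000:2
!
! Global-table loopback used as the source of every backup tunnel.
interface Loopback0
 ip address 192.0.2.10 255.255.255.255
!
! One GRE tunnel per VRF. The tunnel interface belongs to the VRF, but its
! source and destination are global addresses, so the GRE packets themselves
! are routed in the global table and can share the one dialer.
! Each tunnel uses a different destination so the hub can tell them apart.
interface Tunnel1
 ip vrf forwarding RED
 ip address 10.255.1.2 255.255.255.252
 tunnel source Loopback0
 tunnel destination 192.0.2.1
!
interface Tunnel2
 ip vrf forwarding BLUE
 ip address 10.255.2.2 255.255.255.252
 tunnel source Loopback0
 tunnel destination 192.0.2.2
!
! The single dialer stays in the global table (no "ip vrf forwarding").
! Its ISDN and PPP authentication settings are omitted here.
interface Dialer1
 ip address negotiated
 encapsulation ppp
 dialer pool 1
!
! Global routes to the tunnel endpoints via the dialer. Distance 250 lets
! any route to the same endpoints learned another way take precedence.
ip route 192.0.2.1 255.255.255.255 Dialer1 250
ip route 192.0.2.2 255.255.255.255 Dialer1 250
!
! Per-VRF floating statics: used only when the routes learned over the
! main link disappear from that VRF's table. Each points at its own tunnel,
! so the VRF routing tables stay separate on the backup path as well.
ip route vrf RED 0.0.0.0 0.0.0.0 Tunnel1 250
ip route vrf BLUE 0.0.0.0 0.0.0.0 Tunnel2 250
```

The hub side needs the mirror-image tunnels in the matching VRFs, and `show ip route vrf RED` on the CE confirms which path each VRF is using.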

cassio.gomes Thu, 01/04/2007 - 04:40

Thank you very much, and sorry about being off topic.

First question: yes, a unique dialer for all VRFs.


Second question: no. When the main link is down, the CE router will be a PE router. I configured tag switching and LDP on the dialer interface and a VPNv4 BGP peer. Very strange, but it is working. This solution solved my problem, but I am not sure if it is correct, and in the future I might be wrong.

If you want, I can share the configs and LAB.


Best Regards,


Cassio


Harold Ritter Thu, 01/04/2007 - 13:41

Interesting solution. This will certainly work but I wouldn't do that unless the CE is managed by the SP itself. Just to keep the control on the core.


Hope this helps,

pascal_parrot Wed, 01/03/2007 - 12:59

Hi Harold,


If a customer uses an SP MPLS network to connect various branches,

1) Can the CE router (from an SP perspective) be a P router (from the enterprise perspective)?

2) If yes, what routing protocols would you suggest using between the SP PE-CE and the enterprise P-PE?

3) in a small branch with an ISR (P) and 3550 (PE and CE?), what would be the best way to have the same type of functionality as MPLS across the WAN?

4) Are there any design potential issues to keep in mind?

Thanks,

Best regards,

Pascal

Harold Ritter Wed, 01/03/2007 - 16:42

So if I understand you correctly, you are discussing deploying MPLS VPN in your enterprise network using your SP MPLS VPN network to connect your remote branches.


This can be done indeed using Carrier Supporting Carrier (CSC).


1) The customer P could indeed be the provider CE.


2) You could use an IGP such as RIP, OSPF, EIGRP or static routes between the SP PE-CE along with LDP for label exchange. You could also use BGP IPv4+label, which does both the routes and labels exchange.


3) Not sure I understand the difference between this small branch and the others. CSC is supported on the ISR, so it doesn't matter whether the branch is small, medium or large.


4) Make sure the device (Provider CE) you choose supports CSC.


Make sure the SP already offers or is willing to support CSC.


Support for baby giant MTU might be required between the SP PE and CE.


Let me know if you have further questions,


pascal_parrot Wed, 01/03/2007 - 19:31

Thank you. I will check the CSC option.

The question in 3) relates to a branch that has an ISR and a switch (3550 or 3560). That's all, just two devices capable of routing. Could the ISR be a P and PE at the same time from the enterprise perspective?



Harold Ritter Wed, 01/03/2007 - 20:10

The ISR in this case would act as a PE as it would be responsible for label imposition and disposition.


BTW, any device that can do label imposition and disposition (PE functionality) is also capable of doing label swapping (P functionality).


Hope this helps,

pascal_parrot Fri, 01/05/2007 - 09:50

Thanks.

On the access switches connecting end users (multiple VLANs), is it possible to assign a VRF to the VLAN on the switch? In that case, the access switch becomes a PE/CE. Is that correct?

More generally, is the MPLS for enterprise compatible with a routed campus (layer 3 until the access switches)?

Harold Ritter Fri, 01/05/2007 - 16:35

Pascal,


For the access switch to become the PE, it would need to run L3 code and support MPLS.


I believe you would need something like the 3750 Metro to do that.


Let me know if you have further questions,


titankapo Wed, 01/03/2007 - 13:08

Hi Harold,


We're currently designing a new MPLS topology for one of our customers.

We're joining the PE routers using 10G ports to build a ring.

The question is regarding the nature of these ports. Are they L2 or L3? Is it necessary to implement STP, or do we just need to assign an L3 IP address and run an IGP routing protocol between the ports?

I would deeply appreciate any documents relating to these questions.

Thanks in advance


christian

Harold Ritter Wed, 01/03/2007 - 16:02

These would be L3 ports on the PEs. There is therefore no need to implement STP on the PEs themselves. STP may or may not be required if you are using a L2 topology between the PEs.


As you indicated, point to point 10 GigE connections terminating on the PEs and running an IGP on top of that topology would be ideal.


Let me know if you have further questions,

brispin Thu, 01/04/2007 - 12:44

I'm an enterprise customer currently running EIGRP in my network. Do I need to migrate to OSPF or IS-IS in order to deploy MPLS VPN?

Thanks, Ben

Harold Ritter Thu, 01/04/2007 - 13:46

Ben,


There is no need for you to migrate to OSPF or IS-IS in order to deploy MPLS VPN. MPLS VPN will work perfectly well with EIGRP as your IGP.


That being said, you would need to migrate to OSPF or IS-IS if you intended to deploy MPLS Traffic Engineering over that same network. MPLS TE is not an absolute must though in an MPLS VPN network.


Let me know if you have further questions,

attrgautam Thu, 01/04/2007 - 20:15

Harold


In a CSC environment, can my Customer PE also run AToM [FRoMPLS/EWS/ERS] (I am assuming it is possible)? Secondly, how would multicast VPNs be configured over the CSC network? Will my provider need to turn on multicast routing in the core as well? If you could share deployment scenarios, it would be useful.

Harold Ritter Fri, 01/05/2007 - 06:12

Gautam,


In the CSC context, it is certainly possible to have the customer PE to act as a termination point for the pseudo wire.


As for your second question, the SP definitely needs to run mcast and offer mVPN in order for you to run mcast in your network and then in turn offer mVPN yourself to your own customers.


In this case there would be three distinct mcast domains. The P-domain and C-domain as it is normally the case for mVPN and the third one would be your own customer mcast domain.


Let me know if you have further questions,

thomas.chen Fri, 01/05/2007 - 12:43

What is the advantage of using MPLS VPN in an enterprise network?

Harold Ritter Fri, 01/05/2007 - 16:45

Thomas,


A rapidly growing number of enterprise customers are migrating to MPLS to offer isolation to their different customers while using the same core network infrastructures. The IT department in these companies often model themselves as a service provider to their many internal users. It therefore makes a lot of sense for them to use a technology that has already proved itself in the SP world to solve the same issue.


Let me know if you have further questions,

amarquezramirez Fri, 01/05/2007 - 12:52

Hello Harold, my name is Alma and I have a problem with my Catalyst 500 switch. I configured it for the first time through the web console, but I made a mistake because I configured all the ports in the same VLAN (which I called datos), and then I cannot see my web browser. I don't know how I have to configure my computer; I tried, but it does not work. My question is how I can reset my switch to default values. I connected my computer to the blink port but I cannot see my switch. Please help me. I need help.

Thanks for all and I hope you will have a very good new year.

Harold Ritter Fri, 01/05/2007 - 16:49

Hello Alma,


I suggest you post this question on the LAN Switching section of NetPro (under Network Infrastructure), where you will find more appropriate people to solve this issue.


Happy New Year to you too and everybody on the list as well.

m-dellamore Fri, 01/05/2007 - 13:43

Hello Harold,


My need is to provide a very reliable point-to-multipoint multicast flow. We have only one transmitter and two receivers, but we need a very high degree of reliability and very fast rollover in case of a path failure.

My idea is to use L2VPN over MPLS: the first PW uses the standard IGP path, while the second uses a TE path, and the two PWs form an EtherChannel to assure subsecond recovery. Is this feasible? Any other suggestion is appreciated, of course.


Thanks in advance

Maurizio

Harold Ritter Fri, 01/05/2007 - 19:14

I do not think L2 circuit bundling is currently supported. What type of convergence time are you looking at? Why not just use MPLS TE FRR if the convergence time is so critical? You could also have sub-second convergence just by tuning your IGP and using BFD for fast failure detection.


Let me know if you have further questions,

m-dellamore Sat, 01/06/2007 - 16:17

Harold,


The application is for transporting IP multicast video at 270 Mbps, and fast convergence is for the purpose of minimizing loss of data in case of failure. I'm investigating a solution that does not rely on SDH protection and uses pure IP MPLS over a mix of dark fiber and POS circuits.

To my knowledge, TE is not able to deliver multicast (please correct me if this is wrong). The idea of tuning the IGP is fine, but in this case I need to have this application directly in the core, is it? Any way to do this with VPLS?


thanks for your help

Maurizio

Harold Ritter Sun, 01/07/2007 - 11:08

Thanks for the additional information Maurizio,


I have seen core networks achieving ~200 to 300 milliseconds convergence with fine tuning and BFD where needed. It all boils down to what kind of convergence you determine to be sufficient for you.


I have seen people broadcasting two sources via different paths in the network so if one fails the other one is still on but you need the receiver to be able to monitor both streams and switch from one to the other if the primary fails.


I'm not sure you need VPLS for that kind of application. Most of the SPs (mostly MSOs) I have seen deploying similar scenarios, do it in native multicast.


Let me know if you have further questions,

dhickey Fri, 01/05/2007 - 14:20

Harold,


We recently purchased 8 7604's with the SUP32 10 gig blades for deployment at 8 companies. We intend to use it for our IPTV (multicast) and Internet traffic. I am looking at MPLS (in the same vrf) to carry the multicast traffic between companies (in fact have that working). As far as our Internet related traffic (public addresses), I was not planning on using MPLS. We will be running BGP for the possibility of a second DS3 from another provider. In the future we will be adding VOD content (which will be unicast from the Set Top Boxes (private addresses)), and I was planning on MPLS for that, with each company being a separate vrf back to the centralized VOD server.


Does this sound like the correct way to go about setting up this network? I understand I am not providing a very good description, so I am trying to keep it a little generic as far as specific questions. I will try and ask those in a different thread later.


Thanks


Don Hickey

Harold Ritter Fri, 01/05/2007 - 17:00

It is hard for me to comment on this design without having all the relevant information.


So if I understand your scenario, you are using mVPN to carry your video streams through your network, right? I have seen some Service Providers doing the same for the sake of isolating their mcast stream traffic in a VRF.


Let me know if you have further questions,

dhickey Fri, 01/05/2007 - 18:04

Harold,


You are correct. I am using mvpn.


Currently we have two separate networks. Our IPTV network is 1 gig links (about 480meg of traffic) between the 8 companies. We have a shared headend. The IPTV network is mostly multicast with a little unicast in there so the STB's can communicate with our encryption servers.


Our data (Internet traffic) is another network that is T-1's and DS3's. We currently have one DS3 that we all connect to.


We will soon be adding VOD which is why we purchased all the 10 gig equipment. Our plan is to combine the networks and run everything over the 10 gig links.


I wanted the multicast separated from the Internet traffic and plan to use mVPN. The VOD traffic is unicast and I was planning on a different vrf for each company back to our headend router. However for our Internet traffic, I don't see a reason to have to use MPLS to carry that traffic over the network. I guess my biggest question is should I run our Internet traffic the old fashion way, routing?

Or would there be an advantage to use MPLS to carry our traffic to the Point of Presence in our network?


Thanks


Don


Harold Ritter Fri, 01/05/2007 - 19:08

Don,


Thanks for the additional information. It sounds exactly as I expected.


The answer to your last question depends on whether you want to run a BGP free core or not. Many SPs also run their Internet traffic over MPLS for that very reason.


Let me know if you have further questions,

royalblues Sun, 01/07/2007 - 07:43

Harold


I am pretty new to the MPLS environment and would like to know the major advantages of running MPLS in the ISP/enterprise core rather than traditional networks.


Narayan

Harold Ritter Sun, 01/07/2007 - 11:28

Narayan,


The advantage of MPLS is that it decouples the packet forwarding (data plane) from the control plane. This offers the capability to easily deploy a variety of services without having to modify your core network, which will solely do packet forwarding based on the top MPLS label in the transit packets.


For instance, you could be forwarding IPv6, L2, CLNS or any other kind of traffic but all your core routers need to know is how to forward MPLS traffic.


This brings another benefit for large Internet SPs, where they can run a BGP free core since core routers will forward traffic to the egress router without having to hold the full Internet routing table. This not only frees resources on the core routers but also brings more stability by protecting them from any Internet network churn.


It also lets you deploy services such as L2VPN, L3VPN, MPLS Traffic Engineering, IPv6 over MPLS and many others that could come in the future.


Let me know if you have further questions,

o_dogorshom Mon, 01/08/2007 - 00:40

Hi Harold,


I think it is one of the most interesting topics, I just want some good documents about L2VPN if you don't mind.

thanks in advance for your consideration.


Regards,

Harold Ritter Mon, 01/08/2007 - 06:49

You can find a couple of good papers and presentations at the following link:


http://www.cisco.com/en/US/products/ps6603/products_ios_protocol_group_home.html


But if you really want an in-depth look at L2VPN I would recommend you go with the following CiscoPress book:


Layer 2 VPN Architecture:

http://www.ciscopress.com/bookstore/product.asp?isbn=1587051680&rl=1


Let me know if you have further questions,

jlaitinen Mon, 01/08/2007 - 02:54

Hi Harold,


Typically in enterprise data centers VLANs are spanned to multiple switches in multiple geographical locations, creating a large Spanning Tree region. How would MPLS L2VPNs help to resolve this? L2 adjacency is still needed for server clusters and firewall redundancy. MPLS L2VPNs are only point-to-point, and I don't see that deploying SIP cards in C6500's are a cost-effective method - only to get VPLS functionality. Any thoughts?


BR,


Jussi

Harold Ritter Mon, 01/08/2007 - 13:10

L2VPN confines the L2 domain to the attachment circuit on each PE.


MPLS L2VPN is the generic concept. L2VPN offers both point to point (EoMPLS) or point to multipoint (VPLS).


You indeed need a SIP card to support VPLS on the 6500. If you find this not to be cost effective in your scenario, you could consider using other devices such as the 3750 ME.


Let me know if you have further questions,



lyiangou Mon, 01/08/2007 - 14:10

We are building a new network for a University and they want to use MPLS VPN. They will have 2 6500 switches at the Core with 10 Gig interconnectivity to each other. They will use 3 pairs of 6500 switches at the distribution layer to 3 different buildings (also with 10 Gig connections in pairs). Below those distribution switches there will be multiple 3750 stacks at the access layer.


What will be the best way to design such setup for MPLS VPN. Should we configure all Core and distribution switches as the MPLS backbone with 2 RRs and the 6 distribution switches will act as both PE and CE? what do we have to do to avoid black hole in such network when all access switches will have connectivity to both distribution switches at each building?


We will probably use EIGRP for the VRFs and BGP in the MPLS. Any recommendation will really be appreciated.


Thanks


Harold Ritter Mon, 01/08/2007 - 17:27

The simple approach is, as you mentioned, to run MPLS on all devices (core and distribution). The distribution switches will be your PEs (CEs are not really required).


Given the size of this network, RRs are optional but you could use the core boxes to fulfill this functionality if you wanted.


As for the blackholes, it should be fine as long as you can detect L2 link failures between the access and distribution using UDLD.


You probably meant that you will be using EIGRP as your core IGP. This will work just fine.


One recommendation would be to make sure you enable giant frame support on all 6500s. Other than that you should be fine.


Let me know if you have further questions,


lyiangou Mon, 01/08/2007 - 21:20

Thanks for the reply. That will help a lot.


"You probably meant that you will be using EIGRP as your core IGP. This will work just fine."


What I meant is that we will be creating multiple VRFs for virtualization and we will probably be using EIGRP to create separate forwarding tables for each VRF. Also the global routing could be EIGRP. The MPLS will be BGP of course.


I have read a lot of documents from Cisco.com, but still I feel I am missing something. Do you happen to have some good links that could help me any further? Any sample configurations of similar network setups will be very helpful.



Harold Ritter Tue, 01/09/2007 - 04:59

Thanks for the additional information. Using EIGRP within the context of each VRF and in the core should be fine.


There is a wealth of information pertaining to L3VPN at the following URL:


http://www.cisco.com/en/US/products/ps6604/products_ios_protocol_group_home.html


If you wish, you could also get the MPLS and VPN Architectures book from Cisco Press, which is an excellent reference book when it comes to L3VPN.


http://www.ciscopress.com/bookstore/product.asp?isbn=1587050021&rl=1



Let me know if you have further questions,

Svante Bolander Tue, 01/09/2007 - 07:27

I have some questions about IPv6 in MPLS-VPN. We need to transport some IPv6 traffic between a few sites in a VPN in our MPLS network and we have heard about a feature named 6VPN. As we understand it, this is very similar to IPv4-VPN, but we are not sure how to configure it and on which platforms it is supported. We would like to avoid putting IPv6 on all P and PE routers, only on the PEs that have IPv6 on their VRF interfaces.


Could you please bring some light on this interesting topic.



Harold Ritter Tue, 01/09/2007 - 18:59

Svante,


6VPE is indeed the implementation of L3VPN for IPv6. 6VPE is not currently available. For more information on the 6VPE roadmap, please contact your account team.


On the other hand, if all you want is to carry IPv6 traffic across your network without your core routers being IPv6 enabled, then you could use 6PE instead. This has been available for a while.


For more information on 6PE, please see the following documents:


http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_data_sheet09186a008052edd3.html


http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_8-2/ipv6.html


Let me know if you have further questions,



lyiangou Tue, 01/09/2007 - 18:33

hritter, thanks again for the information. I also have another question:


All the servers will be connected to the two core 6500 switches which will be at the center of MPLS network. Those 2 switches will be running only BGP and they are not attached to access layer. Will it work if I just route the server network with BGP?


Also on those cores we will have NAM, IDS, and FWSM modules. I am a little confused about how those modules will work in a switch that is running only BGP, especially when the FWSM module will be the default gateway for each VRF. I will also have to route the logical VLANs between the core and the FWSM modules.


Thank you

Harold Ritter Wed, 01/10/2007 - 06:20

If the FWSM module is going to be the default gateway for each VRF, you probably don't need MPLS VPN but rather VRF lite.


Since all the VRFs terminate at the core switches, you might not need BGP at all, except maybe for the purpose of routing traffic through the FWSM.


Can you please confirm?

lyiangou Wed, 01/10/2007 - 10:23

hritter,


Yes, it would be much simpler if we did not use MPLS, but the problem is that Cisco recommended to the client to use MPLS. So my job is to configure MPLS and not VRF-lite. It does not really make sense, but I have to provide what the client asked.


It is really very strange to me because I am used to using IGP routing for the whole enterprise. All servers and FWSM are located on the Cores that will only be using BGP due to the MPLS requirements. That's what is really confusing to me. I am sure a lot of customers will be asking for MPLS in their enterprise networks in the future and we will always run into similar situations. If Cisco is recommending MPLS then there should be a complete solution in place to satisfy not just the VRF designs, but also the server farms which will mostly be on the Cores running only BGP. Many service modules will also be located on the Cores. If Cisco thinks that those server farms and service modules will not work properly on the Cores with BGP then Cisco should not recommend MPLS in enterprise networks.


Are there any clients that are already using MPLS in their enterprise networks with server farms at the center of MPLS?


Thank you.



Harold Ritter Wed, 01/10/2007 - 13:15

Loizos,


I'm not saying that your design will or won't work but I'm rather trying to understand your requirements and what would be the best way to implement it. At this point, I simply do not have enough information to tell you whether it is a safe and sound design or not.


Would there be a way for you to provide me with a design document that details what you intend to do? A network diagram would also be appreciated.


You can send me the information offline if you prefer.


Thanks,

Samer Labaky Thu, 11/04/2010 - 08:11

Dear Hritter,

Is there any document from Cisco showing a clear configuration in a network environment implementing MPLS where we have FWSM on the PE routers?

Thank you in advance.


I need to check what is Cisco's recommendations where we have MPLS in the enterprise and FWSM securing the users.

keithpalka Tue, 01/09/2007 - 07:09

Harold,


Given that I'm studying for the CCNP ISCW, seeing your topic gave me a glimmer of hope. As you may know, the CCNP tests changed as of Jan 1 07, but, alas, study materials do not come out for the ONT and ISCW until May 07, which is well beyond my timeline for completing the series of tests. On the ISCW blueprint, it is required to describe components and operation of Frame-Mode MPLS (VPN's) and to configure and verify the same. I've been searching near and far for materials that will explain this adequately, but to no avail. Would you be able to shed some light on this topic, or recommend a link or document to read? I've found enough to establish a very basic understanding of the concepts of MPLS, but that's about it. Thank you for any help you are able to provide.


-Keith

Harold Ritter Tue, 01/09/2007 - 19:16
m.pandey Tue, 01/09/2007 - 14:14

Is it possible to have Layer 2 MPLS coexist with Layer 3 MPLS? I have 10 locations spread locally within an area of <1 mile, which I want to integrate in a VPLS scenario (Layer 2), and then all of this will land at one centralized hub which will be part of a global MPLS cloud?


Is it feasible to do so, and what needs to be looked at as part of planning the design?


Cost-wise and performance-wise, how cost-effective is it to go for Metro Ethernet instead of Layer 2 MPLS? Is anyone really using VPLS at the enterprise level, and this kind of mix-and-match scenario?


Please suggest. As part of this design we will be running voice, video (EF priority) and data in a so-called unified closed network...


Regards,

Mani

