
ASK THE EXPERT – DEPLOYING MPLS VPN

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to discuss with Cisco expert Harold Ritter the various issues that should be addressed before or while deploying MPLS VPN in a Service Provider network or in an Inter Autonomous System (InterAS) environment. Harold is a network consulting engineer with the Cisco Advanced Services team for Service Provider. He is responsible for helping Cisco top-tier Service Provider customers design, implement and troubleshoot routing protocols and MPLS solutions in their environment. He has been a network engineer for more than 10 years. Harold is a CCIE (#4168) for Routing & Switching and Service Provider.

Remember to use the rating system to let Harold know if you have received an adequate response.

Harold might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through February 10, 2006. Visit this forum often to view responses to your questions and the questions of other community members.

28 REPLIES

Re: ASK THE EXPERT – DEPLOYING MPLS VPN

Hi Harold,

How far are you with implementing 6VPE? Which IOS, which hardware, and when do we see this as a supported feature in public releases?

Cisco Employee

Re: ASK THE EXPERT – DEPLOYING MPLS VPN

Hello Martin,

This should be available pretty soon. I don't have anything specific about the roadmap though.

Hope this helps,

Harold Ritter
Sr. Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México 
Paseo de la Reforma 222 Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México
New Member

Re: ASK THE EXPERT – DEPLOYING MPLS VPN

Hi Harold,

I have started preparing for a project where 45 sites are to be connected to the head office through an MPLS IP VPN provided by a Service Provider.

First, could you please provide me with some URLs, presentations or sample configurations of the CE and PE routers that help in understanding the MPLS IP VPN network and outline the major steps to verify connectivity and to troubleshoot in case of any failure?

- Each MPLS primary circuit at the customer edge must be protected, in case of failure, by a dial backup circuit. Could that be done in a similar way to protecting a primary Frame Relay or leased line circuit? If not, please let me know how.

Over the MPLS IP VPN network, the customer at the remote branches will access the application at headquarters using the standard SSL protocol terminated by a SafeNet SSL iGate. Do you think there will be performance problems running SSL over MPLS IP VPN?

Thanks for your help

Regards,

Yaacoub

Re: ASK THE EXPERT – DEPLOYING MPLS VPN

Hi Yaacoub,

First, regarding the CE configurations: the CE router is not MPLS-VPN aware, so you don't need any additional configuration on the CE. You will configure a specific encapsulation and IP address (get it from the provider) on the WAN interface, and the rest of the configuration will depend on your site requirements.

Second, the connectivity troubleshooting steps will be the same as for troubleshooting Internet connectivity (ping other sites, traceroute, etc.).

Third, the backup link will be used in the same way as with Frame Relay.

Any traffic type will not face any issue over the MPLS-VPN network as long as you don't need multicast traffic. This does not mean you cannot use multicast traffic, but I think you have to discuss this with your ISP so they provide you with a Multicast VRF (MVRF).

http://www.cisco.com/en/US/products/ps6557/prod_presentation_list.html

http://www.cisco.com/en/US/tech/tk436/tk428/technologies_configuration_example09186a00800a6c11.shtml

Best Regards,

Mounir Mohamed

Cisco Employee

Re: ASK THE EXPERT – DEPLOYING MPLS VPN

Yaacoub,

There are tons of configuration examples on CCO, but I would recommend starting with a good book on this topic, such as MPLS and VPN Architectures by Cisco Press, as this book not only gives you sample configurations but also goes into detailed explanations about them:

http://www.ciscopress.com/title/1587050021

Dial backup is certainly possible in this context and is widely used.

I don't see any issue with running SSL over the MPLS VPN network.

Hope this helps,

Harold Ritter
New Member

Re: ASK THE EXPERT – DEPLOYING MPLS VPN

Hello Harold,

I'm hoping to get you to comment on the addition of ipsec to mpls, both from the the client perspective and the service provider perspective. Do clients typically ask about this? Do service providers typically suggest/offer ipsec on top of MPLS if the client does not ask about it? The experience I've had with our provider is that they did not mention/offer/suggest additional ipsec, and they seemed rather reluctant to do it for us when we brought it up.

Their first response was "mpls is already secure." And indeed it does appear to be as secure as atm or frame relay, assuming everything is configured properly by the provider (4). But several reports, some even by Cisco suggest that combining mpls with ipsec would be a good thing (3,6).

Their second argument was the performance/throughput hit we would incur but for our needs the performance (is it roughly 400Mb/s on a pix 535 with a Gb pipe?) was well over what we needed.

QoS was their third issue, but again when you've got bandwidth to burn this seems like a minor issue, besides we can pick and choose what goes over the ipsec tunnel, and can exclude something if we must sacrifice security for performance.

Each of these was like pulling teeth to get - I got the impression they simply wanted to dissuade us and only came up with each argument if their previous argument didn't already convince us that we should trust them.

It seems to boil down to "do you trust your service provider." But it also seems to me that the providers don't stress that the client should be considering this, or they downright discourage you from doing this. It also seems that companies do not put as much consideration into this as they should. "Do you trust your provider" is a HUGE question to me - personally I don't think anyone should, but then I think there's no such thing as "too paranoid."

So I guess my questions are: what has been your experience with service providers and ipsec? Are providers usually this hard to convince to implement ipsec (I mean, sure, they'll do anything for the right price, but even then they didn't seem like they wanted to sell it to us)? How prevalent is ipsec over mpls? Do many clients even consider it? What are some of the data privacy laws that might apply here? (I'm Canadian but I'd still be interested in the US laws.) And lastly, should you trust your service provider?

Thanks,

Andy

Please see attachment for document references and juicy quotes.

Cisco Employee

Re: ASK THE EXPERT – DEPLOYING MPLS VPN

To answer your main question, I haven't seen many Service Providers offering IPsec over MPLS. Then again, I haven't seen too many SPs offering IPsec over ATM or Frame Relay. It comes back to the Miercom report, which states that MPLS VPN is as secure as the above-mentioned technologies.

On the other hand I have seen some customers providing their own encryption on the CE router.

As far as the privacy laws in the US or elsewhere, I'm not an expert, but maybe someone else on the forum can chip in.

Hope this helps,

Harold Ritter

Re: ASK THE EXPERT – DEPLOYING MPLS VPN

Hello,

there are two distinct things with IPSec and MPLS:

A) IPSec as access technology into a MPLS L3VPN

B) IPSec over an MPLS L3VPN

Option A) might be interesting to offer in order to have a complete access solution for customers at hand. Security is against the Internet and the customer trusts the MPLS SP. You can use e.g. a RADIUS server at the customer site for AAA, and the highly available IPSec gateways are with the SP. Makes sense, if you ask me.

Option B) is also used in several networks I know of.

In fact some customers in Germany have legal obligations to encrypt certain traffic (e.g. banks), or are obliged by security policies to use IPSec whenever an SP network is involved.

In most of these cases I have seen, an MPLS L3VPN is just a cost-effective way of interconnecting the customer IPSec gateways - potentially WITH QoS. The latter comes in handy and differentiates against pure Internet solutions when the customer has VoIP installations or needs to prioritize certain traffic.

(NB: IPSec will normally get the IP precedence of the original header and thus allow for proper QoS treatment without compromising the payload)

Handing off clear text IP to the SP and then requesting encryption would not make too much sense from a customer security perspective. I have seen this only once - though no MPLS network was involved.

Hope this helps! Please rate all posts.

Regards, Martin

Silver

Re: ASK THE EXPERT – DEPLOYING MPLS VPN

Hmm, IPSec as an access technology into an MPLS L3VPN? I thought it was a dream yet to be realised. Is that possible? Any sample config or links to support that?

Re: ASK THE EXPERT – DEPLOYING MPLS VPN

Hello,

IPSec into MPLS VPN has been around for quite some time. We use this for accessing some remote labs with the Cisco VPN client or VPN routers.

Have a look at: "VRF-Aware IPSec" found at

http://www.cisco.com/en/US/products/ps6604/products_white_paper09186a00801541dd.shtml

This should answer most questions and has some configuration examples in it. In case you have additional questions: post them, I will be happy to answer them.

Hope this helps! Please rate all posts.

Regards, Martin

Cisco Employee

Re: ASK THE EXPERT – DEPLOYING MPLS VPN

There is also a CiscoPress book covering this very topic:

IPSec VPN Design:

http://www.ciscopress.com/title/1587051117

Hope this helps,

Harold Ritter
bsc
New Member

Re: ASK THE EXPERT – DEPLOYING MPLS VPN

Hello,

I have a question regarding a term and maybe you can clarify it for me.

What does "MPLS in the datacenter" mean or include? It seems to be becoming a buzzword.

Can you clarify this term for me or refer me to some documentation?

Thanks.

Cisco Employee

Re: ASK THE EXPERT – DEPLOYING MPLS VPN

This is indeed a fairly new buzzword ;o) It refers to network partitioning in the datacenter using MPLS.

I haven't found much documentation or whitepapers on the topic but I will be happy to post more information as soon as I put my hand on good material.

Hope this helps,

Harold Ritter
Silver

Re: ASK THE EXPERT – DEPLOYING MPLS VPN

How would you integrate your mobile IP network into the MPLS L3VPN? The objective is to have the mobile nodes belong to different VPNs.

Would this require multiple Home Agents, or virtual agents, or is it not possible?

Cisco Employee

Re: ASK THE EXPERT – DEPLOYING MPLS VPN

I suppose you are referring to a Mobile IP service that would be provided by the SP, correct?

Mobile IP is currently not VRF aware. From what I gather there is no push for it either. If you think this is something that would be valuable, you can bring it up with your account team.

There is nothing that would prevent running Mobile IP in the customer network over the MPLS VPN network, though.

Hope this helps,

Harold Ritter

Re: ASK THE EXPERT – DEPLOYING MPLS VPN

Hello,

I am currently involved in two projects setting up MPLS VPN and/or Multi-VRF environments in data centers. The main idea is - as Harold wrote - to have separated IP routing functionality on a per-customer basis. This gets very interesting in case there is a multi-customer environment. As many IT departments are profit centers nowadays, this is an option to be ready for external customers.

To add a few buzz words: the environment designed in one project contains Virtual servers connected through Virtual LANs to Virtual routers (VRFs) and Virtual firewalls.

Only the customers are real ;-)

Hope this helps! Please rate all posts.

Regards, Martin

New Member

Re: ASK THE EXPERT – DEPLOYING MPLS VPN

Harold,

In an MPLS/VPN implementation with customer-facing interfaces on a PE router bound to a VRF, as a security measure against DoS attacks with spoofed source addresses, does it make sense to enable strict mode uRPF on CE-facing interfaces on the PE routers? Also, would the RPF check use the VRF FIB or the global FIB? I would assume the VRF, but just want to make sure.

Bob

Cisco Employee

Re: ASK THE EXPERT – DEPLOYING MPLS VPN

It does make sense to use uRPF.

For the strict mode, the same constraints you have in a normal IP network also apply here. So if you had a multihomed site and for some reason you would like to prefer one PE connection to that site rather than the other, you might want to make sure the traffic to and from that site is not asymmetric before you apply strict mode.

And yes, the uRPF would check the source IP address against the VRF and not the global one.

Hope this helps,

Harold Ritter
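The two points in Harold's answer (the check consults the VRF FIB rather than the global FIB, and strict mode breaks legitimate traffic from a multihomed site when routing is asymmetric) can be seen in a small simulation. This is an added example and not code from the thread or from Cisco; the FIBs, prefixes and interface names are constructed, and the routing outcome for the dual-homed site (this PE prefers the path via the other PE) is assumed for the illustration.

```python
import ipaddress

# Constructed FIBs for a single PE router; every prefix and interface name here is
# made up for the illustration. In each table a prefix maps to the interface the
# best route points out of. VRF routes learned from a remote PE leave through the
# core-facing interface (the labelled path), not through a customer port.
CORE_IF = "Gi0/0"
FIBS = {
    "global": {
        "10.0.0.0/8": CORE_IF,        # SP infrastructure, present only in the global table
    },
    "CUST-A": {
        "192.168.1.0/24": "Gi0/1",    # site 1, single-homed on this PE
        "192.168.2.0/24": CORE_IF,    # site 2, dual-homed: this PE prefers the remote PE
        "192.168.3.0/24": CORE_IF,    # site 3, attached to a remote PE
    },
}
# Which VRF each interface is bound to ("global" = not bound to a VRF).
IFACE_VRF = {"Gi0/0": "global", "Gi0/1": "CUST-A", "Gi0/2": "CUST-A"}


def lookup(vrf, addr):
    """Longest-prefix match of addr in the FIB of vrf; returns the egress interface
    of the best route, or None when that table has no route for addr."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in FIBS[vrf].items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def urpf_check(ingress_if, src, mode="strict"):
    """Return True if a packet with source src arriving on ingress_if passes uRPF.

    The lookup is done in the FIB of the VRF the ingress interface is bound to, so
    a customer-facing VRF interface never consults the global table.
    strict: the best route to src must point back out of the ingress interface.
    loose:  any route to src in that FIB is enough.
    """
    vrf = IFACE_VRF[ingress_if]
    egress = lookup(vrf, src)
    if egress is None:
        return False
    if mode == "loose":
        return True
    return egress == ingress_if


def demo():
    """Run the cases discussed in the thread and return them as (label, result) pairs."""
    return [
        # legitimate source of the single-homed site: passes strict mode
        ("site1 legit", urpf_check("Gi0/1", "192.168.1.10")),
        # source spoofed as an SP core address: the VRF FIB has no route, so the packet
        # is dropped even though the global FIB would have matched 10.0.0.0/8
        ("spoofed core address", urpf_check("Gi0/1", "10.1.1.1")),
        # source spoofed as another site's address: best route points to the core, dropped
        ("spoofed remote site", urpf_check("Gi0/1", "192.168.3.5")),
        # dual-homed site sending via its second link while this PE prefers the other
        # PE: asymmetric routing, legitimate traffic fails strict but passes loose mode
        ("site2 asymmetric strict", urpf_check("Gi0/2", "192.168.2.7")),
        ("site2 asymmetric loose", urpf_check("Gi0/2", "192.168.2.7", mode="loose")),
    ]


if __name__ == "__main__":
    for label, ok in demo():
        print(f"{label:26s} {'pass' if ok else 'DROP'}")
```

The last two cases are the caveat Harold raises: before turning on strict mode for a multihomed site, confirm that the PE's best route to that site's prefixes actually points back out of the CE-facing interface, otherwise loose mode is the safer choice.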

Re: ASK THE EXPERT – DEPLOYING MPLS VPN

Harold,

which InterAS solutions are implemented mostly (back-to-back VRF, PE-PE, RR-RR, ...)?

What pros and cons do you see?

Regards, Martin

Cisco Employee

Re: ASK THE EXPERT – DEPLOYING MPLS VPN

I have never seen anyone implementing the back-to-back approach (option A). Although this is a fairly simple approach, its drawback is that it doesn't scale, as each and every VRF needs to be configured on the ASBR.

What I have mostly seen implemented so far is the VPNv4 eBGP solution (option B). The drawback of this approach is that it requires the ASBR to hold all of the VPNv4 routes.

There seems to be a tendency for customers building new interAS to use IPv4 + labels (option C) these days. This approach puts very little stress on the ASBR, as it only needs to exchange IPv4 prefixes + labels between the two ASes, leaving the VPNv4 prefixes to the RRs. Proper filtering must be applied on the ASBR to make sure that only the required prefixes (/32) are exchanged.

Hope this helps,

Harold Ritter

Re: ASK THE EXPERT – DEPLOYING MPLS VPN

Harold,

can you provide a sample config of RR VPNv4 filtering (inbound and outbound), especially towards allowed RDs and RTs, usable in an InterAS VPN environment?

Regards, Martin

Cisco Employee

Re: ASK THE EXPERT – DEPLOYING MPLS VPN

Martin,

One way would be to filter using an expanded extended community list.

! expanded extcommunity-list 100: regex evaluated against the route's extended communities
route-map test permit 10
 match extcommunity 100
!
ip extcommunity-list 100 permit ^RT:1:.*$
! apply the route-map to the VPNv4 peer, e.g. "neighbor <peer-address> route-map test in"
! (<peer-address> is a placeholder for the RR or ASBR neighbor)

Hope this helps,

Harold Ritter
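The two filters Harold describes for an InterAS deployment, the ASBR permitting only PE loopback /32s when exchanging IPv4 + labels (option C) and the RR accepting VPNv4 routes by RT regex with an expanded extcommunity-list, can be emulated offline to check what a given regex actually admits. This is an added example, not configuration or code from Harold or Cisco. It assumes a made-up PE loopback range, a constructed set of VPNv4 routes, and that an expanded extcommunity-list applies its regex to the whole space-separated extended-community string of a route in attribute order (that is the assumption behind the caveat shown below).

```python
import ipaddress
import re

# ---- Option C: IPv4 + labels between the ASBRs --------------------------------
# Only PE loopbacks should cross the AS boundary. This mimics a prefix-list that
# permits /32s inside an agreed PE loopback range and denies everything else.
# The range is made up for the example.
PE_LOOPBACK_RANGE = ipaddress.ip_network("10.255.0.0/16")


def permit_ipv4_label_prefix(prefix):
    """True if prefix may be advertised with a label to the neighbouring AS."""
    net = ipaddress.ip_network(prefix, strict=False)
    return net.prefixlen == 32 and net.subnet_of(PE_LOOPBACK_RANGE)


def filter_ipv4_label_prefixes(prefixes):
    """Apply the /32 loopback filter to a list of candidate prefixes."""
    return [p for p in prefixes if permit_ipv4_label_prefix(p)]


# ---- VPNv4 filtering on the RR with an expanded extcommunity-list --------------
# Assumption: the list's regex runs against the route's whole extended-community
# string, e.g. "RT:1:100 RT:2:200", communities joined by single spaces in
# attribute order. Each constructed route carries an RD-prefixed VPNv4 prefix.
VPNV4_ROUTES = [
    {"prefix": "1:100:192.168.10.0/24", "extcomms": ["RT:1:100"]},
    {"prefix": "1:101:192.168.11.0/24", "extcomms": ["RT:1:101", "RT:2:200"]},
    {"prefix": "10:5:172.16.0.0/24", "extcomms": ["RT:10:5"]},             # RT:10:..., not RT:1:...
    {"prefix": "2:200:172.17.0.0/24", "extcomms": ["RT:2:200", "RT:1:100"]},  # RT:1:100 is second
]


def extcomm_list_matches(regex, extcomms):
    """Emulate 'ip extcommunity-list <n> permit <regex>' against one route."""
    return re.search(regex, " ".join(extcomms)) is not None


def filter_vpnv4_routes(routes, regex):
    """Permit-only route-map: return the prefixes whose extcommunity string matches."""
    return [r["prefix"] for r in routes if extcomm_list_matches(regex, r["extcomms"])]


if __name__ == "__main__":
    print("IPv4+labels:", filter_ipv4_label_prefixes(
        ["10.255.0.1/32", "10.255.1.0/24", "10.255.0.2/32", "10.1.1.1/32"]))
    # The anchored regex from the thread only sees RT:1:* when it is the FIRST community.
    print("^RT:1:.*$   :", filter_vpnv4_routes(VPNV4_ROUTES, r"^RT:1:.*$"))
    # A word-bounded form admits RT:1:* wherever it sits, and still rejects RT:10:*.
    print("bounded     :", filter_vpnv4_routes(VPNV4_ROUTES, r"(^| )RT:1:[0-9]+( |$)"))
```

The second regex is the one to test against routes carrying several RTs: `^RT:1:.*$` admits the route only when an RT in the 1:* range happens to be listed first, which is easy to miss in a lab with single-RT routes. Whatever pattern is chosen, the route-map still has to be applied inbound on the RR or ASBR VPNv4 session for it to take effect.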
New Member

Re: ASK THE EXPERT – DEPLOYING MPLS VPN

Hi Harold,

Currently I am testing ATM over MPLS on 7206 VXR routers. I would like to know:

1) Test cases for ATM over MPLS in VC and VP modes (AAL5oMPLS, cell relay, packed cell relay)

2) How to achieve CoS on such setups

Thanks and Regards

Raj Panchal

Cisco Employee

Re: ASK THE EXPERT – DEPLOYING MPLS VPN

1) I'm not sure I can help you with the test cases.

2) Here's an example of how you can set the EXP bits for an ATM VC.

http://www.cisco.com/en/US/products/sw/iosswrel/ps1829/products_feature_guide09186a008016102a.html#wp1151351

Although this example refers to a 7500, the config would be pretty similar on a 7200.

Hope this helps,

Harold Ritter
New Member

Re: ASK THE EXPERT – DEPLOYING MPLS VPN

Would you have an idea why, when I traceroute from the corporate office to a LAN IP (X.X.X.X), the same interface appears twice? I am going across an MPLS network.

Cisco Employee

Re: ASK THE EXPERT – DEPLOYING MPLS VPN

If the device attached to this LAN is a 6500 with a Sup720, you might be hitting CSCef16357.

Hope this helps,

Harold Ritter
New Member

Re: ASK THE EXPERT – DEPLOYING MPLS VPN

I am working in an MPLS VPN environment with MBGP. I want some technical documentation for troubleshooting MPLS as well as MBGP in a complete MPLS VPN environment.

Cisco Employee

Re: ASK THE EXPERT – DEPLOYING MPLS VPN

Sharma,

The MPLS OAM Tools (lsp ping and traceroute) are great for troubleshooting mpls vpn since they can help identify very quickly where an LSP is broken. Before these tools, you might have had to go through several core routers to find the source of the issue.

MPLS OAM Tools for Troubleshooting MPLS Networks

http://www.cisco.com/application/pdf/en/us/guest/netsol/ns172/c654/cdccont_0900aecd80272b7f.pdf

Another great tool for troubleshooting mpls vpn network is the MPLS Diagnostics Expert (MDE).

You can find more on MDE at the following link:

http://www.cisco.com/go/mde

I'm also attaching a few links that will certainly be helpful in troubleshooting mpls vpn.

Troubleshooting LSP Failure in MPLS VPN

http://www.cisco.com/en/US/tech/tk436/tk428/technologies_tech_note09186a0080144ab2.shtml

How to Troubleshoot the MPLS VPN

http://www.cisco.com/en/US/tech/tk436/tk428/technologies_tech_note09186a0080093fcd.shtml

Packet Flow in an MPLS VPN Environment

http://www.cisco.com/en/US/tech/tk436/tk798/technologies_tech_note09186a0080093d42.shtml

Hope this helps,

Harold Ritter