08-06 sam 5.0 vprn configuration

Section 8 � Module 6 �

All Rights Reserved © 2007, Alcatel-Lucent

Do not delete this graphic elements in here:

All Rights Reserved © Alcatel-Lucent 2007

5620 Service Aware Manager 5.0 Core

8�6 Module 6VPRN Configuration

Section 8Basic Services



All Rights Reserved © Alcatel-Lucent 20075620 Service Aware Manager 5.0 Core

Basic Services � VPRN Configuration 8 � 6 � 2

Blank Page

Switch to notes view!

This page intentionally left blank





Objectives

� Upon successful completion of this module, the student will be familiar with:

� Operation and benefits of a VPRN service

� VPRN features, functions, components and topologies

� VPRN configuration on the Service Router using the SAM





Virtual Private Routed Network

PE A PE C

PE B

PE D

IP / MPLS

Network

MP-IBGP Route

Exchange

For all

Services

VPRN Service

Red

RI-1

RI-2

RI-1

RI-2

RI-1

RI-2

RI-1

RI-2

VPRN Service

Green

CE A

CE D

CE C

CE B

VPRN is a class of VPN that allows the

connection of multiple sites in a routed

domain over a provider managed IP/MPLS network

� From the customer’s perspective it looks as ifall sites are connected toa routed domain

� Service provider can reuse the IP/MPLS infrastructure to offer multiple services

� Each VPRN appears like an additionalrouting instance, routes for a service between the various PE’s are exchangedusing MP-BGP

� Customer data is encapsulated usingMPLS or GRE encapsulation

As of R4.0, inter-AS VPRNs are supported.

In Feb. 2006, Internet Draft RFC2547bis was moved to ‘standard’ status, as RFC 4364.

A Virtual Private Routed Network (VPRN) service allows service providers to use their IP backbone to

provide a Layer 3 VPN service to their customers. VPRNs are also known as BGP/MPLS VPNs because

BGP is used to distribute VPN routing information across the provider's backbone and MPLS is used to

forward VPN traffic from one VPN site to another.

Each CE router becomes a peer of the PE router that it is directly connected to, not a peer to the

other CE routers. A CE router provides the PE router with route information for the private customer

network. Each associated PE router maintains a separate IP forwarding table for each VPRN.

Additionally, the PE routers exchange the routing information configured or learned from all

customer sites via MP-BGP peering. Each route exchanged via the MP-BGP protocol includes a Route

Distinguisher (RD), which identifies the VPRN association.

MPLS handles the forwarding between the PE routers. This means that the routers in the core of the

network need not know about the routes connecting the private networks. A VPRN service uses a

two-level label stack — the ingress PE router pushes both an inner VC label and an outer tunnel label

onto a packet. After reaching the egress PE router via one or more MPLS Label Switched Paths (LSPs),

the PE router pops the MPLS headers and delivers a normal IP packet to the customer.





VPRN Features

� Consistent QoS model used across all VPN services

� Highly scalable implementation

� Per VPN controls to limit route table growth

� Consistent service and feature support over IP or MPLS backbone

� PE-CE routing support

� Comprehensive set of OA&M tools

� Statistics, billing and accounting data

Highly scalable:

� VPN routing and forwarding (VRF) tables

� Total routes

� BGP Peerings

� IP Interfaces

PE-CE routing supports:

� Static Routes

� BGP

� RIP

� OSPF

Statistics, billing and accounting data:

� Per IP-VPN (VPRN)

� Current routes

� Current routes per protocol source (Static, Local, BGP (PE-CE or Network), OSPF

� Maximum number of routes (high watermark)

� Per IP-VPN Interface:

� Packets (In/Out)

� Bytes (In/Out)

� Errors In/Out





VPRN Architecture and Components


In a Virtual Private Routed Network (VPRN) the service provider network distributes its

customer’s routing information using MP-BGP and forwards their data packets using MPLS or GRE

tunnels.

The routers in the service provider’s network perform one of two possible roles:

� Provider (P) routers in the core.

These routers simply support the switching of LSPs. They do not have any knowledge of the

existence of the VPRNs.

� Provider Edge (PE) routers at the edge of the service provider’s network.

These devices provide the MPLS signaling and forwarding and partitioned IP routing and

forwarding capabilities to partition customer data flows received from or destined to the

various customer sites.

The routers in the customer’s network which connect to the PEs are known as CE (Customer Edge)

devices and are simple IP routers that forward and receive IP packets and distribute routing

information using standard IP routing protocols or configured static routes and

are VPRN unaware. The architecture of the VPRN service is shown on the opposite page.

The components of a VPRN VPN are:

1.MP-BGP sessions between PEs to distribute customer routes across the service provider’s

backbone.

2. Virtual Routing and Forwarding (VRF) tables on PEs specifying the import and export rules for

customer routes advertised between PEs.

3. Configured or learned VPRN routes from the customer sites.

4. MPLS or GRE tunnels between PEs for transporting customers’ traffic across the service

provider’s backbone.





VPRN Architecture and Components

CE

CE

CE

CE

CEPE

PE

CE

CE

CE

CE

PE

PE

Core Network

VPN Instance #1

Customer 1

VPN

VRF for Customer 1 VPRN

VPN Instance #2

Customer 2

VPN

VRF for Customer 2 VPRN

CE to PE

Routing:

BGP

RIP

Static

OSPF

Tunneling Mechanisms:

RSVP-TE

LDP

GRE





VPRN Functions

Switch to notes view!Learning Routes from Local CEsA PE learns the routes from a CE by through static routes or a dynamic routing protocol such as BGP.

Locally reachable IPv4 addresses as well as remote routes learned from other PEs are stored in the

appropriate VRF.

Distributing RoutesThe PEs establish MP-BGP sessions with each other to distribute the routes they have learned from

locally connected CEs. The PEs maintain one or more VRF for each VPRN it is involved with,

depending on the VPN topology (mesh or hub and spoke, intranet or extranet).

Ensuring Unique Customer RoutesBecause different customers may use the same IP addresses within their respective networks, a

method is need to ensure that they remain unique when they are distributed across the service

provider network. This is achieved by pre-pending the 4-byte IPv4 address with an 8-byte Route

Distinguisher to form a new address called the “VPN-IPv4 address”. A distinct RD value can be

associated with individual routes or with all routes learned from a particular CE.

Populating Routes Into VRFsWhen a PE receives routes from another PE via their MP-BGP session it adds the learned routes into

the appropriate VRFs based on the route targets configured in each VRF, and contained in the route

advertisement. An export route target is included in the route advertisement. If it matches the

import route target configured in a VRF, those routes are populated into the VRF.

Forwarding Data Among Customer SitesThe PEs forward customer traffic across the service provider’s network via GRE or LSP tunnels (outer

label). LSPs can be established using LDP or RSVP-TE signaling.

When the destination PE receives a data packet it determines the appropriate VRF to use to forward

the packet onward to the correct CE based on the inner label associated to a given VRF. The inner

label is allocated by the local PE and advertised to the peer PE as part of a VPN-IPv4 route update.





VPRN Topologies

� Full Mesh

� Hub and Spoke

� Extranet

(Full or partial) Route Exchange between

multiple VRFs using Route Policies

PE1

PE3PE2

PE4

CE

6

CE

4

CE

3

CE

2

CE

1

CE

5

Hub and spoke can be

achieved in either full mesh or

extranet using Route Policies that

make a single PE/CE the Hub

and all other PE/CE spokes

PE1

PE3PE2

PE4

CE

1

CE

6

CE

5

CE

4

CE

3

CE

2

Full MeshA fully meshed VPRN network provides full redundancy. This requires each PE to be connected to

every other PE in the network. The disadvantage is reduced scalability. As the number of nodes

grows, the number of paths will increase exponentially.

Hub and SpokeTo contain the vast numbers of paths that exist in a large fully meshed network, the concept of a

hub and spoke arrangement is introduced. This design has two main benefits:

Reduced number of VPN tunnels that need to be managed, and

Simplified filtering policies with the introduction of a hub

ExtranetAn Extranet topology allows routes to be exchanged between two or more VRFs. The shared routes

are identified by Route Policies.





VRFs in a CE Hub and Spoke environment

PE-A PE-B

PE-C

CE-1 CE-2

CE-3

Service 1

VRF-1

Service 1

VRF-1

VRF-2

VRF-1

Hub Spoke

Spoke� Hub CE-1 advertises its routes to VRF-2 in PE-A, next hop CE-1.

� VRF-2 advertises its routes (or default route) via MP-BGP to PE-B & PE-C, next hop PE-A.

� PE-B & PE-C advertise the routes (or default route) received from the Hub to their respective CEs.

� The Spoke CEs advertise their routes to their respective PEs, next hop the appropriate CE

� The spoke PEs advertise the spoke routes to the Hub PE VRF-1, next hop the appropriate Spoke PE.

� The hub PE, advertises the spoke routes to the Hub CE.

All spoke to spoke traffic

must go via Hub CE-1

Arrows signify the

direction of route

announcements

In a hub and spoke topology the majority of the traffic is exchanged between spoke sites and a hub

site. A banking institution is an example of a customer which would likely use a hub and spoke VPN

topology as most traffic is sent between branch offices (i.e. spoke sites) and a head office (i.e. hub

site). If some traffic is exchanged between spoke sites it traverses the hub site. The spoke sites

advertise their routes to the hub site. The hub site may then re-advertises these routes to the other

spoke sites with itself as the next hop. Hence traffic from one spoke site to another traverses the

hub site.

In order for the hub site to receive routes from spoke sites, and re-advertise them to the other spoke

sites, it needs two VRFs – one for routes coming in from the various spoke sites and one for routes it

advertises out to the spoke sites (either traffic originating at the hub site, or traffic forwarded from

other spoke sites).





Blank Page







Transport Tunnels

Switch to notes view!Each PE involved in a given VPRN service must be configured with a tunnel to every other PE

participating in the same VPRN service to transport a customer’s VPN traffic from one site to

another.

The tunnel is created either through the configuration of a SDP or using the auto-bind option when

creating a VPRN service instance. For VPRN services, SDP tunnels can be created using MPLS with

RSVP-TE or GRE encapsulation. The auto-bind method for creating tunnels can be used with LDP or

GRE.

If SDP tunnels are used, they must be created prior to the creation of the VPRN services. The

configuration of a SDP includes specifying the far-end PE and the type of encapsulation used, GRE or

MPLS with RSVP-TE.

When RSVP-TE signaling is used, the outer LSP tunnels must be explicitly configured in addition to

the creation of the SDPs. When the outer tunnels are created using auto-bind with LDP there is no

need to explicitly configure the LSP tunnels. It is only necessary to enable LDP signaling on the

appropriate interfaces and once the MP-BGP sessions have been established, the LSP is automatically

established. Similarly, outer tunnels created using auto-bind with GRE do not require any preliminary

configuration – the VPRN service only needs to be auto-bound to GRE.

When the auto-bind option is used traffic from all VPRN services (configured with the auto-bind

option) traverse the same LSPs. In this case it is not possible to have alternate tunneling mechanisms

(like GRE) or the ability to configure sets of LSP's with bandwidth reservations for specific customers

as is available with explicit SDPs for the service. If LSPs with reserved bandwidth are needed then

SDPs with RSVP-TE signaling should be used for the outer tunnels.

If distinct tunnels per VPRN service are desired, then SDPs with GRE or RSVP-TE signaling should be

used so that VPRN instances can be explicitly bound to specific SDPs.





Transport Tunnels and Service Binding

� Outer Label� Each PE in the VPRN connected by a tunnel

� Tunnels created by:

� Creating an SDP (RSVP-TE or GRE)

� Auto-bind (LDP only)

� Tunnel binding depends on the tunnel signaling protocol:

� LDP signaled LSP tunnels

� GRE tunnels

� RSVP-TE signaled tunnels





PE to CE Route Distribution

Switch to notes view!Static RoutesAll routes to be advertised by the CE to other CEs belonging to the VPRN are configured as static

routes in theVPRN service instance.

eBGP RoutingeBGP is configured between the PE and each attached CE belonging to the same VPRN in the VPRN

service instance.

The explicit configuration of the autonomous system number and router-id is optional. If omitted,

these values simply inherit the router’s global AS number and router-id. The local address is also an

optional parameter. When it is not specified, it inherits the system IP address when communicating

with IBGP peers and the interface address for directly connected eBGP peers.

If no import route policy is specified, then all BGP routes advertised by the CE are accepted by the

PE.

An export policy is needed for the PE to advertise the routes learned from other PE sites in the VPRN

instance via MP-BGP to the CE router via eBGP.

RIP RoutingWhen RIP is used as the PE-CE routing protocol, a RIP instance must be enabled on the PE router in

the router context. Subsequently RIP can be configured on the PE-CE interface during the

configuration of the VPRN service. RIP is configured between the PE and each attached CE belonging

to the same VPN in the VPRN service instance.

By default RIP does not export routes it has learned to its neighbors. Therefore it is necessary to

configure an export policy to enable MP-BGP routes learned from remote CEs belonging to the VPN,

to be redistributed into RIP and to the local CE.

OSPF RoutingAs of R4.0 of the 7X50 routers, OSPF can be used at the PE-CE routing protocol. This provides a way

for a network to continue using a single protocol as it is migrated to an IP-VPN backbone.

OSPF LSA information is not transmitted natively across the IP-VPN. The OSPF routes are “imported”

into MP-BGP as AS externals. As a result, other OSPF-attached VPRN sites on remote PEs will receive

these via type 5 LSA. This process is not automatic and requires the configuration of (existing) Route

Policies.

Stub areas, OSPF-TE and sham links are not currently supported.





Configuration Workflow - VPRN

Create ServiceCreate Service � Specify Service Type� Specify Service Sites

Create SAPsCreate SAPs� Add a Layer 3 Access Interface to each site� Configure Access ports� Specify MTU� Assign Encapsulation value

Manage ServiceManage Service� Service Topology View � Properties

Create a

Customer

Create a

Customer� Create a Customer

Configure BGPConfigure BGP � Configure an BGP mesh among participating sites

VPRN Configuration WorkflowThe workflow illustrated above describes the steps for a network administrator or operator to

configure a Virtual Private LAN Service.

� BGP Network Configuration

� Configure BGP for VPRN connectivity

� Customer - must be assigned to the service. Though the service can have only one Customer,

that

customer may be assigned to more than one service.

� Create Service - specify the service type (VPRN) and add the appropriate service sites.

� Create Service Access Points – Add a Layer 3 Access Interface to each site. Configure the port

Mode

for Access, define the Encapsulation Type, specify the Encapsulation ID (as required) and

specify

the service MTU size.

� Bind Service Tunnels to create the SDPs. It is possible to use Auto-Bind, when using LDP, or

manually assign Spoke SDPs, if RSVP is to be used for tunnel transport.

� Manage Service – through the Properties window and/ or by using the Service Topology View.





Enable BGP

1. Select the Routing Instance-12. Select Properties

3.Verify that BGP is enabled

BGP Configuration

The following steps will cover the configuration of an iBGP mesh, which will be used for the

advertisement of VPRN routes from each customer’s VRFs.

An BGP mesh will be required among all participating sites in the VPRN service.

� Check that BGP is enabled on the base routing instance as should have been configured

previously.

Right click on Routing Instance – 1, select the Protocols tab, and verify that BGP is checked.





Configure BGP AS

1. Select the BGP Routing Instance2. Select Properties

3. Verify the Site ID is the System Interface Address

Configure BGP AS

� Select the BGP routing instance for your router from the Navigation Tree Network view, right

click

and select Properties.

� In the General tab, verify the Site ID is the system interface IP address.





Configure BGP AS

1. Select the AS Properties tab2. Verify the AS Number is 100

3. In the VPN tab, enable Family: VPN-IPV4 and IPv4

Configure BGP AS� Select the AS Properties tab, and verify the AS Number; 100 is used here as an example.

� Leave all other entries as the defaults.

� In the VPN tab, enable Family: VPN-IPV4 and IPv4.

It is essential that you enable the VPN-IPV4 family as this is required to carry VPRN routes.





Create Peer Group

1. Select the Group tab 2. Select Add3. Specify the Name.

4. Select the AS Properties tab5. Set the Peer AS to 1006. Select OK, OK, Apply and Yes

Configure Peer Group� Select the Group tab. Select Add. Specify the Name. Click Apply and OK.

� Select the AS Properties tab and set the Peer AS to 100. Other parameters will be inherited

from

the global configuration. Select OK, OK, Apply and Yes.





Create BGP Peers

1. Select the Peer tab2. Select Add

3.Enter the System ID for the other router4.In the General tab, choose Select under the Routing Instance group

Create BGP Peers� Select the Peer tab, and create a BGP peer to one of the PE routers.

� Select Add, and enter the system ID for the other router in the Peer Address field.

� Under Routing Instance Group: choose Select.





Create BGP Peers

1. Select the Peer Group from the list2. Click OK, OK, Apply and Yes 3. Click Close or Cancel

Create BGP Peers� Select the peer group from the list.

� Click OK, OK, Apply and Yes. Click Close or Cancel.





Verify BGP Configuration

1. Double click on a Peer

2. Ensure the connection state is Established

Verify BGP Configuration� Repeat the steps on the previous two pages for all PE routers in your network.

� Your peering relationships will be up when all objects and aggregated alarms have cleared.

� Double click on each peer and check that the connection state is Established.





Create a Customer

1.Select Manage�Customers 2.Select Create

3.Define the Customer Attributes

Configure a CustomerA service it must be associated with a customer. The customer may be associated with multiple

services yet there can only be one customer per service.

To create a customer:

� Select Manage �� Customers from the Main menu

� Click on the Create button

� Under the General tab of the Customer Create window, complete the appropriate customer

information then click OK.

Verify that the customer has been created by selecting Manage �� Customers from the Main menu

and click the Search button. A list of customers, based upon the configured filter, will appear.

Verify the customer appears in the list.

Alternatively, you can select a previously configured customer in the Create Service stage





Configure Access Port

Configure Access PortAs discussed, a service requires a port facing the customer edge to be configured for Access and an

Encapsulation type specified. To configure a port:

� Navigate to the Equipment tab in the Navigation Tree

� Expand the tree and select the appropriate port or ports. It is possible to configure multiple

ports at the same time by through the Shift – Click or Ctrl – Click method.

� Right-click and select Properties from the contextual menu

� From the Mode drop-down menu, select Access

� From the Encapsulation Type drop-down menu, select the appropriate encapsulation type

� Set the port MTU. Remember that the port MTU must be set to a value set to support the

largest service MTU to be supported on that port.

� Select OK to complete the configuration.





Create a VPRN

2.Choose Select

3.Select the Customer

Description (optional)

Service Name

1. Select Create�Service �VPRN

Create a VPRNTo create a service, select the service type and assign the managed devices upon which the service

will terminate, referred to as the Service Sites.

To create a VPRN:

� Select Create �� Service �� VPRN from the Main Menu

� Click the Select button in the Customer block

� Select a customer from the list that appears and click the OK button

� Complete the remaining parameters, as required. Though optional, providing a service name and

relevant description will enable the network administrator or operator to find the service using

the

Search filter.

� Click Apply





Create a VPRN

1. Select the Components Tab

2. Select the PE Nodes participating in the service

3. Click OK

4. Select the Components Tab to view the service sites

Create a VPRN� Add and configure PE Sites:

� Click on the Components Tab then right click on VPRN.

� Select Create Site

� Select the sites participating in the service.

� Click OK

� Select the Components Tab to view the service sites.





Create a VPRN

3.Give a selected site a Name and Description

1. Select the Routing Instance2. Select Properties

Create a VPRN� Select the first Routing Instance

� Right click and select Properties.

� Give the site a Name and a Description.





Create a VPRN

1.Assign values as shown

Create a VPRN� Click on the Routing tab. This enables us to configure the virtual router instance. Configure the

following properties:

� Router id = the system address of the router

� AS number = 100

� Route Distinguisher Type = Type 0 (use an assigned value as a route distinguisher)

� Type 0 Administrative Value = 100

� Type 0 Assigned Value = a unique identifier in order to make the network address unique to

this VPRN; 60 is used as an example.





Create a VPRN

1. Assign values as shown

Create a VPRN� Click on the VRF-Target sub tab and set the VRF route target properties as follows:

� VRF Target Type = Define Default

� Target Format = AS

� Target AS Value = 100

� Target Extended Community Value = unique value, which must match each distant end Route

Target Value of the other sites participating in the service in order to allow the population of

network addresses in the VRF; 95 is used as an example.





Create a VPRN

1.Set the transport to MPLS:LDP2.Click OK and OK

Create a VPRN� Click on the Auto-Bind tab and set the Transport to MPLS:LDP. This will enable the use of LDP

signaled LSPs to reach each remote site, rather than SDPs. Click OK and OK.





Layer 3 Access Interfaces

4.Give the Layer 3 Access Interface a Name and Description

1.Select Access Interfaces 2.Select Create L3 Access Interface3.Select a Site

Layer 3 Access Interfaces� In the Components window, select Access Interfaces,

� Right click and select on the Create L3 Access Interface. This will add a Layer 3 customer facing

interface to the virtual router on this site for this VPRN instance.

� Give the interface a Name and Description.






1.Choose Select2.Click OK

3.Click Search4. Select a Port5. Click OK

Port Selection� Add a SAP to the interface via the Port tab

� In the Port tab, Choose Select in the Terminating Port Region. Click OK.

� In the Select Terminating Port window, select Search.






3.Assign an Outer Encapsulation Value4.Enter a SAP Description

1.Select a port2.Click OK

Outer Encapsulation Value Assignment� In the Port tab, assign the port an Outer Encapsulation Value or use the Auto-Assign ID

feature.

� Enter a SAP Description.






Configure the IP Address fora specific site as shown.

IP Address Assignment� Select the Address tab. Click Add. Configure an address on the interface of the specific router.

Note: Unlike IES, it does not matter if customer address spaces overlap on each VPRN service as

the

route distinguisher keeps them unique.

� In the IP Address window, type in the IP Address and Prefix Length, and click OK, OK, OK, OK.

� Repeat all of the previous steps, starting with assigning a Name and Description for the other

site(s)

participating in the service. In this example, the other site is node 146.





Final Steps

1.Click Apply, Yes 2. Select Topology View

Final Steps� In the Components window, select Apply, Yes and then Topology View to view the newly

created VPRN.





Service Topology View

Service ID: Site ID

Service Type

Port ID:Outer Encap: Inner Encap

Service Access Point

Service Tunnels

Service Topology View� Having selected Topology View, the Service Topology window above will appear.

� An alternative is to elect Manage �� Services, search for your VPRN service, select it.

� Click on the Topology View button.

� View the properties of the service.





Blank Page







Questions

?Questions1. What method does a VPRN service use to differentiate overlapping customer address space?

a. Router target

b. Policies

c. Route Distinguisher

d. Filters

2. Select all CE to PE routing methods or protocols supported on the SR:

a. Static Routes

b. RIP

c. OSPF

d. IS-IS

e. BGP

3. Which two types of Route Distinguisher are used in the SR?

a. IP-Address and Autonomous System Number

b. Router Id and Autonomous System Number

c. IP-Address and Cluster-Id

d. Router-Id and Cluster-Id

4. What method is used to exchange routes between PEs?

a. OSPF

b. RIP

c. Static

d. MP-BGP





Answers

Answers1. What method does a VPRN service use to differentiate overlapping customer address space?

a. Router target

b. Policies

c. Route Distinguisher �

d. Filters

2. Select all CE to PE routing methods or protocols supported on the SR:

a. Static Routes �

b. RIP �

c. OSPF �

d. IS-IS

e. BGP �

3. Which two types of Route Distinguisher are used in the SR?

a. IP-Address and Autonomous System Number �

b. Router Id and Autonomous System Number

c. IP-Address and Cluster-Id

d. Router-Id and Cluster-Id

4. What method is used to exchange routes between PEs?

a. OSPF

b. RIP

c. Static

d. MP-BGP �





End of ModuleVPRN Configuration





Blank Page



08-06 sam 5.0 vprn configuration

Documents

pe routing

attached ce

routing instance

ce routing

autonomous

rights reserved

select manage

configure