Azhar Sayeed
• Background
• Technology Basics
What is MPLS? Where Is it Used?
• Label Distribution in MPLS Networks
LDP, RSVP, BGP
• Building MPLS Based Services
VPNs
AToM
Traffic Engineering
• Configurations
Configuring MPLS, LDP, TE
• Summary
[Figure: MPLS network infrastructure and the services built on it: Provider Provisioned VPNs (VPNs over MPLS), Traffic Engineering, Any Transport over MPLS, IP+Optical, IP+ATM, GMPLS]
MPLS Label Header (32 bits, bit positions 0 to 31):
Label = 20 bits
COS/EXP = Class of Service, 3 bits
S = Bottom of Stack, 1 bit
TTL = Time to Live, 8 bits
LAN (frame mode): MAC Header | Label Header | Layer 2/L3 Packet
ATM (cell mode): the label is carried in the VPI/VCI fields of the cell header (GFC | VPI | VCI | PTI | CLP | HEC | DATA)
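As an added example (not from the slides), a small Python decoder and encoder for the 32-bit label stack entry described above; it walks a stack until the bottom-of-stack bit and flags the reserved label values from RFC 3032, which the slide does not list. The sample bytes are constructed from the {41 28} stack used later in the VPN slides.

```python
import struct

# Reserved label values from RFC 3032 (assumed knowledge, not listed on the slide).
RESERVED_LABELS = {0: "IPv4 Explicit NULL", 1: "Router Alert",
                   2: "IPv6 Explicit NULL", 3: "Implicit NULL"}


def decode_label_entry(word):
    """Split one 32-bit label stack entry into label (20), EXP (3), S (1) and TTL (8)."""
    return {
        "label": (word >> 12) & 0xFFFFF,
        "exp": (word >> 9) & 0x7,
        "bos": (word >> 8) & 0x1,
        "ttl": word & 0xFF,
        "reserved": RESERVED_LABELS.get((word >> 12) & 0xFFFFF),
    }


def encode_label_entry(label, exp=0, bos=0, ttl=255):
    """Inverse of decode_label_entry, with range checks on every field."""
    if not (0 <= label <= 0xFFFFF and 0 <= exp <= 7 and bos in (0, 1) and 0 <= ttl <= 255):
        raise ValueError("label stack field out of range")
    return struct.pack("!I", (label << 12) | (exp << 9) | (bos << 8) | ttl)


def parse_label_stack(payload):
    """Read label stack entries from the start of payload until one has S=1.

    Returns (entries, rest) where rest is the data below the stack. A payload
    that runs out before the bottom-of-stack entry is malformed.
    """
    entries, offset = [], 0
    while True:
        if len(payload) < offset + 4:
            raise ValueError("truncated label stack: no bottom-of-stack entry")
        (word,) = struct.unpack_from("!I", payload, offset)
        entry = decode_label_entry(word)
        entries.append(entry)
        offset += 4
        if entry["bos"]:
            return entries, payload[offset:]


# Constructed sample: the two-label stack {41 28} an ingress PE pushes in the VPN
# slides (IGP label 41 on top, VPN label 28 at the bottom), followed by the first
# four bytes of an IPv4 header.
SAMPLE_STACK = (encode_label_entry(41, ttl=255) +
                encode_label_entry(28, bos=1, ttl=255) +
                bytes.fromhex("4500001c"))
```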
[Figure: IP routing example. Each router holds a routing table listing the prefixes 128.89 and 171.69 with outgoing interfaces 0 and 1; a packet 128.89.25.4 Data is forwarded hop by hop based on its IP destination address.]
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 24
MPLS Example: Routing Information
[Figure: Label Distribution Protocol (LDP), downstream allocation. The downstream router advertises "Use label 7 for 171.69" to its upstream neighbour; the routing tables for 128.89 and 171.69 are as in the previous figure.]
MPLS Example: Forwarding Packets
[Figure: the ingress router pushes label 9 on the packet 128.89.25.4 Data, the next LSR swaps it for label 4, and the egress removes the label and forwards the plain IP packet.]
• Downstream unsolicited
The downstream node simply advertises labels for the prefixes/FECs reachable via that device
(previous example)
• Downstream on-demand
The upstream node requests a label for a prefix it has learnt via the downstream node
(next example, ATM MPLS)
[Figure: downstream on-demand label allocation in ATM MPLS, three panels. Panel 1: the ingress LSR asks its downstream neighbour "I need a label for 128.89" (and "I need a label for 171.69"); the request is passed on hop by hop ("I need another label for 128.89") toward the egress. Panel 2: the labels come back upstream: "Use label 4 for 128.89", "Use label 10 for 128.89", "Use label 9 for 128.89", "Use label 5 for 171.69" and "Use label 7 for 171.69". Panel 3: a packet 128.89.25.4 Data is forwarded with label 9, then label 4, and delivered unlabelled at the egress.]
[Figure: cell interleaving in ATM MPLS ("Help!"). Two packets for 128.89 arriving on interfaces 1 and 2 with incoming labels 5 and 8 are both sent out interface 0 with the same label 3, so their cells interleave (2 3 3 3 3 3 3) and the receiver cannot reassemble them.]
[Figure: the same topology ("Much better!"). The two packets are given distinct outgoing labels 3 and 7; the cells still interleave (2 7 3 7 3 7 3) but each packet can now be reassembled.]
• Label Merge
Done by default for packet networks—
unique label advertised per FEC
Requires VC merge for ATM networks
[Figure: label merge in cell mode, repeating the earlier diagram for prefix 128.89 (also showing prefix 129.161/16): the two incoming labels 5 and 8 are mapped onto the single outgoing label 3.]
• Neighbor discovery
Discover directly attached neighbors—pt-to-pt links (including Ethernet)
Establish a session
Exchange prefix/FEC and label information
• Extended neighbor discovery
Establish a peer relationship with another router that is not a directly attached neighbor
Exchange FEC and label information
May be needed to exchange service labels
Step 5: Router(config-if)# mpls label protocol ldp
Configures the use of LDP for a specific interface; sets the default label distribution protocol for the specified interface to be LDP, overriding any default set by the global mpls label protocol command.
Step 6: Router# configure terminal, then Router(config)# mpls label protocol ldp
Configures the use of LDP on all interfaces; sets the default label distribution protocol for all interfaces to be LDP.
Router# show mpls interfaces
Interface      IP         Tunnel  Operational
Ethernet1/1/1  Yes (tdp)  No      No
Ethernet1/1/2  Yes (tdp)  Yes     No
Ethernet1/1/3  Yes (tdp)  Yes     Yes
POS2/0/0       Yes (tdp)  No      No
ATM0/0.1       Yes (tdp)  No      No    (ATM labels)
ATM3/0.1       Yes (ldp)  No      Yes   (ATM labels)
ATM0/0.2       Yes (tdp)  No      Yes

Router# show mpls ldp discovery
 Local LDP Identifier:
    118.1.1.1:0
 Discovery Sources:
    Interfaces:
        POS2/0 (ldp): xmit/recv
            LDP Id: 155.0.0.55:0
        Tunnel1 (ldp): Targeted -> 133.0.0.33
    Targeted Hellos:
        118.1.1.1 -> 133.0.0.33 (ldp): active, xmit/recv
            LDP Id: 133.0.0.33:0
        118.1.1.1 -> 168.7.0.16 (tdp): passive, xmit/recv
            TDP Id: 168.7.0.16:0

Command syntax:
show mpls ip binding [vrf vpn-name] [network {mask | length} [longer-prefixes]]
    [local-label {atm vpi vci | label [- label]}]
    [remote-label {atm vpi vci | label [- label]}]
    [neighbor address] [local] [interface interface] [generic | atm]
show mpls ip binding summary

Router# show mpls ip binding 194.44.44.0 24
  194.44.44.0/24
        in label:     24
        in vc label:  1/37      lsr: 203.0.7.7:2     ATM1/0.8
                      Active egress  (vcd 56)
        out label:    imp-null  lsr: 155.0.0.55:0    inuse
Router#
[Figure: routing and label components of an LSR. The routing process builds the RIB from route updates and adjacencies and installs forwarding entries in the FIB; the MPLS label-bind process builds the LIB from label updates and LDP adjacencies and installs the LFIB.]
MPLS VPNs
• Layer 2 VPNs
Customer end points (CPE) connected via layer 2, such as a Frame Relay DLCI, an ATM VC or a point-to-point connection
If it connects IP routers, the peering or routing relationship is between the end points
Multiple logical connections (one with each end point)
• Layer 3 VPNs
Customer end points peer with provider routers
Single peering relationship
No mesh of connections
Provider network responsible for:
Distributing routing information to VPN sites
Separation of routing tables from one VPN to another
Monique Morrow
[Figure: services in MPLS-based VPNs: VPN A, VPN B and VPN C sites sharing one network with intranet, extranet, hosting, multicast and VoIP services]
Overlay VPN:
• Pushes content outside the network
• Costs scale exponentially
• Transport dependent
• Groups endpoints, not groups
• Complex overlay with QoS, tunnels, IP
MPLS-based VPNs:
• Enables content hosting inside the network
• "Flat" cost curve
• Transport independent
• Easy grouping of users and services
• Enables QoS inside the VPNs
[Figure: customer A and customer B sites attached to an MPLS network; each customer's routes are kept apart inside the provider network]
• Simple idea
Use a label to designate the VPN prefix
Route the VPN packet to the egress PE advertising that prefix
Use the IGP label to carry the VPN packet to the egress node
• How is it done?
Routers need to maintain separate VPN routing tables called VRFs (Virtual Routing and Forwarding tables)
Routers then export and import routes using BGP extensions to identify and separate one VPN's routes from another's
Routers then exchange labels for VPN routes in addition to IGP routes
[Figure: MPLS VPN route distribution. VPN A sites 1 and 2 (CEA1 with 16.1/16, CEA3 with 16.2/16) and VPN B sites 1 and 2 (CEB1 with 16.1/16, CEB2 with 16.2/16) are attached to PE1, PE2 and PE3 across P1, P2 and P3. Step 1: CEA1 advertises Net=16.1/16 to PE1 via RIPv2 (or another IGP/EBGP). Step 2: PE1 turns it into the VPN-IPv4 route Net=RD:16.1/16, NH=PE1, Label=42 with a route target attached. Step 3: BGP distributes the VPN-IPv4 route to PE3. Step 4: PE3 imports it (route target import) into the VPN A VRF and advertises 16.1/16 to CEA3 via OSPF.]
MPLS-VPN Packet Forwarding
[Figure: CE routers exchange IPv4 routes with their PE; between the PEs, VPNv4 routes are advertised via BGP and labels are exchanged via BGP across the P routers; the IPv4 packet is forwarded CE to CE.]
[Figure: MPLS-VPN packet forwarding for VPN A. Step 1: CEA3 (VPN A/Site 2, 16.2/16) sends an IP packet Dest=16.1.1.1 to PE3. Step 2: PE3 matches the VPN-IPv4 route Net=RD:16.1/16, NH=PE1, Label=42 learnt via BGP and pushes two labels: Label N (Dest=PE1, the IGP label) on top of Label 42 (Dest=CEa1, the VPN label). Step 3: the P routers (P1, P2, P3) forward on the top label only. Step 4: PE1 removes Label 42, which identifies VPN A/Site 1, and sends the IP packet Dest=16.1.1.1 to CEA1.]
[Figure: CE-PE-P-PE-CE view with iBGP—VPNv4 label exchange between the PEs and a VRF at each PE. Overlapping addresses are made unique by appending the RD and creating VPNv4 addresses.]
Import/Export Policies
• Full mesh:
All sites import X:Y and export X:Y
[Figure: VPN A with sites 1 to 5 (CEA1 to CEA5, prefixes 16.1/16 to 16.5/16) attached to PE1, PE2 and PE3; each route is advertised as Net=X:Y:16.Z/16. All clients get all 16.Z/16 routes because all sites import and export X:Y.]
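The following Python model is an added example, not code from the slides or from Cisco IOS. It simulates what the VPN slides describe: per-customer VRFs, RD-qualified VPNv4 routes, route-target import/export (both the full-mesh policy above and a hub-and-spoke policy) and the two-label stack the ingress PE pushes. All PE loopbacks, prefixes, RD/RT values and label numbers are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Vpnv4Route:
    """One VPN-IPv4 route as carried in an MP-BGP update."""
    rd: str               # route distinguisher, e.g. "100:1"
    prefix: str           # customer IPv4 prefix, e.g. "10.1.1.0/24"
    next_hop: str         # loopback of the egress PE
    label: int            # VPN label allocated by the egress PE
    rts: frozenset        # route-target extended communities


class Vrf:
    def __init__(self, rd, import_rts, export_rts):
        self.rd = rd
        self.import_rts = frozenset(import_rts)
        self.export_rts = frozenset(export_rts)
        self.local = {}    # prefix -> CE next hop, learnt from the CE routing protocol
        self.labels = {}   # prefix -> VPN label this PE advertised for it
        self.remote = {}   # prefix -> (egress PE loopback, VPN label), imported via MP-BGP


class PE:
    def __init__(self, loopback):
        self.loopback = loopback
        self.vrfs = {}
        self._next_label = 16          # labels 0-15 are reserved, so allocate from 16

    def add_vrf(self, name, rd, import_rts, export_rts):
        self.vrfs[name] = Vrf(rd, import_rts, export_rts)

    def learn_from_ce(self, vrf_name, prefix, ce_next_hop):
        """Route received from the customer: install it and allocate a VPN label."""
        vrf = self.vrfs[vrf_name]
        vrf.local[prefix] = ce_next_hop
        vrf.labels[prefix] = self._next_label
        self._next_label += 1

    def export_vpnv4(self):
        """VPNv4 updates this PE sends to its iBGP peers (or route reflector)."""
        return [Vpnv4Route(vrf.rd, prefix, self.loopback, label, vrf.export_rts)
                for vrf in self.vrfs.values() for prefix, label in vrf.labels.items()]

    def import_vpnv4(self, updates):
        """Import policy: the route target, not the RD, decides which VRF takes a route."""
        for vrf in self.vrfs.values():
            for upd in updates:
                if upd.next_hop != self.loopback and upd.rts & vrf.import_rts:
                    vrf.remote[upd.prefix] = (upd.next_hop, upd.label)

    def forward(self, vrf_name, dst_ip, igp_labels):
        """Longest-prefix lookup in the VRF. Returns (next hop, label stack) or None."""
        vrf = self.vrfs[vrf_name]
        addr = ipaddress.ip_address(dst_ip)
        matches = [p for p in list(vrf.local) + list(vrf.remote)
                   if addr in ipaddress.ip_network(p)]
        if not matches:
            return None
        best = max(matches, key=lambda p: ipaddress.ip_network(p).prefixlen)
        if best in vrf.local:
            return vrf.local[best], []                 # plain IP packet to the CE
        egress_pe, vpn_label = vrf.remote[best]
        return egress_pe, [igp_labels[egress_pe], vpn_label]   # stack {IGP, VPN}


def build_demo():
    """Constructed scenario: two customers that both use 10.1.1.0/24, plus a hub-and-spoke VPN."""
    pe1, pe2, pe3 = PE("1.1.1.1"), PE("1.1.1.2"), PE("1.1.1.3")
    # Full mesh: every site of a customer imports and exports the same RT.
    for pe in (pe1, pe2):
        pe.add_vrf("custA", "100:1", ["100:1"], ["100:1"])
        pe.add_vrf("custB", "100:2", ["100:2"], ["100:2"])
        pe.add_vrf("spoke", "100:3", ["100:3"], ["100:30"])   # spokes import only the hub RT
    pe3.add_vrf("hub", "100:3", ["100:30"], ["100:3"])        # the hub imports the spoke RT
    pe1.learn_from_ce("custA", "10.1.1.0/24", "10.0.0.1")
    pe1.learn_from_ce("custB", "10.1.1.0/24", "10.0.0.3")      # same prefix, other customer
    pe1.learn_from_ce("spoke", "10.1.4.0/24", "10.0.0.5")
    pe2.learn_from_ce("custA", "10.1.2.0/24", "10.0.0.2")
    pe2.learn_from_ce("custB", "10.1.3.0/24", "10.0.0.4")
    pe2.learn_from_ce("spoke", "10.1.5.0/24", "10.0.0.6")
    pe3.learn_from_ce("hub", "0.0.0.0/0", "10.0.0.7")          # the hub advertises a default route
    updates = pe1.export_vpnv4() + pe2.export_vpnv4() + pe3.export_vpnv4()
    for pe in (pe1, pe2, pe3):
        pe.import_vpnv4(updates)
    return pe1, pe2, pe3


# Constructed IGP (LDP) labels toward each remote PE loopback, as seen from PE2.
IGP_LABELS_AT_PE2 = {"1.1.1.1": 41, "1.1.1.3": 43}
```

Spoke-to-spoke traffic follows the hub's default route and is relayed by the hub PE, which is the behaviour the hub-and-spoke policy is meant to produce.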
Hub and Spoke
[Figure: VPN A sites 1 to 4 (CEA1 to CEA4, prefixes 16.1/16 to 16.4/16) attached to PE1 to PE3. Spokes export their prefixes as Net=X:S:16.X/16 and a default route 0/0 is exported toward them (step 2 in the figure). Labels visible in the figure: Label 42, PE1: 1.1.1.1/32, PE2: 1.1.1.2/32, 1.1.1.0/24 L:42, VRF Label, Dest=PE1, Dest=CEa1, P1, PE3.]
Global Config on PE:
ip cef {distributed}
mpls ip (on by default)

Define the VRF on PE1:
ip vrf foo
 rd 100:1
 route-target import 247:1
 route-target export 247:1

Attach the CE-facing interface to the VRF:
interface Serial0
 ip vrf forwarding foo
 ip address 10.1.1.1 255.255.255.0

[Figure: CE1 (10.1.1.2) connected to PE1 (10.1.1.1) over Serial0]
Run an IGP within a VRF—RIP
router rip
 address-family ipv4 vrf foo
  version 2
  no auto-summary
  network 10.0.0.0
 exit-address-family
[Figure: CE1 (10.1.1.2) connected to PE1 (10.1.1.1)]
Run an IGP within a VRF—EIGRP
router eigrp 1
 address-family ipv4 vrf test
  network 10.1.1.0 0.0.0.255
  autonomous-system 1
 exit-address-family
[Figure: CE1 (10.1.1.2) connected to PE1 (10.1.1.1)]
Run an IGP within a VRF—OSPF
[Figure: CE1 (10.1.1.2) connected to PE1 (10.1.1.1)]
Run BGP within a VRF
[Figure: CE1 (10.1.1.2, AS1000) connected to PE1 (10.1.1.1, AS3402)]
Enable VPNv4 BGP in the Backbone
[Figure: PE with loopback 1.2.3.4]
Get Routes from Customer Routing to VPNv4
[Figure: PE with loopback 1.2.3.4]
Get Routes from VPNv4 to Customer Routing
• If CE routing is not BGP, you need to redistribute from VPNv4 to the CE routing protocol
• Redistributing BGP into IGP makes some people nervous; don't worry about it, it's hard to screw up
Please note that "hard" != "impossible"…:)
router rip
 address-family ipv4 vrf foo
  version 2
  redistribute bgp 3402 metric 1
  no auto-summary
  network 10.0.0.0
 exit-address-family
Client:
router bgp 3402
 neighbor 1.2.3.4 remote-as 3402
 neighbor 1.2.3.4 update-source loopback0

Reflector:
router bgp 3402
 [no bgp default route-target filter]   ! route-target filtering is on by default; not needed if configured with RR-clients
 neighbor 1.2.3.6 remote-as 3402
 neighbor 1.2.3.6 update-source loopback0
 address-family vpnv4
  neighbor 1.2.3.6 route-reflector-client
Route Reflectors—Peer Groups
Advanced Services: Carrier Supporting Carrier
Carrier's Carrier: The Problem
Carrier's Carrier: The Problem (Internet)
[Figure: carrier's carrier problem, Internet traffic. ISP A site 1 (CEA1) and site 2 (CEA3) are connected through an MPLS-VPN provider (PE1, P1, PE2, PE3). Step 1: CEA3 sends an IP packet Dest=Internet; with plain iBGP IPv4 inside the VRF, the MPLS-VPN provider would have to carry ISP A's Internet routes.]
Carrier's Carrier: The Problem (VPN)
[Figure: the same topology where ISP A is itself an MPLS-VPN provider with VRF A (1.2.3.0/24): the customer packet carries Label (iBGP VPNv4) Dest=VRF A over IP Dest=1.2.3.4, which the backbone provider has no VPN label for.]
Carrier's Carrier: The Solution (Internet)
[Figure: Step 1: CEA3 sends the Internet-bound IP packet (IP Dest=Internet) with a label (LDP/BGP+Label) for Dest=CEa1 to PE3. Step 2: PE3 pushes the VPNv4 label for Dest=CEa1 and the LDP/TE label for Dest=PE1. Step 3: P1 swaps the LDP/TE label. Step 4: PE1 pops the VPNv4 label and hands the packet (Label LDP/BGP Dest=CEa1, IP Dest=Internet) to CEA1, which forwards it toward the Internet. Only ISP A's internal routes are carried in the VPN.]
Carrier's Carrier: The Solution (VPN)
[Figure: the same four steps with a deeper stack. The ISP A packet carries Label (VPNv4) Dest=VPN1 over IP Dest=VPN1-Cust; PE3 adds Label (VPNv4) Dest=CEa1 and Label (LDP/TE) Dest=PE1; between CEA1 and PE1 the stack is Label (LDP/BGP) Dest=CEa1, Label (VPNv4) Dest=VPN1, IP Dest=VPN1-Cust.]
2547 Intra-AS Connectivity Model
[Figure: distribution of local routing information. VPN-A sites in San Jose and New York are attached to PE routers across a 2547bis backbone (BGP, P-4).]
VRF Population of MP-BGP
ip vrf VPN-A
 rd 123:27
 route-target export 123:231

CE-1 advertises to PE-1: 149.27.2.0/24, NH=CE-1
PE-1 sends the VPN-v4 update: RD:123:27:149.27.2.0/24, NH=PE-1, SOO=SanJose, RT=123:231, Label=(28)
MP-BGP Update Processing
Ingress PE Label Imposition
VPN-A FIB: 149.27.2.0/24, VPN label 28, reachable via P-1 with IGP label 41; a packet to 149.27.2.27 leaves with label stack {41 28}
Egress PE Label Disposition
VPN Connectivity between AS#s
Inter-Provider Vs. Inter-AS
Inter-Provider Connectivity
[Figure: two service providers, A and B, each with route reflectors and POPs (SF, LA, NY, WASH), connected through pairs of ASBRs]
Inter-Provider Vs Inter-AS
Inter-AS Connectivity
[Figure: one provider split across two ASes with POPs in NY, WASH and LON, connected through ASBRs]
VPN Route Distribution
[Figure: Service Provider A, AS# 124]
VPN Route Distribution Options
[Figure: AS# 123 and AS# 456 connected via ASBRs. Option A: back-to-back VRFs. Option B: external MP-BGP between the ASBRs.]
Option A – Back-to-back VRFs
Back-to-back VRF Connectivity Model
[Figure: a PE-ASBR in each AS connected back to back, with one logical interface and VRF per VPN client; VPN-A (149.27.2.0/24) and VPN-B (152.12.4.0/24) sites at both ends]
Back-to-back Prefix Distribution
[Figure: Service Provider A (AS# 123: PE-1, PE-ASBR1) and Service Provider B (AS# 456: PE-ASBR2, PE-2), with VPN-B sites CE-2 and CE-3 (152.12.4.0/24). Step 1: CE-2 advertises 152.12.4.0/24, NH=CE-2 to PE-1 (BGP, OSPF or RIPv2). Step 2: PE-1 sends the VPN-v4 update RD:123:27:152.12.4.0/24, NH=PE-1, RT=123:222, Label=(29); the VPN-B VRF on PE-ASBR1 imports routes with route-target 123:222. Step 3: PE-ASBR1 advertises the plain IPv4 route 152.12.4.0/24, NH=PE-ASBR1 across the back-to-back VRF interface to PE-ASBR2 (BGP, OSPF or RIPv2). Step 4: PE-ASBR2 sends the VPN-v4 update RD:123:27:152.12.4.0/24, NH=PE-ASBR-2, RT=456:222, Label=(92); the VPN-B VRF on PE-2 imports routes with route-target 456:222. Step 5: PE-2 advertises 152.12.4.0/24, NH=PE-2 to CE-3.]
Back-to-back Packet Flow
[Figure: PE-ASBR1 connected back to back with PE-ASBR2]
Back-to-back VRFs Summary
Option B – External MP-BGP
Label allocation at receiving PE-ASBR
External MP-BGP Connectivity Model
[Figure: ASBR-1 (AS# 123, Service Provider A) and ASBR-2 (AS# 456, Service Provider B) run external MP-BGP for VPNv4; the label exchange between the gateway ASBR routers uses MP-eBGP. PE-1 serves CE-1 and CE-2 (VPN-A, VPN-B), PE-2 serves CE-3 and CE-4 (VPN-B, VPN-A); prefixes 149.27.2.0/24 and 152.12.4.0/24.]
External MP-BGP Prefix Distribution
[Figure: Step 1: CE-2 (Green VPN, 152.12.4.0/24) advertises 152.12.4.0/24, NH=CE-2 to PE-1 in AS# 123. Step 2: PE-1 sends the VPN-v4 update RD:123:27:152.12.4.0/24, NH=PE-1, RT=123:222, Label=(29) to ASBR-1. Step 3: ASBR-1 re-advertises it over external MP-BGP to ASBR-2 as RD:123:27:152.12.4.0/24, NH=ASBR-1, RT=123:222, Label=(42), allocating a new label. Step 4: ASBR-2 sends RD:123:27:152.12.4.0/24, NH=ASBR-2, RT=123:222, Label=(92) to PE-2 in AS# 456. Step 5: PE-2 advertises 152.12.4.0/24, NH=PE-2 to CE-3.]
External MP-BGP Packet Flow
[Figure: between ASBR-1 and ASBR-2 the packet to 152.12.4.1 carries label 42]
VPN Client Connectivity
[Figure: VPN-A-1 (CE-1, 149.27.2.0/24) behind PE-1 in AS #1 and VPN-A-2 (CE2) behind PE2 in AS #2, connected through Edge Router1 and Edge Router2. CE-1 advertises 149.27.2.0/24, NH=CE-1 via BGP, OSPF or RIPv2; PE-1 sends the VPN-v4 update RD:1:27:149.27.2.0/24, NH=PE-1, RT=1:231, Label=(28); the VPN-A VRF imports routes with route-target 1:231. Question posed: how to distribute routes between SPs?]
External MP-BGP Summary (Cont.)
VPNv4 Distribution Options
[Figure: PE-1 (AS #1, CE-1, VPN-A-1) and PE-2 (AS #2, CE-2, VPN-A-2); VPNv4 routes can be exchanged either with MP-eBGP for VPNv4 between PE-ASBR-1 and PE-ASBR-2, or with multihop MP-eBGP between the route reflectors]
ASBR Router Protection/Filtering
Option C – Multihop MP-eBGP between RRs
RFC3107 – Carrying labels with BGP-4
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Address Family Identifier (1) |   SAFI (4)    | Next-hop Lth  |  MP_REACH_NLRI Attribute
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+  (Specified in RFC 2858)
|          Network Address of next-hop (variable)               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  # of SNPAs   |  Network Layer Reachability Info (variable)   |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|    Length     |              MPLS Label                       |  Prefix plus MPLS label
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+  (Specified in RFC 3107)
|                     Prefix (variable)                         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
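An added Python encoder and parser for the "prefix plus MPLS label" NLRI drawn above (example code, not from the slides); it also covers the multi-label and withdraw (label field 0x800000) cases that RFC 3107 defines. The sample reuses the slides' 152.12.4.0/24 with label 29 and assumes 1.1.1.1/32 as PE-1's loopback with label 47.

```python
import ipaddress


def encode_labeled_nlri(prefix, labels):
    """Encode one SAFI-4 NLRI: length octet, 3-byte label entries, prefix bytes.

    The length counts bits: 24 per label entry plus the prefix length.
    Each label entry holds the 20-bit label, 3 EXP bits (zero) and the
    bottom-of-stack bit, which is set only on the last label.
    """
    net = ipaddress.ip_network(prefix, strict=True)
    if not labels:
        raise ValueError("at least one label is required")
    out = bytearray([24 * len(labels) + net.prefixlen])
    for i, label in enumerate(labels):
        if not 0 <= label <= 0xFFFFF:
            raise ValueError("label out of range")
        bos = 1 if i == len(labels) - 1 else 0
        out += ((label << 4) | bos).to_bytes(3, "big")
    out += net.network_address.packed[:(net.prefixlen + 7) // 8]
    return bytes(out)


WITHDRAW_LABEL = 0x800000   # label field used in MP_UNREACH_NLRI withdraws (RFC 3107, section 3)


def parse_labeled_nlri(data):
    """Parse a run of SAFI-4 NLRIs into (label stack, prefix) pairs.

    A withdraw carries the single value 0x800000 instead of a label and is
    reported as [None]. Truncated or inconsistent encodings raise ValueError.
    """
    routes = []
    pos = 0
    while pos < len(data):
        bit_len = data[pos]
        pos += 1
        body = data[pos:pos + (bit_len + 7) // 8]
        if len(body) != (bit_len + 7) // 8:
            raise ValueError("truncated NLRI")
        pos += len(body)
        labels, i = [], 0
        while True:
            if i + 3 > len(body):
                raise ValueError("label stack has no bottom-of-stack entry")
            entry = int.from_bytes(body[i:i + 3], "big")
            i += 3
            if entry == WITHDRAW_LABEL:
                labels.append(None)
                break
            labels.append(entry >> 4)
            if entry & 1:              # bottom of stack: the prefix follows
                break
        prefix_len = bit_len - 8 * i
        if not 0 <= prefix_len <= 32:
            raise ValueError("inconsistent length octet")
        addr = ipaddress.IPv4Address(body[i:].ljust(4, b"\x00"))
        routes.append((labels, str(ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False))))
    return routes


# Constructed sample: the two labelled routes from the slides' Option C example,
# PE-1's loopback (assumed 1.1.1.1/32) with label 47 and 152.12.4.0/24 with label 29.
SAMPLE_NLRI = encode_labeled_nlri("1.1.1.1/32", [47]) + encode_labeled_nlri("152.12.4.0/24", [29])
```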
Multihop MP-eBGP Connectivity Model
[Figure: RR-1 and ASBR-1 in one AS, RR-2 and ASBR-2 in the other; VPN-A (149.27.2.0/24) and VPN-B (152.12.4.0/24) sites at both ends]
Multihop MP-eBGP Prefix Distribution
[Figure: Service Provider A (AS# 123: PE-1, RR-1, ASBR-1) and Service Provider B (AS# 456: ASBR-2, RR-2, PE-2), with Green VPN sites CE-2 and CE-3 (152.12.4.0/24). VPNv4 path: CE-2 advertises 152.12.4.0/24, NH=CE-2 to PE-1; PE-1 sends the VPN-v4 update RD:123:27:152.12.4.0/24, NH=PE-1, RT=123:222, Label=(29) to RR-1; RR-1 passes it unchanged (NH=PE-1, Label=(29)) to RR-2 over multihop MP-eBGP, and RR-2 reflects it unchanged to PE-2. Next-hop reachability: ASBR-1 advertises Network=PE-1, NH=ASBR-1, Label=(47) to ASBR-2 (IPv4 plus label), and ASBR-2 advertises Network=PE-1, NH=ASBR-2, Label=(68) into AS# 456.]
Multihop MP-eBGP Packet Flow
[Figure: a packet from CE-3 to 152.12.4.1 enters PE-2, which pushes VPN label 29, the label 68 learnt for PE-1 and the LDP label toward ASBR-2 inside AS# 456; ASBR-2 swaps 68 for 47 toward ASBR-1 (47 29 152.12.4.1); inside AS# 123 the figure shows 29 152.12.4.1; PE-1 pops label 29 and delivers the IP packet 152.12.4.1 to CE-2.]
Multihop MP-eBGP Summary
ASBR/RR Router Protection/Filtering
Distribution of VPNv4 Prefix Information
[Figure: PE routers with MP-BGP peering]
Route-reflector Topology
[Figure: PE routers in the SF and LA POPs (West) and the NY and WASH POPs (East), each POP with its own route reflectors; the RRs peer across West and East]
Route-reflectors with Reflector-groups
[Figure: the same POPs with RR cluster-ids 1 (SF), 2 (LA), 3 (NY) and 4 (WASH); the route reflectors form a full mesh between them]
Key Features
• Quality of Service:
Flexible and scalable support for CoS-based networks
• Scalability:
Total capacity of the system isn't bounded by the capacity of an individual component
Scales to a virtually unlimited number of VPNs per VPN Service Provider and to thousands of sites per VPN
BGP/MPLS VPN—Summary
Deployment/Architecture Challenges
MPLS Traffic Engineering
Azhar Sayeed
What Is MPLS Traffic Engineering?
Why Traffic Engineering?
• Capacity planning
TE improves aggregate availability of the network
Background – Why Have MPLS-TE?
• IP networks route based only on destination (route)
• ATM/FR networks switch based on both source and destination (PVC, etc.)
• Some very large IP networks were built on ATM or FR to take advantage of src/dst routing
• Overlay networks inherently hinder scaling (see "The Fish Problem")
• MPLS-TE lets you do src/dst routing while removing the major scaling limitation of overlay networks
• MPLS-TE has since evolved to do things other than bandwidth optimization
IP Routing and The Fish
[Figure: the "fish" topology of routers R1 to R8, with two paths of unequal length between the head and the tail of the fish]
The Problem with Shortest-Path
• Some links are DS3, some are OC-3
• Router A has 40Mb of traffic for Router F, 40Mb of traffic for Router G
• Massive (44%) packet loss at Router B->Router E!
• Changing to A->C->D->E won't help

Router A's routing table:
Node  Next-Hop  Cost
B     B         10
C     C         10
D     C         20
E     B         20
F     B         30
G     B         30

[Figure: Router A connects to Router B and Router C over OC-3 links; Router E connects to Router F and Router G; the Router B to Router E link is a DS3. 80Mb of traffic follows the shortest path A->B->E and 35Mb drops on the DS3.]
How MPLS TE Solves the Problem
[Figure: the same topology; 40Mb of traffic is sent A->B->E and 40Mb A->C->D->E, so no DS3 link carries more than 40Mb]
A terminology slide – head, tail, LSP, etc
[Figure: a TE tunnel from R1 (head end) through R2 to R3 (tail end) toward Network X; R1 is upstream of R3, R3 is downstream of R1]
TE Fundamentals—"Building Blocks"
Path Calculation—Uses IGP Advertisements to Compute "Constrained" Paths
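As an added example (not from the slides), a Python constrained SPF over the shortest-path example above: links with less reservable bandwidth than the tunnel asks for are pruned before Dijkstra runs on the IGP cost, and each tunnel that is set up reserves bandwidth the way RSVP admission control would. The link speeds (155 Mb/s for OC-3, 45 Mb/s for DS3) and the assumption that both B-E and D-E are the DS3 links are mine.

```python
import heapq
from collections import defaultdict


class TeDatabase:
    """Per-link state that the IGP floods with TE extensions: cost and reservable bandwidth."""

    def __init__(self, links):
        self.cost = {}
        self.reservable = {}
        for a, b, cost, bw in links:              # store each physical link in both directions
            for u, v in ((a, b), (b, a)):
                self.cost[(u, v)] = cost
                self.reservable[(u, v)] = bw

    def cspf(self, src, dst, bw):
        """Constrained SPF: prune links with less than bw reservable, then run Dijkstra on cost."""
        adj = defaultdict(list)
        for (u, v), cost in self.cost.items():
            if self.reservable[(u, v)] >= bw:
                adj[u].append((v, cost))
        dist, prev, heap = {src: 0}, {}, [(0, src)]
        while heap:
            d, node = heapq.heappop(heap)
            if d > dist[node]:
                continue                            # stale heap entry
            if node == dst:
                break
            for nxt, cost in adj[node]:
                if d + cost < dist.get(nxt, float("inf")):
                    dist[nxt] = d + cost
                    prev[nxt] = node
                    heapq.heappush(heap, (d + cost, nxt))
        if dst not in dist:
            return None
        path = [dst]
        while path[-1] != src:
            path.append(prev[path[-1]])
        return path[::-1]

    def signal(self, path, bw):
        """Admission control hop by hop, as the RSVP PATH/RESV exchange does; reserves on success."""
        hops = list(zip(path, path[1:]))
        if any(self.reservable[h] < bw for h in hops):
            return False
        for h in hops:
            self.reservable[h] -= bw
        return True

    def setup_tunnel(self, src, dst, bw):
        """Head-end behaviour: compute a constrained path, then signal it."""
        path = self.cspf(src, dst, bw)
        if path is None or not self.signal(path, bw):
            return None
        return path


# Constructed topology after the slides' example: (node, node, IGP cost, bandwidth in Mb/s).
# OC-3 taken as 155 Mb/s and DS3 as 45 Mb/s; B-E and D-E assumed to be the DS3 links.
LINKS = [
    ("A", "B", 10, 155), ("B", "E", 10, 45),
    ("A", "C", 10, 155), ("C", "D", 10, 155), ("D", "E", 10, 45),
    ("E", "F", 10, 155), ("E", "G", 10, 155),
]


def fish_demo():
    """Plain SPF always picks A-B-E; with TE the second 40 Mb tunnel is steered via C and D."""
    ted = TeDatabase(LINKS)
    spf_only = ted.cspf("A", "E", 0)            # no bandwidth constraint: the IGP shortest path
    first = ted.setup_tunnel("A", "E", 40)       # fits on B-E (45 Mb/s reservable)
    second = ted.setup_tunnel("A", "E", 40)      # B-E has 5 Mb/s left, so it is pruned
    third = ted.setup_tunnel("A", "E", 40)       # no link into E can take another 40 Mb/s
    return spf_only, first, second, third
```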
Example
[Figure: PATH messages travel downstream along the requested path and RESV messages return upstream hop by hop]
Traffic Engineering
Theory
• Information Distribution
• Path Calculation
• Path Setup
• Routing Traffic Down A Tunnel
Information Distribution
Path Calculation
Path Setup
• PATH message: "Can I have 40Mb along this path?"
• RESV message: "Yes, and here's the label to use"
• LFIB is set up along each hop
[Figure: Router A, Router B, Router E, Router F and Router G; PATH messages flow from Router A toward the tail and RESV messages carry the labels back upstream (L=null, L=300, L=100 in the figure)]
Routing Traffic Down A Tunnel
Autoroute
[Figure sequence: Routers A, B, E, F, G and H with a TE tunnel Tunnel1 from Router A to Router E. With autoroute announce, Router A's IGP uses Tunnel1 as the next hop for Router E and for the destinations behind it (F, G, H).]
Forwarding Adjacency
[Figure: ATM model: edge routers A, B, C and D around a core of nodes E, F, G, H and I]
[Figure: before FA: the same routers; a TE tunnel is not visible to the IGP of the other routers]
[Figure: F-A advertises TE tunnels in the IGP, so routers B, C and D can see the tunnel as a link and route over it]
Unequal Cost Load Balancing
Unequal Cost: Example 1
[Figure: Router A, Router E, Router F and Router G; two tunnels from Router A to Router E, one via Router F and one via Router G, one of them marked 20MB]
Practice
Global config:
ip cef {distributed}
mpls traffic-eng tunnels
Information Distribution
OSPF (in the IGP process):
mpls traffic-eng tunnels
mpls traffic-eng router-id loopback0
mpls traffic-eng area <x>
ISIS (in the IGP process):
mpls traffic-eng tunnels
mpls traffic-eng router-id loopback0
mpls traffic-eng level-<x>
metric-style wide
Path Calculation
EITHER
int Tunnel0
 tunnel mpls traffic-eng path-option <num> dynamic
OR
int Tunnel0
 tunnel mpls traffic-eng path-option <num> explicit name foo
Global config:
ip explicit-path name foo
 next-address 1.2.3.4 {loose}
 next-address 1.2.3.8 {loose}
 (etc)
Path Setup
Routing Traffic Down A Tunnel
Autoroute:
tunnel mpls traffic-eng autoroute announce
Forwarding adjacency:
tunnel mpls traffic-eng forwarding-adjacency
then
isis metric <x> level-<y>
or
ip ospf cost <x>
on the tunnel interface
Static routes
Policy routing
Summary Config
Global:
ip cef {distributed}
mpls traffic-eng tunnels

Tunnel interface:
interface Tunnel0
 tunnel mode mpls traffic-eng
 ip unnumbered Loopback0
 tunnel destination <RID of tail>
 tunnel mpls traffic-eng autoroute announce
 tunnel mpls traffic-eng path-option 10 dynamic

(in IGP)
mpls traffic-eng tunnels
mpls traffic-eng router-id Loopback0
OSPF: mpls traffic-eng area <x>
ISIS: mpls traffic-eng level-<x>
      metric-style wide

(physical interface)
interface POS0/0
 mpls traffic-eng tunnels
 ip rsvp bandwidth <kbps>
Tips
Terminology
[Figure: a protected (reroutable) LSP R1-R2-R6-R7-R8 with the PLR (point of local repair), the merge point where the backup rejoins the protected LSP, and a NHOP backup LSP via R9]
Applications of MPLS TE – MPLS Fast Re-Route
[Figure: routers R1 to R9, the topology referred to in the bullets below]
Mimic SONET APS
Re-route in 50ms or Less
• Multiple hops can be by-passed; R2 swaps the label which R4 expects before pushing the label for R6
• R2 locally patches traffic onto the link with R6
Fast ReRoute
MPLS Fast Reroute local repair
• Node protection: the backup tunnel tail-end (MP) is two hops away from the PLR.
[Figure: protected LSP R1-R2-R6-R7-R8 with routers R3, R4 and R5 above it and R9 below; the node-protecting backup tunnel bypasses the next-hop node so that its tail-end (MP) is two hops from the PLR]
IP failure recovery
For IP to recover from a failure, several things need to happen:
Thing                    Time
Link Failure Detection   usec-msec
TOTAL:                   ~500ms-10sec
FRR failure recovery
Thing                    Time
Link Failure Detection   usec-msec
Failure Propagation+SPF  0
Caveats
FRR Procedures
Link Protection
[Figure: Router X and Router Y with a backup path via Router C around the protected link]
*Actual time varies—well below 50ms in lab tests, can also be higher
Node Protection
[Figure: Router X and Router Y with a backup path via Router C around the protected node]
Path Protection
[Figure: Router X and Router Y with an end-to-end backup path via Router C]
FRR Configuration
1) build the backup tunnel:
interface Tunnel0
 .. dest R4
 .. explicit-path R2-R3-R4
 .. NO autoroute!!!
2) protect an interface:
interface POS0/0
 mpls traffic-eng backup-path Tunnel0
3) headend requests protection:
interface Tunnel0
 .. dest R4
 .. etc ...
 tunnel mpls traffic-eng fast-reroute
[Figure: R1 R2 R3 R4 R5; the backup tunnel R2-R3-R4 bypasses the protected R2-R4 link]
FRR Tips
Designing with primary tunnels
Strategic TE (full mesh)
Strategic
• Physical topology is:
[Figure: Router A, Router B, Router C, Router D and Router E with their physical links]
• Logical topology is*:
[Figure: the same five routers with a full mesh of TE tunnels between them]
*Each link is actually 2 unidirectional tunnels
• Total of 20 tunnels in this network
Tactical
Case Study: A Large US ISP
[Figure: Router A, Router B, Router C, Router D and Router E]
• All links are OC12
• A has consistent ±700MB to send to C
• ~100MB constantly dropped!
[Figure: the same topology with two tunnels from Router A to Router C, a short path and a long path]
• Tunnels with bandwidth in 3:1 (12:4) ratio = 525:175Mb
• 25% of traffic sent the long way
• 75% sent the short way
• No out-of-order packet issues—CEF's normal per-flow hashing is used!
Strategic vs. Tactical
• Connectivity protection
Router calculates the path for its backup tunnel
Assume that any found path can carry any link’s traffic
during failure
Don’t signal bandwidth for the backup tunnel!
Use DiffServ to solve any contention due to congestion
while FRR is in use
• Bandwidth protection
Offline tool calculates paths for protection LSPs
Assurance that bandwidth is available during failure
More complex to maintain, may require additional network
bandwidth
Allows you to always meet SLAs during failure
Reasonable combinations
1hop FRR
Bandwidth override on path option
LSP Attribute Lists
AutoTunnel
Benefits of TE over Policy Routing
• Policy Routing
Hop-by-hop decision making
No accounting of bandwidth
• Traffic Engineering
Head end based
Accounts for available link bandwidth
Admission control
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 225
TE Deployment Scenarios
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 226
Tactical TE Deployment
Requirement: Need to handle scattered congestion points in the Network
Solution: Deploy MPLS TE on only those nodes that face congestion
Internet
Service Provider
Backbone
Oversubscribed
Shortest Links
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 227
Full Mesh TE Deployment
Requirement: Need to increase “bandwidth inventory” across the network
Solution: Deploy MPLS TE with a full logical mesh over a partial physical mesh and use Offline Capacity Planning Tool
Service Provider
Backbone
Service Provider
Backbone
VPN Site A
Service Provider
Backbone
Central Site
Primary Tunnel
VPN Site B Backup Tunnel
Tight QoS—Policing, Queuing Etc.
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 230
MPLS TE Summary
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 231
Management Considerations and MPLS OAM
Monique Morrow
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 232
What is MPLS Operations And Management?
Fault-management
Configuration
Accounting
Performance
Security
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 233
Customer Requirements
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 234
Summary Customer Requirements
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 235
Fault Detection and Isolation
Control Plane Verification
• Consistency check
• Authentication
Data Plane Verification
• Ability to verify connectivity and trace
Paths from PE to PE – Global routing table as well as VPNs
Paths from CE to CE within a VPN
TE tunnels
Pseudo-wires
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 236
VC/LSP Connection Verification and Trace
Requirements
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 237
VC/LSP Connection Verification and Trace
Requirements (cont)
• Automatic lightweight IP-like ping to test end-to-end path connectivity (e.g. CE-CE).
• Operator configurable parameters/actions:
–Frequency of VCCV.
–MPLS Fast-Reroute
–Automated VCCV
• Verification of VPN integrity by providing a mechanism to detect LSP mis-merging.
• Documented in:
www.ietf.org/internet-drafts/draft-ietf-pwe3-vccv-01.txt
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 238
LSP Ping
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 239
MPLS Ping: Operation
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 240
MPLS Ping Message Format
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|         Version Number        |         Must Be Zero          |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Message Type |   Reply mode  |  Return Code  | Return Subcode|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                        Sender's Handle                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                        Sequence Number                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    TimeStamp Sent (seconds)                   |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                 TimeStamp Sent (microseconds)                 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                  TimeStamp Received (seconds)                 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|               TimeStamp Received (microseconds)               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
:                            TLVs ...                           :
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Message Type: 1 Echo Request, 2 Echo Reply
Reply Mode: No reply; IPv4 UDP packet; IPv4 UDP packet with Router alert; Control Plane
TLVs include the FEC to be checked
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 241
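To make the message format concrete, here is an added example (not Cisco's LSP ping implementation) that builds an echo request with the fixed header laid out as on the slide, wraps the FEC to be checked in a Target FEC Stack TLV, and validates an echo reply the way a receiver should: same Sender's Handle and Sequence Number as the outstanding request, otherwise the reply is stale or unsolicited and is ignored. The reply-mode numbering, the TLV encodings and the return code value 3 ("egress for the FEC") follow RFC 4379 and are not on the slide; the prefix 192.168.10.0/24 is taken from the packet-flow figure.

```python
import socket
import struct

# 32-byte fixed header laid out as on the slide; added example, not Cisco code.
HDR = struct.Struct("!HHBBBBIIIIII")
VERSION = 1

MSG_ECHO_REQUEST, MSG_ECHO_REPLY = 1, 2
# Reply modes in the order the slide lists them (numbering as in RFC 4379)
REPLY_NONE, REPLY_IPV4_UDP, REPLY_IPV4_UDP_ROUTER_ALERT, REPLY_CONTROL_PLANE = 1, 2, 3, 4
RETURN_EGRESS_FOR_FEC = 3          # RFC 4379 return code; not listed on the slide
TLV_TARGET_FEC_STACK = 1           # RFC 4379 TLV carrying the "FEC to be checked"
SUBTLV_LDP_IPV4_PREFIX = 1


def _tlv(tlv_type, value):
    """Type/Length/Value; Length counts the value only, value padded to 4 bytes."""
    return struct.pack("!HH", tlv_type, len(value)) + value + b"\x00" * ((-len(value)) % 4)


def fec_tlv(prefix, prefix_len):
    sub = _tlv(SUBTLV_LDP_IPV4_PREFIX, socket.inet_aton(prefix) + bytes([prefix_len]))
    return _tlv(TLV_TARGET_FEC_STACK, sub)


def build_echo_request(handle, seq, prefix, prefix_len, reply_mode, ts_sent):
    hdr = HDR.pack(VERSION, 0, MSG_ECHO_REQUEST, reply_mode, 0, 0,
                   handle, seq, ts_sent[0], ts_sent[1], 0, 0)
    return hdr + fec_tlv(prefix, prefix_len)


def parse_header(pkt):
    if len(pkt) < HDR.size:
        raise ValueError("truncated MPLS echo packet")
    names = ("version", "mbz", "msg_type", "reply_mode", "return_code", "return_subcode",
             "handle", "seq", "ts_sent_s", "ts_sent_us", "ts_recv_s", "ts_recv_us")
    hdr = dict(zip(names, HDR.unpack_from(pkt)))
    if hdr["version"] != VERSION or hdr["mbz"] != 0:
        raise ValueError("unsupported version or Must-Be-Zero field set")
    hdr["tlvs"] = pkt[HDR.size:]
    return hdr


def build_echo_reply(request, return_code, ts_recv):
    """Egress side: echo handle, sequence and sent timestamps, add received timestamp."""
    q = parse_header(request)
    return HDR.pack(VERSION, 0, MSG_ECHO_REPLY, q["reply_mode"], return_code, 0,
                    q["handle"], q["seq"], q["ts_sent_s"], q["ts_sent_us"],
                    ts_recv[0], ts_recv[1]) + q["tlvs"]


def match_reply(request, reply):
    """Initiator side: accept only a reply that matches the outstanding request."""
    q, r = parse_header(request), parse_header(reply)
    if r["msg_type"] != MSG_ECHO_REPLY:
        return {"ok": False, "reason": "not an echo reply"}
    if (r["handle"], r["seq"]) != (q["handle"], q["seq"]):
        return {"ok": False, "reason": "handle/sequence mismatch: stale or unsolicited reply"}
    rtt_us = (r["ts_recv_s"] - r["ts_sent_s"]) * 1_000_000 + (r["ts_recv_us"] - r["ts_sent_us"])
    return {"ok": True, "return_code": r["return_code"],
            "egress": r["return_code"] == RETURN_EGRESS_FOR_FEC, "rtt_us": rtt_us}
```

The handle/sequence check is what keeps a delayed or injected reply from being counted as proof that the LSP is up; a real implementation would also time out unanswered requests and check that the reply arrived on the expected reply channel.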
MPLS Ping: Packet Flow
R3
192.168.10.0/24
R1 R2 R5
R4
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 242
Packet Flow Ping Mode: R1 R2
R3
R5
Egress node R4
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 243
MPLS Traceroute: Packet Flow
R3
192.168.10.0/24
R1 R2 R5
R4
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 244
Packet Flow Trace Mode: R3
R1 R2 R5
Transit Node R4
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 245
Packet Flow Trace Mode: R3
R1 R2 R5
Transit Node R4
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 246
Trace Mode: TTL>1
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 247
Motivation
• Scalability
• Locality of alerts
• Exchange Link Local Identifiers if your IGP can’t do it for you
• Test dormant paths
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 248
Self Test
POP B
POP A CORE
• Instead of testing every path
• Test every segment
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 249
Self Test
Figure: downstream and upstream test segments between POP A, the core and POP B
• Instead of testing every path
• Test every segment
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 250
Dormant Interfaces
A C
B D
• Interface labels programmed ahead of time
• E2E OAM tests only active paths
• If link D-E fails, D will begin using link C-D; C gets no notification of this event
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 251
Overview of Operation
Loop Test
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 253
Initiation details
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 254
Echo Request
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 255
Downstream LSR Response
Loop Test
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 256
Self Test Evaluation
LSR E
• Compare actual and expected
Router
Interface
Label stack
• On error notify network management
Other automated responses possible
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 257
Bidirectional Forwarding Detection
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 258
BFD Control Packet
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Vers | Diag |H|D|P|F| Rsvd | Detect Mult | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| My Discriminator |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Your Discriminator |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Desired Min TX Interval |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Required Min RX Interval |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Required Min Echo RX Interval |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 259
Variable detection intervals
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 260
Determining Detection Time
TX – Transmission Interval
RX – Receive Interval
Note that TX(a->b) = RX(b->a)
TX(a->b) = max(Desired Min TX(a), Required Min RX(b))
TX(b->a) = max(Desired Min TX(a), Required Min RX(b))
Detection Time(b) = Detect Mult(a) x T(a->b)
TX is jittered by 25%
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 261
Diagnostics
0 -- No Diagnostic
1 -- Control Detection Time Expired (RDI)
2 -- Echo Function Failed (N/A to VCCV)
3 -- Neighbor Signaled Session Down (FDI)
4 -- Forwarding Plane Reset (Indicates local equipment failure)
5 -- Path Down (Alarm Suppression)
6 -- Concatenated Path Down (used to propagate access link alarms)
7 -- Administratively Down
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 262
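The three BFD slides (control packet, detection time, diagnostics) fit in one added example (not vendor code). It packs and parses the 24-byte control packet as drawn on the slide, with the draft-era H/D/P/F flag byte rather than the later RFC 5880 layout, rejects packets that are truncated or carry a zero discriminator or multiplier before anything acts on them, and applies the slide's detection-time formulas to the last packet received from each side. The slide's second formula repeats the arguments of the first; the symmetric form TX(b->a) = max(Desired Min TX(b), Required Min RX(a)) is assumed here. Interval values are constructed.

```python
import random
import struct

# 24-byte BFD control packet as drawn on the slide (draft-era H/D/P/F flag byte);
# added example, not vendor code.
BFD = struct.Struct("!BBBBIIIII")
VERSION = 1
FLAG_BITS = ((7, "H"), (6, "D"), (5, "P"), (4, "F"))

DIAG = {  # diagnostic codes from the slide
    0: "No Diagnostic",
    1: "Control Detection Time Expired (RDI)",
    2: "Echo Function Failed",
    3: "Neighbor Signaled Session Down (FDI)",
    4: "Forwarding Plane Reset",
    5: "Path Down",
    6: "Concatenated Path Down",
    7: "Administratively Down",
}


def pack_bfd(s):
    """s: dict with diag, flags (set of 'H','D','P','F'), detect_mult, my_disc,
    your_disc, des_min_tx, req_min_rx, req_min_echo_rx (intervals in microseconds)."""
    byte0 = (VERSION << 5) | (s["diag"] & 0x1F)
    byte1 = 0
    for bit, flag in FLAG_BITS:
        if flag in s["flags"]:
            byte1 |= 1 << bit
    return BFD.pack(byte0, byte1, s["detect_mult"], BFD.size,
                    s["my_disc"], s["your_disc"],
                    s["des_min_tx"], s["req_min_rx"], s["req_min_echo_rx"])


def parse_bfd(pkt):
    if len(pkt) < BFD.size:
        raise ValueError("truncated BFD control packet")
    b0, b1, mult, length, my, your, tx, rx, echo = BFD.unpack_from(pkt)
    if b0 >> 5 != VERSION or length > len(pkt) or mult == 0 or my == 0:
        raise ValueError("invalid BFD control packet")   # discard; never act on it
    return {"diag": b0 & 0x1F, "diag_text": DIAG.get(b0 & 0x1F, "unknown"),
            "flags": {f for bit, f in FLAG_BITS if (b1 >> bit) & 1},
            "detect_mult": mult, "my_disc": my, "your_disc": your,
            "des_min_tx": tx, "req_min_rx": rx, "req_min_echo_rx": echo}


def is_valid_bfd(pkt):
    try:
        parse_bfd(pkt)
        return True
    except ValueError:
        return False


def negotiate(a, b):
    """Slide formulas applied to the last packets received from a and b."""
    tx_ab = max(a["des_min_tx"], b["req_min_rx"])
    tx_ba = max(b["des_min_tx"], a["req_min_rx"])   # symmetric form, assumed
    return {"tx_a_to_b": tx_ab, "tx_b_to_a": tx_ba,
            "detect_time_b": a["detect_mult"] * tx_ab,
            "detect_time_a": b["detect_mult"] * tx_ba}


def jittered_interval(tx_us, rng=random):
    """Transmit interval after up to 25% negative jitter (75%..100% of tx_us)."""
    return tx_us - int(rng.random() * tx_us * 0.25)
```

Because jitter only shortens the transmit interval, the detection time computed from the negotiated (unjittered) interval is the worst case a receiver has to wait before declaring the session down.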
Virtual Circuit Connection Verification (VCCV)
Figure: CE1 – PE1 – PSN tunnel carrying pseudo wires PW1 and PW2 – PE2 – CE2; the emulated service runs from CE to CE
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 263
VCCV Overview
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 264
In Band VCCV Format
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 265
PWE3 OAM Example:
Continuity Verification
Attachment VCs
BFD Packet
over VCCV channel
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 266
SLA Monitoring / Verification
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 267
Example of Operation
CV/Trace Using VCCV and LSP Ping
NMS/mgr Triggers LSP ping
trace when failure detected
VCCV Packet
Attachment VC Is lost
Attachment VC
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 268
MPLS Security Considerations
Monique Morrow
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 269
Three Pillars of Security
security
Implementation
Architecture /
Algorithm
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 271
Threat Points of References
Backbone
Customer Access Infrastructure
CE PE
Internet
MPLS Core
CE PE
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 272
Outside Backbone
Backbone
Customer Access Infrastructure
CE PE
MPLS Core
CE PE
CE PE
CE PE
CE PE
CE PE
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 275
Ways to Attack
- Vendor implementation
- Correct config and management Use IPsec
between CEs!
• “Denial-of-Service”: Deny access of others
Much more interesting…
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 276
DoS against MPLS
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 277
Attacking a CE from MPLS (other VPN)
CE2
IP(CE2) IP(PE; fa1) VRF CE2
VRF
Internet
Attack points
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 280
DoS Attacks to PE can come from:
Has to be secured
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 281
Layer 2 Comparison Context
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 282
Non-IP networks: Not 100% secure!!
Example: Telephone Network
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 283
Non-IP networks: Not 100% secure!!
Example: ATM Switch
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 284
Comparison with ATM / FR
                                       ATM/FR   MPLS
Address space separation               yes      yes
Routing separation                     yes      yes
Resistance to attacks                  yes      yes
Resistance to Label Spoofing           yes      yes
Direct CE-CE Authentication (layer 3)  yes      with IPsec
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 285
From RFC2547bis:
Data Plane Protection
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 286
From RFC2547bis:
Control Plane Protection
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 287
Inter-AS: Case 10.a)
VRF-VRF back-to-back
Cust. AS 1 AS 2 Cust.
CE CE
PE ASBR ASBR PE
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 288
Security of Inter-AS 10.a)
• Static mapping
SP1 does not “see” SP2’s network
And does not run routing with SP2, except within the VPNs.
Quite secure
• Potential issues:
SP 1 can connect VPN connection wrongly
(like in ATM/FR)
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 289
Inter-AS: Case 10.b)
ASBR exchange labelled VPNv4 routes
Cust. AS 1 AS 2 Cust.
CE CE
PE ASBR MP-BGP+labels ASBR PE
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 290
Security of Inter-AS 10.b)
Cust. AS 1 AS 2 Cust.
CE VPNv4 routes + labels CE
PE ASBR PE loopb+labels PE
ASBR
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 292
Security of Inter-AS 10.c)
• Potential Issues:
SP1 can bring a CE into any VPN on “shared” PEs
SP1 can intrude into any VPN on “shared” PEs
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 294
Inter-AS Recommendation
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 295
Carrier’s Carrier
Figure: Customer, Carrier, Carrier’s Carrier, Carrier, Customer; CE and PE routers with IP data carried end to end
• Control Plane: PE1 assigns label to PE2
• Data Plane: PE1 only accepts packets with this label on this i/f; PE1 controls data plane; no label spoofing possible
Watch layer-2 security!! (more later)
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 297
Carrier’s Carrier: Security
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 298
Carrier’s Carrier: Summary
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 299
Watch out for Layer 2 Security!!
But….
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 301
Within (!) a VLAN, Attacks are Easy!!
Solutions:
• For 1 and 2: port security (hard to maintain…)
Few SPs do this normally, so this attack is easy
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 302
ARP Spoofing
Figure: hosts A (IP a, MAC A), B (IP b, MAC B) and C (IP c, MAC C) on one segment; C sends forged ARP replies so that A and B map each other’s IP address to MAC C
• C is sending faked gratuitous ARP reply to A
• C sees traffic from IP a to IP b
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 303
Arpspoof in Action
[root@hacker-lnx dsniff-2.3]# ./arpspoof 15.1.1.1
0:10:83:34:29:72 ff:ff:ff:ff:ff:ff 0806 42: arp reply 15.1.1.1 is-at 0:10:83:34:29:72

C:\>test
C:\>arp -d 15.1.1.1
C:\>ping -n 1 15.1.1.1
C:\>arp -a
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 304
CAM Overflow 1/3
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 305
CAM Overflow 2/3
Figure: switch CAM table (MAC → port) with A on port 1, B on port 2 and C on port 3; C sends frames from made-up source MACs X, Y, … so the table fills with “X is on port 3”, “Y is on port 3”, …
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 306
CAM Overflow 3/3
Figure: CAM table now full of C’s entries (X, Y, … on port 3); B’s entry is gone, so when A sends to B the switch finds “B unknown… flood the frame” and C on port 3 sees the traffic to B
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 307
Within (!) a VLAN, Attacks are Easy!!
Solutions:
• For 1 and 2: port security (hard to maintain…)
Few SPs do this normally, so this attack is easy
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 308
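The two attacks just shown (forged gratuitous ARP replies, CAM overflow) leave the footprints the "Solutions" slide hints at: an IP whose MAC binding suddenly changes, replies nobody asked for, and one access port sourcing far more MAC addresses than any host would. The following added example (not Cisco or dsniff code) is detection logic a switch or a monitoring host on the VLAN could run over a frame stream: it flags unsolicited replies, binding changes against a trusted table, and applies a port-security style limit on distinct MACs per port, err-disabling the port on violation. The frame records, MAC addresses, IPs and the limit of two MACs per port are constructed.

```python
from collections import defaultdict

# Port-security style limit on distinct source MACs per access port (constructed policy value)
MAX_MACS_PER_PORT = 2


def inspect(frames, known_bindings, max_macs=MAX_MACS_PER_PORT):
    """Walk frames seen on a VLAN and raise alerts for the two attacks on the
    slides: faked (gratuitous) ARP replies and CAM-table flooding."""
    bindings = dict(known_bindings)          # ip -> mac learned from a trusted source
    outstanding = set()                      # target IPs of ARP requests we have seen
    macs_on_port = defaultdict(set)
    blocked = set()                          # ports err-disabled by the MAC limit
    alerts = []
    for f in frames:
        port = f["port"]
        if port in blocked:
            continue                         # port already shut: drop silently
        macs_on_port[port].add(f["src_mac"])
        if len(macs_on_port[port]) > max_macs:
            alerts.append(("mac-flood", port, len(macs_on_port[port])))
            blocked.add(port)
            continue
        arp = f.get("arp")
        if arp is None:
            continue
        if arp["op"] == "request":
            outstanding.add(arp["target_ip"])
            continue
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        if mac != f["src_mac"]:              # ARP payload disagrees with the frame header
            alerts.append(("arp-mac-mismatch", port, ip, f["src_mac"], mac))
        if ip not in outstanding:            # reply nobody asked for
            alerts.append(("gratuitous-reply", port, ip, mac))
        outstanding.discard(ip)
        if ip in bindings and bindings[ip] != mac:
            alerts.append(("binding-change", port, ip, bindings[ip], mac))
        else:
            bindings.setdefault(ip, mac)
    return alerts, blocked


# Constructed sample: A (port 1) asks for b; B (port 2) answers; C (port 3)
# first sends an unsolicited reply claiming A's IP, then floods with made-up MACs.
MAC_A, MAC_B, MAC_C = "aa:aa:aa:00:00:01", "bb:bb:bb:00:00:02", "cc:cc:cc:00:00:03"
SAMPLE_FRAMES = [
    {"port": 1, "src_mac": MAC_A, "arp": {"op": "request", "target_ip": "10.0.0.2"}},
    {"port": 2, "src_mac": MAC_B, "arp": {"op": "reply", "sender_ip": "10.0.0.2", "sender_mac": MAC_B}},
    {"port": 3, "src_mac": MAC_C, "arp": {"op": "reply", "sender_ip": "10.0.0.1", "sender_mac": MAC_C}},
] + [{"port": 3, "src_mac": f"02:00:00:00:00:{i:02x}"} for i in range(8)]
KNOWN = {"10.0.0.1": MAC_A}               # trusted binding, e.g. a static entry for the gateway


def alert_kinds(alerts):
    return {a[0] for a in alerts}


if __name__ == "__main__":
    for alert in inspect(SAMPLE_FRAMES, KNOWN)[0]:
        print(alert)
```

A static MAC limit is exactly the "hard to maintain" part the slide mentions: every legitimate change of host on a port needs the policy updated, which is why few SPs run it on customer-facing ports.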
Labelled packets on a VLAN
Data plane:
• Any label combination can be sent, by any station in the VLAN
• For CsC, top label (LSP) is checked by PE, VPN label cannot be checked, but affects only VPNs from the Carrier (not other carriers).
• For Inter-AS, neither LSP label nor VPN label is checked.
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 309
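The difference between the CsC and Inter-AS bullets above is whether the PE binds a label to the interface it was handed out on. The added example below (a model, not vendor forwarding code) shows a PE's label data plane in both modes: with a per-interface label space a label is accepted only from the neighbour it was assigned to, so a station on the shared VLAN that sends another customer's label is dropped; with a single unchecked label space the same packet is forwarded into the other VPN. Interface names, labels and VPN names are constructed.

```python
from collections import defaultdict


class LabelCheckingLSR:
    """Model of a PE's label data plane; added example, not vendor code.
    strict=True: a label is accepted only on the interface it was assigned to
    (per-interface label space, the CsC top-label check on the slide).
    strict=False: any known label is accepted from any interface (the
    unchecked Inter-AS case)."""

    def __init__(self, strict=True):
        self.strict = strict
        self.lfib = {}                     # label -> (assigned_iface, fec)
        self.by_iface = defaultdict(set)   # iface -> labels assigned to that neighbour
        self.forwarded, self.dropped = [], []

    def assign_label(self, iface, fec, label):
        """Control plane: advertise `label` for `fec` to the neighbour on `iface`."""
        self.lfib[label] = (iface, fec)
        self.by_iface[iface].add(label)

    def receive(self, iface, label_stack):
        """Data plane: look up the top label and apply the interface check."""
        top = label_stack[0]
        entry = self.lfib.get(top)
        if entry is None or (self.strict and top not in self.by_iface[iface]):
            self.dropped.append((iface, tuple(label_stack)))
            return None
        self.forwarded.append((iface, entry[1]))
        return entry[1]


def demo(strict):
    """Two customer-facing interfaces; the neighbour on cust-a sends three packets."""
    pe = LabelCheckingLSR(strict=strict)
    pe.assign_label("cust-a", "VPN-A", 16)    # label 16 handed to customer A's neighbour
    pe.assign_label("cust-b", "VPN-B", 17)    # label 17 handed to customer B's neighbour
    legit = pe.receive("cust-a", [16])        # A uses its own label
    crafted = pe.receive("cust-a", [17])      # a label A was never given
    unknown = pe.receive("cust-a", [99])      # label never assigned at all
    return {"legit": legit, "crafted": crafted, "unknown": unknown, "dropped": len(pe.dropped)}
```

Only the top label is checked here, which mirrors the slide: the inner VPN label is interpreted at the far PE, so a per-interface check on the top label limits a spoofed packet to VPNs that the same carrier already serves through that interface.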
Recommendation for Advanced MPLS Networks
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 310
Best Practice Security Overview (1)
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 311
PE-CE Routing Security
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 312
Securing the MPLS Core
Figure: MPLS core with P routers, PE routers, a BGP route reflector, Internet and VPN customer CEs
• BGP peering with MD5 authentication
• ACL and secure routing
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 313
Neighbour Authentication (1)
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 314
Neighbour Authentication (2)
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 315
Neighbour Authentication (3)
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 316
Use IPsec if you need:
• Encryption of traffic
• Direct authentication of CEs (maybe more important than encryption?)
• Integrity of traffic
• Replay detection
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 317
End-to-End Security with IPsec
MPLS core
CE PE PE CE
P P
VPN VPN
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 318
Where to do IPsec
MPLS core
CE PE PE CE
P P
VPN VPN
1. CE to CE
2. PE to PE
3. Mixture
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 319
Where to do IPsec
1. CE to CE
SP not involved (unless it manages the CEs)
MPLS network only sees IPsec traffic: very secure
2. PE to PE
Does not prevent sniffing on the access line
Not very secure for the customer
There are some specific applications for this (US ILECs)
3. Mixtures
Need to trust SP
Mostly for access into VPN
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 320
MPLS doesn’t provide:
• Protection against mis-configurations in the core
• Protection against attacks from within the core
• Confidentiality, authentication, integrity, anti-replay: use IPsec if required
• Customer network security
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 321
A Word About G-MPLS
Monique Morrow
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 322
Legacy Data Reference Architecture Today
Separate Layers
Figure: CPE, Aggregation, Distribution and Core columns; ATM/FR, PSTN (modem/TA), HFC and channelised/leased-line access feeding separate ATM, SDH/SONET, IP/MPLS (Internet) and PoP Services layers over the optical fibre plant
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 323
What is Happening in Core ?
IP
Optical Layer 2
SDH
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 325
E2e IP Infrastructures Today
Dark Fibre
DWDM
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 326
Data Reference Architecture
Future IP + Optical
Figure: CPE, Aggregation, Distribution and Core columns; ATM/FR, PSTN (modem/TA), 802.11, HFC and Ethernet/channelised/leased-line access feeding IP/MPLS (Internet) and PoP Services directly over dWDM optical transport
GMPLS
• Simplest model
• Very high BW connections: STM-16c – STM-256c, RPR, GE, 10GE; WAN PHY & LAN PHY long distance
• Static - Does it matter?
• No layer 1 recovery: L3 or FRR
• Cheap and efficient solution
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 328
Core Infrastructures Option 2
Overlay without Signalling
Control plane
OXC OXC
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 329
Core Infrastructures Option 3
Overlay with UNI
Control plane
OXC OXC
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 330
Core Infrastructures Option 4
Peer Model – GMPLS / G.ASON / …
OXC OXC
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 331
Standards Bodies
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 332
…. when MPLS started …
• General-purpose tunneling mechanism
carry IP and non-IP payloads
uses label switching to forward packets/cells through the network
can operate over any data-link layer
• Separate Control Plane from Forwarding Plane
• Effort began 1996 ….. RFCs out 2001
• RFC 3031 MPLS Architecture
Figure: Control Plane (IP routing protocols OSPF, ISIS, iBGP inside the MPLS domain, RIP2 and BGP4 outside; label distribution protocols LDP, RSVP) over a Forwarding Plane of routers, packet LSRs, ATM LSRs and OXCs carrying packet LSPs, TE LSPs and TE λ LSPs (MPλS domain)
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 335
.… finally Generalized MPLS - GMPLS …
• GMPLS control plane supports multiple switching and forwarding planes
GMPLS = MPLS + MPλS + N
• where N is MPLS control of new switching planes
• Introduces new functions to accommodate circuit-oriented optical network regimes
• draft-ietf-ccamp-gmpls-architecture-07.txt
Figure: GMPLS Control Plane (IP routing protocols OSPF, ISIS with extensions; label distribution protocols CR-LDP, RSVP-TE; MPLS TE) over the Forwarding Plane
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 336
.… N-dimensional GMPLS …
Figure: unified GMPLS control plane (MPLS TE, RSVP-TE, CR-LDP, OSPF/IS-IS with extensions) setting up a TE LSP across an OTN within one GMPLS domain
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 337
Multiple Sub-Domains in GMPLS Domain
Figure: one unified GMPLS control plane over a forwarding plane made up of several sub-domains: PSC (packet), TDM, Lambda and Fiber domains interconnected by OXCs, with OTN transport
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 338
Multiple GMPLS Domains …
Figure: several GMPLS domains, each with its own unified control plane (MPLS TE, RSVP-TE, CR-LDP, OSPF/IS-IS) and forwarding plane of PSC, TDM (TD), Lambda (LD) and Fiber (FD) domains over OTN; the interaction between domains is marked “?”
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 339
Basic Concepts & Components
• Topology Discovery
running an IGP (OSPF or IS-IS) with extensions
• Route Computation
Route computation done by NEs
Link state aggregation and lack of lightpath related information affects efficiency
• Neighbor Discovery
Link Management Protocol like LMP/NDP run in distributed way
• Lightpath Setup
Done by ingress NE using signaling protocol like RSVP-TE
Figure: Routing (OSPF, IS-IS) and Signaling (RSVP-TE, CR-LDP) protocol stacks plus LMP as the control components
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 341
Link Bundling & Unnumbered Links
1
2
3
LSR1 LSR2
• Issue
Neighboring LSRs connected by multiple parallel links
Each link is addressed at each end and advertised into routing database … lots of links !!!
• Solution
Aggregate multiple Component Links into a single Abstract Link
Use (Router ID, Interface #) for link identifiers
• Reduces number of links in routing database and amount of per-link configuration
• draft-kompella-mpls-bundle-05.txt
• draft-kompella-mpls-unnum-02.txt
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 342
Hierarchical LSPs
Figure: unified GMPLS control plane over a forwarding plane of PSC (routers), TSC (SONET/SDH NEs), LSC (λ switches) and Fiber (OXC) domains over OTN; TE LSPs are nested, each starting and ending in LSRs of the same type
An LSP must start and end on the LSRs of the same type.
Nested LSPs
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 343
LSP Hierarchy
FA-LSP…Forwarding Adjacency LSP
Nested LSPs
FA-PCS LSP FA-TDM LSP FA-LSC LSP
LSP Packet TDM Lambda Fiber
• draft-ietf-mpls-lsp-hierarchy-08.txt
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 344
LMP & Link Management
Figure: IP based control network carrying out-of-band LMP messages between nodes; in-band link verification messages on the component links of a bundle (FA)
• LMP Functionality
Most LMP messages sent out-of-band through CC
In-band messages sent for Component Link Verification
Once allocated, Component Link is not assumed to be opaque
Port ID mapping
One CC per one or more Component Link Bundles
Fault isolation
End-system and service discovery (UNI related)
• Flooding Adjacencies are maintained over CC (via control network)
• Forwarding Adjacencies (FA) are maintained over Component Links and announced as links into the IGP
• draft-ietf-mpls-lmp-02.txt
• draft-ietf-ccamp-lmp-10.txt
• draft-ietf-ccamp-lmp-wdm-02.txt
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 345
GMPLS Signaling
Figure: TE LSP across an OTN within a GMPLS domain
• Extended label semantics for Fiber, Waveband, Lambda, TDM and PSC LSP setup
• Extend RSVP-TE/CR-LDP for opaquely carrying new label objects over explicit path
• Suggested Label - conveyed by upstream LSR to downstream LSR to speed up configuration (on upstream)
• Label Set - limits choice of labels that downstream LSR can choose from
If no wavelength conversion is available then the same lambda must be used end to end
• Bidirectional LSP setup
draft-ietf-mpls-generalized-signaling-09.txt
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 346
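The Label Set and Suggested Label bullets describe a small algorithm, shown here as an added example (not any vendor's or the draft's reference code). The Label Set carried in the Path message starts as the ingress link's free lambdas and is intersected hop by hop with each downstream link's free lambdas; if it becomes empty, setup fails at that hop. A node with wavelength conversion decouples the choice, so the set is restarted there. At the end each continuity segment picks the Suggested Label when it survived, otherwise the lowest available lambda. Link names, free-lambda sets and converter placement are constructed.

```python
def assign_lambdas(path, suggested=None):
    """path: hops in order, each {"link": name, "free": set of usable lambdas on
    that link, "converter": True if the node at the head of the link can convert
    wavelengths}. Returns [(link, lambda), ...] or None when the Label Set
    becomes empty (signaling would fail at that hop)."""
    segments, current = [], None
    for hop in path:
        if current is None or hop["converter"]:
            # a converter decouples the lambda choice: start a new continuity segment
            if current is not None:
                segments.append(current)
            current = {"links": [], "label_set": set(hop["free"])}
        else:
            # no conversion: Label Set is intersected with this link's free lambdas
            current["label_set"] &= set(hop["free"])
        current["links"].append(hop["link"])
        if not current["label_set"]:
            return None                      # empty Label Set: no continuous lambda
    segments.append(current)
    assignment = []
    for seg in segments:
        lam = suggested if suggested in seg["label_set"] else min(seg["label_set"])
        assignment.extend((link, lam) for link in seg["links"])
    return assignment


# Constructed three-link path with no wavelength conversion anywhere
CONTINUOUS = [
    {"link": "L1", "free": {1, 2, 3}, "converter": False},
    {"link": "L2", "free": {2, 3}, "converter": False},
    {"link": "L3", "free": {3, 4}, "converter": False},
]
# Same shape, but no lambda is free on all three links
TIGHT = [
    {"link": "L1", "free": {1, 2}, "converter": False},
    {"link": "L2", "free": {2, 3}, "converter": False},
    {"link": "L3", "free": {3, 4}, "converter": False},
]
# TIGHT again, with a converter at the node in front of L3
WITH_CONVERTER = [dict(TIGHT[0]), dict(TIGHT[1]), dict(TIGHT[2], converter=True)]

if __name__ == "__main__":
    for name, p in (("continuous", CONTINUOUS), ("tight", TIGHT), ("converter", WITH_CONVERTER)):
        print(name, assign_lambdas(p))
```

The Suggested Label only speeds setup when it survives the intersection; a downstream node is free to reject it, which is why the upstream node must not configure the suggested lambda irrevocably before the Resv confirms it.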
GMPLS Routing Extensions
• Extensions needed to deal with the polymorphic nature of GMPLS links
links that are not capable of forwarding packets nor can they support router adjacencies
links that are aggregates of many component links (e.g. link bundles)
links that are FAs between non-adjacent routers
• Define new sub-TLVs for
OSPF Link TLV
IS-IS Reachability TLV
• Flooded over bi-directional control channels (CC) connecting GMPLS nodes
CC may not necessarily follow topology of data bearing (component) links
• draft-ietf-ccamp-gmpls-routing-09.txt
• draft-ietf-ccamp-ospf-gmpls-extensions-12.txt
• draft-ietf-isis-gmpls-extensions-19.txt
• draft-ietf-ccamp-rsvp-te-exclude-route-00.txt
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 347
GMPLS Routing sub-TLVs
• Link Descriptor
link encoding type and bandwidth granularity
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 348
GMPLS Overlay Routing Model
OTN
Signaling Signaling
Signaling/Routing
LMP LMP LMP LMP
UNI UNI
LSP
Signaling/Routing
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 350
Protection & Restoration
SDH IP
draft-ietf-ccamp-gmpls-recovery-terminology-02.txt
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 351
GMPLS Protection / Restoration
Based on MPLS TE FRR
Figure: link protection and node protection examples on a small router topology (R1 … R9)
• FRR mechanism to minimize packet loss during Link / Node Failure
• Pre-provisioned protection tunnels carry traffic when protected resource goes down
• MPLS-TE to signal FRR protection tunnels
MPLS TE traffic doesn’t have to follow IGP shortest path
• Can protect MPLS or IP traffic !
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 352
GMPLS Based Recovery
Terminology: draft-ietf-ccamp-gmpls-recovery-terminology-02.txt (March 02)
Functional Specification: draft-ietf-ccamp-gmpls-recovery-functional-01.txt (July 02)
GMPLS RSVP-TE Specification: draft-ietf-ccamp-gmpls-recovery-e2e-signaling-02.txt (Aug 02)
• LSP Protection
full LSP signaling (cross-connection) before failure occurrence
• Pre-Planned Rerouting (with shared rerouting as particular case)
Pre-signaling before failure – LSP activation after failure – allows for low priority
• LSP Dynamic Rerouting (aka restoration)
full LSP signaling after failure occurrence
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 353
GMPLS MIBs
• Based on MPLS MIBs - Revision 3 now ready
http://www.olddog.co.uk/download
• Open issues
Expand conformance statements for configuration/monitoring tunnel resources in GMPLS systems like SONET/SDH or G.709
Extend performance tables for technology specific GMPLS LSPs
Consider way to expose
Tunnel heads
Tunnel tail
Tunnel transfer entries
Support for IF_ID control and error reporting
LSR or interface config for Hellos and Restart
• draft-ccamp-ietf-gmpls-tc-mib-01.txt
• draft-ccamp-ietf-gmpls-lsr-mib-01.txt
• draft-ccamp-ietf-gmpls-te-mib-01.txt
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 354
ITU-T SG 15 Communications to IETF CCAMP
Question 14 – Optical Control Plane
Figure: ASON Architecture; Discovery (G.disc_arch, G.7714.1 discovery mechanisms, ECC interoperability); Management (G.frame framework, G.7713.1 and G.7713.2 protocol specifications; G.7713.2 references RFC 3474)
• draft-ietf-ccamp-gmpls-ason-reqts-04.txt
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 356
GMPLS Extensions for ASON
Reference Point Terminology - UNI, ENNI, INNI
Figure: two administrative GMPLS domains (eg. SP1 and SP2), each with its own unified control plane (MPLS TE, RSVP-TE, CR-LDP, OSPF/IS-IS) and forwarding plane (PSC, TD, LD, FD domains over OTN); UNI towards the user, INNI between areas and controllers within a domain, ENNI between the domains
• Soft permanent connection capability
• Call & connection separation, Call segments
• Extended restart capabilities during control plane failures
• Extended label association
• Crankback capability
• Additional error cases
• ASON Reference Points
Between administrative domain & user aka. User-network-interface (UNI)
Between administrative domains aka. External-network-interface (E-NNI)
Between areas of the same administrative domain & between controllers within areas aka. Internal-network-network-interface (I-NNI)
• Definition of GMPLS (RFC3473) compliant UNI
• GMPLS-OVERLAY & GMPLS-VPN
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 357
GMPLS Extensions for ASON
E2E Signaling over GMPLS and Non-GMPLS Domains
Figure: administrative GMPLS domain 1 (eg. SP1) and GMPLS domain 2 connected through an administrative non-GMPLS domain (eg. SP3); UNI, INNI and ENNI reference points as before
• No restricted use of other protocols within the control domain
• e2e signalling regardless of administrative boundaries & protocols within the network
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 358
G.7713.2 / RFC3474 – RFC3473 Interworking
draft-dimitri-ccamp-gmpls-rsvp-te-ason-01.txt
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 360
ASON Routing Requirements
draft-alanqar-ccamp-gmpls-ason-routing-reqts-00.txt
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 361
Inter-Region / Inter-AS MPLS TE
• One common method for different “Regions”
• Requirements defined by TEWG
Inter-AS draft-ietf-tewg-interas-mpls-te-req-01.txt
Inter-area draft-boyle-tewg-interarea-reqts-00.txt
• Each Region may either nest or stitch the Inter-Region TE LSP into a “different” Intra-Region TE LSP to carry the end-to-end Multi-Region TE LSP
RSVP-TE signaling based on LSP Hierarchy (for both nesting and stitching)
Nesting of multiple inter-region LSPs into intra-region LSP
Control & forwarding plane scalability
• draft-ayyangar-inter-region-te-01.txt
Multiple LSP pieces nested or stitched together
Per region control
• draft-vasseur-inter-as-te-01.txt
Contiguous LSP end to end
Head end control
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 362
Inter-AS MPLS TE
• draft-vasseur-inter-AS-TE-01.txt
• Defines signaling and routing mechanisms to make possible the creation of paths that span multiple IGP areas, multiple ASs, and multiple providers, including techniques for crankback ….
• Draft defines two scenarios for signaling and routing of TE LSP spanning multiple ASs
Per AS path computation
Distributed path computation between PSCs (ASBR)
• Can be used in combination with Hierarchical LSPs, crankback, …
• draft-vasseur-mpls-loose-path-reopt-01.txt proposes a set of mechanisms allowing a Head-end to exert a strict control on the TE LSP reoptimizing process and draft-ietf-mpls-nodeid-subobject-00.txt to support MPLS TE Fast Reroute
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 363
Two Scenarios
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 365
Interaction with other WGs
• TEWG
Multi-area AS requirements
draft-ietf-tewg-interas-mpls-te-req
• MPLS
Ptmp LSPs - requirements and solutions include all switching types
(draft-yasukawa-mpls-p2mp-requirements)
• OSPF / IS-IS
GMPLS extensions complete
May interact for solutions to ASON routing requirements
• IPO
IP over Optical Networks – a framework
draft-ietf-ipo-framework
Just completing IESG review
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 366
What is O-UNI ?
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 367
Where does O-UNI fit in the network ?
User Domain
OXC
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 369
Where does O-NNI fit in the network ?
O-NNI-IaDI OXC
OXC
O-NNI-IrDI O-NNI-IrDI
OXC OXC
Optical Transport Network
O-UNI (signaling)
Connection Control Plane
• Bandwidth On Demand
High bandwidth transient, time of day network reconfiguration, multiple optical client types
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 371
O-UNI Key Features
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 372
OIF O-UNI 1.0 Key Protocols
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 373
OIF O-UNI 1.0 Key Connection Attributes
Key Connection Attributes beyond Src & Dst TNA & ports
Connection ID (M)     Contract ID (O)
Framing Type (M)      Transparency (M)
Bandwidth (M)         Concatenation (M)
Directionality (O)    Payload (O)
Service level (O)     Diversity (O)
APRICOT 2004 © 2003 Cisco Systems, Inc. All rights reserved. 374
O-UNI Transport Network Applications
[Figure: Customer A sub-networks A1 and A2, each an OC-48 ring of SONET/SDH NEs, attach over O-UNI to Service Provider A's optical network of OXCs interconnected by OC-48/192 links]
• Interconnect SONET/SDH sub-network A1 to A2
• Offer bandwidth on demand, OVPN, and new transport classes of service
O-UNI IP Router Network Applications
[Figure: Customer A IP networks A1 and A2 attach over O-UNI to Service Provider A's optical network of OXCs]
• Interconnect IP networks A1 and A2 to each other and to other IP subnetworks
• Offer bandwidth on demand, OVPN, and new transport classes of service
O-UNI Multi-Service Network Applications
[Figure: ATM LSRs and SONET/SDH NEs attach as clients to an optical network of OXCs]
Advanced Internets
• Experimental environments: Web100 for network researchers, NLR
• Advanced services: I2-Abilene for education, SurfNet 5
[Figure: map of research and education networks, including CALREN, Dante, Quantum, Nordunet, SuperJanet, DFN, NGI, Renater2, CENIC, NLR, FUNET, SURFNET, CUDI, RedIRIS, MirNET, CLARA, IUNet, Sankhya Vahini and IUCC]
Advanced Internets (http:// …)
• www.dante.net/quantum.html
• www.nordu.net
• www.canarie.ca
• www.ukerna.ac.uk
• www.dfn.de
• www.renater.fr
• www.surfnet.nl
• www.internet2.edu
• www.csc.fi/english/funet
• www.ngi.gov
• www.startap.net
• www.friends-partners.org/friends/mirnet/
• www.cenic.org
• apan.or.kr
• www.cudi.edu.mx/
• www.nii.ac.jp
• www.rnp.br/
• www.tanet2.net.tw/
• www.reuna.cl/
• www.singaren.net.sg
• www.retina.ar
• www.machba.ac.il/index.html
Summary
Azhar Sayeed
MPLS: The Key Technology for the delivery of L2 & L3 Services
[Figure: an IP+ATM switch running PNNI and MPLS carries both ATM services and IP services]
IP+ATM: MPLS brings IP and ATM together
• eliminates IP "over" ATM overhead and complexity
• one network for Internet, business IP VPNs, and transport
MPLS: The Key Technology for the delivery of L3 Services
[Figure: an IP+Optical switch using O-UNI and MPLS carries both optical services and IP services]
IP+Optical Integration
• eliminates IP "over" optical complexity
• uses MPLS as a control plane for setting up lightpaths (wavelengths)
• one control plane for Internet, business IP VPNs, and optical transport
Recommended Reading
Questions?
Layer 2 VPNs
Layer 2 VPNs
Similar to L3VPN
Architecture
[Figure: CE routers of VPN A attach to PE routers over an attachment circuit (Ethernet VLAN, FR DLCI, ATM VC, PPP session); between the PEs the traffic rides an emulated VC/pseudowire whose labels are exchanged via directed LDP]
Frame Relay over MPLS—Example
• VC1 connects DLCI 101 to DLCI 201
• VC2 connects DLCI 102 to DLCI 202
• Directed LDP label exchange: VC1 uses label 10, VC2 uses label 21
[Figure: a CPE router/FRAD attaches to PE1 on DLCI 101; across the MPLS LSP (the Any Transport over MPLS (AToM) tunnel) the frame leaves PE1 with the stack [tunnel label 50][VC label 10] and arrives at PE2 with [tunnel label 90][VC label 10], where it is delivered to the far CPE router/FRAD]
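To make the label stack on this slide concrete, here is an added Python model (not code from the tutorial or from any Cisco product) of the three forwarding steps: PE1 maps the attachment-circuit DLCI to VC label 10 under tunnel label 50, the core swaps only the tunnel label, and PE2 pops the tunnel label and maps the VC label back to DLCI 201. The 32-bit shim header layout (20-bit label, 3-bit EXP, S bit, 8-bit TTL) is the standard one; the DLCI and label values come from the slide, while the P-router swap entry (50 to 90) and the drop rules for malformed stacks are assumptions.

```python
import struct

# Constructed from the slide: VC1 = DLCI 101 <-> DLCI 201 (VC label 10),
# VC2 = DLCI 102 <-> DLCI 202 (VC label 21), tunnel label 50 on the
# PE1 side of the LSP, 90 on the PE2 side (swap entry is an assumption).
VC_TABLE_PE1 = {101: 10, 102: 21}   # ingress DLCI -> VC label (from directed LDP)
VC_TABLE_PE2 = {10: 201, 21: 202}   # VC label -> egress DLCI
LFIB_P = {50: 90}                   # P router: incoming tunnel label -> outgoing


def encode_label(label, exp=0, bos=0, ttl=255):
    """Pack one MPLS shim header: label (20) | EXP (3) | S (1) | TTL (8)."""
    if not 0 <= label < (1 << 20):
        raise ValueError("label out of range")
    return struct.pack("!I", (label << 12) | (exp << 9) | (bos << 8) | ttl)


def decode_label(buf):
    """Unpack one shim header into (label, exp, bos, ttl)."""
    (word,) = struct.unpack("!I", buf[:4])
    return word >> 12, (word >> 9) & 7, (word >> 8) & 1, word & 0xFF


def pe_ingress(dlci, frame, tunnel_label, vc_table=VC_TABLE_PE1):
    """PE1: [tunnel label][VC label, S=1][frame]; unknown DLCI has no pseudowire."""
    if dlci not in vc_table:
        return None
    return encode_label(tunnel_label) + encode_label(vc_table[dlci], bos=1) + frame


def p_swap(packet, lfib=LFIB_P):
    """P router: swap only the top (tunnel) label and decrement TTL;
    the VC label underneath is never inspected."""
    label, exp, bos, ttl = decode_label(packet)
    if label not in lfib or ttl <= 1:
        return None  # no LFIB entry or TTL expired: drop
    return encode_label(lfib[label], exp, bos, ttl - 1) + packet[4:]


def pe_egress(packet, vc_table=VC_TABLE_PE2):
    """PE2: pop the tunnel label, map the VC label to the egress DLCI.
    A stack without two labels, or a VC label not learnt via LDP, is dropped."""
    _, _, bos, _ = decode_label(packet)
    if bos:
        return None  # only one label present: no VC label under it
    vc_label, _, bos, _ = decode_label(packet[4:])
    if not bos or vc_label not in vc_table:
        return None
    return vc_table[vc_label], packet[8:]
```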
Summary