LTRMPL 3102

Enterprise Network Virtualization
using IP and MPLS Technologies:

Advanced
Travis Jones, Consulting Systems Engineer
CCIE #4603 Data Center, R&S, Security, Service Provider & Voice
CCDE 2013:60
LTRMPL-3102
Agenda
Introduction
Session prerequisites and goals
Lab Overview
Technology
Design Logic
Access Instructions
Execute Lab
The Prerequisites
Know how to navigate and configure Cisco IOS
Familiarity with MPLS (what it is, what it does, and how it does it)
Understanding of IP routing fundamentals
This is an advanced lab
LTRMPL-3102 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 4
Session Goal
Provide every attendee with hands-on experience in the configuration of multiple
network virtualization technologies.
Demonstrate the interoperability of various network virtualization protocols and
the integration of services within a functioning end-to-end topology.
This lab should not be considered a design guide.
Lab Overview
MPLS Concepts and Capabilities
Reference points and their roles within an MPLS domain (P, PE, CE)
Virtual Routing and Forwarding (VRFs)
Inter-AS options (Options A, B, and C)
MPLS over GRE
Use cases
Services Edge
Definition
The Services Edge functional area is where a great deal of policy enforcement
and traffic manipulation is done.
Three main functionalities:
Control inter-VPN traffic/access
Control access to VPN-dedicated resources
Control access to shared resources
Two types of access to shared services
Uncontrolled access
Controlled access
Uncontrolled Access
Sharing Between VPNs with Route-target
Export 3:3 VRF

VRF Export 3:3
Import 1:1
Import 1:1
Export 2:2
VRF Export 2:2
Import 1:1 VRF
Import 1:1
VRF Import 3:3 No transitivity: imported

Bi-directional communication
Import 2:2 routes are no re-exported.
between all VRFs and central Export 1:1
services VRF. Shared
Services Blue and Red VRFs remain
Central services routes imported into isolated. No routes are
both VRF red and blue (1:1) exchanged.
Central VRF imports routes for blue

and red subnets (3:3, 2:2)
Controlled Access
FW + Fusion Router
Fusion router:
Inter-VPN connectivity
Shared resource connectivity (Internet, VPN A
servers, etc)
VPN B I-Net
ASASM contexts: Fusion
VPN C VDC or VRF
VPN isolation / protection
VPN D
Per VPN policies: ACL, NAT
250 contexts per FW Shared Firewall Contexts
Map to VLANs Services or zone-pairs
IOS Zone Based Firewall

Inter-Zone Policies
Traffic Classes
A WAN Core Layer Dual Plane
IGP isolation between each plane
Isolate topology changes
Flexible topology
Highly redundant
Similar to two provider environments
Traffic engineering
Refer to BRKMPL-2108 for more details
Big Picture Design

DCs connect using dark fiber, GRE, or
leased lines
The IGP used in the WAN core is separate
DCs peer to the WAN core using eBGP
Inter-AS option C
Only feed infra routes to WAN Core
VPN exchanged between RRs at
each DC
Advantages:
Scale & Flexibility
IGP Isolation
Adding/removing DCs is seamless
High level of HA
R19
Host3
R20 Host4
Lab Topology FW2

R17
DC2
AS65002
R18
R9 R10
R2 R5
AS65000
WAN Core
R3
DC1 R1 SP
AS65001
FW1 R22
R6 R25 R12 Host5
R4
R14 R7
AS100
R11 R23
R8 R21
Host6
R13
R15
Host1 DC3 R24

AS65003
R16 Host2 FW3
Complete Your Online Session Evaluation
Please complete your Online
Session Evaluations after each
session
Complete 4 Session Evaluations &
the Overall Conference Evaluation
(available from Thursday) to receive
your Cisco Live T-shirt
All surveys can be completed via
the Cisco Live Mobile App or the
Dont forget: Cisco Live sessions will be available
Communication Stations for viewing on-demand after the event at
CiscoLive.com/Online
Presentation ID 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 14
Continue Your Education
Demos in the Cisco Campus
Walk-in Self-Paced Labs
Table Topics
Meet the Engineer 1:1 meetings
Q&A
Reference
Network Virtualization
Giving one physical network the ability to support multiple virtual networks
Separation between:
Line of business
Customers
App layers Alpha Network Cust2 Cust2
Virtual Network Virtual Network Virtual Network
Actual Physical Infrastructure

Virtual Routing Forwarding Instance (VRF) Defined
MPLS/IP Core
IP Switching to VPN/VRF users
MPLS/Tunnel Labels
and Route Targets
IP link
802.1q
VRF
VRF
VRF
Logical or Physical
PE Router Int
(Layer 3)
Background
Info
MPLS Technology Overview 2. In the Core:

1. At Ingress Edge:
Label imposition Label swapping or
Classify & Push switching
PE
Label(s) onto Forward using labels (not IP
P P
packets address); label indicates
PE service class and
destination
Label Edge Router
(LER) OR P P 3. At Egress Edge:
Provider Edge- PE Label disposition
PE PE Remove labels and forward
PE packets
Label Switch Router (LSR)
Customer Customer or P (Provider) router
A B
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
Label 20bits EXP S TTL-8bits
EXP = Class of Service: 3 Bits; S = Bottom of Stack; TTL = Time to Live
MPLS Inter-AS Use Cases
Cust1 Cust1
AS1 AS3
DC1 WAN
Core (AS2) DC2
Cust2 Cust2
Extend VPN services over multiple independently managed MPLS domains

Fast geographic service coverage expansion
Two MPLS VPN Providers peering to cover for a common customer base
Build MPLS VPN networks on original multi-domain network

IGP isolation with service continuity
Interconnect BGP confederations with different IGPs in the same AS
Two available as described in RFC 4364 :

Carrier Supporting Carrier (CSC)
Inter-Autonomous Systems (I-AS)
Extending MPLS with Inter-AS
Back-to-Back VRFs
ASBR1 (Option A)
ASBR2
MP-eBGP for VPNv4

AS #1 (Option B) AS #2
MPLS MPLS
Multihop MP-eBGP
PE11 between RRs PE22
(Option C)
MP-eBGP+Labels
CE1 CE2
VPN-R1 VPN-R2
Option C: Interesting since we offload the VPN routes from ASBRs

Deployment & Implementation Scenarios
Point to Point Tunneling : MPLS to MPLS over GRE
IP Network
MPLS MPLS
DC1 MPLSoGRE
DC2
PE1 P1 P2 PE2
IGP Label GRE Header IGP Label
VPN Label IGP Label VPN Label
IP Payload VPN Label IP Payload
IP Payload
IP WAN Transport
IPSEC Option for security
P to P Tunnel
Looks like an MPLS Link
Drawbacks:
Cumbersome with multiple sites (MPLSoMGRE is an alternate solution)
MTU
Big Picture: Using VDC or VRF Sandwich Design

VDC or VRF Sandwich Design
VDC-Agg VDC-Agg
Virtual firewalls assigned to VRF
by VLAN association
Active/Standby
One pair of physical or virtual firewall VRF B VRF C
per VRF
VRF A
Each firewall requires two VLANs;
inside and outside VDC-Sub-Agg VDC-Sub-Agg
Firewall in transparent or routed mode
Big Picture
Design: Firewall Placement w/Virtualization
Option1 CORE Option2
MPLS
LB
LB
Default Gateway
Spine Layer (N7k)
Default Gateway
Spine Layer (N7k)
F2e
FabricPath
FabricPath
Recommended Reading
Coming
Soon
2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 26
Thank You

LTRMPL 3102

Uploaded by

Copyright:

Available Formats

LTRMPL 3102

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

LTRMPL 3102

Uploaded by

Copyright:

Available Formats

Enterprise Network Virtualization

using IP and MPLS Technologies:

Export 3:3 VRF

VRF Import 3:3 No transitivity: imported

Central VRF imports routes for blue

IOS Zone Based Firewall

Big Picture Design

Lab Topology FW2

Host1 DC3 R24

R16 Host2 FW3

Virtual Network Virtual Network Virtual Network

Actual Physical Infrastructure

MPLS Technology Overview 2. In the Core:

Label 20bits EXP S TTL-8bits

EXP = Class of Service: 3 Bits; S = Bottom of Stack; TTL = Time to Live

Extend VPN services over multiple independently managed MPLS domains

Build MPLS VPN networks on original multi-domain network

Two available as described in RFC 4364 :

MP-eBGP for VPNv4

Option C: Interesting since we offload the VPN routes from ASBRs

Big Picture: Using VDC or VRF Sandwich Design

Firewall in transparent or routed mode

You might also like