[c-nsp] Cisco 10K MPLS VPN

Oliver Boehmer (oboehmer) oboehmer at cisco.com
Fri Mar 28 03:01:36 EDT 2008


FAHAD ALI KHAN <mailto:fahad.alikhan at gmail.com> wrote on Friday, March
28, 2008 6:45 AM:

> Now im introducing Cisco products as PE only, to offer MPLS VPN
> services to Broadband clients...everything with cisco is going
> good....but this seems to be little bit scalability issue in our
> case....if we have to put static routes for each VPN route per tunnel
> (it will be a mess for me)....

Right, and I never mentioned any static VRF routes to remote CEs over
the tunnel (I never saw this being done, not sure it would work).
 
> than...autoroute announce is also not
> suitable...as it can disturb my IGP traffic flows.

Right. However: If the 10ks will terminate predominantly VPN customers
(and most of the traffic it sends is vpn traffic), you could deploy
autoroute-announce on the 10ks acting as TE headend. Or is this not the
case? Please bear in mind that autoroute is only acting locally, other
IGP nodes don't see the PE using the tunnel (this is different from
forwarding-adjacency, which would actually advertise the tunnel as link
in the IGP).

> Now u have given two options....and seems good....but can u share
> some sample configuration with scenario for the deployment of 1)  use
> a different BGP next-hop for your VPNv4 route (either via "bgp
> next-hop Loopback1" in the "ip vrf" definition in newer releases) 2)
> using a route-map, and point a static route to this next-hop over the
> tunnel.   
> 
> Kindly suggest the best option & that doesn't give us hard time in
> large scale deployment. Suggestion from other MPLS VPN service
> providers are also welcome. What are the BCP to fwd only VPN traffic
> to TE tunnels with the scalability in mind.

Well, I haven't come across such a scenario, most of the time only
selected VPNs had to be sent over a tunnel, while the default was to
follow IGP.

I don't have a config example stored, so let me make something up
(untested, but you should get the idea):

Assuming you have 4 remote PEs (PE2 through PE5). You allocate a
distinct Loopback1 on all of these nodes (10.0.0.2 through 10.0.0.5/32)
and configure 4 tunnels (Tunnel2 through Tunnel5) going to PE2-PE5. Then
add statics on PE1 pointing the individual Loopback over the respective
tunnel:

int tunnel2
 description vpn to PE2
 ip unnumbered Loopback0   ! <-- this is your TE ID
 tunnel destination <Loopback0-of-PE2>
 tunnel mode mpls traffic-eng  
 tunnel mpls traffic-eng path-option 10 <whatever-path>
 mpls ip         ! you need LDP on the tunnel
!
int tunnel3
 description vpn to PE3
 ip unnumbered Loopback0   ! <-- this is your TE ID
 tunnel destination <Loopback0-of-PE3>
 tunnel mode mpls traffic-eng  
 tunnel mpls traffic-eng path-option 10 <whatever-path>
 mpls ip         ! you need LDP on the tunnel
!
! .. and so on ..
! and then static routes
ip route 10.0.0.2 255.255.255.255 Tunnel2
ip route 10.0.0.3 255.255.255.255 Tunnel3
ip route 10.0.0.4 255.255.255.255 Tunnel4
ip route 10.0.0.5 255.255.255.255 Tunnel5

Repeat this on the other PEs accordingly. With this, you set up a full
mesh of tunnels between the PEs.


On each remote PE (PE2 through PE5), you now have the option of

a) selectively setting the next-hop for certain VRFs only using:

  ip vrf foo
   rd x:y
   ...
   bgp next-hop Loopback1

or

b) modifying the next-hop of all vpnv4 routes advertised over the tunnel
using a route-map on your iBGP vpnv4 connection to the route reflectors:

  router bgp ...
   address-family vpnv4
    neighbor <rr-address> activate
    neighbor <rr-address> send-community both
    neighbor <rr-address> route-map foo out
  
  route-map foo permit 10
   set ip next-hop <loopback1-address>


I guess this is as scalable as it gets, when you introduce a new PE, you
need to build new tunnels on all existing PEs, and add a static route.
But it is a TE design after all, which is always more complex than
regular IGP.

hope this helps..

	oli


> On Thu, Mar 20, 2008 at 12:46 PM, Oliver Boehmer (oboehmer)
> <oboehmer at cisco.com> wrote:
>
> 	Fahad,
>
> 	the only option you have is to use a different BGP next-hop for your
> 	VPNv4 route (either via "bgp next-hop Loopback1" in the "ip vrf"
> 	definition in newer releases), or using a route-map, and point a
> 	static route to this next-hop over the tunnel. This way, all VRFs
> 	configured this way will be sent over the tunnel, all other traffic
> 	will be sent via regular IGP shortest path. You need to run LDP over
> 	the tunnel for this to work so the headend will see the imp-null LDP
> 	for this next-hop.
>
> 	       oli
>
> 	> Oli
> 	>
> 	> autoroute announce will send all the traffic (IGP + VPN) towards
> 	> tunnel, where as i dont want to send IGP traffic but only VPN
> 	> traffic.
> 	>
> 	> Is there any way.....well u say static...management of static will
> 	> b a great hurdle in routing of 1000s of VPNs routes...
> 	>
> 	> Is there any solution, to this issue. As Juniper by default select
> 	> RSVP tunnel as the next-hop if BGP next-hop is also the same for
> 	> the VPN route and it seems to be pretty simple & straight forward.
> 	>
> 	> All the suggestions will be welcome.
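
The full-mesh layout from the reply above, as an added example that is not part of the original mail: a small Python generator that emits the per-headend tunnel and static-route lines and counts the tunnels the mesh needs. The PE1 entry, the Loopback0 addresses and the function names are assumptions; the IOS lines and the `<whatever-path>` placeholder are the ones shown in the mail.

```python
import ipaddress

# Constructed inventory: (Loopback0 / TE ID, Loopback1). Loopback0 values are
# sample addresses; Loopback1 for PE2-PE5 follows the 10.0.0.x scheme in the mail.
PES = {
    "PE1": ("192.0.2.1", "10.0.0.1"),
    "PE2": ("192.0.2.2", "10.0.0.2"),
    "PE3": ("192.0.2.3", "10.0.0.3"),
    "PE4": ("192.0.2.4", "10.0.0.4"),
    "PE5": ("192.0.2.5", "10.0.0.5"),
}

def validate(pes):
    """Loopback1 must be distinct per PE and must not reuse any Loopback0."""
    lo0 = {ipaddress.ip_address(a) for a, _ in pes.values()}
    lo1 = [ipaddress.ip_address(b) for _, b in pes.values()]
    if len(set(lo1)) != len(lo1):
        raise ValueError("Loopback1 addresses must be distinct")
    if lo0 & set(lo1):
        # a /32 static for a Loopback0 would steer that node's other traffic too
        raise ValueError("Loopback1 must not reuse a Loopback0 address")

def headend_config(local, pes):
    """One tunnel and one /32 static per remote PE, tunnels first, then statics."""
    validate(pes)
    tunnels, statics = [], []
    for remote in sorted(pes, key=lambda p: int(p[2:])):
        if remote == local:
            continue
        n = int(remote[2:])  # PE2 -> Tunnel2, as in the mail
        lo0, lo1 = pes[remote]
        tunnels += [
            f"interface Tunnel{n}",
            f" description vpn to {remote}",
            " ip unnumbered Loopback0",
            f" tunnel destination {lo0}",
            " tunnel mode mpls traffic-eng",
            " tunnel mpls traffic-eng path-option 10 <whatever-path>",
            " mpls ip",
            "!",
        ]
        statics.append(f"ip route {lo1} 255.255.255.255 Tunnel{n}")
    return tunnels + statics

def mesh_tunnels(pes):
    """Unidirectional TE tunnels in a full mesh of the given PEs."""
    return len(pes) * (len(pes) - 1)

if __name__ == "__main__":
    print("\n".join(headend_config("PE1", PES)))
```

Adding a sixth PE to this inventory raises `mesh_tunnels` from 20 to 30: five tunnels on the new node and one new tunnel plus one static on each existing PE.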

