Cisco CCIP MPLS Study Guide - James Reagan.pdf

Chapter 4 VPNs: An Overview

Answers to Review Questions

1. A. Point-to-point connections are expensive. VPNs emerged as a cheaper alternative with the same security and privacy.

2. D. The major overlay VPN topologies are full-mesh, partial-mesh, and hub-and-spoke.

3. C. Since most financial organizations have centralized resources that need to be accessed by remote branch offices, a hub-and-spoke topology is usually used for their networks.

4. A. To ensure optimal routing between sites, a full-mesh topology is the best alternative.

5. B. With overlay VPNs, a customer router is not aware of the service provider infrastructure.

6. C. Hands down, peer-to-peer VPNs require the most management to implement proper security.

7. A. With peer-to-peer VPNs, customer routers are aware of the service provider infrastructure because they peer with the service provider routers.

8. B. A shared router peer-to-peer VPN has the most security problems because different customers connect to the same router.

9. A. A peer-to-peer VPN ensures optimal traffic flow. To implement optimal traffic flow between sites with an overlay VPN, a full-mesh topology is required.

10. C. A hub-and-spoke topology, with the least number of VCs, is the least expensive of all overlay VPNs to implement.

11. C. IPSec and GRE are Layer 3 VPN technologies.

12. D. ISDN is a Layer 1 VPN technology. Other technologies at Layer 1 are E1, T1, and SONET.

13. A. In an intranet, sites from the same company or organization are connected in a single network.

14. B. An extranet is when sites from different companies or organizations are connected.

Copyright ©2002 SYBEX, Inc., Alameda, CA

www.sybex.com


15. B. Frame Relay and ATM are Layer 2 VPN technologies. An additional technology at Layer 2 is X.25.

16. A. If you have the money, nothing beats a full-mesh topology for redundancy.

17. A. A dedicated router peer-to-peer VPN requires that each VPN have its own dedicated router used only for that VPN. Dedicated router peer-to-peer VPNs are the most expensive to implement.

18. C. A hub-and-spoke topology is often used by financial organizations because they usually have centralized resources that need to be accessed by remote branch offices.

19. B. In a peer-to-peer VPN, the service provider becomes responsible for routing protocol convergence.

20. A, D. The two ways to implement peer-to-peer VPNs are dedicated router and shared router.


Chapter 5: MPLS VPNs

CCIP MPLS EXAM TOPICS COVERED IN THIS CHAPTER:

Describe the major architectural blocks of MPLS VPN.

Describe the MPLS VPN routing model and packet forwarding.

Identify the IOS commands and their proper syntax used to configure virtual routing and forwarding tables.

Identify the IOS commands and their proper syntax used to configure Multi-Protocol BGP in MPLS VPN backbone.


Here in Chapter 5, I’ll begin to pull together all the information you’ve learned so far. This chapter starts with a walk-through of the configuration tasks required to configure an IGP, BGP between edge routers, and MPLS. MPLS VPNs are discussed from a 35,000-foot view. You’ll learn about the virtual routing and forwarding tables and about route distinguishers. You will also learn the ins and outs of their configuration.

There is a great deal of configuration required to make MPLS VPNs work. This chapter describes only the basic configuration required to get the network set up to support MPLS VPNs. What you learn in this chapter will be complemented by a discussion in Chapter 6, “MPLS VPNs and RIP,” of routing inside MPLS VPNs and several configuration exercises.

Pay close attention to the configuration commands for MPLS, MP-BGP, and MPLS VPNs discussed in this chapter. Take things slow. This chapter gets you ready for the full-blown end-to-end service provider implementation described in Chapter 6.

Service Provider Configuration

Before talking about MPLS VPNs, let’s put all the pieces together.

MPLS VPNs are an add-on service to an already-up-and-functioning MPLS network.

To start with, you’ve already been exposed to everything necessary to configure a simple network for MPLS support. You may remember a few things from previous chapters. The service provider network runs an IGP (such as OSPF or IS-IS) on all provider devices. BGP is configured only on the network’s edge.


The reason you’re doing all the configuration in this chapter is so that you’re aware of all the technologies running in the background that make an MPLS network really work. The next section of this chapter talks about configuring MPLS VPNs in a service provider network where MPLS is already set up.

So, let’s get to the service provider network configuration. Figure 5.1 illustrates a simple network with just the service provider devices.

FIGURE 5.1 A simple service provider network

[Figure: PE1 (Serial 0/0) connects to P1 (Serial 0/0); P1 (Serial 0/1) connects to P2 (Serial 0/0); P2 (Serial 0/1) connects to PE2 (Serial 0/0).]

Table 5.1 lists the IP addresses and interfaces of all the service provider devices in Figure 5.1.

TABLE 5.1 Service Provider IP Addressing

Device   Serial 0/0     Serial 0/1     Loopback 0
PE1      192.168.1.10   -              192.168.1.1
P1       192.168.1.9    192.168.1.14   192.168.1.2
P2       192.168.1.13   192.168.1.18   192.168.1.3
PE2      192.168.1.17   -              192.168.1.4

Assuming that you already know how to configure hostnames, bring interfaces up, assign IP addresses, and the like, the first task is to configure all the routing protocols. To avoid confusion with basic IGP routing, let’s use RIPv2 in this configuration example.

On router PE1, you configure RIPv2 with the following commands:

PE1#config t

PE1(config)#router rip

PE1(config-router)#version 2

PE1(config-router)#network 192.168.1.0


On router P1, you configure RIPv2 with the following commands:

P1#config t

P1(config)#router rip

P1(config-router)#version 2

P1(config-router)#network 192.168.1.0

On router P2, you configure RIPv2 with the following commands:

P2#config t

P2(config)#router rip

P2(config-router)#version 2

P2(config-router)#network 192.168.1.0

On router PE2, you configure RIPv2 with the following commands:

PE2#config t

PE2(config)#router rip

PE2(config-router)#version 2

PE2(config-router)#network 192.168.1.0

Now that you have an IGP up and running, the next thing you need to do is configure BGP on the PE routers.

On router PE1, you configure BGP with the following commands:

PE1#config t

PE1(config)#router bgp 1

PE1(config-router)#no synchronization

PE1(config-router)#network 192.168.1.1 mask 255.255.255.255

PE1(config-router)#neighbor 192.168.1.4 remote-as 1

PE1(config-router)#neighbor 192.168.1.4 update-source Loopback0

PE1(config-router)#no auto-summary

PE1(config-router)#redistribute static

On router PE2, you configure BGP with the following commands:

PE2#config t

PE2(config)#router bgp 1

PE2(config-router)#no synchronization

PE2(config-router)#network 192.168.1.4 mask 255.255.255.255

PE2(config-router)#neighbor 192.168.1.1 remote-as 1

PE2(config-router)#neighbor 192.168.1.1 update-source Loopback0

PE2(config-router)#no auto-summary

PE2(config-router)#redistribute static


Now that all the routing protocols are in place, the final task is to enable MPLS on PE1, P1, P2, and PE2.

On PE1, you configure MPLS for Serial 0/0 only with the following commands:

PE1#config t

PE1(config)#ip cef

PE1(config)#mpls ip

PE1(config)#interface serial 0/0

PE1(config-if)#mpls ip

On P1, you configure MPLS for both Serial 0/0 and Serial 0/1 with the following commands:

P1#config t

P1(config)#ip cef

P1(config)#mpls ip

P1(config)#interface serial 0/0

P1(config-if)#mpls ip

P1(config-if)#exit

P1(config)#interface serial 0/1

P1(config-if)#mpls ip

On P2, you configure MPLS for both Serial 0/0 and Serial 0/1 with the following commands:

P2#config t

P2(config)#ip cef

P2(config)#mpls ip

P2(config)#interface serial 0/0

P2(config-if)#mpls ip

P2(config-if)#exit

P2(config)#interface serial 0/1

P2(config-if)#mpls ip

On PE2, you configure MPLS for Serial 0/0 only with the following commands:

PE2#config t

PE2(config)#ip cef

PE2(config)#mpls ip

PE2(config)#interface serial 0/0

PE2(config-if)#mpls ip


So you can see from these sets of commands that setting up MPLS is pretty easy: an IGP on all routers, BGP on the edge routers, and MPLS configured globally and then specified for an interface. Piece of cake, eh?
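The checklist in the paragraph above (an IGP on every router, BGP on the edge routers only, MPLS enabled globally and on the listed serial interfaces) can be verified mechanically, which also catches label switching left enabled on an interface that was never meant to carry it. The following Python audit is an added example, not code from the book: the PLAN table is taken from Figure 5.1 and Table 5.1, while the function names, the running-config style input (interface names written as Serial0/0), and the sample configs are assumptions constructed for illustration.

```python
# Added example: audit running-config text against this chapter's baseline.
PLAN = {  # from Figure 5.1 / Table 5.1: MPLS interfaces, iBGP peer (None on P routers)
    "PE1": ({"Serial0/0"}, "192.168.1.4"),
    "P1": ({"Serial0/0", "Serial0/1"}, None),
    "P2": ({"Serial0/0", "Serial0/1"}, None),
    "PE2": ({"Serial0/0"}, "192.168.1.1"),
}

def parse(config):
    """Map each top-level command to the indented sub-commands beneath it."""
    sections, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if not raw[0].isspace():
            current = raw.strip()
            sections[current] = []
        elif current is not None:
            sections[current].append(raw.strip())
    return sections

def audit(name, config):
    """Return the deviations from the chapter's setup for router `name`."""
    (mpls_ifs, peer), sec, findings = PLAN[name], parse(config), []
    if "ip cef" not in sec:
        findings.append("ip cef missing")
    if "version 2" not in sec.get("router rip", []):
        findings.append("RIPv2 not configured")
    labeled = {h.split()[1] for h, body in sec.items()
               if h.startswith("interface ") and "mpls ip" in body}
    findings += [f"mpls ip missing on {i}" for i in sorted(mpls_ifs - labeled)]
    findings += [f"mpls ip on unplanned interface {i}" for i in sorted(labeled - mpls_ifs)]
    bgp = next((b for h, b in sec.items() if h.startswith("router bgp ")), None)
    if peer is None:
        if bgp is not None:
            findings.append("BGP configured on a P router")
    elif bgp is None:
        findings.append("BGP missing on PE router")
    else:
        for want in (f"neighbor {peer} remote-as 1", f"neighbor {peer} update-source Loopback0"):
            if want not in bgp:
                findings.append(f"BGP: '{want}' missing")
    return findings

# Constructed samples: PE1 as built in the chapter, and a drifted P1.
PE1_OK = ("ip cef\ninterface Serial0/0\n mpls ip\nrouter rip\n version 2\n"
          " network 192.168.1.0\nrouter bgp 1\n neighbor 192.168.1.4 remote-as 1\n"
          " neighbor 192.168.1.4 update-source Loopback0\n")
P1_DRIFT = "ip cef\ninterface Serial0/0\n mpls ip\ninterface Serial0/1\nrouter rip\n version 2\nrouter bgp 1\n"
```

Calling audit("P1", P1_DRIFT) reports the missing `mpls ip` on Serial0/1 and the stray BGP process; audit("PE1", PE1_OK) returns an empty list.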

If you want to configure tag switching, you configure an IGP, BGP, and then tag switching on the same device. The commands to configure tag switching are described in the next few paragraphs.

On PE1, you configure tag switching for Serial 0/0 only with the following commands:

PE1#config t

PE1(config)#ip cef

PE1(config)#tag-switching advertise tags

PE1(config)#interface serial 0/0

PE1(config-if)#tag-switching ip

On P1, you configure tag switching for both Serial 0/0 and Serial 0/1 with the following commands:

P1#config t

P1(config)#ip cef

P1(config)#tag-switching advertise tags

P1(config)#interface serial 0/0

P1(config-if)#tag-switching ip

P1(config-if)#exit

P1(config)#interface serial 0/1

P1(config-if)#tag-switching ip

On P2, you configure tag switching for both Serial 0/0 and Serial 0/1 with the following commands:

P2#config t

P2(config)#ip cef

P2(config)#tag-switching advertise tags

P2(config)#interface serial 0/0

P2(config-if)#tag-switching ip

P2(config-if)#exit

P2(config)#interface serial 0/1

P2(config-if)#tag-switching ip

On PE2, you configure tag switching for Serial 0/0 only with the following commands:

PE2#config t

PE2(config)#ip cef
