Using MPLS/VPN for Policy Routing

1
Using MPLS/VPN for Policy Routing

• Walt Prue With Significant Help From Ken Lindahl
  and Jim Warner
• Sponsored by CENIC (Corporation for Education
  Network Initiatives in California

2
Introduction

• Cisco suggested MPLS/VPN as a possible solution
  to CENICs policy routing needs.
• CENIC needs to know if it will scale to the
  requirements of the network.

3
Agenda

• Define Problem
• Examine Ciscos ability to solve our problem
• Viability of Ciscos solution
• Junipers Compatibility with Ciscos MPLS/VPN

4
Overview

• Does it scale to 100,000 routes?
• Can the existing equipment be used?
• Can it be maintained?
• Can CENIC introduce technology with minimal
  disruption?
• Can Junipers play too?

5
Vocabulary

• MPLS (MultiProtocol Label Switching)
• VPN (Virtual Private Network)
• VRF (VPN Routing and Forwarding)
• PE (Provider Edge) router
• P (Provider) router
• CE (Customer Edge) router

6
MPLS

Exp
Label
S
TTL
IP
14
IP
P
IP
23
PE
IP
PE
17
IP
Tag in Tag out I/F out
1 55 4

14 23 2
P
7
MPLS Issues

• MPLS over ethernet
• MTU discovery
• TTL
• Traceroute Across MPLS Enabled Net
• MPLS and ATM

8
MPLS/VPN
PE
PE
10.1.1.1
134.1.17.1
ip vrf cust-a rd 1100 route-target export
1100 route-target import 1100
cust-a VRF
BGP Table
Route Nexthop
10.1.1.0 10.1.1.1
192.168.6.0 10.1.1.1
128.2.0.0 134.1.17.1
route RD
10.1.1.0 1100
128.1.0.0
192.168.6.0 1.100
9
Policy Routing on CENIC
ISP-B
ISP-A
Cisco
SB
CIT
SB Campus
CIT Campus
ESnet
UCLA Campus
UCLA
USC
USC Campus
10
Routing Connectivity Matrix
11
Ciscos MPLS/VPN

• Current rel. 12 software cant support 100,000
  routes
• Engine 1 gigabit ethernet ports couldnt support
  MPLS/VPN
• MPLS/VPN doesnt currently support multicast
• Cisco can forward MPLS traffic at near OC-12 line
  rates with engine 0 line cards
• A workaround solution exists for multicast and
  100,000 routes problem

12
Configuring and Maintaining MPLS/VPN

• Configuring and syntax was straight forward (see
  below)
• Troubleshooting was reasonable but a bit
  different than net engineers are used to
• Installing on existing network would be
  disruptive
• Each campus would need two logical ports for
  access to multicast and ISP service (use to
  reduce installation disruption )
• Cisco has MPLS/VPN Tools Available

13
Syntax (Global)
ip vrf VPN-A rd 521 route-target import
123341 route-target import 45561
route-target export 521 route-target import
521
14
Per CE I/F
interface serial0 ip vrf forarding VPN-A
ip address 10.1.2.3 255.255.255.0    
15
Per Trunk I/F
interface serial4/0/0 ip mpls mpls
label-distribution ldp ip address 1.2.3.4
255.255.255.0 Or globally as mpls label
protocol ldp
16
Routing
router bgp 11422 no bgp default ipv4-unicast
neighbor 2.3.4.5 remote-as 11422 neighbor
2.3.4.5 update-source loopback0 ...  
17
Routing (cont.)
address-family ipv4 vrf VPN-A neighbor 1.2.3.4
remote-as 52 neighbor 1.2.3.4 activate no
auto-summary no syncronization
exit-address-family   address-family vpnv4
neighbor 2.3.4.5 activate neighbor 2.3.4.5
send-community extended exit address-family
18
Junipers and MPLS/VPN

• Compatible if LDP used instead of TAG
  distribution
• A bit more complex to configure
• Can handle 200,000 routes
• Can forward at OC-12 Line Rates

19
Summary

• MPLS/VPN can be used to solve our policy routing
  problems
• Ciscos cant do MPLS/VPN with full routes or
  supporting multicast today
• With a modified network design MPLS/VPN may be
  our solution

20
Where to Get More Information

• RFC2547 BGP/MPLS VPNs
• RFC 3031 Muliprotocol Label Switching
  Architecture
• MPLS and VPN Architectures Cisco Press
• Juniper Documentation CD-ROM Release 5.0