Introduction to Cisco MPLS VPN Technology

VPNSC: MPLS Solution is a scalable, provider-focused VPN technology that allows service providers to plan, provision, and manage for IP VPN services according to a customer's service level agreement. This product complements Cisco's MPLS-based VPN solutions by simplifying the provisioning, service assurance, and billing processes, thereby reducing the cost of deploying and operating VPN services. VPNSC: MPLS Solution does not contain a billing application, but the product enables billing by providing the usage data on services that a billing engine can process.

Using the VPN Solutions Center (VPNSC) software, service providers can do the following:

• Provision IP-based MPLS VPN services

• Generate audit reports for service requests

• Perform data collection to measure SLA performance

• Evaluate service usage for each VPN

The set of IP addresses used in a VPN, however, must be exclusive of the set of addresses used in the provider network. Every CE must be able to address the PEs to which it is directly attached. Thus, the IP addresses of the PEs must not be duplicated in any VPN.

This simple view of the customer's network is the advantage of employing VPNs: the customer experiences direct communication to their sites as though they had their own private network, even though their traffic is traversing a public network infrastructure and they are sharing that infrastructure with other businesses.

About PEs

• A platform for rapid deployment of additional value-added IP services, including intranets, extranets, voice, multimedia, and network commerce

• Privacy and security equal to Layer-2 VPNs by constraining the distribution of a VPN's routes to only those routers that are members of that VPN, and by using MPLS for forwarding

• Seamless integration with customer intranets

• Increased scalability with thousands of sites per VPN and hundreds of thousands of VPNs per service provider

• IP Class of Service (CoS) with support for multiple classes of service within a VPN, as well as priorities among VPNs

• Easy management of VPN membership and rapid deployment of new VPNs

• Scalable any-to-any connectivity for extended intranets and extranets that encompass multiple businesses

In MPLS VPN, a VPN generally consists of a set of sites that are interconnected by means of an MPLS provider core network, but it is also possible to apply different policies to different systems that are located at the same site. Policies can also be applied to systems that dial in; the chosen policies would be based on the dial-in authentication processes.

A given set of systems can be in one or more VPNs. A VPN can consist of sites (or systems) that are all from the same enterprise (intranet), or from different enterprises (extranet); it may consist of sites (or systems) that all attach to the same service provider backbone, or to different service provider backbones.

MPLS-based VPNs are created in Layer 3 and are based on the peer model, which makes them more scalable and easier to build and manage than conventional VPNs. In addition, value-added services, such as application and data hosting, network commerce, and telephony services, can easily be targeted and deployed to a particular MPLS VPN because the service provider backbone recognizes each MPLS VPN as a secure, connectionless IP network.

• Multiprotocol Border Gateway Protocol-Multiprotocol (MP-BGP) extensions are used to encode customer IPv4 address prefixes into unique VPN-IPv4 Network Layer Reachability Information (NLRI) values.

• Extended MP-BGP community attributes are used to control the distribution of customer routes.

• Each customer route is associated with an MPLS label, which is assigned by the provider edge router that originates the route. The label is then employed to direct data packets to the correct egress customer edge router.

  When a data packet is forwarded across the provider backbone, two labels are used. The first label directs the packet to the appropriate egress PE; the second label indicates how that egress PE should forward the packet.

• Multiprotocol Border Gateway Protocol-Multiprotocol (MP-BGP) between PEs carries CE routing information

• Route filtering based on the VPN route target extended MP-BGP community attribute

• MPLS forwarding carries packets between PEs (across the service provider backbone)

• Each PE has multiple VPN routing and forwarding instances (VRFs)

While the basic unit of interconnection is the site, the MPLS VPN architecture allows a finer degree of granularity in the control of interconnectivity. For example, at a given site, it may be desirable to allow only certain specified systems to connect to certain other sites. That is, certain systems at a site may be members of an intranet as well as members of one or more extranets, while other systems at the same site may be restricted to being members of the intranet only.

A CE router can be in multiple VPNs, although it can only be in a single site. When a CE router is in multiple VPNs, one of these VPNs is considered its primary VPN. In general, a CE router's primary VPN is the intranet that includes the CE router's site. A PE router may attach to CE routers in any number of different sites, whether those CE routers are in the same or in different VPNs. A CE router may, for robustness, attach to multiple PE routers. A PE router attaches to a particular VPN if it is a router adjacent to a CE router that is in that VPN.

MPLS VPNs remain unaware of one another. Traffic is separated among VPNs using a logically distinct forwarding table and RD for each VPN. Based on the incoming interface, the PE selects a specific forwarding table, which lists only valid destinations in the VPN. To create extranets, a provider explicitly configures reachability among VPNs.

The forwarding table for a PE contains only address entries for members of the same VPN. The PE rejects requests for addresses not listed in its forwarding table. By implementing a logically separate forwarding table for each VPN, each VPN itself becomes a private, connectionless network built on a shared infrastructure.

IP limits the size of an address to 32 bits in the packet header. The VPN IP address adds 64 bits in front of the header, creating an extended address in routing tables that classical IP cannot forward. MPLS solves this problem by forwarding traffic based on labels, so one can use MPLS to bind VPN IP routes to label-switched paths. PEs are concerned with reading labels, not packet headers. MPLS manages forwarding through the provider's MPLS core. Since labels only exist for valid destinations, this is how MPLS delivers both security and scalability.

When a virtual circuit is provided using the overlay model, the egress interface for any particular data packet is a function solely of the packet's ingress interface; the IP destination address of the packet does not determine its path in the backbone network. Thus, unauthorized communication into or out of a VPN is prevented.

In MPLS VPNs, a packet received by the backbone is first associated with a particular VPN by stipulating that all packets received on a certain interface (or subinterface) belong to a certain VPN. Then its IP address is looked up in the forwarding table associated with that VPN. The routes in that forwarding table are specific to the VPN of the received packet.

In this way, the ingress interface determines a set of possible egress interfaces, and the packet's IP destination address is used to choose from among that set. This prevents unauthorized communication into and out of a VPN.

• IP routing table

• Derived forwarding table, based on the Cisco Express Forwarding (CEF) technology

• A set of interfaces that use the derived forwarding table

• A set of routing protocols and routing peers that inject information into the VRF

Each PE maintains one or more VRFs. VPNSC software looks up a particular packet's IP destination address in the appropriate VRF only if that packet arrived directly through an interface that is associated with that VRF. The so-called "color" MPLS label tells the destination PE to check the VRF for the appropriate VPN so that it can deliver the packet to the correct CE and finally to the local host machine.

The VRF name for a hub: ip vrf Vx:[VPN_name]

The x parameter is a number assigned to make the VRF name unique.

For example, if we consider a VPN called Blue, then a VRF for a hub CE would be called:

ip vrf V1:blue 

A VRF for a spoke CE in the Blue VPN would be called:

ip vrf V1:blue-s

A VRF for an extranet VPN topology in the Green VPN would be called:

ip vrf V1:green-etc

Thus, you can read the VPN name and the topology type directly from the name of the VRF.

• A local VRF interface on a PE is not considered a directly-connected interface in a traditional sense. When you configure, for example, a Fast Ethernet interface on a PE to participate in a particular VRF/VPN, the interface no longer shows up as a directly-connected interface when you issue a show ip route command. To see that interface in a routing table, you must issue a show ip route vrf vrf_name command.

• The global routing table and the per-VRF routing table are independent entities. Cisco IOS commands apply to IP routing in a global routing table context. For example, show ip route, and other EXEC-level show commands—as well as utilities such as ping, traceroute, and telnet—all invoke the services of the Cisco IOS routines that deal with the global IP routing table.

• You can issue a standard Telnet command from a CE router to connect to a PE router. However, from that PE, you must issue the following command to connect from the PE to the CE:

  telnet CE_RouterName /vrf vrf_name

  Similarly, you can utilize the Traceroute and Ping commands in a VRF context.

• The MPLS VPN backbone relies on the appropriate Interior Gateway Protocol (IGP) that is configured for MPLS, for example, EIGRP, or OSPF. When you issue a show ip route command on a PE, you see the IGP-derived routes connecting the PEs together. Contrast that with the show ip route vrf VRF_name command, which displays routes connecting customer sites in a particular VPN.

Step	Command	Description
1	Router# configure terminal Router(config)#	Enter global configuration mode.
2	Router(config)# ip vrf vrf_name	For example, ip vrf CustomerA initiates a VPN routing table and an associated CEF table named CustomerA. The command enters VRF configuration submode to configure the variables associated with the VRF.
3	Router(config-vrf)# rd RD_value	Enter the eight-byte route descriptor (RD) or IP address. The PE prepends the RD to the IPv4 routes prior to redistributing the route into the MPLS VPN backbone.
4	Router(config-vrf)# route-target import | export | both community	Enter the route-target information for the VRF.

The MPLS label is part of a BGP routing update. The routing update also carries the addressing and reachability information. When the RD is unique across the MPLS VPN network, proper connectivity is established even if different customers use non-unique IP addresses.

For the RD, every CE that has the same overall role should use a VRF with the same name, same RD, and same RT values. The RDs and RTs are only for route exchange between the PEs running BGP. That is, for the PEs to do MPLS VPN work, they have to exchange routing information with more fields than usual for IPv4 routes; that extra information includes (but is not limited to) the RDs and RTs.

The route distinguisher values are chosen by the VPNSC: MPLS Solution software.

• CEs with hub connectivity use bgp_AS:value.

• CEs with spoke connectivity use bgp_AS:value + 1

Each spoke uses its own RD value for proper hub and spoke connectivity between CEs; therefore, the VPNSC: MPLS Solution software implements a new RD for each spoke that is provisioned.

VPNSC: MPLS Solution chooses route target values by default, but you can override those values if necessary.

• When a VPN route is injected into MP-BGP, the route is associated with a list of VPN route-target communities. Typically, this is set through an export list of community values associated with the VRF from which the route was learned.

• An import list of route-target communities is associated with each VRF. This list defines the values that should be matched against to decide whether a route is eligible to be imported into this VRF.

  For example, if the import list for a particular VRF is {A, B, C}, then any VPN route that carries community value A, B, or C is imported into the VRF.

The most common types of VPNs are hub-and-spoke and full mesh.

These two basic types of VPNs—full mesh and hub and spoke—can be represented with a single CERC.

Whenever you create a VPN, the VPNSC: MPLS Solution software creates one default CERC for you. This means that until you need advanced customer layout methods, you will not need to define new CERCs. Up to that point, you can think of a CERC as standing for the VPN itself—they are one and the same. If, for any reason, you need to override the software's choice of route target values, you can do this by editing the CERC definition, since this is where these values are stored.

To build very complex topologies, it is necessary to break down the required connectivity between CEs into groups, where each group is either fully meshed, or has a hub and spoke pattern. (Note that a CE can be in more than one group at a time, so long as each group has one of the two basic patterns.) Each subgroup in the VPN needs its own CERC. Any CE that is only in one group just joins the corresponding CERC (as a spoke if necessary). If a CE is in more than one group, then you can use the Advanced Setup choice during provisioning to add the CE to all the relevant groups in one service request. Given this information, the provisioning software does the rest, assigning route target values and VRF tables to arrange exactly the connectivity the customer requires. You can use the Topology tool to double-check the CERC memberships and resultant VPN connectedness.

VPNSC: MPLS Solution supports multiple CEs per site and multiple sites connected to the same PE. Each CERC has unique route targets (RT), route distinguisher (RD) and VRF naming. After provisioning a CERC, it is a good idea to run the audit reports to verify the CERC deployment and view the topologies created by the service requests. The product supports linking two or more CE routing communities in the same VPN.

Hub and Spoke Considerations

Due to the current MPLS VPN implementation, you must apply a different RD for each spoke VRF. The MP-BGP selection process applies to all the routes that have to be imported into the same VRF plus all routes that have the same RD of such a VRF. Once the selection process is done, only the best routes are imported. In this case this can result in a best route which is not imported. Thus, customers must have different RDs per spoke-VRF.

Full Mesh Considerations

The routers in the cable network are as follows:

• Provider (P) router—Routers in the MPLS core of the service provider network. P routers run MPLS switching, and do not attach VPN labels (MPLS labels in each route assigned by the PE router) to routed packets. VPN labels direct data packets to the correct egress router.

• Provider Edge (PE) router—A router that attaches the VPN label to incoming packets based on the interface or subinterface on which they are received. A PE router attaches directly to a CE router. In the MPLS-VPN approach, each Cisco uBR72xx series router acts as a PE router.

• Customer (C) router—A router in the ISP or enterprise network.

• Customer Edge (CE) router—Edge router on the ISP's network that connects to the PE router on the MSO's network. A CE router must interface with a PE router.

• Cable CE—The cable CE is an object with the VPN Solutions Center only. In the VPN Solutions Center software, the cable CE represents the cable modem and its associated hosts for a particular site.

• Management CE (MCE) router—The MCE emulates the role of a customer edge router (CE), but the MCE is in provider space and serves as a network operations center gateway router. The network management subnet is connected to the Management CE (MCE). The MCE is part of a management site as defined in the VPNSC: MPLS Solution software.

• Management PE (MPE) router—The MPE emulates the role of a PE in the provider core network. The MPE connects the MCE to the provider core network. An MPE can have a dual role as both a PE and the MPE.

The shared cable plant supports Internet connectivity from ISP A to its subscribers and from ISP B to its subscribers.

• Real-time response to system events

• Local caching of system data

• Synchronization of one or more tasks to create a process flow

While executing, the Cisco VPN Solutions Center software publishes events at the following times:

• Each time an element is created, modified, or destroyed in any of the four VPN Solutions Center repositories

• Each time a scheduled task begins or ends its execution

• When a Watchdog event signals a change in execution status for any VPN Solutions Center server

Each event contains identifying information that appropriately corresponds with the event type. The ESS is supported by the following:

• Event Gateway server

• Cisco Event Gateway Callback interface (in the CiscoEventGateway.idl file)

• TIB®/Rendezvous software

For details on this feature, refer to "Part 5, Using the Event Subscription Service" in the Cisco VPN Solutions Center: MPLS Solution API Programmer Guide.

There is no practical limit to the number of clients the Event Gateway server can support. Within the scope of each client, the Event Gateway server can support the Event Gateway Callback objects that subscribe to subjects of interest, which are events generated during the execution of the VPN Solutions Center software.

The Event Gateway Server complements the APIs that VPN Solutions Center provides to enable third party software access to VPNSC data. The TIB/Rendezvous software is the means by which VPNSC signals the occurrences of significant events within VPNSC (for example, the beginning and ending of tasks, the completion of data processing, and so on). If your third party software has special requirements, such as real-time notification of events within VPNSC software, you can use the Event Subscription Service to subscribe to those events.

• Supporting dedicated bandwidth

• Improving loss characteristics

• Avoiding and managing network congestion

• Setting traffic priorities across the network

To properly deploy QoS, enforcement of QoS measurements and policies must be in place throughout the network, from the first internetwork forwarding device (such as a Layer 2 switch or router) to the last device that front-ends the ultimate IP destination station. QoS requires an end-to-end approach because it requires mechanisms both at the edge and in the core.

To service providers, QoS is desirable because it has the potential of helping them support many types of traffic (data, voice, and video) over the same network infrastructure. It allows them to offer business-quality IP VPN services, and the end-to-end service level agreements (SLAs) that customers demand.

In an MPLS VPN environment, the service provider must consider both packet and cell routers. In a packet environment, MPLS Class of Service is fairly straightforward. A PE simply copies the IP precedence to the MPLS Class of Service field. The CoS field can then be used as input to Weighted Random Early Detection (WRED), as well as Weighted Fair Queuing (WFQ). The challenge is to provide MPLS CoS in environments where PEs are connected to ATM. Class of Service is more involved on ATM interfaces and within the ATM PEs themselves. QoS is discussed in-depth in other resources available from Cisco. The emphasis in this section is to investigate differentiated services in MPLS intranet and extranet VPN environments.

In mega-scale VPNs, applying QoS on a flow-by-flow basis is not practical because of the number of IP traffic flows in carrier-sized networks. The key to QoS in large-scale VPNs is implementing controls on a set of service classes that applications are grouped into. For example, a service provider network may implement three service classes: a high-priority, low-latency "premium" class; a guaranteed-delivery "mission-critical" class; and a low-priority "best-effort" class. Each class of service is priced appropriately, and subscribers can buy the mix of services that suits their needs. For example, subscribers may wish to buy guaranteed-delivery, low-latency service for their voice and video conferencing applications, and best-effort service for e-mail traffic and bulk file transfers.

Because QoS requires intensive processing, the Cisco model distributes QoS duties between the PEs and core routers. This approach assumes a lower-speed, high-touch edge and a high-speed, lower-touch core for efficiency and scalability.

The customer can initially "paint" the packets that leave the customer edge router (heading to the PE), and VPNSC: MPLS Solution allows policing or repainting of packets that enter the provider edge router.

GTS smooths out bandwidth peaks by class of service. GTS shapes by looking at bandwidth (for example, 40 kbps for "gold," or best of service), and uses a buffering technique for handling excess (or out-of-contract) traffic. GTS is useful as a tool to protect the link between the PE and CE by limiting bursty traffic that exits the CE.

Generic Traffic Shaping can take place on the CE's egress subinterface for traffic shaping and on the PE's egress subinterface for congestion management.

VPNSC: MPLS Solution has the option to apply traffic shaping to either a) in-contract and out-of-contract packets leaving the CE interface, or b) out-of-contract traffic flow exiting the CE interface. GTS is provisioned so that traffic does not exceed a specified bandwidth and performs burst traffic control for the PE-CE link.

The out-of-contract bandwidth is, by default, equal to the in-contract bandwidth. You have the option to allow the out-of-contract bandwidth to be set to a percentage of the in-contract bandwidth. VPNSC: MPLS Solution also allows the application of adaptive traffic shaping for Frame Relay; the traffic shaping responds to Frame Relay traffic congestion control.

WRED is designed to avoid congestion in internetworks before it becomes a problem. It leverages the flow monitoring capabilities of TCP. It monitors traffic load at points in the network and discards packets if the congestion begins to increase. The result is that the source detects the dropped traffic and slows its transmission. WRED interacts with other QoS mechanisms to identify class of service in packet flows. It selectively drops packets from low-priority flows first, ensuring that high-priority traffic gets through. WRED is supported on the same interface as WFQ. You should run both of these queueing algorithms on every interface where congestion is likely to occur. In the service provider core, apply WRED by IP precedence and WFQ by service class.

Weighted Fair Queuing (WFQ) employs a differential scheduling policy that results in packets of different classes getting different amounts of link bandwidth during outbound congestion. WFQ is the differentially-oriented counterpart to a first-in, first-out (FIFO) scheduling policy.

WFQ ensures that queues are not starved for bandwidth and that traffic achieves predictable service so that mission-critical traffic receives highest priority to ensure guaranteed delivery and latency. Lower-priority traffic streams share the remaining capacity proportionally among them. The WFQ algorithm also addresses the problem of round-trip delay variability. If multiple high-volume conversations are active, their transfer rates and inter-arrival periods are made much more predictable. Algorithms such as the Transmission Control Protocol (TCP) congestion control and slow-start features are much enhanced by WFQ. The result of WFQ is more predictable throughput and response time for each active flow.

WFQ is IP precedence-aware; that is, it is able to detect higher priority packets marked with precedence by the IP forwarder and schedule them faster, providing superior response time for this traffic. The IP precedence field has values between 0 (the default) and 7. As the precedence value increases, the algorithm allocates more bandwidth to that conversation to make sure that it gets served more quickly when congestion occurs. WFQ assigns a weight to each flow, which determines the transmit order for queued packets. It provides the ability to reorder packets and control latency at the edge and in the core. By assigning different weights to different service classes, a switch can manage buffering and bandwidth for each service class. This mechanism constrains delay bounds for time-sensitive traffic such as voice or video.

Service providers can tailor each class to the specific service needs of their customers. For example, a service provider can offer a "Gold class" for voice traffic. Here, a large bandwidth allocation policy ensures that sufficient bandwidth is available for all the cells in the voice queue while a moderately-sized buffer limits the potential cell delay. Since these shares are relative weights, allocating a large share to gold means that a minimum is guaranteed. If the gold class is under utilized, the bandwidth is shared by the remaining classes in proportion to their weights. This ensures maximum efficiency and that paying customer traffic is sent if bandwidth is available.

Because of their unidirectional nature, flows from a client to a server are differentiated from flows from the server to a client. Flows are also differentiated on the basis of protocol. For example, Hypertext Transfer Protocol (HTTP) Web packets from a source device to a destination device constitute a separate flow from File Transfer Protocol (FTP) packets between the same pair of devices.

NetFlow works by recording the initial IP packet attributes in a flow such as IP protocol type, type of service (ToS), and interface identifiers. In this way, NetFlow enables subsequent packets that belong to the same flow to be efficiently matched and counted. Likewise, it streamlines services appropriate to that traffic flow, such as security filtering, quality of service (QoS) policy, or traffic engineering. This real-time information flow is held in the NetFlow Cache, where it can be retrieved with a NetFlow data export operation.

NetFlow FlowCollector 3.0 provides fast, scalable, and economical data collection from multiple NetFlow Export-enabled devices. A UNIX or Windows NT application, the FlowCollector reduces data volume through selective filtering and aggregation. The FlowCollector also stores flow information in flat files on disk for post-processing.