MPLS Enterprise Switching - lvk.cs.msu.sulvk.cs.msu.su/~vbabernov/BRKMPL-1102.pdf · MPLS Enterprise Switching Product Update and Designs Sankar Venkat Product Manager ... MP-BGP

MPLS Enterprise Switching Product Update and Designs

Sankar Venkat Product Manager

Minhaj Uddin Technical Marketing Engineer

Session ID : BRKMPL-1102

• Introduction

• Segmentation in Enterprise

• MPLS Designs for Enterprise

• MPLS Product Update

• MPLS Configurations

• Q&A

• Summary

Agenda

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public

Session Goals

This session will focus on MPLS for

Campus Switching network deployments.

At the end of the session, the participants should:

Understand different Segmentation Options

Understand the building blocks of MPLS in Enterprise

Understand different MPLS designs and use cases

Understand the different product options for MPLS design

Understand typical configurations for MPLS in Enterprise

BRKMPL-1102 4


MPLS Enterprise Requirements• A unique Standards Based Segmentation Technology across LAN-WAN

• Enterprise/Campus Segmentation

• L3 VPN (IPv4), L3 VPN(IPv6)

• L2 VPN (EoMPLS)

• Multicast VPN (MVPN)

• Data Center Interconnect/Inter Campus Connect over WAN

• L2 Extensions with EoMPLS

• Pseudowires, VPLS, H-VPLS, Advanced VPLS

• MPLS Services with Netflow, QoS, Multicast

• Multi-tenancy / Dual Homing

• Traffic Engineering, High Availability/Fast Reroute

Basic MPLS Features

Advanced MPLS Features

BRKMPL-1102 5


Network Virtualization with MPLS

Access Core Access

SP Network

L2 L3 (MPLS) L2

L3 (MPLS) L3 (MPLS) L3 (MPLS)

Internet

Enterprise WAN

(MPLS)

Bay Area DC AsiaPac DC

Washington DC

MPLS CorePE

A

BPE

CECE

Mirror

Mirror

Data Center Backup

Data Center

Campus

MPLS

(L2 VPN)

Storage

L2 VPN

DC Interconnect

Branch to DC

Connectivity

A

B

Enterprise Segmentation Data Center

Service ProviderEnterprise WAN Edge

BRKMPL-1102 6

Segmentation in Enterprise


Factors for Network Segmentation Unique security policies per logical domain

Traffic isolation per application, group, service etc…

Logically separate traffic using one physical infrastructure

Virtual

“Private”

Network

Merged Company

Virtual Network

Isolated Services

Virtual Network

Guest Access

Virtual Network

Actual Physical InfrastructureBRKMPL-1102 8


Merged Company

Virtual Network

Isolated Services

Virtual Network

Guest Access

Virtual Network

Actual Physical Infrastructure

Network Segmentation Benefits Service isolation

– Telephony systems, badging, building control, surveillance

– Security policies are unique to each virtual group/service

Meet regulatory compliance requirements

– HIPAA

– PCI

– SOX

– etc…

Low

Security

Medium

Security

High

Security

BRKMPL-1102 9


Line of business Payment Card Industry Hospital Network

Bring-Your-Own-Device (BYOD) Mergers and Acquisitions Multi-Tenancy

POS

Network Other

NetworkDoctor Staff

Medical Device

Network Segmentation Use Cases

INTERNET

HRFinance

Sales

Partner

BRKMPL-1102 10


• VLAN/VRF-Lite Based Segmentation• Policy enforcement is done using ACLs and

Firewall rules• CLI based Manageability

• L2/L3 VPN Based Logical Segmentation• MPLS labels used to identify and create

traffic isolation between the groups• CLI based Manageability

Segmentation Options in Enterprise

Traditional Segmentation MPLS Based Segmentation

Endpoints

VPN

VPN

VPN

VPN

VPN

• User/Device Group Based Segmentation

• Secure Group Tags (SGT) used to create user / device group policies

• Cisco ISE based Manageability

Trustsec Based Segmentation

SGT

SGT

SGT

Endpoints

Cisc

o ISE

SGT

SGT

Endpoints

Voice VLAN Data VLAN Guest VLAN

BRKMPL-1102 11


Access Layer

Enterprise

Backbone

Voice

VLAN

Voice

Data

VLAN

Employee

Aggregation Layer

Supplier

Guest

VLAN

BYOD

BYOD

VLAN

Non-Compliant

Quarantine

VLAN

VACLLimitations of Traditional Segmentation

• Security Policy based on Topology

• Not Scalable

• Complex provisioning

• No notion of User/Device Group

Applications

access-list 102 deny udp 167.160.188.162 0.0.0.255 gt 4230 248.11.187.246 0.255.255.255 eq 2165access-list 102 deny udp 32.124.217.1 255.255.255.255 lt 907 11.38.130.82 0.0.31.255 gt 428access-list 102 permit ip 64.98.77.248 0.0.0.127 eq 639 122.201.132.164 0.0.31.255 gt 1511access-list 102 deny tcp 247.54.117.116 0.0.0.127 gt 4437 136.68.158.104 0.0.1.255 gt 1945access-list 102 permit icmp 136.196.101.101 0.0.0.255 lt 2361 90.186.112.213 0.0.31.255 eq 116access-list 102 deny udp 242.4.189.142 0.0.1.255 eq 1112 19.94.101.166 0.0.0.127 eq 959access-list 102 deny tcp 82.1.221.1 255.255.255.255 eq 2587 174.222.14.125 0.0.31.255 lt 4993access-list 102 deny tcp 103.10.93.140 255.255.255.255 eq 970 71.103.141.91 0.0.0.127 lt 848access-list 102 deny ip 32.15.78.227 0.0.0.127 eq 1493 72.92.200.157 0.0.0.255 gt 4878access-list 102 permit icmp 100.211.144.227 0.0.1.255 lt 4962 94.127.214.49 0.255.255.255 eq 1216access-list 102 deny icmp 88.91.79.30 0.0.0.255 gt 26 207.4.250.132 0.0.1.255 gt 1111access-list 102 deny ip 167.17.174.35 0.0.1.255 eq 3914 140.119.154.142 255.255.255.255 eq 4175access-list 102 permit tcp 37.85.170.24 0.0.0.127 lt 3146 77.26.232.98 0.0.0.127 gt 1462access-list 102 permit tcp 155.237.22.232 0.0.0.127 gt 1843 239.16.35.19 0.0.1.255 lt 4384

VLAN Based Segmentation

Classification

Static or Dynamic

VLAN assignments

Propagation

Carry “Segment”

context through the

network using VLAN,

IP address, VRF-Lite

Enforcement

IP Based Policies -

ACLs, Firewall Rules

BRKMPL-1102 12


Cisco TrustSec SegmentationSimplified segmentation with Group Based Policy

VLAN BVLAN A

Campus Switch

DC Switch

or Firewall

Application

Servers

ISE

Enterprise

Backbone

Enforcement

Campus Switch

Voice Employee Supplier Non-CompliantVoiceEmployeeNon-Compliant

Shared

Services

Employee Tag

Supplier Tag

Non-Compliant Tag

DC switch receives policy

for only what is connected

Classification

Static or Dynamic

SGT assignments

Propagation

Carry “Group” context

through the network

using only SGT

Enforcement

Group Based Policies

ACLs, Firewall Rules

BRKMPL-1102 13

• Introduction ✓

• Segmentation in Enterprise ✓

• MPLS Designs for Enterprise



• Q&A

• Summary

Agenda

MPLS Designs for Enterprise


Why choose MPLS in Enterprise ?

End-to-end solution – Campus, MAN, WAN, DC head-end

– Standards-based

Layer 3 VPN/Segmentation – IPv4 VPN

– Provides Any-to-Any connectivity

– Multicast VPN

Layer 2 VPN– Ethernet over MPLS

– Point-to-point “pseudo-wire”

– Multi-point – VPLS/H-VPLS

IPv6– 6VPE

– 6PE

MPLS Services– MPLS QoS

– MPLS over WAN

– Path Selection

– Traffic Engineering

– Node/Link Protection

– Fast-Re-Route(FRR)

– 50 msec switchover

BRKMPL-1102 16

MPLS Fundamentals ReCap


Device Virtualization

Physically one device

Logically many devices

– Control plane

– Data plane

Virtual devices

– Switch

– Router

– Firewall

VRF: Virtual Routing and Forwarding

VRF Green

VRF Red

VRF Blue

BRKMPL-1102 18


MPLS-VPN Terminology

PE (Provider Edge) router

– Imposes and removes MPLS labels

– Runs an IGP, LDP and MP-BGP

P (Provider) router

– Connects into the PE, Translates labels

– Runs an IGP and LDP

CE (Customer Edge) router

– Connects into the PE

Label Distribution Protocol (LDP)

– IGP to label binding

Multi-Protocol BGP

– Address-family support (IPv4, IPv6, multicast, etc…)

– Used for VRF route exchange

PPE P PE

LDP LDP LDP

MP-BGP

BRKMPL-1102 19


MPLS VPN packet format

4 Byte

IGP Label Original Packet

4 Byte

VPN Label

MPLS-VPNLabel Stack

P

PE

PE

PPE P PE

BRKMPL-1102 20


MPLS-VPN – Label Exchange

FIB

VRF RED

RT 1:1

Routing

Table

Router PE1

BGP

172.16.1.0172.16.1.0

FIB

VRF GRN

RT 1:2

Routing

Table172.17.1.0172.17.1.0

172.16.1.0

RT1:1

172.17.1.0

RT1:2

MP-BGP

OSPF

Routing

Table

FIB

LFIB

VRF RED

RT 1:1

Router PE4

BGP

FIB

Routing

Table 172.16.4.0

172.17.4.0

MP-BGP

OSPF

Routing

Table

FIB

LFIB

VRF GRN

RT 1:2

FIB

Routing

Table

OSPF

Routing

Table

FIB

LFIB

OSPF

Routing

Table

FIB

LFIB

Router

P2

Router

P3

172.16.1.0

RT1:1

172.17.1.0

RT1:2

172.16.1.0

172.17.1.0

172.16.1.0 RT=1:1 NH=PE1 VPN Label


IGP Label Exchange

PPE P PE

BRKMPL-1102 21


MPLS-VPN – Packet Flow

FIB

VRF RED

RT 1:1

Routing

Table

Router PE1

BGP

172.16.1.0172.16.1.0

FIB

VRF GRN

RT 1:2

Routing

Table172.17.1.0172.17.1.0

172.16.1.0

RT1:1

172.17.1.0

RT1:2

MP-BGP

OSPF

Routing

Table

FIB

LFIB

VRF RED

RT 1:1

Router PE4

BGP

FIB

Routing

Table 172.16.4.0

172.17.4.0

MP-BGP

OSPF

Routing

Table

FIB

LFIB

VRF GRN

RT 1:2

FIB

Routing

Table

OSPF

Routing

Table

FIB

LFIB

OSPF

Routing

Table

FIB

LFIB

Router

P2

Router

P3

172.16.1.0

RT1:1

172.17.1.0

RT1:2

172.16.1.0

172.17.1.0



4 Byte

IGP

Label Original Packet

4 Byte

VPN

Label

PPE P PE

BRKMPL-1102 22


Route-Target

– Identifier used for importing and exporting routes (64 bit)

Route Distinguisher

– Route attribute used to uniquely identify prefixes among VPNs (64 bits)

VPN-IPv4 addresses

– Includes the 64 bits Route Distinguisher and the 32 bits IP address

VPN-IPv6 addresses

– Includes the 64 bits Route Distinguisher and the 128 bits IP address

MPLS-VPN Terminology

BRKMPL-1102 23


MPLS-VPN - Routing and Switching

PPE P PECE CE

MPLS VPN

MPLS VPN

CE

Core

Access

Distribution PE

P

Campus

Switching

Routing

BRKMPL-1102 24

MPLS L3 VPN


MPLS L3 VPN Campus Segmentation Use CasesEnd to End Network Virtualization

Distribution

Core

Access

C3850

Distribution

Core

Access

C3850

Core

Access

Standard AccessRouted Access Collapsed Access

L3 VPN

L3 VPN

L3 VPN

BRKMPL-1102 26


MPLS L3 VPN for IPv4

MP-BGP

SITE B

PE/Distribution

IGP

SITE A

PE/Distribution

SITE C

PE/Distribution

SITE D

PE/Distribution

P/Core P/Core

CE/Access

CE/Access

CE/Access

CE/Access CE/Access

CE/Access

CE/Access

IPv4 VRF

BLUE

IPv4 VRF

RED

IPv4 VRF

GREEN

IPv4 VRF

RED

IPv4 VRF

RED

IPv4 VRF

GREEN

IPv4 VRF

BLUE

BRKMPL-1102 27


MPLS L3 VPN for IPv6 (6VPE)

MP-BGP

SITE B

6PE/Distribution

IGP

SITE A

6PE/Distribution

SITE C

6PE/Distribution

SITE D

6PE/Distribution

P/Core P/Core

CE/Access

CE/Access

CE/Access

CE/Access CE/Access

CE/Access

CE/Access

IPv4 VRF

BLUE

IPv6 VRF

RED

IPv4 VRF

GREEN

IPv6 VRF

RED

IPv6 VRF

RED

IPv4 VRF

GREEN

IPv4 VRF

BLUE

• IPv6 VPN Provider Edge(6VPE) over MPLS

• 6VPE is like a regular IPv4 MPLS VPN provider edge(PE), with the addition of IPv6 support within Virtual Routing and Forwarding (VRF).

• Provides logically separate routing table entries for VPN member devices for IPv4 & IPv6.

BRKMPL-1102 28


IPv6 over MPLS (6PE)

• P routers in the MPLS core are not IPv6 aware and just use IPv4 MPLS Control Plane

• PE routers are dual stack and use IPv4 MPLS Control Plane with the core, Native IPv6 with IPv6 routers

• P and PE routers share a common IPv4 IGP

• 6PE routers are MP-BGP4 capable

6PE

6PE

IPv6

6PE

6PE

MP-BGP

IPv6

v6

v6

IPv6

v6

v6

IPv6

P/Core P/Core

BRKMPL-1102 29


N * (N-1) / 2 = 8 * 7 / 2 = 28

iBGP requires a full mesh of neighbors

MPLS-VPNBGP Scalability – iBGP Neighbor Relationships

BRKMPL-1102 30


Route Reflector Route Reflector

MPLS-VPN Scale Considerations

BGP Scalability – Route Reflectors

Use “purpose-built” RRs

Don’t place RRs in data path

Geographically diverse

Non-transit devices

BRKMPL-1102 31

L2 VPNs


L2-VPN Basics

interface Loopback0ip address 192.168.0.2/32

interface Loopback0ip address 192.168.0.1/32

pseudowire

MPLS Label Ethernet PayloadMPLS Label

PW-ID

Ethernet

Header

MPLS Network

interface Ethernet0/0

no ip address

xconnect 192.168.0.1 123 encapsulation mpls

interface Ethernet0/0

no ip address


BRKMPL-1102 33


Virtual Private Lan Services (VPLS)

PE-1PE-2

CE-1CE-2

PE-3

• VPLS allows MPLS networks to offer Layer 2 Ethernet Services

• It provided Multipoint Ethernet service as compared to EoMPLS which is Point to Point

• Service Provider emulates an IEEE Ethernet bridge network.

• No routing interaction between Customer and Service Provider networks

• Virtual Bridges linked with virtual ports aka Pseudo Wires or PWs.

BRKMPL-1102 34


Hierarchical VPLS(H-VPLS) for VPLS Scaling

• Scales VPLS deployments

• Use Cases : Campus/DC Interconnect, DCI

N-PE1 N-PE2MPLS

CORE

DC1-CE

DC3-CE

DC2-CE.1q.1q

U-PE1

.1q.1q

U-PE2

N-PE3

BRKMPL-1102 35


Advanced Virtual Private LAN Service (A-VPLS)

• AVPLS built on top of VPLS infrastructure

• Simplifies VPLS configurations

• Enhances VPLS Load balancing & High Availability

• Use Cases: Campus/DC Interconnect, DCI

PE-1PE-2

CE-1CE-2

PE-3

VFI VFI

VFI

A-VPLS Multipoint Services

BRKMPL-1102 36


L2

IP

HeaderData

Ethernet

Header

MPLS

Label(s)

L3

CampusMPLS

L2 IP

HeaderData

Ethernet

Header

MPLS

Label(s)

Tunnel

L3 Transport

Point-to-point

– MPLS over GRE

Other MPLS Transport Options

Multipoint

– MPLS-VPN over mGRE

– MPLS over DMVPN

BRKMPL-1102 37

MPLS-VPN over mGRE


MPLS VPN over mGRE

GRE Header

VPN Label

src add

dst add

data

src add

dst add

data

src add

dst add

data

IP

CE1 CE2

PE1

¥

PE2

IPv4 Route Exchange IPv4 Route Exchange

VRFVRF

• VPN traffic forwarded by PEs using separate routing instance (VRFs)

• GRE header and VPN label imposed on VPN traffic

• Packets switched to egress PE based on GRE header

• Egress PE uses VPN label to forward packet to remote CE

Ties MPLS VRFs across sites with IP multi-point GRE tunnel over IP Core

BRKMPL-1102 39

MPLS QoS


MPLS QoS – Uniform ModePropagate EXP Markings

CE PE P PE CEmatch ip prec 4

set mpls exp imp 6

IPP 4 IPP 4

EXP 6

match mpls exp 6

priority

match mpls exp 6

priority

IPP 4 EXP 6

mpls propagate-cos

IPP 4 EXP 6

The use of “mpls propogate-cos” command will cause the EXP

value to be copied down to the IP packet after a POP operation.

IPP 6

ip packet

Ingress Egress

By default, IP ToS byte is unchanged.

EXP 6

EXP 6

IPP 4 EXP 6

VPN Imposition Pop

IPP 6

BRKMPL-1102 41


MPLS QoS – Short Pipe Mode


set mpls exp imp 6

IPP 4 IPP 4

EXP 6

match mpls exp 6

priority

match mpls exp 6

priority

IPP 4 EXP 6 IPP 4 EXP 6

IPP 4

IPP 4

ip packet

Ingress Egress

EXP 6

EXP 6

IPP 4 EXP 6

VPN Imposition Pop

Egress classification based on IP DSCP

not MPLS expConsistent policy in MPLS core

BRKMPL-1102 42


MPLS QoS –Pipe Mode


set mpls exp imp 6

IPP 4 IPP 4

EXP 6

match mpls exp 6

priority

match mpls exp 6

priority

IPP 4 EXP 6 IPP 4 EXP 6

IPP 4

IPP 4

ip packet

Ingress Egress

EXP 6

EXP 6

IPP 4 EXP 6

VPN Imposition Pop

Egress classification based on MPLS

Ingress EXP not IP DSCP

BRKMPL-1102 43


MPLS QoS Options SummaryUniform, Pipe and Short Pipe Modes

Uniform Mode:

This mode provides consistent QoS classification/marking throughout the network. This includes

the CE and the Core routers. EXP marking is propagated to the underlying TOS byte on egress

Short Pipe Mode:

In this mode the QoS policies being implemented in the Core do NOT propagate to the packet TOS

byte. The classification based on MPLS EXP ends at the customer facing egress PE interface and

queuing is based on the IPP/DSCP values in the IP header (supported – default mode)

Pipe Mode:

Pipe Mode is similar to Short Pipe Mode except that at the egress PE, classification at the CE

facing interface is done based on ingress EXP

BRKMPL-1102 44



• MPLS Designs for Enterprise ✓



• Q&A

• Summary

Agenda

MPLS Product Update


Industry-LeadingCampus Backbone Platform

FIXED

Fe

atu

res

Scale

MODULAR

* Roadmap Item

Catalyst 6880-X

Up to 80 10G Ports

Catalyst C6840-X

Up to 40 10G Ports

Catalyst 3650/3850

12p/24p/48p 10G 1RU Aggregation

MPLS Catalyst Campus Switching PortfolioF

eatu

res

Scale

Stackable Access

MPLS

Jul 16

Catalyst 6K

BRKMPL-1102 47

MPLS Portfolio – Catalyst 3K


Catalyst 3850 Series

Wireless CAPWAP TerminationUp to 2000 Clients

per Stack

40 Gbps Uplink Bandwidth

FRU Fans, Power Supplies

Granular QoS/Flexible NetFlow

Up to 100APs per stack, and 40G per switch

480 GbpsStackingBandwidth

Stackpower

Line Rate on All Ports

MPLS

Full POE+ and UPOE

Multigigabit(mGig)

MPLS on UADP powered Stackable Access Programmable Switches

MPLS Shipping

In Jul 2016


Cisco Catalyst 3850 Multigigabit Ethernet

48 Port Version 24 Port Version

Downlinks:

36 x 1G LineRate 10/100/1000BASE-T, 12 x GE/mGig/10GT

PoE/PoE+/UPoE, EEE, MACSec

Uplinks:

4x10GE SFP+, 2 x 40G QSFP (NEW), 8x10G

SFP+ (NEW)

Downlinks:

24 x GE/mGig/10GT

PoE/PoE+/UPoE, EEE, MACSec

Uplinks:

4x10GE SFP+, 2 x 40G QSFP (NEW), 8x10G

SFP+ (NEW)

MPLS on Access with Multigigabit Ethernet

MPLS Shipping

In Jul 2016


UADP ASICConverged

AccessStackWise-480 StackPower Line-Rate

Catalyst 3850 10G: 12 and 24 Port

1+1 Power

Redundancy

C3850-NM-4x10G

C3850-NM-2x40G

C3850-NM-8x10G

C3850-NM-4x10G

MPLS Shipping

In Jul 2016


UADP ASIC

*No StackWise or StackPower on 48p SKU

Catalyst 3850 10G: 48 Port

UADP ASICConverged

AccessLine-Rate No Stacking

Front-to-Back & Back-to-Front

Fans and Power Supplies

1+1 Power

Redundancy

4 x QSFP Fixed48 x SFP+ Fixed

Front-to-Back and

Back-to-Front Fan options

New 750W AC Power Supplies

1+1 Power Supply Redundancy

MPLS Shipping

In Jul 2016


Optional StackWise-160 9 member Stack

Dual FRUPower Supplies

FRU Fans

Cisco Catalyst 3650 Switch

Full Netflow/QoSfor wired/wireless

MPLS

POE+

40G WirelessCapacity Per Switch

Fixed Uplinks4 x 1G2 x10G 4 x 10G2 x 40G (New)8 x 10G (new)

EEE

MACsec

Multi-Core CPU

Line Rate on All Ports

802.11n802.11ac

50 AP’s and 1000 Clients Per Stack

MPLS on UADP powered Stackable Access Programmable Switches

MPLS Shipping

In Jul 2016

Multigigabit(mGig) New

MPLS Portfolio – Catalyst 6K


The New Catalyst 6807-XLTaking Catalyst 6K Up to 880G/Slot

Investment Protection!

Compatible with Sup2T, 6700, 6800,

6900 Series and latest Service Modules

Backwards compatible backplane connectors

Catalyst 6500 DNA

7 Slots 10 RU

Low-power and noise

High-efficiency fans

Up to 4 (N+1) power

supply redundancy

3000W AC

Up to 880G/Slot capable

Next-generation ready

Side-to-side air flow (redirectable via airflow baffles)

BRKMPL-1102 55


Supervisor 6TTaking Catalyst 6800 to a New Level

Shipping!!

VSS, LISP, SGT,

MACSEC, HQoS, on all

Ports

Fiber & Copper

Management and

Console Ports

1M IPv4 Route

1M NetFlow

256K QoS / ACL

2 x 40G QSFP and

8 x 10G SFP+ uplinks

High-Scale Control Plane

with X86 CPU

Improved Fabric

Provides 440G/Slot in the

6807-XL

Feature Parity with Sup2T from Day 1: 3500+ Features


C6800 Multi-Rate Line Cards

32 ports of SFP/SFP+ or

up to 8 ports of QSFP*

10/100/1000M GLC-T

100M FX

250MB per Port

500MB per Port in

Performance Mode

VSS, SGT, MACSec, LISP,

HQoS

160G Throughput,

Performance mode

for line rate

1M IPv4 Routes

2M NetFlow

256K QoS & ACL

Feature Rich MPLS

* With CVR-4SFP-QSFP Adapter

Not Every Port is Created Equal!


The Catalyst 6880-XC6K-Based “Extensible” Fixed Platform

Fixed Supervisor module

X86 2.0 GHz CPU

up to 4GB DDR3 DRAM

Each Card has 16 x 1G/10G or

up to 4 x 40G ports

VSS, MPLS, VPLS, LISP,

MACSEC, SGT, on every portUp to 80 x 1G/10G ports

Low Power &

Low Noise Fans

Platinum Efficiency

Redundant AC & DC PS

Front Serviceable Power Supplies and Fan Tray,

NEBS Level 3-Compliant Platform


Depth:

21.8”

Height:

2RU

16, 24, 32 or 40 SFP+ Uplinks

Convert 4 x SFP+ to QSFP*

256K IPv4 Routes

1.5M NetFlow

64K QoS / ACL

High-Scale Control

Plane with 2.0GHz CPU

Higher Scale for IA

Shipping Since

October 2015

The New Catalyst 6840-X

All Catalyst 6800 Features in a Smaller Fixed Form Factor

2 models with 2 QSFP Uplinks

Convert 4 x SFP+ to QSFP*

VSS, MPLS, LISP, SGT,

MACSEC, HQoS, etc.

750W or 1100W Power

Redundant AC / DC

Front-to-Back Airflow

MPLS Portfolio – Catalyst N7K


MPLS on Nexus 7K - M Series

48x 1/10G SFP+ Ports24x 40G QSFP Ports

Nexus 7700 M3 Series

10G & 40G Modules

Large Table Size & Packet Buffers -

2M FIB (1M @ FCS), 128K ACL/QoS

384K MAC (128K @ FCS)

MACSEC 256-bit AES

Deep Buffers

NEW

N7K-M224XP-23L

N7K-M202CF-22L N7K-M206FQ-23L

Nexus M2 Series Modules

BRKMPL-1102 61


MPLS on Nexus 7K - F3 Series

CiscoNexus

7000/7700

Nexus 7700 F3 40G Nexus 7700 F3 100GNexus 7700 F3 10G

Nexus 7000 F3 100GNexus 7000 F3 10G Nexus 7000 F3 40G

Nexus F3 Series Modules

BRKMPL-1102 62

What product option do I choose…


MPLS Deployment Options – Medium to Large Campus

Standard Access

Distribution

Core

Access

MPLS

Catalyst 3850/3650

C6K/N7K

Routed Access

MPLS

Catalyst 3850/3650 or 4500

C6K/N7K

C6K/N7K

C6K/N7K

Key Design factors: VRF/Route Scale, Port Density, MPLS features, Fixed vs. Modular in Access/Backbone

BRKMPL-1102 64


MPLS Deployment Options – Small to Medium Campus

Distribution

Core

Access

Standard Access

MPLS

C6840-X

C3850

C3850/ C3650

C3850/

C3650

Access + Distribution

Collapsed Access

CoreC6840-X/

C3850

MPLS

Distribution

Core

Access

Routed Access

MPLS

C6840-X

C3850

C3850/ C3650

BRKMPL-1102 65

Unprecedented Services


Catalyst Campus Innovations

Secure Segmentation with TrustSec

One Policy with Identity Services Engine

NG PnP for Zero Touch Deployment of Network

Devices

Programmable Enterprise Campus Fabric

Network as Sensor with Device Profiler,

Netflow and Wireshark

One Network with Converged Access

One Management with Prime Infrastructure

High Availability with VSS, ISSU and Stackpower

UADP Flexparser ASIC, SDN-ready

UPOE to Connect Broad Range of End Points—

VDI and LED lights

Simplifies Operations with Instant Access

Maximize Throughput and Resiliency with VSS

IT Simplicity with Auto Conf, Interface Template and EEM Rich-media Experiences

Energy Savings

BRKMPL-1102 67


Robust Enterprise Security

Robust Security for Next Generation Enterprise

RA Guard

DHCPv6Guard

Source/Prefix Guard

Destination Guard

Protection:• Rogue or

malicious RA• MiM attacks

Protection:• Invalid DHCP

Offers• DoS attacks• MiM attacks

Protection:• Invalid source

address• Invalid prefix• Source address

spoofing

Protection:• DoS attacks • Scanning• Invalid

destination address

RA Throttler

Facilitates:• Scale

converting multicast traffic to unicast

ND Multicast Suppress

Reduces:• Control

traffic , improves performance

C o r e F e a t u r e s A d v a n c e F e a t u r e s S c a l a b i l i t y & P e r f o r m a n c e

IPv6 First Hop Security

BRKMPL-1102 68


Application Visibility with Flexible NetFlow

Control with

EEM Integration

IP, PortsTCP

Flags

L2

MAC

L2

VLAN

UDP

FlagsIPv6

IP

OptionsMulticast …

Day0 Attacks

Detect Anomaly

Compliance

SLA

App. M&T

Capacity Planning

Flexible NetFlow

Visibility

Mobility, Unified Communications, Network Virtualization

Campus

Branch

Collector Ecosystem

• Lower CAPEX/OPEX

• Better insights for network capacity planning

• Better service and user experience

• Increased IT staff productivity, IT security

CapabilitiesBenefits

• Unprecedented visibility with new L2–L7 fields

• Scalable, flexible flow monitors

• Customizable policy action with EEM

• Broad collector partner ecosystem 69



• MPLS Designs for Enterprise ✓

• MPLS Product Update ✓


• Q&A

• Summary

Agenda

MPLS Configurations

• L3VPN

• L2VPN

• MPLS-VPN Services

MPLS Configurations


L3VPNMPLS VPN Protocols

• IGP Protocols are used to exchange the routes between PE and CE Devices

• MP-IBGP is used for exchanging VPNv4 routes between the PE Devices

• MPLS or Label forwarding is configured between PE and P Devices

P

L3 VPN

P

Distribution

Core

AccessCE CE

L3 VPN

P

EBGP, OSPF, RIPv2, Static

MP-IBGP

IPV4 and IPv6

PEPE

P P

Distribution

Core

AccessCE CE

PEPE

P P

OSPF, ISIS

VRF Green VRF BlueVRF Green VRF Blue

BRKMPL-1102 73


Distribution

Core

AccessCE CE

L3 VPN

OSPF

PEPE

P P


PPP

VRF Definition

Ip vrf VPN-Green

Rd 1:1

Route-target import 100:1

Route-target export 100:1

!

Interface vlan 10

Ip address 192.168.10.1 255.255.255.0

Ip vrf forwarding VPN-Green

!

Router ospf 1

!

Router ospf 2 vrf VPN-Green

Network 192.168.10.0 0.0.0.255 area 0

Redistribute bgp 1 subnets

!

Vlan 10

VRF Green VRF Blue


Distribution

Core

Access

CE CE

L3 VPN

BGP

PEPE

P P


PPP

router bgp 1

!

address-family ipv4 vrf VPN-Green

neighbor 192.168.10.2 remote-as 2

neighbor 192.168.10.2 activate

exit-address-family

!

EIGRP

VRF Green VRF Blue

Router eigrp 1

!


no auto-sumary

neighbor 192.168.10.0 0.0.0.255

automonous-system 1

Redistribute bgp 1 metric 100000 100 255 1 1500

!

BRKMPL-1102 75


Distribution

Core

Access

CE CE

L3 VPN

RIP

PEPE

P P


PPP

Static

router rip

!


version 2

no auto-summary

Network 192.168.10.0

Redistribute bgp 1 metric transparent

!

Ip route vrf VPN-Green 10.1.1.0 255.255.255.0 192.168.10.2

VRF Green VRF Blue

BRKMPL-1102 76


Distribution

Core

Access

CE CE

L3 VPN

PEPE

P P

L3VPNPE-P

PPP

OSPF

VRF Green VRF Blue

Interface x/x

Ip address 130.130.1.1 255.255.255.252

Mpls ip

!

Router ospf 1

Network 130.130.1.0 0.0.0.3 area 0

BRKMPL-1102 77


Distribution

Core

Access

CE CE

L3 VPN

PEPE

P P

L3VPNIBGP

PPP

Distribution

Core

Access

CE CE

L3 VPN

PEPE

P P

IBGP

VRF Green VRF Blue VRF Green VRF Blue

Router bgp 1

Neighbor 1.2.3.4 remote-as 1

Neighbor 1.2.3.4 update-source loopback0

!Address-family vpnv4

Neighbor 1.2.3.4 activate

Neighbor 1.2.3.4 send-community both

BRKMPL-1102 78


Distribution

Core

Access

CE CE

L3 VPN

PEPE

P P

L3VPNIPv6 VPN

PPP

Distribution

Core

Access

CE CE

L3 VPN

PEPE

P P

IPV4/IPv6IPV4/IPv6

VRF Green VRF BlueVRF Green VRF Blue

PE#

!

vrf definition v2

rd 2:2

!

address-family ipv4

route-target export 1:2

route-target import 1:2

exit-address-family

!

address-family ipv6

route-target export 2:2

route-target import 2:2

exit-address-family

!

!

router bgp 1

!

address-family vpnv4


neighbor 10.13.1.21 send-community both

exit-address-family

!

address-family vpnv6


neighbor 10.13.1.21 send-community both

exit-address-family

!

address-family ipv4 vrf v2

exit-address-family

!

address-family ipv6 vrf v2

neighbor 200::2 remote-as 30000

neighbor 200::2 activate

exit-address-fam

BRKMPL-1102 79



P

L3 VPN

P

Distribution

Core

AccessCE CE

L3 VPN

P

EBGP, OSPF, RIPv2, Static

MP-IBGP

IPV4 and IPv6

PEPE

P P

Distribution

Core

AccessCE CE

PEPE

P P

OSPF, ISIS

VRF Green VRF Blue VRF Green VRF Blue

BRKMPL-1102 80

• L3VPN ✓

• L2VPN


MPLS Configurations


MPLS L2VPNL2VPN Protocols

Distribution

Core

Access

Distribution

Access

PE

CE

Distribution

Access

VPLS

CE

PE

PE

CE

EOMPLS

Core

Ethernet/Vlan

VRF Green VRF Blue

VRF Green VRF Blue

VRF Green VRF Blue

BRKMPL-1102 82



Distribution

Core

Access

Distribution

Access

PE

CE

Ethernet or VLAN

PE

CE

EOMPLS

Core

# Vlan mode

interface GigabitEthernet7/4.2

encapsulation dot1Q 3


no shut

# Port mode

interface GigabitEthernet7/4

xconnect 13.13.13.13 3encapsulation mpls

no shutVRF Green VRF Blue

VRF Green VRF Blue

Ethernet or VLAN

BRKMPL-1102 83



Distribution

Core

Access

Distribution

Access

PE

CE

Distribution

Access

VPLS

CE

PE

PE

CE

Core

Ethernet/Vlan

VRF Green VRF Blue

VRF Green VRF Blue

VRF Green VRF Blue

# L2 Interface Config -> CE

Switchport

switchport trunk encapsulation dot1q

switchport trunk allowed vlan 200

switchport mode trunk

# Define the VFI and bind it to the Intf

l2 vfi Cust_A manual

vpn id 200

neighbor 10.10.10.102 encapsulation

mpls

interface vlan 200

xconnect vfi Cust_A

BRKMPL-1102 84

• L3VPN ✓

• L2VPN ✓


MPLS Configurations


Multicast VPN (MVPN)

Distribution

Core

Access

Distribution

Access

PE

CE

Distribution

Access

CE

PE

PE

CE

Core

Default MDT for all groups

VRF Green VRF Blue

VRF Green VRF Blue

VRF Green VRF Blue

MPLS Backbone

# Configure the Default MDT and Data

MDT for the VRF under VRF Definition

Ip vrf test

Rd 100:!

Route target import 100:1

Route target export 100:1

mdt default group-address

Mdt data group-address mask

# Enable PIM and Multicast Routing at

the interfaces towards the CE and P

BRKMPL-1102 86


MPLS over GRE

Distribution

Core

Access

Distribution

Access

PE

CE

Distribution

Access

Ethernet or VLAN

CE

PE

PE

CE

Core

IPv4 CloudMPLS over GRE

L3VPN

SITEL3VPN

SITE

L2VPN

SITE L2VPN

SITE

VRF Green VRF Blue

VRF Green VRF Blue

VRF Green VRF Blue

BRKMPL-1102 87


MPLS-VPN Services

• VPN customers may want SLA so as to treat real-time, mission-critical and best-effort traffic appropriately

• QoS can be applied to VRF interfaces

- Just like any global interface

- Same old QoS mechanisms are applicable

• Remember - IP precedence bits are copies to MPLS TC/EXP bits ( default behavior )

• MPLS Traffic-Eng could be used to provide the bandwidth-on-demand for Fast Rerouting to VPN customers

Providing QoS to VPN Customers

BRKMPL-1102 88

In Conclusion…


Key Takeaways

MPLS offers Secure Segmentation for Enterprise Networks Design

End to End Standards based Segmentation from Access to WAN in Enterprise

MPLS offers a wide range of features and services

MPLS L3VPN and L2VPN are most commonly deployed in Enterprise

MPLS Technology is available on a wide range of Switching products:

• Cisco Catalyst 3850 and 3650 Series (New)

• Cisco Catalyst 6K Fixed and Modular Series

• Cisco Nexus 7K Series

End to End Network Virtualization for Digital Enterprise


MPLS Sessions at Cisco Live 2016

• BRKMPL-1100 Introduction to MPLS

• BRKMPL-1102 MPLS Enterprise Switching Product Update and Designs

• BRKMPL-2100 Deploying MPLS Traffic Engineering

• BRKMPL-2102 Designing MPLS-based IP VPNs

• BRKMPL-2108 Designing MPLS in Next Generation Data Center: A Case Study

• BRKMPL-2110 Enterprise MPLS - Customer Case Studies

• BRKMPL-2115 MPLS Architectural approaches for Data Center and Cloud

• BRKMPL-2333 E-VPN & PBB-EVPN: the Next Generation of MPLS-based L2VPN

• BRKMPL-3124 Troubleshooting End-to-End MPLS

• LTRMPL-2104 Cisco WAN Automation Engine (WAE) Network Programmability with Segment Routing

• LTRMPL-3102 Enterprise Network Virtualization using IP and MPLS Technologies: Advanced

• TECMPL-3200 SDN WAN Orchestration in MPLS and Segment Routing Networks

BRKMPL-1102 91


Terminology ReferenceAcronyms Used in MPLS Reference Architecture

Terminology Description

AC Attachment Circuit. An AC Is a Point-to-Point, Layer 2 Circuit Between a CE and a PE.

AS Autonomous System (a Domain)

CoS Class of Service

ECMP Equal Cost Multipath

IGP Interior Gateway Protocol

LAN Local Area Network

LDP Label Distribution Protocol, RFC 3036.

LER Label Edge Router. An Edge LSR Interconnects MPLS and non-MPLS Domains.

LFIB Labeled Forwarding Information Base

LSP Label Switched Path

LSR Label Switching Router

NLRI Network Layer Reachability Information

P Router An Interior LSR in the Service Provider's Autonomous System

PE Router An LER in the Service Provider Administrative Domain that Interconnects the Customer Network and the Backbone Network.

PSN Tunnel Packet Switching Tunnel

BRKMPL-1102 92


Terminology ReferenceAcronyms Used in MPLS Reference Architecture (cont.)

Terminology Description

Pseudo-Wire A Pseudo-Wire Is a Bidirectional “Tunnel" Between Two Features on a Switching Path.

PWE3 Pseudo-Wire End-to-End Emulation

QoS Quality of Service

RD Route Distinguisher

RIB Routing Information Base

RR Route Reflector

RT Route Target

RSVP-TE Resource Reservation Protocol based Traffic Engineering

VPN Virtual Private Network

VFI Virtual Forwarding Instance

VLAN Virtual Local Area Network

VPLS Virtual Private LAN Service

VPWS Virtual Private WAN Service

VRF Virtual Route Forwarding Instance

VSI Virtual Switching Instance

BRKMPL-1102 93


Further Reading

• http://www.cisco.com/go/mpls

• http://www.ciscopress.com

• MPLS and VPN Architectures — Cisco Press®

• Jim Guichard, Ivan Papelnjak

• Traffic Engineering with MPLS — Cisco Press®

• Eric Osborne, Ajay Simha

• Layer 2 VPN Architectures — Cisco Press®

• Wei Luo, Carlos Pignataro, Dmitry Bokotey, and Anthony Chan

• MPLS QoS — Cisco Press ®

• Santiago Alvarez

MPLS References at Cisco Press and cisco.com

BRKMPL-1102 94

http://www.cisco.com/go/mpls

http://www.ciscopress.com/


Complete Your Online Session Evaluation

Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online

• Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 Amazon gift card.

• Complete your session surveys through the Cisco Live mobile app or from the Session Catalog on CiscoLive.com/us.

BRKMPL-1102 95

CiscoLive.com/Online

http://ciscolive.com/Online

http://ciscolive.com/Online

http://ciscolive.com/us

http://ciscolive.com/us


Continue Your Education

• Demos in the Cisco campus

• Walk-in Self-Paced Labs

• Lunch & Learn

• Meet the Engineer 1:1 meetings

• Related sessions

BRKMPL-1102 96

Thank you

Documents

MPLS Enterprise Switching - lvk.cs.msu.sulvk.cs.msu.su/~vbabernov/BRKMPL-1102.pdf · MPLS Enterprise Switching Product Update and Designs Sankar Venkat Product Manager ... MP-BGP