MPLS Virtual Private Network Enhancements
This document describes the Multiprotocol Label Switching (MPLS) virtual private network (VPN) enhancements available in Cisco IOS Release 12.0(7)T. It also includes information about the new Border Gateway Protocol (BGP) commands available for enhanced VPN traffic management.
Feature Overview
The MPLS VPN enhancements provide increased BGP functionality enabling you to manage and route traffic within a VPN. With these MPLS VPN enhancements you can:
• Configure BGP hub and spoke connections
• Configure faster convergence for BGP VPN routing/forwarding instance (VRF) routes
• Limit the number of BGP VRF routes
• Identify BGP site-of-origin routers
• Distribute BGP Open Shortest Path First (OSPF) routing information
Table 1 lists the MPLS VPN enhancements and the associated BGP commands.
Table 1 MPLS VPN Enhancements in Release 12.0(7)T
MPLS VPN Overview
Using MPLS VPNs in a Cisco IOS network provides the capability to deploy and administer scalable Layer 3 VPN backbone services, including applications, data hosting, network commerce, and telephony services, to business customers. A VPN is a secure IP-based network that shares resources on one or more physical networks. A VPN contains geographically dispersed sites that can communicate securely over a shared backbone.
A one-to-one relationship does not necessarily exist between customer sites and VPNs; a given site can be a member of multiple VPNs. However, a site can associate with only one VRF. Each VPN is associated with one or more VPN routing/forwarding instances (VRFs). A VRF includes routing and forwarding tables and rules that define the VPN membership of customer devices attached to CE routers. A VRF consists of the following:
• IP routing table
• Cisco Express Forwarding (CEF) table
• Set of interfaces that use the CEF forwarding table
• Set of rules and routing protocol parameters to control the information in the routing tables
VPN routing information is stored in the IP routing table and the CEF table for each VRF. A separate set of routing and CEF tables is maintained for each VRF. These tables prevent information from being forwarded outside a VPN and also prevent packets that are outside a VPN from being forwarded to a router within the VPN.
Distribution of VPN Routing Information
The distribution of VPN routing information is controlled through the use of VPN route target communities, implemented by Border Gateway Protocol (BGP) extended communities. Distribution of VPN routing information works as follows:
• When a VPN route learned from a CE router is injected into BGP, a list of VPN route target extended community attributes is associated with it. Typically the list of route target community values is set from an export list of route targets associated with the VRF from which the route was learned.
• An import list of route target extended communities is associated with each VRF. The import list defines the route target extended community attributes that a route must have in order for the route to be imported into the VRF. For example, if the import list for a particular VRF includes route target communities A, B, and C, then any VPN route that carries any of those route target extended communities—A, B, or C—is imported into the VRF.
BGP Operation
A service provider edge (PE) router can learn an IP prefix from a customer edge (CE) router by static configuration, through a BGP session with the CE router, or through a Routing Information Protocol (RIP) exchange with the CE router. The IP prefix is a member of the IPv4 address family. After it learns the IP prefix, the PE converts it into a VPN-IPv4 prefix by combining it with an 8-byte route distinguisher (RD). The generated prefix is a member of the VPN-IPv4 address family. It uniquely identifies the customer address, even if the customer site is using globally nonunique (unregistered private) IP addresses.
The route distinguisher used to generate the VPN-IPv4 prefix is specified by a configuration command associated with the VRF on the PE router.
BGP distributes reachability information for VPN-IPv4 prefixes for each VPN. BGP communication takes place at two levels: within IP domains, known as autonomous systems (interior BGP or IBGP) and between autonomous systems (external BGP or EBGP). PE-PE or PE-RR (route reflector) sessions are IBGP sessions, and PE-CE sessions are EBGP sessions.
BGP propagates reachability information for VPN-IPv4 prefixes among PE routers by means of the BGP multiprotocol extensions (see RFC 2283, Multiprotocol Extensions for BGP-4), which define support for address families other than IPv4. It does this in a way that ensures the routes for a given VPN are learned only by other members of that VPN, enabling members of the VPN to communicate with each other.
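The two mechanisms described above, the 8-byte RD that makes a VPN-IPv4 prefix unique and the route-target import/export lists that control which VRFs receive a route, are shown together in the following added example. It is illustrative code written for this page, not Cisco IOS code; the VRF names, RDs, route targets and prefixes are constructed, and the functions (encode_rd, vpn_ipv4_key, Vrf, distribute) are hypothetical names. Two customers reuse the same private prefix 10.1.0.0/16, and a shared-services VRF is reachable from both, while red and blue never import each other's routes.

```python
# Added example (not Cisco's code): how a PE router turns a customer IPv4
# prefix into a VPN-IPv4 prefix with an 8-byte route distinguisher (RD), and
# how route-target (RT) extended communities on the export and import lists
# decide which VRFs receive the route. All VRF names, RDs, RTs and prefixes
# are constructed sample values.
import struct
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List


def encode_rd(rd: str) -> bytes:
    """Encode 'ASN:number' (type 0) or 'A.B.C.D:number' (type 1) as the
    8-byte RD: a 2-byte type field followed by a 6-byte value."""
    admin, assigned = rd.rsplit(":", 1)
    if "." in admin:
        # type 1: 4-byte IPv4 administrator + 2-byte assigned number
        return struct.pack("!H4sH", 1, ipaddress.IPv4Address(admin).packed, int(assigned))
    # type 0: 2-byte AS administrator + 4-byte assigned number
    return struct.pack("!HHI", 0, int(admin), int(assigned))


def vpn_ipv4_key(rd: str, prefix: str) -> bytes:
    """Simplified VPN-IPv4 identity: RD, prefix length, prefix octets.
    (The real NLRI also carries an MPLS label; it is omitted here.)"""
    net = ipaddress.IPv4Network(prefix)
    return encode_rd(rd) + bytes([net.prefixlen]) + net.network_address.packed


@dataclass(frozen=True)
class VpnRoute:
    key: bytes                    # VPN-IPv4 prefix, unique across customers
    prefix: str                   # the customer's IPv4 prefix as learned from the CE
    route_targets: FrozenSet[str]


@dataclass
class Vrf:
    name: str
    rd: str
    export_rts: FrozenSet[str]
    import_rts: FrozenSet[str]
    table: Dict[bytes, VpnRoute] = field(default_factory=dict)

    def inject(self, prefix: str) -> VpnRoute:
        """PE learns `prefix` from this VRF's CE: attach the VRF's RD and
        tag the route with the VRF's export route targets."""
        return VpnRoute(vpn_ipv4_key(self.rd, prefix), prefix, self.export_rts)

    def maybe_import(self, route: VpnRoute) -> bool:
        """Import only if the route carries at least one RT on the import list."""
        if self.import_rts & route.route_targets:
            self.table[route.key] = route
            return True
        return False


def distribute(vrfs: List[Vrf], routes: List[VpnRoute]) -> Dict[str, List[str]]:
    """Offer every VPN-IPv4 route to every VRF; return what each VRF imported."""
    for route in routes:
        for vrf in vrfs:
            vrf.maybe_import(route)
    return {v.name: sorted(r.prefix for r in v.table.values()) for v in vrfs}


def run_demo() -> Dict[str, List[str]]:
    # Two customers reuse the same private prefix; a shared-services VRF is
    # reachable from both, but red and blue must never see each other's routes.
    red = Vrf("red", "100:1", frozenset({"100:1"}), frozenset({"100:1", "100:3"}))
    blue = Vrf("blue", "100:2", frozenset({"100:2"}), frozenset({"100:2", "100:3"}))
    shared = Vrf("shared", "100:3", frozenset({"100:3"}),
                 frozenset({"100:1", "100:2", "100:3"}))
    routes = [red.inject("10.1.0.0/16"), blue.inject("10.1.0.0/16"),
              shared.inject("192.168.100.0/24")]
    return distribute([red, blue, shared], routes)


if __name__ == "__main__":
    for name, prefixes in run_demo().items():
        print(name, prefixes)
```

The shared VRF ends up holding both 10.1.0.0/16 routes, because their RDs differ and so their VPN-IPv4 keys differ; the red and blue VRFs each hold only their own copy plus the shared prefix, because the other customer's route carries no route target on their import list.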
Benefits
Configuring BGP Hub and Spoke Connections—Configuring PE routers in a hub and spoke configuration allows a CE router to readvertise all prefixes containing duplicate autonomous system numbers (ASNs) to neighboring PE routers. Using duplicate ASNs in a hub and spoke configuration provides faster convergence of routing information within geographically dispersed locations.
Configuring Faster Convergence for BGP VRF Routes—Configuring scanning intervals of BGP routers decreases import processing time of VPNv4 routing information, thereby providing faster convergence of routing information. Routing tables are updated with routing information about VPNv4 routes learned from PE routers or route reflectors.
Limiting VPN VRFs—Limiting the number of routes in a VRF prevents a PE router from importing too many routes, which would diminish the router's performance. This enhancement can also be used to enforce the maximum number of members that can join a VPN from a particular site. A threshold is set in the VRF routing table to limit the number of VRF routes imported.
Reuse ASNs in an MPLS VPN Environment—Configuring a PE router to reuse an existing ASN allows customers to configure BGP routes with the same ASNs in multiple geographically dispersed sites, providing better scalability between sites.
Distributing BGP OSPF Routing Information—Setting a separate router ID for each interface or subinterface on a PE router attached to multiple CE routers within a VPN provides increased flexibility through OSPF when routers exchange routing information between sites.
Related Documents
For more information about the MPLS VPN functionality including BGP distribution of routing information, see the MPLS Virtual Private Network Feature Module, Cisco IOS Release 12.0(5)T on CCO at http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120t/120t5/index.htm.
Supported Platforms
The MPLS VPN enhancements support the following platforms:
• Cisco 3640 series
• Cisco 4500 series
• Cisco 7200 series
• Cisco 7500 series
Supported Standards, MIBs, and RFCs
Standards
No new or modified standards are supported by this feature.
MIBs
No new or modified MIBs are supported by this feature.
For descriptions of supported MIBs and how to use MIBs, see the Cisco MIB web site on CCO at http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml.
RFCs
No new or modified RFCs are supported by this feature.
Configuration Tasks
Perform the following tasks to configure and verify VPNs:
• Defining VPNs
• Configuring BGP Routing Sessions
• Verifying VPN Operation
Defining VPNs
To define VPNs, perform the following steps on the PE router:
Configuring BGP Routing Sessions
To configure BGP routing sessions in a provider network, perform the following steps on the PE routers:
Verifying VPN Operation
To verify VPN operation by displaying routing information on the PE routers, you may issue any of the following show commands in any order:
Configuration Examples
For MPLS VPN configuration examples, see the MPLS Virtual Private Network Feature Module, Cisco IOS Release 12.0(5)T.
Command Reference
This section documents the new VPN commands for Cisco IOS Release 12.0(7). All other commands used with MPLS VPNs are documented in Cisco IOS Release 12.0(5)T.
bgp scan-time
To configure scanning intervals of BGP routers for next hop validation or to decrease import processing time of Virtual Private Network version 4 (VPNv4) routing information, use the bgp scan-time command in address family or router configuration mode. To return the scanning interval of a router to its default scanning interval of 15 seconds, use the no form of this command.
bgp scan-time [import] scanner-interval
no bgp scan-time [import] scanner-interval
Syntax Description
Defaults
The default scanning interval is 15 seconds.
Command Modes
Address family configuration
Router configuration
Command History
Usage Guidelines
The import keyword is supported in address family VPNv4 unicast mode only.
Entering the no form of this command does not disable scanning, but removes it from the output of the show running-config command.
Examples
In the following router configuration example, the scanning interval for next hop validation of IPv4 unicast routes for BGP routing tables is set to 20 seconds:
router bgp 100
 no synchronization
 bgp scan-time 20
In the following address family configuration example, the scanning interval for next hop validation of address family VPNv4 unicast routes for BGP routing tables is set to 45 seconds:
router bgp 150
 address-family vpnv4 unicast
  bgp scan-time 45
In the following address family configuration example, the scanning interval for importing address family VPNv4 routes into IP routing tables is set to 30 seconds:
router bgp 150
 address-family vpnv4 unicast
  bgp scan-time import 30
Related Commands
maximum routes
To limit the maximum number of routes in a Virtual Private Network routing/forwarding instance (VRF) to prevent a provider edge (PE) router from importing too many routes, use the maximum routes command in VRF configuration mode. To remove the limit on the maximum number of routes allowed, use the no form of this command.
maximum routes limit {warn-threshold | warn-only}
no maximum routes
Syntax Description
Defaults
No default behavior or values.
Command Modes
VRF configuration mode
Command History
Usage Guidelines
You can use the maximum routes command to monitor and limit the number of routes in a VRF on a PE router.
To limit the number of routes allowed in the VRF, use the maximum routes limit command with the warn-threshold argument. The warn-threshold argument generates a warning and does not allow the addition of routes to the VRF when the maximum number set by the limit argument is reached. The software generates a warning message every time a route is added to a VRF when the VRF route count is above the warning threshold. The software also generates a route rejection notification when the maximum threshold is reached and every time a route is rejected after the limit is reached.
To set a number of routes at which you receive a notification, but which does not limit the number of routes that can be imported into the VRF, use the maximum routes limit command with the warn-only keyword.
To use the maximum routes command, you must enter the VRF configuration submode.
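The following added example models the two behaviours the usage guidelines describe: with a warn-threshold, warnings start at the threshold and routes are rejected once the limit is reached; with warn-only, the router logs at the limit but keeps accepting routes. It is illustrative code written for this page, not Cisco IOS code; the VRF names, limits, prefixes and log message text are constructed, and VrfRouteLimit and simulate are hypothetical names.

```python
# Added example (not Cisco's code): a model of the two behaviours of
# `maximum routes limit {warn-threshold | warn-only}` as routes are added to
# a VRF. VRF names, limit values, prefixes and log text are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class VrfRouteLimit:
    name: str
    limit: int
    warn_threshold: Optional[int] = None   # percent of limit, e.g. 80; unused with warn_only
    warn_only: bool = False                # log at the limit, never reject
    routes: Set[str] = field(default_factory=set)
    syslog: List[str] = field(default_factory=list)   # constructed messages, not IOS text

    def add_route(self, prefix: str) -> bool:
        """Return True if the route was accepted into the VRF, False if rejected."""
        if prefix in self.routes:
            return True   # an update for a known prefix does not change the count
        if not self.warn_only and len(self.routes) >= self.limit:
            # limit already reached: reject and log every rejected route
            self.syslog.append(f"REJECT {self.name}: {prefix} rejected, limit {self.limit} reached")
            return False
        self.routes.add(prefix)
        count = len(self.routes)
        if self.warn_only:
            if count >= self.limit:
                self.syslog.append(f"ERROR {self.name}: {count} routes, limit {self.limit} reached (warn-only)")
        else:
            warn_at = self.limit * (self.warn_threshold or 100) // 100
            if count >= warn_at:
                self.syslog.append(f"WARNING {self.name}: {count} routes, threshold {warn_at}")
            if count == self.limit:
                self.syslog.append(f"ERROR {self.name}: limit {self.limit} reached, further routes rejected")
        return True


def simulate(vrf: VrfRouteLimit, prefixes: List[str]) -> Dict[str, int]:
    """Feed prefixes in order; summarise what the VRF accepted and logged."""
    accepted = sum(1 for p in prefixes if vrf.add_route(p))
    return {"accepted": accepted,
            "rejected": len(prefixes) - accepted,
            "warnings": sum(m.startswith("WARNING") for m in vrf.syslog),
            "errors": sum(m.startswith("ERROR") for m in vrf.syslog),
            "rejections_logged": sum(m.startswith("REJECT") for m in vrf.syslog)}


if __name__ == "__main__":
    prefixes = [f"10.0.{i}.0/24" for i in range(12)]   # constructed sample routes
    print(simulate(VrfRouteLimit("vrf1", 10, warn_only=True), prefixes))
    print(simulate(VrfRouteLimit("vrf2", 10, warn_threshold=80), prefixes))
```

With a limit of 10 and a warn-threshold of 80 percent, twelve routes produce three warnings (at 8, 9 and 10 routes), one limit-reached error, and two logged rejections; the same twelve routes under warn-only are all accepted, with an error logged at each of the 10th, 11th and 12th.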
Examples
The following example shows how to set a limit threshold of VRF routes to 1000. When the number of routes for the VRF reaches 1000, the router issues a SYSLOG error message, but continues to accept new VRF routes.
Router(config)# ip vrf vrf1
Router(config-vrf)# rd 100:1
Router(config-vrf)# route-target import 100:1
Router(config-vrf)# maximum routes 1000 warn-only
The following example shows how to set the maximum number of VRF routes allowed to 1000 and set the warning threshold at 80 percent of the maximum. When the number of routes for the VRF reaches 800, the router issues a warning message. When the number of routes for the VRF reaches 1000, the router issues a SYSLOG error message and rejects any new routes.
Router(config)# ip vrf vrf2
Router(config-vrf)# rd 200:1
Router(config-vrf)# route-target import 200:1
Router(config-vrf)# maximum routes 1000 80
Related Commands
neighbor allowas-in
To configure PE routers to allow readvertisement of all prefixes containing duplicate ASNs, use the neighbor allowas-in router configuration command. To disable the readvertisement of a PE router's ASN, use the no form of this command.
neighbor allowas-in number
no neighbor allowas-in number
Syntax Description
number    Specifies the number of times to allow the advertisement of a PE router's ASN. Valid values are from 1 to 10 times.
Defaults
No default behavior or values.
Command Modes
Router configuration
Command History
Usage Guidelines
In a hub and spoke configuration, a PE router readvertises all prefixes containing duplicate autonomous system numbers. Use the neighbor allowas-in command to configure two VRFs on each PE router to receive and readvertise prefixes:
1. One VRF receives prefixes with ASNs from all PE routers and then advertises them to neighboring PE routers.
2. The other VRF receives prefixes with ASNs from the CE router and readvertises them to all PE routers in the hub and spoke configuration.
You control the number of times an ASN is advertised by specifying a number from 1 to 10.
Examples
In the following example, the PE router with ASN 100 is configured to allow prefixes from the VRF address family VPN IPv4 vrf1. Prefixes from the neighboring PE router with the IP address 192.168.255.255 that contain the same ASN up to 6 times are accepted and readvertised to other PE routers:
router bgp 100
 address-family ipv4 vrf vrf1
  neighbor 192.168.255.255 allowas-in 6
Related Commands
address-family    Enters the address family submode used to configure routing protocols including BGP, OSPF, RIP, and static routing.
neighbor as-override
To configure a PE router to override a site's ASN with a provider's ASN, use the neighbor as-override router configuration command. To remove VPN IPv4 prefixes from a specified router, use the no form of this command.
neighbor ip-address as-override
no neighbor ip-address as-override
Syntax Description
Defaults
No default behavior or values.
Command Modes
Router configuration
Command History
Usage Guidelines
This command is used in conjunction with the site-of-origin feature, identifying the site where a route originated from, and preventing routing loops between routers within a VPN.
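The neighbor allowas-in and neighbor as-override commands both deal with a customer ASN that appears at more than one site, one on the inbound side (tolerating the local ASN in a received AS_PATH up to number times) and one on the outbound side (rewriting the site ASN with the provider's before advertising to the CE). The following added example models both checks in plain Python; it is illustrative code written for this page, not Cisco IOS code, the ASNs and prefixes are constructed, and accept_inbound, as_override and pe_to_ce_advertise are hypothetical names.

```python
# Added example (not Cisco's code): the AS_PATH handling behind
# `neighbor allowas-in number` (inbound, relaxed loop detection) and
# `neighbor as-override` (outbound, rewrite the site ASN), modelled for a
# customer ASN reused at several sites. ASNs and prefixes are constructed.
from typing import Dict, List


def accept_inbound(local_asn: int, as_path: List[int], allowas_in: int = 0) -> bool:
    """BGP loop detection: reject a route whose AS_PATH already contains our
    own ASN. `allowas_in` (the command's `number`) tolerates up to that many
    occurrences; 0 is the default strict behaviour."""
    return as_path.count(local_asn) <= allowas_in


def as_override(provider_asn: int, site_asn: int, as_path: List[int]) -> List[int]:
    """Replace every occurrence of the site's ASN with the provider's ASN."""
    return [provider_asn if asn == site_asn else asn for asn in as_path]


def pe_to_ce_advertise(provider_asn: int, ce_asn: int, as_path: List[int],
                       override: bool) -> List[int]:
    """What a PE sends to a CE over EBGP: the PE prepends its own ASN and,
    with as-override configured, first rewrites the customer's ASN."""
    path = as_override(provider_asn, ce_asn, as_path) if override else list(as_path)
    return [provider_asn] + path


def run_demo() -> Dict[str, object]:
    provider, customer, hub_ce = 100, 65000, 65100   # constructed ASNs
    # Site A (AS 65000) sends 10.1.0.0/24 to PE1; the AS_PATH is unchanged
    # across the IBGP PE1 -> PE2 hop, so PE2 holds it with AS_PATH [65000].
    path_at_pe2 = [customer]
    plain = pe_to_ce_advertise(provider, customer, path_at_pe2, override=False)
    rewritten = pe_to_ce_advertise(provider, customer, path_at_pe2, override=True)
    # Hub-and-spoke: the hub CE (AS 65100) hands the route back to the PE,
    # so the PE now sees its own ASN inside the path it receives.
    from_hub = [hub_ce] + plain
    return {
        "site_b_default": accept_inbound(customer, plain),                 # False
        "site_b_allowas_in_1": accept_inbound(customer, plain, 1),         # True
        "site_b_with_as_override": accept_inbound(customer, rewritten),    # True
        "as_path_with_override": rewritten,                                # [100, 100]
        "pe_from_hub_default": accept_inbound(provider, from_hub),         # False
        "pe_from_hub_allowas_in_1": accept_inbound(provider, from_hub, 1), # True
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Site B, using the same ASN 65000 as site A, drops the route under default loop detection; either allowas-in 1 on the CE or as-override on the PE lets it through, and in the hub-and-spoke case allowas-in on the PE is what permits the route returned by the hub CE to be accepted and readvertised to the spokes.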
Examples
In the following example, the router's ASN of 100 overrides the site ASN for the neighboring router with the IP address 192.168.255.255:
router bgp 100
 neighbor 192.168.255.255 remote-as 100
 neighbor 192.168.255.255 update-source loopback0
 address-family ipv4 vrf vpn1
  neighbor 192.168.255.255 activate
  neighbor 192.168.255.255 as-override
Related Commands
