w4ch6

Questions and Answers

What is the default intersite IP topology in an MPLS-VPN implementation?

Hub and Spoke

Partial Mesh

Full Mesh (correct)

Point-to-Point

What is the purpose of the inner label in an MPLS-VPN forwarding mechanism?

To identify the VPN (correct)

To identify the CE device

To identify the destination PE device

To identify the service provider network

What routing protocol is mandated by RFC 2547 for exchanging prefixes and labels between PE devices in an MPLS-VPN network?

EIGRP

BGP (correct)

OSPF

RIP

How do CE devices advertise routes to PE devices in an MPLS-VPN network?

Using either static or dynamic routing

What is the benefit of MPLS-VPN over dedicated WAN connections between sites?

Cost-effectiveness

What is the purpose of the outer label in an MPLS-VPN forwarding mechanism?

To identify the destination PE device

How do service providers carry packets to customer routes in an MPLS-VPN network?

By carrying packets to those routes across its network

What protocol is CE red1 using to advertise the 192.168.4.0/24 prefix to PE A?

eBGP

What routing protocol does CE green2 use?

RIPv2

What is the purpose of PE A in the MPLS-based Layer 3 VPN configuration?

To import prefixes announced by the CE into the route table

What is the function of iBGP in the MPLS-based Layer 3 VPN configuration?

To announce reachability for each of its attached customer sites

What is the next hop for the 192.168.4.0 route on CE red2?

192.168.2.1

How does PE A identify the next hop for a packet going from CE green1 to CE green2?

As a BGP neighbor

What is the purpose of the label imposed by PE A on the packet going from CE green1 to CE green2?

To identify the VPN routing table

How does PE A find the route to 192.168.3.0?

Through a BGP route

What is the topology of the iBGP sessions between the PEs?

Full mesh

What type of VPN is configured in the given example?

MPLS based Layer 3 VPN

What is the purpose of the 'tag-switching ip' command in the interface configuration?

To enable label switching

What is a mandatory attribute of every VPN on a Cisco router?

Dedicated interfaces

What is used to establish route reachability within an MPLS VPN?

Selective import of BGP routes

How many iBGP sessions are established in the given example?

2

What is the purpose of a route-target in BGP?

To associate a numeric value to all exported routes

What is the purpose of the 'route-target both 101:1' command in the VRF configuration?

To configure the route-target and RD values

What is the IP address of the Loopback0 interface?

12.0.0.1 255.255.255.255

What is the function of a route-distinguisher in BGP?

To make private routes globally unique

What is carried in BGP updates in an MPLS VPN?

Route-target

What is the VRF name configured in the given example?

RED

What is the purpose of the 'ip vrf forwarding RED' command?

To forward traffic to the VRF instance

What is the purpose of the import value in a route-target?

To filter incoming routes

What is the purpose of the 'rd 101:1' command in the VRF configuration?

To configure the RD value

Why is a route-distinguisher used in an MPLS VPN?

To avoid conflict in address space

What is a characteristic of route-targets in an MPLS VPN?

The import and export values do not have to match

What is the main application of MPLS that has caused the most interest?

Layer 3 VPN

What type of routers exchange routes with service provider edge routers?

Customer edge routers

What prevents a CE-PE link from being shared with other customer traffic?

Standard IP traffic

What connects customer sites in an MPLS-VPN reference architecture?

LSRs

What is a key characteristic of an MPLS-VPN service?

Sites in a VPN can communicate only with other sites in the same VPN

What is the function of a PE router in an MPLS-VPN reference architecture?

To peer with CEs that belong to different customers

What is the purpose of a VRF in an MPLS-VPN configuration?

To provide route isolation

What is the benefit of an MPLS-VPN service over dedicated WAN connections?

Increased scalability

What is the purpose of the 'ip vrf forwarding RED' command?

To specify the VRF for the VPN

What is the function of the 'rd 101:1' command in the VRF configuration?

To specify the route distinguisher

What is the purpose of the 'route-target both 101:1' command in the VRF configuration?

To specify the route target for import and export

What is the IP address of the Loopback0 interface?

12.0.0.3

How many iBGP sessions are established in the given example?

2

What is the VRF name configured in the given example?

RED

What is the purpose of a route-target in BGP?

To control the import and export of routes

What is carried in BGP updates in an MPLS VPN?

VPN-IPv4 and VPN-IPv6 routes

What is the label imposed by PE A to identify the next-hop LSR on the IGP path to PE D?

96

What do the LSRs in the core have visibility of?

Labeled traffic along LSPs

What is used to identify which VPN routing table to use for the packet?

The remaining label

What is the purpose of a VPN ID?

To define a VPN in a network

What happens to the packet at the penultimate hop?

The outer label is popped

What is the function of PE D in the MPLS-based Layer 3 VPN configuration?

To use the remaining label to identify which VPN routing table to use for the packet

How does PE D forward the packet after popping the label?

PE D forwards the packet to CE green2

What is the purpose of the IGP in the MPLS-based Layer 3 VPN configuration?

To forward labeled traffic along LSPs

What is the purpose of a VRF in an MPLS-VPN configuration?

To separate customer routing domains

Why do standard commands like ping, telnet, and traceroute need a new parameter in an MPLS-VPN?

Because they need to specify the VPN to originate from

What is the default behavior of a PE in an MPLS-VPN architecture?

To forward traffic directly to its destination

What is the purpose of the 'tag-switching ip' command in the interface configuration?

To enable MPLS on the interface

Why do some enterprise networks need to change the default behavior of a PE in an MPLS-VPN architecture?

Because they require a hub-and-spoke configuration

What is the purpose of the 'neighbor' commands in the BGP configuration?

To establish iBGP sessions between the PEs

What is the benefit of using VRFs in an MPLS-VPN configuration?

To provide a separate routing domain for each customer

Why is a VRF necessary on a PE device in an MPLS-VPN configuration?

To separate the customer routing domains

What is the purpose of the 'tag-switching ip' command in the interface configuration?

To enable label switching on the interface

What is the function of a route-distinguisher in BGP?

To distinguish between routes from different VPNs

What is the purpose of a VRF in an MPLS-VPN configuration?

To isolate customer traffic

What is carried in BGP updates in an MPLS VPN?

IP routes and labels

What is the purpose of the 'ip vrf forwarding RED' command?

To enable VRF forwarding on the interface

What is the purpose of the 'rd 101:1' command in the VRF configuration?

To configure the route-distinguisher for the VRF

How many iBGP sessions are established in the given example?

2

What is the VRF name configured in the given example?

RED

What is the benefit of using MPLS-VPN over dedicated WAN connections between sites?

It is more cost-effective and easier to route between sites

What allows MPLS-VPN to support customer address-space independence?

The forwarding mechanism that uses a two-label hierarchy

What is the purpose of the service provider in an MPLS-VPN network?

To exchange customer routes and carry packets to those routes across its network

What routing protocol does CE red1 use to advertise the 192.168.4.0/24 prefix to PE A?

eBGP

What is the function of PE A in the MPLS-based Layer 3 VPN configuration?

To exchange customer routes and carry packets to those routes across its network

What is the intersite IP topology in an MPLS-VPN implementation?

Arbitrary complexity

What is the advantage of MPLS-VPN over traditional WAN connections?

It is more cost-effective and easier to route between sites

What is the purpose of the two-label hierarchy in MPLS-VPN?

To support customer address-space independence

What is the key benefit of an MPLS-VPN service over dedicated WAN connections?

No architecture change to the customer's network

What is the main application of MPLS that has caused the most interest?

Layer 3 VPN

What connects customer sites in an MPLS-VPN reference architecture?

PE and CE routers

What is the function of a PE router in an MPLS-VPN reference architecture?

To peer with CEs that belong to different customers

What is a characteristic of an MPLS-VPN service?

Sites in a VPN can communicate only with other sites in the same VPN

Why can't a CE-PE link be shared with other customer traffic?

Because standard IP traffic runs over the link

What is the purpose of a VRF in an MPLS-VPN configuration?

To provide a separate routing table for each VPN

What type of routers exchange routes with service provider edge routers?

CE routers

What is the advantage of using MPLS-VPN over dedicated WAN connections?

Cost-effectiveness

How do CE devices exchange routes with PE devices?

Using static or dynamic routing

What is the primary function of the inner label in MPLS-VPN?

Identifying the VPN

What is the result of default MPLS-VPN implementation?

Full-mesh connectivity

What is the purpose of the service provider in MPLS-VPN?

Exchanging customer IP routes

What is the benefit of MPLS-VPN in terms of routing?

Easier routing between CEs

What is the characteristic of intersite IP topology in MPLS-VPN?

Arbitrarily complex

What is the protocol used to exchange prefixes and labels between PE devices?

BGP

What is the purpose of the routing table for each VPN on a PE router?

To store the routes of a specific VPN

How do PE routers announce reachability for each of their attached customer sites?

Using iBGP

What happens when PE A needs to find the route to 192.168.3.0?

It will perform another lookup to find the route

What is the role of PE C in the MPLS-VPN network?

It is a provider edge router

How does PE A identify the next hop for a packet going from CE green1 to CE green2?

It checks the routing table for the green VPN

What is the purpose of the label imposed by PE A on the packet going from CE green1 to CE green2?

To identify the VPN routing table

What is the topology of the iBGP sessions between the PE routers?

Full mesh

How does CE green2 forward IP packets to PE A?

It forwards IP packets to PE A as it would to any other router

What is the purpose of the label 96 imposed by PE A?

To identify the next-hop LSR on the IGP path to PE D

What is the role of LSR B in the packet flow?

To remove the outer label

What is used by PE D to identify which VPN routing table to use for the packet?

The label 22

What is the benefit of using a VPN ID in an MPLS VPN?

It allows for easier definition of a VPN in a network

What is the characteristic of the LSRs in the core?

They do not have visibility of the VPN traffic

What is the role of the IGP in the MPLS VPN?

It is used to forward labeled traffic along LSPs

What is the purpose of the VPN routing table?

To find the outgoing interface and forward the IP packet to CE green2

What is the relationship between the IGP running on the CE-PE links and the IGP running in the service provider core?

They are different IGPs

What might be the reason for a security policy that requires all sites in a certain area to forward traffic through a regional hub?

To use an expensive virus-checking package for e-mail

In a hub-and-spoke topology, what is the role of the hub?

To import routes from all spokes

What is the purpose of route-targets in MPLS VPNs?

To configure the hub-and-spoke topology

What is the characteristic of a hub in a hub-and-spoke topology?

It imports routes from all spokes

What is the purpose of a spoke in a hub-and-spoke topology?

To import routes from the hub

What is the benefit of using route-targets in MPLS VPNs?

It simplifies the configuration of hub-and-spoke topologies

What is the purpose of an extranet in MPLS VPNs?

To provide a VPN with limited reachability of destinations

What is the role of PEs in a hub-and-spoke topology?

To forward traffic between the hub and spokes

What does PE A use to announce reachability for each of its attached customer sites?

iBGP

What is the function of PE C in the given MPLS-VPN configuration?

To import routes into the routing table used for the red VPN

How does PE A identify the next hop for a packet going from CE green1 to CE green2?

By checking the BGP neighbor table

What is the purpose of the label imposed by PE A on the packet going from CE green1 to CE green2?

To identify the VPN routing table

How many iBGP sessions does PE A have in the given example?

2

What is the topology of the iBGP sessions between the PEs?

Full mesh

What is the purpose of a VRF in an MPLS-VPN configuration?

To isolate customer traffic

What is the label imposed by PE A to identify the next-hop LSR on the IGP path to PE D?

22

What is the purpose of the 'update-source Loopback0' command in the BGP peer configuration?

To specify the source IP address of BGP updates

What is the function of a VRF in an MPLS-VPN configuration?

To separate customer routing tables

In an MPLS-VPN network, how does a service provider identify and differentiate between customer routes?

Using a two-label hierarchy with route-distinguishers

What is the function of a VRF in an MPLS-VPN configuration?

To separate customer routes from the service provider's network

What is the purpose of the 'redistribute connected' command in the VRF configuration?

To redistribute connected routes into BGP

What is the purpose of the 'route-target' command in an MPLS-VPN Cisco IOS configuration?

To import/export routes between VRFs

What is the purpose of the 'tag-switching ip' command in the interface configuration?

To enable MPLS VPN on the interface

Why do standard commands like ping, telnet, and traceroute not work in a VRF?

Because they use the global routing table

How do CE devices typically exchange routes with PE devices in an MPLS-VPN network?

Using dynamic routing protocols such as RIP, eBGP, or OSPF

What is the purpose of the 'neighbor 12.0.0.2 send-community extended' command in the BGP configuration?

To send extended community attributes to the BGP peer

What is the function of the 'rd' command in an MPLS-VPN Cisco IOS configuration?

To configure the route-distinguisher for a VRF

What is the benefit of using a VRF in an MPLS-VPN configuration?

It separates customer routing tables

What is the purpose of the 'ip vrf forwarding' command in an MPLS-VPN Cisco IOS configuration?

To associate an interface with a VRF

What is the function of the 'rd 101:1' command in the VRF configuration?

To specify the route distinguisher

What is the benefit of using MPLS-VPN over dedicated WAN connections between sites?

All of the above

What is the purpose of the BGP peer configuration in an MPLS-VPN network?

To advertise customer prefixes to other PEs

What is the primary function of a route-distinguisher in an MPLS-VPN network?

To make sure each BGP peer treats the prefixes as belonging to different networks

Which of the following is true about BGP peer configuration in an MPLS-VPN network?

Only PE devices with the same VPN and matching route-target import the route

What is the purpose of a VRF in an MPLS-VPN configuration?

To separate routing tables for each VPN

What is the purpose of the route-distinguisher in the given MPLS-VPN configuration?

To distinguish between different VPNs on the same PE router

What is required on CE routers in an MPLS-VPN network?

No VRF is required

What is the purpose of the 'neighbor 12.0.0.1 remote-as 101' command in the BGP peer configuration?

To establish an iBGP session with the remote PE router

What is the purpose of the VRF configuration in the given MPLS-VPN example?

To define a virtual routing table for the VPN

What is the purpose of the MPLS-VPN Cisco IOS configuration?

To deploy a simple MPLS VPN

What is the benefit of having the same route-distinguisher throughout a VPN?

It provides operational simplicity

What is the purpose of the 'ip vrf forwarding RED' command in the CE-PE link configuration?

To add the CE-PE link to the VRF

What is populated using information from VRFs?

The LFIBs

What is the purpose of the 'tag-switching ip' command in the interface configuration?

To enable MPLS on the interface

What is the purpose of a VRF in a CE router?

It is not required on CE routers

What is carried in BGP updates in an MPLS VPN?

Both IP prefixes and MPLS labels

What is the purpose of the 'route-target both 101:1' command in the VRF configuration?

To import and export routes to and from the VRF

How many iBGP sessions are established in the given example?

2

Study Notes

MPLS VPN Reference Architecture

• /MPLS VPN is a peer architecture where customer edge (CE) routers exchange routes with service provider edge routers (PE)
• CE routers connect to PE routers, which are connected by Label Switching Routers (LSRs)
• A single PE can peer with CEs that belong to different customers
• CEs can also peer with different PEs that belong to the same or different service providers
• Sites in a VPN can communicate only with other sites in the same VPN

MPLS-VPN Reference Architecture

• Standard IP traffic runs over the CE-PE link, so this link cannot be shared with other customer traffic
• CE and PE do not exchange labels or labeled packets
• MPLS-VPN architecture provides full-mesh connectivity between sites, despite each site having only one link into the service provider cloud
• Intersite IP topology can be of arbitrary complexity

Routing in an MPLS VPN Network

• MPLS-VPN model makes it easier to route between CEs compared to dedicated WAN connections
• Service provider needs to exchange customer IP routes and carry packets to those routes across its network
• MPLS provides a solution that supports customer address-space independence using a two-label hierarchy
• Inner label identifies the VPN and the outer label identifies the destination PE device
• RFC 2547 mandates the use of BGP to exchange prefixes and labels between PE devices

MPLS-VPN Routing

• CEs can use static or dynamic routing (RIP, eBGP, or OSPF) to exchange routes with a PE
• PE imports prefixes announced by the CE into the route table for this VPN
• Each VPN has its own routing table
• PE uses iBGP to announce reachability for each of its attached customer sites
• PEs are in a full iBGP mesh and can run many different VPNs

MPLS-VPN Attributes

• Each VPN on a Cisco router has dedicated interfaces, routing table, local name, and numeric ID
• Rules determine how VPN routes are advertised to peer routers
• Route reachability is established through the selective import of BGP routes
• Several new extended attributes have been added to BGP in accordance with RFC 2547

BGP Attributes

• Route-target: a numeric value associated with all routes exported to BGP peers
• Route-target export value must match the import value at the receiving device
• Route-distinguisher: a BGP attribute that is appended to private routes to make them globally unique

MPLS-VPN Cisco IOS Configuration

• VRF configuration: defines the VPN routing table and imports routes
• Route-target and RD values must match, but VRF names don't have to
• Egress CE-PE link configuration: defines the IP address and routing for the CE-PE link

MPLS-VPN Reference Architecture

• Even with a single link to the service provider cloud, MPLS-VPN architecture allows for full-mesh connectivity between sites.
• The intersite IP topology can be arbitrarily complex, but MPLS-VPN implementations default to full mesh and must be constrained to provide a more hierarchical model.
• MPLS-VPN makes it easier to route between CEs compared to using dedicated WAN connections between sites and routing over point-to-point networks.

MPLS-VPN Architecture

• MPLS-VPN uses a two-label hierarchy, where the inner label identifies the VPN and the outer label identifies the destination PE device.
• RFC 2547 mandates the use of BGP to exchange prefixes and labels between PE devices.
• Customer address-space independence is achieved using a forwarding mechanism.

Routing in an MPLS VPN Network

• CE devices can use static or dynamic routing (RIP, eBGP, or OSPF) to exchange routes with a PE.
• The packet must travel across the MPLS network, so PE A imposes another label that identifies the next-hop LSR on the IGP path to PE D.
• Each LSR in the core swaps labels and forwards the packet as normal toward PE D.
• The penultimate hop pops the outer label, and PE D uses the remaining label to identify which VPN routing table to use for the packet.

Packet Flow in MPLS-VPN Network

• LSRs have no visibility of the VPN traffic and forward labeled traffic along LSPs established by the routing protocol running in the service provider core.
• The IGP running on the CE-PE links can be different from the IGP running on the core.

MPLS-VPN Attributes

• Defining an MPLS VPN is harder than expected, and a VPN ID has been introduced to address this problem.
• The underlying network topology is the same as used in the examples.

MPLS-VPN Configuration

• PE configuration involves setting up a VRF for the VPN with route-distinguisher and route-target values.
• Each CE-PE link needs to be added to the VRF.
• iBGP is used to establish sessions to peers.
• The VPNv4 address-family establishes the peers as being MPLS-VPN savvy.

LSR Configuration

• LSR configuration is straightforward and involves setting up core-facing links.

PE Configuration

• PE configuration involves setting up a VRF for the VPN with route-distinguisher and route-target values that match the other side of the network.
• Egress CE-PE link and core-facing links need to be configured.

VRF Options

• Ping, telnet, and traceroute have VRF options to make them usable between PEs.
• Standard commands don't work because they use the global routing table, which is different from the VRF.
• VRF represents an entirely private routing space.

MPLS VPN Reference Architecture

• MPLS VPN is a Layer 3 VPN that allows for full-mesh connectivity between customer sites without point-to-point connections.
• Customer Edge (CE) routers connect to Service Provider Edge (PE) routers, which are connected by Label Switching Routers (LSRs).
• A single PE can peer with multiple CEs from different customers.
• CE-PE links are standard IP traffic and cannot be shared with other customer traffic.

Routing in an MPLS VPN Network

• Customer routes are advertised in an MPLS VPN network using Border Gateway Protocol (BGP).
• CE routers can use static or dynamic routing (RIP, eBGP, or OSPF) to exchange routes with a PE.
• Each VPN has its own routing table, and PE routers use iBGP to announce reachability for each attached customer site.
• PE routers are in a full iBGP mesh and can run multiple VPNs.

MPLS-VPN Packet Flow

• When traffic needs to go between sites, the CE forwards IP packets to the PE as it would to any other router.
• The PE identifies the next hop (PE) for the packet as a BGP neighbor and imposes a label that identifies the VPN routing table.
• The packet is then forwarded across the MPLS network, where each LSR swaps labels and forwards the packet towards the next hop.
• The penultimate hop pops the outer label, and the final PE uses the remaining label to identify the VPN routing table and forward the packet to the CE.

MPLS-VPN Attributes

• Defining an MPLS VPN requires a VPN ID, which is a unique identifier for a VPN in a network.
• MPLS VPNs can be deployed as hub-and-spoke topologies using route-targets.
• Route-targets are used to control the flow of traffic between sites in a VPN.

VRF (Virtual Routing and Forwarding)

• A VRF is a virtual routing table used to separate customer traffic in an MPLS VPN.
• Each VRF has its own routing table and is used to forward traffic between sites in a VPN.

MPLS-VPN Configuration

• Cisco IOS configuration for MPLS VPN involves defining the VRF, route-targets, and importing/exporting routes between VPNs.
• Examples of configuration commands are shown for hub-and-spoke topologies and extranets.

MPLS-VPN Configuration

• A CE uses RIPv2 to announce prefixes to a PE.
• The PE imports the prefixes into the route table for its VPN.
• Each VPN has its own routing table.
• A PE uses iBGP to announce reachability for each of its attached customer sites.

PE Configuration

• A PE has its own routing table for each VPN.
• A PE announces itself as the next hop for routes.
• A PE identifies the next hop (another PE) for a packet as a BGP neighbor.
• A PE imposes a label that identifies the VPN routing table to the next hop PE.

MPLS-VPN Operation

• Traffic between sites is forwarded by CEs to the PE as it would to any other router.
• A PE announces routes to all its PE peers, but only those with the same VPN and matching route-target import it.
• The route-distinguisher (RD) is included in the routing exchange to make sure that each BGP peer treats the prefixes as belonging to different networks.

VRFs

• VRFs are populated by routing processes associated with each VPN.
• In Cisco IOS, there are independent OSPF processes for each VPN, but BGP is a single process across the whole router.
• LFIBs are populated using information from VRFs.
• No VRFs are required on CE routers.

Cisco IOS Configuration

• The configuration extracts are necessary to deploy a simple MPLS VPN.
• A VRF is set up for the VPN with a route-distinguisher, route-target, and interface configurations.
• iBGP is configured to announce reachability for each of its attached customer sites.

Full-Mesh Configuration

• MPLS-VPN architecture provides full-mesh configuration by default.
• A PE forwards traffic directly to its destination.
• The intersite IP topology can be of arbitrary complexity.
• MPLS-VPN implementations default to full mesh and must be constrained to provide a more hierarchical connectivity model.

Description

Learn about MPLS VPN reference architecture, routing, attributes, VRF, and Cisco IOS configuration. This chapter covers the configuration of MPLS based Layer 3 VPN on Cisco Routers.