Cisco Systems OL-4344-01 manual Creating a VRF Instance, Route Distinguishers and Route Targets

Page 18

Chapter 1 About Cisco IP Solution Center

About MPLS VPNs

The MPLS VPN backbone relies on the appropriate Interior Gateway Protocol (IGP) that is configured for MPLS, for example, EIGRP, or OSPF. When you issue a show ip route command on a PE, you see the IGP-derived routes connecting the PEs together. Contrast that with the show ip route vrf VRF_name command, which displays routes connecting customer sites in a particular VPN.

Creating a VRF Instance

The configuration commands to create a VRF instance are as follows:

 

Command

Description

Step 1

 

 

Router# configure terminal

Enter global configuration mode.

 

Router(config)#

 

Step 2

 

 

Router(config)# ip vrf vrf_name

For example, ip vrf CustomerA initiates a VPN routing table

 

 

and an associated CEF table named CustomerA. The command

 

 

enters VRF configuration submode to configure the variables

 

 

associated with the VRF.

Step 3

 

 

Router(config-vrf)# rd RD_value

Enter the eight-byte route descriptor (RD) or IP address. The PE

 

 

prepends the RD to the IPv4 routes prior to redistributing the

 

 

route into the MPLS VPN backbone.

Step 4

 

 

Router(config-vrf)#route-target import

Enter the route-target information for the VRF.

 

export both community

 

 

 

 

Route Distinguishers and Route Targets

MPLS-based VPNs employ BGP to communicate between PEs to facilitate customer routes. This is made possible through extensions to BGP that carry addresses other than IPv4 addresses. A notable extension is called the route distinguisher (RD).

The purpose of the route distinguisher (RD) is to make the prefix value unique across the backbone. Prefixes should use the same RD if they are associated with the same set of route targets (RTs) and anything else that is used to select routing policy. The community of interest association is based on the route target (RT) extended community attributes distributed with the Network Layer Reachability Information (NLRI).The RD value must be a globally unique value to avoid conflict with other prefixes.

The MPLS label is part of a BGP routing update. The routing update also carries the addressing and reachability information. When the RD is unique across the MPLS VPN network, proper connectivity is established even if different customers use non-unique IP addresses.

For the RD, every CE that has the same overall role should use a VRF with the same name, same RD, and same RT values. The RDs and RTs are only for route exchange between the PEs running BGP. That is, for the PEs to do MPLS VPN work, they have to exchange routing information with more fields than usual for IPv4 routes; that extra information includes (but is not limited to) the RDs and RTs.

The route distinguisher values are chosen by the ISC software.

CEs with hub connectivity use bgp_AS:value.

CEs with spoke connectivity use bgp_AS:value + 1

Each spoke uses its own RD value for proper hub and spoke connectivity between CEs; therefore, the ISC software implements a new RD for each spoke that is provisioned.

Cisco IP Solution Center, 3.0: MPLS VPN Management User Guide, 3.0

1-18

OL-4344-01

 

 

Image 18
Contents About Cisco IP Solution Center Overview of ISC ISC Network Management SubnetISC Features Service Provider Network for Vlan ID Management Access Domain Assigned Resource PoolsFeatures and Functions Provided in Provisioning with ISC VPN Service Profile-Based ProvisioningRole-Based Access Control Rbac CPE Customer’s and Provider’s View of the Network Customer’s View of the NetworkAbout Provider Edge Routers PEs About Multi-VRF CEsA Multi-VRF CE Providing Layer 3 Aggregation Using Templates to Customize Configuration Files Mapping IPsec Tunnels to Mpls VPNsAuditing Service Requests Uses for the Template FunctionAbout Mpls VPNs VPNs Sharing SitesCharacteristics of Mpls VPNs Intranets and ExtranetsVPN Routing and Forwarding Tables VRFs VRF Implementation Considerations Ip vrf site2 rdCreating a VRF Instance Route Distinguishers and Route TargetsRoute Target Communities CE Routing CommunitiesHub and Spoke Considerations Address Space Separation Security Requirements for Mpls VPNsAddress Space and Routing Separation Routing SeparationHiding the Mpls Core Structure Resistance to Attacks Securing the Routing ProtocolLabel Spoofing Trusted Devices Routing AuthenticationSecuring the Mpls Core PE-CE InterfaceLDP Authentication Separation of CE-PE LinksConnectivity Between VPNs MP-BGP Security Features Security Through IP Address ResolutionNorth Bound Interface NBI Ensuring VPN IsolationAPI Functionality Supported Distributed Load Balancing NBI BenefitsAPI Approach 11 Simple Flat-Based Server Load Balancing Configuration Four-Tier System Architecture Client tierControl tier