Cisco Systems OL-4344-01 manual Route Target Communities, CE Routing Communities

Page 19

Chapter 1 About Cisco IP Solution Center

About MPLS VPNs

ISC chooses route target values by default, but you can override the automatically assigned RT values if necessary when you first define a CERC in the ISC software (see the “Defining CE Routing Communities” section on page 4-5).

Route Target Communities

The mechanism by which MPLS VPN controls distribution of VPN routing information is through the VPN route-target extended MP-BGP communities. An extended MP-BGP community is an eight octet structure value. MPLS VPN uses route-target communities as follows:

When a VPN route is injected into MP-BGP, the route is associated with a list of VPN route-target communities. Typically, this is set through an export list of community values associated with the VRF from which the route was learned.

An import list of route-target communities is associated with each VRF. This list defines the values that should be matched against to decide whether a route is eligible to be imported into this VRF.

For example, if the import list for a particular VRF is {A, B, C}, then any VPN route that carries community value A, B, or C is imported into the VRF.

CE Routing Communities

A VPN can be organized into subsets called CE routing communities, or CERCs. A CERC describes how the CEs in a VPN communicate with each other. Thus, CERCs describe the logical topology of the VPN. ISC can be employed to form a variety of VPN topologies between CEs by building hub and spoke or full mesh CE routing communities. CERCs are building blocks that allow you to form complex VPN topologies and CE connectivity.

The most common types of VPNs are hub-and-spokeand full mesh.

A hub-and-spoke CERC is one in which one or a few CEs act as hubs, and all spoke CEs talk only to or through the hubs, never directly to each other.

A full mesh CERC is one in which every CE connects to every other CE.

These two basic types of VPNs—full mesh and hub and spoke—can be represented with a single CERC.

Whenever you create a VPN, the ISC software creates one default CERC for you. This means that until you need advanced customer layout methods, you will not need to define new CERCs. Up to that point, you can think of a CERC as standing for the VPN itself—they are one and the same. If, for any reason, you need to override the software’s choice of route target values, you can do so only at the time you create a CERC in the ISC software (see the “Defining CE Routing Communities” section on page 4-5).

To build very complex topologies, it is necessary to break down the required connectivity between CEs into groups, where each group is either fully meshed, or has a hub and spoke pattern. (Note that a CE can be in more than one group at a time, so long as each group has one of the two basic patterns.) Each subgroup in the VPN needs its own CERC. Any CE that is only in one group just joins the corresponding CERC (as a spoke if necessary). If a CE is in more than one group, then you can use the Advanced Setup choice during provisioning to add the CE to all the relevant groups in one service request. Given this information, the provisioning software does the rest, assigning route target values and VRF tables to arrange exactly the connectivity the customer requires. You can use the Topology tool to double-check the CERC memberships and resultant VPN connectedness.

Cisco IP Solution Center, 3.0: MPLS VPN Management User Guide, 3.0

 

OL-4344-01

1-19

 

 

 

Image 19
Contents About Cisco IP Solution Center ISC Network Management Subnet Overview of ISCISC Features Service Provider Network for Vlan ID Management Resource Pools Access Domain AssignedVPN Service Profile-Based Provisioning Features and Functions Provided in Provisioning with ISCRole-Based Access Control Rbac CPE Customer’s View of the Network Customer’s and Provider’s View of the NetworkAbout Multi-VRF CEs About Provider Edge Routers PEsA Multi-VRF CE Providing Layer 3 Aggregation Mapping IPsec Tunnels to Mpls VPNs Using Templates to Customize Configuration FilesUses for the Template Function Auditing Service RequestsVPNs Sharing Sites About Mpls VPNsIntranets and Extranets Characteristics of Mpls VPNsVPN Routing and Forwarding Tables VRFs Ip vrf site2 rd VRF Implementation ConsiderationsRoute Distinguishers and Route Targets Creating a VRF InstanceCE Routing Communities Route Target CommunitiesHub and Spoke Considerations Routing Separation Security Requirements for Mpls VPNsAddress Space and Routing Separation Address Space SeparationHiding the Mpls Core Structure Securing the Routing Protocol Resistance to AttacksLabel Spoofing PE-CE Interface Routing AuthenticationSecuring the Mpls Core Trusted DevicesSeparation of CE-PE Links LDP AuthenticationConnectivity Between VPNs Security Through IP Address Resolution MP-BGP Security FeaturesEnsuring VPN Isolation North Bound Interface NBIAPI Functionality Supported NBI Benefits Distributed Load BalancingAPI Approach 11 Simple Flat-Based Server Load Balancing Configuration Client tier Four-Tier System ArchitectureControl tier