Configuring Basic MPLS-VPN Network

One of the most popular MPLS applications is MPLS VPN. MPLS VPN allows a service provider, or even a large enterprise, to offer Layer 3 VPN services. It is often used to replace older Layer 2 WAN services such as Frame Relay and ATM. Because MPLS VPNs are aware of customer networks while still providing private WAN services, they can offer various additional services compared to Frame Relay and ATM.

MPLS VPNs use MPLS unicast IP forwarding inside the SP network, with additional MPLS-aware features at the edge between the provider and the customer. MPLS VPNs use MP-BGP to overcome the problem of overlapping IP address spaces between different customers. This post mainly shows how to configure a basic MPLS VPN network with 2 customers of 2 sites each and 3 SP routers. The basics of MPLS and MPLS VPNs are explained in other posts. This lab shows how to configure MPLS VPN with different routing protocols. You can also build this lab in GNS3 with a suitable IOS image.

For this scenario, we have:

  1. Customer A with sites CE_A_1 and CE_A_2
  2. Customer B with sites CE_B_1 and CE_B_2
  3. SP network with 2 PE (PE_1 and PE_2) routers and 1 P router
  4. Routing protocols:
  • OSPF in SP network and between CE_A_1 and PE_1,
  • EIGRP between CE_A_2 and PE_2
  • BGP between CE_B_1 and PE_2
  • RIP between CE_B_2 and PE_1


CCNP Switch – Lab 2

Logical Topology

CCNP Switch – Lab 1

Logical Topology

First Hop Redundancy Protocols

Router Redundancy in MLS

  • A multilayer switch can act as the IP gateway for hosts in a VLAN through an SVI or a routed Layer 3 physical interface
  • These switches can also participate in routing protocols just as routers do
  • To provide first hop redundancy, we need two switches with two IP addresses and hosts pointing to those gateways
  • First Hop Redundancy Protocols (FHRP) achieve this so that users have stateful failover if one of the devices goes down
  • In the normal packet flow, when a host sends packets destined outside its network, it sends them to the default gateway; the destination MAC address of the frame is the default gateway's MAC address
  • This creates a problem when there are two devices acting as gateways with different IP and MAC addresses
  • FHRP solves this by using a virtual IP address common to both devices, together with a virtual MAC address
  • The host sends packets normally; the active device answers the host's ARP requests and forwards the traffic accordingly. If the active device fails, the standby device takes over forwarding
  • This process is completely transparent to the end user

Advanced Spanning Tree Protocols

Rapid Spanning Tree Protocol (RSTP) – 802.1w

  • RSTP was developed mainly to improve STP convergence time after link failures and topology changes
  • The Cisco proprietary UplinkFast and BackboneFast features are built into RSTP
  • RSTP works by communicating with the other switches and keeping the network loop free
  • Compared to traditional STP, RSTP has more port roles and fewer port states
  • In traditional STP, BPDUs originate from the Root Bridge; in RSTP, BPDUs are sent out every switch port at hello time intervals, regardless of whether BPDUs are received from the root. Because of this, any switch anywhere in the network can play an active role in maintaining the topology
  • Failure detection in RSTP is very quick: 3 missed Hellos (6 seconds)

Spanning Tree Protocol (STP) – 802.1d

Bridging loops:

  • A Layer 2 switch has to be completely transparent to the user. The switch has no initial knowledge of any end device's location; it learns a MAC address by listening to frames arriving on a port and inserts that entry into its CAM table
  • The switch segments only collision domains, NOT broadcast domains, so when an unknown unicast, broadcast, or multicast frame arrives, the switch must forward it out all ports except the port it was received on
  • Frames forwarded across the switch cannot be modified by the bridge itself; therefore the switching process is effectively transparent
  • Bridging and switching work really well in a hub-and-spoke or star topology. As soon as a second switch is added for redundancy, there is a possibility of loops
  • The process of forwarding a single frame around and around between two switches is known as a bridging loop
  • This happens more often with broadcasts, creating a broadcast storm that ultimately chokes the CPU and bandwidth
  • To prevent this, Spanning Tree Protocol (STP) is used

Preventing loops with STP:

  • STP was developed to overcome the possibility of bridging loops so that redundant switches and switch paths could still be used for their benefits
  • The protocol enables switches to become aware of each other so they can negotiate a loop-free path through the network
  • Once loops are discovered, the redundant links are shut down to prevent loops from forming. If the primary path fails, the blocked link comes up so the secondary path can be used
  • STP is communicated to all the switches in the network, and each switch runs the STP algorithm to compute the loop-free path
  • The algorithm chooses a reference point in the network and calculates all the redundant paths to that reference point. Once the redundant paths are found, the STP algorithm picks one path by which to forward frames and disables or blocks the other redundant paths

EtherChannel

  • Two to eight links of FastEthernet (FE), Gigabit Ethernet (GE), or 10Gigabit Ethernet (10GE) are bundled as one logical link of Fast EtherChannel (FEC), Gigabit EtherChannel (GEC), or 10Gigabit EtherChannel (10GEC) respectively
  • This bundle provides full-duplex bandwidth of up to 1600 Mbps on FEC, 16 Gbps on GEC, or 160 Gbps on 10GEC
  • EtherChannel provides load balancing and failover on inter-switch links
  • If one of the bundled links goes down, STP does not have to reconverge; the traffic fails over to the other members of the EtherChannel. Once the link is back up, it is used for traffic forwarding right away. This failover process is transparent to the user
  • EtherChannel works by distributing traffic across all links within the EtherChannel using the configured load-balancing algorithm
  • Load balancing can be based on source IP, destination IP, a combination of source and destination IP, source and destination MAC address, or TCP/UDP port numbers
  • An EtherChannel can have a maximum of 8 physical ports of the same Ethernet media type and speed. The configuration has to be identical on all the links
  • EtherChannels can be configured as Layer 2 or Layer 3 links. The order of operations is very important when configuring an EtherChannel
  • When an interface is made part of an EtherChannel group, a logical interface called "Port-Channel" is created. Any command applied to this port-channel interface is inherited by the members of that EtherChannel, so all the member links are configured identically
  • EtherChannel group numbers range from 1 to 64
  • The recommended way to create an EtherChannel is to first select all the interfaces that will be part of it with the range command and put them in the EtherChannel group. Once that is done, the port-channel interface is created and additional commands are applied to that port-channel interface. For a Layer 3 EtherChannel, give the selected member links the "no switchport" command before applying the EtherChannel group command
  • For Layer 3 EtherChannels, the IP address is assigned to the port-channel interface

Vlan Trunking Protocol (VTP)

  • VTP is a Cisco proprietary protocol developed to manage VLANs across the campus network
  • VTP uses Layer 2 trunk frames to communicate VLAN information with other switches in the domain
  • VTP manages the addition, deletion, and renaming of VLANs across the network from a central point of control
  • VTP advertisements are propagated out through the trunk links, hence the name VLAN Trunking Protocol

VTP Domains:

  • VTP is organized into management domains, or areas with common VLAN requirements
  • A switch can belong to only one domain
  • Switches in different VTP domains do not share VLAN information
  • Whenever a new VLAN is added, deleted, or renamed on a switch in the management domain, the other switches are notified of the change via VTP advertisements
  • Each VTP advertisement contains the VTP management domain, the VTP revision number, the known VLANs, and specific VLAN parameters
  • VTP domain names are case sensitive

Vlans and Trunks

Virtual LANs (VLANS)

  • In a traditional flat network topology, the whole network is a single broadcast domain, which allows all broadcast packets to traverse the entire topology
  • A flat network cannot offer redundant paths for load balancing or fault tolerance
  • VLANs overcome the problems of a flat network by creating multiple broadcast domains
  • Each VLAN is one broadcast domain, and broadcast traffic is limited to the ports enabled for that VLAN
  • VLAN hosts can be anywhere within the network and are reachable by all other members as long as VLAN connectivity can be provided among all members

VLAN memberships:

1) Static VLANs

  • Static VLANs offer port-based membership, in which switchports are assigned to specific VLANs
  • Switchports are assigned to VLANs by manual intervention of the network administrator, hence static in nature
  • Each port receives a Port VLAN ID (PVID) that associates it with a VLAN number
  • Traffic from one VLAN to another is not allowed even though the devices are connected to the same switch; a Layer 3 device is needed to route packets between VLANs
  • By default all switchports are assigned to VLAN 1, with an MTU size of 1500 bytes
  • For traffic to traverse a VLAN, that VLAN has to be created on the switch first, and then the ports are assigned to that VLAN
  • By default the VLAN range on the switch is 1 – 1005. VLANs 1002 – 1005 are reserved for legacy purposes
  • Catalyst switches also support extended VLANs from 1 – 4096 as long as the VTP mode is set to transparent
  • The switchport mode access command forces the port to be assigned to 1 VLAN only

2) Dynamic VLANs

  • Dynamic VLANs provide membership based on the MAC address of the device
  • When a device is connected to the switch, the switch must query a database to find out which VLAN that MAC address belongs to
  • This VLAN implementation requires high administrative overhead, so it is not widely used

Switch Port Configuration

Ethernet Concepts

Ethernet technology is based on the IEEE 802.3 standard. There are multiple types of Ethernet ports based on their speed: Ethernet, FastEthernet, GigabitEthernet, and 10GigabitEthernet. Ethernet is a broadcast medium, which allows switches to be in one big broadcast domain.

Ethernet (802.3):

  • Based on CSMA/CD technology, which requires transmitting stations to back off for a random period of time when a collision occurs
  • The speed of this port is 10Mbps and the default operation is half-duplex, meaning the station cannot transmit and receive at the same time
  • The port is capable of operating at full-duplex, which means transmitting and receiving at the same time. This increases network performance to 10Mbps in each direction
  • There is a physical cabling limitation of a maximum distance of 100 meters between devices
  • Ethernet is usually found in the access layer rather than the distribution or core layers because of its low bandwidth
  • This technology does not support link aggregation (EtherChannel)

Fast Ethernet (802.3u):

  • The Ethernet cabling schemes, CSMA/CD operation, and all upper-layer protocol operations are maintained from the regular Ethernet standard
  • The speed of the port is 100Mbps, and default auto-negotiation with another Fast Ethernet port results in full-duplex operation
  • If speed and duplex are hard-coded on one end to 100/full and set to auto on the other, the auto side will sync up to 100Mbps but duplex will settle at half
  • These links are used in the access layer and sometimes also in the distribution layer
  • These links support link aggregation (EtherChannel)
  • These ports are also known as 10/100 ports because they are capable of operating at both 10Mbps and 100Mbps
  • The link speed is determined by the electrical signalling. If the ports are set to auto-negotiation, they will use the highest speed common to both