
MPLS Enterprise Switching

Product Update and Designs


Sankar Venkat

Product Manager

Minhaj Uddin

Technical Marketing Engineer

Session ID : BRKMPL-1102

Agenda

Introduction

Segmentation in Enterprise

MPLS Designs for Enterprise

MPLS Product Update

MPLS Configurations

Q&A

Summary

Session Goals
This session will focus on MPLS for
Campus Switching network deployments.
At the end of the session, the participants should:

Understand different Segmentation Options

Understand the building blocks of MPLS in Enterprise

Understand different MPLS designs and use cases

Understand the different product options for MPLS design

Understand typical configurations for MPLS in Enterprise

BRKMPL-1102

2016 Cisco and/or its affiliates. All rights reserved. Cisco Public

MPLS Enterprise Requirements

A unique Standards Based Segmentation Technology across LAN-WAN

Enterprise/Campus Segmentation

Basic MPLS Features
L3 VPN (IPv4), L3 VPN (IPv6)
L2 VPN (EoMPLS)
Multicast VPN (MVPN)

Data Center Interconnect / Inter-Campus Connect over WAN
L2 extensions with EoMPLS
Pseudowires, VPLS, H-VPLS, Advanced VPLS

Advanced MPLS Features
MPLS services with NetFlow, QoS, Multicast
Multi-tenancy / Dual Homing
Traffic Engineering, High Availability / Fast Reroute



Network Virtualization with MPLS

(Diagram: a campus and its branches, a primary data center with a mirrored backup data center and storage, and Bay Area, AsiaPac and Washington data centers. L2 in the access, L3 (MPLS) in the campus core and across the Enterprise WAN (MPLS) to the WAN edge; the service provider network and the Internet sit outside. PE routers border the MPLS core and CE routers attach the data centers; call-outs show L2 VPN for the DC interconnect, branch-to-DC connectivity and enterprise segmentation.)

Segmentation in Enterprise

Factors for Network Segmentation

Unique security policies per logical domain

Traffic isolation per application, group, service etc

Logically separate traffic using one physical infrastructure


(Diagram: Guest Access, a Merged Company and Isolated Services each get their own virtual network; every such virtual private network runs over the one actual physical infrastructure.)

Network Segmentation Benefits

Service isolation

Telephony systems, badging, building control, surveillance


Security policies are unique to each virtual group/service

Meet regulatory compliance requirements (HIPAA, PCI, SOX, etc.)

(Diagram: the same three virtual networks at three trust levels, Guest Access at low security, Merged Company at medium security and Isolated Services at high security, all sharing the actual physical infrastructure.)

Network Segmentation Use Cases

(Diagram of use cases and the groups they keep apart: Line of business (Sales, Finance, HR); Payment Card Industry (POS network vs. other network); Hospital network (medical devices, doctors, staff); Mergers and Acquisitions; Multi-Tenancy (partners); Bring-Your-Own-Device (BYOD); Internet access.)

Segmentation Options in Enterprise

(Diagram: endpoints on Voice, Data and Guest VLANs; VPN plus SGT carried at every hop; Cisco ISE as the policy source.)

Traditional Segmentation
VLAN/VRF-Lite based segmentation
Policy enforcement is done using ACLs and firewall rules
CLI based manageability

TrustSec Based Segmentation
User/device group based segmentation
Security Group Tags (SGT) used to create user/device group policies
Cisco ISE based manageability

MPLS Based Segmentation
L2/L3 VPN based logical segmentation
MPLS labels used to identify and create traffic isolation between the groups
CLI based manageability

VLAN Based Segmentation

(Illustration: a long access-list 102 of deny/permit lines keyed to source and destination IP addresses and port ranges, the IP based policy this model depends on, sitting in front of the applications.)

Classification (access layer): static or dynamic VLAN assignments; Employee, Supplier and BYOD users and non-compliant endpoints are placed in Data, Guest, BYOD, Voice or Quarantine VLANs

Propagation (aggregation layer, enterprise backbone): carry segment context through the network using VLAN, IP address, VRF-Lite; VACLs at the aggregation layer

Enforcement: IP based policies, ACLs and firewall rules

Limitations of Traditional Segmentation
Security policy based on topology
Not scalable
Complex provisioning
No notion of user/device group

Cisco TrustSec Segmentation

Simplified segmentation with group based policy

Classification (campus switch): static or dynamic SGT assignments, e.g. Employee Tag, Supplier Tag, Non-Compliant Tag; voice, employee, supplier and non-compliant endpoints can share VLAN A or VLAN B because the policy follows the tag, not the VLAN

Propagation (enterprise backbone): carry group context through the network using only the SGT

Enforcement (DC switch or firewall in front of shared services and application servers): group based policies, ACLs and firewall rules; the DC switch receives policy from ISE for only what is connected


MPLS Designs for Enterprise

Why choose MPLS in Enterprise?

End-to-end solution: Campus, MAN, WAN, DC head-end
Standards-based
Layer 3 VPN / Segmentation
IPv6: 6VPE, 6PE

MPLS Services
IPv4 VPN: provides any-to-any connectivity
Multicast VPN
Layer 2 VPN: Ethernet over MPLS, point-to-point pseudowire, multipoint VPLS/H-VPLS
MPLS QoS
MPLS over WAN
Path selection: Traffic Engineering
Node/link protection: Fast Reroute (FRR), 50 msec switchover

MPLS Fundamentals Recap

Device Virtualization
Physically one device, logically many devices
Virtualized at both the control plane and the data plane
Virtual devices: switch, router, firewall
VRF: Virtual Routing and Forwarding (e.g. VRF Red, VRF Green, VRF Blue on one switch)

MPLS-VPN Terminology

(Diagram: PE routers at the edge of the MPLS core, LDP between PE and P routers, MP-BGP between the PEs.)

PE (Provider Edge) router
Imposes and removes MPLS labels
Runs an IGP, LDP and MP-BGP

P (Provider) router
Connects into the PE, swaps (translates) labels
Runs an IGP and LDP

CE (Customer Edge) router
Connects into the PE

Label Distribution Protocol (LDP)
IGP prefix to label binding

Multi-Protocol BGP
Address-family support (IPv4, IPv6, multicast, etc.)
Used for VRF route exchange

MPLS-VPN Label Stack

MPLS VPN packet format: 4 byte IGP label | 4 byte VPN label | original packet

The outer (top) label is the IGP/transport label learned through LDP; it carries the packet across the P routers to the egress PE. The inner (bottom) label is the VPN label advertised in MP-BGP; the egress PE uses it to select the VRF and outgoing interface. P routers never look past the top label.

MPLS-VPN Label Exchange

(Diagram: PE1 - P2 - P3 - PE4 running OSPF in the core. PE1 holds VRF RED (RT 1:1, 172.16.1.0) and VRF GRN (RT 1:2, 172.17.1.0); PE4 holds the same two VRFs with 172.16.4.0 and 172.17.4.0. Each router keeps a routing table, a FIB and an LFIB.)

IGP label exchange: LDP binds labels to the OSPF-learned prefixes (including the PE loopbacks) hop by hop across P2 and P3, filling the LFIBs.

MP-BGP: PE1 advertises 172.16.1.0 with RT=1:1, NH=PE1 and a VPN label, and 172.17.1.0 with RT=1:2, NH=PE1 and a VPN label. PE4 imports 172.16.1.0 (RT 1:1) into VRF RED and 172.17.1.0 (RT 1:2) into VRF GRN, and installs them in the VRF FIBs.

MPLS-VPN Packet Flow

(Same topology as the label exchange diagram: PE1 - P2 - P3 - PE4, OSPF core, VRF RED with RT 1:1 and VRF GRN with RT 1:2 on each PE.)

A packet from the CE behind PE4, destined for 172.16.1.0, enters PE4 in VRF RED. PE4 imposes the VPN label it learned from PE1 in MP-BGP and, on top of it, the IGP label for next hop PE1: 4 byte IGP label | 4 byte VPN label | original packet. P3 and P2 swap the IGP label using their LFIBs without looking at the VPN label or the IP header. At PE1 the IGP label is gone and the VPN label selects VRF RED and the interface toward 172.16.1.0.

MPLS-VPN Terminology

Route Distinguisher (RD): 64 bit value prepended to a prefix so that overlapping prefixes from different VPNs stay unique in BGP

Route Target (RT): 64 bit extended community attached to a route, used for importing and exporting routes between VRFs

VPN-IPv4 address: the 64 bit RD plus the 32 bit IPv4 address (96 bits)

VPN-IPv6 address: the 64 bit RD plus the 128 bit IPv6 address (192 bits)

Segmentation is decided by route targets, not by route distinguishers: a VRF receives every route carrying an RT on its import list, whatever RD that route was advertised with.

MPLS-VPN - Routing and Switching

(Diagram: CE - PE - MPLS VPN core - PE - CE, mapped onto the campus switching layers: access (CE), distribution (PE), core.)

MPLS L3 VPN

MPLS L3 VPN Campus Segmentation Use Cases: end to end network virtualization

Standard Access: L3 VPN from the core down to the distribution layer, L2 access below it
Routed Access: L3 VPN extended down to the access layer (e.g. Catalyst 3850)
Collapsed Access: L3 VPN on a collapsed core/distribution with the access (e.g. Catalyst 3850) attached directly

MPLS L3 VPN for IPv4

(Diagram: sites A, B, C and D, each with a PE at the distribution layer and CE/access switches in IPv4 VRFs BLUE, RED and GREEN; P routers in the core run the IGP with the PEs; MP-BGP between the PEs carries the VRF routes.)

MPLS L3 VPN for IPv6 (6VPE)

(Diagram: the same four sites, now with 6VPE at the distribution layer; VRF RED carries IPv6 while VRFs BLUE and GREEN stay IPv4; IGP in the core, MP-BGP between the PEs.)

IPv6 VPN Provider Edge (6VPE) over MPLS

6VPE is like a regular IPv4 MPLS VPN provider edge (PE), with the addition of IPv6 support within Virtual Routing and Forwarding (VRF).

Provides logically separate routing table entries for VPN member devices for IPv4 and IPv6.

IPv6 over MPLS (6PE)

(Diagram: IPv6 sites attached to 6PE routers across an IPv4-only P core; MP-BGP between the 6PEs.)

P routers in the MPLS core are not IPv6 aware and just use the IPv4 MPLS control plane
PE routers are dual stack: IPv4 MPLS control plane with the core, native IPv6 with the IPv6 routers
P and PE routers share a common IPv4 IGP
6PE routers are MP-BGP4 capable

6PE carries global (non-VRF) IPv6 reachability over the IPv4 MPLS core; when IPv6 traffic must be segmented per VRF, 6VPE is the option to use.

MPLS-VPN BGP Scalability: iBGP Neighbor Relationships

iBGP requires a full mesh of neighbors: N * (N-1) / 2 sessions, e.g. 8 * 7 / 2 = 28 for eight PEs, and every new PE must be configured on every existing PE.

MPLS-VPN Scale Considerations

BGP Scalability: Route Reflectors
Use purpose-built RRs
Don't place RRs in the data path
Geographically diverse
Non-transit devices

(Diagram: two route reflectors peering with all the PEs in place of the full mesh.)

L2 VPNs

L2-VPN Basics

PE1:
interface Loopback0
 ip address 192.168.0.1 255.255.255.255
!
interface Ethernet0/0
 no ip address
 xconnect 192.168.0.2 123 encapsulation mpls

PE2:
interface Loopback0
 ip address 192.168.0.2 255.255.255.255
!
interface Ethernet0/0
 no ip address
 xconnect 192.168.0.1 123 encapsulation mpls

Pseudowire packet format across the MPLS network: Ethernet header | MPLS label (transport) | MPLS label (PW-ID / VC label) | Ethernet payload

Each PE points its xconnect at the peer's loopback, and the PW-ID (123 here) must match on both ends for the pseudowire to come up.

Virtual Private LAN Service (VPLS)

(Diagram: CE-1 and CE-2 attached to PE-1 and PE-2, with PE-3 completing a full mesh of pseudowires across the MPLS core.)

VPLS allows MPLS networks to offer Layer 2 Ethernet services
It provides a multipoint Ethernet service, whereas EoMPLS is point-to-point
The service provider emulates an IEEE Ethernet bridge network
No routing interaction between customer and service provider networks
Virtual bridges are linked with virtual ports, a.k.a. pseudowires (PWs)

Hierarchical VPLS (H-VPLS) for VPLS Scaling

(Diagram: U-PE1 and U-PE2 attach DC1, DC2 and DC3 CEs over 802.1Q and hand off to N-PE1, N-PE2 and N-PE3 at the edge of the MPLS core.)

Scales VPLS deployments
Use cases: Campus/DC interconnect, DCI

Advanced Virtual Private LAN Service (A-VPLS)

(Diagram: A-VPLS multipoint service, a VFI on each of PE-1, PE-2 and PE-3 with CE-1 and CE-2 attached.)

A-VPLS is built on top of the VPLS infrastructure
Simplifies VPLS configurations
Enhances VPLS load balancing and high availability
Use cases: Campus/DC interconnect, DCI

Other MPLS Transport Options

Point-to-point: MPLS over GRE
Multipoint: MPLS-VPN over mGRE, MPLS over DMVPN

(Diagram: the campus MPLS packet, Ethernet header | MPLS label(s) | IP header | data, is carried through a GRE tunnel across an L3 transport, i.e. Ethernet header | outer IP header | GRE | MPLS label(s) | IP header | data.)

MPLS-VPN over mGRE

MPLS VPN over mGRE ties MPLS VRFs across sites with an IP multipoint GRE tunnel over an IP core.

(Diagram: CE1 - PE1 - IP core - PE2 - CE2; IPv4 route exchange on each PE-CE link; VRFs on the PEs; packet format across the core: GRE header (src/dst address) | VPN label | data.)

VPN traffic is forwarded by the PEs using separate routing instances (VRFs)
A GRE header and the VPN label are imposed on VPN traffic; the GRE header takes the place of the IGP/transport label
Packets are switched to the egress PE based on the GRE header
The egress PE uses the VPN label to forward the packet to the remote CE

MPLS QoS

MPLS QoS Uniform Mode: propagate EXP markings

(Diagram: the CE sends an IP packet with IPP 4. At VPN imposition the ingress PE sets EXP 6 on the labels; the core carries and queues on EXP 6; at the egress PE the label is popped and the EXP is copied down, so the CE receives the packet with IPP 6.)

Ingress PE policy:
 match ip precedence 4
 set mpls experimental imposition 6

Core policy:
 match mpls experimental 6
 priority

Egress PE:
 mpls propagate-cos
 match mpls experimental 6
 priority

By default, the IP ToS byte is unchanged. The mpls propagate-cos command causes the EXP value to be copied down to the IP packet after a pop operation, which is what makes this mode "uniform": any remarking done in the core becomes visible to the customer.

MPLS QoS Short Pipe Mode

(Diagram: the CE sends an IP packet with IPP 4; the ingress PE imposes the labels with EXP 6; the core queues on EXP 6; the egress PE pops the label without touching the ToS byte and the CE receives IPP 4.)

Ingress PE policy:
 match ip precedence 4
 set mpls experimental imposition 6

Core policy:
 match mpls experimental 6
 priority

Consistent policy in the MPLS core; egress classification on the CE-facing interface is based on the IP DSCP, not the MPLS EXP.

MPLS QoS Pipe Mode

(Diagram: the CE sends an IP packet with IPP 4; the ingress PE imposes the labels with EXP 6; the core queues on EXP 6; the egress PE pops the label, leaves the ToS byte at IPP 4, but queues the packet toward the CE according to the received EXP 6.)

Ingress PE policy:
 match ip precedence 4
 set mpls experimental imposition 6

Core policy:
 match mpls experimental 6
 priority

Egress PE policy:
 match mpls experimental 6
 priority

Egress classification is based on the MPLS EXP received at the egress PE, not the IP DSCP.

MPLS QoS Options Summary

Uniform, Pipe and Short Pipe modes

Uniform Mode: provides consistent QoS classification/marking throughout the network, including the CE and the core routers. The EXP marking is propagated to the underlying ToS byte on egress, so any remarking done in the core is visible to the customer.

Short Pipe Mode: the QoS policies applied in the core do NOT propagate to the packet's ToS byte. Classification based on MPLS EXP ends at the egress PE, and queuing on the customer-facing egress interface is based on the IPP/DSCP values in the IP header (the default mode).

Pipe Mode: similar to Short Pipe Mode except that at the egress PE, classification on the CE-facing interface is done based on the received (ingress) EXP rather than the IP DSCP.
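The label stack format shown earlier (4 byte IGP label | 4 byte VPN label | packet) and the three tunneling modes above can be made concrete in code. The following Python is an added example written for this page, not code from the Cisco deck: it encodes and decodes 4-byte label stack entries (20-bit label, 3-bit EXP, bottom-of-stack bit, 8-bit TTL), walks one packet through ingress imposition, a P-router swap, penultimate hop pop and the egress PE, and reports what each mode leaves in the IP precedence toward the CE and which value the egress policy classifies on. The label values, IPv4 header and addresses are constructed for the example.

```python
"""MPLS label stack encode/decode and DiffServ tunneling modes at the egress PE.
Added example for this page (not Cisco's code). Labels, addresses and the IPv4
header below are constructed sample values."""
import struct


def build_ipv4_header(precedence, src=b"\x0a\x01\x01\x01", dst=b"\x0a\x02\x02\x02"):
    """Minimal 20-byte IPv4 header with the given IP precedence (checksum left 0)."""
    tos = precedence << 5  # IP precedence = top 3 bits of the ToS byte
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20, 0, 0, 64, 17, 0, src, dst)


def ip_precedence(ip_packet):
    return ip_packet[1] >> 5


def set_ip_precedence(ip_packet, prec):
    tos = (prec << 5) | (ip_packet[1] & 0x1F)
    return ip_packet[:1] + bytes([tos]) + ip_packet[2:]


def encode_entry(label, exp, bottom, ttl):
    """One 4-byte label stack entry: label(20) | EXP(3) | S(1) | TTL(8)."""
    if not (0 <= label < 1 << 20 and 0 <= exp < 8 and 0 <= ttl < 256):
        raise ValueError("label stack field out of range")
    return struct.pack("!I", (label << 12) | (exp << 9) | (int(bottom) << 8) | ttl)


def decode_stack(data):
    """Return ([(label, exp, ttl), ...] top first, payload after the bottom label)."""
    entries, off = [], 0
    while True:
        if off + 4 > len(data):
            raise ValueError("truncated label stack")
        (word,) = struct.unpack_from("!I", data, off)
        off += 4
        entries.append((word >> 12, (word >> 9) & 0x7, word & 0xFF))
        if word & 0x100:  # bottom of stack
            return entries, data[off:]


def impose(igp_label, vpn_label, ip_packet, exp):
    """Ingress PE: VPN label at the bottom, IGP (transport) label on top; both
    labels get the EXP chosen by the imposition policy (set mpls exp imposition)."""
    return (encode_entry(igp_label, exp, False, 255)
            + encode_entry(vpn_label, exp, True, 255) + ip_packet)


def swap_top(mpls_packet, new_label):
    """P router: swap the top label and decrement its TTL; the EXP is carried
    along, which is what the core 'match mpls exp' policy queues on."""
    (word,) = struct.unpack_from("!I", mpls_packet, 0)
    exp, bottom, ttl = (word >> 9) & 0x7, bool(word & 0x100), word & 0xFF
    return encode_entry(new_label, exp, bottom, ttl - 1) + mpls_packet[4:]


def pop_top(mpls_packet):
    """Penultimate hop pop: strip the IGP label so the PE receives only the VPN label."""
    return mpls_packet[4:]


def egress_pe(mpls_packet, mode):
    """Pop the remaining label(s). Returns (vpn_label, ip_packet, classify_on):
    uniform    - EXP copied down to IP precedence (mpls propagate-cos), classify on it
    pipe       - ToS byte untouched, classify on the EXP that arrived with the label
    short_pipe - ToS byte untouched, classify on the IP precedence (default)"""
    entries, ip_packet = decode_stack(mpls_packet)
    exp_in = entries[0][1]        # EXP of the top label as received
    vpn_label = entries[-1][0]    # the bottom label selects the VRF / outgoing interface
    if mode == "uniform":
        ip_packet = set_ip_precedence(ip_packet, exp_in)
        classify_on = ip_precedence(ip_packet)
    elif mode == "pipe":
        classify_on = exp_in
    elif mode == "short_pipe":
        classify_on = ip_precedence(ip_packet)
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return vpn_label, ip_packet, classify_on


def walk(mode, igp_label=1001, vpn_label=2002, core_label=3003, cust_prec=4, exp=6):
    """Run one packet CE -> ingress PE -> P (swap, then PHP) -> egress PE -> CE."""
    pkt = impose(igp_label, vpn_label, build_ipv4_header(cust_prec), exp)
    after_php = pop_top(swap_top(pkt, core_label))
    label, ip_out, classify_on = egress_pe(after_php, mode)
    return {"vpn_label": label, "prec_to_ce": ip_precedence(ip_out), "classify_on": classify_on}


if __name__ == "__main__":
    for m in ("uniform", "pipe", "short_pipe"):
        print(m, walk(m))
```

Running it with the defaults (customer IPP 4, core EXP 6) gives uniform: IPP 6 to the CE and classify on 6; pipe: IPP 4 to the CE but classify on 6; short pipe: IPP 4 and classify on 4, matching the three slides above. The truncation check in decode_stack matters in practice: a stack whose bottom-of-stack bit never appears is malformed and should be dropped rather than parsed as payload.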



MPLS Product Update

MPLS Catalyst Campus Switching Portfolio

(Diagram: platforms plotted by features and scale, fixed versus modular.)

Fixed:
Catalyst 3650/3850: stackable access; 12p/24p/48p 10G 1RU aggregation; MPLS from Jul 2016
Catalyst 6840-X: up to 40 10G ports
Catalyst 6880-X: up to 80 10G ports

Modular:
Catalyst 6K: industry-leading campus backbone platform

* Roadmap item

MPLS Portfolio: Catalyst 3K

Catalyst 3850 Series (MPLS shipping in Jul 2016)
StackPower; FRU fans and power supplies
480 Gbps stacking bandwidth
Up to 100 APs per stack and 40G per switch; wireless CAPWAP termination
Up to 2000 clients per stack
MPLS
40 Gbps uplink bandwidth
Granular QoS / Flexible NetFlow, line rate on all ports
Multigigabit (mGig)
Full PoE+ and UPOE

MPLS on UADP powered stackable access programmable switches

Cisco Catalyst 3850 Multigigabit Ethernet (MPLS shipping in Jul 2016)

48 port version, downlinks: 36 x 1G line rate 10/100/1000BASE-T, 12 x GE/mGig/10GT; PoE/PoE+/UPoE, EEE, MACsec
24 port version, downlinks: 24 x GE/mGig/10GT; PoE/PoE+/UPoE, EEE, MACsec
Uplinks (both versions): 4 x 10GE SFP+, 2 x 40G QSFP (new), 8 x 10G SFP+ (new)

MPLS on access with Multigigabit Ethernet

Catalyst 3850 10G: 12 and 24 Port (MPLS shipping in Jul 2016)

UADP ASIC; converged access; StackWise-480; StackPower; line rate; 1+1 power redundancy
Uplink modules: C3850-NM4x10G, C3850-NM2x40G, C3850-NM8x10G

Catalyst 3850 10G: 48 Port (MPLS shipping in Jul 2016)

UADP ASIC; converged access; line rate
48 x SFP+ fixed, 4 x QSFP fixed
New 750W AC power supplies; 1+1 power supply redundancy
Front-to-back and back-to-front fan and power supply options
No StackWise or StackPower on the 48p SKU

Cisco Catalyst 3650 Switch (MPLS shipping in Jul 2016)

Dual FRU power supplies; FRU fans; optional StackWise-160 with a 9 member stack
Multi-core CPU; MACsec
802.11n / 802.11ac; 50 APs and 1000 clients per stack; 40G wireless capacity per switch
MPLS
EEE
Full NetFlow/QoS for wired and wireless; line rate on all ports
Multigigabit (mGig), new
PoE+
Fixed uplinks: 4 x 1G, 2 x 10G, 4 x 10G, 2 x 40G (new), 8 x 10G (new)

MPLS on UADP powered stackable access programmable switches

MPLS Portfolio: Catalyst 6K

The New Catalyst 6807-XL: taking Catalyst 6K up to 880G/slot
7 slots, 10 RU; up to 880G/slot capable
Side-to-side air flow (redirectable via airflow baffles)
Catalyst 6500 DNA; next-generation ready
Investment protection: compatible with Sup2T, 6700, 6800, 6900 Series and the latest service modules
Low power and noise; high-efficiency fans
Backwards compatible backplane connectors
Up to 4 (N+1) power supply redundancy, 3000W AC

Supervisor 6T (shipping): taking Catalyst 6800 to a new level

1M IPv4 routes; high-scale control plane with x86 CPU
1M NetFlow; 256K QoS / ACL
2 x 40G QSFP and 8 x 10G SFP+ uplinks
Improved fabric: 440G/slot in the 6807-XL
Fiber and copper management and console ports
VSS, LISP, SGT, MACsec, HQoS on all ports
Feature parity with Sup2T from day 1: 3500+ features

C6800 Multi-Rate Line Cards

32 ports of SFP/SFP+ or up to 8 ports of QSFP* (10/100/1000M GLC-T, 100M FX)
1M IPv4 routes; 2M NetFlow; 256K QoS and ACL
160G throughput; performance mode for line rate
250MB per port, 500MB per port in performance mode
VSS, SGT, MACsec, LISP, HQoS
Feature rich MPLS
* With CVR-4SFP-QSFP adapter

Not every port is created equal!

The Catalyst 6880-X: C6K-based extensible fixed platform

Up to 80 x 1G/10G ports; each card has 16 x 1G/10G or up to 4 x 40G ports
VSS, MPLS, VPLS, LISP, MACsec, SGT on every port
Low power and low noise fans; platinum efficiency
Fixed supervisor module: x86 2.0 GHz CPU, up to 4GB DDR3 DRAM
Redundant AC and DC power supplies; front serviceable power supplies and fan tray
NEBS Level 3 compliant platform

The New Catalyst 6840-X (shipping since October 2015)

16, 24, 32 or 40 SFP+ uplinks; 2 models with 2 QSFP uplinks; convert 4 x SFP+ to QSFP*
256K IPv4 routes; 1.5M NetFlow; 64K QoS / ACL
Height: 2RU, depth: 21.8
High-scale control plane with 2.0GHz CPU; higher scale for IA
750W or 1100W power; redundant AC / DC; front-to-back airflow
VSS, MPLS, LISP, SGT, MACsec, HQoS, etc.

All Catalyst 6800 features in a smaller fixed form factor

MPLS Portfolio: Nexus 7K

MPLS on Nexus 7K - M Series

Nexus 7700 M3 Series (new): 10G and 40G modules; 24 x 40G QSFP ports; 48 x 1/10G SFP+ ports
Large table size and packet buffers: 2M FIB (1M @ FCS), 128K ACL/QoS, 384K MAC (128K @ FCS)
MACsec 256-bit AES; deep buffers

Nexus M2 Series modules: N7K-M202CF-22L, N7K-M206FQ-23L, N7K-M224XP-23L

MPLS on Nexus 7K - F3 Series

Nexus 7700 F3 modules: 10G, 40G, 100G
Nexus 7000 F3 modules: 10G, 40G, 100G

What product option do I choose?

MPLS Deployment Options: Medium to Large Campus

Core: C6K/N7K (MPLS)
Distribution: C6K/N7K (MPLS)
Access: Catalyst 3850/3650 for routed access; Catalyst 3850/3650 or 4500 for standard access

Key design factors: VRF/route scale, port density, MPLS features, fixed vs. modular in access/backbone

MPLS Deployment Options: Small to Medium Campus

Standard Access: core C6840-X (MPLS), distribution C6840-X/C3850 (MPLS), access C3850/C3650
Routed Access: core C6840-X (MPLS), distribution C3850 (MPLS), access C3850/C3650
Collapsed Access: core C6840-X/C3850 (MPLS), combined access + distribution on C3850/C3650

Catalyst Campus Innovations: Unprecedented Services

Secure segmentation with TrustSec
One policy with Identity Services Engine
NG PnP for zero touch deployment of network devices
Programmable enterprise campus fabric
Network as sensor with device profiler, NetFlow and Wireshark
One network with converged access
One management with Prime Infrastructure
High availability with VSS, ISSU and StackPower
UADP Flexparser ASIC, SDN-ready
UPOE to connect a broad range of end points (VDI, LED lights)
Simplified operations with Instant Access
Maximized throughput and resiliency with VSS
IT simplicity with Auto Conf, interface templates and EEM
Rich-media experiences
Energy savings

Robust Enterprise Security

IPv6 First Hop Security

Core features:
RA Guard: protection against rogue or malicious RAs and man-in-the-middle attacks
DHCPv6 Guard: protection against invalid DHCP offers, DoS and man-in-the-middle attacks
Source/Prefix Guard: protection against invalid source addresses, invalid prefixes and source address spoofing
Destination Guard: protection against DoS attacks, scanning and invalid destination addresses

Advanced features (scalability and performance):
RA Throttler: reduces control traffic, improves performance
ND Multicast Suppress: facilitates scale by converting multicast traffic to unicast

Robust security for the next generation enterprise

Application Visibility with Flexible NetFlow

Capabilities: Flexible NetFlow key fields include IP addresses and ports, TCP flags, UDP, L2 MAC, L2 VLAN, IPv6, IP options, multicast

Use cases: day 0 attacks, SLA, anomaly detection, visibility, application monitoring and troubleshooting, compliance, capacity planning, control with EEM integration; across campus, branch, network virtualization, mobility and unified communications

Benefits:
Lower CAPEX/OPEX
Unprecedented visibility with new L2 to L7 fields
Better insights for network capacity planning
Scalable, flexible flow monitors
Better service and user experience
Customizable policy action with EEM
Increased IT staff productivity and IT security
Broad collector partner ecosystem


MPLS Configurations

MPLS-VPN Services: L3VPN, L2VPN

L3VPN: MPLS VPN Protocols

(Diagram: CE at the access layer in VRF Green or VRF Blue, PE at the distribution layer, P in the core. PE-CE: EBGP, OSPF, RIPv2 or static; core: OSPF or IS-IS for IPv4 and IPv6; PE-PE: MP-iBGP.)

IGP protocols (or EBGP and static routes) are used to exchange the routes between PE and CE devices
MP-iBGP is used for exchanging VPNv4 (and VPNv6) routes between the PE devices
MPLS label forwarding (LDP) is configured between PE and P devices

VRF Definition (L3VPN, MPLS VPN Protocols: PE-CE with OSPF)

ip vrf VPN-Green
 rd 1:1
 route-target import 100:1
 route-target export 100:1
!
interface Vlan10
 ip vrf forwarding VPN-Green
 ip address 192.168.10.1 255.255.255.0
!
router ospf 1
!
router ospf 2 vrf VPN-Green
 network 192.168.10.0 0.0.0.255 area 0
 redistribute bgp 1 subnets
!

ip vrf forwarding is entered before ip address because IOS removes the address when an interface is moved into a VRF. router ospf 1 is the global (core) process; router ospf 2 vrf VPN-Green is the VRF-aware PE-CE process. The CE routes reach remote PEs only when they are also redistributed into BGP (redistribute ospf 2 under address-family ipv4 vrf VPN-Green in router bgp 1).
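The route distinguisher and route target definitions earlier in the deck, together with the VRF definition just shown, decide which VRFs can see each other's routes: the RD only keeps overlapping prefixes distinct in BGP, while the import and export route targets decide where a route lands, so a stray route-target import is a hole in the segmentation. The following Python is an added example written for this page, not code from the deck: it parses IOS-style ip vrf / vrf definition stanzas from a constructed sample configuration with four VRFs, builds the 96-bit VPN-IPv4 address from an RD and a prefix, computes which VRFs each VRF imports from, and flags import relationships that are not on an allow list. The VRF names, RDs, RTs and the allow list are assumptions made for the example.

```python
"""VRF route-target audit and VPN-IPv4 address construction.
Added example for this page (not Cisco's code). The configuration, VRF names,
RDs, RTs and allow list below are constructed sample values."""
import ipaddress
import re
import struct

SAMPLE_CONFIG = """\
ip vrf VPN-Green
 rd 1:1
 route-target import 100:1
 route-target export 100:1
!
ip vrf VPN-Blue
 rd 1:2
 route-target both 100:2
!
ip vrf Guest
 rd 1:3
 route-target export 100:3
 route-target import 100:3
 route-target import 100:1
!
vrf definition Shared
 rd 1:10
 !
 address-family ipv4
  route-target export 100:10
  route-target import 100:1
  route-target import 100:2
 exit-address-family
!
"""

VRF_RE = re.compile(r"^(?:ip vrf|vrf definition)\s+(\S+)")
RD_RE = re.compile(r"^\s*rd\s+(\S+)")
RT_RE = re.compile(r"^\s*route-target\s+(import|export|both)\s+(\S+)")


def parse_vrfs(config):
    """Collect rd / import RTs / export RTs per VRF from ip vrf or vrf definition stanzas."""
    vrfs, cur = {}, None
    for line in config.splitlines():
        if line.startswith("!"):            # an unindented '!' ends the stanza
            cur = None
            continue
        m = VRF_RE.match(line)
        if m:
            cur = vrfs.setdefault(m.group(1), {"rd": None, "import": set(), "export": set()})
            continue
        if cur is None:
            continue
        if m := RD_RE.match(line):
            cur["rd"] = m.group(1)
        elif m := RT_RE.match(line):
            kind, rt = m.groups()
            for k in (("import", "export") if kind == "both" else (kind,)):
                cur[k].add(rt)
    return vrfs


def encode_rd(rd):
    """8-byte route distinguisher: type 0 (ASN:nn), type 1 (IPv4:nn) or type 2 (4-byte ASN:nn)."""
    admin, assigned = rd.split(":")
    if "." in admin:
        return struct.pack("!H4sH", 1, ipaddress.IPv4Address(admin).packed, int(assigned))
    if int(admin) <= 0xFFFF:
        return struct.pack("!HHI", 0, int(admin), int(assigned))
    return struct.pack("!HIH", 2, int(admin), int(assigned))


def vpnv4_address(rd, prefix):
    """VPN-IPv4 address = 64-bit RD + 32-bit IPv4 address (96 bits): what MP-BGP
    carries so that the same prefix in two VRFs stays unique."""
    return encode_rd(rd) + ipaddress.IPv4Network(prefix).network_address.packed


def import_sources(vrfs):
    """For each VRF, the VRFs whose exports it imports: a route lands in a VRF
    whenever one of the route's export RTs is on that VRF's import list."""
    return {dst: {src for src, s in vrfs.items() if s["export"] & d["import"]}
            for dst, d in vrfs.items()}


def unexpected_imports(vrfs, allowed):
    """(source, destination) pairs, other than a VRF importing itself, that are
    not on the allow list; each one is a path between two segments."""
    return {(src, dst) for dst, srcs in import_sources(vrfs).items()
            for src in srcs if src != dst and (src, dst) not in allowed}


if __name__ == "__main__":
    vrfs = parse_vrfs(SAMPLE_CONFIG)
    allowed = {("VPN-Green", "Shared"), ("VPN-Blue", "Shared")}   # the intended extranet
    for dst, srcs in import_sources(vrfs).items():
        print(f"{dst:10} imports from {sorted(srcs)}")
    print("unexpected:", unexpected_imports(vrfs, allowed))
    print(vpnv4_address("1:1", "10.1.1.0/24").hex(), vpnv4_address("1:2", "10.1.1.0/24").hex())
```

In the sample, Shared deliberately imports Green and Blue, but Guest also imports 100:1, so the audit reports (VPN-Green, Guest): the guest VRF would receive every route the corporate VRF exports. The same check, run over the real PE configurations and an allow list of intended extranets, is a cheap way to catch that class of mistake before it ships.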

L3VPN, MPLS VPN Protocols: PE-CE with EIGRP and EBGP

EIGRP
router eigrp 1
 no auto-summary
 address-family ipv4 vrf VPN-Green
  network 192.168.10.0 0.0.0.255
  autonomous-system 1
  redistribute bgp 1 metric 100000 100 255 1 1500
 exit-address-family
!
EBGP
router bgp 1
 address-family ipv4 vrf VPN-Green
  neighbor 192.168.10.2 remote-as 2
  neighbor 192.168.10.2 activate
 exit-address-family
!

The EIGRP VRF address family needs its own autonomous-system and a seed metric (bandwidth, delay, reliability, load, MTU) when redistributing from BGP; without the metric the BGP-learned routes are not advertised to the CE.

L3VPN, MPLS VPN Protocols: PE-CE with RIPv2 and static routes

RIP
router rip
 version 2
 address-family ipv4 vrf VPN-Green
  no auto-summary
  network 192.168.10.0
  redistribute bgp 1 metric transparent
 exit-address-family
!
Static
ip route vrf VPN-Green 10.1.1.0 255.255.255.0 192.168.10.2

A static route, like the RIP or OSPF routes, still has to be redistributed into BGP under address-family ipv4 vrf VPN-Green (redistribute static) before remote PEs learn it.

L3VPN PE-P (core facing) configuration

interface x/x
 ip address 130.130.1.1 255.255.255.252
 mpls ip
!
router ospf 1
 network 130.130.1.0 0.0.0.3 area 0

mpls ip (LDP) belongs only on PE-P and P-P links; keep it off CE-facing interfaces so that an attached site cannot take part in label distribution or hand labeled packets to the core.

L3VPN PE-PE: MP-iBGP (VPNv4)

router bgp 1
 neighbor 1.2.3.4 remote-as 1
 neighbor 1.2.3.4 update-source Loopback0
 !
 address-family vpnv4
  neighbor 1.2.3.4 activate
  neighbor 1.2.3.4 send-community both
 exit-address-family

send-community both (or at least extended) is required: the route target travels as an extended community, and without it the remote PE cannot import the route into any VRF.

L3VPN: IPv6 VPN (6VPE) configuration

(Diagram: CE at the access layer carrying IPv4 and IPv6 in VRF Green or VRF Blue, PE at the distribution layer, P in the core.)

PE#
!
vrf definition v2
 rd 2:2
 !
 address-family ipv4
  route-target export 1:2
  route-target import 1:2
 exit-address-family
 !
 address-family ipv6
  route-target export 2:2
  route-target import 2:2
 exit-address-family
!
router bgp 1
 !
 address-family vpnv4
  neighbor 10.13.1.21 activate
  neighbor 10.13.1.21 send-community both
 exit-address-family
 !
 address-family vpnv6
  neighbor 10.13.1.21 activate
  neighbor 10.13.1.21 send-community both
 exit-address-family
 !
 address-family ipv4 vrf v2
 exit-address-family
 !
 address-family ipv6 vrf v2
  neighbor 200::2 remote-as 30000
  neighbor 200::2 activate
 exit-address-family

One vrf definition carries both address families; the route targets under address-family ipv4 apply to the VPNv4 routes and those under address-family ipv6 to the VPNv6 routes, so the two can be meshed differently. The VPNv6 session runs over the same IPv4 peering as VPNv4.


MPLS Configurations

MPLS-VPN Services: L3VPN, L2VPN

MPLS L2VPN: L2VPN Protocols

(Diagram: CE at the access layer, PE at the distribution layer; EoMPLS (point-to-point, Ethernet or VLAN attachment) and VPLS (multipoint) across the core, connecting VRF Green and VRF Blue sites.)

MPLS L2VPN: EoMPLS configuration

(Diagram: PE at the distribution layer, CE at the access layer, Ethernet or VLAN attachment circuits, point-to-point pseudowire across the core.)

# VLAN mode (one VLAN of a trunk carried over the pseudowire)
interface GigabitEthernet7/4.2
 encapsulation dot1Q 3
 xconnect 13.13.13.13 3 encapsulation mpls
 no shut
!
# Port mode (the whole port carried over the pseudowire)
interface GigabitEthernet7/4
 xconnect 13.13.13.13 3 encapsulation mpls
 no shut

13.13.13.13 is the loopback of the remote PE and 3 is the VC ID, which must match on both ends.

MPLS L2VPN: VPLS configuration

(Diagram: CE at the access layer on a dot1q trunk, PE at the distribution layer, VFI meshed to the other PEs across the core.)

# L2 interface config toward the CE (the interface name is a placeholder)
interface GigabitEthernet x/y
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 200
 switchport mode trunk
!
# Define the VFI and bind it to the VLAN interface
l2 vfi Cust_A manual
 vpn id 200
 neighbor 10.10.10.102 encapsulation mpls
!
interface Vlan200
 xconnect vfi Cust_A

In manual mode every remote PE in the VPLS instance is listed as a neighbor, one line per PE in the full mesh.

MPLS Configurations: L3VPN / L2VPN / MPLS-VPN Services
Multicast VPN (MVPN)

[Figure: Default MDT for all groups across the MPLS Backbone between the PEs at the Distribution layer; VRF Green and VRF Blue at the Access layer CEs]

# Configure the Default MDT and Data MDT for the VRF under VRF Definition
ip vrf test
 rd 100:1
 route-target import 100:1
 route-target export 100:1
 mdt default <group-address>
 mdt data <group-address> <mask>

# Enable PIM and Multicast Routing at the interfaces towards the CE and P
MPLS over GRE

[Figure: L2VPN sites and L3VPN sites attached to PEs at the Distribution layer; MPLS is carried over GRE across an IPv4 cloud between the PEs; Ethernet or VLAN attachment circuits from the CEs at Access; VRF Green and VRF Blue sites]
MPLS-VPN Services: Providing QoS to VPN Customers

VPN customers may want an SLA so that real-time, mission-critical and best-effort traffic are each treated appropriately.

QoS can be applied to VRF interfaces:
- Just like any global interface
- The same QoS mechanisms are applicable

Remember: the IP precedence bits are copied to the MPLS TC/EXP bits (default behavior).

MPLS Traffic Engineering could be used to provide bandwidth-on-demand and Fast Reroute to VPN customers.
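As an added illustration of the default precedence-to-EXP copy described above (example code added here, not from the deck or from Cisco IOS), the following Python builds and parses an RFC 3032 label stack entry and shows which DSCP classes become indistinguishable once only the 3-bit EXP/TC field travels through the core; the DSCP sample values are constructed and the VPN label value is arbitrary.

```python
# Added example: default IP precedence -> MPLS EXP/TC copy at label imposition.
# Assumes no explicit EXP remarking policy (the default behaviour the slide describes).

def dscp_to_exp(dscp: int) -> int:
    """Default mapping: EXP/TC takes the IP precedence, i.e. the top 3 bits of DSCP."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit field")
    return dscp >> 3

def encode_label_entry(label: int, exp: int, bos: bool, ttl: int) -> bytes:
    """Build one 32-bit MPLS shim entry: 20-bit label, 3-bit EXP/TC, S bit, 8-bit TTL."""
    if not (0 <= label < (1 << 20) and 0 <= exp < 8 and 0 <= ttl < 256):
        raise ValueError("field out of range")
    entry = (label << 12) | (exp << 9) | (int(bos) << 8) | ttl
    return entry.to_bytes(4, "big")

def decode_label_entry(raw: bytes) -> dict:
    """Parse one shim entry back into its fields (what a P router sees)."""
    if len(raw) != 4:
        raise ValueError("a label stack entry is exactly 4 bytes")
    entry = int.from_bytes(raw, "big")
    return {"label": entry >> 12, "exp": (entry >> 9) & 0x7,
            "bos": bool((entry >> 8) & 0x1), "ttl": entry & 0xFF}

def exp_for_vpn_packet(dscp: int, vpn_label: int, ttl: int = 255) -> dict:
    """Impose a VPN label (bottom of stack) on a customer packet using the default copy."""
    return decode_label_entry(encode_label_entry(vpn_label, dscp_to_exp(dscp), True, ttl))

# Constructed sample DSCP values: EF (46), AF41 (34), AF43 (38), CS1 (8), BE (0).
DSCP_SAMPLES = {"EF": 46, "AF41": 34, "AF43": 38, "CS1": 8, "BE": 0}

def default_exp_table() -> dict:
    """EXP each sample class receives in the core. AF41 and AF43 differ only in
    drop precedence and both collapse to EXP 4, so the core cannot tell them
    apart unless EXP is set explicitly at the PE."""
    return {name: dscp_to_exp(d) for name, d in DSCP_SAMPLES.items()}

if __name__ == "__main__":
    for name, exp in default_exp_table().items():
        print(f"{name:5s} DSCP {DSCP_SAMPLES[name]:2d} -> EXP {exp}")
```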


In Conclusion

Key Takeaways
- MPLS offers Secure Segmentation for Enterprise Network Design: End to End Standards based Segmentation from Access to WAN in Enterprise
- MPLS offers a wide range of features and services
- MPLS L3VPN and L2VPN are most commonly deployed in Enterprise
- MPLS Technology is available on a wide range of Switching products:
  - Cisco Catalyst 3850 and 3650 Series (New)
  - Cisco Catalyst 6K Fixed and Modular Series
  - Cisco Nexus 7K Series
- End to End Network Virtualization for Digital Enterprise

MPLS Sessions at Cisco Live 2016

- BRKMPL-1100: Introduction to MPLS
- BRKMPL-1102: MPLS Enterprise Switching Product Update and Designs
- BRKMPL-2100: Deploying MPLS Traffic Engineering
- BRKMPL-2102: Designing MPLS-based IP VPNs
- BRKMPL-2108: Designing MPLS in Next Generation Data Center: A Case Study
- BRKMPL-2110: Enterprise MPLS - Customer Case Studies
- BRKMPL-2115: MPLS Architectural approaches for Data Center and Cloud
- BRKMPL-2333: E-VPN & PBB-EVPN: the Next Generation of MPLS-based L2VPN
- BRKMPL-3124: Troubleshooting End-to-End MPLS
- LTRMPL-2104: Cisco WAN Automation Engine (WAE) Network Programmability with Segment Routing
- LTRMPL-3102: Enterprise Network Virtualization using IP and MPLS Technologies: Advanced
- TECMPL-3200: SDN WAN Orchestration in MPLS and Segment Routing Networks

Terminology Reference
Acronyms Used in MPLS Reference Architecture

Terminology: Description
- AC: Attachment Circuit. An AC is a point-to-point, Layer 2 circuit between a CE and a PE.
- AS: Autonomous System (a domain)
- CoS: Class of Service
- ECMP: Equal Cost Multipath
- IGP: Interior Gateway Protocol
- LAN: Local Area Network
- LDP: Label Distribution Protocol, RFC 3036
- LER: Label Edge Router. An edge LSR interconnects MPLS and non-MPLS domains.
- LFIB: Label Forwarding Information Base
- LSP: Label Switched Path
- LSR: Label Switching Router
- NLRI: Network Layer Reachability Information
- P Router: An interior LSR in the Service Provider's Autonomous System
- PE Router: An LER in the Service Provider administrative domain that interconnects the customer network and the backbone network.
- PSN Tunnel: Packet Switching Tunnel

Terminology Reference
Acronyms Used in MPLS Reference Architecture (cont.)

Terminology: Description
- Pseudo-Wire: A Pseudo-Wire is a bidirectional "tunnel" between two features on a switching path.
- PWE3: Pseudo-Wire End-to-End Emulation
- QoS: Quality of Service
- RD: Route Distinguisher
- RIB: Routing Information Base
- RR: Route Reflector
- RT: Route Target
- RSVP-TE: Resource Reservation Protocol based Traffic Engineering
- VPN: Virtual Private Network
- VFI: Virtual Forwarding Instance
- VLAN: Virtual Local Area Network
- VPLS: Virtual Private LAN Service
- VPWS: Virtual Private Wire Service
- VRF: Virtual Routing and Forwarding Instance
- VSI: Virtual Switching Instance

Further Reading
MPLS References at Cisco Press and cisco.com

http://www.cisco.com/go/mpls

http://www.ciscopress.com

- MPLS and VPN Architectures (Cisco Press): Jim Guichard, Ivan Pepelnjak
- Traffic Engineering with MPLS (Cisco Press): Eric Osborne, Ajay Simha
- Layer 2 VPN Architectures (Cisco Press): Wei Luo, Carlos Pignataro, Dmitry Bokotey, and Anthony Chan
- MPLS QoS (Cisco Press): Santiago Alvarez

Complete Your Online Session Evaluation

Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 Amazon gift card.

Complete your session surveys through the Cisco Live mobile app or from the Session Catalog on CiscoLive.com/us.

Don't forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online

Continue Your Education

Demos in the Cisco campus

Walk-in Self-Paced Labs

Lunch & Learn

Meet the Engineer 1:1 meetings

Related sessions

Thank you