BRKMPL 1102

MPLS Enterprise Switching
Product Update and Designs

Sankar Venkat
Product Manager
Minhaj Uddin
Technical Marketing Engineer
Session ID : BRKMPL-1102
Agenda
Introduction
Segmentation in Enterprise
MPLS Designs for Enterprise
MPLS Product Update
MPLS Configurations
Q&A
Summary
Session Goals
This session will focus on MPLS for
Campus Switching network deployments.
At the end of the session, the participants should:
Understand different Segmentation Options
Understand the building blocks of MPLS in Enterprise
Understand different MPLS designs and use cases
Understand the different product options for MPLS design
Understand typical configurations for MPLS in Enterprise
BRKMPL-1102
2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
MPLS Enterprise Requirements
A unique Standards Based Segmentation Technology across LAN-WAN
Enterprise/Campus Segmentation
Basic MPLS Features
L3 VPN (IPv4), L3 VPN(IPv6)

L2 VPN (EoMPLS)
Multicast VPN (MVPN)
Data Center Interconnect/Inter Campus Connect over WAN
L2 Extensions with EoMPLS

Pseudowires, VPLS, H-VPLS, Advanced VPLS
Advanced MPLS Features MPLS Services with Netflow, QoS, Multicast
Multi-tenancy / Dual Homing
Traffic Engineering, High Availability/Fast Reroute

BRKMPL-1102
Network Virtualization with MPLS

A
Data Center
PE
MPLS Core
PE
CE
Backup
Data Center
CE
L2 VPN
MPLS
(L2 VPN)
Campus
Mirror
DC Interconnect
Mirror
Branch to DC
Connectivity
Storage
Data Center
Enterprise Segmentation
SP Network
Internet
Access
Core
Access
Bay Area DC
L2
L3 (MPLS)
L2
L3 (MPLS)
L3 (MPLS)
L3 (MPLS)
Service Provider
Enterprise WAN
(MPLS)
AsiaPac DC
Washington DC
Enterprise WAN Edge

BRKMPL-1102
Factors for Network Segmentation
Unique security policies per logical domain
Traffic isolation per application, group, service etc
Logically separate traffic using one physical infrastructure

Guest Access
Merged Company
Isolated Services
Virtual Network
Virtual Network
Virtual Network
Virtual
Private
Network
Actual Physical Infrastructure

BRKMPL-1102
Network Segmentation Benefits
Service isolation
Telephony systems, badging, building control, surveillance

Security policies are unique to each virtual group/service
Meet regulatory compliance requirements
HIPAA
PCI
SOX
etc
Low
Security
Medium
Security
High
Security
Guest Access
Merged Company
Isolated Services
Virtual Network
Virtual Network
Virtual Network
Actual Physical Infrastructure

BRKMPL-1102
Network Segmentation Use Cases

Sales
Finance
HR
POS
Network
Medical Device
Other
Network
Doctor
Staff
Partner
Line of business
Payment Card Industry
Hospital Network
Mergers and Acquisitions
Multi-Tenancy
INTERNET
Bring-Your-Own-Device (BYOD)
BRKMPL-1102
10
Segmentation Options in Enterprise

Cisc
o ISE
VPN
SGT
VPN
SGT
VPN
SGT
VPN
SGT
VPN
SGT
Voice VLAN
Data VLAN
Guest VLAN
Endpoints
Traditional Segmentation
VLAN/VRF-Lite Based Segmentation
Policy enforcement is done using ACLs and
Firewall rules
CLI based Manageability
Endpoints
Endpoints
Trustsec Based Segmentation

User/Device Group Based Segmentation
Secure Group Tags (SGT) used to create
user / device group policies
Cisco ISE based Manageability
BRKMPL-1102
MPLS Based Segmentation

L2/L3 VPN Based Logical Segmentation
MPLS labels used to identify and create
traffic isolation between the groups
CLI based Manageability
11
VLAN Based Segmentation

Applications
access-list
access-list
access-list
access-list
access-list
access-list
access-list
access-list
access-list
access-list
access-list
access-list
access-list
access-list
102
102
102
102
102
102
102
102
102
102
102
102
102
102
deny udp 167.160.188.162 0.0.0.255 gt 4230 248.11.187.246 0.255.255.255 eq 2165

deny udp 32.124.217.1 255.255.255.255 lt 907 11.38.130.82 0.0.31.255 gt 428
permit ip 64.98.77.248 0.0.0.127 eq 639 122.201.132.164 0.0.31.255 gt 1511
deny tcp 247.54.117.116 0.0.0.127 gt 4437 136.68.158.104 0.0.1.255 gt 1945
permit icmp 136.196.101.101 0.0.0.255 lt 2361 90.186.112.213 0.0.31.255 eq 116
deny udp 242.4.189.142 0.0.1.255 eq 1112 19.94.101.166 0.0.0.127 eq 959
deny tcp 82.1.221.1 255.255.255.255 eq 2587 174.222.14.125 0.0.31.255 lt 4993
deny tcp 103.10.93.140 255.255.255.255 eq 970 71.103.141.91 0.0.0.127 lt 848
deny ip 32.15.78.227 0.0.0.127 eq 1493 72.92.200.157 0.0.0.255 gt 4878
permit icmp 100.211.144.227 0.0.1.255 lt 4962 94.127.214.49 0.255.255.255 eq 1216
deny icmp 88.91.79.30 0.0.0.255 gt 26 207.4.250.132 0.0.1.255 gt 1111
deny ip 167.17.174.35 0.0.1.255 eq 3914 140.119.154.142 255.255.255.255 eq 4175
permit tcp 37.85.170.24 0.0.0.127 lt 3146 77.26.232.98 0.0.0.127 gt 1462
permit tcp 155.237.22.232 0.0.0.127 gt 1843 239.16.35.19 0.0.1.255 lt 4384
Enforcement
IP Based Policies ACLs, Firewall Rules
Propagation
Carry Segment
context through the
network using VLAN,
IP address, VRF-Lite
Enterprise
Backbone
Aggregation Layer
Limitations of Traditional Segmentation

Security Policy based on Topology
Not Scalable
Complex provisioning
No notion of User/Device Group
VACL
Classification
Static or Dynamic
VLAN assignments
Access Layer
Non-Compliant
Voice
Quarantine
VLAN
Voice
VLAN
Employee
Supplier
BYOD
Data
VLAN
Guest
VLAN
BYOD
VLAN
BRKMPL-1102
12
Cisco TrustSec Segmentation

Simplified segmentation with Group Based Policy
Enforcement
Group Based Policies
ACLs, Firewall Rules
Shared
Services
Application
Servers
DC Switch
or Firewall
Enforcement
Propagation
Carry Group context
through the network
using only SGT
Classification
Static or Dynamic
SGT assignments
Enterprise
Backbone
ISE
Campus Switch
Campus Switch
DC switch receives policy

for only what is connected
Employee Tag
Supplier Tag
Non-Compliant Employee
VLAN A
Voice
Voice
Employee
Supplier
Non-Compliant
Non-Compliant Tag
VLAN B
BRKMPL-1102
13
Agenda
Introduction
MPLS Product Update
MPLS Configurations
Q&A
Summary
Why choose MPLS in Enterprise ?
End-to-end solution
Campus, MAN, WAN, DC head-end

Standards-based
Layer 3 VPN/Segmentation
IPv6
6VPE
6PE
MPLS Services
IPv4 VPN
Provides Any-to-Any connectivity
Multicast VPN
Layer 2 VPN
Ethernet over MPLS

Point-to-point pseudo-wire
Multi-point VPLS/H-VPLS
MPLS QoS
MPLS over WAN
Path Selection
Traffic Engineering
Node/Link Protection
Fast-Re-Route(FRR)
50 msec switchover
BRKMPL-1102
16
MPLS Fundamentals ReCap
Device Virtualization
Physically one device
Logically many devices

Control plane
Data plane
Virtual devices
Switch
Router
Firewall
VRF: Virtual Routing and Forwarding
VRF Red
VRF Green
VRF Blue
BRKMPL-1102
18
PE
MPLS-VPN Terminology
LDP
LDP
PE
LDP
PE (Provider Edge) router

MP-BGP
Imposes and removes MPLS labels

Runs an IGP, LDP and MP-BGP
P (Provider) router
Connects into the PE, Translates labels

Runs an IGP and LDP
CE (Customer Edge) router
Label Distribution Protocol (LDP)
Connects into the PE

IGP to label binding
Multi-Protocol BGP
Address-family support (IPv4, IPv6, multicast, etc)
Used for VRF route exchange
BRKMPL-1102
19
PE
MPLS-VPN
PE
Label Stack
PE
PE
4 Byte
IGP Label
4 Byte
VPN Label
Original Packet
MPLS VPN packet format

BRKMPL-1102
20
PE
PE
MPLS-VPN Label Exchange

Router
P2
Router
P3
OSPF
OSPF
OSPF
Routing
Table
Routing
Table
Router PE1
BGP
VRF RED
RT 1:1
172.16.1.0
Routing
Table
172.16.1.0
Routing
Table
Router PE4
OSPF
BGP
VRF RED
RT 1:1
Routing
Table
172.16.1.0
FIB
FIB
FIB
FIB
LFIB
LFIB
LFIB
LFIB
FIB
Routing
Table
172.16.4.0
FIB
VRF GRN
RT 1:2
VRF GRN
RT 1:2
172.17.1.0
Routing
Table
IGP Label Exchange

172.17.1.0
172.17.1.0
Routing
Table
172.17.4.0
FIB
FIB
172.17.1.0
RT1:2
172.16.1.0
RT1:1
MP-BGP
172.17.1.0
RT1:2
172.16.1.0
RT1:1
172.16.1.0 RT=1:1 NH=PE1 VPN Label

MP-BGP
BRKMPL-1102
21
PE
PE
MPLS-VPN Packet Flow

Router PE1
BGP
VRF RED
RT 1:1
172.16.1.0
Routing
Table
OSPF
Routing
Table
172.16.1.0
Router
P2
Router
P3
OSPF
OSPF
OSPF
Routing
Table
Routing
Table
Routing
Table
Router PE4
BGP
VRF RED
RT 1:1
172.16.1.0
FIB
FIB
FIB
FIB
LFIB
LFIB
LFIB
LFIB
FIB
Routing
Table
172.16.4.0
FIB
VRF GRN
RT 1:2
VRF GRN
RT 1:2
172.17.1.0
Routing
Table
172.17.1.0
4 Byte
IGP
Label
4 Byte
VPN
Label
Original Packet
172.17.1.0
Routing
Table
172.17.4.0
FIB
FIB
172.17.1.0
RT1:2
172.16.1.0
RT1:1
MP-BGP
172.17.1.0
RT1:2
172.16.1.0
RT1:1

MP-BGP
BRKMPL-1102
22
MPLS-VPN Terminology
Route-Target
Route Distinguisher
Route attribute used to uniquely identify prefixes among VPNs (64 bits)
VPN-IPv4 addresses
Identifier used for importing and exporting routes (64 bit)
Includes the 64 bits Route Distinguisher and the 32 bits IP address
VPN-IPv6 addresses
Includes the 64 bits Route Distinguisher and the 128 bits IP address
BRKMPL-1102
23
MPLS-VPN - Routing and Switching

MPLS VPN
CE
PE
PE
CE
Routing
MPLS VPN
Core
Distribution
PE
Access
CE
Campus
Switching
BRKMPL-1102
24
MPLS L3 VPN
MPLS L3 VPN Campus Segmentation Use Cases

End to End Network Virtualization
Core
Core
Core
L3 VPN
Distribution
Distribution
L3 VPN
C3850
Access
Access
L3 VPN
Standard Access
Access
C3850
Routed Access
BRKMPL-1102
Collapsed Access
26
MPLS L3 VPN for IPv4

IPv4 VRF
BLUE
IPv4 VRF
RED
CE/Access
SITE A
PE/Distribution
SITE C
PE/Distribution
IGP
CE/Access
IPv4 VRF
RED
IPv4 VRF
GREEN
CE/Access
CE/Access
P/Core
CE/Access
P/Core
IPv4 VRF
BLUE
IPv4 VRF
GREEN
CE/Access
IPv4 VRF
RED
CE/Access
SITE B
PE/Distribution
SITE D
PE/Distribution
MP-BGP
BRKMPL-1102
27
MPLS L3 VPN for IPv6 (6VPE)

IPv4 VRF
BLUE
IPv6 VRF
RED
CE/Access
SITE A
6PE/Distribution
SITE C
6PE/Distribution
IGP
CE/Access
IPv6 VRF
RED
IPv4 VRF
GREEN
CE/Access
CE/Access
P/Core
CE/Access
P/Core
IPv4 VRF
BLUE
IPv4 VRF
GREEN
CE/Access
IPv6 VRF
RED
CE/Access
SITE B
6PE/Distribution
SITE D
6PE/Distribution
MP-BGP
IPv6 VPN Provider Edge(6VPE) over MPLS
6VPE is like a regular IPv4 MPLS VPN provider edge(PE), with the addition of IPv6 support
within Virtual Routing and Forwarding (VRF).
Provides logically separate routing table entries for VPN member devices for IPv4 & IPv6.
BRKMPL-1102
28
IPv6 over MPLS (6PE)

6PE
6PE
v6
v6
IPv6
IPv6
P/Core
v6
v6
P/Core
IPv6
6PE
6PE
IPv6
MP-BGP
P routers in the MPLS core are not IPv6 aware and just use IPv4 MPLS Control Plane
PE routers are dual stack and use IPv4 MPLS Control Plane with the core, Native IPv6 with IPv6 routers
P and PE routers share a common IPv4 IGP
6PE routers are MP-BGP4 capable
BRKMPL-1102
29
MPLS-VPN
BGP Scalability iBGP Neighbor Relationships
iBGP requires a full mesh of neighbors

N * (N-1) / 2 = 8 * 7 / 2 = 28
BRKMPL-1102
30
MPLS-VPN Scale Considerations

BGP Scalability Route Reflectors
Use purpose-built RRs
Dont place RRs in data path
Geographically diverse
Non-transit devices
Route Reflector
BRKMPL-1102
Route Reflector
31
L2 VPNs
L2-VPN Basics
interface Ethernet0/0
no ip address
xconnect 192.168.0.1 123 encapsulation mpls
interface Loopback0
ip address 192.168.0.2/32
MPLS
Network
interface Loopback0
ip address 192.168.0.1/32
pseudowire
Ethernet
Header
MPLS Label
MPLS Label
PW-ID
Ethernet Payload
interface Ethernet0/0
no ip address
xconnect 192.168.0.2 123 encapsulation mpls
BRKMPL-1102
33
Virtual Private Lan Services (VPLS)

PE-2
PE-1
CE-2
CE-1
PE-3
VPLS allows MPLS networks to offer Layer 2 Ethernet Services

It provided Multipoint Ethernet service as compared to EoMPLS which is Point to Point
Service Provider emulates an IEEE Ethernet bridge network.
No routing interaction between Customer and Service Provider networks
Virtual Bridges linked with virtual ports aka Pseudo Wires or PWs.
BRKMPL-1102
34
Hierarchical VPLS(H-VPLS) for VPLS Scaling

N-PE1
N-PE2
MPLS
CORE
U-PE2
U-PE1
.1q
N-PE3
.1q
.1q
.1q
DC2-CE
DC3-CE
DC1-CE
Scales VPLS deployments

Use Cases : Campus/DC Interconnect, DCI
BRKMPL-1102
35
Advanced Virtual Private LAN Service (A-VPLS)

A-VPLS Multipoint Services
PE-2
PE-1
CE-2
CE-1
VFI
VFI
VFI
PE-3
AVPLS built on top of VPLS infrastructure

Simplifies VPLS configurations
Enhances VPLS Load balancing & High Availability
Use Cases: Campus/DC Interconnect, DCI
BRKMPL-1102
36
Other MPLS Transport Options

L2
Point-to-point
MPLS over GRE
Ethernet
Header
MPLS
Label(s)
IP
Header
Data
L2
Ethernet
Header
MPLS
Label(s)
IP
Header
Data
Tunnel
L3
Multipoint
MPLS-VPN over mGRE
MPLS over DMVPN
Campus
MPLS
L3 Transport
BRKMPL-1102
37
MPLS-VPN over mGRE
MPLS VPN over mGRE

Ties MPLS VRFs across sites with IP multi-point GRE tunnel over IP Core
PE1
PE2
CE1
CE2
IP
IPv4 Route Exchange
IPv4 Route Exchange

VRF
VRF
GRE Header
VPN Label
src add
dst add
src add
dst add
src add
dst add
data
data
data
VPN traffic forwarded by PEs using separate routing instance (VRFs)

GRE header and VPN label imposed on VPN traffic
Packets switched to egress PE based on GRE header
Egress PE uses VPN label to forward packet to remote CE
BRKMPL-1102
39
MPLS QoS
MPLS QoS Uniform Mode

Propagate EXP Markings
IPP 4
VPN Imposition
ip packet
IPP 4
IPP 4
CE
IPP 6
Pop
EXP 6
EXP 6
Ingress
EXP 6
IPP 4
EXP 6
EXP 6
IPP 4
EXP 6
IPP 6
Egress
PE
match ip prec 4
set mpls exp imp 6
match mpls exp 6
priority
By default, IP ToS byte is unchanged.
PE
CE
mpls propagate-cos
match mpls exp 6
priority
The use of mpls propogate-cos command will cause the EXP

value to be copied down to the IP packet after a POP operation.
BRKMPL-1102
41
MPLS QoS Short Pipe Mode

IPP 4
VPN Imposition
ip packet
IPP 4
IPP 4
CE
IPP 4
Pop
EXP 6
EXP 6
Ingress
EXP 6
IPP 4
EXP 6
EXP 6
IPP 4
EXP 6
IPP 4
Egress
PE
match ip prec 4
set mpls exp imp 6
match mpls exp 6
priority
PE
CE
match mpls exp 6

priority
Consistent policy in MPLS core

BRKMPL-1102
Egress classification based on IP DSCP

not MPLS exp
42
MPLS QoS Pipe Mode

IPP 4
VPN Imposition
ip packet
IPP 4
IPP 4
CE
IPP 4
Pop
EXP 6
EXP 6
Ingress
EXP 6
IPP 4
EXP 6
EXP 6
IPP 4
EXP 6
IPP 4
Egress
PE
match ip prec 4
set mpls exp imp 6
match mpls exp 6
priority
PE
CE
match mpls exp 6

priority
Egress classification based on MPLS

Ingress EXP not IP DSCP
BRKMPL-1102
43
MPLS QoS Options Summary

Uniform, Pipe and Short Pipe Modes
Uniform Mode:
This mode provides consistent QoS classification/marking throughout the network. This includes
the CE and the Core routers. EXP marking is propagated to the underlying TOS byte on egress
Short Pipe Mode:

In this mode the QoS policies being implemented in the Core do NOT propagate to the packet TOS
byte. The classification based on MPLS EXP ends at the customer facing egress PE interface and
queuing is based on the IPP/DSCP values in the IP header (supported default mode)
Pipe Mode:
Pipe Mode is similar to Short Pipe Mode except that at the egress PE, classification at the CE
facing interface is done based on ingress EXP
BRKMPL-1102
44
Agenda
Introduction
MPLS Product Update
MPLS Configurations
Q&A
Summary
MPLS Product Update
MPLS Catalyst Campus Switching Portfolio

Catalyst 3650/3850
Features Features
MODULAR
FIXED
MPLS
Jul 16
Catalyst 6880-X
Catalyst 6K
Up to 80 10G Ports
12p/24p/48p 10G 1RU Aggregation
Catalyst C6840-X
Industry-Leading
Campus Backbone Platform
Up to 40 10G Ports
Stackable Access
Scale
Scale
* Roadmap Item
BRKMPL-1102
47
MPLS Portfolio Catalyst 3K
MPLS Shipping
In Jul 2016
Catalyst 3850 Series

Stackpower
FRU Fans, Power
Supplies
480 Gbps
Stacking
Bandwidth
Up to 100APs per stack,

and 40G per switch
Wireless CAPWAP
Termination
Up to 2000 Clients
per Stack
MPLS
40 Gbps Uplink
Bandwidth
Granular
QoS/Flexible NetFlow
Line Rate on All
Ports
Multigigabit
(mGig)
Full POE+ and

UPOE
MPLS on UADP powered Stackable Access Programmable Switches
MPLS Shipping
In Jul 2016
Cisco Catalyst 3850 Multigigabit Ethernet
48 Port Version
24 Port Version
Downlinks:
Downlinks:
36 x 1G LineRate 10/100/1000BASE-T, 12 x
GE/mGig/10GT
24 x GE/mGig/10GT
PoE/PoE+/UPoE, EEE, MACSec
PoE/PoE+/UPoE, EEE, MACSec

Uplinks:
4x10GE SFP+, 2 x 40G QSFP (NEW), 8x10G
SFP+ (NEW)
Uplinks:
4x10GE SFP+, 2 x 40G QSFP (NEW), 8x10G
SFP+ (NEW)
MPLS on Access with Multigigabit Ethernet

MPLS Shipping
In Jul 2016
Catalyst 3850 10G: 12 and 24 Port
C3850-NM4x10G
C3850-NM4x10G
UADP ASIC
Converged
Access
StackWise-480
StackPower
Line-Rate
C3850-NM2x40G
C3850-NM8x10G
1+1 Power
Redundancy
MPLS Shipping
In Jul 2016
Catalyst 3850 10G: 48 Port

UADP ASIC
4 x QSFP Fixed
48 x SFP+ Fixed
New 750W AC Power Supplies
Front-to-Back and
Back-to-Front Fan options
1+1 Power Supply Redundancy
*No StackWise or StackPower on 48p SKU
UADP ASIC
Converged
Access
Line-Rate
No Stacking
Front-to-Back & Back-to-Front

Fans and Power Supplies
1+1 Power
Redundancy
MPLS Shipping
In Jul 2016
Cisco Catalyst 3650 Switch

Dual FRU
Optional StackWise-160
Power Supplies
9 member Stack
FRU Fans
Multi-Core CPU
MACsec
802.11n
802.11ac
50 APs and
1000 Clients Per Stack
MPLS
40G Wireless
Capacity Per
Switch
EEE
Full Netflow/QoS
for wired/wireless
Line Rate
on All Ports
Multigigabit
(mGig) New
POE+
Fixed Uplinks
4 x 1G
2 x10G
4 x 10G
2 x 40G (New)
8 x 10G (new)
MPLS on UADP powered Stackable Access Programmable Switches

MPLS Portfolio Catalyst 6K
The New Catalyst 6807-XL

Taking Catalyst 6K Up to 880G/Slot
7 Slots 10 RU
Up to 880G/Slot capable
Side-to-side air flow
(redirectable via airflow baffles)
Catalyst 6500 DNA

Next-generation ready
Investment Protection!
Compatible with Sup2T, 6700, 6800,
6900 Series and latest Service Modules
Low-power and noise

High-efficiency fans
Backwards compatible backplane connectors
Up to 4 (N+1) power
supply redundancy
3000W AC
BRKMPL-1102
55
Shipping!!
Supervisor 6T
Taking Catalyst 6800 to a New Level
1M IPv4 Route
High-Scale Control Plane

with X86 CPU
1M NetFlow
256K QoS / ACL
2 x 40G QSFP and

8 x 10G SFP+ uplinks
Improved Fabric
Provides 440G/Slot in the
6807-XL
Fiber & Copper
Management and
Console Ports
VSS, LISP, SGT,

MACSEC, HQoS, on all
Ports
Feature Parity with Sup2T from Day 1: 3500+ Features

C6800 Multi-Rate Line Cards

32 ports of SFP/SFP+ or
up to 8 ports of QSFP*
10/100/1000M GLC-T
100M FX
1M IPv4 Routes
160G Throughput,
2M NetFlow
Performance mode
for line rate
256K QoS & ACL
250MB per Port

500MB per Port in
Performance Mode
VSS, SGT, MACSec, LISP,

HQoS
Feature Rich MPLS
* With CVR-4SFP-QSFP Adapter
Not Every Port is Created Equal!

The Catalyst 6880-X
C6K-Based Extensible Fixed Platform

Up to 80 x 1G/10G ports
VSS, MPLS, VPLS, LISP,

MACSEC, SGT, on every port
Low Power &

Low Noise Fans
Platinum Efficiency
Each Card has 16 x 1G/10G

up to 4 x 40G ports
Fixed Supervisor module

X86 2.0 GHz CPU
up to 4GB DDR3 DRAM
Redundant AC & DC PS
Front Serviceable Power Supplies and Fan Tray,

NEBS Level 3-Compliant Platform
or
Shipping Since
October 2015
The New Catalyst 6840-X

16, 24, 32 or 40 SFP+ Uplinks
Convert 4 x SFP+ to QSFP*
256K IPv4 Routes
2 models with 2 QSFP Uplinks
1.5M NetFlow
Convert 4 x SFP+ to QSFP*
64K QoS / ACL
Height:
2RU
Depth:
21.8
High-Scale Control
Plane with 2.0GHz CPU
Higher Scale for IA
750W or 1100W Power

VSS, MPLS, LISP, SGT,
MACSEC, HQoS, etc.
Redundant AC / DC
Front-to-Back Airflow
All Catalyst 6800 Features in a Smaller Fixed Form Factor

MPLS Portfolio Catalyst N7K
MPLS on Nexus 7K - M Series
Nexus 7700 M3 Series

10G & 40G Modules
NEW
24x 40G QSFP Ports
Large Table Size & Packet Buffers -
2M FIB (1M @ FCS), 128K ACL/QoS
384K MAC (128K @ FCS)
MACSEC 256-bit AES
Deep Buffers
Nexus M2 Series Modules
N7K-M202CF-22L
N7K-M206FQ-23L
N7K-M224XP-23L
48x 1/10G SFP+ Ports
BRKMPL-1102
61
MPLS on Nexus 7K - F3 Series

Nexus F3 Series Modules
Nexus 7700 F3 10G
Nexus 7700 F3 40G
Nexus 7700 F3 100G
Cisco
Nexus
7000/7700
Nexus 7000 F3 10G
Nexus 7000 F3 40G
BRKMPL-1102
Nexus 7000 F3 100G
62
What product option do I choose
MPLS Deployment Options Medium to Large Campus

MPLS
MPLS
C6K/N7K
C6K/N7K
Core
C6K/N7K
C6K/N7K
Distribution
Access
Catalyst 3850/3650
Catalyst 3850/3650 or 4500
Routed Access
Standard Access
Key Design factors: VRF/Route Scale, Port Density, MPLS features, Fixed vs. Modular in Access/Backbone
BRKMPL-1102
64
MPLS Deployment Options Small to Medium Campus

MPLS
MPLS
C6840-X
C3850
Core
Distribution
C6840-X
C3850
MPLS
Core
C6840-X/
C3850
Distribution
C3850/
C3650
C3850/
C3650
Access
Standard Access
C3850/
C3650
Core
Access +
Distribution
Access
Routed Access
BRKMPL-1102
Collapsed Access
65
Unprecedented Services
Catalyst Campus Innovations
Secure Segmentation
with TrustSec
One Policy with Identity

Services Engine
NG PnP for Zero Touch

Deployment of Network
Devices
Programmable Enterprise
Campus Fabric
Network as Sensor with

Device Profiler,
Netflow and Wireshark
One Network with

Converged Access
One Management with

Prime Infrastructure
High Availability with VSS,

ISSU and Stackpower
UADP Flexparser ASIC,

SDN-ready
UPOE to Connect Broad

Range of End Points
VDI and LED lights
Simplifies Operations
with Instant Access
Maximize Throughput
and Resiliency with VSS
IT Simplicity with Auto Conf,

Interface Template and EEM
Rich-media Experiences
Energy Savings
BRKMPL-1102
67
Robust Enterprise Security

IPv6 First Hop Security
RA
Guard
Protection:
Rogue or
malicious RA
MiM attacks
DHCPv6
Guard
Protection:
Invalid DHCP
Offers
DoS attacks
MiM attacks
Core Features
Source/Prefi
x Guard
Protection:
Invalid source
address
Invalid prefix
Source address
spoofing
Destination
Guard
Protection:
DoS attacks
Scanning
Invalid
destination
address
Advance Features
RA
Throttler
ND Multicast
Suppress
Facilitates:
Scale
converting
multicast
traffic to
unicast
Reduces:
Control
traffic ,
improves
performance
Scalability & Performance
Robust Security for Next Generation Enterprise

BRKMPL-1102
68
Application Visibility with Flexible NetFlow

Day0 Attacks
SLA
Detect Anomaly
Visibility
App. M&T
Compliance
Capacity Planning
Control with
EEM Integration
Flexible NetFlow
IP, Ports
TCP
Flags
L2
MAC
L2
VLAN
UDP
Flags
IPv6
IP
Options
Campus
BranchNetwork Virtualization
Mobility, Unified Communications,
Benefits
Multicast
Collector Ecosystem
Capabilities
Lower CAPEX/OPEX
Unprecedented visibility with new L2L7 fields
Better insights for network capacity planning
Scalable, flexible flow monitors
Better service and user experience
Customizable policy action with EEM
Increased IT staff productivity, IT security
Broad collector partner

2016 Cisco ecosystem
and/or its affiliates. All rights reserved.
Cisco Public
69
Agenda
Introduction
MPLS Product Update
MPLS Configurations
Q&A
Summary
MPLS Configurations
MPLS Configurations
L3VPN
L2VPN
MPLS-VPN Services
L3VPN
MPLS VPN Protocols
P
Core
IPV4 and IPv6
Core
OSPF, ISIS
L3 VPN
EBGP, OSPF, RIPv2, Static
PE
PE Distribution
CE
MP-IBGP
L3 VPN
PE
PE Distribution
CE
CE
CE
Access
Access
VRF Green
VRF Green
VRF Blue
VRF Blue
IGP Protocols are used to exchange the routes between PE and CE Devices
MP-IBGP is used for exchanging VPNv4 routes between the PE Devices
MPLS or Label forwarding is configured between PE and P Devices
BRKMPL-1102
73
VRF Definition
L3VPN
Ip vrf VPN-Green
MPLS VPN Protocols
Rd 1:1
Route-target import 100:1
P
Route-target export 100:1

!
Interface vlan 10
Core
Ip address 192.168.10.1
255.255.255.0
Ip vrf forwarding VPN-Green
L3 VPN
PE
PE
Distribution
!
Router ospf 1
OSPF
CE
CE
Access
Router ospf 2 vrf VPN-Green
Vlan 10
VRF Green
VRF Blue
Network 192.168.10.0 0.0.0.255 area

0
Redistribute bgp 1 subnets

!
Router eigrp 1
L3VPN
MPLS VPN Protocols
no auto-sumary
address-family ipv4 vrf VPN-Green

neighbor 192.168.10.0 0.0.0.255
P
P
automonous-system
1
Redistribute bgp 1 metric 100000 100

255 1 1500
P
Core
!
router bgp 1
L3 VPN
BGP
PE
PE
CE
!
Distribution
CE
Access
VRF Green

EIGRP
neighbor 192.168.10.2 remote-as 2

neighbor 192.168.10.2 activate
exit-address-family
VRF Blue
BRKMPL-1102
75
router rip
L3VPN
MPLS VPN Protocols
version 2

no auto-summary
P
Network 192.168.10.0
Redistribute bgp 1 metric
transparent
L3 VPN
RIP
PE
PE
CE
Core
Distribution
CE
Access
VRF Green
Static
Ip route vrf VPN-Green 10.1.1.0

255.255.255.0 192.168.10.2
VRF Blue
BRKMPL-1102
76
L3VPN
PE-P
Interface x/x
P
PIp
address 130.130.1.1 255.255.255.252
Mpls ip
!
Core
L3 VPN
Router ospf 1
OSPF
PE
PE
CE
Network 130.130.1.0 0.0.0.3 area 0
Distribution
CE
Access
VRF Green
VRF Blue
BRKMPL-1102
77
Router bgp 1
L3VPN
Neighbor 1.2.3.4 remote-as 1

Neighbor 1.2.3.4 update-source
loopback0
IBGP
P
!
Address-family vpnv4
Neighbor 1.2.3.4 activate
Neighbor 1.2.3.4 send-community both

Core
L3 VPN
Core
L3 VPN
PE
PE
CE
IBGP
Distribution
PE
PE
CE
CE
CE
Access
VRF Green
Distribution
Access
VRF Green
VRF Blue
BRKMPL-1102
VRF Blue
78
L3VPN
IPv6 VPN
P
Core
L3 VPN
P
L3 VPN
PE
CE
IPV4/IPv6
PE
Distribution
PE
CE
IPV4/IPv6
CE
Access
VRF Green
VRF Blue
BRKMPL-1102
PE#
!
vrf definition v2
rd 2:2
!
address-family ipv4
route-target export 1:2
route-target import 1:2
exit-address-family
!
address-family ipv6
route-target export 2:2
route-target import 2:2
exit-address-family
!
P
!
router bgp 1
!
Core
address-family vpnv4
neighbor 10.13.1.21 send-community both
PE
exit-address-family
Distribution
!
address-family vpnv6
CE
neighbor 10.13.1.21 send-community both
exit-address-family Access
!
address-family ipv4 vrf v2
VRFexit-address-family
Green VRF Blue
!
address-family ipv6 vrf v2
neighbor 200::2 remote-as 30000
neighbor 200::2 activate
exit-address-fam
79
L3VPN
MPLS VPN Protocols
P
MP-IBGP
P
Core
IPV4 and IPv6

OSPF, ISIS
L3 VPN
EBGP, OSPF, RIPv2, Static
PE
PE Distribution
CE
L3 VPN
P
PE
PE Distribution
CE
CE
CE
Access
Access
VRF Green
Core
VRF Green
VRF Blue
BRKMPL-1102
VRF Blue
80
MPLS Configurations
L3VPN
L2VPN
MPLS-VPN Services
MPLS L2VPN
L2VPN Protocols
VPLS
Core
Core
EOMPLS
Distribution
PE
PE
Ethernet/Vlan
Distribution
Access
Distribution
Access
CE
PE
CE
Access
VRF Green
VRF Blue
VRF Green VRF Blue
CE
VRF Green
VRF Blue
BRKMPL-1102
82
MPLS L2VPN
L2VPN Protocols
# Vlan mode
interface GigabitEthernet7/4.2
encapsulation dot1Q 3
Core
Core
xconnect 13.13.13.13 3
EOMPLS
encapsulation
mpls
PE
Distribution
Distribution
PE
no shut
# Port mode
Ethernet or VLAN
Ethernet or VLAN
Access
Access
CE
interface GigabitEthernet7/4
xconnect 13.13.13.13 3
encapsulation mpls
VRF Green
VRF Blue
CE
VRF Green
VRF Blue
no shut
BRKMPL-1102
83
MPLS L2VPN
L2VPN Protocols
# L2 Interface Config -> CE

Switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 200
switchport mode trunk
VPLS
Core
Core
# Define the VFI and bind it to the Intf

Distribution
PE
PE
Ethernet/Vlan
Access
CE
l2 vfi Cust_A manual

vpn id 200
neighbor 10.10.10.102Distribution
encapsulation
mpls
PE
interface vlan 200
xconnect vfi Cust_A
Access
VRF Green
VRF Blue
Distribution
Access
CE
VRF Green VRF Blue
CE
VRF Green
VRF Blue
BRKMPL-1102
84
MPLS Configurations
L3VPN
L2VPN
MPLS-VPN Services
Multicast VPN (MVPN)

# Configure the Default MDT and Data
MDT for the VRF under VRF Definition
Core
Core
Distribution
PE
Default MDT
for all groups
Access
CE
VRF Green
VRF Blue
MPLS Backbone
Ip vrf test
Rd 100:!
Route target import 100:1
Route target export 100:1
mdt default group-address
Distribution
PE
Mdt data group-address mask
Distribution
PE
Access
CE
# Enable PIM and Multicast Routing at

Access
the interfaces
towards the CE and P
CE
VRF Green
VRF Green
VRF Blue
VRF Blue
BRKMPL-1102
86
MPLS over GRE
Core
Core
Distribution
Ethernet or VLAN
Access
L2VPN
SITE
PE
MPLS
overCloud
GRE
IPv4
Distribution
PE
L3VPN
SITE
L3VPN
SITE
Distribution
PE
CE
CE
Access
L2VPN
SITE
Access
CE
VRF Green
VRF Blue
VRF Green
VRF Green
VRF Blue
VRF Blue
BRKMPL-1102
87
MPLS-VPN Services
Providing QoS to VPN Customers
VPN customers may want SLA so as to treat real-time, mission-critical and besteffort traffic appropriately
QoS can be applied to VRF interfaces

- Just like any global interface
- Same old QoS mechanisms are applicable
Remember - IP precedence bits are copies to MPLS TC/EXP bits ( default

behavior )
MPLS Traffic-Eng could be used to provide the bandwidth-on-demand for Fast

Rerouting to VPN customers
BRKMPL-1102
88
In Conclusion
Key Takeaways
MPLS
End
offers Secure Segmentation for Enterprise Networks Design
to End Standards based Segmentation from Access to WAN in Enterprise
MPLS
offers a wide range of features and services
MPLS
L3VPN and L2VPN are most commonly deployed in Enterprise
MPLS
Technology is available on a wide range of Switching products:
Cisco Catalyst 3850 and 3650 Series (New)

Cisco Catalyst 6K Fixed and Modular Series
Cisco Nexus 7K Series
End to End Network Virtualization for Digital Enterprise

MPLS Sessions at Cisco Live 2016
BRKMPL-1100
Introduction to MPLS
BRKMPL-1102
MPLS Enterprise Switching Product Update and Designs
BRKMPL-2100
Deploying MPLS Traffic Engineering
BRKMPL-2102
Designing MPLS-based IP VPNs
BRKMPL-2108
Designing MPLS in Next Generation Data Center: A Case Study
BRKMPL-2110
Enterprise MPLS - Customer Case Studies
BRKMPL-2115
MPLS Architectural approaches for Data Center and Cloud
BRKMPL-2333
E-VPN & PBB-EVPN: the Next Generation of MPLS-based L2VPN
BRKMPL-3124
Troubleshooting End-to-End MPLS
LTRMPL-2104
Cisco WAN Automation Engine (WAE) Network Programmability with Segment Routing
LTRMPL-3102
Enterprise Network Virtualization using IP and MPLS Technologies: Advanced
TECMPL-3200
SDN WAN Orchestration in MPLS and Segment Routing Networks

BRKMPL-1102
91
Terminology Reference
Acronyms Used in MPLS Reference Architecture
Terminology
Description
AC
Attachment Circuit. An AC Is a Point-to-Point, Layer 2 Circuit Between a CE and a PE.
AS
Autonomous System (a Domain)
CoS
Class of Service
ECMP
Equal Cost Multipath
IGP
Interior Gateway Protocol
LAN
Local Area Network
LDP
Label Distribution Protocol, RFC 3036.
LER
Label Edge Router. An Edge LSR Interconnects MPLS and non-MPLS Domains.
LFIB
Labeled Forwarding Information Base
LSP
Label Switched Path
LSR
Label Switching Router
NLRI
Network Layer Reachability Information
P Router
An Interior LSR in the Service Provider's Autonomous System
PE Router
An LER in the Service Provider Administrative Domain that Interconnects the Customer Network and the Backbone Network.
PSN Tunnel
Packet Switching Tunnel
BRKMPL-1102
92
Terminology Reference
Acronyms Used in MPLS Reference Architecture (cont.)
Terminology
Description
Pseudo-Wire
A Pseudo-Wire Is a Bidirectional Tunnel" Between Two Features on a Switching Path.
PWE3
Pseudo-Wire End-to-End Emulation
QoS
Quality of Service
RD
Route Distinguisher
RIB
Routing Information Base
RR
Route Reflector
RT
Route Target
RSVP-TE
Resource Reservation Protocol based Traffic Engineering
VPN
Virtual Private Network
VFI
Virtual Forwarding Instance
VLAN
Virtual Local Area Network
VPLS
Virtual Private LAN Service
VPWS
Virtual Private WAN Service
VRF
Virtual Route Forwarding Instance
VSI
Virtual Switching Instance
BRKMPL-1102
93
Further Reading
MPLS References at Cisco Press and cisco.com
http://www.cisco.com/go/mpls
http://www.ciscopress.com
MPLS and VPN Architectures Cisco Press
Traffic Engineering with MPLS Cisco Press
Eric Osborne, Ajay Simha
Layer 2 VPN Architectures Cisco Press
Jim Guichard, Ivan Papelnjak
Wei Luo, Carlos Pignataro, Dmitry Bokotey, and Anthony Chan
MPLS QoS Cisco Press
Santiago Alvarez
BRKMPL-1102
94
Complete Your Online Session Evaluation
Give us your feedback to be

entered into a Daily Survey
Drawing. A daily winner will
receive a $750 Amazon gift card.
Complete your session surveys

through the Cisco Live mobile
app or from the Session Catalog
on CiscoLive.com/us.
Dont forget: Cisco Live sessions will be available
for viewing on-demand after the event at
CiscoLive.com/Online
BRKMPL-1102
95
Continue Your Education
Demos in the Cisco campus
Walk-in Self-Paced Labs
Lunch & Learn
Meet the Engineer 1:1 meetings
Related sessions
BRKMPL-1102
96
Thank you

BRKMPL 1102

Diunggah oleh

Informasi Dokumen

Judul Asli

Hak Cipta

Format Tersedia

Bagikan dokumen Ini

Bagikan atau Tanam Dokumen

Opsi Berbagi

Apakah menurut Anda dokumen ini bermanfaat?

Apakah konten ini tidak pantas?

Hak Cipta:

Format Tersedia

BRKMPL 1102

Diunggah oleh

Hak Cipta:

Format Tersedia

MPLS Enterprise Switching

Product Update and Designs

Technical Marketing Engineer

MPLS Designs for Enterprise

MPLS Product Update

Understand different Segmentation Options

Understand the building blocks of MPLS in Enterprise

Understand different MPLS designs and use cases

Understand the different product options for MPLS design

Understand typical configurations for MPLS in Enterprise

MPLS Enterprise Requirements

A unique Standards Based Segmentation Technology across LAN-WAN

Basic MPLS Features

L3 VPN (IPv4), L3 VPN(IPv6)

Data Center Interconnect/Inter Campus Connect over WAN

L2 Extensions with EoMPLS

Advanced MPLS Features MPLS Services with Netflow, QoS, Multicast

Multi-tenancy / Dual Homing

Traffic Engineering, High Availability/Fast Reroute

Network Virtualization with MPLS

Enterprise WAN Edge

Factors for Network Segmentation

Unique security policies per logical domain

Traffic isolation per application, group, service etc

Logically separate traffic using one physical infrastructure

Actual Physical Infrastructure

Network Segmentation Benefits

Telephony systems, badging, building control, surveillance

Meet regulatory compliance requirements

Actual Physical Infrastructure

Network Segmentation Use Cases

Payment Card Industry

Mergers and Acquisitions

Segmentation Options in Enterprise

Trustsec Based Segmentation

MPLS Based Segmentation

VLAN Based Segmentation

deny udp 167.160.188.162 0.0.0.255 gt 4230 248.11.187.246 0.255.255.255 eq 2165

Limitations of Traditional Segmentation

Cisco TrustSec Segmentation

DC switch receives policy

MPLS Designs for Enterprise

MPLS Product Update

MPLS Designs for Enterprise

Why choose MPLS in Enterprise ?

Campus, MAN, WAN, DC head-end

Ethernet over MPLS

MPLS Fundamentals ReCap

Physically one device

Logically many devices

VRF: Virtual Routing and Forwarding

PE (Provider Edge) router

Imposes and removes MPLS labels

Connects into the PE, Translates labels

CE (Customer Edge) router

Label Distribution Protocol (LDP)

Connects into the PE

MPLS VPN packet format

MPLS-VPN Label Exchange

IGP Label Exchange

172.16.1.0 RT=1:1 NH=PE1 VPN Label

MPLS-VPN Packet Flow

172.16.1.0 RT=1:1 NH=PE1 VPN Label