Cisco CCNP Enterprise 300-420 ENSLD – Discovering Service Provider Managed VPN’s

  1. Discovering Service Provider Managed VPN’s

Hello and welcome to Discovering Service Provider Managed VPNs. This video gives an overview of the topics presented in this section and describes what you will be able to understand and achieve by directing your attention to the design recommendations provided, the characteristics and attributes discussed, and the examples, case studies and explanations of the architectures and features emphasized in this section. Let’s begin. The basic premise is how businesses enhance their service and product offerings by outsourcing network traffic and administrative activities, essentially extending their resources by utilizing a variety of service provider offerings.

The first topic describes the major decision points in choosing your WAN connection, with considerations regarding using Layer 2 or Layer 3 VPNs, which influence convergence and scalability. Considerations are provided for end-to-end QoS and service level agreements, which influence the type of traffic supported, and for electing to use a shared or public infrastructure, including a chart that compares two service types, managed site-to-site IP VPN and managed remote access IP VPN, explaining how each type compares with respect to the Internet, extranets and access speed.

Next, customer premises equipment and VPN intelligence are defined. Multiprotocol Label Switching (MPLS) is the most common Layer 3 VPN. There is an explanation of the MPLS characteristics, naming the core technologies with advantages and disadvantages, including diagrams outlining the main components, defining the provider, provider edge and customer edge routers, and routing protocol redistribution into BGP. Also detailed is the customer’s dependence on the service provider, indicating who controls the routing, convergence and reliability functions.

All of this is within the scope of the architecture discussion. The routing protocol topic continues by comparing deploying EIGRP versus OSPF in a PE-CE environment. EIGRP is covered first, with a deployment overview describing how EIGRP interacts with BGP, listing possible redistribution challenges, and recommending the configuration of standard BGP communities to resolve the issues. Included is a discussion of the general operation of EIGRP in a Layer 3 PE-CE environment, example scenarios with network diagrams and charts, design considerations when implementing EIGRP with the same or different autonomous system numbers, and best practices when implementing with a backdoor link. Similar topics are addressed if you implement OSPF as the PE-CE protocol. The architectural review has network design scenarios demonstrating how to propagate and redistribute OSPF routes with multiprotocol BGP, as well as detailing the use of extended communities to address issues of redistribution. Detail is added addressing intra-area routes across a backdoor link.

This provides a seamless transition to the multiprotocol BGP PE-CE routing protocol overview, which discusses the two autonomous system allocation options that are available, along with the effects each has on network behavior, such as load balancing, route loop avoidance and site characterization, including advantages and disadvantages and the challenges to consider. The overview continues with the tradeoff of multiprotocol BGP MPLS using the same autonomous system number, in terms of reducing the chance of AS collisions versus creating complexity.

In addition to design recommendations for loop prevention and avoiding possible issues with multihomed sites, the section ends with how to address undesirable route advertising when the customer has a backdoor link between sites, with design and configuration recommendations. As mentioned at the beginning of this review, the reasons and perspectives for connecting to a service provider are much different today than in the past, not only because more options are available, but also because the needs of the business have evolved enormously. This section provides insight into how to guide a customer in what to consider and how to position them at these major decision points. Well, that is our overview. Thank you.

  1. WAN Connection Decision Points

WAN Connection Decision Points. There are some major decision points when you are choosing your WAN connection. These decision points may include service availability and financial and technical aspects. When you design your WAN, you need to check VPN service availability. Not all services are always available at all customer sites. You might be forced to combine multiple services if you have different options. The financial aspect is very important. When you choose your WAN connection, you compare the cost of the service, the equipment cost and the operational cost. Another important aspect is the lock-in that is created with the Layer 3 VPN. It is harder to change service providers because you need to reconfigure all your CE devices, establish new routing policies, and so on.

It is much easier to change the service provider when you choose the Layer 2 VPN, because the routing is under your control. When choosing your WAN connection, consider the following. Convergence: with the Layer 3 VPN, the routing is under service provider control, and so is the convergence time. When you choose the Layer 2 VPN solution, you are responsible for the routing. Scalability: when you choose the Layer 2 VPN, you can have scalability issues in full-mesh topologies, where routing protocols may fail due to the many neighbors and adjacencies. With the Layer 3 VPN solution, the CE device only has an adjacency with the PE device and is therefore much more scalable. QoS: WAN connections have limited bandwidth, therefore you often need QoS to prioritize, for example, real-time traffic. Service providers often offer QoS for your traffic, but this solution usually leads to higher costs. SLA: some providers may offer some sort of service level agreement for their services. This SLA should be reviewed to ensure that the minimal service level for the contracted traffic is agreed.

Multicast: you may often need to transfer traffic such as multicast. Some service providers support multicast while others do not. Multicast is especially needed with Layer 2 VPNs to allow routing protocols to exchange their messages. MTU size: it is important to reduce fragmentation to a minimum. Therefore, you need to know the maximum transmission unit size to set the appropriate MTU values on your network. Also, you might need to forward jumbo frames. Basic VPN Service Types. A virtual private network is constructed over a shared or public infrastructure and uses a range of technologies to help ensure reliability, separation and data privacy. A VPN can be built on the Internet or on a service provider’s infrastructure. VPNs can offer businesses the same security, quality of service, reliability and manageability as private networks.

A service provider can help you assess your business communications requirements and determine the appropriate managed IP VPN solutions for your organization. This table outlines basic managed IP VPN service types for site-to-site and remote access networking needs and categorizes them by Internet and extranet network access speeds. IP VPN architectures include the following. Network-based IP VPN: the VPN intelligence is in the service provider network and is generally completely transparent to users. By using a network-based architecture, service providers can reduce the scaling, complexity and cost of delivering VPN services to customers. Customer premises equipment based IP VPN: the VPN intelligence is in the network access equipment at the customer’s sites. A single class or multiple classes of service may be implemented across the WAN, depending on the capability of the service provider’s network infrastructure. An IP VPN provides the foundation for additional value-added services, including managed security and extranet services, webcasting, and more. A service provider works with you to determine the basic and enhanced services that best fit your current and growth requirements.

  1. Layer 3 MPLS

The most common implementation of the Layer 3 VPN is the Multiprotocol Label Switching (MPLS) VPN. MPLS is a technology that is used to forward packets over the core network by making forwarding decisions that are based on labels. On the other hand, VPN is a technology that provides a bridge between private networks over a public network.

The Layer 3 MPLS VPN has the following characteristics. It uses two core technologies: one, MPLS to forward packets through the core network, and two, Border Gateway Protocol (BGP) to exchange the customer routes. It requires the service provider to perform the following tasks: one, transferring routes from one location to the others, and two, forwarding IP packets from one location to the others. It has the following disadvantage: service provider dependency, because the routing, convergence and reliability are not under your control. MPLS VPN Architecture. The Layer 3 MPLS VPN is the technology that is used to connect multiple customer sites. The solution uses two core technologies. MPLS is used to forward packets through the service provider

core, and Multiprotocol Border Gateway Protocol (MP-BGP) is used to exchange the customer routes between service provider edge routers. As shown in the graphic, the main components of the MPLS VPN architecture are the following. Customer network: this is a customer-controlled domain. CE router: CE routers are located on the edge of the customer network. These routers have direct connectivity to the provider network. Provider network: this is the provider-controlled domain comprising the provider edge and core routers. These routers connect the customer sites over the shared infrastructure. PE router: the PE router is located at the edge of the MPLS service provider cloud. It is connected to the CE and provider routers. P router: P routers are located in the core of the provider network and are connected to either another P router or a PE router.

Layer 3 MPLS VPN technology is relatively simple from the customer point of view. The customer must connect the equipment directly to the IP network. If the customer uses dynamic routing to transfer routes to another location, it must configure an interior gateway protocol (IGP) on its own routers. The service provider must implement the IGP as well. Both sides need to agree on the IGP parameters. When the service provider receives the routes from the IGP, it must transport these routes to the other locations. BGP is used for this task. You can easily connect many sites together because MP-BGP is properly designed to carry many routes. If you implement a Layer 3 MPLS VPN, you are very dependent on the service provider. It is not easy to change the service provider because the complete routing must be reconfigured on the organization’s edge network. When you choose the Layer 3 MPLS VPN to connect the sites, the provider network (P network) is actually your core network. Therefore, routing, convergence and reliability are not under your control, and you are mostly dependent on the service provider’s routing.

In the MPLS VPN architecture, the customer must push all the routes that will be accessible at the other customer sites to the service provider. The customer is responsible for implementing the proper routing protocol for this task. The customer and the service provider run a routing protocol between the CE and PE routers. The customer puts all the routes that need to be accessible to the other sites into this routing protocol. It can be the same as the internal routing protocol at the customer sites; it is a matter of agreement between the customer and the service provider. The CE router peers only with the PE router outside of its own site. The CE does not peer with any of the CE routers from the other sites across the provider network. The PE router redistributes the customer routes into the BGP routing protocol. These redistributed routes are then carried to the other PE routers that connect to the same customer. There, the routes are redistributed from MP-BGP into the IGP that runs between the PE and CE routers, which is then responsible for transferring the routes to the CE router. MP-BGP sessions are only established between the PE routers in the provider network.

  1. Use Routing Protocols at the PE-CE

PE-CE is a label that is used in MPLS VPN networks. The PE (provider edge) is a router that is located in the provider network and is connected to the CE (customer edge) router that is located at the customer’s site. EIGRP as the PE-CE routing protocol: Enhanced Interior Gateway Routing Protocol can be used as the provider edge to customer edge routing protocol. When you deploy EIGRP as the PE-CE routing protocol, it is important to understand how EIGRP behaves and is treated in a Layer 3 MPLS VPN environment. An overview of EIGRP as the PE-CE routing protocol follows. Deploying EIGRP as the PE-CE routing protocol is relatively simple when there is a single PE-CE link and there are no backdoor links between sites. The general operation of EIGRP in a Layer 3 MPLS VPN environment follows.

One, the CE router runs EIGRP. Two, the PE router runs EIGRP in a VRF instance. Three, the PE router redistributes EIGRP into MP-BGP and sends an update to the other PE routers. Four, the PE router redistributes the MP-BGP routes into EIGRP. BGP extended communities were introduced to maintain the EIGRP route attributes. Redistributing the routes from BGP into EIGRP makes all the routes external EIGRP routes. It means that some pieces of information are lost during redistribution, and this situation can cause some problems when you have backdoor links between sites. To alleviate the problem, new extended BGP communities were introduced. These new communities enable the remote PE routers to reconstruct the EIGRP routes with all their characteristics.

These characteristics are the metric components, the autonomous system (AS), the tag and, for external routes, the remote autonomous system number (ASN), the remote ID, the remote protocol and the remote metric. EIGRP MPLS, same ASN: all sites are running EIGRP with the same EIGRP ASN. There are multiple possible scenarios when implementing EIGRP as the PE-CE routing protocol. In this figure, the enterprise is running EIGRP at all its sites. The enterprise is also using the same ASN at all its sites. The following steps are used. The CE1 router advertises a network via EIGRP to the local PE1 router. This can be an internal or an external route. The PE1 router redistributes the network from EIGRP into MP-BGP with the route information encoded in the extended community attributes within MP-BGP, and it sends the updates to the other PE routers. The PE2 router receives the MP-BGP update, which includes extended community information for EIGRP and a matching EIGRP ASN. The PE2 router recreates the EIGRP routes and sends them to the CE2 router. These routes have the same route type as the original routes, and they have the same metric as the sending PE1 had for these routes.

The backbone therefore appears to add no cost. EIGRP MPLS, different ASN: all sites are running EIGRP with different EIGRP ASNs. In this figure, the enterprise is running EIGRP at all its sites but using different EIGRP ASNs. The following steps are used. The CE1 router advertises a network via EIGRP to the local PE1 router. The PE1 router redistributes the network from EIGRP into MP-BGP with the route information encoded in the extended community attributes within MP-BGP. The PE2 router receives the MP-BGP update that includes extended community information for EIGRP and an EIGRP ASN that does not match its own. The PE2 router recreates the EIGRP route as an external EIGRP route using the configured default metric and advertises the route to the CE2 router. EIGRP PE-CE with a backdoor link: EIGRP is the PE-CE routing protocol with a backdoor link. In this figure, the CE routers are connected with a backdoor link as a backup link.

The CE1 router runs EIGRP between the CE1 and PE1 routers and between the CE1 and CE2 routers. When the CE1 router advertises a prefix, it is advertised to the PE1 and CE2 routers. The PE1 router installs this route into the VRF, redistributes the EIGRP route into BGP, and passes the route to the PE2 router. Similarly, CE2 advertises this route to the PE2 router. The PE2 router has two BGP paths available for the prefix: the internal border gateway protocol (iBGP) advertisement from the PE1 router, and the locally redistributed BGP route from the CE2 EIGRP advertisement. In this case, the locally originated route is preferred based on the BGP best path decision process.

This leads to traffic being forwarded over the backdoor link as its primary path, which is not what you want to achieve. An additional attribute known as the BGP cost community was developed to handle these cases. The BGP cost community is configured on the PE router, which attaches an extended community attribute. The community value is compared, and it influences the path determination. By adjusting this community value, traffic can be forwarded over the correct path. By default, when the PE redistributes the EIGRP path into BGP, the BGP cost community attribute is populated with the EIGRP metric.
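The following is an added example, not course material: a small Python model of the EIGRP PE-CE cases above. It shows the EIGRP attributes a PE carries in extended communities, how the remote PE rebuilds the route when the EIGRP ASN matches or differs, and how the cost community decides the backdoor case at PE2. All prefixes, metrics and ASNs are constructed; the model assumes the cost community is compared at the pre-bestpath point of insertion (the IOS default for routes redistributed from EIGRP), and the best-path steps are reduced to the ones relevant here.

```python
from dataclasses import dataclass
from typing import Optional

DEFAULT_METRIC = 1_000_000   # constructed value for the PE's configured default metric


@dataclass
class EigrpRoute:
    prefix: str
    metric: int          # EIGRP composite metric
    internal: bool       # True = internal EIGRP route, False = external


@dataclass
class BgpPath:
    prefix: str
    weight: int                    # 32768 for locally originated paths on IOS
    local_pref: int
    ibgp: bool                     # learned from another PE over iBGP
    med: int
    eigrp_asn: int                 # carried in the EIGRP extended communities
    eigrp_metric: int
    eigrp_internal: bool
    cost_community: Optional[int]  # pre-bestpath cost community value, if any


def redistribute_eigrp(route: EigrpRoute, eigrp_asn: int, local: bool) -> BgpPath:
    """A PE redistributes an EIGRP route into MP-BGP. The EIGRP attributes go
    into extended communities and the cost community is set to the metric."""
    return BgpPath(prefix=route.prefix, weight=32768 if local else 0,
                   local_pref=100, ibgp=not local, med=route.metric,
                   eigrp_asn=eigrp_asn, eigrp_metric=route.metric,
                   eigrp_internal=route.internal, cost_community=route.metric)


def reconstruct_eigrp(path: BgpPath, local_eigrp_asn: int) -> EigrpRoute:
    """The remote PE turns the MP-BGP path back into an EIGRP route for its VRF.
    Same ASN: the original route type and metric are restored, so the backbone
    adds no cost. Different ASN: the route becomes external with the default
    metric."""
    if path.eigrp_asn == local_eigrp_asn:
        return EigrpRoute(path.prefix, path.eigrp_metric, path.eigrp_internal)
    return EigrpRoute(path.prefix, DEFAULT_METRIC, internal=False)


def best_path(paths, use_cost_community: bool = True) -> BgpPath:
    """Reduced best-path selection: the pre-bestpath cost community is compared
    first (lowest wins) when every candidate carries one; the remaining steps
    are highest weight, highest local preference, eBGP over iBGP, lowest MED."""
    cands = list(paths)
    if use_cost_community and all(p.cost_community is not None for p in cands):
        low = min(p.cost_community for p in cands)
        cands = [p for p in cands if p.cost_community == low]
    return min(cands, key=lambda p: (-p.weight, -p.local_pref, p.ibgp, p.med))


def backdoor_scenario(use_cost_community: bool) -> str:
    """PE2 sees CE1's prefix twice: over iBGP from PE1 (metric as CE1 sent it)
    and locally redistributed from CE2, whose EIGRP metric includes the cost
    of the backdoor hop. Returns which path PE2 installs."""
    via_pe1 = redistribute_eigrp(EigrpRoute("10.1.1.0/24", 28160, True), 100, local=False)
    via_backdoor = redistribute_eigrp(EigrpRoute("10.1.1.0/24", 28160 + 25600, True),
                                      100, local=True)
    winner = best_path([via_pe1, via_backdoor], use_cost_community)
    return "mpls-backbone" if winner is via_pe1 else "backdoor"


if __name__ == "__main__":
    print("with cost community:", backdoor_scenario(True))      # mpls-backbone
    print("without cost community:", backdoor_scenario(False))  # backdoor
```

Without the cost community step, the locally originated path wins on weight alone, which is exactly the backdoor-as-primary-path problem the course describes.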

The iBGP path learned from PE1 is compared with the locally originated BGP path that is learned through redistribution of the EIGRP route from CE2. The EIGRP metric that is advertised from CE2 includes the added cost of traversing the backdoor link. Therefore, the BGP cost community of the iBGP path is lower, and it is thus preferred and installed.

OSPF as the PE-CE routing protocol: Open Shortest Path First (OSPF) can be used as the PE-CE routing protocol. When you deploy OSPF as the PE-CE routing protocol, it is important to understand how OSPF behaves and is treated in the Layer 3 MPLS VPN environment. To propagate the customer routes from PE to PE, OSPF is redistributed into MP-BGP and vice versa on the PE routers.

The downside of this is that all OSPF routes become external routes on the remote PE when the routes are redistributed back into OSPF. This redistribution will make the routes less preferable than the routes that are learned over the backdoor link. Internal OSPF routes are advertised as summary route link-state advertisements on the PE when they are redistributed from BGP back into OSPF. This solution will prevent all redistributed routes from becoming OSPF external routes. They will become inter-area routes. It is different from the normal behavior, because the PE routers are performing redistribution, which would normally generate external OSPF routes (LSA type 5). The PE routers actually become area border routers (ABRs) instead of autonomous system boundary routers (ASBRs). However, all OSPF internal routes become inter-area routes after traversing the MPLS VPN backbone. This is true even if the area number is the same on different PE routers. Several additional BGP extended communities were defined to transport the attributes of the OSPF routes across the MPLS VPN backbone: route type, area number, OSPF router ID, domain ID and metric type (1 or 2).

The PE sets the BGP multi-exit discriminator (MED) attribute with the OSPF metric and vice versa. The PE router is able to completely reconstruct the OSPF route with these OSPF-specific BGP extended communities. The route type indicates which kind of route the PE router should advertise in OSPF. The remote PE router will advertise an inter-area summary route (LSA type 3) into the OSPF area for route types 1, 2 and 3 (LSA types 1, 2 or 3).

The domain ID indicates to the remote PE router how to advertise an external OSPF route. By default, the domain ID is the same as the process ID. If the domain ID of the received route is different from the OSPF process ID in the VRF, then the route is advertised as an OSPF external type 2 route. Otherwise, the route is advertised as an internal route. To preserve the OSPF metric, the PE router uses the OSPF metric to set the BGP MED attribute; when the route is redistributed again into OSPF on the remote PE router, that router uses the MED to set the OSPF metric of the inter-area or external route. OSPF network design scenarios. OSPF uses an area network hierarchy. Area 0 is the backbone area that connects all other areas. The MPLS VPN backbone can be considered as an added hierarchy that is higher than the OSPF backbone area. It can be called the MPLS VPN superbackbone. It is actually not an area because it runs iBGP. However, it acts as an area, and the PE acts as an ABR because it advertises type 3 LSAs to the CE routers.

The CE routers can be in area 0 or any other area. If there is more than one area at the customer site, the PE router must be in area 0 because it is an ABR. If it is not, a virtual link between the PE router and the nearest ABR in the customer site must extend area 0 to the PE router. OSPF with a backdoor link and sham link: in normal OSPF operation, intra-area routes are preferred over inter-area OSPF routes. In the MPLS VPN, all internal OSPF routes become inter-area routes at the remote sites. When there is a backdoor link between sites, there can be a problem, because intra-area routes remain intra-area routes across the backdoor link. Therefore, the intra-area routes that are advertised across the backdoor link are always preferred. To avoid this situation, you must configure a special link between the PE routers. This link is called the sham link. The sham link is a fake link between two PE routers. It has two endpoints with a /32 IP address. This IP address must be in the VRF routing table for the customer. iBGP must advertise this IP address from one PE to the other. The sham link is a point-to-point link between these two IP addresses.
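As an added example (not course material), the following Python model covers the OSPF PE-CE behaviour just described: how a remote PE rebuilds an OSPF route from the route type and domain ID carried in the BGP extended communities and the MED, and why an intra-area route over a backdoor link beats the inter-area route via the PE until a sham link keeps the PE path intra-area. Domain IDs, costs and prefixes are constructed values, and the hypothetical `backdoor_choice` function simplifies the CE's view to two candidate routes.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class OspfExtCommunities:
    """OSPF attributes a PE encodes into BGP extended communities."""
    route_type: int            # 1, 2 or 3 = internal OSPF route; 5 = external
    area: str
    router_id: str
    domain_id: str
    metric_type: Optional[int] = None   # 1 or 2, meaningful for external routes


@dataclass
class VrfOspfRoute:
    prefix: str
    kind: str       # "intra-area", "inter-area", "external-1" or "external-2"
    lsa_type: int   # LSA the PE originates: 3 = summary, 5 = AS external
    cost: int


def reconstruct_ospf(prefix: str, ext: OspfExtCommunities, med: int,
                     local_domain_id: str) -> VrfOspfRoute:
    """What the remote PE advertises into its VRF OSPF process. A domain-ID
    mismatch always yields an external type 2 route; otherwise internal route
    types become inter-area routes (type 3 LSA) and external routes keep their
    metric type. The BGP MED carries the OSPF metric."""
    if ext.domain_id != local_domain_id:
        return VrfOspfRoute(prefix, "external-2", 5, med)
    if ext.route_type in (1, 2, 3):
        return VrfOspfRoute(prefix, "inter-area", 3, med)
    if ext.route_type == 5:
        return VrfOspfRoute(prefix, f"external-{ext.metric_type or 2}", 5, med)
    raise ValueError(f"unsupported OSPF route type {ext.route_type}")


PREFERENCE = {"intra-area": 0, "inter-area": 1, "external-1": 2, "external-2": 3}


def ospf_best(routes) -> VrfOspfRoute:
    """OSPF path preference: intra-area beats inter-area beats external
    regardless of cost; cost only breaks ties within the same kind."""
    return min(routes, key=lambda r: (PREFERENCE[r.kind], r.cost))


def backdoor_choice(sham_link: bool) -> str:
    """Site 1 reaches a site-2 prefix either over the backdoor link, where it
    stays intra-area but costs more, or via the PE. Without a sham link the PE
    path is inter-area and loses; with one, the LSAs are flooded across the
    sham link unchanged, so the PE path stays intra-area and its lower cost wins."""
    via_backdoor = VrfOspfRoute("10.2.2.0/24", "intra-area", 1, 1000)
    ext = OspfExtCommunities(route_type=1, area="0.0.0.1",
                             router_id="2.2.2.2", domain_id="0.0.0.1")
    via_pe = reconstruct_ospf("10.2.2.0/24", ext, med=10, local_domain_id="0.0.0.1")
    if sham_link:
        via_pe = VrfOspfRoute(via_pe.prefix, "intra-area", 1, via_pe.cost)
    return "backdoor" if ospf_best([via_backdoor, via_pe]) is via_backdoor else "mpls-backbone"


if __name__ == "__main__":
    print("no sham link:", backdoor_choice(False))   # backdoor
    print("sham link:", backdoor_choice(True))       # mpls-backbone
```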

The sham link is included in the shortest path first (SPF) computation just as any other link in OSPF. The LSAs are flooded across the sham link, and all OSPF route types are preserved and not converted to LSA type 3 or 5. If the sham link fails, routing is still possible, but all the routes become inter-area routes, and routes through the backdoor link are preferred. Even if the sham link exists and the OSPF routes are flooded across it, BGP must still advertise the OSPF routes as VPNv4 routes from PE to PE. The reason for this is that BGP must carry the MPLS VPN labels for correct forwarding across the MPLS VPN backbone. MP-BGP PE-CE routing protocol overview: MP-BGP can be used as the PE-CE routing protocol. It is one of the most common protocols that are used for routing between the CE and PE devices. An overview of using MP-BGP as the PE-CE routing protocol follows.

There are two options for AS allocation: a unique MP-BGP AS for each customer site, or the same MP-BGP AS for every customer site. MP-BGP operation with a unique MP-BGP AS for each customer site: after choosing MP-BGP as your PE-CE routing protocol, you must next determine the MP-BGP AS allocation scheme. The selection of an MP-BGP ASN for enterprise sites is an important consideration. It affects other aspects of network behavior, such as load balancing, route loop avoidance, and site characterization based on the origin AS. There are two options for AS allocation. You can use the same or a unique MP-BGP AS for every customer site. One of the main advantages of allocating a unique AS per site is that you can identify the originator of a route. You can achieve this by checking the AS path attribute for the origin MP-BGP AS.

This identification simplifies troubleshooting. A unique AS per site also allows simple AS path matching to perform MP-BGP route manipulation for a particular site. These advantages are the reasons that a unique AS per site is the preferred solution. MP-BGP MPLS, same ASN: this is BGP as the PE-CE routing protocol with the same ASN on all sites. One advantage of using the same autonomous system for every site is that it reduces the chance of AS collisions. However, the use of the same autonomous system for every customer site also creates some complexity. An MP-BGP peer performs autonomous system loop prevention by verifying whether the autonomous system path attribute in the received update contains its own ASN. If the route meets this condition, it is discarded. Because the CE router on the other side sees its own ASN in the autonomous system path attribute, it discards the update.

If you use the same autonomous system number for every customer site, you must disable autonomous system loop prevention. The service provider uses the as-override command to perform this task. When the service provider uses this command, it replaces the customer autonomous system number with its own number in the autonomous system path attribute. Mechanisms such as as-override produce some additional complexity and configuration requirements for the service provider. Another issue when using as-override is that none of the MP-BGP routes can be uniquely identified as originating from a specific site based on the autonomous system path attribute. If the CE router must identify the origin of the route based on some attribute, you must use some other mechanism, such as an MP-BGP standard community.

You need extra configuration on the CE router to support this option. Rewriting the autonomous system path attribute prevents the CE router from detecting an MP-BGP loop, which can create problems at multihomed sites. You can avoid this situation by using the site of origin (SoO) extended community attribute. It is an extended community attribute that is attached to an MP-BGP route, and it is used to identify the origin of the route. If the SoO of the route is the same as the SoO configured for the MP-BGP peering, the route is blocked from being advertised. MP-BGP with a backdoor link: when the customer has a backdoor link between sites, the same route is advertised over the backdoor link using the IGP and over the MPLS VPN backbone. Because you need to redistribute routes from MP-BGP into the IGP on the CE router, the routes that traverse the MPLS VPN backbone become external routes. Routes over the backdoor link are internal. An internal route is preferred over an external route, so the routers use the backdoor link instead of the MPLS VPN backbone. This behavior is not desirable. One way to solve the problem is to summarize the routes on the backdoor link. The routes over the MPLS VPN will then be more specific. The routers will therefore use those routes.
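The same-ASN loop prevention problem, as-override and the site of origin check described above, as an added example in Python (not course material, and not a router implementation). The ASNs, prefix and SoO values are constructed; the model assumes as-override replaces every occurrence of the peer's ASN in the AS path with the provider ASN before the usual eBGP prepend, and that a multihomed site 1 is served by two PEs.

```python
from dataclasses import dataclass
from typing import List, Optional

PROVIDER_AS = 65000
CUSTOMER_AS = 65100          # the same ASN is used at every customer site


@dataclass
class Update:
    prefix: str
    as_path: List[int]
    soo: Optional[str] = None   # site-of-origin extended community, e.g. "65000:1"


def ce_advertise(prefix: str, customer_as: int) -> Update:
    """A CE sends the prefix to its PE over eBGP, prepending its own ASN."""
    return Update(prefix, [customer_as])


def pe_receive_from_ce(update: Update, site_soo: Optional[str]) -> Update:
    """PE ingress: tag the route with the SoO configured for that site (if any)."""
    return Update(update.prefix, list(update.as_path), soo=site_soo)


def pe_send_to_ce(update: Update, peer_soo: Optional[str],
                  as_override: bool) -> Optional[Update]:
    """PE egress toward a CE. Returns None when the SoO check blocks the route
    (the route's SoO equals the SoO configured on this peering). With
    as-override, every occurrence of the customer ASN in the path is replaced
    by the provider ASN before the provider ASN is prepended as usual for eBGP."""
    if update.soo is not None and update.soo == peer_soo:
        return None
    path = [PROVIDER_AS if (as_override and asn == CUSTOMER_AS) else asn
            for asn in update.as_path]
    return Update(update.prefix, [PROVIDER_AS] + path, update.soo)


def ce_accepts(update: Optional[Update], local_as: int) -> bool:
    """Standard BGP AS-path loop prevention at the CE: drop if own ASN is present."""
    return update is not None and local_as not in update.as_path


def scenario(as_override: bool, use_soo: bool) -> dict:
    """A route from site 1 crosses the backbone. Site 2 should accept it; site 1
    is multihomed, so a second PE also faces site 1 and must not hand the
    route back to it (a loop the CE can no longer detect once the path is
    rewritten)."""
    site1_soo = "65000:1" if use_soo else None
    site2_soo = "65000:2" if use_soo else None
    in_backbone = pe_receive_from_ce(ce_advertise("10.1.1.0/24", CUSTOMER_AS), site1_soo)
    to_site2 = pe_send_to_ce(in_backbone, site2_soo, as_override)
    back_to_site1 = pe_send_to_ce(in_backbone, site1_soo, as_override)
    return {
        "site2_accepts": ce_accepts(to_site2, CUSTOMER_AS),
        "site2_as_path": to_site2.as_path if to_site2 else None,
        "site1_loops": ce_accepts(back_to_site1, CUSTOMER_AS),
    }


if __name__ == "__main__":
    print("plain:", scenario(as_override=False, use_soo=False))   # site 2 discards
    print("as-override:", scenario(as_override=True, use_soo=False))  # site 1 loop
    print("as-override + SoO:", scenario(as_override=True, use_soo=True))
```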
