WIXLIB

CopyrightCopyright 2003 Cisco Systems, Inc.CiscoPress logois a trademark of Cisco Systems, Inc. Table of Contents IndexPublished by:MPLS and VPN Architectures, Volume IICisco PressByJimWestGuichard, IvanStreetPepelnjak, Jeff Apcar201103rdIndianapolis, IN 46290 USAPublisher: Cisco PressAll rightsreserved. No part of this book may be reproduced or transmitted in any form or byPub Date: June 06, 2003any means, electronic or mechanical, including photocopying, recording, or by anyISBN: 1-58705-112-5information storage and retrieval system, without written permission from the publisher,Pages: 504except for the inclusion of brief quotations in a review.Printed in the United States of America 1 2 3 4 5 6 7 8 9 0Library of Congress Cataloging-in-Publication Number: 619472051122WithMPLS and VPN Architectures, Volume II , you'll learn:Warning and DisclaimerHow to integrate various remote access technologies into the backbone providing VPNserviceto many differenttypesof customersThis bookis designedto provideinformationabout MPLS and VPN architectures. Every efforthas been made to make this book as complete and as accurate as possible, but no warrantyThe newPE-CE routing options as well as other advanced features, including per-VPNor fitnessis implied.Network Address Translation (PE-NAT)The information is provided on an "as is" basis. The authors, Cisco Press, and Cisco Systems,How haveVRFsneithercan be liabilityextendedintoa customer tositeto personprovideorseparationinsidetheto anyInc. shallnorresponsibilityanyentity withrespectcustomernetworkloss or damages arising from the information contained in this book or from the use of thediscs or programs that may accompany it.The latest MPLS VPN security features and designs aimed at protecting the MPLS VPNbackboneThe opinionsexpressed in this book belong to the authors and are not necessarily those ofCisco Systems, Inc.How to carry customer multicast traffic inside a VPNThe latest inter-carrier enhancements to allow for easier and more scalable deploymentTrademarkAcknowledgmentsof inter-carrier MPLS VPN servicesAll termsAdvancedmentionedtroubleshootingin this booktechniquesthat are knownincludingto h availabilityhavebeen appropriately capitalized. Cisco Press or Cisco Systems, Inc. cannot attest to theMPLS andofVPNVolume, buildson bookthe best-sellingand VPNaccuracythisArchitectures,information. Useof a IItermin thisshould not MPLSbe regardedas affectingArchitectures,VolumeI (1-58705-002-1),from Cisco Press. Extending into more advancedthevalidity of anytrademarkor service mark.topics and deployment architectures, Volume II provides readers with the necessary toolsthey need to deploy and maintain a secure, highly available VPN.Feedback InformationMPLS and VPN Architectures, Volume II , begins with a brief refresher of the MPLS VPNArchitecture. Part II describes advanced MPLS VPN connectivity including the integration ofAt Cisco Press, our goal is to create in-depth technical books of the highest quality and value.service provider access technologies (dial, DSL, cable, Ethernet) and a variety of routingEach book is crafted with care and precision, undergoing rigorous development that involvesprotocols (IS-IS, EIGRP, and OSPF), arming the reader with the knowledge of how tothe unique expertise of members from the professional technical community.integrate these features into the VPN backbone. Part III details advanced deployment issuesincludingsecurity, outliningthecontinuationnecessary stepstheservice Ifprovidermustto protect theReaders' feedbackis a naturalof thisprocess.you andalsodetailingthelatestsecurityfeaturesto allowregarding how we could improve the quality of this book, or otherwise alter it to artalsocoversmulti-carrierMPLSVPNyour needs, you can contact us through e-mail at feedback@ciscopress.com. Please makedeployments.PartIV andprovidesfor advanced MPLS VPNsure to includeFinally,the booktitleISBN ainmethodologyyour message.troubleshooting.CreditsMPLS and VPN Architectures, Volume II , also introduces the latest advances in customerintegration, security, and troubleshooting features essential to providing the advanced

We greatly appreciate your assistance.PublisherJohn WaitEditor-In-ChiefJohn KaneCisco RepresentativeAnthony Wolfenden Table of ContentsProgram Manager Cisco Press IndexMPLS and VPN Architectures, Volume IIManager, Marketing Communications, Cisco SystemsSonia Torres ChavezScott MillerByJim Guichard, Ivan Pepelnjak, Jeff ApcarCisco Marketing Program ManagerEdie QuirozPublisher: CiscoPressAcquisitionsEditorAmy MossPub Date: June 06, 2003Production ManagerPatrick KanousePages: 504 EditorDevelopmentGrant MunroeProject EditorLori LyonsCopy EditorKaren A. GillISBN: 1-58705-112-5Technical EditorsWithMPLS and VPN Architectures, Volume II , you'll learn:Content EditorMatt Birkner, Dan TappanMonique MorrowHowto integrate various remote access technologies into thebackboneTeamCoordinatorTammiRoss providing VPNservice to many different types of customersBook DesignerGina RexrodeThe new PE-CE routing options as well as other advanced features, including per-VPNCover DesignerLouisa AdairNetwork Address Translation (PE-NAT)Production TeamMark ShirarHow VRFs can be extended into a customer site to provide separation inside theIndexerTim Wrightcustomer networkThe latest MPLS VPN security features and designs aimed at protecting the MPLS VPNbackboneHow to carry customer multicast traffic inside a VPNThe latest inter-carrier enhancements to allow for easier and more scalable deploymentCorporateHeadquartersof inter-carrierMPLS VPN servicesCisco Systems, Inc.170 WestTasmanDriveAdvancedtroubleshootingtechniques including router outputs to ensure high availabilitySan Jose, CA 95134-1706USAMPLS and VPN Architectures, Volume II , builds on the best-selling MPLS and VPNwww.cisco.comArchitectures, Volume I (1-58705-002-1), from Cisco Press. Extending into more advancedTel:408526-4000topicsanddeployment architectures, Volume II provides readers with the necessary tools800553-NETS(6387)theyneedto deployand maintain a secure, highly available VPN.Fax: 408 526-4100MPLS and VPN Architectures, Volume II , begins with a brief refresher of the MPLS VPNEuropeanHeadquartersArchitecture.Part II describes advanced MPLS VPN connectivity including the integration ofCiscoSystemsBVserviceproviderInternationalaccess technologies(dial, DSL, cable, Ethernet) and a variety of routingHaarlerbergparkprotocols (IS-IS, EIGRP, and OSPF), arming the reader with the knowledge of how toHaarlerbergweg13-19 into the VPN backbone. Part III details advanced deployment issuesintegrate these features1101CH Amsterdamincludingsecurity, outlining the necessary steps the service provider must take to protect theTheNetherlandsbackboneand any attached VPN sites, and also detailing the latest security features to allowwww-europe.cisco.commore advanced topologies and filtering. This part also covers multi-carrier MPLS VPNTel:31 0 20 3571000Part IV provides a methodology for advanced MPLS . 1100AmericasHeadquartersMPLS and VPNArchitectures, Volume II , also introduces the latest advances in customerCiscoSystems,Inc. and troubleshooting features essential to providing the advancedintegration,security,

170 West Tasman DriveSan Jose, CA 95134-1706USAwww.cisco.comTel: 408 526-7660Fax: 408 527-0883Asia Pacific Headquarters Table of ContentsCisco Systems, Inc. IndexCapital TowerMPLS and VPN Architectures, Volume II168 Robinson RoadByJim Guichard, Ivan Pepelnjak, Jeff Apcar#22-01to #29-01Singapore 068912www.cisco.comPublisher: Cisco PressTel:Pub 656317Date:June 777706, 2003Fax: 6563177799ISBN: 1-58705-112-5Pages: 504Cisco Systemshas more than 200 offices in the following countries and regions. Addresses,phone numbers, and fax numbers are listed on the Cisco.comWeb site atwww.cisco.com/go/offices.Argentina Australia Austria Belgium Brazil Bulgaria Canada Chile China PRC ColombiaCosta Croatia VolumeCzech RepublicWithMPLS andVPNRicaArchitectures,II , you'llDenmarklearn: Dubai, UAE Finland France Germany Greece Hong Kong SAR Hungary India Indonesia Ireland Israel ItalyJapan Korea Luxembourg Malaysia Mexico The Netherlands New Zealand Norwayto integratevarious remoteinto thebackboneprovidingVPN PeruHow Philippines PolandPortugalaccessPuertotechnologiesRico Romania Russia SaudiArabia serviceto many differenttypesof customersScotland Singapore Slovakia Slovenia South Africa Spain Sweden Switzerland Taiwan Thailand Turkey Ukraine United Kingdom United States Venezuela The newPE-CE routing options as well as other advanced features, including per-VPNVietnamZimbabweNetwork Address Translation (PE-NAT)Copyright 2003 Cisco Systems, Inc. All rights reserved. CCIP, CCSP, the Cisco Arrow logo,How PoweredVRFs canNetworkbe extendedcustomersite Verifiedto provideseparationinsidethe Methe Ciscomark,intotheaCiscoSystemslogo,Cisco Unity,FollowcustomernetworkiQ Net Readiness Scorecard, Networking Academy, and ScriptShareBrowsing,FormShare,are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn,The latestVPN securityfeaturesQuotient,and designsprotectingthe MPLSVPNThe FastestWayMPLSto IncreaseYour InternetandaimediQuickatStudyare servicemarksofbackboneCisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP,Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, CiscoHow to carry customer multicast traffic inside a VPNPress, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering theInternetEnterprise/Solver,EtherChannel,Fast scalableStep, GigaStack,TheGeneration,latest inter-carrierenhancementsto allow forEtherSwitch,easier and se,theiQlogo,LightStream,MGX,MICA, theof inter-carrier MPLS VPN servicesNetworkers logo, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, ataViewincludingPlus, tchProbe,outputs to ensurehigh availabilityTransPath, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates intheU.S.certainother countries.MPLSandandVPNArchitectures,Volume II , builds on the best-selling MPLS and VPNArchitectures, Volume I (1-58705-002-1), from Cisco Press. Extending into more advancedAllothertrademarksmentionedin thisVolumedocumentor Web readerssite are withthe propertyof theirtopicsanddeploymentarchitectures,II providesthe necessarytoolsrespectiveowners.of the wordpartnerdoesnot implya partnership relationshipthey need todeployTheandusemaintaina secure,highlyavailableVPN.between Cisco and any other company. (0303R)MPLS and VPN Architectures, Volume II , begins with a brief refresher of the MPLS VPNPrintedin thePartUSAII describes advanced MPLS VPN connectivity including the integration ofArchitecture.service provider access technologies (dial, DSL, cable, Ethernet) and a variety of routingprotocols (IS-IS, EIGRP, and OSPF), arming the reader with the knowledge of how tointegrate these features into the VPN backbone. Part III details advanced deployment issuesincluding security, outlining the necessary steps the service provider must take to protect thebackbone and any attached VPN sites, and also detailing the latest security features to allowTomyadvancedwife Sadie,for puttingwith meThiswritingbookmulti-carrierand the artanotheralso coversVPNassociatedwithsuch anundertaking.my children Aimeeand Thomas,deployments.Finally,PartIV providesToa methodologyfor advancedMPLS whoVPN always help tokeepme feVPNKarmen,who wasVolumealways IItherewhenI neededTo myMPLSArchitectures,, alsointroducestheencouragementlatest advancesorinsupport.customerchildrenMajaand Monika,who waited patientlyforessentialmy attentionon too manyintegration,security,and troubleshootingfeaturesto providingthe advanced

occasions.—IvanTo my wife Anne, who is an exceptional person in every way. To my children Caitlin, Conor,and especially Ronan: Despite his constant efforts to reboot my PC, I managed to lose a draftonly once.—Jeff Table of Contents IndexMPLS and VPN Architectures, Volume IIByJim Guichard, Ivan Pepelnjak, Jeff ApcarPublisher: Cisco PressPub Date: June 06, 2003ISBN: 1-58705-112-5Pages: 504WithMPLS and VPN Architectures, Volume II , you'll learn:How to integrate various remote access technologies into the backbone providing VPNservice to many different types of customersThe new PE-CE routing options as well as other advanced features, including per-VPNNetwork Address Translation (PE-NAT)How VRFs can be extended into a customer site to provide separation inside thecustomer networkThe latest MPLS VPN security features and designs aimed at protecting the MPLS VPNbackboneHow to carry customer multicast traffic inside a VPNThe latest inter-carrier enhancements to allow for easier and more scalable deploymentof inter-carrier MPLS VPN servicesAdvanced troubleshooting techniques including router outputs to ensure high availabilityMPLS and VPN Architectures, Volume II , builds on the best-selling MPLS and VPNArchitectures, Volume I (1-58705-002-1), from Cisco Press. Extending into more advancedtopics and deployment architectures, Volume II provides readers with the necessary toolsthey need to deploy and maintain a secure, highly available VPN.MPLS and VPN Architectures, Volume II , begins with a brief refresher of the MPLS VPNArchitecture. Part II describes advanced MPLS VPN connectivity including the integration ofservice provider access technologies (dial, DSL, cable, Ethernet) and a variety of routingprotocols (IS-IS, EIGRP, and OSPF), arming the reader with the knowledge of how tointegrate these features into the VPN backbone. Part III details advanced deployment issuesincluding security, outlining the necessary steps the service provider must take to protect thebackbone and any attached VPN sites, and also detailing the latest security features to allowmore advanced topologies and filtering. This part also covers multi-carrier MPLS VPNdeployments. Finally, Part IV provides a methodology for advanced MPLS VPNtroubleshooting.MPLS and VPN Architectures, Volume II , also introduces the latest advances in customerintegration, security, and troubleshooting features essential to providing the advanced

About the AuthorsJim Guichard, CCIE No. 2069, is a Technical Leader II within the Internet TechnologiesDivision (ITD) at Cisco Systems. During the past six years at Cisco and previously at IBM, Jimhasbeen involvedthe design, implementation, and planning of many large-scale WAN and Table ofinContentsLANnetworks.Hisbreadthof industry knowledge, hands-on experience, and understanding Indexofcomplexinternetworkingarchitectures have enabled him to provide valued assistance toMPLS and VPN Architectures, Volume IImany of Cisco's larger service provider customers. His previous publications include MPLSByJim Guichard, Ivan Pepelnjak, Jeff Apcarand VPN Architectures, by Cisco Press.IvanPublisher:Pepelnjak,Cisco PressCCIE No. 1354, is the Chief Technology Advisor and member of the boardwithPubNILData(www.NIL.si), a high-tech data communications companyDate:JuneCommunications06, 2003that focusesonprovidinghigh-valueservices in new-world service provider technologies.ISBN: 1-58705-112-5Pages: 504Ivan has more than 10 years of experience in designing, installing, troubleshooting, andoperating large corporate and service provider WAN and LAN networks, several of themalready deploying MPLS-based virtual private networks (VPNs). He is the author or leaddeveloper of a number of highly successful advanced IP courses covering MPLS/VPN, BGP,OSPF, and IP QoS, and he is the architect of NIL's remote lab solution. Ivan's previousWithMPLS andVPN Architectures,II , you'lllearn:publicationsincludeMPLS and VPNVolumeArchitecturesandEIGRP Network Design Solutions, byCisco Press.How toisintegrateaccesstechnologiesintoPacificthe backboneprovidingJeff Apcara Senior variousDesign remoteConsultingEngineerin the AsiaAdvancedServicesVPNto Systems.many differenttypescustomersgroupserviceat CiscoHe is oneof oftheCisco lead consultants on MPLS in the region andhas designed MPLS networks for many service providers in AsiaPac using packet-based andThe newPE-CEoptionsas wellother advancedincluding(500 per-VPNcell-basedMPLS.Jeffroutinghas alsodesignedand asmaintainedlarge IPfeatures,router networksNetworkAddressTranslation(PE-NAT)nodes) and has a broad and deep range of skills covering many facets of networkingcommunications.How VRFs can be extended into a customer site to provide separation inside thecustomernetworkJeff hasmore than24 years of experience in data communications and holds Dip. Tech(Information Processing) and B.App.Sc (Computing Science) (Hons) from the University ofThe latest MPLS VPN security features and designs aimed at protecting the MPLS VPNTechnology, Sydney, Australia.backboneHow to carry customer multicast traffic inside a VPNThe latest inter-carrier enhancements to allow for easier and more scalable deploymentof inter-carrier MPLS VPN servicesAdvanced troubleshooting techniques including router outputs to ensure high availabilityMPLS and VPN Architectures, Volume II , builds on the best-selling MPLS and VPNArchitectures, Volume I (1-58705-002-1), from Cisco Press. Extending into more advancedtopics and deployment architectures, Volume II provides readers with the necessary toolsthey need to deploy and maintain a secure, highly available VPN.MPLS and VPN Architectures, Volume II , begins with a brief refresher of the MPLS VPNArchitecture. Part II describes advanced MPLS VPN connectivity including the integration ofservice provider access technologies (dial, DSL, cable, Ethernet) and a variety of routingprotocols (IS-IS, EIGRP, and OSPF), arming the reader with the knowledge of how tointegrate these features into the VPN backbone. Part III details advanced deployment issuesincluding security, outlining the necessary steps the service provider must take to protect thebackbone and any attached VPN si

Architectures, Volume I (1-58705-002-1), from Cisco Press. Extending into more advanced topics and deployment architectures, Volume II provides readers with the necessary tools they need to deploy and maintain a secure, highly available VPN. MPLS and VPN Architectures, Volume II, begins with a brief refresher of the MPLS VPN Architecture.