MPLS and VPN Architectures, Volume II
By Jim Guichard, Ivan Pepelnjak, Jeff Apcar
Publisher: Cisco Press
Pub Date: June 06, 2003
ISBN: 1-58705-112-5
Pages: 504

With MPLS and VPN Architectures, Volume II, you'll learn:

• How to integrate various remote access technologies into the backbone providing VPN service to many different types of customers
• The new PE-CE routing options as well as other advanced features, including per-VPN Network Address Translation (PE-NAT)
• How VRFs can be extended into a customer site to provide separation inside the customer network
• The latest MPLS VPN security features and designs aimed at protecting the MPLS VPN backbone
• How to carry customer multicast traffic inside a VPN
• The latest inter-carrier enhancements to allow for easier and more scalable deployment of inter-carrier MPLS VPN services
• Advanced troubleshooting techniques including router outputs to ensure high availability

MPLS and VPN Architectures, Volume II, builds on the best-selling MPLS and VPN Architectures, Volume I (1-58705-002-1), from Cisco Press. Extending into more advanced topics and deployment architectures, Volume II provides readers with the necessary tools they need to deploy and maintain a secure, highly available VPN.

MPLS and VPN Architectures, Volume II, begins with a brief refresher of the MPLS VPN Architecture. Part II describes advanced MPLS VPN connectivity including the integration of service provider access technologies (dial, DSL, cable, Ethernet) and a variety of routing protocols (IS-IS, EIGRP, and OSPF), arming the reader with the knowledge of how to integrate these features into the VPN backbone. Part III details advanced deployment issues including security, outlining the necessary steps the service provider must take to protect the backbone and any attached VPN sites, and also detailing the latest security features to allow more advanced topologies and filtering. This part also covers multi-carrier MPLS VPN deployments. Finally, Part IV provides a methodology for advanced MPLS VPN troubleshooting. MPLS and VPN Architectures, Volume II, also introduces the latest advances in customer integration, security, and troubleshooting features essential to providing the advanced services based on MPLS VPN technology in a secure and scalable way.

This book is part of the Networking Technology Series from Cisco Press, which offers networking professionals valuable information for constructing efficient networks, understanding new technologies, and building successful careers.

Table of Contents

Copyright
About the Authors
About the Technical Reviewers
About the Content Reviewer
Acknowledgments
Introduction
    Who Should Read This Book?
    How This Book Is Organized
    Icons Used in This Book
    Command Syntax Conventions

Part I. Introduction
    Chapter 1. MPLS VPN Architecture Overview
        MPLS VPN Terminology
        Connection-Oriented VPNs
        Connectionless VPNs
        MPLS-Based VPNs
        New MPLS VPN Developments
        Summary

Part II. Advanced PE-CE Connectivity
    Chapter 2. Remote Access to an MPLS VPN
        Feature Enhancements for MPLS VPN Remote Access
        Overview of Access Protocols and Procedures
        Providing Dial-In Access to an MPLS VPN
        Providing Dial-Out Access via LSDO
        Providing Dial-Out Access Without LSDO (Direct ISDN)
        Providing Dial Backup for MPLS VPN Access
        Providing DSL Access to an MPLS VPN
        Providing Cable Access to an MPLS VPN
        Advanced Features for MPLS VPN Remote Access
        Summary
    Chapter 3. PE-CE Routing Protocol Enhancements and Advanced Features
        PE-CE Connectivity: OSPF
        PE-CE Connectivity: Integrated IS-IS
        PE-CE Connectivity: EIGRP
        Summary
    Chapter 4. Virtual Router Connectivity
        Configuring Virtual Routers on CE Routers
        Linking the Virtual Router with the MPLS VPN Backbone
        VRF Selection Based on Source IP Address
        Performing NAT in a Virtual Router Environment
        Summary

Part III. Advanced Deployment Scenarios
    Chapter 5. Protecting the MPLS-VPN Backbone
        Inherent Security Capabilities
        Neighbor Authentication
        CE-to-CE Authentication
        Control of Routes That Are Injected into a VRF
        PE to CE Circuits
        Extranet Access
        Internet Access
        IPSec over MPLS
        Summary
    Chapter 6. Large-Scale Routing and Multiple Service Provider Connectivity
        Large Scale Routing: Carrier's Carrier Solution Overview
        Carrier Backbone Connectivity
        Label Distribution Protocols on PE-CE Links
        BGP-4 Between PE/CE Routers
        Hierarchical VPNs: Carrier's Carrier MPLS VPNs
        VPN Connectivity Between Different Service Providers
        Summary
    Chapter 7. Multicast VPN
        Introduction to IP Multicast
        Enterprise Multicast in a Service Provider Environment
        mVPN Architecture
        MDTs
        Case Study of mVPN Operation in SuperCom
        Summary
    Chapter 8. IP Version 6 Transport Across an MPLS Backbone
        IPv6 Business Drivers
        Deployment of IPv6 in Existing Networks
        Quick Introduction to IPv6
        In-Depth 6PE Operation and Configuration
        Complex 6PE Deployment Scenarios
        Summary

Part IV. Troubleshooting
    Chapter 9. Troubleshooting of MPLS-Based Solutions
        Introduction to Troubleshooting of MPLS-Based Solutions
        Troubleshooting the MPLS Backbone
        Other Quick Checks
        MPLS Control Plane Troubleshooting
        MPLS Data Plane Troubleshooting
        MPLS VPN Troubleshooting
        In-Depth MPLS VPN Troubleshooting
        Summary

Index

Copyright

Copyright © 2003 Cisco Systems, Inc.

Cisco Press logo is a trademark of Cisco Systems, Inc.

Published by:
Cisco Press
201 West 103rd Street
Indianapolis, IN 46290 USA

All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review.

Printed in the United States of America 1 2 3 4 5 6 7 8 9 0

Library of Congress Cataloging-in-Publication Number: 619472051122

Warning and Disclaimer

This book is designed to provide information about MPLS and VPN architectures. Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied.

The information is provided on an "as is" basis. The authors, Cisco Press, and Cisco Systems, Inc. shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the discs or programs that may accompany it.

The opinions expressed in this book belong to the authors and are not necessarily those of Cisco Systems, Inc.

Trademark Acknowledgments

All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Cisco Press or Cisco Systems, Inc. cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.

Feedback Information

At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community.

Readers' feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us through e-mail at [email protected]. Please make sure to include the book title and ISBN in your message.

We greatly appreciate your assistance.

Credits

Publisher: John Wait
Editor-In-Chief: John Kane
Cisco Representative: Anthony Wolfenden
Cisco Press Program Manager: Sonia Torres Chavez
Manager, Marketing Communications, Cisco Systems: Scott Miller
Cisco Marketing Program Manager: Edie Quiroz
Acquisitions Editor: Amy Moss
Production Manager: Patrick Kanouse
Development Editor: Grant Munroe
Project Editor: Lori Lyons
Copy Editor: Karen A. Gill
Technical Editors: Matt Birkner, Dan Tappan
Content Editor: Monique Morrow
Team Coordinator: Tammi Ross
Book Designer: Gina Rexrode
Cover Designer: Louisa Adair
Production Team: Mark Shirar
Indexer: Tim Wright

Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100

European Headquarters
Cisco Systems International BV
Haarlerbergpark
Haarlerbergweg 13-19
1101 CH Amsterdam
The Netherlands
www-europe.cisco.com
Tel: 31 0 20 357 1000
Fax: 31 0 20 357 1100

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
www.cisco.com
Tel: 408 526-7660
Fax: 408 527-0883

Asia Pacific Headquarters
Cisco Systems, Inc.
Capital Tower
168 Robinson Road
#22-01 to #29-01
Singapore 068912
www.cisco.com
Tel: +65 6317 7777
Fax: +65 6317 7799

Cisco Systems has more than 200 offices in the following countries and regions. Addresses, phone numbers, and fax numbers are listed on the Cisco.com Web site at www.cisco.com/go/offices.

Argentina • Australia • Austria • Belgium • Brazil • Bulgaria • Canada • Chile • China PRC • Colombia • Costa Rica • Croatia • Czech Republic • Denmark • Dubai, UAE • Finland • France • Germany • Greece • Hong Kong SAR • Hungary • India • Indonesia • Ireland • Israel • Italy • Japan • Korea • Luxembourg • Malaysia • Mexico • The Netherlands • New Zealand • Norway • Peru • Philippines • Poland • Portugal • Puerto Rico • Romania • Russia • Saudi Arabia • Scotland • Singapore • Slovakia • Slovenia • South Africa • Spain • Sweden • Switzerland • Taiwan • Thailand • Turkey • Ukraine • United Kingdom • United States • Venezuela • Vietnam • Zimbabwe

Copyright © 2003 Cisco Systems, Inc. All rights reserved. CCIP, CCSP, the Cisco Arrow logo, the Cisco Powered Network mark, the Cisco Systems Verified logo, Cisco Unity, Follow Me Browsing, FormShare, iQ Net Readiness Scorecard, Networking Academy, and ScriptShare are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, The Fastest Way to Increase Your Internet Quotient, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherSwitch, Fast Step, GigaStack, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, LightStream, MGX, MICA, the Networkers logo, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, RateMUX, Registrar, SlideCast, SMARTnet, StrataView Plus, Stratm, SwitchProbe, TeleRouter, TransPath, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries.

All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0303R)

Printed in the USA

Dedications

To my wife Sadie, for putting up with me writing another book and the lonely nights associated with such an undertaking. To my children Aimee and Thomas, who always help to keep me smiling.—Jim

To my wife Karmen, who was always there when I needed the encouragement or support. To my children Maja and Monika, who waited patiently for my attention on too many occasions.—Ivan

To my wife Anne, who is an exceptional person in every way. To my children Caitlin, Conor, and especially Ronan: Despite his constant efforts to reboot my PC, I managed to lose a draft only once.—Jeff

About the Authors

Jim Guichard, CCIE No. 2069, is a Technical Leader II within the Internet Technologies Division (ITD) at Cisco Systems. During the past six years at Cisco and previously at IBM, Jim has been involved in the design, implementation, and planning of many large-scale WAN and LAN networks. His breadth of industry knowledge, hands-on experience, and understanding of complex internetworking architectures have enabled him to provide valued assistance to many of Cisco's larger service provider customers. His previous publications include MPLS and VPN Architectures, by Cisco Press.

Ivan Pepelnjak, CCIE No. 1354, is the Chief Technology Advisor and member of the board with NIL Data Communications (www.NIL.si), a high-tech data communications company that focuses on providing high-value services in new-world service provider technologies. Ivan has more than 10 years of experience in designing, installing, troubleshooting, and operating large corporate and service provider WAN and LAN networks, several of them already deploying MPLS-based virtual private networks (VPNs). He is the author or lead developer of a number of highly successful advanced IP courses covering MPLS/VPN, BGP, OSPF, and IP QoS, and he is the architect of NIL's remote lab solution. Ivan's previous publications include MPLS and VPN Architectures and EIGRP Network Design Solutions, by Cisco Press.

Jeff Apcar is a Senior Design Consulting Engineer in the Asia Pacific Advanced Services group at Cisco Systems. He is one of the Cisco lead consultants on MPLS in the region and has designed MPLS networks for many service providers in AsiaPac using packet-based and cell-based MPLS. Jeff has also designed and maintained large IP router networks (500+ nodes) and has a broad and deep range of skills covering many facets of networking communications. Jeff has more than 24 years of experience in data communications and holds Dip. Tech (Information Processing) and B.App.Sc (Computing Science) (Hons) from the University of Technology, Sydney, Australia.

About the Technical Reviewers

Matthew H. Birkner, CCIE No. 3719, is a Technical Leader at Cisco Systems, specializing in IP and MPLS network design. He has influenced multiple large carrier and enterprise designs worldwide. Matt has spoken at Cisco Networkers on MPLS VPN technologies in both the U.S. and EMEA over the past few years. A "double CCIE", he has published the Cisco Press book, Cisco Internetwork Design. Matt holds a BSEE from Tufts University, where he majored in electrical engineering.

Dan Tappan is a distinguished engineer at Cisco Systems. He has 20 years of experience with internetworking, having worked on the ARPANET transition from NCP to TCP at Bolt, Beranek, and Newman. For the past several years, Dan has been the technical lead for Cisco's implementation of MPLS (tag switching) and MPLS/VPNs.