RE: OT: how to filter out several VPNs from a MPLS backbone

From: Ravi Ramaswamy (raramasw) (raramasw@cisco.com)
Date: Sat Mar 25 2006 - 21:55:41 GMT-3


Hi - I agree with you. I guess I was not reading the question
correctly.

It depends on the topology in the core. If the backup link became the
best IGP path to the BGP NH PE, then clearly that link won't be used if
tag-switching is enabled, but then VPN traffic won't flow at all. I
guess the requirement is VPN traffic should flow, but not on the backup
link.

You could try and assign a higher IGP metric to the backup link, in
which case VPN traffic will not flow across this backup link. However,
if there is a topology change in the core, you will end up with the same
issue above.

(In general, if some link in the IGP path from PE to PE has
tag-switching disabled, then VPN traffic will be forwarded into the
core, and be dropped at that P router).

The TE approach to force the LSP to bypass the backup link is the best
approach....

-----Original Message-----
From: Olopade Olorunloba [mailto:lolopade@ipnxnigeria.net]
Sent: Saturday, March 25, 2006 6:57 PM
To: Ravi Ramaswamy (raramasw); 'Reinhold Fischer'; sheherezada@gmail.com
Cc: 'Cisco certification'; comserv@groupstudy.com
Subject: RE: OT: how to filter out several VPNs from a MPLS backbone backup path

Disabling MPLS on the link between the 2 PEs will not stop them from
trying to use the link. The path the MPLS VPN traffic takes is determined
by the path the IGP has for the BGP next-hop of that MPLS VPN. If the IGP,
therefore, thinks the BGP next-hop should be reached across the backdoor
link (on which you have disabled MPLS), it will try and send the traffic
across the link, but will not be successful.

I will rather go with the other suggestion of using MPLS TE tunnels. The
important thing to note is that the path the MPLS VPN traffic takes is
the path you use to reach the BGP next-hop. And MPLS TE, are your best
tools to use to determine which path a traffic should take.

Regards.

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Ravi Ramaswamy (raramasw)
Sent: 25 March 2006 23:22
To: Reinhold Fischer; sheherezada@gmail.com
Cc: Cisco certification; comserv@groupstudy.com
Subject: RE: OT: how to filter out several VPNs from a MPLS backbone backup path

Assuming the picture is like this

PE1 --- P1 ---- P2 ------ PE2
 |                         |
 |-------------------------|

And that PE1 and PE2 "backdoor" link is also in the global space, then
why not simply disable tag-switching on the backdoor link? It will
never be used for VPN traffic between PE1 and PE2.

Ravi Ramaswamy, Cisco Systems Inc.
Advanced Services Central Engg
(732) 261 3814

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Reinhold Fischer
Sent: Friday, March 24, 2006 4:26 PM
To: sheherezada@gmail.com
Cc: Cisco certification; comserv@groupstudy.com
Subject: Re: OT: how to filter out several VPNs from a MPLS backbone backup path

On Fri, Mar 24, 2006 at 12:50:28PM +0200, sheherezada@gmail.com wrote:
> Hi all,
>
> I have four routers linked in a row, let's say A-B-C-D, and a lower
> bandwidth backup link between A and D. I have just added MPLS and set
> up several VPNs, but I don't want all VPNs to generate traffic on the
> backup link when it comes up. Any idea of how to do it?
>
> Thanks,
>
> Mihai
>

Hi Mihai,

here is a possible solution. I have put also the CCIE SP list on CC
since this is more a topic for there...

- create a second loopback interface on the pe-routers.

- add your second loopback interface into your igp so it is reachable

- filter your LDP so it is not assigning and distributing any labels
for this second loopback

- change the next-hop ip-address that bgp will advertise for the
  VPN that you do not want to have on the low-bandwidth backup link

  Example: Assuming Lo1 is the Loopback where you are not distributing
  labels for:
!
 ip vrf TWO
 rd 2:1
 route-target export 2:1
 route-target import 2:1
 bgp next-hop Loopback1
!

- at this point this VPN will not work anymore, because you have no
  LSP to the new Loopbacks

- enable MPLS Traffic Engineering, use the new loopback ip as router-id
  for mpls traffic engineering

- build mpls-te tunnels between the new loopback addresses. Use an
  explicit path that excludes the ip addresses of the low-bandwidth
  backup link.

- at this point the VPN will work again. LSPs are provided through
  MPLS-TE. As soon as the main link between your PE routers goes
  down the MPLS-TE Tunnel will also go down because they are not
  allowed to signal a path through your low-bandwidth link.

hope the explanation is not too confusing.

regards

reinhold
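
The three outcomes debated in this thread, modelled as an added Python example (not code from any of the posters): plain LDP following the IGP path to the BGP next hop, the same with tag-switching disabled on the backup link, and a TE tunnel whose path excludes that link. Router names A-D follow the original question; the metrics, the function names and the simplification that a TE path is the best path with the backup link removed are assumptions.

```python
import heapq

BACKUP = frozenset(("A", "D"))  # low-bandwidth backup link from the question

def links(bc_up=True, backup_metric=100, backup_ldp=False):
    """Constructed topology A-B-C-D plus A-D backup: (a, b, igp_metric, ldp_enabled)."""
    main = [("A", "B", 10, True), ("C", "D", 10, True)]
    if bc_up:
        main.append(("B", "C", 10, True))
    return main + [("A", "D", backup_metric, backup_ldp)]

def best_path(topo, src, dst, exclude=()):
    """Dijkstra on IGP metrics; returns the hops [(from, to, ldp)] or None."""
    adj = {}
    for a, b, metric, ldp in topo:
        if frozenset((a, b)) not in exclude:
            adj.setdefault(a, []).append((b, metric, ldp))
            adj.setdefault(b, []).append((a, metric, ldp))
    heap, seen = [(0, src, [])], set()
    while heap:
        cost, node, hops = heapq.heappop(heap)
        if node == dst:
            return hops
        if node in seen:
            continue
        seen.add(node)
        for nxt, metric, ldp in adj.get(node, []):
            heapq.heappush(heap, (cost + metric, nxt, hops + [(node, nxt, ldp)]))
    return None

def show(src, hops):
    return "delivered via " + "-".join([src] + [to for _, to, _ in hops])

def vpn_over_ldp(topo, src="A", dst="D"):
    """VPN traffic follows the IGP path to the BGP next hop and needs a label per hop."""
    hops = best_path(topo, src, dst)
    if hops is None:
        return "no IGP route"
    broken = [f"{a}-{b}" for a, b, ldp in hops if not ldp]
    return f"dropped: no label on {broken[0]}" if broken else show(src, hops)

def vpn_over_te(topo, src="A", dst="D"):
    """Simplified TE tunnel: best path with the backup link excluded from the explicit path."""
    hops = best_path(topo, src, dst, exclude={BACKUP})
    return "tunnel down, VPN stays off backup" if hops is None else show(src, hops)
```

Calling `vpn_over_ldp(links(bc_up=False))` reproduces the black-hole case from the replies, while `vpn_over_te(links(bc_up=False))` shows the tunnel going down instead of moving onto the backup link.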


