350-501 SPCOR Cisco CCNP Service Provider – Virtual Private Networks part 2

  1. VPN Models – Advantages and Disadvantages

So let us see what the advantages, disadvantages and drawbacks of the overlay model and the peer-to-peer model are. When we talk about the overlay model, think of Frame Relay or IPsec and GRE kinds of implementations. Frame Relay is not used much in today's production networks, but still, the overlay models are very well known because we have been using them for many years, so they are very easy to implement, because most people are well aware of these implementations. Here the service provider does not participate in any of the customer routing. That is what we discussed for the overlay model: the service provider will not receive any customer routes.

It is only responsible for providing a virtual point-to-point connection between the two customer sites; the service provider does not take part in the customer routing at all. The customer network and the service provider network are completely isolated, which means whatever routing the customer and the service provider do is not related in any way; they are completely separate. So these are some of the advantages we get with the overlay models. But at the same time we have some disadvantages. With overlay models we need a large number of virtual circuits, and this is one of the major problems with Frame Relay. Let's take an example: I have multiple customer sites and you are providing the connectivity.

If I want to have a connection between each and every site, I want a full mesh, so we need a separate virtual circuit from here to here, another separate virtual circuit from here to here, and so on. Without that it is not going to provide redundancy. So the more connections we require, the more virtual circuits we need, which means it really adds overhead on the service provider to provision those virtual circuits. The same thing happens with GRE: if you want redundancy, you need multiple virtual tunnels established, GRE tunnels from each and every point, so that is one of the major disadvantages. And the virtual circuits have to be created manually, and then bandwidth has to be provisioned on a site-to-site basis as well.

The overlay models also add some encapsulation overhead. Whenever you send a normal IP packet, once it enters the service provider network it is going to add some extra GRE or IPsec header information, or if you are using Frame Relay, it is going to add DLCI values. That is extra overhead on the routers to add and remove those encapsulations. Now, when we talk about peer-to-peer models, just think about MPLS, because although we have other peer-to-peer models as well, we will be talking about MPLS L3 VPNs. The major advantage of the peer-to-peer model is that it guarantees optimum routing between the customer sites, because once the routes enter the service provider network, the service provider is going to maintain the customer routes.

It is going to provide the best, shortest path to reach the provider router at the other end. And it is really easier to add additional VPNs. It is easy because, as we will see when we get into the VPN concept, whenever you want to add one virtual point-to-point connection here, it uses a similar kind of implementation to the route reflectors we have in BGP. So we don't need a separate point-to-point connection for each and every site. We can still use the route reflector concept just like we do in BGP and have virtual point-to-point connections like this. We don't need a separate VPN from here to here.

Each PE router can connect to the centralized device, and from there again we can have multiple VPNs established. So it is very easy to add an additional VPN when you compare with the previous models, and only the sites are provisioned, not the links between them. Which means whenever you add a new customer site, we just need to add a link here, because this router is already connected to the provider router on the other side. So we don't really need to add a virtual VPN from this site to the other site. Most likely we just need to add one link connecting this PE to the CE. That's it. Now one of the drawbacks again: the service provider is going to participate in the customer routing.

That is one of the drawbacks, and you need to ensure that you apply some filtering on the customer links. But anyway, the service provider will ensure that your customer routes do not go from one customer to another customer; they are completely separated through VRFs. Still, that is one of the disadvantages. We can say the service provider is majorly responsible for customer convergence: when the customer router connects to the provider edge router, the service provider needs to ensure that the customer routes are converged between CE and PE before they are sent to the other side. So that is one of the things we need to consider when we are using peer-to-peer models, and the PE routers carry all the routes from all the customers.

The same provider edge router might be connecting to multiple customers, and it is responsible for carrying all the routes for all of those customers. And we need to provide a secure environment between the customers; that is something the service provider has to take care of, ensuring that no routes from one customer go to another customer. It is going to be a bit more complex to configure, but it provides a huge advantage. So if you list out these disadvantages, I can say the peer-to-peer models provide some good advantages, much better than the other VPN models. The service provider does need detailed IP routing knowledge, but this will not make much difference when it comes to MPLS.

MPLS is one kind of peer-to-peer model, and it carries the customer routes in the form of labels. Again, it is a completely different thing. One more advantage we get in MPLS is that the service provider core is not going to maintain the customer routes. So I can say MPLS comes under this kind of VPN technology, but at the same time it is a kind of combination of the overlay model and the peer-to-peer model. So when you talk about MPLS technology, it has the advantages of both the overlay model and the peer-to-peer model. This is something I'll introduce in more detail in my next video, where we'll see much more about how MPLS provides the best of both models.

  2. Cisco Express Forwarding – CEF

In this section we'll be focusing on Cisco Express Forwarding, a method of switching packets. Now what exactly is CEF? As the name itself says, Cisco Express Forwarding is a Cisco proprietary method of forwarding packets. Normally, let's take an example: there is a network, let's say the 192.168.1.0 network, that wants to communicate with some other network, let's say the 192.168.2.0 network. This is my source address and this is my destination address. By default, whenever a PC realizes that the destination is on a different subnet, it is going to forward the packet to the gateway. Now the router's job is to find the destination network ID, so it is going to verify the routing table.

Think of it as a show ip route: the router checks that the destination network ID is present in the routing table. If it is present, then it will see what the next hop address is, and based on that next hop address it is going to forward via a specific exit interface, and finally it forwards the packet. This is our traditional layer 3 lookup, which generally happens in our routers, or wherever you do any routing process; this is the default process. Now CEF is an improvement on this process. CEF is going to ensure that this process happens much faster than the default process. Let's try to see the different methods first before we get into the CEF concept.

Before CEF, we had two earlier methods which were generally used to forward packets. The first one is process switching. In process switching, whenever any packet enters the router, the router is going to do a layer 3 lookup, which is more like software based: it is going to check the destination network ID, then check the next hop IP address, then see what the exit interface is for that next hop IP address, and then finally forward the packet. Similarly, if any other packet comes, the same process happens one more time, which means every time a packet comes, even if it is for the same destination, it is still going to do the lookup.

That is what happens in process switching: it requires the CPU. The router CPU has to be personally involved in each and every forwarding decision, which means for each and every packet entering the router it is going to do the layer 3 lookup and forward the packet. In this way it adds more overhead on the router, or on the multilayer switch we can say, whatever is doing the routing process. Then came something called the fast switching method. In fast switching, it is going to do the same job that process switching does: whenever a packet comes, it is going to see the destination network ID and then the next hop IP address.

Then it sees what the exit interface is and forwards the packet. After that, it is going to cache this information in the router cache. It maintains that information in the cache so that if any other user wants to go to the same destination, it does not need to do the routing lookup again; it will simply pick up this information from the cache and forward out of this specific interface. So the main advantage here is that we are reducing the processor utilization a little by not looking up each and every time a packet comes; it is not going to look up every time.

If the entry is present in the cache, it is going to use that cached information, and if there is no entry in the cache, it is going to do the normal layer 3 lookup and cache the result again, so that next time, if anything comes for the same destination, it uses that cache. Now these two methods are no longer used. Cisco introduced a new method, the Cisco Express Forwarding method. In this method, before a packet comes into your network, before a packet arrives, the router is already going to maintain one layer 3 routing table.

This layer 3 routing table is taken into your hardware, which means this layer 3 table is downloaded to the hardware and the processing is done at the hardware level rather than at the software level. So the processing is not going to happen in your routing table; instead it runs on the hardware. Generally we have something called the data plane and the control plane; I'll get into that technical terminology. That is the main thing here: when it is done on the hardware it can provide wire-speed forwarding. At the same time, this information, whatever is downloaded from the routing table, is handled on the hardware, providing wire speed.

At the same time it is doing these things proactively, which means before the packet arrives it is proactively downloading that information and keeping it in your hardware, so that the entire packet is switched through your hardware and it provides wire-speed performance. CEF is enabled by default in most IOS versions in today's networks; it optimizes the router so it can forward packets much faster than normal. So let's get into some more detail about CEF. Cisco Express Forwarding is present in most of the layer 3 switches as well as the routers; if I specifically say switches, it also applies to the routers here.

Majorly, we have two planes here: the control plane and the data plane. The control plane, I can say, is more like the software side, which is going to build a routing table, which we call the RIB, the Routing Information Base. Based on that routing table, CEF is going to copy this routing table information into your data plane. So in the data plane you are going to have two tables: the FIB, the Forwarding Information Base, and the adjacency table. I have that in my next slide here. This is your FIB table. This is your layer 3 engine, which is your normal control plane, and this is your data plane here.

Okay? So the control plane is responsible for building the routing information just like a normal router does, and based on that, this FIB table is going to have each and every destination network ID, and it is built proactively before a packet arrives at the router. Which means, let's say 192.168.2.0 is the destination network ID, and to reach that destination we have a next hop of, let's say, 10.1.1.1. This information is maintained in your FIB table, the layer 3 forwarding engine here, and it is also going to maintain one more table called the adjacency table. In the adjacency table it maintains the exit interface information. Which means whenever any packet arrives for this destination, it is not going to do the lookup again.

So the lookup is prebuilt. It simply forwards the packet out of that exit interface without actually doing the routing lookup, without the software processing, because it is prebuilt already. It forwards out of the exit interface, and this provides wire-speed performance and ensures that your packets move through your layer 3 device much faster than normal routing. Now, to verify, I have my four routers which I generally use in all my CCNP routing labs. You can see I have four routers connected and all four routers are already preconfigured with your routing protocol. If you verify with show ip ospf neighbor, I already did that; this is the basic thing which I did.
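A constructed Python model of the three forwarding methods described above, added here and not taken from the course or from IOS; the RIB entries, next hops and interface names are made up. It feeds the same packet stream to process switching, fast switching and a CEF-style FIB plus adjacency table, counts how many software (routing table) lookups each one performs, and checks that all three reach the same decision.

```python
"""Constructed model of process switching, fast switching and CEF (not IOS code):
same RIB, same packet stream, count the software (RIB) lookups each method does
and check that all three reach the same (next hop, interface) decision."""
import ipaddress
from typing import NamedTuple

class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    next_hop: str
    interface: str

# Constructed RIB: default route plus two nested, more specific prefixes.
RIB = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "10.0.0.1", "Gi0/0"),
    Route(ipaddress.ip_network("192.168.2.0/24"), "10.1.1.1", "Gi0/1"),
    Route(ipaddress.ip_network("192.168.2.128/25"), "10.1.2.1", "Gi0/2"),
]

def rib_lookup(rib, dst):
    """Software longest-prefix match over the routing table (the 'show ip route' path)."""
    addr = ipaddress.ip_address(dst)
    return max((r for r in rib if addr in r.prefix), key=lambda r: r.prefix.prefixlen)

class ProcessSwitching:
    """Every packet, even to a destination just seen, costs one software lookup."""
    def __init__(self, rib):
        self.rib, self.lookups = rib, 0
    def forward(self, dst):
        self.lookups += 1
        route = rib_lookup(self.rib, dst)
        return route.next_hop, route.interface

class FastSwitching(ProcessSwitching):
    """First packet to a destination is looked up in software, the rest hit the cache."""
    def __init__(self, rib):
        super().__init__(rib)
        self.cache = {}                 # destination -> (next hop, interface)
    def forward(self, dst):
        if dst not in self.cache:
            self.cache[dst] = super().forward(dst)
        return self.cache[dst]

class CEF:
    """FIB (prefix -> next hop) and adjacency table (next hop -> interface) are built
    from the RIB before any packet arrives, so forwarding never consults the RIB."""
    def __init__(self, rib):
        self.fib = {r.prefix: r.next_hop for r in rib}
        # Real adjacency entries come from ARP/L2; modelled here from the RIB.
        self.adjacency = {r.next_hop: r.interface for r in rib}
        self.lookups = 0                # software lookups during forwarding: stays 0
    def forward(self, dst):
        addr = ipaddress.ip_address(dst)
        prefix = max((p for p in self.fib if addr in p), key=lambda p: p.prefixlen)
        next_hop = self.fib[prefix]
        return next_hop, self.adjacency[next_hop]

def compare(packets, rib=RIB):
    """Return {method: software lookups} for one packet stream; raises if the
    three methods ever disagree on a packet's (next hop, interface)."""
    engines = {cls.__name__: cls(rib) for cls in (ProcessSwitching, FastSwitching, CEF)}
    for dst in packets:
        decisions = {engine.forward(dst) for engine in engines.values()}
        if len(decisions) != 1:
            raise AssertionError(f"methods disagree for {dst}: {decisions}")
    return {name: engine.lookups for name, engine in engines.items()}

if __name__ == "__main__":
    stream = ["192.168.2.10"] * 3 + ["192.168.2.200"] * 2 + ["8.8.8.8"]
    print(compare(stream))   # {'ProcessSwitching': 6, 'FastSwitching': 3, 'CEF': 0}
```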

And to verify CEF: it is enabled by default in most IOS versions. If you want to verify whether it is enabled or not, you use the show ip cef command; you can see this is your forwarding information base table, where you have a specific entry for each network. Let's take an example of any one network, let's say 120; it shows my next hop address and the exit interface. This is prebuilt, and it is done based on your routing table. Again, CEF is not going to decide any best routes; all the best routes are whatever is given by the routing table, and based on that it maintains this information so that if any packet comes for this specific destination it simply forwards the packet out of the Serial1/1 interface.

So it makes your routing process much faster than normal. If you want to disable it, which is generally not recommended, we can use no ip cef. This command disables it, and when I disable it, if I use show ip cef it simply says CEF is not running on your router. Whenever you see this, you just need to enter the ip cef command; ip cef re-enables it. So it is generally not recommended to disable it. Whenever CEF is enabled it ensures that the fast switching happens automatically. Now, even in layer 3 switches we have the same kind of process; there is not much difference. In your layer 3 switch here, take an example: I have a source IP A that wants to send a packet to B. Your packet is going between two different VLANs, VLAN 10 to VLAN 20.

This is very useful especially in your layer 2 network environments where you want to forward traffic between two different VLANs. They are probably on the same LAN segment, but we need to ensure that they communicate much faster than with normal routing. That is the reason we have multilayer switches involved here, and they forward your information at wire speed, and that is possible because of CEF, which forwards the packet. The switch maintains the layer 3 information, the software information, and this is forwarded to your layer 2, that is your hardware, with the FIB table; it also maintains an adjacency table, and based on that it sees the destination network ID and forwards the packet to that interface. That is how CEF works.

  3. MPLS VPN – Overview

In this video I'm going to show you how MPLS VPNs work a little differently. I'm just going to give an overview of how it works; we'll get into more practical MPLS L3 VPN sessions later on. As we have already discussed in our previous session, if you remember, we have seen some of the basics about leased line connections. We have been using dedicated lines for many years, very long back, which provide a separate dedicated point-to-point connection. But the problem with leased lines is that they are not scalable, and at the same time they are a very expensive solution.

Most of the leased line connections in today's networks have been replaced with VPN types of implementations, which provide a virtual point-to-point connection between two different sites over the service provider network. We have two major categories of VPN models: the overlay model and the peer-to-peer model, which we discussed in detail in our previous sections. In the overlay model the service provider is just providing a layer 2 virtual connection between the two endpoints. It is more like a virtual point-to-point connection where the service provider is not participating in any of the customer routing.

When you talk about peer-to-peer models, the service provider is responsible for taking the routes of the customer, installing them in a routing table, and sending them to the other end, where they finally reach the customer. We have also seen some of the advantages and disadvantages of both models. In this section we'll see how MPLS VPNs differ and how exactly they work when you compare them with the other models. The first thing: MPLS is Multiprotocol Label Switching. You can see the name itself says label switching, which means when your packets come from the customer side they enter as normal IP packets, and inside the service provider network, from this end to the other end, they will be label switched.

It is not going to forward based on the IP packets; it will be forwarded based on the labels. That is what label switching means here: forward the packets based on labels instead of the normal IP header. It combines some of the advantages of both the overlay model and the peer-to-peer model. Now let us see how it works. We have seen that in MPLS the packet enters as a normal IP packet and goes to the provider edge router, then it goes on as a labeled packet, and each router identifies the label and changes the label to another label, until finally it reaches the other end. In MPLS, just like we discussed in the peer-to-peer model, the customer, let's say the 10.0.0.0 network, is going to advertise its network to the provider's router.

Which means we are going to do some routing between the service provider and the customer. The service provider is going to maintain the routes in a separate VRF routing table. VRF is virtual routing and forwarding, where the provider edge router maintains a separate routing table for each and every customer. Let's say you have another customer, customer B or customer XYZ, whatever. If customer XYZ is also connecting to the same PE, then those routes are placed in a separate VRF routing table. Once the provider edge router receives the routes, the same thing happens on the other side: that customer also advertises its own network to the provider edge router, and the PE router maintains the customer routes in a separate VRF routing table.

In order to exchange the routes from one end to the other, from PE to PE, we are going to configure something called VPNv4 peering, which has to be established between the PEs. We can have a direct VPNv4 peering between PE and PE, or if you are working for a big service provider network, you can have a VPNv4 peering established to a route reflector and then back to the PE again. Whichever way you do it, a VPNv4 peering has to be established between the PE routers. This peering is more similar to the tunneling we do with GRE or IPsec tunnels; it is a similar kind of thing. Once we establish the VPNv4 peering between these two, what the PE router is going to do is this: the PE receives a normal IP packet.

It takes the IP packet and, once we have established the VPNv4 peering, it adds one label, and that label will be your VPN label. Based on this VPN label, the P router is going to see this label, and based on that label information it simply forwards toward the other provider edge router without actually looking at any information inside the IP packet. Which means for any traffic coming from the customer to reach from one PE to another PE, the core is only concerned about the label. It is not at all bothered about what the source is, where the packet is coming from, what the destination is, or what exactly is inside that IP packet. It sees the label and then automatically switches based on the label.

Again, that label is built based on the OSPF or EIGRP protocol running inside the service provider network. I'll come to that in much more detail: how the labels are added, how the label information is propagated, all those things. Based on this label, the core is only concerned with forwarding the packet to the other end. Unlike your peer-to-peer model, the P routers do not know anything about the customer routes; they do not maintain any of the customer routes, which means the service provider does not need to maintain any of the customer routes except on the provider edge routers.

This PE router is only going to maintain the customer routes in a separate VRF routing table, and this PE router is going to maintain the customer routes in a separate routing table, whereas the service provider core routers, the P routers, don't really bother about what the customer routes are, because the entire packet from one end to the other is forwarded based on the label; it is label switched. So the good thing about MPLS VPNs when you compare with the peer-to-peer model is that it provides a BGP-free core, which means without actually running BGP inside the service provider core, we are still providing reachability from one site of the customer to the other.

Unlike the peer-to-peer model, apart from providing the BGP-free core, it also works like Frame Relay, where the packets from one end to the other are label switched, just like your layer 2. So in general we say MPLS works at OSI layer 2.5. It forwards the packets based on labels, more like a layer 2 technology, but at the same time it is responsible for exchanging the routes from customer to customer, and we are going to configure some PE to CE routing for that. In this section we have seen a basic introduction to MPLS VPNs and how they exactly work. In our next sessions we'll get into more detailed practical verification of how the labels are assigned, how LDP works, and also the different kinds of configurations we do.
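An added Python model (not from the course, not real IOS behaviour) of the forwarding path this section describes: CE advertises into a VRF on the PE, the PE pushes a VPN label, the P routers switch on labels only, and the egress PE uses the VPN label to pick the VRF. The customers, prefixes, label values and router names are constructed, and the model assumes, beyond what the text says, that a second transport label sits on top of the VPN label and that this is the label the P routers swap; the VPN label is read only by the egress PE, which is what keeps two customers with the same 10.1.0.0/16 address space apart.

```python
"""Constructed model of the MPLS L3VPN forwarding path (added example, not IOS code).
Two customers, A and XYZ, both use 10.1.0.0/16.  Each PE keeps one VRF table per
customer and allocates a VPN label per prefix; the P routers swap only the top
(transport) label and never read the IP header; the egress PE selects the VRF
from the VPN label alone."""
import ipaddress

class Packet:
    def __init__(self, dst):
        self.dst = dst
        self.labels = []            # label stack, last element is top of stack

class PE:
    """Provider edge router: a separate routing table (VRF) per customer."""
    def __init__(self, name):
        self.name = name
        self.vrf = {}               # vrf -> {prefix: vpn label learned from remote PE}
        self.label_to_vrf = {}      # vpn label -> vrf, for labels this PE allocated
        self._next_label = 100

    def learn_from_ce(self, vrf, prefix):
        """PE-CE routing: the CE advertises a prefix into its VRF and the PE allocates
        a VPN label for it.  Returns (prefix, label) as sent to the remote PE over VPNv4."""
        label, self._next_label = self._next_label, self._next_label + 1
        self.label_to_vrf[label] = vrf
        return ipaddress.ip_network(prefix), label

    def install_vpnv4(self, vrf, prefix, vpn_label):
        """A VPNv4 route from the remote PE lands only in the matching customer's VRF."""
        self.vrf.setdefault(vrf, {})[prefix] = vpn_label

    def ingress(self, vrf, pkt, transport_label):
        """Longest-prefix lookup in the customer's own VRF, then push the VPN label and
        the transport label.  Returns None when this VRF has no route: prefixes that
        belong to another customer are simply invisible here."""
        addr = ipaddress.ip_address(pkt.dst)
        matches = [p for p in self.vrf.get(vrf, {}) if addr in p]
        if not matches:
            return None
        best = max(matches, key=lambda p: p.prefixlen)
        pkt.labels += [self.vrf[vrf][best], transport_label]
        return pkt

    def egress(self, pkt):
        """Pop the VPN label; it alone decides which VRF (customer) the packet belongs to."""
        return self.label_to_vrf[pkt.labels.pop()]

class P:
    """Core router: swaps the top label only; pkt.dst is never examined."""
    def __init__(self, lfib):
        self.lfib = lfib            # in label -> out label; None = pop (penultimate hop)

    def switch(self, pkt):
        out = self.lfib[pkt.labels.pop()]
        if out is not None:
            pkt.labels.append(out)
        return pkt

def deliver(dst, src_vrf):
    """Send one packet from a CE in src_vrf behind PE1 across P1 and P2 to PE2.
    Returns the VRF PE2 delivers into, or None if PE1's VRF had no route."""
    pe1, pe2 = PE("PE1"), PE("PE2")
    # Constructed remote sites behind PE2: both customers use 10.1.0.0/16, and XYZ
    # also has 172.16.0.0/16, which customer A must not be able to reach.
    for vrf, prefix in (("A", "10.1.0.0/16"), ("XYZ", "10.1.0.0/16"), ("XYZ", "172.16.0.0/16")):
        pe1.install_vpnv4(vrf, *pe2.learn_from_ce(vrf, prefix))
    p1, p2 = P({200: 201}), P({201: None})     # P2 pops the transport label (PHP)
    pkt = pe1.ingress(src_vrf, Packet(dst), transport_label=200)
    if pkt is None:
        return None
    return pe2.egress(p2.switch(p1.switch(pkt)))
```

Calling `deliver("10.1.5.9", "A")` and `deliver("10.1.5.9", "XYZ")` returns "A" and "XYZ" respectively for the same destination address, while `deliver("172.16.3.3", "A")` returns None because that prefix exists only in the XYZ VRF.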
