Implementing MPLS VPNs over IP Tunnels
Advertising Tunnel Type and Tunnel Capabilities Between PE Routers—BGP
Border Gateway Protocol (BGP) is used to advertise the tunnel endpoints and the subaddress family identifier
(SAFI) specific attributes (which contain the tunnel type and tunnel capabilities). This feature introduces
the tunnel SAFI and the BGP SAFI-Specific Attribute (SSA).
These attributes allow BGP to distribute tunnel encapsulation information between PE routers. VPNv4 traffic
is routed through these tunnels. The next hop, advertised in BGP VPNv4 updates, determines which tunnel
to use for routing tunnel traffic.
SAFI
The tunnel SAFI defines the tunnel endpoint and carries the endpoint IPv4 address and next hop. It is identified
by the SAFI number 64.
BGP SSA
The BGP SSA carries the BGP preference and BGP flags. It also carries the tunnel cookie, tunnel cookie
length, and session ID. It is identified by attribute number 19.
PE Routers and Address Space
One multipoint L2TPv3 tunnel must be configured on each PE router. To create the VPN, you must configure
a unique Virtual Routing and Forwarding (VRF) instance. The tunnel that transports the VPN traffic across
the core network resides in its own address space.
Packet Validation Mechanism
The MPLS VPNs over IP Tunnels feature provides a simple mechanism to validate received packets from
appropriate peers. The multipoint L2TPv3 tunnel header is automatically configured with a 64-bit cookie and
L2TPv3 session ID. This packet validation mechanism protects the VPN from illegitimate traffic sources.
The cookie and session ID are not user-configurable, but they are visible in the packet as it is routed between
the two tunnel endpoints. Note that this packet validation mechanism does not protect the VPN from hackers
who are able to monitor legitimate traffic between PE routers.
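The receive-side check described above, as an added example that is not Cisco's code or part of the original guide. It assumes the L2TPv3-over-IP session header layout (32-bit session ID followed by the 64-bit cookie); the session ID, cookie and packet bytes are constructed sample values, and the function names are hypothetical.

```python
import hmac
import struct

# Constructed sample values. On the PE router both are generated
# automatically and are not user-configurable.
SESSION_ID = 0x0000A1B2
COOKIE = bytes.fromhex("0123456789abcdef")   # 64-bit cookie
HEADER_LEN = 4 + 8                           # session ID + cookie


def encapsulate(inner, session_id=SESSION_ID, cookie=COOKIE):
    """Prepend the L2TPv3 session header to an inner packet."""
    return struct.pack("!I", session_id) + cookie + inner


def validate(payload, session_id=SESSION_ID, cookie=COOKIE):
    """Check the bytes that follow the outer IP header; return (verdict, inner)."""
    if len(payload) < HEADER_LEN:
        return "drop:truncated", b""
    (rx_session,) = struct.unpack_from("!I", payload, 0)
    if rx_session != session_id:
        return "drop:unknown-session", b""
    # Constant-time comparison so timing does not reveal matching prefix bytes.
    if not hmac.compare_digest(payload[4:HEADER_LEN], cookie):
        return "drop:bad-cookie", b""
    return "accept", payload[HEADER_LEN:]


def tally(packets):
    """Count verdicts, as a decapsulation drop counter would."""
    counts = {}
    for pkt in packets:
        verdict, _ = validate(pkt)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


SAMPLES = [
    encapsulate(b"vpn-packet-from-peer"),       # legitimate PE
    encapsulate(b"x", cookie=bytes(8)),         # sender without the cookie
    encapsulate(b"x", session_id=0x00001234),   # wrong session ID
    b"\x00\x00",                                # truncated header
    # Same cleartext header, different payload: the check only matches static
    # fields, so it cannot distinguish this from the first packet.
    encapsulate(b"other-payload"),
]

if __name__ == "__main__":
    print(tally(SAMPLES))
```

The last sample is accepted because the cookie and session ID travel in the clear, which is the limitation this section notes. The check filters senders that do not know the header values; it provides no payload integrity or confidentiality.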
Quality of Service Using the Modular QoS CLI
To configure the bandwidth on the encapsulation and decapsulation interfaces, use the modular QoS CLI
(MQC).
Note
This task is optional.
Use the MQC to configure the IP precedence or Differentiated Services Code Point (DSCP) value set in the
IP carrier header during packet encapsulation. To set these values, enter a standalone set command or a police
command using the keyword tunnel. In the input policy on the encapsulation interface, you can set the
precedence or DSCP value in the IP payload header by using MQC commands without the keyword tunnel.
Cisco IOS XR Virtual Private Network Configuration Guide for the Cisco CRS Router, Release 6.1.x