
Cisco Press MPLS and VPN Architectures, Volume II 2003 (by laxxuss), training document library




Table of Contents



Index

MPLS and VPN Architectures, Volume II
By Jim Guichard, Ivan Pepelnjak, Jeff Apcar

Publisher: Cisco Press
Pub Date: June 06, 2003
ISBN: 1-58705-112-5
Pages: 504

With MPLS and VPN Architectures, Volume II, you'll learn:

• How to integrate various remote access technologies into the backbone providing VPN
  service to many different types of customers
• The new PE-CE routing options as well as other advanced features, including per-VPN
  Network Address Translation (PE-NAT)
• How VRFs can be extended into a customer site to provide separation inside the
  customer network
• The latest MPLS VPN security features and designs aimed at protecting the MPLS VPN
  backbone
• How to carry customer multicast traffic inside a VPN
• The latest inter-carrier enhancements to allow for easier and more scalable deployment
  of inter-carrier MPLS VPN services
• Advanced troubleshooting techniques including router outputs to ensure high availability

MPLS and VPN Architectures, Volume II, builds on the best-selling MPLS and VPN
Architectures, Volume I (1-58705-002-1), from Cisco Press. Extending into more advanced
topics and deployment architectures, Volume II provides readers with the necessary tools
they need to deploy and maintain a secure, highly available VPN.

MPLS and VPN Architectures, Volume II, begins with a brief refresher of the MPLS VPN
Architecture. Part II describes advanced MPLS VPN connectivity including the integration of
service provider access technologies (dial, DSL, cable, Ethernet) and a variety of routing
protocols (IS-IS, EIGRP, and OSPF), arming the reader with the knowledge of how to
integrate these features into the VPN backbone. Part III details advanced deployment issues
including security, outlining the necessary steps the service provider must take to protect the
backbone and any attached VPN sites, and also detailing the latest security features to allow
more advanced topologies and filtering. This part also covers multi-carrier MPLS VPN
deployments. Finally, Part IV provides a methodology for advanced MPLS VPN
troubleshooting.

MPLS and VPN Architectures, Volume II, also introduces the latest advances in customer
integration, security, and troubleshooting features essential to providing the advanced
services based on MPLS VPN technology in a secure and scalable way.

This book is part of the Networking Technology Series from Cisco Press, which offers
networking professionals valuable information for constructing efficient networks,
understanding new technologies, and building successful careers.







Table of Contents

Copyright
About the Authors
About the Technical Reviewers
About the Content Reviewer
Acknowledgments
Introduction
    Who Should Read This Book?
    How This Book Is Organized
    Icons Used in This Book
    Command Syntax Conventions

Part I. Introduction
  Chapter 1. MPLS VPN Architecture Overview
    MPLS VPN Terminology
    Connection-Oriented VPNs
    Connectionless VPNs
    MPLS-Based VPNs
    New MPLS VPN Developments
    Summary

Part II. Advanced PE-CE Connectivity
  Chapter 2. Remote Access to an MPLS VPN
    Feature Enhancements for MPLS VPN Remote Access
    Overview of Access Protocols and Procedures
    Providing Dial-In Access to an MPLS VPN
    Providing Dial-Out Access via LSDO
    Providing Dial-Out Access Without LSDO (Direct ISDN)
    Providing Dial Backup for MPLS VPN Access
    Providing DSL Access to an MPLS VPN
    Providing Cable Access to an MPLS VPN
    Advanced Features for MPLS VPN Remote Access
    Summary
  Chapter 3. PE-CE Routing Protocol Enhancements and Advanced Features
    PE-CE Connectivity: OSPF
    PE-CE Connectivity: Integrated IS-IS
    PE-CE Connectivity: EIGRP
    Summary
  Chapter 4. Virtual Router Connectivity
    Configuring Virtual Routers on CE Routers
    Linking the Virtual Router with the MPLS VPN Backbone
    VRF Selection Based on Source IP Address
    Performing NAT in a Virtual Router Environment
    Summary

Part III. Advanced Deployment Scenarios
  Chapter 5. Protecting the MPLS-VPN Backbone
    Inherent Security Capabilities
    Neighbor Authentication
    CE-to-CE Authentication
    Control of Routes That Are Injected into a VRF
    PE to CE Circuits
    Extranet Access
    Internet Access
    IPSec over MPLS
    Summary
  Chapter 6. Large-Scale Routing and Multiple Service Provider Connectivity
    Large Scale Routing: Carrier's Carrier Solution Overview
    Carrier Backbone Connectivity
    Label Distribution Protocols on PE-CE Links
    BGP-4 Between PE/CE Routers
    Hierarchical VPNs: Carrier's Carrier MPLS VPNs
    VPN Connectivity Between Different Service Providers
    Summary
  Chapter 7. Multicast VPN
    Introduction to IP Multicast
    Enterprise Multicast in a Service Provider Environment
    mVPN Architecture
    MDTs
    Case Study of mVPN Operation in SuperCom
    Summary
  Chapter 8. IP Version 6 Transport Across an MPLS Backbone
    IPv6 Business Drivers
    Deployment of IPv6 in Existing Networks
    Quick Introduction to IPv6
    In-Depth 6PE Operation and Configuration
    Complex 6PE Deployment Scenarios
    Summary

Part IV. Troubleshooting
  Chapter 9. Troubleshooting of MPLS-Based Solutions
    Introduction to Troubleshooting of MPLS-Based Solutions
    Troubleshooting the MPLS Backbone
    Other Quick Checks
    MPLS Control Plane Troubleshooting
    MPLS Data Plane Troubleshooting
    MPLS VPN Troubleshooting
    In-Depth MPLS VPN Troubleshooting
    Summary

Index


Copyright

Copyright © 2003 Cisco Systems, Inc.

Cisco Press logo is a trademark of Cisco Systems, Inc.

Published by:
Cisco Press
201 West 103rd Street
Indianapolis, IN 46290 USA

All rights reserved. No part of this book may be reproduced or transmitted in any form or by
any means, electronic or mechanical, including photocopying, recording, or by any
information storage and retrieval system, without written permission from the publisher,
except for the inclusion of brief quotations in a review.

Printed in the United States of America 1 2 3 4 5 6 7 8 9 0

Library of Congress Cataloging-in-Publication Number: 619472051122

Warning and Disclaimer

This book is designed to provide information about MPLS and VPN architectures. Every effort
has been made to make this book as complete and as accurate as possible, but no warranty
or fitness is implied.

The information is provided on an "as is" basis. The authors, Cisco Press, and Cisco Systems,
Inc. shall have neither liability nor responsibility to any person or entity with respect to any
loss or damages arising from the information contained in this book or from the use of the
discs or programs that may accompany it.

The opinions expressed in this book belong to the authors and are not necessarily those of
Cisco Systems, Inc.

Trademark Acknowledgments

All terms mentioned in this book that are known to be trademarks or service marks have
been appropriately capitalized. Cisco Press or Cisco Systems, Inc. cannot attest to the
accuracy of this information. Use of a term in this book should not be regarded as affecting
the validity of any trademark or service mark.

Feedback Information

At Cisco Press, our goal is to create in-depth technical books of the highest quality and value.
Each book is crafted with care and precision, undergoing rigorous development that involves
the unique expertise of members from the professional technical community.

Readers' feedback is a natural continuation of this process. If you have any comments
regarding how we could improve the quality of this book, or otherwise alter it to better suit
your needs, you can contact us through e-mail at Please make
sure to include the book title and ISBN in your message.

We greatly appreciate your assistance.

Credits

Publisher                                           John Wait
Editor-In-Chief                                     John Kane
Cisco Representative                                Anthony Wolfenden
Cisco Press Program Manager                         Sonia Torres Chavez
Manager, Marketing Communications, Cisco Systems    Scott Miller
Cisco Marketing Program Manager                     Edie Quiroz
Acquisitions Editor                                 Amy Moss
Production Manager                                  Patrick Kanouse
Development Editor                                  Grant Munroe
Project Editor                                      Lori Lyons
Copy Editor                                         Karen A. Gill
Technical Editors                                   Matt Birkner, Dan Tappan
Content Editor                                      Monique Morrow
Team Coordinator                                    Tammi Ross
Book Designer                                       Gina Rexrode
Cover Designer                                      Louisa Adair
Production Team                                     Mark Shirar
Indexer                                             Tim Wright

Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100

European Headquarters
Cisco Systems International BV
Haarlerbergpark
Haarlerbergweg 13-19
1101 CH Amsterdam
The Netherlands
www-europe.cisco.com
Tel: 31 0 20 357 1000
Fax: 31 0 20 357 1100

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
www.cisco.com
Tel: 408 526-7660
Fax: 408 527-0883

Asia Pacific Headquarters
Cisco Systems, Inc.
Capital Tower
168 Robinson Road
#22-01 to #29-01
Singapore 068912
www.cisco.com
Tel: +65 6317 7777
Fax: +65 6317 7799

Cisco Systems has more than 200 offices in the following countries and regions. Addresses,
phone numbers, and fax numbers are listed on the Cisco.com Web site at
www.cisco.com/go/offices.

Argentina • Australia • Austria • Belgium • Brazil • Bulgaria • Canada • Chile • China PRC •
Colombia • Costa Rica • Croatia • Czech Republic • Denmark • Dubai, UAE • Finland • France •
Germany • Greece • Hong Kong SAR • Hungary • India • Indonesia • Ireland • Israel • Italy •
Japan • Korea • Luxembourg • Malaysia • Mexico • The Netherlands • New Zealand • Norway
• Peru • Philippines • Poland • Portugal • Puerto Rico • Romania • Russia • Saudi Arabia •
Scotland • Singapore • Slovakia • Slovenia • South Africa • Spain • Sweden • Switzerland •
Taiwan • Thailand • Turkey • Ukraine • United Kingdom • United States • Venezuela •
Vietnam • Zimbabwe

Copyright © 2003 Cisco Systems, Inc. All rights reserved. CCIP, CCSP, the Cisco Arrow logo,
the Cisco Powered Network mark, the Cisco Systems Verified logo, Cisco Unity, Follow Me
Browsing, FormShare, iQ Net Readiness Scorecard, Networking Academy, and ScriptShare
are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn,
The Fastest Way to Increase Your Internet Quotient, and iQuick Study are service marks of
Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP,
Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco
Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the
Internet Generation, Enterprise/Solver, EtherChannel, EtherSwitch, Fast Step, GigaStack,
Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, LightStream, MGX, MICA, the
Networkers logo, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, RateMUX,
Registrar, SlideCast, SMARTnet, StrataView Plus, Stratm, SwitchProbe, TeleRouter,
TransPath, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in
the U.S. and certain other countries.

All other trademarks mentioned in this document or Web site are the property of their
respective owners. The use of the word partner does not imply a partnership relationship
between Cisco and any other company. (0303R)

Printed in the USA

Dedications

To my wife Sadie, for putting up with me writing another book and the long lonely nights
associated with such an undertaking. To my children Aimee and Thomas, who always help to
keep me smiling.—Jim

To my wife Karmen, who was always there when I needed encouragement or support. To my
children Maja and Monika, who waited patiently for my attention on too many
occasions.—Ivan

To my wife Anne, who is an exceptional person in every way. To my children Caitlin, Conor,
and especially Ronan: Despite his constant efforts to reboot my PC, I managed to lose a draft
only once.—Jeff





About the Authors

Jim Guichard, CCIE No. 2069, is a Technical Leader II within the Internet Technologies
Division (ITD) at Cisco Systems. During the past six years at Cisco and previously at IBM, Jim
has been involved in the design, implementation, and planning of many large-scale WAN and
LAN networks. His breadth of industry knowledge, hands-on experience, and understanding
of complex internetworking architectures have enabled him to provide valued assistance to
many of Cisco's larger service provider customers. His previous publications include MPLS
and VPN Architectures, by Cisco Press.

Ivan Pepelnjak, CCIE No. 1354, is the Chief Technology Advisor and member of the board
with NIL Data Communications (www.NIL.si), a high-tech data communications company
that focuses on providing high-value services in new-world service provider technologies.

Ivan has more than 10 years of experience in designing, installing, troubleshooting, and
operating large corporate and service provider WAN and LAN networks, several of them
already deploying MPLS-based virtual private networks (VPNs). He is the author or lead
developer of a number of highly successful advanced IP courses covering MPLS/VPN, BGP,
OSPF, and IP QoS, and he is the architect of NIL's remote lab solution. Ivan's previous
publications include MPLS and VPN Architectures and EIGRP Network Design Solutions, by
Cisco Press.

Jeff Apcar is a Senior Design Consulting Engineer in the Asia Pacific Advanced Services
group at Cisco Systems. He is one of the Cisco lead consultants on MPLS in the region and
has designed MPLS networks for many service providers in AsiaPac using packet-based and
cell-based MPLS. Jeff has also designed and maintained large IP router networks (500+
nodes) and has a broad and deep range of skills covering many facets of networking
communications.

Jeff has more than 24 years of experience in data communications and holds Dip. Tech
(Information Processing) and B.App.Sc (Computing Science) (Hons) from the University of
Technology, Sydney, Australia.



About the Technical Reviewers
Matthew H. Birkner, CCIE No. 3719, is a Technical Leader at Cisco Systems, specializing in IP and MPLS network design. He has influenced multiple large carrier and enterprise designs worldwide. Matt has spoken at Cisco Networkers on MPLS VPN technologies in both the U.S. and EMEA over the past few years. A "double CCIE", he has published the Cisco Press book, Cisco Internetwork Design. Matt holds a BSEE from Tufts University, where he majored in electrical engineering.

Dan Tappan is a distinguished engineer at Cisco Systems. He has 20 years of experience with internetworking, having worked on the ARPANET transition from NCP to TCP at Bolt, Beranek, and Newman. For the past several years, Dan has been the technical lead for Cisco's implementation of MPLS (tag switching) and MPLS/VPNs.



About the Content Reviewer
Monique Morrow is currently CTO Consulting Engineer at Cisco Systems, Inc. She has 20 years of experience in IP internetworking that includes design, implementation of complex customer projects, and service development for service providers. Monique has been involved in developing managed network services such as remote access and LAN switching in a service provider environment. She has worked for both enterprise and service provider companies in the United States and in Europe. She led the Engineering Project team for one of the first European MPLS-VPN deployments in 1999 for a European service provider.



Acknowledgments
Every major project is a result of teamwork, and this book is no exception. We'd like to thank everyone who helped us in the long writing process: our development editor, Grant Munroe, who helped us with the intricacies of writing a book; the rest of the editorial team from Cisco Press; and especially our reviewers, Dan Tappan, Matt Birkner, and Monique Morrow. They not only corrected our errors and omissions, but they also included several useful suggestions to improve the quality of this publication.

Jeff would like to thank his management team Tony Simonsen, Michael Lim, and Steve Smith, for providing the time and encouragement to do the book. Also special thanks to the guys in the AsiaPac Lab Group, Nick Stathakis, Ron Masson, and George Lerantges, who let him hog lots of gear. Last, Jeff would like to thank Jim and Ivan for inviting him to collaborate with them.

Finally, this book would never have been written without the continuous support and patience of our families, especially our wives, Sadie, Karmen, and Anne.



Introduction
Since our first MPLS book (MPLS and VPN Architectures) was published by Cisco Press a few years ago, MPLS has matured from a hot leading-edge technology—supporting Internet services and leased-line–based VPN solution—to a set of solutions that are successfully deployed in large-scale service provider networks worldwide. A number of additional solutions had to be developed to support the needs of these networks, and many additional IOS services were made VPN-aware to enable the service providers to deploy the services they were already offering within the new architectural framework. Therefore, it was a natural step to continue on the path we charted with the first book and describe the enhancements made to MPLS architecture or its implementation in Cisco IOS in MPLS and VPN Architectures: Volume II.



Who Should Read This Book?
This book is not designed to be an introduction to Multiprotocol Label Switching (MPLS) or virtual private networks (VPNs); Volume I (MPLS and VPN Architectures) provides you with that knowledge. This book is intended to tremendously increase your knowledge of advanced MPLS VPN deployment scenarios and enable you to deploy MPLS and MPLS VPN solutions in a variety of complex designs. Anyone who is involved in design, deployment, or troubleshooting of advanced or large-scale MPLS or MPLS VPN networks should read it.



How This Book Is Organized
Although this book could be read cover-to-cover, it is designed to be flexible and allow you to easily move between chapters and sections of chapters to cover just the material that you need more information on. If you do intend to read them all, the order in the book is an excellent sequence to use.

Part I: Introduction

Chapter 1, "MPLS VPN Architecture Overview," serves as a refresher to the information contained within MPLS and VPN Architectures. It does not describe the MPLS or MPLS VPN technology in detail; if you need baseline MPLS or MPLS VPN knowledge, read MPLS and VPN Architectures: Volume I first.

Part II: Advanced PE-CE Connectivity

Chapter 2, "Remote Access to an MPLS VPN," discusses integration of access technologies such as dial, DSL, and cable into an MPLS VPN backbone. This chapter shows how you can integrate various access technologies into the backbone, thereby providing VPN service to many types of customers.

Chapter 3, "PE-CE Routing Protocol Enhancements and Advanced Features," builds on Volume 1 of the MPLS and VPN Architectures book and introduces more advanced options/features for OSPF connectivity as well as support for IS-IS and EIGRP routing protocols.

Chapter 4, "Virtual Router Connectivity," discusses the use of the VRF constructs to build virtual router type connectivity, extending the VRF concept to the CE router. This chapter also discusses new VRF-related features, including VRF-lite and PE-based network address translation (PE-NAT).

Part III: Advanced Deployment Scenarios

Chapter 5, "Protecting the MPLS-VPN Backbone," looks at various security issues within the backbone and describes the necessary steps that a service provider must take to protect the backbone and any attached VPN sites.

Chapter 6, "Large-Scale Routing and Multiple Service Provider Connectivity," describes the advanced features, designs, and topologies that were made possible with the enhancements to Cisco IOS since the first MPLS and VPN Architectures book was written.

Chapter 7, "Multicast VPN," discusses the deployment of IP multicast between VPN client sites.

Chapter 8, "IP Version 6 Across an MPLS Backbone," discusses a model (6PE) that gives the service providers an option to provide IPv6 connectivity across an MPLS-enabled IPv4 backbone.

Part IV: Troubleshooting

Chapter 9, "Troubleshooting of MPLS-Based Solutions," provides a streamlined methodology for identifying faults in MPLS solutions and troubleshooting an MPLS VPN backbone.


Icons Used in This Book
Throughout this book, you will see the following icons used for networking devices:


The following icons are used for peripherals and other devices:

The following icons are used for networks and network connections:


Command Syntax Conventions
The conventions used to present command syntax in this book are the same conventions used
in the IOS Command Reference. The Command Reference describes these conventions as
follows:


Vertical bars (|) separate alternative, mutually exclusive elements.

Square brackets [ ] indicate optional elements.

Braces { } indicate a required choice.

Braces within brackets [{ }] indicate a required choice within an optional element.

Boldface indicates commands and keywords that are entered literally as shown. In actual configuration examples and output (not general command syntax), boldface indicates commands that are manually input by the user (such as a show command).

Italics indicate arguments for which you supply actual values.


Part I: Introduction
Chapter 1 MPLS VPN Architecture Overview





Chapter 1. MPLS VPN Architecture Overview

Virtual private networks (VPNs) have recently received a lot of attention from equipment manufacturers, consultants, network designers, service providers, large enterprises, and end users due to their cost advantages over traditional enterprise networks. As with most technologies, the foundation for today's VPN networks and underlying technologies was created more than 20 years ago. During its development, end users discovered that it made financial sense to replace links between sites in their own private network with virtual connections across a shared infrastructure. The assumption for doing this was that a shared environment (or VPN) is equivalent in terms of security and privacy to the network (links) it was replacing.

This chapter reviews the basic Multiprotocol Label Switching (MPLS) and MPLS-based VPN concepts and terminologies to ensure an understanding of the terms used in this book. It also covers the latest developments in the MPLS VPN arena and how they enable the service provider to offer new MPLS-based services, such as remote access into an MPLS-based VPN or Internet Protocol (IP) multicast within a VPN. These developments are also described in depth in later chapters.

NOTE

You can find more in-depth descriptions of these concepts and additional MPLS or VPN background information in Ivan Pepelnjak and Jim Guichard's MPLS and VPN Architectures (Volume I), published by Cisco Press, which is a prerequisite to understanding this book.


MPLS VPN Terminology
Since the early days of X.25 and Frame Relay (the two technologies initially used to deploy
VPN services), many different technologies have been proposed as the basis to enable a VPN
infrastructure. These ranged from Layer 2 technologies (X.25, Frame Relay, and
Asynchronous Transfer Mode [ATM]) to Layer 3 technologies (primarily IP) or even Layer 7
technologies. IBM once had a product that transported IP datagrams over Systems Network
Architecture (SNA) application sessions, and TGV (a company later acquired by Cisco
Systems) had implemented IP transport over DECnet sessions. Not surprisingly, with such a
variety of implementation proposals, the overall terminology in the field has changed
dramatically. This book uses the terminology introduced with the MPLS-based VPN.

MPLS VPN-based terminology is based on a clear distinction between the service provider
network (P-network) and the customer network (C-network), as shown in Figure 1-1.

Figure 1-1. MPLS VPN-Based Terminology

The P-network is always topologically contiguous, whereas the C-network is usually clearly
delineated into a number of sites (contiguous parts of the customer network that are
connected in some way other than through the VPN service). Note that a site does not need
to be geographically contained; if the customer is using a VPN service for its international
connectivity only, a site could span a whole country.

The devices that link the customer sites to the P-network are called customer edge (CE)
devices, whereas the service provider devices to which the CE routers connect are called
provider edge (PE) devices. In most cases, the P-network is made up of more than just the PE
routers. These other devices are called P devices (or, if the P-network is implemented with
Layer 3 technology, P routers). Similarly, the additional Layer 3 devices in the customer sites
that have no direct connectivity to the P-network are called C routers.

VPN technologies have evolved into two major approaches toward implementing VPN
services:

Connection-oriented VPN— The PE devices provide virtual leased lines between the
CE devices. These virtual leased lines are called virtual circuits (VCs). The VCs can be
permanent, established out-of-band by the service provider network management team
(called permanent virtual circuits, or PVCs). They can also be temporary, established on
demand by the CE devices through a signaling protocol that the PE devices understand.
(These VCs are called switched virtual circuits, or SVCs).

Connectionless VPN— The PE devices participate in the connectionless data transport
between CE devices. It is unnecessary for the service provider or the customer to
establish VCs in these VPNs, except perhaps between the PE and CE routers if the
service provider uses switched WAN as its access network technology.

Connection-Oriented VPNs
Connection-oriented VPNs were the first ones to be introduced. They offer a number of clear
advantages, including the following:


The service provider does not need to understand the customer's network; the service
provider just provides virtual circuits between the customer sites.

The service provider is not involved in the customer's routing (as shown in Figures 1-2
and 1-3), and it doesn't need to know which Layer 3 protocols the customer is
deploying. Consider, for example, the network shown in Figure 1-2. The VPN network is
implemented with Frame Relay VCs; therefore, the service provider is unaware of the
routing protocols that the customer is using. From the customer's routing perspective,
the customer routers are directly adjacent (linked with virtual point-to-point links), as
shown in Figure 1-3.

Figure 1-2. Connection-Oriented VPN: Physical Topology

Figure 1-3. Connection-Oriented VPN: Customer Routing Perspective

Connection-oriented VPNs also have several obvious disadvantages:
All VCs between the customer sites have to be provisioned, either manually by the
service provider network management team or by the CE devices. Even if the VCs are
established automatically by the CE devices, these devices need to be configured with
enough information to establish the links through the signaling protocol of choice.

The CE routers must exchange the routing information with other CE routers, resulting
in more router adjacencies, slower convergence, and generally more complex routing
setups.

NOTE
If you are interested in more of the advantages and disadvantages of connection-oriented
or connectionless VPNs, you can find them in Chapter 8, "Virtual Private
Network (VPN) Implementation Options," of Jim Guichard and Ivan Pepelnjak's
MPLS and VPN Architectures (Volume I), published by Cisco Press, 2002.

Modern connection-oriented VPNs are implemented with a variety of different technologies,
including the following:

They can be implemented with traditional connection-oriented Layer 2 technologies
(X.25, Frame Relay, or ATM) or with connectionless Layer 2 technologies, such as virtual
LANs (VLANs).

They can also be implemented with tunnels that are established over public Layer 3
infrastructure (usually over public IP infrastructure—most commonly the Internet).
These VPNs can use Layer 3 over Layer 3 tunnels, such as generic routing encapsulation
(GRE), which is described in RFC 2784, or tunnels based on IP security (IPSec)
technology. These VPNs can also use Layer 2 over Layer 3 tunnels, which are most
commonly found in dial-up access networks to implement virtual private dialup
networks (VPDNs).

Connectionless VPNs
Contrary to connection-oriented VPNs, connectionless VPNs propagate individual datagrams
that the CE devices send across the P-network. This approach, although highly scalable as
proven by today's Internet, does impose a number of limitations on the customers:


The customers can use only the Layer 3 protocol that the service provider supports. This
was a serious drawback a few years ago, but it is quickly becoming a moot issue
because most networking devices now support IPv4.

The customers must use addresses coordinated with the service provider. In a
connectionless network, every P device must be able to forward every individual
datagram to its final destination; therefore, each datagram must have a unique
destination address, known to every P device, as shown in Figure 1-4.

Figure 1-4. Packet Propagation on Connectionless VPNs

The simplicity of CE router configuration in a connectionless VPN world, as well as the
capability to support IP-based VPN services together with public IP services on the common
infrastructure, prompted many service providers to consider the rollout of connectionless VPN
services. However, the acceptance of these services was initially quite low because the
customers were unwilling to renumber their existing network infrastructure to comply with
the service provider's addressing requirement. Clearly, a different VPN technology was
needed that would combine the benefits of a connectionless VPN (simple CE router
configuration and lack of explicit provisioning of the virtual circuits) with the benefits of a
connection-oriented VPN (such as the support of overlapping address spaces and the
simplicity of data forwarding in the P devices).
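
The addressing constraint described above can be checked mechanically. The following Python
sketch is an added example, not code from the book; the customer names, site names, and
prefixes are constructed. It flattens every customer's prefixes into the single table that all
P devices would share in a connectionless VPN and reports the overlaps between customers,
which are the cases that force renumbering.

```python
import ipaddress
from itertools import combinations

# Constructed sample data: customers, sites and prefixes are hypothetical.
CUSTOMER_SITES = {
    "CustomerA": {"A-Site1": "10.1.0.0/16", "A-Site2": "10.2.0.0/16"},
    "CustomerB": {"B-Site1": "10.1.128.0/17", "B-Site2": "192.168.10.0/24"},
    "CustomerC": {"C-Site1": "172.16.0.0/20"},
}


def build_shared_table(customer_sites):
    """Flatten all customer prefixes into the one table every P device
    would have to hold in a connectionless VPN."""
    table = []
    for customer, sites in customer_sites.items():
        for site, prefix in sites.items():
            table.append((ipaddress.ip_network(prefix), customer, site))
    return table


def find_conflicts(table):
    """Return pairs of entries from different customers whose prefixes
    overlap, i.e. destinations that are not unique in the P-network."""
    conflicts = []
    for (net1, cust1, site1), (net2, cust2, site2) in combinations(table, 2):
        if cust1 != cust2 and net1.overlaps(net2):
            conflicts.append(
                ((cust1, site1, str(net1)), (cust2, site2, str(net2)))
            )
    return conflicts


def candidate_sites(table, destination):
    """List (customer, site) entries covering a destination address, most
    specific prefix first. More than one customer in the result means the
    destination address alone does not identify whose datagram it is."""
    addr = ipaddress.ip_address(destination)
    matches = [
        (net.prefixlen, customer, site)
        for net, customer, site in table
        if addr in net
    ]
    matches.sort(reverse=True)  # longest prefix first
    return [(customer, site) for _, customer, site in matches]


if __name__ == "__main__":
    shared = build_shared_table(CUSTOMER_SITES)
    for left, right in find_conflicts(shared):
        print("overlap:", left, "<->", right)
    print("10.1.200.5 ->", candidate_sites(shared, "10.1.200.5"))
    print("172.16.5.1 ->", candidate_sites(shared, "172.16.5.1"))
```

With longest-prefix matching, the overlapping destination would be delivered to CustomerB's site even when CustomerA sent it, which is why address coordination is mandatory in this model.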