MPLS VPN Questions
Here you will find answers to MPLS VPN Questions – Part 1
Question 1
Refer to the diagram. What problem can be caused by the second P
router summarizing the loopback address of the egress PE router?
A. The first P router will be faced with a VPN label which it does not understand.
B. The second P router will be faced with a VPN label which it does not understand.
C. The egress PE router will not be able to establish a label switch path (LSP) to the ingress PE router.
D. A label switch path (LSP) will be established from the ingress PE
router to the egress PE router, an event that is not desirable.
E. The ingress PE router will not be able to receive the VPN label from the egress PE router via MP-IBGP.
Answer: B
Explanation
MPLS VPN uses a feature called penultimate hop popping (PHP). The “penultimate hop” is not the last LSR to process a labeled packet but the second-to-last LSR to process it (that is, the router nearest to the egress LSR). With this feature, the egress LSR does not have to perform two label lookups, because PHP causes the penultimate hop to pop the MPLS label, leaving only the VPN label for the egress LSR to process.
In this question, if the second P router summarizes the loopback IP address of the egress PE router, the Label Switch Path (LSP) tunnel will be broken. To understand why, let’s assume that the loopback address of the egress PE is 1.1.1.1/32 and the second P router summarizes it as 1.1.0.0/16. The second P router then has both networks in its routing table:
+ 1.1.1.1/32 (the original network)
+ 1.1.0.0/16 (the summary network)
The second P router only sends the summary network 1.1.0.0/16 to the first P router and the ingress PE router. Also, the second P router thinks it is the last hop of the summary network 1.1.0.0/16 (because other routers don’t have information about this summary network), so it sends a pop label for this network to the “First P router”. It also sends a label (7, for example) for the original network 1.1.1.1/32 to the “First P router”.

As the “Second P router” only sends the summary network 1.1.0.0/16, the “First P router” will understand that it needs to pop (remove) the label of packets destined for this network, according to the PHP feature. It then sends the packet to the “Second P router”. Therefore the “Second P router” will get a VPN label which it cannot understand, and the packet will be dropped.
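The failure described above can be traced hop by hop. The following is an added example, not part of the original explanation: it models the label tables of the four routers with and without the summary. The router names, the VPN label value 100 and the transport label numbering (starting at 7) are assumptions made for the illustration.

```python
IMPLICIT_NULL = 3    # reserved label value: "pop before forwarding to me" (PHP)
VPN_LABEL = 100      # constructed value; only the egress PE has an entry for it
PATH = ["ingress_pe", "p1", "p2", "egress_pe"]  # router names are assumptions


def build_lfibs(summarize_at_p2):
    """Return (label the ingress PE pushes, per-router label tables)."""
    # The router that originates the prefix covering 1.1.1.1 advertises
    # implicit-null for it: the egress PE for 1.1.1.1/32, or the second
    # P router when it originates the summary 1.1.0.0/16.
    originator = "p2" if summarize_at_p2 else "egress_pe"
    lfib = {router: {} for router in PATH}
    lfib["egress_pe"][VPN_LABEL] = ("deliver_to_vrf", None, None)
    downstream, local = IMPLICIT_NULL, 7
    # Walk upstream from the originator; each transit router allocates a label.
    for i in range(PATH.index(originator) - 1, 0, -1):
        action = "pop" if downstream == IMPLICIT_NULL else "swap"
        lfib[PATH[i]][local] = (action, downstream, PATH[i + 1])
        downstream, local = local, local + 1
    return downstream, lfib


def forward(summarize_at_p2):
    """Send one VPN packet from the ingress PE; return (result, router, trace)."""
    top_label, lfib = build_lfibs(summarize_at_p2)
    stack = [top_label, VPN_LABEL]   # transport label on top of the VPN label
    router, trace = PATH[1], []
    while True:
        entry = lfib[router].get(stack[0])
        if entry is None:
            trace.append(f"{router}: no entry for label {stack[0]}, drop")
            return "dropped", router, trace
        action, out_label, next_hop = entry
        if action == "deliver_to_vrf":
            trace.append(f"{router}: VPN label {stack[0]} selects the VRF")
            return "delivered", router, trace
        if action == "swap":
            stack[0] = out_label
        else:
            stack.pop(0)             # PHP: the transport label is removed here
        trace.append(f"{router}: {action}, stack {stack}, next hop {next_hop}")
        router = next_hop


if __name__ == "__main__":
    for summarize in (False, True):
        result, where, trace = forward(summarize)
        print(f"summarize={summarize}: {result} at {where}")
        print("\n".join("  " + line for line in trace))
```

With the summary in place the pop happens one hop too early, so the second P router is the first device to look up the VPN label.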
Notice that in MPLS VPN, the next-hop label mapping to the
downstream PE router’s loopback is used to forward the packet through
the MPLS domain so the loopback address of the egress PE router is very
important.
Some other useful information about MPLS VPN:
The VPN label of the BGP route is recognized only by the egress PE
router, and will not be understood by any other router (core routers).
At the egress PE router, that prefix is associated with an outgoing
interface belonging to a specific VRF on the router depending on the
value in the VPN label. The VPN label is never touched until it
reaches the egress PE router.
Aggregation should not be used where end-to-end LSPs are required, such as with:
– MPLS VPNs
– MPLS TEs
– MPLS-enabled ATM network
– Transit BGP where core routers are not running BGP
Question 2
On a dedicated subinterface implementation, PE-2 must establish an
address-family vrf IPv4 BGP neighbor relationship with which router?
Internet Access Through a Dedicated Subinterface

A. CE-1
B. CE-2
C. PE-1
D. PE-IG
E. CE-1 and CE-2
F. PE-1 and PE-IG
Answer: B
Explanation
The PE router needs to learn IP prefixes from the customer edge (CE) router, so it must establish a neighbor relationship with the CE. Each IP prefix is a member of the IPv4 address family. After learning it, the PE converts it into a VPN-IPv4 prefix, which is a member of the VPN-IPv4 address family. The VPN-IPv4 prefix identifies the customer address uniquely even if the customer site uses private IP addresses.
Note:
You always have to configure a BGP address family for each VRF and
configure route redistribution into BGP for each VRF, even if you do not
use BGP as the PE-CE routing protocol.
(Reference: MPLS Student Guide)
Question 3
What are three drawbacks of a peer-to-peer VPN using a shared provider edge (PE) router? (Choose three)
A. A full mesh of virtual circuits is required between the customer sites.
B. All the customers have to share a common IP address space.
C. Optimal routing between customer sites cannot be guaranteed.
D. The shared PE router has to know all routes for all customers.
E. Packet filters are required on the PE routers.
Answer: B D E
Question 4
What is the difference in implementation between a managed CE services MPLS VPN and a central services MPLS VPN?
A. RD assignment
B. selective routes export
C. selective routes import
D. MP-BGP route redistribution filtering
E. CE-PE routing process
F. none
Answer: B
Question 5
What benefit does AToM provide to the service provider’s customers?
A. By supporting Layer 2 VPNs, customers maintain control of their site-to-site routings over the WAN.
B. By supporting Layer 3 VPNs, a full mesh of virtual circuits will not
be required between the different customer sites to enable optimal
routing.
C. By supporting secured Layer 3 VPNs, customers do not have to deal with the complexity of configuring IPSec.
D. By supporting MPLS traffic engineering over ATM, customers can better utilize their WAN link.
E. By supporting Diff-Serv QoS, ATOM allows customers to deploy voice/video applications across the WAN.
Answer: A
Question 6
What is the purpose of the global configuration command, ip dhcp relay information option vpn?
A. enables the DHCP relay agent to insert the VPN suboptions to the BOOTP request
B. enables the DHCP relay agent to convert the broadcast DHCP request to a unicast DHCP request to a shared DHCP server
C. enables the DHCP relay agent to perform VRF-aware NAT before forwarding the DHCP request to a shared DHCP server
D. enables ODAP (On-Demand Address Pool) on the DHCP relay agent
Answer: A
Question 7
With MPLS VPN-aware NAT, what additional information is tracked inside the NAT translation table?
A. RD information
B. RT information
C. VRF information
D. Multi-protocol BGP prefixes
E. MPLS Labels
Answer: C
Question 8
Which of the following could be called a VPN identifier in the MPLS/VPN architecture?
A. route target
B. route distinguisher
C. VRF
D. VPN IPv4 address
E. BGP site-of-origin (SOO) extended community attribute
Answer: A
Explanation
The Route Distinguisher (RD) number is used to prefix the IP
addresses for the site. This gives us a way to distinguish duplicate
private addresses. For example, subnet 10.1.1.0 for VPN 16 is different
than subnet 10.1.1.0 for VPN 20. From the MPLS VPN provider’s point of
view they are 16:10.1.1.0 and 20:10.1.1.0, which are different. The RD
is configured on the interface (or subinterface) connecting to the
site.
But the RD cannot indicate that a site participates in more than one VPN. Therefore, route targets (RTs) were introduced in the MPLS VPN architecture to support complex VPN topologies. The RT indicates the VPN membership of a route and allows VPN routes to be imported into or exported out of your VRFs. Similar to RDs, RTs can be specified in one of these two formats:
* 16-bit AS number followed by a 32-bit decimal number (ASN:nn). For example, 15:3
* 32-bit IP address followed by a 16-bit decimal number (A.B.C.D:nn). For example, 172.16.23.45:10
Notice that while a particular prefix can have only one RD, that same prefix can have one or more RTs assigned to it.
Note: The route target can be considered a VPN identifier, but it is only the closest approximation to a VPN identifier in the MPLS/VPN architecture.
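The division of labour between RD and RT can be modelled in a few lines. This is an added example, not part of the original explanation: the RD and RT values, prefixes and VRF names are constructed, and the last function is an added audit check that flags a VRF whose import RTs pull in the same prefix under more than one RD.

```python
# Constructed VPNv4 routes: exactly one RD per route, one or more export RTs.
ROUTES = [
    {"rd": "65000:16", "prefix": "10.1.1.0/24", "rts": {"65000:16"}},
    {"rd": "65000:20", "prefix": "10.1.1.0/24", "rts": {"65000:20"}},
    # A site that participates in both VPNs: one RD, two RTs.
    {"rd": "65000:30", "prefix": "192.168.50.0/24",
     "rts": {"65000:16", "65000:20"}},
]
# Constructed VRFs (names are assumptions) and the RTs each one imports.
VRF_IMPORTS = {"vpn16": {"65000:16"}, "vpn20": {"65000:20"}}


def bgp_table(routes):
    """Routes are keyed on RD + prefix, so duplicate private prefixes coexist."""
    table = {}
    for route in routes:
        key = (route["rd"], route["prefix"])
        if key in table:
            raise ValueError(f"duplicate VPNv4 route {key}")
        table[key] = route
    return table


def import_into_vrfs(routes, vrf_imports):
    """A VRF installs a route when any RT on the route matches an import RT."""
    tables = {vrf: {} for vrf in vrf_imports}
    for (rd, prefix), route in bgp_table(routes).items():
        for vrf, imports in vrf_imports.items():
            if route["rts"] & imports:
                tables[vrf].setdefault(prefix, []).append(rd)
    return tables


def ambiguous_prefixes(tables):
    """Per VRF, prefixes imported under more than one RD (address overlap)."""
    found = {}
    for vrf, table in tables.items():
        dupes = sorted(p for p, rds in table.items() if len(rds) > 1)
        if dupes:
            found[vrf] = dupes
    return found


if __name__ == "__main__":
    tables = import_into_vrfs(ROUTES, VRF_IMPORTS)
    for vrf, table in tables.items():
        print(vrf, table)
    print("overlaps:", ambiguous_prefixes(tables))
```

The RD only keeps the two 10.1.1.0/24 routes distinct in BGP; which VRFs actually receive a route is decided entirely by the RTs.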
Question 9

Refer to the exhibit. The MPLS VPN Customer A is using a separate interface for Internet access. However, with the current configurations shown, the CE router is not receiving any Internet routes from the PE router. Which two additional configuration commands can resolve the Internet connectivity issue? (Choose two)
A. At the CE router, under router bgp 50101, add the neighbor 10.1.1.66 remote-as 50102 command.
B. At the CE router, under router bgp 50101, add the network 0.0.0.0 command.
C. At the CE router, under router bgp 50101, add the ip route 0.0.0.0 0.0.0.0 10.1.1.66 command.
D. At the PE router, under address-family ipv4 vrf Customer_A, add the neighbor 10.1.1.65 remote-as 50101 command.
E. At the PE router, under address-family ipv4 vrf Customer_A, add the neighbor 10.1.1.17 default-originate command.
F. At the PE router, under router bgp 50102, add the neighbor 10.1.1.65 remote-as 50101 command
Answer: A F
Question 10
Refer to the exhibit and the following connectivity requirements. How many different VRFs are required?

Sites CE1A, CE1B, CE1C, and CE1D require connectivity among them.
Sites CE2A and CE2B require connectivity between them.
Site CE12A requires connectivity to sites CE1A, CE1B, CE1C, CE1D, and CE12B.
Site CE12B requires connectivity to sites CE2A, CE2B, and CE12A.
A. 2 VRFs
B. 3 VRFs
C. 4 VRFs
D. 6 VRFs
E. 8 VRFs
F. 10 VRFs
Answer: C