BGP MPLS VPN Principle


  • 8/13/2019 Bgp Mpls VPN Principle

    1/41

    HUAWEI TECHNOLOGIES CO., LTD.

    www.huawei.com

    HUAWEI Confidential

    Security Level:

    BGP MPLS VPN Principle

    ISSUE 1.0


    This course introduces the BGP/MPLS VPN principle and the packet forwarding process.


    Reference Material

    VRP 3.30 / 5.10 Operation Guide and Command Guide

    Troubleshooting Guide


    After completing this course you should be able to:

    Understand the BGP/MPLS VPN principle

    Understand the BGP/MPLS VPN forwarding process


    Chapter 1 BGP MPLS VPN Overview

    Chapter 2 BGP MPLS VPN Routing Exchange

    Chapter 3 BGP MPLS VPN Label Switching


    [Figure: VPN structure. Sites of VPN_A (10.1.0.0, 10.2.0.0, 10.3.0.0) and VPN_B (11.5.0.0, 11.6.0.0) attach through CE routers to PE routers at the edge of the provider backbone; P routers form the core, and the PEs are connected by iBGP sessions.]

    VPN Structure

    CE (Customer Edge Router): the customer equipment directly connected to the service provider.

    PE (Provider Edge Router): the edge router of the backbone network, connected to the CE and mainly responsible for VPN service access.

    P (Provider Router): the core router of the backbone network, mainly responsible for routing and fast forwarding.


    Overlay VPN: Tunnel Established on the CE

    [Figure: VPN_A sites 10.1.0.0 and 10.3.0.0 and VPN_B sites 10.1.0.0 and 10.3.0.0 are joined by GRE tunnels running between the CEs across the P network; the same address blocks are used in both VPNs.]

    Features

    The tunnels are established on the CEs, which exchange routing information with each other directly. The service provider knows nothing about the customer's internal structure. Examples: GRE, IPSec.

    Advantage

    The address spaces of different customers can overlap, and the security is the highest.

    Disadvantage

    The customers must build and maintain the VPN themselves.


    Overlay VPN: Tunnel Established on the PE

    Features

    The tunnels are established on the PEs. Private routing information is exchanged between the PEs, and the P devices do not see it.

    Advantage

    The service provider builds and maintains the VPN for the customers, and the security is still fairly high.

    Disadvantage

    The address spaces of different VPN users cannot overlap; otherwise many ACLs and policies are needed.

    [Figure: VPN_A sites 11.1.0.0 and 11.3.0.0 and VPN_B sites 10.1.0.0 and 10.3.0.0 are joined by GRE tunnels running between the PEs across the P network.]


    Nature of Overlay VPN

    An overlay VPN is in fact a static VPN: it resembles a static route and has the same disadvantages.

    1. All configuration and deployment must be completed manually, which leads to the N^2 problem (a full mesh of N sites needs on the order of N^2 tunnels).

    2. It cannot follow real-time changes in the network.

    3. If the tunnels are established on the CEs, the customer must build and maintain them; if the tunnels are established on the PEs, address conflicts cannot be solved.


    Peer-to-Peer VPN

    To solve these problems, VPN deployment and route advertisement must first become dynamic. This gave rise to the peer-to-peer VPN.

    Peer-to-peer here means CE-to-PE. Private routing information is exchanged between the CE and the PE; the PE then advertises the routes into the P network, from where the private routing information is propagated to the other PEs dynamically.

    Because this kind of VPN leaks private routes into the public network, the routes must be controlled strictly: CEs belonging to the same VPN must receive only the routes of their own VPN.


    Peer-to-Peer VPN: Shared PE

    CEs belonging to different VPNs connect to the same PE. Different routing protocols run between the CEs and the PE (or the same routing protocol with different processes).

    Because the PE injects the private routes into the public network, the routes must first be filtered and then passed on to the corresponding CEs.

    Disadvantage

    Many ACLs must be configured on the PE to prevent communication between CEs of different VPNs connected to the same PE.

    [Figure: VPN_A sites 10.1.0.0 and 10.3.0.0 and VPN_B sites 11.1.0.0 and 11.3.0.0 each connect to a shared PE; RIP, OSPF and IS-IS run between the CEs and the PEs, and the private routes are carried across the public P network.]


    Peer-to-Peer VPN: Private PE

    [Figure: VPN_A sites 10.1.0.0 and 10.3.0.0 and VPN_B sites 11.1.0.0 and 11.3.0.0 each connect to a PE dedicated to that VPN; RIP and OSPF run between the CEs and their PEs, and the private routes are carried across the public P network.]

    Every VPN has its own private PE, so any routing protocol can run between the CE and the PE. BGP runs between the PE and the P routers, and routes are filtered using BGP attributes.

    Advantage: no ACLs are needed.

    Disadvantage

    The cost is too high.


    Nature of Peer-to-Peer VPN

    Although the peer-to-peer VPN solves the static problem, it still has defects:

    Because no tunnel technology is used, the private routes leak into the public network, so security is very poor.

    The CEs still cannot share the same address space.

    How can these be solved?


    Solution Scheme

    Tunnel technology: MPLS. To ensure security, a tunnel technology must be used. There are many tunnel technologies, e.g. GRE and IPSec, but they do not suit a large network. The LSP of MPLS is established dynamically by the LDP protocol, and it is the suitable tunnel.

    Address conflict: BGP. The number of VPN routes is very large, and BGP is the only routing protocol that scales to such a number of routes.

    BGP runs over a TCP connection, so it can establish neighbor relationships between routers that are not directly connected. The P routers therefore need not hold any VPN routing information.

    BGP supports many optional attributes, which makes route propagation easy to control.


    Address Conflict Problem

    1. Local route conflict: the same PE cannot distinguish identical routes that come from different VPNs (control plane).

    2. Conflict during route propagation: if two identical routes are propagated across the network, how does the receiver distinguish them (control plane)?

    3. After the route conflicts are solved, when the PE receives an IP packet to a destination address that exists in several VPNs, how does it know which VPN to forward it to (forwarding plane)?


    Solution

    To solve the local route conflict, build different routing tables on the same router and assign different interfaces to different routing tables. This amounts to the shared PE simulating several private PEs.

    Add an identifier to the route so that routes of different VPNs can be distinguished while they are propagated.

    Because the structure of the IP packet cannot be changed, add an additional identifier in front of the IP header; the PE can then forward the packet according to that identifier.


    1. Local Route Conflict

    [Figure: on a shared PE, the CEs of VPN-A and VPN-B attach to separate VRFs (VRF for VPN-A, VRF for VPN-B, each with its own VPN routing table) alongside the global routing table; IGP and/or BGP runs between each CE and its VRF. A VRF plays the role of a private PE.]


    VRF

    VRF: VPN Routing and Forwarding instance.

    A VRF can be regarded as a virtual router that acts as a private PE. This virtual router includes the following elements:

    An independent routing table, including an independent address space.

    A group of interfaces belonging to the VRF.

    A group of routing protocols used only within the VRF.

    Every PE maintains one or several VRFs and one public routing table. Every VRF is independent.

    What is the relationship between the VRFs?


    Relationship of VRFs: Route Target

    The Route Target (RT) attribute is one of the MBGP extended community attributes.

    There are two types of RT; the values of the type field are 0x0002 and 0x0102.

    RT structure:

    Type (2 bytes)   Administrator field     Assigned number field
    0x0002           AS number (2 bytes)     Assigned number (4 bytes)
    0x0102           IP address (4 bytes)    Assigned number (2 bytes)


    Route Target

    The RT is used to control the advertisement of VPN routing information.

    There are two sets of Route Target attributes: export targets and import targets.

    Export targets are added to a route when local routes are advertised to remote PE routers.

    Import targets are used, when routes are received from remote PE routers, to decide which routes may be imported into the routing table of this site.


    Application of RT

    The export target and the import target of a VRF can each be configured with several values.

    [Figure: three RT configurations. (a) Traditional mode: every site uses ex:a, im:a, so all sites of the VPN see each other. (b) Hub-spoke mode: the spokes use ex:a, im:b and the hub uses im:a, ex:b, so the spokes reach only the hub. (c) Extranet: a site imports an additional shared RT (e.g. im:a,c), so routes exported with ex:c are visible from both VPNs.]


    2. Address Conflict During Route Propagation

    After the local route conflict is solved, the address conflict during route propagation is solved in the same way: an identifier is added to the route. Can the RT be used as that identifier?

    Theoretically it could. But when a route is withdrawn, the BGP withdraw message carries no path attributes (so no RT). Therefore the RD (Route Distinguisher) is defined.


    RD

    RD structure:

    Type (2 bytes)   Administrator field      Assigned number field
    0                2-byte ASN               4-byte assigned number
    1                4-byte IP address        2-byte assigned number

    VPNv4 address structure:

    Route Distinguisher (8 bytes)   IPv4 address (4 bytes)

    VPNv4 addresses are used to carry VPN routes between the PEs. The RD is unique per VPN. If two VPNs use the same IP address, the PE prepends different RDs to convert them into different VPNv4 addresses, so no address conflict can occur.


    3. Address Conflict in Packet Forwarding

    The first two problems are now solved. But if the remote PE receives an IP packet to a destination that both of its VRFs hold a route for, to which CE should it forward? Some information must be added to the packet.

    A short identifier is needed. This identifier is defined as the private label distributed by MP-BGP.

    What is MP-BGP?


    MBGP

    MBGP (Multiprotocol Extensions for BGP-4)

    BGP-4 supports only IPv4; it is extended to MBGP to carry routing information for more protocols (IPv6, IPX, etc.).

    To maintain compatibility, only two BGP attributes are added for MBGP: MP_REACH_NLRI and MP_UNREACH_NLRI. The two attributes are used in the BGP Update message to announce or withdraw network reachability information.


    Network Layer Reachability Information

    NLRI (Network Layer Reachability Information) includes the address family, the private label and the prefix; it is followed by the RT list.

    MP_REACH_NLRI: address family: VPN-IPv4; next hop: the PE's IPv4 address (usually its loopback address); NLRI: label (24 bits, like an MPLS label but without the TTL portion) and prefix (RD, 64 bits, followed by the IP prefix).

    Extended_Communities: RT1, RT2, ...
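The RD and RT tables above and the labeled VPN-IPv4 NLRI just described share one 8-byte layout (2-byte type, then administrator and assigned-number fields). The following is an added example, not code from the slides or from Huawei, that encodes and decodes both forms of RD/RT and the labeled NLRI exactly as the slides lay them out. The sample values (RD 1:27, label 28, 149.27.2.0/24, PE address 197.26.15.1) are taken from the slides; the function names are this example's own.

```python
"""Added example: RD/RT and labeled VPN-IPv4 NLRI wire encoding (not from the slides)."""
import ipaddress
import struct

# Type-field values from the slides: RT sub-types 0x0002 / 0x0102, RD types 0 / 1.
RT_TYPE_AS2, RT_TYPE_IPV4 = 0x0002, 0x0102
RD_TYPE_AS2, RD_TYPE_IPV4 = 0x0000, 0x0001


def encode_community(text, as_type, ip_type):
    """Encode 'admin:number' into the 8-byte layout selected by the administrator form."""
    admin, number = text.rsplit(":", 1)
    if "." in admin:  # IPv4-address administrator (4 bytes) + 2-byte assigned number
        return struct.pack("!H4sH", ip_type, ipaddress.IPv4Address(admin).packed, int(number))
    return struct.pack("!HHI", as_type, int(admin), int(number))  # 2-byte ASN + 4-byte number


def encode_rd(text):
    return encode_community(text, RD_TYPE_AS2, RD_TYPE_IPV4)


def encode_rt(text):
    return encode_community(text, RT_TYPE_AS2, RT_TYPE_IPV4)


def decode_community(raw):
    """Return (type field, 'admin:number') for an 8-byte RD or RT."""
    if len(raw) != 8:
        raise ValueError("RD/RT must be exactly 8 bytes")
    type_field = struct.unpack("!H", raw[:2])[0]
    if type_field in (RD_TYPE_IPV4, RT_TYPE_IPV4):
        ip, number = struct.unpack("!4sH", raw[2:])
        return type_field, f"{ipaddress.IPv4Address(ip)}:{number}"
    if type_field in (RD_TYPE_AS2, RT_TYPE_AS2):
        asn, number = struct.unpack("!HI", raw[2:])
        return type_field, f"{asn}:{number}"
    raise ValueError(f"unsupported type field 0x{type_field:04x}")


def encode_rt_list(rts):
    """Value of the Extended_Communities attribute: the RTs placed back to back."""
    return b"".join(encode_rt(rt) for rt in rts)


def encode_vpnv4_nlri(label, rd, prefix):
    """Labeled VPN-IPv4 NLRI: length in bits | label (3 bytes) | RD (8 bytes) | prefix bytes."""
    net = ipaddress.IPv4Network(prefix)
    length_bits = 24 + 64 + net.prefixlen
    # 20-bit label, EXP=0, bottom-of-stack bit set; no TTL byte, as the slide notes.
    label_field = ((label << 4) | 1).to_bytes(3, "big")
    prefix_bytes = net.network_address.packed[: (net.prefixlen + 7) // 8]
    return bytes([length_bits]) + label_field + encode_rd(rd) + prefix_bytes


def decode_vpnv4_nlri(raw):
    """Inverse of encode_vpnv4_nlri: returns (label, rd, 'prefix/len')."""
    length_bits = raw[0]
    if length_bits < 88:
        raise ValueError("NLRI too short to hold a label and an RD")
    label = int.from_bytes(raw[1:4], "big") >> 4
    _, rd = decode_community(raw[4:12])
    prefixlen = length_bits - 88
    nbytes = (prefixlen + 7) // 8
    addr = raw[12:12 + nbytes] + bytes(4 - nbytes)  # pad the truncated prefix back to 4 bytes
    return label, rd, f"{ipaddress.IPv4Address(addr)}/{prefixlen}"


if __name__ == "__main__":
    nlri = encode_vpnv4_nlri(28, "1:27", "149.27.2.0/24")
    print(nlri.hex(), decode_vpnv4_nlri(nlri))
    print(encode_rt("197.26.15.1:27").hex(), decode_community(encode_rt("197.26.15.1:27")))
```

Note that the RD type values (0 and 1) and the RT type values (0x0002 and 0x0102) never collide, which is why a single decoder can serve both; an attribute whose type field is anything else is rejected rather than guessed at.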


    Concept Summary

    VRF: a virtual router on the PE, including dedicated interfaces, a routing table, routing protocols, an RD and RTs.

    RT: controls the exchange of routing information among VRFs. It is actually a BGP extended community attribute.

    RD: distinguishes the same route coming from different VPNs.

    Label: identifies, for a packet to a destination that exists in several VRFs, which VRF the packet belongs to.

    Site: a VRF and the CE connected to it.

    VPN: a set of sites.


    Chapter 1 BGP MPLS VPN Overview

    Chapter 2 BGP MPLS VPN Routing Exchange

    Chapter 3 BGP MPLS VPN Label Switching


    Relationship Between PE and CE

    PE and CE routers exchange routing information via EBGP, RIP or static routes; the CE runs a standard routing protocol.

    The PE maintains separate routing tables for the public network and the private networks:

    The public-network routing table, containing the routes of all PE and P routers, is generated by the IGP of the backbone network.

    A VRF (VPN routing and forwarding table) contains the routing and forwarding tables for one or several directly connected CEs.

    [Figure: two PEs; Site-1 and Site-2 of VPN A and of VPN B attach via CEs (EBGP, RIP or static); each PE holds a VRF for VPN A, a VRF for VPN B and the global routing table.]


    VRF Route Distribution Step 1: Importing VRF Routes into MP-iBGP

    Importing a VRF route into MP-iBGP:

    The PE converts the route received from the CE (in the VRF routing table) into a VPN-v4 route and tags it with the RD and the RT according to the configuration;

    changes the next hop to the PE itself (its loopback);

    assigns the private label based on the interface;

    finally sends the MP-iBGP update to all PE neighbors.

    [Figure: CE-1 (Beijing) sends a BGP or RIPv2 update for 149.27.2.0/24 with NH=CE-1 to PE-1; PE-1 sends the MP-iBGP VPN-v4 update RD 1:27:149.27.2.0/24, next-hop=PE-1, RT=VPN-A, label=(28) to the PE in Shanghai, which serves CE-2.]


    VRF Route Distribution Step 2: Importing MP-iBGP Routes into the VRF

    Each VRF is configured with an import route-target and an export route-target.

    When the sending PE sends MP-iBGP updates, the export attribute is attached to the update.

    When the receiving PE receives a VPN-IPv4 MP-iBGP update, it checks whether the received export target matches the import target of a local VRF. If so, the route is added to that VRF's routing table; otherwise it is discarded.

    [Figure: PE-1 (Beijing) sends the VPN-v4 update RD 1:27:149.27.2.0/24, next-hop=PE-1, RT=VPN-A, label=(28); the Shanghai PE receives the update, converts the VPN-v4 prefix back into an IPv4 address, installs it in the routing table of VRF VPN-A (RT=VPN-A), and then passes it to CE-2 with the routing protocol running between PE and CE.]

    VRF configuration fragment shown in the figure:

    ip vrf VPN-B
    vpn-target import VPN-A
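The two distribution steps above (export: RD + export RTs + next hop = PE + label; import: accept only where the import RTs match) and the three RT patterns on the "Application of RT" slide can be modelled together. The following is an added example, not code from the slides or from Huawei: a small control-plane simulation in which every VRF carries its own RD and RT sets and a VPN-v4 update is accepted by a remote VRF only if the RT sets overlap. RD 1:27, label 28 and 149.27.2.0/24 come from the slides; the VRF and PE names, the other prefixes and the class layout are this example's own assumptions.

```python
"""Added example: VRF export/import with RD and RT sets (not from the slides)."""
from dataclasses import dataclass, field


@dataclass
class Vrf:
    name: str
    rd: str                    # Route Distinguisher of this VRF
    export_rt: frozenset       # RTs attached when this VRF's routes are advertised
    import_rt: frozenset       # RTs that received routes must carry to be accepted
    routes: dict = field(default_factory=dict)   # prefix -> next hop (CE or remote PE)


@dataclass(frozen=True)
class Vpnv4Update:
    rd: str
    prefix: str
    next_hop: str              # rewritten to the advertising PE's loopback
    rts: frozenset             # export RTs of the originating VRF
    label: int                 # private (VPN) label allocated by the advertising PE


def export_vrf_routes(pe_loopback, vrf, first_label=28):
    """Step 1: VRF routes -> VPN-v4 updates carrying RD, export RTs, NH = PE and a label."""
    return [Vpnv4Update(vrf.rd, prefix, pe_loopback, vrf.export_rt, first_label + i)
            for i, prefix in enumerate(sorted(vrf.routes))]


def import_update(update, vrfs):
    """Step 2: a VRF accepts the update only if its import RTs overlap the update's RTs."""
    accepted = []
    for vrf in vrfs:
        if vrf.import_rt & update.rts:
            vrf.routes[update.prefix] = update.next_hop
            accepted.append(vrf.name)
    return accepted            # [] means this PE discards the update


def distribute(pes):
    """pes: {pe_loopback: [Vrf, ...]}. Returns (routes per VRF, VPN-v4 table keyed by RD+prefix)."""
    updates = [(lb, u) for lb, vrfs in pes.items() for vrf in vrfs
               for u in export_vrf_routes(lb, vrf)]
    for origin, update in updates:
        for lb, vrfs in pes.items():
            if lb != origin:
                import_update(update, vrfs)
    vpnv4 = {(u.rd, u.prefix): u.next_hop for _, u in updates}   # RD keeps equal prefixes apart
    routes = {vrf.name: dict(vrf.routes) for vrfs in pes.values() for vrf in vrfs}
    return routes, vpnv4


def traditional_demo():
    """ex:a/im:a for VPN-A and ex:b/im:b for VPN-B; both VPNs use 10.1.0.0/16 (overlap)."""
    pes = {
        "PE-A": [Vrf("VPN-A@PE-A", "1:27", frozenset({"a"}), frozenset({"a"}), {"10.1.0.0/16": "CE-A1"})],
        "PE-B": [Vrf("VPN-A@PE-B", "1:27", frozenset({"a"}), frozenset({"a"}), {"149.27.2.0/24": "CE-A2"}),
                 Vrf("VPN-B@PE-B", "1:28", frozenset({"b"}), frozenset({"b"}), {"10.1.0.0/16": "CE-B2"})],
    }
    return distribute(pes)


def hub_spoke_demo():
    """Spokes ex:a/im:b, hub im:a/ex:b: spokes reach the hub but not each other."""
    pes = {
        "PE-A": [Vrf("spoke1", "1:27", frozenset({"a"}), frozenset({"b"}), {"149.27.2.0/24": "CE-A2"})],
        "PE-B": [Vrf("spoke2", "1:29", frozenset({"a"}), frozenset({"b"}), {"149.29.2.0/24": "CE-B2"})],
        "PE-C": [Vrf("hub", "1:1", frozenset({"b"}), frozenset({"a"}), {"0.0.0.0/0": "CE-hub"})],
    }
    return distribute(pes)[0]


def extranet_demo():
    """VPN-A im:a,c and VPN-B im:b,c share the ex:c site without seeing each other."""
    pes = {
        "PE-A": [Vrf("VPN-A", "1:27", frozenset({"a"}), frozenset({"a", "c"}), {"149.27.2.0/24": "CE-A"})],
        "PE-B": [Vrf("VPN-B", "1:28", frozenset({"b"}), frozenset({"b", "c"}), {"149.28.2.0/24": "CE-B"})],
        "PE-C": [Vrf("shared", "1:3", frozenset({"c"}), frozenset({"a", "b"}), {"10.3.0.0/16": "CE-S"})],
    }
    return distribute(pes)[0]


if __name__ == "__main__":
    for name, demo in (("traditional", traditional_demo), ("hub-spoke", hub_spoke_demo), ("extranet", extranet_demo)):
        print(name, demo())
```

The traditional case also shows the RD at work: 10.1.0.0/16 exists in both VPN-A and VPN-B, yet the VPN-v4 table keeps two entries because the RDs differ, and the VPN-B VRF never receives VPN-A's copy because its import RT does not match.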


    Chapter 1 BGP MPLS VPN Overview

    Chapter 2 BGP MPLS VPN Routing Exchange

    Chapter 3 BGP MPLS VPN Label Switching


    MPLS/VPN Label Distribution

    [Figure: PE-1 (Beijing, loopback 197.26.15.1/32, serving 149.27.2.0/24) advertises its loopback through LDP with implicit-null ("Use label implicit-null for destination 197.26.15.1/32"); the P router allocates label 41 for it ("Use label 41 for destination 197.26.15.1/32"). PE-1 also sends the VPN-v4 update RD 1:27:149.27.2.0/24, NH=197.26.15.1, RT=VPN-A, label=(28) to the Shanghai PE.]

    Resulting label tables (In label / FEC / Out label):

    PE-1:          -    197.26.15.1/32   -
    P router:      41   197.26.15.1/32   POP
    Shanghai PE:   -    197.26.15.1/32   41


    MPLS/VPN Packet Forwarding 1

    [Figure: the Shanghai PE receives an IP packet for 149.27.2.27 from its CE. Its VRF VPN-A holds 149.27.2.0/24, NH=197.26.15.1, label=(28), and its label table holds - / 197.26.15.1/32 / 41. It pushes the VPN label 28 and then the LSP label 41 and sends the packet 149.27.2.27 | 28 | 41 towards Beijing.]


    MPLS/VPN Packet Forwarding 2

    [Figure: the P router receives 149.27.2.27 | 28 | 41; its label table holds 41 / 197.26.15.1/32 / POP, so it pops the outer label and forwards 149.27.2.27 | 28 to PE-1 (Beijing). PE-1's label table holds 28(V) / 149.27.2.0/24 / -, so the VPN label selects VRF VPN-A, where 149.27.2.0/24 has NH=Beijing CE; the plain IP packet 149.27.2.27 is forwarded to the CE.]


    Demo: Private Label Distribution

    [Figure: PE-A and PE-C are MP-BGP IBGP peers across the MPLS core through P-B; CE A1 and CE B1 attach to PE-A, CE A2 and CE B2 to PE-C. CE A2 sends a BGP, OSPF or RIPv2 update for 149.27.2.0/24 with NH=CE-A2 to PE-C; PE-C installs 149.27.2.0/24, in 28, NH: CE A2, and sends the VPN-v4 update RD 1:27:149.27.2.0/24, next-hop=PE-C, RT=VPN-A, label=(28) to PE-A. PE-A installs 149.27.2.0/24, out 28, NH: PE-C, and advertises 149.27.2.0/24 with NH=PE-A to CE A1 by BGP, OSPF or RIPv2.]


    Demo: Public Label Distribution

    The loopback IP address of PE-C is 1.1.1.1/32.

    [Figure: 1.1.1.1/32 is advertised by the IGP across PE-A, P-B and PE-C. LDP: PE-C advertises label 3 (implicit-null) for 1.1.1.1/32 to P-B; P-B installs 1.1.1.1/32, in 20, out 3 and advertises label 20 to PE-A; PE-A installs 1.1.1.1/32, out 20. The VPN entries remain: PE-A 149.27.2.0/24, out 28, NH: PE-C; PE-C 149.27.2.0/24, in 28, NH: CE A2.]


    Demo: Packet Forwarding

    [Figure: CE A1 pings 149.27.2.1, using the route for 149.27.2.0/24 with NH=PE-A that PE-A advertised to it by BGP, OSPF or RIPv2. PE-A looks up 149.27.2.0/24 (out 28, NH: PE-C) and the LSP to 1.1.1.1/32 (out 20), and sends the packet with label stack 20 | 28 to P-B. P-B (1.1.1.1/32, in 20, out 3) pops the outer label and sends the packet with label 28 to PE-C. PE-C (149.27.2.0/24, in 28, NH: CE A2) removes the VPN label and forwards the IP packet to CE A2.]


    Summary

    VPN classification

    MPLS L3 VPN label distribution

    MPLS L3 VPN forwarding process
