© 2001, Cisco Systems, Inc. MPLS VPN Technology Module 7

Mpls10s07-Mpls VPN Technology


Page 1: Mpls10s07-Mpls VPN Technology

8/14/2019 Mpls10s07-Mpls VPN Technology

http://slidepdf.com/reader/full/mpls10s07-mpls-vpn-technology 1/108

© 2001, Cisco Systems, Inc.

MPLS VPN Technology

Module 7


Objectives

Upon completion of this lesson, you will be able to perform the following tasks:

• Identify major Virtual Private Network topologies, their characteristics and usage scenarios
• Describe the differences between overlay VPN and peer-to-peer VPN
• List major technologies supporting overlay VPNs and peer-to-peer VPNs
• Position MPLS VPN in comparison with other peer-to-peer VPN implementations
• Describe major architectural blocks of MPLS VPN

Introduction to Virtual Private Networks


Objectives

Upon completion of this section, you will be able to perform the following tasks:

• Describe the concept of VPN
• Explain VPN terminology as defined by the MPLS VPN architecture


Virtual Private Networks

• Virtual Private Networks (VPNs) replace dedicated point-to-point links with emulated point-to-point links sharing common infrastructure.
• Customers use VPNs primarily to reduce their operational costs.

[Figure: a service provider network of Provider Edge (PE) devices (Frame Relay switches) and a provider core device. A Customer Premises Equipment (CPE) router at a customer site and a CPE router at a large customer site (with other customer routers behind it) attach to the PE devices; Virtual Circuit (VC) #1 and VC #2 cross the shared infrastructure between the CPE routers.]


VPN Terminology

• Customer network (C-network): the part of the network still under customer control.
• Provider network (P-network): the service provider infrastructure used to provide VPN services.
• Customer site: a contiguous part of the customer network (can encompass many physical locations).


VPN Terminology (cont.)

• Customer edge (CE) device: the device in the C-network that links into the P-network; also called customer premises equipment (CPE).
• Provider edge (PE) device: the device in the P-network to which the CE devices are connected.
• Provider (P) device: the device in the P-network with no customer connectivity.


VPN Terminology Specific to Switched WANs

• Virtual circuit (VC): an emulated point-to-point link established across shared Layer 2 infrastructure.
• A permanent virtual circuit (PVC) is established through out-of-band means (network management) and is always active.
• A switched virtual circuit (SVC) is established through CE-PE signaling on demand from the CE device.

[Figure: the service provider network from the previous figures, with VC #1 and VC #2 running between the CPE routers through the PE devices (Frame Relay switches) and the P device.]


Summary

After completing this section, you should be able to perform the following tasks:

• Describe the concept of VPN
• Explain VPN terminology as defined by the MPLS VPN architecture


Review Questions

• Why are customers interested in Virtual Private Networks?
• What is the main role of a VPN?
• What is a C-network?
• What is a customer site?
• What is a CE router?
• What is a P-network?
• What is the difference between a PE device and a P device?

Overlay and Peer-to-Peer VPN


Objectives

Upon completion of this section, you will be able to perform the following tasks:

• Describe the differences between overlay and peer-to-peer VPN
• Describe the benefits and drawbacks of each VPN implementation option
• List major technologies supporting overlay VPNs
• Describe traditional peer-to-peer VPN implementation options


VPN Implementation Technologies

VPN services can be offered based on two major paradigms:

• Overlay VPNs, in which the service provider provides virtual point-to-point links between customer sites
• Peer-to-peer VPNs, in which the service provider participates in the customer routing


Overlay VPN Implementation (Frame Relay Example)

[Figure: four customer sites (Routers A, B, C and D) attach to Frame Relay edge switches (the PE devices) in the service provider network; virtual circuits VC #1, VC #2 and VC #3 connect the sites to each other across the Frame Relay cloud.]


Layer 3 Routing in Overlay VPN Implementation

• The service provider infrastructure appears as point-to-point links to the customer routers.
• Routing protocols run directly between customer routers.
• The service provider does not see customer routes and is responsible only for providing point-to-point transport of customer data.

[Figure: Routers A, B, C and D joined by the emulated point-to-point links, with routing adjacencies formed directly between them.]


Overlay VPN Layer 1 Implementation

This is the traditional TDM solution:

• The service provider establishes physical-layer connectivity between customer sites.
• The customer takes responsibility for all higher layers.

[Figure: protocol stack with IP on top, PPP or HDLC in the middle, and a Layer 1 service (ISDN; E1, T1, DS0; SDH, SONET) at the bottom.]


Overlay VPN Layer 2 Implementation

This is the traditional switched WAN solution:

• The service provider establishes Layer 2 virtual circuits between customer sites.
• The customer takes responsibility for all higher layers.

[Figure: protocol stack with IP on top of a Layer 2 service: X.25, Frame Relay or ATM.]


Overlay VPN Layer 2 Forwarding

The VPN is implemented with PPP-over-IP tunnels:

• Usually used in access environments (dialup, digital subscriber line).
• Tunneling protocols: Layer 2 Tunnel Protocol (L2TP), Layer 2 Forwarding Protocol (L2F), Point-to-Point Tunneling Protocol (PPTP).

[Figure: protocol stack with the customer's IP inside PPP, carried by L2TP, L2F or PPTP over the provider IP network.]

Note that L2TP and L2F only tunnel PPP frames and provide no encryption of their own; where confidentiality is required across the provider IP network, it has to come from an additional layer such as IPsec.


Peer-to-Peer VPN Concept

[Figure: four customer sites (Routers A, B, C and D), each attached to its own PE router in the service provider network.]

• Routing information is exchanged between CE and PE routers.
• PE routers exchange customer routes through the core network.
• Finally, the customer routes propagated through the PE network are sent to the other CE routers.


Peer-to-Peer VPN with Controlled Route Distribution

[Figure: a point of presence (POP) in the service provider network with a dedicated PE router for Customer A (sites #1 and #2) and another for Customer B (site #1); both PE routers sit behind a P router with an uplink.]

• Each customer has a dedicated PE router that carries only its routes.
• The P router contains all customer routes.
• Customer isolation is achieved through lack of routing information on the PE router.


Benefits of Various VPN Implementations

Overlay VPN:
• Well known and easy to implement.
• The service provider does not participate in customer routing.
• Customer network and service provider network are well isolated.

Peer-to-peer VPN:
• Guarantees optimum routing between customer sites.
• Easier to provision an additional VPN.
• Only the sites are provisioned, not the links between them.


Drawbacks of Various VPN Implementations

Overlay VPN:
• Implementing optimum routing requires a full mesh of virtual circuits.
• Virtual circuits have to be provisioned manually.
• Bandwidth must be provisioned on a site-to-site basis.
• Overlay VPNs always incur encapsulation overhead.

Peer-to-peer VPN:
• The service provider participates in customer routing.
• The service provider becomes responsible for customer convergence.
• PE routers carry all routes from all customers.
• The service provider needs detailed IP routing knowledge.


Drawbacks of Traditional Peer-to-Peer VPNs

Shared PE router:
• All customers share the same (provider-assigned or public) address space.
• High maintenance costs are associated with packet filters.
• Performance is lower: each packet has to pass a packet filter.

Dedicated PE router:
• All customers share the same address space.
• Each customer requires a dedicated router at each POP.


VPN Taxonomy

Virtual Networks
  • Virtual Dialup Networks
  • Virtual LANs
  • Virtual Private Networks
    • Overlay VPN
      • Layer 2 VPN: X.25, Frame Relay, ATM
      • Layer 3 VPN: IPSec, GRE
    • Peer-to-Peer VPN
      • Access Lists (Shared Router)
      • Split Routing (Dedicated Router)
      • MPLS VPN


Summary

After completing this section, you should be able to perform the following tasks:

• Describe the differences between overlay and peer-to-peer VPN
• Describe the benefits and drawbacks of each VPN implementation option
• List major technologies supporting overlay VPNs
• Describe traditional peer-to-peer VPN implementation options


Review Questions

• What is an overlay VPN?

• Which routing protocol runs between the customer and the service provider in an overlay VPN?
• Which routers are routing protocol neighbors of a CE router in an overlay VPN?
• List three IP-based overlay VPN technologies.
• What is the major benefit of peer-to-peer VPN as compared to overlay VPN?
• List two traditional peer-to-peer VPN implementations.

• What is the drawback of all traditional peer-to-

Major VPN Topologies


Objectives

Upon completion of this section, you will be able to perform the following tasks:

• Identify major VPN topologies
• Describe the implications of using the overlay VPN or peer-to-peer VPN approach with each topology
• List sample usage scenarios for each topology


VPN Topology Categorization

Overlay VPNs are categorized based on the topology of the virtual circuits:

• (Redundant) hub-and-spoke topology
• Partial mesh topology
• Full mesh topology
• Multilevel topology: combines several levels of overlay VPN topologies


Overlay VPN Hub-and-Spoke Topology

[Figure: a central site (hub) router attached to the service provider network, with four remote sites (spokes) each having a virtual circuit to the central site router.]


Overlay VPN Redundant Hub-and-Spoke Topology

[Figure: the central site (hub) has two redundant central site routers attached to the service provider network; each of the four remote sites (spokes) connects to the redundant central site routers.]


Overlay VPN Partial Mesh

[Figure: six sites (Moscow, Sydney, Guam, Berlin, Hong Kong, New York) connected by a partial mesh of virtual circuits (Frame Relay Data-Link Connection Identifiers, DLCIs).]


VPN Business Categorization

VPNs can be categorized by the business needs they fulfill:

• Intranet VPN: connects sites within an organization.
• Extranet VPN: connects different organizations in a secure way.
• Access VPN: a virtual private dialup network (VPDN) provides dialup access into a customer network.


Extranet VPN: Overlay VPN Implementation

[Figure: GlobalMotors, AirFilters Inc., BoltsAndNuts and SuperBrakes Inc. each sit behind their own firewall and attach to Frame Relay switches in the provider backbone; Frame Relay VCs (DLCIs) between the switches link the partner organizations.]


Extranet VPN: Peer-to-Peer VPN Implementation

[Figure: the same four organizations, each behind a firewall, attach to PE routers in the provider IP backbone; the PE routers exchange the partners' routes.]


VPN Connectivity Categorization

VPNs can also be categorized by the connectivity required between sites:

• Simple VPN: every site can communicate with every other site.
• Overlapping VPN: some sites participate in more than one simple VPN.
• Central services VPN: all sites can communicate with central servers, but not with each other.
• Managed network: a dedicated VPN is established to manage CE routers.


Central Services Extranet

[Figure: Customers A, B and C attach to the service provider network and reach a service provider extranet infrastructure of VoIP gateways in London, Amsterdam and Paris.]


Summary

After completing this section, you should be able to perform the following tasks:

• Identify major VPN topologies
• Describe the implications of using the overlay VPN or peer-to-peer VPN approach with each topology
• List sample usage scenarios for each topology


Review Questions

• What are the major overlay VPN topologies?
• Why would customers prefer a partial mesh over a full mesh topology?
• What is the difference between an intranet and an extranet?
• What is the difference between a simple VPN and a central services VPN?
• What are the connectivity requirements of a central services

MPLS VPN Architecture


MPLS VPN Architecture

MPLS VPN combines the best features of overlay VPN and peer-to-peer VPN:

• PE routers participate in customer routing, guaranteeing optimum routing between sites and easy provisioning.
• PE routers carry a separate set of routes for each customer (similar to the dedicated PE router approach).
• Customers can use overlapping addresses.


MPLS VPN Terminology

[Figure: Customer A (sites #1 to #4) and Customer B (sites #1 to #4), some sites with remote offices behind the site's CE router, attach to PE routers at POP-X and POP-Y; the PE routers are joined through a P router in the P-network.]


Routing Information Propagation Across the P-Network

[Figure: PE Router X and PE Router Y, each serving Customers A, B and C, are connected through a P router in the P-network; a separate IGP instance per customer runs across the P-network.]

Q: How will PE routers exchange customer routing information?

A1: Run a dedicated Interior Gateway Protocol (IGP) for each customer across the P-network.

Wrong answer:
• The solution does not scale.
• P routers carry all customer routes.


Routing Information Propagation Across the P-Network (cont.)

[Figure: the same topology; a single dedicated routing protocol carries all customer routes inside the provider backbone.]

Q: How will PE routers exchange customer routing information?

A2: Run a single routing protocol that will carry all customer routes inside the provider backbone.

Better answer, but still not good enough:
• P routers carry all customer routes.


Routing Information Propagation Across the P-Network (cont.)

[Figure: the same topology; a dedicated routing protocol carries customer routes between the PE routers only.]

Q: How will PE routers exchange customer routing information?

A3: Run a single routing protocol that will carry all customer routes between PE routers. Use MPLS labels to exchange packets between PE routers.

The best answer:
• P routers do not carry customer routes; the solution is scalable.


Routing Information Propagation Across the P-Network (cont.)

[Figure: the same topology, with the dedicated routing protocol carrying customer routes between the PE routers.]

Q: Which protocol can be used to carry customer routes between PE routers?

A: The number of customer routes can be very large. BGP is the only routing protocol that can scale to a very large number of routes.

Conclusion: BGP is used to exchange customer routes directly between PE routers.


Routing Information Propagation Across the P-Network (cont.)

[Figure: the same topology, with the dedicated routing protocol carrying customer routes between the PE routers.]

Q: Customers can have overlapping address spaces. How will information about the same subnet of two customers be propagated via a single routing protocol?

A: Customer addresses are extended with a 64-bit prefix (route distinguisher, RD) to make them unique. Unique 96-bit addresses are exchanged between PE routers.


Route Distinguisher

• The RD is a 64-bit quantity prepended to an IP version 4 (IPv4) address to make it globally unique.
• The resulting 96-bit address is called a VPNv4 address.
• VPNv4 addresses are exchanged only via BGP between PE routers.
• BGP that supports address families other than IPv4 addresses is called multiprotocol BGP (MP-BGP).


Route Distinguisher Usage in an MPLS VPN

[Figure: PE 1 and PE 2 across the P-network, each with a Customer A site and a Customer B site attached.]

• The CE router sends an IPv4 routing update to the PE router.
• A 64-bit route distinguisher is prepended to the customer IPv4 prefix to make it globally unique, resulting in a 96-bit VPNv4 prefix.
• The 96-bit VPNv4 prefix is propagated via BGP to the other PE router.


Route Distinguisher Usage in an MPLS VPN (cont.)

[Figure: the same PE 1 and PE 2 topology, now showing the receiving side.]

• The RD is removed from the received VPNv4 prefix, resulting in a 32-bit IPv4 prefix.
• The PE router sends the resulting IPv4 prefix to the CE router.


Complex VPN: Sample VoIP Service

Requirements:
• All sites of one customer need to communicate.
• Central sites of both customers need to communicate with the VoIP gateways and with other central sites.
• Other sites from different customers do not communicate with each other.

[Figure: Customer A (central site, site 1, site 2) and Customer B (central site, site 1, site 2) attach to PE Router X and PE Router Y, which are joined through a P router in the P-network; a VoIP gateway hangs off each PE router.]


Sample VoIP Service Connectivity Requirements

[Figure (VoIP VPN): Customer A with Central Site A, Site A-1 and Site A-2, and Customer B with Central Site B, Site B-1 and Site B-2, attached at POP-X and POP-Y; each POP hosts a VoIP gateway that the central sites reach.]


Route Targets

• Some sites have to participate in more than one VPN; the RD cannot identify participation in more than one VPN.
• A different method is needed in which a set of identifiers can be attached to a route.
• Route targets (RTs) were introduced in the MPLS VPN architecture to support complex VPN topologies.


What Are Route Targets?

• Route targets (RTs) are additional attributes attached to VPNv4 BGP routes to indicate VPN membership.
• Extended BGP communities are used to encode these attributes.
• Extended communities carry the meaning of the attribute together with its value.
• Any number of RTs can be attached to a single route.


How Do Route Targets Work?

• Export RTs identifying VPN membership are appended to the customer route when it is converted into a VPNv4 route.
• Each virtual routing table has a set of associated import RTs that select the routes to be inserted into the virtual routing table.
• Route targets usually identify VPN membership, but they can also be used in more complex scenarios.

Virtual Private Networks Redefined

With the support of complex VPN topologies, VPNs have to be redefined:

• A VPN is a collection of sites sharing common routing information.
• A site can be part of different VPNs.
• A VPN can be seen as a community of interest (closed user group, CUG).

Impact of Complex VPN Topologies on Virtual Routing Tables

• A virtual routing table in a PE router can be used only for sites with identical connectivity requirements.
• Complex VPN topologies require more than one virtual routing table per VPN.
• As each virtual routing table requires a distinct RD value, the number of RDs in the MPLS VPN network increases.

Sample VoIP Service Virtual Routing Tables

[Figure (VoIP VPN): Customer A with Central Site A, Site A-1 and Site A-2, and Customer B with Central Site B, Site B-1 and Site B-2, attached at POP-X and POP-Y, each POP hosting a VoIP gateway.]

• Central Site A needs its own routing table.
• Central Site B needs its own routing table.
• Site A-1 and Site A-2 can share the same routing table.
• Site B-1 and Site B-2 can share the same routing table.
• The voice gateways can share a routing table.
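To make the route distinguisher and route target mechanics of the preceding slides concrete (the RD prepended to the customer prefix, export RTs attached to the VPNv4 route, import RTs selecting routes into a virtual routing table, and the per-site virtual routing tables of the sample VoIP service), here is an added Python model. It is example code written for this page, not part of the Cisco module or of any router software. It assumes a provider ASN of 65000, and the RD/RT values, VRF names and customer prefixes are constructed for illustration; the VRF layout follows the VoIP service requirements above (ordinary sites of a customer share a table, each central site has its own, the VoIP gateways share one).

```python
"""Added example, not code from the Cisco module: a small model of the MPLS VPN
control plane. A PE prepends a 64-bit route distinguisher (RD) to each customer
IPv4 prefix (giving a 96-bit VPNv4 prefix), tags it with export route targets
(RTs), and a remote PE imports it into every virtual routing table (VRF) whose
import RTs overlap. ASN 65000, the RD/RT values and the prefixes are constructed."""
import ipaddress
from dataclasses import dataclass, field


def encode_rd(asn: int, assigned: int) -> bytes:
    """Type-0 RD: 2-byte type (0) + 2-byte ASN + 4-byte assigned number = 8 bytes."""
    return (0).to_bytes(2, "big") + asn.to_bytes(2, "big") + assigned.to_bytes(4, "big")


@dataclass(frozen=True)
class VPNv4Route:
    rd: bytes                      # 64 bits; keeps overlapping customer prefixes distinct
    prefix: ipaddress.IPv4Network  # the customer IPv4 prefix as received from the CE
    route_targets: frozenset       # export RTs, carried as BGP extended communities
    next_hop: str                  # the exporting PE

    def nlri_bits(self) -> int:
        """VPNv4 address length: 64-bit RD + 32-bit IPv4 address."""
        return len(self.rd) * 8 + 32


@dataclass
class VRF:
    name: str
    rd: bytes
    export_rts: frozenset
    import_rts: frozenset
    table: dict = field(default_factory=dict)  # prefix -> next hop: the virtual routing table


def export_route(vrf: VRF, prefix: str, next_hop: str) -> VPNv4Route:
    """CE -> PE IPv4 update: prepend the VRF's RD and attach its export RTs."""
    return VPNv4Route(vrf.rd, ipaddress.ip_network(prefix), vrf.export_rts, next_hop)


def import_route(vrfs: list, route: VPNv4Route) -> list:
    """Remote PE: the route enters each VRF whose import RTs intersect the route's
    RTs; the RD is stripped, so the VRF holds a plain 32-bit IPv4 prefix again."""
    accepted = []
    for vrf in vrfs:
        if vrf.import_rts & route.route_targets:
            vrf.table[route.prefix] = route.next_hop
            accepted.append(vrf.name)
    return accepted


RT_A, RT_B, RT_VOICE = "65000:100", "65000:200", "65000:900"  # constructed RT values


def build_pe() -> list:
    """VRFs of one PE for the sample VoIP service: ordinary sites of a customer
    share a VRF, each central site gets its own VRF (and its own RD), and the VoIP
    gateways share one. Central sites also import and export the voice RT."""
    return [
        VRF("A-sites",   encode_rd(65000, 100), frozenset({RT_A}), frozenset({RT_A})),
        VRF("B-sites",   encode_rd(65000, 200), frozenset({RT_B}), frozenset({RT_B})),
        VRF("A-central", encode_rd(65000, 101), frozenset({RT_A, RT_VOICE}), frozenset({RT_A, RT_VOICE})),
        VRF("B-central", encode_rd(65000, 201), frozenset({RT_B, RT_VOICE}), frozenset({RT_B, RT_VOICE})),
        VRF("voip",      encode_rd(65000, 900), frozenset({RT_VOICE}), frozenset({RT_VOICE})),
    ]


def propagate(sender_vrf_name: str, prefix: str) -> dict:
    """Export `prefix` from the named VRF on PE-X and import it on PE-Y.
    Returns the PE-Y VRFs that accepted it, the VPNv4 length and the RD used."""
    pe_x, pe_y = build_pe(), build_pe()
    vrf = next(v for v in pe_x if v.name == sender_vrf_name)
    route = export_route(vrf, prefix, "PE-X")
    return {"vrfs": import_route(pe_y, route), "bits": route.nlri_bits(), "rd": route.rd.hex()}


if __name__ == "__main__":
    # Overlapping address space: both customers use 10.1.0.0/24 at their branch sites.
    print(propagate("A-sites", "10.1.0.0/24"))  # accepted by A-sites and A-central only
    print(propagate("B-sites", "10.1.0.0/24"))  # accepted by B-sites and B-central only
    print(propagate("voip", "192.0.2.0/24"))    # accepted by both central sites and voip
```

Customer isolation in this model rests entirely on the import RT sets: an import RT that matches another customer's export RT pulls that customer's prefixes into the table, which you can see by adding 65000:200 to the A-sites import set and re-running the first call. On Cisco IOS the same three knobs are `ip vrf`, `rd` and `route-target import|export`, so a review of PE configuration for cross-customer leaks is a review of exactly these sets.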

Benefits of MPLS VPN Technology

MPLS VPN technology has all the benefits of peer-to-peer VPN technology:

• Easy provisioning
• Optimal routing

It also bypasses most drawbacks of traditional peer-to-peer VPN technologies:

• RDs enable overlapping customer address spaces.
• RTs enable topologies that were hard to implement with other VPN technologies.

Summary

After completing this section, you should be able to perform the following tasks:

• Describe the difference between traditional peer-to-peer models and MPLS VPN

• List the benefits of MPLS VPN

• Describe major architectural blocks of MPLS VPN

• Explain the need for route distinguishers and route targets

Review Questions

• How does MPLS VPN support overlapping customer address spaces?

• How are customer routes exchanged across the P-network?

• What is a route distinguisher?

• Why is the RD not usable as VPN identifier?

• What is a route target?

• Why were the route targets introduced in MPLS VPN architecture?

• How are route targets used to build virtual routing tables in the PE routers?

• What is the impact of complex VPN topologies on virtual routing tables in the PE routers?

MPLS VPN Routing Model

Objectives

Upon completion of this section, you will be able to perform the following tasks:

• Describe the routing model of MPLS VPN

• Describe the MPLS VPN routing model from customer and provider perspectives

• Identify the routing requirements of CE-routers, PE-routers and P-routers

MPLS VPN Routing Requirements

• Customer routers (CE routers) have to run standard IP routing software.

• Provider core routers (P routers) have no VPN routes.

• Provider edge routers (PE routers) have to support MPLS VPN and Internet routing.

MPLS VPN Routing—CE Router Perspective

The CE routers run standard IP routing software and exchange routing updates with the PE router.

• External BGP (EBGP), Open Shortest Path First (OSPF), RIP version 2 (RIPv2), and static routes are supported.

The PE router appears as another router in the-

[Figure: MPLS VPN backbone with a PE router exchanging routing updates with two CE routers]

MPLS VPN Routing—Overall Customer Perspective

To the customer, the PE routers appear as core routers connected via a BGP backbone. The usual BGP and IGP design rules apply.

The P routers are hidden from the customer.

[Figure: site IGPs at the CE routers, with the PE routers forming the BGP backbone]

MPLS VPN Routing—P Router Perspective

• P routers do not participate in MPLS VPN routing and do not carry VPN routes.

• P routers run backbone IGP with the PE routers and exchange information about global subnets (core links and loopbacks).

[Figure: MPLS VPN backbone with a P router between two PE routers]

Routing Tables on PE Routers

PE routers contain a number of routing tables:

• Global routing table that contains core routes (filled with core IGP) and Internet routes (filled with IPv4 BGP).

• VRF tables for sets of sites with identical routing requirements.

• VRFs filled with information from CE routers and MP-BGP information from other PE routers.

[Figure: MPLS VPN backbone with a P router and two PE routers, each attached to CE routers; core IGP runs between PE and P routers, MP-BGP between the PE routers, VPN routing toward the CE routers, and IPv4 BGP carries Internet routes]

End-to-End Routing Information Flow (1/3)

PE routers receive IPv4 routing updates from CE routers and install them in the appropriate VRF table.

[Figure: IPv4 update sent from a CE router to its PE router at the edge of the MPLS VPN backbone]

MP-BGP Update

An MP-BGP update contains:

• VPNv4 address

• Extended communities (route targets, optionally Site-of-Origin, or SOO)

• Label used for VPN packet forwarding

• Any other BGP attribute (for example, AS path, local preference, multi-exit discriminator (MED), standard community)

MP-BGP Update—VPNv4 Address

A VPN IPv4 address contains:

• RD

  • 64 bits

  • Makes the IPv4 route globally unique

  • RD is configured in the PE for each VRF

  • RD may or may not be related to a site or a VPN

• IPv4 address (32 bits)

MP-BGP Update—Extended Communities

64-bit attribute attached to a route. A set of communities can be attached to a single route.

High-order 16 bits identify the extended community type:

• RT: identifies the set of sites to which the route must be advertised

• SOO: identifies the originating site

• OSPF route type: identifies the link-state advertisement (LSA) type of the OSPF route redistributed into MP-BGP

Extended BGP Community Display Format

Two display formats are supported:

• <16-bit type>:<ASN>:<32-bit number> (uses a registered AS number)

• <16-bit type>:<IP address>:<16-bit number> (uses a registered IP address)
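The VPNv4 address slide and the display-format slide above describe the same 8-byte layout from two angles: an RD is <type>:<admin>:<number>, and a route target or SOO is that value with the extended-community type in the high-order 16 bits. The following added example (written for this page, not code from the Cisco course) encodes and decodes both text forms, renders an extended community in the slide's display format, and shows why the RD makes an IPv4 route globally unique: two customers using the same 10.1.1.0/24 occupy two separate VPNv4 entries. The type codes RT_AS, RT_IP, SOO_AS and SOO_IP are the standard extended-community values (an assumption from RFC 4360/4364; the slides do not list them), and all RD, prefix and next-hop values are constructed sample data.

```python
"""Added example: MPLS VPN identifiers as carried in MP-BGP VPNv4 updates.

A VPNv4 address is a 64-bit RD followed by the 32-bit IPv4 address. RDs,
route targets and SOO share the layout <16-bit type>:<ASN>:<32-bit number>
(type 0) or <16-bit type>:<IP address>:<16-bit number> (type 1).
"""
import ipaddress
import struct

# Extended-community type codes (assumed from RFC 4360/4364, not on the slides):
# high byte 0x00 = AS-number form, 0x01 = IP-address form;
# low byte 0x02 = route target, 0x03 = site of origin.
RT_AS, RT_IP = 0x0002, 0x0102
SOO_AS, SOO_IP = 0x0003, 0x0103


def encode_rd(text):
    """'ASN:number' -> type 0 RD, 'A.B.C.D:number' -> type 1 RD (8 bytes, network order)."""
    admin, _, assigned = text.rpartition(":")
    if "." in admin:
        return struct.pack("!H4sH", 1, ipaddress.IPv4Address(admin).packed, int(assigned))
    return struct.pack("!HHI", 0, int(admin), int(assigned))


def decode_rd(raw):
    """Inverse of encode_rd: 8 bytes -> 'admin:number' display text."""
    rd_type = struct.unpack("!H", raw[:2])[0]
    if rd_type == 0:
        asn, number = struct.unpack("!HI", raw[2:8])
        return f"{asn}:{number}"
    if rd_type == 1:
        ip, number = struct.unpack("!4sH", raw[2:8])
        return f"{ipaddress.IPv4Address(ip)}:{number}"
    raise ValueError(f"unsupported RD type {rd_type}")


def encode_ext_community(kind, text):
    """RT/SOO: the value part is laid out exactly like an RD, but the high-order
    16 bits carry the extended-community type instead of the bare RD type."""
    return struct.pack("!H", kind) + encode_rd(text)[2:]


def display_ext_community(raw):
    """Render as <16-bit type>:<admin>:<number>, the format shown on the slide.
    The high byte of the type says whether the value is AS-based or IP-based."""
    kind = struct.unpack("!H", raw[:2])[0]
    value = decode_rd(struct.pack("!H", kind >> 8) + raw[2:8])
    return f"{kind:#06x}:{value}"


def vpnv4_key(rd_text, prefix):
    """RD + IPv4 network address: the 96-bit VPNv4 address MP-BGP carries."""
    net = ipaddress.IPv4Network(prefix)
    return encode_rd(rd_text) + net.network_address.packed


def build_vpnv4_table(routes):
    """routes: iterable of (rd, prefix, next_hop). Keyed by the VPNv4 address, so
    the same IPv4 prefix from two customers with different RDs gets two entries."""
    return {vpnv4_key(rd, prefix): (prefix, nh) for rd, prefix, nh in routes}


if __name__ == "__main__":
    # Constructed sample: customers A and B both use 10.1.1.0/24.
    table = build_vpnv4_table([("100:1", "10.1.1.0/24", "10.15.0.15"),
                               ("100:2", "10.1.1.0/24", "10.20.0.60")])
    for key, (prefix, nh) in table.items():
        print(decode_rd(key[:8]), prefix, "via", nh)
    print(display_ext_community(encode_ext_community(RT_AS, "100:1")))
```

Feeding the same prefix twice under one RD collapses it to a single entry, which is the behaviour the "RD is not usable as VPN identifier" review question points at: the RD only guarantees uniqueness of the key, it says nothing about which VRFs will import the route.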

End-to-End Routing Information Flow (3/3)

• The receiving PE router imports incoming VPNv4 routes into the appropriate VRF based on the route targets attached to the routes.

• Routes installed in a VRF are propagated to CE routers.

[Figure: MP-BGP update carried across the MPLS VPN backbone from one PE router to the other; each PE router is attached to CE routers]

Route Distribution to CE Routers

Route distribution to sites is driven by the SOO and RT extended BGP communities.

A route is installed in the site VRF that matches the RT attribute.

• A PE router that connects sites belonging to multiple VPNs will install the route into the site VRF if the RT attribute contains one or more VPNs to which the site is associated.
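The import step of "End-to-End Routing Information Flow (3/3)" and the site-VRF rule just stated can be reduced to a set intersection: a VPNv4 route lands in every VRF whose import route targets overlap the RTs on the route. The added example below (written for this page, not code from the Cisco course) runs that rule over constructed sample routes and VRFs, including a shared VoIP-gateway VRF that belongs to two VPNs as on the VoIP slide. It also handles two points the slides leave implicit: a single VRF is one IPv4 table, so when two customers' overlapping 10.1.1.0/24 routes both match a shared VRF only one can be installed and the other is recorded as a conflict; and the SOO check in routes_for_ce keeps a route from being advertised back to the site it originated from, which is the usual SOO semantics and an assumption here, since the slide only says SOO and RT drive distribution.

```python
"""Added example: route-target import into VRFs and distribution toward CE routers.
All RDs, prefixes, labels, RTs, SOOs and VRF names are constructed sample data."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Vpnv4Route:
    rd: str                     # route distinguisher, e.g. "100:1"
    prefix: str                 # IPv4 prefix, e.g. "203.1.20.0/24"
    next_hop: str               # BGP next hop: loopback of the egress PE
    label: int                  # VPN label assigned by the egress PE
    rts: frozenset              # route-target extended communities
    soo: Optional[str] = None   # site-of-origin extended community, optional


@dataclass
class Vrf:
    name: str
    import_rts: frozenset
    site_soo: Optional[str] = None                  # SOO of the site behind this VRF
    table: dict = field(default_factory=dict)       # prefix -> Vpnv4Route
    conflicts: list = field(default_factory=list)   # (prefix, kept_rd, rejected_rd)


def import_routes(vrfs, routes):
    """Install each route into every VRF whose import RTs intersect the route's RTs.
    A VRF is a single IPv4 table: the same prefix arriving under a second RD cannot
    coexist with the first, so it is recorded as a conflict and not installed."""
    for vrf in vrfs:
        for route in routes:
            if not (vrf.import_rts & route.rts):
                continue
            existing = vrf.table.get(route.prefix)
            if existing is not None and existing.rd != route.rd:
                vrf.conflicts.append((route.prefix, existing.rd, route.rd))
                continue
            vrf.table[route.prefix] = route
    return vrfs


def routes_for_ce(vrf):
    """Prefixes the PE advertises from this VRF to its CE router(s); a route whose SOO
    matches the site's own SOO is not sent back to it (assumed SOO semantics)."""
    return sorted(prefix for prefix, route in vrf.table.items()
                  if not (vrf.site_soo and route.soo == vrf.site_soo))


# Constructed sample: customers A and B both use 10.1.1.0/24 (distinct RDs keep them
# apart in MP-BGP); the VoIP gateway prefix 192.0.2.0/24 is exported into both VPNs.
SAMPLE_ROUTES = [
    Vpnv4Route("100:1", "10.1.1.0/24", "10.15.0.15", 37, frozenset({"RT:100:1"}), soo="SOO:100:11"),
    Vpnv4Route("100:1", "203.1.20.0/24", "10.15.0.15", 38, frozenset({"RT:100:1"}), soo="SOO:100:12"),
    Vpnv4Route("100:2", "10.1.1.0/24", "10.20.0.60", 26, frozenset({"RT:100:2"})),
    Vpnv4Route("100:3", "192.0.2.0/24", "10.20.0.61", 40, frozenset({"RT:100:1", "RT:100:2"})),
]


def build_example():
    """Three VRFs on one receiving PE; returns them keyed by name after import."""
    vrfs = [
        Vrf("A-1", frozenset({"RT:100:1"}), site_soo="SOO:100:11"),   # customer A, site A-1
        Vrf("B", frozenset({"RT:100:2"})),                             # customer B
        Vrf("VoIP-GW", frozenset({"RT:100:1", "RT:100:2"})),           # site that is in both VPNs
    ]
    return {v.name: v for v in import_routes(vrfs, SAMPLE_ROUTES)}


if __name__ == "__main__":
    for name, vrf in build_example().items():
        print(name, "imports", sorted(vrf.table), "to CE:", routes_for_ce(vrf),
              "conflicts:", vrf.conflicts)
```

The conflict list is the practical reason the earlier slide says complex topologies need more than one virtual routing table per VPN: a VRF that imports from several customers can only hold one copy of an overlapping prefix, so a shared-service design has to avoid overlapping address space behind it or split it into separate VRFs.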

Summary

After completing this section, you should be able to perform the following tasks:

• Describe the routing model of MPLS VPN

• Describe the MPLS VPN routing model from customer and provider perspective

• Identify the routing requirements of CE-routers, PE-routers and P-routers

Review Questions

• What is the impact of MPLS VPN on CE-routers?

• What is the customer’s perception of end-to-end MPLS VPN routing?

• What is the P-router perception of end-to-end MPLS VPN routing?

• How many routing tables does a PE-router have?

• How many routing tables reside on a P-router?

• Which routing protocols fill the global routing table of a PE-router?

• Which routing protocols fill the Virtual

More Review Questions

• How is the Internet routing supported by MPLS VPN architecture?

• How is the VPN routing information exchanged between the PE-routers?

• Which attributes are always present in a MP-BGP update?

• Which attributes can be optionally present in a MP-BGP update?

• Which BGP attributes drive the import of VPNv4 route into a VRF?

• Which BGP attributes control the VPN route distribution toward CE-routers?

MPLS VPN Packet Forwarding

Objectives

Upon completion of this section, you will be able to perform the following tasks:

• Describe the MPLS VPN forwarding mechanisms

• Describe the VPN and backbone label propagation

• Explain the need for end-to-end LSP between PE routers

• Explain the implications of BGP next-hop on MPLS VPN forwarding

VPN Packet Forwarding Across an MPLS VPN Backbone

Q: How will the PE routers forward the VPN packets across the MPLS VPN backbone?

[Figure: ingress PE router, two P routers and egress PE router in the MPLS VPN backbone, each PE router attached to CE routers; the packet is shown as IP, then IP L1, IP L2, IP L3 as it is label-switched across the backbone]

A2: They will label the VPN packets with a label distribution protocol (LDP) label for the egress PE router and forward the labeled packets across the MPLS backbone.

Better answers: The P routers perform the label switching and the packet reaches the egress PE router.

However, the egress PE router does not know which VRF to use for packet switching, so the packet is dropped.

How about using a label stack?

VPN Packet Forwarding—Penultimate Hop Popping

[Figure: ingress PE router, P routers and egress PE router with attached CE routers; the packet is shown as IP, IP V L1, IP V L2, IP V, and IP again behind the egress PE router]

The egress PE router performs label lookup only on the VPN label, resulting in faster and simpler label lookup.

IP lookup is performed only once—in the ingress PE router.

Penultimate hop popping on the LDP label can be performed on the last P router.

VPN Label Propagation

How will the ingress PE router get the second label in the label stack from the egress PE router?

[Figure: ingress PE router, P routers and egress PE router with attached CE routers]

A: Labels are propagated in MP-BGP VPNv4 routing updates.

VPN Label Propagation

Step #1: A VPN label is assigned to every VPN route by the egress PE router.

Egress-PE#show tag-switching forwarding vrf SiteA2
Local  Outgoing    Prefix              Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id        switched   interface
26     Aggregate   150.1.31.36/30[V]   0
37     Untagged    203.1.2.1/32[V]     0          Se1/0.20   point2point
38     Untagged    203.1.20.0/24[V]    0          Se1/0.20   point2point

VPN Label Propagation

Step #2: The VPN label is advertised to all other PE routers in an MP-BGP update.

Ingress-PE#show ip bgp vpnv4 all tags
   Network          Next Hop      In tag/Out tag
Route Distinguisher: 100:1 (vrf1)
   12.0.0.0         10.20.0.60    26/notag
                    10.20.0.60    26/notag
   203.1.20.0       10.15.0.15    notag/38

VPN Label Propagation

Step #3: A label stack is built in the VRF table.

Ingress-PE#show ip cef vrf Vrf1 203.1.20.0 detail
203.1.20.0/24, version 57, cached adjacency to Serial1/0.2
0 packets, 0 bytes
  tag information set
    local tag: VPN-route-head
    fast tag rewrite with Se1/0.2, point2point, tags imposed: {26 38}
  via 192.168.3.103, 0 dependencies, recursive
    next hop 192.168.3.10, Serial1/0.2 via 192.168.3.103/32
    valid cached adjacency
    tag rewrite with Se1/0.2, point2point, tags imposed: {26 38}

Effects of MPLS VPN Label Propagation

The VPN label must be assigned by the BGP next hop.

The BGP next hop should not be changed in the MP-IBGP update propagation.

• Do not use next-hop-self on confederation boundaries.

The PE router must be the BGP next hop.

• Use next-hop-self on the PE router.

The label must be reoriginated if the next hop is changed.

• A new label is assigned every time the MP-BGP update crosses the AS boundary where the next hop is changed.

• This functionality is supported by Cisco IOS

Effects of MPLS VPN Packet Forwarding

The VPN label is understood only by the egress PE router.

An end-to-end LSP tunnel is required between the ingress and egress PE routers.

BGP next hops must not be announced as BGP routes.

• LDP labels are not assigned to BGP routes.

BGP next hops announced in IGP must not be summarized in the core network.

VPN Packet Forwarding with Summarization in the Core

[Figure: ingress PE router, P routers and egress PE router with attached CE routers; the packet is shown as IP at the CE router, IP V L1 leaving the ingress PE router and IP V after penultimate hop popping]

• PE router builds a label stack and forwards labeled packet toward egress PE router.

• P router summarizes PE loopback.

• Penultimate hop popping is requested through LDP.

• P router performs penultimate hop popping.

• P router is faced with a VPN label it does not understand.
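The forwarding slides in this section describe one mechanism from three sides: the label stack {LDP label, VPN label} imposed by the ingress PE, penultimate hop popping of the outer label on the last P router, and the VPN label selecting the VRF on the egress PE. The added example below (written for this page, not code from the Cisco course) is a small forwarding simulation that walks one packet through Ingress-PE, P1, P2 and Egress-PE and reports where it is delivered or dropped. Three runs reproduce the cases the slides discuss: the normal two-label case; the single-label case from the Q/A slide, where the egress PE receives a plain IP packet and cannot pick a VRF; and the summarization case just above, where P2 originates a summary covering the egress PE loopback, LDP binds implicit-null to that FEC so P1 pops the outer label early, and P2 is handed a VPN label it has no binding for. The label values 26 and 38 are the ones from the show command output on the earlier slides; the router names, LFIB entries and the swapped label 40 are constructed.

```python
"""Added example: label-stack forwarding across an MPLS VPN backbone, including
penultimate hop popping and the failure caused by summarizing a PE loopback."""


class Router:
    def __init__(self, name):
        self.name = name
        self.lfib = {}        # incoming label -> (action, outgoing label or None, next hop)
        self.vpn_labels = {}  # VPN label -> VRF name (meaningful on the egress PE only)
        self.vrf_fib = {}     # (vrf, prefix) -> (label stack outer-first, next hop)


def forward(net, ingress, vrf, prefix):
    """Carry one packet from the ingress PE's VRF toward prefix.
    Returns (outcome, path): 'delivered:<vrf>' or 'dropped:<router>:<reason>'."""
    stack, next_hop = net[ingress].vrf_fib[(vrf, prefix)]
    labels = list(stack)              # top of stack first, e.g. [26, 38]
    path = [ingress]
    current = next_hop
    while True:
        path.append(current)
        router = net[current]
        if not labels:
            # Plain IP packet in the core: P routers carry no VPN routes and the
            # egress PE has no way to choose a VRF without the VPN label.
            return f"dropped:{current}:unlabeled", path
        top = labels[0]
        if top in router.lfib:
            action, out_label, next_hop = router.lfib[top]
            if action == "swap":
                labels[0] = out_label
            else:                     # "pop": penultimate hop popping of the LDP label
                labels.pop(0)
            current = next_hop
            continue
        if top in router.vpn_labels:  # egress PE: the VPN label selects the VRF
            return f"delivered:{router.vpn_labels[top]}", path
        return f"dropped:{current}:unknown-label-{top}", path


def build_network(summarize_in_core=False, use_label_stack=True):
    """Ingress-PE - P1 - P2 - Egress-PE. 26 is the LDP label Ingress-PE learned for
    the Egress-PE loopback FEC, 38 the VPN label Egress-PE advertised in MP-BGP."""
    ingress, p1, p2, egress = (Router("Ingress-PE"), Router("P1"),
                               Router("P2"), Router("Egress-PE"))
    vpn_label = 38
    stack = [26, vpn_label] if use_label_stack else [26]
    ingress.vrf_fib[("Vrf1", "203.1.20.0/24")] = (stack, "P1")
    if summarize_in_core:
        # P2 originates a summary that covers the Egress-PE loopback, so LDP binds
        # implicit-null to that FEC and P1, now the penultimate hop, pops label 26.
        p1.lfib[26] = ("pop", None, "P2")
        # P2 has no binding for 38: a VPN label means nothing to a P router.
    else:
        p1.lfib[26] = ("swap", 40, "P2")
        p2.lfib[40] = ("pop", None, "Egress-PE")   # PHP on the last P router
    egress.vpn_labels[vpn_label] = "Vrf1"
    return {r.name: r for r in (ingress, p1, p2, egress)}


if __name__ == "__main__":
    for kwargs in ({}, {"use_label_stack": False}, {"summarize_in_core": True}):
        print(kwargs, forward(build_network(**kwargs), "Ingress-PE", "Vrf1", "203.1.20.0/24"))
```

The summarization run is the operational check behind "BGP next hops announced in IGP must not be summarized in the core network": the drop happens on a P router that has no VPN state at all, so nothing in the VRF or MP-BGP configuration of either PE looks wrong, and the missing /32 host route for the PE loopback is where to look.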

Summary

After completing this section, you should be able to perform the following tasks:

• Describe the MPLS VPN forwarding mechanisms

• Describe the VPN and backbone label propagation

• Explain the need for end-to-end LSP between PE routers

• Explain the implications of BGP next-hop on MPLS VPN forwarding

Review Questions

• How are VPN packets propagated across MPLS VPN backbone?

• How can P-routers forward VPN packets if they don’t have VPN routes?

• How is the VPN label propagated between PE-routers?

• Which router assigns the VPN label?

• How is the VPN label used on other PE-routers?

• What is the impact of changing BGP next-hop on MP-BGP update?

• How are MP-BGP updates propagated across AS boundary?

• What is the impact of BGP next-hop summarization in the network core?

Summary

After completing this lesson, you should be able to perform the following tasks:

• Identify major Virtual Private network topologies, their characteristics and usage scenarios

• Describe the differences between overlay VPN and peer-to-peer VPN

• List major technologies supporting overlay VPNs and peer-to-peer VPNs

• Position MPLS VPN in comparison with other peer-to-peer VPN implementations

• Describe major architectural blocks of MPLS VPN

• Describe MPLS VPN routing model and packet
