Oda000017 Mpls VPN(l3)

  • View
    216

  • Download
    0

Embed Size (px)

Text of Oda000017 Mpls VPN(l3)

  • 8/3/2019 Oda000017 Mpls VPN(l3)

    1/33

  • 8/3/2019 Oda000017 Mpls VPN(l3)

    2/33

    VPN Classification

    CPE-Based VPN Network-Based VPN

    VLL VPRN VPDN VPLS

    MPLS/BGP VPN

    IP-VPN

    VPN

    VR-VPN

    VPN: Virtual Private Network

  • 8/3/2019 Oda000017 Mpls VPN(l3)

    3/33

    VPN Definitions (1)

    IP-VPN: Service emulation implemented for dedicated line services (such as

    remote dial-up and DDN) of dedicated LAN equipment via the IP facilities

    (including the public Internet and private IP backbone network, etc.).

    Network-Based IP-VPN: It refers to the case where the VPN-related

    maintenance is contracted out to the operator (the user is also allowed toperform certain service management and control) and the functional features

    are implemented at the network side equipment in the centralized way.

    Tunnel: It is a technology that uses a type of protocol to transmit another

    type of protocol. Mainly the tunnel protocol serves to implement this function.The tunnel technology involves three types of protocols: tunneling protocol,

    bearer protocol under the tunnel protocol, and the protocol borne on the

    tunnel protocol.

  • 8/3/2019 Oda000017 Mpls VPN(l3)

    4/33

    VPN Definitions (2)

    Virtual Leased Line (VLL): It provides point-to-point connection service

    between two pieces of CPE equipment for the user via the edge node of

    the operator.

    Virtual Private Dial Network (VPDN): The remote user dials to the public IP

    network via PSTN/ISDN, and the data packet passes through the public

    network via a tunnel for the destination network.

    Virtual Private LAN Segments (VPLS): VPLS is a virtual method to

    establish LAN via the public IP resources. The networking is based on the

    MAC layer forwarding, and it is completely transparent to the network layer

    protocol. It is a L2 VPN.

    Virtual Private Routed Network (VPRN): VPRN is defined as a kind of

    emulation for multi-site wide area route network services via the public IP

    network, and the data packet of VPN is forwarded at the network layer.

  • 8/3/2019 Oda000017 Mpls VPN(l3)

    5/33

    Constructing VPN via GRE

    10.0.1.1/2410.0.0.0/24

    10.0.0.0/24

    129.0.0.2/30

    129.0.0.1/30

    129.0.1.1/30

    129.0.1.2/30

    Public IPnetwork

    129.0.2.2/30

    129.0.2.1/30

    129.0.3.1/30

    129.0.3.2/30

    GRE tunnel

    GRE tunnel

    10.0.1.1/24

    10.0.1.2/24

    10.0.1.2/24

    Rt1 Rt2

    HQ1

    HQ2

    To construct such a network, just make configuration on the access routerof each network.

    It is unnecessary for the operator network to know the internal route of VPN.

    Different VPNs can employ the same address space.

    The forwarding efficiency is low.

  • 8/3/2019 Oda000017 Mpls VPN(l3)

    6/33

    MPLS VPN Network Structure

    VPN_A

    VPN_A

    VPN_B

    10.3.0.0

    10.1.0.0

    11.5.0.0

    CE

    CE

    CE

    VPN_A

    VPN_B

    VPN_B

    10.1.0.0

    10.2.0.0

    11.6.0.0

    CE

    PE

    PECE

    CE

    VPN_A10.2.0.0

    CE

    VPN_A

    VPN_B

    VPN_B

    10.1.0.0

    10.2.0.0

    11.6.0.0

    CE

    PE

    PECE

    CE

    VPN_A10.2.0.0

    CE

    VPN_A

    10.2.0.0

    CE

    iBGPsessions

    P

    P

    P

    P

    PE

    PE

    CE (Custom Edge): The user equipment directly connected with the service

    provider.

    PE (Provider Edge Router): The edge router on the backbone network, connected

    with CE and mainly responsible for access of the VPN service.

    P (Provider Router): The core router on the backbone network, mainly responsible

    for the routing and fast forwarding functions.

  • 8/3/2019 Oda000017 Mpls VPN(l3)

    7/33

    Network Topology-1

    Each site only belongs to one VPN: Intranet

    site1 site3

    site2

    site10

    site20 site30

  • 8/3/2019 Oda000017 Mpls VPN(l3)

    8/33

    Network Topology-2

    site1

    site4

    site5

    stie2 stie3

    Intranet

    Extranet

    Each site may belong tomultiple VPNs.

  • 8/3/2019 Oda000017 Mpls VPN(l3)

    9/33

    Characteristics of MPLS VPN

    In this network structure, service providers provide VPN services for users,

    who do not feel existence of the public network as if they have separate

    network resources.

    P router is only responsible for data transmission inside the backbone

    network, unnecessary to know existence of VPN. However, it must be

    able to support and enable the MPLS protocol.

    All the construction, connection and management work of VPN is

    implemented on PE.

    Network configuration is simple.

    The existing routing protocol can be directly used without any change.

    MPLS VPN network features good expandability.

    VPN with QOS and TE can be implemented.

  • 8/3/2019 Oda000017 Mpls VPN(l3)

    10/33

    Relationship Between PE and CE

    PE

    C

    PE

    CE

    CE

    Site -2Site -2

    Site -1Site -1

    EBGP, RIP, Static

    PE and CE routers exchange information via the EBGP, RIP and static route. CE

    runs the standard routing protocol.

    PE maintains separate routing tables of the public network and private network.

    Routing table of public network, including the routes of all PE and P routers, generated by

    the backbone network IGP of VPN.

    VRF (VPN routing & forwarding), including tables of routing & forwarding to one or multiple

    directly connected CEs. VRF can be bound with any types of interfaces. If the directly

    connected sites belong to the same VPN, these interfaces can use the same VRF.

    VPNA

    VPNB

    VRF for VPNA

    VRF for VPNBGlobal route

  • 8/3/2019 Oda000017 Mpls VPN(l3)

    11/33

    VRF

    VRF can be regarded as a virtual router structured as follows:

    It is associated with some interfaces and has a forwarding table based on these

    interfaces.

    A set of rules is available to control import of the route into VPN or export of the

    route from VPN.

    The route can be redistributed to the routing table (static route, RIP instance,

    BGP) via some routing protocols. VRF is configured on PE and exchange the route with CE. The route

    independently exists in the VRF routing table (routing table of the private

    network).

    PE maintains a separate forwarding table for each site.

    Each site has a unique VRF. If (and only if) two sites have identical forwarding table, they share a VRF.

    The interface/sub-interface connected with CE is mapped to VRF.

    The routes in VRF will be distributed to the sites (usually connected on

    other PEs) belonging to the same VPN.

  • 8/3/2019 Oda000017 Mpls VPN(l3)

    12/33

    Distribution of VRF Routes

    PE PECE Router CE Router

    P Router

    Site SiteMP-iBGP

    The PE router distributes the local VPN route information via the

    MPLS/VPN backbone network.

    The transmitting PE exports the local VRF routes via MP-iBGP

    (with the export-target attribute).

    The receiving PE imports the route to the VRF where it belongs

    (with the matched import-target attribute).

  • 8/3/2019 Oda000017 Mpls VPN(l3)

    13/33

    MBGP

    MBGP (Multiprotocol Extensions for BGP-4 )

    BGP-4 only supports IPv4, and is extended to MBGP to

    transfer the route information of more protocols (IPv6,

    IPX,etc.).

    To maintain compatibility, only two BGP attributes are added

    for MBGP: MP_REACH_NLRI and MP_UNREACH_NLRI. The

    two attributes can be used in the BGP Update message to

    notify or cancel the network reachability information.

  • 8/3/2019 Oda000017 Mpls VPN(l3)

    14/33

    MBGP: MP_REACH_NLRI

  • 8/3/2019 Oda000017 Mpls VPN(l3)

    15/33

    MBGP: MP_UNREACH_NLRI

    The label mapping information is carried in the MP_REACH_NLRI attribute.

    Address Family Identifier and Subsequent Address Family Identifier are

    used together to indicate the address family that the reachability

    information, notified by this attribute, belongs to. AFI as 1 and SAFI as 128

    indicate that the subsequently notified information will be the VPN-IPV4reachability information and the bound MPLS tag.

    Length of Nexthop Network Address and Network Address of Nexthop

    refer to the next hop of the route information. The rule to determine the

    next hop obeys the usual next hop rule of BGP.

  • 8/3/2019 Oda000017 Mpls VPN(l3)

    16/33

    VPNv4 and IPv4 Address Families

    To enable different VPNs to use the same address space, a new

    address family, i.e. VPNv4, is introduced. The original standard

    address family is called IPv4.

    VPNv4 address family mainly serves to transfer VPN routes between

    PE routers.

    RD is unique among different VPNs. If two VPNs use the same IP

    address, PE router will add different RDs for them and convert the

    address into a unique VPN-v4 address without causing conflict of the

    address space.

    The standard route received by PE from CE is the IPv4 route. To

    import VRF routing tables and distribute them to other routers, a RD is

    needed. It is suggested that the RDs of the same VPN be configured

    the same.

    Route Distinguisher (8 bytes) IPv4 address

    VPNV4 address structure:

  • 8/3/2019 Oda000017 Mpls VPN(l3)

    17/33

    MPLS/VPN RD

    RD format: 16-bit Autonomous System Number (ASN): 32-bit user-defined number, e.g. 100:1

    32-bit IP address: 16-bit customized number, e.g. 172.1.1.1:1

    Usually, each site is assigned with a unique RD, which is the identifier of VRF.

    Difference between the routing table of public network and the routing table

    of private network: The routing table of public network is generated by the IGP routes, which may

    include the BGP-4 (IPv4) route, but not the VPN route.

    VRF routing table includes the specific VPN routes. It may include the routes

    redistributed from MP-iBGP route to VRF, or the route obtained from CE by the vrf

    route instance.

    TYPE (2-byte) Administrator Field Assigned Number Field

    0 2-byte ASN 4-byte assigned number

    1 4-byte IP address 2-byte assigned number

    RD structure:

  • 8/3/2019 Oda000017 Mpls VPN(l3)

    18/33

    Mapping Message of the Attached Label

    Multiple labels can be attached. The first 20 bits of each label refer to the

    label domain, while of the last 4 bits, the first three refer to the EXP domain

    and the last one indicates whether it is the stack base.

    Note that this label must be assigned by the LSR referred to in the Next-

    Hop of the MP_REACH_NLRI attribute.

    There are two methods to cancel the route information (meanwhile to

    release label binding).

    Re-distribute a different route (and a new Label) for the same destination.

    Use the Withdraw message to include the destination in MP_UNREACH_NLRI.

    Network Layer Reachability Information:

  • 8/3/2019 Oda000017 Mpls VPN(l3)

    19/33

    Importing VRF Routes to MP-iBGP

    PE

    CE-1

    MP-iBGP

    PE

    BGP, RIPv2 updatefor 149.27.2.0/24,NH=CE-1

    VPN-v4 update:RD:1:27:149.27.2.0/24, Next-hop=PE-1RT=VPN-A -Label=(28)

    CE-2

    Beijing Shanghai

    Importing VRF route to MP-iBGP: PE router converts the route (in

    the VRF routing table) received from CE into the VPN-V4 route;

    labels it with RD and RT based on the configuration; changes the

    next hop as PE itself (loopback); assigns the label based on the

    interface; finally sends the MP-iBGP update packet to all PE

    neighbors.

  • 8/3/2019 Oda000017 Mpls VPN(l3)

    20/33

    Importing MP-iBGP Routes to VRF

    Each VRF has configurations of import route-targetand export route-target.

    When the transmitting PE sends MP-iBGP updates, the export attribute isattached in the packet.

    When receiving MP-iBGP updates of VPN-IPv4, the receiving PE will judge

    whether the received exportis equal to the importof the local VRF. If yes, it will be

    added to the corresponding VRF routing table; otherwise, it will be discarded.

    PE

    CE-1

    MP-iBGP

    PEVPN-v4 update:RD:1:27:149.27.2.0/24,Next-hop=PE-1RT=VPN -A,Label=(28)

    CE-2

    PE receives the update packet, convertsVPN-v4 into the IPv4 address, anddistributes it to VFR VPN-A (RT=VPN-A)routing table, then broadcasts it to CE.

    Beijing Shanghai

    ip vrfVPN-B

    vpn -target import VPN-A

  • 8/3/2019 Oda000017 Mpls VPN(l3)

    21/33

    Basic Intranet Model

    P RouterP Router

    MPLS/VPN BackboneMPLS/VPN BackboneVPN AVPN A

    VPN A

    SITESITE--22

    VPN A

    SiteSite--1 routes1 routes

    SiteSite--2 routes2 routes

    SiteSite--3 routes3 routes

    SiteSite--4 routes4 routes

    MP-iBGP

    SiteSite--3 & Site3 & Site--4 routes4 routes

    RT=VPNRT=VPN --AASiteSite--1 & Site1 & Site--2 routes2 routes

    RT=VPNRT=VPN --AA

    SiteSite--1 routes1 routes

    SiteSite--2 routes2 routes

    SiteSite--3 routes3 routes

    SiteSite--4 routes4 routes

    SITESITE--11 SITESITE--33

    SITESITE--44

  • 8/3/2019 Oda000017 Mpls VPN(l3)

    22/33

    MPLS/VPN Label Distribution

    P routerP router

    In Label FEC Out Label

    - 197.26.15.1/32 -

    In Label FEC Out Label

    41 197.26.15.1/32 POP

    In Label FEC Out Label

    - 197.26.15.1/32 41

    Use label implicit-nullfordestination 197.26.15.1/32

    Use label41 for destination197.26.15.0/24

    VPN-v4 update:RD:1:27:149.27.2.0/24,NH=197.26.15.1RT=VPN-A -Label=(28)

    PE-1

    Shanghai

    PE and P routers are provided with the reachability to the next hop of bgp via the backbone

    network IGP.

    Run IGP and LDP to distribute the label and establish LSP, and obtain the LSP channel to the next

    hop of BGP.

    The label stack is for packet forwarding. The external layer label indicates how to reach the next

    hop of BGP, and the internal layer label indicates the outgoing interface of the packet or the home

    VRF (home VPN).

    MPLS node forwarding is based on the external layer label regardless of the internal layer label.

    Beijing

    149.27.2.0/24

  • 8/3/2019 Oda000017 Mpls VPN(l3)

    23/33

    MPLS/VPN Packet Forwarding-1

    In Label FEC Out Label

    - 197.26.15.1/32 41

    149.27.2.27

    PE-1

    149.27.2.272841

    VPN-A VRF149.27.2.0/24,

    NH=197.26.15.1Label=(28)

    ShanghaiBeijing

    149.27.2.0/24

    When the ingress PE receives an ordinary IP packet from CE, PE adds itto the corresponding VPN forwarding table based on the VRF to which

    the ingress interface belongs, and searches for the next hop and label.

  • 8/3/2019 Oda000017 Mpls VPN(l3)

    24/33

    MPLS/VPN Packet Forwarding-2

    In Label FEC Out Label

    41 197.26.15.1/32 POP

    Beijing

    149.27.2.27

    PE-1

    Shanghai149.27.2.0/24

    149.27.2.272841

    VPN-A VRF149.27.2.0/24,

    NH=197.26.15.1Label=(28)

    149.27.2.2728

    In Label FEC Out Label

    28(V) 149.27.2.0/24 -

    VPN-A VRF149.27.2.0/24,

    NH=beijign

    149.27.2.27

    The second last hop router pops up the external layer label and

    sends it to the egress PE according to the next hop.

    The egress PE router judges the CE that the packet will go to

    based on the internal layer label.

    Pop up the internal layer label and forward the packet to the

    destination CE as an ordinary IP packet.

  • 8/3/2019 Oda000017 Mpls VPN(l3)

    25/33

    Cross-AS MPLS/VPN (1)

    Site1

    Site2Site4

    Site3

    VPN-A

    VPN-B

    VPN-A

    VPN-B

    PE

    PE PE

    PE

    ASBR

    MPLS LDP

    ASBR

    MP EBGP

  • 8/3/2019 Oda000017 Mpls VPN(l3)

    26/33

    Cross-AS MPLS/VPN (2)

    Site1

    Site2

    Site4

    Site3

    VPN-A

    VPN-B

    VPN-A

    VPN-B

    PE

    PE PE

    PE

    PE/CE PE/CE

    VRF to VRF

    172.1.1.0/24

    18 172.1.1.110

    172.1.1.1

    172.1.1.1

    CE

    2030 172.1.1.1

    172.1.1.1

    AS100 AS200

  • 8/3/2019 Oda000017 Mpls VPN(l3)

    27/33

    Cross-AS MPLS/VPN (3)

    Site1Site2

    VPN-AVPN-A

    PE

    PE

    200 172.1.1.110

    172.1.1.1

    CE

    20020 172.1.1.1

    172.1.1.1

    MP-EBGPPE PE

    CE

    P P

    MPLS LDP MPLS LDP

    MP-IBGP

    200

    100

    172.1.1.130 100300

    MP-IBGP

    30040 172.1.1.1

    300 172.1.1.150

    172.1.1.0/24

    AS100 AS200

  • 8/3/2019 Oda000017 Mpls VPN(l3)

    28/33

    MPLS/VPN Internet Connection

    In MPLS VPN, some sites require access to the Internet.

    To access the Internet, the following conditions must be met:

    Route is available to access the Internet.

    Any place of the Internet site is reachable.

    Ensure security of the VPN network.

    Access mode:

    Configure the static route

    Configure the interface not connected

    MPLS VPN Internet Access (Configure

  • 8/3/2019 Oda000017 Mpls VPN(l3)

    29/33

    MPLS VPN Internet Access (Configurethe Static Default Route-PE)

    PE

    PE

    Internet

    Site-1

    PE-IG

    Site-2

    Network 171.68.0.0/16

    Serial0

    192.168.1.1

    192.168.1.2

    ip route-static 171.68.0.0 255.255.0.0 Serial0

    ip route-staticvpn-instanceVPN-A 0.0.0.0 0.0.0.0

    192.168.1.1 public

    BGP-4

    MP-BGP

    MPLS/VPN Internet Connection

  • 8/3/2019 Oda000017 Mpls VPN(l3)

    30/33

    PE

    PE

    Internet

    Site-1

    PE-IG

    Site-2

    Network 171.68.0.0/16

    Serial0

    192.168.1.1

    192.168.1.2

    Site-2 VRF

    0.0.0.0/0 192.168.1.1(public)

    Site-1 routesSite-2 routes

    Global Table and LFIB

    192.168.1.1/32 Label=3192.168.1.2/32 Label=5

    ...

    IP packet

    D=huawei.com

    Label = 3

    IP packetD=huawei.com

    IP packet

    D=huawei.com

    MPLS/VPN Internet Connection(Configure the Static Default Route CE)

    S A (C fi

  • 8/3/2019 Oda000017 Mpls VPN(l3)

    31/33

    MPLS VPN Internet Access (Configure the

    Sub-interface)

    PE

    PE

    Internet

    Site-1

    PE-IG

    Site-2

    Network 171.68.0.0/16

    Serial0.1

    192.168.1.1

    192.168.1.2

    Serial0.2

    Serial0.1Serial0.2

    CE routing table

    Site-2 routes ----> Serial0.1

    Internet routes ---> Serial0.2

    IP packetD=huawei.com

    PE Global Table

    Internet routes --->192.168.1.1

    192.168.1.1, Label=3

    Label = 3

    IP packetD=huawei.com

    IP packet

    D=huawei.com

  • 8/3/2019 Oda000017 Mpls VPN(l3)

    32/33

    Summary

    Understand VPN classification

    Master MPLS L3 VPN forwarding process

    Master MPLS L3 VPN configurations

    Know implementation of the cross-AS MPLS L3 VPN

    Master the Internet access of MPLS L3 VPN

  • 8/3/2019 Oda000017 Mpls VPN(l3)

    33/33