Odc010003 Mpls l3 VPN Principle Issue1_4

8/13/2019 Odc010003 Mpls l3 VPN Principle Issue1_4

1/43

HUAWEI TECHNOLOGIES CO., LTD. All rights reserved

www.huawei.com

Internal

ODC010003 MPLS L3

VPN Principle

ISSUE 1.4

PDF created with FinePrint pdfFactory Pro trial version www.pdffactory.com
http://www.huawei.com/http://www.pdffactory.com/http://www.pdffactory.com/http://www.huawei.com/


2/43

HUAWEI TECHNOLOGIES CO., LTD. Page 2All rights reserved

This slides will introduce MPLS L3 VPN

system structure, label distribution, data

forwarding and typical application.

http://www.pdffactory.com/http://www.pdffactory.com/


3/43


Upon completion this course, you will be able to:

[ Describe VPN Classification

[ Describe MPLS L3 VPN Concept

[ Describe Label Distribution and Data

Forwarding

[ Describe MPLS L3 VPN Typical

Application



4/43


Chapter 1 VPN ClassificationChapter 1 VPN Classification

Chapter 2 MPLS L3 VPN PrincipleChapter 2 MPLS L3 VPN Principle



5/43


VPN Classification

VPN: Virtual Private NetworkVPN: Virtual Private Network

CPE-Based VPN Network-Based VPN

VLL VPRN VPDN VPLS

MPLS/BGP VPN

IP-VPN

VPN

VR-VPN



6/43


VPN Tunnel

l Tunnel: It is a technology that uses a type of protocol to transmit another type

of protocol. Mainly the tunnel protocol serves to implement this function. The

tunnel technology involves three types of protocols: tunneling protocol, bearer

protocol under the tunnel protocol, and the protocol borne on the tunnel

protocol.



7/43


VPN Type (1)

l Virtual Leased Line (VLL): It provides point-to-point connection service

between two pieces of CPE equipment for the user via the edge node of the

operator.

l Virtual Private Dial Network (VPDN): The remote user dials to the public IP

network via PSTN/ISDN, and the data packet passes through the public

network via a tunnel for the destination network.



8/43


VPN Type (2)

l Virtual Private LAN Segments (VPLS): VPLS is a virtual!

method to establish LAN via the public IP resources. The

networking is based on the MAC layer forwarding, and it is

completely transparent to the network layer protocol. It is a L2

VPN.

l Virtual Private Routed Network (VPRN): VPRN is defined as a

kind of emulation for multi-site wide area route network

services via the public IP network, and the data packet of VPN

is forwarded at the network layer.



9/43


Example: Constructing VPN via GRE Tunnel

l To construct such a network, just make configuration on the access router

of each network.

l It is unnecessary for the operator network to know the internal route of VPN.l Different VPNs can employ the same address space.

l The forwarding efficiency is low.

10.0.1.1/2410.0.0.0/24

10.0.0.0/24

129.0.0.2/30

129.0.0.1/30

129.0.1.1/30

129.0.1.2/30

Public IPnetwork

129.0.2.2/30

129.0.2.1/30

129.0.3.1/30

129.0.3.2/30

GRE tunnel

GRE tunnel

10.0.1.1/24

10.0.1.2/24

10.0.1.2/24

Rt1 Rt2

HQ1

HQ2



10/43


Exercise-1

1. Which VPN technologies belong to layer 3 VPN ( )

A GRE

B L2TP

C BGP/MPLS

D VPLS



11/43


Chapter 1 VPN ClassificationChapter 1 VPN Classification

Chapter 2 MPLS L3 VPN PrincipleChapter 2 MPLS L3 VPN Principle



12/43


MPLS VPN Network Structure

VPN_A

VPN_A

VPN_B

10.3.0.0

10.1.0.0

11.5.0.0

CE

CE

CE

VPN_A

VPN_B

VPN_B

10.1.0.0

10.2.0.0

11.6.0.0

CE

PE

PECE

CE

VPN_A

10.2.0.0

CE

VPN_A

VPN_B

VPN_B

10.1.0.0

10.2.0.0

11.6.0.0

CE

PE

PECE

CE

VPN_A

10.2.0.0

CE

VPN_A

10.2.0.0

CE

iBGP sessions

P

P

P

P

PE

PE

l CE (Custom Edge Router): The user equipment directly connected with the service

provider.

l PE (Provider Edge Router): The edge router on the backbone network, connected with CE

and mainly responsible for access of the VPN service.

l P (Provider Router): The core router on the backbone network, mainly responsible for the

routing and fast forwarding functions.



13/43


Question

l One PE connect with several CEs which belong to different VPNs,

as VPNs may have overlapping address space, how to identify

each VPN"s information?



14/43


Relationship Between PE and CE

l PE and CE routers exchange information via the EBGP, RIP or static route. CE runs the

standard routing protocol.

l PE maintains separate routing tables of the public network and private network.

[ Routing table of public network, including the routes of all PE and P routers, generated by

the backbone network IGP of VPN.[ VRF (VPN routing & forwarding), including tables of routing & forwarding to one or multiple

directly connected CEs.

PE

C

PE

CE

CE

Site - 2Site - 2

Site - 1Site - 1

EBGP, RIP, Static

VPNA

VPNB

VRF for VPNA

VRF for VPNBGlobal route



15/43


VRF Detaill VRF can be regarded as a virtual router

l PE maintains a separate forwarding table for each site.

l Each site has a unique VRF.

l If (and only if) two sites have identical forwarding table, they share a VRF.

l The interface/sub-interface connected with CE is mapped to VRF.

l The routes in VRF will be distributed to the sites (usually connected on other PEs)

belonging to the same VPN.



16/43


Distribution of VRF Routes

l The PE router distributes the local VPN route information via the backbone

network. the transmitting via BGP

PE PECE Router CE Router

P Router

Site SiteiBGP

Question: PE and PE set up IBGP session and exchange routing information, while

some VPN may have the same private IP address space, when BGP transfer therouting information on the public network, there get address overlapping problem,

how to solve it?



17/43


VPNv4 and IPv4 Address Families

Route Distinguisher (8 bytes) IPv4 address

VPNV4 address structure:

4-byte assigned number

2-byte assigned number4-byte IP address1

2-byte ASN0

Assigned Number

Field

Administrator FieldTYPE (2-

byte)

RD structure:



18/43


Question

l PE and PE set up IBGP session and exchange routing

information by BGP, by adding RD prefix , now the VPN "s

address is VPNv4 address family, BGP-4 only supports

IPv4 ,BGP can"t recognise such routing information, how to

solve it?



19/43


MBGP

l MBGP (Multiprotocol Extensions for BGP-4 )

[ BGP-4 only supports IPv4, and is extended to MBGP to

transfer the route information of more protocols (IPv6,

IPX,etc.).

[ To maintain compatibility, only two BGP attributes areadded for MBGP: MP_REACH_NLRI and

MP_UNREACH_NLRI. The two attributes can be used in

the BGP Update message to notify or cancel the network

reachability information.



20/43


MBGP: MP_REACH_NLRI



21/43


MBGP: MP_UNREACH_NLRI

l Used for withdrawing one or multiple unfeasible routes

l An UPDATE packet that contains the MP_UNREACH_NLRI

does not carry any other path attributes



22/43


Question

l When PE received the routing information from other PEs

carried by MBGP, PE how to separate the routing information

which belongs to different VPN?

Remember RD? Can we use it?



23/43


Route Target

l Route Target attribute (RT) is one of the MBGP extension community

attributes

l There are two types of RT, the values of the type field are 0x0002 or

0x0102.

Assigned Number (4 bytes)

Assigned Number(2 bytes)IP address(4 bytes)0x0102

AS number(2bytes)0x0002

Assigned Number FieldAdministrator FieldTYPE(2 bytes

RT structure:



24/43


Route Target

l RT is used to separate VPN routing information advertisement

l There are two sets of Route Target attributes: Export Targets

and Import Targets

[ Export Targets is added to the route received from a

direct-connected Site in advertising local routes to remotePE routers.

[ Import Targets is used to decide which routes can be

imported into the routing table of this Site in receiving

routes from remote PE routers.



25/43


Typical Network Topology-1

Each site only belongs to one VPN: IntranetEach site only belongs to one VPN: Intranet

site1 site3

site2

site10

site20 site3

0



26/43


Typical Network Topology-2

site1

site4

site5

site2 site3

Intranet

Extranet

Site may belongs to multipleSite may belongs to multiple VPNsVPNs: Extranet: Extranet



27/43


Application of RT

l RT Export Target and import Target can be configured with several attributes

b

aim:a

ex:b

im:b

ex:a

im:a

ex:a

aim:a

ex:ac

b

im:a,c

ex:a,b

im:b

ex:c

aTrandition Mode

Hub-spoke mode

Extranet



28/43


Function of RT

P RouterP Router

MPLS/VPN BackboneMPLS/VPN BackboneVPN AVPN A

VPN B

SITESITE--22

VPN B

MP-iBGPSITESITE--11 SITESITE--33

SITESITE--44

Site-1routes RT=VPN A

Site-2routes RT=VPN B

Site-3routes RT=VPN A

Site-4routes RT=VPN B

VPNBSite2-routes

Site4-routes

VPNASite1-routes

Site3-routes

VPNBSite2-routes

Site4-routes

VPNASite1-routes

Site3-routes



29/43


Question

l After the completion of exchanging routing information between PEs,

now site3 want to access site1, the right PE look for the VRF table

and find out the nexthop!left PE, forward the packet to the left PE

using MPLS. When the packet arrived the left PE, the public MPLS

label is removed, which VPN the packet belongs to? And how to get

the correct nexthop?

P RouterP Router

VPN AVPN A

VPN B

SITESITE--22

VPN B

SITESITE--11 SITESITE--33

SITESITE--44

VPNBSite2-routesSite4-routes

VPNASite1-routesSite3-routes

VPNBSite2-routesSite4-routes

VPNASite1-routesSite3-routes



30/43


Network Layer Reachability Information:

l Multiple labels can be attached. The first 20 bits of each label refer to the label domain,

while of the last 4 bits, the first three refer to the EXP domain and the last one

indicates whether it is the stack base.

l Note that this label must be assigned by the LSR referred to in the Next-Hop of the

MP_REACH_NLRI attribute.

l There are two methods to cancel the route information (meanwhile to release label

binding).

[ Re-distribute a different route (and a new Label) for the same destination.

[ Use the Withdraw message to include the destination in MP_UNREACH_NLRI.



31/43


l NLRI" Network Layer Reachability Information, include address family,private label and RT )

l Followed is RT list#

RD:64bitIP prefixprefix24 bits"like MPLS label but without TTL portionlable

NLRI:

PEs ipv4 address"usually is loopback addressnext-hop:VPN-IPV4 address familyaddress#family

MP_REACH_NLRI

##

Extended_Communities"RT2

Extended_Communities"RT1

Network Layer Reachability Information:



32/43


VRF Route Distribute Step 1:Importing VRF Routes to

MP-iBGP

l Importing VRF route to MP-iBGP: PE router converts the route (in the VRF

routing table) received from CE into the VPN-V4 route; labels it with RD and

RT based on the configuration; changes the next hop as PE itself (loopback);assigns the label based on the interface; finally sends the MP-iBGP update

packet to all PE neighbors.

PE

CE-1

MP-iBGP

PE

BGP, RIPv2 updatefor 149.27.2.0/24,NH=CE-1

VPN-v4 update:RD:1:27:149.27.2.0/24,Next-hop=PE-1RT=VPN-ALabel=(28)

CE-2

Beijing Shanghai



33/43


VRF Route Distribute Step 2: Importing MP-iBGP

Routes to VRF

l Each VRF has configurations of import route-target and export route-target.

l When the transmitting PE sends MP-iBGP updates, the export attribute is attached in

the packet.

l When receiving MP-iBGP updates of VPN-IPv4, the receiving PE will judge whetherthe received export is equal to the import of the local VRF. If yes, it will be added to

the corresponding VRF routing table; otherwise, it will be discarded.

PE

CE-1

MP-iBGP

PEVPN-v4 update:RD:1:27:149.27.2.0/24,Next-hop=PE-1RT=VPN-ALabel=(28)

CE-2

PE receives the update packet, converts

VPN-v4 into the IPv4 address, and

distributes it to VFR VPN-A (RT=VPN-A)

routing table, then transmit it to CE withroute protocol between PE and CE.

Beijing Shanghai

ip vrfVPN-B

vpn -target import VPN-A



34/43


Basic Intranet Model

P RouterP Router

MPLS/VPN BackboneMPLS/VPN BackboneVPN AVPN A

VPN A

SITESITE--22

VPN A

SiteSite--1 routes1 routes




MP-iBGP

SiteSite--3 & Site3 & Site--4 routes4 routes

RT=VPNRT=VPN--AASiteSite--1 & Site1 & Site--2 routes2 routes

RT=VPNRT=VPN--AA





SITESITE--11 SITESITE--33

SITESITE--44



35/43


MPLS/VPN Label Distribution

P routerP router

In Label FEC Out Label

- 197.26.15.1/32 -


41 197.26.15.1/32 POP


197.26.15.1/32 41

Use labelimplicit-null for

destination 197.26.15.1/32

Use label41for destination

197.26.15.1/32

VPN-v4 update:

RD:1:27 :149.27.2.0/24,

NH= 197.26.15.1

RT=VPN-A -

Label=(28)

PE-1

ShanghaiBeijing

149.27.2.0/24

-



36/43


MPLS/VPN Packet Forwarding-1


- 197.26.15.1/32 41

149.27.2.27

PE-1

149.27.2.272841

VPN-A VRF

149.27.2.0/24,

NH=197.26.15.1

Label=(28)

ShanghaiBeijing

149.27.2.0/24



37/43


MPLS/VPN Packet Forwarding-2


41 197.26.15.1/32 POP

Beijing

149.27.2.27

PE-1

Shanghai149.27.2.0/24

149.27.2.272841

VPN-A VRF

149.27.2.0/24,

NH=197.26.15.1

Label=(28)

149.27.2.2728


28(V) 149.27.2.0/24 -

VPN-A VRF

149.27.2.0/24,

NH=beijing

149.27.2.27



38/43


MPLS

PEA

PB

PEC

MP-BGPIBGP Peer

CE A1 CE B1

CE A2 CE B2VPN-v4 update:RD:1:27:149.27.2.0/24,Next-hop=PE-CRT=VPN-A, Label=(28)

VPN-v4 update:

RD:1:27:149.27.2.0/24,

Next-hop=PE-C

RT=VPN-A, Label=(28)

BGP, OSPF, RIPv2 update

for 149.27.2.0/24,NH=PE-A


for 149.27.2.0/24,NH=CE-A2

149.27.2.0/24IN 28 NH: CE A2

149.27.2.0/24 Out 28 NH: PE-C

Demo- Private Label Distribution



39/43


MPLS

PEAPB

PEC

20

1.1.1.1/32

1.1.1.1/32

1.1.1.1/32

IGP

IGPIn 20 out 3

3out 20149.27.2.0/24 Out 28 NH: PE-C

149.27.2.0/24IN 28 NH: CE A2

Demo- Public Label Distribution

l The loopback IP address of PE-C is 1.1.1.1/32



40/43


MPLS

PEA

PB

PECCE A1 CE B1

CE A2 CE B2

Ping 149.27.2.1

20 28

31.1.1.1/32 out 20

1.1.1.1/32In 20 out 3

1.1.1.1/32

149.27.2.0/24IN 28 NH: CE A2

149.27.2.0/24 Out 28 NH: PEC


for 149.27.2.0/24,NH=PE-A

Demo- Packet Forwarding



41/43


Exercise-2

1. Describe the structure of RD and RT

2. Describe the procedure of VRF route distribution

3. Describe the procedure of VPN packet forwarding



42/43


l VPN Classification

l MPLS L3 VPN Label Distribution

l MPLS L3 VPN Forwarding Process

Summary



43/43

www.huawei.com

Thank You

http://www.huawei.com/http://www.pdffactory.com/http://www.pdffactory.com/http://www.huawei.com/

Documents

Odc010003 Mpls l3 VPN Principle Issue1_4