Computer Networks

Lecture20:

MPLS,andVPN Destination

Source1

Source2

Routercanforwardtrafficforthesame

destinationondifferentinterfaces/paths

Multi-ProtocolLabelSwitching(MPLS)Initialgoal:speedupintra-domainIPforwardingby

usingcircuitidentifiers(fixed-lengthlabels)instead

ofIPaddresses

•  borrowideasfromVCapproach

(butIPdatagramstillkeepsIPaddress!)

LabelSwitching:CircuitAbstraction

Label-switchedpaths(LSPs):

• pre-computeapathforeach“flow”•  a“flow”canrangefromasingleconnectionto

apairofAPsoraggregatedAPs,etc.

• pathsare“named”bythelabelatthepath’sentrypoint

• eachMPLSrouterusesadifferentlabeltoidentifyaflow

• “downstream”MPLSroutertellsupstreamneighboritslabel

foreachflow

LabelSwapping

Ateachhop,MPLSroutersforwardpacketsto

outgoinginterfacebasedonlyonlabelvalue

(doesn’tevenlookatIPaddress)

•  uselabeltodetermineoutgoinginterface

•  replaceincominglabelwithneighbor’slabelfortheflow

• MPLSforwardingtabledistinctfromIPforwardingtables

A1 2

3

A 2 D

TagOutNew

D

LabelDistribution

Signalingprotocolneededtosetupforwarding

•  responsiblefordisseminatingsignalinginformation•  LabelDistributionProtocol(LDP)•  RSVPforTrafficEngineering(RSVP-TE)

•  allowsforforwardingalongpathsnototherwise

obtainedfromIProuting(e.g.,source-specificrouting)

• mustco-existwithIP-onlyrouters

Destination

Source1

Source2

MPLSEncapsulationPutanMPLSheaderinfrontofIPpacket

•  MPLSheaderincludesalabel

PPPorEthernetheader IPheader remainderoflink-layerframeMPLSheader

label ToS S TTL

20bits 3 1 5

IPpacket

MPLSheader

ToS&TTLcopiedfromIP

S:1ifbottomoflabelstack

Network(layer3):IPlayer2.5?:MPLS

DataLink(layer2):Ethernet,FrameRelay,

ATM,PPP,etc.

Physical(layer1)

BGP-FreeBackboneCore

A

B

R2

R1

R3

R4

C

D

12.11.1.0/24

eBGP

iBGP

labelbasedonthe

destinationprefix

RoutersR2andR3don’tneedtospeakBGP

VPNsWithPrivateAddressesWhyVPN?

Customerhasseveralgeographicallydistributedsites• wantsprivatecommunicationsoverthepublicnetwork

• wantsauniqueIPnetworkconnectingthesites•  singleIPaddressingplan•  virtualleasedlineconnectingthesites•  guaranteedqualityofservice

Providershaveoverprovisionedbackbones• wanttosellpseudo-wires(leasedlines)thatallowfor

increasedbackboneutilization

• wanttechnologythathas•  lowconfigurationandmaintenancecosts

•  isscalabletothenumberofcustomers,i.e.,

corestatesdependontopology,notnumberofcustomers

Recall:Customer-basedVPN

Encryptpacketsatnetworkentryanddecryptatexit

Eavesdroppercannotsnoopthedata

ordeterminetherealsourceanddestination

NetworkVPNs

Customerbased:•  customerbuysownequipment,

configuresIPSectunnelsacrossthe

globalInternet,manages

addressingandrouting

•  ISPplaysnorole•  customerhasmorecontrolover

securityandISPchoices,but

requiresskills

Site Site

Site Site

CE CE

CE CE

Internet

Providerbased:•  providermanagesallthe

complexityoftheVPN,

usuallywithMPLS

•  customersimplyconnectstothe

providerequipment

Site Site

Site Site

ISP PE PE

PE PE

CE

CE CE

CE

TypesofMPLSRouters

Customeredge(CE)routers:

• donotspeakMPLS,donotrecognizelabelsatall

•  speakeBGPwithMPLSroutersonprovidernetwork

toadvertiseAPs

•  orstaticallyconfiguredwithallocatedAPs

advertises

12.11.1.0/24 usingeBGP

reachabilityof

12.11.1.0/24 advertisedusingeBGP

CE CEA B C D

MPLSRouters

Providerrouters:

• provideredge(PE):routersAandE•  push(atingress)orpop(ategress)labelontostack

•  forwardIPpacketsto/fromcustomerrouters

•  core(P):routersB,C,andD•  swap(pop+push)labelontopofstack

•  doesn’tinteractwithcustomerrouters

advertises

12.11.1.0/24 usingeBGP

reachabilityof

12.11.1.0/24 advertisedusingeBGP

CE CEA B C D

inner

label

Provider-basedVPNLayer3BGP/MPLSVPNs(RFC2547)• providesisola,on:mul,plelogicalnetworksoverasingle,sharedphysicalinfrastructure

• usesBGPtoexchangeroutes

•  eBGPtoannounceAPs

toPErouters

• MPLStoforward

traffic

•  tunneling:Pcoreroutersdon’thave

todorouting,just

labelswitching

PEedge

router

PEedge

router

Pcore

router

CEcustomer

router

CEcustomer

router

High-LevelOverviewofOperation

IPpacketsarriveatprovider

edge(PE)router

DestinationIPlookedupin

“virtual”forwardingtable•  therearemultiplesuchtables,

onepercustomer

Datagramsenttocustomer’snetworkusing

tunneling(i.e.,anMPLSlabel-switchedpath)

ToUseLevel3BGP/MPLSVPN

Twostepsneeded:

1. setuptheVPN

2. forwardpacketsontheVPN

IdentifyingaBGP/MPLSVPN

ThreethingsareneededtoidentifyaBGP/MPLSVPN

1.  innerlabel:awayfortheprovideredge(PE)routersateach

endofaVPNtoassociateaVPNwithitsowner’scustomer

edge(CE)router

2. VPN-APs:awayforthecustomer’saddressprefixes(APs)to

beadvertisedbyBGP

•  theissueis:sincecustomerscanuseprivateaddressranges(10/8,172.16/12,and192.168/16),howtodifferentiatethesameprivate

addressrangethathasbeenchosenandusedbydifferentcustomers?

3. outerlabel:theMPLSlabelsusedbyprovider’score(P)

routerstoidentifyaVC

Setup:InnerLabelProvider-edge(PE)routers:

• setupaVirtualRoutingandForwarding(VRF)

tableforeachcustomerAP

• theVRFIDservesastheinnerlabelfortheVPN

VRFID:C1

VRFID:C2

10.0.1.0/24 VPNID(RD):Tan

10.0.1.0/24 VPNID(RD):Salmon

10.0.1.0/24

10.0.1.0/24

Customer1

Customer2

Setup:VPN-APsProvider-edge(PE)routers:

• useMulti-ProtocolBGP’sRouteDistinguisher(RD)asthe

VPNIDtodifferentiatethesameAPsofdifferentcustomers

• useMP-BGPtoannounceVPN-APsreachability,alongwith

theirinnerlabels

• runsiBGPtootheredgerouterstodistributeVPN-APreachabilities

VRFID:C1

VRFID:C2

10.0.1.0/24 VPNID(RD):Tan

10.0.1.0/24 VPNID(RD):Salmon

10.0.1.0/24

10.0.1.0/24

Customer1

Customer2

Setup:OuterLabelBothprovider-edge(PE)andcore(P)routers:

• runMPLS

• useLDP(LabelDistributionProtocol)tosetupouterlabelsforforwarding

•  thePErouteradvertisingacustomerAP(i.e.,the“destination”oregress

router)initiatesLDPtodistributelabels

22

inner

label

TouseLevel3BGP/MPLSVPN

Twostepsareneededtousealevel3BGP/MPLSVPN:

1. SetuptheVPN

2. ForwardpacketsontheVPN

ForwardinginBGP/MPLSVPNs

Step1:packetarrivesfromCErouteratPErouter’s

incominginterface•  lookupcustomer’sVRFtodetermineegressPEandinner

label(LabelI)

Step2:egressPElookup,addcorrespondingouterlabel(LabelO,alsoatcustomer’sVRF)

IPDatagramLabel

I

IPDatagramLabel

ILabel

O

Forwarding

IngressPErouterencapsulatesIPpacketinMPLSwithouterandinnerlabels

Two-labelstackisusedforpacketforwarding• toplabelindicatesnext-hopProuter(outerlabel)• secondlabelindicatesoutgoingCEinterface/VRF(innerlabel)

IPDatagramLabel

ILabel

OLayer2Header

Correspondstolabelof

next-hop(P)

CorrespondstoVRF/

interfaceatexit

ForwardingonBGP/MPLSVPNsSourceCEroutersendsIPpackettoingressPErouter

thatadvertisesdestinationAP

IngressPErouterlooksupegressPErouter’svirtual

interfaceaddressandtheinnerlabelfordestinationAP,

thenencapsulatesIPpacketinMPLSwithouterand

innerlabels

CoreProutersalongthepathswapouterlabels

PenultimatecoreProuterpopouterlabelonly

EgressPErouterusesinnerlabeltolookupVRFand

forwardpackettocustomerCErouter

PacketForwarding

AdvantagesofMPLSVPNCustomer’saddingorchangingAPsdoesnotrequire

manualconfigurationatprovider

CoreProutersdonotneedtoknowcustomer’sCE

routersorAPs⇒forwardingtablesonlyneedtoscale

tonumberofedgePErouters,notnumberof

customers,APs,orVPNs

Theonlymanualconfigurationsrequiredareatthe

edgePErouters:• VRFIDandcustomer’sCErouter’sIPaddress

• MP-BGPRouteDistinguisherasVPNID

StatusofMPLSDeployedinpractice

• BGP-freebackbone/core

• VirtualPrivateNetworks

•  Trafficengineering

Challenges

•  protocolcomplexity

•  configurationcomplexity

•  difficultyofcollectingmeasurementdata