Date posted: 07-Apr-2018
8/3/2019 Oda000017 Mpls VPN(l3)
1/33
VPN Classification
Figure (classification tree) with the categories: VPN; CPE-based VPN and network-based VPN; VLL, VPRN, VPDN and VPLS; IP-VPN with MPLS/BGP VPN and VR-VPN.
VPN: Virtual Private Network
VPN Definitions (1)
IP-VPN: Emulation, over IP facilities (the public Internet, a private IP backbone network, etc.), of the dedicated-line services (such as remote dial-up and DDN) that dedicated LAN equipment used to rely on.
Network-based IP-VPN: The case where VPN maintenance is contracted out to the operator (the user may still perform certain service management and control) and the functional features are implemented centrally on network-side equipment.
Tunnel: A technology that uses one protocol to transmit another protocol; this function is implemented mainly by the tunnel protocol. Tunneling involves three protocols: the tunneling protocol, the bearer protocol underneath it, and the protocol carried on top of it.
VPN Definitions (2)
Virtual Leased Line (VLL): Provides a point-to-point connection between two pieces of user CPE equipment via the operator's edge nodes.
Virtual Private Dial Network (VPDN): The remote user dials into the public IP network via PSTN/ISDN, and the data packets cross the public network through a tunnel to the destination network.
Virtual Private LAN Segments (VPLS): A method of building a virtual LAN over public IP resources. Forwarding is based on the MAC layer and is completely transparent to the network-layer protocol; VPLS is an L2 VPN.
Virtual Private Routed Network (VPRN): An emulation of multi-site wide-area routed network services over the public IP network; VPN data packets are forwarded at the network layer.
Constructing VPN via GRE
Figure: two sites, HQ1 and HQ2 (using 10.0.0.0/24 and 10.0.1.0/24), attached through access routers Rt1 and Rt2 to a public IP network (point-to-point links 129.0.0.0/30 through 129.0.3.0/30) and joined by GRE tunnels.
To construct such a network, only the access router of each site needs to be configured.
The operator network does not need to know the internal routes of the VPN.
Different VPNs can use the same address space.
Forwarding efficiency is low.
MPLS VPN Network Structure
Figure: CE routers of VPN_A (sites 10.1.0.0, 10.2.0.0, 10.3.0.0) and VPN_B (sites 11.5.0.0, 11.6.0.0) attach to PE routers at the edge of the backbone; P routers form the core, and the PEs are connected by iBGP sessions.
CE (Customer Edge): The user equipment directly connected with the service provider.
PE (Provider Edge router): The edge router on the backbone network, connected with CEs and mainly responsible for access of the VPN service.
P (Provider router): The core router on the backbone network, mainly responsible for routing and fast forwarding.
Network Topology-1
Figure: sites site1, site2, site3 and site10, site20, site30, each attached to a single VPN.
Each site belongs to only one VPN: Intranet.
Network Topology-2
Figure: sites site1 to site5; some sites are attached to more than one VPN (Intranet and Extranet).
Each site may belong to multiple VPNs.
Characteristics of MPLS VPN
In this network structure, service providers offer VPN services to users, who do not perceive the public network at all; it is as if they had their own separate network resources.
The P router is only responsible for data transmission inside the backbone network and does not need to know that the VPN exists. It must, however, support and run the MPLS protocol.
All VPN construction, connection and management work is implemented on the PE.
Network configuration is simple.
Existing routing protocols can be used directly without any change.
The MPLS VPN network offers good scalability.
VPN with QoS and TE can be implemented.
Relationship Between PE and CE
Figure: two sites (Site-1, Site-2), each CE attached to a PE; PE-CE routing via EBGP, RIP or static routes. On the PE, VPNA and VPNB each have their own VRF beside the global routing table.
PE and CE routers exchange routing information via EBGP, RIP or static routes. The CE runs a standard routing protocol.
The PE maintains separate routing tables for the public network and for the private networks:
Public-network routing table: contains the routes of all PE and P routers, generated by the backbone IGP.
VRF (VPN routing and forwarding): routing and forwarding tables for one or more directly connected CEs. A VRF can be bound to any type of interface; if the directly connected sites belong to the same VPN, their interfaces can share the same VRF.
VRF
A VRF can be regarded as a virtual router structured as follows:
It is associated with a set of interfaces and has a forwarding table based on those interfaces.
A set of rules controls the import of routes into the VPN and the export of routes from the VPN.
Routes can be redistributed into the routing table via routing protocols (static routes, a RIP instance, BGP). The VRF is configured on the PE and exchanges routes with the CE; these routes exist independently in the VRF routing table (the private-network routing table).
The PE maintains a separate forwarding table for each site.
Each site has a unique VRF. If (and only if) two sites have identical forwarding tables, they share a VRF.
The interface or sub-interface connected with the CE is mapped to the VRF.
The routes in a VRF are distributed to the sites (usually connected to other PEs) that belong to the same VPN.
Distribution of VRF Routes
Figure: CE router - PE router - P router - PE router - CE router, one site at each end; the PEs exchange VPN routes over MP-iBGP.
The PE router distributes local VPN routing information across the MPLS/VPN backbone network:
The transmitting PE exports the local VRF routes via MP-iBGP (with the export-target attribute).
The receiving PE imports each route into the VRF it belongs to (the VRF with the matching import-target attribute).
MBGP
MBGP (Multiprotocol Extensions for BGP-4)
BGP-4 only supports IPv4; it is extended to MBGP to carry routing information for more protocols (IPv6, IPX, etc.).
To maintain compatibility, only two BGP attributes are added for MBGP: MP_REACH_NLRI and MP_UNREACH_NLRI. The two attributes are carried in the BGP Update message to advertise or withdraw network reachability information.
MBGP: MP_REACH_NLRI and MP_UNREACH_NLRI
The label mapping information is carried in the MP_REACH_NLRI attribute.
The Address Family Identifier (AFI) and Subsequent Address Family Identifier (SAFI) together indicate the address family of the reachability information advertised by this attribute. AFI 1 with SAFI 128 indicates that the information that follows is VPN-IPv4 reachability information together with the bound MPLS label.
Length of Next Hop Network Address and Network Address of Next Hop give the next hop of the routing information; the next hop is determined by the usual BGP next-hop rule.
VPNv4 and IPv4 Address Families
To enable different VPNs to use the same address space, a new address family, VPNv4, is introduced. The original standard address family is called IPv4.
The VPNv4 address family mainly serves to transfer VPN routes between PE routers.
The RD is unique among different VPNs. If two VPNs use the same IP address, the PE router prepends different RDs to them, converting each address into a unique VPN-v4 address, so the address spaces do not conflict.
The standard routes the PE receives from a CE are IPv4 routes. To import them into VRF routing tables and distribute them to other routers, an RD is needed. It is suggested that the RDs of the same VPN be configured identically.
VPNv4 address structure: Route Distinguisher (8 bytes) + IPv4 address
MPLS/VPN RD
RD formats:
16-bit Autonomous System Number (ASN) : 32-bit user-defined number, e.g. 100:1
32-bit IP address : 16-bit user-defined number, e.g. 172.1.1.1:1
Usually each site is assigned a unique RD, which serves as the identifier of the VRF.
Difference between the public-network and private-network routing tables:
The public-network routing table is generated from IGP routes; it may include BGP-4 (IPv4) routes, but not VPN routes.
The VRF routing table holds the specific VPN routes. It may include routes redistributed from MP-iBGP into the VRF, or routes learned from the CE by the VRF routing instance.
RD structure:
Type (2 bytes)   Administrator field   Assigned number field
0                2-byte ASN            4-byte assigned number
1                4-byte IP address     2-byte assigned number
Mapping Message of the Attached Label
Figure: Network Layer Reachability Information format.
Multiple labels can be attached. The first 20 bits of each label entry are the label field; of the last 4 bits, the first three are the EXP field and the last one indicates whether this entry is the bottom of the stack.
Note that this label must be assigned by the LSR referred to in the Next Hop of the MP_REACH_NLRI attribute.
There are two methods to withdraw the routing information (and release the label binding at the same time):
Redistribute a different route (with a new label) for the same destination.
Use the Withdraw message, including the destination in MP_UNREACH_NLRI.
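Added example (not from the course material): Python that encodes and decodes the labeled VPN-IPv4 NLRI described on the VPNv4, RD and label slides above, and wraps it in an MP_REACH_NLRI value with AFI 1 / SAFI 128. The sample values (RD 1:27, prefix 149.27.2.0/24, label 28, next hop 197.26.15.1) come from the slides; the all-zero 8-byte RD prepended to the next-hop address is the VPNv4 next-hop encoding of RFC 4364.

```python
import ipaddress
import struct

def encode_rd(rd: str) -> bytes:
    """8-byte Route Distinguisher.  Type 0 'ASN:num': 2-byte type, 2-byte ASN,
    4-byte number.  Type 1 'A.B.C.D:num': 2-byte type, 4-byte IP, 2-byte number."""
    admin, num = rd.rsplit(":", 1)
    if "." in admin:
        return struct.pack("!H4sH", 1, ipaddress.IPv4Address(admin).packed, int(num))
    return struct.pack("!HHI", 0, int(admin), int(num))

def decode_rd(raw: bytes) -> str:
    rd_type = struct.unpack("!H", raw[:2])[0]
    if rd_type == 0:
        asn, num = struct.unpack("!HI", raw[2:8])
        return f"{asn}:{num}"
    ip, num = struct.unpack("!4sH", raw[2:8])
    return f"{ipaddress.IPv4Address(ip)}:{num}"

def encode_label(label: int, exp: int = 0, bos: bool = True) -> bytes:
    """3-byte label stack entry: 20-bit label, 3-bit EXP, 1-bit bottom-of-stack."""
    return ((label << 4) | (exp << 1) | int(bos)).to_bytes(3, "big")

def encode_vpnv4_nlri(label: int, rd: str, prefix: str) -> bytes:
    """Labeled VPN-IPv4 NLRI: a length byte counting the bits of label + RD + prefix,
    then those three fields (the prefix is trimmed to whole bytes)."""
    net = ipaddress.IPv4Network(prefix)
    nbytes = (net.prefixlen + 7) // 8
    body = encode_label(label) + encode_rd(rd) + net.network_address.packed[:nbytes]
    return bytes([24 + 64 + net.prefixlen]) + body

def decode_vpnv4_nlri(nlri: bytes) -> tuple:
    """Inverse of encode_vpnv4_nlri: returns (label, rd, prefix)."""
    plen = nlri[0] - 24 - 64
    label = int.from_bytes(nlri[1:4], "big") >> 4
    nbytes = (plen + 7) // 8
    addr = ipaddress.IPv4Address(nlri[12:12 + nbytes].ljust(4, b"\x00"))
    return label, decode_rd(nlri[4:12]), f"{addr}/{plen}"

def encode_mp_reach_nlri(next_hop: str, nlri: bytes) -> bytes:
    """MP_REACH_NLRI value for AFI 1 / SAFI 128: AFI, SAFI, next-hop length, the
    next hop as RD 0 + IPv4 (12 bytes), one reserved byte, then the NLRI."""
    nh = bytes(8) + ipaddress.IPv4Address(next_hop).packed
    return struct.pack("!HBB", 1, 128, len(nh)) + nh + b"\x00" + nlri

if __name__ == "__main__":
    # Values from the slides: RD 1:27, 149.27.2.0/24, label 28, next hop 197.26.15.1
    nlri = encode_vpnv4_nlri(28, "1:27", "149.27.2.0/24")
    print(nlri.hex(), decode_vpnv4_nlri(nlri), encode_mp_reach_nlri("197.26.15.1", nlri).hex())
```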
Importing VRF Routes to MP-iBGP
Figure: CE-1 (Beijing) - PE - MP-iBGP - PE - CE-2 (Shanghai). CE-1 sends a BGP or RIPv2 update for 149.27.2.0/24 with NH=CE-1; the PE sends a VPN-v4 update: RD 1:27, 149.27.2.0/24, Next-hop=PE-1, RT=VPN-A, Label=28.
Importing a VRF route into MP-iBGP: the PE router converts the route received from the CE (in the VRF routing table) into a VPN-v4 route; tags it with the RD and RT according to the configuration; sets the next hop to the PE itself (its loopback); assigns a label based on the interface; and finally sends the MP-iBGP update to all PE neighbors.
Importing MP-iBGP Routes to VRF
Each VRF is configured with an import route-target and an export route-target.
When the transmitting PE sends MP-iBGP updates, the export attribute is attached to the packet.
When receiving a VPN-IPv4 MP-iBGP update, the receiving PE checks whether the received export route-target equals the import route-target of a local VRF. If so, the route is added to that VRF routing table; otherwise it is discarded.
Figure: CE-1 (Beijing) - PE - MP-iBGP - PE - CE-2 (Shanghai). VPN-v4 update: RD 1:27, 149.27.2.0/24, Next-hop=PE-1, RT=VPN-A, Label=28. The receiving PE converts the VPN-v4 route into an IPv4 route, installs it in the VPN-A VRF routing table (RT=VPN-A), and advertises it to the CE.
Configuration fragment shown in the figure:
ip vrf VPN-B
vpn-target import VPN-A
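Added example (not from the course material): a small Python model of the export/import route-target matching described above, including the case from the figure where VPN-B is configured to import VPN-A routes. The VRF names, route-target strings and the three-VRF receiving PE are constructed for the example; the update values (RD 1:27, 149.27.2.0/24, RT=VPN-A, label 28, next hop 197.26.15.1) are the slides' own.

```python
from dataclasses import dataclass, field

@dataclass
class Vrf:
    """A VRF on a PE: the route-targets it attaches on export, the ones it accepts
    on import, and its private routing table (prefix -> (next hop, VPN label))."""
    name: str
    export_rt: set
    import_rt: set
    routes: dict = field(default_factory=dict)

@dataclass
class Vpnv4Update:
    """One MP-iBGP VPN-IPv4 update as described on the slides."""
    rd: str
    prefix: str
    route_targets: set
    next_hop: str      # the transmitting PE's loopback
    label: int         # VPN label assigned by the transmitting PE

def export_route(vrf: Vrf, rd: str, prefix: str, pe_loopback: str, label: int) -> Vpnv4Update:
    """Transmitting PE: turn a VRF route into a VPN-v4 update carrying the VRF's export RTs."""
    return Vpnv4Update(rd, prefix, set(vrf.export_rt), pe_loopback, label)

def import_update(vrfs: list, upd: Vpnv4Update) -> list:
    """Receiving PE: the RD is dropped and the IPv4 route installed in every local VRF
    whose import RTs match one of the update's RTs.  Returns the names of the VRFs
    that accepted it; an empty list means the update was discarded."""
    accepted = []
    for vrf in vrfs:
        if vrf.import_rt & upd.route_targets:
            vrf.routes[upd.prefix] = (upd.next_hop, upd.label)
            accepted.append(vrf.name)
    return accepted

def receiving_pe_vrfs() -> list:
    """Constructed VRF set for the receiving PE.  VPN-B imports VPN-A as well as its
    own RT, mirroring the 'vpn-target import VPN-A' under VPN-B in the figure."""
    return [
        Vrf("VPN-A", export_rt={"VPN-A"}, import_rt={"VPN-A"}),
        Vrf("VPN-B", export_rt={"VPN-B"}, import_rt={"VPN-B", "VPN-A"}),
        Vrf("VPN-C", export_rt={"VPN-C"}, import_rt={"VPN-C"}),
    ]

def demo() -> tuple:
    """Slide example: RD 1:27, 149.27.2.0/24, RT=VPN-A, next hop PE-1, label 28."""
    sending_vrf = Vrf("VPN-A", export_rt={"VPN-A"}, import_rt={"VPN-A"})
    upd = export_route(sending_vrf, "1:27", "149.27.2.0/24", "197.26.15.1", 28)
    vrfs = receiving_pe_vrfs()
    return import_update(vrfs, upd), vrfs
```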
Basic Intranet Model
Figure: VPN A with Site-1, Site-2, Site-3 and Site-4 attached to PEs across the MPLS/VPN backbone (P routers in the core). Over MP-iBGP one PE advertises the Site-1 and Site-2 routes with RT=VPN-A and the other advertises the Site-3 and Site-4 routes with RT=VPN-A, so every site ends up with the Site-1 through Site-4 routes.
MPLS/VPN Label Distribution
Figure: PE-1, a P router and the remote PE between Beijing and Shanghai, with 149.27.2.0/24 behind one PE. LFIB entries for FEC 197.26.15.1/32 along the path:
In Label -    FEC 197.26.15.1/32    Out Label 41
In Label 41   FEC 197.26.15.1/32    Out Label POP
In Label -    FEC 197.26.15.1/32    Out Label -
Label implicit-null is used for destination 197.26.15.1/32; label 41 is used for destination 197.26.15.0/24.
VPN-v4 update: RD 1:27, 149.27.2.0/24, NH=197.26.15.1, RT=VPN-A, Label=28.
PE and P routers obtain reachability to the BGP next hop via the backbone IGP.
IGP and LDP run to distribute labels and establish LSPs, giving an LSP to the BGP next hop.
The label stack is used for packet forwarding: the outer label indicates how to reach the BGP next hop, and the inner label indicates the outgoing interface of the packet or its home VRF (home VPN).
MPLS nodes forward based on the outer label only, regardless of the inner label.
MPLS/VPN Packet Forwarding-1
Figure: an IP packet for 149.27.2.27 enters PE-1; the VPN-A VRF holds 149.27.2.0/24 with NH=197.26.15.1 and Label=28, and the LFIB maps FEC 197.26.15.1/32 to out label 41, so the packet leaves with the label stack 41 (outer) / 28 (inner).
When the ingress PE receives an ordinary IP packet from a CE, it looks the packet up in the VPN forwarding table of the VRF to which the ingress interface belongs, and finds the next hop and label.
MPLS/VPN Packet Forwarding-2
Figure: the packet for 149.27.2.27 travels with labels 41/28; the P router (In Label 41, FEC 197.26.15.1/32, Out Label POP) pops the outer label and forwards it with label 28 only; the egress PE (In Label 28(V), FEC 149.27.2.0/24) maps label 28 to the VPN-A VRF, pops it and delivers the IP packet to 149.27.2.27.
The penultimate hop router pops the outer label and sends the packet on to the egress PE according to the next hop.
The egress PE router determines the destination CE from the inner label.
It pops the inner label and forwards the packet to the destination CE as an ordinary IP packet.
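Added example (not from the course material): a Python walk-through of the two-level label forwarding shown on the label distribution and packet forwarding slides, from ingress PE push through penultimate-hop pop to the egress PE's VRF lookup. The LFIB and VRF tables are constructed to mirror the figures (149.27.2.0/24 via 197.26.15.1 with VPN label 28, LDP label 41 for 197.26.15.1/32); the VRF lookup is a first-match scan rather than a longest-prefix match.

```python
import ipaddress

POP = "POP"   # LFIB action for a label learned as implicit-null (penultimate hop popping)

def ingress_pe(vrf_table: dict, lfib: dict, dst_ip: str) -> tuple:
    """Ingress PE: look the destination up in the VRF of the ingress interface, then
    push the VPN label (inner) and the transport label for the BGP next hop (outer)."""
    dst = ipaddress.IPv4Address(dst_ip)
    for prefix, (bgp_next_hop, vpn_label) in vrf_table.items():
        if dst in ipaddress.IPv4Network(prefix):
            outer = lfib[bgp_next_hop]               # label LDP bound to next_hop/32
            return [outer, vpn_label], bgp_next_hop  # top of stack first
    raise LookupError(f"no VRF route for {dst_ip}")

def p_router(lfib: dict, stack: list) -> list:
    """P router: acts on the outer label only; the inner label and the IP header are
    never examined.  A POP entry means this router is the penultimate hop."""
    action = lfib[stack[0]]
    return stack[1:] if action == POP else [action] + stack[1:]

def egress_pe(vpn_lfib: dict, stack: list) -> tuple:
    """Egress PE: the remaining (inner) label identifies the home VRF / outgoing CE;
    pop it and forward the plain IP packet.  Returns (vrf_name, remaining_stack)."""
    return vpn_lfib[stack[0]], stack[1:]

def forward_to_149_27_2_27(dst_ip: str = "149.27.2.27") -> tuple:
    """Constructed tables modeled on the slides: VPN-A VRF route 149.27.2.0/24 via
    197.26.15.1 with label 28, LDP label 41 for 197.26.15.1/32, P router pops 41."""
    ingress_vrf_a = {"149.27.2.0/24": ("197.26.15.1", 28)}
    ingress_lfib = {"197.26.15.1": 41}       # FEC 197.26.15.1/32 -> out label 41
    p_lfib = {41: POP}                        # in label 41 -> POP (implicit-null learned)
    egress_vpn_lfib = {28: "VPN-A"}           # in label 28(V) -> VPN-A VRF
    stack, _ = ingress_pe(ingress_vrf_a, ingress_lfib, dst_ip)
    trace = [list(stack)]                     # [41, 28] leaving the ingress PE
    stack = p_router(p_lfib, stack)
    trace.append(list(stack))                 # [28] after penultimate hop popping
    vrf, stack = egress_pe(egress_vpn_lfib, stack)
    trace.append(list(stack))                 # [] : plain IP toward the CE
    return trace, vrf

if __name__ == "__main__":
    print(forward_to_149_27_2_27())   # ([[41, 28], [28], []], 'VPN-A')
```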
Cross-AS MPLS/VPN (1)
Figure: Site1 to Site4 of VPN-A and VPN-B attached to PEs in two autonomous systems; MPLS LDP runs inside each AS, and the two ASBRs are connected by MP-EBGP.
Cross-AS MPLS/VPN (2)
Figure: the same sites in AS100 and AS200; the ASBRs act as PE/CE toward each other (VRF to VRF), and prefix 172.1.1.0/24 (next hop 172.1.1.1) is advertised across the AS boundary with a label assigned at each hop.
Cross-AS MPLS/VPN (3)
Figure: Site1 and Site2 of VPN-A in AS100 and AS200; MPLS LDP and MP-IBGP run inside each AS, MP-EBGP runs between the PEs at the AS boundary, and prefix 172.1.1.0/24 (next hop 172.1.1.1) is advertised across with a label assigned at each step.
MPLS/VPN Internet Connection
In MPLS VPN, some sites require access to the Internet.
To access the Internet, the following conditions must be met:
A route to the Internet is available.
Any location on the Internet is reachable from the site.
The security of the VPN network is ensured.
Access modes:
Configure a static route
Configure the interface not connected
MPLS VPN Internet Access (Configure the Static Default Route - PE)
Figure: Site-1 and Site-2 attached to PEs; PE-IG connects to the Internet (network 171.68.0.0/16 over Serial0, with 192.168.1.1 and 192.168.1.2 on the link). BGP-4 runs toward the Internet and MP-BGP between the PEs.
Configuration on the PE:
ip route-static 171.68.0.0 255.255.0.0 Serial0
ip route-static vpn-instance VPN-A 0.0.0.0 0.0.0.0 192.168.1.1 public
The second command gives VRF VPN-A a default route whose next hop 192.168.1.1 is resolved in the public routing table.
MPLS/VPN Internet Connection (Configure the Static Default Route - CE)
Figure: same topology (Site-1, Site-2, PE-IG, Internet, network 171.68.0.0/16, Serial0, 192.168.1.1 / 192.168.1.2). The Site-2 VRF holds 0.0.0.0/0 via 192.168.1.1 (public) beside the Site-1 and Site-2 routes; the global table and LFIB hold 192.168.1.1/32 with Label=3 and 192.168.1.2/32 with Label=5. An IP packet for D=huawei.com leaves the CE as plain IP, crosses the backbone with Label=3 toward PE-IG, and is forwarded to the Internet as an IP packet.
MPLS VPN Internet Access (Configure the Sub-interface)
Figure: same topology; the CE-PE link is split into sub-interfaces Serial0.1 and Serial0.2.
CE routing table: Site-2 routes -> Serial0.1; Internet routes -> Serial0.2.
PE global table: Internet routes -> 192.168.1.1, Label=3.
An IP packet for D=huawei.com leaves the CE on Serial0.2, is carried with Label=3 to PE-IG, and is forwarded to the Internet as an IP packet.
Summary
Understand VPN classification.
Master the MPLS L3 VPN forwarding process.
Master MPLS L3 VPN configurations.
Know the implementation of cross-AS MPLS L3 VPN.
Master Internet access for MPLS L3 VPN.