Odc010003 Mpls l3 VPN Principle Issue1 - 4

Internal
ODC010003 MPLS L3 VPN Principle

ISSUE 1.4
www.huawei.com
HUAWEI TECHNOLOGIES CO., LTD.
All rights reserved
PDF created with FinePrint pdfFactory Pro trial version www.pdffactory.com
This slides will introduce MPLS L3 VPN system structure, label distribution, data forwarding and typical application.
All rights reserved
Page 2
Upon completion this course, you will be able to: [ Describe VPN Classification [ Describe MPLS L3 VPN Concept [ Describe Label Distribution and Data Forwarding [ Describe MPLS L3 VPN Typical Application
All rights reserved
Page 3
Chapter 1 VPN Classification Chapter 2 MPLS L3 VPN Principle
All rights reserved
Page 4
VPN Classification
VPN: Virtual Private Network
VPN IP-VPN
CPE-Based VPN
Network-Based VPN
VLL
VPRN
VPDN
VPLS
MPLS/BGP VPN
VR-VPN
All rights reserved
Page 5
VPN Tunnel
l Tunnel: It is a technology that uses a type of protocol to transmit another type
of protocol. Mainly the tunnel protocol serves to implement this function. The tunnel technology involves three types of protocols: tunneling protocol, bearer protocol under the tunnel protocol, and the protocol borne on the tunnel protocol.
All rights reserved
Page 6
VPN Type (1)

l Virtual Leased Line (VLL): It provides point-to-point connection service
between two pieces of CPE equipment for the user via the edge node of the operator.
l Virtual Private Dial Network (VPDN): The remote user dials to the public IP
network via PSTN/ISDN, and the data packet passes through the public network via a tunnel for the destination network.
All rights reserved
Page 7
VPN Type (2)

l Virtual Private LAN Segments (VPLS): VPLS is a virtual!
method to establish LAN via the public IP resources. The networking is based on the MAC layer forwarding, and it is completely transparent to the network layer protocol. It is a L2 VPN.
l Virtual Private Routed Network (VPRN): VPRN is defined as a
kind of emulation for multi-site wide area route network services via the public IP network, and the data packet of VPN is forwarded at the network layer.
All rights reserved
Page 8
Example: Constructing VPN via GRE Tunnel

10.0.1.2/24
10.0.0.0/24
10.0.1.1/24
129.0.0.2/30 129.0.0.1/30
GRE tunnel
129.0.2.2/30 129.0.2.1/30
HQ1
129.0.1.1/30
Public IP network Rt1 Rt2 GRE tunnel
129.0.3.1/30
129.0.1.2/30 10.0.0.0/24
129.0.3.2/30
10.0.1.1/24
10.0.1.2/24
HQ2
l To construct such a network, just make configuration on the access router
of each network.
l It is unnecessary for the operator network to know the internal route of VPN. l Different VPNs can employ the same address space. l The forwarding efficiency is low.
HUAWEI TECHNOLOGIES CO., LTD. All rights reserved Page 9
Exercise-1
1. Which VPN technologies belong to layer 3 VPN (
A GRE B L2TP C BGP/MPLS D VPLS
All rights reserved
Page 10
Chapter 1 VPN Classification Chapter 2 MPLS L3 VPN Principle
All rights reserved
Page 11
MPLS VPN Network Structure

VPN_A 10.2.0.0 CE VPN_B 10.2.0.0 CE VPN_A 11.6.0.0 CE VPN_B 10.1.0.0 CE PE P P PE P P PE CE PE iBGP sessions CE CE VPN_A 11.5.0.0 VPN_A 10.1.0.0
VPN_B 10.3.0.0
l CE (Custom Edge Router): The user equipment directly connected with the service
provider.
l PE (Provider Edge Router): The edge router on the backbone network, connected with CE
and mainly responsible for access of the VPN service.

l P (Provider Router): The core router on the backbone network, mainly responsible for the
routing and fast forwarding functions.

Question
l One PE connect with several CEs which belong to different VPNs,
as VPNs may have overlapping address space, how to identify each VPN"s information?
All rights reserved
Page 13
Relationship Between PE and CE

C CE
Site - 1
VPNA
PE EBGP, RIP, Static

VRF for VPNA
CE
VPNB
Global route VRF for VPNB Site - 2
l l
PE and CE routers exchange information via the EBGP, RIP or static route. CE runs the standard routing protocol. PE maintains separate routing tables of the public network and private network. [ Routing table of public network, including the routes of all PE and P routers, generated by the backbone network IGP of VPN. [ VRF (VPN routing & forwarding), including tables of routing & forwarding to one or multiple directly connected CEs.
All rights reserved
Page 14
VRF Detail
l VRF can be regarded as a virtual router l PE maintains a separate forwarding table for each site.
l Each site has a unique VRF.
l If (and only if) two sites have identical forwarding table, they share a VRF.
l The interface/sub-interface connected with CE is mapped to VRF.
l The routes in VRF will be distributed to the sites (usually connected on other PEs)
belonging to the same VPN.
All rights reserved
Page 15
Distribution of VRF Routes
P Router
CE Router PE PE CE Router
Site
iBGP
Site
l The PE router distributes the local VPN route information via the backbone
network. the transmitting via BGP Question: PE and PE set up IBGP session and exchange routing information, while some VPN may have the same private IP address space, when BGP transfer the routing information on the public network, there get address overlapping problem, how to solve it?
VPNv4 and IPv4 Address Families

VPNV4 address structure:
Route Distinguisher (8 bytes) IPv4 address
RD structure:
TYPE (2byte) 0 1 Administrator Field 2-byte ASN 4-byte IP address Assigned Number Field
4-byte assigned number 2-byte assigned number
All rights reserved
Page 17
Question
l PE and PE set up IBGP session and exchange routing
information by BGP, by adding RD prefix , now the VPN "s address is VPNv4 address family, BGP-4 only supports IPv4 ,BGP can"t recognise such routing information, how to solve it?
All rights reserved
Page 18
MBGP
l MBGP (Multiprotocol Extensions for BGP-4 )
[ BGP-4 only supports IPv4, and is extended to MBGP to transfer the route information of more protocols (IPv6, IPX,etc.). [ To maintain compatibility, only two BGP attributes are added for MBGP: MP_REACH_NLRI and MP_UNREACH_NLRI. The two attributes can be used in the BGP Update message to notify or cancel the network reachability information.
All rights reserved
Page 19
MBGP: MP_REACH_NLRI
All rights reserved
Page 20
MBGP: MP_UNREACH_NLRI
l Used for withdrawing one or multiple unfeasible routes l
An UPDATE packet that contains the MP_UNREACH_NLRI does not carry any other path attributes
All rights reserved
Page 21
Question
l When PE received the routing information from other PEs
carried by MBGP, PE how to separate the routing information which belongs to different VPN?
Remember RD? Can we use it?
All rights reserved
Page 22
Route Target
l Route Target attribute (RT) is one of the MBGP extension community
attributes
l There are two types of RT, the values of the type field are 0x0002 or
0x0102. RT structure:
TYPE(2 bytes 0x0002 0x0102 Administrator Field AS number(2bytes) IP address(4 bytes) Assigned Number Field Assigned Number (4 bytes) Assigned Number(2 bytes)
All rights reserved
Page 23
Route Target
l RT is used to separate VPN routing information advertisement l There are two sets of Route Target attributes: Export Targets
and Import Targets [ Export Targets is added to the route received from a direct-connected Site in advertising local routes to remote PE routers. [ Import Targets is used to decide which routes can be imported into the routing table of this Site in receiving routes from remote PE routers.
All rights reserved
Page 24
Typical Network Topology-1

Each site only belongs to one VPN: Intranet
site10 site1
site3
site20
site3 0 site2
All rights reserved
Page 25
Typical Network Topology-2

Site may belongs to multiple VPNs: Extranet
site4 site1
Intranet
site5
site2
site3
Extranet
Application of RT
l RT Export Target and import Target can be configured with several attributes
im:b ex:a
a Hub-spoke mode
a im:a ex:b
im:a ex:a
Trandition Mode
c im:b ex:c b
Extranet
im:a ex:a
im:a,c ex:a,b
All rights reserved
Page 27
Function of RT
VPN A
MPLS/VPN Backbone
Site-1routes RT=VPN A Site-2routes RT=VPN B Site-3routes RT=VPN A Site-4routes RT=VPN B
VPN A
SITESITE-1
SITESITE-3
MP-iBGP
P Router
SITE-2
VPN B
Site1-routes Site3-routes Site2-routes Site4-routes
VPNA
Site1-routes Site3-routes
VPNA
SITESITE-4
VPN B
VPNB
Site2-routes Site4-routes
VPNB
All rights reserved
Page 28
Question
l After the completion of exchanging routing information between PEs,
now site3 want to access site1, the right PE look for the VRF table and find out the nexthop !left PE, forward the packet to the left PE using MPLS. When the packet arrived the left PE, the public MPLS label is removed, which VPN the packet belongs to? And how to get the correct nexthop?
VPN A VPN A
SITESITE-1
SITESITE-3
P Router
SITESITE-2
VPN B
VPNA VPNB
VPNA VPNB
SITESITE-4
VPN B
All rights reserved
Page 29
Network Layer Reachability Information:
l Multiple labels can be attached. The first 20 bits of each label refer to the label domain,
while of the last 4 bits, the first three refer to the EXP domain and the last one indicates whether it is the stack base.
l Note that this label must be assigned by the LSR referred to in the Next-Hop of the
MP_REACH_NLRI attribute.
l There are two methods to cancel the route information (meanwhile to release label
binding). [ Re-distribute a different route (and a new Label) for the same destination. [ Use the Withdraw message to include the destination in MP_UNREACH_NLRI.
Network Layer Reachability Information:

l NLRI" Network Layer Reachability Information, include address family,
private label and RT )

MP_REACH_NLRI! address#family ! next-hop: NLRI: lable! prefix! 24 bits"like MPLS label but without TTL portion RD:64bit IP prefix VPN-IPV4 address family PE s ipv4 address"usually is loopback address
l Followed is RT list #
Extended_Communities"RT1 Extended_Communities"RT2 ##
All rights reserved
Page 31
VRF Route Distribute Step 1:Importing VRF Routes to MP-iBGP

MP-iBGP PE
BGP, RIPv2 update for 149.27.2.0/24,NH=CE-1 VPN-v4 update: RD:1:27:149.27.2.0/24, Next-hop=PE-1 RT=VPN-A Label=( 28)
PE
CE-1
CE-2
Beijing
Shanghai
l Importing VRF route to MP-iBGP: PE router converts the route (in the VRF
routing table) received from CE into the VPN-V4 route; labels it with RD and RT based on the configuration; changes the next hop as PE itself (loopback); assigns the label based on the interface; finally sends the MP-iBGP update packet to all PE neighbors.
VRF Route Distribute Step 2: Importing MP-iBGP Routes to VRF

MP-iBGP PE
VPN-v4 update: RD:1:27:149.27.2.0/24, Next-hop=PE-1 RT=VPN-A Label=(28)
PE
ip vrf VPN-B vpn -target import VPN -A
CE-1
Beijing
PE receives the update packet, converts VPN-v4 into the IPv4 address, and distributes it to VFR VPN-A (RT=VPN-A) routing table, then transmit it to CE with route protocol between PE and CE.
CE-2
Shanghai
l Each VRF has configurations of import route-target and export route-target. l When the transmitting PE sends MP-iBGP updates, the export attribute is attached in
the packet.
l When receiving MP-iBGP updates of VPN-IPv4, the receiving PE will judge whether
the received export is equal to the import of the local VRF. If yes, it will be added to the corresponding VRF routing table; otherwise, it will be discarded.
Basic Intranet Model
VPN A
MPLS/VPN Backbone
SiteSite-1 & SiteSite-2 routes RT=VPNRT=VPN -A SiteSite-3 & SiteSite-4 routes RT=VPNRT=VPN-A
VPN A
SITE-1
SITE-3
MP-iBGP
P Router
SITESITE-2
VPN A
SiteSite-1 routes SiteSite-2 routes SiteSite-3 routes SiteSite-4 routes
SiteSite-1 routes SiteSite-2 routes SiteSite-3 routes SiteSite-4 routes
SITE -4
VPN A
All rights reserved
Page 34
MPLS/VPN Label Distribution

In Label FEC Out Label In Label 41 FEC 197.26.15.1/32 Out Label POP In Label FEC 197.26.15.1/32 Out Label 41 197.26.15.1/32
PE-1 P router
Use labelimplicit-nullfor destination 197.26.15.1/32 Use label 41for destination 197.26.15.1/32
Beijing
149.27.2.0/24
VPN -v4 update: RD:1:27 :149.27.2.0/24, NH= 197.26.15.1 RT=VPN-A Label=(28)
Shanghai
All rights reserved
Page 35
MPLS/VPN Packet Forwarding-1

In Label FEC 197.26.15.1/32 Out Label 41 VPN-A VRF 149.27.2.0/24, NH=197.26.15.1 Label=(28) 41 28 149.27.2.27
PE-1
149.27.2.27
Beijing
149.27.2.0/24
Shanghai
All rights reserved
Page 36
MPLS/VPN Packet Forwarding-2
In Label 28(V)
FEC 149.27.2.0/24
Out Label -
In Label 41
FEC 197.26.15.1/32
Out Label POP VPN-A VRF 149.27.2.0/24, NH=197.26.15.1 Label=(28)
VPN-A VRF 149.27.2.0/24, NH=beijing
PE-1
28 149.27.2.27 41 28 149.27.2.27
149.27.2.27
149.27.2.27
Beijing
149.27.2.0/24
Shanghai
All rights reserved
Page 37
Demo- Private Label Distribution

MP-BGP IBGP Peer
VPN-v4 update: RD:1:27:149.27.2.0/24, Next-hop=PE-C RT=VPN-A, Label=(28) 149.27.2.0/24 Out 28
CE A2
CE B2
PE
A
BGP, OSPF, RIPv2 update for 149.27.2.0/24,NH=CE-A2
NH: PE-C
MPLS
BGP, OSPF, RIPv2 update for 149.27.2.0/24,NH=PE-A
IN 28
149.27.2.0/24
NH: CE A2
CE A1
CE B1
PE
VPN-v4 update: RD:1:27:149.27.2.0/24, Next-hop=PE-C RT=VPN-A, Label=(28)
All rights reserved
Page 38
Demo- Public Label Distribution

l The loopback IP address of PE-C is 1.1.1.1/32
20 PE
149.27.2.0/24
MPLS
3 P
In 20
1.1.1.1/32 out 20
Out 28
IGP
B
NH: PE-C
1.1.1.1/32 out 3
IGP
PE
IN 28
C
NH: CE A2
1.1.1.1/32
149.27.2.0/24
All rights reserved
Page 39
Demo- Packet Forwarding

20 28
CE A2 A
CE B2
PE
1.1.1.1/32 out 20
149.27.2.0/24 Out 28 NH: PEC
MPLS
BGP, OSPF, RIPv2 update for 149.27.2.0/24,NH=PE-A
P
In 20
Ping 149.27.2.1
1.1.1.1/32 out 3
CE A1
CE B1
IN 28
PE
C
NH: CE A2
1.1.1.1/32
149.27.2.0/24
All rights reserved
Page 40
Exercise-2
1. Describe the structure of RD and RT
2. Describe the procedure of VRF route distribution
3. Describe the procedure of VPN packet forwarding
All rights reserved
Page 41
Summary
l VPN Classification l MPLS L3 VPN Label Distribution l MPLS L3 VPN Forwarding Process
All rights reserved
Page 42
Thank You
www.huawei.com

Odc010003 Mpls l3 VPN Principle Issue1 - 4

Caricato da

Informazioni sul documento

Titolo originale

Copyright

Formati disponibili

Condividi questo documento

Condividi o incorpora il documento

Opzioni di condivisione

Hai trovato utile questo documento?

Questo contenuto è inappropriato?

Copyright:

Formati disponibili

Odc010003 Mpls l3 VPN Principle Issue1 - 4

Caricato da

Copyright:

Formati disponibili

Internal

ODC010003 MPLS L3 VPN Principle

HUAWEI TECHNOLOGIES CO., LTD.

All rights reserved

PDF created with FinePrint pdfFactory Pro trial version www.pdffactory.com

HUAWEI TECHNOLOGIES CO., LTD.

All rights reserved

PDF created with FinePrint pdfFactory Pro trial version www.pdffactory.com

HUAWEI TECHNOLOGIES CO., LTD.

All rights reserved

PDF created with FinePrint pdfFactory Pro trial version www.pdffactory.com

Chapter 1 VPN Classification Chapter 2 MPLS L3 VPN Principle

HUAWEI TECHNOLOGIES CO., LTD.

All rights reserved

PDF created with FinePrint pdfFactory Pro trial version www.pdffactory.com

HUAWEI TECHNOLOGIES CO., LTD.

All rights reserved

PDF created with FinePrint pdfFactory Pro trial version www.pdffactory.com

HUAWEI TECHNOLOGIES CO., LTD.

All rights reserved

PDF created with FinePrint pdfFactory Pro trial version www.pdffactory.com

VPN Type (1)

HUAWEI TECHNOLOGIES CO., LTD.

All rights reserved

PDF created with FinePrint pdfFactory Pro trial version www.pdffactory.com

VPN Type (2)

l Virtual Private Routed Network (VPRN): VPRN is defined as a

HUAWEI TECHNOLOGIES CO., LTD.

All rights reserved

PDF created with FinePrint pdfFactory Pro trial version www.pdffactory.com

Example: Constructing VPN via GRE Tunnel

Public IP network Rt1 Rt2 GRE tunnel

l To construct such a network, just make configuration on the access router

PDF created with FinePrint pdfFactory Pro trial version www.pdffactory.com

A GRE B L2TP C BGP/MPLS D VPLS

HUAWEI TECHNOLOGIES CO., LTD.

All rights reserved

PDF created with FinePrint pdfFactory Pro trial version www.pdffactory.com

Chapter 1 VPN Classification Chapter 2 MPLS L3 VPN Principle

HUAWEI TECHNOLOGIES CO., LTD.

All rights reserved

PDF created with FinePrint pdfFactory Pro trial version www.pdffactory.com

MPLS VPN Network Structure

and mainly responsible for access of the VPN service.

routing and fast forwarding functions.

PDF created with FinePrint pdfFactory Pro trial version www.pdffactory.com

HUAWEI TECHNOLOGIES CO., LTD.

All rights reserved

PDF created with FinePrint pdfFactory Pro trial version www.pdffactory.com

Relationship Between PE and CE

PE EBGP, RIP, Static

Global route VRF for VPNB Site - 2

HUAWEI TECHNOLOGIES CO., LTD.

All rights reserved

PDF created with FinePrint pdfFactory Pro trial version www.pdffactory.com

l Each site has a unique VRF.

l The interface/sub-interface connected with CE is mapped to VRF.

belonging to the same VPN.

HUAWEI TECHNOLOGIES CO., LTD.

All rights reserved

PDF created with FinePrint pdfFactory Pro trial version www.pdffactory.com

Distribution of VRF Routes

PDF created with FinePrint pdfFactory Pro trial version www.pdffactory.com