These slides introduce the MPLS L3 VPN system structure, label distribution, data forwarding and typical applications.
Upon completion of this course, you will be able to:
- Describe VPN classification
- Describe the MPLS L3 VPN concept
- Describe label distribution and data forwarding
- Describe typical MPLS L3 VPN applications
VPN Classification
VPN: Virtual Private Network
(figure: classification tree of IP-VPN types, divided into CPE-Based VPN and Network-Based VPN, covering the technologies VLL, VPRN, VPDN, VPLS, MPLS/BGP VPN and VR-VPN)
VPN Tunnel
- Tunnel: a technology that uses one type of protocol to transmit another type of protocol; the tunneling protocol is what implements this function. Tunneling involves three kinds of protocol: the tunneling protocol, the bearer protocol beneath the tunneling protocol, and the protocol borne on (carried by) the tunneling protocol.
between two pieces of CPE equipment for the user via the edge node of the operator.
- Virtual Private Dial Network (VPDN): the remote user dials into the public IP network via PSTN/ISDN, and the data packets pass through the public network via a tunnel to the destination network.
method to establish a LAN via the public IP resources. The networking is based on MAC-layer forwarding and is completely transparent to the network-layer protocol. It is an L2 VPN.
kind of emulation of multi-site wide-area routed network services via the public IP network, and the VPN data packets are forwarded at the network layer.
(figure: GRE tunnel between HQ1 and HQ2 across the operator network; the tunnel endpoints and operator links use point-to-point addresses from 129.0.0.0/30, 129.0.1.0/30, 129.0.2.0/30 and 129.0.3.0/30, while the sites use private addresses from 10.0.0.0/24 and 10.0.1.0/24)
of each network.
- It is unnecessary for the operator network to know the internal routes of the VPN.
- Different VPNs can employ the same address space.
- The forwarding efficiency is low.
HUAWEI TECHNOLOGIES CO., LTD. All rights reserved Page 9
Exercise-1
1. Which VPN technologies belong to layer 3 VPN (
(figure: a PE connected to CEs of different VPNs; the label VPN_B 10.3.0.0 is shown)
- CE (Customer Edge Router): the user equipment directly connected with the service provider.
- PE (Provider Edge Router): the edge router on the backbone network, connected with the CE.
Question
- One PE connects with several CEs that belong to different VPNs. As VPNs may have overlapping address spaces, how does the PE identify each VPN's information?
(figure: one PE connected to a CE of VPNA and a CE of VPNB)
- PE and CE routers exchange information via EBGP, RIP or static routes. The CE runs a standard routing protocol.
- The PE maintains separate routing tables for the public network and the private networks:
  - Routing table of the public network, including the routes of all PE and P routers, generated by the backbone IGP of the VPN.
  - VRF (VPN routing & forwarding), including routing and forwarding tables for one or multiple directly connected CEs.
VRF Detail
- A VRF can be regarded as a virtual router.
- The PE maintains a separate forwarding table for each site.
- If (and only if) two sites have identical forwarding tables, they share a VRF.
- The routes in a VRF are distributed to the sites (usually connected to other PEs).
(figure: two sites connected through CE routers to PE routers, with a P router between the PEs and an iBGP session between the PEs)
- The PE router distributes the local VPN routing information via the backbone network, transmitting it via BGP.
Question: PE and PE set up an IBGP session and exchange routing information, while some VPNs may have the same private IP address space. When BGP transfers the routing information over the public network, there is an address overlapping problem. How is it solved?
RD structure (8 bytes):

Type (2 bytes) | Administrator field | Assigned Number field
0 | 2-byte ASN | 4-byte assigned number
1 | 4-byte IP address | 2-byte assigned number
Question
- PE and PE set up an IBGP session and exchange routing information via BGP. By adding the RD prefix, the VPN's addresses now belong to the VPNv4 address family. BGP-4 only supports IPv4 and cannot recognise such routing information. How is this solved?
MBGP
- MBGP (Multiprotocol Extensions for BGP-4)
  - BGP-4 only supports IPv4; it is extended to MBGP to transfer the routing information of more protocols (IPv6, IPX, etc.).
  - To maintain compatibility, only two BGP attributes are added for MBGP: MP_REACH_NLRI and MP_UNREACH_NLRI. The two attributes can be used in the BGP Update message to announce or withdraw network reachability information.
MBGP: MP_REACH_NLRI
MBGP: MP_UNREACH_NLRI
An UPDATE packet that contains the MP_UNREACH_NLRI does not carry any other path attributes.
Question
- When a PE receives routing information from other PEs carried by MBGP, how does the PE separate the routing information that belongs to different VPNs?
Route Target
- The Route Target attribute (RT) is one of the MBGP extended community attributes.
- There are two types of RT; the values of the type field are 0x0002 or 0x0102. RT structure:

Type (2 bytes) | Administrator field | Assigned Number field
0x0002 | AS number (2 bytes) | Assigned Number (4 bytes)
0x0102 | IP address (4 bytes) | Assigned Number (2 bytes)
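As an added example (not from the slides or Huawei's code), the following Python encodes and decodes the RD and RT structures described above and builds the VPNv4 prefix that MBGP carries; the function names are my own.

```python
"""Encode and decode the 8-byte RD and RT formats from these slides.
RD: type 0 = 2-byte ASN + 4-byte assigned number, type 1 = 4-byte IPv4 +
2-byte assigned number. RT reuses the layout with type 0x0002 or 0x0102."""
import ipaddress
import struct

RD_TYPE_AS, RD_TYPE_IP = 0, 1
RT_TYPE_AS, RT_TYPE_IP = 0x0002, 0x0102


def _pack(type_field: int, admin: str, assigned: int, ip_admin: bool) -> bytes:
    # Common 2 + 6 byte layout; the administrator field decides the split.
    if ip_admin:
        return struct.pack("!H4sH", type_field, ipaddress.IPv4Address(admin).packed, assigned)
    return struct.pack("!HHI", type_field, int(admin), assigned)


def _unpack(raw: bytes, ip_admin: bool) -> str:
    if ip_admin:
        ip, assigned = struct.unpack("!4sH", raw[2:])
        return f"{ipaddress.IPv4Address(ip)}:{assigned}"
    asn, assigned = struct.unpack("!HI", raw[2:])
    return f"{asn}:{assigned}"


def encode_rd(admin: str, assigned: int, rd_type: int) -> bytes:
    if rd_type not in (RD_TYPE_AS, RD_TYPE_IP):
        raise ValueError("RD type must be 0 or 1")
    return _pack(rd_type, admin, assigned, rd_type == RD_TYPE_IP)


def decode_rd(raw: bytes) -> str:
    """Render an RD as 'admin:assigned', e.g. '65000:100' or '10.1.1.1:5'."""
    rd_type = struct.unpack("!H", raw[:2])[0]
    if rd_type not in (RD_TYPE_AS, RD_TYPE_IP):
        raise ValueError(f"unknown RD type {rd_type}")
    return _unpack(raw, rd_type == RD_TYPE_IP)


def encode_rt(admin: str, assigned: int, rt_type: int) -> bytes:
    if rt_type not in (RT_TYPE_AS, RT_TYPE_IP):
        raise ValueError("RT type must be 0x0002 or 0x0102")
    return _pack(rt_type, admin, assigned, rt_type == RT_TYPE_IP)


def decode_rt(raw: bytes) -> str:
    rt_type = struct.unpack("!H", raw[:2])[0]
    if rt_type not in (RT_TYPE_AS, RT_TYPE_IP):
        raise ValueError(f"unknown RT type {rt_type:#06x}")
    return _unpack(raw, rt_type == RT_TYPE_IP)


def vpnv4_prefix(rd: bytes, prefix: str) -> str:
    """VPN-IPv4 address: RD prepended to the prefix keeps overlapping VPN prefixes distinct."""
    return f"{decode_rd(rd)}:{prefix}"
```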
Route Target
- RT is used to separate the advertisement of VPN routing information.
- There are two sets of Route Target attributes: Export Targets and Import Targets.
  - Export Targets are added to the routes received from a directly connected site when advertising local routes to remote PE routers.
  - Import Targets are used to decide which routes can be imported into the routing table of this site when receiving routes from remote PE routers.
(figure: Intranet and Extranet examples built from site1 to site5)
Application of RT
- RT Export Targets and Import Targets can be configured with several attributes.
(figure: three RT configurations, Traditional mode, Hub-spoke mode and Extranet, with each site labelled by its import (im:) and export (ex:) targets, for example im:a ex:a, im:b ex:a, im:a ex:b, im:b ex:c and im:a,c ex:a,b)
Function of RT
(figure: VPN A and VPN B over the MPLS/VPN backbone, with the PEs exchanging routes via MP-iBGP across a P router. Site-1 routes carry RT=VPN A, Site-2 routes RT=VPN B, Site-3 routes RT=VPN A and Site-4 routes RT=VPN B. The VPNA VRFs hold Site1-routes and Site3-routes; the VPNB VRFs hold Site2-routes and Site4-routes.)
Question
- After the PEs have finished exchanging routing information, site3 wants to access site1. The right PE looks up the VRF table, finds that the next hop is the left PE, and forwards the packet to the left PE using MPLS. When the packet arrives at the left PE and the public MPLS label is removed, which VPN does the packet belong to, and how is the correct next hop found?
(figure: VPN A Site-1 and Site-3 and VPN B Site-2 and Site-4, attached to two PEs that each hold VPNA and VPNB VRFs, with a P router between them)
- Multiple labels can be attached. The first 20 bits of each label refer to the label field; of the last 4 bits, the first three refer to the EXP field and the last one indicates whether the entry is the bottom of the stack.
- Note that this label must be assigned by the LSR referred to in the Next-Hop of the MP_REACH_NLRI attribute.
- There are two methods to withdraw the routing information (and at the same time release the label binding):
  - Re-distribute a different route (and a new label) for the same destination.
  - Use the Withdraw message to include the destination in MP_UNREACH_NLRI.
- The RT list follows:
Extended_Communities: RT1, RT2
(figure: a PE with CE-1 in Beijing and CE-2 in Shanghai)
- Importing VRF routes into MP-iBGP: the PE router converts the routes (in the VRF routing table) received from the CE into VPN-V4 routes; labels them with RD and RT based on the configuration; changes the next hop to the PE itself (loopback); assigns the label based on the interface; and finally sends the MP-iBGP update packet to all PE neighbours.
(figure: the PE with CE-1 in Beijing and CE-2 in Shanghai)
The PE receives the update packet, converts the VPN-v4 route into an IPv4 address, distributes it into the VRF VPN-A (RT=VPN-A) routing table, and then transmits it to the CE using the routing protocol running between PE and CE.
- Each VRF has configurations of import route-target and export route-target.
- When the transmitting PE sends MP-iBGP updates, the export attribute is attached in the packet.
- When receiving MP-iBGP updates of VPN-IPv4, the receiving PE checks whether the received export is equal to the import of the local VRF. If yes, the route is added to the corresponding VRF routing table; otherwise, it is discarded.
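The Import/Export Target check just described, and the hub-spoke labelling from the "Application of RT" figure, as an added Python simulation (not Huawei's code): VRF names, RDs, labels and prefixes are constructed, and all VRFs are held in one process so that only the RT matching is exercised.

```python
"""Simulate the Import/Export Target check a receiving PE applies to VPNv4
routes. A route is installed into every local VRF whose Import Targets share
at least one value with the route's Export Targets; otherwise it is discarded.
Added example with constructed names; not Huawei's code."""
from dataclasses import dataclass, field


@dataclass
class Vrf:
    name: str
    rd: str                    # Route Distinguisher configured on this VRF
    import_rts: frozenset      # Import Targets
    export_rts: frozenset      # Export Targets
    local: dict = field(default_factory=dict)    # prefix -> CE next hop
    learned: dict = field(default_factory=dict)  # prefix -> remote PE next hop


@dataclass(frozen=True)
class VpnV4Route:
    rd: str
    prefix: str
    next_hop: str          # advertising PE's loopback
    label: int             # VPN label assigned by the advertising PE
    export_rts: frozenset  # Export Targets attached to the MP-iBGP update


def export_routes(pe: str, vrf: Vrf, label: int) -> list:
    """Turn CE-learned routes into VPNv4 routes: RD + prefix, export RTs, NH = PE."""
    return [VpnV4Route(vrf.rd, p, pe, label, vrf.export_rts) for p in vrf.local]


def import_route(vrfs: list, route: VpnV4Route) -> list:
    """Install into each VRF whose Import Targets overlap; return accepting VRF names."""
    accepted = []
    for vrf in vrfs:
        if vrf.import_rts & route.export_rts:
            vrf.learned[route.prefix] = route.next_hop
            accepted.append(vrf.name)
    return accepted


def hub_spoke_demo() -> dict:
    """Hub im:b ex:a, spokes im:a ex:b; returns {prefix: [accepting VRFs]}."""
    hub = Vrf("hub", "65000:1", frozenset({"b"}), frozenset({"a"}), {"10.0.0.0/24": "CE-hub"})
    s1 = Vrf("spoke1", "65000:2", frozenset({"a"}), frozenset({"b"}), {"10.0.1.0/24": "CE-1"})
    s2 = Vrf("spoke2", "65000:3", frozenset({"a"}), frozenset({"b"}), {"10.0.2.0/24": "CE-2"})
    result = {}
    for r in export_routes("PE-hub", hub, 30) + export_routes("PE-1", s1, 28):
        # every VRF except the originating one sees the update
        result[r.prefix] = import_route([v for v in (hub, s1, s2) if v.rd != r.rd], r)
    return result
```

Spoke routes are accepted only by the hub, hub routes by every spoke, and a route whose export set matches no import set leaves the VRFs untouched.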
(figure: VPN A with four sites across the MPLS/VPN backbone; Site-1 & Site-2 routes and Site-3 & Site-4 routes all carry RT=VPN-A and are exchanged between the PEs via MP-iBGP across the P router)
(figure, label distribution: PE-1 and the P router on the path between Beijing and the Shanghai site 149.27.2.0/24; for destination 197.26.15.1/32 the labels "Use label implicit-null for destination 197.26.15.1/32" and "Use label 41 for destination 197.26.15.1/32" are shown)
(figure: PE-1, the host 149.27.2.27, Beijing and the Shanghai site 149.27.2.0/24)
(figure, forwarding tables and packet walk:)

Router | In Label | FEC | Out Label
PE-1 | 28 (V) | 149.27.2.0/24 | -
P router | 41 | 197.26.15.1/32 | (not shown)

Packet towards 149.27.2.27: [41 | 28 | 149.27.2.27] entering the P router, [28 | 149.27.2.27] between the P router and PE-1, and [149.27.2.27] after PE-1 removes the VPN label.
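To make the label stack format and the per-hop label operations concrete, here is an added Python example (not Huawei's code) using the slide's values: VPN label 28 for 149.27.2.0/24, IGP label 41 for PE-1's loopback 197.26.15.1/32, and implicit-null advertised by PE-1; the table dictionaries, the one-address "payload" and the function names are my own assumptions.

```python
"""Encode 32-bit MPLS label stack entries (20-bit label, 3-bit EXP, 1-bit
bottom-of-stack, 8-bit TTL) and walk the two-label path from the slides:
the ingress pushes IGP label 41 (for PE-1's loopback 197.26.15.1/32) on top
of VPN label 28 (for 149.27.2.0/24); the P router pops 41 because PE-1
advertised implicit-null; PE-1 maps 28 to its VRF. Added example, not
Huawei's code; the table dicts and function names are my own."""
import ipaddress
import struct

IMPLICIT_NULL = 3  # label value meaning "pop before forwarding to me" (PHP)


def pack_entry(label: int, exp: int = 0, bottom: bool = False, ttl: int = 64) -> bytes:
    if not 0 <= label < 1 << 20:
        raise ValueError("label must fit in 20 bits")
    return struct.pack("!I", (label << 12) | (exp << 9) | (int(bottom) << 8) | ttl)


def unpack_stack(raw: bytes):
    """Read entries until the bottom-of-stack bit; return (labels, payload)."""
    labels, off = [], 0
    while True:
        word = struct.unpack("!I", raw[off:off + 4])[0]
        labels.append(word >> 12)
        off += 4
        if (word >> 8) & 1:
            return labels, raw[off:]


def ingress_push(dst: str, vpn_label: int, igp_label: int) -> bytes:
    """Ingress PE: VPN label at the bottom, IGP label on top; constructed payload = dst."""
    payload = ipaddress.IPv4Address(dst).packed
    return pack_entry(igp_label) + pack_entry(vpn_label, bottom=True) + payload


def p_forward(packet: bytes, ilm: dict) -> bytes:
    """P router: swap the top label per {in_label: out_label}; pop on implicit-null."""
    labels, _ = unpack_stack(packet)
    out = ilm[labels[0]]
    if out == IMPLICIT_NULL:
        return packet[4:]  # penultimate hop popping: PE-1 receives only the VPN label
    return pack_entry(out, bottom=len(labels) == 1) + packet[4:]


def egress_lookup(packet: bytes, vrf_labels: dict):
    """Egress PE-1: pop the VPN label, find the VRF FEC, check the destination."""
    labels, payload = unpack_stack(packet)
    fec = vrf_labels[labels[0]]
    dst = ipaddress.IPv4Address(payload[:4])
    if dst not in ipaddress.ip_network(fec):
        raise ValueError(f"{dst} is outside FEC {fec}")
    return fec, str(dst)
```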
(figure, route distribution: CE A2 sends a BGP, OSPF or RIPv2 update for 149.27.2.0/24 with NH=CE-A2 to PE-C; PE-C installs it in its VRF as "IN 28, 149.27.2.0/24, NH: CE A2" and advertises it across the MPLS core with NH: PE-C; PE-A then sends a BGP, OSPF or RIPv2 update for 149.27.2.0/24 with NH=PE-A to CE A1. CE B1 and CE B2 are also attached to the PEs.)
(figure, forwarding tables: PE-A: 149.27.2.0/24 Out 28, NH: PE-C; IGP route 1.1.1.1/32 out 20. P: In 20, 1.1.1.1/32 out 3. PE-C: IN 28, 149.27.2.0/24, NH: CE A2; 1.1.1.1/32.)
(figure, data forwarding: a Ping to 149.27.2.1 follows the same path; PE-A pushes labels 20 and 28, the P router handles label 20 (out 3), and PE-C uses label 28 to reach CE A2.)
Exercise-2
1. Describe the structure of RD and RT
Summary
- VPN Classification
- MPLS L3 VPN Label Distribution
- MPLS L3 VPN Forwarding Process
Thank You
www.huawei.com