
Autumn 2010

philip.heimer@hh.se

MULTIPROTOCOL LABEL SWITCHING (MPLS) AND MPLS VPNS

How Routers Forward Packets


Process switching
Hardly ever used today. The router looks inside the packet at the IP address, compares it to its routing table to see what the next-hop IP address is, and eventually performs an ARP lookup.

Fast switching
The first packet is process switched; chances are high that more packets will go to the same destination, so the most recent destinations are entered in a cache (IP combined with MAC). The router won't have to look at the routing table for the subsequent packets. Had some drawbacks: it didn't support per-packet load sharing (which requires multiple cache entries).

Topology-driven switching
Cisco Express Forwarding (CEF) eliminates the first-packet problem: it prebuilds the cache by making a copy of the routing table and creating the FIB (Forwarding Information Base), moving all routes into the cache. It also creates an adjacency table that premaps all next hops; the MAC addresses are added to this table by consulting the ARP cache. Adds the feature of per-packet load sharing.

CEF Switching Overview
Diagram (frame layout): DATA | PR | IP | MAC

MPLS
What is Multi Protocol Label Switching?
CEF is the fundamental switching path for MPLS. Without CEF, MPLS forwarding does not occur. MPLS forwarding relies heavily on the IP routing table and the CEF architecture. Therefore MPLS VPN relies on CEF as well, because MPLS VPN depends on MPLS for successful operation.

MPLS is a switching mechanism that assigns labels (numbers) to packets and then uses those labels to forward them. The labels are assigned at the edge of the MPLS network, and forwarding inside the MPLS network is based solely on labels. The content of the label may vary: destination network, level of Quality of Service.

The Label Distribution Protocol (LDP) is often used to establish MPLS and handle the labels. Tag Distribution Protocol (TDP) is a Cisco proprietary protocol managing the same thing. Its forwarding decisions are based on layer 2 labels.

The Label
Diagram (labeled frame): DATA | PR | IP | Labels | MAC (L2). The labels sit between the L2 header and the IP header.
Label entry (32 bits): LABEL | EXP | BS | TTL
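Added example (not from the lecture): encoding and decoding the 32-bit label entry shown above, walking a stack of several entries until the BS (bottom of stack) bit. The field widths (20-bit label, 3-bit EXP, 1-bit BS, 8-bit TTL) are the standard MPLS layout; the sample stack is constructed, not captured.

```python
import struct

def encode_label(label, exp=0, bos=0, ttl=64):
    """Pack one 32-bit MPLS label stack entry:
    20-bit label | 3-bit EXP | 1-bit BS (bottom of stack) | 8-bit TTL."""
    if not (0 <= label < 1 << 20 and 0 <= exp < 8 and bos in (0, 1) and 0 <= ttl < 256):
        raise ValueError("MPLS field out of range")
    return struct.pack("!I", (label << 12) | (exp << 9) | (bos << 8) | ttl)

def decode_stack(data):
    """Walk the label stack entry by entry until the BS bit is set.
    Returns (entries top-first, remaining bytes = the IP packet).
    A stack that ends without a BS bit is malformed and rejected rather
    than having its tail misread as an IP header."""
    entries, offset = [], 0
    while True:
        if len(data) - offset < 4:
            raise ValueError("truncated label stack: no bottom-of-stack entry")
        (word,) = struct.unpack_from("!I", data, offset)
        offset += 4
        entry = {"label": word >> 12, "exp": (word >> 9) & 0x7,
                 "bos": (word >> 8) & 0x1, "ttl": word & 0xFF}
        entries.append(entry)
        if entry["bos"]:
            return entries, data[offset:]

# Constructed sample (not a capture): a two-entry stack as an MPLS VPN packet
# carries it, top label 35 then a second label 30 with BS set, followed by a
# stand-in for the IPv4 header and payload.
SAMPLE = (encode_label(35, ttl=64)
          + encode_label(30, exp=5, bos=1, ttl=64)
          + b"\x45\x00" + b"IP payload")

if __name__ == "__main__":
    stack, ip_packet = decode_stack(SAMPLE)
    for entry in stack:
        print(entry)
    print("payload:", ip_packet)
```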

MPLS Example
Exchanging routes, assigning labels, sharing labels, building tables.

Diagram: Router A (20.0.0.0/8, non-MPLS), an MPLS domain (may be running IS-IS, BGP, OSPF etc.), Router B (non-MPLS). Label binding shown: 20.0.0.0 = 25.

MPLS Example - Z-router

Z Routing Table
Network    Next Hop
20.0.0.0   Y

Z LIB
Network    LSR     Label
20.0.0.0   Local   35
20.0.0.0   Y       30

Z LFIB
Label   Action   Next hop
35      30       Y

Diagram: Router A (20.0.0.0/8) - MPLS domain with Routers X, Y and Z - Router B. Label bindings for 20.0.0.0 shown on the links: Router Y advertises 30, Router Z's local label is 35, and the bindings 25 and 45 appear on the remaining links.

Tables

Routing Table
Network    Next Hop
20.0.0.0   Y
15.0.0.0   H
16.0.0.0   O

Label Information Base (LIB)
Network    LSR     Label
20.0.0.0   Local   35
20.0.0.0   Y       30
15.0.0.0   Local   36
15.0.0.0   Y       12

Label Forwarding Information Base (LFIB)
Label   Action     Next hop
35      30         Y
40      untagged   Y
50      pop        B

Forwarding Information Base (FIB)
Network    Next Hop   Label
20.0.0.0   Y          -
15.0.0.0   H
16.0.0.0   O

LIB FIB LFIB... FBI? Confused? ;-)

LIB (Label Information Base): whenever a labeled packet comes in, this table is referred to.
FIB (Forwarding Information Base): whenever a non-labeled packet comes in, this table is referred to.
LFIB (Label Forwarding Information Base): any route in the LFIB will also be in the LIB, but not the other way around.
(The FIB, along with the adjacency table, is what comprises CEF.)

Functions of Label Switching Routers (LSRs)

Control Plane
Controls the routing information exchange and the label exchange between adjacent devices. Exchanges routing information via normal routing protocols and label information using the Label Distribution Protocol (LDP). Sets up the framework for how everything is going to be forwarded.

Data Plane (where the action occurs)
Also known as the forwarding plane, this plane controls forwarding based on either destination addresses or labels (L3 or L2 information). The router becomes almost like a switch. If there's no label, it will work as normal (CEF). Takes care of label swapping, i.e. replacing labels.

Control Plane Components Example

Label Switching Routers
Diagram: a packet crossing the MPLS domain. Entering the edge LSR it carries IP header + L2 header; between LSRs it carries IP header + MPLS header + L2 header; leaving the far edge LSR it is back to IP header + L2 header.
Edge LSR: primarily labels packets or removes the labels.
LSR (core router): forwards packets; its primary purpose is to switch labels.

MPLS Terminology
MPLS - Multiprotocol Label Switching
LDP - Label Distribution Protocol
LSR - Label Switching Router
LSP - Label Switch Path

Penultimate Hop Popping

Diagram: Router Z advertises "15.0.0.0 = pop" to Router Y, and Y advertises "15.0.0.0 = 20" upstream. Y therefore pops the label before handing the packet to Z.

Y LFIB
Label   Action   Next hop
20      Pop      Z
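Added example (not from the lecture or its lab) tying the Tables slide and the penultimate hop popping slide together: a small forwarding function that uses the LFIB for labeled packets and the CEF FIB for unlabeled ones, with swap, pop and untagged actions, and derives Y's "pop" entry from Z advertising the implicit-null label. The table contents are constructed from the slides; the FIB's outgoing label 30 for 20.0.0.0 is an assumption taken from the LIB binding learnt from Y.

```python
from ipaddress import ip_address, ip_network

IMPLICIT_NULL = 3   # reserved label meaning "pop the label for me" (penultimate hop popping)

def lfib_entry(downstream_label, next_hop):
    """LFIB action for a local label, derived from the downstream LSR's binding:
    implicit null -> pop, any other label -> swap to that label."""
    if downstream_label == IMPLICIT_NULL:
        return ("pop", next_hop)
    return (downstream_label, next_hop)

# Constructed tables modelled on the Tables slide (router Z) and the PHP slide (router Y).
LFIB_Z = {35: (30, "Y"), 40: ("untagged", "Y"), 50: ("pop", "B")}
FIB_Z = {ip_network("20.0.0.0/8"): ("Y", 30),     # label 30 learnt from Y (see the LIB)
         ip_network("15.0.0.0/8"): ("H", None),   # next hops H and O are not MPLS peers
         ip_network("16.0.0.0/8"): ("O", None)}
LFIB_Y = {20: lfib_entry(IMPLICIT_NULL, "Z")}     # Z advertised "15.0.0.0 = pop"

def forward(labels, dst_ip, lfib, fib):
    """Forward one packet. labels: incoming stack, top first ([] = plain IP).
    Returns (outgoing label stack, next hop) or raises KeyError for a drop."""
    if labels:                      # labeled packet: LFIB only, IP header not examined
        top, rest = labels[0], labels[1:]
        if top not in lfib:
            raise KeyError(f"label {top} not in LFIB, packet dropped")
        action, next_hop = lfib[top]
        if action == "pop":         # remove the top label, keep any lower labels
            return rest, next_hop
        if action == "untagged":    # next hop is not MPLS: send plain IP
            return [], next_hop
        return [action] + rest, next_hop          # swap
    # unlabeled packet: CEF FIB longest-prefix match, then impose the label (if any)
    dst = ip_address(dst_ip)
    candidates = [net for net in fib if dst in net]
    if not candidates:
        raise KeyError(f"no route to {dst_ip}, packet dropped")
    next_hop, out_label = fib[max(candidates, key=lambda n: n.prefixlen)]
    return ([out_label] if out_label is not None else []), next_hop

if __name__ == "__main__":
    print(forward([35], "20.1.2.3", LFIB_Z, FIB_Z))   # swap 35 -> 30 toward Y
    print(forward([], "20.1.2.3", LFIB_Z, FIB_Z))     # impose 30 toward Y
    print(forward([20], "15.0.0.1", LFIB_Y, FIB_Z))   # PHP: Y pops before Z
```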

Configuring Frame Mode MPLS


MPLS VPNS

Two traditional categories of VPNs


Overlay VPNs
Links / virtual circuits: point-to-point circuits between customer sites (virtual links, layer 1 or 2). Becomes expensive to buy virtual circuits for many sites.

Peer-to-Peer VPNs
The service provider becomes a part of your network, managing routing between parts of the organization: we bring our routing tables into theirs (the ISP's).

Private addresses from different customers will be a problem: with no NAT, customers will sometimes be using the same private addresses.

MPLS VPNs - overview

The provider forwards routes between the sites. Virtual Route Forwarding (VRF) allows you to run separate routing tables and forwarding tables per customer. This eliminates the problem of customers using the same address space, since VRFs make them look like different routing tables. PE routers (Provider Edge) act like edge LSRs. P routers do the core business and won't see any customer routes. Routing information packets are encapsulated using tags; this is performed by the PE routers, so customer one may be tagged with a 1. PE routers remove the tags and propagate the routes out to customer 1; P routers only forward those packets.

Route Distinguisher (tag) and Route Target


Route distinguisher (RD)
64-bit tag identifies customer route advertisements
May be any number the service provider chooses to use.

Keeps customer routes unique

Route Target (RT)


Additional field to allow customers to participate in multiple VPNs. VRFs use the route target attribute to control the import and export of VPNv4 routes through iBGP. The route target is an extended BGP community that indicates which routes should be imported from MP-BGP into the VRF.

The problem with overlapping customer addresses

BGP/MPLS VPN supports a mechanism that converts non-unique IP addresses into globally unique addresses by combining the VPN-IPv4 address family with the deployment of the Multiprotocol Extensions for BGP (MP-BGP).

VPN-IPv4
A VPN-IPv4 address is a 12-byte quantity composed of an 8-byte Route Distinguisher (RD) followed by a 4-byte IPv4 address prefix.

Example (RD = AS:number, the SP is AS 1111):
RD1 = 1111:1   prefix 10.0.0.0
RD2 = 1111:2   prefix 10.0.0.0

Multiprotocol BGP Extensions (MP-BGP)


Conventional BGP4 was originally designed to carry routing information only for the IPv4 address family. Realizing this limitation, the IETF is standardizing the Multiprotocol Extensions for BGP4. The extensions allow BGP4 to carry routing information for multiple Network Layer protocols such as IPv6, IPX, VPN-IPv4 etc.

BGP/MPLS VPN can use up to three different types of BGP extended community attributes:
The route target attribute identifies a collection of sites (VRFs) to which a PE router distributes routes. A PE router uses this attribute to constrain the import of remote routes into its VRFs.
The VPN-of-origin attribute.
The site-of-origin attribute.
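Added example (not from the lecture) for the VPN-IPv4 address composition above and the route-target import rule just described: two customers behind SP AS 1111 both announce 10.0.0.0, the RD keeps the two VPNv4 routes distinct, and the RT decides which VRF imports which. It assumes the type 0 RD layout (2-byte type, 2-byte ASN, 4-byte number), a /8 prefix length for the slide's 10.0.0.0, and represents RTs as "ASN:number" strings rather than encoded extended communities.

```python
import struct
from ipaddress import ip_network

def encode_rd(asn, number):
    """Type 0 Route Distinguisher (8 bytes): 2-byte type = 0, 2-byte ASN, 4-byte assigned number."""
    return struct.pack("!HHI", 0, asn, number)

def vpnv4(rd, prefix):
    """12-byte VPN-IPv4 address: the 8-byte RD followed by the 4-byte IPv4 prefix."""
    if len(rd) != 8:
        raise ValueError("RD must be 8 bytes")
    return rd + ip_network(prefix).network_address.packed

def decode_vpnv4(addr):
    """Split a VPN-IPv4 address back into ('ASN:number', dotted prefix)."""
    _rd_type, asn, number = struct.unpack("!HHI", addr[:8])
    return f"{asn}:{number}", ".".join(str(b) for b in addr[8:12])

def import_routes(vrf_import_rts, advertised):
    """Route-target import: a VRF accepts a VPNv4 route if any RT the route carries
    is in the VRF's import list. advertised = [(vpnv4 address, set of RTs), ...]."""
    return [decode_vpnv4(addr) for addr, rts in advertised if rts & vrf_import_rts]

# Constructed scenario from the slide (assumed /8): customers 1 and 2, both behind
# SP AS 1111, both announce 10.0.0.0/8. The RD makes the two VPNv4 routes distinct;
# the RT decides which VRF imports which route, so neither customer sees the other's.
RD1, RD2 = encode_rd(1111, 1), encode_rd(1111, 2)
ROUTES = [(vpnv4(RD1, "10.0.0.0/8"), {"1111:1"}),
          (vpnv4(RD2, "10.0.0.0/8"), {"1111:2"})]

if __name__ == "__main__":
    print(vpnv4(RD1, "10.0.0.0/8").hex(), vpnv4(RD2, "10.0.0.0/8").hex())
    print("VRF customer 1 imports:", import_routes({"1111:1"}, ROUTES))
```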

The MPLS part

CE routers should not be MPLS VPN-aware; they should run standard IP routing software. PE routers must support MPLS VPN services and traditional Internet services. To make the MPLS VPN solution scalable, P routers must not carry VPN routes. Multiprotocol BGP runs within the SP.

Diagram: Customer -- (EIGRP) -- PE -- (MP-BGP over MPLS, carrying RD and RT) -- P -- PE -- Customer

The MPLS part


The top label in the stack is the LDP label for normal frame forwarding in the MPLS network. This label guarantees that the packet will traverse the MPLS VPN backbone and arrive at the egress PE router. The second label in the stack identifies the egress PE router. This label tells the router how to forward the incoming VPN packet. The second label can point directly toward an outgoing interface. In this case, the egress PE router performs label lookup only on the VPN packet. The second label can also point to a VRF table. For this case, the egress PE router first performs a label lookup to find the target VRF table and then performs an IP lookup within the VRF table. When you are implementing MPLS VPN, you need to increase the MTU size to allow for two labels.

MPLS Virtual Private Networks

Connectionless service
Centralized service (group of VPN users): allowing multicast, QoS and telephony support within a VPN
Security
Easy to create
Flexible addressing

BGP/MPLS and IPSec VPNs compared


Data Confidentiality IPSec VPNs provide data confidentiality through robust encryption algorithms. BGP/MPLS VPNs seek to ensure data confidentiality by defining a single path between physical sites on a service provider network. This prevents attackers from accessing transmitted data unless they place sniffers on the service provider network. Though BGP/MPLS minimizes the chance that data may be intercepted, IPSec provides for better data confidentiality through encryption. A third option is to use IPSec over BGP/MPLS VPNs. This option would certainly provide a very high degree of data confidentiality.

Recommended reading
Metro Ethernet by Sam Halabi

Laboration 4.2 MPLS VPN


GNS3 7200 Routers
