Wide application of MPLS technologies allows service providers to provide better extended/value-added services. Therefore, the implementation of MPLS functions can help an equipment vendor gain competitive advantages over other vendors.
References
- VRP5 Operation Manual: VPN Solutions
- Technical White Paper for HoPE
- RFC 2547
- RFC 3107
- Chapter 1 Cross-AS Solution
- Chapter 2 HoPE Solution
- Chapter 3 Internet Connection Solution
- Chapter 4 Multi-Role Host Technology

Chapter 1 Cross-AS Solution
In the MPLS technical model, an MPLS domain and a router AS overlap each other. In actual networking, however, an MPLS domain frequently spans multiple ASs:
- The carrier defines each province as one AS of its network but is required to provide cross-province MPLS VPN services.
- Carriers cooperate with each other (especially with international carriers, to provide international services).
To implement these services, cross-AS MPLS VPN solutions must solve the following two problems:
- Technical problem: how VPN-IPv4 routes and VPN labels can be distributed to another AS.
- Managerial problem: normally, cross-AS LSPs are not allowed (this is especially important in the case of carrier cooperation).
[Figure: VPN-A spans AS #100 and AS #200; PE-2, CE-1 and CE-2 sit in different ASs.]
- One VPN operates in multiple ASs.
[Figure: VRF-to-VRF cross-AS solution. Inside AS#100 and AS#200, MP-iBGP runs between PE and ASBR and VPN-LSP1/LSP-1 and VPN-LSP2/LSP-2 carry the traffic; IP forwarding is used between ASBR-1 and ASBR-2.]
An ASBR treats the peer ASBR as its CE and creates a VRF for each VPN. IP forwarding is applied between the ASBRs and MPLS forwarding is applied within each AS.
Advantages: simple, with no need for protocol extension or special configuration; supported natively; applicable when the number of cross-domain VPNs is small.
Disadvantages: the ASBR must create a VRF for each VPN. Crossing multiple domains needs large configuration efforts. Scalability is poor.
[Figure: route advertisement in the VRF-to-VRF solution. PE-1/PE-2 (AS#100) and PE-3/PE-4 (AS#200) exchange VPN1 and VPN2 routes with their ASBRs over MP-iBGP; the route D: 161.10.1.0/24, NH: ASBR-1 is passed between ASBR-1 and ASBR-2.]
HUAWEI TECHNOLOGIES CO., LTD. All rights reserved
[Figure: packet forwarding in the VRF-to-VRF solution. A packet destined to 161.10.1.1 carries a label stack inside each AS (Lx/L2 and Ly/L1 in the figure) and is forwarded as plain IP between ASBR-1 and ASBR-2.]
[Figure: cross-AS solution with MP-EBGP (VPN-V4) between ASBRs. MP-iBGP runs inside AS#100 and AS#200; VPN-LSP1/LSP-1, VPN-LSP2 and VPN-LSP3/LSP-2 form the end-to-end path through ASBR-1 and ASBR-2.]
EBGP is used to advertise VPN-IPv4 routes between the ASBRs.
Advantages:
- No need to create a VRF for each VPN on the ASBR.
- No cross-domain protocol extension is needed; easy to manage and configure.
Disadvantages: all VPN routes must be stored on the ASBR. This imposes high requirements on the router, and the ASBR becomes more prone to failure.
[Figure: route advertisement with MP-EBGP between ASBRs. The VPN2-CE1 and VPN2-CE2 sites are reached through MP-iBGP inside AS#100 and AS#200; VPN-LSP1/LSP-1, VPN-LSP2 and VPN-LSP3/LSP-2 connect the PEs with ASBR-1 and ASBR-2.]
[Figure: packet forwarding with MP-EBGP between ASBRs. A packet destined to 161.10.1.1 travels from VPN1-CE1 through PE-1, ASBR-1, ASBR-2 and PE-3 to VPN1-CE2; the label stacks shown (L1, L2, L3, Lx, Ly) differ at each hop.]
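As an added example (not from the original deck) of the MP-EBGP-between-ASBRs solution above: a small Python model in which each ASBR re-advertises the VPN-IPv4 route with next-hop-self and a new label, keeps every relayed route (the disadvantage noted above), and swaps the inner label on the data path. Router names, the RD 100:1, the prefix and all label values are constructed.

```python
# Added example (not from the original deck): simulates VPN-IPv4 route relay and
# label swapping across the ASBRs in the MP-EBGP-between-ASBRs solution.
# Router names, RD, prefix and label values are constructed for illustration.
from dataclasses import dataclass, field

@dataclass
class VpnRoute:
    rd: str            # route distinguisher, e.g. "100:1"
    prefix: str        # VPN-IPv4 prefix
    label: int         # inner (VPN) label assigned by the advertising router
    nexthop: str       # BGP next hop as seen by the receiver

@dataclass
class Asbr:
    name: str
    next_label: int                                   # next free label on this ASBR
    vpn_routes: list = field(default_factory=list)    # every relayed route is stored here
    swap_table: dict = field(default_factory=dict)    # own label -> (upstream label, upstream router)

    def relay(self, route: VpnRoute) -> VpnRoute:
        """Control plane: re-advertise the route with next-hop-self and a new label.
        The mapping to the upstream label is kept for the data path."""
        new_label, self.next_label = self.next_label, self.next_label + 1
        self.vpn_routes.append(route)
        self.swap_table[new_label] = (route.label, route.nexthop)
        return VpnRoute(route.rd, route.prefix, new_label, self.name)

    def forward(self, inner_label: int):
        """Data plane: swap the inner label; None means unknown label (packet dropped)."""
        return self.swap_table.get(inner_label)

def build_and_trace():
    """PE-1 originates 161.10.1.0/24 with label L1; ASBR-1 and ASBR-2 relay it to PE-3.
    Returns the route PE-3 learns and the data-plane label path from PE-3 back to PE-1."""
    asbr1, asbr2 = Asbr("ASBR-1", 2001), Asbr("ASBR-2", 3001)
    l1 = VpnRoute("100:1", "161.10.1.0/24", 1001, "PE-1")   # MP-iBGP inside AS#100
    lx = asbr1.relay(l1)                                     # MP-EBGP ASBR-1 -> ASBR-2
    ly = asbr2.relay(lx)                                     # MP-iBGP inside AS#200
    # PE-3 pushes the label it learned (Ly); each ASBR swaps on the way to PE-1
    routers = {"ASBR-1": asbr1, "ASBR-2": asbr2}
    path, hop, label = ["PE-3"], ly.nexthop, ly.label
    while hop in routers:
        path.append(f"{hop}:{label}")
        label, hop = routers[hop].forward(label)
    path.append(f"{hop}:{label}")
    return ly, path
```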
[Figure: cross-AS solution with MP-EBGP between PEs. AS#100 and AS#200 are joined through ASBR-1 and ASBR-2; LSP-1 and LSP-2 carry the VPN1-CE2, VPN2-CE1 and VPN2-CE2 traffic between the PEs.]
Establish an MP-EBGP peer relationship between the PEs and distribute VPN-IPv4 routes over this connection.
Advantages:
- This is the optimal solution because it meets the structural requirements of MPLS VPN: only the PE knows the VPN routing information, and the P router is concerned only with forwarding packets.
- The advantage is more notable when a VPN crosses multiple ASs. This solution also supports load sharing.
Disadvantages: BGP extensions are needed. The setup of tunnels differs from the common MPLS VPN structure, so the solution is hard to maintain and understand.
[Figure: route advertisement with MP-EBGP between PEs. The route 162.11.1.0/24 is learned from VPN1-CE1 by BGP, OSPF or RIPv2 with NH=CE-1 and is carried from PE-1 (AS#100) across ASBR-1/ASBR-2 (EBGP) to PE-2/PE-4 (AS#200), where the figure shows it with NH=PE-2.]
[Figure: packet forwarding with MP-EBGP between PEs. A packet destined to 161.10.1.1 keeps the inner label L3 end to end, while the outer label changes at each hop (Ly, L10, L9) from PE-1 in AS#100 across ASBR-1/ASBR-2 (EBGP) to PE-3/PE-4 in AS#200.]
[Figure: a Level 1 carrier with L1 PEs serves Level 2 carriers with L2 PEs and L1 CEs, carrying VPNA and VPNB.]
- Level 2 carriers do not use VPN technologies.
- Level 2 carriers use VPN technologies.
- Level 1 carriers use L2 MPLS VPN technologies.
[Figure: CE-1 and CE-2 (Level-2 SP) connected to PE-1 and PE-2 (Level-1 SP).]
- Level 2 carriers do not provide MPLS/BGP VPN.
- Level 1 carriers do not have the IGP routing information of level 2 carriers.
- If traffic flows from CE-1 to CE-2, the LSP starts at CE-1 and ends at PE-2.
[Figure: PE-1 and PE-2 (Level-1 SP) connecting VPN 1 Site 1, VPN 2 Site 1, VPN 1 Site 2 and VPN 2 Site 2.]
[Comparison table whose headers were lost in extraction; its cells read: Static or dynamic routing protocol | Yes, multi-instance LDP is needed. | IP encapsulated by MPLS (L2 or L3 labels) | NO]
Chapter 2 HoPE Solution
Background of HoPE
Condition of PE
[Figure: core layer, distribution layer and access layer.]
The PE is in an awkward position at every layer:
- Access layer: unable to support the PE role because of small capacity.
- Distribution layer: a large number of interfaces (or subinterfaces) are needed for subscriber identification. The number of subscribers is large but the PE provides limited interfaces.
- Core layer: the number of subscribers is larger still, the number of interfaces becomes even more limited, and the bandwidth granularity is larger.
The lower the layer at which the PE is located, the more specific the routes are and the more routes the PE needs to maintain.
Background of HoPE
Problem
- The number of interfaces and the storage capacity must keep increasing until they reach the equipment limit.
- The growth of the network scale and the increase of subscribers in the local and peer sites require the local PE to have larger storage capacity.
Solution
- Expand and migrate the PE.
- Add PEs to share the load of the VPN subscribers.
Background of HoPE
Cause
- Large numbers of interfaces are needed to access subscribers. Large amounts of
same time.
- A typical network consists of different layers, featuring many edge interfaces and a
position of the PE in the network. When a PE is expanded toward the edge, more memory is required whereas the capacity of the network equipment decreases.
Key point: the model of MPLS VPN differs from the typical network model.
Background of HoPE
Multi-VRF Solution
[Figure: VPN1 Site1 and VPN2 Site1 accessed through a Multi-VRF CE (VCE2) connected to the PE.]
- the CE functionality so that it has the VRF function; this is called a Multi-VRF CE (VCE for short).
- A VCE can access multiple VPN subscribers and simulate multiple CEs.
- The VCE connects with the PE through multiple interfaces (or subinterfaces).
- The VCE only needs to maintain the routes of the local site.
- No changes are needed on the PE.
Background of HoPE
Defects of Multi-VRF Solution
- Large numbers of interfaces and subinterfaces out of the limited interface resources
repetitive.
- The use of a dynamic routing protocol for route exchange between PE and VCE requires both PE and VCE to run multiple instances. The use of static routes, however, demands large configuration efforts.
- If PE and CE are not connected directly but through tunnels, each VRF needs a tunnel.
Framework of HoPE
New Solution: Hierarchy of PE
[Figure: HoPE. UPE1 (VPN1 Site1, VPN2 Site1) and UPE2 (VPN1 Site3, VPN2 Site3) connect through MPLS networks to an SPE, which peers over MP-BGP with a PE serving VPN1 Site2 and VPN2 Site2.]
- A PE is connected with other PEs so that together they fulfil the functions of a traditional PE. The PEs form a hierarchy.
- A PE that directly accesses VPN subscribers is a UPE (Underlayer PE). One inside the network is an SPE (Superstratum PE).
- A UPE and an SPE can be connected directly or through an IP/MPLS network.
- Such a structure is called HoPE (Hierarchy of PE).
Framework of HoPE
Functions of UPE and SPE
- The UPE maintains only the routes of the directly connected VPN site, not those of the remote VPN sites. The SPE maintains all routes of the VPNs it connects through UPEs, including the routes of the local and remote VPN sites.
- The UPE assigns inner-layer labels for the routes of the directly connected VPN site and advertises the routes to the SPE. The SPE advertises only the default VRF route, with its label, to the UPE.
- Label switching is used between UPE and SPE, so only one interface (or subinterface) is needed for their interconnection. If an IP/MPLS network is present between UPE and SPE, GRE/LSP tunnels are used for their interconnection.
Framework of HoPE
Forwarding of Data
[Figure: route advertisement and forwarding from Site1 to Site2 through CE1, UPE, SPE1, PE2 and CE2.]
- CE2 advertises a route of Site2 (Dest/Mask). PE2 assigns an inner label for the route (Dest/Mask, Li).
- SPE1 advertises the default route of the VPN to the UPE with an inner label (0/0, L0). The UPE advertises the default route (0/0) to CE1.
- Packets destined to Site2 are forwarded from Site1 to the UPE according to the default route.
- The UPE pushes the inner-layer label and forwards the packets to SPE1 according to the default VPN route.
Framework of HoPE
Forwarding of Data
[Figure: route advertisement and forwarding from Site2 to Site1 through CE2, PE2, SPE1, UPE and CE1.]
- CE1 advertises a route of Site1 (Dest/Mask). The UPE assigns an inner label and advertises the route to SPE1 (Dest/Mask, Li1).
- SPE1 replaces the label assigned by the UPE with another inner label (Dest/Mask, Li2). PE2 advertises the route to CE2 without a label.
- PE2 queries the VRF routing table and pushes the inner and outer labels.
Framework of HoPE
SPE-UPE Protocol
[Figure: the UPE (VRF1, import route-target 100:1) sends its VPN routes with labels and its import route-target list by ORF (extended community list) to the SPE; the SPE holds the global import route-target list (100:1, 200:1) and returns the VRF default route with a label.]
Use MP-BGP to distribute VPN-IPv4 routes:
- If the SPE and UPE belong to the same carrier, MP-iBGP is used and the SPE serves as RR.
- If the SPE and UPE belong to different carriers, MP-eBGP is used and the UPE uses a private AS number.
The SPE creates the global import route-target list as the union of the VRF import route-target lists of the UPEs:
- The UPE transfers its import route-target list using the ORF mechanism and the SPE generates the global import route-target list automatically.
- Alternatively, the global import route-target list is created manually on the SPE.
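An added example (not from the deck or from VRP) of the SPE-UPE route-target exchange: the UPE's ORF carries the union of its VRF import route-targets, the SPE builds its global import list from it, accepts remote VPN-IPv4 routes only when a route-target matches, and returns only a labelled VRF default route. VRF names, route-targets, prefixes and labels are constructed.

```python
# Added example (not from the original deck): models the SPE-UPE route-target
# exchange. VRF names, route-targets, prefixes and labels are constructed for
# illustration; the ORF message is represented as a plain Python set.
from dataclasses import dataclass, field

@dataclass
class Upe:
    name: str
    vrfs: dict      # VRF name -> set of import route-targets

    def orf_extended_community_list(self) -> set:
        """Outbound Route Filter sent to the SPE: the union of all VRF import RTs."""
        return set().union(*self.vrfs.values())

@dataclass
class Spe:
    name: str
    default_label: int                                # label for the VRF default route
    global_import_rt: set = field(default_factory=set)
    vpn_routes: list = field(default_factory=list)    # (prefix, rts, label) from remote PEs

    def learn_orf(self, upe: Upe) -> set:
        """Build the global import route-target list automatically from a UPE's ORF."""
        self.global_import_rt |= upe.orf_extended_community_list()
        return self.global_import_rt

    def accept_route(self, prefix: str, rts: set, label: int) -> bool:
        """Keep a VPN-IPv4 route from a remote PE only if one of its RTs is in the global list."""
        if rts & self.global_import_rt:
            self.vpn_routes.append((prefix, rts, label))
            return True
        return False

    def advertise_to_upe(self) -> list:
        """The SPE sends the UPE only the VRF default route with a label, not the full table."""
        return [("0.0.0.0/0", self.default_label)]

def run_scenario():
    """One UPE with two VRFs; three routes arrive at the SPE from remote PEs."""
    upe = Upe("UPE1", {"VRF1": {"100:1"}, "VRF2": {"200:1"}})
    spe = Spe("SPE", default_label=1000)
    spe.learn_orf(upe)
    accepted = [spe.accept_route("10.1.0.0/24", {"100:1"}, 2001),
                spe.accept_route("10.2.0.0/24", {"200:1"}, 2002),
                spe.accept_route("10.9.0.0/24", {"300:1"}, 2009)]  # RT imported by no UPE VRF
    return spe.global_import_rt, accepted, spe.advertise_to_upe()
```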
Framework of HoPE
SPE-UPE Connection
[Figure: SPE connected to one UPE over a leased line and to another UPE over a tunnel.]
- Through any form of interface/subinterface.
- Through a tunnel interface: MP-BGP can cross multiple hops; when LSPs are used, LDP/RSVP-TE operates on the UPE/SPE.
Framework of HoPE
HoPE Hierarchy
[Figure: the SPE advertises the VRF default route to an MPE, which advertises the VRF default route to its UPEs.]
- The middle-level PE is called an MPE. An SPE can connect with a standalone UPE when connecting with a PE in a hierarchy.
- Endless hierarchies.
Framework of HoPE
Multi-homed UPE
[Figure: a UPE homed to SPE1 and SPE2; each SPE advertises the VRF default route and the UPE advertises VPN1 and VPN2 routes.]
- All the SPEs advertise VRF default routes to the UPE. The UPE selects one default route by preference or selects multiple routes for load sharing.
- The UPE advertises its VPN routes to all the SPEs, or part of the VPN routes to each SPE for load sharing.
Framework of HoPE
SPE Connected with Both UPE and CE
[Figure: SPE connected to both a UPE and a CE of VPN1 Site1.]
- When an SPE is connected with a UPE, it can still be connected to CEs.
- Sites of the same VPN intercommunicate through the SPE.
Framework of HoPE
Back Door Connection between UPEs
[Figure: UPE1 and UPE2 under one SPE, with a direct MP-BGP back door connection between them.]
- A back door connection is established between two UPEs. VPN sites intercommunicate directly through this connection without the help of the SPE.
- A UPE communicates with its peer and they exchange their routes through MP-BGP. UPEs can communicate across a network.
Framework of HoPE
Best Solution
- An SPE and a UPE communicate through only one interface/subinterface, which saves the limited interface resources.
- There is no need to configure on the SPE a VRF that is already configured on the UPE, which minimizes the configuration effort.
- The SPE and UPE exchange routes and advertise labels using the dynamic routing protocol MP-BGP. Each UPE only needs to run MP-BGP with one peer, so the protocol overhead is small and the configuration effort is reduced.
- The SPE and UPE can connect with each other through a tunnel interface, so they can communicate across a network. In particular, this can be an MPLS network, which gives excellent scalability when MPLS VPNs are deployed in tiers.
- The back door connection between UPEs can reduce the load of the SPE. Only one interface/subinterface is needed between UPEs.
- BGP/MPLS VPN can be deployed tier by tier. When the performance of a UPE is insufficient, an SPE can be added and the UPE moved to a lower tier. When the access capability of an SPE becomes insufficient, more UPEs can be added.
Applications of HoPE
Application in Finance/Government Networks
[Figure: three-tier deployment. Province: SPEs (NE80/NE40/NE20/NE20s, NE16/08/05) on the MPLS backbone. City: MPEs (NE08/NE05, R3680). County: UPEs (R3680, R2630).]
Applications of HoPE
Application in MAN
[Figure: MAN deployment. Core (SPE): NE80. Distribution (PE or UPE): NE16/08, S8016, C75XX, C6509. Access (UPE): NE05, R3680.]
Applications of HoPE
Application in Cross-AS MAN-Backbone
[Figure: the ASBR/RR UPE (NE80/40/20, NE16/08) of MAN A and of MAN B advertises all routes in its AS to the backbone ASBR/SPE (NE80), which returns the VRF default route.]
Chapter 3 Internet Connection Solution
[Figure: centralized Internet access. The VPN1 sites (CE2, CE3) reach the Internet through PE1 and the central egress CE1, protected by an Eudemon firewall.]
Advantages: all VPN1 sites use CE1 as the egress, which is convenient for management. This solution is also called centralized access and is widely applied.
Disadvantages: multiple default routes may be added to the VRF instances of the VPN, so packet forwarding through multiple default gateways may not be optimal.
[Figure: distributed Internet access. The VPN1 sites (CE2, CE3) reach the Internet through their local PEs (PE1, PE2, PE3); the PE1 link uses the 61.1.1.0 segment (.1 on PE1, .2 on the CE).]
Advantages: each VPN site can access the Internet through the local PE, which facilitates management. This solution is also called distributed access.
Disadvantages: the network segment of the CE is broadcast into the public network, so security cannot be assured. NAT configuration is needed on the CE.
[Figure: VPN1 sites CE2 and CE3 connected to PE1 through subinterfaces.]
Features: CE and PE are connected through subinterfaces. One subinterface is responsible for VPN communication and the other for public network access.
Chapter 4 Multi-Role Host Technology
- PE selection modes:
  - L2TP accessing PE
  - PPPoE accessing PE
  - Mapping between 802.1X and VPN
  - VLAN+Web
[Figure: Radius/CAMS authentication server and PE.]
- Typical application of MPLS VPN access: an L2TP adapter can take the place of a real network adapter.
- Dynamic VPN selection is implemented through the L2TP authentication mechanism.
Shared server VRF
[Figure: a multi-purpose server in its own VRF on the PE, shared by several MPLS VPNs. Configure a VRF for the multi-purpose server and configure a firewall to protect the server.]
- Multiple VPNs share a server, with a fixed position and fixed role.
- Configure a private VRF for the multi-purpose server to exchange routes with the multiple VPNs.
- The IP address of the multi-purpose server is globally unique.
- Enhance protection for the server.
Summary
- multi-role host technologies are very useful extensions to MPLS and solve many problems in current networks.
- We must understand these technologies.
Thank You
www.huawei.com