MPLS VPN Technology Basics

Mitrabh Shukla
National IP Manager

Agenda
VPN Concepts
Terminology
VPN Connection model
Forwarding Example
VPN Topologies

For internal use


2
Nokia Siemens Networks

MPLS / Mitrabh Shukla

What is an MPLS-VPN?
An IP network infrastructure delivering private network services over a public infrastructure
Uses a layer 3 backbone
Scalability, easy provisioning
Global as well as non-unique private address space
QoS
Controlled access
Easy configuration for customers


VPN Models
There are two basic types of design models that deliver VPN functionality:
  Overlay Model
  Peer Model


The Overlay model
Private trunks over a TELCO/SP shared infrastructure:
  Leased/Dialup lines
  FR/ATM circuits
  IP (GRE) tunnelling
Transparency between provider and customer networks
Optimal routing requires a full mesh over the backbone


The Peer model
Both provider and customer network use the same network protocol and control plane
CE and PE routers have a routing adjacency at each site
All provider routers hold the full routing information about all customer networks
Private addresses are not allowed
May use the virtual router capability:
  Multiple routing and forwarding tables based on Customer Networks


MPLS-VPN = True Peer model
MPLS-VPN is similar in operation to the peer model
Provider Edge routers receive and hold routing information only about the VPNs directly connected to them
  Reduces the amount of routing information a PE router has to store
  Routing information is proportional to the number of VPNs a router is attached to
MPLS is used within the backbone to switch packets (no need for full routing)


MPLS VPN Connection Model
A VPN is a collection of sites sharing common routing information (routing table)
A site can be part of different VPNs
A VPN has to be seen as a community of interest (or Closed User Group)
Multiple Routing/Forwarding instances (VRF) on the PE


MPLS VPN Connection Model
[Diagram: Site-1, Site-2, Site-3 and Site-4 grouped into VPN-A, VPN-B and VPN-C]
A site belonging to different VPNs may or MAY NOT be used as a transit point between VPNs
If two or more VPNs have a common site, address space must be unique among these VPNs

MPLS VPN Connection Model
The VPN backbone is composed of MPLS LSRs:
  PE routers (edge LSRs)
  P routers (core LSRs)
The customer router connecting to the VPN backbone is called the Customer Edge (CE)
PE routers face the CE routers and distribute VPN information through MP-BGP to other PE routers:
  VPN-IPv4 addresses, Extended Community, Label
P routers do not run MP-BGP and do not have any VPN knowledge


MPLS VPN Components
[Diagram: a C Network (Customer Control) with CE routers on each side of the P Network (Provider Control); the provider network consists of PE routers (ELSRs) at the edge and P routers (LSRs) in the core]

PE-CE Routing
[Diagram: CE1 - PE - CE2, with PE-CE routing on each CE-PE link]
PE and CE routers exchange routing information through eBGP, Static, OSPF, ISIS, RIP or EIGRP
The CE router runs standard routing software and is not aware that it is connected to a VPN network


PE-CE routing protocols
Static/BGP are the most scalable
  A single PE router can support 100s or 1000s of CE routers
BGP is the most flexible
  Particularly for multi-homing, but not popular with Enterprises
  Very useful if the Enterprise requires Internet routes
Use the others to meet customer requirements
  OSPF popular with Enterprises but consumes router processes
  EIGRP not popular with Service Providers (Cisco proprietary)
  IS-IS less prevalent in Enterprise environments
  RIPv2 provides very simple functionality

Routing Protocol Contexts
[Diagram: routing processes (BGP, RIP, Static) run within per-VRF routing contexts (BGP 1, BGP, BGP, RIP, RIP), which populate the VRF routing tables and VRF forwarding tables for Site A, Site B and Site C]
Routing processes run within specific routing contexts
Populate specific VPN routing table and FIBs (VRF)
Interfaces are assigned to VRFs

OSPF and Single Routing Instances
[Diagram: one OSPF process per VRF, with VRF routing and forwarding tables for Site A, Site B and Site C]
With OSPF there is a single process per VRF
Same for IS-IS
No routing contexts
Prior to 12.0(27)S and 12.3(4)T a maximum of 28 processes was allowed

Routing Tables
[Diagram: CE1 - PE - CE2 with PE-CE routing on the CE links and a VRF per CE; the VPN Backbone IGP (OSPF, ISIS) populates the Global Routing Table]
PE routers maintain separate routing tables:
Global Routing Table
  All the PE and P routes populated by the VPN backbone IGP (ISIS or OSPF)
VPN Routing and Forwarding Tables (VRF)
  Routing and Forwarding table associated with one or more directly connected sites (CEs)
  VRFs are associated to (sub/virtual/tunnel) interfaces
  Interfaces may share the same VRF if the connected sites may share the same routing information

IGP and label distribution in the backbone
[Diagram: CE1/CE2 - PE1 - P1 - P2 - PE2 - CE3/CE4, with an LFIB (Dest, Next Hop, IN label, OUT label) for PE1, P1, P2 and PE2; for destination PE2 the tables show PE1 sending label 50 to P1, P1 swapping 50 to 34 towards P2, and P2 popping label 34 as the penultimate hop; towards PE1 the tables show labels 39 (PE2 to P2) and 67 (P2 to P1), popped at P1]
All routers (P and PE) run an IGP and a label distribution protocol
Each P and PE router has routes for the backbone nodes, and a label is associated to each route
MPLS forwarding is used within the core

VPN Routing and Forwarding Table
[Diagram: CE1/CE2 - PE1 - P1 - P2 - PE2 - CE3/CE4 with an MP-iBGP session between PE1 and PE2]
Multiple routing tables (VRFs) are used on PEs
  Each VRF contains customer routes
  Customer addresses can overlap
  VPNs are isolated
Multi-Protocol BGP (MP-BGP) is used to propagate these addresses + labels between PE routers only


MPLS VPN Requirements
[Diagram: CE1/CE2 - PE1 - P1 - P2 - PE2 - CE3/CE4 with an MP-iBGP session between PE1 and PE2]
VPN services allow:
  Customers to use overlapping address space
  Isolated customer VPNs (Intranets)
  Joined VPNs (Extranets)
The MPLS-VPN backbone MUST:
  Distinguish between customer addresses
  Forward packets to the correct destination

VPN Address Overlap
[Diagram: CE1/CE2 - PE1 - P1 - P2 - PE2 - CE3/CE4 with an MP-iBGP session between PE1 and PE2]
BGP propagates ONE route per destination
  Standard path selection rules are used
What if two customers use the same address?
  BGP will propagate only one route - PROBLEM !!!
Therefore MP-BGP must DISTINGUISH between customer addresses

VPN Address Overlap
[Diagram: CE1/CE2 - PE1 - P1 - P2 - PE2 - CE3/CE4 with an MP-iBGP session between PE1 and PE2]
When a PE router receives VPN routes from MP-BGP, how do we know which VRF to place the route in?
How do we distinguish overlapping addresses between two VPNs?


Route-Target and Route-Distinguisher
[Diagram: CE1 and CE2 both send an update for X to PE1; over the MP-iBGP session to PE2, PE1 sends two VPN-IPv4 updates, "RD1:X, Next-hop=PE1, RT=RED, Label=10" and "RD2:X, Next-hop=PE1, RT=ORANGE, Label=12"; at PE2 the VPN-IPv4 updates are translated into IPv4 addresses and inserted into the VRF corresponding to the RT value, and update X appears again towards CE3 and CE4]
MP-BGP prepends a Route Distinguisher (RD) to each VPN route in order to make it unique
MP-BGP assigns a Route-Target (RT) to each VPN route to identify the VPN (or CUG) it belongs to
The Route-Target is the colour of the route

Route Propagation through MP-BGP
[Diagram: CE1 and CE2 both send an update for X to PE1; over the MP-iBGP session PE1 sends "RD1:X, Next-hop=PE1, RT=RED, Label=10" and "RD2:X, Next-hop=PE1, RT=ORANGE, Label=12" to PE2, where the VPN-IPv4 updates are translated into IPv4 addresses and inserted into the VRF corresponding to the RT value]
When a PE router receives an MP-BGP VPN route:
  It checks the route-target value against the VRF route-targets
  If they match, the route is inserted into the appropriate VRF
  The label associated with the VPN route is stored and used to send packets towards the destination
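The receive-side logic from the last few slides (one BGP route per destination, the RD making overlapping prefixes unique, the RT selecting the VRF), as an added Python model that is not part of the original deck. The two updates (RD1:X / RT=RED / Label=10 and RD2:X / RT=ORANGE / Label=12, next hop PE1) and the VRF colours are the deck's; the prefix value for X, the import-RT sets on PE2 and the extra BLUE VRF are constructed assumptions.

```python
from collections import namedtuple

# A VPN-IPv4 route as carried by MP-BGP: RD:prefix plus Route-Target and label.
VpnRoute = namedtuple("VpnRoute", "rd prefix next_hop rt label")

# The two updates from the deck's slide: both customers announce the same
# prefix X behind PE1. X itself is constructed here as 10.1.1.0/24.
UPDATES = [
    VpnRoute("RD1", "10.1.1.0/24", "PE1", "RED", 10),
    VpnRoute("RD2", "10.1.1.0/24", "PE1", "ORANGE", 12),
]

# Import policy of the receiving PE (PE2): VRF name -> set of import RTs.
# BLUE matches neither update and must stay empty (VPN isolation).
PE2_IMPORT_RTS = {"RED": {"RED"}, "ORANGE": {"ORANGE"}, "BLUE": {"BLUE"}}


def bgp_best_paths(routes, nlri_key):
    """BGP keeps ONE best path per NLRI. nlri_key decides what counts as the
    same destination: the bare prefix (plain BGP) or (RD, prefix) (VPN-IPv4)."""
    best = {}
    for route in routes:
        best.setdefault(nlri_key(route), route)  # first received wins; real tie-breaks irrelevant here
    return list(best.values())


def import_into_vrfs(routes, import_rts):
    """Place each received VPN route into every VRF whose import RTs contain the
    route's RT (the colour match). Result: {vrf: {prefix: (next_hop, vpn_label)}};
    the label is kept so packets can later be sent towards the egress PE."""
    vrfs = {vrf: {} for vrf in import_rts}
    for route in routes:
        for vrf, rts in import_rts.items():
            if route.rt in rts:
                vrfs[vrf][route.prefix] = (route.next_hop, route.label)
    return vrfs


def pe_receive(updates, import_rts, use_rd=True):
    """What the receiving PE ends up with, with or without Route Distinguishers."""
    key = (lambda r: (r.rd, r.prefix)) if use_rd else (lambda r: r.prefix)
    return import_into_vrfs(bgp_best_paths(updates, key), import_rts)
```

Without the RD only one of the two X routes survives path selection, so one customer's VRF is left empty; with the RD both survive and the RT places each in its own VRF.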

Multi-Protocol BGP
Propagates VPN routing information
  Customer routes are held in VPN Routing and Forwarding tables (VRFs)
Only runs on the Provider Edge
  P routers are not aware of VPNs, only of labels
PEs are fully meshed
  Using Route Reflectors or direct peerings between PE routers


MPLS VPN Protocols
OSPF/IS-IS
  Used as IGP; provides reachability between all Label Switch Routers (PE <-> P <-> PE)
TDP/LDP
  Distributes label information for IP destinations in the core
MP-BGP4
  Used to distribute VPN routing information between PEs
RIPv2/BGP/OSPF/EIGRP/ISIS/Static
  Can be used to route between PE and CE


VPN Components
VRF Tables
  Hold customer routes at the PE
Route-Distinguisher
  Allows MP-BGP to distinguish between identical customer routes that are in different VPNs
Route-Targets
  Used to import and export routes between different VRF tables (creates Intranets and Extranets)
Route-maps
  Allow finer granularity and control over importing/exporting routes between VRFs instead of just using the route-target

MPLS VPN Operation
[Diagram: CE - PE - P - RR - PE - CE across the core; each PE prepends an RD to its customer routes and sends "RD + VPN labels, RTs" via the Route Reflector (RR); the receiving PE checks "= RT?" before importing]
Import routes into a VRF if the route-targets match (export = import)
  Customer routes are placed into separate VRF tables at each PE
IGP (OSPF, ISIS) is used to establish reachability to destination networks
  The Label Distribution Protocol establishes label mappings to IGP addresses
CE-PE dynamic routing (or static routes) populates the VRF routing tables
MP-BGP between PE routers distributes routes between VPNs


MPLS VPN Label Stack
There are at least two labels when using MPLS-VPN
The first label is distributed by TDP/LDP
  Derived from an IGP route
  Corresponds to a PE address (VPN egress point)
  PE addresses are the MP-BGP next-hops of VPN routes
The second label is distributed by MP-BGP
  Corresponds to the actual VPN route
  Identifies the PE outgoing interface or routing table
[Diagram: frame layout: L2 Header (Frame, e.g. HDLC, PPP, Ethernet) | Label 1 | Label 2 | L3 Header | Data]

MPLS VPN Forwarding Example
[Diagram: CE - PE - P - P - PE - CE; the packet path is labelled, in order, with the operations Push VPN Label (Red Route), Push IGP Label (Green PE Router), Swap IGP Label (From LFIB), POP IGP Label (Penultimate Hop), Pop VPN Label (Red Route)]
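The forwarding walk on this slide, combined with the LFIB tables from the backbone slide and the two-label stack, as an added Python model that is not part of the original deck. The IGP labels 50 and 34 follow the deck's LFIB tables on the path PE1 - P1 - P2 - PE2, and the VPN labels 10 (RED) and 12 (ORANGE) follow the deck's VPN-IPv4 updates for prefix X; the table layout, the VRF and CE names and the assumption that both routes egress at PE2 are constructed.

```python
POP = "POP"

# Tables constructed for this example. IGP labels 50 and 34 follow the deck's
# LFIB tables (PE1 -> P1 -> P2 -> PE2); VPN labels 10 (RED) and 12 (ORANGE)
# follow the deck's VPN-IPv4 updates for prefix X. Other names are assumed.
IGP_FIB = {("PE1", "PE2"): (50, "P1")}      # ingress PE: IGP label and next hop to reach PE2
LFIB = {                                    # P routers: keyed on the top label only
    "P1": {50: (34, "P2")},                 # swap 50 -> 34, next hop P2
    "P2": {34: (POP, "PE2")},               # penultimate hop: pop the IGP label
}
VRF_FIB = {                                 # (ingress PE, VRF, prefix) -> (egress PE, VPN label)
    ("PE1", "RED", "X"): ("PE2", 10),
    ("PE1", "ORANGE", "X"): ("PE2", 12),
}
VPN_LABELS = {                              # egress PE: VPN label -> (VRF, outgoing CE)
    ("PE2", 10): ("RED", "CE3"),
    ("PE2", 12): ("ORANGE", "CE4"),
}


def forward(ingress_pe, vrf, prefix):
    """Walk one packet from the ingress PE to the egress CE.

    Returns a list of (router, action, label stack leaving the router, next hop).
    The stack is listed top first: [IGP label, VPN label].
    """
    egress_pe, vpn_label = VRF_FIB[(ingress_pe, vrf, prefix)]
    igp_label, next_hop = IGP_FIB[(ingress_pe, egress_pe)]
    stack = [igp_label, vpn_label]          # push VPN label, then IGP label on top
    trace = [(ingress_pe, "push IGP + VPN label", list(stack), next_hop)]
    router = next_hop
    while router in LFIB:                   # core: P routers never look at the VPN label
        out_label, next_hop = LFIB[router][stack[0]]
        if out_label == POP:
            stack.pop(0)                    # penultimate hop popping
            trace.append((router, "pop IGP label", list(stack), next_hop))
        else:
            stack[0] = out_label
            trace.append((router, "swap IGP label", list(stack), next_hop))
        router = next_hop
    # Egress PE: only the VPN label is left; it selects the VRF / outgoing interface.
    out_vrf, ce = VPN_LABELS[(router, stack.pop(0))]
    trace.append((router, "pop VPN label -> VRF " + out_vrf, list(stack), ce))
    return trace


if __name__ == "__main__":
    for hop in forward("PE1", "RED", "X"):
        print(hop)
```

Both VPNs carry the same prefix X over the same IGP path; only the inner VPN label differs, and it is the egress PE alone that maps it to a VRF and CE.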

Basic Intranet Full Mesh
[Diagram: Finance Site 1, Finance Site 2 and Finance Site 3 (VLAN 205) connected across the MPLS Core; each PE VRF holds the Finance (F) routes of all three sites]
Each site has the routes of all other sites (same VPN)
The CE can be a router or a switch
MP-BGP VPNv4 updates are propagated between PEs
Routing is optimal in the backbone
No site is used as a central point for connectivity

Basic Extranet Partial Mesh
[Diagram: Engineering Site A (EA) and Site B (EB) and Design Site A (DA) and Site B (DB) across the MPLS Core; the Engineering VRFs hold the E routes, the Design VRFs hold the D routes, and the EB and DA VRFs additionally hold each other's routes]
Basic Extranet
  Routes can be imported directly into the corresponding VRF
  NAT may be necessary if the Enterprises have overlapping addressing
Import granularity can be very fine
  A single host address can be imported as an Extranet route

Branch to HQ Hub and Spoke
[Diagram: Bank Branch 1 (S1), Branch 2 (S2) and Branch 3 (S3) and the Central HQ across the MPLS Core, with BGP/OSPF/RIP routing on the CE links; branch routes are exported as "Spoke OUT" and the branch VRFs import the "Hub IN" routes, i.e. the default X and the other branches as re-advertised by the hub (S1h, S2h, S3h); the HQ VRF holds S1, S2, S3 and X; an optional Firewall at the HQ does NAT to X]
Forces all branches through the Central HQ
  Spokes cannot communicate directly
  Appropriate security screening can be applied
  Firewalls can be used with NAT to ensure the correct return path
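The extranet and hub-and-spoke topologies of the last two slides are both just Route-Target import/export policy; the added Python model below (not part of the original deck) computes, from per-VRF export and import RT sets, which sites' routes land in which VRF and checks the two properties the slides claim: EB and DA can reach each other while EA and DA cannot, and every spoke sees only the hub. The RT names (Spoke OUT, Hub IN, E, D) and site names follow the deck; the exact RT-to-VRF assignment is a constructed assumption.

```python
# Site VRFs described as export / import Route-Target sets. Topology and RT
# names follow the deck's hub-and-spoke (Spoke OUT / Hub IN) and extranet
# (Engineering EA/EB, Design DA/DB) slides; the exact policy is assumed.
HUB_AND_SPOKE = {
    "Branch1": {"export": {"SpokeOUT"}, "import": {"HubIN"}},
    "Branch2": {"export": {"SpokeOUT"}, "import": {"HubIN"}},
    "Branch3": {"export": {"SpokeOUT"}, "import": {"HubIN"}},
    "HQ":      {"export": {"HubIN"},    "import": {"SpokeOUT"}},
}
EXTRANET = {
    "EA": {"export": {"E"},       "import": {"E"}},        # Engineering full mesh via RT E
    "EB": {"export": {"E", "EB"}, "import": {"E", "DA"}},  # EB additionally opened to Design A
    "DA": {"export": {"D", "DA"}, "import": {"D", "EB"}},  # DA additionally opened to Engineering B
    "DB": {"export": {"D"},       "import": {"D"}},        # Design full mesh via RT D
}


def reachability(sites):
    """For every site VRF, the set of other sites whose own routes it imports.
    A site's routes carry all of its export RTs; a VRF imports them as soon as
    one of those RTs is in its import set (the colour match on the PE)."""
    return {
        name: {other for other, policy in sites.items()
               if other != name and policy["export"] & sites[name]["import"]}
        for name in sites
    }


def can_talk(reach, a, b):
    """Two-way connectivity needs the route present in both directions."""
    return b in reach[a] and a in reach[b]


def is_hub_and_spoke(sites, hub):
    """True when the hub reaches every spoke and each spoke reaches only the hub,
    so any spoke-to-spoke traffic has to transit (and be screened at) the hub."""
    reach = reachability(sites)
    spokes = set(sites) - {hub}
    return reach[hub] == spokes and all(reach[s] == {hub} for s in spokes)
```

Spoke-to-spoke reachability in the hub-and-spoke case therefore exists only if the hub re-advertises the spoke routes under its own RT, which is where the slide's firewall and NAT sit.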

Per Group Internet Access
[Diagram: Legal, Sales and Marketing VRFs across the MPLS Core with three Internet gateways, Gateway 1 (D1), Gateway 2 (D2) and Gateway 3 (D3); one gateway is Legal only, one serves Sales and Marketing, and one acts as Legal/Sales & Marketing backup]
Choose the appropriate Internet Gateway per group requirements
  Use other gateways as backup in case of failure
Gateways can provide different service attributes/levels:
  Speed of access
  Type of content accessed
  Address translation, if required

VPN with Internet
This example uses a default route only to access the Internet
  If customer addresses are RFC1983 then NAT must be done
  Can be done at the Internet Gateway or at the customer edge
Another model could use a default route pointing to a gateway in the global table
  This assumes that the customer uses registered address space


Enterprise Disaster Recovery
[Diagram: Site 1, Site 2 and Site 3 across the MPLS Core with a Primary Data Centre (LOCALPREF=100) and a Backup Data Centre (LOCALPREF=50); each site VRF holds the data-centre (C) routes]
Disaster recovery can be provided to each site in the Enterprise
  If the Primary site fails, the Backup site takes over with no intervention
  Virtualisation/Mirroring takes place between Primary/Secondary

Carrier Supporting Carrier
[Diagram: customer carrier AS100 with POP 1, POP 2 and POP 3 (routers P1, P2, P3 at each POP, iBGP sessions between the POPs) connected across the provider's MPLS Core; the provider VRFs import/export the customer carrier's IGP routes (P1, P2, P3)]

ISP Backup
[Diagram: two Tier 3 ISPs (AS 17897 and AS 12701, loopback L1 each) connected across the MPLS Core to a primary Internet Gateway (Primary Internet Path, Loopback L2) and a Backup Gateway; the VRFs hold the BGP routes from the Internet Gateway]
