ODC010003 MPLS L3 VPN Principle
ISSUE 1.4
www.huawei.com
VPN Classification

VPN: Virtual Private Network

[Figure: VPN classification tree, reconstructed from the slide]
VPN
  IP-VPN
    CPE-Based VPN
      VPDN
    Network-Based VPN
      VLL
      VPRN
        MPLS/BGP VPN
        VR-VPN
      VPLS
VPN Tunnel

Tunnel: a technique that uses one protocol to carry the packets of another protocol; the tunneling protocol performs the encapsulation. Three protocols are involved: the tunneling protocol itself (for example GRE or L2TP), the carrier (bearer) protocol underneath it that delivers the tunnel packets across the public network (IP), and the passenger protocol carried inside the tunnel (the private site's own packets).
between two pieces of the user's CPE equipment through the edge nodes of the operator.

Virtual Private Dial Network (VPDN): the remote user dials into the public IP network over PSTN/ISDN, and the data packets cross the public network through a tunnel to reach the destination network.
[Figure: GRE tunnel example. Two GRE tunnels run across a public IP network between the customer routers Rt1 and Rt2. The public links use /30 addresses 129.0.0.1/30, 129.0.0.2/30, 129.0.1.1/30, 129.0.1.2/30, 129.0.2.1/30, 129.0.2.2/30, 129.0.3.1/30 and 129.0.3.2/30. Behind the routers the sites HQ1 and HQ2 use private addresses (10.0.0.0/24, 10.0.1.1/24, 10.0.1.2/24), and 10.0.1.0/24 addresses appear on both sides of the public network.]

each network.
- The operator network does not need to know the internal routes of the VPN.
- Different VPNs can use the same address space.
- Forwarding efficiency is low: every packet carries an additional delivery header and GRE header, and encapsulation and decapsulation are done in the tunnel endpoints.
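As an added example (not part of the Huawei slides), the following Python builds and strips the three layers named in the tunnel definition for a GRE tunnel: the carrier IPv4 header, the GRE header and the passenger IPv4 packet. It uses two customers whose sites carry the same private addresses, delivered over two tunnels whose endpoint addresses are hypothetical values taken from the figure, and shows the one check a GRE endpoint must make, since GRE itself authenticates nothing.

```python
import struct
import ipaddress

GRE_PROTO = 47            # IP protocol number of GRE: the tunneling protocol
ETHERTYPE_IPV4 = 0x0800   # GRE protocol type field value for an IPv4 passenger packet


def _checksum(data: bytes) -> int:
    """Internet checksum (one's complement sum) over data; 0 means a header verifies."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_packet(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal IPv4 packet: 20-byte header without options plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes):
    """Return (src, dst, proto, payload) after checking version and header checksum."""
    if pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if _checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    return src, dst, pkt[9], pkt[ihl:]


def gre_encap(passenger: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Carrier header (outer IPv4, proto 47) + 4-byte GRE header + passenger packet."""
    gre_hdr = struct.pack("!HH", 0x0000, ETHERTYPE_IPV4)   # no checksum/key/sequence, version 0
    return ipv4_packet(tunnel_src, tunnel_dst, GRE_PROTO, gre_hdr + passenger)


def gre_decap(pkt: bytes, expected_peer: str) -> bytes:
    """Strip the carrier and GRE headers and return the passenger packet.

    GRE carries no authentication, so the check on the outer source address is the only
    thing stopping anyone who can reach the tunnel endpoint from injecting packets into
    the private network; a real endpoint would additionally filter at the border."""
    src, _dst, proto, payload = parse_ipv4(pkt)
    if proto != GRE_PROTO:
        raise ValueError("not GRE (protocol %d)" % proto)
    if src != expected_peer:
        raise ValueError("GRE packet from unexpected peer %s" % src)
    flags_ver, ptype = struct.unpack("!HH", payload[:4])
    if flags_ver != 0 or ptype != ETHERTYPE_IPV4:
        raise ValueError("unsupported GRE header %04x/%04x" % (flags_ver, ptype))
    return payload[4:]


def injection_rejected(pkt: bytes, expected_peer: str) -> bool:
    """True if gre_decap refuses the packet (shows the peer check at work)."""
    try:
        gre_decap(pkt, expected_peer)
    except ValueError:
        return True
    return False


def demo() -> dict:
    """Two customers who both number their sites 10.0.1.0/24 (constructed sample), each
    carried over its own GRE tunnel; the tunnel endpoint addresses are hypothetical."""
    inner_a = ipv4_packet("10.0.1.1", "10.0.1.2", 1, b"customer A (constructed)")
    inner_b = ipv4_packet("10.0.1.1", "10.0.1.2", 1, b"customer B (constructed)")
    tun_a = gre_encap(inner_a, "129.0.0.1", "129.0.3.2")
    tun_b = gre_encap(inner_b, "129.0.1.1", "129.0.2.2")
    return {
        # the public network routes on the carrier header only and never sees 10.0.1.x
        "public_view": [parse_ipv4(p)[:3] for p in (tun_a, tun_b)],
        "a_intact": gre_decap(tun_a, "129.0.0.1") == inner_a,
        "b_intact": gre_decap(tun_b, "129.0.1.1") == inner_b,
        # customer B's tunnel endpoint must not accept customer A's packets
        "cross_tunnel_rejected": injection_rejected(tun_a, "129.0.1.1"),
        "overhead_bytes": len(tun_a) - len(inner_a),   # 20 (outer IPv4) + 4 (GRE)
    }
```

The 24 bytes added to every packet and the extra work at both endpoints are the "low forwarding efficiency" the slide refers to. The peer check is the bare minimum: without it, any host that can route to the endpoint address can deliver a packet straight into the private network.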
HUAWEI TECHNOLOGIES CO., LTD.
Exercise 1

1. Which VPN technologies belong to layer 3 VPN? (   )
   A. GRE
   B. L2TP
   C. BGP/MPLS
   D. VPLS
[Figure: MPLS/BGP VPN reference topology. Four PE routers on the backbone are connected by iBGP sessions. CEs of VPN_A (sites 10.1.0.0, 11.5.0.0 and 11.6.0.0) and of VPN_B (sites 10.1.0.0, 10.2.0.0 and 10.3.0.0) attach to the PEs; note that 10.1.0.0 is used by both VPN_A and VPN_B.]

CE (Customer Edge Router): the customer's device directly connected to the service provider.
PE (Provider Edge Router): the edge router of the backbone network, connected to the CE.
Question

One PE connects to several CEs that belong to different VPNs,
[Figure: one PE with two attached sites. Site-1 belongs to VPNA and Site-2 to VPNB; the PE keeps a separate VRF for VPNA and a VRF for VPNB in addition to its global routing table.]

PE and CE routers exchange routes via EBGP, RIP or static routes. The CE runs the
Routing table of the public network (global routing table): contains the routes to all PE and P routers, generated by the IGP of the VPN backbone network.
VRF (VPN Routing and Forwarding table): the routing and forwarding tables for one or more directly connected CEs.
VRF Detail

- A VRF can be regarded as a virtual router.
- Two sites attached to the same PE can share a VRF only if they have identical routing requirements, i.e. the same VPN membership and therefore the same forwarding table.
- The routes in a VRF are distributed to the other sites of the VPN (usually attached to other PEs).
[Figure: two Sites, each attached through a CE router to a PE; the PEs are connected across P routers and run iBGP between them.]

The PE router distributes the local VPN route information via the backbone
A VPN-IPv4 address is an 8-byte Route Distinguisher (RD) followed by the 4-byte IPv4 address.

RD structure:
  Type (2 bytes) | Administrator field | Assigned number field
  0              | 2-byte ASN          | 4-byte assigned number
  1              | 4-byte IP address   | 2-byte assigned number
Question

The PEs set up an IBGP session between each other and exchange routing
MBGP

MBGP (Multiprotocol Extensions for BGP-4, RFC 4760) adds two path attributes so that BGP can carry routes of address families other than plain IPv4; VPN-IPv4 routes use AFI 1 with SAFI 128.

MBGP: MP_REACH_NLRI (path attribute type 14) advertises reachable prefixes of an address family together with their next hop.

MBGP: MP_UNREACH_NLRI (path attribute type 15) withdraws prefixes of an address family.
Question

When a PE receives routing information from other PEs
Route Target

The Route Target (RT) attribute is one of the MBGP extended community attributes.
There are two types of RT; the values of the type field are 0x0002 and 0x0102.

RT structure:
  Type (2 bytes) | Administrator field  | Assigned number field
  0x0002         | AS number (2 bytes)  | 4 bytes
  0x0102         | IP address (4 bytes) | 2 bytes
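Added example, not from the slides: a Python encoder and decoder for the two RD types and the two RT types described above, plus the 12-byte VPN-IPv4 address built from an RD and an IPv4 address. It also answers Exercise 2 at the end of the deck in code. The sample values 1:27 and 197.26.15.1 come from the slides; 100:1 and the other numbers are constructed.

```python
import struct
import ipaddress

RD_TYPE_AS2, RD_TYPE_IP = 0, 1            # RD types shown on the slide (RFC 4364)
RT_TYPE_AS2, RT_TYPE_IP = 0x0002, 0x0102  # RT extended community type fields (RFC 4360)


def _split(text: str):
    """'admin:number' -> (admin, number); admin is a 2-byte ASN or a dotted IPv4 address."""
    admin, num = text.rsplit(":", 1)
    return admin, int(num)


def encode_rd(text: str) -> bytes:
    """8-byte RD: type 0 = 2-byte ASN + 4-byte number, type 1 = IPv4 address + 2-byte number."""
    admin, num = _split(text)
    if "." in admin:
        if not 0 <= num <= 0xFFFF:
            raise ValueError("type 1 assigned number must fit in 2 bytes")
        return struct.pack("!H4sH", RD_TYPE_IP, ipaddress.IPv4Address(admin).packed, num)
    asn = int(admin)
    if not 0 <= asn <= 0xFFFF or not 0 <= num <= 0xFFFFFFFF:
        raise ValueError("type 0 needs a 2-byte ASN and a 4-byte assigned number")
    return struct.pack("!HHI", RD_TYPE_AS2, asn, num)


def decode_rd(raw: bytes) -> str:
    if len(raw) != 8:
        raise ValueError("RD is exactly 8 bytes")
    rd_type = struct.unpack("!H", raw[:2])[0]
    if rd_type == RD_TYPE_AS2:
        asn, num = struct.unpack("!HI", raw[2:])
        return "%d:%d" % (asn, num)
    if rd_type == RD_TYPE_IP:
        ip, num = struct.unpack("!4sH", raw[2:])
        return "%s:%d" % (ipaddress.IPv4Address(ip), num)
    raise ValueError("RD type %d not covered here (RFC 4364 also defines type 2)" % rd_type)


def encode_rt(text: str) -> bytes:
    """8-byte RT extended community: same value layout as the RD, different type field."""
    admin, num = _split(text)
    if "." in admin:
        return struct.pack("!H4sH", RT_TYPE_IP, ipaddress.IPv4Address(admin).packed, num)
    return struct.pack("!HHI", RT_TYPE_AS2, int(admin), num)


def decode_rt(raw: bytes) -> str:
    rt_type = struct.unpack("!H", raw[:2])[0]
    if rt_type == RT_TYPE_AS2:
        return "%d:%d" % struct.unpack("!HI", raw[2:])
    if rt_type == RT_TYPE_IP:
        ip, num = struct.unpack("!4sH", raw[2:])
        return "%s:%d" % (ipaddress.IPv4Address(ip), num)
    raise ValueError("not a route target extended community: type 0x%04x" % rt_type)


def vpnv4_address(rd: str, ipv4: str) -> bytes:
    """VPN-IPv4 address = RD (8 bytes) + IPv4 address (4 bytes)."""
    return encode_rd(rd) + ipaddress.IPv4Address(ipv4).packed


def same_prefix_distinct(ipv4: str, rd_a: str, rd_b: str) -> bool:
    """The slides' overlapping-address case: one IPv4 prefix under two RDs yields two
    different VPN-IPv4 addresses, so BGP never treats them as the same route."""
    return vpnv4_address(rd_a, ipv4) != vpnv4_address(rd_b, ipv4)
```

Note that the RD only makes overlapping prefixes distinct inside BGP; it carries no membership meaning. Which VRF a route lands in is decided by the RT alone, which is why the next slides treat the two separately.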
Route Target

RT is used to control (separate) the advertisement of VPN routing information.
There are two sets of Route Target attributes: Export Targets, attached to the routes a PE advertises from a VRF, and Import Targets, which decide which received routes a VRF accepts.
[Figures: intranet and extranet examples drawn with sites 2, 3 and 5. An intranet connects the sites of one VPN; an extranet lets a site be reached from more than one VPN.]
Application of RT

RT Export Targets and Import Targets can each be configured with several values, which gives different topologies (reconstructed from the slide; im = import target, ex = export target):

Traditional mode: every site im:a, ex:a, so all sites of the VPN exchange routes with one another (full mesh).

Hub-spoke mode: each spoke site ex:a, im:b; the hub site im:a, ex:b. Spokes only learn the hub's routes and the hub learns every spoke's routes, so spoke-to-spoke traffic passes through the hub.

Extranet: a VPN A site im:a, ex:a; a VPN B site im:b, ex:c; the shared (extranet) site im:a,c, ex:a,b. The shared site learns the routes of both VPNs and is reachable from both, while the VPN A and VPN B sites still do not see each other.
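To make the three modes concrete, the following added Python (not from the slides) models the MP-iBGP exchange as a pure RT-matching rule between VRFs and then audits which routes crossed a customer boundary. VRF names, prefixes and the targets a, b and c are constructed; the fourth scenario, where one import target is mistyped, shows why import lists deserve review.

```python
from dataclasses import dataclass, field


@dataclass
class VRF:
    name: str
    export_rt: frozenset   # RTs attached to routes this VRF advertises over MP-iBGP
    import_rt: frozenset   # a received route is installed iff it carries one of these
    local: tuple           # prefixes learned from the directly attached CE (constructed)
    table: dict = field(default_factory=dict)   # prefix -> name of the originating VRF


def vrf(name, export, imp, *local) -> VRF:
    return VRF(name, frozenset(export), frozenset(imp), local)


def exchange(vrfs):
    """Model the MP-iBGP exchange: every VRF advertises its local prefixes tagged with its
    export RTs, and every other VRF installs a route iff at least one RT matches its
    import set. A locally learned prefix is kept over an imported one with the same value."""
    updates = [(p, v.name, v.export_rt) for v in vrfs for p in v.local]
    for v in vrfs:
        v.table = {p: v.name for p in v.local}
        for prefix, origin, rts in updates:
            if origin != v.name and rts & v.import_rt and prefix not in v.table:
                v.table[prefix] = origin
    return {v.name: dict(sorted(v.table.items())) for v in vrfs}


def cross_customer(vrfs, customer_of):
    """Audit: routes in a VRF that originate from another customer's VRF. Expected for an
    extranet site, a leak anywhere else. Returns sorted (vrf, prefix, origin) triples."""
    return sorted((v.name, p, o) for v in vrfs for p, o in v.table.items()
                  if customer_of[o] != customer_of[v.name])


def traditional():
    vrfs = [vrf("A1", {"a"}, {"a"}, "10.1.1.0/24"), vrf("A2", {"a"}, {"a"}, "10.1.2.0/24"),
            vrf("B1", {"b"}, {"b"}, "10.1.1.0/24")]   # B1 reuses A1's prefix in another VPN
    return exchange(vrfs), cross_customer(vrfs, {"A1": "A", "A2": "A", "B1": "B"})


def hub_spoke():
    vrfs = [vrf("hub", {"b"}, {"a"}, "10.0.0.0/24"),
            vrf("spoke1", {"a"}, {"b"}, "10.1.0.0/24"), vrf("spoke2", {"a"}, {"b"}, "10.2.0.0/24")]
    return exchange(vrfs), cross_customer(vrfs, {"hub": "A", "spoke1": "A", "spoke2": "A"})


def extranet():
    vrfs = [vrf("A", {"a"}, {"a"}, "10.1.0.0/24"), vrf("B", {"c"}, {"b"}, "10.2.0.0/24"),
            vrf("shared", {"a", "b"}, {"a", "c"}, "10.9.0.0/24")]
    return exchange(vrfs), cross_customer(vrfs, {"A": "A", "B": "B", "shared": "shared"})


def mistyped_import():
    """Traditional mode, but B1's import target was typed as 'a': B1 silently joins VPN A."""
    vrfs = [vrf("A1", {"a"}, {"a"}, "10.1.1.0/24"), vrf("A2", {"a"}, {"a"}, "10.1.2.0/24"),
            vrf("B1", {"b"}, {"a"}, "10.1.1.0/24")]
    return exchange(vrfs), cross_customer(vrfs, {"A1": "A", "A2": "A", "B1": "B"})
```

In the hub-spoke run the spokes only ever see the hub's own prefix; for spoke-to-spoke reachability the hub has to re-advertise the spoke routes under the hub's export target, which the slide does not show and this model does not do.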
Function of RT

[Figure: Site-1 and Site-3 belong to VPN A, Site-2 and Site-4 to VPN B; all are attached to PEs around an MPLS/VPN backbone with a P router in the middle. Over MP-iBGP, Site-1 routes and Site-3 routes are advertised with RT=VPN A, Site-2 routes and Site-4 routes with RT=VPN B. Each PE imports into its VPNA VRF only the routes carrying RT=VPN A (Site1-routes, Site3-routes) and into its VPNB VRF only the routes carrying RT=VPN B (Site2-routes, Site4-routes).]
Question

After the PEs have finished exchanging routing information, Site-3 wants to reach Site-1. The right-hand PE looks up its VRF table, finds that the next hop is the left-hand PE, and forwards the packet to it over MPLS. When the packet arrives at the left-hand PE and the public (transport) MPLS label has been removed, how does that PE know which VPN the packet belongs to, and how does it find the correct next hop?

[Figure: the same four-site topology as on the previous slide, with Site-1 and Site-3 in VPN A and Site-2 and Site-4 in VPN B.]
Multiple labels can be stacked. Each label stack entry is 32 bits: a 20-bit label value, a 3-bit EXP (traffic class) field, a 1-bit bottom-of-stack flag (S, set only on the last entry of the stack) and an 8-bit TTL.

Note that the VPN label must be assigned by the LSR identified in the Next-Hop of the MP_REACH_NLRI attribute, i.e. the PE that originated the VPN-v4 route, because that PE is the one that will interpret the label when the packet arrives.

There are two ways to withdraw the route information (and at the same time release the label binding):
- Advertise a different route (with a new label) for the same destination; the new advertisement replaces the old one.
- Withdraw it explicitly by listing the destination in MP_UNREACH_NLRI.
A VPN-v4 route in an MP-iBGP update carries:
- Next hop: the advertising PE (its loopback address).
- NLRI: the label, followed by the prefix, where the prefix is the 64-bit RD plus the IPv4 prefix.
- Followed by the RT list, carried as Extended Communities attributes (Extended_Communities RT1, Extended_Communities RT2, ...).
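The attribute layout above in code, as an added example that is not part of the slides: it encodes and decodes the MP_REACH_NLRI value for labelled VPN-IPv4 routes in the RFC 4364 format (NLRI length in bits, 3-byte label entry, 8-byte RD, prefix bits) and the Extended Communities list that carries the RTs. Only type-0 RDs and RTs are handled; the RT value 100:1 is a hypothetical stand-in for the slide's symbolic "VPN-A".

```python
import struct
import ipaddress

AFI_IPV4, SAFI_MPLS_VPN = 1, 128   # RFC 4760 AFI / RFC 4364 SAFI for labelled VPN-IPv4 routes
RT_TYPE_AS2 = 0x0002


def rd_bytes(text: str) -> bytes:
    """Type-0 RD only ('asn:number'), enough for the slide's RD 1:27."""
    asn, num = (int(x) for x in text.split(":"))
    return struct.pack("!HHI", 0, asn, num)


def rd_str(raw: bytes) -> str:
    rd_type, asn, num = struct.unpack("!HHI", raw)
    if rd_type != 0:
        raise ValueError("only type-0 RDs are decoded in this example")
    return "%d:%d" % (asn, num)


def encode_mp_reach(next_hop: str, routes) -> bytes:
    """MP_REACH_NLRI value for VPN-IPv4: AFI, SAFI, next-hop length, next hop (an RD of 0
    followed by the PE loopback), a reserved byte, then one labelled NLRI per route.
    routes: iterable of (vpn_label, rd_text, 'a.b.c.d/len')."""
    nh = b"\x00" * 8 + ipaddress.IPv4Address(next_hop).packed
    out = struct.pack("!HBB", AFI_IPV4, SAFI_MPLS_VPN, len(nh)) + nh + b"\x00"
    for label, rd, prefix in routes:
        net = ipaddress.IPv4Network(prefix, strict=False)
        plen = net.prefixlen
        label_entry = ((label << 4) | 1).to_bytes(3, "big")   # 20-bit label, EXP 0, S bit set
        out += bytes([24 + 64 + plen]) + label_entry + rd_bytes(rd)
        out += net.network_address.packed[:(plen + 7) // 8]   # prefix bits, byte-padded
    return out


def decode_mp_reach(data: bytes):
    """Inverse of encode_mp_reach: returns (next_hop, [(label, rd, prefix), ...])."""
    afi, safi, nhlen = struct.unpack("!HBB", data[:4])
    if (afi, safi, nhlen) != (AFI_IPV4, SAFI_MPLS_VPN, 12):
        raise ValueError("not a VPN-IPv4 MP_REACH_NLRI")
    next_hop = str(ipaddress.IPv4Address(data[12:16]))   # last 4 bytes of the 12-byte next hop
    pos, routes = 17, []                                  # 4 + 12 + reserved byte
    while pos < len(data):
        bits = data[pos]
        label = int.from_bytes(data[pos + 1:pos + 4], "big") >> 4
        rd = rd_str(data[pos + 4:pos + 12])
        plen = bits - 24 - 64
        n = (plen + 7) // 8
        addr = ipaddress.IPv4Address(data[pos + 12:pos + 12 + n] + b"\x00" * (4 - n))
        routes.append((label, rd, "%s/%d" % (addr, plen)))
        pos += 12 + n
    return next_hop, routes


def encode_rt_list(rts) -> bytes:
    """Extended Communities attribute value: one 8-byte type-0x0002 RT per 'asn:number'."""
    return b"".join(struct.pack("!HHI", RT_TYPE_AS2, int(a), int(n))
                    for a, n in (rt.split(":") for rt in rts))


def decode_rt_list(raw: bytes):
    return ["%d:%d" % struct.unpack("!HI", raw[i + 2:i + 8])
            for i in range(0, len(raw), 8) if struct.unpack("!H", raw[i:i + 2])[0] == RT_TYPE_AS2]


def slide_update():
    """The update on the slide: RD 1:27, 149.27.2.0/24, NH 197.26.15.1, label 28; the RT
    'VPN-A' is written symbolically there, so 100:1 is used here as a hypothetical value."""
    reach = encode_mp_reach("197.26.15.1", [(28, "1:27", "149.27.2.0/24")])
    comms = encode_rt_list(["100:1"])
    return decode_mp_reach(reach), decode_rt_list(comms), reach
```

The length byte counts the label and the RD as well as the prefix (24 + 64 + 24 = 112 bits for a /24), which is why a VPN-IPv4 NLRI for a /24 occupies 15 bytes rather than the 4 of a plain IPv4 NLRI; a decoder that forgets this mis-parses every following route.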
[Figure: PE-1 in Beijing (with CE-1) sends a VPN-v4 update to the PE in Shanghai (with CE-2): RD 1:27, prefix 149.27.2.0/24, Next-hop=PE-1, RT=VPN-A, Label=28.]

Importing a VRF route into MP-iBGP: the PE router converts the route received from the CE (held in the VRF routing table) into a VPN-v4 route, prepends the RD and attaches the RT according to the configuration, changes the next hop to itself (its loopback address), assigns the VPN label (on this platform based on the interface), and finally sends the MP-iBGP update to all PE neighbours.
[Figure: the same VPN-v4 update (RD 1:27:149.27.2.0/24, Next-hop=PE-1, RT=VPN-A, Label=28) arriving at the Shanghai PE, whose VRF configuration on the slide reads:
  ip vrf VPN-B
    vpn-target import VPN-A
]

the packet.
When receiving MP-iBGP VPN-IPv4 updates, the receiving PE checks whether an RT carried by the route (the sender's export target) equals an import target of a local VRF. If yes, the route is added to that VRF's routing table; otherwise it is discarded. Because VPN membership is decided purely by this RT match, an import target entered in the wrong VRF silently joins that VRF to another customer's VPN, so import lists deserve a check whenever a VRF is provisioned.
[Figure: after the exchange. Site-1 & Site-2 routes are advertised across the MPLS/VPN backbone over MP-iBGP with RT=VPN-A, and every PE serving VPN A (Site-1 to Site-4, with the P router in the middle) ends up holding Site-1, Site-2, Site-3 and Site-4 routes in its VPN A VRF.]
[Figures (three slides): label distribution and forwarding for 149.27.2.0/24 (the Beijing site) seen from the Shanghai side. PE-1 is the Beijing PE, loopback 197.26.15.1/32.

Label distribution for the FEC 197.26.15.1/32:
  Router        FEC              In label        Out label
  Shanghai PE   197.26.15.1/32   -               41
  P router      197.26.15.1/32   41              POP
  PE-1          197.26.15.1/32   implicit-null   -
PE-1 uses label implicit-null for its own destination 197.26.15.1/32, so the P router pops the outer label instead of swapping it (penultimate hop popping).

VPN route in the Shanghai PE's VPN-A VRF, learned from the VPN-v4 update (RD 1:27:149.27.2.0/24, NH=197.26.15.1, RT=VPN-A, Label=28):
  149.27.2.0/24, NH=197.26.15.1, Label=(28)

Forwarding a packet for 149.27.2.27 from Shanghai to Beijing:
  Shanghai PE pushes the VPN label 28 and then the transport label 41:  [41][28] 149.27.2.27
  P router pops 41 (implicit-null):                                     [28] 149.27.2.27
  PE-1 finds In label 28 (V) in its VRF VPN-A (149.27.2.0/24, NH=beijing CE), removes it and forwards the plain IP packet towards 149.27.2.27.
]
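An added Python walk-through (not part of the slides) of the figures above: it packs label stack entries with the 20/3/1/8-bit layout, builds the [41][28] stack at the Shanghai PE, pops the transport label at the P router because PE-1 advertised implicit-null, and resolves label 28 to VRF VPN-A at PE-1. The tables are the ones in the figures; the payload is constructed and TTL processing is left out.

```python
import ipaddress

IMPLICIT_NULL = 3   # reserved label (RFC 3032): "pop, do not swap", i.e. penultimate hop popping


def pack_label(label: int, exp: int = 0, bos: int = 0, ttl: int = 64) -> bytes:
    """32-bit label stack entry: 20-bit label | 3-bit EXP | 1-bit S (bottom of stack) | 8-bit TTL."""
    if not 0 <= label < 1 << 20:
        raise ValueError("label must fit in 20 bits")
    return ((label << 12) | (exp << 9) | (bos << 8) | ttl).to_bytes(4, "big")


def unpack_label(entry: bytes):
    v = int.from_bytes(entry, "big")
    return v >> 12, (v >> 9) & 7, (v >> 8) & 1, v & 0xFF


def push_stack(labels, payload: bytes) -> bytes:
    """labels[0] becomes the outermost entry; only the last entry carries S=1."""
    last = len(labels) - 1
    return b"".join(pack_label(l, bos=int(i == last)) for i, l in enumerate(labels)) + payload


def read_stack(pkt: bytes):
    """Walk entries until the S bit is set; returns (labels, payload)."""
    labels, pos = [], 0
    while True:
        label, _exp, s, _ttl = unpack_label(pkt[pos:pos + 4])
        labels.append(label)
        pos += 4
        if s:
            return labels, pkt[pos:]


def ingress_pe(vrf_table, transport_fib, dst_ip: str, payload: bytes) -> bytes:
    """Ingress PE: the VRF lookup gives (BGP next hop, VPN label); the LDP label for the
    next hop's /32 goes on top. No transport label is pushed when the next hop itself
    advertised implicit-null (directly connected PEs)."""
    for prefix, (nh, vpn_label) in vrf_table.items():
        if ipaddress.ip_address(dst_ip) in ipaddress.ip_network(prefix):
            transport = transport_fib[nh]
            labels = [vpn_label] if transport == IMPLICIT_NULL else [transport, vpn_label]
            return push_stack(labels, payload)
    raise LookupError("no VRF route for %s" % dst_ip)


def p_router(lfib, pkt: bytes) -> bytes:
    """P router: acts on the top label only (swap, or pop when the downstream LSR advertised
    implicit-null). It never looks at the VPN label underneath. TTL handling is omitted."""
    labels, payload = read_stack(pkt)
    out = lfib[labels[0]]
    rest = labels[1:] if out == IMPLICIT_NULL else [out] + labels[1:]
    return push_stack(rest, payload) if rest else payload


def egress_pe(vpn_label_table, pkt: bytes):
    """Egress PE: after PHP the remaining label is the VPN label this PE allocated itself;
    it selects the VRF (and so the outgoing CE), not a FEC. Returns (vrf_name, ip_packet)."""
    labels, payload = read_stack(pkt)
    if len(labels) != 1:
        raise ValueError("expected exactly the VPN label, got %s" % labels)
    if labels[0] not in vpn_label_table:
        raise ValueError("label %d was not allocated by this PE" % labels[0])
    return vpn_label_table[labels[0]], payload


def trace(dst_ip: str = "149.27.2.27") -> dict:
    """Shanghai PE -> P -> PE-1 (Beijing, loopback 197.26.15.1) with the slide's labels."""
    payload = b"IPv4 packet for %s (constructed)" % dst_ip.encode()
    shanghai_vrf_a = {"149.27.2.0/24": ("197.26.15.1", 28)}   # from the VPN-v4 update
    shanghai_ldp = {"197.26.15.1": 41}                        # LDP: FEC 197.26.15.1/32 -> 41
    p_lfib = {41: IMPLICIT_NULL}                              # PE-1 advertised implicit-null
    pe1_vpn_labels = {28: "VPN-A"}                            # label 28 allocated for VRF VPN-A
    on_wire = ingress_pe(shanghai_vrf_a, shanghai_ldp, dst_ip, payload)
    after_p = p_router(p_lfib, on_wire)
    vrf, delivered = egress_pe(pe1_vpn_labels, after_p)
    return {"shanghai_to_p": read_stack(on_wire)[0], "p_to_pe1": read_stack(after_p)[0],
            "vrf": vrf, "intact": delivered == payload}
```

The egress step is also the security boundary of the design: PE-1 trusts that any packet arriving from the core with label 28 belongs to VPN-A, so the backbone must never accept labelled packets on CE-facing interfaces or from untrusted peers, otherwise a VRF could be selected simply by guessing a label.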
[Figures (three slides): the same process in a second topology. CE A1 and CE A2 are VPN A sites, CE B1 and CE B2 are VPN B sites; PE-A and PE-C are the PEs, with the P router PB between them; PE-C's loopback is 1.1.1.1/32.
- Route distribution: CE A2 is attached to PE-C, which sends the VPN-v4 update RD 1:27:149.27.2.0/24, Next-hop=PE-C, RT=VPN-A, Label=(28) to PE-A. PE-A installs 149.27.2.0/24 in its VPN A VRF with NH: PE-C and Out label 28; PE-C keeps IN label 28 for 149.27.2.0/24 with NH: CE A2. PE-A then advertises 149.27.2.0/24 to CE A1 by BGP, OSPF or RIPv2 with NH=PE-A.
- Transport labels: via the IGP and label distribution, PE-A has 1.1.1.1/32 out 20, and PB has In 20, 1.1.1.1/32, out 3 (label 3 is implicit-null, so PB pops).
- Forwarding: CE A1 pings 149.27.2.1. PE-A pushes [20][28]; PB pops 20 and sends [28] to PE-C; PE-C maps IN 28 to VPN A and forwards the packet to CE A2.]
Exercise 2

1. Describe the structure of the RD and the RT.
Summary

- VPN Classification
- MPLS L3 VPN Label Distribution
- MPLS L3 VPN Forwarding Process