MPLS-VPN
• Layer 1 VPN
• Sold by service providers in the form of Layer 1 circuits
– ISDN
– Digital Service hierarchy (DS0, DS1, etc.)
– SONET (Synchronous Optical Network)
Rick Graziani graziani@cabrillo.edu 7
Layer 2 Overlay
• Layer 2 VPN
• What most IT people think of as traditional WAN service
– X.25
– Frame Relay
– ATM
• Leaves higher-level services to the customer’s discretion
• Hub-and-spoke topology is common
– Routing updates sent over VCs
– Disadvantage: Hub is a single point of failure, using dial backup
Layer 3 Overlay VPNs
• Although the local loop has not changed, the essence of the network
has.
• The provider is now part of the customer routing infrastructure.
• The network is more flexible and resilient because it is an extension
of the customer’s routing infrastructure.
• Each customer’s routing information is kept securely separate from
every other customer’s routing information.
• Penultimate hop pop (PHP) – The final P router in the P network pops
the label prior to the arrival at the egress PE router.
• Route distinguisher (RD) – A 64 bit identifier prepended to an IPv4
address to make it a globally unique VPNv4 address.
• Route target (RT) – An attribute appended to a VPNv4 BGP route to
indicate VPN membership.
• Virtual routing and forwarding (VRF) table – A customer specific
routing table instance.
• CE router is a router.
– Runs an IGP (OSPF, EIGRP, IS-IS, etc.)
– Not MPLS aware
– Does not participate in MPLS
• PE router
– Similar to a typical PoP
– Relatively high end router (Cisco 7200VXR)
– Each customer is assigned its own RD and VRF table dedicated to
maintaining routing information
– Routing across backbone is performed by another routing process
using a global IP routing table.
– Single router, but runs multiple instances of a routing protocol (IGP),
one for each customer.
– Multiple instances of IGP are redistributed into global routing table.
PE Router
• BGP is the only real protocol of choice for the provider because of its scalability.
• Very large routing tables
– Number of prefixes advertised by each customer
– P network routes
• BGP neighbor relationships are configured between PE routers directly
so that prefixes can be exchanged for a given customer.
• The global IP routing table in the P network need not actually carry
any of the actual customer routes.
• P Router
– Do not carry VPN routes
– Provide transport for traffic between PEs
– Run IGP
– Carry only P network routing information in their routing tables
– Interface with PE routers to facilitate the transport of BGP peering
information to remote PE routers.
– Participate in LDP
[Figure: PE routers at the edge and P routers in the core share the VPN backbone IGP; an MP-iBGP session runs between the PE routers.]
PE Routers
• Edge routers
• Use MPLS with P routers
• Use IP with CE routers
• Connect to both CE and P routers
• Distribute VPN information through MP-BGP to other PE routers with
VPN-IPv4 addresses, extended community, label
P Routers
• P routers are in the core of the MPLS cloud
• P routers do not need to run BGP and do not need to have any VPN knowledge
• Forward packets by looking at labels
• P and PE routers share a common IGP
[Figure: CE routers in VPN 1 and VPN 2 connect to the PE router using EBGP, OSPF, RIPv2, or static routes; the MPLS backbone runs an IGP (OSPF, ISIS). The PE holds VRF Green and VRF Blue.]
• What’s a VRF ?
• Associates to one or more interfaces on PE
– Privatize an interface i.e., coloring of the interface
• Has its own routing table and forwarding table (CEF)
• VRF has its own instance for the routing protocol
– (static, RIP, BGP, EIGRP, OSPF)
• CE router runs standard routing software
Conclusion:
BGP is used to exchange customer routes directly between PE routers.
Propagation of Routing Information Across the P-Network (Cont.)
Let’s Discuss:
• Route Distinguisher (RD); VPNv4 route
• Route Target (RT)
• Label
MPLS VPN Control Plane
MP-BGP Update Components: VPNv4 Address
• Route-target (RT): Identifies the VRF for the received VPNv4 prefix. It
is an 8-byte extended community (a BGP attribute)
• Each VRF is configured with RT(s) at the PE
– RT helps to color the prefix
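The RD and RT definitions above, worked through as an added example that is not part of the original slides: two customers reuse 10.1.1.0/24, the RD keeps their VPNv4 addresses distinct, and the import RT decides which VRF receives each route. The AS number 65000, the RD/RT numbers, PE-3, label 200 and the function names are constructed for illustration.

```python
import ipaddress
import struct

def rd(asn, num):
    # Type-0 RD: 2-byte type (0), 2-byte ASN, 4-byte assigned number = 64 bits
    return struct.pack("!HHI", 0, asn, num)

def rt(asn, num):
    # Route-target extended community: type 0x00, sub-type 0x02, ASN, number = 8 bytes
    return struct.pack("!BBHI", 0x00, 0x02, asn, num)

def vpnv4(rd_bytes, prefix):
    # 64-bit RD prepended to the 32-bit IPv4 network address = 96-bit VPNv4 address
    return rd_bytes + ipaddress.ip_network(prefix).network_address.packed

# Constructed sample values: both customers use the same RFC 1918 prefix.
GREEN_RT, BLUE_RT = rt(65000, 1), rt(65000, 2)
UPDATES = [
    {"customer": "Green", "nlri": vpnv4(rd(65000, 1), "10.1.1.0/24"),
     "rts": {GREEN_RT}, "next_hop": "PE-1", "label": 100},
    {"customer": "Blue", "nlri": vpnv4(rd(65000, 2), "10.1.1.0/24"),
     "rts": {BLUE_RT}, "next_hop": "PE-3", "label": 200},
]

def import_into_vrfs(updates, vrf_import_rts):
    """Install each update into every VRF whose import RT set intersects its RTs."""
    tables = {vrf: [] for vrf in vrf_import_rts}
    for u in updates:
        for vrf, wanted in vrf_import_rts.items():
            if wanted & u["rts"]:
                tables[vrf].append(u)
    return tables

def cross_customer_imports(tables):
    """Audit: (vrf, customer) pairs where a VRF holds another customer's route.
    Assumes each VRF is named after the customer that owns it."""
    return sorted((vrf, u["customer"]) for vrf, routes in tables.items()
                  for u in routes if u["customer"] != vrf)

GOOD_POLICY = {"Green": {GREEN_RT}, "Blue": {BLUE_RT}}
# Misconfiguration: Blue's VRF also imports Green's route target.
BAD_POLICY = {"Green": {GREEN_RT}, "Blue": {BLUE_RT, GREEN_RT}}

if __name__ == "__main__":
    print(cross_customer_imports(import_into_vrfs(UPDATES, GOOD_POLICY)))
    print(cross_customer_imports(import_into_vrfs(UPDATES, BAD_POLICY)))
```

The audit function shows why RT import lists are the setting to review when checking customer separation: one extra import RT places another customer's routes in the VRF.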
[Figure: MPLS backbone with Site 1 (CE1, 10.1.1.0/24) and Site 2 (CE2) attached to PE1 and PE2 through P routers. Labels in the figure: 10.1.1.0/24, Next-Hop=CE-1; RD:10.1.1.0, Next-Hop=PE-1, RT=Green, Label=100; 10.1.1.0/24, Next-Hop=PE-2.]
[Figure: MPLS backbone; the packet to 10.1.1.1 is shown with label 100, with labels 50 and 100, and with labels 25 and 100.]
– Overview
– VPN Packet Forwarding Across an MPLS VPN Backbone
– VPN Penultimate Hop Popping
– VPN Label Propagation
– MPLS VPN and Label Propagation
– MPLS VPN and Packet Forwarding
Question: How will the PE routers forward the VPN packets across the
MPLS VPN backbone?
Answer #1: They will label the VPN packets with an LDP label for the egress
PE router and forward the labeled packets across the MPLS backbone.
Results:
• The P routers perform the label switching, and the packet reaches the
egress PE router.
• However, the egress PE router does not know which VRF to use for packet
switching, so the packet is dropped.
(Remember, customers may be using RFC 1918 addresses.)
• How about using a label stack?
VPN Packet Forwarding Across an MPLS VPN Backbone (Cont.)
Question: How will the PE routers forward the VPN packets across the
MPLS VPN backbone?
Answer #2: They will label the VPN packets with a label stack, using:
1. the LDP label for the egress PE router as the top label, and
2. the VPN label assigned by the egress PE router as the second label
in the stack.
Result:
• The P routers perform label switching, and the packet reaches the egress
PE router.
• The egress PE router performs a lookup on the VPN label and forwards the packet
toward the CE router.
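Answer #1 and Answer #2 side by side, as an added example that is not part of the original slides: the same packet is sent with only an LDP label and then with a two-label stack. Router names, the label tables and the function names are constructed; 100 is used as the VPN label and 25 and 50 as LDP labels.

```python
# Constructed label tables. P routers only know LDP labels toward the egress PE.
P_LFIB = {
    "P1": {25: ("swap", 50, "P2")},
    "P2": {50: ("pop", None, "PE1")},   # penultimate hop pops the LDP label
}
# Egress PE: VPN label -> (VRF, next-hop CE)
EGRESS_VPN_LABELS = {100: ("VRF Green", "CE1")}

def ingress_push(dst_ip, ldp_label, vpn_label=None):
    """Ingress PE builds the stack; index 0 is the top label."""
    stack = [ldp_label] + ([vpn_label] if vpn_label is not None else [])
    return {"stack": stack, "dst": dst_ip}

def p_forward(packet, first_hop="P1"):
    """P routers switch on the top label only; they never read the VPN label."""
    hop, trace = first_hop, []
    while hop in P_LFIB:
        action, new_label, next_hop = P_LFIB[hop][packet["stack"][0]]
        if action == "swap":
            packet["stack"][0] = new_label
        else:                            # penultimate hop pop
            packet["stack"].pop(0)
        trace.append((hop, action, list(packet["stack"])))
        hop = next_hop
    return packet, trace

def egress_lookup(packet):
    """Egress PE: the remaining label selects the VRF; without one, drop."""
    if not packet["stack"]:
        return ("drop", "no VPN label, VRF unknown")
    entry = EGRESS_VPN_LABELS.get(packet["stack"][0])
    if entry is None:
        return ("drop", "unknown VPN label")
    return ("forward",) + entry

def send(dst_ip, vpn_label):
    """Send one packet across the backbone; returns (per-hop trace, egress decision)."""
    packet, trace = p_forward(ingress_push(dst_ip, 25, vpn_label))
    return trace, egress_lookup(packet)

if __name__ == "__main__":
    print(send("10.1.1.1", None))   # Answer #1: LDP label only
    print(send("10.1.1.1", 100))    # Answer #2: LDP label over VPN label
```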
• Configure CEF.
• Configure MPLS on a frame mode interface.
• (Optional) Configure the MTU size in label switching.
Router(config)#
ip cef [distributed]
Router(config-if)#
ip route-cache cef
Router#
show ip cef detail
Parameter – Description
• Network – (Optional) Displays the FIB entry for the specified destination network
• Mask – (Optional) Displays the FIB entry for the specified destination network and mask
• Longer-prefixes – (Optional) Displays the FIB entries for all the specific destinations
• type number – (Optional) Lists the interface type and number for which to display FIB entries
Router(config-if)#
mpls label protocol [tdp | ldp | both]
Router(config-if)#
mpls mtu bytes