CETTM MTNL
MPLS L3 VPN
MODULE ID: TMPLL3V001
Topics Covered
Introduction to VPN
VPN Implementations
VPN Classification
MPLS Layer 3 VPN
L3 VPN Forwarding
Case Study
What is a VPN
VPN - VIRTUAL PRIVATE NETWORK
Provides secure communications between internal networks over a public network.
Commonly used to connect company branch offices, business partners and company mobile users.
VPN requirements:
Opaque transport of data, even non-IP protocols
Security of data: avoid modification, spoofing, snooping
QoS guarantee for bandwidth and latency
VPN Implementations
Remote Access VPNs: for telecommuters, mobile users
Site-to-Site VPNs: for business intranets, extranets
Remote Access VPN
[Figure: telecommuters and mobile users (DSL, cable) reach the central site router across the Internet through provider POPs, using a remote access client.]
Extension of classic dial-up.
Site-to-Site VPN
[Figure: central site and remote site connected across the Internet through provider POP routers (DSL, cable); Intranet: business-to-business; Extranet: consumer-to-business.]
Extension of classic WAN.
VPN Classification
VPNs span a variety of technologies and topologies. They can be classified by:
The business problem a VPN is trying to solve: Intranet / Extranet / Remote
The layer at which the service provider exchanges topology information with the customer: Layer 2 / Layer 3
Operation mode: CPE based / network provider based
The topology of the network: full mesh / partial mesh
Networking model: VPDN / VLL / VPLS / VPRN
Intranet VPN
Each site belongs to only one VPN: Intranet.
[Figure: sites A, B and C form one VPN; sites X, Y and Z form another.]
Extranet VPN
A site may belong to multiple VPNs.
[Figure: sites 1 to 5 grouped into an Intranet VPN and an Extranet VPN, with a site belonging to both.]
VPN Classification
[Figure: classification tree. VPN splits into CPE-based VPN and Network-based VPN (Provider VPN); Network-based VPN -> IP-VPN -> VLL, VPLS, VPRN; VPRN -> MPLS/BGP VPN, VR-VPN.]
VPN Classification - 1
IP-VPN: service emulation of dedicated-line services over an IP network (including the public Internet and private IP backbone networks).
Network-Based IP-VPN: the VPN service is provided from a network built and operated by an operator (the user is also allowed to perform certain service management and control), and the functional features are implemented centrally in the network-side equipment.
Tunnel: a technology that uses one protocol to carry another protocol. It provides isolation between networks and between protocols. A tunnel is built with a tunneling protocol.
VPN Classification - 2
Virtual Leased Line (VLL): provides a point-to-point connection service between two pieces of user CPE equipment.
Virtual Private Dial Network (VPDN): the remote user dials into the public IP network via PSTN/ISDN, and the data packets cross the public network through a tunnel to the destination network.
Virtual Private LAN Service (VPLS): a virtual method of establishing a LAN over public IP resources. Forwarding is based on the MAC layer, so it is completely transparent to the network layer protocol.
Virtual Private Routed Network (VPRN): an emulation of multi-site wide-area routed network services over the public IP network; VPN data packets are forwarded at the network layer.
Constructing VPN via Tunnel
[Figure: HQ1 and HQ2 (private networks 10.0.0.0/24 and 10.0.1.0/24) are connected by routers RT1 and RT2 across a public IP network (point-to-point links 129.0.0.0/30 to 129.0.3.0/30) using two GRE tunnels.]
CPE based VPN: the operator is not involved in VPN setup; the forwarding efficiency is low.
VPN Tunnels
The mechanism of a tunnel is to use one protocol to encapsulate packets of another protocol.
Some tunnelling protocols:
PPTP - Point to Point Tunneling Protocol
L2TP - Layer 2 Tunnel Protocol
GRE - Generic Routing Encapsulation
IPSec - IP Security Protocol
In MPLS, the LSP is the tunnel.
MPLS VPN Network Structure
Network based VPN: also called PPVPN (Provider Provisioned VPN).
[Figure: MPLS VPN domain connecting customer sites that use the prefixes 10.2.2.0/24, 192.168.1.0/24, 10.2.4.0/24 and 10.2.6.0/24.]
VPN Terminology
VPNs contain the following types of network devices:
Provider edge (PE) routers: PE routers connect CE devices and support VPN and label functionality.
Provider (P) routers: the core of the provider's network; they support MPLS and are not connected to any customer site.
Customer edge (CE) devices: CE devices are typically IP routers connected to PE routers. The CE routers have no special configuration requirements for VPNs.
Characteristics of MPLS VPN
All the construction, connection and management work of the VPN is implemented on the PE.
Network configuration is simple.
The existing routing protocol can be used directly without any change.
The MPLS VPN network features good expandability.
VPN with QoS and TE can be implemented.
MPLS Based VPNs
MPLS based Layer 3 VPNs: the provider's router participates in the customer's Layer 3 routing. CPE routers advertise their routes to the provider. The provider router manages VPN-specific routing tables and distributes routes to remote sites.
MPLS based Layer 2 VPNs: the provider delivers Layer 2 circuits to the customer, one for each remote site. The customer maps their Layer 3 routing to the circuit mesh. Customer routes are transparent to the provider.
Layer 3 VPN Overview
Layer 3 VPNs are based on RFC 2547bis. A Layer 3 VPN is a set of sites spread across the public infrastructure that share common routing information; their connectivity is controlled by a collection of policies.
Also known as BGP/MPLS VPNs, because BGP is used to distribute VPN routing information (VPN labels) across the provider's backbone and MPLS is used to forward VPN traffic across the backbone to remote VPN sites.
MPLS Layer 3 VPN
[Figure: VPN A (Blue VPN) and VPN B (Red VPN) sites attach through customer edge routers (CE) to provider edge routers (PE) at the edge of an MPLS core of provider routers (P).]
Customer routes are exchanged via the MPLS network; customer data is transported over an MPLS LSP.
Overlapping Address Spaces
[Figure: VPN A sites 1, 2 and 3 (CEA1, CEA2, CEA3) and VPN B sites 1, 2 and 3 (CEB1, CEB2, CEB3) attached to PE 1, PE 2 and PE 3 across a core of P routers; each VPN's sites use 10.1/16, 10.2/16 and 10.3/16.]
The sites within VPN A and VPN B use the same address spaces 10.1.0.0/16, 10.2.0.0/16, and 10.3.0.0/16 for their private networks.
Solution for Overlapping Addresses: Route Distinguisher
[Figure: same topology as the previous slide; BGP carries the two overlapping 10.1/16 routes as 10458:22:10.1/16 and 10458:23:10.1/16.]
Modify the IPv4 address: in BGP, 10.1/16 from two different VPNs is carried as 10458:22:10.1/16 and 10458:23:10.1/16.
VPN-IPv4 Address Family
A Route Distinguisher (RD) is prefixed to each address from a particular VPN site.
The 8-byte RD (VPN identifier) disambiguates overlapping IPv4 addresses.
The new address family is called the VPN-IPv4 address family. These addresses are distributed to other VPN sites using Multi-Protocol Border Gateway Protocol (MP-BGP).
The original standard address family is IPv4. The VPNv4 address family mainly serves to transfer VPN routes between PE routers.
VPN-IPv4 address = Route Distinguisher (8 bytes) | IPv4 address
MPLS/VPN RD
RD format:
16-bit Autonomous System Number (ASN) : 32-bit user-defined number, e.g. 100:1 (mostly used)
32-bit IP address : 16-bit customized number, e.g. 172.1.1.1:1
RD structure:
TYPE (2-byte) | Administrator Field | Assigned Number Field
0 | 2-byte ASN | 4-byte assigned number
1 | 4-byte IP address | 2-byte assigned number
VPNv4 and IPv4 Address Family
The RD is unique among different VPNs, which removes IP address conflicts; it is the identifier of the VRF.
Normally the RD of a VPN is configured the same at all sites.
For example:
Route received from CE router: 10.1.1.0/24 (IPv4 address)
Route modified as: 10458:22:10.1.1.0/24 (VPNv4 address) and announced to other VPN sites of the same customer
In this case 10458:22 is the RD.
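The RD formats of the previous slide and the 10458:22:10.1.1.0/24 example above, worked in Python as an added example that is not part of the course material: encode_rd, decode_rd and the other function names are this example's own, and the two 10.1.0.0/16 routes under different RDs are constructed input.

```python
import ipaddress
import struct

# Added example: Route Distinguisher (RD) encoding of slide 24 and the VPN-IPv4
# key of slide 25.  An RD is 8 bytes: 2-byte type, then a 6-byte value.
#   type 0: 2-byte ASN  : 4-byte assigned number   e.g. "10458:22"
#   type 1: 4-byte IPv4 : 2-byte assigned number   e.g. "172.1.1.1:1"

def encode_rd(rd: str) -> bytes:
    """Encode 'admin:number' as the 8-byte RD; the admin field selects type 0 or 1."""
    admin, _, number = rd.rpartition(":")
    number = int(number)
    if admin.isdigit():                              # type 0: 16-bit ASN, 32-bit number
        asn = int(admin)
        if not (0 <= asn <= 0xFFFF and 0 <= number <= 0xFFFFFFFF):
            raise ValueError("type 0 RD needs a 16-bit ASN and a 32-bit number")
        return struct.pack("!HHI", 0, asn, number)
    ip = ipaddress.IPv4Address(admin)                # type 1: 32-bit IPv4, 16-bit number
    if not 0 <= number <= 0xFFFF:
        raise ValueError("type 1 RD needs a 16-bit assigned number")
    return struct.pack("!H4sH", 1, ip.packed, number)

def decode_rd(raw: bytes) -> str:
    """Inverse of encode_rd: 8 bytes back to the 'admin:number' text form."""
    rd_type = struct.unpack("!H", raw[:2])[0]
    if rd_type == 0:
        asn, number = struct.unpack("!HI", raw[2:8])
        return f"{asn}:{number}"
    if rd_type == 1:
        ip, number = struct.unpack("!4sH", raw[2:8])
        return f"{ipaddress.IPv4Address(ip)}:{number}"
    raise ValueError(f"unsupported RD type {rd_type}")

def rd_is_valid(rd: str) -> bool:
    """True when rd encodes cleanly (wrong field widths or a bad address give False)."""
    try:
        encode_rd(rd)
        return True
    except ValueError:                               # AddressValueError is a ValueError
        return False

def vpnv4_prefix(rd: str, prefix: str) -> str:
    """VPN-IPv4 route key as written on slide 25: RD prefixed to the IPv4 prefix."""
    return f"{decode_rd(encode_rd(rd))}:{ipaddress.IPv4Network(prefix)}"

def vpnv4_address(rd: str, prefix: str) -> bytes:
    """The 12-byte VPN-IPv4 address of slide 23: 8-byte RD + 4-byte IPv4 address."""
    return encode_rd(rd) + ipaddress.IPv4Network(prefix).network_address.packed

def distinct_keys(routes) -> set:
    """routes: (rd, prefix) pairs from CEs of different VPNs.  The same IPv4
    prefix under different RDs stays apart in the VPN-IPv4 address family."""
    return {vpnv4_prefix(rd, prefix) for rd, prefix in routes}
```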
Distribution of VPN-IPv4 Addresses
The Border Gateway Protocol is modified to carry VPN-IPv4 routes in addition to normal IPv4 routes: MP-BGP (Multi-Protocol BGP).
To maintain compatibility, only two BGP attributes are added for MP-BGP: MP_REACH_NLRI and MP_UNREACH_NLRI.
These two attributes are used in the BGP UPDATE message to advertise or withdraw network reachability information.
Relationship Between PE and CE
[Figure: two PEs connected to CEs of Site-1 and Site-2 for VPN A and VPN B; PE-CE routing via EBGP, RIP or static routes; each PE holds a VRF for VPN A, a VRF for VPN B and the global routing table.]
VRF - VPN Routing and Forwarding table; different VRFs for different VPNs.
Relationship Between PE and CE
PE and CE routers exchange routing information via EBGP, RIP or static routes. The CE runs a standard routing protocol.
The PE maintains separate routing tables for the public network and the private networks. The public network routing table includes the routes of all PE and P routers, generated by the backbone IGP.
A VRF (VPN routing and forwarding table) holds the routing and forwarding tables for one or multiple directly connected CEs. A VRF can be bound to any type of interface. The PE router interface or sub-interface connected to the CE is mapped to the VPN.
If the directly connected sites belong to the same VPN, these interfaces can use the same VRF.
VPN Routing and Forwarding Table
The PE router creates one VPN routing and forwarding (VRF) table for each VPN that has a connection to a CE router.
The VRF provides isolation between VPNs. The routes in a VRF are distributed to other sites of the same VPN.
Each VRF is populated with:
Routes received from directly connected CE routers that are associated with the VRF
Routes received from PE routers (from other sites belonging to the same VPN)
Distribution of VRF Routes: Route Targets
[Figure: CE router - PE - P router - PE - CE router; the two PEs peer via MP-iBGP across the backbone.]
The PE router distributes the local VPN route information via the MPLS/VPN backbone network.
The transmitting PE exports the local VRF routes via MP-iBGP (with the export-target attribute).
The receiving PE imports the route into the VRF where it belongs (with the matching import-target attribute).
Distributing MP-iBGP Routes to VRF
Each VRF is configured with an import route-target and an export route-target.
When the transmitting PE sends MP-iBGP updates, the export route-target attribute is attached to the packet.
When receiving MP-iBGP VPN-IPv4 updates, the receiving PE checks whether the received export route-target equals the import route-target of a local VRF. If yes, the route is added to the corresponding VRF routing table; otherwise, it is discarded.
Importing VRF Routes to MP-iBGP
[Figure: CE-1 (Delhi) sends a BGP or RIPv2 update for 149.27.2.0/24, NH=CE, to PE1; PE1 sends PE2 (Mumbai) the MP-iBGP VPN-v4 update RD 1:27:149.27.2.0/24, Next-hop=PE-1, RT=VPN-A, Label=(28); PE2 connects to CE-2.]
Importing a VRF route into MP-iBGP: the PE router converts the route received from the CE (in the VRF routing table) into a VPN-v4 route; labels it with the RD and RT based on the configuration; changes the next hop to the PE itself (loopback); assigns the label based on the interface; finally sends the MP-iBGP update packet to all PE neighbors.
Exporting MP-iBGP Routes to VRF
[Figure: the MP-iBGP VPN-v4 update RD 1:27:149.27.2.0/24, RT=VPN-A, Label=(28) between the Mumbai PE (CE-2) and the Delhi PE (CE1); the Delhi PE also shows the VRF configuration lines "ip vrf VPN-B" and "vpn-target import VPNA".]
The PE receives the update packet, converts the VPN-v4 route into an IPv4 address, installs it in the VRF VPN-A (RT=VPN-A) routing table, then advertises it to the CE.
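The export/import matching of slides 30 to 33, as an added example in Python that is not part of the course material: the Vrf and Vpnv4Update classes, the function names, the VPN-B RD and the VPN-C VRF are assumptions of this example; the route values are those of the slides.

```python
from dataclasses import dataclass, field

# Added example of the route-target (RT) export/import step of slides 30-33.
# Route values follow the slides (RD 1:27, prefix 149.27.2.0/24, next hop PE-1,
# RT VPN-A, label 28); the classes, the VPN-B RD and the VPN-C VRF are
# assumptions of this example, not a vendor's implementation.

@dataclass(frozen=True)
class Vpnv4Update:
    rd: str            # route distinguisher of the originating VRF
    prefix: str        # IPv4 prefix learned from the CE
    next_hop: str      # rewritten to the advertising PE's loopback
    label: int         # VPN (inner) label assigned by the advertising PE
    rts: frozenset     # route-target extended communities (the export RTs)

@dataclass
class Vrf:
    name: str
    rd: str
    import_rts: frozenset
    export_rts: frozenset
    routes: dict = field(default_factory=dict)   # prefix -> (next_hop, label)

def export_vrf_route(vrf, prefix, pe_loopback, label):
    """Transmitting PE (slide 32): convert the VRF route to VPN-v4, attach the RD
    and export RTs, set the next hop to the PE itself and assign the VPN label."""
    return Vpnv4Update(vrf.rd, prefix, pe_loopback, label, vrf.export_rts)

def import_update(vrfs, update):
    """Receiving PE (slide 31): install the route in every local VRF whose import
    RTs intersect the update's RTs; others discard it.  Returns the acceptors."""
    accepted = []
    for vrf in vrfs:
        if vrf.import_rts & update.rts:
            vrf.routes[update.prefix] = (update.next_hop, update.label)
            accepted.append(vrf.name)
    return accepted

def demo():
    """PE-1 (Delhi) exports 149.27.2.0/24 from VRF VPN-A; PE-2 (Mumbai) filters it."""
    pe1_vpn_a = Vrf("VPN-A", "1:27", frozenset({"VPN-A"}), frozenset({"VPN-A"}))
    update = export_vrf_route(pe1_vpn_a, "149.27.2.0/24", "PE-1", 28)
    pe2_vrfs = [
        # VPN-A imports its own RT
        Vrf("VPN-A", "1:27", frozenset({"VPN-A"}), frozenset({"VPN-A"})),
        # VPN-B also imports VPN-A ("ip vrf VPN-B / vpn-target import VPNA", slide 33)
        Vrf("VPN-B", "1:28", frozenset({"VPN-B", "VPN-A"}), frozenset({"VPN-B"})),
        # VPN-C (constructed) shares no RT with the update and must drop it
        Vrf("VPN-C", "1:29", frozenset({"VPN-C"}), frozenset({"VPN-C"})),
    ]
    accepted = import_update(pe2_vrfs, update)
    result = {vrf.name: dict(vrf.routes) for vrf in pe2_vrfs}
    result["accepted"] = accepted
    return result
```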
L3 VPN Operational Model
Control flow: exchange of routes between CE and PE (static/default, RIP, OSPF or eBGP); exchange of routes between PEs (MP-iBGP).
Data flow: forwarding user traffic through the LSP already established between PE routers.
[Figure: the VPN A / VPN B topology of the overlapping-address slides: PE 1, PE 2, PE 3, P routers, CEA1 to CEA3 and CEB1, CEB2.]
MPLS/VPN Label Distribution
PE and P routers are reachable using the IGP. A label stack is used for packet forwarding: the outer (external) label indicates how to reach the next hop, and the inner (internal) label indicates the outgoing interface of the packet in its home VRF (home VPN).
MPLS node forwarding is based on the outer label regardless of the inner label.
MPLS/VPN Packet Forwarding - 1
[Figure: at PE-1, the VPN A VRF holds 149.27.2.0/24, NH=197.26.15.1, Label=(28); the LFIB entry for FEC 197.26.15.1/32 has In Label - and Out Label 41. An IP packet from the CE to 149.27.2.27 leaves PE-1 between Delhi and Mumbai with outer label 41 and inner label 28.]
When the ingress PE receives an ordinary IP packet from the CE, the PE looks it up in the VPN forwarding table of the VRF to which the ingress interface belongs, and finds the next hop and label.
MPLS/VPN Packet Forwarding - 2
[Figure: the packet to 149.27.2.27 travels between Delhi and Mumbai. Ingress PE-1: VPN A VRF 149.27.2.0/24, NH=197.26.15.1, Label=(28); the packet carries labels 41 (outer) and 28 (inner). Penultimate P router LFIB: In Label 41, FEC 197.26.15.1/32, Out Label POP, so the packet reaches the egress PE with label 28 only. Egress PE: In Label 28 (V), FEC 149.27.2.0/24, Out Label -; its VPN A VRF entry for 149.27.2.0/24 points to the CE, and the packet leaves as plain IP.]
The penultimate hop router pops the outer label and sends the packet to the egress PE according to the next hop.
The egress PE router determines the CE that the packet will go to based on the inner label.
It pops the inner label and forwards the packet to the destination CE as an ordinary IP packet.
Typical Data Flow in L3 VPN
[Figure: Site 1 (CE-1, CE-2) and Site 2 (10.1/16; CE-3, CE-4) attached via PE-1 and PE-2, each holding a Red VRF; P-1 and P-2 in the core.]
PE-1: 1. Look up the route in the Red VRF. 2. Push the VPN inner label (Z). 3. Push the IGP label (U). 4. Forward to P-1.
Packet: IGP label (U) | BGP label (Z) | IP 10.1.2.3
P-1: 1. Look up the MPLS table. 2. Swap IGP label U with V. 3. Forward to P-2.
Packet: IGP label (V) | BGP label (Z) | IP 10.1.2.3
P-2: 1. Look up the MPLS table. 2. Pop the IGP label V. 3. Forward to PE-2.
Packet: BGP label (Z) | IP 10.1.2.3
PE-2: 1. Look up the route in the Red VRF. 2. Pop the VPN inner label (Z). 3. Forward the native IP packet to CE-4.
Packet: IP 10.1.2.3
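The four-hop data flow above, together with the forwarding tables of slides 35 to 37, as an added Python simulation that is not course material: the label numbers Z=28, U=41 and V=42, the table layouts and the function names are this example's assumptions.

```python
import ipaddress

# Added example: simulation of the four-hop label-stack data flow of slide 38 with
# the table layouts of slides 35-37.  Label values are assumptions of this example
# (VPN/BGP label Z=28, IGP labels U=41 and V=42); a label stack is a list whose
# index 0 is the outer (top) label.

def longest_match(table, dst):
    """Longest-prefix match over {prefix: value}; None when the table has no route."""
    dst, best = ipaddress.IPv4Address(dst), None
    for prefix, value in table.items():
        net = ipaddress.IPv4Network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, value)
    return None if best is None else best[1]

def ingress_pe(vrf, igp_lfib, dst, labels):
    """PE-1: VRF lookup gives the remote PE and VPN label; push VPN then IGP label."""
    route = longest_match(vrf, dst)
    if route is None:
        return "drop", labels                 # destination unknown in this VRF
    remote_pe, vpn_label = route
    igp_label, next_hop = igp_lfib[remote_pe]
    return next_hop, [igp_label, vpn_label] + labels

def p_router(lfib, labels):
    """P router: acts on the outer label only (slide 35): swap, or pop at the PHP node."""
    action, new_label, next_hop = lfib[labels[0]]
    rest = labels[1:]
    return next_hop, ([new_label] + rest if action == "swap" else rest)

def egress_pe(vpn_labels, vrfs, dst, labels):
    """PE-2: the inner label selects the VRF; pop it and find the CE in that VRF."""
    vrf_name = vpn_labels[labels[0]]
    return longest_match(vrfs[vrf_name], dst), labels[1:]

def run_flow(dst="10.1.2.3"):
    """Walk PE-1 -> P-1 -> P-2 -> PE-2, recording (node, next hop, stack after the node)."""
    red_vrf_pe1 = {"10.1.0.0/16": ("PE-2", 28)}      # remote PE, VPN label Z
    igp_lfib_pe1 = {"PE-2": (41, "P-1")}             # IGP label U, next hop
    lfib_p1 = {41: ("swap", 42, "P-2")}              # U -> V
    lfib_p2 = {42: ("pop", None, "PE-2")}            # penultimate hop pops V
    vpn_labels_pe2, vrfs_pe2 = {28: "Red"}, {"Red": {"10.1.0.0/16": "CE-4"}}
    trace = []
    hop, stack = ingress_pe(red_vrf_pe1, igp_lfib_pe1, dst, [])
    trace.append(("PE-1", hop, stack))
    hop, stack = p_router(lfib_p1, stack)
    trace.append(("P-1", hop, stack))
    hop, stack = p_router(lfib_p2, stack)
    trace.append(("P-2", hop, stack))
    hop, stack = egress_pe(vpn_labels_pe2, vrfs_pe2, dst, stack)
    trace.append(("PE-2", hop, stack))
    return trace
```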
Layer 3 - Basic Intranet Model
[Figure: VPN A with Site-1, Site-2, Site-3 and Site-4 attached to two PEs across the MPLS/VPN backbone (P routers). One PE exports the site-1 and site-2 routes and the other exports the site-3 and site-4 routes over MP-iBGP, both with RT=VPN-A; after import, each VPN A VRF holds the routes of site-1, site-2, site-3 and site-4.]
Internet Access from MPLS VPN
Ways to set up Internet access from a VPN:
By packet leaking between a VRF and the global routing table
By a separate sub-interface which is not placed in any VRF
By having a separate Internet VPN
Internet Access by Packet Leaking
A public address is assigned to an Internet/VPN customer.
A global static route for the assigned address block is configured on the PE router.
The static route has to be redistributed into BGP to provide full connectivity to the customer.
A default route toward a global Internet exit point is installed in the customer VRF.
This default route is used to forward packets to unknown destinations (Internet) into the global address space.
A single label (IGP label) is used for packets forwarded towards the global next hop.
Internet Access by Packet Leaking
[Figure: Site-1 and Site-2 attached to PEs; Site-2 owns network 171.68.0.0/16 behind interface Serial0 of its PE; PE-IG is the Internet exit point, with addresses 192.168.1.1 (PE-IG) and 192.168.1.2 shown; BGP-4 towards the Internet, MP-BGP inside the backbone. Configuration on the Site-2 PE:]
ip route-static 171.68.0.0 255.255.0.0 Serial0
ip route-static vpn-instance VPN-A 0.0.0.0 0.0.0.0 192.168.1.1 public
Internet Access by Packet Leaking: Configure the Static Default Route on the PE
[Figure: same topology as the previous slide. Site-2 VRF: 0.0.0.0/0 via 192.168.1.1 (public), Site-1 routes, Site-2 routes. Global table and LFIB: 192.168.1.1/32 Label=3, 192.168.1.2/32 Label=5, ... An IP packet from Site-2 with D=yahoo.com matches the VRF default route, is forwarded with the single label 3 towards 192.168.1.1 (PE-IG), and leaves to the Internet as a plain IP packet.]
Internet Access by Separate Sub-interface
Requires separate physical links or separate sub-interfaces.
Traditional Internet access implementation model.
Maximum design flexibility; Internet access is totally independent from the MPLS VPN.
Specific WAN encapsulation required.
The PE may be required to carry full Internet routing, which is risky.
Internet Access by Separate Sub-interface: Configure the Sub-interface
[Figure: the Site-2 CE (network 171.68.0.0/16) connects to its PE over two sub-interfaces, Serial0.1 (VPN) and Serial0.2 (not in any VRF). CE routing table: Site-2 routes ---> Serial0.1; Internet routes ---> Serial0.2. PE global table: Internet routes ---> 192.168.1.1, Label=3. An IP packet with D=yahoo.com arrives on Serial0.2, is forwarded with label 3 towards PE-IG (192.168.1.1) and exits to the Internet as a plain IP packet.]
Summarizing VPN
VPN classifications: CPE / network based
Intranet and Extranet VPNs
MPLS L3 VPN - configurations and forwarding process: VPNv4, RD, RT
MPLS does not provide all security requirements for a VPN. It has to be complemented with other solutions.