HUAWEI TECHNOLOGIES CO., LTD. All rights reserved
www.huawei.com
Internal
ODC010004 MPLS L3 VPN Advanced Application
ISSUE 1.2
Wide application of MPLS technologies allows service providers to provide better extended/value-added services. Therefore, the implementation of MPLS functions can help an equipment vendor gain competitive advantages over other vendors.
References
- VRP5 Operation Manual – VPN
- Technical White Paper for Cross-AS Solutions
- Technical White Paper for HoPE
- RFC 2547, RFC 3107
Upon completion of this course, you will be able to:
- Learn about cross-AS MPLS VPN, HoPE, Internet access and multi-role host technologies.
- Understand specifics of the technologies.
- Understand applications of the technologies.
Chapter 1 Cross-AS Solution
Chapter 2 HoPE Solution
Chapter 3 Internet Connection Solution
Chapter 4 Multi-Role Host Technology
Chapter 1 Cross-AS Solution
1.1 Cross-AS Solution
1.2 Carrier's Carrier Solution
Cross-AS MPLS VPN
Origin of cross-AS VPN
- In the MPLS architecture, an MPLS domain and a routing AS normally coincide. In actual networking, however, an MPLS domain frequently crosses multiple ASs:
  - The carrier defines one province as one AS of the carrier network but needs to provide cross-province MPLS VPN services.
  - Carriers cooperate with each other (especially with international carriers, to provide international services).
- To implement these services, cross-AS MPLS VPN solutions must be applied to solve the following two problems:
  - Technical problem: how VPN-IPv4 routes and VPN labels can be distributed to another AS.
  - Managerial problem: normally, cross-AS LSPs are not allowed (this is especially important in the case of carrier cooperation).
Cross-AS MPLS VPN
Three Solutions
- Currently three MPLS VPN cross-domain solutions are available:
  - VRF-to-VRF
  - MP-eBGP for VPNv4
  - Multi-hop MP-eBGP
Cross-AS MPLS VPN
Overview of the Solutions
- Different domains or carriers have different ASs.
- One VPN operates in multiple ASs.
[Figure: CE-1, PE-1, ASBR-1, ASBR-2, PE-2 and CE-2 across AS #100 and AS #200, with sites VPN-A-1 and VPN-A-2. Options marked on the diagram: back-to-back VRFs, MP-eBGP for VPNv4, multi-hop MP-eBGP.]
Cross-AS solution 1: VRF-to-VRF
VRF-to-VRF Overview
- An ASBR treats the peer ASBR as its CE and creates a VRF for each VPN. IP forwarding is used between the ASBRs, and MPLS forwarding is used within each AS.
- Advantages: Simple; no protocol extension or special configuration is needed, so it is supported natively. Applicable when the number of cross-domain VPNs is small.
- Disadvantages: The ASBR must create a VRF for each VPN. Crossing multiple domains requires a large configuration effort. The scalability is poor.
[Figure: AS#100 and AS#200, each with PEs serving VPN1 and VPN2 CEs and running MP-iBGP. Path shown: PE, ASBR-1, ASBR-2, PE, with VPN-LSP1/LSP-1 on one side, IP forwarding between the ASBRs, and VPN-LSP2/LSP-2 on the other. Callout: one VRF and one logical interface are created for each VPN.]
Cross-AS solution 1: VRF-to-VRF
Distribution of routing information
[Figure: AS#100 and AS#200 with PE-1 to PE-4 serving VPN1 and VPN2 CEs, MP-iBGP inside each AS, and IP forwarding between ASBR-1 and ASBR-2.]
Route advertisements shown in the figure:
- BGP, OSPF, RIPv2: 161.10.1.0/24, NH=CE-1
- VPN-v4 update: RD:1:27:161.10.1.0/24, NH=PE-1, RT=100:1, Label=(L1)
- D:161.10.1.0/24, NH:ASBR-1
- VPN-v4 update: RD:1:27:161.10.1.0/24, NH=ASBR-2, RT=100:1, Label=(L2)
- BGP, OSPF, RIPv2: 161.10.1.0/24, NH=PE-3
Cross-AS solution 1: VRF-to-VRF
Label switching procedure
[Figure: same topology as the VRF-to-VRF overview. Callout: create a VRF and a logical interface for each VPN. Packet formats shown along the path: 161.10.1.1 with labels L2 and Lx; 161.10.1.1 with labels L1 and Ly; unlabelled 161.10.1.1 packets.]
Cross-AS Solution 2: MP-eBGP for VPNV4
MP-eBGP for VPNv4 overview
- EBGP is used to advertise VPN-IPv4 routes between ASBRs.
- Advantages:
  - No need to create a VRF for each VPN on the ASBR.
  - No cross-domain protocol extension is needed; easy to manage and configure.
- Disadvantages: All VPN routes need to be stored on the ASBR. This imposes high requirements on the router, so the ASBR is more prone to faults.
[Figure: AS#100 and AS#200 with PEs serving VPN1 and VPN2 CEs; MP-iBGP (VPN-V4) inside each AS and MP-EBGP between ASBR-1 and ASBR-2. Path shown: PE, ASBR-1, ASBR-2, PE, with VPN-LSP1, VPN-LSP2 and VPN-LSP3 carried over LSP-1 and LSP-2.]
Cross-AS Solution 2: MP-eBGP for VPNV4
Distribution of routing information
[Figure: AS#100 and AS#200 with PE-1 to PE-4 serving VPN1 and VPN2 CEs; MP-iBGP (VPN-V4) inside each AS and MP-EBGP between ASBR-1 and ASBR-2, with VPN-LSP1, VPN-LSP2 and VPN-LSP3 over LSP-1 and LSP-2.]
Route advertisements shown in the figure:
- BGP, OSPF, RIPv2: 161.10.1.0/24, NH=CE-1
- VPN-v4 update: RD:1:27:161.10.1.0/24, NH=PE-1, RT=100:1, Label=(L1)
- VPN-v4 update: RD:1:27:161.10.1.0/24, NH=PE-ASBR-1, RT=100:1, Label=(L2)
- VPN-v4 update: RD:1:27:161.10.1.0/24, NH=PE-ASBR-2, RT=100:1, Label=(L3)
- BGP, OSPF, RIPv2: 161.10.1.0/24, NH=PE-3
Cross-AS Solution 2: MP-eBGP for VPNV4
Label switching procedure
[Figure: AS#100 and AS#200 with PE-1 to PE-4, MP-iBGP (VPN-V4) inside each AS and MP-EBGP between ASBR-1 and ASBR-2. Packet formats shown along the path: 161.10.1.1 with labels L3 and Lx; 161.10.1.1 with label L3; 161.10.1.1 with label L2; 161.10.1.1 with labels L1 and Ly; 161.10.1.1 with label L1; unlabelled 161.10.1.1 packets.]
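Added example (not part of the course material): a small Python model of the MP-eBGP for VPNv4 exchange on the preceding slides, showing how each ASBR rewrites the next hop, allocates a new VPN label, and later swaps that label hop by hop. The class names and numeric label values are constructed stand-ins for L1, L2 and L3; the outer tunnel labels (Lx, Ly) are not modelled.

```python
"""Added illustration: inter-AS MP-eBGP for VPNv4 (constructed model)."""
from dataclasses import dataclass, replace
from itertools import count


@dataclass(frozen=True)
class Vpnv4Route:
    rd: str          # route distinguisher, e.g. "1:27"
    prefix: str      # customer prefix
    next_hop: str    # BGP next hop as seen by the receiver
    rt: str          # export route target
    label: int       # VPN (inner) label that is valid at next_hop


class Asbr:
    """ASBR that stores every VPNv4 route and needs no per-VPN VRF."""

    def __init__(self, name, first_label):
        self.name = name
        self._labels = count(first_label)
        self.lfib = {}   # in-label -> (out-label, next hop)

    def readvertise(self, route):
        """Set the next hop to self and allocate a new label for the route."""
        new_label = next(self._labels)
        self.lfib[new_label] = (route.label, route.next_hop)
        return replace(route, next_hop=self.name, label=new_label)

    def forward(self, in_label):
        """Swap the VPN label; a label this ASBR never advertised is dropped."""
        if in_label not in self.lfib:
            raise LookupError(f"{self.name}: unknown label {in_label}, drop")
        return self.lfib[in_label]


class Pe:
    def __init__(self, name, first_label):
        self.name = name
        self._labels = count(first_label)
        self.vrf_by_label = {}   # VPN label -> VRF name (egress role)
        self.vrfs = {}           # VRF name -> {"import_rt": ..., "routes": {}}

    def add_vrf(self, vrf, import_rt):
        self.vrfs[vrf] = {"import_rt": import_rt, "routes": {}}

    def originate(self, vrf, rd, prefix, rt):
        label = next(self._labels)
        self.vrf_by_label[label] = vrf
        return Vpnv4Route(rd, prefix, self.name, rt, label)

    def receive(self, route):
        """Import into every VRF whose import RT matches; return those VRFs."""
        hits = []
        for vrf, cfg in self.vrfs.items():
            if cfg["import_rt"] == route.rt:
                cfg["routes"][route.prefix] = (route.label, route.next_hop)
                hits.append(vrf)
        return hits


def run_option_b():
    # Constructed label ranges: 101 plays L1, 201 plays L2, 301 plays L3.
    pe1, pe3 = Pe("PE-1", 101), Pe("PE-3", 901)
    asbr1, asbr2 = Asbr("ASBR-1", 201), Asbr("ASBR-2", 301)
    pe1.add_vrf("VPN1", "100:1")
    pe3.add_vrf("VPN1", "100:1")
    pe3.add_vrf("VPN2", "200:1")

    # Control plane: PE-1 -> ASBR-1 (MP-iBGP) -> ASBR-2 (MP-eBGP) -> PE-3.
    r1 = pe1.originate("VPN1", "1:27", "161.10.1.0/24", "100:1")
    r2 = asbr1.readvertise(r1)
    r3 = asbr2.readvertise(r2)
    imported = pe3.receive(r3)

    # Data plane: follow a packet for 161.10.1.1 from PE-3 back to PE-1.
    # Each trace entry is (sending node, VPN label sent, next hop).
    label, hop = pe3.vrfs["VPN1"]["routes"]["161.10.1.0/24"]
    trace = [("PE-3", label, hop)]
    for asbr in (asbr2, asbr1):
        label, hop = asbr.forward(label)
        trace.append((asbr.name, label, hop))
    egress_vrf = pe1.vrf_by_label[label]
    return (r1, r2, r3), imported, trace, egress_vrf, (asbr1, asbr2)
```

Only the VRF with import route target 100:1 receives the route, and each ASBR forwards only labels it allocated itself, which is the property that keeps one VPN's traffic out of another across the AS boundary.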
Cross-AS Solution 3: Multi-Hop eBGP
Multi-Hop eBGP overview
- Establish an MP-EBGP peer relationship between PEs and distribute VPN-IPv4 routes over this connection.
- Advantages:
  - This is the optimal solution because it meets the structural requirements of MPLS VPN: only the PEs know the VPN routing information, and the P routers are concerned only with forwarding packets.
  - The advantage is more notable when a VPN crosses multiple ASs. This solution also supports load sharing.
- Disadvantages: BGP extensions are needed. The setup of tunnels differs from the common MPLS VPN structure, so the solution is hard to maintain and understand.
[Figure: AS#100 and AS#200 with PEs serving VPN1 and VPN2 CEs; multi-hop MP-EBGP (VPN V4) between PEs and EBGP between ASBR-1 and ASBR-2. Path shown: PE, ASBR-1, ASBR-2, PE, with the VPN-LSP carried over LSP-1 and LSP-2. Other label: BGP 4+.]
Cross-AS Solution 3: Multi-Hop eBGP
Distribution of routing information
[Figure: AS#100 and AS#200 with PE-1 to PE-4 serving VPN1 and VPN2 CEs, and EBGP between ASBR-1 and ASBR-2.]
Route advertisements shown in the figure:
- BGP, OSPF, RIPv2: 162.11.1.0/24, NH=CE-1
- VPN-v4 update: RD:1:27:162.11.1.0/24, NH=PE-1, RT=100:1, Label=(L3)
- Network=PE-1, NH=ASBR-1, Label=(L9)
- Network=PE-1, NH=ASBR-2, Label=(L10)
- BGP, OSPF, RIPv2: 162.11.1.0/24, NH=PE-2
Cross-AS Solution 3: Multi-Hop eBGP
Label switching procedure
[Figure: AS#100 and AS#200 with PE-1 to PE-4 serving VPN1 and VPN2 CEs, and EBGP between ASBR-1 and ASBR-2. Packets to 161.10.1.1 are shown along the path with label stacks built from the labels L3, L9, L10, Lx and Ly.]
Chapter 1 Cross-AS Solution
1.1 Cross-AS Solution
1.2 Carrier's Carrier Solution
Carrier’s Carrier Solution
Carrier’s Carrier Topology
[Figure: a level 1 carrier between two level 2 carrier sites, with L2 PEs, L1 CEs and L1 PEs, serving VPNA and VPNB. Protocol labels: MP-IBGP/Remote-Peer LDP, LDP, LDP/BGP, IBGP.]
A level 2 carrier can provide L2 and L3 VPNs.
Carrier’s Carrier Solution
Three Solutions
- Level 1 carriers use MPLS/BGP VPN technologies.
  - Level 2 carriers do not use VPN technologies.
  - Level 2 carriers use VPN technologies.
- Level 1 carriers use L2 MPLS VPN technologies.
Carrier’s Carrier Solution
Solution 1
- Level 2 carriers do not provide MPLS/BGP VPN.
- Level 1 carriers do not have IGP routing information of level 2 carriers.
- If traffic flows from CE-1 to CE-2, the LSP starts at CE-1 and ends at PE-2.
[Figure: a level-1 SP with PE-1 and PE-2, and two level-2 SP sites with CE-1 and CE-2. Protocol labels: BGP/LDP (on both sides), BGP, MP-IBGP / LDP.]
Carrier’s Carrier Solution
Solution 2
- Level 2 carriers provide MPLS/BGP VPN.
[Figure: a level-1 SP with PE-1 and PE-2, and two level-2 SP sites with CE-1, CE-2, PE-3 and PE-4, serving VPN 1 Site 1, VPN 1 Site 2, VPN 2 Site 1 and VPN 2 Site 2. Protocol labels: BGP/LDP (on both sides), LDP (on both sides), MP-IBGP / Remote Peer LDP, MP-IBGP / LDP.]
Carrier’s Carrier Solution
Solution 3
- Level 2 carriers provide MPLS L2 VPN.
[Figure: a level-1 SP with PE-1 and PE-2, and two level-2 SP sites with CE-1, CE-2, PE-3 and PE-4, serving VPN 1 Site 1, VPN 1 Site 2, VPN 2 Site 1 and VPN 2 Site 2. Protocol labels: LDP (on both sides), MP-IBGP / Remote Peer LDP, MP-IBGP / LDP.]
Carrier’s Carrier Solution
Carrier’s Carrier Summary
Question | Level 1 carrier: MPLS/BGP VPN | Level 1 carrier: MPLS L2 VPN
Does a level 1 carrier have the routing information of a level 2 carrier? | YES | NO
Is a routing protocol needed between the PE of a level 1 carrier and the CE of a level 2 carrier? | Static or dynamic routing protocol | NO
Does LDP operate between the PE of a level 1 carrier and the CE of a level 2 carrier? | Yes, multi-instance LDP is needed. | NO
How is encapsulation performed in a level 1 carrier network? | IP encapsulated by MPLS (L2 or L3 labels) | IP encapsulated by MPLS (L2 labels), L2 labels, or MPLS (L1 or L2 labels)
Chapter 1 Cross-AS Solution
Chapter 2 HoPE Solution
Chapter 3 Internet Connection Solution
Chapter 4 Multi-Role Host Technology
Chapter 2 HoPE Solution
2.1 Background of HoPE
2.2 Framework of HoPE
2.3 Applications of HoPE
Background of HoPE
Condition of PE
The lower the layer at which a PE is located, the more specific the routes are and the more routes the PE needs to maintain.
[Figure: network layers: core layer, distribution layer, access layer.]
- The PE is in an awkward position at each layer:
  - Access layer: unable to support it because of small capacity.
  - Distribution layer: a large number of interfaces (or subinterfaces) are needed for subscriber identification. The number of subscribers is large, but the PE provides limited interfaces.
  - Core layer: the number of subscribers is larger, the number of interfaces becomes more limited, and the bandwidth granularity is larger.
Background of HoPE
Problem
- The number of interfaces and the storage capacity must keep increasing until they finally reach the equipment limit.
- The growth of the network scale and the increase of subscribers at the local and peer sites require the local PE to have larger storage capacity.
- Solution:
  - Expand and migrate the PE.
  - Add PEs to share the load of the VPN subscribers.
This is an expensive solution.
Background of HoPE
Cause
- Large numbers of interfaces are needed to connect subscribers. Large amounts of memory and forwarding capability are needed to handle subscriber packets.
- It is hard for a PE to provide large memory and a large number of interfaces at the same time.
- A typical network consists of different layers, featuring many edge interfaces and a large core capacity.
- MPLS VPN is flat. The requirement for memory capacity is similar regardless of the position of the PE in the network. When a PE is expanded toward the edge, more memory is required whereas the capacity of the network equipment decreases.
Key point: the model of MPLS VPN differs from the typical network model.
Background of HoPE
Multi-VRF Solution
- the CE functionality so that it has the VRF function, called Multi-VRF CE (VCE for short).
- A VCE can connect multiple VPN subscribers and simulate multiple CEs.
- The VCE connects with the PE through multiple interfaces (or subinterfaces).
- The VCE only needs to maintain routes of the local site.
- No changes are needed in the PE.
[Figure: VCE1 and VCE2, serving VPN1 Site1, VPN1 Site2, VPN2 Site1 and VPN2 Site2, connect to a PE at the edge of the MPLS network.]
Background of HoPE
Defects of Multi-VRF Solution
- Many interfaces and subinterfaces, taken from limited interface resources, are needed between the PE and the VCE.
- Multiple VRFs need to be configured on the PE and the CE. The configuration effort is large and repetitive.
- Using a dynamic routing protocol for route exchange between the PE and the VCE requires both to run multiple instances. Using static routes, however, demands a large configuration effort.
- If the PE and CE are not connected directly but through tunnels, each VRF needs a tunnel, so many tunnel resources are used.
- VCEs need to be interconnected to transfer VPN packets and reduce the load on the PE. That means each VRF needs an interface/subinterface.
- The end result is single-layer VPN access. A solution for the access of a separate MPLS VPN is still not provided.
Chapter 2 HoPE Solution
2.1 Background of HoPE
2.2 Framework of HoPE
2.3 Applications of HoPE
Framework of HoPE
- A PE is connected with other PEs so that together they fulfill the functions of a traditional PE.
- The PEs form a hierarchy. A PE that directly connects VPN subscribers is a UPE (Underlayer PE). One inside the network is an SPE (Superstratum PE).
- A UPE and an SPE can be connected directly or through an IP/MPLS network.
- Such a structure is called HoPE (Hierarchy of PE).
[Figure: UPE1 and UPE2, serving VPN1 Site1, VPN1 Site2, VPN2 Site1 and VPN2 Site2, connect through an MPLS network to an SPE; together they are marked as the HoPE. Across another MPLS network, MP-BGP runs toward PEs serving VPN1 Site3 and VPN2 Site3.]
New Solution—Hierarchy of PE
Framework of HoPE
Functions of UPE and SPE
- The UPE maintains only the routes of its directly connected VPN sites, not those of remote VPN sites. The SPE maintains all routes in the VPNs it connects through UPEs, including routes of the local and remote VPN sites.
- The UPE assigns inner labels for the routes of its directly connected VPN sites and advertises the routes to the SPE. The SPE advertises only the default VRF route, with its label, to the UPE.
- Label switching is used between the UPE and SPE, so only one interface (or subinterface) is needed to interconnect them. If an IP/MPLS network lies between the UPE and SPE, GRE/LSP tunnels are used to interconnect them.
A UPE is a traditional PE, whereas an SPE requires functional enhancements to a traditional PE.
Framework of HoPE
Forwarding of Data
[Figure: path Site1, CE1, UPE, SPE1, P, PE2, CE2, Site2.]
Route advertisement, from Site2 toward Site1 (advertisements shown: Dest/Mask; Dest/Mask, Li; 0/0, L0; 0/0):
- CE2 advertises a route of Site2.
- PE2 assigns an inner label for the route.
- SPE1 advertises the default route of the VPN to the UPE with an inner label.
- The UPE advertises the default route to CE1.
Packet forwarding, from Site1 toward Site2 (packets shown: Dest/Mask; Dest/Mask, L0; Dest/Mask, Li, Lo; Dest/Mask, Li; Dest/Mask):
- Forward the packets destined for Site2 from Site1 to the UPE according to the default route.
- Push the inner label and forward the packets to SPE1 according to the default VPN route.
- Pop the inner label of the default route, query the related VRF route table, and push the inner and outer labels.
- Pop the outer label (PHP).
- Pop the inner label.
Framework of HoPE
Forwarding of Data
[Figure: path Site1, CE1, UPE, SPE1, P, PE2, CE2, Site2.]
Route advertisement, from Site1 toward Site2 (advertisements shown: Dest/Mask; Dest/Mask, Li1; Dest/Mask, Li2; Dest/Mask):
- CE1 advertises a route of Site1.
- The UPE assigns an inner label to the route and advertises the route to SPE1.
- SPE1 replaces the label assigned by the UPE with another inner label.
- PE2 advertises a route to CE2 without a label.
Packet forwarding, from Site2 toward Site1 (packets shown: Dest/Mask; Dest/Mask, Li2, Lo; Dest/Mask, Li2; Dest/Mask, Li1; Dest/Mask):
- Query the route table and forward the packets to PE2.
- Query the VRF route table and push the inner and outer labels.
- Pop the outer label (PHP).
- Swap the inner label.
- Pop the inner label and forward the packets to CE1.
Framework of HoPE
SPE-UPE Protocol
- MP-BGP is used to distribute VPN-IPv4 routes:
  - If the SPE and UPE belong to the same carrier, MP-iBGP is used and the SPE serves as RR.
  - If the SPE and UPE belong to different carriers, MP-eBGP is used and the UPE uses a private AS number.
- The SPE creates the global import route-target list as the union of the VRF import route-target lists of the UPE:
  - The UPE transfers its import route-target list using the ORF mechanism, and the SPE generates the global import route-target list automatically.
  - The global import route-target list is created manually on the SPE.
[Figure: on the UPE, VRF1 has import route-target 100:1 and VRF2 has import route-target 200:1; the global import route-target list is 100:1, 200:1. Between the UPE and SPE: VPN route (label), ORF (extended community list), VRF default route (label).]
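Added example (not part of the course material): a Python sketch of the SPE/UPE behaviour described on the "Functions of UPE and SPE" and "SPE-UPE Protocol" slides. It builds the global import route-target list from ORF, filters incoming VPNv4 routes against it, sends the UPE only labelled default routes, and audits a manually configured list against the ORF-derived one. All class names, prefixes and label values are constructed for the illustration.

```python
"""Added illustration: HoPE route-target handling (constructed model)."""
from dataclasses import dataclass, field


@dataclass
class Upe:
    name: str
    vrf_import_rts: dict                          # VRF name -> set of import RTs
    routes: dict = field(default_factory=dict)    # VRF name -> {prefix: label}

    def orf(self):
        """Import RTs sent to the SPE through ORF (extended community list)."""
        return set().union(*self.vrf_import_rts.values())

    def install_default(self, vrf, label):
        """The only remote route a UPE holds per VRF is the default route."""
        self.routes.setdefault(vrf, {})["0.0.0.0/0"] = label


class Spe:
    def __init__(self, upes, first_label=500):
        self.upes = upes
        self.next_label = first_label
        self.global_import = set()
        self.table = {}            # (rt, prefix) -> (label, next hop)
        self.default_label = {}    # (UPE name, VRF) -> label

    def build_global_import(self):
        """Union of the UPEs' VRF import route-target lists."""
        self.global_import = set().union(*(u.orf() for u in self.upes))
        return self.global_import

    def receive_vpnv4(self, prefix, rt, label, next_hop):
        """Keep a VPNv4 route only if its RT is in the global import list."""
        if rt not in self.global_import:
            return False
        self.table[(rt, prefix)] = (label, next_hop)
        return True

    def advertise_defaults(self):
        """Send each UPE one labelled default route per VRF and nothing else."""
        for upe in self.upes:
            for vrf in upe.vrf_import_rts:
                self.default_label[(upe.name, vrf)] = self.next_label
                upe.install_default(vrf, self.next_label)
                self.next_label += 1


def audit_manual_list(manual, upes):
    """Compare a manually configured global list with the ORF-derived union."""
    wanted = set().union(*(u.orf() for u in upes))
    return {"missing": wanted - manual, "unneeded": manual - wanted}


def run_hope():
    # Same VRFs and route targets as the slide: VRF1 -> 100:1, VRF2 -> 200:1.
    upe = Upe("UPE1", {"VRF1": {"100:1"}, "VRF2": {"200:1"}})
    spe = Spe([upe])
    spe.build_global_import()
    # Constructed remote routes; 300:1 belongs to a VPN that no VRF on
    # this UPE imports, so the SPE must not store it.
    remote = [("10.1.0.0/16", "100:1", 31, "PE2"),
              ("10.2.0.0/16", "200:1", 32, "PE2"),
              ("10.3.0.0/16", "300:1", 33, "PE3")]
    kept = [p for p, rt, lbl, nh in remote if spe.receive_vpnv4(p, rt, lbl, nh)]
    spe.advertise_defaults()
    return spe, upe, kept
```

In the audit result, a "missing" route target means a VPN on the UPE never receives remote routes, while an "unneeded" one means the SPE stores routes for a VPN that no attached UPE serves.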
Framework of HoPE
SPE-UPE Connection
- Through any form of interface/subinterface
- Through a tunnel interface
  - MP-BGP can cross multiple hops.
  - When LSPs are used, LDP/RSVP-TE operates on the UPE/SPE.
[Figure: an SPE connected to UPEs. Link types shown: leased line, LSP, GRE tunnel.]
One SPE/UPE pair requires only one connection.
Framework of HoPE
HoPE Hierarchy
- A PE in a hierarchy can serve as a UPE (or SPE) and form another PE hierarchy with another SPE (or UPE).
- The middle-level PE is called an MPE.
- An SPE can connect with a standalone UPE while also connecting with a PE in a hierarchy.
Endless hierarchies
[Figure: an SPE, an MPE and UPEs serving VPN1 Site1 to Site3 and VPN2 Site1 to Site3; the links in the hierarchy are labelled "VRF default route".]
Framework of HoPE
Multi-homed UPE
- A UPE connects with multiple SPEs.
- All of the SPEs advertise VRF default routes to the UPE. The UPE selects one preferred default route or selects multiple routes for load sharing.
- The UPE advertises all of its VPN routes to every SPE, or part of its VPN routes to each SPE for load sharing.
[Figure: a UPE serving a VPN1 site and a VPN2 site, connected to SPE1 and SPE2. Labels on the links: VPN1 route, VPN2 route, VRF default route.]
Framework of HoPE
- an SPE is connected with a UPE, it can still be connected to CEs.
- Sites of the same VPN intercommunicate through the SPE.
[Figure: an SPE, a UPE and a CE, with VPN1 Site1, VPN1 Site2 and VPN2 Site2.]
SPE Connected with Both UPE and CE
Framework of HoPE
- A back door connection is established between two UPEs. VPN sites intercommunicate directly through this connection without the help of the SPE.
- A UPE communicates with its peer, and they exchange their routes through MP-BGP.
- UPEs can communicate across a network.
[Figure: UPE1, UPE2 and an SPE, with VPN1 and VPN2 Site1 and Site2; the back door connection between the UPEs is labelled MP-BGP.]
Back Door Connection between UPEs
Framework of HoPE
Best Solution
- An SPE and a UPE communicate through only one interface/subinterface, which saves limited interface resources.
- A VRF that is already configured on the UPE does not need to be configured again on the SPE, which minimizes the configuration effort.
- The SPE and UPE exchange routes and advertise labels using the dynamic routing protocol MP-BGP. Each UPE only needs to run MP-BGP with one peer, so the protocol overhead is small and the configuration effort is reduced.
- The SPE and UPE can connect with each other through a tunnel interface so that they can communicate across a network. In particular, this can be an MPLS network, which gives excellent scalability when MPLS VPNs are deployed in tiers.
- The back door connection between UPEs can reduce the load of the SPE. Only one interface/subinterface is needed between UPEs.
BGP/MPLS VPN can be deployed tier by tier. When the performance of a UPE is insufficient, an SPE can be added and the UPE is moved to a lower tier. When the access capability of an SPE becomes insufficient, more UPEs can be added.
Chapter 2 HoPE Solution
2.1 Background of HoPE
2.2 Framework of HoPE
2.3 Applications of HoPE
Applications of HoPE
Application in Finance/Government Networks
[Figure: an MPLS backbone with tiers labelled Province, City and County, using SPE, MPE and UPE roles, each tier serving VPN1 and VPN2 sites. Device models shown: NE80/NE40/NE20/NE20s, NE16/08/05, NE08/NE05, R3680, R2630.]
Applications of HoPE
Application in MAN
[Figure: metropolitan area networks with core, distribution and access layers. Annotations: "Insufficient routing capability", "Insufficient interfaces". Layer and role labels: core, access, distribution (PE), distribution (UPE), distribution (MPE), distribution (SPE), core (SPE), access (UPE). Device models shown: NE80, NE16/08, S8016, C75XX, C6509, NE05, R3680.]
Applications of HoPE
Application in Cross-AS MAN-Backbone
[Figure: MAN A and MAN B attached to a backbone. Role labels: ASBR/RR with UPE, ASBR with SPE. Labels on the links: "All routes in the AS", "VRF default route". Device models shown: NE80/40/20, NE16/08, NE80.]
Chapter 1 Cross-AS Solution
Chapter 2 HoPE Solution
Chapter 3 Internet Connection Solution
Chapter 4 Multi-Role Host Technology
Internet Connection Solution
Three Internet Access Solutions
- Subscribers of any type of network want access to the Internet; this demand is inevitable.
- In an MPLS VPN, three Internet access solutions are available:
  - Through an external ISP
  - Through a static default route
  - Through a subinterface
Internet Connection Solution
Internet Access Through External ISP
- Advantages: All VPN1 sites use CE1 as the egress, which is convenient for management. This solution is also called centralized access and is widely applied.
- Disadvantages: Multiple default routes may be added to the VRF instances of the VPN, so packet forwarding through multiple default gateways may not be optimal.
[Figure: MPLS VPN backbone with PE1, PE2 and PE3 connecting the VPN1 sites behind CE1, CE2 and CE3; an Eudemon and the external ISP are also shown.]
Internet Connection Solution
Internet Access Through Static Default Route
- Advantages: Each VPN site can access the Internet through the local PE, which facilitates management. This solution is also called distributed access.
- Disadvantages: The network segment of the CE is advertised in the public network. Security cannot be assured. NAT configuration is needed on the CE.
[Figure: MPLS VPN backbone with PE1, PE2 and PE3 connecting the VPN1 sites behind CE1, CE2 and CE3, plus the external ISP; one link is addressed from 61.1.1.0 with host addresses .1 and .2.]
Internet Connection Solution
Internet Access Through Subinterface
- Features: The CE and PE are connected through subinterfaces. One subinterface is responsible for VPN communication and the other is responsible for public network access.
[Figure: MPLS VPN backbone with PE1, PE2 and PE3 connecting the VPN1 sites behind CE1, CE2 and CE3, plus the external ISP.]
Chapter 1 Cross-AS Solution
Chapter 2 HoPE Solution
Chapter 3 Internet Connection Solution
Chapter 4 Multi-Role Host Technology
Multi-Role Host Solution
Selection Modes
- Client selection modes
  - L2TP accessing PE
  - PPPoE accessing PE
  - Mapping between 802.1X and VPN
  - VLAN+Web
- PE selection modes
  - ACL-based VPN identification
Multi-Role Host Solution
Client Selection Modes
- Typical application of MPLS VPN access
- An L2TP adapter can take the place of a real network adapter.
- Dynamic VPN selection is implemented through the L2TP authentication mechanism.
[Figure: a multi-role host on a VLAN, a PE marked LNS at the edge of the MPLS VPN, an L2TP connection between them, and a Radius/CAMS server. Callouts: the host accesses the PE through an L2TP tunnel; the PE dynamically imports different VPNs and assigns the IP addresses according to the user name and password.]
Multi-Role Host Solution
Multi-Purpose Server
- Multiple VPNs share a server that has a fixed position and a fixed role.
- Configure a private VRF for the multi-purpose server to exchange routes with multiple VPNs.
- The IP address of the multi-purpose server is globally unique.
- Enhance protection for the server.
[Figure: shared server, firewall, VRF and PE at the edge of the MPLS VPN. Callout: configure a VRF for the multi-purpose server; configure a firewall to protect the server.]
Summary
- Cross-AS, HoPE, Internet access and multi-role host technologies are very useful extensions to MPLS and solve many problems in current networks.
- We must understand these technologies in detail to facilitate future application and troubleshooting.