Summer Training Programme

MPLS VPN

Chapter 1

MPLS Overview
1.Introduction
The exponential growth of the Internet over the past several years has placed a tremendous strain on the service provider networks. Not only has there been an increase in the number of users but there has been a multifold increase in connection speeds, backbone traffic and newer applications. Initially ordinary data applications required only store and forward capability in a best effort manner. The newer applications like voice, multimedia traffic and real-time e-commerce applications are pushing towards higher bandwidth and better guarantees, irrespective of the dynamic changes or interruptions in the network. To honour the service level guarantees, the service providers not only have to provide large data pipes (which are also costlier), but also look for architectures which can provide & guarantee QoS guarantees and optimal performance with minimal increase in the cost of network resources. MPLS technology enables Service Providers to offer additional services for their customers, scale their current offerings, and exercise more control over their growing networks by using its traffic engineering capabilities. IP routing and MPLS In conventional IP forwarding, a particular router will typically consider two packets to be in the same FEC( Forwarding Equivalence Class) if there is some address prefix X in that router's routing tables such that X is the "longest match" for each packet's destination address. As the packet traverses the network, each hop in turn reexamines the packet and assigns it to a FEC. On the other hand, in MPLS, the assignment of a particular packet to a particular FEC is done just once, as the packet enters the network. The FEC to which the packet is assigned is encoded as a label. When a packet is forwarded to its next hop, the label is sent along with it. At subsequent hops, there is no further analysis of the packet's network layer header. Rather, the label is used as an index into a table which

specifies the next hop, and a new label. The old label is replaced with the new label, and the packet is forwarded to its next hop.

2.MPLS terminology
IP-based networks typically lack the quality-of-service features available in circuitbased networks, such as Frame Relay and ATM. MPLS brings the sophistication of a connection-oriented protocol to the connectionless IP world. Based on simple improvements in basic IP routing, MPLS brings performance enhancements and service creation capabilities to the network. MPLS stands for Multiprotocol Label Switching; multiprotocol because its techniques are applicable to ANY network layer protocol, of which IP is the most popular. Before explaining MPLS, here are some of the terms which are used extensively in MPLS jargon: 1. Forwarding Equivalence Class (FEC): a group of IP packets which are forwarded in the same manner (e.g., over the same path, with the same forwarding treatment). 2. MPLS header: The 32-bit MPLS header contains the following fields: i. The label field (20-bits) carries the actual value of the MPLS label. ii. The Class of Service (CoS) field (3-bits) can affect the queuing and discard algorithms applied to the packet as it is transmitted through the network. Since the CoS field has 3 bits, therefore 8 distinct service classes can be maintained. iii. The Stack (S) field (1-bit) supports a hierarchical label stack. Although MPLS supports a stack, the processing of a labeled packet is always based on the top label, without regard for the possibility that some of other labels may have been above it in the past, or that some number of other labels may be below it at present. Value 1 refers to the label of bottom layer. iv. The TTL (time-to-live) field (8-bits) provides conventional IP TTL functionality.

Fig. MPLS Header

3. The MPLS label is encapsulated in a standardized MPLS header that is inserted between the Layer 2 and IP headers.

Fig. L2, MPLS, L3 headers 4. MPLS label: is a short fixed length physically contiguous identifier which is used to identify a FEC, usually of local significance. 5. In the MPLS architecture, the device that participates the packet forwarding is called Label Switching Router (LSR). 6. Label Switched Path (LSP): The path through one or more LSRs at one level of the hierarchy which is followed by packets in a particular FEC.

3.MPLS Network Structure

As shown in Fig, the basic composing unit of MPLS network is LSR, and the network consisting of LSRs is called MPLS domain. The LSR that is located at the edge of the domain and connected with other customer network is called Label Edge Router (LER). The LSR located inside the domain is called core LSR. The labeled packets are transmitted along the LSP composed of a series of LSRs. Among them, the import LSR is called Ingress, and the export LSR is called Egress.

LSP Ingress

Egress core MP LS LSR MP LS LER

Fig. MPLS architecture

4. MPLS operations
Label push , label swap and label pop PUSH: A new label is pushed on top of the packet, effectively "encapsulating" the original IP packet in a layer of MPLS. SWAP: Every incoming label is replaced by a new outgoing label (As per the path to be followed) and the packet is forwarded along the path associated with the new label. POP: The label is removed from the packet effectively "de-encapsulating". If the popped label was the last on the label stack, the packet "leaves" the MPLS tunnel

Fig. MPLS operations Fig. Above shows the LSP,the path from source to destination for a data packet through an MPLS-enabled network. LSPs are unidirectional in nature. The LSP is usually derived from IGP routing information but can diverge from the IGP's preferred path to the destination. Fig. Shows the LSP for network 172.16.10.0/24 from R4 is R4R3-R2-R1. As shown in fig., the following process takes place in the data forwarding path from R4 to R1: 1. R4 receives a data packet for network 172.16.10.0 and identifies that the path to 5

the destination is MPLS enabled. Therefore, R4 forwards the packet to next-hop Router R3 after applying a label L3 (from downstream Router R3) on the packet and forwards the labeled packet to R3. 2. R3 receives the labeled packet with label L3 and swaps the label L3 with L2 and forwards the packet to R2. 3. R2 receives the labeled packet with label L2 and swaps the label L2 with L1 and forwards the packet to R1. 4. R1 is the border router between the IP and MPLS domains; therefore, R1 removes the labels on the data packet and forwards the IP packet to destination network 172.16.10.0.

5. MPLS Applications
MPLS-Based VPN For traditional VPN, the transmission of the data flow between private networks on the public packet switched network is usually realized via such tunneling protocols as GRE, L2TP and PPTP, and LSP itself is the tunnel on the public network. The realization of VPN using MPLS is of natural advantages. The MPLS-based VPN connects the geographically different branches of the private network by using LSP, forming a united network.

Fig .MPLS-based VPN

The basic structure of MPLS-based VPN is shown in Fig. CE is the customer edge device, and it may either be a router or a switch, or perhaps a host. PE is a service provider edge router, which is located on the edge of the backbone network. PE is responsible for managing VPN customers, establishing LSP connection between various PEs and route allocation among different branches of the same VPN.

MPLS-Based Traffic Engineering Network congestion is the main problem affecting the backbone network performance. Usually the network is congested due to insufficient network resources or unbalanced network resources, which causes partial congestion. Traffic engineering is used to solve the congestion due to unbalanced load. Through monitoring network traffic and load on network element dynamically, then adjusting traffic management parameters and routing parameters as well as resource constraining parameters in real time, traffic engineering optimizes the network resources and prevents the network congestion accordingly. The existing IGPs are all driven by the topology, and only the static connection of the network is taken into account. However, such dynamic status as bandwidth and traffic characteristics cannot be reflected. This is just the main reason resulting in unbalanced network load. MPLS, which is different from those of IGP, just satisfies the requirement of traffic engineering. MPLS supports the explicit LSP routing that is different from routing protocol path. Compared with traditional single IP packet forwarding, LSP is more convenient for management and maintenance. MPLS QoS QoS represents the set of techniques necessary to manage network bandwidth, delay, jitter, and packet loss. From a business perspective, it is essential to assure that the critical applications are guaranteed the network resources they need, despite varying network traffic load. Service providers offering MPLS VPN and traffic engineering (TE) services can now differentiate themselves by providing varying levels of QoS for different types of network traffic. For example, voice-over-IP (VoIP) traffic receives service with assured minimums of delay and bandwidth, while e-commerce traffic might receive a minimum bandwidth guarantee (but not a delay guarantee). DiffServ is one of the QoS architectures for IP networks defined by the IETF. Cisco IOS MPLS supports the IETF DiffServ architecture by making the rich set of Cisco QoS functions MPLS aware, and by enabling the features to act on the MPLS packets.

Chapter 2 MPLS VPN

1. VPN Overview
MPLS technology is being widely adopted by service providers worldwide to implement VPNs to connect geographically separated customer sites. The following session presents the terminology and operation of various devices in an MPLS network used to provide VPN services to customers. VPNs were originally introduced to enable service providers to use common physical infrastructure to implement emulated point-to-point links between customer sites. A customer network implemented with any VPN technology would contain distinct regions under the customer's control called the customer sites connected to each other via the service provider (SP) network. In traditional router-based networks, different sites belonging to the same customer were connected to each other using dedicated point-to-point links. The cost of implementation depended on the number of customer sites to be connected with these dedicated links. A full mesh of connected sites would consequently imply an exponential increase in the cost associated. Frame Relay and ATM were the first technologies widely adopted to implement VPNs. These networks consisted of various devices, belonging to either the customer or the service provider, that were components of the VPN solution. Generically, the VPN realm would consist of the following regions:

Customer network Consisted of the routers at the various customer sites. The routers connecting individual customers' sites to the service provider network were called customer edge (CE) routers. Provider network Used by the service provider to offer dedicated point-topoint links over infrastructure owned by the service provider. Service provider devices to which the CE routers were directly attached were called provider edge (PE) routers. In addition, the service provider network might consist of devices used for forwarding data in the SP backbone called provider (P) routers.

2. MPLS VPNs
Fig. below shows the MPLS VPN architecture.

Figure . MPLS VPN Network Architecture

In the MPLS VPN architecture, the edge routers carry customer routing information, providing optimal routing for traffic belonging to the customer for inter-site traffic. The MPLS-based VPN model also accommodates customers using overlapping address spaces, unlike the traditional peer-to-peer model in which optimal routing of customer traffic required the provider to assign IP addresses to each of its customers (or the customer to implement NAT) to avoid overlapping address spaces. MPLS VPN is an implementation of the peer-to-peer model; the MPLS VPN backbone and customer sites exchange Layer 3 customer routing information, and data is forwarded between customer sites using the MPLS-enabled SP IP backbone. The MPLS VPN domain, like the traditional VPN, consists of the customer network and the provider network. The MPLS VPN model is very similar to the dedicated PE router model in a peer-to-peer VPN implementation. However, instead of deploying a dedicated PE router per customer, customer traffic is isolated on the same PE router that provides connectivity into the service provider's network for multiple customers.

3.MPLS VPN components

The main components of MPLS VPN architecture are

Customer network, which is usually a customer-controlled domain consisting of devices or routers spanning multiple sites belonging to the customer. In fig., the customer network for Customer A consists of the routers CE1-A and CE2-A along with devices in the Customer A sites 1 and 2. CE routers, which are routers in the customer network that interface with the service provider network. In fig., the CE routers for Customer A are CE1-A and CE2-A, and the CE routers for Customer B are CE1-B and CE2-B. Provider network, which is the provider-controlled domain consisting of provider edge and provider core routers that connect sites belonging to the customer on a shared infrastructure. The provider network controls the traffic routing between sites belonging to a customer along with customer traffic isolation. In fig., the provider network consists of the routers PE1, PE2, P1, P2, P3, and P4. PE routers, which are routers in the provider network that interface or connect to the customer edge routers in the customer network. PE1 and PE2 are the provider edge routers in the MPLS VPN domain for customers A and B in fig. P routers, which are routers in the core of the provider network that interface with either other provider core routers or provider edge routers. Routers P1, P2, P3, and P4 are the provider routers in fig.

4. L3 and L2 MPLS VPNs

Layer 3 VPNs: With L3 VPNs the service provider participates in the customers Layer 3 routing. The customers CE router at each of his sites speaks a routing protocol such as BGP or OSPF to the providers PE router, and the IP prefixes advertised at each customer site are carried across the provider network. L3 VPNs are attractive to customers who want to leverage the service providers technical expertise to insure efficient site-to-site routing. Layer 2 VPNs: The provider interconnects the customer sites via the Layer 2 technology usually ATM, Frame Relay, or Ethernet of the customers choosing. The customer implements whatever Layer 3 protocol he wants to run, with no participation by the service provider at that level. L2 VPNs are attractive to customers who want complete control of their own routing; they are attractive to service providers because they can serve up whatever connectivity the customer wants simply by adding the appropriate interface in the PE router.

10

5. L3 MPLS VPN Routing Model

An MPLS VPN implementation is very similar to a dedicated router peer-to-peer model implementation. From a CE router's perspective, only IPv4 updates, as well as data, are forwarded to the PE router. The CE router does not need any specific configuration to enable it to be a part of a MPLS VPN domain. The only requirement on the CE router is a routing protocol (or a static/default route) that enables the router to exchange IPv4 routing information with the connected PE router. In the MPLS VPN implementation, the PE router performs multiple functions. The PE router must first be capable of isolating customer traffic if more than one customer is connected to the PE router. Each customer, therefore, is assigned an independent routing table similar to a dedicated PE router in the initial peer-to-peer discussion. Routing across the SP backbone is performed using a routing process in the global routing table. P routers provide label switching between provider edge routers and are unaware of VPN routes. CE routers in the customer network are not aware of the P routers and, thus, the internal topology of the SP network is transparent to the customer. Fig. below depicts the PE router's functionality. Figure. MPLS VPN routing model

The P routers are only responsible for label switching of packets. They do not carry VPN routes and do not participate in MPLS VPN routing. The PE routers exchange IPv4 routes with connected CE routers using individual routing protocol contexts. To enable scaling the network to large number of customer VPNs, multiprotocol BGP is configured between PE routers to carry customer routes.

11

VRF: Virtual Routing and Forwarding Table Customer isolation is achieved on the PE router by the use of virtual routing tables or instances, also called virtual routing and forwarding tables/instances (VRFs). In essence, it is similar to maintaining multiple dedicated routers for customers connecting into the provider network. The function of a VRF is similar to a global routing table, except that it contains all routes pertaining to a specific VPN versus the global routing table. The VRF also contains a VRF-specific CEF (Cisco Express Forwarding) forwarding table analogous to the global CEF table and defines the connectivity requirements and protocols for each customer site on a single PE router. The VRF defines routing protocol contexts that are part of a specific VPN as well as the interfaces on the local PE router that are part of a specific VPN and, hence, use the VRF. The interface that is part of the VRF must support CEF switching. The number of interfaces that can be bound to a VRF is only limited by the number of interfaces on the router, and a single interface (logical or physical) can be associated with only one VRF. The VRF contains an IP routing table analogous to the global IP routing table, a CEF table, list of interfaces that are part of the VRF, and a set of rules defining routing protocol exchange with attached CE routers (routing protocol contexts). In addition, the VRF also contains VPN identifiers as well as VPN membership information (RD and RT are covered in the next section). Fig. shows the function of a VRF on a PE router to implement customer routing isolation. Figure . VRF Implementation on PE Router

12

As shown in fig., Cisco IOS supports a variety of routing protocols as well as individual routing processes (OSPF, EIGRP, etc.) per router. However, for some routing protocols, such as RIP and BGP, IOS supports only a single instance of the routing protocol. Therefore, to implement per VRF routing using these protocols that are completely isolated from other VRFs, which might use the same PE-CE routing protocols, the concept of routing context was developed. Routing contexts were designed to support isolated copies of the same VPN PE-CE routing protocols. These routing contexts can be implemented as either separated processes, as in the case of OSPF, or as multiple instances of the same routing protocol (in BGP, RIP, etc.). If multiple instances of the same routing protocol are in use, each instance has its own set of parameters. Cisco IOS currently supports either RIPv2 (multiple contexts), EIGRP (multiple contexts), OSPFv2 (multiple processes), and BGPv4 (multiple contexts) as routing protocols that can be used per VRF to exchange customer routing information between CE and PE. Note that the VRF interfaces can be either logical or physical, but each interface can be assigned to only one VRF.

13

Chapter 3

FAQs
1.MPLS
Q What is Multi-Protocol Label Switching (MPLS)? A. MPLS is a packet-forwarding technology which uses labels to make data forwarding decisions. With MPLS, the Layer 3 header analysis is done just once (when the packet enters the MPLS domain). Label inspection drives subsequent packet forwarding. MPLS provides these beneficial applications:

Virtual Private Networking (VPN) Traffic Engineering (TE) Quality of Service (QoS)

Additionally, it decreases the forwarding overhead on the core routers. MPLS technologies are applicable to any network layer protocol. Q. What is a label? What is the structure of the label? A. A label is a short, four-byte, fixed-length, locally-significant identifier which is used to identify a Forwarding Equivalence Class (FEC). The label which is put on a particular packet represents the FEC to which that packet is assigned.

LabelLabel Value (Unstructured), 20 bits ExpExperimental Use, 3 bits; currently used as a Class of Service (CoS) field. SBottom of Stack, 1 bit TTLTime to Live, 8 bits

Q. Where will the label be imposed in a packet? A. The label is imposed between the data link layer (Layer 2) header and network layer (Layer 3) header. The top of the label stack appears first in

14

the packet, and the bottom appears last. The network layer packet immediately follows the last label in the label stack.

Q. What is a Forwarding Equivalence Class (FEC)? A. FEC is a group of IP packets which are forwarded in the same manner, over the same path, and with the same forwarding treatment. An FEC might correspond to a destination IP subnet, but it also might correspond to any traffic class that the Edge-LSR considers significant. Q. How does the LSR know which is the top label, bottom label, and a middle label of the label stack? A. The label immediately after the Layer 2 header is the top label, and the label with the S bit set to 1 is the bottom label. No application requires LSR to read/identify the middle labels. However, a label will be a middle label if it is not at the top of the stack and the S bit is set to 0.

2. MPLS VPN
Q What is IP VPN Service? VPN is an acronym for Virtual Private Network. An IP VPN Service offers exclusive and private interconnectivity using Internet protocol to computers or Local Area Networks (LANs) across the country. Q. How can the IP VPN service benefit businesses? Business companies can extend their LANs and computers at various locations across the country so as to interconnect them over an IP VPN thereby enabling online communication, which can enhance business efficiency. Q.Why do enterprises need VPN? Some of the important reasons why enterprises need VPN are: High Cost & Complexity of Private Networks on leased line deployment, maintenance, upgradation & expansion. These investments divert the main focus from the core business areas of the enterprise. Increasingly dispersed mobile workforce requires constant contact with the enterprise LAN. This is possible through Dial-VPN service, which is a small value added service over the VPN platform. Flexible reconfiguration allows instantaneous addition/deletion of connections

15

without any major investment. Rise in Internet based applications & continually evolving technology allows the enterprise to avail of several value-added services that will be offered by the Service Provider in future over the same IP network infrastructure in a cost effective manner. Examples are bandwidth on demand, VoIP, multicasting, & interactive applications. Yes, a dial customer can be provided access to a VPN through what is known as an L2TP (Layer 2 Tunneling protocol)tunnel. Q.How secure is IP VPN service? A VPN by itself is an isolated entity and therefore has no possibility of outside intrusion. The security in case of interconnection with other networks will be the customer's responsibility. Q. What are the two types of MPLS VPNs? What is the difference between them? Layer 2 VPNs and Layer 3 VPNs. In L2 VPN, the Customer routing information is not communicated to the Service Provider whereas in L3 VPN, the Customer Routing updates are sent to Provider router. Q. What alternatives are there for implementing VPNs over MPLS? There are multiple proposals for using MPLS to provision IP-based VPNs. One proposal (MPLS/BGP VPNs) enabled MPLS-VPNs via extensions to Border Gateway Protocol (BGP). In this approach, BGP propagates VPN-IPv4 information using the BGP multiprotocol extensions (MP-BGP) for handling these extended addresses. It propagates reachability information (VPN-IPv4 addresses) among Edge Label Switch Routers (Provider Edge router). The reachability information for a given VPN is propagated only to other members of that VPN. The BGP multiprotocol extensions identify the valid recipients for VPN routing information. All the members of the VPN learn routes to other members. Another proposal for using MPLS to create IP-VPN's is based on the idea of maintaining separate routing tables for various virtual private networks and does not involve BGP.

16