MPLS VPN
Chapter 1
MPLS Overview
1. Introduction
The exponential growth of the Internet over the past several years has placed a tremendous strain on service provider networks. Not only has the number of users increased, but there has been a multifold increase in connection speeds, backbone traffic and new applications. Ordinary data applications initially required only best-effort store-and-forward delivery. Newer applications such as voice, multimedia traffic and real-time e-commerce demand higher bandwidth and firmer guarantees, irrespective of dynamic changes or interruptions in the network. To honour service level guarantees, service providers not only have to provide large (and costlier) data pipes, but also need architectures that can provide and guarantee QoS and optimal performance with minimal increase in the cost of network resources. MPLS technology enables service providers to offer additional services to their customers, scale their current offerings, and exercise more control over their growing networks through its traffic engineering capabilities.

IP routing and MPLS

In conventional IP forwarding, a particular router will typically consider two packets to be in the same FEC (Forwarding Equivalence Class) if there is some address prefix X in that router's routing table such that X is the "longest match" for each packet's destination address. As the packet traverses the network, each hop in turn re-examines the packet and assigns it to a FEC. In MPLS, on the other hand, the assignment of a particular packet to a particular FEC is done just once, as the packet enters the network. The FEC to which the packet is assigned is encoded as a label. When a packet is forwarded to its next hop, the label is sent along with it. At subsequent hops there is no further analysis of the packet's network layer header; rather, the label is used as an index into a table which specifies the next hop and a new label. The old label is replaced with the new label, and the packet is forwarded to its next hop.
2. MPLS terminology
IP-based networks typically lack the quality-of-service features available in circuit-based networks such as Frame Relay and ATM. MPLS brings the sophistication of a connection-oriented protocol to the connectionless IP world. Based on simple improvements to basic IP routing, MPLS brings performance enhancements and service creation capabilities to the network. MPLS stands for Multiprotocol Label Switching; multiprotocol because its techniques are applicable to any network layer protocol, of which IP is the most popular. Before explaining MPLS, here are some of the terms used extensively in MPLS jargon:

1. Forwarding Equivalence Class (FEC): a group of IP packets which are forwarded in the same manner (e.g., over the same path, with the same forwarding treatment).

2. MPLS header: the 32-bit MPLS header contains the following fields:
   i. The label field (20 bits) carries the actual value of the MPLS label.
   ii. The Class of Service (CoS) field (3 bits) can affect the queuing and discard algorithms applied to the packet as it is transmitted through the network. Since the CoS field has 3 bits, 8 distinct service classes can be maintained.
   iii. The Stack (S) field (1 bit) supports a hierarchical label stack. Although MPLS supports a stack, the processing of a labeled packet is always based on the top label, without regard for the possibility that some other labels may have been above it in the past, or that some number of other labels may be below it at present. A value of 1 marks the bottom label of the stack.
   iv. The TTL (time-to-live) field (8 bits) provides conventional IP TTL functionality.

3. The MPLS label is encapsulated in a standardized MPLS header that is inserted between the Layer 2 and IP headers.

Fig. L2, MPLS, L3 headers

4. MPLS label: a short, fixed-length, physically contiguous identifier which is used to identify a FEC, usually of local significance.

5. In the MPLS architecture, the device that participates in packet forwarding is called a Label Switching Router (LSR).

6. Label Switched Path (LSP): the path through one or more LSRs at one level of the hierarchy which is followed by packets in a particular FEC.
4. MPLS operations
Label push, label swap and label pop

PUSH: A new label is pushed on top of the packet, effectively "encapsulating" the original IP packet in a layer of MPLS.

SWAP: Every incoming label is replaced by a new outgoing label (as per the path to be followed) and the packet is forwarded along the path associated with the new label.

POP: The label is removed from the packet, effectively "de-encapsulating" it. If the popped label was the last on the label stack, the packet "leaves" the MPLS tunnel.
Fig. MPLS operations

The figure above shows the LSP, the path from source to destination for a data packet through an MPLS-enabled network. LSPs are unidirectional in nature. The LSP is usually derived from IGP routing information but can diverge from the IGP's preferred path to the destination. In the figure, the LSP for network 172.16.10.0/24 from R4 is R4-R3-R2-R1. As shown in the figure, the following process takes place in the data forwarding path from R4 to R1:

1. R4 receives a data packet for network 172.16.10.0 and identifies that the path to the destination is MPLS enabled. Therefore, R4 applies a label L3 (learned from downstream router R3) to the packet and forwards the labeled packet to next-hop router R3.
2. R3 receives the labeled packet with label L3, swaps label L3 with L2 and forwards the packet to R2.
3. R2 receives the labeled packet with label L2, swaps label L2 with L1 and forwards the packet to R1.
4. R1 is the border router between the IP and MPLS domains; therefore, R1 removes the label from the data packet and forwards the IP packet to destination network 172.16.10.0.
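The forwarding walk above (push at R4, swaps at R3 and R2, pop at R1) together with the longest-match FEC assignment described in the Introduction, as an added example in Python; this is not code from the original document. The numeric labels 103/102/101 stand in for L3/L2/L1, and the second LSP (labels 110/109/108 for the less specific prefix 172.16.0.0/16), the FEC table on R4 and the packet model are constructed for illustration. A single TTL counter is a simplification standing in for the IP TTL carried in the label.

```python
"""Label push, swap and pop along the LSP R4-R3-R2-R1 described above.

Added example; not code from the original document. Label values, the
FEC table on R4 and the packet model are constructed. A single TTL
counter stands in for the IP TTL copied into the label (simplification).
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Packet:
    dst: str
    ttl: int
    labels: list = field(default_factory=list)  # labels[-1] is the top of stack


class LSR:
    """A label switching router: an ingress FEC table plus a label table."""

    def __init__(self, name):
        self.name = name
        self.fec_table = []  # (network, out_label, next_hop); used at ingress only
        self.lfib = {}       # in_label -> (action, out_label, next_hop)


def ingress_lookup(router, dst):
    """Assign an unlabeled packet to a FEC by longest prefix match."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, label, nh in router.fec_table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, label, nh)
    return best


def forward(router, pkt):
    """Apply one LSR's operation; return the next hop, or None when dropped."""
    if pkt.ttl <= 1:
        return None          # TTL exhausted: conventional IP TTL behaviour
    pkt.ttl -= 1
    if not pkt.labels:       # unlabeled packet: this LSR is the ingress
        match = ingress_lookup(router, pkt.dst)
        if match is None:
            return None      # no FEC here: not an MPLS-reachable destination
        _net, label, nh = match
        pkt.labels.append(label)            # PUSH
        return nh
    entry = router.lfib.get(pkt.labels[-1])  # only the top label is examined
    if entry is None:
        return None          # unknown label: drop rather than guess
    action, out_label, nh = entry
    if action == "swap":
        pkt.labels[-1] = out_label          # SWAP
    elif action == "pop":
        pkt.labels.pop()                    # POP: last label leaves the tunnel
    return nh


def run_lsp(routers, start, pkt):
    """Walk the packet across the LSRs, recording (router, stack, ttl) per hop."""
    trace, cur = [], start
    while cur in routers:
        nh = forward(routers[cur], pkt)
        trace.append((cur, list(pkt.labels), pkt.ttl))
        if nh is None:
            break
        cur = nh             # the egress returns the destination network, ending the walk
    return trace


def build_topology():
    """Constructed tables for the R4-R3-R2-R1 path towards 172.16.10.0/24."""
    r4, r3, r2, r1 = LSR("R4"), LSR("R3"), LSR("R2"), LSR("R1")
    r4.fec_table = [
        (ipaddress.ip_network("172.16.0.0/16"), 110, "R3"),   # less specific FEC
        (ipaddress.ip_network("172.16.10.0/24"), 103, "R3"),  # the LSP in the figure
    ]
    r3.lfib = {103: ("swap", 102, "R2"), 110: ("swap", 109, "R2")}
    r2.lfib = {102: ("swap", 101, "R1"), 109: ("swap", 108, "R1")}
    r1.lfib = {101: ("pop", None, "172.16.10.0/24"),  # R1 is the egress
               108: ("pop", None, "172.16.0.0/16")}
    return {r.name: r for r in (r4, r3, r2, r1)}


if __name__ == "__main__":
    for hop in run_lsp(build_topology(), "R4", Packet("172.16.10.5", 64)):
        print(hop)
```

Running the script prints one (router, label stack, TTL) tuple per hop: the stack is empty again after R1 pops the last label, a packet whose destination has no FEC at R4 is dropped there, and one whose TTL expires mid-path is dropped at the LSR where it expires.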
5. MPLS Applications
MPLS-Based VPN

In a traditional VPN, the transmission of data flows between private networks over the public packet-switched network is usually realized via tunneling protocols such as GRE, L2TP and PPTP. In MPLS, the LSP itself is the tunnel across the public network, so realizing a VPN with MPLS has natural advantages. The MPLS-based VPN connects the geographically separate branches of the private network using LSPs, forming a single unified network.
The basic structure of an MPLS-based VPN is shown in the figure. CE is the customer edge device, which may be a router, a switch, or perhaps a host. PE is a service provider edge router located on the edge of the backbone network. PE is responsible for managing VPN customers, establishing LSP connections between the various PEs, and distributing routes among the different branches of the same VPN.
MPLS-Based Traffic Engineering

Network congestion is the main problem affecting backbone network performance. Usually the network is congested due to insufficient network resources or unbalanced use of network resources, which causes partial congestion. Traffic engineering is used to solve congestion due to unbalanced load. By dynamically monitoring network traffic and the load on network elements, then adjusting traffic management parameters, routing parameters and resource constraint parameters in real time, traffic engineering optimizes the use of network resources and prevents congestion accordingly. The existing IGPs are all topology driven and take only the static connectivity of the network into account; dynamic state such as available bandwidth and traffic characteristics cannot be reflected. This is the main reason for unbalanced network load. MPLS, unlike IGP routing, satisfies the requirements of traffic engineering: it supports explicit LSP routing that can differ from the routing protocol path. Compared with traditional per-packet IP forwarding, LSPs are more convenient to manage and maintain.

MPLS QoS

QoS represents the set of techniques necessary to manage network bandwidth, delay, jitter, and packet loss. From a business perspective, it is essential to assure that critical applications are guaranteed the network resources they need, despite varying network traffic load. Service providers offering MPLS VPN and traffic engineering (TE) services can now differentiate themselves by providing varying levels of QoS for different types of network traffic. For example, voice-over-IP (VoIP) traffic receives service with assured minimums of delay and bandwidth, while e-commerce traffic might receive a minimum bandwidth guarantee (but not a delay guarantee). DiffServ is one of the QoS architectures for IP networks defined by the IETF. Cisco IOS MPLS supports the IETF DiffServ architecture by making the rich set of Cisco QoS functions MPLS aware, and by enabling those features to act on MPLS packets.
Customer network: consisting of the routers at the various customer sites. The routers connecting individual customer sites to the service provider network were called customer edge (CE) routers.

Provider network: used by the service provider to offer dedicated point-to-point links over infrastructure owned by the service provider. Service provider devices to which the CE routers were directly attached were called provider edge (PE) routers. In addition, the service provider network might consist of devices used for forwarding data in the SP backbone, called provider (P) routers.
2. MPLS VPNs
Fig. below shows the MPLS VPN architecture.
In the MPLS VPN architecture, the edge routers carry customer routing information, providing optimal routing for traffic belonging to the customer for inter-site traffic. The MPLS-based VPN model also accommodates customers using overlapping address spaces, unlike the traditional peer-to-peer model in which optimal routing of customer traffic required the provider to assign IP addresses to each of its customers (or the customer to implement NAT) to avoid overlapping address spaces. MPLS VPN is an implementation of the peer-to-peer model; the MPLS VPN backbone and customer sites exchange Layer 3 customer routing information, and data is forwarded between customer sites using the MPLS-enabled SP IP backbone. The MPLS VPN domain, like the traditional VPN, consists of the customer network and the provider network. The MPLS VPN model is very similar to the dedicated PE router model in a peer-to-peer VPN implementation. However, instead of deploying a dedicated PE router per customer, customer traffic is isolated on the same PE router that provides connectivity into the service provider's network for multiple customers.
Customer network: usually a customer-controlled domain consisting of devices or routers spanning multiple sites belonging to the customer. In the figure, the customer network for Customer A consists of the routers CE1-A and CE2-A along with the devices in Customer A sites 1 and 2.

CE routers: routers in the customer network that interface with the service provider network. In the figure, the CE routers for Customer A are CE1-A and CE2-A, and the CE routers for Customer B are CE1-B and CE2-B.

Provider network: the provider-controlled domain consisting of provider edge and provider core routers that connect sites belonging to the customer over a shared infrastructure. The provider network controls the routing of traffic between sites belonging to a customer along with customer traffic isolation. In the figure, the provider network consists of the routers PE1, PE2, P1, P2, P3, and P4.

PE routers: routers in the provider network that interface or connect to the customer edge routers in the customer network. PE1 and PE2 are the provider edge routers in the MPLS VPN domain for customers A and B in the figure.

P routers: routers in the core of the provider network that interface with either other provider core routers or provider edge routers. Routers P1, P2, P3, and P4 are the provider routers in the figure.
The P routers are responsible only for label switching of packets. They do not carry VPN routes and do not participate in MPLS VPN routing. The PE routers exchange IPv4 routes with connected CE routers using individual routing protocol contexts. To enable scaling the network to a large number of customer VPNs, multiprotocol BGP is configured between PE routers to carry customer routes.
VRF: Virtual Routing and Forwarding Table

Customer isolation is achieved on the PE router by the use of virtual routing tables or instances, also called virtual routing and forwarding tables/instances (VRFs). In essence, this is similar to maintaining multiple dedicated routers for the customers connecting into the provider network. The function of a VRF is similar to that of the global routing table, except that it contains only the routes pertaining to a specific VPN rather than the routes of the global routing table. The VRF also contains a VRF-specific CEF (Cisco Express Forwarding) forwarding table, analogous to the global CEF table, and defines the connectivity requirements and protocols for each customer site on a single PE router. The VRF defines the routing protocol contexts that are part of a specific VPN as well as the interfaces on the local PE router that are part of that VPN and, hence, use the VRF. An interface that is part of a VRF must support CEF switching. The number of interfaces that can be bound to a VRF is limited only by the number of interfaces on the router, and a single interface (logical or physical) can be associated with only one VRF. The VRF contains an IP routing table analogous to the global IP routing table, a CEF table, the list of interfaces that are part of the VRF, and a set of rules defining routing protocol exchange with attached CE routers (routing protocol contexts). In addition, the VRF also contains VPN identifiers as well as VPN membership information (RD and RT are covered in the next section). The figure shows the function of a VRF on a PE router in implementing customer routing isolation.

Fig. VRF implementation on PE router
As shown in the figure, Cisco IOS supports a variety of routing protocols as well as individual routing processes (OSPF, EIGRP, etc.) per router. However, for some routing protocols, such as RIP and BGP, IOS supports only a single instance of the routing protocol. Therefore, to implement per-VRF routing with these protocols that is completely isolated from other VRFs, which might use the same PE-CE routing protocols, the concept of a routing context was developed. Routing contexts were designed to support isolated copies of the same VPN PE-CE routing protocols. These routing contexts can be implemented either as separate processes, as in the case of OSPF, or as multiple instances of the same routing protocol (BGP, RIP, etc.). If multiple instances of the same routing protocol are in use, each instance has its own set of parameters. Cisco IOS currently supports RIPv2 (multiple contexts), EIGRP (multiple contexts), OSPFv2 (multiple processes), and BGPv4 (multiple contexts) as routing protocols that can be used per VRF to exchange customer routing information between CE and PE. Note that VRF interfaces can be either logical or physical, but each interface can be assigned to only one VRF.
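A small model of a PE router with per-customer VRFs, added here as an example; it is not code from the original document or from Cisco IOS. Customer names, interface names, prefixes and next hops are constructed. It illustrates the points of this section: each VRF keeps its own routing table and interface list, an interface can belong to only one VRF, a lookup is done in the table of the VRF that the ingress interface belongs to, and two customers can use overlapping address space without conflict. The CEF table and the routing protocol contexts are not modelled.

```python
"""A PE router with per-customer VRFs (added example, not from the document or Cisco IOS).

Customer names, interfaces, prefixes and next hops below are constructed.
"""
import ipaddress


class VRF:
    """One virtual routing and forwarding instance: its own routes and interfaces."""

    def __init__(self, name):
        self.name = name
        self.routes = []         # (network, next_hop) learned from this VPN's CE routers
        self.interfaces = set()  # PE interfaces bound to this VRF

    def add_route(self, prefix, next_hop):
        self.routes.append((ipaddress.ip_network(prefix), next_hop))

    def lookup(self, dst):
        """Longest prefix match within this VRF only; None if the VPN has no route."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, nh in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return best[1] if best else None


class PERouter:
    """Holds the global table plus one VRF per connected customer."""

    def __init__(self):
        self.global_table = VRF("global")
        self.vrfs = {}       # VRF name -> VRF
        self.iface_vrf = {}  # interface -> VRF name

    def create_vrf(self, name):
        if name in self.vrfs:
            raise ValueError(f"VRF {name} already exists")
        self.vrfs[name] = VRF(name)
        return self.vrfs[name]

    def bind_interface(self, iface, vrf_name):
        """An interface (logical or physical) may belong to at most one VRF."""
        if iface in self.iface_vrf:
            raise ValueError(f"{iface} is already bound to VRF {self.iface_vrf[iface]}")
        self.vrfs[vrf_name].interfaces.add(iface)
        self.iface_vrf[iface] = vrf_name

    def route(self, in_iface, dst):
        """Select the table by ingress interface, then look the destination up there.
        Returns (table name, next hop or None); unbound interfaces use the global table."""
        vrf_name = self.iface_vrf.get(in_iface)
        table = self.vrfs[vrf_name] if vrf_name else self.global_table
        return table.name, table.lookup(dst)


def build_pe():
    """Constructed configuration: two customers that both use 10.1.0.0/16."""
    pe = PERouter()
    cust_a = pe.create_vrf("CustA")
    cust_b = pe.create_vrf("CustB")
    pe.bind_interface("Gi0/1", "CustA")
    pe.bind_interface("Gi0/2", "CustB")
    cust_a.add_route("10.1.0.0/16", "CE1-A")      # overlapping address space ...
    cust_b.add_route("10.1.0.0/16", "CE1-B")      # ... same prefix, different customer
    cust_a.add_route("192.168.5.0/24", "CE2-A")   # present in Customer A's VPN only
    pe.global_table.add_route("198.51.100.0/24", "P1")  # backbone route, in no VRF
    return pe


if __name__ == "__main__":
    pe = build_pe()
    for iface, dst in [("Gi0/1", "10.1.2.3"), ("Gi0/2", "10.1.2.3"), ("Gi0/2", "192.168.5.9")]:
        print(iface, dst, "->", pe.route(iface, dst))
```

The same destination 10.1.2.3 resolves to CE1-A or CE1-B depending only on which VRF the ingress interface is bound to, and a prefix that exists only in Customer A's VRF is unreachable from Customer B's interface, which is the isolation the section describes.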
Chapter 3
FAQs
1. MPLS
Q. What is Multi-Protocol Label Switching (MPLS)?
A. MPLS is a packet-forwarding technology which uses labels to make data forwarding decisions. With MPLS, the Layer 3 header analysis is done just once (when the packet enters the MPLS domain). Label inspection drives subsequent packet forwarding. MPLS provides these beneficial applications:

1. Virtual Private Networking (VPN)
2. Traffic Engineering (TE)
3. Quality of Service (QoS)

Additionally, it decreases the forwarding overhead on the core routers. MPLS technologies are applicable to any network layer protocol.

Q. What is a label? What is the structure of the label?
A. A label is a short, four-byte, fixed-length, locally-significant identifier which is used to identify a Forwarding Equivalence Class (FEC). The label which is put on a particular packet represents the FEC to which that packet is assigned.

Label: label value (unstructured), 20 bits
Exp: experimental use, 3 bits; currently used as a Class of Service (CoS) field
S: bottom of stack, 1 bit
TTL: time to live, 8 bits
Q. Where will the label be imposed in a packet?
A. The label is imposed between the data link layer (Layer 2) header and the network layer (Layer 3) header. The top of the label stack appears first in the packet, and the bottom appears last. The network layer packet immediately follows the last label in the label stack.
Q. What is a Forwarding Equivalence Class (FEC)?
A. A FEC is a group of IP packets which are forwarded in the same manner, over the same path, and with the same forwarding treatment. A FEC might correspond to a destination IP subnet, but it also might correspond to any traffic class that the edge LSR considers significant.

Q. How does the LSR know which is the top label, the bottom label, and a middle label of the label stack?
A. The label immediately after the Layer 2 header is the top label, and the label with the S bit set to 1 is the bottom label. No application requires the LSR to read or identify the middle labels. However, a label is a middle label if it is not at the top of the stack and its S bit is set to 0.
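The label structure and stack rules from the answers above (20-bit label, 3-bit Exp/CoS, 1-bit S, 8-bit TTL; the top label first after the Layer 2 header, S=1 on the bottom label, the network layer packet immediately after it), as an added encode/decode example in Python; this is not code from the original document. The label, Exp and TTL values, the MAC addresses and the placeholder IPv4 header in the sample frame are constructed. The Ethernet type 0x8847 for MPLS unicast is not mentioned on the page and is stated here as background.

```python
"""Encode and decode an MPLS label stack (added example, not from the document).

Layout of each 32-bit entry: label (20 bits) | Exp/CoS (3) | S (1) | TTL (8).
All sample values (labels, Exp, TTL, MAC addresses, IPv4 bytes) are constructed.
"""
import struct
from dataclasses import dataclass

# Standard Ethernet type for MPLS unicast frames (background fact, not from the page).
ETHERTYPE_MPLS_UNICAST = 0x8847


@dataclass(frozen=True)
class LabelEntry:
    label: int  # 20-bit label value
    exp: int    # 3-bit experimental field, used as CoS
    ttl: int    # 8-bit time to live


def encode_stack(entries):
    """Serialize entries top-first; the S bit is set only on the bottom entry."""
    if not entries:
        raise ValueError("a label stack needs at least one entry")
    out = bytearray()
    last = len(entries) - 1
    for i, e in enumerate(entries):
        if not (0 <= e.label < 1 << 20 and 0 <= e.exp < 8 and 0 <= e.ttl < 256):
            raise ValueError(f"field out of range: {e}")
        word = (e.label << 12) | (e.exp << 9) | ((i == last) << 8) | e.ttl
        out += struct.pack("!I", word)
    return bytes(out)


def decode_stack(data, offset=0):
    """Read shim headers from offset until the entry with S=1.

    Returns (entries top-first, offset of the network layer packet). A stack
    that runs out of bytes before any S=1 entry is rejected rather than
    silently treating payload bytes as further labels."""
    entries = []
    while True:
        if offset + 4 > len(data):
            raise ValueError("truncated label stack: no entry has S=1")
        (word,) = struct.unpack_from("!I", data, offset)
        offset += 4
        entries.append(LabelEntry(word >> 12, (word >> 9) & 0x7, word & 0xFF))
        if (word >> 8) & 0x1:  # bottom of stack: the IP header starts at offset
            return entries, offset


def stack_roles(entries):
    """Name each entry's position as the FAQ does: first is top, S=1 is bottom,
    anything else is middle (a one-entry stack is both top and bottom)."""
    last = len(entries) - 1
    roles = []
    for i in range(len(entries)):
        if last == 0:
            roles.append("top+bottom")
        elif i == 0:
            roles.append("top")
        elif i == last:
            roles.append("bottom")
        else:
            roles.append("middle")
    return roles


def split_frame(frame):
    """Split an Ethernet frame into (label entries, network layer packet)."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != ETHERTYPE_MPLS_UNICAST:
        raise ValueError(f"not an MPLS unicast frame: ethertype 0x{ethertype:04x}")
    entries, offset = decode_stack(frame, 14)   # stack sits right after the L2 header
    return entries, frame[offset:]


def sample_frame():
    """Constructed frame: Ethernet header, two-label stack, placeholder IPv4 header."""
    eth = (bytes.fromhex("00005e005301")            # constructed destination MAC
           + bytes.fromhex("00005e005302")          # constructed source MAC
           + struct.pack("!H", ETHERTYPE_MPLS_UNICAST))
    stack = encode_stack([LabelEntry(103, 5, 64),   # top label
                          LabelEntry(21, 0, 64)])   # bottom label (S=1)
    ipv4 = b"\x45" + bytes(19)                      # placeholder: version/IHL byte only
    return eth + stack + ipv4


if __name__ == "__main__":
    ents, payload = split_frame(sample_frame())
    for e, role in zip(ents, stack_roles(ents)):
        print(role, e)
    print("network layer packet starts with", hex(payload[0]))
```

The decoder stops at the first entry whose S bit is 1 and reports where the network layer packet begins; a stack with no S=1 entry before the data runs out is rejected, since reading on would misinterpret IP header bytes as labels.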
2. MPLS VPN
Q. What is IP VPN Service?
A. VPN is an acronym for Virtual Private Network. An IP VPN service offers exclusive and private interconnectivity using the Internet Protocol to computers or Local Area Networks (LANs) across the country.

Q. How can the IP VPN service benefit businesses?
A. Businesses can extend their LANs and computers at various locations across the country by interconnecting them over an IP VPN, thereby enabling online communication that can enhance business efficiency.

Q. Why do enterprises need VPN?
A. Some of the important reasons why enterprises need VPN are:

1. High cost and complexity of private networks on leased lines: deployment, maintenance, upgrading and expansion. These investments divert the main focus from the core business areas of the enterprise.
2. An increasingly dispersed mobile workforce requires constant contact with the enterprise LAN. This is possible through the Dial-VPN service, which is a small value-added service over the VPN platform.
3. Flexible reconfiguration allows instantaneous addition/deletion of connections without any major investment.
4. The rise in Internet-based applications and continually evolving technology allows the enterprise to avail of several value-added services that the Service Provider will offer in future over the same IP network infrastructure in a cost-effective manner. Examples are bandwidth on demand, VoIP, multicasting, and interactive applications.

Yes, a dial customer can be provided access to a VPN through what is known as an L2TP (Layer 2 Tunneling Protocol) tunnel.

Q. How secure is IP VPN service?
A. A VPN by itself is an isolated entity and therefore has no possibility of outside intrusion. Security in the case of interconnection with other networks is the customer's responsibility.

Q. What are the two types of MPLS VPNs? What is the difference between them?
A. Layer 2 VPNs and Layer 3 VPNs. In an L2 VPN, the customer's routing information is not communicated to the service provider, whereas in an L3 VPN the customer's routing updates are sent to the provider router.

Q. What alternatives are there for implementing VPNs over MPLS?
A. There are multiple proposals for using MPLS to provision IP-based VPNs. One proposal (MPLS/BGP VPNs) enables MPLS VPNs via extensions to the Border Gateway Protocol (BGP). In this approach, BGP propagates VPN-IPv4 information using the BGP multiprotocol extensions (MP-BGP) for handling these extended addresses. It propagates reachability information (VPN-IPv4 addresses) among edge label switch routers (provider edge routers). The reachability information for a given VPN is propagated only to other members of that VPN; the BGP multiprotocol extensions identify the valid recipients for VPN routing information. All the members of the VPN learn routes to the other members. Another proposal for using MPLS to create IP VPNs is based on the idea of maintaining separate routing tables for the various virtual private networks and does not involve BGP.