
Internal

ODC010003 MPLS L3
VPN Principle
ISSUE 1.4

HUAWEI TECHNOLOGIES CO., LTD.

www.huawei.com

All rights reserved

These slides introduce the MPLS L3 VPN system structure, label distribution, data forwarding and typical applications.


Upon completion of this course, you will be able to:

Describe VPN classification
Describe the MPLS L3 VPN concept
Describe label distribution and data forwarding
Describe typical MPLS L3 VPN applications


Chapter 1 VPN Classification


Chapter 2 MPLS L3 VPN Principle


VPN Classification
VPN: Virtual Private Network

[Figure: VPN classification tree. Labels in the figure: VPN; IP-VPN; CPE-Based VPN; Network-Based VPN; VLL; VPDN; VPLS; VPRN; MPLS/BGP VPN; VR-VPN]

VPN Tunnel
Tunnel: a technology that uses one protocol to transmit another protocol. The tunneling protocol mainly serves to implement this function. Tunnel technology involves three types of protocol: the tunneling protocol, the bearer protocol beneath the tunneling protocol, and the protocol borne on the tunneling protocol (the passenger protocol).


VPN Type (1)

Virtual Leased Line (VLL): provides a point-to-point connection service between two pieces of CPE equipment for the user via the edge nodes of the operator.

Virtual Private Dial Network (VPDN): the remote user dials into the public IP network via PSTN/ISDN, and the data packets cross the public network through a tunnel to the destination network.


VPN Type (2)

Virtual Private LAN Segments (VPLS): VPLS is a method of building a virtual LAN over public IP resources. The networking is based on MAC-layer forwarding and is completely transparent to the network-layer protocol. It is an L2 VPN.

Virtual Private Routed Network (VPRN): VPRN is defined as an emulation of a multi-site wide-area routed network service over the public IP network; the VPN's data packets are forwarded at the network layer.


Example: Constructing VPN via GRE Tunnel

[Figure: HQ1 and HQ2 each reach their remote site through a GRE tunnel across the public IP network (routers Rt1, Rt2). Private prefixes shown on both sides: 10.0.0.0/24, 10.0.1.1/24, 10.0.1.2/24. Public links: 129.0.0.1/30, 129.0.0.2/30, 129.0.1.1/30, 129.0.1.2/30, 129.0.2.1/30, 129.0.2.2/30, 129.0.3.1/30, 129.0.3.2/30.]

To construct such a network, only the access router of each network needs to be configured.
The operator network does not need to know the internal routes of the VPN.
Different VPNs can employ the same address space.
Forwarding efficiency is low.

Exercise-1
1. Which VPN technologies belong to layer 3 VPN? ( )

A GRE
B L2TP
C BGP/MPLS
D VPLS


Chapter 1 VPN Classification


Chapter 2 MPLS L3 VPN Principle


MPLS VPN Network Structure

[Figure: four PE routers in the backbone, interconnected by iBGP sessions, each with attached CEs. VPN_A sites: 10.1.0.0, 10.2.0.0, 11.5.0.0, 11.6.0.0. VPN_B sites: 10.1.0.0, 10.2.0.0, 10.3.0.0. VPN_A and VPN_B reuse the prefixes 10.1.0.0 and 10.2.0.0.]

CE (Customer Edge Router): the user equipment directly connected to the service provider.
PE (Provider Edge Router): the edge router of the backbone network, connected to the CE and mainly responsible for access to the VPN service.
P (Provider Router): the core router of the backbone network, mainly responsible for routing and fast forwarding.



Question
One PE connects to several CEs that belong to different VPNs. As the VPNs may have overlapping address spaces, how does the PE identify each VPN's routing information?


Relationship Between PE and CE

[Figure: a PE holding a VRF for VPNA (CE at Site-1), a VRF for VPNB (CE at Site-2) and the global routing table; PE-CE routing via EBGP, RIP or static routes.]

PE and CE routers exchange routing information via EBGP, RIP or static routes. The CE runs a standard routing protocol.

The PE maintains separate routing tables for the public network and the private networks:
The public-network routing table, containing the routes to all PE and P routers, is generated by the backbone IGP.
Each VRF (VPN routing and forwarding table) contains the routing and forwarding tables for one or more directly connected CEs.


VRF Detail
A VRF can be regarded as a virtual router.
The PE maintains a separate forwarding table for each site.
Each site has a unique VRF.
If (and only if) two sites have identical forwarding tables, they share a VRF.
The interface or sub-interface connected to the CE is mapped to a VRF.
The routes in a VRF are distributed to the sites (usually connected to other PEs) that belong to the same VPN.


Distribution of VRF Routes

[Figure: two sites, each with a CE router attached to a PE; the PEs are connected through a P router and exchange routes over iBGP.]

The PE router distributes the local VPN routing information across the backbone network; the routes are carried by BGP.

Question: PEs set up iBGP sessions with each other and exchange routing information, but some VPNs may use the same private IP address space. When BGP carries this routing information over the public network, the addresses overlap. How is this solved?

VPNv4 and IPv4 Address Families

VPNv4 address structure: Route Distinguisher (8 bytes) followed by the IPv4 address.

RD structure: TYPE (2 bytes), Administrator Field, Assigned Number Field.
TYPE 0: Administrator Field = 2-byte ASN; Assigned Number Field = 4-byte assigned number
TYPE 1: Administrator Field = 4-byte IP address; Assigned Number Field = 2-byte assigned number

Question
PEs set up iBGP sessions and exchange routing information via BGP. After the RD prefix is added, the VPN addresses belong to the VPNv4 address family, but BGP-4 only supports IPv4 and cannot recognise such routing information. How is this solved?


MBGP
MBGP (Multiprotocol Extensions for BGP-4)

BGP-4 only supports IPv4; it is extended to MBGP to carry the routing information of more protocols (IPv6, IPX, etc.).
To maintain compatibility, only two BGP attributes are added for MBGP: MP_REACH_NLRI and MP_UNREACH_NLRI. The two attributes are used in the BGP Update message to advertise or withdraw network reachability information.


MBGP: MP_REACH_NLRI


MBGP: MP_UNREACH_NLRI

Used for withdrawing one or more unfeasible routes.
An UPDATE packet that contains MP_UNREACH_NLRI does not carry any other path attributes.


Question
When a PE receives routing information from other PEs carried by MBGP, how does it separate the routing information that belongs to different VPNs?

Remember the RD? Can we use it?


Route Target
The Route Target attribute (RT) is one of the MBGP extended community attributes.
There are two types of RT; the values of the type field are 0x0002 or 0x0102.

RT structure: TYPE (2 bytes), Administrator Field, Assigned Number Field.
TYPE 0x0002: Administrator Field = AS number (2 bytes); Assigned Number Field = assigned number (4 bytes)
TYPE 0x0102: Administrator Field = IP address (4 bytes); Assigned Number Field = assigned number (2 bytes)
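As an added example (not part of the Huawei slides), the following Python encodes and decodes the two RD formats and the two RT formats described above, and shows why prepending an RD makes two VPNs' identical IPv4 prefixes distinct. The RD/RT text values are constructed and the helper names are the example's own.

```python
"""RD and RT encoding for BGP/MPLS VPN (added example; not Huawei's code).

Formats handled are exactly those on the slides:
  RD type 0 / RT type 0x0002 : 2-byte ASN administrator + 4-byte assigned number
  RD type 1 / RT type 0x0102 : 4-byte IPv4 administrator + 2-byte assigned number
"""
import ipaddress
import struct

RD_TYPE_ASN2, RD_TYPE_IPV4 = 0x0000, 0x0001   # RD type field values
RT_TYPE_ASN2, RT_TYPE_IPV4 = 0x0002, 0x0102   # RT extended community type values


def _encode(asn_type: int, ip_type: int, text: str) -> bytes:
    """Pack 'ASN:number' or 'A.B.C.D:number' into the 8-byte type/administrator/assigned layout."""
    admin, sep, assigned = text.rpartition(":")
    if not sep:
        raise ValueError(f"expected 'administrator:number', got {text!r}")
    if "." in admin:   # IPv4 administrator (4 bytes) + 2-byte assigned number
        return struct.pack("!HIH", ip_type, int(ipaddress.IPv4Address(admin)), int(assigned))
    # 2-byte ASN administrator + 4-byte assigned number; struct rejects out-of-range values
    return struct.pack("!HHI", asn_type, int(admin), int(assigned))


def _decode(asn_type: int, ip_type: int, raw: bytes) -> str:
    """Inverse of _encode; refuses any type value other than the two expected ones."""
    if len(raw) != 8:
        raise ValueError("RD and RT values are exactly 8 bytes")
    kind = struct.unpack("!H", raw[:2])[0]
    if kind == asn_type:
        asn, number = struct.unpack("!HI", raw[2:])
        return f"{asn}:{number}"
    if kind == ip_type:
        ip, number = struct.unpack("!IH", raw[2:])
        return f"{ipaddress.IPv4Address(ip)}:{number}"
    raise ValueError(f"type 0x{kind:04x} is not one of the formats handled here")


def encode_rd(text: str) -> bytes:
    return _encode(RD_TYPE_ASN2, RD_TYPE_IPV4, text)


def decode_rd(raw: bytes) -> str:
    return _decode(RD_TYPE_ASN2, RD_TYPE_IPV4, raw)


def encode_rt(text: str) -> bytes:
    return _encode(RT_TYPE_ASN2, RT_TYPE_IPV4, text)


def decode_rt(raw: bytes) -> str:
    return _decode(RT_TYPE_ASN2, RT_TYPE_IPV4, raw)


def vpnv4_address(rd_text: str, ipv4: str) -> bytes:
    """VPNv4 address: the 8-byte RD followed by the 4-byte IPv4 address."""
    return encode_rd(rd_text) + ipaddress.IPv4Address(ipv4).packed


if __name__ == "__main__":
    # Constructed values: VPN_A and VPN_B both number a site 10.2.0.0, as in the network structure figure
    a, b = vpnv4_address("100:1", "10.2.0.0"), vpnv4_address("100:2", "10.2.0.0")
    print(a.hex(), b.hex(), "distinct VPNv4 addresses:", a != b)
    print(decode_rt(encode_rt("1.1.1.1:27")))
```

decode_rd and decode_rt reject type values they do not expect: an RD and an RT share the same 8-byte administrator/assigned-number layout but are not interchangeable, and a receiver that silently accepted one as the other would key VPNv4 routes or import decisions on the wrong value.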

Route Target
RT is used to control the advertisement of VPN routing information.
There are two sets of Route Target attributes: Export Targets and Import Targets.
Export Targets are added to the routes received from a directly connected site when the local routes are advertised to remote PE routers.
Import Targets are used to decide which routes received from remote PE routers can be imported into the routing table of this site.


Typical Network Topology-1

Each site belongs to only one VPN: Intranet

[Figure: sites site1, site2, site3 and sites site10, site20, site30 attached to the backbone.]

Typical Network Topology-2

A site may belong to multiple VPNs: Extranet

[Figure: sites site1 to site5 attached to the backbone; the labels Intranet and Extranet mark the two VPNs.]

Application of RT
RT Export Targets and Import Targets can be configured with several attribute values.

[Figure: three RT configurations: Traditional mode, Hub-spoke mode and Extranet. RT pairs shown in the figure: im:b ex:a; im:a ex:b; im:a ex:a; im:b ex:c; im:a,c ex:a,b; im:a ex:a.]

Function of RT

[Figure: MPLS/VPN backbone with a P router and MP-iBGP between the PEs. VPN A: SITE-1 and SITE-3; VPN B: SITE-2 and SITE-4. Site-1 and Site-3 routes are advertised with RT=VPN A; Site-2 and Site-4 routes with RT=VPN B. Each PE keeps the VPNA table (Site1-routes, Site3-routes) separate from the VPNB table (Site2-routes, Site4-routes).]

Question
After the PEs have finished exchanging routing information, site3 wants to access site1. The right PE looks up the VRF table, finds that the next hop is the left PE, and forwards the packet to the left PE using MPLS. When the packet arrives at the left PE, the public MPLS label is removed. Which VPN does the packet belong to, and how is the correct next hop found?

[Figure: the same topology as on the previous slide: VPN A (SITE-1, SITE-3) and VPN B (SITE-2, SITE-4) across the backbone with a P router; each PE holds VPNA (Site1-routes, Site3-routes) and VPNB (Site2-routes, Site4-routes).]

Network Layer Reachability Information:

Multiple labels can be attached. The first 20 bits of each label carry the label value; of the last 4 bits, the first three are the EXP field and the last one indicates whether this label is the bottom of the stack.
Note that this label must be assigned by the LSR referred to in the Next-Hop of the MP_REACH_NLRI attribute.
There are two methods to withdraw the route information (and release the label binding at the same time):
Re-advertise a different route (with a new label) for the same destination.
Use a Withdraw message that includes the destination in MP_UNREACH_NLRI.

Network Layer Reachability Information:

NLRI (Network Layer Reachability Information) includes the address family, the private label and the RT.

MP_REACH_NLRI
address family: VPN-IPv4 address family
next-hop: the PE's IPv4 address, usually its loopback address
NLRI:
label: 24 bits, like an MPLS label but without the TTL portion
prefix: RD (64 bits) + IP prefix

Followed by the RT list:
Extended_Communities RT1
Extended_Communities RT2
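Added example, not the slides' own code: a Python encoder and decoder for one VPN-IPv4 NLRI entry as carried in MP_REACH_NLRI, using the slides' values (label 28, RD 1:27, prefix 149.27.2.0/24). It assumes the RFC 4364 layout: a one-byte length in bits, one or more 3-byte label fields (20-bit label, 3-bit EXP, bottom-of-stack bit, no TTL), the 8-byte RD and the minimal number of prefix bytes. The function names are the example's own.

```python
"""One VPN-IPv4 NLRI entry as carried in MP_REACH_NLRI (added example; not Huawei's code).

Assumed layout (RFC 4364): Length (1 byte, in bits) | label fields (3 bytes each: 20-bit label,
3-bit EXP, 1-bit bottom-of-stack, no TTL) | RD (8 bytes) | IPv4 prefix (minimal number of bytes).
"""
import ipaddress
import struct

LABEL_BYTES, RD_BYTES = 3, 8


def pack_label(label: int, exp: int = 0, bottom: bool = True) -> bytes:
    """24-bit label field: label in the top 20 bits, EXP in the next 3, stack bit last."""
    if not (0 <= label < 1 << 20 and 0 <= exp < 8):
        raise ValueError("label must fit in 20 bits and EXP in 3 bits")
    return ((label << 4) | (exp << 1) | int(bottom)).to_bytes(LABEL_BYTES, "big")


def unpack_label(raw: bytes):
    """Return (label, exp, bottom_of_stack) from a 3-byte label field."""
    value = int.from_bytes(raw, "big")
    return value >> 4, (value >> 1) & 0x7, bool(value & 1)


def pack_rd(text: str) -> bytes:
    """Compact RD encoder: 'ASN:n' is type 0, 'A.B.C.D:n' is type 1."""
    admin, _, number = text.rpartition(":")
    if "." in admin:
        return struct.pack("!HIH", 1, int(ipaddress.IPv4Address(admin)), int(number))
    return struct.pack("!HHI", 0, int(admin), int(number))


def unpack_rd(raw: bytes) -> str:
    if struct.unpack("!H", raw[:2])[0] == 1:
        ip, number = struct.unpack("!IH", raw[2:])
        return f"{ipaddress.IPv4Address(ip)}:{number}"
    asn, number = struct.unpack("!HI", raw[2:])
    return f"{asn}:{number}"


def encode_vpnv4_nlri(labels, rd: str, prefix: str) -> bytes:
    """Build one entry; only the last label gets the bottom-of-stack bit."""
    net = ipaddress.IPv4Network(prefix)
    length_bits = 8 * LABEL_BYTES * len(labels) + 8 * RD_BYTES + net.prefixlen
    if not labels or length_bits > 255:
        raise ValueError("need at least one label and a length that fits in one byte")
    stack = b"".join(pack_label(lbl, bottom=(i == len(labels) - 1)) for i, lbl in enumerate(labels))
    prefix_bytes = (net.prefixlen + 7) // 8
    return bytes([length_bits]) + stack + pack_rd(rd) + net.network_address.packed[:prefix_bytes]


def decode_vpnv4_nlri(raw: bytes):
    """Parse one entry into (labels, rd, prefix), validating the length byte against the content."""
    length_bits, pos, labels = raw[0], 1, []
    while True:                                 # walk the stack until the S bit is set
        if pos + LABEL_BYTES > len(raw):
            raise ValueError("truncated label stack")
        label, _exp, bottom = unpack_label(raw[pos:pos + LABEL_BYTES])
        labels.append(label)
        pos += LABEL_BYTES
        if bottom:
            break
    if pos + RD_BYTES > len(raw):
        raise ValueError("truncated RD")
    rd = unpack_rd(raw[pos:pos + RD_BYTES])
    pos += RD_BYTES
    prefixlen = length_bits - 8 * LABEL_BYTES * len(labels) - 8 * RD_BYTES
    prefix_bytes = (prefixlen + 7) // 8
    if not 0 <= prefixlen <= 32 or pos + prefix_bytes != len(raw):
        raise ValueError("length field does not match the label count and prefix")
    addr = ipaddress.IPv4Address(raw[pos:pos + prefix_bytes].ljust(4, b"\x00"))
    return labels, rd, f"{addr}/{prefixlen}"


if __name__ == "__main__":
    entry = encode_vpnv4_nlri([28], "1:27", "149.27.2.0/24")   # values from the slides
    print(entry.hex(), decode_vpnv4_nlri(entry))
```

The decoder cross-checks the length byte against the number of labels and prefix bytes it actually consumed and refuses a prefix length outside 0..32, so a malformed or truncated entry raises instead of being mis-parsed; a BGP speaker should treat such an update as a protocol error rather than install what it can salvage.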

VRF Route Distribute Step 1: Importing VRF Routes to MP-iBGP

[Figure: CE-1 (Beijing) sends a BGP or RIPv2 update for 149.27.2.0/24, NH=CE-1, to its PE. That PE sends a VPN-v4 update over MP-iBGP to the Shanghai PE (CE-2): RD:1:27:149.27.2.0/24, Next-hop=PE-1, RT=VPN-A, Label=(28).]

Importing a VRF route into MP-iBGP: the PE router converts the route received from the CE (in the VRF routing table) into a VPN-v4 route; labels it with the RD and RT according to the configuration; changes the next hop to the PE itself (its loopback); assigns the label based on the interface; and finally sends the MP-iBGP update packet to all PE neighbors.

VRF Route Distribute Step 2: Importing MP-iBGP Routes to VRF

[Figure: the Shanghai PE (CE-2) receives the VPN-v4 update over MP-iBGP: RD:1:27:149.27.2.0/24, Next-hop=PE-1, RT=VPN-A, Label=(28). Configuration shown on the receiving PE:
ip vrf VPN-B
vpn-target import VPN-A]

The PE receives the update packet, converts the VPN-v4 address into an IPv4 address, distributes it to the VRF VPN-A (RT=VPN-A) routing table, and then transmits it to the CE using the routing protocol between PE and CE.

Each VRF has import route-target and export route-target configurations.
When the transmitting PE sends MP-iBGP updates, the export attribute is attached to the packet.
When receiving VPN-IPv4 MP-iBGP updates, the receiving PE checks whether the received export RT equals the import RT of the local VRF. If yes, the route is added to the corresponding VRF routing table; otherwise it is discarded.
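Added example, not Huawei's code: a small Python model of steps 1 and 2 above that also covers the hub-and-spoke and overlapping-prefix cases from the Application of RT and Function of RT slides. Step 1 prepends the RD, attaches the export RTs, rewrites the next hop to the PE loopback and assigns a label; step 2 installs a received route only into VRFs whose import RT set intersects the carried RTs. The topology, the RT strings such as 100:hub, and the per-VRF label allocation are constructed.

```python
"""VRF route distribution over MP-iBGP, steps 1 and 2 (added example; not Huawei's code).

The topology is constructed: a hub-and-spoke VPN_A plus an unrelated VPN_B that reuses a
VPN_A prefix. RT strings such as '100:hub' stand in for real route-target values.
"""
from dataclasses import dataclass, field


@dataclass
class Vrf:
    name: str
    rd: str
    import_rts: frozenset
    export_rts: frozenset
    local: dict = field(default_factory=dict)    # prefix -> CE next hop, learned from the CE
    remote: dict = field(default_factory=dict)   # prefix -> (PE next hop, VPN label), via MP-iBGP

    def known_prefixes(self):
        return sorted(set(self.local) | set(self.remote))


@dataclass(frozen=True)
class Vpnv4Update:
    rd: str             # RD + prefix is the VPNv4 address; overlapping prefixes stay distinct
    prefix: str
    next_hop: str       # loopback of the advertising PE
    rts: frozenset      # export RTs of the originating VRF, sent as extended communities
    label: int          # VPN label the advertising PE expects on returning packets


class Pe:
    def __init__(self, name: str, loopback: str):
        self.name, self.loopback, self.vrfs = name, loopback, {}
        self._next_label = 16   # first unreserved MPLS label value

    def add_vrf(self, vrf: Vrf):
        self.vrfs[vrf.name] = vrf

    def step1_export(self):
        """VRF -> MP-iBGP: prepend RD, attach export RTs, set NH to own loopback, assign a label.
        One label per VRF here; the slides assign it per interface."""
        updates = []
        for vrf in self.vrfs.values():
            label, self._next_label = self._next_label, self._next_label + 1
            for prefix in vrf.local:
                updates.append(Vpnv4Update(vrf.rd, prefix, self.loopback, vrf.export_rts, label))
        return updates

    def step2_import(self, updates):
        """MP-iBGP -> VRF: install where an import RT matches a carried RT, otherwise discard."""
        installed, discarded = [], []
        for upd in updates:
            targets = [v for v in self.vrfs.values() if v.import_rts & upd.rts]
            for vrf in targets:
                vrf.remote[upd.prefix] = (upd.next_hop, upd.label)
                installed.append((vrf.name, upd.prefix))
            if not targets:
                discarded.append((upd.rd, upd.prefix))
        return installed, discarded


def build_topology():
    hub = Pe("PE-HUB", "1.1.1.1")
    hub.add_vrf(Vrf("VPN_A_HUB", "100:1", frozenset({"100:spoke"}), frozenset({"100:hub"}),
                    local={"10.0.0.0/24": "CE-HUB"}))
    hub.add_vrf(Vrf("VPN_B", "100:3", frozenset({"100:b"}), frozenset({"100:b"}),
                    local={"10.0.0.0/24": "CE-B1"}))   # same prefix as VPN_A_HUB, different RD
    spoke1 = Pe("PE-S1", "2.2.2.2")
    spoke1.add_vrf(Vrf("VPN_A_SPOKE1", "100:11", frozenset({"100:hub"}), frozenset({"100:spoke"}),
                       local={"10.1.0.0/24": "CE-S1"}))
    spoke2 = Pe("PE-S2", "3.3.3.3")
    spoke2.add_vrf(Vrf("VPN_A_SPOKE2", "100:12", frozenset({"100:hub"}), frozenset({"100:spoke"}),
                       local={"10.2.0.0/24": "CE-S2"}))
    return [hub, spoke1, spoke2]


def run_distribution(pes):
    """Full-mesh iBGP: every PE's updates reach every other PE. Returns per-VRF prefix views and
    the (RD, prefix) pairs each PE discarded for lack of a matching import RT."""
    all_updates = {pe.name: pe.step1_export() for pe in pes}
    discards = {}
    for pe in pes:
        inbound = [u for src, ups in all_updates.items() if src != pe.name for u in ups]
        _, discards[pe.name] = pe.step2_import(inbound)
    views = {v.name: v.known_prefixes() for pe in pes for v in pe.vrfs.values()}
    return views, discards


if __name__ == "__main__":
    for name, prefixes in run_distribution(build_topology())[0].items():
        print(f"{name}: {prefixes}")
```

The run shows the hub VRF learning both spoke prefixes, each spoke learning only the hub prefix, and VPN_B's 10.0.0.0/24 (the same prefix as the VPN_A hub site, under a different RD) being discarded everywhere except in VPN_B. Membership is decided solely by the RT match, so one export RT mistakenly added to a VRF is enough to leak its routes into another customer's VPN; import/export RT configuration is therefore worth reviewing with the same care as a firewall policy.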

Basic Intranet Model

[Figure: VPN A with SITE-1, SITE-2, SITE-3 and SITE-4 across the MPLS/VPN backbone (P router, MP-iBGP between PEs). Site-1 and Site-2 routes are advertised with RT=VPN-A; Site-3 and Site-4 routes with RT=VPN-A. Each PE's VPN A table holds Site-1, Site-2, Site-3 and Site-4 routes.]

MPLS/VPN Label Distribution

[Figure: public label distribution for FEC 197.26.15.1/32, the loopback of PE-1 (Beijing, 149.27.2.0/24). PE-1 advertises label implicit-null for destination 197.26.15.1/32 (In Label -, Out Label -). The P router: In Label 41, FEC 197.26.15.1/32, Out Label POP. The Shanghai PE uses label 41 for destination 197.26.15.1/32 (Out Label 41). In parallel, PE-1 sends the VPN-v4 update: RD:1:27:149.27.2.0/24, NH=197.26.15.1, RT=VPN-A, Label=(28).]

MPLS/VPN Packet Forwarding-1

[Figure: the Shanghai PE holds the VPN-A VRF entry 149.27.2.0/24, NH=197.26.15.1, Label=(28), and the public entry FEC 197.26.15.1/32, Out Label 41. A packet for 149.27.2.27 from Shanghai leaves the PE with the label stack 41 (outer), 28 (inner) toward PE-1 in Beijing (149.27.2.0/24).]

MPLS/VPN Packet Forwarding-2

[Figure: the P router has In Label 41, FEC 197.26.15.1/32, Out Label POP; it pops the outer label and forwards 28 | 149.27.2.27 to PE-1. PE-1 has In Label 28(V), FEC 149.27.2.0/24, VPN-A VRF, NH=Beijing; it removes label 28 and forwards the plain IP packet for 149.27.2.27 to the Beijing CE. The Shanghai PE's entries 149.27.2.0/24, NH=197.26.15.1, Label=(28) and the stack 41 | 28 | 149.27.2.27 are shown for reference.]

Demo - Private Label Distribution

[Figure: CE A2 advertises 149.27.2.0/24 to PE-C (BGP, OSPF or RIPv2 update, NH=CE-A2). PE-C installs 149.27.2.0/24, NH: CE A2, IN 28 and sends an MP-BGP VPN-v4 update to its iBGP peer PE-A: RD:1:27:149.27.2.0/24, Next-hop=PE-C, RT=VPN-A, Label=(28). PE-A installs 149.27.2.0/24, NH: PE-C, Out 28 and advertises 149.27.2.0/24 with NH=PE-A to CE A1. P router PB sits in the MPLS core between PE-A and PE-C; CE B1 and CE B2 belong to the other VPN.]
Demo - Public Label Distribution

The loopback IP address of PE-C is 1.1.1.1/32.

[Figure: the IGP carries 1.1.1.1/32 through the MPLS core. Label bindings: PE-A: 1.1.1.1/32 out 20; PB: In 20, 1.1.1.1/32, out 3; PE-C: 1.1.1.1/32 (egress). VPN entries: PE-A: 149.27.2.0/24, NH: PE-C, Out 28; PE-C: 149.27.2.0/24, NH: CE A2, IN 28.]

Demo - Packet Forwarding

[Figure: CE A1 pings 149.27.2.1. PE-A (149.27.2.0/24, NH: PE-C, Out 28; 1.1.1.1/32 out 20) pushes the label stack 20 (outer), 28 (inner) and forwards toward PB. PB (In 20, 1.1.1.1/32, out 3) pops the outer label and forwards the packet with label 28 to PE-C (1.1.1.1/32). PE-C (IN 28; 149.27.2.0/24, NH: CE A2) removes label 28 and delivers the IP packet to CE A2. CE B1 and CE B2 belong to the other VPN. The CE-side advertisement of 149.27.2.0/24 with NH=PE-A (BGP, OSPF or RIPv2) is also shown.]
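Added example, not the slides' code: a Python trace of the packet path on the demo slides (CE A1 to CE A2) and, with the same logic, of the Beijing/Shanghai forwarding slides. It uses the demo's label values: transport label 20 for 1.1.1.1/32, implicit-null (3) advertised by PE-C so that PB pops the outer label, and VPN label 28 that PE-C maps to the VPN-A VRF. Router names and prefixes are the slides'; the interface names, the drop rules and the table layout are constructed.

```python
"""Label-stack forwarding from CE A1 to CE A2 as on the demo slides (added example; not Huawei's code).

Label values are the slides' (transport 20 for 1.1.1.1/32, implicit-null 3, VPN label 28);
interface names, drop rules and table layout are constructed.
"""
import ipaddress

IMPLICIT_NULL = 3   # reserved label: the penultimate hop pops instead of swapping


class Router:
    def __init__(self, name: str):
        self.name = name
        self.lfib = {}           # public in-label -> (out-label, next hop); out IMPLICIT_NULL means pop
        self.ldp = {}            # FEC (PE loopback /32) -> (out-label, next hop), used when pushing
        self.vrf_of_label = {}   # VPN in-label -> VRF name (the '(V)' entries on the slides)
        self.vrfs = {}           # VRF name -> list of (network, next hop, VPN label or None)

    def vrf_lookup(self, vrf, dst):
        """Longest-prefix match inside one VRF; None when nothing matches."""
        hits = [e for e in self.vrfs.get(vrf, []) if dst in e[0]]
        return max(hits, key=lambda e: e[0].prefixlen, default=None)

    def forward(self, pkt, in_iface, in_vrf=None):
        """Return (next hop, packet); next hop None plus a 'drop' key means the packet was discarded."""
        dst, labels = ipaddress.ip_address(pkt["dst"]), list(pkt["labels"])

        def send(nh, new_labels):
            return nh, {"dst": pkt["dst"], "labels": new_labels}

        def drop(why):
            return None, {"dst": pkt["dst"], "labels": labels, "drop": why}

        if in_iface == "to-CE":                      # ingress: IP in, label stack out
            if labels:                               # RFC 4364 sec. 10: no labeled packets from a CE
                return drop("labeled packet on a CE-facing interface")
            hit = self.vrf_lookup(in_vrf, dst)
            if hit is None:
                return drop(f"no route in VRF {in_vrf}")
            _net, nh, vpn_label = hit
            fec = ipaddress.ip_network(f"{nh}/32")
            if fec not in self.ldp:
                return drop(f"no transport label for {nh}")
            transport, core_nh = self.ldp[fec]
            return send(core_nh, [transport, vpn_label])  # outer transport, inner VPN label
        if not labels:
            return drop("unlabeled packet from the core is not modelled")
        top, rest = labels[0], labels[1:]
        if top in self.lfib:                         # P behaviour: swap, or pop on implicit-null
            out_label, nh = self.lfib[top]
            return send(nh, rest if out_label == IMPLICIT_NULL else [out_label] + rest)
        if top in self.vrf_of_label:                 # egress PE: the VPN label selects the VRF
            hit = self.vrf_lookup(self.vrf_of_label[top], dst)
            if rest or hit is None:
                return drop("VPN label not at bottom of stack, or no VRF route")
            return send(hit[1], [])
        return drop(f"unknown label {top}")


def build_demo():
    pe_a, pb, pe_c = Router("PE-A"), Router("PB"), Router("PE-C")
    site =   ipaddress.ip_network("149.27.2.0/24")
    pe_a.vrfs["VPN-A"] = [(site, "1.1.1.1", 28)]               # 149.27.2.0/24 NH: PE-C, Out 28
    pe_a.ldp[ipaddress.ip_network("1.1.1.1/32")] = (20, "PB")  # 1.1.1.1/32 out 20
    pb.lfib[20] = (IMPLICIT_NULL, "PE-C")                       # In 20 1.1.1.1/32 out 3
    pe_c.vrf_of_label[28] = "VPN-A"                             # IN 28 -> VPN-A VRF
    pe_c.vrfs["VPN-A"] = [(site, "CE A2", None)]                # 149.27.2.0/24 NH: CE A2
    return {r.name: r for r in (pe_a, pb, pe_c)}


def trace(routers, dst, labels=()):
    """Inject a packet from CE A1 at PE-A; return [(router, labels after it, next hop or drop reason)]."""
    pkt, node, iface, vrf, path = {"dst": dst, "labels": list(labels)}, "PE-A", "to-CE", "VPN-A", []
    while True:
        nh, pkt = routers[node].forward(pkt, iface, vrf)
        path.append((node, pkt["labels"], nh if nh else pkt["drop"]))
        if nh not in routers:
            return path
        node, iface, vrf = nh, "to-core", None


if __name__ == "__main__":
    for hop in trace(build_demo(), "149.27.2.1"):   # the ping from CE A1 on the slide
        print(hop)
```

Because the VPN label alone selects the VRF at PE-C, the model refuses a labeled packet arriving on a CE-facing interface, which is the RFC 4364 security advice that a PE must not accept labeled packets from a CE unless explicitly configured to; it also drops a packet whose VPN label is not at the bottom of the stack or whose destination has no VRF route, rather than guessing.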

Exercise-2
1. Describe the structure of RD and RT

2. Describe the procedure of VRF route distribution

3. Describe the procedure of VPN packet forwarding


Summary

VPN Classification
MPLS L3 VPN Label Distribution
MPLS L3 VPN Forwarding Process


Thank You
www.huawei.com
