Lecture 14

aden


  1. Lecture 14

  2. MPLS VPN Architecture
  • An MPLS VPN is a collection of customer sites interconnected over an MPLS core network. MPLS VPN is based on the Layer 3 peer model: each CE router exchanges routes with the provider's PE router, not with the other sites.
  • The main building blocks of MPLS VPNs are:
  • Customer Site – a collection of LANs or subnets. A site can be viewed as the basic unit of connectivity in an MPLS VPN.
  • Customer Edge (CE) Router – a customer router that connects to a PE router.
  • Provider Edge (PE) Router – a provider router that connects to a CE router.
  • Provider (P) Router – a provider router that is not connected to any CE router.

  3. MPLS VPN Architecture Enablers

  4. VPN-IPv4 Address
  • Customer routes learned via PE-CE routing exchanges are advertised between PE routers using iBGP.
  • Problem – Customer addresses are not unique (i.e., different VPN customers may use the same IPv4 addresses). However, BGP requires the addresses it carries to be unique.
  • Solution – Define a new address family, the VPN-IPv4 address, which uniquely identifies customer addresses within the VPN backbone.
  • A VPN-IPv4 address is 12 bytes long.
  • The first 8 bytes are the Route Distinguisher (RD).
  • The last 4 bytes are the IPv4 address.

  5. Route Distinguisher (RD)
  • The RD is used to make an IPv4 address globally unique within the provider backbone. It carries no routing policy of its own; its only job is to keep overlapping customer prefixes apart in BGP.
  • An RD consists of a 2-byte type field, an administrator field (2 or 4 bytes) and an assigned number field (4 or 2 bytes), 8 bytes in total. For example:
  • When the type field value is 0, the administrator field is 2 bytes and contains an AS number, and the assigned number field (4 bytes) contains a number from a numbering space administered by the enterprise to which that AS number was assigned by IANA.
  • When the type field value is 1, the administrator field is 4 bytes and contains an IPv4 address, and the assigned number field (2 bytes) contains a number from a numbering space administered by the enterprise to which that address was assigned.
  • RFC 4364 (the successor of RFC 2547) also defines type 2: a 4-byte AS number as administrator and a 2-byte assigned number.

  6. Route Distinguisher (RD)
  • When a PE router learns addresses from its attached CE routers, it distributes this information to the other PE routers that are connected to CE routers belonging to the same VPN. (Why?)
  • However, before the PE can do that, it first needs to translate each IPv4 address into the VPN-IPv4 address family.
  • To perform the IPv4 to VPN-IPv4 mapping, the PE needs to know which RD to prepend. This information is configured on the PE router; for example, each VRF is configured with a default RD.
  • The VPN-IPv4 address is advertised via the BGP-4 multiprotocol extensions defined in RFC 2858 (e.g., AFI=1, SAFI =…)
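As an added example (not part of the lecture slides), the Python below encodes and decodes RDs in the three RFC 4364 formats and builds the 12-byte VPN-IPv4 address from an RD and an IPv4 address. The AS numbers, IPv4 addresses and assigned numbers are constructed sample values.

```python
# Added example (not from the lecture): Route Distinguisher and VPN-IPv4
# address encoding/decoding (RFC 4364 RD types 0, 1 and 2). All numbers and
# addresses used below are constructed sample values.
import ipaddress
import struct

RD_TYPE_AS2 = 0  # 2-byte AS number administrator, 4-byte assigned number
RD_TYPE_IP4 = 1  # 4-byte IPv4 address administrator, 2-byte assigned number
RD_TYPE_AS4 = 2  # 4-byte AS number administrator, 2-byte assigned number


def encode_rd(rd_type, administrator, assigned):
    """Return the 8-byte RD: 2-byte type, then administrator and assigned number."""
    if rd_type == RD_TYPE_AS2:
        if not (0 <= administrator < 2**16 and 0 <= assigned < 2**32):
            raise ValueError("type 0: 2-byte AS administrator, 4-byte assigned number")
        return struct.pack("!HHI", rd_type, administrator, assigned)
    if rd_type == RD_TYPE_IP4:
        admin = int(ipaddress.IPv4Address(administrator))
    elif rd_type == RD_TYPE_AS4:
        admin = int(administrator)
        if not 0 <= admin < 2**32:
            raise ValueError("type 2: 4-byte AS administrator")
    else:
        raise ValueError("unknown RD type %d" % rd_type)
    if not 0 <= assigned < 2**16:
        raise ValueError("type 1/2: 2-byte assigned number")
    return struct.pack("!HIH", rd_type, admin, assigned)


def decode_rd(rd):
    """Parse an 8-byte RD into (type, administrator, assigned number).
    The administrator is a dotted-quad string for type 1, an integer otherwise."""
    if len(rd) != 8:
        raise ValueError("RD must be exactly 8 bytes")
    rd_type = struct.unpack("!H", rd[:2])[0]
    if rd_type == RD_TYPE_AS2:
        admin, assigned = struct.unpack("!HI", rd[2:])
    elif rd_type in (RD_TYPE_IP4, RD_TYPE_AS4):
        admin, assigned = struct.unpack("!IH", rd[2:])
        if rd_type == RD_TYPE_IP4:
            admin = str(ipaddress.IPv4Address(admin))
    else:
        raise ValueError("unknown RD type %d" % rd_type)
    return rd_type, admin, assigned


def rd_to_text(rd):
    """Render an RD in the usual 'administrator:assigned' notation."""
    _, admin, assigned = decode_rd(rd)
    return "%s:%d" % (admin, assigned)


def vpn_ipv4_address(rd, ipv4):
    """The 12-byte VPN-IPv4 address: the 8-byte RD followed by the 4-byte IPv4 address."""
    decode_rd(rd)  # validates length and type before prepending
    return rd + ipaddress.IPv4Address(ipv4).packed


def split_vpn_ipv4(addr):
    """Inverse of vpn_ipv4_address: (RD bytes, dotted-quad IPv4 address)."""
    if len(addr) != 12:
        raise ValueError("VPN-IPv4 address must be exactly 12 bytes")
    return addr[:8], str(ipaddress.IPv4Address(addr[8:]))


if __name__ == "__main__":
    # Two customers that both use 10.1.1.0 become distinct once the RD is prepended.
    rd_a = encode_rd(RD_TYPE_AS2, 65000, 100)
    rd_b = encode_rd(RD_TYPE_AS2, 65000, 200)
    for rd in (rd_a, rd_b):
        print(rd_to_text(rd), vpn_ipv4_address(rd, "10.1.1.0").hex())
    print("same IPv4, distinct VPN-IPv4:",
          vpn_ipv4_address(rd_a, "10.1.1.0") != vpn_ipv4_address(rd_b, "10.1.1.0"))
```

The MP-BGP NLRI that actually carries a VPN-IPv4 route also includes a prefix length and the VPN label, which this example leaves out; what it shows is why two customers advertising the same 10.1.1.0 do not collide in the backbone, and that the RD value itself says nothing about which VPN the route belongs to.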

  7. VRF
  • A PE router can be connected to CE routers from different VPNs.
  • To keep routing information segregated per VPN and to avoid erroneously forwarding packets from one VPN to another, the PE maintains a per-VPN routing and forwarding table, the VRF (VPN Routing and Forwarding table).
  • The association between a VRF and its attached set of interfaces (or sub-interfaces) is determined through configuration.

  8. Populating VRF
  • A VRF can be populated with routing information from two sources:
  • Routes learned from the associated CE(s)
  • Routes learned from another PE (i.e., VPN-IPv4 routes)
  • CE routes are always eligible for inclusion in the associated VRF.
  • PE routes are eligible for inclusion in a VRF iff the Route Target (RT) attribute of the received route matches one or more of the (pre-configured) Import Targets of the VRF.
  • When a packet from a CE router is received, the correct VRF is selected based on the interface or sub-interface on which the packet arrived.

  9. Controlled Distribution of Customer Routes
  • To control the flow of routing information (which in turn determines the data flow), routes are filtered based on BGP extended community attributes.
  • When a PE learns a CE route, it associates one or more Route Target attributes with the route.
  • A Route Target (RT) identifies a VPN or set of VPNs to which this route should be distributed.

  10. BGP Extended Communities Attribute
  • The BGP Extended Communities attribute is an optional transitive attribute (Type Code 16).
  • Each VPN-IPv4 route can carry an Extended Communities attribute.
  • The Extended Communities attribute contains a set of extended communities (see draft-ietf-idr-bgp-ext-communities-05.txt, later published as RFC 4360).
  • Each extended community is 8 bytes (64 bits) long and is encoded as:
  • Type field (1 or 2 bytes)
  • Value field (7 or 6 bytes)

  11. BGP Extended Communities
  • In MPLS VPN, BGP extended communities are used for the controlled distribution and filtering of routing information.
  • The commonly used BGP extended communities are:
  • Route Target (RT) Community
  • Route Origin Community
  • The Route Target community identifies the routers that may receive the associated route.
  • The Route Origin community identifies one or more routers that injected the route into BGP.

  12. Route Target (RT) Community
  Sub-Type = 0x02

   0                   1                   2                   3
   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  |     Type      |   Sub-Type    |      Global Administrator     |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  | Global Administrator (cont.)  |      Local Administrator      |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

  Type = 0x00, 0x01, or 0x02
  • Route Target Community: identifies one or more routers that may receive a set of routes (those that carry this Community) carried by BGP. This is transitive across Autonomous System boundaries.
  • Global/Local Administrator fields:
  • Type field = 0x00 or 0x02 means the Global Administrator sub-field contains the AS number of the enterprise (2 bytes for 0x00, 4 bytes for 0x02) and the Local Administrator sub-field contains a number from a numbering space administered by that enterprise.
  • Type field = 0x01 means the Global Administrator sub-field contains an IPv4 address of the enterprise and the Local Administrator sub-field contains a number from a numbering space administered by that enterprise.
  • The figure shows the layout of types 0x01 and 0x02 (4-byte Global Administrator, 2-byte Local Administrator). For type 0x00 the Global Administrator is 2 bytes and the Local Administrator is 4 bytes; the community is 8 bytes long in every case.

  13. Route Origin Community
  Sub-Type = 0x03, Type = 0x00, 0x01, or 0x02
  • The encoding is the same as for the Route Target community (Type, Sub-Type, Global Administrator, Local Administrator), with the Sub-Type set to 0x03 instead of 0x02.
  • Route Origin Community: identifies one or more routers that inject a set of routes (those that carry this Community) into BGP. This is transitive across Autonomous System boundaries.
  • Global/Local Administrator fields:
  • Type field = 0x00 or 0x02 means the Global Administrator sub-field contains the AS number of the enterprise (2 bytes for 0x00, 4 bytes for 0x02) and the Local Administrator sub-field contains a number from a numbering space administered by that enterprise.
  • Type field = 0x01 means the Global Administrator sub-field contains an IPv4 address of the enterprise and the Local Administrator sub-field contains a number from a numbering space administered by that enterprise.
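As an added example covering slides 10 to 13 (not part of the lecture), the Python below encodes and decodes Route Target and Route Origin extended communities in the three transitive type forms, respecting the different Global/Local Administrator widths, and splits a whole Extended Communities attribute value into its 8-byte members. All AS numbers, addresses and local numbers are constructed sample values.

```python
# Added example (not from the lecture): encoder/decoder for the Route Target
# (sub-type 0x02) and Route Origin (sub-type 0x03) extended communities in the
# three transitive forms 0x00/0x01/0x02. Sample values are constructed.
import ipaddress
import struct

TYPE_AS2 = 0x00  # Global Administrator = 2-byte AS,    Local Administrator = 4 bytes
TYPE_IP4 = 0x01  # Global Administrator = IPv4 address, Local Administrator = 2 bytes
TYPE_AS4 = 0x02  # Global Administrator = 4-byte AS,    Local Administrator = 2 bytes
SUBTYPE_ROUTE_TARGET = 0x02
SUBTYPE_ROUTE_ORIGIN = 0x03
SUBTYPE_NAMES = {SUBTYPE_ROUTE_TARGET: "RT", SUBTYPE_ROUTE_ORIGIN: "RO"}


def encode_ext_community(ec_type, sub_type, global_admin, local_admin):
    """Return the 8-byte extended community; the field widths depend on ec_type."""
    if ec_type == TYPE_AS2:
        if not (0 <= global_admin < 2**16 and 0 <= local_admin < 2**32):
            raise ValueError("type 0x00: 2-byte Global Administrator, 4-byte Local Administrator")
        return struct.pack("!BBHI", ec_type, sub_type, global_admin, local_admin)
    if ec_type == TYPE_IP4:
        ga = int(ipaddress.IPv4Address(global_admin))
    elif ec_type == TYPE_AS4:
        ga = int(global_admin)
        if not 0 <= ga < 2**32:
            raise ValueError("type 0x02: 4-byte Global Administrator")
    else:
        raise ValueError("unsupported type 0x%02x" % ec_type)
    if not 0 <= local_admin < 2**16:
        raise ValueError("type 0x01/0x02: 2-byte Local Administrator")
    return struct.pack("!BBIH", ec_type, sub_type, ga, local_admin)


def decode_ext_community(ec):
    """Parse one 8-byte extended community into a dict (kind, type, global, local, text)."""
    if len(ec) != 8:
        raise ValueError("extended community must be exactly 8 bytes")
    ec_type, sub_type = ec[0], ec[1]
    if ec_type == TYPE_AS2:
        ga, la = struct.unpack("!HI", ec[2:])
    elif ec_type in (TYPE_IP4, TYPE_AS4):
        ga, la = struct.unpack("!IH", ec[2:])
        if ec_type == TYPE_IP4:
            ga = str(ipaddress.IPv4Address(ga))
    else:
        raise ValueError("unsupported type 0x%02x" % ec_type)
    kind = SUBTYPE_NAMES.get(sub_type, "sub-type 0x%02x" % sub_type)
    return {"kind": kind, "type": ec_type, "global": ga, "local": la,
            "text": "%s:%s" % (ga, la)}


def decode_ext_communities_attr(value):
    """Split the value of an Extended Communities attribute (type code 16) into members."""
    if len(value) % 8:
        raise ValueError("attribute length must be a multiple of 8")
    return [decode_ext_community(value[i:i + 8]) for i in range(0, len(value), 8)]


if __name__ == "__main__":
    # Constructed attribute value: RT 65000:100 (type 0x00), RT 192.0.2.1:7
    # (type 0x01) and Route Origin 4200000000:1 (type 0x02).
    attr = (encode_ext_community(TYPE_AS2, SUBTYPE_ROUTE_TARGET, 65000, 100)
            + encode_ext_community(TYPE_IP4, SUBTYPE_ROUTE_TARGET, "192.0.2.1", 7)
            + encode_ext_community(TYPE_AS4, SUBTYPE_ROUTE_ORIGIN, 4200000000, 1))
    for member in decode_ext_communities_attr(attr):
        print(member["kind"], member["text"], "(type 0x%02x)" % member["type"])
```

The "administrator:number" text form drops the type octet: a type 0x00 community 65000:100 and a type 0x02 community 65000:100 are different 8-byte values on the wire and would not match each other in a byte-wise comparison, so import targets have to be compared on the full encoding, not on the printed string.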

  14. Route Target based Filtering
  • Each VRF on a PE router is associated with one or more RT community attributes (its import and export Route Targets); a CE router is covered by the RTs of the VRF to which its interface belongs.
  • When a PE router learns a VPN-IPv4 route from another PE router, it installs the route only into those VRFs whose import Route Targets match one of the RTs carried by the route.
  • Similarly, a PE advertises a learned route to a CE only if the route was installed in the VRF that CE is attached to, i.e., only if the route and that VRF share an RT.

  15. Route Target Based Filtering
  • In summary, MPLS VPN uses the BGP extended communities attribute to control the flow of routing information by applying route filtering.
  • If route distribution is to be restricted to an intranet (i.e., within the same VPN), a single RT community is associated with the route.
  • If extranet or inter-VPN routing is desired, additional RT communities are associated with the route.
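As an added example for slides 8, 14 and 15 (not part of the lecture), the Python below models how one PE populates its VRFs: CE routes always enter the attached VRF and are exported with the VRF's export RTs, while received VPN-IPv4 routes are imported only where an import RT matches. It covers the intranet case (one RT per customer) and an extranet in which a shared-service VRF imports both customers while the customers still cannot reach each other. The VRF names, RDs, RTs, PE loopbacks and prefixes are constructed.

```python
# Added example (not from the lecture): Route Target based VRF population on a
# PE, intranet and extranet cases. All names, RDs, RTs, loopbacks and prefixes
# are constructed sample values.
from dataclasses import dataclass, field


@dataclass
class Vrf:
    name: str
    rd: str
    import_rts: frozenset  # a received route needs at least one of these RTs
    export_rts: frozenset  # attached to CE routes when they are advertised
    routes: dict = field(default_factory=dict)     # prefix -> where it came from
    conflicts: list = field(default_factory=list)  # imports rejected: prefix already taken


@dataclass(frozen=True)
class VpnRoute:
    rd: str
    prefix: str
    next_hop: str   # BGP next hop = loopback of the advertising (egress) PE
    rts: frozenset  # Route Target extended communities carried by the route


def export_ce_routes(vrf, pe_loopback, prefixes):
    """CE routes always enter the attached VRF; on export they become VPN-IPv4
    routes tagged with the VRF's RD and export RTs."""
    exported = []
    for prefix in prefixes:
        vrf.routes[prefix] = "CE"
        exported.append(VpnRoute(vrf.rd, prefix, pe_loopback, vrf.export_rts))
    return exported


def import_routes(vrfs, vpn_routes):
    """Install each received VPN-IPv4 route into every VRF whose import RT set
    intersects the route's RTs. A VRF is keyed by the plain IPv4 prefix, so an
    extranet VRF that imports overlapping customer space cannot hold both
    routes: the first one wins and the other is recorded as a conflict."""
    for r in vpn_routes:
        source = "PE %s (RD %s)" % (r.next_hop, r.rd)
        for vrf in vrfs:
            if not (vrf.import_rts & r.rts):
                continue
            if r.prefix in vrf.routes and vrf.routes[r.prefix] != source:
                vrf.conflicts.append("%s %s" % (r.prefix, source))
                continue
            vrf.routes[r.prefix] = source


# VRF configuration is identical on every PE that hosts the customer or service.
def cust_a():
    return Vrf("CUST_A", "65000:100", frozenset({"65000:100", "65000:900"}), frozenset({"65000:100"}))


def cust_b():
    return Vrf("CUST_B", "65000:200", frozenset({"65000:200", "65000:900"}), frozenset({"65000:200"}))


def shared():
    # Extranet: the shared-service VRF imports both customers and each customer
    # imports the service RT, but neither customer imports the other's RT.
    return Vrf("SHARED", "65000:900", frozenset({"65000:100", "65000:200"}), frozenset({"65000:900"}))


def run_example():
    # Routes as advertised by remote PEs: a customer A site behind PE 192.0.2.1, a
    # customer B site behind PE 192.0.2.3 that reuses the same prefix, and the
    # shared service behind PE 192.0.2.4.
    received = (export_ce_routes(cust_a(), "192.0.2.1", ["10.1.1.0/24"])
                + export_ce_routes(cust_b(), "192.0.2.3", ["10.1.1.0/24"])
                + export_ce_routes(shared(), "192.0.2.4", ["172.16.0.0/24"]))
    local = [cust_a(), cust_b(), shared()]  # the VRFs on the receiving PE
    import_routes(local, received)
    return {v.name: {"routes": dict(v.routes), "conflicts": list(v.conflicts)} for v in local}


if __name__ == "__main__":
    for name, state in run_example().items():
        print(name, state)
```

The conflict list shows a limit that RDs do not remove: the RD keeps the two 10.1.1.0/24 routes distinct in BGP, but the shared VRF is keyed by the IPv4 prefix, so an extranet between customers with overlapping addressing needs NAT or renumbering in addition to the extra RT.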

  16. MPLS VPN Packet Forwarding

  17. MPLS VPN Packet Forwarding
  • A label stack is used for packet forwarding
  • The top label identifies the path to the BGP next hop (the egress PE)
  • The second-level label identifies the outgoing interface or VRF on the egress PE
  • MPLS nodes forward packets based on the top label only
  • any subsequent labels are ignored
  • Penultimate Hop Popping (PHP) removes the top label one hop prior to the egress PE router

  18. MPLS VPN Packet Forwarding
  • As a packet from a CE router arrives, the PE router performs an IP address lookup in the associated VRF to determine the egress PE router. Typically, there are a number of intermediate P routers between the ingress and egress PE routers.
  • Problem – In contrast with PE routers, P routers do not keep routing information about VPN (i.e., customer) routes. If we were to forward a plain IP packet from PE to PE, the intermediate P routers would not know how to forward it based on its destination IP address (which need not even be unique across VPNs).
  • Solution – Establish an LSP between the PE routers to forward VPN packets across the P routers. Once the egress PE router is known, the LSP to that PE is used to carry the VPN packet across the P routers.

  19. MPLS VPN Packet Forwarding
  • The PE-to-PE label switched path is established using LDP.
  • In order to label-switch the VPN packet along the LSP, the ingress PE router attaches a label stack.
  • The top label (signaled via LDP) is used to forward the packet across the P routers. That is, P routers forward the packet based on the top label.
  • The bottom label is used to select the outgoing interface or VRF in the egress PE router.
  • The egress PE router advertises the bottom label together with the associated VPN-IPv4 route via BGP.
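As an added example for slides 17 to 19 (not part of the lecture), the Python below simulates the two-level label stack on the path CE - PE1 - P1 - P2 - PE2 - CE: the ingress PE does the VRF lookup and pushes the LDP transport label over the BGP-advertised VPN label, the P routers swap or pop only the top label, P2 performs PHP, and PE2 uses the remaining VPN label to pick the VRF and outgoing interface. Label values, loopbacks, prefixes and interface names are constructed, and LDP/BGP signalling is replaced by hard-coded tables.

```python
# Added example (not from the lecture): MPLS VPN label-stack forwarding on the
# path CE - PE1 - P1 - P2 - PE2 - CE. Labels, loopbacks, prefixes and interface
# names are constructed; signalling is replaced by hard-coded tables.
import ipaddress

IMPLICIT_NULL = 3  # LDP implicit-null: the penultimate hop pops instead of swapping


def lookup_vrf(vrf_routes, dst_ip):
    """Longest-prefix match in one VRF. Entries are (prefix, egress_pe, vpn_label);
    the egress PE loopback is the BGP next hop of the VPN-IPv4 route."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, egress_pe, vpn_label in vrf_routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, egress_pe, vpn_label)
    if best is None:
        raise LookupError("no route for %s in this VRF" % dst_ip)
    return best[1], best[2]


def ingress_push(vrfs, ldp_bindings, vrf_name, dst_ip):
    """Ingress PE: the VRF lookup yields the egress PE and the VPN label it
    advertised via BGP; the LDP label for the egress PE's loopback goes on top."""
    egress_pe, vpn_label = lookup_vrf(vrfs[vrf_name], dst_ip)
    return [ldp_bindings[egress_pe], vpn_label]


def p_forward(lfib, stack):
    """P router: acts on the top label only; the VPN label underneath is untouched.
    An implicit-null outgoing label means pop (penultimate hop popping)."""
    top, rest = stack[0], stack[1:]
    out = lfib[top]
    return rest if out == IMPLICIT_NULL else [out] + rest


def egress_deliver(vpn_label_table, stack):
    """Egress PE: after PHP only the VPN label is left; it selects the VRF and the
    outgoing interface. An unknown label is dropped (None), never guessed."""
    if len(stack) != 1:
        raise ValueError("expected only the VPN label after PHP, got %r" % (stack,))
    return vpn_label_table.get(stack[0])


def run_example():
    # VRF tables on PE1 as learned from PE2 (loopback 192.0.2.2) via MP-BGP.
    vrfs = {
        "CUST_A": [("10.1.1.0/24", "192.0.2.2", 24), ("10.0.0.0/8", "192.0.2.2", 26)],
        "CUST_B": [("10.1.1.0/24", "192.0.2.2", 25)],  # same prefix, other VRF
    }
    pe1_ldp = {"192.0.2.2": 1002}    # PE1: label P1 bound to FEC 192.0.2.2/32
    p1_lfib = {1002: 2002}           # P1: swap to the label P2 bound to that FEC
    p2_lfib = {2002: IMPLICIT_NULL}  # P2: PE2 advertised implicit-null, so PHP
    pe2_vpn_labels = {24: ("CUST_A", "Gi0/1"), 25: ("CUST_B", "Gi0/2"), 26: ("CUST_A", "Gi0/1")}

    results = {}
    for vrf_name, dst in [("CUST_A", "10.1.1.5"), ("CUST_B", "10.1.1.5"), ("CUST_A", "10.9.9.9")]:
        stack = ingress_push(vrfs, pe1_ldp, vrf_name, dst)
        trace = [("PE1 push", list(stack))]
        stack = p_forward(p1_lfib, stack)
        trace.append(("P1 swap", list(stack)))
        stack = p_forward(p2_lfib, stack)
        trace.append(("P2 PHP", list(stack)))
        trace.append(("PE2 deliver", egress_deliver(pe2_vpn_labels, stack)))
        results[(vrf_name, dst)] = trace
    return results


if __name__ == "__main__":
    for key, trace in run_example().items():
        print(key, " -> ".join("%s %r" % step for step in trace))
```

Two packets for the same destination 10.1.1.5 from different VRFs leave PE1 with the same transport label but different VPN labels; P1 and P2 never inspect the VPN label, and PE2 delivers each into the right VRF. A packet arriving at PE2 with a VPN label PE2 never advertised is dropped rather than forwarded into some VRF, which is the property that keeps one customer's traffic from leaking into another's.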

  20. MPLS VPN Example Operation (see class notes)
