200 likes | 426 Views
Lecture 14. MPLS VPN Architecture. MPLS VPN is a collection of sites interconnected over MPLS core network. MPLS VPN is based on L3 peer model. The main building blocks of MPLS VPNs are:
E N D
MPLS VPN Architecture • MPLS VPN is a collection of sites interconnected over MPLS core network. MPLS VPN is based on L3 peer model. • The main building blocks of MPLS VPNs are: • Customer Site – collection of LANs or subnets. A site can be viewed as the basic unit of connectivity in MPLS VPN. • Customer Edge (CE)Router – a router that connects to a PE router. • Provide Edge (PE)Router – a provider router that connects to a CE router. • Provider Router (P) – a provider router which is not connected to CE router.
VPN-IPv4 Address • Customers routes learned via PE-CE routing exchanges are advertised using iBGP between PE-PE routers. • Problem – Customer addresses are not unique (i.e., different VPN customers may use same IPv4 addresses). However, BGP requires addresses to be globally unique. • Solution – Define a new address family called VPN-IPv4 address to uniquely identify customer addresses within VPN backbone. • VPN-IPv4 address is 12 byte long. • First 8 bytes are known as Route Distinguisher (RD) • Last 8 bytes are the IPv4 address
Route Distinguisher (RD) • RD is used for making an IPv4 address globally unique. • An RD consists of a 2 byte type field, anadministrator field (2 or 4 byte), and an assigned number field (4 or 2 byte). For example, • When type field value is 0, administrator field is 2 byte and contains AS number of the enterprise, and the assigned number field represent a number from numbering space assigned to the enterprise by IANA. • When type field value is 1, administrator field is 4 byte and contains IP address of the enterprise, and the assigned number field represent contains a number from numbering space assigned to the enterprise by IANA.
Route Distinguisher (RD) • When a PE router learns the addresses from attached CE routers, it distributes this information to other PE routers that are connected to CE routers belong to the same VPN. (Why?) • However, before PE can that , it first needs to translates IPv4 address to VPN-IPv4 address family. • To perform IPv4 to VPN-IPv4 address mapping, PE needs to know what RD to attach. This information is configured on the PE router. • For example, each VRF is configured with the default RD information. • The VPN-IPv4 address is advertised via BGP-4 multiprotocol extensions defined in RFC 2858 (e.g., AFI=1, SAFI =…)
VRF • A PE router can be connected to CE routers from different VPNs. • To have per VPN segregation of routing information and avoid erroneous forwarding packets from one VPN to another, PE maintains per VPN table. • The association between a VRF and its attached set of interfaces (sub-interfaces) is determined through configuration.
Populating VRF • VRF can be populated by routing information from two sources: • Routes learned from associated CE(s) • Routes learned from another PE (i.e., VPN-IPv4 address) • CE routes are always eligible for inclusion into the associated VRF. • PE routes are eligible for inclusion into a VRF, iff, • Route Target (RT) attribute of the received route matches the one or more (pre-configured) Import Targets of the VRF. • When a packet from a CE router is received, the selection of the correct VRF is based on the interface or sub-interface on which the packet was received.
Controlled Distribution of Customer Routes • To control the flow of routing information (which in turn determines the data flow), routes are filtered based on BGP extended attributes. • When a PE learns a CE route, it associates one or more target VPN attributes with the route. • A route target (RT) uniquely identifies a VPN or set of VPNs to which this route should be distributed.
BGP Extended Attribute • BGP Extended Attribute is a transitive optional attribute (Type Code=16). • Each VPN-IPv4 address can be assigned with an Extended Community attribute. • The Extended Community attribute contains a set of extended communities (see draft-ietf-idr-bgp-ext-communities-05.txt) • Each extended community is 8 byte long (64 bits) and is encoded as: • Type Field (1 or 2 byte) • Value Field (7 or 6 byte)
BGP Extended Communities • In MPLS VPN, BGP extended communities are used are use for the controlled distribution of routing information and filtering. • The commonly used BGP extended communities are: • Route Target (RT) Community • Route Origin Community • Route Target community identifies routers may receive the associated route. • Route Origin community identifies one or more routers who injected the route into BGP
0x02 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Sub-Type | Global Administrator | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Global Administrator (cont.) | Local Administrator | +-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 0x00, 0x01, or 0x 02 Route Target (RT) Community Route Target Community: The Route Target Community identifies one or more routers that may receive a set of routes (that carry this Community) carried by BGP. This is transitive across the Autonomous system boundary. Global/Local Administrator Field: Type field = 0x00 or 0x02 means, Local Administrator sub-field contains a number from a numbering space Global Administrator subfieldcontains AS number of the enterprise Type field = 0x01 means, Local Administrator sub-field contains a number from a numberingspace Global Administrator subfield contains IP address of the enterprise.
Route Origin Community 0x03 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Sub-Type | Global Administrator | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Global Administrator (cont.) | Local Administrator | +-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 0x00, 0x01, or 0x 02 Route Origin Community: The Route Origin Community identifies one or more routers that inject a set of routes (that carry this Community) into BGP. This is transitive across the Autonomous system boundary. Global/Local Administrator Field: Type field = 0x00 or 0x02 means, Local Administrator sub-field contains a number from a numbering space Global Administrator subfieldcontains AS number of the enterprise Type field = 0x01 means, Local Administrator sub-field contains a number from a numberingspace Global Administrator subfield contains IP address of the enterprise.
Route Target based Filtering • Every CE router has one or more RT community attributes. Similarly, each VRF on the PE router is associated with one or more RT community attributes. • When a PE router learns a VPN-IPv4 route from another PE router, it installs this route into only those VRFs that have matching import Route Target communities. • Similarly, a PE advertises a learned route to a CE only if there is a common RT attribute between route and the CE router.
Route Target Based Filtering • In summary, MPLS VPN uses BGP extended communities attributes to control the flow of routing information by applying route filtering. • If route distribution is to be restricted within its intranet (i.e., within same VPN), a single RT community is associated with the route. • If extranet or inter-VPN routing is desired, additional RT communities should be associated with the route.
MPLS VPN Packet Forwarding
MPLS VPN Packet Forwarding • Label Stack is used for packet forwarding • Top label indicates BGP Next-Hop • Second level label indicates outgoing interface or VRF • MPLS nodes forward packets based on top label • any subsequent labels are ignored • Penultimate Hop Popping procedures used one hop prior to egress PE router
MPLS VPN Packet Forwarding • As a packet from CE router arrives, PE router performs a IP address lookup in the associated VRF to determine the egress PE router.Typically, there are number of intermediate P routers between an ingress and egress PE router. • Problem - In contrast with PE routers, P routers do not keep routing information about VPN (i.e., customer ) routes. If we were to forward a packet from PE to PE, the intermediate P routers won’t know how to forward this packet based on destination IP address. • Solution – establish LSP between PE routers to forward VPN packets across the P routers. Once an egress PE router is known, we use LSP to forward VPN packets across the P routers.
MPLS VPN Packet Forwarding • The PE to PE label switched path is established using LDP. • In order to label switched the VPN packet along the LSP, PE router attaches a label stack. • The top label (signaled via LDP) is used to forward packet across the P routers. That is, P router forward the packet based on top label. • The bottom label is used to select outgoing interface or VRF in the egress PE router. • The egress PE router advertises the bottom label and the associated VPN-IPv4 route via BGP .
MPLS VPN Example Operation (see class notes)