
MPLS VPN Configurations Syed Mahfuzur Rahman



Presentation Transcript


  1. MPLS VPN Configurations Syed Mahfuzur Rahman

  2. Agenda • Introduction to VPNs concepts • VPN definitions • Types of VPNs (Overlay/Peer) • Comparison between Overlay and Peer model • Benefits for MPLS VPNs

  3. Agenda • Idea behind VRF, RD, RT • Route propagation in MP-BGP • Routing between PE-CE • MPLS Packet Forwarding

  4. Agenda • MPLS configuration • VRF • MP-BGP • PE-CE configuration • Advance configuration

  5. Agenda • MPLS topologies • VPN connectivity • Design considerations • Deployment strategies

  6. VPN/MPLS Concepts • VPN • The concept is to use the service provider's shared resources to connect multiple customer sites • Technologies such as X.25 and Frame Relay use virtual circuits to establish end-to-end connections over the shared provider infrastructure • This statistical sharing of resources lets the service provider offer low-cost services to the end user

  7. VPN Terminology • Provider Network (P-Network) • The backbone under control of a Service Provider • Customer Network (C-Network) • Network under customer control • CE router • Customer Edge router. Part of the C-network and interfaces to a PE router

  8. VPN Terminology • Site • Set of (sub)networks part of the C-network and co-located • A site is connected to the VPN backbone through one or more PE/CE links • PE router • Provider Edge router. Part of the P-Network and interfaces to CE routers • P router • Provider (core) router, without knowledge of VPN

  9. VPN Terminology [Figure: two VPN sites, each with a CPE (CE) device attached to a Provider Edge (PE) device; the PE devices are connected across the Service Provider Network through Provider core (P) devices]

  10. Types of VPNs • VPN services are offered in two major ways • Overlay model, where the service provider provides the virtual connections between sites • Peer model, where the service provider participates in the customer's Layer 3 routing

  11. VPN Overlay Model • The service provider network is a collection of point-to-point links • Routing within the customer network is transparent to the service provider network • The service provider is responsible purely for data transport between customer sites

  12. VPN Overlay Model • Layer 1 implementation: the provider gives bit pipes only; the customer runs its own Layer 2 and Layer 3 (HDLC, PPP, IP) over them • Layer 2 implementation: the service provider is responsible for Layer 2 virtual circuits via ATM or Frame Relay

  13. VPN Overlay Model [Figure: two VPN sites, each with a CPE (CE) device attached to a Provider Edge (PE) device; a Virtual Circuit runs across the Service Provider Network between the PE devices, and the Layer-3 Routing Adjacency is formed directly between the two CE devices over it]

  14. VPN Peer Model • Both the provider and the customer network use the same network protocol • CE and PE routers have a routing adjacency at each site • All provider routers hold the full routing information about all customer networks • Private addresses are not allowed • May use the virtual router capability • Multiple routing and forwarding tables, one per customer network

  15. VPN Peer-to-Peer Model [Figure: two VPN sites, each with a CPE (CE) router attached to a Provider Edge (PE) router across the Service Provider Network; a Layer-3 Routing Adjacency exists on each CE-PE link]

  16. VPN Peer Model • The peer model has been implemented in two ways • Shared router • Dedicated router

  17. VPN Peer Model • Shared router • A common router serves several customers, and extensive packet filtering on the PE router is used to isolate them • The service provider allocates addresses out of its own space to the customer and manages the packet filters to ensure reachability within one customer and isolation between customers • High maintenance cost associated with the packet filters • Performance impact due to packet filtering

  18. Peer-to-Peer Model Shared Router Approach [Figure: one PE with CE routers for VPN-A (Paris), VPN-B (London) and VPN-C (Munich) on separate serial interfaces; the single PE routing table holds VPN-A, VPN-B and VPN-C routes]

    interface Serial0/1
     description ** interface to VPN-A customer
     ip address 192.168.61.6 255.255.255.252
     ip access-group VPN-A in
     ip access-group VPN-A out
    !
    interface Serial0/2
     description ** interface to VPN-B customer
     ip address 192.168.61.9 255.255.255.252
     ip access-group VPN-B in
     ip access-group VPN-B out
    !
    interface Serial0/3
     description ** interface to VPN-C customer
     ip address 192.168.62.6 255.255.255.252
     ip access-group VPN-C in
     ip access-group VPN-C out

  Shared router approach with complex filters

  19. VPN Peer Model • Dedicated router • Customer isolation is achieved via dedicated routers connected to each customer • The POP edge router filters routing updates between the different provider edge routers • Route filtering is achieved via BGP communities • Not cost effective

  20. Peer-to-Peer Model Dedicated Router Approach [Figure: a P router whose routing table holds VPN-A routes (community 111:1) and VPN-B routes (community 111:2); it reflects VPN-A routes only to the dedicated VPN-A PE, while a separate dedicated VPN-B PE serves the VPN-B CEs; sites shown are Paris, Brussels and London]

    router bgp 111
     neighbor 10.13.1.2 remote-as 111
     neighbor 10.13.1.2 route-reflector-client
     neighbor 10.13.1.2 route-map VPN-A out
    !
    route-map VPN-A permit 10
     match community-list 75
    !
    ip community-list 75 permit 111:1

  Dedicated router approach expensive to deploy

  21. Comparison Between the Two Models • Overlay Model • Easy to implement • No knowledge of customer routing • Isolation between the two networks • Peer Model • Optimal routing • Easy to provision additional VPNs through site provisioning, with no need for link provisioning

  22. Comparison Between the Two Models • Overlay Model • Optimal routing between sites requires a full mesh • Bandwidth must be provisioned per virtual circuit • Virtual circuits have to be manually configured • Peer Model • Customer convergence depends on SP routing convergence • The large number of customer routes in the provider network causes scalability problems

  23. Benefits of MPLS VPNs • Best of both worlds • The PE participates in routing, so optimal routing between sites is achieved • The PE isolates customer routing information, like the dedicated-router solution • Overlapping addresses are permitted between customers

  24. Benefits of MPLS VPNs • PE router is subdivided into virtual routers • Similar to the dedicated router approach • Each customer is assigned independent routing tables • IOS does this isolation through the concept of VRF (Virtual Routing and Forwarding)

  25. Benefits of MPLS VPNs [Figure: one PE with a VRF for VPN-A (VPN-A CEs in Paris and London) and a VRF for VPN-B (VPN-B CE in Munich), each VRF holding its own VPN routing table populated by IGP and/or BGP from the CEs, alongside the PE's Global Routing Table] Multiple routing & forwarding instances (VRFs) provide the separation

  26. Problem • How to propagate routing across the network between the PE devices? • We need a routing protocol that will transport the customer routes across the provider network • Need to maintain the independency of customers routing and address space

  27. Easy and Lazy Answer • Run multiple routing protocols, one per customer • But the PE routers will have to run a large number of routing instances • The poor P routers will have to carry all the VPN routes • P routers still run into the overlapping-address problem unless they, too, are configured with every VRF • Does not scale

  28. Better Solution • Run a routing protocol that can exchange the routing updates only between PE routers • P router is protected from customer routes

  29. But how to do it ? • Use BGP to pass the routing information between PE devices • Use MPLS labels to exchange packets between next-hops (PE routers) • Extend BGP to be able to handle overlapping addresses

  30. VPN Routing & Forwarding Instance (VRF) • PE routers maintain separate routing tables • Global routing table • contains all PE and P routes (plus Internet routes if BGP is run in the global table) • populated by the VPN backbone IGP • VRF (VPN routing & forwarding) • routing & forwarding table associated with one or more directly connected sites (CE routers) • a VRF can be associated with any type of interface, whether logical or physical (e.g. sub-interface, virtual or tunnel interface) • interfaces may share the same VRF if the connected sites share the same routing information

  31. VPN Routing & Forwarding Instance (VRF) [Figure: the same diagram as slide 25, one PE with a VRF for VPN-A (CEs in Paris and London) and a VRF for VPN-B (CE in Munich) next to the Global Routing Table] Multiple routing & forwarding instances (VRFs) provide the separation

  32. MPLS/VPN Connectivity Model • Private addressing in multiple VPNs is no longer an issue • provided that members of the same VPN do not use the same address range [Figure: VPN A sites (London, Paris, Munich) using 10.2.1.0/24, 10.3.3.0/24, 10.2.12.0/24 and 10.4.12.0/24; VPN B sites (Milan, Brussels, Vienna) using 10.2.1.0/24 and 10.22.12.0/24; a VPN C is also shown. The 10.2.1.0/24 overlap between VPN A and VPN B is allowed, but within each VPN the address space must be unique]

  33. VPN Routing & Forwarding Instance (VRF) • VRF can be thought of as a virtual router with the following structures: • forwarding table based on CEF • a set of interfaces that use the derived forwarding table • rules to control import/export of routes from/into the VPN routing table • set of routing protocols/peers which inject information into the VPN routing table (including static routing) • router variables associated with the routing protocol used to populate the VPN routing table

  34. VRF Route Population • VRF is populated locally through PE-CE routing protocol exchange • RIP Version 2, OSPF, BGP-4 & static routing • Separate routing context for each VRF • routing protocol context (BGP-4 & RIP V2) • separate process (OSPF) [Figure: Site-1 CE - PE - CE Site-2, with the PE-CE links running EBGP, OSPF, RIPv2 or static routing]

  35. Local VRF Route Population [Figure: PE with a VRF for VPN-A (VPN-A CEs in Paris and London), a VRF for VPN-B (VPN-B CE in Munich) and the Global table; question on the diagram: "Which routing protocol context or process?"] Local VRF population is driven by a routing protocol context (BGP-4, RIPv2) or a separate process (OSPF)

  36. VRF Route Distribution • PE routers distribute local VPN information across the MPLS/VPN backbone • through the use of MP-BGP & redistribution from the VRF • the receiving PE imports routes into the attached VRFs [Figure: two VPN sites, each with a CE router attached to a PE; the PEs exchange routes via MP-BGP across the MPLS/VPN Backbone, with a P router in between]

  37. Concept of RD • If customers have overlapping addresses, BGP would treat them as a single prefix • Extend the prefix with a 64-bit value, the route distinguisher (RD) • With the 32-bit IP address and the 64-bit RD, the two overlapping IP addresses become unique

  38. Concept of RD • The 32-bit IP prefix is the IPv4 address • Prepending the 64-bit RD extends it to a 96-bit VPNv4 address • This address is exchanged only between the PE routers via BGP • It is carried in Multi-Protocol BGP (MP-BGP)

  39. Concept of RD [Figure: the Munich CE router sends a 32-bit IPv4 prefix; PE1 converts it into a 96-bit VPNv4 prefix and passes it over MP-BGP across the MPLS/VPN Backbone to PE2, whose BGP table holds routes from VPN-A and routes from VPN-B as distinct entries]

  40. Processing of RD • RD is propagated between the PE routers • RD is removed by the receiving PE routers • CE router receives just the IPv4 prefixes

  41. Usage of RD • The RD is only used to extend the IP prefix so that overlapping addresses become unique • Simple VPN topologies require a single RD per customer • In some cases multiple RDs may be required

  42. Can RD be the VPN Identifier? • In simple topologies, yes: one RD per customer effectively identifies the VPN • Complex topologies require another component beyond the RD to express VPN membership, in the same way that BGP communities are more flexible than a single tag

  43. Concept of RT • For sites that have to participate in more than one VPN, the RD is not sufficient • You need another way of deciding membership • The route target (RT) was introduced to support complex topologies, so that separation and grouping of routes is easier

  44. Concept of RT • RTs are BGP extended communities attached to VPNv4 routes • They give more flexibility to VPN membership • Any number of RTs can be attached to a route • Extended communities are 64-bit values

  45. Concept of RT • RTs are either exported or imported • Export route targets are attached to the route the moment it is converted from IPv4 to VPNv4 • Import route targets decide which routes are imported into a VRF

  46. Routing Within MPLS VPN • Pass IPv4 to the customer routers • No VPN routes within the MPLS core (P routers) • P routers run IGP and global BGP (if needed) • Provider Edge router carries connected VPN routes and Internet routes

  47. Routing P-router Perspective • Runs IGP with all the P and PE routers in the network • No MPLS VPN routing information • Very simple view of the network

  48. Routing PE-router Perspective • Exchanges IPv4 routes with CE router • Exchange VPNv4 routes with other PE routers • Run common IGP with P router and also internet BGP with P routers (if needed)

  49. Routing Table on PE Router • PE router has to maintain number of routing tables • Global routing table (IGP, Internet routes) • VRF routing information for VPNs connected • VRF routing is populated via CE and other PE routes

  50. PE to PE Route Information Flow • PE router creates VPNv4 update • Adds extended community attribute (RT, SOO) • All other BGP attributes • Received route is imported into appropriate VRF according to RT values • Routes installed into VRF are propagated to CE routers
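To make the RD, RT and PE-to-PE flow of slides 37 to 50 concrete, here is a small Python model added for this page; it is not code from the original deck or from any vendor implementation. It builds the 96-bit VPNv4 prefix as an 8-byte RD followed by the 4-byte IPv4 address, attaches the export RTs at the moment a VRF route becomes a VPNv4 route, and on the receiving PE imports every VPNv4 route into each VRF whose import RTs match, dropping the RD so the VRF again holds plain IPv4 prefixes. The VRF names, the RD and RT values (AS 111), the PE loopbacks and the site prefixes are all constructed for the example; the third VRF on the receiving PE imports both customers' RTs to show what happens when the overlapping 10.2.1.0/24 routes meet inside a single VRF.

```python
"""RD/RT model of the MPLS VPN route flow (added example, not from the deck).

RD : 8-byte value prepended to an IPv4 prefix to form a 96-bit VPNv4 prefix
     (Type 0 'ASN:nn' encoding as in RFC 4364, section 4.1).
RT : extended communities attached on export and matched on import.
All VRF names, RD/RT values, loopbacks and prefixes are constructed for the example.
"""
import ipaddress
import struct
from dataclasses import dataclass, field


def encode_rd(rd: str) -> bytes:
    """Encode a Type 0 RD 'ASN:nn' as 2-byte type 0, 2-byte ASN, 4-byte number."""
    asn, nn = (int(x) for x in rd.split(":"))
    return struct.pack("!HHI", 0, asn, nn)


def vpnv4_prefix(rd: str, prefix: str) -> bytes:
    """96-bit VPNv4 prefix: 64-bit RD followed by the 32-bit IPv4 network address."""
    net = ipaddress.IPv4Network(prefix)
    return encode_rd(rd) + net.network_address.packed


@dataclass(frozen=True)
class Vpnv4Route:
    rd: str
    prefix: str        # IPv4 prefix exactly as learned from the CE, e.g. "10.2.1.0/24"
    next_hop: str      # loopback of the advertising PE (the MP-BGP next hop)
    rts: frozenset     # route targets (extended communities) attached on export
    label: int         # VPN label the advertising PE allocated for this route

    def nlri(self) -> bytes:
        return vpnv4_prefix(self.rd, self.prefix)


@dataclass
class Vrf:
    name: str
    rd: str
    export_rts: frozenset
    import_rts: frozenset
    routes: dict = field(default_factory=dict)   # IPv4 prefix -> next hop


def export_vrf(vrf: Vrf, pe_loopback: str, label_base: int) -> list:
    """Sending PE: each IPv4 route in the VRF becomes a VPNv4 route.
    The RD is taken from the VRF and the export RTs are attached right here;
    the next hop becomes the PE loopback (the CE address is not carried)."""
    return [
        Vpnv4Route(vrf.rd, prefix, pe_loopback, vrf.export_rts, label_base + i)
        for i, prefix in enumerate(sorted(vrf.routes))
    ]


def import_routes(vrfs: list, vpnv4_routes: list):
    """Receiving PE: a VPNv4 route goes into every VRF whose import RTs intersect
    the route's RTs. The RD is dropped on import, so the VRF (and the CE behind
    it) only sees the IPv4 prefix. If a VRF already holds the prefix from a
    different RD, two sites overlap inside that VRF: keep the first path, as a
    single best path would, and report the collision instead of hiding it."""
    seen = {}          # (vrf name, prefix) -> RD of the route that was installed
    collisions = []
    for r in vpnv4_routes:
        for vrf in vrfs:
            if not (vrf.import_rts & r.rts):
                continue
            key = (vrf.name, r.prefix)
            if key in seen and seen[key] != r.rd:
                collisions.append((vrf.name, r.prefix, seen[key], r.rd))
                continue
            seen[key] = r.rd
            vrf.routes[r.prefix] = r.next_hop
    return {v.name: dict(v.routes) for v in vrfs}, collisions


def demo():
    """Paris PE serves two customers whose sites both use 10.2.1.0/24;
    London PE has a VRF per customer plus a shared VRF importing both RTs."""
    paris = "10.0.0.1"   # constructed PE loopback
    vpn_a = Vrf("VPN-A", "111:1", frozenset({"111:1"}), frozenset({"111:1"}),
                {"10.2.1.0/24": "192.168.61.5", "10.3.3.0/24": "192.168.61.5"})
    vpn_b = Vrf("VPN-B", "111:2", frozenset({"111:2"}), frozenset({"111:2"}),
                {"10.2.1.0/24": "192.168.61.10", "10.22.12.0/24": "192.168.61.10"})
    advertised = export_vrf(vpn_a, paris, 16) + export_vrf(vpn_b, paris, 32)

    london = [
        Vrf("VPN-A", "111:1", frozenset({"111:1"}), frozenset({"111:1"})),
        Vrf("VPN-B", "111:2", frozenset({"111:2"}), frozenset({"111:2"})),
        Vrf("SHARED", "111:100", frozenset({"111:100"}), frozenset({"111:1", "111:2"})),
    ]
    tables, collisions = import_routes(london, advertised)
    return advertised, tables, collisions


if __name__ == "__main__":
    adv, tables, collisions = demo()
    for r in adv:
        print(f"RD {r.rd} {r.prefix:14} -> VPNv4 {r.nlri().hex()} RTs {sorted(r.rts)}")
    for name, routes in tables.items():
        print(name, routes)
    print("collisions:", collisions)
```

Running it shows the two 10.2.1.0/24 routes leaving Paris as different 12-byte VPNv4 prefixes (they differ only in the RD bytes), London's VPN-A and VPN-B VRFs each receiving only their own customer's routes, and the SHARED VRF reporting a collision on 10.2.1.0/24: the RD keeps the routes apart in the BGP table, but once both are imported into one VRF the overlap the slide on the connectivity model warns about is back, which is why RT import policy, not the RD, is what decides membership.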
