Lecture 6. L3 MPLS VPN D. Moltchanov, TUT, Spring 2010
Outline
• Unification by MPLS
• VPNs in IETF
• Problems of classic VPNs
• BGP/MPLS L3 VPN in detail
• Example
• Advantages and shortcomings
VPN in IETF
• Standardization of VPNs in IETF
• IETF model
VPN BGP/MPLS
• BGP/MPLS is also known as
  • VPN 2547, VPN MPLS 2547bis, VPN BGP/MPLS
• Properties
  • Well-scaling solution
  • Huge number of VPNs can be supported
  • VPNs over multiple providers are possible
  • L3 solution: IP only!
• General standards for VPN BGP/MPLS
  • IETF RFC 1918
    • Private network addresses, e.g. 192.168.X.X
  • draft-rosen-rfc2547bis
    • BGP/MPLS VPN
  • RFC 2658, year 2006
    • Routing and control: BGP
    • Data transmission: MPLS
Problems of classic VPNs: e.g. IPsec
• Problems of L2 VPN
  • IPsec tunnels
  • User’s equipment works with ISP’s equipment directly
  • A lot of connections (actually, a mesh)
  • Alternative: hubs, but unreliable
  • Problems when the user has plenty of end points
  • Adding one more user’s end point requires a lot of configuration
RFC 2547bis: characteristics
• Network internetworking
  • CE and PE are peers
  • Adding a new CE: only one PE is to be configured
  • PE: contains routes for directly connected VPNs only
RFC 2547bis: principles
• Separation of switching
  • A number of switching tables in PE
  • Each table is for a certain user (certain VPN)
  • Ensures isolation between VPNs
• Limited distribution of routing information by BGP
  • Not all PEs must receive all information
  • Only those having a site of the target VPN attached
• Filtering of routing info
  • If no site of the target VPN is attached, the BGP message is not processed
• Reduced distribution of data
  • Not all sites receive all packets
• Extension for IP address: used for control only
• MPLS switching
  • ISP interior routers (P) are ‘simple’ MPLS LSRs
  • Only border routers are aware of VPNs
RFC 2547bis: communities and VRFs
• Community: a certain VPN
  • Marking: number, color, etc.
• Separation of switching
  • Several switching tables, one per community
• Content of switching tables
  • Routes received from attached CE
  • Routes received from remote PE
  • It is called ‘VPN routing and forwarding table’: VRF
RFC 2547bis: setup phase
• Step 1: Route from CE to PE
  • Static, dynamic
• Step 2: Exporting route to BGP message
  • VPN address, community, VPN label
• Step 3: Transporting control info in ISP’s network
  • BGP is used for this purpose
• Step 4: Importing routes from BGP at remote PEs
  • If there is a site belonging to the same VPN (e.g. green)
• Step 5: From PE to CE
  • Static, dynamic
RFC 2547bis: problems
• Overlapping addresses in VPNs
  • RFC 1918 is for all VPNs
  • 192.168 can be used in many VPNs
• How to identify a certain site at remote PE
  • More than one site of the same VPN can be attached
  • In MPLS we cannot use IP addresses for this purpose
• How to filter BGP messages at remote PEs
  • e.g. if there is no ‘yellow’ VPN at the remote PE, no need to process it
RFC 2547bis: filtering BGP messages
• Limited distribution of routing information
  • CE passes routes to local PE
  • Local PE
    • Marks routes based on community, e.g. green, xyzBank, …
    • BGP is used to distribute these routes to remote PE
  • Remote PE
    • Filters (accepts/rejects) routes based on community
RFC 2547bis: overlapping addresses
• New type of address
  • Aim: change non-unique addresses, making them unique
  • IP address + 8-byte ID
  • This is called route distinguisher (RD)
  • Should be different in a single VPN
  • For example, RD = AS number + some number
  • Outgoing PE: converting IP to RD:IP and using BGP to distribute
  • Incoming PE: converting from RD:IP to IP
• VPN addresses
  • Distributed in a special BGP address family
    • MP-BGP
  • Used in ISP’s network only
  • Used for control only
  • Translated only in PEs
  • Not used for routes’ filtering! Communities are used for that!
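The RD:IP conversion above, worked through in bytes as an added example (this is not code from the lecture). It uses the "type 0" RD layout (2-byte type, 2-byte AS number, 4-byte assigned number) from RFC 4364, which is the "AS number + some number" form named on the slide; the AS number 65000, the assigned numbers and the two customer prefixes are constructed sample values. The point it shows: two VPNs announcing the same RFC 1918 prefix produce different VPN-IPv4 keys at the outgoing PE, and the incoming PE strips the RD again before the route lands in a VRF.

```python
import ipaddress
import struct

# Added example (not part of the lecture slides): a route distinguisher turns
# overlapping customer prefixes into distinct VPN-IPv4 addresses. RD layout is
# type 0 (RFC 4364 section 4.2); AS 65000 and assigned numbers are constructed.

def encode_rd_type0(asn: int, assigned: int) -> bytes:
    """8-byte RD: type 0, administrator = AS number, assigned number."""
    if not (0 <= asn <= 0xFFFF and 0 <= assigned <= 0xFFFFFFFF):
        raise ValueError("type 0 RD needs a 2-byte AS and a 4-byte number")
    return struct.pack("!HHI", 0, asn, assigned)

def rd_to_text(rd: bytes) -> str:
    """Render a type 0 RD in the usual 'AS:number' notation."""
    rd_type, admin, assigned = struct.unpack("!HHI", rd)
    if rd_type != 0:
        raise ValueError("only type 0 (AS:number) RDs are handled here")
    return f"{admin}:{assigned}"

def encode_vpn_ipv4(rd: bytes, prefix: str) -> tuple:
    """Outgoing PE: IP prefix -> (length in bits, 12-byte RD:IP address).
    The 8-byte RD precedes the 4-byte IPv4 address, so the prefix length
    grows by 64 bits."""
    net = ipaddress.IPv4Network(prefix)
    return 64 + net.prefixlen, rd + net.network_address.packed

def decode_vpn_ipv4(length: int, addr: bytes) -> tuple:
    """Incoming PE: RD:IP -> ('AS:number', 'a.b.c.d/len'). The RD is dropped
    before the route enters the VRF; it is never used for forwarding."""
    if len(addr) != 12 or not 64 <= length <= 96:
        raise ValueError("VPN-IPv4 address is an 8-byte RD plus a 4-byte IPv4 address")
    rd, ip = addr[:8], int.from_bytes(addr[8:], "big")
    net = ipaddress.IPv4Network((ip, length - 64))
    return rd_to_text(rd), str(net)

def vpn_ipv4_keys(sites: dict) -> dict:
    """BGP keys for several VPNs that all announce the same prefix.
    sites maps a VPN name to (AS number, assigned number, prefix)."""
    keys = {}
    for vpn, (asn, number, prefix) in sites.items():
        length, addr = encode_vpn_ipv4(encode_rd_type0(asn, number), prefix)
        keys[vpn] = (length, addr.hex())
    return keys

if __name__ == "__main__":
    # Constructed sample: two customers both use 192.168.0.0/24
    sites = {"green": (65000, 1, "192.168.0.0/24"),
             "yellow": (65000, 2, "192.168.0.0/24")}
    for vpn, (length, key) in vpn_ipv4_keys(sites).items():
        print(f"{vpn}: /{length} {key} -> {decode_vpn_ipv4(length, bytes.fromhex(key))}")
```

Both keys carry the same trailing four bytes c0a80000 (192.168.0.0) and differ only in the RD, which is exactly why the RD is a disambiguator for BGP and not a filtering or forwarding key; the community does the filtering, as the slide stresses.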
RFC 2547bis: how to route using VPN-IP?
• We can use overlapping IP addresses
  • Indeed, we actually use VPN-IP addresses
• Problem: how to route based on VPN-IP?
  • VPN-IP addresses are used by the routing protocol only
  • VPN-IP addresses are not carried in IP headers!
• MPLS is the solution
  • Forwarding: separated (local switching tables)
  • Addresses: separated (only for control)
• In contrast to IP routing and forwarding
  • At each hop we analyze packet headers
  • IP addresses may indeed overlap
RFC 2547bis: solution
• Why not use VPN-IPs?
  • MPLS does not use IP for forwarding!
• Solution:
  • There could be many networks within a single community!
  • A label is used to identify the next hop at the remote PE
  • This is called the VPN label
  • The VPN label is distributed by BGP together with the VPN-IP
    • BGP (Dest = RDy:x.x.x.x, Next Hop = PEz, Label = N)
• Each IP packet in ISP’s network has 2 labels
  • LSP label: internal route for ISP
  • VPN label: external route for ISP
  • Just a label stack is used
• Remote PE
  • Removes the first label
  • Determines the next node (CE) based on the next label
RFC 2547bis: RD, community, VPN label
• Route Distinguisher (RD)
  • To identify sites of different VPNs with the same IP space
• Community
  • For limited distribution of routing information (BGP filtering)
• VPN label
  • To identify different CEs at the remote PE that belong to the same community
  • Used at the data transmission phase!
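The setup steps, the community filtering and the two-label data phase from the preceding slides, combined into one toy model as an added example (not code from the lecture). Two PEs and one P router are simulated in Python; the names PE1, PE2, CE-green and CE-yellow, the RDs 65000:1 and 65000:2, the community names and every label value are constructed for the example. PE1 has a green site and a yellow site that both use 192.168.0.0/24; PE2 has only a green site, so it must drop the yellow route on import and, in the data phase, reach the right CE behind PE1 by VPN label alone.

```python
from dataclasses import dataclass

# Added example (not from the lecture): CE route -> BGP export with community
# and VPN label -> import filtering at the remote PE -> two-label forwarding.
# All node names, RDs, communities and label numbers are constructed.

@dataclass(frozen=True)
class VpnRoute:
    """One BGP VPN route: RD:prefix, next-hop PE, VPN label, community."""
    rd: str
    prefix: str
    next_hop: str
    vpn_label: int
    community: str

class PE:
    def __init__(self, name: str):
        self.name = name
        self.vrfs = {}          # one VRF (switching table) per community
        self.label_table = {}   # VPN label -> (VRF, CE): used in the data phase only
        self._next_label = 100  # constructed start value for label allocation

    def add_vrf(self, vrf: str, rd: str, community: str) -> None:
        self.vrfs[vrf] = {"rd": rd, "community": community, "routes": {}}

    def learn_from_ce(self, vrf: str, prefix: str, ce: str) -> int:
        """Step 1: route from CE; the PE allocates a VPN label pointing at that CE."""
        label = self._next_label
        self._next_label += 1
        self.label_table[label] = (vrf, ce)
        self.vrfs[vrf]["routes"][prefix] = ("local", ce, label)
        return label

    def export_routes(self) -> list:
        """Step 2: each local route becomes RD:prefix + community + VPN label in BGP."""
        routes = []
        for table in self.vrfs.values():
            for prefix, (kind, _ce, label) in table["routes"].items():
                if kind == "local":
                    routes.append(VpnRoute(table["rd"], prefix, self.name,
                                           label, table["community"]))
        return routes

    def import_route(self, route: VpnRoute) -> bool:
        """Step 4: filtering on the community only; the RD plays no part here."""
        for table in self.vrfs.values():
            if table["community"] == route.community:
                table["routes"][route.prefix] = ("remote", route.next_hop, route.vpn_label)
                return True
        return False   # no site of that VPN attached: the BGP route is dropped

    def push_labels(self, vrf: str, dst_prefix: str, lsp_labels: dict) -> list:
        """Ingress PE: VRF lookup, then push [LSP label (outer), VPN label (inner)]."""
        kind, next_hop, vpn_label = self.vrfs[vrf]["routes"][dst_prefix]
        if kind != "remote":
            raise ValueError("destination is behind a local CE, no labels needed")
        return [lsp_labels[next_hop], vpn_label]

    def pop_vpn_label(self, stack: list) -> str:
        """Egress PE: the remaining (inner) label selects the CE, so two CEs in
        different VPNs with the same IP space are still told apart."""
        _vrf, ce = self.label_table[stack[-1]]
        return ce

def p_router_swap(stack: list, swap_table: dict) -> list:
    """P router: a plain MPLS LSR that only touches the outer LSP label.
    A swap value of None models penultimate-hop pop, leaving only the VPN label."""
    new_outer = swap_table[stack[0]]
    inner = stack[1:]
    return inner if new_outer is None else [new_outer] + inner

def run_scenario() -> dict:
    pe1, pe2 = PE("PE1"), PE("PE2")
    pe1.add_vrf("green", "65000:1", "green")
    pe1.add_vrf("yellow", "65000:2", "yellow")
    pe2.add_vrf("green", "65000:1", "green")   # PE2 has no yellow site attached
    # Overlapping RFC 1918 space: both customers at PE1 use 192.168.0.0/24
    pe1.learn_from_ce("green", "192.168.0.0/24", "CE-green")
    yellow_label = pe1.learn_from_ce("yellow", "192.168.0.0/24", "CE-yellow")
    pe2.learn_from_ce("green", "10.1.0.0/24", "CE-green-2")
    # Step 3: BGP carries PE1's routes across the ISP; PE2 keeps only green
    accepted = [pe2.import_route(r) for r in pe1.export_routes()]
    # Data phase: packet from CE-green-2 towards 192.168.0.0/24
    lsp_labels = {"PE1": 17}                       # constructed LSP label towards PE1
    stack = pe2.push_labels("green", "192.168.0.0/24", lsp_labels)
    at_egress = p_router_swap(stack, {17: None})   # single P router, does PHP
    return {"accepted": accepted, "stack": stack, "at_egress": at_egress,
            "egress_ce": pe1.pop_vpn_label(at_egress),
            "yellow_ce": pe1.pop_vpn_label([yellow_label])}

if __name__ == "__main__":
    print(run_scenario())
```

Running it, the yellow route is rejected by PE2 (accepted = [True, False]), the packet leaves PE2 as [17, 100], the P router strips the LSP label without ever seeing the customer prefix, and PE1 hands the packet to CE-green because label 100 was allocated for that CE; the yellow CE behind the same 192.168.0.0/24 sits behind a different label, which is the whole reason the VPN label, not the IP address, drives the last hop.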
RFC 2547bis: brief summary
• Basic properties
  • P nodes
    • Are not aware of VPN routes
    • Should know how to forward to the next hop
  • PE nodes
    • Support VPN routes
    • But only those which are directly connected
  • VPNs are allowed to have overlapping addresses
    • e.g. several CEs in different VPNs may have 192.168.0.10
RFC 2547bis: scalability
• Customer does not route
  • All functionality is provided by ISP
• Adding one more CE to a VPN
  • We need to configure only one PE (BGP!)
  • Does not depend on how many sites we have
• PE nodes
  • Support routes for directly connected VPNs
• P nodes
  • Are not aware of VPNs at all
• Overlapping addresses can be used
  • Each provider is allowed to use its own RD
RFC 2547bis: advantages
• Easy to use for ISPs
  • Only PEs should be configured
• Everything over IP
  • Just a trend we have to follow
• Compatibility
  • We can use it in ATM, Frame Relay or IP networks
• Scalable approach
  • No need to change P routers
• Reliable approach
  • MPLS: adaptive to changes in ISP’s network + traffic engineering
RFC 2547bis: shortcomings
• Only IP
  • Other protocols must be encapsulated
• Joint routing
  • ISP should have knowledge of customer’s network
  • CE should be a router
  • Sometimes expensive…
• Complexity
  • Multiple dynamic routes in ISP’s network
  • The need for configuring CE together with ISP
  • This way ISP is aware of your topology…