MPLS VPN Configurations Khalid Raza
Agenda • Introduction to VPN concepts • VPN definitions • Types of VPNs (Overlay/Peer) • Comparison between Overlay and Peer model • Benefits of MPLS VPNs
Agenda • Idea behind VRF, RD, RT • Route propagation in MP-BGP • Routing between PE-CE • MPLS Packet Forwarding
Agenda • MPLS configuration • VRF • MP-BGP • PE-CE configuration • Advanced configuration
Agenda • MPLS topologies • VPN connectivity • Design considerations • Deployment strategies
VPN/MPLS Concepts • VPN • The concept is to use the service provider's shared resources to connect multiple customer sites • Technologies such as X.25 and Frame Relay use virtual circuits to establish end-to-end connections over the shared provider infrastructure • This statistical sharing of resources enables the service provider to offer low-cost services to the end user
VPN Terminology • Provider Network (P-Network) • The backbone under control of a Service Provider • Customer Network (C-Network) • Network under customer control • CE router • Customer Edge router. Part of the C-network and interfaces to a PE router
VPN Terminology • Site • Set of (sub)networks part of the C-network and co-located • A site is connected to the VPN backbone through one or more PE/CE links • PE router • Provider Edge router. Part of the P-Network and interfaces to CE routers • P router • Provider (core) router, without knowledge of VPN
VPN Terminology [Diagram: two VPN sites, each with a CPE (CE) device attached to a Provider Edge (PE) device; the PEs are connected across the Service Provider Network through a Provider core (P) device]
Types of VPNs • VPN services are offered in two major ways • Overlay model, where the service provider provides the virtual connections between sites • Peer model, where the service provider participates in the layer-3 routing of the customer
VPN Overlay Model • The service provider network is a collection of point-to-point (virtual) links • Routing within the customer network is transparent to the service provider network • The service provider is responsible purely for data transport between customer sites
VPN Overlay Model • Layer 1 implementation: the provider gives bit pipes only; the customer runs IP over HDLC or PPP on top • Layer 2 implementation: the service provider is responsible for the L2 virtual circuits via ATM or Frame Relay
VPN Overlay Model [Diagram: two VPN sites; the CPE (CE) devices hold a layer-3 routing adjacency with each other over a virtual circuit that passes through the PE devices and the Service Provider Network]
VPN Peer Model • Both provider and customer network use the same network protocol • CE and PE routers have a routing adjacency at each site • All provider routers hold the full routing information about all customer networks • Private addresses are not allowed, since customer prefixes are carried in the provider's own routing tables • May use the virtual router capability • Multiple routing and forwarding tables based on customer networks
VPN Peer-to-Peer Model [Diagram: two VPN sites; each CPE (CE) router has a layer-3 routing adjacency with its Provider Edge (PE) router, and the PE routers route across the Service Provider Network]
VPN Peer Model • The peer model has been implemented with two approaches • Shared router • Dedicated router
VPN Peer Model • Shared router • A common PE router serves several customers, and extensive packet filtering on the PE router is used to isolate them • The service provider allocates addresses out of its own space to the customer and manages the packet filters to ensure reachability within the same customer and isolation between customers • High maintenance cost associated with the packet filters • Performance impact due to packet filtering
Peer-to-Peer Model Shared Router Approach [Diagram: one PE router with a single routing table holding VPN-A, VPN-B and VPN-C routes, attached to the VPN-A CE (Paris), VPN-B CE (London) and VPN-C CE (Munich); caption: shared router approach with complex filters]

    interface Serial0/1
     description ** interface to VPN-A customer
     ip address 192.168.61.6 255.255.255.252
     ip access-group VPN-A in
     ip access-group VPN-A out
    !
    interface Serial0/2
     description ** interface to VPN-B customer
     ip address 192.168.61.9 255.255.255.252
     ip access-group VPN-B in
     ip access-group VPN-B out
    !
    interface Serial0/3
     description ** interface to VPN-C customer
     ip address 192.168.62.6 255.255.255.252
     ip access-group VPN-C in
     ip access-group VPN-C out
VPN Peer Model • Dedicated router • Customer isolation is achieved via dedicated PE routers per customer • The POP edge router filters routing updates between the different provider edge routers • Route filtering is achieved via BGP communities • Not cost effective
Peer-to-Peer Model Dedicated Router Approach [Diagram: VPN-A CEs (Paris, Brussels) attached to a dedicated VPN-A PE that holds VPN-A routes only; VPN-B CE (London) attached to a dedicated VPN-B PE; the P router's routing table holds VPN-A routes tagged with community 111:1 and VPN-B routes tagged with community 111:2; caption: dedicated router approach expensive to deploy]

    router bgp 111
     neighbor 10.13.1.2 remote-as 111
     neighbor 10.13.1.2 route-reflector-client
     neighbor 10.13.1.2 route-map VPN-A out
    !
    route-map VPN-A permit 10
     match community-list 75
    !
    ip community-list 75 permit 111:1
Comparison Between the Two Models • Overlay Model • Easy to implement • No knowledge of customer routing • Isolation between the two networks • Peer Model • Optimal routing • Easy to provision additional VPNs through site provisioning; no link provisioning is needed
Comparison Between the Two Models • Overlay Model • Optimal routing between sites requires a full mesh of virtual circuits • Bandwidth must be provisioned per virtual circuit • Virtual circuits have to be manually configured • Peer Model • Customer convergence depends on SP routing convergence • The large number of customer routes in the provider network causes scalability problems
Benefits of MPLS VPNs • Best of both worlds • The PE participates in customer routing, so optimal routing between sites is achieved • The PE isolates customer routing information, like the dedicated router solution • Overlapping addresses are permitted between customers
Benefits of MPLS VPNs • The PE router is subdivided into virtual routers • Similar to the dedicated router approach • Each customer is assigned independent routing tables • IOS implements this isolation through the concept of a VRF (Virtual Routing and Forwarding instance)
Benefits of MPLS VPNs [Diagram: one PE with a VRF for VPN-A attached to the VPN-A CEs (Paris, London) and a VRF for VPN-B attached to the VPN-B CE (Munich); the VRFs are populated by IGP and/or BGP from the CEs and are separate from the PE's global routing table; caption: multiple routing & forwarding instances (VRFs) provide the separation]
Problem • How to propagate routing across the network between the PE devices? • We need a routing protocol that transports the customer routes across the provider network • Need to maintain the independence of each customer's routing and address space
Easy and Lazy Answer • Run multiple routing protocols, one per customer • But PE routers would have to run a large number of routing instances • The poor P routers would have to carry all the VPN routes • P routers would still run into the overlapping address problem unless every VRF were also configured on them, not only on the PE routers • Does not scale
Better Solution • Run a routing protocol that exchanges the routing updates only between PE routers • P routers are shielded from customer routes
But how to do it? • Use BGP to pass the routing information between PE devices • Use MPLS labels to forward packets between next hops (PE routers) • Extend BGP to be able to handle overlapping addresses
VPN Routing & Forwarding Instance (VRF) • PE routers maintain separate routing tables • Global routing table • contains all PE and P routes (and perhaps Internet BGP routes) • populated by the VPN backbone IGP • VRF (VPN routing & forwarding) • routing & forwarding table associated with one or more directly connected sites (CE routers) • a VRF can be associated with any type of interface, whether physical or logical (e.g. sub-interface, virtual interface, tunnel) • interfaces may share the same VRF if the connected sites share the same routing information
MPLS/VPN Connectivity Model • Private addressing in multiple VPNs is no longer an issue • provided that members of one VPN do not use the same address range [Diagram: VPN A sites London, Paris, Munich using 10.2.1.0/24, 10.3.3.0/24, 10.2.12.0/24, 10.4.12.0/24; VPN B sites Milan, Brussels, Vienna using 10.2.1.0/24, 10.22.12.0/24; VPN C; caption: address space for VPN A and B must be unique]
VPN Routing & Forwarding Instance (VRF) • A VRF can be thought of as a virtual router with the following structures: • a forwarding table based on CEF • a set of interfaces that use the derived forwarding table • rules to control the import/export of routes into/from the VPN routing table • the set of routing protocols/peers that inject information into the VPN routing table (including static routing) • router variables associated with the routing protocol used to populate the VPN routing table
VRF Route Population [Diagram: Site-1 CE and Site-2 CE attached to the PE, running EBGP, OSPF, RIPv2 or static routing] • A VRF is populated locally through the PE-CE routing protocol exchange • RIP version 2, OSPF, BGP-4 and static routing • Separate routing context for each VRF • routing protocol context (BGP-4 and RIPv2) • separate process (OSPF)
Local VRF Route Population [Diagram: PE with a VRF for VPN-A (CEs in Paris and London), a VRF for VPN-B (CE in Munich) and the global table; question: which routing protocol context or process populates each VRF?; caption: local VRF population driven by routing protocol context or process (OSPF)]
VRF Route Distribution • PE routers distribute local VPN information across the MPLS/VPN backbone • through the use of MP-BGP and redistribution from the VRF • the receiving PE imports the routes into the attached VRFs [Diagram: two VPN sites, each CE router attached to a PE; the PEs exchange MP-BGP across the MPLS/VPN backbone through a P router]
Concept of RD • If customers have overlapping addresses, BGP would treat them as a single prefix • So the prefix is extended with a 64-bit route distinguisher (RD) • With the 32-bit IP address and the 64-bit RD, two overlapping IP addresses become unique
Concept of RD • The 32-bit IP prefix is the IPv4 address • With the 64-bit RD it is extended to 96 bits and becomes a VPNv4 address • This address is exchanged only between the PE routers via BGP • It is carried in Multi-Protocol BGP
Concept of RD [Diagram: the Munich CE router sends a 32-bit IPv4 prefix to PE1; PE1 converts it into a 96-bit VPNv4 prefix and carries it in MP-BGP across the MPLS/VPN backbone to PE2; the BGP table holds routes from VPN-A and routes from VPN-B separately]
Processing of RD • The RD is propagated between the PE routers • The RD is removed by the receiving PE router • The CE router receives just the IPv4 prefixes
Usage of RD • The RD is only used to extend the IP prefix such that overlapping addresses become unique • Simple VPN topologies require a single RD per customer • In some cases multiple RDs may be required
Can RD be the VPN Identifier? • Yes, in simple topologies it could serve as a VPN identifier • Complex VPN topologies require another component besides the RD, one with the flexibility that BGP communities provide
Concept of RT • For sites that have to participate in more than one VPN, the RD is not sufficient • Another way of deciding VPN membership is needed • The RT (route target) was introduced to support complex topologies, so that separation and grouping are easier
Concept of RT • An RT is a BGP extended community attached to a VPNv4 address • It gives more flexibility to VPN membership • Any number of RTs can be attached to a route • Extended communities are 64-bit values
Concept of RT • RTs are either exported or imported • Export route targets are attached to the route the moment it is converted from IPv4 to VPNv4 • Import route targets decide which routes are imported into the VPN
Routing Within MPLS VPN • Pass IPv4 routes to the customer routers • No VPN routes within the MPLS core (P routers) • P routers run the IGP and global BGP (if needed) • The Provider Edge router carries the connected VPN routes and Internet routes
Routing: P-router Perspective • Runs the IGP with all the P and PE routers in the network • Holds no MPLS VPN routing information • Has a very simple view of the network
Routing: PE-router Perspective • Exchanges IPv4 routes with CE routers • Exchanges VPNv4 routes with other PE routers • Runs the common IGP with the P routers, and also Internet BGP with P routers (if needed)
Routing Table on PE Router • The PE router has to maintain a number of routing tables • Global routing table (IGP, Internet routes) • VRF routing information for each connected VPN • VRF routing is populated via CE routes and routes received from other PEs
PE to PE Route Information Flow • The PE router creates a VPNv4 update • Adds the extended community attribute (RT, SOO) • and all other BGP attributes • The received route is imported into the appropriate VRF according to its RT values • Routes installed into the VRF are propagated to the CE routers
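The RD and RT mechanics of the preceding slides (64-bit RD prepended to the IPv4 prefix to form a 96-bit VPNv4 address, RTs carried as extended communities, RD stripped again on import) and the PE-to-PE flow above, as an added Python model that is not part of Khalid Raza's slides. The PE and VRF names, the AS number 64500, the sample prefixes and the class layout are my own assumptions; only the type-0 RD and two-octet-AS RT encodings follow RFC 4364 and RFC 4360. It also goes one step beyond the slides by giving the London PE a SHARED VRF that imports both customers' RTs, which shows why RT-based membership is more flexible than the RD alone and what happens when two members of one VRF use the same address range.

```python
"""Toy model of MPLS/VPN route distribution between PE routers (added example, not from the slides)."""
import ipaddress
import struct
from dataclasses import dataclass, field


def encode_rd(asn: int, assigned: int) -> bytes:
    """Type 0 route distinguisher: 2-byte type (0), 2-byte ASN, 4-byte assigned number = 64 bits."""
    return struct.pack("!HHI", 0, asn, assigned)


def encode_rt(asn: int, assigned: int) -> bytes:
    """Route target: transitive two-octet-AS-specific extended community (type 0x00, sub-type 0x02)."""
    return struct.pack("!BBHI", 0x00, 0x02, asn, assigned)


def vpnv4_address(rd: bytes, prefix: ipaddress.IPv4Network) -> bytes:
    """64-bit RD + 32-bit IPv4 address = the 96-bit VPNv4 address carried in MP-BGP."""
    return rd + prefix.network_address.packed


@dataclass
class Vrf:
    name: str
    rd: bytes
    export_rts: frozenset          # attached when an IPv4 route is turned into VPNv4
    import_rts: frozenset          # a VPNv4 route is imported if it carries any of these
    routes: dict = field(default_factory=dict)      # IPv4Network -> next hop
    origin_rd: dict = field(default_factory=dict)   # IPv4Network -> RD of the imported VPNv4 route
    conflicts: list = field(default_factory=list)   # prefixes imported under two different RDs


@dataclass(frozen=True)
class VpnV4Update:
    nlri: bytes                  # 96-bit VPNv4 address
    prefixlen: int
    route_targets: frozenset     # extended community attribute
    next_hop: str                # loopback of the advertising PE (the LSP endpoint)


@dataclass
class Pe:
    name: str
    loopback: str
    vrfs: dict = field(default_factory=dict)

    def add_vrf(self, vrf: Vrf) -> None:
        self.vrfs[vrf.name] = vrf

    def export(self) -> list:
        """One VPNv4 update per VRF route: prepend the VRF's RD, attach its export RTs."""
        updates = []
        for vrf in self.vrfs.values():
            for prefix in vrf.routes:
                updates.append(VpnV4Update(vpnv4_address(vrf.rd, prefix), prefix.prefixlen,
                                           vrf.export_rts, self.loopback))
        return updates

    def import_updates(self, updates: list) -> dict:
        """Import each VPNv4 route into every local VRF whose import RTs match, stripping the RD
        so the VRF (and the CE behind it) only ever sees a plain IPv4 prefix."""
        imported = {}
        for upd in updates:
            rd, addr = upd.nlri[:8], int.from_bytes(upd.nlri[8:], "big")
            prefix = ipaddress.IPv4Network((addr, upd.prefixlen))
            for vrf in self.vrfs.values():
                if not vrf.import_rts & upd.route_targets:
                    continue
                if prefix in vrf.origin_rd and vrf.origin_rd[prefix] != rd:
                    # Same IPv4 prefix arriving under two RDs in one VRF: the
                    # "members of one VPN must not share an address range" caveat.
                    vrf.conflicts.append(str(prefix))
                vrf.routes[prefix] = upd.next_hop
                vrf.origin_rd[prefix] = rd
                imported.setdefault(vrf.name, []).append(str(prefix))
        return imported


def build_topology():
    """Constructed sample: Paris PE hosts VPN-A and VPN-B, both using 10.1.1.0/24. London PE hosts
    the same two VPNs plus a SHARED VRF importing both RTs, a membership the RD alone cannot express."""
    asn = 64500
    rt_a, rt_b = encode_rt(asn, 100), encode_rt(asn, 200)
    paris, london = Pe("Paris", "192.0.2.1"), Pe("London", "192.0.2.2")
    paris.add_vrf(Vrf("VPN-A", encode_rd(asn, 100), frozenset({rt_a}), frozenset({rt_a}),
                      {ipaddress.IPv4Network("10.1.1.0/24"): "10.10.1.2",
                       ipaddress.IPv4Network("10.1.2.0/24"): "10.10.1.2"}))
    paris.add_vrf(Vrf("VPN-B", encode_rd(asn, 200), frozenset({rt_b}), frozenset({rt_b}),
                      {ipaddress.IPv4Network("10.1.1.0/24"): "10.20.1.2"}))
    london.add_vrf(Vrf("VPN-A", encode_rd(asn, 100), frozenset({rt_a}), frozenset({rt_a})))
    london.add_vrf(Vrf("VPN-B", encode_rd(asn, 200), frozenset({rt_b}), frozenset({rt_b})))
    london.add_vrf(Vrf("SHARED", encode_rd(asn, 300), frozenset(), frozenset({rt_a, rt_b})))
    return paris, london


if __name__ == "__main__":
    paris, london = build_topology()
    updates = paris.export()
    for u in updates:
        print(f"VPNv4 {u.nlri.hex()}/{u.prefixlen} RT={[rt.hex() for rt in u.route_targets]} nh={u.next_hop}")
    print(london.import_updates(updates))
    print("conflicts in SHARED:", london.vrfs["SHARED"].conflicts)
```

Running it shows three distinct VPNv4 NLRIs leaving Paris even though two of them carry the same 10.1.1.0/24, because the RDs differ; London's VPN-A and VPN-B VRFs each receive only their own copy with the RD removed, and the SHARED VRF records a conflict for 10.1.1.0/24, which is exactly the case the slides exclude by requiring unique address space within one VPN. The P routers never appear in the model because they carry none of these routes.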