Module 7

MPLS VPN Technology © 2001, Cisco Systems, Inc.

Objectives
Upon completion of this lesson, you will be able to perform the following tasks:
• Identify major Virtual Private Network topologies, their characteristics and usage scenarios
• Describe the differences between overlay VPN and peer-to-peer VPN
• List major technologies supporting overlay VPNs and peer-to-peer VPNs
• Position MPLS VPN in comparison with other peer-to-peer VPN implementations
• Describe major architectural blocks of MPLS VPN

MPLS v1.0—7-2

Introduction to Virtual Private Networks

Objectives
Upon completion of this section, you will be able to perform the following tasks:
• Describe the concept of VPN
• Explain VPN terminology as defined by MPLS VPN architecture

Traditional Router-Based Networks
Figure: Sites A, B, C and D, each connected to the others by its own dedicated link.
Traditional router-based networks connect customer sites through routers connected via dedicated point-to-point links.

Virtual Private Networks
Figure: Customer sites, each with a customer premises equipment (CPE) router, attached to provider edge (PE) devices (Frame Relay switches); provider core devices inside the service provider network; Virtual Circuit (VC) #1 and VC #2 emulating point-to-point links between the sites, one of which is a large customer site with other customer routers behind its CPE router.
• Virtual Private Networks (VPNs) replace dedicated point-to-point links with emulated point-to-point links sharing common infrastructure.
• Customers use VPNs primarily to reduce their operational costs.

VPN Terminology
Figure: A customer site and a large customer site attached to the service provider network.
• Provider network (P-network): the service provider infrastructure used to provide VPN services.
• Customer network (C-network): the part of the network still under customer control.
• Customer site: a contiguous part of the customer network (can encompass many physical locations).
• Customer edge (CE) device: the device in the C-network that links into the P-network; also called customer premises equipment (CPE).
• Provider edge (PE) device: the device in the P-network to which the CE devices are connected.
• Provider (P) device: the device in the P-network with no customer connectivity.

VPN Terminology Specific to Switched WANs
Figure: CPE routers at a customer site and at a large customer site (with other customer routers behind the CPE router), PE devices (Frame Relay switches) and a P device in the service provider network, VC #1 and VC #2 between the sites.
Virtual Circuit (VC): emulated point-to-point link established across shared Layer 2 infrastructure.
• A permanent virtual circuit (PVC) is established through out-of-band means (network management) and is always active.
• A switched virtual circuit (SVC) is established through CE-PE signaling on demand from the CE device.

Summary
After completing this section, you should be able to perform the following tasks:
• Describe the concept of VPN
• Explain VPN terminology as defined by MPLS VPN architecture

Review Questions
• Why are customers interested in Virtual Private Networks?
• What is the main role of a VPN?
• What is a C-network?
• What is a customer site?
• What is a CE-router?
• What is a P-network?
• What is the difference between a PE-device and a P-device?

Overlay and Peer-to-Peer VPN

Objectives
Upon completion of this section, you will be able to perform the following tasks:
• Describe the differences between overlay and peer-to-peer VPN
• Describe the benefits and drawbacks of each VPN implementation option
• List major technologies supporting overlay VPNs
• Describe traditional peer-to-peer VPN implementation options

VPN Implementation Technologies
VPN services can be offered based on two major paradigms:
• Overlay VPNs, in which the service provider provides virtual point-to-point links between customer sites
• Peer-to-peer VPNs, in which the service provider participates in the customer routing

Overlay VPN Implementation (Frame Relay Example)
Figure: Customer routers A, B, C and D at four customer sites, each attached to a Frame Relay edge switch (the PE device) of the service provider network; VC #1, VC #2 and VC #3 interconnect the sites.

Layer 3 Routing in Overlay VPN Implementation
Figure: Routers A, B, C and D see each other across the virtual circuits as directly connected neighbors.
• The service provider infrastructure appears as point-to-point links to the customer routers.
• Routing protocols run directly between customer routers.
• The service provider does not see customer routes and is responsible only for providing point-to-point transport of customer data.

Overlay VPN Layer 1 Implementation
Figure (protocol stack): IP over PPP, ISDN or HDLC, carried on E1, T1 or DS0 circuits over SDH/SONET.
This is the traditional TDM solution: the service provider establishes physical-layer connectivity between customer sites. The customer takes responsibility for all higher layers.

Overlay VPN Layer 2 Implementation
Figure (protocol stack): IP over X.25, Frame Relay or ATM.
This is the traditional switched WAN solution: the service provider establishes Layer 2 virtual circuits between customer sites. The customer takes responsibility for all higher layers.

Overlay VPN IP Tunneling
Figure (protocol stack): IP inside Generic Routing Encapsulation (GRE) or IP Security (IPSec), carried over IP.
The VPN is implemented with IP-over-IP tunnels. Tunnels are established with GRE or IPSec. GRE is simpler (and quicker) but provides no authentication or confidentiality of its own; IPSec provides both.

Overlay VPN Layer 2 Forwarding
Figure (protocol stack): IP over PPP, tunneled by the Layer 2 Tunnel Protocol (L2TP), the Layer 2 Forwarding Protocol (L2F) or the Point-to-Point Tunneling Protocol (PPTP), carried over IP.
The VPN is implemented with PPP-over-IP tunnels, usually in access environments (dialup, digital subscriber line).

Peer-to-Peer VPN Concept
Figure: Customer routers A, B, C and D at four customer sites, each attached to a PE router of the service provider network.
• Routing information is exchanged between CE and PE routers.
• PE routers exchange customer routes through the core network.
• Finally, the customer routes propagated through the PE network are sent to the other CE routers.

Peer-to-Peer VPN with Packet Filters
Figure: Customer A Site #1, Customer A Site #2 and Customer B Site #1 all attach to one shared router at the service provider point of presence (POP).
• The POP router carries all customer routes.
• Isolation between customers is achieved with packet filters on the PE-CE interfaces.

Peer-to-Peer VPN with Controlled Route Distribution
Figure: At the POP, the Customer A sites attach to a dedicated PE router for Customer A and Customer B Site #1 to a dedicated PE router for Customer B; both PE routers connect to a P router that has the uplink into the service provider network.
• The P router contains all customer routes.
• Each customer has a dedicated PE router that carries only its routes.
• Customer isolation is achieved through lack of routing information on the PE router.

Benefits of Various VPN Implementations
Overlay VPN:
• Well-known and easy to implement.
• Service provider does not participate in customer routing.
• Customer network and service provider network are well isolated.
Peer-to-peer VPN:
• Guarantees optimum routing between customer sites.
• Easier to provision an additional VPN.
• Only the sites are provisioned, not the links between them.

Drawbacks of Various VPN Implementations
Overlay VPN:
• Implementing optimum routing requires a full mesh of virtual circuits.
• Virtual circuits have to be provisioned manually.
• Bandwidth must be provisioned on a site-to-site basis.
• Overlay VPNs always incur encapsulation overhead.
Peer-to-peer VPN:
• Service provider participates in customer routing.
• Service provider becomes responsible for customer convergence.
• PE routers carry all routes from all customers.
• Service provider needs detailed IP routing knowledge.

Drawbacks of Traditional Peer-to-Peer VPNs
Shared PE router:
• All customers share the same (provider-assigned or public) address space.
• High maintenance costs are associated with packet filters.
• Performance is lower: each packet has to pass a packet filter.
Dedicated PE router:
• All customers share the same address space.
• Each customer requires a dedicated router at each POP.

VPN Taxonomy
Virtual Networks
  Virtual Private Networks
    Overlay VPN
      Layer 2 VPN: X.25, Frame Relay, ATM
      Layer 3 VPN: GRE, IPSec
    Peer-to-Peer VPN
      Access Lists (Shared Router)
      Split Routing (Dedicated Router)
      MPLS VPN
  Virtual Dialup Networks
  Virtual LANs

Summary
After completing this section, you should be able to perform the following tasks:
• Describe the differences between overlay and peer-to-peer VPN
• Describe the benefits and drawbacks of each VPN implementation option
• List major technologies supporting overlay VPNs
• Describe traditional peer-to-peer VPN implementation options

Review Questions
• What is an overlay VPN?
• Which routing protocol runs between the customer and the service provider in an overlay VPN?
• Which routers are routing protocol neighbors of a CE-router in an overlay VPN?
• List three IP-based overlay VPN technologies.
• What is the major benefit of peer-to-peer VPN as compared to overlay VPN?
• List two traditional peer-to-peer VPN implementations.
• What is the drawback of all traditional peer-to

Major VPN Topologies

Objectives
Upon completion of this section, you will be able to perform the following tasks:
• Identify major VPN topologies
• Describe the implications of using the overlay VPN or peer-to-peer VPN approach with each topology
• List sample usage scenarios for each topology

VPN Topology Categorization
Overlay VPNs are categorized based on the topology of the virtual circuits:
• (Redundant) hub-and-spoke topology
• Partial mesh topology
• Full mesh topology
• Multilevel topology, which combines several levels of overlay VPN topologies

Overlay VPN Hub-and-Spoke Topology
Figure: A central site (hub) router with a virtual circuit across the service provider network to each of four remote sites (spokes).

Overlay VPN Redundant Hub-and-Spoke Topology
Figure: Two redundant central site routers at the hub, each with virtual circuits across the service provider network to the four remote sites (spokes).

Overlay VPN Partial Mesh
Figure: Sites in Guam, New York, Moscow, Hong Kong, Berlin and Sydney interconnected by virtual circuits (Frame Relay Data-Link Connection Identifiers, DLCIs); only some pairs of sites have a direct virtual circuit.

Overlay VPN Multilevel Hub-and-Spoke
Figure: Two redundant central site routers at the hub connect across the service provider network to distribution-layer routers at distribution sites, which in turn connect to the remote sites (spokes).

VPN Business Categorization
VPNs can be categorized on the business needs they fulfill:
• Intranet VPN: connects sites within an organization.
• Extranet VPN: connects different organizations in a secure way.
• Access VPN: a virtual private dialup network (VPDN) provides dialup access into a customer network.

Extranet VPN—Overlay VPN Implementation
Figure: GlobalMotors, BoltsAndNuts, AirFilters Inc. and SuperBrakes Inc. each sit behind their own firewall and attach to a Frame Relay switch at the edge of the provider IP backbone; Frame Relay VCs (DLCIs) connect the partner sites.

Extranet VPN—Peer-to-Peer VPN Implementation
Figure: The same four partners, each behind its own firewall, attach to PE routers of the provider IP backbone.

VPN Connectivity Categorization
VPNs can also be categorized by the connectivity required between sites:
• Simple VPN: every site can communicate with every other site.
• Overlapping VPN: some sites participate in more than one simple VPN.
• Central services VPN: all sites can communicate with central servers, but not with each other.
• Managed network: a dedicated VPN is established to manage CE routers.

Central Services Extranet
Figure: Customer A (Amsterdam), Customer B (London) and Customer C (Paris) each reach the VoIP gateways in the service provider extranet infrastructure, but not each other.

Central Services Extranet—Hybrid (Overlay + Peer-to-Peer) Implementation
Figure: Customers A, B and C (Amsterdam, London, Paris) reach the VoIP gateways in the service provider extranet infrastructure; some sites attach directly to PE routers, others through Frame Relay edge switches of a Frame Relay infrastructure with a Frame Relay VC into a PE router.

Managed Network Overlay VPN Implementation
Figure: Two redundant central site routers at the hub and the remote sites (spokes) across the service provider network; the network management center has its own virtual circuit to each managed router.
Dedicated virtual circuits are used for network management.

Summary
After completing this section, you should be able to perform the following tasks:
• Identify major VPN topologies
• Describe the implications of using the overlay VPN or peer-to-peer VPN approach with each topology
• List sample usage scenarios for each topology

Review Questions
• What are the major overlay VPN topologies?
• Why would customers prefer a partial mesh over a full mesh topology?
• What is the difference between an intranet and an extranet?
• What is the difference between a simple VPN and a central services VPN?
• What are the connectivity requirements of a Central Services

MPLS VPN Architecture

Objectives
Upon completion of this section, you will be able to perform the following tasks:
• Describe the difference between traditional peer-to-peer models and MPLS VPN
• List the benefits of MPLS VPN
• Describe major architectural blocks of MPLS VPN
• Explain the need for route distinguishers and route targets

MPLS VPN Architecture
MPLS VPN combines the best features of overlay VPN and peer-to-peer VPN:
• PE routers participate in customer routing, guaranteeing optimum routing between sites and easy provisioning.
• PE routers carry a separate set of routes for each customer (similar to the dedicated PE router approach).
• Customers can use overlapping addresses.

MPLS VPN Terminology
Figure: Customer A sites #1 to #4 (Site #1 with two remote offices behind its CE router) and Customer B sites #1 to #4 attach to PE routers at POP-X and POP-Y; the PE routers connect through a P router in the P-network.

PE Router Architecture
Figure: Inside one PE router, a global IP router with the global IP routing table faces the P router; a virtual router for Customer A with its own virtual IP routing table faces Customer A sites #1, #2 and #3; a virtual router for Customer B with its own virtual IP routing table faces Customer B site #1.
The MPLS VPN architecture is very similar to the dedicated PE router peer-to-peer model, but the dedicated per-customer routers are implemented as virtual routing tables within the PE router.

Routing Information Propagation Across the P-Network
Figure: PE Router X connects Customers A, B and C; PE Router Y connects Customers B, C and A; the P router between them in the P-network runs a separate IGP for Customer A, another for Customer B and another for Customer C.
Q: How will PE routers exchange customer routing information?
A1: Run a dedicated Interior Gateway Protocol (IGP) for each customer across the P-network.
Wrong answer:
• The solution does not scale.
• P routers carry all customer routes.

Routing Information Propagation Across the P-Network (cont.)
Figure: The same PE Router X, P router and PE Router Y; a single dedicated routing protocol carries the routes of Customers A, B and C across the P-network.
Q: How will PE routers exchange customer routing information?
A2: Run a single routing protocol that will carry all customer routes inside the provider backbone.
Better answer, but still not good enough:
• P routers carry all customer routes.

Routing Information Propagation Across the P-Network (cont.)
Figure: The same PE Router X, P router and PE Router Y; a dedicated routing protocol carries customer routes directly between the PE routers, bypassing the P router.
Q: How will PE routers exchange customer routing information?
A3: Run a single routing protocol that will carry all customer routes between PE routers. Use MPLS labels to exchange packets between PE routers.
The best answer: P routers do not carry customer routes; the solution is scalable.

Routing Information Propagation Across the P-Network (cont.)
Figure: As before, a dedicated routing protocol carries customer routes between PE Router X and PE Router Y.
Q: Which protocol can be used to carry customer routes between PE routers?
A: The number of customer routes can be very large. BGP is the only routing protocol that can scale to a very large number of routes.
Conclusion: BGP is used to exchange customer routes directly between PE routers.

Routing Information Propagation Across the P-Network (cont.)
Figure: As before, a dedicated routing protocol carries customer routes between PE Router X and PE Router Y.
Q: Customers can have overlapping address spaces. How will information about the same subnet of two customers be propagated via a single routing protocol?
A: Customer addresses are extended with a 64-bit prefix (route distinguisher, RD) to make them unique. Unique 96-bit addresses are exchanged between PE routers.

Route Distinguisher
• The RD is a 64-bit quantity prepended to an IP version 4 (IPv4) address to make it globally unique.
• The resulting 96-bit address is called a VPNv4 address.
• VPNv4 addresses are exchanged only via BGP between PE routers.
• BGP that supports address families other than IPv4 addresses is called multiprotocol BGP (MP-BGP).

Route Distinguisher Usage in an MPLS VPN
Figure: Customer A and Customer B sites on each side of the P-network, attached to PE 1 and PE 2.
• The CE router sends an IPv4 routing update to the PE router.
• A 64-bit route distinguisher is prepended to the customer IPv4 prefix to make it globally unique, resulting in a 96-bit VPNv4 prefix.
• The 96-bit VPNv4 prefix is propagated via BGP to the other PE router.
• The RD is removed from the VPNv4 prefix, resulting in a 32-bit IPv4 prefix.
• The PE router sends the resulting IPv4 prefix to the CE router.

Route Distinguisher Usage in an MPLS VPN
• The RD has no special meaning; it is used only to make potentially overlapping IPv4 addresses globally unique.
• Simple VPN topologies require one RD per customer.
• The RD could serve as a VPN identifier for simple VPN topologies, but this design could not support all topologies required by the customers.

Complex VPN—Sample VoIP Service
Figure: Customer A central site, Customer A sites 1 and 2, Customer B central site and Customer B sites 1 and 2 attach to PE Router X and PE Router Y; a VoIP gateway sits at each PE router; a P router connects the PE routers across the P-network.
Requirements:
• All sites of one customer need to communicate.
• Central sites of both customers need to communicate with the VoIP gateways and with the other central sites.
• Other sites from different customers do not communicate with each other.

Sample VoIP Service Connectivity Requirements
Figure: Customer A (Central Site A, Site A-1, Site A-2) and Customer B (Central Site B, Site B-1, Site B-2); the VoIP VPN contains Central Site A, Central Site B, the POP-X VoIP gateway and the POP-Y VoIP gateway.

Route Targets
• Some sites have to participate in more than one VPN; the RD cannot identify participation in more than one VPN.
• A different method is needed in which a set of identifiers can be attached to a route.
• Route targets were introduced in the MPLS VPN architecture to support complex VPN topologies.

What Are Route Targets?
• Route targets (RTs) are additional attributes attached to VPNv4 BGP routes to indicate VPN membership.
• Extended BGP communities are used to encode these attributes.
• Extended communities carry the meaning of the attribute together with its value.
• Any number of RTs can be attached to a single route.

How Do Route Targets Work?
• Export RTs identifying VPN membership are appended to the customer route when it is converted into a VPNv4 route.
• Each virtual routing table has a set of associated import RTs that select the routes to be inserted into that virtual routing table.
• Route targets usually identify VPN membership, but they can also be used in more complex scenarios.

Virtual Private Networks Redefined
With the support of complex VPN topologies, VPNs have to be redefined:
• A VPN is a collection of sites sharing common routing information.
• A site can be part of different VPNs.
• A VPN can be seen as a community of interest (closed user group, CUG).

Impact of Complex VPN Topologies on Virtual Routing Tables
• A virtual routing table in a PE router can be used only for sites with identical connectivity requirements.
• Complex VPN topologies require more than one virtual routing table per VPN.
• As each virtual routing table requires a distinct RD value, the number of RDs in the MPLS VPN network increases.

Sample VoIP Service Virtual Routing Tables
Figure: The VoIP VPN membership diagram from the previous slide, annotated with the virtual routing tables needed.
• Site A-1 and A-2 can share the same routing table.
• Central Site A needs its own routing table.
• The voice gateways can share a routing table.
• Central Site B needs its own routing table.
• Site B-1 and B-2 can share the same routing table.
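The import/export rule from the "How Do Route Targets Work?" slide, applied to the five virtual routing tables listed above, as an added Python example that is not part of the Cisco deck. It models each routing table as one logical VRF with an RD and import/export RT sets, floods every exported VPNv4 route to every VRF as a full MP-iBGP mesh would, and checks the connectivity requirements of the sample VoIP service. The RT values (65000:100, 65000:200, 65000:900), the RDs, the site prefixes and the VRF names are constructed for the example; the PE-by-PE placement of VRFs and the label handling are left out.

```python
"""Route-target driven VRF population for the sample VoIP service.

Added example. Each logical VRF exports its CE routes as VPNv4 routes tagged
with its export RTs and imports every VPNv4 route that carries at least one
of its import RTs. RT values, RDs, prefixes and site names are constructed.
"""
from dataclasses import dataclass, field

RT_A = "65000:100"      # Customer A intranet
RT_B = "65000:200"      # Customer B intranet
RT_VOICE = "65000:900"  # VoIP VPN: both central sites and the voice gateways


@dataclass
class Vrf:
    name: str
    rd: str
    export_rts: frozenset
    import_rts: frozenset
    local: dict = field(default_factory=dict)  # prefix -> site, learned from CE routers
    table: dict = field(default_factory=dict)  # prefix -> (site, rd), after RT-based import


@dataclass(frozen=True)
class Vpnv4Route:
    rd: str
    prefix: str
    site: str
    rts: frozenset


def export_routes(vrf: Vrf) -> list:
    """Ingress PE: prepend the VRF's RD and attach its export RTs to each CE route."""
    return [Vpnv4Route(vrf.rd, prefix, site, vrf.export_rts) for prefix, site in vrf.local.items()]


def import_routes(vrf: Vrf, bgp_table: list) -> None:
    """Receiving PE: install a VPNv4 route only if one of its RTs is in the VRF's import set."""
    for route in bgp_table:
        if route.rts & vrf.import_rts:
            vrf.table[route.prefix] = (route.site, route.rd)


def rts(*values: str) -> frozenset:
    return frozenset(values)


def build_voip_service() -> tuple:
    """The five virtual routing tables from the slide; returns (vrfs, MP-BGP table)."""
    vrfs = {
        "A-spokes":  Vrf("A-spokes",  "65000:1", rts(RT_A),           rts(RT_A)),
        "A-central": Vrf("A-central", "65000:2", rts(RT_A, RT_VOICE), rts(RT_A, RT_VOICE)),
        "B-spokes":  Vrf("B-spokes",  "65000:3", rts(RT_B),           rts(RT_B)),
        "B-central": Vrf("B-central", "65000:4", rts(RT_B, RT_VOICE), rts(RT_B, RT_VOICE)),
        "voice-gw":  Vrf("voice-gw",  "65000:5", rts(RT_VOICE),       rts(RT_VOICE)),
    }
    # Constructed CE prefixes. The spokes of A and B deliberately reuse 10.1.0.0/24 and
    # 10.2.0.0/24; the central sites and gateways must not overlap, because they end up
    # in each other's routing tables through RT_VOICE.
    vrfs["A-spokes"].local = {"10.1.0.0/24": "A-1", "10.2.0.0/24": "A-2"}
    vrfs["A-central"].local = {"10.0.0.0/24": "A-central"}
    vrfs["B-spokes"].local = {"10.1.0.0/24": "B-1", "10.2.0.0/24": "B-2"}
    vrfs["B-central"].local = {"10.100.0.0/24": "B-central"}
    vrfs["voice-gw"].local = {"192.0.2.0/24": "voip-gw-x", "198.51.100.0/24": "voip-gw-y"}

    # Full MP-iBGP mesh: every PE sees every exported VPNv4 route.
    bgp_table = [route for vrf in vrfs.values() for route in export_routes(vrf)]
    for vrf in vrfs.values():
        import_routes(vrf, bgp_table)
    return vrfs, bgp_table


def reachable_sites(vrf: Vrf) -> set:
    """Sites whose prefixes ended up in this VRF, i.e. what its CE routers can reach."""
    return {site for site, _ in vrf.table.values()}


if __name__ == "__main__":
    vrfs, bgp_table = build_voip_service()
    for name, vrf in vrfs.items():
        print(f"{name:10} RD {vrf.rd}: {sorted(reachable_sites(vrf))}")
    dup = [r for r in bgp_table if r.prefix == "10.1.0.0/24"]
    print("10.1.0.0/24 appears", len(dup), "times in MP-BGP, with RDs", sorted(r.rd for r in dup))
```

Two customers, five VRFs and five RDs: that is the "Impact of Complex VPN Topologies" slide in practice. The RD keeps the two 10.1.0.0/24 routes apart in the MP-BGP table, while the RTs decide that A-central sees B-central and the gateways but never B-1, and that a spoke never sees a gateway.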

Benefits of MPLS VPN Technology
MPLS VPN technology has all the benefits of peer-to-peer VPN technology:
• Easy provisioning
• Optimal routing
It also bypasses most drawbacks of traditional peer-to-peer VPN technologies:
• RDs enable overlapping customer address spaces.
• RTs enable topologies that were hard to implement with other VPN technologies.

Summary
After completing this section, you should be able to perform the following tasks:
• Describe the difference between traditional peer-to-peer models and MPLS VPN
• List the benefits of MPLS VPN
• Describe major architectural blocks of MPLS VPN
• Explain the need for route distinguishers and route targets

Review Questions
• How does MPLS VPN support overlapping customer address spaces?
• How are customer routes exchanged across the P-network?
• What is a route distinguisher?
• Why is the RD not usable as a VPN identifier?
• What is a route target?
• Why were route targets introduced in the MPLS VPN architecture?
• How are route targets used to build virtual routing tables in the PE routers?
• What is the impact of complex VPN topologies on virtual routing tables in the PE routers?

MPLS VPN Routing Model

Objectives
Upon completion of this section, you will be able to perform the following tasks:
• Describe the routing model of MPLS VPN
• Describe the MPLS VPN routing model from customer and provider perspectives
• Identify the routing requirements of CE routers, PE routers and P routers

MPLS VPN Routing Requirements
• Customer routers (CE routers) have to run standard IP routing software.
• Provider core routers (P routers) have no VPN routes.
• Provider edge routers (PE routers) have to support MPLS VPN and Internet routing.

MPLS VPN Routing—CE Router Perspective
Figure: Two CE routers exchanging routing updates with a PE router of the MPLS VPN backbone.
The CE routers run standard IP routing software and exchange routing updates with the PE router.
• External BGP (EBGP), Open Shortest Path First (OSPF), RIP version 2 (RIPv2), and static routes are supported.
• The PE router appears as another router in the

MPLS VPN Routing—Overall Customer Perspective
Figure: A site IGP at each customer site, CE routers attached to PE routers, and the PE routers joined by a BGP backbone.
To the customer, the PE routers appear as core routers connected via a BGP backbone. The usual BGP and IGP design rules apply. The P routers are hidden from the customer.

MPLS VPN Routing—P Router Perspective
Figure: A P router between two PE routers in the MPLS VPN backbone.
• P routers do not participate in MPLS VPN routing and do not carry VPN routes.
• P routers run the backbone IGP with the PE routers and exchange information about global subnets (core links and loopbacks).

MPLS VPN Routing—PE Router Perspective
Figure: CE routers run VPN routing with their PE router; the PE routers run the core IGP with the P router and an MP-BGP session with each other across the MPLS VPN backbone.
PE routers:
• Exchange VPN routes with CE routers via per-VPN routing protocols
• Exchange core routes with P routers and PE routers via the core IGP
• Exchange VPNv4 routes with other PE routers via MP-IBGP sessions

MPLS VPN Support for Internet Routing
Figure: The same backbone; the PE routers additionally run IPv4 BGP for Internet routes with each other, while the P router runs only the core IGP.
PE routers can run standard IPv4 BGP in the global routing table:
• PE routers exchange Internet routes with other PE routers.
• CE routers do not participate in Internet routing.
• P routers do not need to participate in Internet routing.

Routing Tables on PE Routers
Figure: VPN routing between CE and PE routers, MP-BGP and IPv4 BGP for Internet between the PE routers, the core IGP between PE and P routers.
PE routers contain a number of routing tables:
• A global routing table that contains core routes (filled by the core IGP) and Internet routes (filled by IPv4 BGP).
• VRF tables for sets of sites with identical routing requirements.
• VRFs are filled with information from CE routers and MP-BGP information from other PE routers.

MPLS VPN End-to-End Routing Information Flow (1/3)
Figure: A CE router sends an IPv4 update to its PE router at the edge of the MPLS VPN backbone.
PE routers receive IPv4 routing updates from CE routers and install them in the appropriate VRF table.

MPLS VPN End-to-End Routing Information Flow (2/3)
Figure: The IPv4 update received from the CE router leaves the PE router as an MP-BGP update towards the other PE router; the P router takes no part in the exchange.
• PE routers export VPN routes from VRF tables into MP-BGP and propagate them as VPNv4 routes to other PE routers.
• A full mesh of MP-IBGP sessions is needed between PE routers (in practice, BGP route reflectors are used to avoid configuring the full mesh).

MP-BGP Update
An MP-BGP update contains:
• VPNv4 address
• Extended communities (route targets and, optionally, site of origin, SOO)
• Label used for VPN packet forwarding
• Any other BGP attribute (for example, AS path, local preference, multi-exit discriminator (MED), standard community)

MP-BGP Update—VPNv4 Address
A VPNv4 address contains:
• RD (64 bits)
  • Makes the IPv4 route globally unique
  • Is configured in the PE for each VRF
  • May or may not be related to a site or a VPN
• IPv4 address (32 bits)

MP-BGP Update—Extended Communities
• 64-bit attribute attached to a route
• A set of communities can be attached to a single route
• The high-order 16 bits identify the extended community type:
  • RT: identifies the set of sites to which the route must be advertised
  • SOO: identifies the originating site
  • OSPF route type: identifies the link-state advertisement (LSA) type of an OSPF route redistributed into MP-BGP

Extended BGP Community Display Format
Two display formats are supported:
• <16-bit AS number>:<32-bit number>, using a registered AS number
• <32-bit IP address>:<16-bit number>, using a registered IP address
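The RD, VPNv4 prefix and extended community layouts described on the last four slides, encoded and decoded on the wire, as an added Python example that is not from the deck. Byte layouts follow RFC 4364 for the RD and RFC 4360 for extended communities; both postdate this 2001 deck, and RFC 4364 also defines a third RD type (4-byte AS number) that the slides do not mention. The sample RD and RT values are constructed.

```python
"""Wire encoding of the MP-BGP objects on the preceding slides.

Added example: RD (RFC 4364 section 4.2), VPNv4 prefix (RD + IPv4 prefix) and
extended communities (RFC 4360; RT sub-type 0x02, SOO sub-type 0x03).
All sample values below are constructed for the example.
"""
import ipaddress
import struct

# RD type field, the first two octets of the 8-octet RD.
RD_TYPE_AS2 = 0   # 2-octet AS number : 4-octet assigned number    ("65000:1")
RD_TYPE_IP = 1    # 4-octet IPv4 address : 2-octet assigned number ("10.0.0.1:1")
RD_TYPE_AS4 = 2   # 4-octet AS number : 2-octet assigned number    (not on the slides)


def encode_rd(text: str) -> bytes:
    """'ASN:nn' or 'A.B.C.D:nn' -> 8-octet RD. The type follows from the administrator field."""
    admin, _, assigned = text.rpartition(":")
    if "." in admin:
        return struct.pack("!HIH", RD_TYPE_IP, int(ipaddress.IPv4Address(admin)), int(assigned))
    asn = int(admin)
    if asn <= 0xFFFF:
        return struct.pack("!HHI", RD_TYPE_AS2, asn, int(assigned))
    return struct.pack("!HIH", RD_TYPE_AS4, asn, int(assigned))


def decode_rd(raw: bytes) -> str:
    """8-octet RD -> display form. Raises on an unknown type instead of guessing."""
    if len(raw) != 8:
        raise ValueError("RD must be 8 octets")
    rd_type = struct.unpack("!H", raw[:2])[0]
    if rd_type == RD_TYPE_AS2:
        asn, assigned = struct.unpack("!HI", raw[2:])
        return f"{asn}:{assigned}"
    if rd_type == RD_TYPE_IP:
        addr, assigned = struct.unpack("!IH", raw[2:])
        return f"{ipaddress.IPv4Address(addr)}:{assigned}"
    if rd_type == RD_TYPE_AS4:
        asn, assigned = struct.unpack("!IH", raw[2:])
        return f"{asn}:{assigned}"
    raise ValueError(f"unknown RD type {rd_type}")


def vpnv4_prefix(rd: str, prefix: str) -> bytes:
    """Ingress PE: prepend the 64-bit RD to the 32-bit IPv4 network -> 96-bit VPNv4 address."""
    net = ipaddress.IPv4Network(prefix)
    return encode_rd(rd) + net.network_address.packed


def split_vpnv4(vpnv4: bytes, prefixlen: int) -> tuple:
    """Egress PE: strip the RD and recover the IPv4 prefix handed to the CE router."""
    if len(vpnv4) != 12:
        raise ValueError("VPNv4 address must be 12 octets")
    rd = decode_rd(vpnv4[:8])
    ipv4 = ipaddress.IPv4Network((int.from_bytes(vpnv4[8:], "big"), prefixlen))
    return rd, str(ipv4)


# Extended community: 1-octet type, 1-octet sub-type, 6 octets of value.
EC_TYPE_AS2 = 0x00     # 2-octet AS : 4-octet number  (displayed "ASN:nn")
EC_TYPE_IP = 0x01      # 4-octet IPv4 : 2-octet number (displayed "A.B.C.D:nn")
EC_SUBTYPE_RT = 0x02   # route target
EC_SUBTYPE_SOO = 0x03  # site of origin


def encode_ext_community(text: str, subtype: int = EC_SUBTYPE_RT) -> bytes:
    """'ASN:nn' or 'A.B.C.D:nn' -> 8-octet extended community (a route target by default)."""
    admin, _, number = text.rpartition(":")
    if "." in admin:
        return struct.pack("!BBIH", EC_TYPE_IP, subtype, int(ipaddress.IPv4Address(admin)), int(number))
    return struct.pack("!BBHI", EC_TYPE_AS2, subtype, int(admin), int(number))


def decode_ext_community(raw: bytes) -> tuple:
    """8-octet extended community -> ('RT' or 'SOO', 'admin:number')."""
    kinds = {EC_SUBTYPE_RT: "RT", EC_SUBTYPE_SOO: "SOO"}
    ec_type, subtype = raw[0], raw[1]
    if subtype not in kinds:
        raise ValueError(f"unsupported extended community sub-type {subtype:#x}")
    if ec_type == EC_TYPE_AS2:
        asn, number = struct.unpack("!HI", raw[2:])
        return kinds[subtype], f"{asn}:{number}"
    if ec_type == EC_TYPE_IP:
        addr, number = struct.unpack("!IH", raw[2:])
        return kinds[subtype], f"{ipaddress.IPv4Address(addr)}:{number}"
    raise ValueError(f"unsupported extended community type {ec_type:#x}")


if __name__ == "__main__":
    # Two customers announcing the same subnet: distinct VPNv4 addresses thanks to the RD.
    for rd in ("65000:1", "65000:2"):
        v = vpnv4_prefix(rd, "10.1.1.0/24")
        print(f"RD {rd} + 10.1.1.0/24 -> {v.hex()} ({len(v) * 8} bits) -> {split_vpnv4(v, 24)}")
    rt = encode_ext_community("65000:100")
    print(f"RT 65000:100 on the wire: {rt.hex()} -> {decode_ext_community(rt)}")
```

On a real PE the operator types the RD and RT in display form and the router does the packing; encoding them by hand shows why two customers' 10.1.1.0/24 are different VPNv4 routes in MP-BGP while the IPv4 prefix handed back to the CE is unchanged, and why an RT and an RD that look alike ("65000:1") are still different objects with different wire formats.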

MPLS VPN End-to-End Routing Information Flow (3/3) MPLS VPN Backbone CE Router

CE Router

MP-BGP Update PE Router CE Router

P Router

PE Router CE Router

• Receiving PE router imports incoming VPNv4 routes into the appropriate VRF based on route targets attached to the routes • Routes installed in VRF are propagated to CE routers

© 2001, Cisco Systems, Inc.

MPLS v1.0—7-86

Route Distribution to CE Routers Route distribution to sites is driven by the SOO and RT EBGP communities. A route is installed in the site VRF that matches the RT attribute. • A PE router that connects sites belonging to multiple VPNs will install the route into the site VRF if the RT attribute contains one or more VPNs to which the site is associated.

© 2001, Cisco Systems, Inc.

MPLS v1.0—7-87

Summary
After completing this section, you should be able to perform the following tasks:
• Describe the routing model of MPLS VPN
• Describe the MPLS VPN routing model from customer and provider perspective
• Identify the routing requirements of CE-routers, PE-routers and P-routers

Review Questions
• What is the impact of MPLS VPN on CE-routers?
• What is the customer's perception of end-to-end MPLS VPN routing?
• What is the P-router perception of end-to-end MPLS VPN routing?
• How many routing tables does a PE-router have?
• How many routing tables reside on a P-router?
• Which routing protocols fill the global routing table of a PE-router?
• Which routing protocols fill the Virtual

More Review Questions
• How is Internet routing supported by the MPLS VPN architecture?
• How is the VPN routing information exchanged between the PE-routers?
• Which attributes are always present in an MP-BGP update?
• Which attributes can be optionally present in an MP-BGP update?
• Which BGP attributes drive the import of a VPNv4 route into a VRF?
• Which BGP attributes control the VPN route distribution toward CE-routers?

MPLS VPN Packet Forwarding

Objectives
Upon completion of this section, you will be able to perform the following tasks:
• Describe the MPLS VPN forwarding mechanisms
• Describe the VPN and backbone label propagation
• Explain the need for end-to-end LSP between PE routers
• Explain the implications of BGP next-hop on MPLS VPN forwarding

VPN Packet Forwarding Across an MPLS VPN Backbone
[Figure: CE routers attached to the ingress PE router, two P routers and the egress PE router; the packet crosses the backbone as a plain IP packet]
Q: How will the PE routers forward the VPN packets across the MPLS VPN backbone?
A1: They will forward pure IP packets.
Wrong answers: P routers do not have VPN routes; the packet is dropped on IP lookup. How about using MPLS for packet propagation across the backbone?

VPN Packet Forwarding Across an MPLS VPN Backbone
[Figure: the packet carries a single LDP label (L1, L2, L3, swapped at each P router) across the backbone and arrives at the egress PE router as a plain IP packet]
Q: How will the PE routers forward the VPN packets across the MPLS VPN backbone?
A2: They will label the VPN packets with a label distribution protocol (LDP) label for the egress PE router and forward the labeled packets across the MPLS backbone.
Better answers: The P routers perform the label switching and the packet reaches the egress PE router. However, the egress PE router does not know which VRF to use for packet switching, so the packet is dropped. How about using a label stack?

VPN Packet Forwarding Across an MPLS VPN Backbone
[Figure: the packet carries a two-label stack; the LDP label (L1, L2, L3) is swapped at each P router while the VPN label (V) is carried unchanged to the egress PE router, which forwards a plain IP packet to the CE router]
Q: How will the PE routers forward the VPN packets across the MPLS VPN backbone?
A3: They will label the VPN packets with a label stack, using the LDP label for the egress PE router as the top label and the VPN label assigned by the egress PE router as the second label in the stack.
Correct answers: The P routers perform label switching and the packet reaches the egress PE router. The egress PE router performs a lookup on the VPN label and forwards the packet toward the CE router.

VPN Packet Forwarding—Penultimate Hop Popping
[Figure: the label stack {LDP label, VPN label} is swapped at the first P router; the last P router pops the LDP label, so the egress PE router receives the packet carrying only the VPN label (V)]
• Penultimate hop popping on the LDP label can be performed on the last P router.
• The egress PE router performs label lookup only on the VPN label, resulting in faster and simpler label lookup.
• IP lookup is performed only once—in the ingress PE router.
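The following is an added example, not code from the Cisco courseware, that models the three answers from the preceding slides (pure IP, a single LDP label, and the two-label stack) together with penultimate hop popping. The topology, label values, addresses and interface names are constructed: CE-A, Ingress-PE, P1, P2, Egress-PE and CE-B, LDP labels 17 and 18 for the egress PE loopback, and VPN label 38 assigned by Egress-PE for 203.1.20.0/24. P2 is the penultimate hop and pops the LDP label, so Egress-PE only ever looks up the VPN label.

```python
import ipaddress

# Backbone (global) routing table on P routers: provider-internal prefixes only,
# no VPN routes (constructed).
GLOBAL_TABLE = ["10.15.0.15/32", "10.20.0.60/32", "192.168.3.0/24"]

ROUTERS = {
    # VRF FIB on the ingress PE: destination prefix -> label stack {LDP, VPN}
    "Ingress-PE": {"role": "ingress_pe",
                   "vrf_fib": {"SiteA": {"203.1.20.0/24": [17, 38]}}},
    # LFIB of a P router: incoming label -> (action, outgoing label, next hop)
    "P1": {"role": "p", "lfib": {17: ("swap", 18, "P2")}},
    "P2": {"role": "p", "lfib": {18: ("pop", None, "Egress-PE")}},  # PHP
    # Egress PE: VPN label -> (VRF, outgoing interface, CE router)
    "Egress-PE": {"role": "egress_pe",
                  "vpn_labels": {38: ("SiteB", "Se1/0.20", "CE-B")}},
}


def lookup(table, dst):
    """Longest-prefix match of dst in an iterable of prefix strings, or None."""
    addr = ipaddress.IPv4Address(dst)
    matches = [p for p in table if addr in ipaddress.IPv4Network(p)]
    return max(matches, key=lambda p: ipaddress.IPv4Network(p).prefixlen, default=None)


def ingress_lookup(vrf, dst):
    """The only IP lookup on the path: done once, in the ingress PE's VRF FIB.
    Returns the label stack to impose, or None if the VRF has no route."""
    fib = ROUTERS["Ingress-PE"]["vrf_fib"][vrf]
    prefix = lookup(fib, dst)
    return list(fib[prefix]) if prefix else None


def forward(dst, labels, node="P1"):
    """Push a packet (IP destination + label stack) from the first P router onward.
    Returns (status, trace); status is 'DELIVERED:<CE>', 'BACKBONE:<prefix>' or
    'DROP:<reason>@<router>'."""
    labels = list(labels)
    trace = []
    while True:
        r = ROUTERS[node]
        if r["role"] == "p":
            if not labels:
                # An unlabeled packet gets a global IP lookup: P routers hold no
                # VPN routes, so a customer destination is simply dropped.
                prefix = lookup(GLOBAL_TABLE, dst)
                if prefix is None:
                    return f"DROP:no-route@{node}", trace
                return f"BACKBONE:{prefix}", trace
            entry = r["lfib"].get(labels[0])
            if entry is None:
                return f"DROP:unknown-label-{labels[0]}@{node}", trace
            action, out_label, nxt = entry
            trace.append(f"{node}: {action} {labels[0]}")
            labels = ([out_label] if action == "swap" else []) + labels[1:]
            node = nxt
        else:  # egress PE
            if not labels:
                # Plain IP arrived: nothing tells the PE which VRF to use.
                return f"DROP:unknown-vrf@{node}", trace
            entry = r["vpn_labels"].get(labels[0])
            if entry is None:
                return f"DROP:unknown-label-{labels[0]}@{node}", trace
            vrf, intf, ce = entry
            trace.append(f"{node}: VPN label {labels[0]} -> {vrf}/{intf}")
            return f"DELIVERED:{ce}", trace


def approach(n, dst="203.1.20.1"):
    """1 = pure IP (A1), 2 = LDP label only (A2), 3 = full label stack (A3)."""
    stack = ingress_lookup("SiteA", dst)
    labels = {1: [], 2: stack[:1], 3: stack}[n]
    return forward(dst, labels)
```

Running approach(1) drops at P1 (no VPN route in the global table), approach(2) drops at Egress-PE (the VRF cannot be determined from a plain IP packet), and only approach(3) is delivered: P1 swaps 17 for 18, P2 pops the LDP label, and Egress-PE resolves VPN label 38 to VRF SiteB and interface Se1/0.20.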

VPN Label Propagation
[Figure: MPLS VPN backbone with CE routers, ingress PE router, two P routers and egress PE router]
Q: How will the ingress PE router get the second label in the label stack from the egress PE router?
A: Labels are propagated in MP-BGP VPNv4 routing updates.

VPN Label Propagation
[Figure: MPLS VPN backbone with CE routers, ingress PE router, two P routers and egress PE router]
Step #1: A VPN label is assigned to every VPN route by the egress PE router.

    Egress-PE#show tag-switching forwarding vrf SiteA2
    Local  Outgoing    Prefix             Bytes tag  Outgoing   Next Hop
    tag    tag or VC   or Tunnel Id       switched   interface
    26     Aggregate   150.1.31.36/30[V]  0
    37     Untagged    203.1.2.1/32[V]    0          Se1/0.20   point2point
    38     Untagged    203.1.20.0/24[V]   0          Se1/0.20   point2point

VPN Label Propagation
[Figure: MPLS VPN backbone with CE routers, ingress PE router, two P routers and egress PE router]
Step #2: The VPN label is advertised to all other PE routers in an MP-BGP update.

    Ingress-PE#show ip bgp vpnv4 all tags
       Network          Next Hop      In tag/Out tag
    Route Distinguisher: 100:1 (vrf1)
       12.0.0.0         10.20.0.60    26/notag
                        10.20.0.60    26/notag
       203.1.20.0       10.15.0.15    notag/38

VPN Label Propagation
[Figure: MPLS VPN backbone with CE routers, ingress PE router, two P routers and egress PE router]
Step #3: A label stack is built in the VRF table.

    Ingress-PE#show ip cef vrf Vrf1 203.1.20.0 detail
    203.1.20.0/24, version 57, cached adjacency to Serial1/0.2
    0 packets, 0 bytes
      tag information set
        local tag: VPN-route-head
        fast tag rewrite with Se1/0.2, point2point, tags imposed: {26 38}
      via 192.168.3.103, 0 dependencies, recursive
        next hop 192.168.3.10, Serial1/0.2 via 192.168.3.103/32
        valid cached adjacency
        tag rewrite with Se1/0.2, point2point, tags imposed: {26 38}

Effects of MPLS VPN Label Propagation
• The VPN label must be assigned by the BGP next hop.
• The BGP next hop should not be changed in the MP-IBGP update propagation.
  - Do not use next-hop-self on confederation boundaries.
• The PE router must be the BGP next hop.
  - Use next-hop-self on the PE router.
• The label must be reoriginated if the next hop is changed.
  - A new label is assigned every time the MP-BGP update crosses the AS boundary where the next hop is changed.
  - This functionality is supported by Cisco IOS

Effects of MPLS VPN Packet Forwarding
• The VPN label is understood only by the egress PE router.
• An end-to-end LSP tunnel is required between the ingress and egress PE routers.
• BGP next hops must not be announced as BGP routes.
• LDP labels are not assigned to BGP routes.
• BGP next hops announced in IGP must not be summarized in the core network.

VPN Packet Forwarding with Summarization in the Core
[Figure: ingress PE router, two P routers and egress PE router; the label stack {LDP label, VPN label} leaves the ingress PE router, the first P router pops the LDP label, and the second P router receives a packet carrying only the VPN label (V)]
• P router summarizes PE loopback
• Penultimate hop popping is requested through LDP
• PE router builds a label stack and forwards labeled packet toward egress PE router
• P router performs penultimate hop popping
• P router is faced with a VPN label it does not understand
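The following is an added example, not code from the Cisco courseware, that walks through the three label-propagation steps (egress PE assigns a VPN label per VRF route, advertises it in an MP-BGP update with itself as BGP next hop, and the ingress PE builds the stack from the LDP label for that next hop plus the VPN label) and adds the check behind the two "Effects" slides and the summarization slide: the ingress PE only has an end-to-end LSP to the PE that assigned the VPN label if its LDP binding for the BGP next hop is a host (/32) route, not a summary. Router names, loopbacks, prefixes and label values are constructed to mirror the slide output (VPN label 38 for 203.1.20.0/24, LDP label 26 for next hop 10.15.0.15).

```python
import ipaddress


class EgressPE:
    """Step 1: the egress PE router assigns a VPN label to every route in each VRF."""

    def __init__(self, loopback, first_label=37):
        self.loopback = loopback          # BGP next hop announced in MP-BGP (next-hop-self)
        self.next_label = first_label     # constructed: labels handed out sequentially
        self.vpn_lfib = {}                # VPN label -> (vrf, prefix, outgoing interface)

    def add_vrf_route(self, vrf, rd, prefix, out_interface, rts):
        label = self.next_label
        self.next_label += 1
        self.vpn_lfib[label] = (vrf, prefix, out_interface)
        # Step 2: the MP-BGP update carries RD + prefix, the VPN label, the RTs
        # and this PE's own loopback as the BGP next hop.
        return {"rd": rd, "prefix": prefix, "label": label,
                "next_hop": self.loopback, "ext_comms": list(rts)}


def resolve_next_hop(next_hop, ldp_bindings):
    """Longest match of the BGP next hop in the LDP bindings {prefix: outgoing label}.
    Returns (network, label) or None when no binding covers the next hop."""
    addr = ipaddress.IPv4Address(next_hop)
    best = None
    for prefix, label in ldp_bindings.items():
        net = ipaddress.IPv4Network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, label)
    return best


def build_label_stack(update, ldp_bindings):
    """Step 3: the ingress PE builds {LDP label for the BGP next hop, VPN label}.
    Returns (status, stack). The LSP must end exactly at the PE router that
    assigned the VPN label, so only a /32 binding for the next hop is accepted."""
    match = resolve_next_hop(update["next_hop"], ldp_bindings)
    if match is None:
        # No LDP label for the next hop (for example, it was learned as a BGP route).
        return "no-lsp", None
    net, outer = match
    if net.prefixlen != 32:
        # The LSP ends at the router that originated the summary; after penultimate
        # hop popping that P router is faced with the VPN label it cannot interpret.
        return f"summarized-by-{net}", None
    return "ok", [outer, update["label"]]


def demo():
    """Constructed run: two VRF routes on the egress PE, then the ingress PE
    resolves the same update against a clean core and a summarizing core."""
    egress = EgressPE("10.15.0.15")
    egress.add_vrf_route("SiteA2", "100:1", "203.1.2.1/32", "Se1/0.20", ["RT:100:1"])    # label 37
    upd = egress.add_vrf_route("SiteA2", "100:1", "203.1.20.0/24", "Se1/0.20", ["RT:100:1"])  # label 38
    clean_core = {"10.15.0.15/32": 26, "10.20.0.60/32": 27}        # PE loopbacks as host routes
    summarized_core = {"10.15.0.0/16": 26, "10.20.0.60/32": 27}    # core summarizes 10.15.0.15
    bgp_learned_nexthop = {"next_hop": "172.16.9.9", "label": 38}  # next hop with no LDP binding
    return (upd["label"],
            build_label_stack(upd, clean_core),
            build_label_stack(upd, summarized_core),
            build_label_stack(bgp_learned_nexthop, clean_core))
```

With host routes in the core the ingress PE imposes {26 38}, matching the "tags imposed" line on the Step #3 slide; with the loopback summarized the function refuses to build the stack, which is the condition the summarization slide illustrates, and a next hop without any LDP binding (a BGP-learned next hop) yields no LSP at all.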

Summary
After completing this section, you should be able to perform the following tasks:
• Describe the MPLS VPN forwarding mechanisms
• Describe the VPN and backbone label propagation
• Explain the need for end-to-end LSP between PE routers
• Explain the implications of BGP next-hop on MPLS VPN forwarding

Review Questions
• How are VPN packets propagated across the MPLS VPN backbone?
• How can P-routers forward VPN packets if they don't have VPN routes?
• How is the VPN label propagated between PE-routers?
• Which router assigns the VPN label?
• How is the VPN label used on other PE-routers?
• What is the impact of changing the BGP next-hop on an MP-BGP update?
• How are MP-BGP updates propagated across an AS boundary?
• What is the impact of BGP next-hop summarization in the network core?

Summary
After completing this lesson, you should be able to perform the following tasks:
• Identify major Virtual Private Network topologies, their characteristics and usage scenarios
• Describe the differences between overlay VPN and peer-to-peer VPN
• List major technologies supporting overlay VPNs and peer-to-peer VPNs
• Position MPLS VPN in comparison with other peer-to-peer VPN implementations
• Describe major architectural blocks of MPLS VPN
• Describe MPLS VPN routing model and packet

