Scribd Logo
Upload

Welcome to Scribd!

  • 264 views

    MPLS VPN

    Uploaded by

    Janek Podwala
    The document provides an overview of MPLS/BGP Virtual Private Networks (VPNs) and summarizes key VPN architectures including L2VPN pseudowires, Virtual Private LAN Services (VPLS), and L3VPN. It also describes fundamental VPN concepts such as route distinguishers, virtual routing and forwarding instances (VRFs), and route targets that are used to construct provider-based MPLS/BGP VPNs.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PDF, TXT or read online from Scribd

    MPLS VPN

    Uploaded by

    Janek Podwala
    264 views51 pages
    The document provides an overview of MPLS/BGP Virtual Private Networks (VPNs) and summarizes key VPN architectures including L2VPN pseudowires, Virtual Private LAN Services (VPLS), and L3VPN. It also describes fundamental VPN concepts such as route distinguishers, virtual routing and forwarding instances (VRFs), and route targets that are used to construct provider-based MPLS/BGP VPNs.

    Original Description:

    mpls vpn

    Original Title

    MPLS_VPN

    Copyright

    © Attribution Non-Commercial (BY-NC)

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    The document provides an overview of MPLS/BGP Virtual Private Networks (VPNs) and summarizes key VPN architectures including L2VPN pseudowires, Virtual Private LAN Services (VPLS), and L3VPN. It also describes fundamental VPN concepts such as route distinguishers, virtual routing and forwarding instances (VRFs), and route targets that are used to construct provider-based MPLS/BGP VPNs.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PDF, TXT or read online from Scribd
    Download as pdf or txt
    264 views51 pages

    MPLS VPN

    Uploaded by

    Janek Podwala
    The document provides an overview of MPLS/BGP Virtual Private Networks (VPNs) and summarizes key VPN architectures including L2VPN pseudowires, Virtual Private LAN Services (VPLS), and L3VPN. It also describes fundamental VPN concepts such as route distinguishers, virtual routing and forwarding instances (VRFs), and route targets that are used to construct provider-based MPLS/BGP VPNs.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PDF, TXT or read online from Scribd
    Download as pdf or txt
    of 51

    DD2491 p2 2011

    MPLS/BGP VPNs

    Olof Hagsand KTH CSC

    Literature
    Practical BGP: Chapter 10
    MPLS repetition,
    see for example http://www.csc.kth.se/utbildning/kth/kurser/DD2490/ipro111/lectures/MPLS.pdf

    Reference:
    JunOS Cookbook: Chapter 14 and 15
    Junos software 10.1 VPNs Configuration Guide
    draft-kompella-ppvpn-l2vpn-03.txt, Layer 2 VPN Over Tunnels

    RFC 4364 bis (L3VPN)

    Motivation to VPN
    Companies and organizations wish to connect their local
    offices, collect data in an isolated network, or have personel
    working from their home or while travelling.
    Leased lines are expensive, it makes sense to use IP and
    the Internet.
    The motivation for VPNs is therefore primary economical

    VPN simple architecture


    Connect hosts to central server/LAN.

    Main
    LAN

    IP-network

    Point-to-point
    tunnels

    Generic VPN Architecture


    LAN

    LAN

    IP network

    Connect several LAN islands.

    LAN
    5

    Addressing and Security


    Public IP networks are public and have only one
    address domain.
    You may want to separate your private traffic from
    the global traffic (addressing)
    You may want to secure your traffic (encryption,
    authentication)
    Provider-based VPNs (peer)
    You trust your provider
    Guarantee resources
    Provider adds service more costly
    One provider / set of providers only

    Customer-based VPNs (overlay)


    Do it yourself using IPSEC tunneling
    Cheap solution
    Best effort
    Internet
    6

    Provider-based VPNs using MPLS & BGP


    There are several related variants including
    L2VPN pseudowires
    VPLS dynamic L2VPN
    L3VPN RFC 4364
    These solutions all use multiprotocol BGP, VRF (Virtual Routing and
    Forwarding), relays data with MPLS and have a BGP-free core.
    In fact, when you have set up your MPLS+BGP core network, you can
    mix these VPNs. You can therefore re-use your infra-structure.
    If you use RSVP you can also make traffic-engineering.
    There is no 'security' in Provider-based VPNs.

    Provider-based VPNs
    CE - Customer Edge
    PE - Provider Edge (BGP)
    P - Provider (no BGP)

    More than one customer: red and


    blue
    More than two sites per customer
    CE is either router or L2 device
    CE

    CE
    PE
    PE

    CE

    P
    P
    CE

    CE
    PE

    PE

    L2VPN Pseudowires
    (customer view)

    Provider network acts as a set of wires.


    Learning and spanning tree can be made
    by attaching learning bridges as CE:s to
    create a large LAN
    Note: several circuits per site
    (You need VLANs)

    L2VPN Pseduowires
    (customer view)

    Alternatively, routers can communicate


    back-to-back over an L2VPN
    (This is what we do in the lab.)

    10

    VPLS (Customer view)


    Provider network acts as a
    distributed switch
    Provider network performs
    learning (and spaning-tree)

    VPLS is dynamic
    L2VPN is static
    Note: only one circuit per site

    11

    L3VPN (Customer view)


    192.16.100.0/24

    Provider network acts as a distributed router.


    Customers must configure routing towards the provider,
    and LANs are separate IP subnetworks.

    AS 65100
    10.2.1.0/24

    10.1.1.0/24

    12

    L2VPN pseudo-wire
    Static, multipoint overlay solution
    Setup point-to-point L2 connections between every site in
    the VPN
    Pseudo-wires

    L2 frames are encapsulated using IP and MPLS


    Requires homogenous link-layers (a wire) but can
    transform between some link-layers
    BGP is used as a signalling protocol to setup VPN
    connections between customer sites.
    RSVP (or LDP) is used to setup the MPLS paths
    MPLS multistacking is used to keep provider's network free
    of customer routing information
    Encryption by other means, security by trusting the
    provider

    13

    L2VPN provider view


    Access circuits between CE/PE, typically VLAN tagged
    MPLS LSPs between PEs using RSVP
    BGP signals L2 circuits between sites
    CE
    Site 1

    CE

    Site 2

    PE

    P
    P

    PE
    PE

    pseudo-wires full
    mesh

    Site 3
    CE

    14

    Virtual Private LAN Services (VPLS)


    Dynamic, multipoint peer solution
    Backbone over IP
    Interconnects a switched L2 network
    MPLS is used together with BGP to create pseudo-wires
    between the LAN islands.
    The PE:s dynamically establish pseudo-wires
    Bridging (learning)
    Spanning-Tree
    The PE:s actively chooses which pseudo-wire to send each frame
    on

    MP-BGP is used for distributing mac adress learning


    Disadvantage (similar to L3VPN)
    Provider imports MAC learning tables into network

    15

    VPLS provider view


    PE:s establish and switches frames on pseudo-wires

    Site 1

    Site 2

    PE

    P
    P

    PE
    PE

    pseudo-wires full
    mesh

    Site 3

    16

    CE-PE issues
    Since CE-PE communication needs to distinguish between
    different circuits, it is common to use virtual connections, as
    CE-PE circuits, such as VLANs. You assign one VLAN per
    wire.
    There are many link-layers. You need to configure which
    encapsulation you use. We use 'ethernet-vlan', but it is
    possible to use other encapsulation types and translate
    between them using 'translational cross-connects'
    VPLS does not need VLANs, since only one connection is
    required, but there are still encapsulation issues

    17

    L2VPN CE-PE configuration


    CE side:
    fe-1/0/0 {
    vlan-tagging;
    unit 512 {
    Vlan-id 512; # vid and unit need not match
    family inet {
    address 10.10.11.1/30;
    }
    }
    }
    PE side: no IP address, configure encapsulation vlan-ccc

    18

    Constructing VPNs
    Before we go into details about configuring L2VPN, you
    need to understand some intrinsics about how VPNs are
    constructed.
    You need to understand:
    Route distinguisher
    VRFs
    Route targets

    These are fundamental in all MPLS/BGP VPNs


    But these are most easily understood using L3VPN but are
    used in all VPNs

    19

    L3VPN
    L3VPN is a peer-type and dynamic VPN using BGP and MPLS
    It connects IP-subnetworks belonging to the same private network.
    Each customer may use the same adress space, such as 1918 addresses
    Each customer site is modelled as a separate AS customer interior
    routing runs independently at each site
    An address conversion scheme makes each customer VPN route unique
    within the provider's network
    Multiple routing and forwarding tables are supported on each PE
    separating different customer routing information
    BGP is used as a signalling protocol to setup VPN connections between
    customer sites.
    RSVP (or LDP) is used to setup the MPLS paths
    MPLS multistacking is used to keep provider's network free of customer
    routing information
    Disadvantage: Provider imports customer routing tables
    Encryption by other means, security by trusting the provider

    20

    L3VPN example

    CE
    192.16.100.0/24

    192.16.100.0/24

    CE
    PE
    CE

    AS 65100

    PE
    10.2.1.0/24

    P
    P
    CE

    CE
    PE
    10.1.1.0/24

    PE
    10.1.1.0/24
    21

    CE to PE routing
    The local PE learns routes from the local customer CE
    Static routing, eBGP, RIP, or some other IGP
    Customer should be able to decide
    Often the customer wants a separate routing protocol for
    the CE-PE peering (eg. so OSPF link-state is not propagated
    to the provider)

    The PE router takes the routes and propagates them


    over the provider network to the remote PE:s
    The remote PE:s announce the client routes to matching
    remote CE sites
    The remote CE sites can then access the local CE

    22

    CE to PE routing (example)

    I
    192.16.100.0/24

    192.16.100.0/24

    H
    OSPF

    B
    static
    routing

    AS 65100

    (You can use


    different routing
    protocols)

    C
    F
    RIP
    eBGP

    G
    10.1.1.0/24

    E
    10.1.1.0/24
    23

    The Route Distinguisher

    24

    Overlapping addresses:
    Route Distinguisher
    How does a provider keep different client prefixes unique?
    Eg: Red and blue VPN both have 10.1.1.0/24
    A new address class is used, where a unique prefix is
    prepended to the VPN route
    This unique prefix is called a route distinguisher (RD)
    A new (L3VPN) route is written:
    <route distinguisher>::<IPv4addr>/<prefixlen>

    8 bytes

    Route Distinguisher

    4 bytes

    IPv4 address/site

    25

    Route Distinguisher format


    I T Type[Subtype]
    1 byte

    1 byte

    Data
    6-7 bytes

    The route distinguisher has the same format as the BGP


    extended community which is 8 bytes.
    Two variants Type 0 and Type 1
    Type 0
    Can be better to identify VPNs, or if many AS
    Type 1 used in the lab
    Easier to see the origin of the routes
    8 bytes

    4 bytes

    Route Distinguisher

    Type 0:

    2 bytes

    2 bytes

    4 bytes

    Type/Subtype

    AS#

    Number

    2 bytes

    Type 1:

    IPv4 address

    Type/Subtype

    4 bytes

    IP#

    IPv4 address
    2 bytes

    Number

    IPv4 address
    26

    Route distinguisher type 1


    Example
    192.30.200.3:1::192.16.100.0/24 announced by B

    You can see where the routes come from


    And you can see which VPN they belong to (1=blue, 2=red)

    I
    192.16.100.0/24

    192.16.100.0/24

    H
    B

    RD: 192.30.200.3:1

    RD: 192.30.200.4:2

    AS 65100

    D
    C
    F

    RD: 192.30.200.2:2

    G
    10.1.1.0/24

    RD: 192.30.200.1:1

    J
    10.1.1.0/24
    27

    Routing table example


    Example: Routing table in a PE router (prefix + nexthop)
    VPN-IPv4 address family (bgp.l3vpn in JunOS)

    192.30.200.3:1::192.168.100.0/24

    192.30.200.2:2::10.1.1.0/24

    192.30.200.1:1::10.1.1.0/24

    192.30.200.4:2::192.168.100.0/24

    IPv4 address family:

    192.30.200.3
    192.30.200.2
    192.30.200.1
    192.30.200.4

    28

    Operation
    A CE announces a prefix to a PE
    Eg 192.168.100.0/24 to B by H

    The PE prepends the route distinguisher and announces it to the other


    PE:s
    Eg 192.30.200.3:1::192.168.100.0/24

    The PEs receives the route, strips the route distinguisher and
    announces it to the local matching CE
    Eg 192.168.100.0/24 to J by E

    The CE network can reach 192.168.100.0/24


    See figure on next slide

    29

    Operation: announcing prefixes


    I
    192.16.100.0/24

    192.16.100.0/24

    H
    B

    RD: 192.30.200.3:1

    RD: 192.30.200.4:2

    AS 65100

    D
    C
    F

    RD: 192.30.200.2:2

    G
    10.1.1.0/24

    RD: 192.30.200.1:1

    J
    10.1.1.0/24

    30

    Virtual Routing and Forwarding

    31

    Virtual Routing and Forwarding - VRF


    A virtual router is a subset of a physical router.
    A virtual router has its own routing processes, routing tables,
    forwarding tables and its own interfaces,
    Typically interfaces of virtual routers are virtual (eg VLANs)
    The virtual routers are partitioned into several disjoint virtual
    routers.

    Virtual

    ...

    Physical

    32

    Routing instances in JunOS


    Routing Instance: main
    RIBs

    Routing Instance: other


    RIBs

    inet.0
    Routing protocol 3

    RIB
    inet.0

    IPv4 unicast routes

    inet6.0

    IPv6 unicast routes

    inet.1

    IPv4 multicast forwarding


    cache

    inet.2

    IPv4 multicast RPF table

    inet.3

    IPv4 routes learnt from MPLSTE path exploration

    bgp.l3vpn

    Example:
    main.inet.0
    __juniper_private1__.inet.0

    Logical routers, VPNs, virtual routers, etc, use


    routing instances.

    VPN-IPv4 routes

    mpls.0
    MPLS label-switch table

    33

    VRF in a PE
    Example: A router with two customers instances: VRF1 and VRF2.

    VRF table

    VRF1

    VRF1

    VRF_m
    ain

    VRF2

    VRF_m
    ain

    Local BGP table

    VRF2

    VRF table
    34

    Using MPLS and RSVP


    Establish LSP:s between border routers
    Use double stacking:

    outer tag: LSP PE<-->PE


    inner tag: VPN label

    Internal nodes (P-nodes) are only aware of outer tags (PE to PE)
    With RSVP you set up the outer tag

    and can also traffic engineer the LSP:s

    outer:
    LSP label

    inner:
    VPN label

    VRF1

    VRF1
    2

    23

    VRF_m
    ain

    VRF_m
    ain
    23

    VRF2

    VRF2
    35

    Route Target

    36

    VRF Importing and exporting


    You export and import routes between the VRF and the global routing
    domain by adding or stripping the route-distinguisher using export and
    import rules.
    The rules are expressed using route targets

    import

    192.168.100.0/24

    10.1.1.0/24
    192.168.100.0/24

    export

    RD: 192.30.200.3:1

    Local BGP Table:


    192.30.200.1:1::10.1.1.0/24
    192.30.200.3:1::192.168.100.0/24

    RD: 192.30.200.1:1

    10.1.1.0/24

    VRF:

    37

    Route target
    The purpose of the route target (RT) extended community is
    to tag the VPN-IPv4 routes with VPN information
    Rules are then based on route targets
    The route target has the same format as the routedistinguisher
    AS#:number (type 0) Used in lab
    IP#:number (type 1)

    The route target is used to color the routes


    In our example red and blue

    Example:
    RT 65100:100 - blue VPN
    RT 65100:3 - red VPN

    Typically, every VRF has a set of import and export rules


    Every export rule corresponds to tagging the announced VPNIPv4 route with a route target attribute
    Every import rule corresponds to matching targets with
    incoming route target attributes
    38

    Route target example: full mesh

    Tag the routes when exporting to BGP


    Import routes matching the target community
    Full mesh is default policy and can be accomplished in JunOS simply with
    set vrf-target target:<route target>

    I
    192.16.100.0/24

    192.16.100.0/24

    H
    B

    RD: 192.30.200.3:1
    import: 65100:100
    export: 65100:100

    RD: 192.30.200.4:2
    import: 65100:3
    export: 65100:3

    AS 65100

    D
    C
    F

    RD: 192.30.200.2:2
    import: 65100:3
    export: 65100:3

    10.1.1.0/24

    RD: 192.30.200.1:1
    import: 65100:100
    export: 65100:100

    E
    J

    10.1.1.0/24
    39

    Extranet
    The Extranet is defined between the upper two customer sites
    Note that the prefixes have been changed to be unique
    And the route targets are unique per PE

    I
    192.16.101.0/24

    192.16.102.0/24

    H
    B

    RD: 192.30.200.3:1
    import: 65100:12
    65100:21
    export: 65100:22

    AS 65100

    D
    C

    RD: 192.30.200.4:2
    import: 65100:11
    65100:22
    export: 65100:12

    F
    RD: 192.30.200.2:2
    import: 65100:12
    export: 65100:11

    RD: 192.30.200.1:1
    import: 65100:22
    export: 65100:21

    10.1.1.0/24

    10.1.1.0/24

    J
    40

    Hub-and-spoke VPN
    All traffic passes via a HUB
    Filtering / security purposes
    Note the two peerings at A
    I
    10.1.3.0/24

    10.1.4.0/24

    H
    B

    RD: 192.30.200.3:1
    import: 65100:200
    export: 65100:100

    AS 65100

    RD: 192.30.200.4:2
    import: 65100:200
    export: 65100:100

    C
    RD: 192.30.200.2:2
    export: 65100:200

    F
    A

    RD: 192.30.200.1:1
    import: 65100:200
    export: 65100:100

    import: 65100:100
    Filtering

    10.1.1.0/24

    iBGP

    J
    41

    L2VPN and L3VPN lab


    1)Build an MPLS backbone
    2)Configure L2VPN
    3)Configure L3VPN

    42

    MPLS backbone
    Backbone

    RTC1

    RTB3

    RTB4

    RTC2

    RTB1

    RTB2

    RTC3

    RTC4

    43

    L2VPN setup
    10.1.3.0/30
    VLANID: 514

    Provider Edge (PE)

    10.1.2.0/30
    10.1.1.0/30
    VLANID: 512 VLANID: 513

    .1 .2

    .1 .1

    .2

    .2
    Customer Edge (CE)

    RTD2

    RTA2

    RTE2

    44

    L2VPN configuration example


    routing-instances {
    L2VPN {
    description "experimental L2VPN";
    instance-type l2vpn;
    interface fe-0/0/0.512;
    route-distinguisher 192.168.4.2:10;
    vrf-target target:65000:10;
    protocols {
    l2vpn {
    encapsulation-type ethernet-vlan;
    no-control-word;
    site RED {
    site-identifier 1;
    interface fe-0/0/0.512 {
    remote-site-id 2;
    }
    }
    }
    }
    }
    }

    45

    L2VPN Junos show commands


    show
    show
    show
    show
    show
    show

    l2vpn connections [extensive]


    route protocol l2vpn
    route protocol bgp
    mpls lsp
    bgp summary
    route

    193.10.255.5:10:1:1/96

    *[L2VPN/170/101]02:45:38,metric21
    Indirect
    193.10.255.6:10:2:1/96
    *[BGP/170]01:36:41,localpref100,from193.10.255.6
    ASpath:I
    >viaso0/1/0.0,labelswitchedpathbtoc
    193.10.255.13:10:3:1/96
    *[BGP/170]01:38:11,localpref100,from193.10.255.13
    ASpath:I
    >viaso0/1/0.0,labelswitchedpathbtod
    46

    Configuring L2VPN
    Setup the backbone: ISIS, MPLS, RSVP, IBGP
    Enable 'l2vpn signaling' as bgp protocol family

    Setup CE-PE circuits (VLANs)


    Use Ethernet interface with units > 0
    Use VIDs>=512 (or use 'flexible' services)
    Set RFC1918 addresses on the VLANs

    Setup an l2vpn routing instance:


    Set route distinguisher
    <PE loopback>:<vpnid>

    Setup sites and setup LSPs by connecting remote sites


    Bind vlans to remote sites using vlanids

    Setup encapsulation
    'ethernet-vlan'

    Set no-control-word (used for other link-layers)


    Setup vpn import/export rules
    use vrf-target

    L2VPN routes:
    <RD>:<site>:1/96
    Example: 193.10.255.5:10:3:1/96
    47

    VPLS configuration example


    routing-instances {
    VPLS {
    instance-type vpls;
    interface ge-3/0/1.512;
    route-distinguisher 192.168.4.2:10;
    vrf-target target:65000:10;
    protocols {
    vpls {
    no-tunnel-services;
    site RTA {
    site-identifier 1;
    }
    }
    }
    }
    }

    48

    L3VPN setup
    Provider Edge (PE)
    .1
    10.1.2.0/30

    .1
    10.1.1.0/30

    .2

    .2

    .1
    10.1.3.0/30

    .2
    Customer Edge (CE)

    RTD3

    RTA3

    RTE3

    49

    L3VPN configuration example


    protocols {
    bgp {
    local-address 192.30.200.3;
    group internal {
    type internal;
    family inet-vpn unicast;
    neighbor 192.30.200.1;
    }
    }
    }
    routing-instances {
    VRF1_BLUE {
    instance-type vrf;
    interface fe-0/0/0.0;
    route-distinguisher 192.30.200.3:1;
    vrf-target target:65100:100;
    vrf-table-label;
    protocols {
    bgp {
    group siteB {
    type external;
    peer-as 1;
    neighbor 192.16.100.1; # H
    }
    }
    }
    }
    50

    LAB overview
    Backbone

    RTB3

    RTB4

    RTC1

    RTC2
    RTC2

    RTC2

    RTE4
    L3VPN #4

    L1VPN #1

    RTE2 RTE3
    L3VPN #3

    RTE1

    L2VPN #2

    RTA4
    L3VPN #4

    RTA2 RTA3
    L3VPN #3

    RTA1

    RTB2

    L2VPN #2

    L3VPN #3

    L2VPN #2

    L2VPN #1

    RTD4

    L2VPN #1

    RTD2 RTD3

    L3VPN #4

    RTD1

    RTB1

    51

    You might also like