MPLS Part 2 MPLS -VPN

CIS 186 ISCW Rick Graziani Fall 2007

MPLS VPN Architecture

To understand MPLS-VPN it is important to understand the problem.

2

Rick Graziani [email protected]

VPN Architecture

MPLS VPNs are a Layer 3 WAN solution to an age-old Layer 2 WAN

problem. To provide any-to-any connectivity among sites in a cost efficient manner. With MPLS you can have a Layer 3 fully meshed network. More flexibility in architecting WAN solutions.

Rick Graziani [email protected]

VPN Architecture

VPN makes us think privacy and security.

Most people think IPsec VPN has a wide reaching term. VPNs allow the use of a shared infrastructure offered by a serve provider to implement private networks. Degree of security is subjective up to negotiation. Does not necessary mean confidentiality and/or integrity. Note: Best practice is to include IPsec over an MPLS VPN network, but this is not required to have an MPLS VPN network.
4

Rick Graziani [email protected]

VPN Taxonomy

Overlay VPNsService providers provide virtual point-to-point links. Peer-to-peer VPNsService providers participate in the customer
routing.
Rick Graziani [email protected] 5

Traditional or Overlay VPNs

Traditional or Overlay VPN

The WAN solution for several decades Based on a Layer 2 overlay model Service provider sells permanent virtual circuits (PVC) or switched virtual circuits (SVC)
Rick Graziani [email protected] 6

Layer 1 Overlay

Layer 1 VPN Sold by service providers in the form of Layer 1 circuits

ISDN Digital Service hierarchy (DS0, DS1, etc.) SONET (Synchronous Optical Network)
Rick Graziani [email protected] 7

Layer 2 Overlay

Layer 2 VPN Most IT people think of traditional WAN service

X.25 Frame Relay ATM Leaves higher-level services to the customers discretion Hub-and-spoke topology is common Routing updates sent over VCs Disadvantage: Hub is a single point of failure, using dial backup
8

Rick Graziani [email protected]

Layer 3 Overlay VPNs

Router A

Router B

Router C

Router D

Traditional WAN connectivity entails the configuration of Layer 3

manually to send routing information over WAN circuits. No real Layer 3 capability to adapt to changes. Each circuit is still a point-to-point connection. While Layer 3 protocols may flow across the links, the links are not Layer 3 aware.
9

Rick Graziani [email protected]

Peer-to-Peer VPNs

Service provider takes a more active role in routing operations of its

customer base. SP maintains customer routing information in separate routing instance within its network. The CE router exchanges routing information, not with the far-end CE router, but the local PE router.

Rick Graziani [email protected]

10

Peer-to-Peer VPNs

Peer-to-peer VPN mean the connection to and sharing of routing

information with the SP facilities. Allows the WAN to be Layer 3 aware rather than just a Layer 3 transport. The next-hop addresses are those of the PE router. Once the routes are learned by the PE, they are redistributed into the providers BGP table.

Rick Graziani [email protected]

11

Peer-to-Peer VPNs

Although the local loop has not changed, the essence of the network
has. The provider is now part of the customer routing infrastructure. The network is more flexible and resilient because it is an extension of the customers routing infrastructure. Each customers routing information is kept securely separate from every other customers routing information.
12

Rick Graziani [email protected]

VPN Drawbacks

Chief benefit is also greatest drawback provider is involved in

customer routing process. Customer must place additional trust in the SP to properly configure and maintain their routing infrastructure. True Redundancy: At critical sites with redundant routers care should be taken to ensure that both circuits do not end up on the same PE router. No routing loops: Also, necessary to ensure that routes advertised via one circuit are not redistributed out to the PE and then back in via the redundant circuit to the CE.
13

Rick Graziani [email protected]

MPLS VPN Terminology

C Network The customer-controlled network. CE Router The customer edge router (aka CPE), which connects to
a PE router. P network The service provider-controlled network comprised of core routers providing transport across the provider backbone but carrying no customer routing information. P router A service provider MPLS core or backbone router with no customer-facing interfaces and carrying no VPN routes. PE router A provider edge MPLS router containing customer-facing interface(s) and connecting to CE router(s) for the purpose of customer routing information exchange. Label-Switched Path (LSP) The pathway established for use by a label-switched packet through a P network in transit to a particular destination.

Rick Graziani [email protected]

14

MPLS VPN Terminology

Penultimate hop pop (PHP) The final P router in the P network
pops the label prior to the arrival at the egress PE router. Route distinguisher (RD) A 64 bit identifier prepended to an IPv4 address to make it a globally unique VPNv4 address. Route target (RT) An atribute appended to a VPNv4 BGP route to indicate VPN membership. Virtual routing and forwarding (VRF) table A customer specific routing table instance.

Rick Graziani [email protected]

15

CE Router Architecture

CE router is a router.
Runs an IGP (OSPF, EIGRP, IS-IS, etc.) Not MPLS aware Does not participate in MPLS

Rick Graziani [email protected]

16

PE Router

PE router
Similar to a typical PoP Relatively high end router (Cisco 7200VXR) Each customer is assigned its own RD and VRF table dedicated to maintaining routing information Routing across backbone is performed by another routing process using a global IP routing table. Single router but runs multiple instances of a routing protocol (IGP) one for each customer. Multiple instances of IGP are redistributed into global routing table.
Rick Graziani [email protected] 17

PE Router

Virtual routing and forwarding (VRF) table A customer specific

routing table instance. Provides isolation between customer routers. Information from VRF still exchanged between PE routers. A routing protocol is needed that will allow the transport of all customer routes across the P network while allowing the continued independence of each customers address space. (MP-BGP)
Rick Graziani [email protected] 18

PE Router

A single routing protocol is used between PE routers to exchange

customer routes without the involvement of the P routers. (MP-BGP and BGP) The PE routers that connect to a given customer network will be peered to each other and routes will be exchanged. This means the number of routing protocols between PE routers need not increase in proportion to the number of customers served. This also keeps the customer routes of the P routers. They only need to know about routing within the provider network
19

Rick Graziani [email protected]

PE Router

BGP the only real protocol of choice for the provider - scalability. Very large routing tables
Number of prefixes advertised by each customer P network routes BGP neighbor relationships are configured between PE routers directly so that prefixes can be exchanged for a given customer. The global IP routing table in the P network need not actually carry any of the actual customer routes.
20

Rick Graziani [email protected]

P Router

P Router
Do not carry VPN routes Provide transport for traffic between PEs Run IGP Carry only P network routing information in their routing tables Interface with PE routers to facilitate the transport of BGP peering information to remote PE routers. Participate in LDP
Rick Graziani [email protected] 21

MPLS-VPN Technology MPLS VPN Connection Model

P PE VPN Backbone IGP P P P PE

MP-iBGP Session

PE Routers Edge routers Use MPLS with P routers Uses IP with CE routers Connects to both CE and P routers Distribute VPN information through MP-BGP to other PE router with VPN-IPv4 addresses, extended community, label

P Routers

P routers are in the core of the MPLS cloud P routers do not need to run BGP and doesnt need to have any VPN knowledge Forward packets by looking at labels P and PE routers share a common IGP
22

Rick Graziani [email protected]

MPLS-VPN Technology Separate Routing Tables at PE

VPN 2

CE PE

EBGP, OSPF, RIPv2, Static CE VPN 1

MPLS Backbone IGP (OSPF, ISIS)

VRF Routing Table Routing (RIB) and forwarding table (CEF) associated with one or more directly connected sites (CEs) The routes the PE receives from CE routers are installed in the appropriate VRF routing table(s)

The Global Routing Table Populated by the IGP within MPLS backbone

blue VRF routing table or green VRF routing table

Rick Graziani [email protected] 23

MPLS-VPN Technology Virtual Routing and Forwarding Instance (1)

VPN 2 CE VRF Green PE EBGP, OSPF, RIPv2, Static CE VPN 1 VRF Blue

MPLS Backbone IGP (OSPF, ISIS)

Whats a VRF ? Associates to one or more interfaces on PE

Privatize an interface i.e., coloring of the interface

Has its own routing table and forwarding table (CEF) VRF has its own instance for the routing protocol
(static, RIP, BGP, EIGRP, OSPF)

CE router runs standard routing software

Rick Graziani [email protected]

24

MPLS-VPN Technology Virtual Routing and Forwarding Instance (2)

CE VPN 2 PE EBGP, OSPF, RIPv2, Static CE MPLS Backbone IGP (OSPF, ISIS)

VPN 1

PE installs the routes, learned from CE routers,

in the appropriate VRF routing table(s) PE installs the IGP (backbone) routes in the global routing table VPN customers can use overlapping IP addresses

Rick Graziani [email protected]

25

Propagation of Routing Information Across the P-Network

Question:

How will PE routers exchange customer routing information?

Rick Graziani [email protected]

26

Propagation of Routing Information Across the P-Network

Question:

How will PE routers exchange customer routing information?

Answer #1: Run a dedicated Interior Gateway Protocol (IGP) for each customer across the P-network.

Rick Graziani [email protected]

27

Propagation of Routing Information Across the P-Network

Question:

How will PE routers exchange customer routing information?

Answer #1: Run a dedicated Interior Gateway Protocol (IGP) for each customer across the P-network.
This is the wrong answer for the following reasons: The solution does not scale. P routers carry all customer routes.
Rick Graziani [email protected] 28

Propagation of Routing Information Across the P-Network (Cont.)

Question:

How will PE routers exchange customer routing information?

Rick Graziani [email protected]

29

Propagation of Routing Information Across the P-Network (Cont.)

Question:

How will PE routers exchange customer routing information?

Answer #2: Run a single routing protocol that will carry all customer routes inside the provider backbone.

Rick Graziani [email protected]

30

Propagation of Routing Information Across the P-Network (Cont.)

Question:

How will PE routers exchange customer routing information?

Answer #2: Run a single routing protocol that will carry all customer routes inside the provider backbone.
Better answer, but still not good enough: P routers carry all customer routes.
Rick Graziani [email protected] 31

Propagation of Routing Information Across the P-Network (Cont.)

Question:

How will PE routers exchange customer routing information?

Rick Graziani [email protected]

32

Propagation of Routing Information Across the P-Network (Cont.)

Question: How will PE routers exchange customer routing information? Answer #3: Run a single routing protocol that will carry all customer routes
between PE routers. Use MPLS labels to exchange packets between PE routers.

Rick Graziani [email protected]

33

Propagation of Routing Information Across the P-Network (Cont.)

Question: How will PE routers exchange customer routing information? Answer #3: Run a single routing protocol that will carry all customer routes
between PE routers. Use MPLS labels to exchange packets between PE routers. The best answer:

P routers do not carry customer routes; the solution is scalable.

Rick Graziani [email protected] 34

Propagation Routing Information Across the P-Network (Cont.)

Question: Which protocol can be used to carry customer routes between PE routers?

Rick Graziani [email protected]

35

Propagation Routing Information Across the P-Network (Cont.)

Question: Which protocol can be used to carry customer routes between PE routers? Answer: The number of customer routes can be very large. BGP is the only routing protocol that can scale to a very large number of routes.

Rick Graziani [email protected]

36

Propagation Routing Information Across the P-Network (Cont.)

Question: Which protocol can be used to carry customer routes between PE routers? Answer: The number of customer routes can be very large. BGP is the only routing protocol that can scale to a very large number of routes.

Conclusion: BGP is used to exchange customer routes directly between PE routers.

Rick Graziani [email protected] 37

Propagation of Routing Information Across the P-Network (Cont.)

Question: How will information about the overlapping subnets of two customers be propagated via a single routing protocol?

Rick Graziani [email protected]

38

Propagation of Routing Information Across the P-Network (Cont.)

Question: How will information about the overlapping subnets of two customers be propagated via a single routing protocol? Answer: Extend the customer addresses to make them unique.

Rick Graziani [email protected]

39

Route Distinguishers

The 64-bit route distinguisher (RD) is prepended (front) to an IPv4

address to make it globally unique. Allows for multiple customers (if not all) to use RFC 1918 addresses. The resulting address is a VPNv4 address. VPNv4 addresses are exchanged between PE routers via BGP. BGP that supports address families other than IPv4 addresses is called Multiprotocol BGP (MP-BGP). Creates a 96 bit address
40

Rick Graziani [email protected]

MPLS-VPN Technology: Control Plane

Lets Discuss: Route Distinguisher (RD); VPNv4 route Route Target (RT) Label
Rick Graziani [email protected] 41

MPLS VPN Control Plane MP-BGP Update Components: VPNv4 Address

To convert an IPv4 address into a VPNv4 address,

RD is appended to the IPv4 address i.e. 1:1:10.1.1.0 Makes the customers IPv4 route globally unique

Each VRF must be configured with an RD at the PE

RD is what that defines the VRF

Although not necessary, having the same RD throughout a VPN is

better for operational efficiency.
Rick Graziani [email protected] 42

MPLS VPN Control Plane MP-BGP Update Components: Route-Target

Route-target (RT): Identifies the VRF for the received VPNv4 prefix. It
is an 8-byte extended community (a BGP attribute) Each VRF is configured with RT(s) at the PE RT helps to color the prefix

Rick Graziani [email protected]

43

MPLS VPN Control Plane:

Putting It All Together
Site 1
10.1.1.0/24

3
CE1 PE1

MP-iBGP Update: RD:10.1.1.0 Next-Hop=PE-1 RT=Green, Label=100

Site 2 CE2

10.1.1.0/24 Next-Hop=CE-1

PE2

MPLS Backbone

1. PE1 receives an IPv4 update (eBGP,OSPF,EIGRP) 2. PE1 translates it into VPNv4 address
Assigns an RT per VRF configuration Rewrites next-hop attribute to itself Assigns a label based on VRF and/or interface

3. PE1 sends MP-iBGP update to other PE routers

Rick Graziani [email protected] 44

MPLS VPN Control Plane:

Putting It All Together
Site 1
10.1.1.0/24
MP-iBGP Update: RD:10.1.1.0 Next-Hop=PE-1 RT=Green, Label=100 10.1.1.0/24 Next-Hop=PE-2

3
CE1 PE1

Site 2

CE2 P P PE2

10.1.1.0/24 Next-Hop=CE-1

MPLS Backbone

4. PE2 receives and checks whether the RT=green is locally configured 5.

within any VRF, if yes, then PE2 translates VPNv4 prefix back into IPv4 prefix,
Installs the prefix into the VRF routing table Updates the VRF CEF table with label=100 for 10.1.1.0/24 Advertise this IPv4 prefix to CE2 (EBGP, OSPF, EIGRP)
45

Rick Graziani [email protected]

MPLS-VPN Technology:
Forwarding Plane
Site 1
10.1.1.0/24

Site 2 CE1 P
10.1.1.1

CE2
P PE2
10.1.1.1 10.1.1.1

PE1
100

P
10.1.1.1 25

50

100

100

10.1.1.1

PE2 imposes TWO labels for each packet going to the

VPN destination 10.1.1.1 The top label is LDP learned and derived from an IGP route
Represents LSP to PE address (exit point of a VPN route)

The second label (100) is learned via MP-BGP

Corresponds to the VPN address

Rick Graziani [email protected]

46

Outline
Overview VPN Packet Forwarding Across an MPLS VPN Backbone VPN Penultimate Hop Popping VPN Label Propagation MPLS VPN and Label Propagation MPLS VPN and Packet Forwarding

Rick Graziani [email protected]

VPN Packet Forwarding Across an MPLS VPN Backbone

Question:

How will the PE routers forward the VPN packets across the MPLS VPN backbone? Answer #1: They will label the VPN packets with an LDP label for the egress PE router and forward the labeled packets across the MPLS backbone.

Rick Graziani [email protected]

48

VPN Packet Forwarding Across an MPLS VPN Backbone

Question:

How will the PE routers forward the VPN packets across the MPLS VPN backbone? Answer #1: They will label the VPN packets with an LDP label for the egress PE router and forward the labeled packets across the MPLS backbone. Results: The P routers perform the label switching, and the packet reaches the egress PE router. However, the egress PE router does not know which VRF to use for packet switching, so the packet is dropped. (Remember, customers may be using RFC 1918 addresses.) How about using a label stack?
Rick Graziani [email protected] 49

VPN Packet Forwarding Across an MPLS VPN Backbone (Cont.)

Question:

How will the PE routers forward the VPN packets across the MPLS VPN backbone? Answer #2: They will label the VPN packets with a label stack, using: 1. the LDP label for the egress PE router as the top label, and 2. the VPN label assigned by the egress PE router as the second label in the stack.

Rick Graziani [email protected]

50

VPN Packet Forwarding Across an MPLS VPN Backbone (Cont.)

Question:

How will the PE routers forward the VPN packets across the MPLS VPN backbone? Answer #2: They will label the VPN packets with a label stack, using: 1. the LDP label for the egress PE router as the top label, and 2. the VPN label assigned by the egress PE router as the second label in the stack. Result: The P routers perform label switching, and the packet reaches the egress PE router. The egress PE router performs a lookup on the VPN label and forwards the packet toward the CE router.
Rick Graziani [email protected] 51

VPN Penultimate Hop Popping

Penultimate hop popping on the LDP label can be performed on the last P router. The egress PE router performs label lookup only on the VPN label, resulting in faster and simpler label lookup. IP lookup is performed only oncein the ingress PE router.
Rick Graziani [email protected] 52

VPN Label in MP-iBGP update

8 Bytes

4 Bytes

8 Bytes 100:5 Route-Target

3 Bytes

100:1 RD VPNv4

10.1.1.0 IPv4

286

Label

MP-IBGP update with RD, RT, and Label

Rick Graziani [email protected]

53

Example

1. CE red1 advertises the 192.168.4.0/24 prefix to PE A. A CE can use static or dynamic routing (RIP, eBGP, or OSPF) to exchange routes with a PE. CE red1 runs eBGP. CE green2 uses RIPv2. 2. PE A imports the prefixes announced by the CE into the route table for this VPN. If other interfaces on the same PE belong to the same VPN, routes are announced to the local peers. Each VPN has its own routing table.
Rick Graziani [email protected] 54

Example

3. PE A uses iBGP to announce reachability for each of its attached customer sites. PE A has one iBGP session with PE C for the red VPN and another with PE D for the green VPN. PE C imports the routes into the routing table used for the red VPN, PE D imports the routes for the green VPN. The PEs are in a full iBGP mesh and each can run many different VPNs.
Rick Graziani [email protected] 55

Example

4. PE C announces the 192.168.4.0 route to CE red2 using RIPv2. A show ip route command on CE red2 will show 192.168.4.0/24 with a next hop of 192.168.2.1, which is the address of PE C. Similarly, CE red1 has an entry for 192.168.3.0 with a next hop of 192.168.1.2. PE As routing table for the red VPN has an entry for 192.168.4.0 through 192.168.1.1 and another entry for 191.168.3.0 with a next hop that points to PE C. This is where the MPLS-VPN magic occurs. PE C announces itself as the next hop for the 192.168.3.0 route. Because this is a BGP route, PE A will use another lookup to find the route and, this time, the next hop will be 10.0.0.2, which is the LSR.
Rick Graziani [email protected] 56

Example

5. When traffic must go between sites, the CE forwards IP packets to the PE as it would to any other router. Packet going from CE green1 to CE green2, following this sequence: a. PE A identifies the next hop (PE D) for this packet as a BGP neighbor. b. PE A first imposes a label 22, that will identify the VPN routing table to PE D. This label was advertised by the neighbor, PE D, during the exchange of BGP prefixes. which happened some time before the preceding step.
Rick Graziani [email protected] 57

Example

c. The packet must now travel across the MPLS network, so PE A imposes another label 96, that identifies the next-hop LSR on the IGP path to PE D. This label was advertised by the downstream LSR (LSR B) from 10.0.0.2. d. Each LSR in the core swaps labels and forwards the packet as normal toward PE D. The penultimate hop pops the outer label. There is only one hop to the egress LSR, so LSR B removes the outer label.
Rick Graziani [email protected] 58

Example

e. PE D uses the remaining label 22, to: Identify which VPN routing table to use for the packet, and Pops the label from the packet f. PE D does an IP lookup in the VPN routing table to: Find the outgoing interface and Forwards the IP packet to CE green2, which will route it to its destination.
Rick Graziani [email protected] 59

The Procedure to Configure MPLS

Configure CEF. Configure MPLS on a frame mode interface. (Optional) Configure the MTU size in label switching.

Rick Graziani [email protected]

60

Step 1: Configure CEF

To enable MPLS, you must first configure CEF: Configure CEF: Enable CEF switching to create the FIB table. Enable CEF switching on all core interfaces. Configure MPLS on a frame mode interface. (Optional) Configure the MTU size in label switching.

Rick Graziani [email protected]

61

Commands for Configuring CEF

Router(config)#

ip cef [distributed]

Starts CEF switching and creates the FIB table The distributed keyword configures distributed CEF (running on VIP or line cards) All CEF-capable interfaces run CEF switching

Router(config-if)#

ip route-cache cef

Enables CEF switching on an interface Usually not needed

Rick Graziani [email protected] 62

Using the ip cef [distributed] Parameter

The optional [distributed] parameter enables dCEF. This distributes the CEF information to the line cards and the line cards perform express forwarding. Consider the following: CEF is enabled by default only on these platforms: Cisco 7100 series router Cisco 7200 series router Cisco 7500 series Internet router Distributed CEF is enabled on the Cisco 6500 series router. Distributed CEF is enabled on the Cisco 12000 series Internet router.
63

Rick Graziani [email protected]

Monitoring IP CEF
Router#

show ip cef detail

Displays a summary of the FIB

Router#show ip cef detail IP CEF with switching (Table Version 6), flags=0x0 6 routes, 0 reresolve, 0 unresolved (0 old, 0 new) 9 leaves, 11 nodes, 12556 bytes, 9 inserts, 0 invalidations 0 load sharing elements, 0 bytes, 0 references 2 CEF resets, 0 revisions of existing leaves refcounts: 543 leaf, 544 node Adjacency Table has 4 adjacencies 0.0.0.0/32, version 0, receive 192.168.3.1/32, version 3, cached adjacency to Serial0/0.10 0 packets, 0 bytes tag information set local tag: 28 fast tag rewrite with Se0/0.10, point2point, tags imposed: {28} via 192.168.3.10, Serial0/0.10, 0 dependencies next hop 192.168.3.10, Serial0/0.10 valid cached adjacency tag rewrite with Se0/0.10, point2point, tags imposed: {28}

Rick Graziani [email protected]

64

Using show ip cef Parameters

Parameter Unresolved Summary Network Description (Optional) Displays unresolved FIB entries (Optional) Displays a summary of the FIB (Optional) Displays the FIB entry for the specified destination network (Optional) Displays the FIB entry for the specified destination network and mask (Optional) Displays the FIB entries for all the specific destinations (Optional) Displays detailed FIB entry information (Optional) Lists the interface type and number for which to display FIB entries
65

Mask

Longer-prefixes

Detail type number

Rick Graziani [email protected]

Step 2: Configure MPLS on Frame Mode Interface

Configure CEF. Configure MPLS on a frame mode interface: Enable label switching on a frame mode interface. Start LDP or TDP label distribution protocol. (Optional) Configure the MTU size in label switching.

Rick Graziani [email protected]

66

Commands for Configuring MPLS on a Frame Mode Interface

Router(config-if)#

mpls ip

Enables label switching on a frame mode interface Starts LDP on the interface

Router(config-if)#

mpls label protocol [tdp | ldp | both]

Starts selected label distribution protocol on the specified interface

Rick Graziani [email protected]

67

Configuring MPLS on a Frame Mode Interface: Example 1

Rick Graziani [email protected]

68

Configuring MPLS on a Frame Mode Interface: Example 2

Rick Graziani [email protected]

69

Step 3: Configure the MTU Size in Label Switching

Configure CEF. Configure MPLS on a frame mode interface. Configure the MTU size in label switching:
Increase MTU on LAN interfaces.

Rick Graziani [email protected]

70

Commands for Configuring MTU Size

Router(config-if)#

mpls mtu bytes

Label switching increases the MTU requirements on an interface because of additional label header. Interface MTU is automatically increased on WAN interfaces; IP MTU is automatically decreased on LAN interfaces. Label-switching MTU can be increased on LAN interfaces (resulting in jumbo frames) to prevent IP fragmentation.

Rick Graziani [email protected]

71

Configuring Label Switching MTU

Rick Graziani [email protected]

72

MPLS Part 2 MPLS -VPN

CIS 186 ISCW Rick Graziani Fall 2007