CETTM MTNL

MPLS L3 VPN

MODULE ID: TMPLL3V001


  • Slide 2 - Topics Covered

    Introduction to VPN
    VPN Implementations
    VPN Classification
    MPLS Layer 3 VPN
    L3 VPN Forwarding
    Case Study

  • Slide 3 - What is a VPN

    VPN - Virtual Private Network

    Provides secure communications between internal networks over a public network.
    Commonly used to connect company branch offices, business partners and company mobile users.

    VPN requirements

    Opaque transport of data - even non-IP protocols
    Security of data - avoid modification, spoofing, snooping
    QoS guarantee for bandwidth and latency

  • Slide 4 - VPN Implementations

    Remote Access VPNs - for telecommuters, mobile users
    Site-to-Site VPNs - for business Intranets, Extranets

  • Slide 5 - Remote Access VPN

    [Diagram: telecommuter and mobile remote access clients connect over DSL/cable to an Internet POP, and from there to the central site router.]

    Extension of classic dial

  • Slide 6 - Site-to-Site VPN

    [Diagram: central site and remote site connected through Internet POP routers over DSL/cable; Intranet (business-to-business) and Extranet (consumer-to-business) variants.]

    Extension of classic WAN

  • Slide 7 - VPN Classification

    VPNs span a variety of technologies and topologies. They can be classified by:

    The business problem the VPN is trying to solve: Intranet / Extranet / Remote
    The layer at which the service provider exchanges topology information with the customer: Layer 2 / Layer 3
    The operation mode: CPE based / network provider based
    The topology of the network: full mesh / partial mesh
    The networking model: VPDN / VLL / VPLS / VPRN

  • Slide 8 - Intranet VPN

    Each site belongs to only one VPN: Intranet

    [Diagram: sites A, B, C and sites X, Y, Z, each site in a single VPN.]

  • Slide 9 - Extranet VPN

    A site may belong to multiple VPNs.

    [Diagram: sites 1 to 5, with an Intranet VPN and an Extranet VPN sharing a site.]

  • Slide 10 - VPN Classification

    [Diagram: classification tree with the labels VPN, IP-VPN, CPE-Based VPN, Network-Based VPN (Provider VPN), VPRN, VLL, VPLS, MPLS/BGP VPN and VR-VPN.]

  • Slide 11 - VPN Classification - 1

    IP-VPN: Service emulation of dedicated line services over an IP network (including the public Internet and private IP backbone networks).
    Network-Based IP-VPN: The VPN service is provided from a network built and operated by an operator (the user is also allowed to perform certain service management and control), and the functional features are implemented in the network-side equipment in a centralized way.
    Tunnel: A technology that uses one protocol to transmit another protocol. It provides isolation between networks and between protocols. The tunnel is established with a tunneling protocol.

  • Slide 12 - VPN Classification - 2

    Virtual Leased Line (VLL): Provides a point-to-point connection service between two pieces of CPE equipment for the user.
    Virtual Private Dial Network (VPDN): The remote user dials into the public IP network via PSTN/ISDN, and the data packets pass through the public network via a tunnel to the destination network.
    Virtual Private LAN Service (VPLS): A virtual method of establishing a LAN over public IP resources. The networking is based on MAC-layer forwarding and is completely transparent to the network layer protocol.
    Virtual Private Routed Network (VPRN): An emulation of multi-site wide area routed network services over the public IP network; the VPN data packets are forwarded at the network layer.

  • Slide 13 - Constructing VPN via Tunnel (CPE Based VPN)

    [Diagram: sites HQ1 and HQ2 behind CPE routers RT1 and RT2, joined by GRE tunnels across a public IP network; private addresses in 10.0.0.0/24 and 10.0.1.0/24, public link addresses in 129.0.0.0/30 to 129.0.3.0/30.]

    CPE based VPN:
    The operator is not involved in the VPN setup.
    The forwarding efficiency is low.

  • Slide 14 - VPN Tunnels

    The mechanism of a tunnel is to use one protocol to encapsulate packets of another protocol.

    Some tunnelling protocols:
    PPTP - Point to Point Tunneling Protocol
    L2TP - Layer 2 Tunneling Protocol
    GRE - Generic Routing Encapsulation
    IPSec - IP Security Protocol

    In MPLS, the LSP is the tunnel.

  • Slide 15 - MPLS VPN Network Structure

    Network based VPN: also called PPVPN (Provider Provisioned VPN)

    [Diagram: MPLS VPN domain connecting customer sites with the prefixes 10.2.2.0/24, 10.2.4.0/24, 10.2.6.0/24 and 192.168.1.0/24.]

  • Slide 16 - VPN Terminology

    VPNs contain the following types of network devices:

    Provider edge (PE) routers: connect CE devices and support VPN and label functionality.
    Provider (P) routers: the core of the provider's network; they support MPLS and are not connected to any customer site.
    Customer edge (CE) devices: typically IP routers connected to PE routers. The CE routers have no special configuration requirements for VPNs.

  • Slide 17 - Characteristics of MPLS VPN

    All the construction, connection and management work of the VPN is implemented on the PE.
    Network configuration is simple.
    The existing routing protocol can be used directly without any change.
    The MPLS VPN network scales well.
    VPN with QoS and TE can be implemented.

  • Slide 18 - MPLS Based VPNs

    MPLS based Layer 3 VPNs
    The provider's router participates in the customer's Layer 3 routing.
    CPE routers advertise their routes to the provider.
    The provider router manages VPN-specific routing tables and distributes routes to remote sites.

    MPLS based Layer 2 VPNs
    The provider delivers Layer 2 circuits to the customer, one for each remote site.
    The customer maps their Layer 3 routing onto the circuit mesh.
    Customer routes are transparent to the provider.

  • Slide 19 - Layer 3 VPN Overview

    Layer 3 VPNs are based on RFC 2547bis.
    A Layer 3 VPN is a set of sites spread across the public infrastructure that share common routing information; their connectivity is controlled by a collection of policies.
    Also known as BGP/MPLS VPNs, because BGP is used to distribute VPN routing information (VPN labels) across the provider's backbone, and MPLS is used to forward VPN traffic across the backbone to remote VPN sites.

  • Slide 20 - MPLS Layer 3 VPN

    [Diagram: MPLS core of P routers; PE routers at the edge connect the CE routers of VPN A (blue) and VPN B (red) sites.]

    Customer routes are exchanged via the MPLS network.
    Customer data is transported over MPLS LSPs.

  • Slide 21 - Overlapping Address Spaces

    [Diagram: PE 1, PE 2 and PE 3 around a core of P routers; CE routers CEA1-CEA3 and CEB1-CEB3 attach VPN A sites 1-3 and VPN B sites 1-3, each site numbered 10.1/16, 10.2/16 or 10.3/16.]

    The sites within VPN A and VPN B use the same address spaces 10.1.0.0/16, 10.2.0.0/16 and 10.3.0.0/16 for their private networks.

  • Slide 22 - Solution for Overlapping Addresses: Route Distinguisher

    [Diagram: same topology as slide 21; the two overlapping 10.1/16 prefixes are carried in BGP as 10458:22:10.1/16 and 10458:23:10.1/16.]

    BGP: modify the IPv4 address by prefixing a Route Distinguisher.

  • Slide 23 - VPN-IPv4 Address Family

    A Route Distinguisher (RD) is prefixed to each address from a particular VPN site.
    The 8-byte RD (VPN identifier) disambiguates overlapping IPv4 addresses.
    The new address family is called the VPN-IPv4 address family. These routes are distributed to other VPN sites using Multiprotocol BGP (MP-BGP).
    The original standard address family is IPv4. The VPNv4 address family mainly serves to transfer VPN routes between PE routers.

    VPN-IPv4 address: Route Distinguisher (8 bytes) | IPv4 address

  • Slide 24 - MPLS/VPN RD

    RD format:
    16-bit Autonomous System Number (ASN) : 32-bit user-defined number, e.g. 100:1 (mostly used)
    32-bit IP address : 16-bit customized number, e.g. 172.1.1.1:1

    RD structure:
    TYPE (2-byte) | Administrator Field | Assigned Number Field
    Type 0        | 2-byte ASN          | 4-byte assigned number
    Type 1        | 4-byte IP address   | 2-byte assigned number

  • Slide 25 - VPNv4 and IPv4 Address Family

    The RD is unique among different VPNs, which removes IP address conflicts; it is the identifier of the VRF.
    Normally the RD of a VPN is configured the same at all sites.

    For example:
    Route received from the CE router: 10.1.1.0/24 (IPv4 address)
    Route modified as: 10458:22:10.1.1.0/24 (VPNv4 address) and announced to the other VPN sites of the same customer
    In this case 10458:22 is the RD.
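The RD formats of slide 24 and the VPNv4 key of slide 25, as an added example that is not part of the training module: it packs and unpacks the 8-byte RD for both slide-24 types and shows that the two overlapping 10.1.0.0/16 prefixes of slide 22 become distinct VPN-IPv4 routes once the RDs 10458:22 and 10458:23 are prefixed. The function names are my own.

```python
# Added example (not from the training module): encode and decode the 8-byte
# Route Distinguisher and build VPN-IPv4 route keys, showing how the two
# overlapping 10.1.0.0/16 prefixes from the slides become distinct.
import ipaddress
import struct

def encode_rd(text: str) -> bytes:
    """Encode 'admin:number' into the 8-byte RD wire format.

    Type 0: 2-byte ASN administrator, 4-byte assigned number (e.g. 10458:22).
    Type 1: 4-byte IPv4 administrator, 2-byte assigned number (e.g. 172.1.1.1:1).
    Only the two types shown on slide 24 are handled.
    """
    admin, number = text.rsplit(":", 1)
    if "." in admin:  # administrator field is an IPv4 address -> type 1
        return struct.pack("!HIH", 1, int(ipaddress.IPv4Address(admin)), int(number))
    return struct.pack("!HHI", 0, int(admin), int(number))  # type 0

def decode_rd(raw: bytes) -> str:
    """Decode the 8-byte RD back to its 'admin:number' text form."""
    if len(raw) != 8:
        raise ValueError("RD must be exactly 8 bytes")
    rd_type = struct.unpack("!H", raw[:2])[0]
    if rd_type == 0:
        asn, number = struct.unpack("!HI", raw[2:])
        return f"{asn}:{number}"
    if rd_type == 1:
        ip, number = struct.unpack("!IH", raw[2:])
        return f"{ipaddress.IPv4Address(ip)}:{number}"
    raise ValueError(f"unsupported RD type {rd_type}")

def vpnv4_route(rd: str, prefix: str) -> str:
    """Build the VPN-IPv4 route key 'RD:prefix' in the notation the slides use."""
    net = ipaddress.IPv4Network(prefix, strict=True)
    return f"{decode_rd(encode_rd(rd))}:{net}"

def distinct_vpnv4(routes) -> set:
    """Given (rd, prefix) pairs from several VRFs, return the set of VPN-IPv4 keys.
    Identical IPv4 prefixes stay distinct as long as their RDs differ."""
    return {vpnv4_route(rd, prefix) for rd, prefix in routes}

if __name__ == "__main__":
    # Constructed sample: VPN A and VPN B both use 10.1.0.0/16 (slides 21 and 22).
    overlapping = [("10458:22", "10.1.0.0/16"), ("10458:23", "10.1.0.0/16")]
    print(sorted(distinct_vpnv4(overlapping)))
    print(encode_rd("10458:22").hex(), encode_rd("172.1.1.1:1").hex())
```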

  • Slide 26 - Distribution of VPN-IPv4 Addresses

    The Border Gateway Protocol is extended to carry VPN-IPv4 routes in addition to normal IPv4 routes: MP-BGP (Multiprotocol BGP).
    To maintain compatibility, only two BGP attributes are added for MP-BGP: MP_REACH_NLRI and MP_UNREACH_NLRI.
    These two attributes are used in the BGP UPDATE message to announce or withdraw network reachability information.

  • Slide 27 - Relationship Between PE and CE

    [Diagram: two PE routers, each with CE routers for Site-1 and Site-2 of VPN A and VPN B; PE-CE routing via EBGP, RIP or static; each PE holds a VRF for VPN A, a VRF for VPN B and the global routing table.]

    VRF - VPN Routing and Forwarding table. Different VRFs for different VPNs.

  • Slide 28 - Relationship Between PE and CE

    PE and CE routers exchange information via EBGP, RIP or static routes. The CE runs a standard routing protocol.
    The PE maintains separate routing tables for the public network and the private networks. The public network routing table includes the routes of all PE and P routers and is generated by the backbone IGP.
    A VRF (VPN routing and forwarding table) includes the routing and forwarding tables for one or more directly connected CEs. A VRF can be bound to any type of interface. The PE router interface or sub-interface connected to the CE is mapped to a VPN.
    If the directly connected sites belong to the same VPN, these interfaces can use the same VRF.

  • Slide 29 - VPN Routing and Forwarding Table

    The PE router creates one VPN routing and forwarding (VRF) table for each VPN that has a connection to a CE router.
    The VRF provides isolation between VPNs.
    The routes in a VRF are distributed to other sites of the same VPN.

    Each VRF is populated with:
    Routes received from directly connected CE routers that are associated with the VRF
    Routes received from other PE routers (from other sites belonging to the same VPN)

  • Slide 30 - Distribution of VRF Routes: Route Targets

    [Diagram: CE router - PE - P router - PE - CE router; the two PEs peer via MP-iBGP.]

    The PE router distributes the local VPN route information via the MPLS/VPN backbone network.
    The transmitting PE exports the local VRF routes via MP-iBGP (with the export-target attribute).
    The receiving PE imports the route into the VRF where it belongs (with the matching import-target attribute).

  • Slide 31 - Distributing MP-iBGP Routes to VRF

    Each VRF is configured with import route-targets and export route-targets.
    When the transmitting PE sends MP-iBGP updates, the export route-target attribute is attached to the update.
    When receiving MP-iBGP updates of VPN-IPv4 routes, the receiving PE checks whether a received export route-target equals an import route-target of a local VRF. If yes, the route is added to that VRF's routing table; otherwise it is discarded.

  • Slide 32 - Importing VRF Routes to MP-iBGP

    [Diagram: CE-1 (Delhi) sends a BGP or RIPv2 update for 149.27.2.0/24 with NH=CE to PE1; PE1 sends an MP-iBGP VPN-v4 update to PE2 (Mumbai): RD 1:27:149.27.2.0/24, next-hop=PE-1, RT=VPN-A, Label=(28); CE-2 is attached to PE2.]

    Importing a VRF route into MP-iBGP: the PE router converts the route (in the VRF routing table) received from the CE into a VPN-v4 route; labels it with the RD and RT based on the configuration; changes the next hop to the PE itself (its loopback); assigns the label based on the interface; finally sends the MP-iBGP update to all PE neighbours.

  • Slide 33 - Exporting MP-iBGP Routes to VRF

    [Diagram: the Delhi PE (CE1) sends an MP-iBGP VPN-v4 update to the Mumbai PE (CE-2): RD 1:27:149.27.2.0/24, RT=VPN-A, Label=(28). The receiving PE carries the configuration:]

    ip vrf VPN-B
     vpn-target import VPNA

    The PE receives the update, converts the VPN-v4 route back into an IPv4 address and installs it in the VRF VPN-A (RT=VPN-A) routing table, then advertises it to the CE.
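The export/import step of slides 30 to 33 as an added example that is not part of the training module: the Delhi PE turns the CE route into a VPN-v4 update (RD 1:27, RT VPN-A, label 28 and the PE-1 loopback 197.26.15.1 are the slides' values) and the Mumbai PE installs it only into VRFs whose import route-targets match, including a VPN-B VRF that imports VPNA as on slide 33. The data classes, the RDs 1:28 and 1:29 and the third VRF are constructed here.

```python
# Added example (not from the training module): a minimal model of the MP-iBGP
# export/import step. Route-target names, the label and the loopback come from
# the slides; the classes and the extra VRFs are constructed for illustration.
from dataclasses import dataclass, field

@dataclass
class Vrf:
    name: str
    rd: str
    export_rt: set
    import_rt: set
    routes: dict = field(default_factory=dict)   # prefix -> (next_hop, label)

@dataclass
class Vpnv4Update:
    rd: str
    prefix: str
    next_hop: str        # the advertising PE's loopback, not the CE
    route_targets: set   # carried as BGP extended communities
    label: int           # VPN (inner) label the egress PE expects

def export_route(vrf: Vrf, prefix: str, pe_loopback: str, label: int) -> Vpnv4Update:
    """Ingress side (slide 32): CE route -> VPN-v4 route with RD, RT, PE next hop, label."""
    if not vrf.export_rt:
        raise ValueError(f"VRF {vrf.name} has no export route-target; nothing is advertised")
    return Vpnv4Update(vrf.rd, prefix, pe_loopback, set(vrf.export_rt), label)

def import_update(vrfs: list, update: Vpnv4Update) -> list:
    """Receiving side (slides 31 and 33): install the route into every VRF whose
    import RTs intersect the update's RTs; a VRF with no overlap ignores it.
    Returns the names of the VRFs that accepted the route."""
    accepted = []
    for vrf in vrfs:
        if vrf.import_rt & update.route_targets:
            vrf.routes[update.prefix] = (update.next_hop, update.label)
            accepted.append(vrf.name)
    return accepted

def demo():
    # Delhi PE: VPN-A VRF learns 149.27.2.0/24 from its CE and exports RT VPN-A.
    delhi_vpn_a = Vrf("VPN-A", "1:27", {"VPN-A"}, {"VPN-A"})
    update = export_route(delhi_vpn_a, "149.27.2.0/24", "197.26.15.1", 28)
    # Mumbai PE: VPN-A imports its own RT; VPN-B also imports VPN-A (slide 33's
    # 'vpn-target import VPNA' under 'ip vrf VPN-B'); VPN-C is unrelated (constructed).
    mumbai = [
        Vrf("VPN-A", "1:27", {"VPN-A"}, {"VPN-A"}),
        Vrf("VPN-B", "1:28", {"VPN-B"}, {"VPN-B", "VPN-A"}),
        Vrf("VPN-C", "1:29", {"VPN-C"}, {"VPN-C"}),
    ]
    return update, import_update(mumbai, update), mumbai

if __name__ == "__main__":
    upd, accepted, vrfs = demo()
    print(f"{upd.rd}:{upd.prefix} NH={upd.next_hop} RT={sorted(upd.route_targets)} label={upd.label}")
    print("installed in:", accepted)
```

A mistyped import route-target is the usual way customer routes end up in the wrong VRF, so the import set is the place to audit when checking VPN separation.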

  • Slide 34 - L3 VPN Operational Model

    Control flow
    Exchange of routes between CE and PE (static/default, RIP / OSPF / eBGP)
    Exchange of routes between PEs (MP-iBGP)

    Data flow
    Forwarding user traffic through the LSP already established between PE routers

    [Diagram: same topology as slide 21 (PE 1, PE 2, PE 3, P routers, CEA1-CEA3 and CEB1-CEB3).]

  • Slide 35 - MPLS/VPN Label Distribution

    PE and P routers are reachable via the IGP.
    A label stack is used for packet forwarding: the outer (external) label indicates how to reach the next hop, and the inner (internal) label identifies the outgoing interface of the packet in its home VRF (home VPN).
    MPLS node forwarding is based on the outer label regardless of the inner label.

  • Slide 36 - MPLS/VPN Packet Forwarding - 1

    [Diagram, Mumbai to Delhi: an IP packet for 149.27.2.27 enters the ingress PE from the CE; the VPN A VRF entry 149.27.2.0/24, NH=197.26.15.1, Label=(28) and the LFIB entry (In Label -, FEC 197.26.15.1/32, Out Label 41) give the packet a label stack of 41 (outer) and 28 (inner) as it is sent into the core.]

    When the ingress PE receives an ordinary IP packet from the CE, the PE looks it up in the corresponding VPN forwarding table, chosen by the VRF to which the ingress interface belongs, and finds the next hop and label.

  • Slide 37 - MPLS/VPN Packet Forwarding - 2

    [Diagram: the packet for 149.27.2.27 carries labels 41 (outer) and 28 (inner); the penultimate P router's LFIB entry (In Label 41, FEC 197.26.15.1/32, Out Label POP) removes the outer label; the egress PE's entry (In Label 28 (V), FEC 149.27.2.0/24, Out Label -) and its VPN A VRF entry 149.27.2.0/24 NH=Delhi deliver the packet to the CE as plain IP.]

    The second-last (penultimate) hop router pops the outer label and sends the packet to the egress PE according to the next hop.
    The egress PE router determines the CE the packet will go to based on the inner label.
    It pops the inner label and forwards the packet to the destination CE as an ordinary IP packet.

  • Slide 38 - Typical Data Flow in L3 VPN

    [Diagram: CE-1 and CE-2 (Site 1, Site 2) attach to PE-1; P-1 and P-2 form the core; PE-2 attaches CE-3 and CE-4 (Site 2, 10.1/16). A packet for IP 10.1.2.3 crosses from PE-1 to CE-4.]

    PE-1: 1. Look up the route in the Red VRF. 2. Push the VPN inner label (Z). 3. Push the IGP label (U). 4. Forward to P-1.
    Packet: IGP label (U) | BGP label (Z) | IP 10.1.2.3

    P-1: 1. Look up the MPLS table. 2. Swap IGP label U with V. 3. Forward to P-2.
    Packet: IGP label (V) | BGP label (Z) | IP 10.1.2.3

    P-2: 1. Look up the MPLS table. 2. Pop the IGP label V. 3. Forward to PE-2.
    Packet: BGP label (Z) | IP 10.1.2.3

    PE-2: 1. Look up the route in the Red VRF. 2. Pop the VPN inner label (Z). 3. Forward the native IP packet to CE-4.
    Packet: IP 10.1.2.3
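The label-stack walk of slides 35 to 38 as an added example that is not part of the training module: PE-1 pushes the VPN label Z and the IGP label U, P-1 swaps U for V, P-2 pops V at the penultimate hop, and PE-2 uses Z alone to pick the Red VRF and CE-4. The router and label names come from slide 38; the table layout, the longest-prefix lookup and the drop for a destination with no VRF route are constructed here.

```python
# Added example (not from the training module): step-by-step model of slide 38.
# Labels U, V, Z and the router names are the slide's; tables are constructed.
import ipaddress

# Red VRF on PE-1: prefix -> (egress PE, VPN inner label learned via MP-iBGP)
RED_VRF_PE1 = {"10.1.0.0/16": ("PE-2", "Z")}

# Label actions per router: key -> (action, outgoing label, next hop).
# PE-1 is keyed by the LSP endpoint; P routers by the incoming outer label.
LFIB = {
    "PE-1": {"PE-2": ("push", "U", "P-1")},
    "P-1":  {"U": ("swap", "V", "P-2")},
    "P-2":  {"V": ("pop", None, "PE-2")},   # penultimate hop popping
}
# Egress PE-2: VPN inner label -> (VRF name, attached CE)
PE2_VPN_LABELS = {"Z": ("Red", "CE-4")}

def ingress(pe: str, vrf: dict, dst: str) -> tuple:
    """PE-1: VRF lookup, push the VPN (inner) label, then the IGP (outer) label."""
    addr = ipaddress.IPv4Address(dst)
    matches = [ipaddress.IPv4Network(p) for p in vrf if addr in ipaddress.IPv4Network(p)]
    if not matches:
        raise LookupError(f"{dst} has no route in the VRF; dropped at {pe}")
    best = max(matches, key=lambda n: n.prefixlen)   # longest prefix wins
    egress_pe, vpn_label = vrf[str(best)]
    _, igp_label, next_hop = LFIB[pe][egress_pe]
    return [igp_label, vpn_label], next_hop           # index 0 is top of stack

def core_hop(router: str, stack: list) -> tuple:
    """P routers act on the outer label only (slide 35): swap it or pop it."""
    action, out_label, next_hop = LFIB[router][stack[0]]
    if action == "swap":
        return [out_label] + stack[1:], next_hop
    return stack[1:], next_hop                         # pop exposes the VPN label

def egress(stack: list) -> tuple:
    """PE-2: the remaining inner label alone selects the VRF and the outgoing CE."""
    if len(stack) != 1:
        raise ValueError(f"expected exactly one VPN label at egress, got {stack}")
    return PE2_VPN_LABELS[stack[0]]

def forward(dst: str) -> list:
    """Trace a packet for dst as (router, label stack after processing, next hop)."""
    trace = []
    stack, nh = ingress("PE-1", RED_VRF_PE1, dst)
    trace.append(("PE-1", list(stack), nh))
    for router in ("P-1", "P-2"):
        stack, nh = core_hop(router, stack)
        trace.append((router, list(stack), nh))
    vrf, ce = egress(stack)
    trace.append(("PE-2", [], f"{ce} via {vrf} VRF"))
    return trace

if __name__ == "__main__":
    for step in forward("10.1.2.3"):
        print(step)
```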

  • Slide 39 - Layer 3 - Basic Intranet Model

    [Diagram: MPLS/VPN backbone with P routers; two PEs exchange VPN A routes via MP-iBGP with RT=VPN-A. One PE exports the site-1 and site-2 routes, the other the site-3 and site-4 routes; after import, each VPN A VRF holds the routes of sites 1, 2, 3 and 4.]

  • Slide 40 - Internet Access from MPLS VPN

    Ways to set up Internet access from a VPN:
    By packet leaking between a VRF and the global routing table
    By a separate sub-interface which is not placed in any VRF
    By having a separate Internet VPN

  • Slide 41 - Internet Access by Packet Leaking

    A public address block is assigned to the Internet/VPN customer.
    A global static route for the assigned address block is configured on the PE router.
    The static route has to be redistributed into BGP to provide full connectivity to the customer.
    A default route toward a global Internet exit point is installed in the customer VRF.
    This default route is used to forward packets for unknown destinations (the Internet) into the global address space.
    A single label (the IGP label) is used for packets forwarded towards the global next hop.

  • Slide 42 - Internet Access by Packet Leaking

    [Diagram: PEs for Site-1 and Site-2; PE-IG (192.168.1.1) is the Internet gateway, reached from the Site-2 PE (192.168.1.2); Site-2 network 171.68.0.0/16 on Serial0; BGP-4 towards the Internet, MP-BGP between the PEs.]

    Configuration on the PE connected to Site-2:

    ip route-static 171.68.0.0 255.255.0.0 Serial0
    ip route-static vpn-instance VPN-A 0.0.0.0 0.0.0.0 192.168.1.1 public

  • Slide 43 - Internet Access by Packet Leaking (continued)

    [Diagram: same topology as slide 42. Site-2 VRF: 0.0.0.0/0 via 192.168.1.1 (public), Site-1 routes, Site-2 routes. Global table and LFIB: 192.168.1.1/32 Label=3, 192.168.1.2/32 Label=5, ... An IP packet with D=yahoo.com arrives from the CE, is forwarded by the PE with Label=3 towards PE-IG and reaches the Internet as a plain IP packet.]

    Configure the static default route on the PE.
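How the leaked default route of slides 41 to 43 resolves, as an added example that is not part of the training module: the VRF lookup hits the default route, whose 'public' flag sends the next-hop lookup to the global table, where 192.168.1.1 resolves to PE-IG with label 3. The table representation, the constructed INFRASTRUCTURE list and the reaches_infrastructure check are mine; the addresses, interface and label values are the slides'.

```python
# Added example (not from the training module): two-stage lookup for a packet
# leaving the Site-2 VRF through a leaked default route (slides 41-43).
import ipaddress

# Site-2 VRF: the default route carries the 'public' flag of the slide's
# 'ip route-static vpn-instance VPN-A 0.0.0.0 0.0.0.0 192.168.1.1 public'.
SITE2_VRF = {
    "171.68.0.0/16": {"via": "Serial0", "public": False},
    "0.0.0.0/0":     {"via": "192.168.1.1", "public": True},
}
# Global table and LFIB (slide 43): PE-IG and this PE's own loopback.
GLOBAL_TABLE = {
    "192.168.1.1/32": {"via": "PE-IG", "label": 3},
    "192.168.1.2/32": {"via": "local", "label": 5},
}
# Constructed: provider-internal prefixes that customer traffic should never reach.
INFRASTRUCTURE = ["192.168.1.0/24"]

def lpm(table: dict, dst: str):
    """Longest-prefix match; returns (network, entry) or None."""
    addr = ipaddress.IPv4Address(dst)
    hits = [(ipaddress.IPv4Network(p), e) for p, e in table.items()
            if addr in ipaddress.IPv4Network(p)]
    return max(hits, key=lambda h: h[0].prefixlen) if hits else None

def forward_from_vrf(dst: str) -> dict:
    """Resolve dst for a packet arriving from the Site-2 CE."""
    hit = lpm(SITE2_VRF, dst)
    if hit is None:
        return {"table": "VRF", "action": "drop"}
    _, entry = hit
    if not entry["public"]:
        return {"table": "VRF", "action": "forward", "via": entry["via"]}
    # Leaked default: the next hop is resolved in the global table, and the
    # packet leaves with the single IGP label bound to that next hop (slide 41).
    g = lpm(GLOBAL_TABLE, entry["via"])
    if g is None:
        return {"table": "global", "action": "drop"}
    return {"table": "global", "action": "forward",
            "via": g[1]["via"], "label": g[1]["label"]}

def reaches_infrastructure(dst: str) -> bool:
    """Defender's check: does a customer destination fall inside provider space?
    The leaked default makes the whole global address space reachable, which is
    why a leaked default is normally paired with a filter on such destinations."""
    addr = ipaddress.IPv4Address(dst)
    return any(addr in ipaddress.IPv4Network(p) for p in INFRASTRUCTURE)

if __name__ == "__main__":
    # Constructed destinations: a Site-2 host, an Internet host, a PE loopback.
    for d in ("171.68.5.9", "203.0.113.10", "192.168.1.2"):
        print(d, forward_from_vrf(d), "infrastructure!" if reaches_infrastructure(d) else "")
```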

  • Slide 44 - Internet Access by Separate Sub-interface

    Requires separate physical links or separate sub-interfaces.
    Traditional Internet access implementation model.
    Maximum design flexibility; Internet access is totally independent from the MPLS VPN.
    Specific WAN encapsulation required.
    The PE may be required to carry full Internet routing, which is risky.

  • Slide 45 - Internet Access by Separate Sub-interface

    [Diagram: same topology as slide 42; the CE at Site-2 (network 171.68.0.0/16) has sub-interfaces Serial0.1 (VPN) and Serial0.2 (Internet). CE routing table: Site-2 routes -> Serial0.1, Internet routes -> Serial0.2. PE global table: Internet routes -> 192.168.1.1, Label=3. An IP packet with D=yahoo.com is sent over Serial0.2, forwarded with Label=3 towards PE-IG and delivered to the Internet as a plain IP packet.]

    Configure the sub-interface.

  • Slide 46 - Summarizing VPN

    VPN classifications: CPE / network based
    Intranet and Extranet VPNs
    MPLS L3 VPN - configuration and forwarding process: VPNv4, RD, RT
    MPLS does not provide all security requirements for a VPN. It has to be complemented with other solutions.
