Sunteți pe pagina 1din 108

Module 7

MPLS VPN
Technology
© 2001, Cisco Systems, Inc.
Objectives

Upon completion of this lesson, you


will be able to perform the following
tasks:
• Identify major Virtual Private network
topologies, their characteristics and usage
scenarios
• Describe the differences between overlay
VPN and peer-to-peer VPN
• List major technologies supporting overlay
VPNs and peer-to-peer VPNs
• Position MPLS VPN in comparison with
other peer-to-peer VPN implementations
• Describe major architectural blocks of
MPLS VPN
© 2001, Cisco Systems, Inc. MPLS v1.0—7-2
Introduction to
Virtual Private
Networks

© 2001, Cisco Systems, Inc. MPLS v1.0—7-3


Objectives

Upon completion of this section,


you will be able to perform the
following tasks:
• Describe the concept of VPN
• Explain VPN terminology as defined by
MPLS VPN architecture

© 2001, Cisco Systems, Inc. MPLS v1.0—7-4


Traditional Router-Based
Networks
Site B
Site A

Site C

Site D

Traditional router-based networks


connect customer sites through routers
connected via dedicated point-to-point
links.
© 2001, Cisco Systems, Inc. MPLS v1.0—7-5
Virtual Private Networks

Virtual Circuit (VC) #1

PE Device
CPE Router
Customer Site
Provider Core
Device Other
CPE Router Customer
Customer Premises Provider Edge Device PE Device Routers
Router (CPE) (Frame Relay Switch) Large Customer Site

Virtual Circuit (VC) #2


Service Provider Network

•Virtual Private Networks (VPNs) replace


dedicated point-to-point links with emulated
point-to-point links sharing common
infrastructure.
•Customers use VPNs primarily to reduce their
operational costs.
© 2001, Cisco Systems, Inc. MPLS v1.0—7-6
VPN Terminology

Customer Site

Large Customer Site

Provider network (P-network): the


service provider infrastructure
used to provide VPN services
Customer network (C-network): the part
of the network still under customer
control
Customer Site: a contiguous part of the
customer network (can encompass many
physical locations)
© 2001, Cisco Systems, Inc. MPLS v1.0—7-7
VPN Terminology

Customer Site

Large Customer Site


Service Provider Network

Provider edge (PE) device: the


device in the P-network to which
the CE devices are connected

Provider (P) device: the Customer edge (CE) device: the


device in the P-network device in the C-network that links to
with no customer into P-network; also called customer
connectivity premises equipment (CPE)

© 2001, Cisco Systems, Inc. MPLS v1.0—7-8


VPN Terminology
Specific to Switched WANs
VC #1

PE Device
CPE Router
Customer Site
P
Device Other
CPE Router Customer
CPE PE Device PE Device Routers
Router (Frame Relay switch) Large Customer Site

VC #2
Service Provider Network
Virtual Circuit (VC): emulated
point-to-point link established
across shared Layer 2
infrastructure
• A permanent virtual circuit (PVC) is established through out-of-
band means (network management) and is always active.
• A switched virtual circuit (SVC) is established through CE-PE
signaling on demand from the CE device.
© 2001, Cisco Systems, Inc. MPLS v1.0—7-9
Summary

After completing this section, you


should be able to perform the
following tasks:
• Describe the concept of VPN
• Explain VPN terminology as defined by
MPLS VPN architecture

© 2001, Cisco Systems, Inc. MPLS v1.0—7-10


Review Questions

• Why are customers interested in


Virtual
Private Networks?
• What is the main role of a VPN?
• What is a C-network?
• What is a customer site?
• What is a CE-router?
• What is a P-network?
• What is the difference between a
PE-device and a P-device?
© 2001, Cisco Systems, Inc. MPLS v1.0—7-11
Overlay and
Peer-to-Peer VPN

© 2001, Cisco Systems, Inc. MPLS v1.0—7-12


Objectives

Upon completion of this section,


you will be able to perform the
following tasks:
• Describe the differences between
overlay and peer-to-peer VPN
• Describe the benefits and drawbacks
of each VPN implementation option
• List major technologies supporting
overlay VPNs
• Describe traditional peer-to-peer VPN
implementation options
© 2001, Cisco Systems, Inc. MPLS v1.0—7-13
VPN Implementation
Technologies

VPN services can be offered based


on two major paradigms:
• Overlay VPNs, in which the service
provider provides virtual point-to-point
links between customer sites
• Peer-to-Peer VPNS, in which the
service provider participates in the
customer routing

© 2001, Cisco Systems, Inc. MPLS v1.0—7-14


Overlay VPN Implementation
(Frame Relay Example)

Customer Site VC #2 Customer Site

Router A Router C
PE Device Frame Relay
VC #1 (Frame Relay Switch) Edge Switch
Customer Site Customer Site

Router B Router D
Frame Relay Frame Relay
Edge Switch Edge Switch
VC #3

Service Provider Network

© 2001, Cisco Systems, Inc. MPLS v1.0—7-15


Layer 3 Routing in Overlay
VPN Implementation

Router A

Router B Router C Router D

• Service provider infrastructure appears as


point-to-point links to customer routes.
• Routing protocols run directly between
customer routers.
• Service provider does not see customer routes
and is responsible only for providing point-to-
point transport of customer data.
© 2001, Cisco Systems, Inc. MPLS v1.0—7-16
Overlay VPN
Layer 1 Implementation

IP

PPP HDLC

ISDN E1, T1, DS0 SDH, SONET

This is the traditional TDM solution:


Service provider establishes physical-layer
connectivity between customer sites.
Customer takes responsibility for all higher
layers.
© 2001, Cisco Systems, Inc. MPLS v1.0—7-17
Overlay VPN
Layer 2 Implementation

IP

X.25 Frame Relay ATM

This is the traditional switched WAN


solution:
Service provider establishes Layer 2 virtual
circuits between customer sites.
Customer takes responsibility for all higher
layers.
© 2001, Cisco Systems, Inc. MPLS v1.0—7-18
Overlay VPN
IP Tunneling

IP

Generic Route
IP Security (IPSec)
Encapsulation (GRE)

IP

VPN is implemented with IP-over-IP


tunnels:
Tunnels are established with GRE or
IPSec.
GRE is simpler (and quicker); IPSec
provides authentication and security.
© 2001, Cisco Systems, Inc. MPLS v1.0—7-19
Overlay VPN
Layer 2 Forwarding

IP

PPP

Layer 2
Point-to-Point
Layer 2 Tunnel Forwarding
Tunneling Protocol
Protocol (L2TP) Protocol (L2F
(PPTP)
Protocol)
IP

VPN is implemented with PPP-over-IP


tunnels:
Usually used in access environments (dialup,
digital subscriber line)
© 2001, Cisco Systems, Inc. MPLS v1.0—7-20
Peer-to-Peer VPN Concept
Routing information is exchanged
between CE and PE routers.
Service Provider Network Customer Site
Customer Site

Router A Router C
PE
PE Router
Router Customer Site
Customer Site

Router B Router D

PE Router PE Router

PE routers exchange
customer routes through
the core network.
Finally, the customer routes
propagated through the PE network
are sent to other CE routers.

© 2001, Cisco Systems, Inc. MPLS v1.0—7-21


Peer-to-Peer VPN with
Packet Filters

Customer A Service provider network


Site #1
Point of Presence (POP)

Shared Router
Customer A
Site #2 POP router carries
all customer
routes.
Isolation between
customers is
Customer B achieved with packet
Site #1 filters on PE-CE
interfaces.

© 2001, Cisco Systems, Inc. MPLS v1.0—7-22


Peer-to-Peer VPN with
Controlled Route Distribution

Customer A Service provider network The P-router contains


Site #1
all customer routes.
Point of Presence (POP)

Uplink
PE Router
Customer A Customer A
P Router
Site #2
PE Router
Customer B

Customer B
Site #1
Each customer has a
dedicated PE router
that carries only its
routes.
Customer isolation is
achieved through lack of
routing information on the
© 2001, Cisco Systems, Inc.
PE router. MPLS v1.0—7-23
Benefits of Various VPN
Implementations

Overlay VPN: Peer-to-peer VPN:


• Well-known and easy • Guarantees optimum
to implement. routing between
• Service provider does customer sites.
not participate in • Easier to provision an
customer routing. additional VPN.
• Customer network • Only the sites are
and service provider provisioned, not the
network are well links between them.
isolated.

© 2001, Cisco Systems, Inc. MPLS v1.0—7-24


Drawbacks of Various VPN
Implementations
Overlay VPN: Peer-to-peer VPN:
• Implementing • Service provider
optimum routing participates in
requires full mesh of customer routing.
virtual circuits. • Service provider
• Virtual circuits have becomes responsible
to be provisioned for customer
manually. convergence.
• Bandwidth must be • PE routers carry all
provisioned on a site- routes from all
to-site basis. customers.
• Overlay VPNs always • Service provider
incur encapsulation needs detailed IP
overhead. routing knowledge.
© 2001, Cisco Systems, Inc. MPLS v1.0—7-25
Drawbacks of Traditional
Peer-to-Peer VPNs
Shared PE router: Dedicated PE
• All customers share router:
the same (provider-
assigned or public) • All customers share
address space. the same address
space.
• High maintenance
costs are associated • Each customer
with packet filters. requires a dedicated
• Performance is lower router at each POP.
— each packet has to
pass a packet filter.

© 2001, Cisco Systems, Inc. MPLS v1.0—7-26


VPN Taxonomy

Virtual Networks
Virtual Private Virtual Dialup Networks Virtual LANs
Networks

Overlay VPN Peer-to-Peer VPN

Layer 2 VPN Layer 3 VPN Access Lists


(Shared Router)
X.25
GRE
Split Routing
Frame Relay (Dedicated Router)
IPSec
ATM
MPLS VPN

© 2001, Cisco Systems, Inc. MPLS v1.0—7-27


Summary

After completing this section, you


should be able to perform the
following tasks:
• Describe the differences between
overlay and peer-to-peer VPN
• Describe the benefits and drawbacks
of each VPN implementation option
• List major technologies supporting
overlay VPNs
• Describe traditional peer-to-peer VPN
implementation options
© 2001, Cisco Systems, Inc. MPLS v1.0—7-28
Review Questions

• What is an overlay VPN?


• Which routing protocol runs between the
customer and the service provider in an overlay
VPN?
• Which routers are routing protocol neighbors of
a
CE-router in overlay VPN?
• List three IP-based overlay VPN technologies.
• What is the major benefit of peer-to-peer VPN
as compared to overlay VPN?
• List two traditional peer-to-peer VPN
implementations.
• What is the drawback of all traditional peer-to-
© 2001, Cisco Systems, Inc. MPLS v1.0—7-29
Major VPN
Topologies

© 2001, Cisco Systems, Inc. MPLS v1.0—7-30


Objectives

Upon completion of this section,


you will be able to perform the
following tasks:
• Identify major VPN topologies
• Describe the implications of using
overlay VPN or peer-to-peer VPN
approach with each topology
• List sample usage scenarios for each
topology

© 2001, Cisco Systems, Inc. MPLS v1.0—7-31


VPN Topology Categorization

Overlay VPNs are categorized


based on the topology of the virtual
circuits:
• (Redundant) Hub and spoke topology
• Partial mesh topology
• Full mesh topology
• Multilevel topology—combines several
levels of overlay VPN topologies

© 2001, Cisco Systems, Inc. MPLS v1.0—7-32


Overlay VPN
Hub-and-Spoke Topology
Remote Site (Spoke)

Central Site Remote Site (Spoke)


(Hub)

Central Site
Router Remote Site (Spoke)

Service Provider Network

Remote Site (Spoke)

© 2001, Cisco Systems, Inc. MPLS v1.0—7-33


Overlay VPN Redundant Hub
and Spoke Topology
Remote Site (Spoke)

Central Site
(Hub)
Service Provider Network Remote Site (Spoke)

Redundant
Central Site Remote Site (Spoke)
Router

Redundant
Remote Site (Spoke)
Central Site
Router

© 2001, Cisco Systems, Inc. MPLS v1.0—7-34


Overlay VPN
Partial Mesh

Guam New York

Virtual circuits (Frame Relay Data-


Moscow Link Connection Identifier) Hong Kong

Berlin Sydney

© 2001, Cisco Systems, Inc. MPLS v1.0—7-35


Overlay VPN Multilevel
Hub-and-Spoke
Distribution Site
Remote Site (Spoke)
Distribution-Layer
Router

Central Site (Hub) Remote Site (Spoke)

Redundant Central
Site Router
Service Provider Network Remote Site (Spoke)

Redundant Central
Site Router

Remote Site (Spoke)


Distribution-layer
router
Distribution site

© 2001, Cisco Systems, Inc. MPLS v1.0—7-36


VPN Business Categorization

VPNs can be categorized on the


business needs they fulfill:
• Intranet VPN—connects sites within
an organization.
• Extranet VPN—connects different
organizations in a secure way.
• Access VPN — VPDN provides dialup
access into a customer network.

© 2001, Cisco Systems, Inc. MPLS v1.0—7-37


Extranet VPN—Overlay
VPN Implementation

Frame Relay VCs


(DLCI)

GlobalMotors Provider IP Backbone

Firewall BoltsAndNuts
Frame Relay
Switch
Firewall Firewall
Frame Relay
Switch

AirFilters Inc. SuperBrakes Inc.

Firewall Frame Relay Frame Relay Firewall


Switch Switch

© 2001, Cisco Systems, Inc. MPLS v1.0—7-38


Extranet VPN—Peer-to-Peer
VPN Implementation

GlobalMotors Provider IP Backbone

PE Router BoltsAndNuts

Firewall PE Router Firewall


PE Router

AirFilters Inc. SuperBrakes Inc.

Firewall PE Router PE Router Firewall

© 2001, Cisco Systems, Inc. MPLS v1.0—7-39


VPN Connectivity
Categorization

VPNs can also be categorized by


the connectivity required between
sites:
• Simple VPN—every site can communicate
with every other site.
• Overlapping VPN—some sites participate
in more than one simple VPN.
• Central Services VPN—all sites can
communicate with central servers, but
not with each other.
• Managed Network—a dedicated VPN is
established to manage CE routers.
© 2001, Cisco Systems, Inc. MPLS v1.0—7-40
Central Services Extranet

Amsterdam Service Provider Extranet Customer A


Infrastructure

VoIP Gateway

London Customer B

VoIP Gateway

Paris Customer C

VoIP Gateway

Service Provider Network

© 2001, Cisco Systems, Inc. MPLS v1.0—7-41


Central Services Extranet—Hybrid
(Overlay + Peer-to-Peer)
Implementation

Amsterdam Service Provider Frame Customer A


Extranet Infrastructure Relay
Infrastructure
VoIP Gateway
PE Router

Frame Relay
PE Router Edge Switch
London Customer B

VoIP Gateway PE Router


Frame Relay
Edge Switch

Paris PE Router Customer C

PE Router Frame Relay


Edge Switch
VoIP Gateway

Service Provider Network Frame Relay VC

© 2001, Cisco Systems, Inc. MPLS v1.0—7-42


Managed Network
Overlay VPN Implementation
Service provider network Remote Site (Spoke)

Central Site (Hub) Remote Site (Spoke)

Redundant Central
Site Router
Remote Site (Spoke)

Redundant Central
Site Router

Dedicated virtual
circuits are used
Network Management Center for network
management.

© 2001, Cisco Systems, Inc. MPLS v1.0—7-43


Summary

After completing this section, you


should be able to perform the following
tasks:
• Identify major VPN topologies
• Describe the implications of using
overlay VPN or peer-to-peer VPN
approach with each topology
• List sample usage scenarios for each
topology
© 2001, Cisco Systems, Inc. MPLS v1.0—7-44
Review Questions

• What are the major Overlay VPN


topologies?
• Why would the customers prefer
partial mesh over full mesh topology?
• What is the difference between an
Intranet and an Extranet?
• What is the difference between a
simple VPN and a Central Services
VPN?
• What are the connectivity
requirements of a Central Services
© 2001, Cisco Systems, Inc. MPLS v1.0—7-45
MPLS VPN
Architecture

© 2001, Cisco Systems, Inc. MPLS v1.0—7-46


Objectives

Upon completion of this section, you


will be able to perform the following
tasks:
• Describe the difference between
traditional peer-to-peer models and
MPLS VPN
• List the benefits of MPLS VPN
• Describe major architectural blocks of
MPLS VPN
• Explain the need for route
distinguisher and route target
© 2001, Cisco Systems, Inc. MPLS v1.0—7-47
MPLS VPN Architecture

MPLS VPN combines the best


features of overlay VPN and peer-
to-peer VPN:
• PE routers participate in customer
routing, guaranteeing optimum
routing between sites and easy
provisioning.
• PE routers carry a separate set of
routes for each customer (similar to
the dedicated PE router approach).
• Customers can use overlapping
addresses.
© 2001, Cisco Systems, Inc. MPLS v1.0—7-48
MPLS VPN Terminology

Customer A
Site #1
Remote
Office

Site #1
P-Network Customer A
Remote CE router Site #4
Office

Customer B
Customer A PE Router P Router PE Router
Site #2
Site #2 POP-X POP-Y

Customer B
Customer A Site #3
Site #3

Customer B
Customer B Site #4
Site #1

© 2001, Cisco Systems, Inc. MPLS v1.0—7-49


PE Router Architecture

Virtual Router for Global IP Router


Customer A
Customer A
Site #1

Virtual IP Routing Global IP


P Router
Customer A Table for Customer A Routing Table
Site #2

Virtual Router for MPLS VPN architecture is very similar


Customer A Customer B to the dedicated PE router peer-to-peer
Site #3
model, but the dedicated per-customer
routers are implemented as virtual
Customer B routing tables within the PE router.
Virtual IP Routing
Site #1 Table for Customer B

PE Router

© 2001, Cisco Systems, Inc. MPLS v1.0—7-50


Routing Information
Propagation Across the P-
Network

IGP for Customer A IGP for Customer A

Customer A IGP for Customer B IGP for Customer B Customer B


IGP for Customer C IGP for Customer C

Customer B Customer C
PE Router X P Router PE Router Y

P-Network
Customer C Customer A

Q: How will PE routers exchange customer routing information?


A1: Run a dedicated Interior Gateway Protocol (IGP) for each
customer across P-network.
Wrong answer:
• The solution does not scale.
• P routers carry all customer routers.
© 2001, Cisco Systems, Inc. MPLS v1.0—7-51
Routing Information
Propagation Across the P-
Network (cont.)
A dedicated routing protocol used
to carry customer routes
Customer A Customer B

Customer B Customer C
PE Router X P Router PE Router Y

P-Network
Customer C Customer A

Q: How will PE routers exchange customer routing information?


: Run a single routing protocol that will carry all customer routes
inside the provider backbone.
Better answer, but still not good enough:
• P routers carry all customer routers.

© 2001, Cisco Systems, Inc. MPLS v1.0—7-52


Routing Information
Propagation Across the P-
Network (cont.)
A dedicated routing protocol used
to carry customer routes between PE routers
Customer A Customer B

Customer B Customer C
PE Router X P Router PE Router Y

P-Network
Customer C Customer A

Q: How will PE routers exchange customer routing information?


3: Run a single routing protocol that will carry all customer routes
between PE routers. Use MPLS labels to exchange packets between
PE routers.
he best answer:
P routers do not carry customer routes; the solution is scalable.
© 2001, Cisco Systems, Inc. MPLS v1.0—7-53
Routing Information
Propagation Across the P-
Network (cont.)
A dedicated routing protocol used
to carry customer routes between PE routers
Customer A Customer B

Customer B Customer C
PE Router X P Router PE Router Y

P-Network
Customer C Customer A

: Which protocol can be used to carry customer routes between PE route


A: The number of customer routes can be very large. BGP is the only
routing protocol that can scale to a very large number of routes.

onclusion:
BGP is used to exchange customer routes directly between PE routers.
© 2001, Cisco Systems, Inc. MPLS v1.0—7-54
Routing Information
Propagation Across the P-
Network (cont.)
A dedicated routing protocol used
to carry customer routes between PE routers
Customer A Customer B

Customer B Customer C
PE Router X P Router PE Router Y

P-Network
Customer C Customer A

Q: Customers can have overlapping address spaces. How will


information about the same subnet of two customers be
propagated via a single routing protocol?
A: Customer addresses are extended with a 64-bit prefix (route
distinguisher—RD) to make them unique. Unique 96-bit
addresses are exchanged between PE routers.

© 2001, Cisco Systems, Inc. MPLS v1.0—7-55


Route Distinguisher

• The RD is a 64-bit quantity prepended to


an IP version 4 (IPv4) address to make
it globally unique.
• The resulting 96-bit address is called a
VPNv4 address.
• VPNv4 addresses are exchanged only
via BGP between PE routers.
• BGP that supports address families
other than IPv4 addresses is called
multiprotocol BGP (MP-BGP).

© 2001, Cisco Systems, Inc. MPLS v1.0—7-56


Route Distinguisher Usage in
an MPLS VPN
A 64-bit Route Distinguisher
is prepended to the
customer IPv4 prefix to
make it globally unique,
resulting in 96-bit VPNv4
prefix.
A 96-bit VPNv4 prefix is
propagated via BGP to the
P-Network other PE router.

Customer A Customer A

PE 1 PE 2
Customer B Customer B
The CE-router sends an IPv4
routing update to the PE-
router.
© 2001, Cisco Systems, Inc. MPLS v1.0—7-57
Route Distinguisher Usage in
an MPLS VPN

The RD is removed from the


VPNv4 prefix, resulting in a 32-
bit IPv4 prefix.

P-Network
Customer A Customer A

PE 1 PE 2
Customer B Customer B
The PE router sends the
resulting IPv4 prefix to the
CE router.
© 2001, Cisco Systems, Inc. MPLS v1.0—7-58
Route Distinguisher Usage in
an MPLS VPN

• The RD has no special meaning—it is


used only to make potentially
overlapping IPv4 addresses globally
unique.
• Simple VPN topologies require one The
RD per customer.
• The RD could serve as a VPN identifier
for simple VPN topologies, but this
design could not support all topologies
required by the customers.
© 2001, Cisco Systems, Inc. MPLS v1.0—7-59
Complex VPN—Sample VoIP
Service

Customer A Customer A
Central Site PE Router X P Router PE Router Y Site 2

Customer B Customer B
Site 2 Central Site

Customer A VoIP VoIP Customer B


Site 1 Gateway P-Network Gateway Site 1

equirements:
All sites of one customer need to communicate.
Central sites of both customers need to communicate with VoIP gateway
and other central sites.
Other sites from different customers do not communicate with each othe

© 2001, Cisco Systems, Inc. MPLS v1.0—7-60


Sample VoIP Service
Connectivity Requirements

VOIP VPN

Customer A
Central Site A Site A-1 Site A-2

POP-X
VoIP
Gateway
POP-Y
VoIP
Gateway
Customer B
Central Site B Site B-1 Site B-2

© 2001, Cisco Systems, Inc. MPLS v1.0—7-61


Route Targets

• Some sites have to participate in more


than one VPN—RD cannot identify
participation in more than one VPN.
• A different method is needed in which a
set of identifiers can be attached to a
route.
• RDs were introduced in the MPLS VPN
architecture to support complex VPN
topologies.

© 2001, Cisco Systems, Inc. MPLS v1.0—7-62


What Are Route Targets?

• Route targets (RTs) are additional


attributes attached to VPNv4 BGP
routes to indicate VPN membership.
• Extended BGP communities are used to
encode these attributes.
• Extended communities carry the meaning of
the attribute together with its value.
• Any number of RTs can be attached to a
single route.

© 2001, Cisco Systems, Inc. MPLS v1.0—7-63


How Do Route Targets Work?

• Export RTs identifying VPN membership


are appended to the customer route
when it is converted into a VPNv4
route.
• Each virtual routing table has a set of
associated import RTs that select
routes to be inserted into the virtual
routing table.
• Route targets usually identify VPN
membership, but they can also be used
in more complex scenarios.
© 2001, Cisco Systems, Inc. MPLS v1.0—7-64
Virtual Private Networks
Redefined

With the support of complex VPN


topologies, VPNs have to be
redefined
• A VPN is a collection of sites
sharing common routing
information.
• A site can be part of different
VPNs.
• A VPN can be seen as a community
of interest (closed user group—
CUG).
© 2001, Cisco Systems, Inc. MPLS v1.0—7-65
Impact of Complex VPN
Topologies on Virtual Routing
Tables

• A virtual routing table in a PE router can


be used only for sites with identical
connectivity requirements.
• Complex VPN topologies require more
than one virtual routing table per VPN.
• As each virtual routing table requires a
distinct RD value, the number of RDs in
the MPLS VPN network increases.

© 2001, Cisco Systems, Inc. MPLS v1.0—7-66


Sample VoIP Service
Virtual Routing Tables
Site A-1 and A-2 can
share the same routing
VoiceIP VPN
table.
Customer A
Central Site A Site A-1 Site A-2
Central Site A needs
POP-X its own routing table.
VoIP
Gateway Voice gateways can
POP-Y share routing tables.
VoIP
Gateway Central Site B needs
its own routing table.

Central Site B Site B-1 Site B-2


Site B-1 and B-2 can
Customer B
share the same routing
table.
© 2001, Cisco Systems, Inc. MPLS v1.0—7-67
Benefits of MPLS VPN
Technology

MPLS VPN technology has all the


benefits of
peer-to-peer VPN technology:
• Easy provisioning
• Optimal routing
It also bypasses most drawbacks of
traditional peer-to-peer VPN
technologies:
• RDs enable overlapping customer address
spaces.
• RTs enable topologies that were hard to
implement with other VPN technologies.
© 2001, Cisco Systems, Inc. MPLS v1.0—7-68
Summary

After completing this section, you


should be able to perform the following
tasks:
• Describe the difference between
traditional peer-to-peer models and MPLS
VPN
• List the benefits of MPLS VPN
• Describe major architectural blocks of
MPLS VPN
• Explain the need for route distinguishers
and route targets
© 2001, Cisco Systems, Inc. MPLS v1.0—7-69
Review Questions

• How does MPLS VPN support overlapping


customer address spaces?
• How are customer routes exchanged across
the P-network?
• What is a route distinguisher?
• Why is the RD not usable as VPN identifier?
• What is a route target?
• Why were the route targets introduced in MPLS
VPN architecture?
• How are route targets used to build virtual
routing tables in the PE routers?
• What is the impact of complex VPN topologies
on virtual routing tables in the PE routers?
© 2001, Cisco Systems, Inc. MPLS v1.0—7-70
MPLS VPN Routing
Model

© 2001, Cisco Systems, Inc. MPLS v1.0—7-71


Objectives

Upon completion of this section, you


will be able to perform the following
tasks:
• Describe the routing model of MPLS
VPN
• Describe the MPLS VPN routing model
from customer and provider
perspectives
• Identify the routing requirements of CE-
routers, PE-routers and P-routers

© 2001, Cisco Systems, Inc. MPLS v1.0—7-72


MPLS VPN Routing
Requirements

• Customer routers (CE routers) have to


run standard IP routing software.
• Provider core routers (P routers) have
no VPN routes.
• Provider edge routers (PE routers) have
to support MPLS VPN and Internet
routing.

© 2001, Cisco Systems, Inc. MPLS v1.0—7-73


MPLS VPN Routing—
CE Router Perspective

MPLS VPN Backbone


CE router

PE router
CE router

The CE routers run standard IP routing


software and exchange routing updates with
the PE router.
• External BGP (EBGP), Open Shortest Path First
(OSPF), RIP version 2 (RIPv2), and static routes
are supported.
The PE router appears as another router in the
© 2001, Cisco Systems, Inc. MPLS v1.0—7-74
MPLS VPN Routing—
Overall Customer
Perspective
BGP Backbone

PE router PE router

CE router
Site IGP Site IGP Site IGP

To the customer, the PE routers appear as core


routers connected via a BGP backbone.
The usual BGP and IGP design rules apply.
The P routers are hidden from the customer.

© 2001, Cisco Systems, Inc. MPLS v1.0—7-75


MPLS VPN Routing—
P Router Perspective

MPLS VPN Backbone

PE router P router PE router

•P routers do not participate in MPLS VPN


routing and do not carry VPN routes.
•P routers run backbone IGP with the PE routers
and exchange information about global subnets
(core links and loopbacks).

© 2001, Cisco Systems, Inc. MPLS v1.0—7-76


MPLS VPN Routing—
PE Router Perspective
MPLS VPN Backbone
CE Router MP-BGP CE Router

VPN Routing VPN Routing


PE Router P Router PE Router
Core IGP Core IGP
CE Router CE Router

PE routers:
• Exchange VPN routes with CE routers via per-VPN
routing protocols
• Exchange core routes with P routers and PE-
routers via core IGP
• Exchange VPNv4 routes with other PE routers via
MP- IBGP sessions

© 2001, Cisco Systems, Inc. MPLS v1.0—7-77


MPLS VPN Support for
Internet Routing
MPLS VPN Backbone
CE router IPv4 BGP for Internet CE Router

PE Router P Router PE Router


Core IGP Core IGP
CE Router CE Router

PE routers can run standard IPv4 BGP in the global


routing table:
• PE routers exchange Internet routes with other PE
routers.
• CE routers do not participate in Internet routing.
• P routers do not need to participate in Internet routing.

© 2001, Cisco Systems, Inc. MPLS v1.0—7-78


Routing Tables on PE Routers

MPLS VPN Backbone


VPN routing
CE Router MP-BGP VPN routing CE Router

PE Router P Router PE Router


Core IGP Core IGP
CE Router CE Router
IPv4 BGP for Internet

PE routers contain a number of routing tables:


• Global routing table that contains core routes (filled with
core IGP) and Internet routes (filled with IPv4 BGP).
• VRF tables for sets of sites with identical routing
requirements.
• VRFs filled with information from CE routers and MP-BGP
information from other PE routers.

© 2001, Cisco Systems, Inc. MPLS v1.0—7-79


MPLS VPN End-to-End
Routing Information Flow
(1/3)
MPLS VPN Backbone
CE Router CE Router

IPv4 Update
PE Router P Router PE Router

CE Router CE Router

PE routers receive IPv4 routing updates


from CE routers and install them in the
appropriate VRF table.

© 2001, Cisco Systems, Inc. MPLS v1.0—7-80


MPLS VPN End-to-End
Routing Information Flow
(2/3)
MPLS VPN Backbone
CE Router CE Router

IPv4 Update MP-BGP Update


PE Router P Router PE Router

CE Router CE Router

• PE routers export VPN routes from VRF tables


into MP-BGP and propagate them as VPNv4
routes to other PE routers.
• A full mesh of MP-IBGP sessions is needed
between PE routers.

© 2001, Cisco Systems, Inc. MPLS v1.0—7-81


MP-BGP Update

An MP-BGP update contains:


• VPNv4 address
• Extended communities
(route targets, optionally Site-of-
Origin, or SOO)
• Label used for VPN packet forwarding
• Any other BGP attribute (for example,
AS path, local preference, multi-exit
discriminator (MED), standard
community)

© 2001, Cisco Systems, Inc. MPLS v1.0—7-82


MP-BGP Update—
VPNv4 Address

A VPN IPv4 address contains:


• RD
• 64 bits
• Makes the IPv4 route globally unique
• RD is configured in the PE for each
VRF
• RD may or may not be related to a site
or a VPN
• IPv4 address (32 bits)

© 2001, Cisco Systems, Inc. MPLS v1.0—7-83


MP-BGP Update—
Extended Communities
64-bit attribute attached to a route
Set of communities can be attached to a
single route
High-order 16 bits identify extended
community type
• RT: identifies the set of sites to which
the route must be advertised
• SOO: identifies the originating site
• OSPF route type: identifies the link-
state advertisement (LSA) type of OSPF
route redistributed into MP-BGP
© 2001, Cisco Systems, Inc. MPLS v1.0—7-84
Extended BGP Community
Display Format

Two display formats are


supported:
• <16bits type>:<ASN>:<32 bit
number>
-Uses registered AS number
• <16bits type>:<IP address>:<16
bit number>
-Uses registered IP address

© 2001, Cisco Systems, Inc. MPLS v1.0—7-85


MPLS VPN End-to-End
Routing Information Flow
(3/3)
MPLS VPN Backbone
CE Router CE Router

MP-BGP Update
PE Router P Router PE Router

CE Router CE Router

• Receiving PE router imports incoming VPNv4


routes into the appropriate VRF based on
route targets attached to the routes
• Routes installed in VRF are propagated to CE
routers

© 2001, Cisco Systems, Inc. MPLS v1.0—7-86


Route Distribution to
CE Routers

Route distribution to sites is driven


by the SOO and RT EBGP
communities.
A route is installed in the site VRF
that matches the RT attribute.
• A PE router that connects sites
belonging to multiple VPNs will
install the route into the site VRF if
the RT attribute contains one or
more VPNs to which the site is
associated.
© 2001, Cisco Systems, Inc. MPLS v1.0—7-87
Summary

After completing this section, you


should be able to perform the following
tasks:
• Describe the routing model of MPLS
VPN
• Describe the MPLS VPN routing model
from customer and provider
perspective
• Identify the routing requirements of
CE-routers, PE-routers and P-routers
© 2001, Cisco Systems, Inc. MPLS v1.0—7-88
Review Questions

• What is the impact of MPLS VPN on CE-


routers?
• What is the customer’s perception of end-to-
end MPLS VPN routing?
• What is the P-router perception of end-to-end
MPLS VPN routing?
• How many routing tables does a PE-router
have?
• How many routing tables reside on a P-
router?
• Which routing protocols fill the global routing
table of a PE-router?
• Which routing protocols fill the Virtual
© 2001, Cisco Systems, Inc. MPLS v1.0—7-89
More Review Questions

• How is the Internet routing supported by


MPLS VPN architecture?
• How is the VPN routing information
exchanged between the PE-routers?
• Which attributes are always present in a
MP-BGP update?
• Which attributes can be optionally present
in a MP-BGP update?
• Which BGP attributes drive the import of
VPNv4 route into a VRF?
• Which BGP attributes control the VPN route
distribution toward CE-routers?
© 2001, Cisco Systems, Inc. MPLS v1.0—7-90
MPLS VPN Packet
Forwarding

© 2001, Cisco Systems, Inc. MPLS v1.0—7-91


Objectives

Upon completion of this section, you


will be able to perform the following
tasks:
• Describe the MPLS VPN forwarding
mechanisms
• Describe the VPN and backbone label
propagation
• Explain the need for end-to-end LSP
between PE routers
• Explain the implications of BGP next-hop
on MPLS VPN forwarding

© 2001, Cisco Systems, Inc. MPLS v1.0—7-92


VPN Packet Forwarding
Across an MPLS VPN
Backbone
MPLS VPN Backbone
CE Router IP CE Router

IP
Ingress PE P Router P Router Egress
Router PE
Router
CE Router CE Router

Q: How will the PE routers forward the VPN packets across the
MPLS VPN backbone?
A1: They will forward pure IP packets.

Wrong answers:
P routers do not have VPN routes; the packet is dropped on IP lookup.
How about using MPLS for packet propagation across the backbone?

© 2001, Cisco Systems, Inc. MPLS v1.0—7-93


VPN Packet Forwarding
Across an MPLS VPN
Backbone
MPLS VPN Backbone
IP L1 IP L2 IP L3
CE Router CE Router

IP
Ingress P Router P Router Egress
PE PE
Router Router
CE Router CE Router
Q: How will the PE routers forward the VPN packets across the MPLS
VPN backbone?
A2: They will label the VPN packets with a label distribution protocol (LDP)
label for the egress PE router and forward the labeled packets across
the MPLS backbone.
Better answers:
The P routers perform the label switching and the packet reaches the
egress PE router.
However, the egress PE router does not know which VRF to use for packet
switching, so the packet is dropped.
How about using a label stack?
© 2001, Cisco Systems, Inc. MPLS v1.0—7-94
VPN Packet Forwarding
Across an MPLS VPN
Backbone
MPLS VPN Backbone
IP V L1 IP V L2 IP V L3
CE Router CE Router
IP
IP
Ingress P Router P Router Egress
PE PE
Router Router
CE Router CE Router

: How will the PE routers forward the VPN packets across the MPLS VPN backbon
3: They will label the VPN packets with a label stack, using the LDP label for the
egress PE router as the top label and the VPN label assigned by the egress PE
router as the second label in the stack.

orrect answers:
The P routers perform label switching and the packet reaches the egress
PE router.
The egress PE router performs a lookup on the VPN label and forwards the packet
toward the CE router.
© 2001, Cisco Systems, Inc. MPLS v1.0—7-95
VPN Packet Forwarding—
Penultimate Hop Popping
MPLS VPN Backbone
IP V L1 IP V L2 IP V
CE Router CE Router
IP
IP
Ingress P Router P Router Egress
PE PE
Router Router
CE Router CE Router

• Penultimate hop popping on the LDP label can be


performed on the last P router.
The egress PE router performs label lookup only on the
VPN label, resulting in faster and simpler label lookup.
• IP lookup is performed only once—in the ingress PE
router.
© 2001, Cisco Systems, Inc. MPLS v1.0—7-96
VPN Label Propagation

MPLS VPN Backbone


CE Router CE Router

Ingress P Router P Router Egress


PE PE
Router Router
CE Router CE Router

: How will the ingress PE router get the second label in the label stack
from the egress PE router?

A: Labels are propagated in MP BGP VPNv4 routing updates.

© 2001, Cisco Systems, Inc. MPLS v1.0—7-97


VPN Label Propagation

MPLS VPN Backbone


CE Router CE Router

Ingress P Router P Router Egress


PE PE
Router Router
CE Router CE Router

Step #1: A VPN label is assigned to every VPN route by the egress
PE router.

Egress-PE#show tag-switching forwarding vrf SiteA2


Local Outgoing Prefix Bytes tag Outgoing Next Hop
tag tag or VC or Tunnel Id switched interface
26 Aggregate 150.1.31.36/30[V] 0
37 Untagged 203.1.2.1/32[V] 0 Se1/0.20 point2point
38 Untagged 203.1.20.0/24[V] 0 Se1/0.20 point2point

© 2001, Cisco Systems, Inc. MPLS v1.0—7-98


VPN Label Propagation

MPLS VPN Backbone


CE Router CE Router

Ingress P Router P Router Egress


PE PE
Router Router
CE Router CE Router

Step #2: The VPN label is advertised to all other PE routers in an MP-BGP
update.

Ingress-PE#show ip bgp vpnv4 all tags


Network Next Hop In tag/Out tag
Route Distinguisher: 100:1 (vrf1)
12.0.0.0 10.20.0.60 26/notag
10.20.0.60 26/notag
203.1.20.0 10.15.0.15 notag/38

© 2001, Cisco Systems, Inc. MPLS v1.0—7-99


VPN Label Propagation

MPLS VPN Backbone


CE Router CE Router

Ingress P Router P Router Egress


PE PE
Router Router
CE Router CE Router

Step #3: A label stack is built in VFR table.


Ingress-PE#show ip cef vrf Vrf1 203.1.20.0 detail
203.1.20.0/24, version 57, cached adjacency to Serial1/0.2
0 packets, 0 bytes
tag information set
local tag: VPN-route-head
fast tag rewrite with Se1/0.2, point2point, tags imposed: {26 38}
via 192.168.3.103, 0 dependencies, recursive
next hop 192.168.3.10, Serial1/0.2 via 192.168.3.103/32
valid cached adjacency
tag rewrite with Se1/0.2, point2point, tags imposed: {26 38}

© 2001, Cisco Systems, Inc. MPLS v1.0—7-100


Effects of MPLS VPN Label
Propagation
The VPN label must be assigned by the BGP
next hop.
The BGP next hop should not be changed in the
MP-IBGP update propagation.
• Do not use next-hop-self on confederation
boundaries.
The PE router must be the BGP next hop.
• Use next-hop-self on the PE router.
The label must be reoriginated if the next hop is
changed.
• A new label is assigned every time the MP-BGP
update crosses the AS boundary where the next
hop is changed.
• This functionality is supported by Cisco IOS
© 2001, Cisco Systems, Inc. MPLS v1.0—7-101
Effects of MPLS VPN Packet
Forwarding

The VPN label is understood only by the


egress PE router.
An end-to-end LSP tunnel is required
between the ingress and egress PE
routers.
BGP next hops must not be announced
as BGP routes.
LDP labels are not assigned to BGP
routes.
BGP next hops announced in IGP must
not be summarized in the core network.

© 2001, Cisco Systems, Inc. MPLS v1.0—7-102
VPN Packet Forwarding
with Summarization in the Core
P router is faced with
P router performs a VPN label it does not
penultimate hop understand
popping
MPLS VPN Backbone
IP V L1 IP V
CE Router CE Router

IP
Ingress P Router P Router Egress PE
PE P router
Router summarizes PE
CE Router CE-router
loopback
Penultimate hop
popping is requested
through LDP
PE router builds a label stack and
forwards labeled packet toward
egress PE router
© 2001, Cisco Systems, Inc. MPLS v1.0—7-103
Summary

After completing this section, you


should be able to perform the
following tasks:
• Describe the MPLS VPN forwarding
mechanisms
• Describe the VPN and backbone label
propagation
• Explain the need for end-to-end LSP
between PE routers
• Explain the implications of BGP next-
hop on MPLS VPN forwarding
© 2001, Cisco Systems, Inc. MPLS v1.0—7-104
Review Questions

• How are VPN packets propagated across MPLS


VPN backbone?
• How can P-routers forward VPN packets if they
don’t have VPN routes?
• How is the VPN label propagated between PE-
routers?
• Which router assigns the VPN label?
• How is the VPN label used on other PE-routers?
• What is the impact of changing BGP next-hop
on MP-BGP update?
• How are MP-BGP updates propagated across
AS boundary?
• What is the impact of BGP next-hop
summarization in the network core?
© 2001, Cisco Systems, Inc. MPLS v1.0—7-105
Summary

After completing this lesson, you should be


able to perform the following tasks:
• Identify major Virtual Private network
topologies, their characteristics and usage
scenarios
• Describe the differences between overlay VPN
and peer-to-peer VPN
• List major technologies supporting overlay
VPNs and peer-to-peer VPNs
• Position MPLS VPN in comparison with other
peer-to-peer VPN implementations
• Describe major architectural blocks of MPLS
VPN
• Describe MPLS VPN routing model and packet
© 2001, Cisco Systems, Inc. MPLS v1.0—7-106
© 2000, Cisco Systems, Inc. www.cisco.co Chapter#-107
Blank for Pagination

© 2001, Cisco Systems, Inc. MPLS v1.0—7-108