ISSUE 2.0
VPN Classification
Figure: VPN classification tree. VPN → IP-VPN, which is divided into CPE-Based VPN and Network-Based VPN. Service types listed: VLL, VPRN, VPDN, VPLS. Also listed: MPLS/BGP VPN, VR-VPN.
IP-VPN: Emulation of dedicated line services (such as remote dial-up and DDN) and of private LAN interconnection over IP facilities (the public Internet, a private IP backbone network, etc.).
Network-Based IP-VPN: The case where VPN-related maintenance is contracted out to the operator (the user may still perform certain service management and control) and the VPN functions are implemented centrally on the network-side equipment.
Tunnel: A technology that uses one protocol to carry another protocol; this function is mainly implemented by a tunnel protocol.
Virtual Leased Line (VLL): It provides point-to-point connection service between two pieces of CPE equipment for the user via the edge node of the operator.
Virtual Private Dial Network (VPDN): The remote user dials in to the public IP network via PSTN/ISDN, and the data packets cross the public network through a tunnel to the destination network.
Virtual Private LAN Segment (VPLS): A virtual way of building a LAN over public IP resources. The networking is based on the
Virtual Private Routed Network (VPRN): An emulation of multi-site wide-area routed network services over the public IP network; VPN data packets are forwarded at the network layer.
Figure: CPE-based VPN example. HQ1 (LAN 10.0.0.0/24) and HQ2 (LAN 10.0.1.0/24, hosts 10.0.1.1 and 10.0.1.2) are connected by a GRE tunnel across the operator network; the access routers attach over /30 links (129.0.0.0/30, 129.0.1.0/30, 129.0.2.0/30, 129.0.3.0/30).
To construct such a network, only the access router of each site needs to be configured.
The operator network does not need to know the internal routes of the VPN, and different VPNs can use the same address space. The drawback is low forwarding efficiency.
Figure: MPLS/BGP VPN topology. CE routers at the sites of VPN_A and VPN_B (address blocks 10.1.0.0, 10.2.0.0, 10.3.0.0, 11.5.0.0, 11.6.0.0; overlapping blocks such as 10.2.0.0 appear in both VPNs) connect to PE routers. P routers form the backbone core, and the PE routers exchange VPN routes over iBGP sessions.
CE (Customer Edge): The user equipment directly connected with the service provider.
PE (Provider Edge Router): The edge router on the backbone network, connected with CE and mainly responsible for access of the VPN service.
P (Provider Router): The core router on the backbone network, mainly responsible
Figure: Network Topology-1 (Intranet): sites site1, site2, site3, site10, site20, site30. Network Topology-2 (Extranet): sites site1, site2, site3, site4, site5.
In this network structure, the service provider provides VPN services to users, who do not perceive the public network at all; it is as if they had their own separate network resources.
The P router is only responsible for data transmission inside the backbone network and does not need to know that VPNs exist. However, it must support and enable the MPLS protocol.
implemented on PE.
Network configuration is simple: the existing routing protocols can be used directly without any change. An MPLS VPN network scales well, and VPNs with QoS and TE can be implemented.
Figure: Site-1 of VPNA and Site-1 of VPNB each attach through a CE router to the PE.
PE and CE routers exchange routing information via EBGP, RIP or static routes. The CE runs a standard routing protocol.
The PE maintains separate routing tables for the public network and the private networks.
The public-network routing table includes the routes of all PE and P routers and is generated by the backbone IGP of the VPN.
The VRF (VPN routing and forwarding table) holds the routing and forwarding tables for one or more directly connected CEs. A VRF can be bound to any type of interface. If the directly connected sites belong to the same VPN, their interfaces can use the same VRF.
VRF
A VRF is associated with a set of interfaces and has a forwarding table based on those interfaces. A set of rules controls the import of routes into the VPN and the export of routes from it. Routes can be redistributed into the VRF routing table from several routing protocols (static routes, a RIP instance, BGP). The VRF is configured on the PE and exchanges routes with the CE. Its routes exist independently in the VRF routing table (the private-network routing table).
The PE maintains a separate forwarding table for each site, so each site has a unique VRF. If (and only if) two sites have identical forwarding tables, they share a VRF. The interface or sub-interface connected to the CE is mapped to a VRF. The routes in a VRF are distributed to the sites (usually connected to other PEs) that belong to the same VPN.
Figure: CE Router - PE - P Router - PE - CE Router. Each CE attaches a Site; the two PEs exchange VPN routes via MP-iBGP across the P router.
The PE router distributes the local VPN route information via the MPLS/VPN backbone network.
The transmitting PE exports the local VRF routes via MP-iBGP (with the export-target attribute).
MBGP
BGP-4 only supports IPv4; it is extended to MBGP to carry routing information for more protocols (IPv6, IPX, etc.).
MBGP: MP_REACH_NLRI
MBGP: MP_UNREACH_NLRI
The label mapping information is carried in the MP_REACH_NLRI attribute. The Address Family Identifier (AFI) and Subsequent Address Family Identifier (SAFI) together indicate the address family of the reachability information announced by the attribute. AFI 1 with SAFI 128 indicates that the information that follows is VPN-IPv4 reachability information together with the bound MPLS label.
Length of Nexthop Network Address and Network Address of Nexthop refer to the next hop of the route information. The rule to determine the next hop obeys the usual next hop rule of BGP.
To enable different VPNs to use the same address space, a new address family, i.e. VPNv4, is introduced. The original standard address family is called IPv4.
VPNv4 address family mainly serves to transfer VPN routes between PE routers.
The RD is unique across VPNs. If two VPNs use the same IP address, the PE router prepends different RDs to them, turning each address into a unique VPN-v4 address without any address-space conflict. The standard route the PE receives from the CE is an IPv4 route; to import it into the VRF routing table and distribute it to other routers, an RD is needed. It is recommended that all sites of the same VPN be configured with the same RD.
MPLS/VPN RD
RD structure (8 bytes):
  TYPE (2 bytes) | Administrator Field | Assigned Number Field
  Administrator = 2-byte ASN,        Assigned Number = 4-byte number
  Administrator = 4-byte IP address, Assigned Number = 2-byte number
RD format:
  16-bit Autonomous System Number (ASN):32-bit user-defined number, e.g. 100:1
  32-bit IP address:16-bit customized number, e.g. 172.1.1.1:1
Usually, each site is assigned a unique RD, which identifies its VRF. Difference between the public-network routing table and the private-network routing table:
The public-network routing table is generated from IGP routes and may include BGP-4 (IPv4) routes, but never VPN routes. A VRF routing table contains the routes of a specific VPN: routes redistributed from MP-iBGP into the VRF, or routes learned from the CE by the VRF routing instance.
Multiple labels can be stacked. The first 20 bits of each label entry are the label field; of the last 4 bits, the first three are the EXP field
Note that this label must be assigned by the LSR referred to in the NextHop of the MP_REACH_NLRI attribute.
Re-distribute a different route (and a new Label) for the same destination. Use the Withdraw message to include the destination in MP_UNREACH_NLRI.
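As an added example that is not part of the original slides, the following Python encodes and decodes a labelled VPN-IPv4 NLRI as carried in MP_REACH_NLRI with AFI 1 / SAFI 128, using both RD formats from the slide (100:1 and 172.1.1.1:1) and the slide's prefix 149.27.2.0/24 with label 28; the field layout (1-byte length in bits, 3-byte label entry, 8-byte RD, prefix bytes) follows RFC 4364, and the RD type numbers 0 and 1 are the standard ones.

```python
import ipaddress
import struct

def encode_rd(rd: str) -> bytes:
    """Route Distinguisher, 8 bytes: 2-byte type + administrator + assigned number.
    Type 0: 16-bit ASN : 32-bit number (e.g. 100:1).
    Type 1: 32-bit IPv4 address : 16-bit number (e.g. 172.1.1.1:1)."""
    admin, assigned = rd.rsplit(":", 1)
    if "." in admin:
        return struct.pack("!H4sH", 1, ipaddress.IPv4Address(admin).packed, int(assigned))
    return struct.pack("!HHI", 0, int(admin), int(assigned))

def decode_rd(data: bytes) -> str:
    rd_type = struct.unpack("!H", data[:2])[0]
    if rd_type == 0:
        asn, num = struct.unpack("!HI", data[2:8])
        return f"{asn}:{num}"
    if rd_type == 1:
        addr, num = struct.unpack("!4sH", data[2:8])
        return f"{ipaddress.IPv4Address(addr)}:{num}"
    raise ValueError(f"unsupported RD type {rd_type}")

def encode_label(label: int, exp: int = 0) -> bytes:
    """3-byte label entry: 20-bit label, 3-bit EXP, 1 bottom-of-stack bit.
    The VPN label carried in the NLRI is the only entry, so S is set."""
    return struct.pack("!I", (label << 4) | (exp << 1) | 1)[1:]

def encode_vpnv4_nlri(label: int, rd: str, prefix: str) -> bytes:
    """NLRI = length in bits (1 byte) | label (3) | RD (8) | prefix bytes."""
    net = ipaddress.IPv4Network(prefix)
    nbytes = (net.prefixlen + 7) // 8           # prefix is sent in whole bytes
    length_bits = 24 + 64 + net.prefixlen
    return (bytes([length_bits]) + encode_label(label) + encode_rd(rd)
            + net.network_address.packed[:nbytes])

def decode_vpnv4_nlri(data: bytes):
    """Return (label, rd, prefix, bytes_consumed) for the first NLRI in data."""
    prefixlen = data[0] - 88                    # strip the 24 label + 64 RD bits
    label = int.from_bytes(data[1:4], "big") >> 4
    rd = decode_rd(data[4:12])
    nbytes = (prefixlen + 7) // 8
    addr = ipaddress.IPv4Address(data[12:12 + nbytes] + bytes(4 - nbytes))
    return label, rd, f"{addr}/{prefixlen}", 12 + nbytes
```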
Figure: the PE receives a route from CE-1 (Beijing) and advertises it towards the PE serving CE-2 (Shanghai).
The PE converts the IPv4 route (held in the VRF routing table) received from the CE into a VPN-v4 route; attaches the RD and RT according to the configuration; sets the next hop to itself (its loopback); assigns a label based on the interface; and finally sends the MP-iBGP update to all PE neighbors.
Figure: MP-iBGP update from the PE serving Beijing (CE-1):
  VPN-v4 update: RD:1:27:149.27.2.0/24, Next-hop=PE-1, RT=VPN-A, Label=(28)
The PE receives the update, converts the VPN-v4 address back into an IPv4 address, installs it into the VRF VPN-A (RT=VPN-A) routing table, and then advertises it to the CE.
When receiving MP-iBGP updates of VPN-IPv4 routes, the receiving PE checks whether the export RT carried by the route matches the import RT of a local VRF. If yes, it will be
Figure: VPN A across the MPLS/VPN backbone. Site-1 & Site-2 routes (RT=VPN-A) and Site-3 & Site-4 routes (RT=VPN-A) are exchanged between the PEs via MP-iBGP through the P router.
Figure: LSP from PE-1 through the P router to the egress PE loopback 197.26.15.1/32 (VPN sites Beijing and Shanghai, VPN prefix 149.27.2.0/24). LDP label advertisements: the egress PE advertises "Use label implicit-null for destination 197.26.15.1/32"; the P router advertises "Use label 41 for destination 197.26.15.0/24". Resulting LFIB entries:
  PE-1:      FEC 197.26.15.1/32   In Label -    Out Label 41
  P router:  FEC 197.26.15.1/32   In Label 41   Out Label POP
  Egress PE: FEC 197.26.15.1/32   In Label -    Out Label -
PE and P routers obtain reachability to the BGP next hop through the backbone IGP.
They run the IGP and LDP to distribute labels and establish LSPs, which yields an LSP to the BGP next hop.
The label stack is used for packet forwarding: the outer-layer label indicates how to reach the BGP next hop, and the inner-layer label indicates the outgoing interface of the packet or the VRF (VPN) it belongs to.
MPLS nodes forward on the outer-layer label only, regardless of the inner-layer label.
When the ingress PE receives an ordinary IP packet from the CE, it forwards the packet according to the VPN forwarding table of the VRF to which the ingress interface belongs, looking up the next hop and the labels there.
Figure: forwarding a packet for 149.27.2.27 (Shanghai, 149.27.2.0/24) from Beijing.
  Ingress PE-1, VPN-A VRF: 149.27.2.0/24, NH=197.26.15.1, Label=(28)
  Ingress PE-1 LFIB:       FEC 197.26.15.1/32, Out Label 41
  P router LFIB:           FEC 197.26.15.1/32, In Label 41, Out Label POP
Packet at each hop: CE -> PE-1: 149.27.2.27 | PE-1 -> P: 41 28 149.27.2.27 | P -> egress PE: 28 149.27.2.27 | egress PE -> CE: 149.27.2.27
The penultimate hop router pops the outer-layer label and sends the packet to the egress PE according to the next hop.
The egress PE router determines the destination CE from the inner-layer label.
It pops the inner-layer label and forwards the packet to the destination CE as an ordinary IP packet.
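As an added example that is not part of the original slides, this Python walks one packet for 149.27.2.27 through the three forwarding stages just described, using the label values from the figures (outer label 41 towards the egress PE loopback 197.26.15.1/32, inner VPN label 28, implicit-null at the penultimate hop); the table contents and interface names are constructed for the example.

```python
import ipaddress

IMPLICIT_NULL = 3  # reserved label: "pop instead of swap" (penultimate hop popping)

# Ingress PE-1 (constructed from the figures): the VRF route learned via
# MP-iBGP carries the inner VPN label; the LFIB entry for the BGP next hop,
# learned via LDP, gives the outer transport label.
VRF_VPN_A = {"149.27.2.0/24": {"nexthop": "197.26.15.1", "vpn_label": 28}}
PE1_LFIB = {"197.26.15.1/32": {"out_label": 41, "out_if": "to-P"}}
# P router: in-label 41 maps to the implicit-null advertised by the egress PE.
P_LFIB = {41: {"out_label": IMPLICIT_NULL, "out_if": "to-egress-PE"}}
# Egress PE: the inner label alone selects the VRF / outgoing CE interface.
EGRESS_VPN_LABELS = {28: {"vrf": "VPN-A", "out_if": "to-CE-Shanghai"}}

def ingress_pe(dst_ip: str) -> dict:
    """Look the destination up in the VRF, then push [outer, inner]."""
    for prefix, route in VRF_VPN_A.items():
        if ipaddress.ip_address(dst_ip) in ipaddress.ip_network(prefix):
            transport = PE1_LFIB[route["nexthop"] + "/32"]
            return {"dst": dst_ip, "out_if": transport["out_if"],
                    "labels": [transport["out_label"], route["vpn_label"]]}
    raise LookupError(f"no VRF route for {dst_ip}")

def p_router(pkt: dict) -> dict:
    """Forward on the outer label only; never inspect the inner label."""
    entry = P_LFIB[pkt["labels"][0]]
    rest = pkt["labels"][1:]
    labels = rest if entry["out_label"] == IMPLICIT_NULL else [entry["out_label"], *rest]
    return {**pkt, "labels": labels, "out_if": entry["out_if"]}

def egress_pe(pkt: dict) -> dict:
    """Pop the inner label, pick the VRF/CE it identifies, hand on plain IP."""
    entry = EGRESS_VPN_LABELS[pkt["labels"][0]]
    return {"dst": pkt["dst"], "labels": pkt["labels"][1:],
            "vrf": entry["vrf"], "out_if": entry["out_if"]}

def forward(dst_ip: str):
    """Run the packet through all three stages; return the final packet and a
    per-hop trace of the label stack as it leaves each node."""
    trace = []
    pkt = ingress_pe(dst_ip)
    trace.append(("PE-1", list(pkt["labels"])))
    pkt = p_router(pkt)
    trace.append(("P", list(pkt["labels"])))
    pkt = egress_pe(pkt)
    trace.append(("egress PE", list(pkt["labels"])))
    return pkt, trace
```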
Figure: Inter-AS MPLS VPN between AS100 and AS200, serving VPN-A (Site1, Site2, Site3, Site4) and VPN-B. Two arrangements are drawn: the ASBRs of the two ASes connected as PE/CE pairs ("VRF to VRF"), or the ASBRs exchanging VPN routes over MP-EBGP. Within each AS the PEs run MP-IBGP and MPLS LDP. Packets towards 172.1.1.1 (Site1/Site2, 172.1.1.0/24) are shown with their label stacks at each hop, e.g. 30 20 172.1.1.1 and 10 18 172.1.1.1 in one arrangement, 30 100 172.1.1.1 and 10 200 172.1.1.1 in the other.
In an MPLS VPN, some sites require access to the Internet. To access the Internet, the following conditions must be met:
A route to the Internet is available at the site, and the site is reachable from any place on the Internet.
Figure: Internet access from an MPLS VPN. Site-1 (network 171.68.0.0/16) and Site-2 (VPN-A) attach to PEs over Serial0; an Internet gateway PE (PE-IG, 192.168.1.2) connects to the Internet (192.168.1.1) and is reached over MP-BGP. Static routes shown:
  ip route-static 171.68.0.0 255.255.0.0 Serial0
  ip route-static vpn-instance VPN-A 0.0.0.0 0.0.0.0 192.168.1.1 public
An IP packet with D=huawei.com follows the default route through PE-IG to the Internet. In the second variant the CE link is split into sub-interfaces Serial0.1 and Serial0.2, and the CE routing table sends Site-2 routes ----> Serial0.1 and Internet routes ---> Serial0.2.
Summary