Bgp Mpls VPN Principle
-
8/13/2019 Bgp Mpls VPN Principle
1/41
HUAWEI TECHNOLOGIES CO., LTD.
www.huawei.com
HUAWEI Confidential
Security Level:
BGP MPLS VPN Principle
ISSUE 1.0
-
This course mainly introduces the BGP/MPLS VPN principle and the packet forwarding process.
-
Reference Material
VRP 3.30 / 5.10 Operation Guide and Command Guide
Troubleshooting Guide
-
After completing this course, you should be able to:
Understand the BGP/MPLS VPN principle
Understand the BGP/MPLS VPN forwarding process
-
Chapter 1 BGP MPLS VPN Overview
Chapter 2 BGP MPLS VPN Routing Exchange
Chapter 3 BGP MPLS VPN Label Switching
-
VPN Structure
[Figure: VPN structure. CE routers of VPN_A and VPN_B (sites 10.1.0.0, 10.2.0.0, 10.3.0.0, 11.5.0.0, 11.6.0.0) attach to PE routers at the edge of the provider backbone; P routers form the core; iBGP sessions run between the PEs.]
CE (Customer Edge Router): The customer equipment directly connected to the service provider.
PE (Provider Edge Router): The edge router on the backbone network, connected to the CE and mainly responsible for access to the VPN service.
P (Provider Router): The core router on the backbone network, mainly responsible for routing and fast forwarding.
-
Overlay VPN: Tunnel established on the CE
[Figure: GRE tunnels between the CE routers of VPN_A (10.1.0.0, 10.3.0.0) and of VPN_B (10.1.0.0, 10.3.0.0) across the P network; the PE and P routers carry only the tunnel traffic.]
Features
The tunnel is established on the CE, and the CEs exchange routing information directly. The service provider does not know the structure of the customer's network. E.g. GRE, IPSec.
Advantage
The address spaces of different customers can overlap, and the security is the highest.
Disadvantage
The customers need to build and maintain the VPN by themselves.
-
Overlay VPN: Tunnel established on the PE
Features
The tunnel is established on the PE. The private routing information is exchanged between the PEs, and the P routers do not know the private routing information.
Advantage
The service provider builds and maintains the VPN for the customers, and the security is higher.
Disadvantage
The address spaces of different VPN users cannot overlap. If they do, many ACLs and policies are needed.
[Figure: GRE tunnels between the PE routers across the P network, carrying VPN_A (10.1.0.0, 10.3.0.0) and VPN_B (11.1.0.0, 11.3.0.0) traffic.]
-
Overlay VPN Nature
Actually, an Overlay VPN is a static VPN. It is similar to a static route and has the same disadvantages:
1. All configuration and deployment must be completed manually, which leads to the N^2 problem (the number of tunnels grows with the square of the number of sites).
2. It cannot adapt to real-time changes in the network.
3. Meanwhile, if the tunnel is established on the CE, the customers must build and maintain it by themselves. But if the tunnel is established on the PE, it cannot solve the address conflict.
-
Peer-to-Peer VPN
To solve these problems, first of all, the VPN deployment and route advertisement must become dynamic. This is how the Peer-to-Peer VPN came about.
Peer-to-Peer refers to CE-to-PE. The private routing information is exchanged between the CE and the PE, then the PE advertises the routes into the P network, after which the private routing information is transmitted to the other PEs dynamically.
Because this VPN leaks the private routes into the public network, we must control the routes strictly, i.e. we must ensure that the CEs belonging to the same VPN only have the routes of their own VPN.
-
Peer-to-Peer VPN: Shared PE
All the CEs belonging to different VPNs connect to the same PE. Different routing protocols run between the CEs and the PE (or the same routing protocol, but with different processes).
Because the PE transmits the private routes into the public network, we must first filter the routes, then transmit them to the corresponding CEs.
Disadvantage
We must configure many ACLs on the PE to prevent communication among the different CEs connected to the same PE.
[Figure: VPN_A (10.1.0.0, 10.3.0.0) and VPN_B (11.1.0.0, 11.3.0.0) CEs sharing the same PEs; RIP, OSPF and IS-IS run on the CE-PE links; the private routes are transmitted on the public network.]
-
Peer-to-Peer VPN: Private PE
[Figure: each VPN (VPN_A: 10.1.0.0, 10.3.0.0; VPN_B: 11.1.0.0, 11.3.0.0) has its own dedicated PE; RIP and OSPF run on the CE-PE links; the private routes are transmitted on the public network.]
Every VPN has a private PE, so we can run any routing protocol between the CE and the PE. BGP runs between the PE and the P, and the routes are filtered using BGP attributes.
Advantage: no ACL is needed.
Disadvantage
The cost is too high.
-
Peer-to-Peer VPN Nature
Although the Peer-to-Peer VPN solves the static problem, it still has some defects:
Because there is no tunnel technology, the private routes leak into the public network, so the security is much worse.
The CEs still cannot share the same address space.
How to solve this?
-
Solution Scheme
Tunnel technology: MPLS. To ensure security, we must use tunnel technology. Although there are many tunnel technologies, e.g. GRE and IPSec, they cannot suit a large network. The LSP of MPLS is established dynamically by the LDP protocol, and it is the suitable tunnel.
Address conflict: BGP. The number of VPN routes is very large, and BGP is the only routing protocol that supports such a huge number of routes.
BGP is based on a TCP connection. It can establish the neighbor relationship between routers that are not directly connected to each other, so the P routers need not hold the VPN routing information.
BGP supports many optional attributes, which makes route transmission easy.
-
Address Conflict Problem
1. Local route conflict, i.e. the same PE cannot distinguish identical routes coming from different VPNs. (control plane)
2. During route transmission, if two identical routes are transmitted on the network, how does the receiver distinguish them? (control plane)
3. After the route conflict is solved, when the PE receives an IP packet to a destination address that exists in more than one VPN, how does it know which VPN to forward it to? (forwarding plane)
-
Solution
To solve the local route conflict, we can build different routing tables on the same router, with different interfaces belonging to different routing tables. This is equivalent to saying that the shared PE simulates several private PEs.
Add an identifier into the route to distinguish the different VPNs during route transmission.
Because we cannot change the structure of IP packets, add an additional identifier before the IP header; then the PE can forward the packet according to the identifier.
-
(1) Local route conflict
[Figure: a PE with CEs of VPN-A and VPN-B attached, running IGP and/or BGP towards each CE. Left: the shared PE holds a global routing table plus a VRF for VPN-A and a VRF for VPN-B (the VPN routing tables). Right: the equivalent private-PE deployment, one PE per VPN, each with its own global routing table.]
-
VRF
VRF: VPN Routing & Forwarding Instance
A VRF can be regarded as a virtual router that acts as a private PE.
This virtual router includes the following elements:
An independent routing table, including an independent address space.
A group of interfaces belonging to the VRF.
A group of routing protocols used only within the VRF.
Every PE maintains one or several VRFs and one public routing table. Every VRF is independent.
What is the relationship between the VRFs?
-
Relationship of VRFs: Route Target
The Route Target attribute (RT) is one of the MBGP extended community attributes.
There are two types of RT; the values of the type field are 0x0002 or 0x0102.
RT structure:
TYPE (2 bytes)   Administrator Field      Assigned Number Field
0x0002           AS number (2 bytes)      Assigned Number (4 bytes)
0x0102           IP address (4 bytes)     Assigned Number (2 bytes)
-
Route Target
The RT is used to control the advertisement of VPN routing information.
There are two sets of Route Target attributes: Export Targets and Import Targets.
The Export Targets are added to the route when advertising local routes to remote PE routers.
The Import Targets are used to decide which routes can be imported into the routing table of this site when receiving routes from remote PE routers.
-
Application of RT
The RT Export Target and Import Target can each be configured with several values.
[Figure: three RT layouts, each site labelled with its export (ex:) and import (im:) targets: (a) Traditional mode, every site ex:a / im:a; (b) Hub-spoke mode, hub and spokes using the targets a and b; (c) Extranet, sites importing and exporting combinations of a, b and c.]
-
(2) Address conflict during route transmission
After we solve the local route conflict, the address conflict during route transmission is solved in the same way. We only need to add an identifier into the route. Can we use the RT as the identifier?
Theoretically, we can use it. But when a route is withdrawn, the BGP withdraw message does not carry the attributes (no RT). So we need to define the RD (Route Distinguisher).
-
RD
RD structure:
TYPE (2 bytes)   Administrator Field      Assigned Number Field
0                2-byte ASN               4-byte assigned number
1                4-byte IP address        2-byte assigned number
VPNv4 address structure:
Route Distinguisher (8 bytes) + IPv4 address
The VPNv4 address is used to transmit VPN routes among the PEs. The RD is unique among the different VPNs. If two VPNs have the same IP address, the PE adds different RDs to convert them into VPNv4 addresses, so the address conflict cannot occur.
-
(3) Packet forwarding address conflict
Now the first two problems have been solved. But if the remote PE receives an IP packet to the same destination, and both VRFs on the PE hold the same route, which CE will it forward to? We need to add some information into the packet.
We need a short identifier. This identifier is defined as the private label distributed by MP-BGP.
What is MP-BGP?
-
MBGP
MBGP (Multiprotocol Extensions for BGP-4)
BGP-4 only supports IPv4, and is extended to MBGP to transfer the routing information of more protocols (IPv6, IPX, etc.).
To maintain compatibility, only two BGP attributes are added for MBGP: MP_REACH_NLRI and MP_UNREACH_NLRI. The two attributes are used in the BGP Update message to advertise or withdraw network reachability information.
-
Network Layer Reachability Information:
NLRI (Network Layer Reachability Information) includes the address family, the private label and the RT.
MP_REACH_NLRI: address family = VPN-IPv4 address family; next-hop = the PE's IPv4 address (usually a loopback address); NLRI: label (24 bits, like an MPLS label but without the TTL portion) and prefix (RD, 64 bits, followed by the IP prefix).
The RT list follows:
Extended_Communities: RT1
Extended_Communities: RT2
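As an added example (not code from the Huawei course), the following Python encodes and decodes the structures the last three slides describe: the RT extended community (types 0x0002 and 0x0102), the RD (types 0 and 1) and the labelled VPN-IPv4 NLRI carried in MP_REACH_NLRI (24-bit label, 64-bit RD, IPv4 prefix), following the RFC 4364 layout. It assumes that an RD or RT written with a numeric administrator is the AS-number type and one written with a dotted address is the IP-address type; the values RD 1:27, label 28 and 149.27.2.0/24 are taken from the course's later slides.

```python
import ipaddress
import struct

def encode_rd(admin, number):
    """Route Distinguisher, 8 bytes. Type 0: 2-byte ASN + 4-byte number;
    type 1: 4-byte IPv4 address + 2-byte number (int admin -> type 0,
    dotted string admin -> type 1; this convention is an assumption)."""
    if isinstance(admin, int):
        return struct.pack("!HHI", 0, admin, number)
    return struct.pack("!H4sH", 1, ipaddress.IPv4Address(admin).packed, number)

def decode_rd(raw):
    """Render an 8-byte RD as 'admin:number' according to its type field."""
    rd_type = struct.unpack("!H", raw[:2])[0]
    if rd_type == 0:
        asn, number = struct.unpack("!HI", raw[2:8])
        return f"{asn}:{number}"
    ip, number = struct.unpack("!4sH", raw[2:8])
    return f"{ipaddress.IPv4Address(ip)}:{number}"

def encode_rt(admin, number):
    """Route Target extended community, 8 bytes: type 0x0002 = 2-byte AS
    administrator + 4-byte number, type 0x0102 = IPv4 administrator + 2-byte number."""
    if isinstance(admin, int):
        return struct.pack("!HHI", 0x0002, admin, number)
    return struct.pack("!H4sH", 0x0102, ipaddress.IPv4Address(admin).packed, number)

def encode_vpnv4_nlri(label, rd, prefix):
    """Labelled VPN-IPv4 NLRI: length in bits, 24-bit label field (20-bit label,
    3 EXP bits, bottom-of-stack bit; no TTL), 8-byte RD, then only as many
    prefix octets as the prefix length needs."""
    net = ipaddress.IPv4Network(prefix)
    label_field = (label << 4) | 1                   # S bit set, EXP = 0
    prefix_octets = net.network_address.packed[:(net.prefixlen + 7) // 8]
    length_bits = 24 + 64 + net.prefixlen
    return bytes([length_bits]) + label_field.to_bytes(3, "big") + rd + prefix_octets

def decode_vpnv4_nlri(raw):
    """Inverse of encode_vpnv4_nlri; returns (label, 'rd', 'prefix/len')."""
    plen = raw[0] - 88                               # strip the label and RD bits
    label = int.from_bytes(raw[1:4], "big") >> 4     # drop EXP and S bits
    rd = decode_rd(raw[4:12])
    nbytes = (plen + 7) // 8
    addr = raw[12:12 + nbytes] + b"\x00" * (4 - nbytes)
    return label, rd, f"{ipaddress.IPv4Address(addr)}/{plen}"

if __name__ == "__main__":
    # Constructed from the course's own example: RD 1:27, label 28, 149.27.2.0/24
    nlri = encode_vpnv4_nlri(28, encode_rd(1, 27), "149.27.2.0/24")
    print(nlri.hex(), decode_vpnv4_nlri(nlri))
```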
-
Concept Summary
VRF: a virtual router on the PE, including dedicated interfaces, a routing table, a routing protocol, an RD and RTs.
RT: controls the routing information among the different VRFs. Actually, it is a BGP community attribute.
RD: identifies the same route coming from different VPNs.
Label: identifies packets to the same destination in different VRFs.
SITE: a VRF and the connected CE.
VPN: a set of sites.
-
Chapter 1 BGP MPLS VPN Overview
Chapter 2 BGP MPLS VPN Routing Exchange
Chapter 3 BGP MPLS VPN Label Switching
-
Relationship Between PE and CE
PE and CE routers exchange information via EBGP, RIP or static routes. The CE runs a standard routing protocol.
The PE maintains separate routing tables for the public network and the private network:
Routing table of the public network, including the routes of all PE and P routers, generated by the IGP of the VPN backbone network.
VRF (VPN routing & forwarding), including the routing & forwarding tables for one or multiple directly connected CEs.
[Figure: two PEs, each attached to CEs of Site-1 (VPN A) and Site-2 (VPN B) via EBGP, RIP or static routes; each PE holds a VRF for VPN A, a VRF for VPN B and the global routing table.]
-
VRF Route Distribution Step 1: Importing VRF Routes to MP-iBGP
Importing a VRF route to MP-iBGP:
The PE router converts the route (in the VRF routing table) received from the CE into a VPN-v4 route and labels it with the RD and RT based on the configuration;
changes the next hop to the PE itself (loopback);
assigns the label based on the interface;
finally sends the MP-iBGP update packet to all PE neighbors.
[Figure: CE-1 sends a BGP or RIPv2 update for 149.27.2.0/24, NH=CE-1, to PE-1; PE-1 sends over MP-iBGP the VPN-v4 update RD:1:27:149.27.2.0/24, Next-hop=PE-1, RT=VPN-A, Label=(28) to the remote PE, which connects to CE-2. The two sites are labelled Beijing and Shanghai.]
-
VRF Route Distribution Step 2: Importing MP-iBGP Routes to VRF
Each VRF has an import route-target and an export route-target configured.
When the transmitting PE sends MP-iBGP updates, the export attribute is attached to the packet.
When receiving MP-iBGP updates of VPN-IPv4 routes, the receiving PE judges whether the received export target equals the import target of a local VRF. If yes, the route is added to the corresponding VRF routing table; otherwise, it is discarded.
[Figure: the VPN-v4 update RD:1:27:149.27.2.0/24, Next-hop=PE-1, RT=VPN-A, Label=(28) arrives at the remote PE over MP-iBGP. That PE receives the update packet, converts the VPN-v4 route into an IPv4 route, distributes it into the VRF VPN-A (RT=VPN-A) routing table, then transmits it to CE-2 with the routing protocol running between the PE and the CE. The two sites are labelled Beijing and Shanghai.]
ip vrf VPN-B
vpn-target import VPN-A
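The RT matching that Step 2 describes, together with the three RT layouts of the 'Application of RT' slide, as an added Python example that is not part of the course: each VRF carries import and export targets, a VPN-v4 update carries the sender's export targets, and the receiving PE installs the route into every local VRF whose import targets share at least one value with them (a single common value suffices, which generalises the slide's "equal" wording). The site names, prefixes and the exact a/b/c target assignments for the hub-spoke and extranet layouts are constructed for this example.

```python
from dataclasses import dataclass, field

@dataclass
class Vrf:
    name: str
    import_rts: set
    export_rts: set
    table: dict = field(default_factory=dict)     # prefix -> name of the originating VRF

def advertise(vrf, prefix):
    """Step 1 on the sending PE: the VRF route leaves as a VPN-v4 update whose
    extended communities carry the VRF's export targets."""
    return {"prefix": prefix, "origin": vrf.name, "rt": set(vrf.export_rts)}

def receive(local_vrfs, update):
    """Step 2 on the receiving PE: the update is installed in every local VRF whose
    import targets share a value with the update's RTs, and discarded elsewhere."""
    accepted = []
    for vrf in local_vrfs:
        if vrf.import_rts & update["rt"]:
            vrf.table[update["prefix"]] = update["origin"]
            accepted.append(vrf.name)
    return accepted

def build_sites(mode):
    """Constructed RT layouts for the three modes on the 'Application of RT' slide."""
    if mode == "traditional":   # full mesh: every site exports and imports the same target
        return [Vrf("site1", {"a"}, {"a"}), Vrf("site2", {"a"}, {"a"}), Vrf("site3", {"a"}, {"a"})]
    if mode == "hub-spoke":     # hub exports a / imports b; spokes export b / import a
        return [Vrf("hub", {"b"}, {"a"}), Vrf("spoke1", {"a"}, {"b"}), Vrf("spoke2", {"a"}, {"b"})]
    if mode == "extranet":      # two VPNs reach one shared site through a third target c
        return [Vrf("vpnA", {"a", "c"}, {"a"}), Vrf("vpnB", {"b", "c"}, {"b"}),
                Vrf("shared", {"a", "b"}, {"c"})]
    raise ValueError(f"unknown mode {mode}")

def reachability(mode):
    """Advertise one constructed prefix per site and report, per VRF, whose routes it holds."""
    sites = build_sites(mode)
    for i, site in enumerate(sites):
        update = advertise(site, f"10.{i}.0.0/16")
        receive([s for s in sites if s is not site], update)
    return {s.name: sorted(s.table.values()) for s in sites}

if __name__ == "__main__":
    for mode in ("traditional", "hub-spoke", "extranet"):
        print(mode, reachability(mode))
```

In the hub-spoke result the spokes hold only the hub's route, and in the extranet result vpnA and vpnB see the shared site but never each other; that is the whole access policy, enforced by RT values rather than by ACLs.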
-
Chapter 1 BGP MPLS VPN Overview
Chapter 2 BGP MPLS VPN Routing Exchange
Chapter 3 BGP MPLS VPN Label Switching
-
MPLS/VPN Label Distribution
[Figure: label distribution for the LSP towards PE-1's loopback 197.26.15.1/32 across the P routers, alongside the VPN-v4 update RD:1:27:149.27.2.0/24, NH=197.26.15.1, RT=VPN-A, Label=(28) for the site 149.27.2.0/24 behind PE-1. Sites labelled Shanghai and Beijing.]
Label tables:
Router          In Label   FEC               Out Label
PE-1 (egress)   -          197.26.15.1/32    -
P router        41         197.26.15.1/32    POP
Ingress PE      -          197.26.15.1/32    41
PE-1 advertises to the P router: use label implicit-null for destination 197.26.15.1/32.
The P router advertises to the ingress PE: use label 41 for destination 197.26.15.1/32.
-
MPLS/VPN Packet Forwarding-1
[Figure: the ingress PE receives an IP packet for 149.27.2.27 from its CE. VPN-A VRF entry: 149.27.2.0/24, NH=197.26.15.1, Label=(28). Public label table: In Label -, FEC 197.26.15.1/32, Out Label 41. The packet leaves towards PE-1 as 149.27.2.27 | 28 | 41, i.e. with inner VPN label 28 and outer LSP label 41.]
-
MPLS/VPN Packet Forwarding-2
[Figure: the packet 149.27.2.27 | 28 | 41 arrives at the P router, whose table reads In Label 41, FEC 197.26.15.1/32, Out Label POP; the P router pops the outer label and forwards 149.27.2.27 | 28 to PE-1. On PE-1 the VPN label table reads In Label 28(V), FEC 149.27.2.0/24, Out Label -, and the VPN-A VRF entry 149.27.2.0/24 with next hop the CE at the Beijing site delivers the plain IP packet 149.27.2.27 to the CE. The ingress VPN-A VRF entry remains 149.27.2.0/24, NH=197.26.15.1, Label=(28).]
-
Demo: Private Label Distribution
[Figure: MPLS backbone with PE-A, P-B and PE-C; PE-A and PE-C are MP-BGP (IBGP) peers. CE A1 and CE B1 attach to PE-A; CE A2 and CE B2 attach to PE-C. CE A2 sends a BGP, OSPF or RIPv2 update for 149.27.2.0/24, NH=CE-A2, to PE-C. PE-C installs 149.27.2.0/24, IN 28, NH: CE A2, and sends the VPN-v4 update RD:1:27:149.27.2.0/24, Next-hop=PE-C, RT=VPN-A, Label=(28) to PE-A. PE-A installs 149.27.2.0/24, Out 28, NH: PE-C, and sends a BGP, OSPF or RIPv2 update for 149.27.2.0/24, NH=PE-A, to CE A1.]
-
Demo: Public Label Distribution
The loopback IP address of PE-C is 1.1.1.1/32.
[Figure: PE-C advertises 1.1.1.1/32 in the IGP and binds label 3 (implicit-null) to it towards P-B; P-B binds label 20 towards PE-A. Resulting entries: PE-A: 1.1.1.1/32 out 20; P-B: 1.1.1.1/32 in 20 out 3; PE-C: 1.1.1.1/32. The VPN entries from the previous slide remain: PE-A: 149.27.2.0/24 Out 28 NH: PE-C; PE-C: 149.27.2.0/24 IN 28 NH: CE A2.]
-
Demo: Packet Forwarding
[Figure: CE A1 pings 149.27.2.1, a route it learned from PE-A's BGP, OSPF or RIPv2 update for 149.27.2.0/24, NH=PE-A. PE-A pushes VPN label 28 and LSP label 20 (1.1.1.1/32 out 20) and sends the packet to P-B; P-B (1.1.1.1/32 in 20 out 3) pops label 20 and forwards the packet with label 28 to PE-C; PE-C (149.27.2.0/24 IN 28 NH: CE A2) removes label 28 and delivers the IP packet to CE A2.]
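The label operations shown in the Packet Forwarding slides and in the demo above, as an added Python example that is not part of the course: the ingress PE pushes the VPN label from the VRF route and then the LSP label for the BGP next hop, the P router pops the outer label (implicit-null advertised by the egress PE) without ever seeing the VPN label, and the egress PE uses the VPN label alone, not the destination address, to pick the VRF and CE. The tables reuse the slides' values (label 41 for 197.26.15.1/32, VPN label 28 for 149.27.2.0/24 behind CE-1); the VRF and LFIB layouts are constructed for this example.

```python
import ipaddress

# Tables built from the slides' values (label 41 towards PE-1's loopback
# 197.26.15.1/32, VPN label 28 for 149.27.2.0/24); the layout is constructed here.
INGRESS_VRF = {"VPN-A": {"149.27.2.0/24": {"nh": "197.26.15.1", "label": 28}}}
INGRESS_LFIB = {"197.26.15.1/32": 41}              # FEC -> out label on the public LSP
P_LFIB = {41: "POP"}                                # penultimate hop: pop, no swap
EGRESS_VPN_LFIB = {28: ("VPN-A", "149.27.2.0/24", "CE-1")}   # 28(V) -> VRF, route, CE

def longest_match(table, dst):
    """Return the most specific prefix in table that contains dst, or None."""
    addr = ipaddress.IPv4Address(dst)
    best = None
    for prefix in table:
        net = ipaddress.IPv4Network(prefix)
        if addr in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return str(best) if best else None

def ingress_pe(vrf_name, dst):
    """VRF lookup gives the VPN label and the BGP next hop; the LSP label for that
    next hop goes on top. Returns the label stack, outermost first, or None."""
    vrf = INGRESS_VRF[vrf_name]
    route = vrf.get(longest_match(vrf, dst))
    if route is None:
        return None
    return [INGRESS_LFIB[longest_match(INGRESS_LFIB, route["nh"])], route["label"]]

def p_router(stack):
    """The P router reads only the outer label; the VPN label stays hidden from it."""
    action = P_LFIB[stack[0]]
    return stack[1:] if action == "POP" else [action] + stack[1:]

def egress_pe(stack):
    """Label 28(V) alone selects the VRF and the CE, so an overlapping customer
    address in another VRF cannot be confused with this one."""
    vrf_name, _prefix, ce = EGRESS_VPN_LFIB[stack[0]]
    return vrf_name, ce

def forward(dst):
    """Trace a VPN-A packet for dst through ingress PE, P and egress PE."""
    trace = []
    stack = ingress_pe("VPN-A", dst)
    if stack is None:
        return trace, "dropped at ingress PE: no VRF route"
    trace.append(("ingress PE", list(stack)))
    stack = p_router(stack)
    trace.append(("P", list(stack)))
    vrf_name, ce = egress_pe(stack)
    return trace, f"delivered via {vrf_name} to {ce}"

if __name__ == "__main__":
    print(forward("149.27.2.27"))
```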
-
Summary
VPN Classification
MPLS L3 VPN Label Distribution
MPLS L3 VPN Forwarding Process