
Lecture 6. L3 MPLS VPN


Presentation Transcript


  1. Lecture 6. L3 MPLS VPN D. Moltchanov, TUT, Spring 2010

  2. Outline
     • Unification by MPLS
     • VPNs in IETF
     • Problems of classic VPNs
     • BGP/MPLS L3 VPN in detail
     • Example
     • Advantages and shortcomings

  3. VPN in IETF: unification by MPLS

  4. VPN in IETF: MPLS unification

  5. VPN in IETF
     • Standardization of VPNs in IETF
     • IETF model

  6. VPN BGP/MPLS
     • BGP/MPLS is also known as
       • VPN 2547, VPN MPLS 2547bis, VPN BGP/MPLS
     • Properties
       • Well-scaling solution
       • Huge number of VPNs can be supported
       • VPNs over multiple providers are possible
       • L3 solution: IP only!
     • General standards for VPN BGP/MPLS
       • IETF RFC 1918
         • Private network addresses, e.g. 192.168.X.X
       • draft-rosen-rfc2547bis
         • BGP/MPLS VPN
         • RFC 2658, year 2006
       • Routing and control: BGP
       • Data transmission: MPLS

  7. Problem of classic VPNs: e.g. IPSec
     • Problems of L2 VPN
       • IPSec tunnels
       • User's equipment works with ISP's equipment directly
       • A lot of connections (actually, a full mesh)
         • Alternative: hubs, but unreliable
       • Problems when a user has plenty of end points
         • Adding one more user site requires a lot of configuration

  8. RFC 2547bis: characteristics
     • Network internetworking
       • CE and PE are peers
     • Adding a new CE: only one PE has to be configured
     • PE: contains routes for directly connected VPNs only

  9. RFC 2547bis: quick look

  10. RFC 2547bis: principles
     • Separation of switching
       • A number of switching tables in the PE
       • Each table is for a certain user (a certain VPN)
       • Ensures isolation between VPNs
     • Limited distribution of routing information by BGP
       • Not all PEs must receive all information
         • Only those having a site of the target VPN attached
       • Filtering of routing info
         • If no site of the target VPN is attached, the BGP message is not processed
     • Reduced distribution of data
       • Not all sites receive all packets
     • Extension of the IP address: used for control only
     • MPLS switching
       • ISP interior routers (P) are 'simple' MPLS LSRs
       • Only border routers (PE) are aware of VPNs

  11. RFC 2547bis: communities and VRFs
     • Community: a certain VPN
       • Marking: number, color, etc.
     • Separation of switching
       • Several switching tables, one per community
     • Content of switching tables
       • Routes received from the attached CE
       • Routes received from remote PEs
     • It is called 'VPN routing and forwarding table': VRF

  12. RFC 2547bis: setup phase
     • Step 1: Route from CE to PE
       • Static, dynamic
     • Step 2: Exporting the route into a BGP message
       • VPN address, community, VPN label
     • Step 3: Transporting control info in the ISP's network
       • BGP is used for this purpose
     • Step 4: Importing routes from BGP at remote PEs
       • Only if there is a site belonging to the same VPN (e.g. green)
     • Step 5: From PE to CE
       • Static, dynamic

  13. RFC 2547bis: problems
     • Overlapping addresses in VPNs
       • RFC 1918 is for all VPNs
       • 192.168 can be used in many VPNs
     • How to identify a certain site at the remote PE
       • More than one site of the same VPN can be attached
       • In MPLS we cannot use IP addresses for this purpose
     • How to filter BGP messages at remote PEs
       • e.g. if there is no 'yellow' VPN at the remote PE, there is no need to process it

  14. RFC 2547bis: filtering BGP messages
     • Limited distribution of routing information
       • CE passes routes to the local PE
       • Local PE
         • Marks routes based on community, e.g. green, xyzBank, …
         • BGP is used to distribute these routes to remote PEs
       • Remote PE
         • Filters (accepts/rejects) routes based on community

  15. RFC 2547bis: overlapping addresses
     • New type of address
       • Aim: change non-unique addresses to make them unique
       • IP address + 8-byte ID
       • This ID is called the route distinguisher (RD)
         • Should be different in a single VPN
         • For example, RD = AS number + some number
       • Outgoing PE: converts IP to RD:IP and uses BGP to distribute it
       • Incoming PE: converts from RD:IP back to IP
     • VPN addresses
       • Distributed in a special BGP address family
         • MP-BGP
       • Used in the ISP's network only
       • Used for control only
       • Translated only in PEs
       • Not used for filtering routes! Communities are used for that!
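The control-plane procedure of slides 12, 14 and 15, as an added Python simulation that is not part of the lecture: the local PE exports a customer prefix as a VPN-IPv4 route (RD:prefix) together with a community and a VPN label, and each remote PE imports it only into VRFs whose import community matches. The PE names, AS number 65000, RD values, labels and the community names green/yellow are constructed for the example; the byte layout of the NLRI (length in bits, 3-byte label field, 8-byte RD, prefix) follows RFC 4364 section 4.3.4, which is the published form of the 2547bis draft.

```python
import struct
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class RouteDistinguisher:
    """Type-0 RD (8 bytes): 2-byte type, 2-byte AS number, 4-byte number assigned by the ISP."""
    asn: int
    assigned: int

    def encode(self) -> bytes:
        return struct.pack("!HHI", 0, self.asn, self.assigned)

    def __str__(self) -> str:
        return f"{self.asn}:{self.assigned}"


@dataclass(frozen=True)
class VpnRoute:
    """One route as exported by the local PE into MP-BGP (slide 12, step 2)."""
    rd: RouteDistinguisher
    prefix: str            # customer prefix, e.g. "192.168.0.0/24"
    community: str         # used only for filtering at remote PEs, e.g. "green"
    vpn_label: int         # label remote PEs must push for traffic to this route
    next_hop: str          # the exporting PE

    def vpn_ipv4(self) -> str:
        """VPN-IPv4 address (RD:prefix): unique even if the IP prefix is reused in another VPN."""
        return f"{self.rd}:{self.prefix}"

    def nlri(self) -> bytes:
        """Wire format of the VPN-IPv4 NLRI (RFC 4364 sec. 4.3.4): one length byte counted in
        bits, a 3-byte label field (label << 4 with the bottom-of-stack bit set), the 8-byte RD,
        and only as many prefix bytes as the prefix length needs."""
        net = ipaddress.IPv4Network(self.prefix)
        prefix_bytes = net.network_address.packed[: (net.prefixlen + 7) // 8]
        label_field = ((self.vpn_label << 4) | 1).to_bytes(3, "big")
        body = label_field + self.rd.encode() + prefix_bytes
        return bytes([len(body) * 8]) + body


@dataclass
class Vrf:
    """Per-VPN routing and forwarding table on a PE (slide 11)."""
    name: str
    import_communities: frozenset
    routes: dict = field(default_factory=dict)   # "RD:prefix" -> VpnRoute


class PE:
    def __init__(self, name: str, vrfs: list):
        self.name = name
        self.vrfs = vrfs

    def import_update(self, route: VpnRoute) -> list:
        """Slide 14 / step 4: keep the route only in VRFs whose import community matches.
        An empty result means the BGP update is discarded without further processing."""
        accepted = []
        for vrf in self.vrfs:
            if route.community in vrf.import_communities:
                vrf.routes[route.vpn_ipv4()] = route
                accepted.append(vrf.name)
        return accepted


def build_routes() -> dict:
    """Constructed sample: two customers both numbered from RFC 1918 space 192.168.0.0/24."""
    rd_green = RouteDistinguisher(asn=65000, assigned=1)
    rd_yellow = RouteDistinguisher(asn=65000, assigned=2)
    return {
        "green": VpnRoute(rd_green, "192.168.0.0/24", "green", vpn_label=100, next_hop="PE1"),
        "yellow": VpnRoute(rd_yellow, "192.168.0.0/24", "yellow", vpn_label=101, next_hop="PE1"),
    }


def demo() -> dict:
    """Distribute both routes to two remote PEs and report which VRFs imported them."""
    routes = build_routes()
    pe2 = PE("PE2", [Vrf("green", frozenset({"green"}))])        # only a green site attached
    pe3 = PE("PE3", [Vrf("green", frozenset({"green"})),
                     Vrf("yellow", frozenset({"yellow"}))])       # green and yellow sites
    return {
        "pe2_green": pe2.import_update(routes["green"]),
        "pe2_yellow": pe2.import_update(routes["yellow"]),        # no yellow site: dropped
        "pe3_green": pe3.import_update(routes["green"]),
        "pe3_yellow": pe3.import_update(routes["yellow"]),
        "pe3_vpn_ipv4": sorted(r for vrf in pe3.vrfs for r in vrf.routes),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
    print("green NLRI:", build_routes()["green"].nlri().hex())
```

Running it shows the two identical 192.168.0.0/24 prefixes arriving at PE3 as distinct entries 65000:1:192.168.0.0/24 and 65000:2:192.168.0.0/24, while PE2, which has no yellow site, never installs the yellow route. Note that the filtering decision is made on the community alone; the RD only keeps the prefixes apart.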

  16. RFC 2547bis: how to route using VPN-IP?
     • We can use overlapping IP addresses
       • Indeed, we actually use VPN-IP addresses
     • Problem: how to route based on VPN-IP?
       • VPN-IP addresses are used by the routing protocol only
       • VPN-IP addresses are not carried in IP headers!
     • MPLS is the solution
       • Forwarding: separated (local switching tables)
       • Addresses: separated (only for control)
     • In contrast to IP routing and forwarding
       • At each hop we analyze packet headers
       • IP addresses may indeed overlap

  17. RFC 2547bis: problem of identifying the VPN

  18. RFC 2547bis: solution
     • Why not use VPN-IPs?
       • MPLS does not use IP for forwarding!
     • Solution:
       • There could be many networks within a single community!
       • A label is used to identify the next hop at the remote PE
       • This is called the VPN label
       • The VPN label is distributed by BGP together with the VPN-IP
         • BGP (Dest = RDy:x.x.x.x, Next Hop = PEz, Label = N)
     • Each IP packet in the ISP's network has 2 labels
       • LSP label: internal route for the ISP
       • VPN label: external route for the ISP
       • Just a label stack is used
     • Remote PE
       • Removes the first label
       • Determines the next node (CE) based on the next label
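The data-plane behaviour of this slide, as an added Python simulation that is not part of the lecture: the ingress PE pushes the VPN label learned from BGP and then the LSP label toward the BGP next hop, P routers swap only the outer label, and the egress PE removes the LSP label and uses the VPN label to choose the attached CE. The topology PE1 - P1 - P2 - PE2, the label values, and the two CEs sharing the address 192.168.0.10 are all constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Packet:
    labels: list      # MPLS label stack, outermost label first
    dst_ip: str       # customer address; may be identical in two VPNs
    payload: str


@dataclass(frozen=True)
class BgpVpnRoute:
    """What the ingress PE learned from BGP for a VPN-IPv4 route: (Next Hop = PEz, Label = N)."""
    next_hop: str
    vpn_label: int


class PRouter:
    """ISP interior LSR: swaps the outer (LSP) label and never looks below it."""

    def __init__(self, name: str, lfib: dict):
        self.name = name
        self.lfib = lfib   # incoming LSP label -> (outgoing LSP label, next hop)

    def forward(self, pkt: Packet) -> str:
        out_label, next_hop = self.lfib[pkt.labels[0]]
        pkt.labels[0] = out_label          # the VPN label underneath is untouched
        return next_hop


class PERouter:
    def __init__(self, name: str, lsp_to_pe: dict, vpn_label_to_ce: dict):
        self.name = name
        self.lsp_to_pe = lsp_to_pe               # remote PE -> (first LSP label, next hop)
        self.vpn_label_to_ce = vpn_label_to_ce   # locally assigned VPN label -> (VRF, CE)

    def ingress(self, pkt: Packet, route: BgpVpnRoute) -> str:
        """Ingress PE: push the VPN label from BGP, then the LSP label toward the BGP next hop."""
        lsp_label, next_hop = self.lsp_to_pe[route.next_hop]
        pkt.labels = [lsp_label, route.vpn_label]
        return next_hop

    def egress(self, pkt: Packet) -> tuple:
        """Egress PE: remove the LSP label, then use the VPN label to pick the attached CE."""
        pkt.labels.pop(0)
        vpn_label = pkt.labels.pop(0)
        return self.vpn_label_to_ce[vpn_label]


def carry(network: dict, ingress_pe: str, pkt: Packet, route: BgpVpnRoute) -> tuple:
    """Walk the packet PE -> P ... -> PE; return (per-hop label stacks, delivered (VRF, CE))."""
    next_hop = network[ingress_pe].ingress(pkt, route)
    trace = [(ingress_pe, list(pkt.labels))]
    while True:
        node = network[next_hop]
        if isinstance(node, PRouter):
            next_hop = node.forward(pkt)
            trace.append((node.name, list(pkt.labels)))
        else:
            ce = node.egress(pkt)
            trace.append((node.name, list(pkt.labels)))
            return trace, ce


def build_network() -> dict:
    """Constructed topology PE1 - P1 - P2 - PE2; PE2 has a green and a yellow CE attached."""
    return {
        "PE1": PERouter("PE1", lsp_to_pe={"PE2": (1000, "P1")}, vpn_label_to_ce={}),
        "P1": PRouter("P1", lfib={1000: (2000, "P2")}),
        "P2": PRouter("P2", lfib={2000: (3000, "PE2")}),
        "PE2": PERouter("PE2", lsp_to_pe={},
                        vpn_label_to_ce={100: ("green", "CE-green"), 101: ("yellow", "CE-yellow")}),
    }


def demo() -> dict:
    """Send one packet per VPN to the same customer address 192.168.0.10."""
    net = build_network()
    routes = {"green": BgpVpnRoute("PE2", 100), "yellow": BgpVpnRoute("PE2", 101)}
    out = {}
    for vpn, route in routes.items():
        pkt = Packet(labels=[], dst_ip="192.168.0.10", payload=f"hello from {vpn}")
        out[vpn] = carry(net, "PE1", pkt, route)
    return out


if __name__ == "__main__":
    for vpn, (trace, ce) in demo().items():
        print(vpn, "->", ce, "via", trace)
```

The trace shows the outer label changing at every P hop (1000, 2000, 3000) while the inner VPN label stays 100 or 101 all the way, which is exactly why P routers need no VPN state: the only place the destination IP and the VPN label are combined is in the VRF at PE2.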

  19. RFC 2547bis: using the VPN label

  20. RFC 2547bis: RD, community, VPN label
     • Route Distinguisher (RD)
       • To identify sites of different VPNs with the same IP space
     • Community
       • For limited distribution of routing information (BGP filtering)
     • VPN label
       • To identify different CEs at the remote PE that belong to the same community
       • Used at the data transmission phase!

  21. RFC 2547bis: brief summary
     • Basic properties
       • P nodes
         • Are not aware of VPN routes
         • Should only know how to forward to the next hop
       • PE nodes
         • Support VPN routes
         • But only those which are directly connected
       • VPNs are allowed to have overlapping addresses
         • e.g. several CEs in different VPNs may have 192.168.0.10

  22. Example: setting up LSP

  23. Example: BGP info about new site

  24. Example: filtering based on communities

  25. Example: VRFs

  26. Example: data transmission

  27. RFC 2547bis: scalability
     • Customer does not route
       • All functionality is provided by the ISP
     • Adding one more CE to a VPN
       • We need to configure only one PE (BGP!)
       • Does not depend on how many sites we have
     • PE nodes
       • Support routes for directly connected VPNs
     • P nodes
       • Are not aware of VPNs at all
     • Overlapping addresses can be used
       • Each provider is allowed to use its own RD

  28. RFC 2547bis: advantages
     • Easy to use for ISPs
       • Only PEs should be configured
     • Everything over IP
       • Just a trend we have to follow
     • Compatibility
       • We can use it in ATM, Frame Relay or IP networks
     • Scalable approach
       • No need to change P routers
     • Reliable approach
       • MPLS: adaptive to changes in the ISP's network + traffic engineering

  29. RFC 2547bis: shortcomings
     • Only IP
       • Other protocols must be encapsulated
     • Joint routing
       • ISP should have knowledge of the customer's network
       • CE should be a router
         • Sometimes expensive…
     • Complexity
       • Multiple dynamic routes in the ISP's network
       • The need for configuring the CE together with the ISP
         • This way the ISP is aware of your topology…
