HUAWEI Confidential
Page 1
Reference Material: VRP 3.30 / 5.10 Operation Guide, Command Guide, Troubleshooting Guide
Chapter 1 BGP MPLS VPN Overview
Chapter 2 BGP MPLS VPN Routing Exchange
Chapter 3 BGP MPLS VPN Label Switching
VPN Structure
[Figure: CE routers of VPN_A (10.1.0.0, 10.2.0.0, 11.5.0.0) and VPN_B (10.1.0.0, 10.3.0.0, 11.6.0.0) connect to PE routers at the edge of the provider network; P routers form the core; iBGP sessions run between the PEs]
CE (Customer Edge Router): The user equipment directly connected with the service provider.
PE (Provider Edge Router): The edge router on the backbone network, connected with the CE and mainly responsible for access of the VPN service.
P (Provider Router): The core router on the backbone network, mainly responsible for routing and fast forwarding.
[Figure: VPN_B sites 10.1.0.0 and 10.3.0.0; a GRE tunnel runs between the CEs across the P-network, through the PE and P routers]
Features: The tunnel is established on the CE, and the CEs exchange routing information directly over it. The service provider does not know the structure of the customer's network. Examples: GRE, IPSec.
Advantage: The address spaces of different customers can overlap, and security is highest.
Disadvantage: The customers need to build and maintain the VPN by themselves.
[Figure: VPN_B sites 10.1.0.0, 10.3.0.0, 11.1.0.0 and 11.3.0.0; a GRE tunnel runs between the PEs across the P-network]
Features: The tunnel is established on the PE. Private routing information is exchanged between the PEs, and the P devices do not know the private routing information.
Advantage: The service provider builds and maintains the VPN for the customers, with higher security.
Disadvantage: The address spaces of different VPN users cannot overlap. Otherwise, many ACLs and policies are needed.
Meanwhile, if the tunnel is established on the CE, the customer must build and maintain it by themselves. But if the tunnel is established on the PE, it cannot solve the address conflict.
Peer-to-Peer VPN
To solve the problem, first we must make the VPN deployment and routing advertisement dynamic; this gives rise to Peer-to-Peer VPN.
Then we must control the routes strictly, i.e. we must ensure that the CEs belonging to the same VPN only have the routes of their own VPN.
Peer-to-Peer VPN (shared PE)
Private routes are transmitted on the public network.
[Figure: CEs of VPN_A (11.1.0.0, 11.3.0.0) and VPN_B (10.1.0.0, 10.3.0.0) attach to the same PEs, running rip, ospf or isis toward the PE; P routers in the P-network]
All the CEs belonging to different VPNs connect to the same PE. Different routing protocols run between the CEs and the PE (or the same routing protocol, but in different processes). Because the PE transmits the private routes into the public network, we must first filter the routes and then transmit them to the corresponding CEs.
Disadvantage
We must configure many ACLs on the PE to prevent communication among the different CEs connected to the same PE.
Peer-to-Peer VPN (private PE)
Private routes are transmitted on the public network.
[Figure: each VPN has its own PE; CEs of VPN_A (11.1.0.0, 11.3.0.0) and VPN_B (10.1.0.0, 10.3.0.0) run rip or ospf to their private PEs, which connect to the P routers of the P-network]
Every VPN has a private PE, so we can run any routing protocol between the CE and the PE. BGP runs between the PE and the P, and the routes are filtered using BGP attributes.
Advantage: No ACL is needed. Disadvantage: The cost is too high.
Although Peer-to-Peer VPN solves the static-configuration problem, it also has some defects: because no tunnel technology is used, the private routes leak into the public network, so security is much worse. The CEs also cannot share the same address space.
How to solve this?
Solution Scheme
Tunnel technology: MPLS
To ensure security, we must use a tunnel technology. Although there are many tunnel technologies, e.g. GRE and IPSec, they cannot suit a large network. The LSP of MPLS is established by the dynamic LDP protocol, and it is the suitable tunnel.
Address conflict: BGP
The number of VPN routes is very large, and BGP is the only routing protocol that supports such a huge number of routes. BGP is based on a TCP connection, so it can establish the neighbor relationship between routers which are not directly connected; therefore the P routers need not hold the VPN routing information. BGP supports many optional attributes, which make route transmission easy.
During route transmission, if two identical routes are transmitted on the network, how does the receiver distinguish them? (control plane)
After the route conflict is solved, when the PE receives an IP packet for that same destination address, how does it know which VPN the packet must be forwarded to? (forwarding plane)
Solution
To solve the local route conflict, we can build different routing tables on the same router, with different interfaces belonging to different routing tables. This is equivalent to saying that the shared PE simulates several private PEs.
Add an identifier to the route to distinguish the different VPNs during route transmission.
Because we cannot change the structure of IP packets, add the additional identifier before the IP header; then the PE can forward the packet according to the identifier.
[Figure: a PE holding one VRF per VPN (VPN-A, VPN-B) plays the role of a private PE; the CEs attach to the VRFs and run IGP and/or BGP with the PE; P routers in the core]
VRF
VRF --- VPN Routing & Forwarding Instance
VRF can be regarded as a virtual router, acting as a private PE.
This virtual router includes the following elements: an independent routing table, including an independent address space; a group of interfaces belonging to the VRF; a group of routing protocols used only within the VRF.
Every PE maintains one or several VRFs and one public routing table.
RT attributes
There are two types of RT; the values of the Type field are 0x0002 and 0x0102.
RT structure:
Type (2 bytes) | Administrator Field | Assigned Number Field
0x0002 | AS number (2 bytes) | Assigned Number (4 bytes)
0x0102 | IP address (4 bytes) | Assigned Number (2 bytes)
Route Target
RT is used to control the advertisement of VPN routing information. There are two sets of Route Target attributes: Export Targets and Import Targets. Export Targets are added to the route when advertising local routes to remote PE routers. Import Targets are used to decide which routes received from remote PE routers can be imported into the routing table of this site.
Application of RT
The RT Export Target and Import Target can each be configured with several values.
[Figure: three deployment patterns drawn with RT values a, b, c. Traditional mode: every site im:a ex:a. Hub-spoke mode: hub im:b ex:a, spokes im:a ex:b. Extranet: sites with im:a ex:a, im:a,c ex:a,b and im:b ex:c]
RD
RD structure:
Type (2 bytes) | Administrator Field | Assigned Number Field
0 | 2-byte ASN | Assigned Number
1 | 4-byte IP address | Assigned Number
RD is unique among the different VPNs. If two VPNs have the same IP address, the PE adds different RDs to convert them into VPNv4 addresses, so no address conflict can occur.
What is MP-BGP?
MBGP
MBGP (Multiprotocol Extensions for BGP-4)
BGP-4 only supports IPv4, and is extended to MBGP to carry the routing information of more protocols (IPv6, IPX, etc.). To maintain compatibility, only two BGP attributes are added for MBGP: MP_REACH_NLRI and MP_UNREACH_NLRI. The two attributes are used in the BGP Update message to advertise or withdraw network reachability information.
NLRI (Network Layer Reachability Information) includes the address family, the private label and the RT.
MP_REACH_NLRI:
Address family: VPN-IPv4
Next-hop: the PE's IPv4 address, usually its loopback address
NLRI: label (24 bits, like an MPLS label but without the TTL portion), RD (64 bits), IP prefix
The RT list follows as Extended_Communities attributes: RT1, RT2, ...
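The RT structure, the RD structure and the labelled VPN-IPv4 NLRI above share one 8-byte Type/Administrator/Assigned-Number layout. This added example (not from the slides or VRP) packs and parses them; it assumes, per RFC 4364, that RD types 0 and 1 use the same field sizes as RT types 0x0002 and 0x0102, and it constructs the slide's RD 1:27, prefix 149.27.2.0/24, label 28 as sample input.

```python
import struct
from ipaddress import IPv4Address, IPv4Network

# Type field values from the slides: RD uses 0 (ASN:NN) or 1 (IP:NN); the RT extended
# community uses 0x0002 (ASN:NN) or 0x0102 (IP:NN). Assumed: same sizes for RD and RT.
ASN_TYPES = (0x0000, 0x0002)   # 2-byte AS number + 4-byte assigned number
IP_TYPES = (0x0001, 0x0102)    # 4-byte IPv4 address + 2-byte assigned number

def encode_rd_rt(kind, admin, assigned):
    """Pack Type + Administrator field + Assigned Number field into 8 bytes."""
    if kind in ASN_TYPES:
        return struct.pack("!HHI", kind, int(admin), assigned)
    if kind in IP_TYPES:
        return struct.pack("!H4sH", kind, IPv4Address(admin).packed, assigned)
    raise ValueError("unknown RD/RT type 0x%04x" % kind)

def decode_rd_rt(raw):
    """Inverse of encode_rd_rt: (type, administrator as text, assigned number)."""
    if len(raw) != 8:
        raise ValueError("RD/RT must be exactly 8 bytes")
    kind = struct.unpack("!H", raw[:2])[0]
    if kind in ASN_TYPES:
        asn, num = struct.unpack("!HI", raw[2:])
        return kind, str(asn), num
    if kind in IP_TYPES:
        ip, num = struct.unpack("!4sH", raw[2:])
        return kind, str(IPv4Address(ip)), num
    raise ValueError("unknown RD/RT type 0x%04x" % kind)

def vpnv4_nlri(label, rd, prefix):
    """Labelled VPN-IPv4 NLRI as carried in MP_REACH_NLRI: length in bits, 3-byte label
    (20-bit value, bottom-of-stack bit set, no TTL), 8-byte RD, then the prefix octets."""
    net = IPv4Network(prefix)
    nbytes = (net.prefixlen + 7) // 8
    label_bytes = ((label << 4) | 1).to_bytes(3, "big")
    length = 24 + 64 + net.prefixlen
    return bytes([length]) + label_bytes + rd + net.network_address.packed[:nbytes]

def parse_vpnv4_nlri(raw):
    """Return (label, 'admin:number' RD text, 'prefix/len') from one NLRI."""
    plen = raw[0] - 88                      # strip the 24 label bits and 64 RD bits
    label = int.from_bytes(raw[1:4], "big") >> 4
    _, admin, num = decode_rd_rt(raw[4:12])
    nbytes = (plen + 7) // 8
    addr = raw[12:12 + nbytes].ljust(4, b"\x00")
    return label, "%s:%d" % (admin, num), "%s/%d" % (IPv4Address(addr), plen)

# Constructed from the Chapter 3 slide: RD 1:27, prefix 149.27.2.0/24, label 28.
SLIDE_NLRI = vpnv4_nlri(28, encode_rd_rt(0, "1", 27), "149.27.2.0/24")
```

The same IPv4 prefix under two different RDs yields two distinct VPN-IPv4 routes, which is exactly how the RD removes the address conflict.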
Concept Summary
VRF: a virtual router on the PE, including dedicated interfaces, a routing table, a routing protocol, an RD and RTs.
RT: controls the routing information exchanged among the different VRFs. Actually, it is carried as a BGP (extended) community attribute.
RD: identifies the same route from different VPNs.
Label: identifies packets to the same destination in different VRFs.
SITE: a VRF and the connected CE.
VPN: a set of sites.
Chapter 2 BGP MPLS VPN Routing Exchange
[Figure: VPN A Site-1 CE and a VPN B CE attached to the same PE]
PE and CE routers exchange routing information via EBGP, RIP or static routes. The CE runs a standard routing protocol. The PE maintains separate routing tables for the public network and the private networks: the public-network routing table, including the routes of all PE and P routers, generated by the backbone IGP; and the VRF (VPN routing & forwarding) tables, including routing & forwarding tables for one or multiple directly connected CEs.
[Figure: CE-1 in Beijing and CE-2 in Shanghai, each attached to a PE]
The PE router converts the route received from the CE (in the VRF routing table) into a VPN-v4 route: it labels the route with the RD and RT based on the configuration, changes the next hop to the PE itself (loopback), assigns the label based on the interface, and finally sends the MP-iBGP update packet to all PE neighbors.
[Figure: CE-1 in Beijing and CE-2 in Shanghai, each attached to a PE]
The receiving PE receives the update packet, converts the VPN-v4 route back into an IPv4 route, installs it in the VRF VPN-A (RT=VPN-A) routing table, and then advertises it to the CE using the routing protocol running between the PE and the CE.
Each VRF is configured with an import route-target and an export route-target. When the transmitting PE sends MP-iBGP updates, the export attribute is attached to the packet. When receiving MP-iBGP updates of VPN-IPv4 routes, the receiving PE judges whether the received export target is equal to the import target of the local VRF. If yes, the route is added to the corresponding VRF routing table; otherwise, it is discarded.
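The import/export decision above, and the traditional and hub-spoke patterns from the "Application of RT" slide, as an added example that is not code from the slides or from VRP. The VRF definitions and the per-site prefixes are constructed; the RT values a and b are the slide's own labels, and a route is imported when at least one attached Export Target appears in the VRF's Import Targets.

```python
# Constructed VRF definitions: each VRF carries a set of Export Targets and Import Targets.
# Hub-and-spoke as drawn on the slide: hub im:b ex:a, spokes im:a ex:b.
HUB_SPOKE = {
    "hub":    {"import": {"b"}, "export": {"a"}},
    "spoke1": {"import": {"a"}, "export": {"b"}},
    "spoke2": {"import": {"a"}, "export": {"b"}},
}
# Traditional (full-mesh) mode: every site im:a ex:a.
TRADITIONAL = {
    "site1": {"import": {"a"}, "export": {"a"}},
    "site2": {"import": {"a"}, "export": {"a"}},
}

def mp_ibgp_update(vrfs, src, prefix):
    """Sending PE: the VRF's Export Targets are attached to the VPN-IPv4 route."""
    return {"prefix": prefix, "origin": src, "rt": frozenset(vrfs[src]["export"])}

def import_decision(vrf, update):
    """Receiving PE: the route enters this VRF only if one of the RTs attached to the
    update is among the VRF's Import Targets; otherwise it is discarded."""
    return bool(vrf["import"] & update["rt"])

def propagate(vrfs):
    """Every VRF originates one constructed prefix named after itself; return, per VRF,
    the set of remote prefixes that passed the import decision."""
    learned = {name: set() for name in vrfs}
    for src in vrfs:
        update = mp_ibgp_update(vrfs, src, "%s-prefix" % src)
        for dst, vrf in vrfs.items():
            if dst != src and import_decision(vrf, update):
                learned[dst].add(update["prefix"])
    return learned
```

In the hub-spoke result the two spokes never learn each other's prefix, which is the property the slide's ACL-free design relies on.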
Chapter 3 BGP MPLS VPN Label Switching
[Figure: label distribution between PE-1 (Beijing), the P router and the Shanghai PE. LDP messages: "Use label implicit-null for destination 197.26.15.1/32" and "Use label 41 for destination 197.26.15.1/32". VPN-v4 update for the Shanghai site: RD 1:27, 149.27.2.0/24, NH=197.26.15.1, RT=VPN-A, Label=(28)]
[Figure: PE-1 tables. LDP: FEC 197.26.15.1/32, In Label -, Out Label 41. VPN-A VRF: 149.27.2.0/24, NH=197.26.15.1, Label=(28). A packet for 149.27.2.27 from Beijing leaves PE-1 with the label stack 41 | 28 | 149.27.2.27 toward Shanghai]
[Figure: P router LFIB: In Label 41, FEC 197.26.15.1/32 (implicit-null, label popped). Shanghai PE LFIB: In Label 28(V), FEC 149.27.2.0/24, Out Label -. The packet 41 | 28 | 149.27.2.27 leaves the P router as 28 | 149.27.2.27 and reaches the Shanghai CE as the plain IP packet 149.27.2.27]
[Figure: route advertisement. CE A2 sends a BGP, OSPF or RIPv2 update for 149.27.2.0/24 (NH=CE A2) to PE-C, which stores it in its VRF as IN 28, 149.27.2.0/24, NH: CE A2. Across the MPLS core (P B), PE-A advertises 149.27.2.0/24 to CE A1 with NH=PE-A. CE B1 and CE B2 belong to the other VPN]
[Figure: LDP label distribution for PE-C's loopback 1.1.1.1/32 over the IGP-based MPLS core. PE-A: 1.1.1.1/32 out 20. P B: In 20, 1.1.1.1/32, out 3. PE-C: 1.1.1.1/32; VRF entry IN 28, 149.27.2.0/24, NH: CE A2]
[Figure: forwarding. CE A1 pings 149.27.2.1. PE-A: 149.27.2.0/24 Out 28 NH: PE-C, and 1.1.1.1/32 out 20. P B: In 20, 1.1.1.1/32, out 3. PE-C: IN 28 selects 149.27.2.0/24, NH: CE A2]
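The two forwarding walk-throughs in this chapter (labels 41/28 toward 197.26.15.1, and labels 20/3/28 toward 1.1.1.1) follow the same two-label procedure. This added example (not the slides' or VRP's code) simulates it with the first walk-through's values as constructed tables; the router names PE-1, P and PE-2 and the CE-facing next-hop name are assumptions.

```python
from ipaddress import IPv4Address, IPv4Network

IMPLICIT_NULL = 3   # "pop the outer label" (penultimate hop popping), as advertised for 197.26.15.1/32

# Constructed from the slide values; PE-1 / P / PE-2 naming is assumed.
# Ingress PE-1: public LDP table (FEC -> out label) and the VPN-A VRF
# (prefix -> (BGP next hop = egress PE loopback, VPN label learned via MP-iBGP)).
LDP_PE1 = {"197.26.15.1/32": 41}
VRF_A_PE1 = {"149.27.2.0/24": ("197.26.15.1", 28)}
# P router LFIB: acts on the outer label only and holds no VPN route at all.
LFIB_P = {41: IMPLICIT_NULL}
# Egress PE-2: VPN label -> (VRF, CE-facing next hop); 28(V) selects VRF VPN-A.
LFIB_PE2 = {28: ("VPN-A", "CE-Shanghai")}

def lookup(table, ip):
    """Longest-prefix match of an address in a prefix-keyed table."""
    best = None
    for prefix, value in table.items():
        net = IPv4Network(prefix)
        if IPv4Address(ip) in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, value)
    return None if best is None else best[1]

def ingress_pe(dst_ip):
    """PE-1 pushes the VPN label, then the LDP label for the BGP next hop (top first)."""
    match = lookup(VRF_A_PE1, dst_ip)
    if match is None:
        return None                     # no VRF route: PE-1 drops the packet
    next_hop, vpn_label = match
    return [lookup(LDP_PE1, next_hop), vpn_label]

def p_router(stack):
    """P swaps or pops only the top label; the VPN label underneath is never inspected."""
    action = LFIB_P[stack[0]]
    return stack[1:] if action == IMPLICIT_NULL else [action] + stack[1:]

def egress_pe(stack):
    """PE-2 uses the remaining VPN label to pick the VRF and forwards as plain IP."""
    vrf, next_hop = LFIB_PE2[stack[0]]
    return vrf, next_hop, stack[1:]

def forward(dst_ip):
    """Walk a packet from the Beijing CE across PE-1, P and PE-2; return (VRF, CE next hop)."""
    stack = ingress_pe(dst_ip)
    if stack is None:
        return None
    vrf, next_hop, rest = egress_pe(p_router(stack))
    assert rest == []                   # all labels consumed; IP packet handed to the CE
    return vrf, next_hop
```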
Summary
VPN Classification
MPLS L3 VPN Label Distribution
MPLS L3 VPN Forwarding Process
www.huawei.com