

BGP MPLS VPN Principle


ISSUE 1.0
www.huawei.com

HUAWEI TECHNOLOGIES CO., LTD.

HUAWEI Confidential

This course mainly introduces the BGP MPLS VPN principle and the packet forwarding process.


Reference Material
VRP 3.30/5.10 Operation Guide, Command Guide
Troubleshooting Guide


After completion of this course, you should be able to:
Understand the BGP/MPLS VPN principle
Understand the BGP/MPLS VPN forwarding process


Chapter 1 BGP MPLS VPN Overview
Chapter 2 BGP MPLS VPN Routing Exchange
Chapter 3 BGP MPLS VPN Label Switching


VPN Structure

[Figure: VPN structure. VPN_A sites (10.1.0.0, 10.2.0.0, 11.5.0.0) and VPN_B sites (10.1.0.0, 10.3.0.0, 11.6.0.0) each attach through a CE to a PE; P routers form the backbone; iBGP sessions run between the PEs.]

CE (Customer Edge Router): The user equipment directly connected to the service provider.
PE (Provider Edge Router): The edge router of the backbone network, connected to the CE and mainly responsible for access of the VPN service.
P (Provider Router): The core router of the backbone network, mainly responsible for routing and fast forwarding.


Overlay VPN: Tunnel established on the CE

[Figure: GRE tunnels between the CEs of VPN_A (10.1.0.0, 10.3.0.0) and between the CEs of VPN_B (10.1.0.0, 10.3.0.0) run across the provider's P-Network of PE and P routers.]

Features: The tunnel is established on the CE, and the CEs exchange routing information directly. The service provider does not know the structure of the customer network. Examples: GRE, IPSec.
Advantage: The address spaces of different customers can overlap, and security is the highest.
Disadvantage: The customers need to build and maintain the VPN by themselves.


Overlay VPN: Tunnel established on the PE

[Figure: GRE tunnels between the PEs across the P-Network carry VPN_A (10.1.0.0, 10.3.0.0) and VPN_B (11.1.0.0, 11.3.0.0); the CEs connect to the PEs.]

Features: The tunnel is established on the PE. The private routing information is exchanged between the PEs, and the P equipment does not know the private routing information.
Advantage: The service provider builds and maintains the VPN for the customers, and security is higher.
Disadvantage: The address spaces of different VPN users cannot overlap; if they do, many ACLs and policies are needed.

Overlay VPN Nature

Actually, Overlay VPN is a static VPN. It is similar to a static route and has the same disadvantages:
1. All configuration and deployment must be completed manually.
2. It causes the N^2 problem.
3. It is not fit for real-time changes of the network.

Meanwhile, if the tunnel is established on the CE, the customer must build and maintain it by themselves; if the tunnel is established on the PE, the address conflict cannot be solved.


Peer-to-Peer VPN

To solve the problem, we must first make VPN deployment and route advertisement dynamic. From this, Peer-to-Peer VPN was born.

Peer-to-Peer refers to CE-to-PE. The private routing information is exchanged between the CE and the PE; the PE then advertises the routes into the P-Network, after which the private routing information is transmitted to the other PEs dynamically. Because this VPN leaks the private routes into the public network, we must control the routes strictly, i.e. we must ensure that the CEs belonging to the same VPN only have the routes of their own VPN.


Peer-to-Peer VPN: shared PE

Private routes are transmitted on the public network.

[Figure: CEs of VPN_A (11.1.0.0, 11.3.0.0) and VPN_B (10.1.0.0, 10.3.0.0) connect to shared PEs; different routing protocols (RIP, OSPF, IS-IS) run between the CEs and the PE; P routers carry the routes across the P-Network.]

All the CEs belonging to different VPNs connect to the same PE. Different routing protocols run between the CEs and the PE (or the same routing protocol, but with different processes). Because the PE transmits the private routes into the public network, we must first filter the routes, then transmit them to the corresponding CEs.

Disadvantage
We must configure many ACLs on the PE to prevent communication among the different CEs connected to the same PE.

Peer-to-Peer VPN: private PE

Private routes are transmitted on the public network.

[Figure: each VPN has its own PE: the CEs of VPN_A (11.1.0.0, 11.3.0.0) and VPN_B (10.1.0.0, 10.3.0.0) connect to separate PEs running RIP or OSPF toward the CE; the PEs connect to the P routers of the P-Network.]

Every VPN has a private PE, so we can run any routing protocol between the CE and the PE. BGP runs between the PE and the P, and the routes are filtered using BGP attributes.
Advantage: no ACL is needed. Disadvantage: the cost is too high.


Peer-to-Peer VPN Nature

Although Peer-to-Peer VPN solves the static problem, it also has some defects: because no tunnel technology is used, the private routes leak into the public network, so security is much worse. The CEs also cannot share the same address space.

How to solve this?


Solution Scheme

Tunnel technology: MPLS

To ensure security, we must use a tunnel technology. Although there are many tunnel technologies, e.g. GRE and IPSec, they do not suit a large network. The LSP of MPLS is established by the dynamic LDP protocol, and it is the suitable tunnel.

Address conflict: BGP

The number of VPN routes is very large, and BGP is the only routing protocol that supports such a large number of routes. BGP is based on a TCP connection, so it can establish a neighbor relationship between routers which are not directly connected to each other; therefore the P routers need not hold the VPN routing information. BGP supports many optional attributes, which makes route transmission easy to control.


Address Conflict Problem

1. Local route conflict, i.e. the same PE cannot distinguish the same routes from different VPNs (control plane).

2. During route transmission, if two identical routes are transmitted on the network, how does the receiver distinguish them? (control plane)

3. After the route conflict is solved, when the PE receives an IP packet to the same destination address, how does it know which VPN the packet should be forwarded to? (forwarding plane)


Solution

To solve the local route conflict, we can build different routing tables on the same router, with different interfaces belonging to different routing tables. This is equal to saying that the shared PE simulates several private PEs.

Add an identifier to the route to distinguish the different VPNs during route transmission.

Because we cannot change the structure of IP packets, add an additional identifier before the IP header; then the PE can forward the packet according to the identifier.


(1) Local route conflict

[Figure: top, the private PE model: each VPN (VPN-A, VPN-B) has its own PE, and the P routers run IGP and/or BGP with one global routing table. Bottom, the VRF model: one PE holds a global routing table plus a VRF for VPNA and a VRF for VPNB, each a separate VPN routing table with its own CE-facing interfaces.]


VRF

VRF: VPN Routing & Forwarding Instance
A VRF can be regarded as a virtual router that acts as a private PE.

This virtual router includes the following elements:
An independent routing table, including an independent address space.
A group of interfaces belonging to the VRF.
A group of routing protocols used only within the VRF.

Every PE maintains one or several VRFs and one public routing table. Every VRF is independent.

What is the relationship between the VRFs?


Relationship of VRFs: Route Target

The Route Target attribute (RT) is one of the MBGP extended community attributes.
There are two types of RT; the values of the type field are 0x0002 and 0x0102.

RT structure:
Type (2 bytes) | Administrator field  | Assigned Number field
0x0002         | AS number (2 bytes)  | Assigned number (4 bytes)
0x0102         | IP address (4 bytes) | Assigned number (2 bytes)


Route Target

RT is used to control the advertisement of VPN routing information. There are two sets of Route Target attributes: Export Targets and Import Targets.
Export Targets are added to the route when advertising local routes to remote PE routers.
Import Targets are used to decide which routes can be imported into the routing table of this site when receiving routes from remote PE routers.


Application of RT

The RT Export Target and Import Target can each be configured with several values.

[Figure: three RT applications. Traditional mode: every site uses im:a ex:a. Hub-spoke mode: the hub uses im:b ex:a and the spokes use im:a ex:b. Extranet: sites keep their own RTs (im:a ex:a; im:b ex:c) while a shared site uses im:a,c ex:a,b.]


(2) Address conflict during route transmission

After we solve the local route conflict, the address conflict during route transmission is solved in the same way: we only need to add an identifier to the route. Can we use the RT as the identifier? Theoretically, we can. But when a route is withdrawn, the BGP route withdraw message does not carry the attributes (no RT). So we need to define the RD (Route Distinguisher).


RD

RD structure:
Type (2 bytes) | Administrator field | Assigned Number field
0              | 2-byte ASN          | 4-byte assigned number
1              | 4-byte IP address   | 2-byte assigned number

VPNv4 address structure:
Route Distinguisher (8 bytes) + IPv4 address

The VPNv4 address is used to transmit VPN routes among the PEs.

The RD is unique among the different VPNs. If two VPNs have the same IP address, the PE adds different RDs to convert them into VPNv4 addresses, so the address conflict cannot occur.
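Added here as an illustration (not code from the course): encoding the two RD formats of this slide, building the labelled VPN-IPv4 NLRI that MP_REACH_NLRI carries (24-bit label entry, 64-bit RD, IPv4 prefix), and checking that the overlapping 10.1.0.0 of VPN_A and VPN_B from the VPN structure figure becomes two distinct VPNv4 prefixes. The helper names and the type-1 RD value 197.26.15.1:27 are assumptions.

```python
import ipaddress
import struct

# Added example, not from the course: RD encoding and the labelled VPN-IPv4 NLRI.
# RD type 0: 2-byte ASN + 4-byte number; RD type 1: 4-byte IPv4 address + 2-byte number.
# NLRI (as carried in MP_REACH_NLRI): length in bits, 24-bit label entry
# (20-bit label, 3 EXP bits, bottom-of-stack bit; no TTL), 64-bit RD, IPv4 prefix.

def encode_rd(admin, number):
    """Return the 8-byte RD; an int admin selects type 0, an IPv4 string type 1."""
    if isinstance(admin, int):
        return struct.pack("!HHI", 0, admin, number)
    return struct.pack("!HIH", 1, int(ipaddress.IPv4Address(admin)), number)

def rd_to_str(rd):
    """Render an 8-byte RD as admin:number, e.g. 1:27 or 197.26.15.1:27."""
    (rd_type,) = struct.unpack("!H", rd[:2])
    if rd_type == 0:
        asn, num = struct.unpack("!HI", rd[2:])
        return f"{asn}:{num}"
    ip, num = struct.unpack("!IH", rd[2:])
    return f"{ipaddress.IPv4Address(ip)}:{num}"

def vpnv4_nlri(label, rd, prefix):
    """Build the labelled NLRI: length byte, label entry, RD, prefix (only the bytes the mask needs)."""
    net = ipaddress.IPv4Network(prefix)
    label_entry = ((label << 4) | 1).to_bytes(3, "big")  # EXP=0, bottom of stack=1
    prefix_bytes = net.network_address.packed[: (net.prefixlen + 7) // 8]
    return bytes([24 + 64 + net.prefixlen]) + label_entry + rd + prefix_bytes

def parse_vpnv4_nlri(data):
    """Inverse of vpnv4_nlri: return (label, 'rd', 'prefix/len')."""
    plen = data[0] - 88                      # strip the 24 label bits and 64 RD bits
    label = int.from_bytes(data[1:4], "big") >> 4
    rd = rd_to_str(data[4:12])
    prefix_bytes = data[12:12 + (plen + 7) // 8].ljust(4, b"\x00")
    return label, rd, f"{ipaddress.IPv4Address(prefix_bytes)}/{plen}"

def distinguishable(rd_a, rd_b, prefix):
    """True when the same IPv4 prefix from two VPNs yields two different VPNv4 prefixes."""
    net_bytes = ipaddress.IPv4Network(prefix).network_address.packed
    return rd_a + net_bytes != rd_b + net_bytes

if __name__ == "__main__":
    # Constructed sample: VPN-A uses RD 1:27 and label 28 (from the slides); the
    # second VPN uses a constructed type-1 RD; both sites advertise 10.1.0.0/16.
    nlri = vpnv4_nlri(28, encode_rd(1, 27), "149.27.2.0/24")
    print(nlri.hex(), parse_vpnv4_nlri(nlri))
    print(distinguishable(encode_rd(1, 27), encode_rd("197.26.15.1", 27), "10.1.0.0/16"))
```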

(3) Packet forwarding address conflict

Now the first two problems have been solved. But if the remote PE receives an IP packet to the same destination, and both VRFs on that PE have the same route, to which CE will it forward the packet? We need to add some information to the packet.

We need a short identifier. This identifier is defined as the private label distributed by MP-BGP.

What is MP-BGP?


MBGP

MBGP (Multiprotocol Extensions for BGP-4)

BGP-4 only supports IPv4, and is extended to MBGP to transfer the routing information of more protocols (IPv6, IPX, etc.). To maintain compatibility, only two BGP attributes are added for MBGP: MP_REACH_NLRI and MP_UNREACH_NLRI. The two attributes are used in the BGP Update message to announce or withdraw network reachability information.


Network Layer Reachability Information

NLRI (Network Layer Reachability Information) includes the address family, the private label and the RT.

MP_REACH_NLRI:
Address family: VPN-IPv4
Next hop: the PE's IPv4 address, usually its loopback address
NLRI: label (24 bits, like an MPLS label but without the TTL portion), RD (64 bits), IP prefix

Followed by the RT list:
Extended_Communities: RT1
Extended_Communities: RT2


Concept Summary

VRF: a virtual router on the PE, including dedicated interfaces, a routing table, a routing protocol, an RD and RTs.
RT: controls the routing information exchanged among the different VRFs. Actually, it is an extended community attribute of BGP.
RD: identifies the same route from different VPNs.
Label: identifies the packet to the same destination in different VRFs.
Site: a VRF and the connected CE.
VPN: a set of sites.


Chapter 1 BGP MPLS VPN Overview
Chapter 2 BGP MPLS VPN Routing Exchange
Chapter 3 BGP MPLS VPN Label Switching


Relationship Between PE and CE

[Figure: the CE of VPNA at Site-1 and the CE of VPNB at Site-2 connect to a PE via EBGP, RIP or static routes; the PE holds a global routing table plus a VRF for VPNA and a VRF for VPNB.]

PE and CE routers exchange routing information via EBGP, RIP or static routes. The CE runs a standard routing protocol. The PE maintains separate routing tables for the public network and the private networks:
The routing table of the public network, including the routes of all PE and P routers, generated by the IGP of the backbone network.
The VRF (VPN routing & forwarding), including the routing and forwarding tables for one or multiple directly connected CEs.


VRF Route Distribution Step 1: Importing VRF Routes into MP-iBGP

[Figure: CE-1 (Beijing) sends a BGP or RIPv2 update for 149.27.2.0/24, NH=CE-1, to its PE; that PE sends a VPN-v4 update over MP-iBGP to the PE serving CE-2 (Shanghai): RD:1:27:149.27.2.0/24, Next-hop=PE-1, RT=VPN-A, Label=(28).]

Importing a VRF route into MP-iBGP:

The PE router converts the route received from the CE (in the VRF routing table) into a VPN-v4 route: it labels it with the RD and RT based on the configuration, changes the next hop to the PE itself (its loopback), assigns the label based on the interface, and finally sends the MP-iBGP update packet to all PE neighbors.


VRF Route Distribution Step 2: Importing MP-iBGP Routes into VRF

[Figure: the PE serving CE-2 (Shanghai) receives the VPN-v4 update RD:1:27:149.27.2.0/24, Next-hop=PE-1, RT=VPN-A, Label=(28) over MP-iBGP from the PE serving CE-1 (Beijing); the slide shows the VRF configuration "ip vrf VPN-B / vpn-target import VPN-A".]

The PE receives the update packet, converts the VPN-v4 address back into an IPv4 address, distributes it into the routing table of VRF VPN-A (RT=VPN-A), and then transmits it to the CE with the routing protocol running between the PE and the CE.

Each VRF has import route-target and export route-target configurations. When the transmitting PE sends MP-iBGP updates, the export attribute is attached to the packet. When receiving VPN-IPv4 MP-iBGP updates, the receiving PE judges whether the received export RT equals the import RT of a local VRF. If yes, the route is added to the corresponding VRF routing table; otherwise, it is discarded.
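Added here as an illustration (not code from the course): the two distribution steps above modelled on one receiving PE, showing the export RT being attached, the import RT match deciding which VRFs install the route, and why the RD (not the RT) is what a withdraw can be matched on. RD 1:27, prefix 149.27.2.0/24, label 28 and the RT names come from the slides; a VRF VPN-B importing VPN-A mirrors the slide's "vpn-target import VPN-A"; RD 2:27, label 29 and the VRF VPN-C are constructed.

```python
# Added example, not from the course material: the two route distribution steps
# with import/export Route Targets, plus a withdraw, modelled on one receiving PE.
# RD 1:27, prefix 149.27.2.0/24, label 28 and the RT/VRF names come from the
# slides; RD 2:27 and label 29 for the second VPN are constructed here.

class Vrf:
    def __init__(self, name, import_rts, export_rts):
        self.name = name
        self.import_rts = set(import_rts)
        self.export_rts = set(export_rts)
        self.table = {}            # (rd, prefix) -> (next_hop, private_label)

def export_to_mp_ibgp(vrf, rd, prefix, pe_loopback, label):
    """Step 1: the advertising PE turns a VRF route into a VPN-v4 update with
    its export RTs, its own loopback as next hop and the private label."""
    return {"rd": rd, "prefix": prefix, "next_hop": pe_loopback,
            "label": label, "rts": set(vrf.export_rts)}

def import_from_mp_ibgp(vrfs, update):
    """Step 2: the receiving PE installs the route into every VRF whose import
    RTs match one of the update's RTs; a VRF without a match discards it."""
    accepted = []
    for vrf in vrfs:
        if vrf.import_rts & update["rts"]:
            vrf.table[(update["rd"], update["prefix"])] = (update["next_hop"], update["label"])
            accepted.append(vrf.name)
    return accepted

def withdraw(vrfs, rd, prefix):
    """A BGP withdraw carries only the NLRI (RD + prefix), no RT attribute, so the
    receiving PE finds the route by RD; the RD keeps two VPNs' identical prefixes apart."""
    return [v.name for v in vrfs if v.table.pop((rd, prefix), None) is not None]

def demo():
    local = [Vrf("VPN-A", ["VPN-A"], ["VPN-A"]),
             Vrf("VPN-B", ["VPN-B", "VPN-A"], ["VPN-B"]),   # extranet: also imports VPN-A
             Vrf("VPN-C", ["VPN-C"], ["VPN-C"])]
    remote_a = Vrf("VPN-A", ["VPN-A"], ["VPN-A"])            # VRFs on the advertising PE-1
    remote_b = Vrf("VPN-B", ["VPN-B"], ["VPN-B"])
    upd_a = export_to_mp_ibgp(remote_a, "1:27", "149.27.2.0/24", "PE-1", 28)
    upd_b = export_to_mp_ibgp(remote_b, "2:27", "149.27.2.0/24", "PE-1", 29)  # same prefix, other VPN
    result = {"accept_a": import_from_mp_ibgp(local, upd_a),
              "accept_b": import_from_mp_ibgp(local, upd_b),
              "vpn_b_keys": sorted(local[1].table)}       # VPN-B holds both, told apart by RD
    result["withdrawn"] = withdraw(local, "1:27", "149.27.2.0/24")
    result["vpn_b_left"] = sorted(local[1].table)
    return result

if __name__ == "__main__":
    print(demo())
```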


Chapter 1 BGP MPLS VPN Overview
Chapter 2 BGP MPLS VPN Routing Exchange
Chapter 3 BGP MPLS VPN Label Switching


MPLS/VPN Label Distribution

[Figure: LDP label distribution for FEC 197.26.15.1/32, the loopback of the PE serving the Beijing site 149.27.2.0/24. That PE advertises "use label implicit-null for destination 197.26.15.1/32" to the P router; the P router advertises "use label 41 for destination 197.26.15.1/32" to PE-1 (Shanghai). Resulting label tables: PE-1: In label -, FEC 197.26.15.1/32, Out label 41; P router: In label 41, FEC 197.26.15.1/32, Out label POP. The VPN-v4 update carries RD:1:27:149.27.2.0/24, NH=197.26.15.1, RT=VPN-A, Label=(28).]


MPLS/VPN Packet Forwarding-1

[Figure: PE-1 receives an IP packet for 149.27.2.27 from the Shanghai site. VRF VPN-A lookup: 149.27.2.0/24, NH=197.26.15.1, Label=(28); public label table: In label -, FEC 197.26.15.1/32, Out label 41. PE-1 sends the packet toward the P router with the label stack 41 (outer) / 28 (inner) in front of the IP packet to 149.27.2.27 in the Beijing site.]


MPLS/VPN Packet Forwarding-2

[Figure: the P router receives the packet with labels 41 / 28 (In label 41, FEC 197.26.15.1/32, Out label POP): it pops the outer label and forwards the packet with only label 28 to the egress PE. The egress PE (In label 28 (V), FEC 149.27.2.0/24, Out label -) uses the private label to select VRF VPN-A (149.27.2.0/24, NH=Beijing), removes the label and forwards the IP packet to 149.27.2.27 in the Beijing site.]


Demo: Private Label Distribution

[Figure: CE A2 sends a BGP, OSPF or RIPv2 update for 149.27.2.0/24, NH=CE A2, to PE-C. PE-C installs 149.27.2.0/24 NH: CE A2 with In label 28, and sends a VPN-v4 update over its MP-BGP IBGP peering through P B to PE-A: RD:1:27:149.27.2.0/24, Next-hop=PE-C, RT=VPN-A, Label=(28). PE-A installs 149.27.2.0/24 Out 28 NH: PE-C and advertises 149.27.2.0/24, NH=PE-A, to CE A1 by BGP, OSPF or RIPv2. CE B1 and CE B2 (VPN-B) are attached to the same PEs.]


Demo: Public Label Distribution

The loopback IP address of PE-C is 1.1.1.1/32.

[Figure: IGP runs between PE-A, P B and PE-C. By LDP, PE-C advertises label 3 (implicit-null) for 1.1.1.1/32 to P B, and P B advertises label 20 for 1.1.1.1/32 to PE-A. Resulting entries: PE-A: 1.1.1.1/32 out 20; 149.27.2.0/24 Out 28 NH: PE-C. P B: In 20, 1.1.1.1/32, out 3. PE-C: 1.1.1.1/32 (local); In 28, 149.27.2.0/24, NH: CE A2.]


Demo: Packet Forwarding

[Figure: CE A1 pings 149.27.2.1. PE-A looks up 149.27.2.0/24 in the VRF (Out 28, NH: PE-C) and 1.1.1.1/32 in the public table (out 20), and sends the packet with label stack 20 / 28 to P B. P B (In 20, 1.1.1.1/32, out 3) pops label 20 and forwards the packet with label 28 to PE-C. PE-C (In 28, 149.27.2.0/24, NH: CE A2) removes label 28 and forwards the IP packet to CE A2.]
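Added here as an illustration (not code from the course): a simulation of the demo's forwarding path with the label values the three demo slides show, including the two drop cases a real PE and P router must handle (no VRF route at the ingress PE, unknown label at the P router). The tables, device names and helper names are constructed from the demo, not from any VRP configuration.

```python
import ipaddress

# Added example, not from the course material: the demo forwarding path simulated
# with the slides' values. PE-A pushes public label 20 (LDP label for PE-C's loopback
# 1.1.1.1/32) over private label 28 (MP-BGP label for 149.27.2.0/24 in VPN-A);
# P B's entry "In 20, out 3" means implicit-null, so it pops instead of swapping;
# PE-C maps in-label 28 to VRF VPN-A, next hop CE A2. Tables are constructed here.

IMPLICIT_NULL = 3

PE_A_VRF = {"VPN-A": [("149.27.2.0/24", "1.1.1.1", 28)]}   # prefix, NH=PE-C loopback, private label
PE_A_LDP = {"1.1.1.1/32": 20}                                # LDP out label toward P B
P_B_LFIB = {20: IMPLICIT_NULL}                               # in label -> out label
PE_C_LABELS = {28: ("VPN-A", "CE A2")}                       # private label -> (VRF, next hop)

def pe_a_ingress(vrf, dst_ip):
    """Ingress PE: longest match in the VRF, then the LDP label for the BGP next hop.
    Returns the label stack (outer first), or None when the VRF has no route."""
    dst = ipaddress.IPv4Address(dst_ip)
    hits = [e for e in PE_A_VRF.get(vrf, []) if dst in ipaddress.IPv4Network(e[0])]
    if not hits:
        return None
    _, next_hop, private_label = max(hits, key=lambda e: ipaddress.IPv4Network(e[0]).prefixlen)
    return [PE_A_LDP[f"{next_hop}/32"], private_label]

def p_b_switch(stack):
    """P router: acts on the top label only. Out label 3 means pop (penultimate hop
    popping); any other value is a swap. An unknown label drops the packet."""
    out = P_B_LFIB.get(stack[0])
    if out is None:
        return None
    return stack[1:] if out == IMPLICIT_NULL else [out] + stack[1:]

def pe_c_egress(stack):
    """Egress PE: the single remaining (private) label selects the VRF and the CE."""
    if len(stack) != 1:
        return None
    return PE_C_LABELS.get(stack[0])

def forward(vrf, dst_ip):
    """Trace one packet through PE-A, P B and PE-C; None marks a drop."""
    stack = pe_a_ingress(vrf, dst_ip)
    after_p = p_b_switch(stack) if stack else None
    if after_p is None:
        return None
    return {"pe_a": stack, "p_b": after_p, "pe_c": pe_c_egress(after_p)}

if __name__ == "__main__":
    print(forward("VPN-A", "149.27.2.1"))   # the demo's ping target
    print(forward("VPN-A", "10.9.9.9"))     # no VRF route: dropped at PE-A
```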


Summary

VPN classification
MPLS L3 VPN label distribution
MPLS L3 VPN forwarding process
