Virtual Private Networks
- A network infrastructure delivering private network services over a public infrastructure
- Certainly not a new concept

VPN - Overlay Model
[Figure labels: Service Provider Network, Provider Edge (PE) device, VPN Site, CPE (CE) Device, Virtual Circuit, Layer-3 Routing Adjacency]

VPN - Overlay Model
- Private trunks across a telco/SP shared infrastructure
  - leased/dialup lines
  - FR/ATM virtual circuits
  - IP (GRE) tunnelling
- Point-to-point solution between customer sites
  - how to size inter-site circuit capacities?
  - full mesh requirement for optimal routing
- CPE routing adjacencies between sites

VPN - Peer-to-Peer Model
[Figure labels: Service Provider Network, Provider Edge (PE) Router, VPN Site, CPE (CE) Router, Layer-3 Routing Adjacency]

- Provider edge (PE) device exchanges routing information with CPE
  - all customer routes carried within SP IGP
  - simple routing scheme for VPN customer
  - routing between sites is optimal
  - circuit sizing no longer an issue
- Private addressing is not an option
- Addition of new site is simpler
  - no overlay mesh to contend with

The Solution: MPLS
- A new paradigm that delivers the best of both worlds:
  - Privacy of ATM, Frame Relay
  - flexibility and scalability of IP
- Foundation for IP business services
  - flexible grouping of users and value-added services
- Low cost managed IP services
  - scales to large and small private networks
- Based on RFC2547bis.

Agenda
- MPLS Business Perspective
- VPN Concept
- MPLS VPN

MPLS VPN mechanisms: VRF and Multiple Routing Instances
[Figure: logical view and routing view of Site-1, Site-2, Site-3 and Site-4 in VPN-A, VPN-B and VPN-C; PE and P routers; Multihop MP-iBGP]
- VRF for site-1: Site-1 routes, Site-2 routes
- VRF for site-2: Site-1 routes, Site-2 routes, Site-3 routes
- VRF for site-3: Site-2 routes, Site-3 routes, Site-4 routes
- VRF for site-4: Site-3 routes, Site-4 routes

MPLS VPN Connection Model
- PE routers receive IPv4 updates (EBGP, RIPv2, OSPF, Static)
- PE routers translate into VPN-IPv4
  - Assign a SOO and RT based on configuration
  - Re-write Next-Hop attribute
  - Assign a label based on VRF and/or interface
  - Send MP-iBGP update to all PE neighbors
[Figure labels: Site-1, CE-1, PE-1, VPN Backbone IGP, P routers, PE-2, CE-2, Site-2]
Figure annotations:
- BGP, RIPv2 update for Net1, Next-Hop=CE-1
- VPN-IPv4 update: RD:Net1, Next-hop=PE-1, SOO=Site1, RT=Green, Label=(intCE1)
- VPN-IPv4 update is translated into IPv4 address (Net1), put into VRF green since RT=Green, and advertised to CE-2

MPLS VPN Connection Model
- Receiving PEs translate to IPv4
- Insert the route into the VRF identified by the RT attribute (based on PE configuration)
- The label associated with the VPN-IPv4 address will be set on packets forwarded towards the destination
[Figure: same topology and update annotations as on the previous slide]

MPLS/VPN Packet Forwarding
- PE and P routers have BGP next-hop reachability through the backbone IGP
- Labels are distributed through LDP corresponding to BGP Next-Hops or RSVP with Traffic Engineering
[Figure labels: Paris, PE-1, P router, London, 188.8.131.52/24]
Label table entries shown in the figure:
- In Label -, FEC 126.96.36.199/32, Out Label -
- In Label 41, FEC 188.8.131.52/32, Out Label POP
- In Label -, FEC 184.108.40.206/32, Out Label 41
Figure annotations:
- Use label implicit-null for destination 220.127.116.11/32
- Use label 41 for destination 18.104.22.168/24
- VPN-v4 update: RD:1:27:22.214.171.124/24, NH=126.96.36.199, SOO=Paris, RT=VPN-A, Label=(28)

MPLS/VPN Packet Forwarding
- Ingress PE receives normal IP packets
- PE router performs IP Longest Match from VPN FIB, finds iBGP next-hop and imposes a stack of labels
[Figure labels: Paris 220.127.116.11, PE-1, London, 18.104.22.168/24]
Label table entry shown in the figure:
- In Label -, FEC 184.108.40.206/32, Out Label 41
Figure annotations:
- VPN-A VRF 126.96.36.199/24, NH=188.8.131.52, Label=(28)
- Labelled packet: IP destination 22.214.171.124, label 28, label 41

MPLS/VPN Packet Forwarding
- Penultimate PE router removes the IGP label
  - Penultimate Hop Popping procedures (implicit-null label)
- Egress PE router uses the VPN label to select which VPN/CE to forward the packet to
- VPN label is removed and the packet is routed toward the VPN site
[Figure labels: Paris 220.127.116.11, PE-1, London, 18.104.22.168/24]
Label table entries shown in the figure:
- In Label 41, FEC 184.108.40.206/32, Out Label POP
- In Label 28(V), FEC 220.127.116.11/24, Out Label -
Figure annotations:
- VPN-A VRF 126.96.36.199/24, NH=188.8.131.52, Label=(28)
- VPN-A VRF 18.104.22.168/24, NH=Paris
- Packet in the backbone: IP destination 22.214.171.124, label 28, label 41
- Packet after the IGP label is removed: IP destination 184.108.40.206, label 28
- Packet delivered to the site: IP destination 22.214.171.124, no labels

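
The connection model and packet forwarding slides above, as an added Python example (not part of the original deck): a route lands only in VRFs whose import RT matches, which is what keeps two customers with the same prefix apart, and the ingress PE then imposes the two-label stack. Labels 41 and 28, RD 1:27, RT VPN-A and the PE-1/PE-2 names come from the slides; the 10.1.1.0/24 prefix, VPN-B, RD 1:99, label 35 and all class and function names are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class VpnRoute:
    rd: str        # route distinguisher: makes overlapping prefixes unique
    prefix: str    # customer IPv4 prefix
    next_hop: str  # advertising PE (next-hop is rewritten on export)
    rt: str        # route target: decides which VRFs import the route
    label: int     # VPN label assigned by the advertising PE

def export_route(pe, rd, rt, prefix, label):
    """Advertising PE: IPv4 route -> VPN-IPv4 update sent over MP-iBGP."""
    return VpnRoute(rd, prefix, pe, rt, label)

class Pe:
    def __init__(self, name, vrf_import_rts, igp_labels):
        self.name = name
        self.import_rts = vrf_import_rts     # {VRF name: set of import RTs}
        self.igp_labels = igp_labels         # {remote PE: label learned via LDP}
        self.vrfs = {vrf: {} for vrf in vrf_import_rts}

    def receive(self, route):
        """Install the route only in VRFs whose import RT matches."""
        installed = []
        for vrf, rts in self.import_rts.items():
            if route.rt in rts:
                self.vrfs[vrf][ipaddress.ip_network(route.prefix)] = route
                installed.append(vrf)
        return installed

    def impose(self, vrf, dst):
        """Longest match in the VRF FIB, then push [IGP label, VPN label]."""
        addr = ipaddress.ip_address(dst)
        matches = [net for net in self.vrfs[vrf] if addr in net]
        if not matches:
            return None                      # no route in this VRF: drop
        route = self.vrfs[vrf][max(matches, key=lambda net: net.prefixlen)]
        return [self.igp_labels[route.next_hop], route.label]  # outer first

def penultimate_hop_pop(stack):
    """Penultimate hop removes the IGP label; the VPN label remains."""
    return stack[1:]

# Constructed sample: two customers reuse 10.1.1.0/24 behind PE-1.
ingress = Pe("PE-2", {"VPN-A": {"VPN-A"}, "VPN-B": {"VPN-B"}}, {"PE-1": 41})
route_a = export_route("PE-1", "1:27", "VPN-A", "10.1.1.0/24", 28)
route_b = export_route("PE-1", "1:99", "VPN-B", "10.1.1.0/24", 35)
```

Widening a VRF's import set (for example, adding "VPN-B" to the VPN-A entry) makes `receive` install the other customer's route there, which is how a route-target misconfiguration turns into a cross-VPN route leak.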