CS 672, Summer 2003

MPLS VPN Architecture
- An MPLS VPN is a collection of sites interconnected over an MPLS core network.
- MPLS VPN is based on the L3 peer model.
- The main building blocks of MPLS VPNs are:
  - Customer Site – a collection of LANs or subnets. A site can be viewed as the basic unit of connectivity in an MPLS VPN.
  - Customer Edge (CE) Router – a router that connects to a PE router.
  - Provider Edge (PE) Router – a provider router that connects to a CE router.
  - Provider Router (P) – a provider router that is not connected to a CE router.
VPN-IPv4 Address
- Customer routes learned via PE-CE routing exchanges are advertised using iBGP between PE routers.
- Problem – customer addresses are not unique (i.e., different VPN customers may use the same IPv4 addresses). However, BGP requires addresses to be globally unique.
- Solution – define a new address family, called VPN-IPv4, to uniquely identify customer addresses within the VPN backbone.
- A VPN-IPv4 address is 12 bytes long:
  - the first 8 bytes are known as the Route Distinguisher (RD);
  - the last 4 bytes are the IPv4 address.
Route Distinguisher (RD)
- The RD is used to make an IPv4 address globally unique.
- An RD consists of a 2-byte type field, an administrator field (2 or 4 bytes), and an assigned number field (4 or 2 bytes). For example:
  - When the type field value is 0, the administrator field is 2 bytes and contains the AS number of the enterprise, and the assigned number field contains a number from the numbering space assigned to the enterprise by IANA.
  - When the type field value is 1, the administrator field is 4 bytes and contains an IP address of the enterprise, and the assigned number field contains a number from the numbering space assigned to the enterprise by IANA.
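The RD layout above and the 12-byte VPN-IPv4 address of the previous slide, as an added worked example (not code from the lecture): the two RD types are encoded and decoded, and the same customer address under two different RDs is shown to yield two distinct VPN-IPv4 addresses. The customer names, AS number and addresses are constructed for the example.

```python
import struct
import ipaddress

# Added example (not from the slides): encode/decode the 8-byte Route
# Distinguisher and build the 12-byte VPN-IPv4 address (RD + IPv4 address).
#   Type 0: 2-byte AS number administrator + 4-byte assigned number
#   Type 1: 4-byte IPv4 address administrator + 2-byte assigned number

def encode_rd(rd_type, administrator, assigned):
    """Return the 8-byte RD for the given type, administrator and assigned number."""
    if rd_type == 0:
        return struct.pack("!HHI", 0, administrator, assigned)
    if rd_type == 1:
        return struct.pack("!HIH", 1, int(ipaddress.IPv4Address(administrator)), assigned)
    raise ValueError("unsupported RD type %r" % rd_type)

def decode_rd(rd):
    """Split an 8-byte RD into (type, administrator, assigned number)."""
    if len(rd) != 8:
        raise ValueError("RD must be exactly 8 bytes")
    rd_type = struct.unpack("!H", rd[:2])[0]
    if rd_type == 0:
        admin, assigned = struct.unpack("!HI", rd[2:])
        return rd_type, admin, assigned
    if rd_type == 1:
        admin, assigned = struct.unpack("!IH", rd[2:])
        return rd_type, str(ipaddress.IPv4Address(admin)), assigned
    raise ValueError("unsupported RD type %r" % rd_type)

def rd_text(rd):
    """Render an RD the way it is usually written: ASN:nn or A.B.C.D:nn."""
    _, admin, assigned = decode_rd(rd)
    return "%s:%d" % (admin, assigned)

def vpn_ipv4(rd, address):
    """The 12-byte VPN-IPv4 address: 8-byte RD followed by the 4-byte IPv4 address."""
    return rd + ipaddress.IPv4Address(address).packed

# Constructed sample: two customers that both use 10.1.1.0 internally.
RD_CUST_A = encode_rd(0, 65000, 100)        # written 65000:100
RD_CUST_B = encode_rd(1, "192.0.2.1", 7)    # written 192.0.2.1:7

def overlapping_prefixes_distinct(address="10.1.1.0"):
    """Same IPv4 address under different RDs yields different VPN-IPv4 addresses."""
    a, b = vpn_ipv4(RD_CUST_A, address), vpn_ipv4(RD_CUST_B, address)
    return len(a) == 12 and len(b) == 12 and a != b
```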
Route Distinguisher (RD)
- When a PE router learns addresses from attached CE routers, it distributes this information to the other PE routers that are connected to CE routers belonging to the same VPN. (Why?)
- However, before the PE can do that, it first needs to translate the IPv4 address into the VPN-IPv4 address family.
- To perform the IPv4 to VPN-IPv4 address mapping, the PE needs to know which RD to attach. This information is configured on the PE router; for example, each VRF is configured with a default RD.
- The VPN-IPv4 address is advertised via the BGP-4 multiprotocol extensions defined in RFC 2858 (e.g., AFI=1, SAFI =…).
VRF
- A PE router can be connected to CE routers from different VPNs.
- To segregate routing information per VPN and avoid erroneously forwarding packets from one VPN to another, the PE maintains a per-VPN routing table, the VRF.
- The association between a VRF and its attached set of interfaces (or sub-interfaces) is determined through configuration.
Populating VRF
- A VRF can be populated with routing information from two sources:
  - routes learned from the associated CE(s);
  - routes learned from another PE (i.e., VPN-IPv4 routes).
- CE routes are always eligible for inclusion in the associated VRF.
- PE routes are eligible for inclusion in a VRF if and only if the Route Target (RT) attribute of the received route matches one or more of the (pre-configured) Import Targets of the VRF.
- When a packet from a CE router is received, the correct VRF is selected based on the interface or sub-interface on which the packet was received.
Controlled Distribution of Customer Routes
- To control the flow of routing information (which in turn determines the data flow), routes are filtered based on BGP extended community attributes.
- When a PE learns a CE route, it associates one or more target VPN attributes with the route.
- A route target (RT) uniquely identifies a VPN or set of VPNs to which this route should be distributed.
BGP Extended Attribute
- The BGP Extended Communities attribute is an optional transitive attribute (Type Code = 16).
- Each VPN-IPv4 address can be assigned an Extended Communities attribute.
- The Extended Communities attribute contains a set of extended communities (see draft-ietf-idr-bgp-ext-communities-05.txt).
- Each extended community is 8 bytes (64 bits) long and is encoded as:
  - Type field (1 or 2 bytes)
  - Value field (7 or 6 bytes)
BGP Extended Communities
- In MPLS VPN, BGP extended communities are used for the controlled distribution of routing information and for filtering.
- The commonly used BGP extended communities are:
  - Route Target (RT) Community
  - Route Origin Community
- The Route Target community identifies the routers that may receive the associated route.
- The Route Origin community identifies one or more routers that injected the route into BGP.
Route Target (RT) Community
- The Route Target Community identifies one or more routers that may receive a set of routes (that carry this Community) carried by BGP.
- This is transitive across the Autonomous System boundary.
- Global/Local Administrator fields:
  - Type field = 0x00 or 0x02: the Global Administrator sub-field contains the AS number of the enterprise, and the Local Administrator sub-field contains a number from a numbering space.
  - Type field = 0x01: the Global Administrator sub-field contains the IP address of the enterprise, and the Local Administrator sub-field contains a number from a numbering space.

     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |     Type      |   Sub-Type    |    Global Administrator       |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    | Global Administrator (cont.)  |     Local Administrator       |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

    Type = 0x00, 0x01, or 0x02        Sub-Type = 0x02 (Route Target)
Route Origin Community
- The Route Origin Community identifies one or more routers that inject a set of routes (that carry this Community) into BGP.
- This is transitive across the Autonomous System boundary.
- Global/Local Administrator fields:
  - Type field = 0x00 or 0x02: the Global Administrator sub-field contains the AS number of the enterprise, and the Local Administrator sub-field contains a number from a numbering space.
  - Type field = 0x01: the Global Administrator sub-field contains the IP address of the enterprise, and the Local Administrator sub-field contains a number from a numbering space.
- The encoding is the same Type / Sub-Type / Global Administrator / Local Administrator layout as the Route Target Community, with Type = 0x00, 0x01, or 0x02 and Sub-Type = 0x03 (Route Origin).
Route Target Based Filtering
- Every CE router has one or more RT community attributes. Similarly, each VRF on the PE router is associated with one or more RT community attributes.
- When a PE router learns a VPN-IPv4 route from another PE router, it installs this route only into those VRFs that have matching import Route Target communities.
- Similarly, a PE advertises a learned route to a CE only if there is a common RT attribute between the route and the CE router.
Route Target Based Filtering
- In summary, MPLS VPN uses BGP extended community attributes to control the flow of routing information by applying route filtering.
- If route distribution is to be restricted to its intranet (i.e., within the same VPN), a single RT community is associated with the route.
- If extranet or inter-VPN routing is desired, additional RT communities are associated with the route.
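The extended community encoding from the Route Target and Route Origin slides and the import-target check of the two filtering slides, as one added worked example (not code from the lecture): an 8-byte community is decoded by its type and sub-type, and a receiving PE decides which VRFs a route is installed into by intersecting the route's RTs with each VRF's import targets, which is where a single RT keeps a route inside one VPN and a second RT opens it to an extranet. The VRF names, AS number and addresses are constructed for the example.

```python
import struct
import ipaddress

# Added example (not from the slides): decode 8-byte BGP extended communities
# (Route Target = sub-type 0x02, Route Origin = sub-type 0x03) and apply the
# import-target check a PE makes before installing a VPN-IPv4 route in a VRF.

SUBTYPES = {0x02: "RT", 0x03: "RO"}   # RT = Route Target, RO = Route Origin

def decode_ext_community(ec):
    """Return (kind, 'global:local') for type 0x00 (2-byte AS), 0x01 (IPv4)
    or 0x02 (4-byte AS) specific extended communities."""
    if len(ec) != 8:
        raise ValueError("extended community must be 8 bytes")
    ec_type, sub_type = ec[0], ec[1]
    kind = SUBTYPES.get(sub_type)
    if kind is None:
        raise ValueError("unsupported sub-type 0x%02x" % sub_type)
    if ec_type == 0x00:                       # 2-byte global : 4-byte local
        glob, local = struct.unpack("!HI", ec[2:])
    elif ec_type in (0x01, 0x02):             # 4-byte global : 2-byte local
        glob, local = struct.unpack("!IH", ec[2:])
        if ec_type == 0x01:
            glob = str(ipaddress.IPv4Address(glob))
    else:
        raise ValueError("unsupported type 0x%02x" % ec_type)
    return kind, "%s:%d" % (glob, local)

def route_targets(communities):
    """Set of RT values carried by a route; Route Origin communities are not import keys."""
    return {v for k, v in map(decode_ext_community, communities) if k == "RT"}

def vrfs_importing(route_rts, vrf_import_targets):
    """VRFs whose import targets share at least one RT with the route (sorted by name)."""
    return sorted(n for n, t in vrf_import_targets.items() if route_rts & t)

# Constructed sample communities (type byte, sub-type byte, then the value field).
RT_A   = bytes([0x00, 0x02]) + struct.pack("!HI", 65000, 100)                 # RT 65000:100
RT_B   = bytes([0x00, 0x02]) + struct.pack("!HI", 65000, 200)                 # RT 65000:200
RT_X   = bytes([0x01, 0x02]) + ipaddress.IPv4Address("192.0.2.1").packed + struct.pack("!H", 9)
RO_PE1 = bytes([0x01, 0x03]) + ipaddress.IPv4Address("10.0.0.1").packed + struct.pack("!H", 1)

# Constructed per-VRF import targets on the receiving PE.
VRF_IMPORTS = {"cust-A": {"65000:100"}, "cust-B": {"65000:200"}}

def install_decision(communities):
    """Which VRFs the receiving PE installs a route carrying these communities into."""
    return vrfs_importing(route_targets(communities), VRF_IMPORTS)
```

A route carrying only RT 65000:100 lands in cust-A alone; adding RT 65000:200 makes the same route visible in cust-B as well, and a route whose RTs match no import target is installed nowhere.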
MPLS VPN Packet Forwarding
- A label stack is used for packet forwarding:
  - the top label indicates the BGP next hop;
  - the second-level label indicates the outgoing interface or VRF.
- MPLS nodes forward packets based on the top label; any subsequent labels are ignored.
- Penultimate Hop Popping procedures are used one hop prior to the egress PE router.
MPLS VPN Packet Forwarding
- As a packet from a CE router arrives, the PE router performs an IP address lookup in the associated VRF to determine the egress PE router. Typically, there are a number of intermediate P routers between an ingress and an egress PE router.
- Problem – in contrast with PE routers, P routers do not keep routing information about VPN (i.e., customer) routes. If we were to forward a packet from PE to PE, the intermediate P routers would not know how to forward this packet based on the destination IP address.
- Solution – establish an LSP between PE routers to forward VPN packets across the P routers. Once the egress PE router is known, we use the LSP to forward VPN packets across the P routers.
MPLS VPN Packet Forwarding
- The PE-to-PE label switched path is established using LDP.
- In order to label switch the VPN packet along the LSP, the PE router attaches a label stack.
- The top label (signaled via LDP) is used to forward the packet across the P routers; that is, P routers forward the packet based on the top label.
- The bottom label is used to select the outgoing interface or VRF in the egress PE router.
- The egress PE router advertises the bottom label together with the associated VPN-IPv4 route via BGP.
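The two-level label stack described on the three forwarding slides, as an added simulation (not code from the lecture): the ingress PE pushes the LDP label and the VPN label, each P router swaps only the top label, the penultimate hop pops it, and the egress PE selects the VRF from the VPN label alone. The node names, label values and LFIB entries are constructed for the example; the point is that two customers with the same destination prefix are kept apart by the bottom label while no P router ever looks at a customer address.

```python
# Added example (not from the slides): simulate PE-to-PE forwarding with a
# [LDP label, VPN label] stack. P routers act on the top label only; the
# penultimate hop pops it (PHP); the egress PE maps the VPN label to a VRF.

PHP = None   # marker in an LFIB entry: pop the top label instead of swapping it

# Constructed LDP forwarding state per P router: incoming top label -> (outgoing label, next hop)
LDP_LFIB = {
    "P1": {17: (23, "P2")},
    "P2": {23: (PHP, "PE2")},       # penultimate hop: pop, hand VPN label + IP packet to PE2
}
# Constructed VPN labels the egress PE2 advertised via BGP: bottom label -> VRF
PE2_VPN_LABELS = {1001: "cust-A", 1002: "cust-B"}
# Constructed ingress VRF lookup results on PE1: (VRF, destination) -> (egress PE, VPN label, LDP label to egress PE)
PE1_VRF = {("cust-A", "10.1.1.0/24"): ("PE2", 1001, 17),
           ("cust-B", "10.1.1.0/24"): ("PE2", 1002, 17)}

def ingress_push(vrf, dest):
    """PE1 looks the destination up in the VRF of the receiving interface and builds the stack."""
    egress, vpn_label, ldp_label = PE1_VRF[(vrf, dest)]
    return {"labels": [ldp_label, vpn_label], "dest": dest, "next": "P1"}

def p_forward(node, pkt):
    """A P router switches on the top label only; the VPN label and IP header are untouched."""
    out_label, next_hop = LDP_LFIB[node][pkt["labels"][0]]
    rest = pkt["labels"][1:]
    labels = rest if out_label is PHP else [out_label] + rest
    return {"labels": labels, "dest": pkt["dest"], "next": next_hop}

def egress_select_vrf(pkt):
    """PE2 uses the (now top) VPN label to pick the VRF; an unknown label selects nothing."""
    return PE2_VPN_LABELS.get(pkt["labels"][0])

def deliver(vrf, dest):
    """Full path: returns the VRF the packet lands in at PE2 and the label stack at each hop."""
    trace = []
    pkt = ingress_push(vrf, dest)
    trace.append(list(pkt["labels"]))
    while pkt["next"] in LDP_LFIB:          # walk the P routers along the LSP
        pkt = p_forward(pkt["next"], pkt)
        trace.append(list(pkt["labels"]))
    return egress_select_vrf(pkt), trace
```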
MPLS VPN Example Operation
- (see class notes)