Presentation is loading. Please wait.

Presentation is loading. Please wait.

MPLS L3 and L2 VPNs Virtual Private Network –Connect sites of a customer over a public infrastructure Requires: –Isolation of traffic Terminology –PE,

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "MPLS L3 and L2 VPNs Virtual Private Network –Connect sites of a customer over a public infrastructure Requires: –Isolation of traffic Terminology –PE,"— Presentation transcript:

1 MPLS L3 and L2 VPNs Virtual Private Network –Connect sites of a customer over a public infrastructure Requires: –Isolation of traffic Terminology –PE, P or core, CE or CPE –Customer site –Provider

2 How VPNs used to look Use Frame relay of ATM VCs to connect customers Over the provider’s FR or ATM network Good isolation of traffic –Separate FR DLCI or ATM VC to connect two customer sites –They all are called Virtual Circuits (VCs) This is a L2 VPN –All types of traffic can flow over the VCs –As long as their encapsulation is defined

3 Models The previous model is the “overlay” model –Provider gives customers p2p links between their sites –Customers run their own routing etc over them But they must know how to manage routing Routing can be sub-optimal if the connectivity between sites is not too good A full mesh is expensive –Provider does not know anything about customer’s network His life is simple –Can use multiple technologies for the VCs including IP tunnels GRE, IPSec

4 Peer-to-peer model –Customers and providers exchange routing information Their life is simple now –Provider can see information about the customer’s network Its operation is more complex –Routing between sites may be better now –Adding a new site is simple No need to configure multiple VCs between the new site and the existing sites –A CE connects to A dedicated PE –Expensive A PE shared with other customers –Risky, traffic may leak –All customers see the same address space No two customers can have the same address in their network

5 Intra-nets etc… Intra-net –Multiple sites belonging to the same customer/domain Extra-net –Sites that belong to different customers/domains Remote access –Remote users access the central network

6 Topologies Determined by the structure of the customer Hub-and-spoke –One/few central cite – hub –Has fewer VCs/cheaper –But routing is not too good –Extensions for redundancy Redundant connections to two hubs etc. Full + partial mesh –More paths Better routing Higher cost Hybrids between the above

7 Problems Overlay VPNs –Scaling and configuration is a problem Peer-to-peer –Risky, traffic may leak between customers In the shared PE In the shared IP address space in the backbone MPLS VPNs –Isolation similar to overlay VPNs –Scaling similar to peer-to-peer VPNs

8 VRF PEs have different Virtual Router Forwarding tables –One per VPN Contains customer routes –Routes from different VPNs do not get mixed up Different VPNs can have the same route PEs have one forwarding table for the backbone –Contains backbone (provider) routes Each incoming customer packet is routed based on the information of this customer’s VRF Each outgoing customer packet is also routed based on this VRF –There may be multiple PE links on the same VRF

9 Missing parts How will PEs learn routes from the remote VPN sites? How will be packets send to a destination in a remote site? –Backbone routers do not know anything about the VPN addresses How will PEs learn routes from the local customers?

10 Learning routes from remote PEs Need to learn all routes for all the remote sites of a VPN –Need to be added to the VRF for the VPN –Must talk to the remote PEs that have sites for the VPN How do the PEs exchange routes? –There can be a lot of routes Number of VPNs x number of routes/VPN IGP would not scale to these sizes Plus even P routers would have to see all these routes, not good

11 Use MP-BGP –not exactly what BGP is supposed to do but… –Use the multi-protocol capabilities of BGP Can carry IPv4, IPv6 prefixes And now… VPN routes –A VPN route is prefix + 64 bit route distinguisher (RD) RD is unique for each VPN RD + prefix is unique in the whole system –PEs talk to each other over iBGP All PEs need to talk to all other PEs –Full mesh of iBGP sessions between PEs But P routers do not have to see all these routes –Good scaling –And exchange VPN routes PEs eventually will find out all the remote routes for the VPNs they carry And the BGP next-hop which is the egress PE router

12 Good scaling P routes do not need to see the customer VPN routes –They forward packets towards the egress PE PEs need to maintain only routes for the VPN sizes they host

13 Packet transport Need to send a packet to a destination in a remote VPN site –The route in the VRF will contain the BGP next-hop The PE router for the remote site –Packet must be sent to this router Packet must be tunneled to the PE –When it arrives somehow it must reach the VRF that corresponds to the remote site Packet must contain some additional information for that Called a de-multiplexer –There are many options for the tunneling and the de- multiplexer GRE tunneling, L2TP, IPSec And MPLS

14 MPLS VPNs Each PE has an LSP to each other PE –Uses this LSP to reach the destination PE Each packet carries another MPLS label that is used to selected the right VRF –VPN label –Label stacking The VPN label is allocated by the egress PE –Advertised through MP-BGP –Ingress PEs store this label in their VRF together with the destination route Packets are forwarder over the backbone based on the outer label –P routers do not look at the VPN label

15 Complications How about extranets? –A site may belong to multiple VPNs –How do I control which routes does it learn? Use extended communities and import export policies –Each route in the MP-BGP messages is marked with a route target (RT) PEs are configured with import and export policies for these route targets –We can control which PEs will accept advertised routes –A site that belongs to two VPNs will be configured to import routes from both VPNs –Can build hub and spoke and other structures

16 Learning local customer routes Can run any routing protocol between the CE and the PE routes –Many options: BGP, OSPF, RIP –Even static routes –There is only one routing process running on the PE router Logically split into multiple ones One per VRF

17 OSPF between CE and PE There are no OSPF adjacencies between the PEs or between remote sites –Only OSPF adjacencies between a CE and its PE Two sites may belong to the same or different OSPF areas –Including area 0 –Boundary between areas could be on PE, CE, or inside the site If one site originates an OSPF route –This route has to appear on the remote sites –With the proper type The route may be an external route for example –The remote PE will originate the route into the remote site –The type of the route is signaled over MP-BGP

18 More problems Full mesh of MP-iBGP sessions between PEs –Very hard to add a new PE –Poor scalability Use route reflectors (RR) –More than one for redundancy May be inefficient –Advertises VPN routes to PEs that do not need them –They do not have any sites of a given VPN Filter based on route target at the RRs Even better filter at the source PEs

19 And more complexity Carrier of Carriers –ISP with ISP customers –Customers may or may not run MPLS Hierarchical VPNs –ISP with ISP customers that over VPN service Inter-provider VPNs –A customer needs VPN service from two different ISPs –More difficult than above –Routing information needs to be communicated between ISPs Multi-hop eBGP between customer sites

Download ppt "MPLS L3 and L2 VPNs Virtual Private Network –Connect sites of a customer over a public infrastructure Requires: –Isolation of traffic Terminology –PE,"

Similar presentations

Virtual Links: VLANs and Tunneling

Virtual Links: VLANs and Tunneling
MPLS VPN.

MPLS VPN.
Use of BGP and MPLS VPNs: A Case Study

Use of BGP and MPLS VPNs: A Case Study
Identifying MPLS Applications

Identifying MPLS Applications
Release 5.1, Revision 0 Copyright © 2001, Juniper Networks, Inc. Advanced Juniper Networks Routing Module 9: Static Routes & Routing Table Groups.

Release 5.1, Revision 0 Copyright © 2001, Juniper Networks, Inc. Advanced Juniper Networks Routing Module 9: Static Routes & Routing Table Groups.
© 2006 Cisco Systems, Inc. All rights reserved. MPLS v2.24-1 MPLS VPN Technology Introducing the MPLS VPN Routing Model.

© 2006 Cisco Systems, Inc. All rights reserved. MPLS v MPLS VPN Technology Introducing the MPLS VPN Routing Model.
© 2006 Cisco Systems, Inc. All rights reserved. MPLS v2.24-1 MPLS VPN Technology Introducing MPLS VPN Architecture.

© 2006 Cisco Systems, Inc. All rights reserved. MPLS v MPLS VPN Technology Introducing MPLS VPN Architecture.
Deployment of MPLS VPN in Large ISP Networks

Deployment of MPLS VPN in Large ISP Networks
Routing Basics.

Routing Basics.
Internetworking II: MPLS, Security, and Traffic Engineering

Internetworking II: MPLS, Security, and Traffic Engineering
Juniper Networks, Inc. Copyright © 2000 1 L2 MPLS VPNs Hector Avalos Technical Director-Southern Europe

Juniper Networks, Inc. Copyright © L2 MPLS VPNs Hector Avalos Technical Director-Southern Europe
Leading Edge Routing MPLS Enhancements to Support Layer 2 Transport Services Jeremy Brayley

Leading Edge Routing MPLS Enhancements to Support Layer 2 Transport Services Jeremy Brayley
Transitioning to IPv6 April 15,2005 Presented By: Richard Moore PBS Enterprise Technology.

Transitioning to IPv6 April 15,2005 Presented By: Richard Moore PBS Enterprise Technology.
Technical Aspects of Peering Session 4. Overview Peering checklist/requirements Peering step by step Peering arrangements and options Exercises.

Technical Aspects of Peering Session 4. Overview Peering checklist/requirements Peering step by step Peering arrangements and options Exercises.
© 2006 Cisco Systems, Inc. All rights reserved. MPLS v2.2—4-1 MPLS VPN Technology Introducing VPNs.

© 2006 Cisco Systems, Inc. All rights reserved. MPLS v2.2—4-1 MPLS VPN Technology Introducing VPNs.
MPLS-VPN/BGP Approach Hari Rakotoranto Technical Marketing Engineer

MPLS-VPN/BGP Approach Hari Rakotoranto Technical Marketing Engineer
IPv4 and IPv6 Mobility Support Using MPLS and MP-BGP draft-berzin-malis-mpls-mobility-00 Oleg Berzin, Andy Malis {oleg.berzin,

IPv4 and IPv6 Mobility Support Using MPLS and MP-BGP draft-berzin-malis-mpls-mobility-00 Oleg Berzin, Andy Malis {oleg.berzin,
Best Practices for ISPs

Best Practices for ISPs
CS 672 1 Summer 2003 Lecture 14. CS 672 2 Summer 2003 MPLS VPN Architecture MPLS VPN is a collection of sites interconnected over MPLS core network. MPLS.

CS Summer 2003 Lecture 14. CS Summer 2003 MPLS VPN Architecture MPLS VPN is a collection of sites interconnected over MPLS core network. MPLS.
MPLS / VPN Connectivity between VPNs JET 2004/03/15.

MPLS / VPN Connectivity between VPNs JET 2004/03/15.

Similar presentations

Ads by Google