BGP MPLS IP VPN - Summary based on RFC 4364
IP VPN Overview
- CE sends routes to PE
- PE employs BGP to exchange the routes of a particular VPN among the PE routers that are attached to that VPN
- Routes from different VPNs remain distinct and separate, even if two VPNs have an overlapping address space
- BGP distributes the VPN route along with MPLS label for that route
- Transport could be an MPLS LSP or IP GRE
- Sites are connected by the backbone.
- The backbone is a private infrastructure built and maintained by service providers. It could span countries.
- Two sites have IP connectivity if some VPN contains both sites
- A site could be part of more than one VPN. Owners of the site: customers
- Backbone network contains PE and P routers. Owned by service providers
- Customers obtain VPN service from service providers
- Two VPN may have overlapping address space
VPN Routing and Forwarding (VRF)
- An AC can be attached to one or more VRFs via config. Simple case: one AC attached to one VRF.
- An AC attached to a VRF is called a VRF attachment circuit
- AC not associated with any VRF -> default forwarding table [public routes]
- AC associated with VRF -> VRF table [private routes]
- Communication (via PE routers) is prevented between any pair of VPN sites that have no VPN in common
Controlling Route Distribution
(Diagram of route distribution between PE1 and PE2 not reproduced; only the column headings PE1 and PE2 survived.)
VPN-IPv4 Address Family
- PE routers use BGP to distribute VPN routes to each other using VPN-IPv4 address family
- Each VPN has its own address space, which means that a given address may denote different systems in different VPNs
IP VPN Label Allocation
| Method | Egress PE |
|---|---|
| Label Per VRF | IP destination looked up in the VRF routing table to find the egress AC (attachment circuit) |
| Label Per AC | Route the packet based on label lookup. ARP lookup needed for datalink encapsulation |
| Label Per Route | Route the packet based on label lookup. Flexible in case the egress AC changes (no new label needed for the route) |
Route Distribution Among PEs by BGP
- PE1 learns site route R
- PE1 advertises the VPN-IPv4 route to PE2 via BGP.
  - Uses its own address as next hop
  - Assigns a label to route R
- PE2 installs route R in its VRF
- PE2 receives a packet for remote destination R.
  - Identify the VRF using the incoming AC and look up the destination IP
  - Encapsulate the IP packet with the transport MPLS label and the VPN route label
  - Forward to PE1
- At PE1:
  - Remove the transport MPLS label
  - Identify the VRF using the VPN label and remove the VPN label
  - Look up the IP destination in the VRF and forward to the egress AC
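The distribution-and-forwarding sequence above, as an added Python model that is not part of the original post or of RFC 4364: PE names, attachment-circuit names, the prefix and all label values are constructed, and label-per-VRF allocation is assumed. It shows the ingress PE pushing the VPN label under the transport label and the egress PE using the VPN label to select the VRF.

```python
import ipaddress

# Constructed topology (not the RFC's own example): site route 10.1.1.0/24 is
# behind PE1 on AC "ac-red-1"; PE2 reaches it via VRF "red". Labels are arbitrary.
class PE:
    def __init__(self, name):
        self.name = name
        self.vrfs = {}        # vrf -> {network: entry}
        self.ac_to_vrf = {}   # incoming AC -> vrf
        self.vpn_labels = {}  # VPN label advertised by this PE -> vrf (label per VRF)

    def add_vrf(self, vrf, ac, vpn_label):
        self.vrfs[vrf], self.ac_to_vrf[ac], self.vpn_labels[vpn_label] = {}, vrf, vrf

    def advertise(self, vrf, prefix, egress_ac):
        """PE1 learns site route R, keeps it in the VRF and announces it via BGP."""
        self.vrfs[vrf][ipaddress.ip_network(prefix)] = ("ac", egress_ac)
        label = next(l for l, v in self.vpn_labels.items() if v == vrf)
        return {"prefix": prefix, "nexthop": self.name, "vpn_label": label}

    def install(self, vrf, advert):
        """PE2 installs the remote VPN route (next hop PE1 + VPN label) in its VRF."""
        self.vrfs[vrf][ipaddress.ip_network(advert["prefix"])] = ("pe", advert["nexthop"], advert["vpn_label"])

    def lookup(self, vrf, dst):
        """Longest-prefix match of dst in the VRF table; None if no route."""
        hits = [n for n in self.vrfs[vrf] if ipaddress.ip_address(dst) in n]
        return self.vrfs[vrf][max(hits, key=lambda n: n.prefixlen)] if hits else None

    def ingress(self, in_ac, dst, transport):
        """Ingress PE: VRF from incoming AC, lookup, push VPN label then transport label."""
        entry = self.lookup(self.ac_to_vrf[in_ac], dst)
        if entry is None or entry[0] != "pe":
            return None                       # no VPN route for this destination
        _, nexthop, vpn_label = entry
        return [transport[nexthop], vpn_label, dst]   # outer (transport) label first

    def egress(self, packet):
        """Egress PE: pop transport label, pick VRF by VPN label, pop it, forward to AC."""
        _transport_label, vpn_label, dst = packet
        entry = self.lookup(self.vpn_labels[vpn_label], dst)
        return entry[1] if entry and entry[0] == "ac" else None

def forward_example():
    pe1, pe2 = PE("PE1"), PE("PE2")
    pe1.add_vrf("red", "ac-red-1", vpn_label=100)
    pe2.add_vrf("red", "ac-red-2", vpn_label=200)
    pe2.install("red", pe1.advertise("red", "10.1.1.0/24", "ac-red-1"))
    packet = pe2.ingress("ac-red-2", "10.1.1.7", transport={"PE1": 3001})
    return packet, pe1.egress(packet)
```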
Route Target (RT) Attribute
- Route Target is a BGP attribute associated with a VPN route
- A VPN-IPv4 route is associated with one or more RTs
- Export Targets: routes received from site S are tagged with the RTs configured in the VRF
- Import Targets: determine whether a route received from a PE is accepted into the VRF or not
Mesh VPN Vs Hub and Spoke VPN
RD vs RT
| Route Distinguisher | Route Target |
|---|---|
| Uniquely identifies routes within a VPN | Controls the import and export of routes between VPNs |
| Ensures that routes from different VPNs with overlapping IP addresses remain distinct within the MPLS network | Determines which routes should be imported or exported into a specific VPN based on matching RT values |
| VPN-IPv4 NLRI | Extended community |
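An added Python example (not from the original post or the RFC) of the two mechanisms compared above: the RD keeps two overlapping VPN-IPv4 routes distinct, while Export and Import Targets decide which VRF installs each one. The AS number 65000, the RD and RT values, the VRF names and the prefix are all constructed.

```python
import ipaddress
import struct

# Constructed example (not from the RFC): VPNs "red" and "blue" both use
# 10.1.1.0/24 at their sites. The RD keeps the two VPN-IPv4 routes distinct;
# the RT extended community decides which VRFs import each route.

def make_rd(asn, assigned):
    """Type 0 Route Distinguisher: 2-byte type, 2-byte ASN, 4-byte assigned number."""
    return struct.pack("!HHI", 0, asn, assigned)

def vpn_ipv4_address(rd, prefix):
    """12-byte VPN-IPv4 address: 8-byte RD followed by the 4-byte IPv4 prefix."""
    return rd + ipaddress.ip_network(prefix).network_address.packed

def route_target(asn, value):
    """Two-octet-AS-specific Route Target extended community (type 0x00, subtype 0x02)."""
    return struct.pack("!BBHI", 0x00, 0x02, asn, value)

class VRF:
    def __init__(self, name, import_targets, export_targets):
        self.name, self.routes = name, {}   # routes: prefix -> RD of the origin
        self.import_targets, self.export_targets = set(import_targets), set(export_targets)

    def export_route(self, rd, prefix):
        """Route learned from an attached site: tag it with the VRF's Export Targets."""
        return {"addr": vpn_ipv4_address(rd, prefix), "rd": rd,
                "prefix": prefix, "rts": set(self.export_targets)}

    def maybe_import(self, advert):
        """Import Targets: accept the route only if at least one RT matches."""
        if self.import_targets & advert["rts"]:
            self.routes[advert["prefix"]] = advert["rd"]
            return True
        return False

def run_distribution():
    rt_red, rt_blue = route_target(65000, 100), route_target(65000, 200)
    pe1_red, pe1_blue = VRF("red", [rt_red], [rt_red]), VRF("blue", [rt_blue], [rt_blue])
    adverts = [pe1_red.export_route(make_rd(65000, 1), "10.1.1.0/24"),
               pe1_blue.export_route(make_rd(65000, 2), "10.1.1.0/24")]
    pe2_red, pe2_blue = VRF("red", [rt_red], [rt_red]), VRF("blue", [rt_blue], [rt_blue])
    for a in adverts:                      # PE2 applies import policy to each update
        pe2_red.maybe_import(a)
        pe2_blue.maybe_import(a)
    distinct = adverts[0]["addr"] != adverts[1]["addr"]
    return distinct, pe2_red.routes, pe2_blue.routes
```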
How PEs Learn Routes from CEs
How CEs Learn Routes from PEs
- PE distributes a default route to the CE, OR
- CE can simply be configured with a default route pointing to the PE, OR
- PE distributes VRF routes to the CE. If the site of origin matches the CE's site, that route should not be distributed to the CE.
Site of Origin
This attribute is needed in some cases to ensure that a route learned from a particular site via a particular PE/CE connection is not distributed back to the site through a different PE/CE connection.
Multi-AS backbone
Option 1: VRF-to-VRF connections at the ASBR. PE1 and PE2 are ASBRs with eBGP
- PE1 and PE2 have multiple sub-interfaces (one per VPN)
- PE1 treats PE2 as a CE; PE2 treats PE1 as a CE
- Each PE distributes routes via eBGP as unlabeled routes
Option 2: eBGP VPN-IPv4 route from AS to AS
- PE1 and PE2 are ASBRs with eBGP
- PE1 and PE2 are connected by a single interface
- The PEs treat each other as another PE in the backbone
- Each PE distributes routes via eBGP as VPN-IPv4 labeled routes
Option 3: eBGP multihop VPN-IPv4 route
- ASBR PEs do not need to maintain and distribute VPN-IPv4 routes
- PE1 maintains a list of /32 PE routes in AS 100; PE2 maintains a list of /32 PE routes in AS 200
- Both distribute these routes to each other
- PE3 and PE4 are in different ASes; they form an eBGP multihop peering
- PE3 and PE4 distribute routes via eBGP as VPN-IPv4 labeled routes
- PE3 to PE4 has a multi-AS MPLS LSP for transport
Accessing the Internet from a VPN
Using Non-VRF interface
- Some site in the VPN gets internet access via an internet gateway attached to a non-VRF interface.
- The PE router uses the default forwarding table to route internet traffic
- The site with internet access distributes a default route to its connected PE
- That PE in turn distributes the route to other PEs, so that other sites can reach the internet.
- No route leak between the VRF and the default forwarding table is needed.
Using VRF interface
- The site accesses the internet via a VRF interface.
- The PE searches for the IP destination first in the VRF forwarding table; if there is no match, it searches the default forwarding table.
- If a match is found in the default forwarding table, the packet is forwarded to the internet.
- Some of the VRF routes need to be exported to the internet forwarding table
What Next ?
- Read the RFC
- Learn practical configuration example
- Learn the practical VPN design