BGP-MPLS VPNs
Olof Hagsand KTH/CSC
Literature
MPLS Advantages
Originally, the motivation was speed and cost.
But routers now do IP lookups in hardware at very high speeds, so that motivation is gone.
Current advantages:
VPNs
L2 networks
Why MPLS?
A BGP-free core. Alternatives: IP in IP, BGP, IGP + MPLS.
Send transit traffic via LSPs (src and dst outside the AS)
But still send internal traffic via IP (src or dst inside the AS)
A BGP-free core
Detection of failure
IGP re-route
Path protection
Local protection
To think about
Switchover latency
Over-reservation
MPLS in JunOS
See http://www.juniper.net/techpubs/software/junos/junos94/swconfig-mpls-apps
Example:
Motivation to VPNs
VPN Architecture 1
Connect hosts to a central server/LAN: a point-to-point tunnel from each host across the Internet to the main LAN.
VPN Architecture 2
Connect several LAN islands to each other across the Internet.
Either guarantee resources, or take the cheap solution: best effort across the Internet.
L2VPN pseudowires
Provider-based VPNs
CE - Customer Edge, PE - Provider Edge, P - Provider core router
Diagram: CE routers attach to PE routers at the provider's edge; the P routers in between form the core and hold no customer routes.
L3VPN
Diagram: provider AS 65100 with PE routers at the edge and P routers in the core. Customer sites attach through CEs; the customer prefixes 192.16.100.0/24, 10.1.1.0/24 and 10.2.1.0/24 each appear at more than one site, in different VPNs, so the provider has to keep identical prefixes apart.
CE to PE routing
Diagram: PEs B, C, F, G in AS 65100; CE I announces 192.16.100.0/24 and CE J announces 10.1.1.0/24. The CE-PE routing protocol is chosen per site: OSPF, static routing, eBGP or RIP.
Overlapping addresses: Route Distinguisher
A VPN-IPv4 address is <route distinguisher>::<IPv4addr>/<prefixlen>
  Route Distinguisher   8 bytes
  IPv4 address          4 bytes
Route Distinguisher layout
  Type/Subtype          2 bytes
  Data                  6 bytes
Type 0:  Type/Subtype (2 bytes) | AS#  (2 bytes)          | Number (4 bytes)
Type 1:  Type/Subtype (2 bytes) | IP#  (IPv4 address, 4 bytes) | Number (2 bytes)
Example:
65100:3::192.16.100.0/24 announced by B
65100:4::192.16.100.0/24 announced by D
Diagram: PEs in AS 65100 with type 0 RDs: B 65100:3, C 65100:4, F 65100:2, G 65100:1. CE I announces 192.16.100.0/24 and CE J announces 10.1.1.0/24, so the same prefix becomes two distinct VPN-IPv4 routes.
Example:
192.30.200.3:1::192.16.100.0/24 announced by B
And you can see which VPN they belong to (1=blue, 2=red)
Diagram: type 1 RDs built from a PE address and a per-VPN number: B 192.30.200.3:1, C 192.30.200.4:2, F 192.30.200.2:2, G 192.30.200.1:1. The resulting VPN-IPv4 routes:
192.30.200.3:1::192.16.100.0/24
192.30.200.4:2::192.168.100.0/24
192.30.200.2:2::10.1.1.0/24
192.30.200.1:1::10.1.1.0/24
Operation
A CE announces a prefix to a PE
Eg 192.168.100.0/24 to B by H
Eg 192.168.100.0/24 to J by E
The PE prepends its RD and announces the VPN-IPv4 route to the other PEs
Eg 192.30.200.3:1::192.168.100.0/24
Diagram: PEs B (RD 192.30.200.3:1), C (RD 192.30.200.4:2), F (RD 192.30.200.2:2), G (RD 192.30.200.1:1) in AS 65100, with customer sites announcing 192.16.100.0/24 and 10.1.1.0/24.
VRF in a PE
Example: A router with two customer instances: VRF1 and VRF2.
Diagram: the virtual side has a VRF table per customer (VRF1, VRF2) next to the main table (VRF_main) and the local BGP table; the physical side is one router. VRF1 holds 192.168.100.0/24 and 10.1.1.0/24, VRF2 holds its own 192.168.100.0/24 (an overlapping address, kept apart by the VRF). On export into the local BGP table the VRF's RD is prepended: 192.168.100.0/24 becomes 192.30.200.3:1::192.168.100.0/24 (RD 192.30.200.3:1); 10.1.1.0/24 carries RD 192.30.200.1:1.
Routing protocol RIBs in Junos:
  inet.0       IPv4 unicast
  inet6.0      IPv6 unicast
  inet.1       IPv4 multicast forwarding cache
  inet.2       unicast routes used for multicast RPF checks
  inet.3       MPLS LSP endpoints, used by BGP to resolve next hops onto LSPs
  bgp.l3vpn.0  VPN-IPv4 routes received from other PEs
  mpls.0       MPLS label-switching table
A VRF gets its own inet.0, named <instance>.inet.0. Example: main.inet.0, __juniper_private1__.inet.0
BGP signaling
The NLRI is <RD>::<prefix> and carries the inner VPN label (eg 23) allocated by the announcing PE.
MPLS Forwarding
A packet with IP dst 10.1.1.23 arrives from the CE at the ingress PE:
  Ingress PE: look up 10.1.1.23 in the VRF. The matching BGP route gives VPN label 23 and the egress PE; the MPLS table gives LSP label 20 towards that PE. Double push: inner VPN label 23, outer LSP label 20.
  P routers: swap the outer LSP label only; the VPN label and the IP header are never looked at.
  Egress PE: pop, and route the IP packet in the VRF selected by VPN label 23.
Diagram: each PE has a local routing table, the VRFs (VRF1, VRF2), the local BGP table and the MPLS table.
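The double push / swap / pop+route sequence above, as an added example that is not part of the slides. It builds the 32-bit MPLS stack entries and runs one packet for 10.1.1.23 through an ingress PE, a P router and an egress PE. The tables (VPN label 23, LSP label 20, a swap to 21, a VRF1 route towards a CE) and the minimal IPv4 header are constructed for the demonstration; the egress also shows the check the RFC 4364 security considerations ask for, dropping labelled packets that arrive on a CE-facing interface.

```python
"""Label-stack handling for one L3VPN packet: double push, swap, pop + VRF route."""
import ipaddress
import struct
from typing import Dict, List, Tuple


def shim(label: int, bottom: bool, ttl: int = 64, tc: int = 0) -> bytes:
    """One 32-bit MPLS stack entry: Label(20) | TC(3) | S(1) | TTL(8)."""
    if not 0 <= label < 1 << 20:
        raise ValueError("label out of range")
    return struct.pack("!I", (label << 12) | (tc << 9) | (int(bottom) << 8) | ttl)


def parse_stack(pkt: bytes) -> Tuple[List[Tuple[int, int]], bytes]:
    """Return [(label, ttl), ...] top first, plus the payload below the bottom entry."""
    entries, off = [], 0
    while off + 4 <= len(pkt):
        (word,) = struct.unpack_from("!I", pkt, off)
        entries.append((word >> 12, word & 0xFF))
        off += 4
        if (word >> 8) & 1:                      # bottom-of-stack bit
            return entries, pkt[off:]
    raise ValueError("no bottom-of-stack entry")


def ipv4_packet(src: str, dst: str) -> bytes:
    """Minimal 20-byte IPv4 header (constructed), enough for a destination lookup."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def lpm(table: Dict[str, object], dst: ipaddress.IPv4Address):
    """Longest-prefix match over a {prefix: value} table."""
    best = max((ipaddress.IPv4Network(p) for p in table if dst in ipaddress.IPv4Network(p)),
               key=lambda n: n.prefixlen, default=None)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return table[str(best)]


# Ingress PE: the VRF route learned via BGP carries the egress PE and its VPN label;
# the MPLS table (inet.3 in Junos) resolves the egress PE to an LSP label. Constructed values.
VRF1 = {"10.1.1.0/24": ("J", 23)}
INET3 = {"J": 20}


def ingress_pe(ip_pkt: bytes) -> bytes:
    dst = ipaddress.IPv4Address(ip_pkt[16:20])
    egress, vpn_label = lpm(VRF1, dst)
    # Double push: outer LSP label (S=0) on top of the inner VPN label (S=1).
    return shim(INET3[egress], False) + shim(vpn_label, True) + ip_pkt


# P router: swaps the outer label only, never inspects the VPN label or the IP header.
P_MPLS0 = {20: 21}


def p_router(pkt: bytes) -> bytes:
    (word,) = struct.unpack_from("!I", pkt, 0)
    label, ttl = word >> 12, word & 0xFF
    if ttl <= 1:
        raise ValueError("MPLS TTL expired")
    swapped = (P_MPLS0[label] << 12) | (word & 0xF00) | (ttl - 1)   # keep TC and S bits
    return struct.pack("!I", swapped) + pkt[4:]


# Egress PE: the LSP label terminates here and the VPN label selects the VRF.
EGRESS_LSP_LABELS = {21}
VPN_LABEL_TO_VRF = {23: "VRF1"}
VRF_TABLES = {"VRF1": {"10.1.1.0/24": "ge-0/0/1 (towards CE E)"}}


def egress_pe(pkt: bytes, from_core: bool = True) -> Tuple[str, str, str]:
    """Return (vrf, destination, outgoing interface) for a labelled packet."""
    if not from_core:
        # RFC 4364 security considerations: never accept labelled packets from a CE-facing
        # interface, or a customer could forge a VPN label and inject into another VRF.
        raise PermissionError("labelled packet on CE-facing interface dropped")
    stack, ip_pkt = parse_stack(pkt)
    labels = [label for label, _ in stack]
    if len(labels) != 2 or labels[0] not in EGRESS_LSP_LABELS:
        raise ValueError(f"unexpected label stack {labels}")
    vrf = VPN_LABEL_TO_VRF[labels[1]]              # pop the VPN label ...
    dst = ipaddress.IPv4Address(ip_pkt[16:20])     # ... and route the IP packet in that VRF
    return vrf, str(dst), lpm(VRF_TABLES[vrf], dst)


def forward(ip_pkt: bytes) -> Tuple[List[List[int]], Tuple[str, str, str]]:
    """Run a packet through ingress PE, P router and egress PE; return the stacks seen."""
    at_ingress = ingress_pe(ip_pkt)
    at_egress = p_router(at_ingress)
    stacks = [[label for label, _ in parse_stack(p)[0]] for p in (at_ingress, at_egress)]
    return stacks, egress_pe(at_egress)


if __name__ == "__main__":
    print(forward(ipv4_packet("192.168.100.7", "10.1.1.23")))
```

The egress decision rests entirely on the VPN label; nothing in the packet authenticates it, so the core must only accept labelled packets from trusted P/PE interfaces, which is what the `from_core` check stands in for.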
Route target
A BGP extended community with the same two encodings as the RD: AS#:number (type 0) or IP#:number (type 1). A VRF attaches its export RTs to the routes it announces and imports the routes that carry at least one of its import RTs. The RD only keeps overlapping prefixes distinct; the RT decides which VRFs a route lands in.
Example:
  PE  RD              RT         prefix
  B   192.30.200.3:1  65100:100  192.16.100.0/24
  C   192.30.200.4:2  65100:3    192.16.100.0/24
  F   192.30.200.2:2  65100:3    10.1.1.0/24
  G   192.30.200.1:1  65100:100  10.1.1.0/24
Each VRF imports and exports the same RT (B and G: import 65100:100, export 65100:100; C and F: import 65100:3, export 65100:3), so B and G form one VPN and C and F another.
Extranets
Hub-and-spoke
Extranet
  PE  RD              import              export
  B   192.30.200.3:1  65100:12, 65100:21  65100:22
  C   192.30.200.4:2  65100:11, 65100:22  65100:12
  F   192.30.200.2:2  65100:12            65100:11
  G   192.30.200.1:1  65100:22            65100:21
Site prefixes in the diagram: 192.16.101.0/24, 192.16.102.0/24, 10.1.1.0/24.
B and G exchange routes (65100:22 / 65100:21), C and F exchange routes (65100:12 / 65100:11), and B and C additionally import each other's exports. The extranet therefore exists only between B and C: F never sees B or G, and G never sees C or F.
Hub-and-spoke VPN
  PE          RD              import     export
  B (spoke)   192.30.200.3:1  65100:200  65100:100
  spoke       192.30.200.4:2  65100:200  65100:100
  G (spoke)   192.30.200.1:1  65100:200  65100:100
  C (hub)     192.30.200.2:2  65100:100  65100:200
Spokes export with 65100:100 and import only 65100:200, so they never learn each other's routes directly. The hub PE C imports the spoke routes (65100:100, the side labelled A in the diagram) and exports the hub's routes with 65100:200; filtering at the hub decides which spoke routes are re-announced back out, and all spoke-to-spoke traffic passes through the hub. Diagram prefixes: 10.1.4.0/24 and 10.1.1.0/24; the PEs exchange the VPN-IPv4 routes over iBGP.
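The three route-target arrangements above (the plain two-VPN case, the extranet and the hub-and-spoke) as an added example; this is not code from the slides. It models VRFs with RD, import and export RT sets, pushes their exports into a shared BGP table and lets each VRF import by RT match, using the RDs and RT values from the diagrams. Site prefixes the diagrams do not pin down (192.16.101.0/24 at B and 192.16.102.0/24 at C in the extranet, the spoke and hub prefixes in hub-and-spoke) and the hub's second RD are assumptions. It also shows the failure mode a practitioner cares about: one extra RT in an import list leaks another customer's routes.

```python
"""Route-target import/export simulation for the L3VPN scenarios on this page."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class VpnRoute:
    rd: str                 # route distinguisher the originating VRF prepended
    prefix: str             # customer prefix (overlaps are legal; the RD keeps them apart)
    rts: FrozenSet[str]     # route-target extended communities attached on export
    pe: str                 # announcing PE (BGP next hop)


@dataclass
class Vrf:
    name: str
    pe: str
    rd: str
    import_rts: FrozenSet[str]
    export_rts: FrozenSet[str]
    local: Tuple[str, ...] = ()   # prefixes learned from the attached CE

    def export(self) -> List[VpnRoute]:
        return [VpnRoute(self.rd, p, self.export_rts, self.pe) for p in self.local]

    def import_from(self, bgp_table: List[VpnRoute]) -> List[Tuple[str, str]]:
        # A route lands in this VRF iff it carries at least one of the VRF's import RTs.
        # Nothing else is checked: the RT configuration *is* the boundary between customers.
        return sorted({(r.pe, r.prefix) for r in bgp_table
                       if r.rd != self.rd and r.rts & self.import_rts})


def run(vrfs: List[Vrf]) -> Dict[str, List[Tuple[str, str]]]:
    """Every VRF exports into one provider BGP table; each then imports what matches."""
    bgp_table = [r for v in vrfs for r in v.export()]
    return {v.name: v.import_from(bgp_table) for v in vrfs}


def rt(*numbers: int) -> FrozenSet[str]:
    return frozenset(f"65100:{n}" for n in numbers)


def full_mesh(leak: bool = False) -> Dict[str, List[Tuple[str, str]]]:
    """Two VPNs: blue = RT 65100:100 (B, G), red = RT 65100:3 (C, F).
    leak=True adds the blue RT to C's import list, the classic misconfiguration."""
    c_import = rt(3, 100) if leak else rt(3)
    return run([
        Vrf("B", "B", "192.30.200.3:1", rt(100), rt(100), ("192.16.100.0/24",)),
        Vrf("C", "C", "192.30.200.4:2", c_import, rt(3), ("192.16.100.0/24",)),
        Vrf("F", "F", "192.30.200.2:2", rt(3), rt(3), ("10.1.1.0/24",)),
        Vrf("G", "G", "192.30.200.1:1", rt(100), rt(100), ("10.1.1.0/24",)),
    ])


def extranet() -> Dict[str, List[Tuple[str, str]]]:
    """The page's extranet: B and C exchange routes across the two VPNs, F and G do not.
    Site prefixes 192.16.101.0/24 at B and 192.16.102.0/24 at C are assumed."""
    return run([
        Vrf("B", "B", "192.30.200.3:1", rt(12, 21), rt(22), ("192.16.101.0/24",)),
        Vrf("C", "C", "192.30.200.4:2", rt(11, 22), rt(12), ("192.16.102.0/24",)),
        Vrf("F", "F", "192.30.200.2:2", rt(12), rt(11), ("10.1.1.0/24",)),
        Vrf("G", "G", "192.30.200.1:1", rt(22), rt(21), ("10.1.1.0/24",)),
    ])


def hub_and_spoke() -> Dict[str, List[Tuple[str, str]]]:
    """Spokes export 65100:100 and import 65100:200. The hub PE C imports the spoke
    routes into one VRF; the hub CE hands them back into a second VRF that exports
    65100:200, so spoke-to-spoke traffic is forced through the hub.
    Spoke prefixes, the hub prefix 10.1.0.0/24 and the hub's first RD are assumed."""
    spokes = [
        Vrf("B", "B", "192.30.200.3:1", rt(200), rt(100), ("10.1.4.0/24",)),
        Vrf("D", "D", "192.30.200.4:2", rt(200), rt(100), ("10.1.2.0/24",)),
        Vrf("G", "G", "192.30.200.1:1", rt(200), rt(100), ("10.1.1.0/24",)),
    ]
    hub_in = Vrf("C-in", "C", "192.30.200.2:1", rt(100), frozenset())
    hub_out = Vrf("C-out", "C", "192.30.200.2:2", frozenset(), rt(200), ("10.1.0.0/24",))
    learned = hub_in.import_from([r for v in spokes for r in v.export()])
    # The hub CE re-announces what it learned into the exporting VRF. This is where a real
    # deployment filters (the slide's "Filtering"), e.g. dropping a spoke's own prefix.
    hub_out.local += tuple(prefix for _, prefix in learned)
    return run(spokes + [hub_in, hub_out])
```

With `leak=True`, C receives two different 10.1.1.0/24 routes (F's and G's) plus B's prefix: the RD keeps them apart in the table, but the customer behind C now has a path into the blue VPN. Auditing import RT lists per VRF is the check that catches this.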
L3VPN Summary
Drawback:
Suppose each customer has its own full BGP routing table (~200K routes): every PE serving that customer must hold all of them in its VRF, and they are all carried as VPN-IPv4 routes in the provider's BGP.
L2VPN pseudo-wire
Pseudo-wires
Diagram: CEs at Site 1, Site 2 and Site 3 attach to PEs; pseudo-wires between the PEs carry the customer's L2 frames across the P core, which runs IP/MPLS.
CE-PE issues
Configuring L2VPN
Identify the L2VPN as <PE loopback>:<vpnid>
Bind VLANs to remote sites using VLAN IDs
Set up encapsulation 'ethernet-vlan'
Use vrf-target
Backbone over IP
STP
LAB backbone
Diagram: backbone routers RTB1-RTB4 and RTC1-RTC4; customer edge (CE) routers RTA2, RTA3, RTD2, RTD3, RTE2, RTE3. The CE-PE links are /30s on VLANs: 10.1.1.0/30 on VLAN 512, 10.1.2.0/30 on VLAN 513 and 10.1.3.0/30 on VLAN 514, with .1 and .2 at the two ends of each link.
LAB Netmap
Diagram: backbone RTB1-RTB4 and RTC1-RTC4; customer routers RTA1-RTA4, RTD1-RTD4 and RTE1-RTE4 are grouped into L2VPN #1, L2VPN #2, L3VPN #3 and L3VPN #4.