The necessary knowledge about MPLS-VPN.

images
Cisco News
The necessary knowledge about MPLS-VPN.

As the rapid development of technology, MPLS-VPN is a vital part of Networking. SPOTO is committed to technology and various Cisco certification. The following is some important points of the MPLS.

Session 1 VPN classification

The VPN concept is very broad, and one sentence is summarized as a technique for transmitting private data using public network lines.

First, the traditional VPN classification:

1. Overlay VPN: You can use the private IP address defined by RFC1918, and duplicate IP addresses can be used between sites. ISP does not participate.

2, peer to peer VPN: cannot use the same IP address space, need to establish a route between the ISP and the customer

An overlay is divided into L2 layer and L3 layer, and peer-to-peer itself is the L3 layer.

The VPNL2 layer has frame-relay, ATM, x.25, etc., and the L3 layer represents GRE, IPSec, and the like.

L2 layer VPN: requires routing entries for the user site in the ISP route.

L3 layer VPN: ISP is transparent, all encapsulation and encryption are completed at both ends of the user, and the ISP does not need any configuration. Because the internet itself uses the IP protocol to transmit data, the IP layer VPN does not require isp to do the L2 layer encapsulation technology.

Disadvantages of traditional VPN: the high cost of L2 layer, the high difficulty of service quality, unstable L3 layer, VPN must be on the same network segment, and service quality is difficult

Session 2 MPLS-VPN

First, MPLS-VPN

  MPLS-VPN is based on the BGP protocol and is a 2.5layer technology. The difference between the VPN of the MPLS and the traditional VPN is that the shortcomings of the above-mentioned VPN can be solved, and the transmission rate of the MPLS is greatly improved, and the maintenance is simple.

1. MPLS-VPN uses the virtual routing table to implement a VPN. It is summarized that the same (virtual) routing table is shared by the sites in the same VPN, and is classified into the same VPN. Similar to the concept of VLAN, each VPN is equivalent to a VLAN.

2. The ISP border device in the MPLS-VPN becomes the PE router, the ISP internal router becomes the P router, and the user border device becomes the CE router.

Second, VRF

1. VRF: VPN routing forwarding table, virtualize multIPle VRF routers, and divide the physical interface into these VRF virtual routers to provide MPLS-VPN. Each VRF table is a VRF virtual router, which is equivalent to a customer site. Collection.

2. routing context: VRF this virtual routing table must also be associated with the physical routing table (VPN target network, next hop address, etc., through the BGP address family to associate the VRF with the route) to complete the routing address, Explain here, that is to say, this PE router runs MPLS-VPN, there are multIPle VPNs (VRF tables), why is it necessary to associate VRF with real routes? Because your PE router runs MPLS-VPN, it is now MPLS-VPN that is addressed by the VRF, rather than the physical routing table. Therefore, when some routing protocols declare the network, they must go to the VRF. Go, and declare these routes (through the BGP address family) to the VRFs of these VPNs (because the interface running the routing protocol has been assigned to the VRF, it is not a physical interface, and it cannot be declared in the physical route. )) Otherwise, this VPN does not know how to go, but the physical route only needs to ensure the connectivity of the isp network. You don't need to know how the VPN network goes.

In a routing process, you can have both VRF announcements and associated routing protocols BGP-4, RIPV2.

In OSPF, only one OSPF process can be advertised and associated with a VRF. That is, IP OSPF 1 can only be used by one VRF to announce an associate.

3. The routing entries received by each VRF virtual router from its own interface (divided from the physical interface of the real router) will be placed in the VRF routing table to which it belongs, which means that the VRFA virtual router will not receive it. The route is placed in the VRF virtual routing table of the VRFB virtual router to implement isolation between different VRF tables, so that different VRF routes (VPNs) can use the same IP address.

4. The announcement and association of the above VRF complete the collection of routes and the creation of a VRF routing table. Now we need VRF to pass the data out. At this time, we need to use BGP multi-protocol version MP-BGP. Why use MP-BGP? As shown in the figure:

MP-BGP can only let the PE routers at both ends of the ISP know the customer network, and the central P router does not need to know the customer's route. It is necessary to ensure the internal interworking of the isp (using IGP, usually ISIS).

Third, RD, RT, SOO

1, RD route Distinguishers route specifier (64bit)

       The VRF distinguishes the overlapping address spaces and identifies the IP address entries in different VRFs. The PE identifies which VRF (customer) these same IP addresses are from based on the RD. For example, PE connects two customer sites: site1 and site2. There are 192.168.1.0/24 networks in the VPN network of two different clients. How to distinguish the 192.168.1.0/24 IP addresses of these two clients requires RD. To make an identity, so that the PE router can distinguish which VRF (client) the current address of 192.168.1.0/24 is.

Therefore, the MPLS VPNV4 routing entry is: RD+IPv4 is 64+32=96bit, and only BGP can carry such a large routing entry.

RD is used in VRF, a VRF RD identifier (a customer RD identifier), and only valid for local PE!

RD is placed in the routing entry, the format is "AS number: any number", such as 1:1, 100:1, 2:2

2. RT, route target routing target: set into two directions

 Divided into import inbound direction: what kind of route this VRF receives.

 And explore outbound: the label that is redistributed from this VRF to the route in MP-BGP.

That is to say, the import inbound label of the receiving PE should be consistent with the explore outgoing label of the sending PE to ensure that the VRF to which the VPN route belongs is consistent. Figure:

     The route in the VRF is expressed as RD:IP: RT. As shown in the figure, the two client VPNs connected to the left PE are 1.0 and 2.0 respectively. Suppose the RD is set to 1.0 for 1:1 and 3.0 for 2:2. RT export settings. The 1.0 network corresponds to 1:1 and the 3.0 network corresponds to 2:2. Then, in the PE router, the routing entries of the two clients 1.0 and 3.0 are represented as 1:1 192.168.1.0 1:1 and 2:2 192.168.3.0 2:2, and the RT import of the peer PE is set to 1:1. Network, and 2:2 corresponds to the 4.0 network, then when the right PE receives the RT export 1:1 route, it knows to share a VRF routing table with the 2.0 network, and the RT export is 2:2 and 4.0. The network shares a VRF routing table. Thus, customer A's 1.0 and 2.0 form a VPN, and customer B's 3.0 and 4.0 form a VPN. Of course, between the P router and the PE router, IGP and MPLS_IP are required to ensure real-route interworking. (RD is a local attribute, there is no meaning here)

  Each VRF has two directions, import, and export. The receiving PE uses the value of the export carried by the received MPLS-VPN route to match the value of the import set in its own VRF to determine which received route should be placed. VRF virtual routing table.

RT is placed inside the BGP extension properties, not (like RD) in routing entries.

3. SOO, site of Origin site origin attribute

Session 3 MPLS-VPN implementation process

First, the control plan layer routing process

 For example, the PE router and the CE router use the IGP protocol. The PE redistributes the CE and 1.0 network routes of the CE into its own MP-iBGP (the redistributed routes are distinguished by RD), and then establishes the PE and P. The BGP network forms a route, and then reaches the peer PE according to the RD of the different VPNV4 routes. Because the peer PE also has the IGP route of the redistributed CE, the routing of the control plane is reached.

Second, the data plan

 Assume that PE1 is on the left and PE2 on the right. When data from the 1.0 network wants to go to the 2.0 network, use the data plan to forward.

 First, the PE router will judge whether to find the VRF according to the port that receives the data (the port connecting the CE client has been assigned to the VRF), and when the data is found from the VRF interface, it is selected according to the RD to select which VRF-LFIB information of the VRF. The library to forward data. At this time, the routing entries (1.0 network, 3.0 network) of the CE that are redistributed to the BGP routes of the PE routers are marked with a layered label, and then the MPLS label information sent by the LDP neighbors (the other PE) will go to the neighbors. The BGP physical route of the PE is tagged. This tag is sent by PE2 to PE1 to tell PE1 which tag and next hop address to use on PE2. This tag is on the upper layer of the redistributed route label and then passed through BGP. Go to the peer PE, and then perform the second-to-last hop pop-up to pop the BGP label of the physical route. When the peer PE receives the data, there is only one IGP route label redistributed into the BGP route, and then there is MPLS running. According to this label, it can be determined which VRF table the data packet looks for, thereby determining which interface to forward from, and completing the data layer transmission.

Simply put Label 1: All routes that are redistributed into BGP have a

         Label 2: The label of the MPLS-IP network (ordinary MPLS running on BGP) itself, on the upper layer of label 1.

After the LDP neighbor, PE is reached, the MPLS will pop the top label 2 and set the bottom stack of the lower label 1 to 1, indicating that it is the bottommost label of the label stack, and the bottom label is the PE. Determine which VRF tag to look for, so MPLS-VPN uses a 2-layer tag.




Cisco Pass Report View More >

CCIE RS Written
Oct 20, 2019
CCIE RS Written
CCIE Data Center Written
Oct 19, 2019
CCIE Data Center Written
CCIE Security Written
Oct 19, 2019
CCIE Security Written
CCIE Security Written
Oct 19, 2019
CCIE Security Written
CCIE Security Written
Oct 19, 2019
CCIE Security Written
CCIE RS Written
Oct 19, 2019
CCIE RS Written
CCIE Security Written
Oct 18, 2019
CCIE Security Written
CCIE Security Written
Oct 18, 2019
CCIE Security Written
CCIE Security Written
Oct 18, 2019
CCIE Security Written
CCIE RS Written
Oct 18, 2019
CCIE RS Written