MPLS Implementation MPLS VPN

Describing MPLS VPN Technology

© 2006 Cisco Systems, Inc. All rights reserved.

Objectives

- Describe VPN implementation models.
- Compare and contrast overlay VPN models.
- Describe the benefits and disadvantages of the overlay VPN implementation model.
- Describe the benefits and disadvantages of the peer-to-peer VPN implementation model.
- Describe the features of the MPLS VPN architecture.
- Describe routing in the MPLS VPN architecture.


VPN Taxonomy

- Overlay VPNs: service providers provide virtual point-to-point links.
- Peer-to-peer VPNs: service providers participate in the customer routing.

VPN Terminology

(Figure: customer sites, a large customer site, and the service provider network.)

- Provider Network (P-network): the service provider infrastructure used to provide VPN services.
- Customer Network (C-network): the part of the network still under customer control.
- Customer Site: a contiguous part of the customer network (can encompass many physical locations).

VPN Terminology (Cont.)

(Figure: customer site, large customer site, service provider network.)

- Provider Edge (PE) device: the device in the P-network to which the CE devices are connected.
- Provider core (P) device: the device in the P-network with no customer connectivity.
- Customer Edge (CE) device: the device in the C-network with a link into the P-network. Also called Customer Premises Equipment (CPE).

Overlay VPNs

- Layer 1 overlay VPN: mentioned for historical reasons only.
- Layer 2 overlay VPN: traditional switched WAN. Implemented with X.25, Frame Relay, ATM and SMDS. The SP is responsible for transport of Layer 2 frames; the customer is responsible for all higher layers.
- Layer 3 overlay VPN: the SP network is invisible to customer routers. Uses IP tunneling. The SP provides point-to-point data transport between customer sites.

Layer 2 Overlay VPN Using Frame Relay

(Figure only.)

Layer 3 Overlay VPNs

(Figure: Router A, Router B, Router C and Router D connected across the service provider infrastructure.)

- The service provider infrastructure appears as point-to-point links to customer routers.
- Routing protocols run directly between customer routers.
- The service provider does not see customer routes and is responsible only for providing point-to-point transport of customer data.

Peer-to-Peer VPNs

(Figure only.)

Benefits and Disadvantages of the Overlay VPN Implementation Model

- Benefits:
  - Well-known and easy to implement.
  - Service provider does not participate in customer routing.
  - Customer network and service provider network are well isolated.
- Disadvantages:
  - Implementing optimum routing requires a full mesh of VCs.
  - VCs have to be provisioned manually.
  - Bandwidth must be provisioned on a site-to-site basis.
  - Overlay VPNs always incur encapsulation overhead (IPsec or GRE).

Benefits and Disadvantages of the Peer-to-Peer VPN Implementation Model

- Benefits:
  - Guarantees optimum routing between customer sites.
  - Easier to provision an additional VPN.
  - Only sites are provisioned, not links between them.
- Disadvantages:
  - The service provider participates in customer routing.
  - The service provider becomes responsible for customer convergence.
  - PE routers carry all routes from all customers.
  - The service provider needs detailed IP routing knowledge.

Non-SP Related Drawbacks of Peer-to-Peer VPNs

- Shared PE router:
  - All customers share the same (provider-assigned or public) address space.
  - High maintenance costs are associated with packet filters.
  - Performance is lower: each packet has to pass a packet filter.
- Dedicated PE router:
  - All customers share the same address space.
  - Each customer requires a dedicated router at each POP.

MPLS VPN Architecture

- An MPLS VPN combines the best features of the overlay and peer-to-peer VPN models:
  - PE routers participate in customer routing, guaranteeing optimum routing between sites and easy provisioning.
  - PE routers carry a separate set of routes for each customer (similar to the dedicated PE router approach).
  - Customers can use overlapping addresses.

MPLS VPN Architecture (Cont.)

(Figure only.)

PE Router Architecture

(Figure only.)

Propagation of Routing Information Across the P-Network

(Figure only.)

Routing Information Propagation Across the P-Network

(Figure: Customer A, Customer B and Customer C sites attached to PE-Router-X and PE-Router-Y through a P-router, with a separate IGP for Customer A, Customer B and Customer C running across the P-network.)

Q: How will PE routers exchange customer routing information?
A1: Run a dedicated IGP for each customer across the P-network.

Wrong answer:
- The solution does not scale.
- P routers carry all customer routes.

Routing Information Propagation Across the P-Network (Cont.)

(Figure: a dedicated routing protocol used to carry customer routes across the P-network between PE-Router-X and PE-Router-Y.)

Q: How will PE routers exchange customer routing information?
A2: Run a single routing protocol that will carry all customer routes inside the provider backbone.

Better answer, but still not good enough:
- P routers carry all customer routes.

Routing Information Propagation Across the P-Network (Cont.)

(Figure: a dedicated routing protocol used to carry customer routes between PE routers only; the P-router is not involved.)

Q: How will PE routers exchange customer routing information?
A3: Run a single routing protocol that will carry all customer routes between PE routers. Use MPLS labels to exchange packets between PE routers.

The best answer:
- P routers do not carry customer routes; the solution is scalable.

Routing Information Propagation Across the P-Network (Cont.)

(Figure: a dedicated routing protocol used to carry customer routes between PE routers.)

Q: Which protocol can be used to carry customer routes between PE routers?
A: The number of customer routes can be very large. BGP is the only routing protocol that can scale to a very large number of routes.

Conclusion: BGP is used to exchange customer routes directly between PE routers.

Propagation of Routing Information Across the P-Network

- The number of customer routes can be very large.
- BGP is the only routing protocol that can scale to such a number.
- BGP is used to exchange customer routes directly between PE routers.

Route Distinguishers

Question: How will information about the overlapping subnetworks of two customers be propagated via a single routing protocol?

Answer: Extend the customer addresses to make them unique.
- The 64-bit RD is prepended to an IPv4 address to make the address globally unique.
- The resulting address is a VPNv4 address.
- VPNv4 addresses are exchanged between PE routers via BGP.
- BGP that supports address families other than IPv4 addresses is called multiprotocol BGP (MP-BGP).

Distinguishing Routes: Steps 1, 2, and 3

(Figure only.)

Distinguishing Routes: Steps 4 and 5

(Figure only.)

Using RDs in an MPLS VPN

- The RD has no special meaning.
- The RD is used only to make potentially overlapping IPv4 addresses globally unique.
- This design cannot support all topologies that are required by the customer.

VoIP Service on an MPLS VPN

- Requirements:
  - All sites of one customer need to communicate.
  - Central sites of both customers need to communicate with VoIP gateways and other central sites.
  - Other sites from different customers do not communicate with each other.

Connectivity Requirements for VoIP Service

(Figure only.)

All rights reserved.  RTs are additional attributes that attach to VPNv4 BGP routes to indicate VPN membership. © 2006 Cisco Systems.  RTs were introduced in the MPLS VPN architecture to support complex VPN topologies. .  The RD cannot identify participation in more than one VPN.Route Targets VPN 2 VPN 1 Site 2 Site 1 Site 4 Site 5 Site 3 VPN 3  Some sites participate in more than one VPN. Inc.

How Do RTs Work?

- Export RTs:
  - Identify VPN membership.
  - Are appended to the customer route when the route is converted into a VPNv4 route.
- Import RTs:
  - Are associated with each virtual routing table.
  - Select the routes inserted into the virtual routing table.
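The following Python model is an added example and is not code from the Cisco material. It ties together the route distinguisher slides (the 64-bit RD prepended to a 32-bit IPv4 address gives a 96-bit VPNv4 address) and the route target slides (export RTs are attached when a route becomes VPNv4; import RTs select what each VRF accepts), using the VoIP-service topology described above: two customers, each with a central site and a branch, plus a shared VoIP gateway. The VRF names, RD values, RT values and prefixes are constructed; the two branch sites deliberately use the same 10.2.0.0/24 so that the RD and RT roles are visible separately (the RD keeps both copies apart in the one MP-BGP table, the RT keeps each out of the other customer's VRF).

```python
"""Toy model of how an MPLS VPN keeps customer routes apart.

Added example, not code from the Cisco material.  VRF names, RDs, RTs and
prefixes are constructed to match the VoIP-service topology on this page.
RT values used: 100:10 = customer A, 100:20 = customer B, 100:30 = VoIP VPN."""
import ipaddress
import struct
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List


def rd_to_bytes(rd: str) -> bytes:
    """Type 0 RD 'ASN:assigned' in its 8-byte (64-bit) wire form:
    2-byte type field (0), 2-byte ASN, 4-byte assigned number."""
    asn, assigned = (int(part) for part in rd.split(":"))
    return struct.pack("!HHI", 0, asn, assigned)


def vpnv4_address(rd: str, prefix: str) -> bytes:
    """Prepend the 64-bit RD to the 32-bit IPv4 network address: a 96-bit VPNv4 address."""
    network = ipaddress.ip_network(prefix)
    return rd_to_bytes(rd) + network.network_address.packed


@dataclass(frozen=True)
class Vpnv4Route:
    rd: str
    prefix: str
    export_rts: FrozenSet[str]      # RT extended communities attached on export

    @property
    def key(self) -> bytes:
        """What makes the route unique in the MP-BGP table: RD + prefix, not the prefix alone."""
        return vpnv4_address(self.rd, self.prefix)


@dataclass
class Vrf:
    name: str
    rd: str
    export_rts: FrozenSet[str]
    import_rts: FrozenSet[str]
    local_prefixes: List[str]                            # learned from the site's CE router
    table: Dict[str, str] = field(default_factory=dict)  # prefix -> RD it was learned under

    def export(self) -> List[Vpnv4Route]:
        """Turn the VRF's own routes into VPNv4 routes carrying the export RTs."""
        return [Vpnv4Route(self.rd, p, self.export_rts) for p in self.local_prefixes]

    def import_from(self, bgp_table: List[Vpnv4Route]) -> None:
        """Install a VPNv4 route only if at least one of its RTs is in the import set."""
        for p in self.local_prefixes:
            self.table[p] = self.rd
        for route in bgp_table:
            if route.rd == self.rd:
                continue                                 # our own routes, already present
            if route.export_rts & self.import_rts:
                self.table[route.prefix] = route.rd


def build_voip_topology():
    """Two customers with overlapping branch addressing plus a VoIP gateway VPN (constructed)."""
    cust_a, cust_b, voip = "100:10", "100:20", "100:30"
    vrfs = [
        Vrf("A1", "100:1", frozenset({cust_a, voip}), frozenset({cust_a, voip}), ["10.1.0.0/24"]),
        Vrf("A2", "100:2", frozenset({cust_a}), frozenset({cust_a}), ["10.2.0.0/24"]),
        Vrf("B1", "100:11", frozenset({cust_b, voip}), frozenset({cust_b, voip}), ["10.11.0.0/24"]),
        Vrf("B2", "100:12", frozenset({cust_b}), frozenset({cust_b}), ["10.2.0.0/24"]),  # overlaps A2
        Vrf("GW", "100:99", frozenset({voip}), frozenset({voip}), ["172.16.99.0/24"]),
    ]
    bgp_table = [route for vrf in vrfs for route in vrf.export()]   # one shared MP-BGP table
    for vrf in vrfs:
        vrf.import_from(bgp_table)
    return bgp_table, {vrf.name: dict(vrf.table) for vrf in vrfs}


if __name__ == "__main__":
    table, vrf_tables = build_voip_topology()
    for route in table:
        print(route.key.hex(), route.prefix, sorted(route.export_rts))
    for name, entries in vrf_tables.items():
        print(name, entries)
```

Running it shows five distinct VPNv4 keys even though two of the IPv4 prefixes are identical, and that the branch VRFs (A2, B2) never see each other's 10.2.0.0/24 while the gateway VRF sees only the two central sites. The VPN label that travels with each VPNv4 route is left out here; it is covered later in the label propagation slides.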

MPLS VPN Routing Criteria

- Designers imposed these criteria on MPLS VPNs:
  - CE routers can only run standard IP routing software.
  - P routers have no VPN routes.
  - Only PE routers need to support MPLS VPN services and Internet routing.

MPLS VPN Routing: CE Router Perspective

- The CE routers run standard IP routing software and exchange routing updates with the PE router.
- The PE router appears as another router in the C-network.

PE-CE Routing Protocols

- PE-CE routing protocols are configured for individual VRFs.
- Routing configuration on the CE router has no VRF information.
- Supported protocols include BGP, OSPF, RIP, EIGRP, and static.

MPLS VPN Routing: Overall Customer Perspective

- To the customer, the PE routers appear as core routers that are connected via a BGP backbone.
- The P routers are hidden from the customer.
- The usual BGP and IGP design rules apply.

MPLS VPN Routing: P Router Perspective

- P routers perform as follows:
  - Do not participate in MPLS VPN routing and do not carry VPN routes.
  - Run the backbone IGP with the PE routers and exchange information about global subnetworks (core links and loopbacks).

MPLS VPN Routing: PE Router Perspective

- PE routers exchange the following:
  - VPN routes with CE routers via per-VPN routing protocols.
  - Core routes with P routers and PE routers via the core IGP.
  - VPNv4 routes with other PE routers via MP-BGP sessions.

End-to-End Routing Information Flow

(Figure only.)

VPN Label Propagation

(Figure: CE-router, Ingress-PE, P-router, P-router, Egress-PE, CE-router across the MPLS VPN backbone.)

Q: How will the ingress PE router get the second label in the label stack from the egress PE router?
A: Labels are propagated in MP-BGP VPNv4 routing updates.

VPN Label Propagation (Cont.)

Step #1: A VPN label is assigned to every VPN route by the egress PE router.

  Egress-PE#show tag-switching forwarding vrf SiteA2
  Local  Outgoing    Prefix             Bytes tag  Outgoing   Next Hop
  tag    tag or VC   or Tunnel Id       switched   interface
  26     Aggregate   150.1.31.36/30[V]  0
  37     Untagged    203.1.2.1/32[V]    0          Se1/0.20   point2point
  38     Untagged    203.1.20.0/24[V]   0          Se1/0.20   point2point

VPN Label Propagation (Cont.)

Step #2: The VPN label is advertised to all other PE routers in an MP-BGP update.

  Ingress-PE#show ip bgp vpnv4 all tags
     Network          Next Hop        In tag/Out tag
  Route Distinguisher: 100:1 (vrf1)
     12.0.0.0         10.20.0.60      26/notag
     10.0.0.0         10.20.0.60      26/notag
     203.1.20.0       10.15.1.15      notag/38

VPN Label Propagation (Cont.)

Step #3: The label stack is built in the virtual forwarding table.

  Ingress-PE#show ip cef vrf Vrf1 203.1.20.0 detail
  203.1.20.0/24, version 57, cached adjacency to Serial1/0.2
  0 packets, 0 bytes
    tag information set
      local tag: VPN-route-head
      fast tag rewrite with Se1/0.2, point2point, tags imposed: {26 38}
    via 192.168.3.103, 0 dependencies, recursive
      next hop 192.168.3.103, Serial1/0.2 via 192.168.3.103/32
      valid cached adjacency
      tag rewrite with Se1/0.2, point2point, tags imposed: {26 38}
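The following Python walk-through is an added example and is not code from the Cisco material. It encodes the MPLS label stack the ingress PE imposes ("tags imposed: {26 38}" above, with 26 taken as the outer transport label and 38 as the VPN label the egress PE advertised in the MP-BGP update), then follows the packet through two core routers to the egress PE. Everything beyond those two labels and the egress VRF name is constructed: the swapped label 41, the penultimate-hop pop, the LFIB contents and the payload bytes. The point it shows is the one the P router slides make: the core routers only ever touch the top label and never need the VPN route.

```python
"""MPLS label stack encoding and a two-label VPN forwarding walk-through.

Added example, not code from the Cisco material.  The stack {26 38} and the
egress VRF/interface follow the page's show output; the core LFIB entries
(label 41, the penultimate-hop pop) and the payload bytes are constructed."""
import struct
from typing import List, Tuple

LabelEntry = Tuple[int, int, bool, int]   # (label, TC, bottom-of-stack, TTL)


def encode_entry(label: int, tc: int, bottom: bool, ttl: int) -> bytes:
    """One 32-bit label stack entry: 20-bit label | 3-bit TC | 1-bit S | 8-bit TTL."""
    if not 0 <= label < (1 << 20):
        raise ValueError("label must fit in 20 bits")
    word = (label << 12) | ((tc & 0x7) << 9) | (int(bottom) << 8) | (ttl & 0xFF)
    return struct.pack("!I", word)


def encode_stack(labels: List[int], ttl: int = 255) -> bytes:
    """Labels are listed top (outer) first; only the last entry has the S bit set."""
    last = len(labels) - 1
    return b"".join(encode_entry(lbl, 0, i == last, ttl) for i, lbl in enumerate(labels))


def decode_stack(data: bytes) -> Tuple[List[LabelEntry], bytes]:
    """Parse entries until the S bit is seen; return them plus the remaining payload."""
    entries: List[LabelEntry] = []
    offset = 0
    while True:
        if offset + 4 > len(data):
            raise ValueError("truncated label stack: no bottom-of-stack bit found")
        (word,) = struct.unpack_from("!I", data, offset)
        offset += 4
        entry = (word >> 12, (word >> 9) & 0x7, bool((word >> 8) & 1), word & 0xFF)
        entries.append(entry)
        if entry[2]:
            return entries, data[offset:]


# Constructed forwarding state.  Only the PE routers know anything about the VPN;
# the P routers hold just the transport label toward the egress PE's loopback.
VRF_CEF_INGRESS = {"203.1.20.0/24": [26, 38]}        # "tags imposed: {26 38}"
LFIB_P1 = {26: ("swap", 41)}                           # core LSR swaps the outer label
LFIB_P2 = {41: ("pop", None)}                          # penultimate hop popping (PHP)
VPN_LFIB_EGRESS = {38: ("SiteA2", "Se1/0.20")}         # VPN label -> VRF, outgoing interface
SAMPLE_IP_PACKET = bytes.fromhex("4500001400000000")   # constructed stand-in for an IPv4 header


def ingress_pe(prefix: str, ip_packet: bytes) -> bytes:
    """Impose the full label stack from the VRF CEF entry."""
    return encode_stack(VRF_CEF_INGRESS[prefix]) + ip_packet


def core_lsr(lfib: dict, packet: bytes) -> bytes:
    """Swap or pop the top label only; the inner VPN label is carried untouched.
    The TTL is decremented and copied to the new top entry (uniform model)."""
    entries, payload = decode_stack(packet)
    top, rest = entries[0], [e[0] for e in entries[1:]]
    action, out_label = lfib[top[0]]
    new_stack = ([out_label] if action == "swap" else []) + rest
    return encode_stack(new_stack, top[3] - 1) + payload


def egress_pe(packet: bytes) -> Tuple[str, str, bytes]:
    """After PHP only the VPN label remains; it selects the VRF and outgoing interface."""
    entries, payload = decode_stack(packet)
    if len(entries) != 1 or not entries[0][2]:
        raise ValueError("expected exactly one bottom-of-stack VPN label")
    vrf, interface = VPN_LFIB_EGRESS[entries[0][0]]
    return vrf, interface, payload


def walk(prefix: str = "203.1.20.0/24"):
    """Return the label stack seen at each hop plus the egress lookup result."""
    trace = []
    packet = ingress_pe(prefix, SAMPLE_IP_PACKET)
    trace.append([e[0] for e in decode_stack(packet)[0]])
    for lfib in (LFIB_P1, LFIB_P2):
        packet = core_lsr(lfib, packet)
        trace.append([e[0] for e in decode_stack(packet)[0]])
    vrf, interface, payload = egress_pe(packet)
    return trace, vrf, interface, payload


if __name__ == "__main__":
    trace, vrf, interface, _ = walk()
    print("label stack per hop:", trace, "-> VRF", vrf, "out", interface)
```

`decode_stack` stops at the first entry with the S bit set and refuses a buffer that ends before one is found, which is the check a parser needs before trusting a label value; `egress_pe` likewise rejects a packet that still carries more than the single VPN label after the core has popped the transport label.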

Summary

- VPNs allow you to use the shared infrastructure of an SP to implement your private networks. There are two implementation models: overlay and peer-to-peer.
- The MPLS VPN architecture offers SPs a peer-to-peer VPN architecture that combines the best features of overlay VPNs with the best features of peer-to-peer VPNs.
- MPLS VPNs use a 64-bit prefix called the route distinguisher (RD) to convert non-unique 32-bit customer IPv4 addresses into 96-bit unique addresses that can be transported.
- MPLS works by prepending packets with an MPLS header containing one or more "labels." This is called a label stack.
