TCP/IP & VPN-IP Lintasarta

Pengenalan & Troubleshooting Jaringan

TCP/IP & VPN-IP Lintasarta
Lintasarta 2006

MPLS-VPN

Objectives

This chapter is designed to

enable you to perform the
following:

State the goals of MPLS VPN.

Describe MPLS VPN mechanisms.
Use the command line interface to
configure a VPN.

MPLS VPN Goals

Provide IP VPN service, on Layer 3 backbone
network.
Improve provisioning scalability for provider.
Support IP class of service mechanisms.
Support nonunique, private (RFC#1918)
addressing in customer networks.
Simplify routing configuration for customer.
Support more complex connectivity than
Layer 2 VPN:

Intranet
Extranet

VPN Model

C
Provider
Backbone

D
C

MPLS VPN Architecture

MPLS VPN combines the best features of
overlay VPN and peer-to-peer VPN
PE routers participate in customer routing,
guaranteeing optimum routing between sites and
easy provisioning
PE routers carry a separate set of routes for each
customer (similar to dedicated PE router
approach)
Customers can use overlapping addresses

MPLS VPN Terminology

Customer A Site 1
Remote Offices

CE-Router

Provider Network
Cust A S4
PE-Router

P-Router

PE-Router

Cust A S2

Cust B S2

Cust A S3

Cust B S3

Cust B S1

Cust B S4

Provider Edge (PE) Router

Architecture
Virtual Router for
Customer A

Global IP Router

Cust A S1

Cust A S2

Cust A S3

Virtual IP routing
table for Customer A

Virtual Router for

Customer B

Cust B S1
Virtual IP routing
table for Customer B

Global IP
Routing Table

P-Router

MPLS VPN architecture is very similar

to the dedicated PE router peer-to-peer
model, but the dedicated per-customer
routers are implemented as virtual
routing tables within the PE router.

PE-Router

Building VPNs with MPLS

Constrained distribution of routing information

Routes communicated only to routers that are
members of a VPN
VPN-IP addresses
Supports overlapping address spaces
MPLS
Labels used to define VPNs
Labels used to represent VPN-IP addresses
Peer model
Simplifies routing for end customers

Security Aspects
Controlled

route distribution

Equivalent to Frame Relay networks

VPN

ID cannot be spoofed
Options for additional security

IPSec or application-level encryption

MPLS VPN Architecture

Peer Routing Model

CE router is a routing peer of PE.

Contrast to overlay routing mode.
CEs are peers.
Benefit: simplified routing, more scalable.
Not a zero-sum game: provider routing complexity not
increased proportionately.

VPN B VPN A
VPN C
VPN C
VPN B
VPN A
VPN A
VPN B
VPN C
VPN C VPN B

Intranet
Extranet

Routing Across P-Network

What is best way for PE routers to exchange
customer routing information?

Cust A

Cust C

Cust B

PE-Router Y

P-Router

PE-Router Z

Provider Network

Cust C

1.
2.
3.

Run a dedicated IGP for each customer across P-network.

Run a single routing protocol that will carry all customer
routes inside the provider backbone.
Run a single routing protocol that will carry all customer
routes between PE routers.

Cust B

Cust A

Virtual Private Networks Redefined

With the support of complex VPN topologies,
the VPNs have to be redefined
A VPN is a collection of sites sharing common
routing information
A site can be part of different VPNs
A VPN can be seen as a community of interest
(Closed User Group CUG)
Complex VPN topologies are supported by multiple
virtual routing tables on the PE routers

VPN Topologies and Virtual Routing

Tables
A virtual routing table in a PE router can only
be used for sites with identical connectivity
requirements
Complex VPN topologies require more than
one virtual routing table per VPN
As each virtual routing table requires a distinct
RD value, the number of RDs in the MPLS VPN
network increases

MPLS VPN Routing Requirements

Customer routers (CE-routers) have to run
standard IP routing software
Provider core routers (P-routers) have no VPN
routes
Provider edge routers (PE-routers) have to
support MPLS VPN and Internet routing

MPLS VPN Routing PE Router View

MPLS VPN Backbone
CE-Router

CE-Router

MP-BGP

VPN Routing

VPN Routing
PE-Router

CE-Router

Core IGP

P-Router

Core IGP

PE-Router

CE-Router

PE-routers:
Exchange VPN routes with CE-routers via per-VPN routing protocols
Exchange core routes with P-routers and PE-routers via core IGP
Exchange VPNv4 routes with other PE-routers via MP-BGP sessions

PE Routing Tables
MPLS VPN Backbone
CE-Router

CE-Router

MP-BGP

VPN Routing

VPN Routing
PE-Router

CE-Router

Core IGP

P-Router

Core IGP

IPv4 BGP for Internet

PE-Router

CE-Router

PE-routers contain a number of routing tables:

Global routing table that contains core routes (filled with core IGP) and
Internet routes (filled with IPv4 BGP)
Virtual Routing and Forwarding (VRF) tables for sets of sites with
identical routing requirements
VRFs are filled with information from CE-routers and MP-BGP
information from other PE-routers

End-to-End Routing Information Flow

MPLS VPN Backbone
CE-Router

CE-Router

IPv4 update

CE-Router

MP-BGP update
PE-Router

P-Router

IPv4 update
PE-Router

CE-Router

PE-routers receive IPv4 routing updates from CE-routers and install them in the appropriate VRF table
PE-routers export VPN routes from VRF into MP-BGP and propagate them as VPNv4 routes into other PE-routers
IBGP full mesh is needed between PE-routers
Receiving PE-router imports incoming VPNv4 routes into the appropriate VRF based on route targets attached
to the routes
Routes installed in VRF are propagated to CE-routers

Packet Forwarding Across Backbone

(1 of 3)
MPLS VPN Backbone
IP

CE-Router

IP

Ingress-PE

CE-Router

P-Router

P-Router

Egress-PE
CE-Router

CE-Router

Q: How will PE-routers forward VPN packets across MPLS VPN backbone?
A: Just forward pure IP packets
Wrong Answer:
P-routers do not have VPN routes, packet is dropped on IP lookup.
How about using MPLS for packet propagation across backbone?

Packet Forwarding Across Backbone

(2 of 3)
MPLS VPN Backbone
IP

CE-Router

IP

Ingress-PE

L1

IP

P-Router

L2

IP

P-Router

L3

CE-Router

Egress-PE
CE-Router

CE-Router

Q: How will PE-routers forward VPN packets across MPLS VPN backbone?
A: Label VPN packets with LDP label for egress PE-router, forward labeled
packets across MPLS backbone.
Better Answer:
P-routers perform label switching, packet reaches egress PE-router.
However, egress PE-router does not know which VRF to use for packet
lookup packet is dropped.
How about using a label stack?

Packet Forwarding Across Backbone

(3 of 3)
MPLS VPN Backbone
IP

CE-Router

IP

CE-Router

L1

IP

L2

IP

L3

CE-Router

IP
Ingress-PE

P-Router

P-Router

Egress-PE
CE-Router

Q: How will PE-routers forward VPN packets across MPLS VPN backbone?
A: Label VPN packets with a label stack. Use LDP label for egress PE-router
as the top label, VPN label assigned by egress PE-router as the second label
in the stack.
Correct Answer:
P-routers perform label switching, packet reaches egress PE-router.
Egress PE-router performs lookup on the VPN label and forwards the packet
toward the CE-router.

VPN Label Propagation

MPLS VPN Backbone
CE-Router

CE-Router

Ingress-PE

P-Router

P-Router

Egress-PE
CE-Router

CE-Router

Q: How will the ingress PE-router get the second label in the label stack
from the egress PE-router?
A: Labels are propagated in MP-BGP VPNv4 routing updates.

VPN Label Propagation Step 1

MPLS VPN Backbone
CE-Router

CE-Router

Ingress-PE

P-Router

P-Router

Egress-PE
CE-Router

CE-Router

Step #1: VPN label is assigned to every VPN route by the egress PE-router
Egress-PE#show mpls forwarding-table vrf vrf1
Local

Outgoing

Prefix

Bytes tag

Outgoing

Next Hop

tag

tag or VC

or Tunnel Id

switched

interface

26

Aggregate

150.1.31.30/30[V] 0

37

Untagged

203.1.2.1/32[V]

Se0/2

point2point

38

Untagged

203.1.20.0/24[V]

Se0/2

point2point

VPN Label Propagation Step 2

MPLS VPN Backbone
CE-Router

CE-Router

Ingress-PE

P-Router

P-Router

Egress-PE
CE-Router

CE-Router

Step #2: VPN label is advertised to all other PE-routers in MP-BGP update.
Ingress-PE#show ip bgp vpnv4 all tags
Network

Next Hop

In tag/Out tag

Route Distinguisher: 100:1 (vrf1)

12.0.0.0
203.1.20.0

10.20.0.60

26/notag

10.20.0.60

26/notag

10.15.0.15

notag/38