MPLS-VPN/BGP Approach
Hari Rakotoranto
Technical Marketing Engineer
hrakotor@cisco.com
Agenda
MPLS Business Perspective
VPN Concept
MPLS VPN
Virtual Private Networking: A $24B Opportunity
[Chart: WW VPN Service Revenues ($B) for 1998, 2001 and 2004, series ATM/FR, IP VPNs, Managed Svcs and Total, with the question "Barriers?" set against the VPNs opportunity. Inset pie, 1998 VPN Service Distribution, segments ATM/FR, IP VPNs, Managed Svcs and Unrealized with shares of 54%, 35%, 6% and 5% (the extracted text does not preserve which share belongs to which segment). Source: CIMI Corp.]
Business Perspective
• Businesses are building on IP
• Businesses need private IP services
IP Intranet: Remote Offices, Telecommuters, Mobile Users
IP Extranet: Customers, Suppliers, Partners
Agenda
MPLS Business Perspective
VPN Concept
MPLS VPN
Virtual Private Networks Concepts
NW’00 Paris
© 2000, Cisco Systems, Inc.
6
Virtual Private Networks
• A network infrastructure delivering private network services over a public infrastructure
Certainly not a new concept
VPN - Overlay Model
[Diagram: two VPN sites, each with a CPE (CE) device connected to a Provider Edge (PE) device. A virtual circuit runs across the Service Provider Network between the PE devices, and the Layer-3 routing adjacency runs between the two CE devices over that virtual circuit.]
VPN - Overlay Model
• Private trunks across a telco/SP shared infrastructure
leased/dialup lines
FR/ATM virtual circuits
IP(GRE) tunnelling
• Point-to-point solution between customer sites
how to size inter-site circuit capacities?
full mesh requirement for optimal routing
CPE routing adjacencies between sites
VPN - Peer-to-Peer Model
[Diagram: two VPN sites, each with a CPE (CE) router connected to a Provider Edge (PE) router across the Service Provider Network. The Layer-3 routing adjacency runs between each CE router and its PE router, not between the CE routers.]
VPN - Peer-to-Peer Model
• Provider edge (PE) device exchanges routing information with CPE
all customer routes carried within SP IGP
simple routing scheme for VPN customer
routing between sites is optimal
circuit sizing no longer an issue
• Private addressing is not an option
• Addition of new site is simpler
no overlay mesh to contend with
The Solution: MPLS
• A new paradigm that delivers the best of both worlds:
Privacy of ATM, Frame Relay
flexibility and scalability of IP
• Foundation for IP business services
flexible grouping of users and value-added services
• Low cost managed IP services
scales to large and small private networks
• Based on RFC2547bis.
Agenda
MPLS Business Perspective
VPN Concept
MPLS VPN
Basic Intranet Model
[Diagram: VPN A with four sites (SITE-1 to SITE-4) attached to PE routers on the MPLS/VPN Backbone, with a P router in the core; the PE routers exchange routes over MP-iBGP. Site-1 & Site-2 routes and Site-3 & Site-4 routes are advertised with RT=VPN-A, so every site receives Site-1, Site-2, Site-3 and Site-4 routes.]
MPLS VPN mechanisms
VRF and Multiple Routing Instances
[Diagram. Logical view: Site-1 to Site-4 grouped into VPN-A, VPN-B and VPN-C. Routing view: PE routers joined by multihop MP-iBGP across the P routers, each PE holding a separate VRF per attached site. VRF for site-1 holds Site-1 and Site-2 routes; VRF for site-2 holds Site-1, Site-2 and Site-3 routes; VRF for site-3 holds Site-2, Site-3 and Site-4 routes; VRF for site-4 holds Site-3 and Site-4 routes. Site-2 and Site-3 thus each share routes with two other sites, while Site-1 and Site-4 see only one neighbour.]
MPLS VPN Connection Model
[Diagram: Site-1 (CE-1) attached to PE-1 and Site-2 (CE-2) attached to PE-2, with P routers in between running the VPN Backbone IGP. CE-1 sends PE-1 a BGP or RIPv2 update for Net1 with Next-Hop=CE-1. PE-1 sends PE-2 the VPN-IPv4 update: RD:Net1, Next-hop=PE-1, SOO=Site1, RT=Green, Label=(intCE1). At PE-2 the VPN-IPv4 update is translated back into the IPv4 address (Net1), put into VRF green since RT=Green, and advertised to CE-2.]
• PE routers receive IPv4 updates (EBGP, RIPv2, OSPF, Static)
• PE routers translate into VPN-IPv4
Assign a SOO and RT based on configuration
Re-write Next-Hop attribute
Assign a label based on VRF and/or interface
• Send MP-iBGP update to all PE neighbors
MPLS VPN Connection Model
• Receiving PEs translate to IPv4
Insert the route into the VRF identified by the RT attribute (based on PE configuration)
• The label associated with the VPN-IPv4 address will be set on packets forwarded towards the destination
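The following Python model walks the two Connection Model slides in code. It is an added illustration, not code from the presentation or from Cisco: the ingress PE turns the IPv4 route it learned from CE-1 into a VPN-IPv4 route (RD prefix, rewritten next-hop, RT and SOO attributes, VPN label), and the receiving PE installs that route only in VRFs whose import route targets match. The RD, RT and address values, the loopback 10.255.0.1 and the starting label 16 are assumptions. The shared_route_targets helper is the check an operator would run on a PE: any pair of VRFs where one imports what the other exports is either a deliberate extranet or the place where a route leaks across a VPN boundary.

```python
"""Control-plane model of the two Connection Model slides: the ingress PE turns
the IPv4 route learned from its CE into a VPN-IPv4 route (RD prefix, rewritten
next-hop, RT and SOO attributes, VPN label) and the receiving PE installs it only
in VRFs whose import route targets match. Constructed example; the RD, RT and
address values are illustrative and not taken from any real configuration."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class VpnIpv4Route:
    rd: str              # route distinguisher: keeps overlapping customer prefixes distinct
    prefix: str
    next_hop: str        # rewritten by the ingress PE to its own loopback
    rt: frozenset        # route target extended communities on the MP-iBGP update
    soo: str             # site of origin
    label: int           # VPN label the egress PE expects at the bottom of the stack


@dataclass
class Vrf:
    name: str
    rd: str
    export_rt: set
    import_rt: set
    routes: dict = field(default_factory=dict)  # prefix -> (next_hop, VPN label or None)
    next_label: int = 16                         # first label this VRF hands out (assumed)


def export_to_vpnv4(pe_loopback, vrf, prefix, ce_next_hop, soo):
    """Ingress PE: the IPv4 update from the CE becomes a VPN-IPv4 route.

    Mirrors the slide's steps: assign SOO and RT from configuration, rewrite the
    next-hop to the PE, assign a label based on the VRF, and return the route
    ready to be sent over MP-iBGP."""
    label = vrf.next_label
    vrf.next_label += 1
    vrf.routes[prefix] = (ce_next_hop, None)   # locally attached: sent to the CE unlabelled
    return VpnIpv4Route(rd=vrf.rd, prefix=prefix, next_hop=pe_loopback,
                        rt=frozenset(vrf.export_rt), soo=soo, label=label)


def import_vpnv4(vrfs, route):
    """Receiving PE: install the route in every VRF whose import RTs intersect
    the route's RTs; return the names of the VRFs that accepted it."""
    installed = []
    for vrf in vrfs:
        if vrf.import_rt & route.rt:
            vrf.routes[route.prefix] = (route.next_hop, route.label)
            installed.append(vrf.name)
    return installed


def shared_route_targets(vrfs):
    """Audit helper: (exporter, importer) pairs of distinct VRFs on one PE where an
    RT exported by one is imported by the other. Expected for a deliberate
    extranet, otherwise the point where routes cross a VPN boundary."""
    return [(a.name, b.name) for a in vrfs for b in vrfs
            if a is not b and a.export_rt & b.import_rt]


def demo():
    """Walk Net1 from CE-1 through PE-1 to PE-2, as on the slide."""
    pe1_green = Vrf("green", "65000:1", export_rt={"65000:1"}, import_rt={"65000:1"})
    pe2_green = Vrf("green", "65000:1", export_rt={"65000:1"}, import_rt={"65000:1"})
    pe2_blue = Vrf("blue", "65000:2", export_rt={"65000:2"}, import_rt={"65000:2"})

    # PE-1 (loopback 10.255.0.1, assumed) learns Net1 from CE-1 at 192.0.2.2 (assumed)
    update = export_to_vpnv4("10.255.0.1", pe1_green, "198.51.100.0/24", "192.0.2.2", "Site1")
    installed = import_vpnv4([pe2_green, pe2_blue], update)
    return update, installed, pe2_green, pe2_blue


if __name__ == "__main__":
    update, installed, green, blue = demo()
    print(update)
    print("installed in:", installed)                        # ['green']
    print("present in blue:", "198.51.100.0/24" in blue.routes)  # False
```

Run it and the route lands in VRF green on PE-2 and nowhere else, because only green imports 65000:1; change blue's import set to include 65000:1 and shared_route_targets reports the green-to-blue crossing before any traffic flows.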
MPLS/VPN Packet Forwarding
[Diagram: London site, PE-1, P router, the PE at 197.26.15.1 and the Paris site 149.27.2.0/24. LFIB entries shown:
PE-1:            In Label -    FEC 197.26.15.1/32   Out Label 41    (use label 41 for destination 197.26.15.0/24)
P router:        In Label 41   FEC 197.26.15.1/32   Out Label POP
PE 197.26.15.1:  In Label -    FEC 197.26.15.1/32   Out Label -     (use label implicit-null for destination 197.26.15.1/32)
VPN-v4 update for the Paris prefix: RD:1:27:149.27.2.0/24, NH=197.26.15.1, SOO=Paris, RT=VPN-A, Label=(28)]
• PE and P routers have BGP next-hop reachability through the backbone IGP
• Labels are distributed through LDP corresponding to BGP Next-Hops, or RSVP with Traffic Engineering
MPLS/VPN Packet Forwarding
[Diagram: a plain IP packet for 149.27.2.27 arrives from the London site at PE-1. PE-1 LFIB: In Label -, FEC 197.26.15.1/32, Out Label 41. VPN-A VRF at PE-1: 149.27.2.0/24, NH=197.26.15.1, Label=(28). The packet leaves PE-1 towards Paris (149.27.2.0/24) carrying the label stack 41, 28 above the IP packet to 149.27.2.27.]
• Ingress PE receives normal IP packets
• PE router performs IP Longest Match from VPN FIB, finds iBGP next-hop and imposes a stack of labels <IGP, VPN>
MPLS/VPN Packet Forwarding
[Diagram: the packet to 149.27.2.27 carries labels 41, 28 from PE-1 to the P router, only label 28 from the P router to the egress PE, and leaves the egress PE as a plain IP packet towards Paris (149.27.2.0/24). P router LFIB: In Label 41, FEC 197.26.15.1/32, Out Label POP. Egress PE LFIB: In Label 28(V), FEC 149.27.2.0/24, Out Label -. VPN-A VRF at PE-1: 149.27.2.0/24, NH=197.26.15.1, Label=(28). VPN-A VRF at the egress PE: 149.27.2.0/24, NH=Paris.]
• Penultimate P router removes the IGP label
Penultimate Hop Popping procedures (implicit-null label)
• Egress PE router uses the VPN label to select which VPN/CE to forward the packet to
• VPN label is removed and the packet is routed toward the VPN site
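The three forwarding slides as an added Python model, not code from the presentation or from Cisco: PE-1 does the longest match in the VPN FIB and imposes the <IGP, VPN> stack, the P router pops the IGP label (penultimate hop popping), and the egress PE uses the VPN label to choose the VRF before routing the IP packet to Paris. The addresses and labels (41, 28, 197.26.15.1, 149.27.2.0/24) are the slides' own; the router objects and the name PE-Paris for the PE at 197.26.15.1 are assumptions. The model also shows the two drop cases the slides imply but do not spell out: a top label with no LFIB entry at the P router, and a VPN label the egress PE never allocated, neither of which can be steered into a VRF.

```python
"""Data-plane model of the three Packet Forwarding slides: the ingress PE does a
longest match in the VPN FIB and imposes the <IGP, VPN> label stack, the P router
pops the IGP label (penultimate hop popping, implicit-null), and the egress PE
uses the VPN label to pick the VRF before routing the plain IP packet to the site.
Constructed example using the addresses and labels shown on the slides; the
router objects and the name 'PE-Paris' for the PE at 197.26.15.1 are assumed."""
import ipaddress

POP = "POP"   # implicit-null: the penultimate hop removes the top label instead of swapping it


class Router:
    def __init__(self, name):
        self.name = name
        self.lfib = {}        # incoming IGP label -> (FEC, outgoing label or POP)
        self.vrf_fib = {}     # VRF name -> {prefix: (next_hop, igp_label, vpn_label)}
        self.vpn_labels = {}  # VPN label allocated by this PE -> VRF name


def lpm(fib, dst):
    """Longest-prefix match of dst over a FIB keyed by 'a.b.c.d/len'; None if no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix in fib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return str(best) if best is not None else None


def ingress_forward(pe, vrf, dst):
    """Slide 2: IP longest match in the VPN FIB, then impose <IGP label, VPN label>
    (top of stack first). None means no route in that VRF: the packet is dropped."""
    prefix = lpm(pe.vrf_fib[vrf], dst)
    if prefix is None:
        return None
    _next_hop, igp_label, vpn_label = pe.vrf_fib[vrf][prefix]
    return [igp_label, vpn_label]


def p_forward(p, stack):
    """Slide 3, P router: swap or pop the top (IGP) label only; the VPN label
    underneath is never inspected. A top label with no LFIB entry is dropped (None)."""
    entry = p.lfib.get(stack[0])
    if entry is None:
        return None
    _fec, out = entry
    return stack[1:] if out == POP else [out] + stack[1:]


def egress_forward(pe, stack, dst):
    """Slide 3, egress PE: the VPN label (on top after PHP) selects the VRF; it is
    removed and the IP packet is routed within that VRF. A label this PE never
    allocated maps to no VRF, so the packet is dropped (None)."""
    vrf = pe.vpn_labels.get(stack[0])
    if vrf is None:
        return None
    prefix = lpm(pe.vrf_fib[vrf], dst)
    if prefix is None:
        return None
    next_hop = pe.vrf_fib[vrf][prefix][0]
    return vrf, next_hop, stack[1:]


def build_topology():
    """PE-1 (London side), one P router, and the egress PE 197.26.15.1 (Paris side)."""
    pe1 = Router("PE-1")
    pe1.lfib[None] = ("197.26.15.1/32", 41)       # LDP: label 41 towards the egress PE loopback
    pe1.vrf_fib["VPN-A"] = {"149.27.2.0/24": ("197.26.15.1", 41, 28)}  # from the VPN-v4 update
    p = Router("P")
    p.lfib[41] = ("197.26.15.1/32", POP)          # implicit-null advertised by the egress PE
    egress = Router("PE-Paris")                   # name assumed; the slide shows only its address
    egress.vpn_labels[28] = "VPN-A"               # label (28) it attached to the VPN-v4 update
    egress.vrf_fib["VPN-A"] = {"149.27.2.0/24": ("Paris", None, None)}
    return pe1, p, egress


def forward_end_to_end(dst):
    """Trace a packet from London to dst through PE-1, P and the egress PE."""
    pe1, p, egress = build_topology()
    trace = []
    stack = ingress_forward(pe1, "VPN-A", dst)
    if stack is None:
        return trace
    trace.append((pe1.name, stack))
    stack = p_forward(p, stack)
    if stack is None:
        return trace
    trace.append((p.name, stack))
    result = egress_forward(egress, stack, dst)
    if result is not None:
        vrf, next_hop, stack = result
        trace.append((egress.name, vrf, next_hop, stack))
    return trace


if __name__ == "__main__":
    for hop in forward_end_to_end("149.27.2.27"):
        print(hop)   # ('PE-1', [41, 28]) / ('P', [28]) / ('PE-Paris', 'VPN-A', 'Paris', [])
```

The P router only ever touches the top label, which is why the VPN label can carry the VRF choice across a core that knows nothing about the customer prefixes; the corresponding operational point is that the VRF a packet lands in is decided entirely by the label the egress PE itself allocated, so label allocation and the CE-facing interfaces (which accept no labelled packets in this model) are what keep VPN-A traffic out of any other VRF.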