MPLS

Multiprotocol Label Switching (MPLS)
Petr Grygárek
© 2005 Petr Grygarek, Advanced Computer Networks Technologies
Technology Basics
• Integrates label-based forwarding paradigm with network layer routing
  • label forwarding + label swapping similar to ATM/FR
  • switching tables constructed using IP routing protocol(s)
• Advantages:
  • improves the price/performance of network layer routing
    • MPLS switching algorithm might be simpler and faster than traditional IP routing (slow lookup of huge IP routing tables etc.)
    • Processor-intensive packet analysis and classification happens only once at the ingress edge
    • But MPLS is not only a method to make routers much faster
  • improves the scalability of the network layer
  • provides greater flexibility in the delivery of (new) routing services
    • new routing services may be added without change to the forwarding paradigm
    • Multiple VRF-based VPNs (with address overlap), traffic engineering, …
  • integrates IP routing with VC-based networks (like ATM)
MPLS Operation in Brief (Frame Mode)
• Standard IP routing protocol used in MPLS routing domain (OSPF, IS-IS, …)
• <IP prefix, label> mapping created by egress router
  • i.e. router at MPLS domain edge used as exit point for that IP prefix
• Label distribution protocols used to distribute label bindings for IP prefixes between adjacent neighbors
  • label has local significance
• Ingress LSR receives IP packets
  • Performs classification and assigns label
  • Forwards labeled packet to MPLS core
• Core LSRs switch labeled packets based on label value
• Egress router removes label before forwarding packet out of MPLS domain
  • performs normal L3 routing table lookup
MPLS position in OSI RM
• MPLS operates between link and network layer
  • Deals with L3 routing/addressing
  • Uses L2 labels for fast switching
• Inherent labels of some L2 technologies
  • ATM VPI/VCI, Frame Relay DLCI, optical switching lambdas, …
• Additional “shim” headers placed between L2 and L3 headers
  • its presence indicated in L2 header
    • Ethernet EtherType, PPP Protocol field, Frame Relay NLPID, …
    • EtherType 0x8847 – unicast, 0x8848 – multicast
Label-based packet forwarding
• Packet marked with labels at ingress MPLS router
  • Allows to apply various rules to impose labels
    • destination network prefix, QoS, policy routing (traffic engineering), VPNs, …
    • labels imply both routes (IP destination prefixes) and service attributes (QoS, TE, VPN, …)
  • Multiple labels can be imposed (label stack)
    • allows special applications (hierarchical MPLS forwarding)
• Packet quickly forwarded according to labels through MPLS core
  • uses only label swapping, no IP routing
  • IP routing information used only to build forwarding tables, not for actual (potentially slow) IP routing
  • label-switched paths determined by IP routing protocol
    • implementation of MPLS is only as good as underlying routing protocol
• Label removed at egress router and packet forwarded using standard L3 IP routing table lookup
Components of MPLS architecture
• Forwarding Component (data plane)
  • “brute force” forwarding using label forwarding information base (LFIB)
• Control Component (control plane)
  • Creates and updates label bindings (LFIB)
    • <IP_prefix, label>
  • MPLS node has to participate in routing protocol (IGP or static routing)
    • including ATM switches in MPLS cell-mode
  • Label assignment is distributed to other MPLS peers
    • using some sort of label distribution protocol (LDP)
• Control and forwarding functions are separated
MPLS Devices
• Label-Switch Router (LSR)
  • Any router/switch participating in label assignment and distribution that supports label-based packet/cell switching
• LSR Classification
  • Core LSR (P – Provider)
  • Edge LSR (PE – Provider Edge)
    (Often the same kind of device, but configured differently)
  • Frame-mode LSR
    • MPLS-capable router with Ethernet interfaces
  • Cell-mode LSR
    • ATM switch with added functionality (control software)
Functions of Edge LSR
• Any LSR on MPLS domain edge, i.e. with non-MPLS neighboring devices
• Performs label imposition and disposition
  • Packets classified and label imposed
  • Classification based on routing and policy requirements
    • Traffic engineering, policy routing, QoS-based routing
  • Information of L3 (and above) headers inspected only once at edge of the MPLS domain
Forwarding Equivalence Class (FEC)
• Packets classified into FECs at MPLS domain edge LSR
  • according to unicast routing destinations, QoS class, VPN, multicast group, traffic-engineered traffic class, …
• FEC is a class of packets to be MPLS-switched the same way
Label switched path (LSP)
• Sequence of LSRs between ingress and egress (edge) LSRs
  • + sequence of assigned labels (local significance)
• Unidirectional
• One for every forwarding equivalence class
• May diverge from IGP shortest path
  • Path established by traffic engineering using explicit routing and label switched path tunnels
Upstream and downstream neighbors
• From perspective of some particular LSR
• Related to particular destination (and FEC)
• Routing protocol’s next-hop address determines downstream neighbor
• Upstream neighbor is closer to data source whereas downstream neighbor is closer to the destination network
MPLS and IP routing interaction in LSR
Figure: internal structure of an LSR. Control plane: the IP routing process (routing information exchange with the routing protocol) fills the IP routing table; the MPLS signalling protocol (label bindings exchange) fills the label forwarding table. Data plane: incoming unlabeled packets are forwarded by the IP routing table and leave as outgoing unlabelled packets; incoming labeled packets are forwarded by the label forwarding table and leave as outgoing labeled packets.
Interaction of neighboring MPLS LSRs
Figure: two neighboring LSRs, each with an IP routing process, IP routing table, MPLS signalling protocol and label forwarding table. The IP routing processes exchange routing information, the MPLS signalling protocols exchange label bindings, and labeled packets flow between the label forwarding tables.
Operation of edge LSR
Figure: internal structure of an edge LSR. Control plane: the IP routing process (routing information exchange) builds the IP routing table, from which the IP forwarding table and, after resolving of recursive routes, the label forwarding table are derived; the MPLS signalling protocol performs the label bindings exchange. Data plane: incoming unlabeled packets are looked up in the IP forwarding table and leave either as outgoing unlabeled or outgoing labeled packets; incoming labeled packets undergo label disposition and L3 lookup and leave as unlabeled packets.
Penultimate hop behavior
• Label at the top of label stack is removed not by egress router at MPLS domain edge (as could be expected), but by its upstream neighbor (penultimate hop)
  • On egress router, packet could not be label-switched anyway
    • Egress router has to perform L3 lookup to find more specific route
    • commonly, egress router advertises single label for summary route
  • Disposition of label imposed by egress router’s upstream neighbor would introduce unnecessary overhead
  • For that reason, upstream neighbor of egress router always pops label and sends packet to egress router unlabeled
• Egress LSR requests popping of label through label distribution protocol
  • advertises “implicit-null” label for particular FEC
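The whole frame-mode forwarding sequence of the previous slides (ingress imposition, core label swapping, penultimate hop popping triggered by an implicit-null binding, and the egress L3 lookup for the more specific route) in one small simulator. This is an added example, not code from the slides; the router names PE1/P1/P2/PE2, the labels 100 and 200 and the prefixes 10.1.0.0/16 and 10.1.5.0/24 are constructed, and TTL handling is simplified to one decrement per hop.

```python
"""Label switching with penultimate hop popping (PHP).

Added example, not taken from the slides: a frame-mode LSP
PE1 -> P1 -> P2 -> PE2 for the FEC 10.1.0.0/16. Router names, label values
and prefixes are constructed for illustration; TTL handling is simplified
to one decrement per hop.
"""
from ipaddress import ip_address, ip_network

# Reserved label value 3 ("implicit null", RFC 3032): the advertising LSR asks
# its upstream neighbor to pop the label instead of swapping it.
IMPLICIT_NULL = 3


class LSR:
    def __init__(self, name):
        self.name = name
        self.fib = {}    # IP FIB:  network -> (next hop, label to impose or None)
        self.lfib = {}   # LFIB:    incoming label -> (next hop, outgoing label)

    def forward(self, packet):
        """Apply this LSR's forwarding decision; return (next hop, packet)."""
        stack = packet["labels"]
        if stack:
            # Labeled packet: the decision is made on the top-of-stack label only,
            # the IP header is never inspected here.
            in_label = stack[-1]
            if in_label not in self.lfib:
                raise LookupError(f"{self.name}: no LFIB entry for label {in_label}")
            next_hop, out_label = self.lfib[in_label]
            stack.pop()
            if out_label != IMPLICIT_NULL:
                stack.append(out_label)      # label swap
            # else: penultimate hop pops and sends the packet unlabeled
        else:
            # Unlabeled packet (ingress or egress): longest-prefix match in the IP FIB.
            dst = ip_address(packet["dst"])
            matches = [n for n in self.fib if dst in n]
            if not matches:
                raise LookupError(f"{self.name}: no route to {dst}")
            best = max(matches, key=lambda n: n.prefixlen)
            next_hop, out_label = self.fib[best]
            if out_label not in (None, IMPLICIT_NULL):
                stack.append(out_label)      # ingress label imposition
        packet["ttl"] -= 1
        return next_hop, packet


def build_domain():
    """Constructed LSRs and label bindings for one FEC."""
    pe1, p1, p2, pe2 = LSR("PE1"), LSR("P1"), LSR("P2"), LSR("PE2")
    fec = ip_network("10.1.0.0/16")
    # Bindings advertised by each downstream LSR to its upstream neighbor:
    #   P1 -> PE1: label 100,  P2 -> P1: label 200,  PE2 -> P2: implicit null
    pe1.fib[fec] = ("P1", 100)
    p1.lfib[100] = ("P2", 200)
    p2.lfib[200] = ("PE2", IMPLICIT_NULL)
    # The egress only advertised a label for the summary; the more specific
    # route is found by its own L3 lookup once the label is gone.
    pe2.fib[fec] = ("CE-A", None)
    pe2.fib[ip_network("10.1.5.0/24")] = ("CE-B", None)
    return {r.name: r for r in (pe1, p1, p2, pe2)}


def trace(domain, dst, ttl=64):
    """Send one packet from PE1; return the per-hop list of
    (LSR, next hop, label stack after processing) and the final packet."""
    packet = {"dst": dst, "labels": [], "ttl": ttl}
    hops = []
    node = "PE1"
    while node in domain:
        nxt, packet = domain[node].forward(packet)
        hops.append((node, nxt, list(packet["labels"])))
        node = nxt
    return hops, packet


if __name__ == "__main__":
    for hop in trace(build_domain(), "10.1.5.9")[0]:
        print(hop)
```

Note that a core LSR with no LFIB entry for an incoming label refuses the packet rather than falling back to an IP lookup: in the core, the label is the only thing that is looked at.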
Label and label stack
• Label format (and length) dependent on L2 technology
• Labels have local-link significance, each LSR creates its own label mappings
  • although not a rule, the same label is often propagated on different links for the same prefix
• Multiple labels may be imposed, forming the label stack
  • Label bottom indicated by “S” bit
• Label stacking allows special MPLS applications (VPNs etc.)
• Packet switching is always based on the label on the top of stack
MPLS header
• Between L2 and L3 header
• MPLS header presence indicated in EtherType/PPP Protocol ID/Frame Relay NLPID
• 4 octets (32b)
  • 20 bits – label value
  • 3 bits – Exp (experimental) – used for QoS today
  • 8 bits – MPLS TTL (Time to Live)
  • 1 bit – “S bit” – indicates bottom of stack
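An encoder and decoder for the shim header layout just listed, as an added example (not code from the slides). It packs a whole label stack, sets the S bit on the bottom entry, and on decoding refuses a frame that ends without any bottom-of-stack entry, the malformed case a parser has to reject rather than read past the buffer. The EtherType constants are the ones given on the OSI slide; the payload-type guess from the first IP nibble is needed because the shim header carries no protocol field.

```python
"""Encoding and decoding of the 32-bit MPLS shim header (label stack entry).

Added example, not from the slides. Field layout follows the slide:
20-bit label, 3-bit EXP, 1-bit S (bottom of stack), 8-bit TTL.
"""
import struct

ETHERTYPE_MPLS_UNICAST = 0x8847
ETHERTYPE_MPLS_MULTICAST = 0x8848


def encode_label_stack(entries):
    """entries: [(label, exp, ttl), ...] from top of stack to bottom.
    The S bit is set automatically on the last entry."""
    if not entries:
        raise ValueError("a label stack needs at least one entry")
    out = bytearray()
    last = len(entries) - 1
    for i, (label, exp, ttl) in enumerate(entries):
        if not 0 <= label < (1 << 20):
            raise ValueError(f"label {label} does not fit in 20 bits")
        if not 0 <= exp < 8 or not 0 <= ttl < 256:
            raise ValueError("EXP must be 0..7 and TTL 0..255")
        s = 1 if i == last else 0
        word = (label << 12) | (exp << 9) | (s << 8) | ttl
        out += struct.pack("!I", word)
    return bytes(out)


def decode_label_stack(data):
    """Parse label stack entries until the S bit; return (entries, payload).
    Raises ValueError if the frame ends before a bottom-of-stack entry."""
    entries, offset = [], 0
    while True:
        if len(data) - offset < 4:
            raise ValueError("truncated label stack (no bottom-of-stack entry)")
        (word,) = struct.unpack_from("!I", data, offset)
        offset += 4
        label = word >> 12
        exp = (word >> 9) & 0x7
        s = (word >> 8) & 0x1
        ttl = word & 0xFF
        entries.append((label, exp, ttl))
        if s:
            return entries, data[offset:]


def guess_payload(payload):
    """The shim header has no protocol field: after the bottom label the
    payload type has to be inferred, here from the IP version nibble."""
    if not payload:
        return "empty"
    version = payload[0] >> 4
    return {4: "IPv4", 6: "IPv6"}.get(version, "unknown")


if __name__ == "__main__":
    # Constructed two-label stack (outer 16, inner 24) in front of an IPv4 header start.
    frame = encode_label_stack([(16, 5, 64), (24, 0, 64)]) + b"\x45\x00"
    print(frame.hex(), decode_label_stack(frame))
```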
Label Bindings Distribution
Label Distribution Protocol Functionality
• Used to advertise <IP_prefix, label> bindings
• Used to create Label Information Base (LIB) and Label Forwarding Information Base (LFIB)
  • LIB maintains all prefixes advertised by MPLS neighbors
  • LFIB maintains only prefixes advertised by next hops for individual routes
    • i.e. those actually used for label switching
    • next-hop determined by traditional IGP
• LFIB used for actual label switching, LIB maintains labels which may be useful if IGP routes change
Label Retention Modes
• Liberal mode
• LSR retains labels for FEC from all neighbors
• Requires more memory and label space
• Improves latency after IP routing paths change
• Conservative mode
• Only labels from next-hop for IP prefix are
maintained
• next-hop determined from IP routing protocol
• Saves memory and label space
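The LIB/LFIB split of the previous slide and the two retention modes of this one, as an added example that is not code from the slides. One LSR receives bindings for a single FEC from two neighbors; then the IGP next hop moves from R2 to R3, as it would after a link failure. Router names, labels and the FEC are constructed; the request bookkeeping for the conservative case is a simplification.

```python
"""LIB versus LFIB under liberal and conservative label retention.

Added example, not from the slides. One LSR learns bindings for a single
FEC from two neighbors; the IGP next hop then moves from R2 to R3 (as after
a link failure). Router names, labels and the FEC are constructed.
"""


class LabelSwitchRouter:
    def __init__(self, name, retention="liberal"):
        if retention not in ("liberal", "conservative"):
            raise ValueError("retention must be 'liberal' or 'conservative'")
        self.name = name
        self.retention = retention
        self.next_hop = {}    # FEC -> downstream neighbor (from the IGP)
        self.lib = {}         # FEC -> {neighbor: label}   all retained bindings
        self.lfib = {}        # FEC -> (neighbor, label)   binding actually used
        self.pending = []     # (FEC, neighbor) for which a binding must still be obtained

    def receive_binding(self, fec, neighbor, label):
        """Unsolicited binding <fec, label> from a neighbor."""
        if self.retention == "conservative" and self.next_hop.get(fec) != neighbor:
            return False      # not the next hop: conservative mode discards it
        self.lib.setdefault(fec, {})[neighbor] = label
        self._rebuild(fec)
        return True

    def igp_update(self, fec, neighbor):
        """The routing protocol changed the next hop for this FEC."""
        self.next_hop[fec] = neighbor
        self._rebuild(fec)

    def _rebuild(self, fec):
        """LFIB entry = the LIB binding from the current IGP next hop, if any."""
        nh = self.next_hop.get(fec)
        label = self.lib.get(fec, {}).get(nh)
        if nh is not None and label is not None:
            self.lfib[fec] = (nh, label)
        else:
            self.lfib.pop(fec, None)
            if nh is not None:
                # no usable binding until the new next hop advertises one
                self.pending.append((fec, nh))


def failover_demo(retention):
    """Return (LIB size, LFIB entry after failover, bindings still needed)."""
    lsr = LabelSwitchRouter("R1", retention)
    fec = "172.16.0.0/16"
    lsr.igp_update(fec, "R2")             # IGP: R2 is the next hop, no binding yet
    lsr.receive_binding(fec, "R2", 17)
    lsr.receive_binding(fec, "R3", 33)    # alternate path; only liberal mode keeps it
    before = len(lsr.pending)
    lsr.igp_update(fec, "R3")             # R2 link fails, IGP reconverges to R3
    return len(lsr.lib[fec]), lsr.lfib.get(fec), len(lsr.pending) - before


if __name__ == "__main__":
    for mode in ("liberal", "conservative"):
        print(mode, failover_demo(mode))
```

In liberal mode the binding from R3 is already in the LIB, so the LFIB is repaired at the moment the IGP reconverges; in conservative mode the LFIB entry disappears and stays absent until R3's binding is obtained, which is the latency the slide refers to.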
Label Distribution Modes
• Independent LSP control
  • LSR binds labels to FECs and advertises them whether or not the LSR itself has received a label from its next-hop for that FEC
  • Most common in MPLS frame mode
• Ordered LSP control
  • LSR only binds and advertises label for FEC if
    - it is the egress LSR for that FEC, or
    - it received a label binding from next-hop LSR
Protocols for Label Distribution
• Label Distribution Protocol (LDP) – IETF standard
  • TCP port 646
• RSVP-TE
  • used for MPLS traffic engineering
• BGP
  • implements MPLS VPNs (peer model)
• PIM
  • enables MPLS-based multicasts
• Tag Distribution Protocol (TDP) – Cisco proprietary, obsolete
  • LDP predecessor
  • TCP port 711
• Label bindings are exchanged between neighboring routers
  • in special cases also between non-neighboring routers
    • “targeted LDP” session – e.g. MPLS-based pseudowire
Label Distribution Protocol (LDP): Message Types
• Discovery messages (hellos)
  • UDP/646
  • Used to discover and continually check for presence of LDP peers
• Once a neighbor is discovered, LDP session is established over TCP/646
  • messages to establish, maintain and terminate session
  • label mappings advertisement messages
    • create, modify, delete
  • error notification message
• LDP Neighbor ID
  • Corresponding address must be reachable from LDP peer
Frame-mode and Cell-mode LSRs
Frame-mode LSRs
• Frame/Packet processing devices
• such as routers or Frame Relay switches
• Labeled packets treated as L2 frames
• Shim header between L2 and L3 header
• Presence of MPLS header indicated in L2 header
Frame-mode Label Distribution
• Unsolicited downstream
  • Labels distributed automatically to upstream neighbors
  • Downstream LSR advertises labels for particular FECs to the upstream neighbor
• Independent control of label assignment
  • Label assigned as soon as new IP prefix appears in IP routing table (may be limited by ACL)
  • Mapping stored into LIB
  • LSR may send (switch) labeled packets to next hop even if next hop itself does not have label for switching that FEC further
• Liberal retention mode
  • All received label mappings are retained
Cell-mode LSRs
• ATM switches
  • LSRs switch cells, not packets
    • packets fragmented into cells
  • VPI/VCI used to carry labels
• Additional piece of software needed to integrate ATM switches with IP routing (IGP) and implement label distribution protocols – Label Switch Controller
  • needed to provide label assignment and distribution and proper building of switching tables (ATM layer)
Problems with ATM Switches in IP Networks
• ATM switches cannot perform IP lookup and label stack lookup
• ATM switches cannot handle IP packets directly hop-by-hop
  • Packets chopped into ATM cells
  • VPI/VCI serves as label
• Virtual circuits have to be created
  • created dynamically for every FEC
  • Signalling between neighboring ATM switches is needed to dynamically create VCs
    • VPI=0, VCI=32, aal5snap encapsulation
    • between ATM Edge LSR and ATM LSR and between two ATM LSRs
  • ATM switching tables created according to signalling requests
• Additional ATM switch software required
Downstream on demand label assignment
• On-demand dynamic VC creation method
• Label request for particular prefix is sent by ingress LSR step by step to destination egress LSR along IGP shortest path
  • Upstream LSRs request labels from downstream neighbors
  • Downstream LSRs respond with labels upon request
• Labels assigned by all intermediate LSRs
  • LIB maintains only actually used labels
• Egress LSR creates label mapping
  • Label mapping propagated back to the source
• Uses conservative label retention mode
  • because label request is sent to FEC’s next hop only
• Labels assigned only on demand (initiated by ingress LSR)
Cell-mode Label Distribution Problem
• Unsolicited Downstream method cannot be used
  • AAL5 cannot intermix cells of multiple packets
Figure: two packets (labels 5 and 7) arrive on interfaces 1 and 2 of an ATM-LSR and are both switched to interface 3 with the same outgoing label 4; their cells interleave on the outgoing VC (4 4 4 4) and the egress for 150.10.0.0/16 cannot tell which cells belong to which packet (???).
ATM-LSR switching table:
In if | In tag | (prefix) | Out if | Out tag
1 | 100/5 | 150.10/16 | 3 | 101/4
2 | 100/7 | 150.10/16 | 3 | 101/4
Cell-mode Label Assignment Principles
• ATM-LSR assigns unique label (VPI/VCI pair)
for every upstream neighbor
• LSR requests downstream neighbor to give one label
(VPI/VCI) per FEC and per incoming interface
(upstream neighbor)
• Separate VC created for every FEC from ingress
LSR to egress edge LSR
• Disadvantage: many separated VCs for single FEC
Cell-mode Label Distribution: Unique Labels for Upstream Neighbors
Figure: the same two packets (labels 5 and 7) from interfaces 1 and 2 are switched to interface 3 with distinct outgoing labels 4 and 6; the interleaved cells (4 6 4 6) belong to different VCs and can be separated at the egress for 150.10.0.0/16.
ATM-LSR switching table:
In if | In tag | (prefix) | Out if | Out tag
1 | 100/5 | 150.10/16 | 3 | 101/4
2 | 100/7 | 150.10/16 | 3 | 101/6
VC Merge Option
• Single label can be allocated for FEC if ATM switch avoids intermixing of cells of packets of that FEC coming from different incoming interfaces at the same time
• LSR has to capture/buffer cells of incoming packets and send packets one after another at the outgoing interface
• Saves label space, limits number of VCs
  • but requires additional processing at ATM-LSRs
VC Merge Operation
Figure: packets with labels 5 and 7 from interfaces 1 and 2 are both switched to interface 3 with the same outgoing label 4, but the ATM-LSR buffers each packet’s cells and sends the packets one after another (4 4 4 4 of one packet, then the next), so the egress for 150.10.0.0/16 can reassemble them.
ATM-LSR switching table:
In if | In tag | (prefix) | Out if | Out tag
1 | 100/5 | 150.10/16 | 3 | 101/4
2 | 100/7 | 150.10/16 | 3 | 101/4
MPLS Operation - Summary
1. Standard routing protocols create routing table
2. Label distribution protocol creates and distributes <IP-prefix, label> mappings
3. Ingress edge LSR receives IP packet, classifies it and imposes label
4. Core LSRs switch packets only using label switching without inspecting IP headers
5. Egress edge LSR disposes label and forwards packet according to IP routing table
MPLS Applications
IP header and forwarding decision decoupling allows for
better flexibility and new applications
Some Popular MPLS Applications
• BGP-Free core
• 6PE/6VPE
• Carrier Supporting Carrier
• MPLS Traffic engineering
• MPLS VPN
• Integration of IP and ATM
• or with other connection-oriented network
Integration of IP and ATM
• IP routing tightly integrated with multipurpose ATM
backbone using MPLS
• ATM routing protocols like PNNI and signalling protocols
for SVCs are not necessary
• Eliminates complex technologies to map between IP
and ATM routing information and addressing
• no need for solutions like LANE, CLIP, NHRP and MPOA
based on emulation of classical LAN/WAN technologies
over ATM
• ATM infrastructure may be fully utilized
• not as with overlay model
BGP-Free Core
• Design of transit AS without BGP running on transit (internal) routers
• BGP sessions between PE routers only
  • full mesh or using route reflector(s)
• P routers know only routes to networks in the core
  • including PE loopback interfaces
• LDP creates LSPs into individual networks in the core (including PEs' loopbacks)
• PEs' loopbacks are used as next hops of BGP routes passed between PE routers
6PE (1)
• Interconnection of IPv6 islands over MPLS non-IPv6-aware core
• PE routers have to support both IPv6 and IPv4, but P routers do not need to be upgraded (can be MPLS + IPv4 only)
• Outer label identifies destination PE router (IPv4 BGP next hop), inner label identifies particular IPv6 route
  • Inner label serves as 'index' into egress PE's IPv6 routing table
• IPv6 prefixes plus associated (inner) labels are passed between PE routers through MP-BGP (using TCP/IPv4)
  • Inner label needed because of PHP
  • Not unique per-route, but one of 16 reserved labels is chosen
    • single reserved value is not enough because of load balancing
6PE (2)
• BGP Next Hop attribute is the IPv4-mapped IPv6 address of egress 6PE router
• Only LDP for IPv4 is required
  • LDP for IPv6 not implemented yet
• Does not support multicast traffic
• Only proposed standard – RFC 4798 (Cisco, 2007), but implemented by multiple vendors
• See http://www.netmode.ntua.gr/Presentations/6PE%20-%20IPv6%20ov for further details
6VPE
• VRF-aware 6PE
• Allows to build MPLS IPv6 VPNs on IPv4-only MPLS core
• See http://sites.google.com/site/amitsciscozone/home/important-tips/mpls-wiki/6vpe-ipv6-overmpls-vpn for configuration example (Cisco)
Carrier Supporting Carrier (1)
• Hierarchical application of label switching concept
• An MPLS super-carrier provides connectivity between regions for other MPLS-based customer carriers
• Concept of MPLS VPN in super-carrier networks
  • CSC-P, CSC-PE, CSC-CE
• Customer carriers' regions may also implement MPLS VPN
  • or be pure IP networks
Carrier Supporting Carrier (2)
• Utilizes label stack with multiple labels
• sub-carrier's labels are untouched during transport
over super-carrier
• Customer carriers do not exchange their
customer's routes with super-carrier
• Just loopback interfaces of PE routers
MPLS Traffic Engineering
MPLS TE Goals
• Minimizes network congestion, improves network performance
• Spreads flows to multiple paths
  • i.e. diverges them from “shortest” path calculated by IGP
• More efficient network resource usage
MPLS TE Principle
• Originating LSR (headend) sets up a TE LSP to terminating LSR (tailend) through an explicitly specified path
  • defined by sequence of intermediate LSRs
  • either strict or loose explicit route
• LSP is calculated automatically using constraint-based routing or manually
  • using some sort of management tool in large networks
MPLS-TE Mechanisms
• Link information distribution
• Path computation
• LSP signalling
• RSVP-TE accomplishes label assignment during MPLS
tunnel creation
• signalling needed even if path calculation is performed
manually
• Selection of traffic that will take the TE-LSP
• by QoS class or another policy routing criteria
Link Information Distribution
• Utilizes extensions of OSPF or IS-IS to distribute links’ current states and attributes
  • OSPF LSA type 10 (opaque)
  • Maximum bandwidth, reservable bandwidth, available bandwidth, flags (aka attributes or colors), TE metric
• Constraint-based routing
  • Takes into account links’ current states and attributes when calculating routes
  • “Constraint-based SPF” calculation excludes links that do not comply with required LSP parameters
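Constraint-based SPF as the headend would run it on the flooded link attributes, as an added example that is not code from the slides. Links carry the attributes the slide lists (available bandwidth, colors, TE metric, IGP metric); the request's constraints prune links first and plain Dijkstra runs on what remains, so the TE path can differ from the IGP shortest path. The six-router topology and all attribute values are constructed.

```python
"""Constraint-based SPF over TE link attributes.

Added example, not from the slides. Links carry available bandwidth,
colors (affinity flags), TE metric and IGP metric; CSPF first prunes links
that violate the request's constraints and then runs SPF on what is left.
The topology and all values are constructed.
"""
import heapq

# (end A, end B, IGP metric, TE metric, available bandwidth in Mbps, colors)
LINKS = [
    ("R1", "R6", 5, 5, 1000, frozenset({"satellite"})),
    ("R6", "R4", 5, 5, 1000, frozenset({"satellite"})),
    ("R1", "R2", 10, 10, 200, frozenset()),
    ("R2", "R4", 10, 10, 50, frozenset()),
    ("R1", "R3", 15, 15, 500, frozenset()),
    ("R3", "R4", 15, 15, 500, frozenset()),
]


def prune(links, bandwidth, exclude_colors=frozenset(), include_any=frozenset()):
    """Keep only links that satisfy the LSP's constraints."""
    kept = []
    for a, b, igp, te, avail, colors in links:
        if avail < bandwidth:
            continue                      # not enough reservable bandwidth
        if colors & exclude_colors:
            continue                      # link carries an excluded attribute
        if include_any and not (colors & include_any):
            continue                      # link lacks every required attribute
        kept.append((a, b, igp, te, avail, colors))
    return kept


def spf(links, src, dst, metric="te"):
    """Dijkstra on the chosen metric; returns (path, cost) or (None, None)."""
    idx = 3 if metric == "te" else 2
    adj = {}
    for link in links:                    # links are bidirectional
        a, b, cost = link[0], link[1], link[idx]
        adj.setdefault(a, []).append((b, cost))
        adj.setdefault(b, []).append((a, cost))
    dist, prev = {src: 0}, {}
    heap = [(0, src)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist.get(node, float("inf")):
            continue
        if node == dst:
            break
        for nbr, cost in adj.get(node, []):
            nd = d + cost
            if nd < dist.get(nbr, float("inf")):
                dist[nbr], prev[nbr] = nd, node
                heapq.heappush(heap, (nd, nbr))
    if dst not in dist:
        return None, None                 # no path satisfies the constraints
    path, node = [], dst
    while node != src:
        path.append(node)
        node = prev[node]
    path.append(src)
    return path[::-1], dist[dst]


def cspf(links, src, dst, bandwidth, exclude_colors=frozenset(), include_any=frozenset()):
    """Path computation for one TE LSP request at the headend."""
    return spf(prune(links, bandwidth, exclude_colors, include_any), src, dst, "te")


if __name__ == "__main__":
    print("IGP shortest path:", spf(LINKS, "R1", "R4", "igp"))
    print("TE LSP, 100 Mbps, no satellite links:",
          cspf(LINKS, "R1", "R4", 100, exclude_colors={"satellite"}))
```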
RSVP Signalling
• Resource reSerVation Protocol (RFC 2205) was originally developed in connection with IntServ, but should be understood as completely independent signalling protocol
• Reserves resources for unidirectional (unicast/multicast) L4 flows
  • soft-state
• May be used with MPLS/TE to signal DiffServ QoS PHB over the path
RSVP Messages
• Message Header (message type)
  • Resv, Path, ResvConfirm, ResvTeardown, PathTeardown, PathErr, ResvErr
• Variable number of objects of various classes
  • including sub-objects
• Support for message authentication and integrity check
Basic RSVP Operation
• PATH message travels from sender to receiver(s)
• allows intermediate nodes to build soft-state information
regarding particular session
• includes flow characteristics (flowspec)
• RESV message travels from receiver interested in
resource reservation towards the sender
• actually causes reservation of intermediate nodes'
resources
• provides labels to upstream routers
• Soft state has to be periodically renewed
LSP Preemption
• Support for creation of LSPs of different priorities with preemption option
  • setup and holding priority
    • setup priority is compared with holding priority of existing LSPs
    • 0 (best) – 7 (worst)
• Preemption modes
  • Hard – just tears preempted LSP down
  • Soft – signals pending preemption to the headend of existing LSP to give it an opportunity to reroute traffic
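Admission of LSPs on a single link with setup and holding priorities, as an added example that is not code from the slides. It shows the comparison the slide describes (setup priority of the new LSP against the holding priorities of the existing ones, 0 best and 7 worst), the weakest-first choice of victims, and the difference between hard and soft preemption. Link capacity, LSP names and bandwidths are constructed; in soft mode the model only records which headends were signalled.

```python
"""LSP admission with setup/holding priorities and preemption on one link.

Added example, not from the slides. Priorities are 0 (best) to 7 (worst);
an LSP's setup priority is compared with the holding priority of LSPs
already on the link. Link capacity and LSP names are constructed.
"""


class TELink:
    def __init__(self, capacity_mbps):
        self.capacity = capacity_mbps
        self.lsps = {}            # name -> (bandwidth, holding priority)
        self.soft_preempted = []  # LSPs whose headend was told to reroute (soft mode)

    def reservable(self, setup_priority):
        """Bandwidth available to an LSP of this setup priority: the capacity
        minus everything held by LSPs it may not preempt (holding <= setup)."""
        held = sum(bw for bw, hold in self.lsps.values() if hold <= setup_priority)
        return self.capacity - held

    def admit(self, name, bandwidth, setup_priority, holding_priority, mode="hard"):
        """Try to place an LSP; return (admitted, names of preempted LSPs)."""
        for p in (setup_priority, holding_priority):
            if not 0 <= p <= 7:
                raise ValueError("priorities are 0 (best) .. 7 (worst)")
        if holding_priority > setup_priority:
            # An LSP must hold at least as strongly as it sets up, otherwise two
            # LSPs could keep preempting each other.
            raise ValueError("holding priority must be at least as good as setup priority")
        if bandwidth > self.reservable(setup_priority):
            return False, []            # even preempting every weaker LSP would not help
        preempted = []
        free = self.capacity - sum(bw for bw, _ in self.lsps.values())
        # Preempt the weakest (numerically highest holding priority) LSPs first.
        victims = sorted((hold, n) for n, (bw, hold) in self.lsps.items() if hold > setup_priority)
        while free < bandwidth and victims:
            _, victim = victims.pop()
            bw, _ = self.lsps.pop(victim)
            free += bw
            preempted.append(victim)
            if mode == "soft":
                self.soft_preempted.append(victim)   # headend signalled, may reroute first
            # mode == "hard": the preempted LSP is simply torn down
        self.lsps[name] = (bandwidth, holding_priority)
        return True, preempted


def demo(mode):
    """Three admissions on a constructed 100 Mbps link."""
    link = TELink(100)
    results = [link.admit("A", 60, 7, 7, mode)]
    results.append(link.admit("B", 60, 3, 3, mode))   # better priority: preempts A
    results.append(link.admit("C", 50, 5, 5, mode))   # cannot preempt B (holding 3): rejected
    return results, sorted(link.lsps), list(link.soft_preempted)


if __name__ == "__main__":
    print("hard:", demo("hard"))
    print("soft:", demo("soft"))
```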
LSP Path Calculation in Multiarea Environment
• Splitting network into multiple areas limits state information flooding
• Headend specifies path to route LSP setup requests using list of ABRs
  • loose routing
• Each ABR calculates and reserves path over connected area and requests another ABR on the path to take care of next section
Fast Reroute
• In case of node or link failure, backup LSP may be automatically initiated (in tens of milliseconds)
• Fast Reroute option must be requested during LSP setup
• Global or Local restoration
Fast Reroute - Global restoration
• New LSP is set up by headend
• LSP failure is signalled to the headend by PathErr
RSVP message
• Headend has the most complete routing constraints
information to establish a new LSP
Fast Reroute - Local restoration
• “Detour” LSP around failed link/node
• LSR that detected the failure (called Point of Local Repair) starts to use alternative LSP
  • Detour LSPs are manually preconfigured or precalculated dynamically by Point of Local Repair and pre-signalled
• “Detour” joins back the original LSP at the Merge Point
  • i.e. at next hop for link protection, next-next hop for node protection
• Facility Backup (commonly used) – double labeling is used on detour path
  • external tag is dropped before packet enters Merge Point
  • packets arrive at the Merge Point with the same label as they would if they came along original LSP
• One-to-One backup
  • does not use label stacking
  • Each LSP has its own backup path
MPLS and Diffserv
• LSR uses the same mechanism as traditional router to implement different Per-Hop Behaviors (PHBs)
• 2 types of LSPs (may coexist on single network):
  • EXP-inferred LSPs (mostly used)
    • can transport multiple traffic classes simultaneously
    • EXP bits in shim header used to hold DSCP value
    • Map between EXP and PHB signaled during LSP setup
      • extension of LDP and RSVP (new TLV defined)
  • Label-inferred LSPs
    • can transport just one traffic class
    • Fixed mapping of <DSCP, EXP> to PHB standardized
Diffserv Tunneling over MPLS
There are two markings of the packet (EXP,
DSCP). There are different models to handle
interaction between multiple markings.
• Pipe model
• transfers inside DSCP marking untouched
• useful for interconnection of two Diffserv domains
using MPLS
• Uniform Model
• makes LSP an extension of DiffServ domain
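The two tunneling models on an EXP-inferred LSP, as an added example that is not code from the slides. The customer's DSCP and the provider's EXP are the two markings; the functions show what the ingress writes into EXP and what DSCP leaves the domain at the egress when the core has remarked EXP on the way. The DSCP-to-EXP map (class selector, i.e. the top three DSCP bits) and the rule that the uniform egress rewrites only those three bits are assumptions, common defaults rather than anything the slide specifies.

```python
"""Pipe versus uniform DiffServ tunneling over an EXP-inferred LSP.

Added example, not from the slides. A packet's DSCP is marked by the
customer; the provider core may remark EXP (e.g. by a policer). The
DSCP-to-EXP map used here (top three DSCP bits) is an assumption.
"""


def dscp_to_exp(dscp):
    return (dscp >> 3) & 0x7        # assumed map: class selector bits of the DSCP


def ingress(packet, model, provider_exp=None):
    """Impose the label; set EXP depending on the tunneling model."""
    if model == "uniform":
        exp = dscp_to_exp(packet["dscp"])      # LSP is an extension of the DiffServ domain
    elif model == "pipe":
        if provider_exp is None:
            raise ValueError("pipe model needs the provider's own EXP marking")
        exp = provider_exp                      # provider policy decides, DSCP is left alone
    else:
        raise ValueError("model must be 'pipe' or 'uniform'")
    return dict(packet, exp=exp)


def egress(packet, model):
    """Dispose the label; decide what DSCP leaves the MPLS domain."""
    out = dict(packet)
    exp = out.pop("exp")
    if model == "uniform":
        # Core remarking propagates into the customer's DSCP: only the three
        # precedence bits are rewritten (assumption), the drop-precedence bits stay.
        out["dscp"] = (exp << 3) | (out["dscp"] & 0x7)
    # pipe: inner DSCP is transferred untouched; EXP only selected the PHB inside
    out["phb_exp"] = exp                        # PHB value seen on the last hop
    return out


def transit(dscp, model, core_remark_exp=None, provider_exp=None):
    """Carry a packet across the domain; return (DSCP at egress, EXP as last seen)."""
    labeled = ingress({"dscp": dscp}, model, provider_exp)
    if core_remark_exp is not None:
        labeled["exp"] = core_remark_exp        # e.g. demoted by a core LSR policer
    out = egress(labeled, model)
    return out["dscp"], out["phb_exp"]


if __name__ == "__main__":
    # Constructed EF packet (DSCP 46) demoted to EXP 1 inside the core.
    print("uniform:", transit(46, "uniform", core_remark_exp=1))
    print("pipe:   ", transit(46, "pipe", core_remark_exp=1, provider_exp=4))
```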
MPLS VPNs
VPN Implementation Options
Solution to implement potentially overlapping address spaces of independent customers:
• Overlay model
  • Infrastructure provides tunnels between CPE routers
    • FR/ATM virtual circuits, IP tunnels (GRE, IPSec, …)
• Peer-to-peer model
  • Provider edge router exchanges routing information with customer edge router
  • Customer routes in service provider’s IGP
    • Need to solve VPN separation and overlapping customer addressing
      • traditionally by complicated filtering
  • Optimal routing between customer sites through shared infrastructure
    • data don’t need to follow tunnel paths
MPLS VPN Basic Principles
• MPLS helps to separate traffic from different VPNs without usage of overlay model tunneling techniques
• Routes from different VPNs kept separated, multiple routing tables implemented at edge routers (one for each VPN)
• Uses MPLS label stack: outer label identifies egress edge router, inner label identifies VPN
  • single route in particular VPN
• To allow propagation of IP prefixes from all VPNs to the core, potentially overlapping addresses of separated VPNs are made unique with Route Distinguisher (different for every VPN)
  • Those “IP-VPN” (VPNv4) addresses are propagated between PE routers using extended BGP (Multiprotocol BGP, MP-BGP)
    • New address family: VPNv4 address = RD + IPv4 address
  • MP-BGP also distributes (inner) labels identifying particular route in target VRF at egress edge router (using BGP attributes)
MPLS VPN advantages
• Integrates advantages of overlay and peer-to-peer model
  • Overlay model advantages:
    • security and customer isolation
  • Peer-to-peer model advantages:
    • routing optimality
• Simplicity of new CPEs addition
MPLS VPN Implementation
• VPN defined as set of sites sharing the same routing information
• Site may belong to multiple VPNs
• Multiple sites (from different VPNs) may be connected to the same PE router
• PE routers maintain only routes for connected VPNs and backbone routes needed to reach other PEs
  • Increases scalability
  • Decreases performance requirements of PE router
• Utilizes MPLS label stack
  • Inner label identifies VPN
  • Outer label identifies egress LSR
• PE router uses IP at customer network interface(s) and MPLS at backbone interfaces
• Backbone (P routers) uses only label switching
  • IGP routing protocol used only to establish optimal label switched paths
Routing information exchange
• P-P and P-PE routers
• Using IGP
• Needed to determine paths between PEs over MPLS
backbone
• PE-PE routers (non-adjacent)
• Using MP-iBGP sessions
• Needed to exchange routing information between
routing tables for particular VPN (VRFs)
• commonly between VRFs of the same VPN
Routing information in PE routers
PE routers maintain multiple separated routing tables
• Global routing table – filled with backbone routes
(from IGP)
• allows to reach other PE routers
• VRF (VPN routing & forwarding)
• Separate routing tables for individual VPNs
• Every router interface assigned to a single VRF
• VRF instance can be seen as virtual router
VPN routing and forwarding
Figure: a PE router holding two VRFs, VRF A for VPN A and VRF B for VPN B, each attached to its own CE routers (VPN A CE, VPN B CE), connected through a P router of the MPLS domain to a remote PE with the same two VRFs. VRF = virtual router.
VRF usage
Figure: a packet from a VPN A CE enters the PE and is forwarded through VRF A, across the P router, to VRF A on the remote PE and on to a VPN A CE; VPN B CEs attached to VRF B share the same PE and P routers.
MPLS VPN example
Figure: two sites, TACHOV and OSTRAVA, with PE routers I-PE and J-PE connected through P router G-P in the MPLS core over links 1.0.0.0/24 and 2.0.0.0/24 (I-PE S0 – G-P S1/1, G-P S1/0 – J-PE S0). At I-PE, Customer A (10.0.0.1/24) is attached on e0 and Customer B (10.0.1.1/24) on e1; at J-PE, Customer B (10.0.0.1/24) is attached on e0 and Customer A (10.0.2.1/24) on e1, so the prefix 10.0.0.0/24 is used by both customers.
VPN Route Distinguishing and
Exchange Between PEs
OSTRAVA
TACHOV
RD 100:1
RT 100:10
RD 100:2
RT 100:20
VRF
CustomerB-J
VRF
CustomerA-I
10.0.0.1/24
10.0.1.1/24
MP-BGP
Customer A
S0
I-PE
Customer B
2.0.0.0/24
1.0.0.0/24
e0
e1
10.0.0.1/24
lo0 .1
3.0.0.1/32
S1/1
S1/0
.2
G-P
.1
MPLS Core
IGP (OSPF, IS-IS, …)
e0
Customer B
S0
J-PE
.2 lo0
3.0.0.2/32
VRF
CustomerB-I
RD 100:2
RT 100:20
© 2005 Petr Grygarek, Advanced Computer Networks Technologies
e1
Customer A
10.0.2.1/24
VRF
CustomerA-J
RD 100:1
RT 100:10
70
PE-to-PE VPN Route Propagation
• PE router exports information from VRF to MP-BGP
  • prefix uniqueness ensured using Route Distinguisher (64-bit ID)
    • VPN-v4 prefix = RD + IPv4 prefix
  • Route exported with source VRF ID (route target)
• Multiprotocol (MP) iBGP session between PE routers over MPLS backbone (P routers)
  • Full mesh (route reflectors often used)
  • Propagates VPNv4 routes
  • BGP attributes identify site-of-origin and route target
• Opposite PE router imports information from MP-BGP into VRF
  • routes imported into particular VRFs according to BGP Route Target attribute values
MPLS VPN BGP attributes
• Site of Origin (SOO)
  • Identifies site where the route originated from
  • avoids loops
• Route Target
  • Identifies source VRF
  • Each VRF may configure which RT(s) it imports
Customer route advertisement from PE router (MP-BGP)
• PE router assigns RT, RD based on source VRF and SOO
• PE router assigns VPN (MPLS) label
  • Identifies particular VPN route (in VPN site’s routing table)
  • Used as second label in the label stack
    • Top-of-stack label identifies egress PE router
• Route’s next-hop rewritten to advertising PE router loopback interface
• MP-iBGP update sent to other PE routers
CE to PE routing information exchange
• CE router always exchanges routes with VRF
assigned to interface connecting that CE router
• IGP (RIPv2,OSPF)
• External BGP
• Static routing or directly connected networks
• Multiple instances of routing process (for every VRF)
are running on PE router
• or separated routing contexts in single routing process
Overlapping of VPNs
• Site (VRF) may belong to multiple VPNs provided that there is no address overlap
  • Useful for shared server farms, extranets, ISPs etc.
  • Multiple RT imports configured for particular VRF
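The PE-to-PE route propagation of the last few slides (RD making overlapping prefixes unique, the VPN label carried with the VPNv4 route, RT-based import into VRFs) together with the overlap caveat of this slide, as one added example that is not code from the slides. The topology follows the example slides: I-PE (loopback 3.0.0.1) and J-PE (3.0.0.2), Customer A with RD 100:1 / RT 100:10 and Customer B with RD 100:2 / RT 100:20, and 10.0.0.0/24 used by both customers. A third PE K-PE (3.0.0.3) with a shared VRF importing both route targets is constructed to show what happens when an extranet VRF imports two VPNs whose addresses overlap. MP-BGP transport is replaced by passing update dictionaries, and one VPN label per VRF is assumed.

```python
"""Route Distinguishers and Route Targets between PE routers over MP-BGP.

Added example, not from the slides, modelled on their topology. K-PE and
its shared VRF are constructed additions; MP-BGP transport is simplified
to lists of update dictionaries and one VPN label per VRF is assumed.
"""


class VRF:
    def __init__(self, name, rd, export_rts, import_rts):
        self.name, self.rd = name, rd
        self.export_rts, self.import_rts = set(export_rts), set(import_rts)
        self.local_routes = []      # prefixes learned from attached CEs
        self.remote_routes = {}     # prefix -> (egress PE loopback, VPN label, RD)
        self.conflicts = []         # (prefix, RD already installed, RD of the new route)


class PE:
    def __init__(self, name, loopback):
        self.name, self.loopback = name, loopback
        self.vrfs = {}
        self.labels = {}            # VRF name -> VPN label (one per VRF, an assumption)
        self._next_label = 16       # 0..15 are reserved label values

    def add_vrf(self, vrf):
        self.vrfs[vrf.name] = vrf
        self.labels[vrf.name] = self._next_label
        self._next_label += 1

    def export_vpnv4(self):
        """MP-BGP updates for every local VRF route: the RD makes the prefix
        unique, the next hop is this PE's loopback, the label selects the VRF."""
        updates = []
        for vrf in self.vrfs.values():
            for prefix in vrf.local_routes:
                updates.append({
                    "vpnv4": f"{vrf.rd}:{prefix}",
                    "rd": vrf.rd, "prefix": prefix,
                    "next_hop": self.loopback,
                    "label": self.labels[vrf.name],
                    "rt": set(vrf.export_rts),
                })
        return updates

    def import_vpnv4(self, updates):
        """Install each update into every VRF whose import RTs match."""
        for upd in updates:
            if upd["next_hop"] == self.loopback:
                continue                            # own advertisement
            for vrf in self.vrfs.values():
                if not (vrf.import_rts & upd["rt"]):
                    continue
                existing = vrf.remote_routes.get(upd["prefix"])
                if existing is not None and existing[2] != upd["rd"]:
                    # Same IPv4 prefix from a different RD: the overlap the slide warns about.
                    vrf.conflicts.append((upd["prefix"], existing[2], upd["rd"]))
                    continue                        # keep the first, record the clash
                vrf.remote_routes[upd["prefix"]] = (upd["next_hop"], upd["label"], upd["rd"])


def build_example():
    ipe, jpe, kpe = PE("I-PE", "3.0.0.1"), PE("J-PE", "3.0.0.2"), PE("K-PE", "3.0.0.3")
    ipe.add_vrf(VRF("CustomerA-I", "100:1", ["100:10"], ["100:10"]))
    ipe.add_vrf(VRF("CustomerB-I", "100:2", ["100:20"], ["100:20"]))
    jpe.add_vrf(VRF("CustomerA-J", "100:1", ["100:10"], ["100:10"]))
    jpe.add_vrf(VRF("CustomerB-J", "100:2", ["100:20"], ["100:20"]))
    kpe.add_vrf(VRF("Shared-K", "100:3", ["100:30"], ["100:10", "100:20"]))  # extranet VRF
    ipe.vrfs["CustomerA-I"].local_routes.append("10.0.0.0/24")
    ipe.vrfs["CustomerB-I"].local_routes.append("10.0.1.0/24")
    jpe.vrfs["CustomerA-J"].local_routes.append("10.0.2.0/24")
    jpe.vrfs["CustomerB-J"].local_routes.append("10.0.0.0/24")   # same prefix as Customer A
    updates = ipe.export_vpnv4() + jpe.export_vpnv4()             # full-mesh MP-iBGP, simplified
    for pe in (ipe, jpe, kpe):
        pe.import_vpnv4(updates)
    return ipe, jpe, kpe, updates


if __name__ == "__main__":
    ipe, jpe, kpe, updates = build_example()
    print([u["vpnv4"] for u in updates])
    print(jpe.vrfs["CustomerA-J"].remote_routes, kpe.vrfs["Shared-K"].conflicts)
```

The two 10.0.0.0/24 routes stay apart as VPNv4 prefixes 100:1:10.0.0.0/24 and 100:2:10.0.0.0/24 and land only in the customer VRFs with the matching RT; the shared VRF, which imports both RTs, receives both and has to flag the second one, which is why the slide makes the absence of address overlap a precondition.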
Overlapping VPNs example
Figure: the same topology (sites OSTRAVA and TACHOV, PE routers I-PE with lo0 3.0.0.1/32 and J-PE with lo0 3.0.0.2/32, P router G-P, core links 1.0.0.0/24 and 2.0.0.0/24) with per-site route targets: VRF CustomerA-I has RD 100:1, RT 100:11; VRF CustomerB-I has RD 100:2, RT 100:21; VRF CustomerA-J has RD 100:1, RT 100:12; VRF CustomerB-J has RD 100:2, RT 100:22. Customer networks: Customer A 10.0.0.1/24 at I-PE (e0) and 10.0.2.1/24 at J-PE (e1); Customer B 10.0.1.1/24 at I-PE (e1) and 10.0.0.1/24 at J-PE (e0).