On MPLS

MPLS-VPN

Mind map

· MPLS VPN origin
· VPN terminology

1. The origin of MPLS VPN

The advantage of MPLS in speeding up data forwarding has gradually faded, but its support for nesting multiple layers of labels and its separation of the control plane from forwarding inside a device have made it widely used in newer applications such as VPN.
Traditional VPNs have inherent defects that leave many customer networking requirements unmet. MPLS VPN combines the two traditional VPN models and has driven the development of VPN technology.

2. VPN-specific terminology

Customer network devices
· RTA, RTB, RTF and RTG, the customer devices that connect to the operator's network, are called CE (Customer Edge) devices

Operator network devices
· RTC and RTE, the operator devices directly connected to customer equipment, are called PE (Provider Edge) devices
· RTD, a backbone device inside the operator's network, is called a P (Provider) device

3. MP-BGP technology (multi-protocol BGP)

1. Definition: MP-BGP is BGP with the VPNv4 address family enabled; it is used to exchange private-network (VPN) routes across the MPLS network

2. The difference between BGP and MP-BGP
· Message format
A BGP Update message consists of the following three parts
(1) Unfeasible (withdrawn) routes: previously advertised routes that are no longer valid
(2) Path attributes: attributes of the routing information that BGP uses for route control and decision-making, such as Local_Pref and MED
(3) NLRI (Network Layer Reachability Information): the routing information itself, consisting of one or more IPv4 address prefixes

MP-BGP differs from BGP in that the routing update information has been changed. The changes are the following three
(1) The MP_REACH_NLRI attribute replaces the NLRI field and the Next_Hop attribute of the original BGP Update message
(2) The MP_UNREACH_NLRI attribute replaces the Withdrawn Routes field of the original BGP Update message
(3) A new Extended Communities attribute is added to the BGP path attributes

Note: the address prefix carried in MP_REACH_NLRI is a VPNv4 address (RD + IPv4 address), and it also carries the inner MPLS label corresponding to that IPv4 prefix
3. Why BGP was chosen to carry VPN routes:
(1) It can carry a large amount of routing information
(2) BGP community attributes can be extended
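Encoding of the VPNv4 NLRI described in the note above, as an added example that is not code from the original post. It follows the RFC 4364 layout (length in bits, a 3-byte label stack entry, an 8-byte type-0 RD, then the prefix octets); the label 16 and RD 1:100 are constructed sample values.

```python
# Added example (not from the original post): encode and decode one VPNv4 NLRI
# entry as carried in MP_REACH_NLRI, following the RFC 4364 layout: a length in
# bits, a 3-byte label stack entry, an 8-byte Route Distinguisher, then the
# IPv4 prefix octets. Sample values (label 16, RD 1:100) are constructed.
import ipaddress
import struct

def encode_rd(asn: int, assigned: int) -> bytes:
    """Type 0 RD: 2-byte type, 2-byte ASN, 4-byte assigned number (e.g. 1:100)."""
    return struct.pack("!HHI", 0, asn, assigned)

def encode_vpnv4_nlri(label: int, rd: bytes, prefix: str) -> bytes:
    net = ipaddress.IPv4Network(prefix)
    # Label stack entry: 20-bit label, 3 EXP bits (0), bottom-of-stack bit set,
    # since the VPN label is the inner label directly above the IP packet.
    lse = ((label << 4) | 1).to_bytes(3, "big")
    plen_octets = (net.prefixlen + 7) // 8
    body = lse + rd + net.network_address.packed[:plen_octets]
    # The length field counts label + RD + prefix bits, not just the prefix.
    return bytes([24 + 64 + net.prefixlen]) + body

def decode_vpnv4_nlri(data: bytes) -> dict:
    """Reverse of encode_vpnv4_nlri for a single entry."""
    lse = int.from_bytes(data[1:4], "big")
    _rd_type, asn, assigned = struct.unpack("!HHI", data[4:12])
    prefixlen = data[0] - 88          # strip the 24 label + 64 RD bits
    plen_octets = (prefixlen + 7) // 8
    octets = data[12:12 + plen_octets] + b"\x00" * (4 - plen_octets)
    return {
        "label": lse >> 4,
        "bos": lse & 1,
        "rd": f"{asn}:{assigned}",
        "prefix": f"{ipaddress.IPv4Address(octets)}/{prefixlen}",
    }
```

The same IPv4 prefix with two different RDs produces two distinct NLRI entries, which is exactly how overlapping customer address space survives in one MP-BGP table.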

4. Problems of traditional VPN solved by MPLS

The problems solved by MPLS are mainly those caused by overlapping address spaces
1. Local routing conflicts
Problem description:
To reduce cost, an operator will not configure a separate PE device for each customer; several customers share one PE. This raises a problem: if two customers use the same network segment, how does the PE device distinguish the segments belonging to different customers?

Solution:
Use VRF (Virtual Routing and Forwarding) to keep the overlapping routes in separate routing instances. Each VPN's routes are placed in their own VPN routing table, isolated from the others.

2. How to distinguish conflicting routes during transmission across the network
Problem description:
Although the customers' routing tables are isolated, when the PE needs to send routing information to the peer PE, how can the routes be told apart?

Solution:
Add a new parameter, the RD (Route Distinguisher), to distinguish conflicting private-network routes. This requires the VPNv4 address family of MP-BGP: the RD combined with the IPv4 address forms a new identifier, the VPNv4 address

3. How the receiving end decides which VPN routing table a route should be imported into
Problem description:
The receiving end may receive the same private-network routes from different VPNs. Although the RD distinguishes them, the RD is only attached by the sending end to mark outgoing routes; it is meaningful only on the local router and cannot tell the remote end which VPN routing table a route should be imported into.

Solution:
Use the MP-BGP extended community attribute Route Target (RT). RT consists of two parts, an import RT and an export RT; the export RT of the sending end must match the import RT of the receiving end for the route to be accepted at the far end

4. Looking up conflicting routes during data forwarding
Problem description:
When an IP packet reaches the edge of the MPLS network it carries no identifier, so the PE does not know which VPN routing table to search for the correct destination address

Solution:
Use MPLS label nesting (a label stack). When a packet enters the PE, the PE first looks up the VRF table and, according to the matching VRF route (the route to the peer VPN's internal network) and the LFIB, pushes an MPLS header. This is the inner MPLS header, the label used to communicate with the remote private network. After the inner label is pushed, the PE looks up the public-network routing table and pushes a second MPLS header according to the public-network LFIB. The packet is forwarded across the public network until it reaches the remote PE. There the outer label is popped, then the inner label is popped after lookup, the corresponding VRF table is consulted, and the data is forwarded according to that VRF table.

Summary of VRF, RD, RT and label
VRF: a separate routing-table instance created for each VPN; isolates customers from each other
RD: attached to the IPv4 routes advertised locally to form VPNv4 addresses, so that overlapping routes can be identified; significant only locally
RT: identifies which routing entries a VRF accepts
Label: used for data forwarding

5. Analysis of the MPLS VPN working process

The working process of MPLS can be divided into two parts
· The transmission process of MPLS VPN route
· The forwarding process of MPLS VPN data

1. Route exchange between CE and PE
CE and PE can exchange routes via static routes or via dynamic routing protocols (RIP, OSPF, etc.), building the VRF routing table

2. Injection of VPN routes into MP-BGP
RD, RT and labels are added to the IPv4 routes in the VRF to form VPN-IPv4 routes in the MP-BGP routing table; these routes are then exchanged between PE devices through MP-BGP

3. Injection of MP-BGP routes into the VPN
After receiving a VPNv4 route from the peer PE, the PE checks the route's extended community attribute and compares the Export Target value it carries with the Import Target value of the local VPN. If they match, the route is imported into that VPN routing table, which ensures routes are imported correctly
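A small model of the route exchange described in sections 4 and 5 (the RD keeps overlapping prefixes apart in the MP-BGP table, the RT decides which VRF imports each route), as an added example that is not code from the original post. VRF names, RD/RT values, labels and the PE address are constructed; the third VRF on the remote PE deliberately imports the wrong RT to show how a route leaks between customers.

```python
# Added example (not from the original post): a model of the route exchange in
# sections 4 and 5. Two customers both use 10.1.1.0/24; the RD keeps the two
# routes apart in the MP-BGP table, and the RT decides which VRF imports each.
from dataclasses import dataclass, field

@dataclass
class Vrf:
    name: str
    rd: str
    export_rt: set
    import_rt: set
    routes: dict = field(default_factory=dict)  # IPv4 prefix -> CE next hop

@dataclass(frozen=True)
class Vpnv4Route:
    rd: str            # RD + prefix is the VPNv4 address
    prefix: str
    rts: frozenset     # Route Targets carried in the extended community
    label: int         # VPN (inner) label allocated by the advertising PE
    next_hop: str      # loopback of the advertising PE

def export_vrfs(vrfs, pe_loopback, base_label=16):
    """Step 2: VRF IPv4 routes become VPN-IPv4 routes with RD, RT and label."""
    table = []
    for i, vrf in enumerate(vrfs):
        for prefix in vrf.routes:
            table.append(Vpnv4Route(vrf.rd, prefix, frozenset(vrf.export_rt),
                                    base_label + i, pe_loopback))
    return table

def import_routes(vpnv4_table, vrfs):
    """Step 3: a VRF installs a route only if an export RT matches its import RT."""
    imported = {vrf.name: {} for vrf in vrfs}
    for route in vpnv4_table:
        for vrf in vrfs:
            if route.rts & vrf.import_rt:
                imported[vrf.name][route.prefix] = (route.next_hop, route.label)
    return imported

def demo():
    pe1 = [Vrf("CUST_A", "1:100", {"1:100"}, {"1:100"}, {"10.1.1.0/24": "CE-A"}),
           Vrf("CUST_B", "1:200", {"1:200"}, {"1:200"}, {"10.1.1.0/24": "CE-B"})]
    table = export_vrfs(pe1, "2.2.2.2")
    # Remote PE: same two customers, and a third VRF that wrongly imports 1:100.
    pe2 = [Vrf("CUST_A", "1:100", {"1:100"}, {"1:100"}),
           Vrf("CUST_B", "1:200", {"1:200"}, {"1:200"}),
           Vrf("CUST_C", "1:300", {"1:300"}, {"1:300", "1:100"})]
    return table, import_routes(table, pe2)
```

Note that CUST_C receives CUST_A's route purely because of its import RT, so auditing route-target import statements is how one checks VPN isolation on a PE.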

6. MPLS-VPN configuration

Configuration outline
· Build the MPLS environment
· Configure the PE-PE peer relationship
· Create the VRF on the PE
· Route exchange on the PE-CE side

1. Configure MP-BGP between the PE routers
Prerequisite: IGP reachability between the PEs
· MP-BGP neighbor configuration
neighbor <peer> remote-as <as> (router BGP mode)

· Configure the BGP VPNv4 address family
address-family vpnv4 (router BGP mode): enter the VPNv4 address family
neighbor <peer> activate (address-family mode): by default only IPv4 routes are exchanged with a neighbor; this command allows VPNv4 routes to be advertised to it
Extended community attributes must also be enabled for sending in the VPNv4 address family; they are not sent by default

· View VPNv4 routes
show bgp vpnv4 unicast all (privileged mode; prefixed with do from configuration mode)

2. Define the VRF on the PE router
· Create and enter the VRF
ip vrf <name> (global configuration mode)

· Set the RD
rd 1:100 (VRF mode)

· Set the RT
route-target both 1:100 (VRF mode)

· Add an interface to the VRF
ip vrf forwarding <name> (interface mode)

· Configure the IP address: the address must be configured after the interface has been added to the VRF, otherwise it remains a global address
ip address <address> <mask> (interface mode)

· Ping a customer host from the PE
ping vrf <name> <address> (privileged mode)

· View the VRF routing table
show ip route vrf <name> (privileged mode)

3. Route exchange between PE and CE
· Configure a VRF static route
ip route vrf <name> <prefix> <mask> <next-hop> (global configuration mode)

· Redistribution in VRF mode
address-family ipv4 vrf <name> (router BGP mode): enter the VRF address family
redistribute connected | static (VRF address-family mode)

· Configure RIPv2 to exchange routes with the CE, in the RIP VRF address family
address-family ipv4 vrf <name> (router RIP mode)
network <prefix>
no auto-summary (VRF address-family mode)

· Redistribute RIP into BGP
address-family ipv4 vrf <name> (router BGP mode)
redistribute rip (VRF address-family mode)

· Redistribute BGP into RIP
address-family ipv4 vrf <name> (router RIP mode)
redistribute bgp <as> metric <metric> (VRF address-family mode)
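Added example, not from the original post: a small lint over an IOS-style PE configuration (constructed sample) for the two pitfalls noted in this section, the IP address configured before ip vrf forwarding, and a VPNv4 neighbor activated without neighbor <peer> send-community extended, the IOS command that enables sending extended communities.

```python
# Added example (not from the original post): lint an IOS-style PE config for two
# pitfalls the post notes: ip address configured before ip vrf forwarding (the
# address stays global) and a VPNv4 neighbor activated without send-community extended.
import re

SAMPLE_CONFIG = """\
ip vrf CUST_A
 rd 1:100
 route-target both 1:100
interface GigabitEthernet0/1
 ip address 10.1.1.1 255.255.255.0
 ip vrf forwarding CUST_A
router bgp 100
 neighbor 2.2.2.2 remote-as 100
 address-family vpnv4
  neighbor 2.2.2.2 activate
 exit-address-family
"""  # constructed sample; the interface and BGP blocks each contain one mistake

def blocks(config):
    """Yield (header, [indented child lines]) for each top-level config block."""
    header, children = None, []
    for line in config.splitlines():
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):
            if header:
                yield header, children
            header, children = line, []
        else:
            children.append(line.strip())
    if header:
        yield header, children

def lint(config):
    findings = []
    for header, body in blocks(config):
        first = lambda p: next((i for i, l in enumerate(body) if l.startswith(p)), None)
        if header.startswith("interface "):
            addr, vrf = first("ip address "), first("ip vrf forwarding ")
            if addr is not None and vrf is not None and addr < vrf:
                findings.append(f"{header.split()[1]}: ip address set before ip vrf forwarding")
        elif header.startswith("router bgp "):
            in_vpnv4, activated, extended = False, set(), set()
            for l in body:
                if l.startswith("address-family") or l == "exit-address-family":
                    in_vpnv4 = l == "address-family vpnv4"
                m = re.match(r"neighbor (\S+) (activate|send-community extended)$", l)
                if in_vpnv4 and m:
                    (activated if m.group(2) == "activate" else extended).add(m.group(1))
            for peer in sorted(activated - extended):
                findings.append(f"vpnv4 neighbor {peer}: send-community extended missing")
    return findings
```

Running lint(SAMPLE_CONFIG) reports both mistakes; swapping the two interface lines and adding the send-community line clears them.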

7. MPLS VPN advanced configuration examples and ideas
1. When there are many PEs in the ISP domain, configuring BGP neighbor relationships manually on every PE is too cumbersome. Use a route reflector together with a peer group.
Configuration notes:
(1) In VPNv4 mode, enable the reflection function on the RR and configure it not to reflect IPv4 information

2. Filter by RT on the RR
Configure an extended community list
ip extcommunity-list <number> {permit | deny} rt <value> (global mode)
bgp rr-group <list> (VPNv4 address-family mode)

3. Configure import maps and export maps
Whether customers can communicate is controlled entirely by RT; RD lets BGP distinguish customers' routing entries, and VRF lets the PE router distinguish different customers.
Import maps and export maps can import or export VRF routes conditionally.
An import map filters after all the routes have already been received; it is not RT filtering. A route rejected by it still appears in the VPNv4 routing table but is not installed in the VRF.
An export map acts mainly on the RT: it can change the RT value of outgoing advertisements, for example from 1:1 to another value.
Configuration steps and commands: configure a route-map with match ip address and set extcommunity rt 1:200, then apply it with import map / export map in VRF mode

4. When the CE's routing protocol is OSPF, the MPLS backbone acts as a super backbone area that connects the sites. If the OSPF process numbers on the PEs at the two ends differ, the routes imported at each end are displayed as external routes
· OSPF loop-prevention mechanism: route tag

5. When the CE's routing protocol is BGP
· Rewrite the autonomous system number: neighbor <peer> as-override

Source: blog.csdn.net/flat0809/article/details/97486836