The Ubiquitous MPLS Virtual Private Network in Life

1. Introduction

A VPN (Virtual Private Network) gives users a dedicated tunnel for sending data across a public network, providing both privacy and a dedicated path.

Related concepts

CE (Customer Edge): user equipment directly connected to the service provider. Under normal circumstances the CE does not "sense" the existence of the VPN and does not need to support MPLS.
PE (Provider Edge router): the edge router of the backbone network. It is connected to the CE and is mainly responsible for VPN service access. In an MPLS network, all VPN processing takes place on the PE, which places higher performance requirements on it.
P (Provider router): the core router of the backbone network, which mainly performs routing and fast forwarding. A P device only needs basic MPLS forwarding capability and does not maintain any VPN information.

VPN classification:

1. Overlay VPN mode: the service provider only provides logical dedicated channels; the customer edge routers exchange user routing information directly with each other.
   L2 VPN: realized through Layer 2 WAN technologies such as FR (Frame Relay) and ATM.
   L3 VPN: realized through Layer 3 tunnel technologies such as GRE and IPsec.
2. Peer-to-Peer VPN mode: user routing information is exchanged between the user router and the service provider router.

According to the type of routing information exchange, it is further divided as shown in the original figure (figure not reproduced here).

It can be simply understood as: an Overlay VPN is statically specified, while a Peer-to-Peer VPN is dynamically generated.

Reason

The essence of an Overlay VPN is a kind of "static" VPN, which is like static routing, so it has defects similar to those of static routing:

  • All configuration and deployment must be done manually. If a new node is added to a customer's VPN, the following tasks need to be completed:

    1. On the newly added node, establish tunnels and related routes to all N existing nodes.
    2. On each of the N existing nodes, establish a tunnel and related routes to the newly added node. With N customer sites, optimal routing requires N(N-1)/2 circuits in total.
  • Because it is a "static" VPN, it cannot reflect real-time changes in the network. Moreover, if the tunnels are established on the CE, they must be maintained by the user; if they are established on the PE, the address conflict problem cannot be resolved.

When frame relay or ATM provides customers with a virtual private network, the supplier does not participate in the customer's routing. The service provider is only responsible for providing customers with virtual point-to-point links used to transport customer data. Therefore, the service provider will only provide customers with virtual circuit connections at layer 2. This implementation is called the overlay model.

To address the drawbacks of the overlay model, the peer-to-peer model was developed. In the peer-to-peer model, routing information is exchanged between the customer and the service provider, and customer data is transported through the service provider's core along optimal paths. The customer's routing information is advertised between the service provider network (P and PE routers) and the customer network (CE routers). Therefore, the peer-to-peer model does not need to establish virtual circuits.

MPLS VPN is based on the peer-to-peer model. Compared with traditional VPNs, an MPLS VPN is easier to expand and manage. When adding a new site, you only need to modify the configuration of the edge node that serves that site.

MPLS VPN supports overlapping address spaces, overlapping VPNs, flexible networking, and good scalability, and it can easily support MPLS TE. It has become an important means for IP network operators to provide value-added services, and its use continues to grow.

2. Principle description

Basic concepts

  • VRF
    VRF (Virtual Routing and Forwarding) table: each VRF can be understood as a virtual logical router. A router that supports VRF can create multiple VRFs, and its routing table then consists of the global routing table plus the VRF routing tables.

    By default, VRFs are logically isolated from each other and from the router's main (global) routing table. A PE router allocates multiple VRFs to connect different customers' devices, which isolates the network information of different customers attached to the same PE.

    The information in VRF includes: IP routing table, label forwarding table, interface bound with VRF, and management information of VRF. The management information of VRF includes RD (Route Distinguisher), route filtering strategy, member interface list, etc.

  • RD
    RD (Route Distinguisher): locally significant; its role is to solve the problem of address space overlap.

RD format

Type (2 bytes)   Administrator field   Assigned number field
0x0002           2-byte AS number      4-byte assigned number
0x0102           4-byte IP address     2-byte assigned number

Configuring the RD

  • The RD value of each VRF on each router is unique.
  • The RD configured on a VRF is prepended to every IPv4 route prefix learned from that VRF.
  • The result of prepending the RD is the VPNv4 route prefix.

When a CE IPv4 route enters the global VPNv4 address family, an 8-byte RD is placed in front of the 32-bit IPv4 route to form the VPNv4 route prefix (12 bytes). Even if customer CE routes overlap, adding a unique RD forms a unique VPNv4 route prefix, which solves the problem of advertising overlapping customer routes.

Address space overlap

A VPN is a private network. Different VPNs independently manage their own address ranges, also called address spaces. The address spaces of different VPNs may overlap within a certain range. For example, if VRF1 and VRF2 both use the 10.110.10.0/24 network segment, their address spaces overlap.
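The following is an added example (not code from the original post or from the blog it reproduces) showing how the RD turns the overlapping 10.110.10.0/24 prefixes of two VRFs into two distinct 12-byte VPNv4 prefixes, and how the RD is dropped again when the route is handed back to a CE as an ordinary IPv4 route. The VRF names, RD values and prefixes are constructed for the example. The RD wire-format type codes follow RFC 4364 (type 0 for AS-based, type 1 for IP-based RDs); the Route Target encoder uses the 0x0002/0x0102 extended-community types listed in the RT table further down this page.

```python
import ipaddress
import struct

# Route Distinguisher wire types (RFC 4364): type 0 = 2-byte AS + 4-byte number,
# type 1 = 4-byte IPv4 address + 2-byte number.
RD_TYPE_AS, RD_TYPE_IP = 0x0000, 0x0001
# Route Target extended-community types as listed in the RT table on this page
# (RFC 4360 route-target subtype): 0x0002 = AS-based, 0x0102 = IPv4-address-based.
RT_TYPE_AS, RT_TYPE_IP = 0x0002, 0x0102


def _pack(type_as: int, type_ip: int, text: str) -> bytes:
    """Encode 'ASN:number' or 'A.B.C.D:number' into an 8-byte value."""
    admin, number = text.rsplit(":", 1)
    if "." in admin:
        return struct.pack("!HIH", type_ip, int(ipaddress.IPv4Address(admin)), int(number))
    return struct.pack("!HHI", type_as, int(admin), int(number))


def encode_rd(text: str) -> bytes:
    return _pack(RD_TYPE_AS, RD_TYPE_IP, text)


def encode_rt(text: str) -> bytes:
    return _pack(RT_TYPE_AS, RT_TYPE_IP, text)


def decode(raw: bytes) -> str:
    """Decode an 8-byte RD or RT back to 'admin:number' notation."""
    if len(raw) != 8:
        raise ValueError("RD/RT must be exactly 8 bytes")
    (kind,) = struct.unpack("!H", raw[:2])
    if kind in (RD_TYPE_IP, RT_TYPE_IP):
        ip, number = struct.unpack("!IH", raw[2:])
        return f"{ipaddress.IPv4Address(ip)}:{number}"
    asn, number = struct.unpack("!HI", raw[2:])
    return f"{asn}:{number}"


def vpnv4_prefix(rd: str, prefix: str) -> bytes:
    """8-byte RD + 4-byte IPv4 network address = 12-byte VPNv4 prefix."""
    net = ipaddress.IPv4Network(prefix)
    return encode_rd(rd) + net.network_address.packed


def strip_rd(vpnv4: bytes, prefix_len: int) -> str:
    """What the egress PE hands the remote CE: the ordinary IPv4 route without the RD."""
    return f"{ipaddress.IPv4Address(vpnv4[8:12])}/{prefix_len}"


def build_vpnv4_table(vrfs: dict) -> dict:
    """Merge every VRF's IPv4 prefixes into one global VPNv4 table keyed by the 12-byte prefix.
    vrfs maps VRF name -> (rd, [prefixes]). A collision means two VRFs share an RD."""
    table = {}
    for name, (rd, prefixes) in vrfs.items():
        for p in prefixes:
            key = vpnv4_prefix(rd, p)
            if key in table:
                raise ValueError(f"VPNv4 prefix collision: {name} and {table[key][0]} share RD {rd}")
            table[key] = (name, p)
    return table


if __name__ == "__main__":
    # Constructed example: two customers both using 10.110.10.0/24 (address-space overlap).
    overlapping = {"VRF1": ("65000:1", ["10.110.10.0/24"]),
                   "VRF2": ("65000:2", ["10.110.10.0/24"])}
    for key, (vrf, p) in build_vpnv4_table(overlapping).items():
        print(f"{vrf}: {p} -> VPNv4 {key.hex()} (RD {decode(key[:8])})")
```

The two VPNv4 keys differ only in their first 8 bytes (the RD); the last 4 bytes, the customer prefix, are identical. This is exactly why the RD must be unique per VRF: with the same RD in both VRFs, `build_vpnv4_table` raises on the collision instead of silently letting one customer's route overwrite the other's.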

  • RT
    RT (Route Target): the role of the RT is to deliver the VPNv4 prefixes received on a PE to the correct CE device.

The RT is carried as a BGP extended community attribute and has the following two formats; a type field of 0x0002 or 0x0102 indicates an RT:

Type (2 bytes)   Administrator field   Assigned number field
0x0002           2-byte AS number      4-byte assigned number
0x0102           4-byte IP address     2-byte assigned number

Each VRF is associated with one or more VPN Target (RT) attributes. There are two types of VPN Target attribute:

  • Export Target: after the local PE learns IPv4 routes from its directly connected CE, it converts them into VPN-IPv4 routes and sets the Export Target attribute on them. The Export Target attribute is advertised together with the routes as a BGP extended community attribute.
  • Import Target: when a PE receives VPN-IPv4 routes advertised by other PEs, it checks their Export Target attribute. When this attribute matches the Import Target of a VRF on the PE, the PE adds the route to that VRF.

3. MPLS VPN data forwarding

This part of the content is reproduced from the original article of the CSDN blogger "Cao Shihong's Blog"
Original link: https://blog.csdn.net/qq_38265137/article/details/80503475

Private network label distribution

Before PE advertises private network routes to other related PEs in the backbone network through MP-BGP, it needs to allocate MPLS labels (private network labels) for private network routes. When the data packet is transmitted on the backbone network, it carries the private network label.

There are two methods for assigning private network labels on PEs:

  • Route-based MPLS label distribution: Assign a label (one label per route) to each route in the VN routing table. The disadvantage of this method is that when the number of routes is relatively large, the number of entries that need to be maintained in the incoming label map (ILM) of the device will also increase, thereby increasing the requirements for device capacity.
  • VRF-based MPLS label distribution: assign one label to the entire VRF, so that all routes in the VRF share that label. The advantage of this method is that it saves labels.

Private network route crossover:

The routes propagated through MP-BGP between two PEs are VPNv4 routes. When receiving a VPNv4 route, the PE first performs the following checks:

  • Check whether its next hop is reachable. If the next hop is unreachable, the route is discarded.
  • For a VPNv4 route sent by an RR, if the cluster_list of the received route contains the PE's own cluster_id, the route is discarded.
  • Perform BGP routing policy filtering. If it fails, the route is discarded.

After that, the PE matches the routes that were not discarded against the Import Target attributes of its local VRFs. This process of matching a VPNv4 route against the Import VPN Target of a local VRF is called private network route crossover.

There is a special kind of route on the PE: routes from a local CE that belong to a different VPN. For such a route, if its next hop is directly reachable or can be iterated successfully, the PE also matches it against the Import Target attributes of its other local VPN instances. This process is called local crossover.
For example: CE1 belongs to VRF1, CE2 belongs to VRF2, and both CE1 and CE2 are connected to PE1. When PE1 receives a VPN1 route from CE1, it also matches it against the Import Target attribute of the VRF corresponding to VPN2.

Public network tunnel iteration:

To carry private network traffic to the other end across the public network, a public network tunnel is required. Therefore, after private network route crossover is complete, route iteration based on the destination IPv4 prefix is performed to find a suitable tunnel (local crossover routes excepted); only if tunnel iteration succeeds is the route put into the corresponding VRF routing table. The process of iterating a route onto a corresponding tunnel is called tunnel iteration.

After tunnel iteration succeeds, the tunnel ID (Tunnel ID) is kept for subsequent packet forwarding. The Tunnel ID uniquely identifies a tunnel. When VPN packets are forwarded, the corresponding tunnel is found according to the Tunnel ID and the packet is sent out through that tunnel.

Selection rules for private network routing:

Not all routes that pass route crossover and tunnel iteration are put into the VRF routing table, and neither are all routes received from the local CE nor all local crossover routes.

For multiple routes to the same destination address, if route load sharing is not performed, select one of them according to the following rules:

  • When a route received directly from the CE and a successfully crossed route with the same destination address exist at the same time, the route received from the CE is preferred.
  • When a local crossover route and a successfully crossed route with the same destination address received from another PE exist at the same time, the local crossover route is preferred.
    (Local is best.)

For multiple routes to the same destination address, if the load sharing of routes is performed, then:

  • Routes received from the local CE are preferred: when there is only one route received from the local CE and several crossed routes, only the route received from the local CE is selected.
  • Load sharing takes place only among routes received from the local CE, or only among crossed routes, never between a CE-received route and a crossed route.
    The AS_PATH attributes of the routes sharing the load must be identical.

Route advertisement (key point):

In the basic MPLS VPN networking, the release of VPN routing information involves CE and PE. The P device only maintains the routes of the backbone network and does not need to know any VPN routing information. PE equipment generally maintains all VPN routes.

The VPN route advertisement process has three parts: local CE to ingress PE, ingress PE to egress PE, and egress PE to remote CE. After these three parts are completed, a reachable route exists between the local CE and the remote CE, and the VPN routing information has been advertised across the backbone network.

The three parts are introduced separately below.

  1. Routing information exchange from local CE to ingress PE

    After the CE establishes a neighbor or peer relationship with its directly connected PE, it advertises the site's IPv4 routes to the PE. Static routing, RIP (Routing Information Protocol), OSPF (Open Shortest Path First), IS-IS (Intermediate System to Intermediate System) or BGP (Border Gateway Protocol) can be used between CE and PE. Whichever routing protocol is used, the routes that the CE advertises to the PE are standard IPv4 routes.

  2. Routing information exchange from ingress PE to egress PE

    1. After the PE learns VPN routing information from the CE, it stores it in the VRF. At the same time, the RD is added to these standard IPv4 routes to form VPN-IPv4 routes.
    2. The ingress PE advertises the VPN-IPv4 routes to the egress PE in MP-BGP Update messages. The Update message carries the Export VPN Target attribute and the MPLS label.
    3. After receiving a VPN-IPv4 route whose next hop is reachable, the egress PE performs route crossover, tunnel iteration and route selection, and decides whether to add the route to the VRF routing table. For routes added to the VPN routing table, the local PE keeps the following information for use when forwarding packets:
      • the MPLS label value carried in the MP-BGP Update message
      • the Tunnel ID
  3. Routing information exchange from egress PE to remote CE

    There are many ways for the remote CE to learn VPN routes from the egress PE, including static routing, RIP, OSPF, IS-IS and BGP, the same as for the exchange from the local CE to the ingress PE. I won't repeat them here. It is worth noting that the routes advertised by the egress PE to the remote CE are ordinary IPv4 routes.

The following figure takes BGP between PE and CE, with an LSP as the public network tunnel, as an example to illustrate the process of advertising a route from CE2 to CE1.

(Figure: route advertisement from CE2 via the Egress PE and Ingress PE to CE1; not reproduced here.)

  1. Import IGP (Interior Gateway Protocol) routes under the CE2 BGP IPv4 unicast address family.
  2. CE2 advertises the route to the Egress PE in an EBGP Update message. The Egress PE receives the Update message on the interface connected to CE2, converts the route into a VPN IPv4 route, and adds it to the corresponding VRF routing table.
  3. The Egress PE assigns an MPLS label to the route, puts the label and the VPN IPv4 routing information into the NLRI field of an MP-IBGP Update message, adds the Export RT to the extended community attribute field of the message, and sends the Update message to the Ingress PE.
  4. The Ingress PE performs route crossover on this route. If the crossover is successful, iterate the tunnel according to the routing destination IPv4 address to find a suitable tunnel. If the iteration is successful, the Tunnel ID and label of the tunnel are retained, and the route is added to the VRF routing table.
  5. The Ingress PE advertises the route to CE1 in a BGP Update message. At this point the route is an ordinary IPv4 route.
  6. After CE1 receives the route, it adds the route to the BGP routing table. By importing BGP routes into IGP, CE1 can add this route to the IGP routing table.
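The following is an added example (not code from the original post or from the blog it reproduces) that models the route processing described in the "Private network route crossover", "Public network tunnel iteration" and "Selection rules" passages above, and walks through the CE2 to CE1 advertisement procedure just listed: the egress PE builds a VPN-IPv4 Update (RD-prefixed NLRI, label, Export RTs), the ingress PE applies the three discard checks, crossover against each VRF's Import Target, tunnel iteration, and then selects the best route per VRF before advertising a plain IPv4 prefix to its CE. The PE addresses, VRF names, RTs, tunnel IDs and prefixes are constructed; the RD is carried as a plain "ASN:number" string and the label counter is a stand-in for route-based label distribution.

```python
import copy
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Route:
    prefix: str                       # IPv4 prefix, e.g. "10.110.10.0/24"
    next_hop: str
    export_rts: frozenset             # RTs carried as BGP extended communities
    origin: str                       # "ce" (local CE), "cross" (remote PE), "local_cross"
    label: Optional[int] = None       # private-network label from the MP-BGP Update
    cluster_list: tuple = ()
    as_path: tuple = ()
    tunnel_id: Optional[str] = None   # kept after successful tunnel iteration


@dataclass
class Vrf:
    name: str
    rd: str                           # e.g. "65000:1" (constructed notation)
    import_rts: frozenset
    export_rts: frozenset
    candidates: Dict[str, List[Route]] = field(default_factory=dict)


PREFERENCE = {"ce": 0, "local_cross": 1, "cross": 2}   # lower is preferred ("local is best")


class PE:
    def __init__(self, cluster_id: str, reachable, tunnels: Dict[str, str], policy=None):
        self.cluster_id = cluster_id
        self.reachable = set(reachable)            # next hops the IGP can reach
        self.tunnels = dict(tunnels)               # next hop -> public tunnel ID (an LSP here)
        self.policy = policy or (lambda r: True)   # BGP routing policy filter
        self.vrfs: Dict[str, Vrf] = {}
        self.next_label = 1000                     # route-based distribution: one label per route

    def add_vrf(self, vrf: Vrf) -> None:
        self.vrfs[vrf.name] = vrf

    def learn_from_ce(self, vrf_name: str, prefix: str, next_hop: str, as_path=()) -> List[str]:
        """Part 1: ordinary IPv4 route from the CE into its VRF, then local crossover."""
        vrf = self.vrfs[vrf_name]
        vrf.candidates.setdefault(prefix, []).append(
            Route(prefix, next_hop, vrf.export_rts, "ce", as_path=as_path))
        if next_hop not in self.reachable:
            return []
        local = Route(prefix, next_hop, vrf.export_rts, "local_cross", as_path=as_path)
        return self._crossover(local, exclude=vrf_name, iterate_tunnel=False)

    def advertise_vpnv4(self, vrf_name: str, prefix: str, own_address: str) -> dict:
        """Part 2, egress side: RD + prefix as VPN-IPv4 NLRI, plus label and Export RTs."""
        vrf = self.vrfs[vrf_name]
        self.next_label += 1
        return {"nlri": f"{vrf.rd}:{prefix}", "label": self.next_label,
                "next_hop": own_address, "ext_community": set(vrf.export_rts)}

    def receive_vpnv4(self, update: dict, cluster_list=(), from_rr=False) -> List[str]:
        """Part 2, ingress side: the three discard checks, then crossover + tunnel iteration."""
        _rd, prefix = update["nlri"].rsplit(":", 1)
        r = Route(prefix, update["next_hop"], frozenset(update["ext_community"]), "cross",
                  label=update["label"], cluster_list=tuple(cluster_list))
        if r.next_hop not in self.reachable:
            return []                                   # next hop unreachable: discard
        if from_rr and self.cluster_id in r.cluster_list:
            return []                                   # RR loop (own cluster_id): discard
        if not self.policy(r):
            return []                                   # routing policy failed: discard
        return self._crossover(r, exclude=None, iterate_tunnel=True)

    def _crossover(self, route: Route, exclude, iterate_tunnel: bool) -> List[str]:
        installed = []
        for vrf in self.vrfs.values():
            if vrf.name == exclude or not (vrf.import_rts & route.export_rts):
                continue                                # Import Target does not match
            r = copy.copy(route)
            if iterate_tunnel:                          # skipped for local crossover routes
                r.tunnel_id = self.tunnels.get(r.next_hop)
                if r.tunnel_id is None:
                    continue                            # tunnel iteration failed: not installed
            vrf.candidates.setdefault(r.prefix, []).append(r)
            installed.append(vrf.name)
        return installed

    def best(self, vrf_name: str, prefix: str, load_share: bool = False) -> List[Route]:
        """Selection: CE > local cross > remote cross; share only within one class, same AS_PATH."""
        cands = self.vrfs[vrf_name].candidates.get(prefix, [])
        if not cands:
            return []
        top = min(PREFERENCE[r.origin] for r in cands)
        chosen = [r for r in cands if PREFERENCE[r.origin] == top]
        if not load_share:
            return chosen[:1]
        return [r for r in chosen if r.as_path == chosen[0].as_path]

    def advertise_to_ce(self, vrf_name: str) -> List[str]:
        """Part 3: the remote CE gets ordinary IPv4 prefixes (no RD, no label)."""
        return sorted(p for p in self.vrfs[vrf_name].candidates if self.best(vrf_name, p))
```

Each candidate route keeps the label and Tunnel ID that the text says the PE must retain, which is what the forwarding plane later uses; the `best` selector is deliberately split into the non-load-sharing and load-sharing branches so that the "never share between a CE route and a crossed route" rule is visible in code rather than implied.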

MPLS VPN packet forwarding (key point):

In basic MPLS VPN applications (excluding inter-AS scenarios), VPN packet forwarding uses a two-layer label stack:

  • The first layer (public network) label is distributed by LDP and swapped inside the backbone network; it identifies an LSP from the PE to the peer PE. VPN packets use this label to reach the peer PE along the LSP.
  • The second layer (private network) label is allocated by MP-BGP and is used when the packet arrives at the peer PE and is delivered to the CE; it indicates which site, or more specifically which CE, the packet should be sent to. In this way the peer PE can find the outgoing interface according to the inner label.

The following figure illustrates the MPLS VPN packet forwarding process using CE1 sending packets to CE2 as an example. In it, IL stands for inner label and OL for outer label.
(Figure: packet forwarding from CE1 through the Ingress PE, P devices and Egress PE to CE2; not reproduced here.)

  1. CE1 sends a VPN packet.
  2. After the Ingress PE receives the VPN packet on the interface bound to the VPN instance, it performs the following operations:
    1. Find the forwarding table corresponding to the VPN according to the RD of the bound VRF.
    2. Match the destination IPv4 prefix and find the corresponding Tunnel ID.
    3. Push the corresponding (inner) label IL onto the packet and find the tunnel according to the Tunnel ID.
    4. Send the packet out through the tunnel. In this example the tunnel is an LSP, so the public network (outer) MPLS label O-L1 is pushed as well.

Then, the message carries two layers of MPLS labels across the backbone network. Each P device in the backbone network performs outer label switching on the message.

  1. The Egress PE receives the packet carrying two labels and hands it to MPLS for processing. MPLS removes the outer label (the last outer label in this example is O-L2; if penultimate hop popping is in use, this label is popped one hop before the Egress PE, which then receives a packet carrying only the inner label).

  2. At this time, Egress PE can see the inner label, find that the label is at the bottom of the stack, and peel off the inner label.

  3. The Egress PE sends the packet to CE2 from the corresponding outgoing interface. At this point the packet is a plain IP packet.

In this way, the message is successfully transmitted from CE1 to CE2. CE2 transmits the packet to the destination according to the normal IP forwarding process.
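The following is an added example (not code from the original post or from the blog it reproduces) that simulates the two-layer label forwarding path just described: the Ingress PE does a longest-prefix match in the VRF forwarding table, pushes the inner label and the outer LSP label, each P device swaps only the outer label (or pops it for penultimate hop popping), and the Egress PE removes any remaining outer label, reads the bottom-of-stack inner label and maps it to the CE-facing interface. The topology, label values, prefixes and interface names are constructed; label 3 as implicit-null is the usual LDP convention for signalling PHP.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    dst: str
    labels: List[int] = field(default_factory=list)   # label stack; index 0 is the outer label
    trace: List[str] = field(default_factory=list)    # what each hop did to the packet


class IngressPE:
    """Steps 1-4 at the Ingress PE: VRF table, LPM on the destination, push IL then OL."""
    def __init__(self, vrf_fib: Dict[str, List[Tuple[str, int, str]]], tunnels: Dict[str, int]):
        self.vrf_fib = vrf_fib   # VRF name -> [(prefix, inner label, tunnel ID)]
        self.tunnels = tunnels   # tunnel ID -> outer label of the LSP's first hop

    def forward(self, vrf_name: str, pkt: Packet) -> Optional[str]:
        dst = ipaddress.IPv4Address(pkt.dst)
        best = None
        for prefix, il, tid in self.vrf_fib[vrf_name]:
            net = ipaddress.IPv4Network(prefix)
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, il, tid)          # longest prefix match wins
        if best is None:
            pkt.trace.append(f"ingress: no route for {pkt.dst} in {vrf_name}, dropped")
            return None
        _, il, tid = best
        pkt.labels = [self.tunnels[tid], il]   # outer label on top of the inner label
        pkt.trace.append(f"ingress: push IL={il}, tunnel {tid} push OL={self.tunnels[tid]}")
        return tid


class PRouter:
    """P device: swaps only the outer label; implicit-null (3) means pop it (PHP)."""
    IMPLICIT_NULL = 3

    def __init__(self, name: str, swaps: Dict[int, int]):
        self.name, self.swaps = name, swaps    # incoming outer label -> outgoing outer label

    def forward(self, pkt: Packet) -> bool:
        if not pkt.labels or pkt.labels[0] not in self.swaps:
            pkt.trace.append(f"{self.name}: no ILM entry, dropped")
            return False
        out = self.swaps[pkt.labels[0]]
        if out == self.IMPLICIT_NULL:
            popped = pkt.labels.pop(0)
            pkt.trace.append(f"{self.name}: PHP, pop OL={popped}")
        else:
            pkt.trace.append(f"{self.name}: swap OL {pkt.labels[0]} -> {out}")
            pkt.labels[0] = out
        return True


class EgressPE:
    """Remove a remaining outer label (no PHP case), then map the inner label to the CE interface."""
    def __init__(self, own_outer: set, inner_to_ce: Dict[int, str]):
        self.own_outer, self.inner_to_ce = own_outer, inner_to_ce

    def forward(self, pkt: Packet) -> Optional[str]:
        if pkt.labels and pkt.labels[0] in self.own_outer:
            popped = pkt.labels.pop(0)
            pkt.trace.append(f"egress: pop OL={popped}")
        if len(pkt.labels) != 1:
            pkt.trace.append("egress: unexpected label stack, dropped")
            return None
        il = pkt.labels.pop(0)                 # bottom of stack: the private-network label
        iface = self.inner_to_ce.get(il)
        if iface is None:
            pkt.trace.append(f"egress: unknown IL={il}, dropped")
            return None
        pkt.trace.append(f"egress: IL={il} -> {iface}, plain IP packet to CE")
        return iface


def run_path(vrf: str, dst: str, ingress: IngressPE, p_routers: List[PRouter], egress: EgressPE):
    """Carry one packet from CE1 (vrf) to the CE behind the egress; returns (interface, packet)."""
    pkt = Packet(dst)
    if ingress.forward(vrf, pkt) is None:
        return None, pkt
    for p in p_routers:
        if not p.forward(pkt):
            return None, pkt
    return egress.forward(pkt), pkt


def build_example_topology(php: bool = True):
    """Constructed topology: Ingress PE -> P1 -> P2 -> Egress PE -> CE2/CE3."""
    ingress = IngressPE(vrf_fib={"VPN1": [("10.110.10.0/24", 100, "LSP-1"),
                                          ("10.0.0.0/8", 101, "LSP-1")]},
                        tunnels={"LSP-1": 1001})
    p1 = PRouter("P1", {1001: 1002})
    p2 = PRouter("P2", {1002: PRouter.IMPLICIT_NULL if php else 1003})
    egress = EgressPE(own_outer={1003}, inner_to_ce={100: "GE0/1-CE2", 101: "GE0/2-CE3"})
    return ingress, [p1, p2], egress


if __name__ == "__main__":
    for php in (True, False):
        iface, pkt = run_path("VPN1", "10.110.10.5", *build_example_topology(php))
        print(f"PHP={php}: delivered on {iface}\n  " + "\n  ".join(pkt.trace))
```

Running it with and without PHP shows the difference the text points out: with PHP the Egress PE receives a packet carrying only the inner label, without it the Egress PE pops O-L2 itself first; in both cases the packet that leaves towards CE2 has an empty label stack.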

4. Common problems

  1. How are the CE devices of different customers isolated on the same PE device? VRF.
  2. How is routing information maintained between PE and CE devices? The RT value.
  3. How are customer private routes transferred across the public network? MP-BGP carrying VPNv4 routes.
  4. How can customer private routes overlap? The RD value.
  5. How is customer data forwarded across the public network (avoiding routing black holes)? Label delivery.

Origin blog.csdn.net/qq_40741808/article/details/106026561