Huawei HCIP Section 3: MPLS VPN

1. MPLS VPN principle and configuration

1. MPLS VPN definition

BGP/MPLS IP VPN networks are generally built by operators; VPN users purchase the VPN service to exchange routes and data between their sites. MPLS VPN uses BGP to advertise VPN routes across the operator's backbone (an IP network) and MPLS to forward VPN packets across that backbone. BGP/MPLS IP VPN, also referred to simply as MPLS VPN, is a common L3VPN (Layer 3 VPN) technology.

2. MPLS VPN network architecture

The MPLS VPN network architecture consists of three parts: CE (Customer Edge), PE (Provider Edge) and P (Provider). PE and P are operator devices, while the CE is the MPLS VPN user's device. A site is an MPLS VPN user network, consisting of the CE and other user devices.

3. MPLS VPN technical architecture

MPLS VPN is not a single VPN technology but a comprehensive solution that combines several technologies. It mainly involves the following:
MP-BGP: transmits intra-site routing information between PEs.
LDP: establishes tunnels between PEs.
VRF: manages VPN users on the PE.
Static routing, IGP, BGP: exchange routing information between PE and CE.

4. Why choose MPLS VPN?

For VPN customers: the VPN is transparent to the customer, who does not need to deploy or maintain it, which reduces the difficulty and cost of enterprise operation and maintenance. The VPN is generally deployed on the operator's MPLS VPN private network and offers certain security guarantees.

For operators: MPLS adds a connection-oriented control plane to the connectionless IP network, giving the IP network additional management and operation methods. It supports overlapping address spaces, overlapping VPNs, flexible networking and good scalability, and it readily supports MPLS TE to regulate existing network resources and minimize operator costs.

5. Overview of MPLS VPN route publishing

To enable communication between different sites of the same VPN, routes must first be exchanged between those sites. In a basic MPLS VPN network, VPN route advertisement involves only CEs and PEs; a P router maintains only backbone routes and does not need to know any VPN routing information. VPN route advertisement consists of three parts: local CE to ingress PE, ingress PE to egress PE, and egress PE to remote CE.

6. RD

A PE receives IPv4 address prefixes from CEs in different VPNs and distinguishes them locally by VPN instance. However, the VPN instance is only a local concept, and the PE cannot pass VPN instance information to the peer PE, so the RD (Route Distinguisher) is introduced. An RD is 8 bytes long and is used to distinguish IPv4 prefixes that use the same address space. After receiving an IPv4 route from a CE, the PE prepends the RD to the IPv4 prefix, converting it into a globally unique VPN-IPv4 route.

7. MP-BGP

To handle VPN routes correctly, MPLS VPN uses MP-BGP (Multiprotocol Extensions for BGP-4) as specified in RFC 2858, the multiprotocol extension of BGP-4. MP-BGP uses address families to distinguish different network layer protocols; besides the traditional IPv4 address family it supports other address families, such as the VPN-IPv4 and IPv6 address families. MP-BGP adds two new path attributes:
MP_REACH_NLRI (Multiprotocol Reachable NLRI): advertises reachable routes and their next-hop information.
MP_UNREACH_NLRI (Multiprotocol Unreachable NLRI): withdraws unreachable routes.

8. RT

On a PE, each VPN instance is bound to one or more VPN Target attributes, of which there are two types:
Export Target (ERT): after the local PE learns IPv4 routes from a directly connected site, it converts them into VPN-IPv4 routes and attaches the Export Target attribute to them. The Export Target is advertised with the route as a BGP extended community attribute.
Import Target (IRT): when a PE receives VPN-IPv4 routes advertised by other PEs, it checks their Export Target attribute. If this attribute matches the Import Target of a VPN instance on the PE, the PE adds the route to that VPN instance's routing table.
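The RD and RT mechanics of sections 6 and 8, as an added Python example that is not part of the original course material: it encodes a Type 0 RD, builds the 12-byte VPN-IPv4 prefix, and runs the Export/Import Target check across the four VRFs of the experiment in part 2 (RD/RT values from the requirements), showing why the overlapping 172.16.1.1/32 of Company A and Company B stays distinct and only reaches the matching remote VRF. The VpnInstance class, exchange() and lab() are illustrative constructs, not Huawei APIs.

```python
import ipaddress
import struct

def encode_rd(rd: str) -> bytes:
    """Type 0 RD 'ASN:number' as 8 bytes: 2-byte type 0, 2-byte ASN, 4-byte number."""
    asn, number = (int(x) for x in rd.split(":"))
    return struct.pack("!HHI", 0, asn, number)

def vpnv4_route(rd: str, prefix: str) -> bytes:
    """VPN-IPv4 address = 8-byte RD + 4-byte IPv4 prefix, 12 bytes in total."""
    return encode_rd(rd) + ipaddress.IPv4Network(prefix).network_address.packed

class VpnInstance:
    """One VRF on a PE (illustrative): RD, Export/Import Targets, local and imported routes."""
    def __init__(self, name, rd, export_rt, import_rt, local_prefixes):
        self.name, self.rd = name, rd
        self.export_rt, self.import_rt = {export_rt}, {import_rt}
        self.local = list(local_prefixes)                  # learned from the attached CE
        self.routes = {p: "local CE" for p in self.local}  # the VRF routing table

    def advertise(self):
        """What MP-BGP carries to the remote PE: (VPN-IPv4 NLRI, prefix, Export Targets)."""
        return [(vpnv4_route(self.rd, p), p, self.export_rt) for p in self.local]

    def receive(self, nlri, prefix, rts):
        """Import only when an attached RT matches one of this VRF's Import Targets."""
        if not rts & self.import_rt:
            return False
        self.routes[prefix] = "MP-BGP, RD " + nlri[:8].hex()
        return True

def exchange(pe_a, pe_b):
    """Offer every VRF's routes on one PE to every VRF on the other; return accepted (src, dst, prefix)."""
    accepted = []
    for src_pe, dst_pe in ((pe_a, pe_b), (pe_b, pe_a)):
        for src in src_pe:
            for nlri, prefix, rts in src.advertise():
                for dst in dst_pe:
                    if dst.receive(nlri, prefix, rts):
                        accepted.append((src.name, dst.name, prefix))
    return accepted

def lab():
    """The experiment's four VRFs with the RD/RT values from the requirements (constructed input)."""
    r3 = [VpnInstance("1", "1:1", "1:7", "7:1", ["172.16.1.1/32"]),  # Company A, CE R1
          VpnInstance("2", "2:2", "2:6", "6:2", ["172.16.1.1/32"])]  # Company B, CE R2
    r5 = [VpnInstance("7", "7:7", "7:1", "1:7", ["172.16.2.1/32"]),  # Company A, CE R7
          VpnInstance("6", "6:6", "6:2", "2:6", ["172.16.2.1/32"])]  # Company B, CE R6
    return exchange(r3, r5)
```

lab() returns exactly four accepted imports, one per company per direction; a VRF whose Import Target does not match the received Export Target never installs the route, which is the isolation the experiment requires.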

2. MPLS experiment

1. Experimental requirements

1. The simulated network has two companies, Company A and Company B. Sites of the same company must be able to reach each other across the ISP network, while different companies must not be able to reach each other. This requirement is achieved with MPLS VPN.
2. Complete the basic IP address configuration. Create a loopback interface LoopBack0 on each router with the address X.X.X.X, where X is the router number (for example, R1 uses 1.1.1.1), and configure the routers' physical interface addresses according to the topology.
3. Create LoopBack100 with address 172.16.1.1 on R1 and on R2, and LoopBack100 with address 172.16.2.1 on R7 and on R6. These loopback interfaces simulate intra-site network segments.
4. AS500 is the public network; OSPF is used as the IGP to provide connectivity within it.
5. Within AS500, R3 and R5 establish a VPNv4 neighbor relationship using their LoopBack0 interfaces.
6. Enable MPLS in AS500 and use LDP to distribute labels.
7. Only sites of the same company may communicate with each other.
i. Company A
1. R3 creates a VRF named 1 with RD 1:1 and export RT 1:7.
2. R5 creates a VRF named 7 with RD 7:7 and export RT 7:1.
3. Establish BGP neighbor relationships between the PE and CE devices, and MP-BGP neighbor relationships between the PE devices, to deliver the routes.
4. Advertise the routes correctly on the devices so that Company A's sites can communicate with each other.
ii. Company B
1. R3 creates a VRF named 2 with RD 2:2 and export RT 2:6.
2. R5 creates a VRF named 6 with RD 6:6 and export RT 6:2.
3. Establish OSPF neighbor relationships between the PE and CE devices.
4. Advertise the routes correctly on the devices so that Company B's sites can communicate with each other.

2. Experimental topology


3. Configuration ideas and verification results

3.1 Configure basic IP addresses
R1
[Huawei] sysname R1
[R1] interface g0/0/0
[R1-GigabitEthernet0/0/0] ip add 192.168.13.1 24
[R1-GigabitEthernet0/0/0] interface LoopBack 0
[R1-LoopBack0] ip add 1.1.1.1 32
[R1-LoopBack0] interface LoopBack 100
[R1-LoopBack100] ip add 172.16.1.1 32
R2
[Huawei] sysname R2
[R2] interface g0/0/0
[R2-GigabitEthernet0/0/0] ip add 192.168.23.2 24
[R2-GigabitEthernet0/0/0] interface LoopBack 0
[R2-LoopBack0] ip add 2.2.2.2 32
[R2-LoopBack0] interface LoopBack 100
[R2-LoopBack100] ip add 172.16.1.1 32
R3
[Huawei] sysname R3
[R3] interface g0/0/2
[R3-GigabitEthernet0/0/2] ip address 34.1.1.3 24
[R3-GigabitEthernet0/0/2] interface LoopBack 0
[R3-LoopBack0] ip add 3.3.3.3 32
R4
[Huawei] sysname R4
[R4] interface g0/0/0
[R4-GigabitEthernet0/0/0] ip add 34.1.1.4 24
[R4-GigabitEthernet0/0/0] interface g0/0/1
[R4-GigabitEthernet0/0/1] ip add 45.1.1.4 24
[R4-GigabitEthernet0/0/1] interface LoopBack 0
[R4-LoopBack0] ip add 4.4.4.4 32
R5
[Huawei] sysname R5
[R5] interface g0/0/0
[R5-GigabitEthernet0/0/0] ip add 45.1.1.5 24
[R5-GigabitEthernet0/0/0] interface LoopBack 0
[R5-LoopBack0] ip add 5.5.5.5 32
R6
[Huawei] sysname R6
[R6] interface g0/0/0
[R6-GigabitEthernet0/0/0] ip add 192.168.56.6 24
[R6-GigabitEthernet0/0/0] interface LoopBack 0
[R6-LoopBack0] ip add 6.6.6.6 32
[R6-LoopBack0] interface LoopBack 100
[R6-LoopBack100] ip add 172.16.2.1 32
R7
[Huawei] sysname R7
[R7] interface g0/0/0
[R7-GigabitEthernet0/0/0] ip add 192.168.57.7 24
[R7-GigabitEthernet0/0/0] interface LoopBack 0
[R7-LoopBack0] ip add 7.7.7.7 32
[R7-LoopBack0] interface LoopBack 100
[R7-LoopBack100] ip add 172.16.2.1 32
3.2 Configure OSPF in AS500
R3
[R3] ospf 1 router-id 3.3.3.3
[R3-ospf-1] area 0
[R3-ospf-1-area-0.0.0.0] network 34.1.1.3 0.0.0.0
[R3-ospf-1-area-0.0.0.0] network 3.3.3.3 0.0.0.0
R4
[R4] ospf 1 router-id 4.4.4.4
[R4-ospf-1] area 0
[R4-ospf-1-area-0.0.0.0] network 34.1.1.4 0.0.0.0
[R4-ospf-1-area-0.0.0.0] network 45.1.1.4 0.0.0.0
[R4-ospf-1-area-0.0.0.0] network 4.4.4.4 0.0.0.0
R5
[R5] ospf 1 router-id 5.5.5.5
[R5-ospf-1] area 0
[R5-ospf-1-area-0.0.0.0] network 45.1.1.5 0.0.0.0
[R5-ospf-1-area-0.0.0.0] network 5.5.5.5 0.0.0.0
R3 can learn all loopback interface routes
3.3 Configuring BGP in AS500
R3
[R3] bgp 500
[R3-bgp] router-id 3.3.3.3
[R3-bgp] undo default ipv4-unicast
[R3-bgp] peer 5.5.5.5 as-number 500
[R3-bgp] peer 5.5.5.5 connect-interface LoopBack0
[R3-bgp] ipv4-family vpnv4
[R3-bgp-af-vpnv4] peer 5.5.5.5 enable
R5
[R5] bgp 500
[R5-bgp] router-id 5.5.5.5
[R5-bgp] undo default ipv4-unicast
[R5-bgp] peer 3.3.3.3 as-number 500
[R5-bgp] peer 3.3.3.3 connect-interface LoopBack0
[R5-bgp] ipv4-family vpnv4
[R5-bgp-af-vpnv4] peer 3.3.3.3 enable
R3 and R5 establish a VPNv4 neighbor relationship
3.4 Configure MPLS LDP on R3, R4, and R5
R3
[R3] mpls lsr-id 3.3.3.3
[R3] mpls
[R3-mpls] mpls ldp
[R3-mpls-ldp] interface g0/0/2
[R3-GigabitEthernet0/0/2] mpls
[R3-GigabitEthernet0/0/2] mpls ldp
R4
[R4] mpls lsr-id 4.4.4.4
[R4] mpls
[R4-mpls] mpls ldp
[R4-mpls-ldp] interface g0/0/0
[R4-GigabitEthernet0/0/0] mpls
[R4-GigabitEthernet0/0/0] mpls ldp
[R4-GigabitEthernet0/0/0] interface g0/0/1
[R4-GigabitEthernet0/0/1] mpls
[R4-GigabitEthernet0/0/1] mpls ldp
R5
[R5] mpls lsr-id 5.5.5.5
[R5] mpls
[R5-mpls] mpls ldp
[R5-mpls-ldp] interface g0/0/0
[R5-GigabitEthernet0/0/0] mpls
[R5-GigabitEthernet0/0/0] mpls ldp
LDP neighbors can be viewed on R4
3.5 Create the VRF of Company A on R3 and R5
R3
[R3] ip vpn-instance 1
[R3-vpn-instance-1] route-distinguisher 1:1
[R3-vpn-instance-1] vpn-target 1:7 export-extcommunity
[R3-vpn-instance-1] vpn-target 7:1 import-extcommunity
R5
[R5] ip vpn-instance 7
[R5-vpn-instance-7] route-distinguisher 7:7
[R5-vpn-instance-7] vpn-target 7:1 export-extcommunity
[R5-vpn-instance-7] vpn-target 1:7 import-extcommunity
3.6 Bind the Company A interfaces of R3 and R5 to the corresponding VRF
R3
[R3] interface g0/0/0
[R3-GigabitEthernet0/0/0] ip binding vpn-instance 1
[R3-GigabitEthernet0/0/0] ip address 192.168.13.3 24
R5
[R5] interface g0/0/1
[R5-GigabitEthernet0/0/1] ip binding vpn-instance 7
[R5-GigabitEthernet0/0/1] ip address 192.168.57.5 24
3.7 R1 and R3, R7 and R5 establish EBGP neighbor relationships, and R1 and R7 advertise their LoopBack100 addresses
R1
[R1] bgp 100
[R1-bgp] peer 192.168.13.3 as-number 500
[R1-bgp] network 172.16.1.1 32
R3
[R3] bgp 500
[R3-bgp] ipv4-family vpn-instance 1
[R3-bgp-1] peer 192.168.13.1 as-number 100
R5
[R5] bgp 500
[R5-bgp] ipv4-family vpn-instance 7
[R5-bgp-7] peer 192.168.57.7 as-number 300
R7
[R7] bgp 300
[R7-bgp] peer 192.168.57.5 as-number 500
[R7-bgp] network 172.16.2.1 32
R1 and R3, R5 and R7 establish EBGP neighbor relationships
R1 learns the route 172.16.2.1 advertised by R7
R1's loopback interface can reach R7's loopback interface, so Company A communicates successfully.
3.8 Create the VRF of Company B on R3 and R5
R3
[R3] ip vpn-instance 2
[R3-vpn-instance-2] route-distinguisher 2:2
[R3-vpn-instance-2] vpn-target 2:6 export-extcommunity
[R3-vpn-instance-2] vpn-target 6:2 import-extcommunity
R5
[R5] ip vpn-instance 6
[R5-vpn-instance-6] route-distinguisher 6:6
[R5-vpn-instance-6] vpn-target 6:2 export-extcommunity
[R5-vpn-instance-6] vpn-target 2:6 import-extcommunity
3.9 Bind the Company B interfaces of R3 and R5 to the corresponding VRF
R3
[R3] interface g0/0/1
[R3-GigabitEthernet0/0/1] ip binding vpn-instance 2
[R3-GigabitEthernet0/0/1] ip address 192.168.23.3 24
R5
[R5] interface g0/0/2
[R5-GigabitEthernet0/0/2] ip binding vpn-instance 6
[R5-GigabitEthernet0/0/2] ip address 192.168.56.5 24
3.10 R2 and R3, R6 and R5 establish OSPF neighbor relationships, and R2 and R6 advertise their LoopBack100 addresses
R2
[R2] ospf 1 router-id 2.2.2.2
[R2-ospf-1] area 0
[R2-ospf-1-area-0.0.0.0] network 172.16.1.1 0.0.0.0
[R2-ospf-1-area-0.0.0.0] network 192.168.23.2 0.0.0.0
R3
[R3] ospf 2 router-id 3.3.3.3 vpn-instance 2
[R3-ospf-2] area 0
[R3-ospf-2-area-0.0.0.0] network 192.168.23.3 0.0.0.0
R5
[R5] ospf 2 router-id 5.5.5.5 vpn-instance 6
[R5-ospf-2] area 0
[R5-ospf-2-area-0.0.0.0] network 192.168.56.5 0.0.0.0
R6
[R6] ospf 1 router-id 6.6.6.6
[R6-ospf-1] area 0
[R6-ospf-1-area-0.0.0.0] network 172.16.2.1 0.0.0.0
[R6-ospf-1-area-0.0.0.0] network 192.168.56.6 0.0.0.0
R2 and R3, R5 and R6 establish OSPF neighbor relationships
3.11 Mutually import OSPF and BGP routes on R3 and R5
R3
[R3] bgp 500
[R3-bgp] ipv4-family vpn-instance 2
[R3-bgp-2] import-route ospf 2
[R3] ospf 2 vpn-instance 2
[R3-ospf-2] import-route bgp
R5
[R5] bgp 500
[R5-bgp] ipv4-family vpn-instance 6
[R5-bgp-6] import-route ospf 2
[R5] ospf 2 vpn-instance 6
[R5-ospf-2] import-route bgp
R2 learns the route 172.16.2.1 advertised by R6

Origin blog.csdn.net/qq_62466609/article/details/132038651