Detailed explanation of MPLS VPN

Before understanding MPLS VPN, you must first understand MPLS.

Before understanding MPLS, let's review MAC address-based switching and IP address-based routing and forwarding.

(The first part of this article covers MAC-address-based switching, IP-address-based routing and forwarding, and a detailed explanation of MPLS.)

(The second part covers the network structure, composition principle, access methods, reasons for using MPLS VPN, and the advantages and application scenarios of MPLS VPN.)

1. Traditional MAC address-based switching and IP address-based routing and forwarding

1.1. Switching based on MAC address (Layer 2)

Layer 2 switching learns MAC addresses (triggered by ARP traffic), builds a table that maps MAC addresses to interfaces, and then switches frames hop by hop based on that MAC address table.

1.2. Routing and forwarding based on IP address (Layer 3)

1. When a router receives a packet, it first decapsulates the frame and checks the destination MAC address in the frame header. If it is the MAC address of the receiving interface, decapsulation continues; if not, the frame is discarded.

2. The router then reads the source and destination IP addresses. If the destination IP is not the address of one of its own interfaces, the router looks the destination IP up in its routing table using the longest-match rule. If nothing matches, the packet is discarded.

3. If the routing table has a match, the packet is sent out of the interface given by the matching entry. Before sending, the Layer 3 packet must be encapsulated in a new Layer 2 frame header. On Ethernet this means the destination MAC changes at every hop, and a frame cannot be sent without one: the router sends an ARP request for the next hop's MAC address, encapsulates the packet, and forwards it to the next router.

Traditional IP routing is also hop-by-hop forwarding.

1.3. What is the difference between Layer 3 forwarding and Layer 2 switching?

Layer 3 is called forwarding: the relevant table entries are looked up using the Layer 3 header (IP).

Layer 2 is called switching: the relevant table entries are looked up using the Layer 2 header (MAC).

1.4. Which is faster, Layer 2 switching or Layer 3 forwarding?

Switching is necessarily faster, because the switch assembles the incoming bits directly into a frame and forwards it in a single step, without any decapsulation.

A router, by contrast, first decapsulates the frame, compares the destination MAC, then extracts the IP packet, looks up the routing table, forwards according to the matching entry, re-encapsulates with a new Layer 2 MAC header, and finally sends the frame. This is relatively resource-intensive.

So Layer 2 switching is faster than Layer 3 forwarding.

2. Detailed explanation of MPLS

2.1. The full name of MPLS is Multi-protocol label switching.

Multi-protocol: refers to supporting multiple Layer 3 protocols, such as IPv4, IPv6, IPX, etc.;

Label switching: Adding a label stack in front of the carried packets and forwarding based on labels.

2.2. MPLS encapsulation structure

[Figure: MPLS encapsulation structure]

In an MPLS packet, the label stack sits between the MAC header and the IP header, which is why MPLS is described as a Layer 2.5 protocol.
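As an added example (not code from the original article), the 32-bit label stack entry that makes up this Layer 2.5 header is encoded and decoded below using the RFC 3032 layout: 20-bit label, 3-bit traffic class, 1-bit bottom-of-stack flag, 8-bit TTL. The label values and payload bytes are constructed, and the Ethernet header in front of the stack is omitted.

```python
import struct

# RFC 3032 label stack entry, 32 bits, network byte order:
#   Label (20 bits) | TC/EXP (3 bits) | S bottom-of-stack (1 bit) | TTL (8 bits)

def encode_label_entry(label, tc=0, bottom=False, ttl=64):
    """Pack one label stack entry into 4 bytes."""
    if not 0 <= label < 2 ** 20:
        raise ValueError("label must fit in 20 bits")
    word = (label << 12) | ((tc & 0x7) << 9) | (int(bottom) << 8) | (ttl & 0xFF)
    return struct.pack("!I", word)

def decode_label_stack(data):
    """Walk the stack until the S bit is set; return (entries, offset of the IP payload)."""
    entries, offset = [], 0
    while True:
        if offset + 4 > len(data):
            raise ValueError("truncated label stack")   # S bit never seen
        (word,) = struct.unpack_from("!I", data, offset)
        entry = {"label": word >> 12, "tc": (word >> 9) & 0x7,
                 "bottom": bool((word >> 8) & 0x1), "ttl": word & 0xFF}
        entries.append(entry)
        offset += 4
        if entry["bottom"]:
            return entries, offset

def build_packet(labels, payload):
    """Push labels outer-first; the last label in the list becomes the bottom of the stack."""
    stack = b"".join(encode_label_entry(lbl, bottom=(i == len(labels) - 1))
                     for i, lbl in enumerate(labels))
    return stack + payload

# Constructed sample: outer tunnel label 20, inner label 1001, then the start of an IPv4 header.
SAMPLE = build_packet([20, 1001], bytes.fromhex("45000014"))
```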

2.3. Introduction to MPLS

MPLS is a new forwarding mechanism. Data is forwarded using label information in the MPLS network;

MPLS labels are based on IP routing and CEF switching.

2.4. Introduction to MPLS principles

[Figure: R1-R2-R3 topology with prefix 30.0.0.0/24]

1. Each router runs an IGP routing protocol and maintains its RIB and CEF tables. In the figure all routers run OSPF; we look only at the prefix 30.0.0.0/24.

[Figure: LDP label bindings for 30.0.0.0/24]

2. Each router runs the Label Distribution Protocol (LDP) and maintains a LIB table; LDP maintains its own neighbor relationships and binds a local label to every routing prefix.

As shown in the figure, R3 binds the local route prefix of 30.0.0.0/24 with label 30 and advertises it to its LDP neighbor R2;

R2 adds local label 20 to the prefix of 30.0.0.0/24, and records the label 30 assigned by R3 to 30.0.0.0/24 in its own LIB table. At the same time, R2 advertises the local label 20 assigned to 30.0.0.0/24 to R1;

R1 assigns local label 10 to 30.0.0.0/24 and records the label information advertised by R2.

[Figure: LFIB built from LIB and CEF]

3. When a router updates its CEF table, it also maintains the LFIB table, which is built from the LIB table and the CEF table.

2.5. MPLS architecture

Control plane: exchanges Layer 3 routing information (OSPF/IS-IS/BGP, etc.) and labels (LDP)

* The IGP populates the RIB table
* LDP assigns labels to prefixes to form the LIB table

Key points at the control plane:

* routing protocol
* IP routing table (RIB)
* label distribution protocol (LDP)

Data plane: forwards data based on labels

Key points at the data plane:

* IP forwarding table (FIB)
* label forwarding table (LFIB)

Principle analysis: the IGP generates the RIB table and LDP generates the LIB table; LDP attaches a label to each routing prefix, and together these form the LFIB table (LDP generates a local LIB, then advertises the bindings to its neighbors through LDP, thus forming the LFIB table).

2.6. Device roles in MPLS networks

The device roles in an MPLS network simply distinguish the function of each device, and there are three types:

1. Ingress LSR (LSR: Label Switching Router);

2. Egress LSR;

3. Intermediate LSR along the path.

In the figure above, R1 is the ingress LSR, R2 is the intermediate LSR, and R3 is the egress LSR.

2.7. Summary of MPLS advantages

* MPLS avoids the hop-by-hop forwarding of IP routing and reduces deep inspection of packets: labels establish a Layer 2 fast forwarding path, so data is forwarded quickly along a pre-established path;

* A packet undergoes a Layer 3 lookup only at the ingress router of the MPLS network; each subsequent LSR performs a simple label swap without analyzing Layer 3 information again;

* Each LSR must build its LIB (Label Information Base) and LFIB (Label Forwarding Information Base) before forwarding data. When an LSR receives a labeled frame, it looks up the label in its LFIB and performs the action the entry indicates: push, swap, or pop (remove) the label.

3. Detailed explanation of MPLS VPN

3.1. MPLS VPN network structure

[Figure: MPLS VPN network structure with CE, PE and P devices]

P: (Provider) Operator network equipment other than PE in the operator network

PE: (Provider Edge) edge network device that connects the operator's network and the customer (user) network

CE: (Customer Edge) The edge network device that connects the customer (user) network and the operator's network

"Operator" is a general term here; it does not have to be one of the three major carriers.

3.2. MPLS VPN access method

The access method mainly refers to the connection method between CE and PE.

1. Direct link access (direct connection) - POS/GE/FE and other interfaces are directly connected;

2. VLAN TRUNK mode access;

3. Layer 2 tunnel access - L2TP/PPPoE, etc.;

4. Layer 3 tunnel access - GRE/IPsec, etc.;

Access protocol supports IGP or BGP

IGP supports static routing, RIP, OSPF, ISIS, etc.

BGP supports EBGP.

The only difference between IGP and BGP access is that IGP routes must be redistributed into MP-BGP, whereas EBGP already provides this redistribution (the routes are written directly into the VRF).

3.3. Composition principle of MPLS VPN

1. The network architecture of MPLS VPN is completed by the operator. In this architecture, the operator provides VPN services to users, and users are unaware of the existence of the operator's network.

2. The P device is unaware of the VPN, because it is only responsible for data transport within MPLS; it only needs to support the MPLS protocol.

3. All VPN construction, connection and management for user networks are performed on the PE.

4. From the PE's perspective, the user's network (CE) is a site. A CE can contain multiple sites, and one or more sites form a VPN.

5. Communication between CE and CE is completed through the VPN tunnel between PE and PE of the intermediate operator.

6. Any two VPNs without a common site can use overlapping address spaces, which all depend on the VRF on the PE.

3.4. VRF, RD, RT, MP-iBGP, vpnv4 routing, dual labels (inner and outer layers) in MPLS VPN

1. VRF: Virtual Routing and Forwarding, an instance of VPN routing and forwarding. Each VRF has its own independent routing table. "Virtual" means that multiple routing tables are virtualized on one router and isolated from each other; in effect, a VRF instance behaves like a separate router, but one virtualized on a physical router.

2. RD: Route Distinguisher, which solves the address-conflict problem. It adds a 64-bit field to the IPv4 route so that the address remains globally unique after entering the PE.

3. RT: Route Target, an extended community attribute of BGP. It is divided into export target and import target and can be thought of as the door of the VRF routing table: routes leaving the VRF carry the export attribute, and routes entering are compared against the import attribute.

4. MP-iBGP: exchanges routing information and allocates private-network (VPN) labels between PEs. The private-network label is generated randomly (it is a control-plane label).

5. vpnv4 routing: RD + IPv4 routing = vpnv4 routing.

6. Double labels: both the inner and outer labels are applied at the data forwarding level. The inner label mainly distinguishes which VRF the packet belongs to. The outer label mainly forwards the packet within the domain (the outer label is closely tied to the address of the next-hop egress PE router).

3.5. Principles of MPLS VPN (control plane and forwarding plane)

[Figure: MPLS VPN control plane and forwarding plane]

LDP protocol: distributes outer labels between PE-P and P-P, and establishes a tunnel LSP from the ingress PE to the egress PE.

MP-BGP protocol: The ingress PE and egress PE exchange VPN routes and are used to establish VPN labels.

PE: Receive user IP packets, identify the VPN, select the VRF table corresponding to the VPN, find the next hop exit of the VPN, add the inner label of the VPN, find the exit of the next hop PE, and add the outer label.

Important: MPLS tunnels contain two layers of labels, the outer label is the tunnel LSP label, and the inner label is the VPN label.

Routing update (control plane): IGP or EBGP can be used to advertise plain IPv4 routes between CE and PE. When the PE receives a route in a VRF, the IPv4 route is installed in that VRF routing table, redistributed into MP-BGP, and given an RD and an RT (export). The backbone PEs are connected through MP-BGP: IBGP advertises vpnv4 routes with labels and RTs (the IPv4 address, route distinguisher RD, route target RT, VPN label, and next-hop PE address). When the route reaches the peer PE, the RT (import) of the peer PE determines which VRF the route is injected into. The peer PE then removes the RD, RT and label attributes and advertises the IPv4 route to the peer CE.

Data forwarding (data plane): When the CE router forwards a VPN packet to the ingress PE router, the PE looks up the VRF corresponding to that VPN and obtains from it a VPN label and the address of the next-hop egress PE router. The VPN label is placed on the VPN packet as the inner label. Using the address of the next-hop egress PE, the PE looks up in its global routing table the intra-domain label to push, that is, the outer label; the VPN packet now carries two labels. The backbone P routers forward the VPN packet based on the outer label. At the last P router (note: a P router, not the PE), the outer label is popped, leaving only the inner label on the VPN packet (this is the penultimate hop popping mechanism), and the packet is sent to the egress PE router. The egress PE finds the corresponding exit from the inner label, removes the inner label, and forwards the now unlabeled VPN packet to the correct CE router, which forwards it to the final destination based on its own routing table.


Key distinctions:

1. Two routing tables on the PE: VRF routing table and global routing table

The VRF routing table and the global routing table are stored on the PE respectively. The VRF routing table stores VPN routes, and the global routing table stores the operator's intra-domain routes.

2. Outer label exchange

All PE and P routers run the backbone's intra-domain routing (OSPF, IS-IS, etc.). The resulting routing table triggers the establishment of LSPs in the backbone (topology-driven mode). LSPs are established through signaling protocols such as LDP or RSVP, producing the label forwarding table used to swap the outer labels of VPN packets. (During data forwarding, when the PE receives a packet from the CE, the VRF lookup attaches the inner VPN label and yields the address of the next-hop egress PE router; the outer label is chosen based on that address. This next-hop address is therefore the link between intra-domain routing and VPN routing.)
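The RD/RT mechanics of section 3.4 and the dual-label forwarding of section 3.5, as an added Python model that is not part of the original article: two VRFs on PE1 carry the same customer prefix 10.1.0.0/24, the RD keeps the two vpnv4 routes distinct, the import RT decides which VRF on PE2 installs each route, and PE2 as ingress builds an [outer, inner] label stack whose inner label PE1 maps back to the right VRF after the penultimate P router has popped the outer label. The RDs, RTs, loopbacks, label values and the one-VPN-label-per-VRF allocation are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Vrf:
    name: str
    rd: str          # route distinguisher prepended to the IPv4 prefix (constructed value)
    export_rt: str   # RT attached to routes leaving this VRF
    import_rt: str   # RT an incoming vpnv4 route must carry to be installed here
    label: int = 0   # VPN (inner) label; assumption: one label per VRF
    routes: dict = field(default_factory=dict)   # prefix -> CE name, or (egress PE, VPN label)

@dataclass
class Pe:
    loopback: str                                   # MP-BGP next hop seen by the peer PE
    vrfs: dict = field(default_factory=dict)
    vpn_labels: dict = field(default_factory=dict)  # inner label -> VRF name (egress lookup)
    next_label: int = 1000

    def add_vrf(self, vrf):
        vrf.label, self.next_label = self.next_label, self.next_label + 1
        self.vrfs[vrf.name] = vrf
        self.vpn_labels[vrf.label] = vrf.name

    def export_vpnv4(self):
        """MP-iBGP export: vpnv4 route = RD + IPv4 prefix, plus export RT, VPN label, next hop."""
        return [{"rd": v.rd, "prefix": p, "rt": v.export_rt, "label": v.label, "next_hop": self.loopback}
                for v in self.vrfs.values() for p in v.routes]

    def import_vpnv4(self, updates):
        """Peer PE: match the RT against each VRF's import RT, strip the RD, install as IPv4."""
        for u in updates:
            for v in self.vrfs.values():
                if u["rt"] == v.import_rt:
                    v.routes[u["prefix"]] = (u["next_hop"], u["label"])

def encapsulate(pe, vrf_name, prefix, ldp_labels):
    """Ingress PE data plane: inner label from the VRF, outer label from LDP for the egress PE."""
    next_hop_pe, vpn_label = pe.vrfs[vrf_name].routes[prefix]
    return [ldp_labels[next_hop_pe], vpn_label]     # outer label first, inner (bottom) last

def demo():
    pe1, pe2 = Pe("1.1.1.1"), Pe("2.2.2.2")
    for pe in (pe1, pe2):                            # both PEs configure the same RTs
        pe.add_vrf(Vrf("A", "65000:1", "65000:100", "65000:100"))
        pe.add_vrf(Vrf("B", "65000:2", "65000:200", "65000:200"))
    pe1.vrfs["A"].routes["10.1.0.0/24"] = "CE-A1"   # same prefix in two VPNs (overlap)
    pe1.vrfs["B"].routes["10.1.0.0/24"] = "CE-B1"
    updates = pe1.export_vpnv4()
    pe2.import_vpnv4(updates)
    ldp = {"1.1.1.1": 20}                            # outer (tunnel) label PE2 learned for PE1
    stack_a = encapsulate(pe2, "A", "10.1.0.0/24", ldp)
    stack_b = encapsulate(pe2, "B", "10.1.0.0/24", ldp)
    # after the penultimate P router pops the outer label, PE1 maps the inner label to its VRF
    return updates, stack_a, stack_b, pe1.vpn_labels[stack_a[1]], pe1.vpn_labels[stack_b[1]]
```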


3.6. MPLS VPN analysis

3.6.1. Implementation goals of MPLS VPN

1. The tunnel is established between PE and PE, and users do not need to maintain their own VPN tunnels;

2. The deployment and route publishing of VPN tunnels become dynamic.

3.6.2. Problems solved by MPLS VPN

1. Provide a way to dynamically establish tunnels;

2. Solve the problem of different VPNs sharing the same address space.

3.6.3. Benefits of using BGP to transmit VPN routes

VPN routing information can be passed directly between PEs, and the P router does not contain any VPN routing information.

3.7. MPLS VPN application scenarios

1. IP bearer networks built by the three major operators: for example, China Unicom's A network and B network both use an MPLS VPN architecture to carry large-customer services, fixed-line transmission services, Baoshitong, video surveillance, 114/116 services, self-operated services, Internet services, etc.

2. The WANs of large OTT and cloud vendors all use MPLS VPN architecture, such as Alibaba Cloud's WAN.

3. Government departments and state-owned enterprises have multiple business systems whose data must be isolated from each other while still allowing mutual access where needed, so MPLS VPN architecture is used to achieve both isolation and mutual access;

4. The metropolitan area networks of secondary ISP operators and secondary IDC operators all adopt MPLS VPN architecture.


Origin blog.csdn.net/weixin_68261415/article/details/134374762