Basic Principles of MPLS/VPN and Its configuration in ZXR10

Source: Internet
Author: User

MPLS description

MPLS (Multi-Protocol Label Switching) is a multi-layer switching technology for the Internet core. It separates the control plane (IP routing and label distribution) from the forwarding plane (label switching), so that transit routers forward on a short fixed-length label rather than a longest-prefix IP lookup, which accelerates forwarding. MPLS also runs over any link-layer technology, which simplifies the migration to a next-generation optical Internet based on SONET/WDM and IP/WDM. This article mainly describes how the label forwarding table is generated and how an IP packet is forwarded through an MPLS network.

MPLS Label Stack Header

Figure 1 MPLS Label Stack Header


The 32-bit MPLS label stack entry consists of the following fields (Figure 1):

Label (20 bits): the MPLS label value itself. Values 0 to 15 are reserved (for example 0 is IPv4 Explicit NULL and 3 is Implicit NULL) and are never assigned to a route.

CoS/EXP field (3 bits): used by the queuing and discard algorithms applied to packets as they pass through the network (renamed the Traffic Class field by RFC 5462).

S bit (1 bit): the bottom-of-stack indicator. It is set on the last entry when labels are stacked, and a receiver must keep reading entries until it sees it.

TTL (8 bits): provides the traditional IP TTL function for labeled packets.
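
As an added example (not part of the original article), the following Python code encodes and decodes label stack entries with exactly this layout and walks a stack until the S bit is set. The two-label sample frame and its dummy IPv4 payload are constructed here for illustration; the reserved-label names are those of RFC 3032.

```python
import struct

# Reserved label values (RFC 3032); an LSR never assigns these to a route.
RESERVED_LABELS = {
    0: "IPv4 Explicit NULL",
    1: "Router Alert",
    2: "IPv6 Explicit NULL",
    3: "Implicit NULL",
}


def encode_entry(label, tc=0, s=0, ttl=64):
    """Pack one 32-bit label stack entry: label(20) | tc(3) | s(1) | ttl(8)."""
    if not (0 <= label < 1 << 20 and 0 <= tc < 8 and s in (0, 1) and 0 <= ttl < 256):
        raise ValueError("field out of range")
    return struct.pack("!I", (label << 12) | (tc << 9) | (s << 8) | ttl)


def decode_entry(word):
    """Split a 32-bit entry into its fields."""
    label = (word >> 12) & 0xFFFFF
    return {
        "label": label,                   # 20-bit label value
        "tc": (word >> 9) & 0x7,          # 3-bit CoS/EXP (Traffic Class)
        "s": (word >> 8) & 0x1,           # bottom-of-stack bit
        "ttl": word & 0xFF,               # 8-bit TTL
        "reserved": RESERVED_LABELS.get(label),
    }


def parse_label_stack(frame):
    """Read entries until one has S=1; return (entries, payload after the stack).

    A stack that runs off the end of the frame without an S=1 entry is malformed,
    so it is rejected rather than treated as an unlabeled packet.
    """
    entries = []
    offset = 0
    while True:
        if offset + 4 > len(frame):
            raise ValueError("label stack not terminated by an S=1 entry")
        (word,) = struct.unpack_from("!I", frame, offset)
        entry = decode_entry(word)
        entries.append(entry)
        offset += 4
        if entry["s"]:
            return entries, frame[offset:]


# Constructed sample: transport label 30 on top of VPN label 1001, followed by a
# dummy 20-byte IPv4 header (version/IHL byte 0x45, rest zeroed).
SAMPLE_FRAME = (
    encode_entry(30, tc=5, s=0, ttl=63)
    + encode_entry(1001, tc=5, s=1, ttl=63)
    + b"\x45" + b"\x00" * 19
)

if __name__ == "__main__":
    stack, payload = parse_label_stack(SAMPLE_FRAME)
    for e in stack:
        print(e)
    print("payload bytes:", len(payload))
```

The parser deliberately refuses a stack with no bottom-of-stack entry instead of falling through to the IP payload; a forwarding engine that did the latter could be made to interpret attacker-chosen label bytes as an IP header.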

Label Forwarding Table Generation Process

1. Routing tables are generated between routers through routing protocols or static routes.

Figure 2 Routing tables are generated between routers through routing protocols or static routes

As shown in Figure 2, if OSPF runs between routers A, B, C, and D, router A learns the route to router D's network 211.91.168.0/24.

2. Each router running MPLS assigns a label to the routes in its routing table.

Figure 3 Routers running MPLS assign labels to the routes in the routing table

In Figure 3, routers A, B, C, and D all have a route to 211.91.168.0/24. Assuming all of them run MPLS, each router assigns a locally significant label to this route.

3. Use LDP or RSVP to discover MPLS neighbors.

Assume LDP is enabled on every router interface. Through LDP, router A learns that router B is its MPLS neighbor, router B learns that A and C are its MPLS neighbors, router C learns that B and D are its MPLS neighbors, and router D's MPLS neighbor is C.

4. Advertise the labeled route to MPLS neighbors.

Each router advertises its label for the route to all its MPLS neighbors, regardless of whether it has already learned a label for that route from a neighbor. Figure 4 shows the labels for route 211.91.168.0/24 on each router.

Figure 4 Labels on each router

5. Each router adds the label advertised by its next-hop router to its forwarding table. In practice a router forwards IP packets whose destination is not a local address to the next hop, so in MPLS it only installs the label that the next-hop router advertised for that route. The resulting forwarding entries for 211.91.168.0/24 are shown in Figure 5.

Figure 5 Each router adds the label advertised by its next-hop router to its forwarding table

IP packet forwarding in MPLS networks

1. The MPLS ingress router looks up the routing table based on the destination address.

For example, assume an IP packet destined to 211.91.168.0/24 arrives at router A. Router A looks up its routing table and finds that the next hop for the route is router B.

2. Label the IP packet and forward it to the next-hop router.

In the preceding example, router A pushes the label that router B advertised for 211.91.168.0/24 onto the packet and forwards it to router B.

3. The next-hop router looks up its label forwarding table, swaps the label, and continues forwarding.

In the above example, when the labeled packet arrives at router B, the router no longer looks up the routing table by destination address but looks up the label forwarding table by the incoming label. The outgoing label from A is the incoming label at B, that is, the label B advertised to A. Router B swaps the incoming label for the outgoing label (label 20 is replaced with label 30) and forwards the packet to the next-hop router C. Router C likewise swaps the label and sends the packet with label 40 to router D.

4. The egress router looks up its forwarding table, finds that the destination network is local, pops the label, and passes the packet to the corresponding port for processing.

In the preceding example, router D looks up its label forwarding table and finds that the packet's destination is itself. The label is popped and the label switching process ends.
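
The five table-building steps and the four forwarding steps above can be run end to end. The Python below is an added example, not code from the article: it uses the next hops of Figure 2 and the labels the text gives (B advertises 20, C advertises 30, D advertises 40; the label A advertises is an assumed value, 10, because the text does not state it), builds the per-router tables of step 5, and traces a packet from A to D. It also shows the two failure modes a transit router must handle, an unknown incoming label and an expired TTL, both of which drop the packet rather than fall back to an IP lookup.

```python
from ipaddress import ip_address, ip_network

PREFIX = ip_network("211.91.168.0/24")

# Step 1: next hop for PREFIX from each router's OSPF routing table (Figure 2); D is the egress.
NEXT_HOP = {"A": "B", "B": "C", "C": "D", "D": None}

# Steps 2-4: the label each router assigned to PREFIX and advertised to its LDP neighbors.
# B=20, C=30 and D=40 come from the text; A's own label (10) is an assumed value.
ADVERTISED = {"A": 10, "B": 20, "C": 30, "D": 40}


def build_tables():
    """Step 5: keep only the label the next hop advertised.

    fib[router]  : prefix -> (out_label, next_hop)     used by the ingress IP lookup
    lfib[router] : in_label -> (out_label, next_hop)   used by transit and egress LSRs;
                   out_label None means the prefix is local, so the label is popped
    """
    fib, lfib = {}, {}
    for router, nh in NEXT_HOP.items():
        out_label = ADVERTISED[nh] if nh else None
        fib[router] = {PREFIX: (out_label, nh)}
        lfib[router] = {ADVERTISED[router]: (out_label, nh)}
    return fib, lfib


def switch_label(lfib, router, label):
    """One LSR step on an already-labeled packet: returns (action, out_label, next_hop)."""
    entry = lfib[router].get(label)
    if entry is None:
        return "drop: unknown label", None, None   # no LFIB entry: discard, never IP-route it
    out_label, nh = entry
    if out_label is None:
        return "pop", None, None                    # egress: strip the label, hand to IP
    return "swap", out_label, nh


def forward(dst, ingress="A", ttl=64):
    """Trace a packet through the LSP as a list of (router, action, label) tuples."""
    fib, lfib = build_tables()
    dst = ip_address(dst)
    trace = []
    # Steps 1-2: ingress does a longest-prefix IP lookup and pushes the next hop's label.
    match = max((p for p in fib[ingress] if dst in p), key=lambda p: p.prefixlen, default=None)
    if match is None:
        return [(ingress, "drop: no route", None)]
    label, router = fib[ingress][match]
    trace.append((ingress, "push", label))
    # Steps 3-4: every further hop looks at the label only.
    while True:
        ttl -= 1                                    # the label TTL is decremented per LSR
        if ttl == 0:
            trace.append((router, "drop: ttl expired", label))
            return trace
        action, out_label, nh = switch_label(lfib, router, label)
        if action == "swap":
            trace.append((router, action, out_label))
            label, router = out_label, nh
        else:
            trace.append((router, action, label))
            return trace


if __name__ == "__main__":
    for hop in forward("211.91.168.55"):
        print(hop)
```

Running it prints the push at A, the 20 to 30 swap at B, the 30 to 40 swap at C and the pop at D, matching the walk-through above.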

Implementation of VPN in MPLS

RFC 2547bis (published as RFC 4364) defines a mechanism that allows service providers to use their IP backbone to provide VPN services to customers. RFC 2547bis is also called BGP/MPLS VPN because BGP is used to distribute VPN routing information across the provider backbone, and MPLS is used to forward VPN traffic from one VPN site to another. The common terms used in MPLS VPN are described first, followed by the basic principles and typical network designs.

Common Terms in MPLS/VPN

PE router: the Provider Edge router. It is responsible for connecting customer networks to the provider network.

P router: the Provider router. A P router is a router in the provider network that does not connect to any CE device.

CE router: the Customer Edge device. A CE router connects to one or more PE routers to give the customer site access to the service provider network.

VPN-IPv4 address: VPN customers usually plan their networks with private addresses. When different VPN customers use the same private address space, the backbone cannot tell their routes apart. A VPN-IPv4 address is formed by prepending an 8-byte Route Distinguisher to the 4-byte IPv4 address so that such routes remain distinct.

Route Distinguisher (RD): the first 8 bytes of the VPN-IPv4 address, used to distinguish the same private address in different VPNs. The RD only makes routes unique; it carries no policy.

Route Target (RT): an extended community attribute carried in MP-BGP. The export RT defines the set of sites (VRFs) to which a PE distributes a route, and a PE uses the import RT to decide which remote routes are installed in a VRF. VPN isolation rests entirely on this import/export policy, so a mistyped import RT leaks one customer's routes into another's VRF; RT assignments should be reviewed with that in mind.

VPN Routing and Forwarding table (VRF): each PE router maintains a VRF for each directly connected site. Each customer link is mapped to a specific VRF, so a VRF is associated with the PE interfaces bound to it.
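
To make the relationship between the RD and the VPN-IPv4 address concrete, the following Python is an added example (not from the article) that encodes the three RD formats of RFC 4364 section 4.2 (type 0: 2-byte AS number, type 1: IPv4 address, type 2: 4-byte AS number) and builds the 12-byte VPN-IPv4 prefix. The RDs 100:1 and 100:2 and the overlapping customer prefix 10.1.1.0/24 are constructed values.

```python
import struct
from ipaddress import IPv4Address, IPv4Network


def encode_rd(rd):
    """Encode 'ASN:nn' or 'A.B.C.D:nn' into the 8-byte RD of RFC 4364 section 4.2.

    type 0: 2-byte AS number  + 4-byte assigned number
    type 1: 4-byte IPv4 address + 2-byte assigned number
    type 2: 4-byte AS number  + 2-byte assigned number
    """
    admin, sep, assigned = rd.partition(":")
    if not sep or not assigned.isdigit():
        raise ValueError(f"malformed RD {rd!r}")
    assigned = int(assigned)
    if "." in admin:
        if assigned >= 1 << 16:
            raise ValueError("type 1 assigned number is 16 bits")
        return struct.pack("!H4sH", 1, IPv4Address(admin).packed, assigned)
    asn = int(admin)
    if asn >= 1 << 32:
        raise ValueError("AS number is at most 32 bits")
    if asn < 1 << 16:
        if assigned >= 1 << 32:
            raise ValueError("type 0 assigned number is 32 bits")
        return struct.pack("!HHI", 0, asn, assigned)
    if assigned >= 1 << 16:
        raise ValueError("type 2 assigned number is 16 bits")
    return struct.pack("!HIH", 2, asn, assigned)


def decode_rd(raw):
    """Inverse of encode_rd; rejects unknown type fields instead of guessing."""
    rd_type = struct.unpack_from("!H", raw)[0]
    if rd_type == 0:
        _, asn, n = struct.unpack("!HHI", raw)
        return f"{asn}:{n}"
    if rd_type == 1:
        _, ip, n = struct.unpack("!H4sH", raw)
        return f"{IPv4Address(ip)}:{n}"
    if rd_type == 2:
        _, asn, n = struct.unpack("!HIH", raw)
        return f"{asn}:{n}"
    raise ValueError(f"unknown RD type {rd_type}")


def vpnv4_prefix(rd, prefix):
    """12-byte VPN-IPv4 address: the RD followed by the IPv4 network address."""
    return encode_rd(rd) + IPv4Network(prefix).network_address.packed


# Constructed sample: two customers that both numbered a site 10.1.1.0/24.
VPN1_RD, VPN2_RD = "100:1", "100:2"
SHARED_PREFIX = "10.1.1.0/24"


def distinct_in_backbone():
    """True when the RD turns the two identical customer routes into different VPN-IPv4 prefixes."""
    return vpnv4_prefix(VPN1_RD, SHARED_PREFIX) != vpnv4_prefix(VPN2_RD, SHARED_PREFIX)


if __name__ == "__main__":
    print(vpnv4_prefix(VPN1_RD, SHARED_PREFIX).hex())
    print(vpnv4_prefix(VPN2_RD, SHARED_PREFIX).hex())
    print("distinct:", distinct_in_backbone())
```

The two printed prefixes differ only in the RD bytes, which is all MP-BGP needs to carry both routes side by side; whether a VRF is allowed to import either of them is decided by the RT, not by the RD.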

Implementation of VPN in MPLS network

Network Topology description

Assume that a service provider has an IP backbone that provides BGP/MPLS VPN services to different enterprises. The network has three PE routers connected to four different customer sites.

Figure 6 Network Topology

In Figure 6, CE1 and CE3 belong to the same VPN (VPN1), and CE2 and CE4 belong to the same VPN (VPN2). Any host in Site 1 (CE1) can communicate with any host in Site 3 (CE3). Any host in Site 2 (CE2) can communicate with any host in Site 4 (CE4).

Routing Learning Process

Before a customer site can send VPN traffic to a remote site, the VPN routing information must be distributed from each customer site to the others across the backbone. The PE router learns routes from its directly connected CE router. The ingress PE distributes the routes to the egress PE across the backbone, and the egress PE distributes them to its CE.

Tag forwarding process

In the network, only the PE and P routers run the label distribution protocol; the CE routers do not take part in label switching.

In Figure 6, CE1 and CE3 belong to the same VPN. When a customer host behind CE1 needs to send traffic to a host behind CE3:

The CE1 router looks up its routing table and sends the packet to the PE1 router;

PE1 finds that the interface from CE1 belongs to VRF1, looks up the VRF1 table, and finds that the next hop for the destination is its MP-BGP peer PE2;

PE1 then looks up its global routing table and finds that the next hop toward PE2 is the P1 router;

PE1 labels the packet (the VPN label that PE2 advertised for the route via MP-BGP, with the LDP label toward PE2 on top) and forwards it to P1;

The packet is label-switched by the intermediate P routers until it reaches PE2;

PE2 pops the labels, using the inner VPN label to select VRF1, looks up the VRF1 route and forwards the packet to CE3;

The packet reaches the customer host behind CE3.

Typical MPLS/VPN networking

MESH Mode

Figure 7 typical networking Diagram


MESH (full mesh) is the most common VPN service and the most basic customer requirement for a VPN.

The basic VPN service requires that customers in the same VPN can communicate with each other while customers in different VPNs cannot. As shown in Figure 7, the sites of VPN1 communicate with each other, but VPN1 and VPN2 do not.

HUB-SPOKE Mode

For large customers with many subsidiaries, the basic VPN service may not meet their needs. Typically the head office needs to monitor communication between subsidiaries and to communicate directly with each subsidiary. This requires that traffic between subsidiaries transit the head office.

Figure 8 HUB-SPOKE Mode

As shown in the typical network diagram of Figure 8, the head office can communicate directly with subsidiary 1 and subsidiary 2, while subsidiary 1 and subsidiary 2 must communicate with each other through the head office, so the head office can monitor traffic between the subsidiaries. PE-3 is the HUB router and PE-1 and PE-2 are the SPOKE routers.
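
The difference between the mesh and hub-and-spoke designs is purely a matter of which RTs each VRF imports and exports. The Python below is an added example, not a configuration from the article: it models the PEs of Figure 7 and Figure 8 with constructed RD and RT values, applies the export/import filter MP-BGP applies, and includes an audit that flags any VRF whose import RTs would pull in routes of another customer, which is the check to run before trusting the isolation. In the hub-and-spoke case the hub site has to re-advertise the spoke routes (or a default route) back towards the spokes, which is why the hub VRF here exports 10.2.0.0/24 and 0.0.0.0/0.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Vrf:
    name: str
    pe: str
    customer: str            # which customer the VRF serves (used by the audit only)
    rd: str
    import_rts: frozenset    # RTs a remote route must carry to be installed here
    export_rts: frozenset    # RTs attached to the routes this VRF advertises
    local_prefixes: tuple    # routes learned from the attached CE


@dataclass(frozen=True)
class VpnRoute:
    rd: str
    prefix: str
    origin: str              # name of the exporting VRF
    rts: frozenset           # route-target extended communities carried in MP-BGP


def rt(*values):
    return frozenset(values)


def advertise(vrfs):
    """Export: each PE turns its VRF's CE routes into VPNv4 routes tagged with the export RTs."""
    return [VpnRoute(v.rd, p, v.name, v.export_rts) for v in vrfs for p in v.local_prefixes]


def install(vrf, routes):
    """Import: keep a route only if at least one of its RTs is in the VRF's import set."""
    return sorted((r.prefix, r.origin) for r in routes
                  if r.rd != vrf.rd and r.rts & vrf.import_rts)


def vrf_table(vrfs, name):
    vrf = next(v for v in vrfs if v.name == name)
    return install(vrf, advertise(vrfs))


def find_leaks(vrfs):
    """Audit: (importer, exporter) pairs where one customer's VRF would accept another's routes."""
    return sorted((dst.name, src.name) for dst in vrfs for src in vrfs
                  if dst.customer != src.customer and dst.import_rts & src.export_rts)


# Figure 7, mesh: every VRF of a customer imports and exports the same RT. Constructed values.
MESH = (
    Vrf("vpn1-site1", "PE1", "vpn1", "100:101", rt("100:1"), rt("100:1"), ("10.1.1.0/24",)),
    Vrf("vpn1-site3", "PE2", "vpn1", "100:103", rt("100:1"), rt("100:1"), ("10.1.3.0/24",)),
    Vrf("vpn2-site2", "PE1", "vpn2", "100:102", rt("100:2"), rt("100:2"), ("10.1.1.0/24",)),  # same prefix as VPN1
    Vrf("vpn2-site4", "PE2", "vpn2", "100:104", rt("100:2"), rt("100:2"), ("10.1.4.0/24",)),
)

# Figure 8, hub-and-spoke: spokes export 100:11 and import 100:10, the hub does the reverse, so
# spoke routes reach only the hub and spokes see only what the hub re-advertises.
HUB_SPOKE = (
    Vrf("sub1", "PE-1", "corp", "100:21", rt("100:10"), rt("100:11"), ("10.2.1.0/24",)),
    Vrf("sub2", "PE-2", "corp", "100:22", rt("100:10"), rt("100:11"), ("10.2.2.0/24",)),
    Vrf("hq",   "PE-3", "corp", "100:20", rt("100:11"), rt("100:10"), ("10.2.0.0/24", "0.0.0.0/0")),
)


def mistyped_import_leaks():
    """One wrong digit in vpn2-site2's import RT ('100:1' for '100:2') is enough to breach isolation."""
    bad = tuple(replace(v, import_rts=rt("100:1")) if v.name == "vpn2-site2" else v for v in MESH)
    return find_leaks(bad)


if __name__ == "__main__":
    for name in ("vpn1-site1", "vpn2-site2"):
        print(name, vrf_table(MESH, name))
    for name in ("sub1", "hq"):
        print(name, vrf_table(HUB_SPOKE, name))
    print("leaks in mesh:", find_leaks(MESH))
    print("leaks after typo:", mistyped_import_leaks())
```

Nothing in the backbone encrypts or authenticates customer traffic; the separation shown here is a routing-policy property of the PEs, so the audit should be rerun whenever a VRF's RTs change.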

INTERNET access

VPN customers use private IP addresses to communicate among their sites and can plan their internal networks freely, but they may also need to connect to the Internet.

Figure 9 INTERNET access

As shown in Figure 9, Internet access can be provided by running NAT on a gateway of VPN1 to translate private IP addresses to public ones. That gateway is then the only point where VPN1 meets the Internet, so it is where the customer's inbound filtering has to sit.

Configure MPLS/VPN in ZXR10

Steps for configuring MPLS/VPN in ZXR10

Currently the most common MPLS/VPN platforms in the ZXR10 family are the T64E/T128, T32C/T64C, and other high-end routers. In the E series, boards on the T64E/T128 that support MPLS/VPN include the 8-port FEI board, 2-port GEI board, 4-port POS3 board, and E1 board. In the C series, the GEI and POS boards support MPLS/VPN.

For the T64E/T128, MPLS/VPN requires a software version later than V1.2 or the platform version. For C series routers, a version later than ros9302 is required. The main steps for configuring MPLS/VPN services on ZXR10 are as follows.

1. Define a VPN name, that is, a VRF name, on the PE router. The name can be 1 to 16 characters long. Note that the name is only locally significant; it is used when an interface is bound to the VPN.

2. Define the Route Distinguisher (RD) and Route Target (RT) for the VRF, that is, the import and export policy MP-BGP uses to keep the VPNs apart.

3. Bind the specified interface to the VRF. If an IP address was configured on the interface beforehand, delete the original address, bind the interface, and then configure the address again.

4. Define the VRF routes. Static routes can be defined between the PE router and the CE router, or a dynamic routing protocol can run between them.

5. Configure MP-BGP. After the PE router learns VRF routes from the CE router, it must run MP-BGP to advertise them to the other PEs. To configure MP-BGP:

(1) In BGP configuration mode, use the neighbor command to specify the PE peer, which must be an iBGP peer;

(2) Enter the BGP vpnv4 address-family mode and activate the peer;

(3) For each VRF, redistribute its routes (connected, static, OSPF, and IS-IS) into MP-BGP.
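
Since the article does not show the command lines, the following Python is an added example (not ZXR10 code) that checks a planned PE configuration, expressed as a plain dictionary whose layout is assumed here, against the constraints in the steps above: VRF name length, well-formed RD and RTs, an RD not reused by another VRF on the PE, both import and export RTs present, every VRF bound to an interface that has an address, and every VPNv4 peer an iBGP peer that has been activated. The interface names, addresses and AS numbers in the two sample configurations are constructed.

```python
import re

# RD and RT both take the form ASN:nn or A.B.C.D:nn
RD_RT_RE = re.compile(r"^(\d{1,10}|\d{1,3}(\.\d{1,3}){3}):\d{1,10}$")


def check_pe_config(cfg):
    """Return the list of problems found in a planned PE configuration (empty list = clean).

    cfg layout (an assumption of this example, not a ZXR10 format):
      local_as    : AS number of the provider backbone
      vrfs        : {name: {"rd": str, "import": [rt, ...], "export": [rt, ...]}}
      interfaces  : {ifname: {"vrf": name or None, "ip": "a.b.c.d/m" or None}}
      vpnv4_peers : {peer_ip: {"remote_as": int, "activated": bool}}
    """
    problems = []
    rd_owner = {}
    for name, v in cfg["vrfs"].items():
        # step 1: locally significant VRF name, 1 to 16 characters
        if not 1 <= len(name) <= 16:
            problems.append(f"vrf {name}: name must be 1-16 characters")
        # step 2: RD well formed and not reused, import and export RTs present and well formed
        rd = v.get("rd", "")
        if not RD_RT_RE.match(rd):
            problems.append(f"vrf {name}: RD must be ASN:nn or A.B.C.D:nn")
        elif rd in rd_owner:
            problems.append(f"vrf {name}: RD {rd} already used by vrf {rd_owner[rd]}, overlapping prefixes would collide")
        else:
            rd_owner[rd] = name
        for direction in ("import", "export"):
            rts = v.get(direction) or []
            if not rts:
                problems.append(f"vrf {name}: no {direction} route-target")
            for target in rts:
                if not RD_RT_RE.match(target):
                    problems.append(f"vrf {name}: malformed {direction} route-target {target}")
        # step 3: a VRF with no interface bound carries no customer traffic
        if not any(i.get("vrf") == name for i in cfg["interfaces"].values()):
            problems.append(f"vrf {name}: no interface bound")
    for ifname, i in cfg["interfaces"].items():
        if i.get("vrf") and i["vrf"] not in cfg["vrfs"]:
            problems.append(f"interface {ifname}: bound to undefined vrf {i['vrf']}")
        # step 3 again: the address is (re)configured after the VRF binding, so it must be present
        if i.get("vrf") and not i.get("ip"):
            problems.append(f"interface {ifname}: no IP address after VRF binding")
    # step 5: VPNv4 peers are iBGP and activated under the vpnv4 address family
    for peer, p in cfg["vpnv4_peers"].items():
        if p["remote_as"] != cfg["local_as"]:
            problems.append(f"peer {peer}: must be iBGP, remote AS {p['remote_as']} != local AS {cfg['local_as']}")
        if not p.get("activated"):
            problems.append(f"peer {peer}: not activated under address-family vpnv4")
    return problems


# Constructed sample configurations (interface names in the fei_slot/port style are assumed).
GOOD = {
    "local_as": 100,
    "vrfs": {"vpn1": {"rd": "100:1", "import": ["100:1"], "export": ["100:1"]}},
    "interfaces": {"fei_1/1": {"vrf": "vpn1", "ip": "192.168.1.1/30"}},
    "vpnv4_peers": {"10.0.0.2": {"remote_as": 100, "activated": True}},
}

BAD = {
    "local_as": 100,
    "vrfs": {
        "vpn1": {"rd": "100:1", "import": ["100:1"], "export": ["100:1"]},
        "vpn2": {"rd": "100:1", "import": ["100:2"], "export": []},   # reused RD, no export RT, no interface
    },
    "interfaces": {
        "fei_1/1": {"vrf": "vpn1", "ip": "192.168.1.1/30"},
        "fei_1/2": {"vrf": "vpn3", "ip": None},                      # undefined VRF, address never re-added
    },
    "vpnv4_peers": {"10.0.0.3": {"remote_as": 200, "activated": False}},  # eBGP and not activated
}

if __name__ == "__main__":
    print("good:", check_pe_config(GOOD))
    for problem in check_pe_config(BAD):
        print("bad:", problem)
```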

MPLS/VPN configuration instance

The following networking instance describes the application of MPLS/VPN services on ZXR10. The instance covers the independent networking configuration of the E series router.

Figure 10 Independent networking configuration of E series routers

In Figure 10, CE1 and CE2 are in the same VPN. CE1's loopback address is 100.1.1.1/24 and CE2's loopback address is 200.1.1.1/24, and each must learn the other's loopback route. BGP runs between CE1 and PE1, and OSPF runs between CE2 and PE2.
