Establishment of cross-domain (inter-AS) VPN based on the BGP protocol

Source: Internet
Author: User
Tags: reflector

When the sites of a VPN span multiple ISPs, the PE devices need to exchange VPN routes across different AS domains, forming a cross-domain (inter-AS) VPN.

RFC 2547bis provides three cross-domain VPN solutions:

- VRF-to-VRF: sub-interfaces between the ASBRs carry the VPN routes, also known as Inter-Provider Option A;

- EBGP redistribution of labeled VPN-IPv4 routes: the ASBRs exchange labeled VPN-IPv4 routes over MP-EBGP, also known as Inter-Provider Option B;

- Multihop EBGP redistribution of labeled VPN-IPv4 routes: the PEs exchange labeled VPN-IPv4 routes over multihop MP-EBGP, also known as Inter-Provider Option C.

PS: the ASBR (Autonomous System Border Router) is the border router of the AS.

There are already many introductions to cross-domain VPN establishment on the Internet. Here we just extract some descriptions from the H3C documentation and add our own notes:

1. Use sub-interfaces between ASBRs to manage VPN routes (Option A)

In this method, the PE routers of the two ASes are directly connected, and each PE router is also the border router (ASBR) of its autonomous system.

The PEs acting as ASBRs are connected through multiple sub-interfaces. Each PE treats the other as one of its CE devices and uses conventional EBGP to advertise IPv4 routes to the peer. Inside each AS, packets are forwarded as VPN packets with a two-layer label stack; between the ASBRs, packets are forwarded as plain IP.

Ideally, each cross-domain VPN corresponds to a pair of sub-interfaces over which its VPN routing information is exchanged.

Figure 1 Networking for ASBRs using sub-interfaces to manage VPN routes

The advantage of implementing a cross-domain VPN with sub-interfaces is simplicity: no special inter-AS configuration is needed on the two PEs serving as ASBRs.

The disadvantage is poor scalability: a PE acting as ASBR must manage all VPN routes and create a VPN instance for each VPN, so the number of VPN-IPv4 routes on the PE becomes very large. In addition, creating a separate sub-interface for each VPN raises the requirements on the PE device.
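As an added illustration of Option A (this is not configuration from the H3C documentation quoted on this page), the following Cisco IOS-style configuration shows a PE in AS 100 acting as ASBR, with one VRF, one dot1Q sub-interface and one per-VRF EBGP session for each VPN toward the peer ASBR in AS 200. VRF names, VLAN IDs, addresses and AS numbers are placeholders.

```cisco
! Added example: PE1 in AS 100 acting as ASBR (Inter-AS Option A).
! One VRF, one dot1Q sub-interface and one EBGP session per VPN.
! VRF names, VLAN IDs, addresses and AS numbers are placeholders.
ip vrf VPN-A
 rd 100:1
 route-target export 100:1
 route-target import 100:1
!
ip vrf VPN-B
 rd 100:2
 route-target export 100:2
 route-target import 100:2
!
! Sub-interfaces toward the peer ASBR: each one is bound to one VRF,
! so the peer ASBR is treated as a CE of that VPN.
interface GigabitEthernet0/1.10
 description VPN-A link to ASBR in AS 200
 encapsulation dot1Q 10
 ip vrf forwarding VPN-A
 ip address 192.0.2.1 255.255.255.252
!
interface GigabitEthernet0/1.20
 description VPN-B link to ASBR in AS 200
 encapsulation dot1Q 20
 ip vrf forwarding VPN-B
 ip address 192.0.2.5 255.255.255.252
!
router bgp 100
 ! Plain IPv4 EBGP per VRF: no labels cross the AS boundary.
 address-family ipv4 vrf VPN-A
  neighbor 192.0.2.2 remote-as 200
  neighbor 192.0.2.2 activate
  neighbor 192.0.2.2 maximum-prefix 1000
 exit-address-family
 !
 address-family ipv4 vrf VPN-B
  neighbor 192.0.2.6 remote-as 200
  neighbor 192.0.2.6 activate
  neighbor 192.0.2.6 maximum-prefix 1000
 exit-address-family
```

Every additional VPN adds another VRF, sub-interface and BGP session on this PE, which is exactly the scalability limit described above. The per-VRF sessions are also where prefix limits and route filters belong, because only plain IPv4 routes of that one VPN cross the AS boundary on each sub-interface.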

2. ASBRs advertise labeled VPN-IPv4 routes over MP-EBGP (Option B)

In this method, the two ASBRs exchange, over MP-EBGP, the labeled VPN-IPv4 routes they receive from the PE routers in their respective ASes.

The route advertisement process can be divided into the following steps:

(1) A PE in AS 100 first advertises labeled VPN-IPv4 routes over MP-IBGP to the ASBR PE of AS 100, or to a route reflector that reflects the routes to the ASBR PE;

(2) The ASBR PE of AS 100 advertises the labeled VPN-IPv4 routes over MP-EBGP to the ASBR PE of AS 200 (the border router of AS 200);

(3) The ASBR PE of AS 200 then advertises the labeled VPN-IPv4 routes over MP-IBGP to the PEs within AS 200, or to a route reflector that reflects them to the PEs.

This method requires the ASBR to perform special processing of labeled VPN-IPv4 routes, so it is also called the ASBR extension method.

Figure 2 Networking for ASBRs advertising labeled VPN-IPv4 routes over MP-EBGP

In terms of scalability, advertising labeled VPN-IPv4 routes over MP-EBGP is better than managing VPN routes between ASBRs through sub-interfaces.

When using MP-EBGP, pay attention to the following:

The ASBR does not perform VPN target (route target) filtering on received VPN-IPv4 routes, so the service providers of the ASes exchanging VPN-IPv4 routes need to reach a trust agreement on this route exchange;

VPN-IPv4 route exchange occurs only between private-network peers; VPN-IPv4 routes must not be exchanged with public-network peers, nor with MP-EBGP peers with which no trust agreement has been reached.
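As an added example for Option B (not configuration from the H3C documentation), the following Cisco IOS-style configuration shows an ASBR in AS 100 that holds no VRFs and relays labeled VPN-IPv4 routes between its MP-IBGP peer (a PE) and its MP-EBGP peer (the ASBR of AS 200). It also shows how the "trust agreement" in the text can be enforced in configuration with an inbound route-target filter. Addresses, AS numbers, list numbers and route targets are placeholders.

```cisco
! Added example: ASBR1 in AS 100, Inter-AS Option B.
! ASBR1 holds no VRFs; it relays labeled VPN-IPv4 routes between the
! MP-IBGP peer (PE1, 10.0.0.1) and the MP-EBGP peer (ASBR2, 192.0.2.2).
! Addresses, AS numbers and route targets are placeholders.
mpls label protocol ldp
!
interface Loopback0
 ip address 10.0.0.2 255.255.255.255
!
interface GigabitEthernet0/0
 description MP-EBGP link to ASBR2 in AS 200
 ip address 192.0.2.1 255.255.255.252
 mpls bgp forwarding
!
! Only routes carrying the route targets agreed with AS 200 are accepted.
ip extcommunity-list 10 permit rt 100:1
ip extcommunity-list 10 permit rt 200:1
!
route-map FROM-AS200 permit 10
 match extcommunity 10
!
router bgp 100
 ! An ASBR without VRFs would drop every VPNv4 route on RT filtering;
 ! disabling the default filter is what lets it relay them at all.
 no bgp default route-target filter
 neighbor 10.0.0.1 remote-as 100
 neighbor 10.0.0.1 update-source Loopback0
 neighbor 192.0.2.2 remote-as 200
 !
 address-family vpnv4
  neighbor 10.0.0.1 activate
  neighbor 10.0.0.1 send-community extended
  neighbor 10.0.0.1 next-hop-self
  neighbor 192.0.2.2 activate
  neighbor 192.0.2.2 send-community extended
  neighbor 192.0.2.2 route-map FROM-AS200 in
  neighbor 192.0.2.2 maximum-prefix 5000
 exit-address-family
```

The FROM-AS200 route-map is the configuration counterpart of the trust agreement described above: because the ASBR itself does no route-target filtering once the default filter is disabled, the inbound policy on the MP-EBGP session is the only place where routes from the peer AS carrying route targets that were never agreed on are discarded before they are relayed to the PEs in AS 100.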

3. PEs advertise labeled VPN-IPv4 routes over multihop MP-EBGP (Option C)

Both methods above meet the requirements of cross-domain VPN networking, but both require the ASBRs to participate in maintaining and advertising VPN-IPv4 routes. When each AS needs to exchange a large number of VPN routes, the ASBR may become a bottleneck that hinders further network expansion.

The scheme that solves this scalability problem is: the ASBRs neither maintain nor advertise VPN-IPv4 routes; instead, the PEs exchange VPN-IPv4 routes directly.

Each ASBR advertises labeled IPv4 routes over MP-IBGP to the PE routers in its own AS.

VPN-IPv4 routes are not stored on the ASBRs, and VPN-IPv4 routes are not advertised between the ASBRs.

The ASBR stores the labeled IPv4 routes of the PEs in its AS and advertises them to the ASBR of the peer AS; the ASBR in the other autonomous system likewise advertises its labeled IPv4 routes. In this way, an LSP is established between the ingress PE and the egress PE.

Multihop EBGP sessions are established between PEs in different ASes, over which VPN-IPv4 routes are exchanged.

Figure 3 Networking for PEs advertising labeled VPN-IPv4 routes over multihop MP-EBGP

To improve scalability, you can designate a route reflector (RR) in each AS; the RR holds all VPN-IPv4 routes and exchanges VPN-IPv4 routing information with the PEs in its AS. A cross-domain VPNv4 session is created between the RRs of the two ASes to advertise the VPN-IPv4 routes.
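As an added example covering both the PE-to-PE form of Option C and the RR variant just described (this is not configuration from the H3C documentation), the following Cisco IOS-style configuration shows the AS 100 side: the ASBR advertises only labeled IPv4 routes for the agreed PE loopbacks, the PE learns the remote PE loopback with a label and peers with the remote PE over multihop MP-EBGP for VPN-IPv4 routes, and an RR alternatively peers with the remote RR. The AS 200 side is configured symmetrically. All device names, addresses and AS numbers are placeholders; the RR's MP-IBGP sessions to its own PEs and the IGP/LDP configuration inside the AS are omitted.

```cisco
! Added example: AS 100 side of Inter-AS Option C. The AS 200 side is
! configured symmetrically. Addresses and AS numbers are placeholders:
!   PE1 10.0.0.1   ASBR1 10.0.0.2   RR1 10.0.0.3   (AS 100)
!   PE2 10.1.0.1   ASBR2 192.0.2.2  RR2 10.1.0.3   (AS 200, link 192.0.2.0/30)
!
! --- ASBR1: labeled IPv4 routes only, no VPN-IPv4 routes at all ---
ip prefix-list PE-LOOPBACKS-AS100 seq 10 permit 10.0.0.1/32
!
route-map TO-AS200 permit 10
 match ip address prefix-list PE-LOOPBACKS-AS100
!
interface GigabitEthernet0/0
 description labeled IPv4 EBGP link to ASBR2 in AS 200
 ip address 192.0.2.1 255.255.255.252
 mpls bgp forwarding
!
router bgp 100
 neighbor 10.0.0.1 remote-as 100
 neighbor 10.0.0.1 update-source Loopback0
 neighbor 192.0.2.2 remote-as 200
 !
 address-family ipv4
  ! PE1's loopback is taken from the IGP and advertised with a label;
  ! TO-AS200 limits what the other AS learns to the agreed PE loopbacks.
  network 10.0.0.1 mask 255.255.255.255
  neighbor 10.0.0.1 activate
  neighbor 10.0.0.1 send-label
  neighbor 10.0.0.1 next-hop-self
  neighbor 192.0.2.2 activate
  neighbor 192.0.2.2 send-label
  neighbor 192.0.2.2 route-map TO-AS200 out
 exit-address-family
!
! --- PE1: learns PE2's loopback with a label from ASBR1, then peers
! directly with PE2 over multihop MP-EBGP for VPN-IPv4 routes ---
router bgp 100
 neighbor 10.0.0.2 remote-as 100
 neighbor 10.0.0.2 update-source Loopback0
 neighbor 10.1.0.1 remote-as 200
 neighbor 10.1.0.1 ebgp-multihop 255
 neighbor 10.1.0.1 update-source Loopback0
 !
 address-family ipv4
  neighbor 10.0.0.2 activate
  neighbor 10.0.0.2 send-label
  no neighbor 10.1.0.1 activate
 exit-address-family
 !
 address-family vpnv4
  neighbor 10.1.0.1 activate
  neighbor 10.1.0.1 send-community extended
 exit-address-family
!
! --- RR variant: instead of PE1 peering with PE2, RR1 peers with RR2.
! next-hop-unchanged keeps the BGP next hop on the originating PE, so
! the end-to-end LSP still terminates at that PE rather than at the RR.
router bgp 100
 neighbor 10.1.0.3 remote-as 200
 neighbor 10.1.0.3 ebgp-multihop 255
 neighbor 10.1.0.3 update-source Loopback0
 !
 address-family vpnv4
  neighbor 10.1.0.3 activate
  neighbor 10.1.0.3 send-community extended
  neighbor 10.1.0.3 next-hop-unchanged
 exit-address-family
```

Two points are worth checking in an Option C deployment: which PE loopbacks the other provider learns is governed entirely by the outbound route-map on the ASBR, and the multihop VPNv4 session on the PE (or RR) accepts only the specific remote loopback configured as a neighbor. Both matter because in this option the LSP runs end to end between PEs of two different providers, with nothing in between holding the VPN-IPv4 routes.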

Figure 4 Cross-domain VPN Option C with RR

Blog: http://blog.chinaunix.net/uid-26421509-id-3055889.html
