Key concepts of BGP/MPLS VPN

BGP/MPLSVPN Concept 1: VRF

One of the security measures of BGP/MPLSVPN is routing isolation and information isolation. It is implemented through the VPN route Forwarding (VPNRouting & Forwarding: VRF) Table and LSP in MPLS. On a PE router, there are multiple BGP/MPLSVPN concepts 1: VRF tables, which correspond to one or more sub-interfaces on the PE router, used to store the route information of the VPN to which these subinterfaces belong.

Generally, the VRF table only contains the route information of one VPN, but when the sub-interface belongs to multiple VPNs, the corresponding VRF table contains the routing information of all VPNs to which the sub-interface belongs. Each VRF table has two attributes: RouteDistinguisher: RD and RouteTarget: RT.

BGP/MPLSVPN concept 2: RD

The IP address planning in the VPN is self-developed by the customer. Therefore, the customer may choose the private address defined in RFC1918 as their site address or use the same address domain for different VPNs, that is, address overlap. One of the consequences of address overlapping is that BGP cannot distinguish overlapping routes from different VPNs, resulting in a site being inaccessible.

To solve this problem, BGP/MPLSVPN not only uses multiple VRF tables on the PE router, but also introduces the concept of RD. RD is globally unique, by extending the eight-byte BGP/MPLSVPN concept 2: RD as an IPv4 address prefix, the non-unique IPv4 address is converted to a unique VPN-IPv4 address. The VPN-IPv4 address is invisible to client devices and is only used for distribution of routing information on backbone networks.

The RD and VRF tables have a one-to-one relationship. Generally, for sub-interfaces of the same VPN on different PE routers, allocate the same RD to the corresponding VRF table. In other words, is to assign a unique RD for each VPN. However, for overlapping VPNs, that is, when a site belongs to multiple VPNs, because a sub-interface on the PE router belongs to multiple VPNs, the VRF table corresponding to this sub-interface can only be allocated with one RD, so that multiple VPNs share one RD.

BGP/MPLSVPN concept 3: RT

RT is similar to the extended group attribute in BGP for routing information distribution. It is divided into ImportRT and ExportRT for the import and export policies of route information respectively. When exporting a VPN route from the VRF table, use ExportRT to mark the VPN route;

When you import a VPN route to the VRF table, only the route marked with RT that matches any ImportRT in the vrf table will be imported to the VRF table. RT allows the PE router to only include the VPN route directly connected to it, instead of all the VPN routes of the whole network, thus saving the resources of the PE router and improving the network scalability.

RT is globally unique and can only be used by one VPN. Through reasonable configuration of ImportRT and ExportRT, carriers can build VPN of different topology types, such as overlapping VPN and Hub-and-spokeVPN.

Edit recommendations]