MPLS VPN Technical Principles ZZ

Source: Internet
Author: User
1. Significance of MPLS
Traditional IP forwarding works hop by hop: every router on the path looks up the destination address of the IP header in its routing table to obtain the next hop and outgoing interface. This is tedious and inefficient for two reasons: 1. some lookups require several passes through the routing table (recursive lookup); 2. because route matching follows the longest-match rule, almost all router switching engines have to be implemented in software, and a software switching engine cannot compete in efficiency with the hardware switching engine of an ATM switch.
  
Demand for Internet applications keeps growing, and with it the demand for bandwidth and low latency. Router vendors have done a lot of work to improve forwarding efficiency, for example Cisco's CEF (Cisco Express Forwarding) and improved routing-table lookup algorithms, but these patches cannot completely solve the problems the Internet faces.
  
IP and ATM were once opposing camps. IP vendors and ATM vendors each tried to swallow the other, hoping that either IP or ATM alone would rule the world! The fusion of the two technologies is what gave birth to Multi-Protocol Label Switching (MPLS): it combines the simple signaling of IP with the efficient switching engine of ATM!
  
2. Implementation Details of MPLS Technology
2.1 Label Structure
  
IP vendors and ATM vendors each implemented MPLS on top of their existing equipment. An IP vendor changes the rule that an IP packet is encapsulated directly in a Layer 2 frame and instead inserts a label between the Layer 2 and Layer 3 headers. An ATM vendor keeps the VPI/VCI concept of the ATM switch and uses the label in place of the VPI/VCI. Of course, the signaling control part of the ATM switch must be modified to run a routing protocol, so that the ATM switch can exchange Layer 3 routing information with other devices.
  
Label structure:
  
The 20-bit label field carries the label value. Because the label has a fixed length, a router can forward a packet by examining the label alone. This is the biggest advantage of label switching: a fixed-length label means that forwarding can be implemented in hardware, which is far more efficient than longest-match forwarding, which has to be implemented in software!
  
The 3-bit EXP field is used to implement QoS.
  
The 1-bit S field indicates whether the bottom of the label stack has been reached. Applications such as VPN and TE insert two or more labels between the Layer 2 and Layer 3 headers, forming a label stack.
  
The 8-bit TTL field prevents packets from looping through the network.
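As an added illustration that is not part of the original article, the following Python encoder and parser for the 32-bit MPLS label stack entry shows how the four fields above are laid out and how the bottom-of-stack bit terminates a stack. The sample bytes are constructed here; they reuse the label values 2 and 8 that appear later in the article's VPN forwarding example, and the IPv4 header bytes after the stack are an arbitrary constructed prefix.

```python
from __future__ import annotations
import struct

LABEL_BITS, EXP_BITS, TTL_BITS = 20, 3, 8


def encode_entry(label: int, exp: int = 0, bottom: bool = False, ttl: int = 255) -> bytes:
    """Pack one MPLS label stack entry: 20-bit label, 3-bit EXP, 1-bit S, 8-bit TTL."""
    if not 0 <= label < (1 << LABEL_BITS):
        raise ValueError("label must fit in 20 bits")
    if not 0 <= exp < (1 << EXP_BITS) or not 0 <= ttl < (1 << TTL_BITS):
        raise ValueError("exp must fit in 3 bits and ttl in 8 bits")
    word = (label << 12) | (exp << 9) | (int(bottom) << 8) | ttl
    return struct.pack("!I", word)


def decode_entry(data: bytes) -> dict:
    """Unpack the first four bytes of `data` into the four fields of one stack entry."""
    if len(data) < 4:
        raise ValueError("need 4 bytes for a label stack entry")
    (word,) = struct.unpack("!I", data[:4])
    return {
        "label": word >> 12,
        "exp": (word >> 9) & 0x7,
        "bottom": bool((word >> 8) & 0x1),
        "ttl": word & 0xFF,
    }


def parse_label_stack(data: bytes) -> tuple[list[dict], bytes]:
    """Walk the stack entry by entry until the S bit is set; return (entries top first, payload).

    Without a set S bit the receiver cannot tell where the IP header starts, so a stack
    that runs off the end of the data is rejected rather than guessed at.
    """
    entries, offset = [], 0
    while offset + 4 <= len(data):
        entry = decode_entry(data[offset:offset + 4])
        entries.append(entry)
        offset += 4
        if entry["bottom"]:
            return entries, data[offset:]
    raise ValueError("malformed label stack: no bottom-of-stack bit before end of data")


def build_labeled_packet(labels: list[int], payload: bytes, ttl: int = 255) -> bytes:
    """Prepend a label stack (top label first) to `payload`; only the last entry gets S=1."""
    entries = [encode_entry(lbl, bottom=(i == len(labels) - 1), ttl=ttl)
               for i, lbl in enumerate(labels)]
    return b"".join(entries) + payload


# Constructed sample: IGP label 2 on top of VPN label 8, then the first bytes of an IPv4 header.
SAMPLE_PAYLOAD = bytes.fromhex("4500003c1c4640004006")
SAMPLE_PACKET = build_labeled_packet([2, 8], SAMPLE_PAYLOAD)

if __name__ == "__main__":
    stack, payload = parse_label_stack(SAMPLE_PACKET)
    for depth, entry in enumerate(stack):
        print(f"entry {depth}: {entry}")
    print("payload starts with IPv4 version/IHL byte:", hex(payload[0]))
```

Because a transit LSR only examines the top entry, the parser is the kind of code an edge LSR needs when it must find the IP header again; the strict handling of a missing S bit is what keeps a malformed stack from being misread as an IP packet.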
  
In this way, the complete Layer 2 frame carrying a label takes the following form:

In ATM cell mode, the cell structure is as follows:
  
    
2.2 Architecture of the LSR

A router modified to support label switching is called an LSR (Label Switch Router); an ATM switch that supports MPLS is generally called an ATM-LSR.
  
The architecture of the LSR device is as follows:
  
The LSR architecture is divided into two parts:

1. Control plane

This module exchanges Layer 3 routing information with other LSRs to build the routing table, and exchanges label-to-route bindings to build the Label Information Base (LIB). From the routing table and the LIB it then generates the Forwarding Information Base (FIB) and the Label Forwarding Information Base (LFIB). The control plane is also known as the routing engine!

2. Data plane

The data plane forwards IP packets and labeled packets according to the FIB and LFIB generated by the control plane.

The control plane can use any of the existing routing protocols, such as OSPF, RIP and BGP. Their job is to exchange routing information with other devices and build the routing table, which is the basis for label switching. A new protocol, LDP, is introduced into the control plane: it generates a local label for each route entry in the local routing table and records it in the LIB, advertises the binding of route entry and local label to the neighboring LSRs, and records in the LIB the bindings of route entries and labels advertised by the neighboring LSRs. Finally, once the network has converged, the FIB and LFIB are generated from the routing table and the LIB. The label distribution modes are described below.
  
2.3 Label Allocation and Distribution

As described above, MPLS combines IP technology and ATM technology, and label generation and distribution differ slightly between an LSR and an ATM-LSR.
  
2.3.1 Label Allocation and Distribution in Packet Mode

In an MPLS network running in packet mode, the downstream LSR independently generates the binding between a route entry and a label and actively distributes it to its neighbors.

For example, LDP is enabled on all LSRs. Take LSR-B: it has learned the route to network X through the routing protocol. As soon as LDP starts, LSR-B scans its routing table, and because the route to X was learned from the IGP, it generates a local label, 25, for the route to X in its LIB. Because LSR-B has LDP neighbor relationships with LSR-A, LSR-C and LSR-E, the downstream LSR-B actively sends the binding X = 25 to all of its neighbors! LSR-A, LSR-C and LSR-E each store this binding in their local LIB and, combined with the local routing table, generate a "network address -> outgoing label" entry for X in the FIB and an "incoming label -> outgoing label" entry for X in the LFIB. Every LSR does the same, and in the end the routing tables, LIBs, FIBs and LFIBs of all LSRs in the MPLS network reach a consistent, converged state.

If LSR-A receives data for network X, then because LSR-A sits at the edge of the MPLS network it must look up the FIB and insert a label into the received IP packet. LSR-B and LSR-C only examine the label: they swap the label in the packet header and forward the labeled packet. When the data reaches LSR-D, that edge LSR removes the label from the labeled packet and forwards the restored IP packet! For example:
  
2.3.2 Label Allocation and Distribution in Cell Mode

In cell mode, the downstream ATM-LSR receives a label binding request from the upstream ATM-LSR, allocates a label under that control, and passively distributes it upstream. For example:

The most upstream node, LSR-A, sends a label request for network X to ATM-LSR-B; ATM-LSR-B forwards the request to ATM-LSR-C, and so on until it reaches LSR-D. LSR-D generates a local label 1/37 for network X and tells ATM-LSR-C; C does the same, step by step, back to LSR-A. The result is an LSP (Label Switched Path) A -> B -> C -> D. Now, when A receives data for network X, it segments the IP packet into labeled cells and sends them to B over its ATM interface; B and C simply switch the ATM cells; when they reach D, the cells are reassembled into an IP packet and sent to network X.

To build an MPLS network with ATM switches at the core, routers must be placed at the edge of the ATM network, because an ATM switch only forwards cells and cannot process the users' IP packets. As mentioned above, implementing MPLS on an ATM switch requires adding a routing protocol to its signaling control part, and routing protocol messages (RIP, OSPF, BGP and so on) are normally carried in IP packets. To let this routing information, carried as IP packets, travel between ATM switches, the ATM switch uses a dedicated out-of-band channel or an in-band management VC.
  
2.4 Special Use of BGP in MPLS Networks

When an LSR assigns labels based on its routing table, it assigns them only to route entries learned from the IGP. Why? This has a special significance! See:
  
MPLS switching runs throughout the transit AS. The address blocks between ISP2 and LSR-Border2 are advertised into the IGP of the transit AS, and the same applies to the blocks between ISP1 and LSR-Border2. As mentioned above, an LSR assigns labels only to routes learned from the IGP; since network 1.2.3.4 is advertised into the transit AS's IGP, Core1 will certainly tell Border1 its label 23 for 1.2.3.4. LSR-Border1 and LSR-Border2 form an iBGP neighbor relationship, and through BGP LSR-Border2 sends LSR-Border1 the route 10.0.0.0/8 that it learned from ISP2, with next-hop address 1.2.3.4. LSR-Border1 thus knows that to reach 10.0.0.0/8 it must first send the data toward 1.2.3.4, and 1.2.3.4 is bound to label 23, so when the FIB is generated, label 23 is also bound to 10.0.0.0/8. When data flows from ISP1 through the transit AS to ISP2, Border1 inserts label 23 into the IP packet and forwards the labeled packet to Core1; Core1 only has to examine the label header and switch the labeled packet! Because the core routers of the transit AS no longer need to run BGP, they know nothing about external customer routes, which shrinks their routing tables and speeds up lookups. And because the IP header is hidden behind the label and is never examined on the core routers, a packet is forwarded normally even if its IP header carries a private address such as 10.0.0.1, since only the label is examined. This is exactly what service providers are after when they offer VPN services. One thing must be stressed, however: the LSP must not be broken anywhere in the transit AS.
If it is broken, the labeled packet is restored to an IP packet, the core router has no route for the customer prefix, and the packet is lost.
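The following Python simulation is an added example, not code from the original article, that plays through both section 2.3.1 and this section on a constructed four-node chain A-B-C-D. LDP allocates a local label only for IGP-learned and directly connected routes, advertises the bindings to every neighbor, and each LSR then derives its FIB and LFIB from its routing table and LIB. A BGP route on A (10.0.0.0/8 with next hop 1.2.3.4, the values used in the text) gets no label of its own but inherits the outgoing label of the IGP route to its next hop, so the core LSRs B and C switch the packet without ever holding the BGP route. The network-X prefix 192.0.2.0/24, the label ranges per LSR and the broken-LSP check are constructed assumptions of this example.

```python
from dataclasses import dataclass, field

# Constructed topology (not from the article's figures):  A -- B -- C -- D
# D owns network X and loopback 1.2.3.4/32, both advertised in the IGP.
# A additionally holds an iBGP route 10.0.0.0/8 whose BGP next hop is 1.2.3.4.
NET_X, LOOPBACK_D, EXTERNAL = "192.0.2.0/24", "1.2.3.4/32", "10.0.0.0/8"


@dataclass
class LSR:
    name: str
    first_label: int          # start of this LSR's local label range (constructed)
    neighbors: list           # LDP neighbors
    routes: dict              # prefix -> (next-hop LSR or None if connected, protocol, BGP next-hop prefix)
    lib: dict = field(default_factory=dict)    # prefix -> {"local": label|None, "remote": {neighbor: label}}
    fib: dict = field(default_factory=dict)    # prefix -> (next hop, outgoing label, operation)
    lfib: dict = field(default_factory=dict)   # incoming label -> (next hop, outgoing label, operation)

    def allocate_local_labels(self):
        """LDP binds a local label only to IGP-learned and connected routes, never to BGP routes."""
        label = self.first_label
        for prefix, (_, proto, _) in sorted(self.routes.items()):
            entry = self.lib.setdefault(prefix, {"local": None, "remote": {}})
            if proto in ("IGP", "CONNECTED"):
                entry["local"] = label
                label += 1

    def build_forwarding_tables(self):
        """Derive FIB and LFIB from the routing table plus the LIB, resolving BGP routes last."""
        ordered = sorted(self.routes.items(), key=lambda item: item[1][1] == "BGP")
        for prefix, (nh, proto, bgp_nh) in ordered:
            local = self.lib[prefix]["local"]
            if proto == "CONNECTED":            # egress LSR: strip the label, deliver plain IP
                self.fib[prefix] = (None, None, "untagged")
                self.lfib[local] = (None, None, "pop")
            elif proto == "IGP":                # use the label advertised by the IGP next hop
                out = self.lib[prefix]["remote"][nh]
                self.fib[prefix] = (nh, out, "push")
                self.lfib[local] = (nh, out, "swap")
            else:                               # BGP: recurse to the IGP route of the BGP next hop
                nh, out, _ = self.fib[bgp_nh]   # and reuse its outgoing label (section 2.4)
                self.fib[prefix] = (nh, out, "push")


def distribute_labels(lsrs: dict):
    """Downstream unsolicited distribution: each LSR sends every local binding to all LDP neighbors."""
    for lsr in lsrs.values():
        for prefix, entry in lsr.lib.items():
            if entry["local"] is not None:
                for nbr in lsr.neighbors:
                    peer_entry = lsrs[nbr].lib.setdefault(prefix, {"local": None, "remote": {}})
                    peer_entry["remote"][lsr.name] = entry["local"]


def build_network() -> dict:
    lsrs = {
        "A": LSR("A", 16, ["B"], {NET_X: ("B", "IGP", None), LOOPBACK_D: ("B", "IGP", None),
                                   EXTERNAL: (None, "BGP", LOOPBACK_D)}),
        "B": LSR("B", 24, ["A", "C"], {NET_X: ("C", "IGP", None), LOOPBACK_D: ("C", "IGP", None)}),
        "C": LSR("C", 40, ["B", "D"], {NET_X: ("D", "IGP", None), LOOPBACK_D: ("D", "IGP", None)}),
        "D": LSR("D", 50, ["C"], {NET_X: (None, "CONNECTED", None), LOOPBACK_D: (None, "CONNECTED", None)}),
    }
    for lsr in lsrs.values():
        lsr.allocate_local_labels()
    distribute_labels(lsrs)
    for lsr in lsrs.values():
        lsr.build_forwarding_tables()
    return lsrs


def trace_packet(lsrs: dict, ingress: str, prefix: str) -> list:
    """Follow an IP packet for `prefix` from the ingress LSR; returns (LSR, operation, label on the wire)."""
    nh, label, op = lsrs[ingress].fib[prefix]
    path = [(ingress, op, label)]
    while nh is not None:
        if label not in lsrs[nh].lfib:         # broken LSP: the core holds no IP route, packet is lost
            raise LookupError(f"{nh} has no LFIB entry for label {label}; packet dropped")
        hop = nh
        nh, label, op = lsrs[hop].lfib[label]
        path.append((hop, op, label))
    return path


if __name__ == "__main__":
    net = build_network()
    print("LIB on B:", net["B"].lib)
    print("FIB on A:", net["A"].fib)
    print("path for", EXTERNAL, ":", trace_packet(net, "A", EXTERNAL))
```

Running it shows B binding label 25 to network X as in the text, A's FIB entry for 10.0.0.0/8 carrying the same outgoing label as its entry for 1.2.3.4/32, and the packet crossing B and C although neither has 10.0.0.0/8 in its routing table; deleting a core LFIB entry reproduces the packet loss described for a broken LSP.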
  
The role of BGP in MPLS networks opens the door to VPN services, but we must also be aware of the two basic requirements of a VPN service: 1. customers can plan their IP addresses independently; 2. security is paramount! See:
  

In the two VPN instances above, PE1 (PE = provider edge device) is connected to CE1 (CE = customer edge device) and S3. If the address range 10.1.2.0/8 used by CE1 is the same as the range used by S3, then without modifying the PE1 router, PE1 can only decide that data for 10.1.2.0/8 leaves either from S0 or from S1. In that case, whether the destination is actually CE1 or SSPS, the data PE1 sends to the 10.1.2.0/8 segment will not be received correctly!

Without modifying BGP4, the route updates for 10.1.1.0/8 that PE2 and PE3 send to PE1 are comparable, so PE1 will eventually select just one of them and assume that either PE2 or PE3 is the router through which all data for 10.1.1.0/8 must pass. Then, if a host in CE1's 10.1.2.0/8 segment sends data to a host in the 10.1.1.0/8 segment, the data may be delivered to the 10.1.1.0/8 segment of CE4 instead, leaking data between customers.

Therefore, to let LSRs provide MPLS-based VPN services, these devices must be modified.

3. MPLS-based VPN Implementation
3.1 History of VPN
  
The VPN service is a concept that has been around for a long time. In the past, telecom providers offered VPNs as leased lines overlaid on the transmission network; the operator did not care what routing protocols ran on top of the leased line or how traffic was routed. A VPN built on leased lines is secure, but it is expensive and wastes line resources badly.

Later, as IP networks were fully deployed, competition forced telecom providers to offer a cheaper VPN service, the Layer 3 VPN. The provider offers an IP platform, and users tunnel across the Internet using IP-over-IP encapsulation, adding encryption and other means to protect security. The number of VPN users on today's networks is huge! However, this kind of VPN service is not very satisfactory, because of the heavy encryption work and the low forwarding efficiency of traditional routers that forward on the destination IP header.

The emergence of MPLS and the extension of BGP brought a new dawn for VPN implementation.
  
3.2 MPLS/VPN Architecture

3.2.1 PE Router Changes and the Introduction of VRFs

To let a PE router distinguish the VPN customer routes arriving on its local interfaces, many virtual routers are created on the PE. Each virtual router has its own routing table and forwarding table, collectively called a VRF (VPN Routing and Forwarding instance). A VRF defines a VPN member connected to the PE router and includes the IP routing table, the IP forwarding table (also called the CEF table), the set of interfaces that use that CEF table, the routing protocol parameters, and the route import and export rules.

Two important VPN-related parameters defined in a VRF are the RD (route distinguisher) and the RT (route target). Both RD and RT are 64 bits long.
  

With VRFs, the routes of different VPN customers are isolated from each other, which solves the problem of overlapping IP address spaces between VPNs.
  
3.2.2 Advertising VPN Customer Routes with MP-BGP

Standard BGP4 can only carry IPv4 routes. Because different VPN customers have overlapping address spaces, BGP has to be extended. BGP's biggest advantage is its good extensibility: new attributes can be defined on top of the original protocol, extending BGP4 into MP-BGP. When a VPN customer route is passed between MP-iBGP neighbors it is marked with the RD, so that the customer's IPv4 route becomes a VPNv4 route. This guarantees that when the route reaches the remote PE, that PE can tell apart the routes of different VPN customers even though their address spaces overlap. Example:

Configure VRF parameters on PE1, PE2 and PE3. For vpn1, RD = 6500:1 and RT = 100:1; for the other VPN, RD = 6500:2 and RT = 100:2. Each VRF both imports and exports its defined RT.
Take PE2 as an example. PE2 learns the route 10.1.1.0/8 from CE4 on interface S0 and places it in the IP routing table of the VRF associated with S0, assigning the route a local label; note that this label is unique on the local PE. The routes in that VRF's IP routing table are then redistributed into the BGP table. At this point, using the RD and RT parameters of the VRF, the ordinary IPv4 route is turned into a VPNv4 route (10.1.1.0/8 becomes 6500:1:10.1.1.0/8), and the exported RT value and the route's local label are attached to the route entry. Over the MP-iBGP session PE2 sends this VPNv4 route to PE1. PE1 receives two routes for 10.1.1.0/8, the other one from PE3; because their RDs differ, the two routes are not comparable. After receiving them, MP-BGP strips the RD from each VPNv4 route to recover the original IPv4 route and, according to the import rules configured in each VRF, installs it into that VRF's routing table and CEF table: the 10.1.1.0/8 route with RT = 100:1 goes into the routing and CEF tables of vrf1, and the 10.1.1.0/8 route with RT = 100:2 goes into those of vrf2. Through the routing protocol between CE and PE, each PE advertises the contents of each VRF's routing table to the CE associated with it.
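The example below is added here and is not code from the original article. It models the PE2/PE3/PE1 exchange just described in Python: exporting a VRF route into MP-BGP prepends the RD, attaches the export RT and binds a label that is unique only on the advertising PE; the receiving PE keeps one path per (RD, prefix) key, so the two 10.1.1.0/8 routes never compete, and then installs each into the VRFs whose import RTs match. The RD and RT values are the article's; the CE behind PE3, the per-PE label start and the same-RD variant that shows what happens without distinct RDs are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed scenario following the article: PE2 learns 10.1.1.0/8 from CE4 in vpn1
# (RD 6500:1, RT 100:1), PE3 learns the same prefix in vpn2 (RD 6500:2, RT 100:2),
# and PE1 holds both VRFs and must keep the two routes apart.


@dataclass
class VRF:
    name: str
    rd: str
    export_rts: frozenset
    import_rts: frozenset
    routes: dict = field(default_factory=dict)   # prefix -> next hop (CE name or remote PE)
    cef: dict = field(default_factory=dict)      # prefix -> (remote PE, VPN label) for MPLS forwarding


@dataclass(frozen=True)
class VPNv4Route:
    rd: str
    prefix: str
    next_hop: str          # advertising PE
    rts: frozenset         # route-target extended communities carried with the route
    label: int             # VPN label allocated by the advertising PE

    @property
    def nlri(self) -> str:
        return f"{self.rd}:{self.prefix}"   # e.g. 6500:1:10.1.1.0/8


@dataclass
class PE:
    name: str
    vrfs: dict
    next_label: int = 16   # local labels are unique per PE, not globally (constructed start value)

    def export_vpnv4(self) -> list:
        """Redistribute each VRF's IPv4 routes into MP-BGP: prepend the RD, attach the export RTs,
        and bind a locally unique label to every route."""
        advertised = []
        for vrf in self.vrfs.values():
            for prefix in sorted(vrf.routes):
                advertised.append(VPNv4Route(vrf.rd, prefix, self.name, vrf.export_rts, self.next_label))
                self.next_label += 1
        return advertised

    def receive_vpnv4(self, routes: list) -> dict:
        """Keep one best path per (RD, prefix) key, since routes with different RDs never compete,
        then strip the RD and install the IPv4 route into every VRF whose import RTs match."""
        bgp_table = {}
        for route in routes:
            bgp_table.setdefault(route.nlri, route)   # first path wins; a same-RD duplicate is dropped
        for route in bgp_table.values():
            for vrf in self.vrfs.values():
                if vrf.import_rts & route.rts:
                    vrf.routes[route.prefix] = route.next_hop
                    vrf.cef[route.prefix] = (route.next_hop, route.label)
        return bgp_table


def build_scenario(distinct_rds: bool = True):
    """Return PE1 after it has received PE2's and PE3's VPNv4 advertisements, plus its BGP table."""
    rd2 = "6500:2" if distinct_rds else "6500:1"    # distinct_rds=False shows the unmodified-BGP problem
    pe2 = PE("PE2", {"vrf1": VRF("vrf1", "6500:1", frozenset({"100:1"}), frozenset({"100:1"}),
                                 {"10.1.1.0/8": "CE4"})})
    pe3 = PE("PE3", {"vrf2": VRF("vrf2", rd2, frozenset({"100:2"}), frozenset({"100:2"}),
                                 {"10.1.1.0/8": "CE_at_PE3"})})   # placeholder name for PE3's CE
    pe1 = PE("PE1", {
        "vrf1": VRF("vrf1", "6500:1", frozenset({"100:1"}), frozenset({"100:1"}), {"10.1.2.0/8": "CE1"}),
        "vrf2": VRF("vrf2", rd2, frozenset({"100:2"}), frozenset({"100:2"})),
    })
    table = pe1.receive_vpnv4(pe2.export_vpnv4() + pe3.export_vpnv4())
    return pe1, table


if __name__ == "__main__":
    pe1, table = build_scenario()
    for nlri, route in table.items():
        print(nlri, "via", route.next_hop, "label", route.label, "RTs", sorted(route.rts))
    for vrf in pe1.vrfs.values():
        print(vrf.name, "routes:", vrf.routes, "cef:", vrf.cef)
```

With distinct RDs, PE1's BGP table holds both 6500:1:10.1.1.0/8 and 6500:2:10.1.1.0/8 and each VRF receives the route from the right PE, with the two PEs free to use the same label value. With the same RD on both VRFs, only one path survives and vrf2 gets no route at all, which is the comparable-routes problem described in section 2.4.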
  
Currently only four routing protocols are supported between PE and CE: BGP, OSPF, RIPv2, or static routes.
  
3.2.3 Forwarding Labeled Packets in MPLS/VPN

Now that MP-BGP lets each VPN customer router learn the correct routes, let us look at how user data is forwarded.
1. CE1 receives an IP packet destined for 10.1.1.1, looks up its routing table and sends the packet to PE1.

2. PE1 receives the IP packet on port S1, looks up the CEF table of the VRF associated with S1, and finds that the packet must carry label 8; note that this label was learned through MP-BGP. PE1 then consults the global CEF table: to reach 10.1.1.1 the data must first be sent to PE2, and to reach PE2 it must carry label 2, advertised by P1. So the IP packet is given two labels.

3. P1 receives the labeled packet, examines the top label, swaps it to 4 and sends the packet on to P2.

4. P2 does the same as P1, but because of penultimate hop popping, P2 removes label 4 and sends PE2 a packet carrying only one label.

5. PE2 receives the labeled packet and examines the label header. Because label 8 was generated locally and is unique on PE2, PE2 readily finds that a packet carrying label 8 should have its label removed, the original IP packet restored, and be sent out of port S1.

6. CE2 receives the IP packet, looks up its route and delivers the data to the 10.1.1.0/8 segment.
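To make the six steps concrete, here is an added Python trace that is not code from the original article. It reproduces the steps on constructed forwarding state: the VPN label 8 and the IGP labels 2 and 4 are the values from the steps above, the node names P1 and P2 come from the steps, and the VRF name red and interface S1 come from the configuration section; the CEF and LFIB contents, and the lookup helpers, are assumptions of this example. The pop at P2 is the penultimate hop popping of step 4.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed forwarding state reproducing the six steps: VPN label 8 (from MP-BGP),
# IGP labels 2 and 4 (from LDP), VRF "red" and interface S1 as in the configuration section.


@dataclass
class Node:
    name: str
    lfib: dict = field(default_factory=dict)               # incoming label -> (operation, new label, next hop)
    vrf_of_interface: dict = field(default_factory=dict)   # ingress interface -> VRF name (PE only)
    vrf_cef: dict = field(default_factory=dict)            # VRF -> {prefix: (remote PE, VPN label)}
    global_cef: dict = field(default_factory=dict)         # remote PE -> (next hop, IGP label)
    vpn_label_exit: dict = field(default_factory=dict)     # local VPN label -> (VRF, egress interface)


def longest_match(table: dict, dst: str):
    """Pick the most specific prefix covering `dst`; prefixes are kept verbatim, so strict=False."""
    best = None
    for prefix, value in table.items():
        net = ip_network(prefix, strict=False)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, value)
    if best is None:
        raise LookupError(f"no route for {dst}")
    return best[1]


def ingress_pe(pe: Node, in_if: str, dst: str):
    """Step 2: the VRF CEF gives the VPN label, the global CEF the IGP label; push both, IGP on top."""
    vrf = pe.vrf_of_interface[in_if]
    remote_pe, vpn_label = longest_match(pe.vrf_cef[vrf], dst)
    next_hop, igp_label = pe.global_cef[remote_pe]
    return next_hop, [igp_label, vpn_label]


def transit(node: Node, stack: list):
    """Steps 3-4: a P router acts on the top label only; 'pop' here is penultimate hop popping."""
    op, new_label, next_hop = node.lfib[stack[0]]     # KeyError here means the packet is dropped
    if op == "swap":
        return next_hop, [new_label] + stack[1:]
    if op == "pop":
        return next_hop, stack[1:]
    raise ValueError(f"unknown LFIB operation {op}")


def egress_pe(pe: Node, stack: list):
    """Step 5: the remaining label is a locally unique VPN label; pop it and pick the VRF interface."""
    (label,) = stack                                  # PHP already removed the IGP label
    return pe.vpn_label_exit[label]


def forward(nodes: dict, ingress: str, in_if: str, dst: str) -> list:
    """Trace the packet; returns (node, label stack after the node) per hop, then the exit interface."""
    next_hop, stack = ingress_pe(nodes[ingress], in_if, dst)
    trace = [(ingress, list(stack))]
    while next_hop is not None:
        node = nodes[next_hop]
        if stack[0] in node.vpn_label_exit:           # an egress PE terminates the LSP
            vrf, out_if = egress_pe(node, stack)
            trace.append((node.name, []))
            trace.append(("exit", f"{vrf}/{out_if}"))
            return trace
        next_hop, stack = transit(node, stack)
        trace.append((node.name, list(stack)))
    return trace


def build_nodes() -> dict:
    pe1 = Node("PE1", vrf_of_interface={"S1": "red"},
               vrf_cef={"red": {"10.1.1.0/8": ("PE2", 8)}},   # VPN label 8 learned from PE2 via MP-BGP
               global_cef={"PE2": ("P1", 2)})                  # IGP label 2 toward PE2, learned from P1 via LDP
    p1 = Node("P1", lfib={2: ("swap", 4, "P2")})
    p2 = Node("P2", lfib={4: ("pop", None, "PE2")})            # penultimate hop pops the IGP label
    pe2 = Node("PE2", vpn_label_exit={8: ("red", "S1")})       # label 8 is PE2's own, bound to VRF red
    return {n.name: n for n in (pe1, p1, p2, pe2)}


if __name__ == "__main__":
    for hop in forward(build_nodes(), "PE1", "S1", "10.1.1.1"):
        print(hop)
```

The trace prints the stack [2, 8] leaving PE1, [4, 8] leaving P1, [8] leaving P2, and an empty stack at PE2 with the packet exiting on red/S1. Note that P1 and P2 never look at the VPN label or the IP header, which is why the customer's private addresses never need to exist in the core routing tables.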
  
4. MPLS/VPN Configuration Example

To provide VPN services, the service provider must enable label switching on its network, that is, upgrade the existing data network to an MPLS network. The PE is then configured in six steps:

1. Define and configure the VRF

2. Define and configure the RD

3. Define the RT and configure the import and export policies

4. Configure MP-BGP

5. Configure the routing protocol between PE and CE

6. Configure the CE-facing interface and associate it with the VRF defined earlier.

The customer sites are CE1, CE2 and S3. PE3 and SSPS run RIPv2 between them, PE2 and CE2 run BGP, and OSPF is used throughout AS 6500.

The PE3 configuration is as follows:
  
ip cef ---- enable CEF forwarding
!
ip vrf red ---- define a VRF named red
 description for red user VPN
 rd 6500:1 ---- define the RD as 6500:1
 route-target export 6500:1 ---- define the export policy
 route-target import 6500:1 ---- define the import policy
!
router rip ---- configure RIPv2 as the routing protocol between PE3 and S3
 version 2
 !
 address-family ipv4 vrf red
  version 2
  redistribute bgp 6500 metric 1 ---- redistribute the routes learned by BGP into RIPv2, so the customer learns the other routes in the same VPN
  network 192.168.1.0
  no auto-summary
 exit-address-family
!
router bgp 6500 ---- configure BGP
 no synchronization
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor 192.168.168.2 remote-as 6500 ---- establish a neighbor relationship with PE2
 neighbor 192.168.168.2 update-source loopback0
 no auto-summary
 !
 address-family ipv4 vrf red ---- configure the IPv4 address family for the VPN customer
  redistribute rip metric 1 ---- redistribute the routes in VRF red's routing table into BGP
  no auto-summary
  no synchronization
 exit-address-family
 !
 address-family vpnv4 ---- configure the VPNv4 session with PE2 so that PE3 and PE2 can exchange VPNv4 routes
  neighbor 192.168.168.2 activate
  neighbor 192.168.168.2 send-community both
  no auto-summary
 exit-address-family
!
interface ethernet0/1 ---- configure the interface connecting to S3
 ip vrf forwarding red ---- associate this interface with the VRF red defined above
 ip address 192.168.1.17 255.255.255.252
!
interface ethernet0/0 ---- configure the interface connecting to the 7206
 ip address 192.168.1.10 255.255.255.252
 half-duplex
 tag-switching ip ---- enable tag switching on this interface
!
  
The PE2 configuration is as follows:
  
ip cef ---- enable CEF forwarding
!
ip vrf red ---- define a VRF named red
 description for red user VPN
 rd 6500:1 ---- define the RD as 6500:1
 route-target export 6500:1 ---- define the export policy
 route-target import 6500:1 ---- define the import policy
!
router bgp 6500 ---- configure BGP
 no synchronization
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor 192.168.168.4 remote-as 6500
 neighbor 192.168.168.4 update-source loopback0
 neighbor 192.168.168.4 next-hop-self ---- required when the routing protocol between PE and CE is BGP
 no auto-summary
 !
 address-family ipv4 vrf red
  neighbor 10.10.40.1 remote-as 6504 ---- configure BGP as the routing protocol between PE2 and CE2
  neighbor 10.10.40.1 activate
  no auto-summary
  no synchronization
 exit-address-family
 !
 address-family vpnv4
  neighbor 192.168.168.4 activate ---- activate the MP-iBGP neighbor relationship with PE3
  neighbor 192.168.168.4 send-community both
  no auto-summary
 exit-address-family
!
interface serial1/0 ---- configure the interface connecting to CE2
 ip vrf forwarding red ---- associate this interface with VRF red
 ip address 10.10.40.2 255.255.255.252
!
interface ethernet0/1 ---- configure the interface connecting to the 7206
 ip address 192.168.1.13 255.255.255.252
 half-duplex
 tag-switching ip ---- enable tag switching on this interface
!
interface serial1/1 ---- configure the interface connecting to PE1
 bandwidth 1544
 ip address 10.10.30.2 255.255.255.252
 encapsulation ppp
 tag-switching ip ---- enable MPLS switching on this interface
!
  
5. Summary
The configuration above implements a VPN within a single AS. In practice, the access points of VPN customers are usually spread over a large area, so VPN services often have to span multiple ASes. That configuration is more complex and requires cooperation between telecom operators.

MPLS is a new technology that combines the advantages of the link layer and the IP layer. An MPLS network not only provides VPN services but also supports QoS, TE, multicast and other services.

At present China Netcom already provides MPLS-based VPN services on a large scale, and other operators such as China Telecom are catching up. Before long, like the Web, MPLS will touch every aspect of our lives!
