Principles and Construction of MPLS VPN (1)

Source: Internet
Author: User

1. Overview

Traditional VPNs are usually built on ATM, DDN or Frame Relay networks. With the large-scale deployment of IP networks and the decline of ATM, providing VPN services over IP networks is considered a very economical approach, and with the emergence of MPLS, MPLS-based VPN technology has developed rapidly and is already in commercial use. According to the classification of IP VPN technologies in RFC 2764, IP VPNs are divided into four kinds: VLL (Virtual Leased Lines), VPDN (Virtual Private Dial Networks), VPRN (Virtual Private Routed Networks), and VPLS (Virtual Private LAN Segment). MPLS VPN belongs to the VPRN category.
2. MPLS Router Structure
The structure of an MPLS router differs from that of a traditional router, which supports only hop-by-hop routing. The structure of the label switching router (LSR) in MPLS is shown in Figure 1: the solid lines are the parts of a traditional router, and the dotted lines are the parts added in the LSR. The LSR is divided into a routing module and a forwarding module. The routing protocol in the routing module can be OSPF or IS-IS, possibly extended for traffic engineering, and the MPLS signaling protocol can be RSVP or CR-LDP. Labeled packets are switched according to the label forwarding table in the forwarding module, while the IP forwarding table is used for the layer-3 lookup of traditional hop-by-hop routing. MPLS generally adopts the topology-driven mode, in which the router establishes LSPs based on the entries of its route table.
3. MPLS VPN Data Forwarding Process
There are three kinds of routers in an MPLS VPN: P routers, PE routers, and CE routers. The P router is the carrier's core router and is responsible for swapping the outer label of VPN packets. The PE router is the carrier's edge router; it holds VRF tables and a global routing table, where the VRF holds the VPN routes and the global routing table holds the carrier's intra-domain routes. The CE router is the customer's router and is maintained by the customer. After the CE router forwards a VPN packet to the ingress PE router, the PE router finds the VRF corresponding to that VPN and obtains from it a VPN label and the address of the next-hop (egress) PE router; the VPN label is pushed onto the VPN packet as the inner label. Based on the address of the next-hop egress PE router, the PE router then finds in the global routing table the label that should be used to reach that PE router, that is, the outer label. The VPN packet therefore carries two labels. The P routers of the backbone forward the VPN packet according to the outer label. At the last P router the outer label is popped, leaving the VPN packet with only the inner label (this is called penultimate hop popping), and the VPN packet is then sent to the egress PE router. The egress PE router finds the corresponding outgoing interface according to the inner label, removes the inner label from the VPN packet, and forwards the now unlabeled VPN packet to the correct CE router, which forwards the packet to its destination based on its own route table.
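The two-label forwarding path just described, as an added simulation that is not part of the original article: the ingress PE pushes the inner VPN label and the outer LSP label, each P router acts only on the outer label, the last P router performs penultimate hop popping, and the egress PE maps the remaining inner label to a CE interface. All prefixes, labels and router names (PE1, P1, P2, PE2, CE-blue) are constructed for illustration.

```python
import ipaddress

# Added example, not the article's code; all names and labels are constructed.
# Ingress PE1: the VRF maps a customer prefix to (inner VPN label, egress PE).
VRF_BLUE = {"10.1.2.0/24": (300, "PE2")}
# Global routing table on PE1: egress PE -> outer label of the LSP towards it.
GLOBAL_LFIB_PE1 = {"PE2": 1001}
# Label forwarding tables of the P routers; the last P router pops (PHP).
LFIB = {
    "P1": {1001: ("swap", 1002, "P2")},
    "P2": {1002: ("pop", None, "PE2")},
}
# Egress PE2: the inner VPN label selects the outgoing CE interface.
VPN_LABELS_PE2 = {300: "CE-blue"}


def ingress_pe(dst_ip, vrf, global_lfib):
    """Look up the VRF, push the inner VPN label, then the outer LSP label."""
    for prefix, (vpn_label, egress_pe) in vrf.items():
        if ipaddress.ip_address(dst_ip) in ipaddress.ip_network(prefix):
            return [global_lfib[egress_pe], vpn_label], "P1"  # index 0 = top
    raise KeyError("no VRF route for %s" % dst_ip)


def p_router(name, stack):
    """A P router acts only on the outer label; the inner label is untouched."""
    action, new_label, next_hop = LFIB[name][stack[0]]
    if action == "swap":
        return [new_label] + stack[1:], next_hop
    return stack[1:], next_hop  # pop: after PHP only the inner label remains


def egress_pe(stack, vpn_labels):
    """Only the inner label arrives; strip it and pick the CE interface."""
    if len(stack) != 1:
        raise ValueError("expected exactly one label after PHP, got %r" % stack)
    return vpn_labels[stack[0]]


def forward(dst_ip):
    """Trace the label stack PE1 -> P1 -> P2 -> PE2 and return the CE interface."""
    stack, hop = ingress_pe(dst_ip, VRF_BLUE, GLOBAL_LFIB_PE1)
    trace = [("PE1", list(stack))]
    while hop in LFIB:  # P routers; the loop ends when the next hop is a PE
        stack, hop_next = p_router(hop, stack)
        trace.append((hop, list(stack)))
        hop = hop_next
    return egress_pe(stack, VPN_LABELS_PE2), trace
```

Calling forward("10.1.2.7") returns the CE interface together with the label stack seen at each router, which shows the outer label being swapped at P1 and popped at P2.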
4. MP-iBGP Protocol
In an MPLS VPN system based on MP-iBGP there are two layers of routing: intra-domain routing and VPN routing. All PE routers and P routers run the backbone's intra-domain routing protocol (OSPF or IS-IS); the resulting route table triggers the establishment of LSPs in the backbone (topology-driven mode). The LSPs are established through a signaling protocol such as CR-LDP or RSVP, and the resulting label forwarding table is used to swap the outer labels of VPN packets. The PE routers run MP-iBGP, which distributes VPN labels between PE routers across the backbone P routers to form the VPN routes. A VPN route advertised by MP-iBGP contains the following information: the IPv4 address, the route distinguisher (RD), the route target (RT), the VPN label, and the next-hop PE address. The RD is used to remove IPv4 address ambiguity so that IPv4 addresses can be reused; the RT is used to control the import and export policies of VRFs, and thereby the connectivity and topology of the network. The next-hop PE address is the link between intra-domain routing and VPN routing: based on the next-hop PE address obtained from the VRF on the PE router, the outer label to be attached for that address can be found in the global routing table.
Because the PE routers running MP-iBGP must form a full mesh of sessions (routers running iBGP cannot re-advertise received iBGP routes, a mechanism that avoids routing loops), there is a scalability problem in large-scale networks. The solution is to use route reflectors or confederations. A route reflector is allowed to re-advertise received iBGP routes, which avoids the full-mesh sessions. With a confederation, the routing domain is divided into multiple sub-domains, so that only the routers within a sub-domain need to form a full mesh, which reduces the number of iBGP peers in the domain. Of course, when a confederation is used, the connections between sub-domains must be planned.
5. Concepts of the VPN Routing and Forwarding Instance (VRF), Route Distinguisher (RD), and Route Target (RT)

5.1 VPN Routing and Forwarding Instance (VRF)
The VPN IP route table and the associated VPN IP forwarding table are collectively called a VPN routing and forwarding instance. In the extreme case, each site connected to a PE router can be assigned its own VRF to hold the VPN routes; however, sites connected to the same PE router can share a VRF if three conditions are met: 1) each site belongs to the same VPN; 2) their routing information is the same; and 3) the sites can communicate with each other directly. Generally, each customer port on the PE router is associated with a specific VRF, and a VPN packet entering from that port finds its VPN label and the address of the next-hop egress PE router in the corresponding VRF. VRFs isolate different VPNs from one another.
5.2 Route Distinguisher (RD)
Because the number of VPNs is huge and many existing VPN customers do not want to renumber their IPv4 addresses, different VPN customers must be allowed to use the same IPv4 addresses. The RD allows the same IPv4 address to be reused in different VPNs. When a PE router advertises a route of a site through MP-iBGP, it carries the RD of each route along with it, that is, it converts the IPv4 address into a VPN-IPv4 address. After receiving a route advertised by MP-iBGP, the PE router examines the RD of the route, converts the VPN-IPv4 address back to an IPv4 address by removing the RD, and imports it into the corresponding VRF. Because different VPNs are isolated by VRFs, the same IPv4 address in different VPNs is imported into different VRF instances. Within one VPN an address must be unique. When multiple VPNs need to communicate with each other (for example through a shared site), the address must be unique across those VPNs; in this case the VPNs can only use the same RD.
5.3 Route Target (RT)
The RT is used to control the import and export policies of VRFs and thereby to form various complex VPN topologies. A VPN may use more than one RT; how the RTs are used is closely related to the VPN topology. A single RT suffices for a fully meshed VPN, while a VPN that is not fully meshed usually requires multiple RTs. When a VPN route is exported from a PE, it is marked with an RT. When routes are imported into a VRF, multiple RTs can be configured: as long as a VPN route carries an RT that matches any of the VRF's import RTs, it is imported into that VRF.
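The VPNv4 route contents of section 4 and the RD and RT behaviour of sections 5.2 and 5.3, as an added model that is not part of the original article: the RD keeps two overlapping 10.0.0.0/24 prefixes distinct in the BGP table, a shared site exports two RTs so that two VRFs import it, and a hub-and-spoke VPN uses separate hub and spoke RTs so that a spoke VRF imports only the hub's route. All RDs, RTs, labels, prefixes, VRF names and PE names are constructed.

```python
from collections import namedtuple

# Added example, not the article's code: VPNv4 route import on a receiving PE.
# All RDs, RTs, labels, prefixes and PE names below are constructed.
VpnRoute = namedtuple("VpnRoute", "rd prefix rts vpn_label next_hop_pe")

RT_A, RT_B = "65000:1", "65000:2"          # one RT each: full-mesh VPNs A and B
RT_SPOKE, RT_HUB = "65000:30", "65000:31"  # hub-and-spoke VPN C needs two RTs

RECEIVED = [  # constructed MP-iBGP advertisements from remote PEs
    VpnRoute("65000:1", "10.0.0.0/24", {RT_A}, 201, "PE2"),          # VPN A site
    VpnRoute("65000:2", "10.0.0.0/24", {RT_B}, 202, "PE3"),          # VPN B, same prefix
    VpnRoute("65000:9", "172.16.9.0/24", {RT_A, RT_B}, 209, "PE4"),  # shared site
    VpnRoute("65000:30", "10.3.0.0/24", {RT_HUB}, 230, "PE5"),       # VPN C hub
    VpnRoute("65000:31", "10.3.1.0/24", {RT_SPOKE}, 231, "PE6"),     # VPN C spoke 1
]

# Import RTs of the VRFs on the local PE. The local VPN C spoke imports only
# what the hub exports, so spoke-to-spoke traffic has to pass through the hub.
VRF_IMPORT = {"vrf-A": {RT_A}, "vrf-B": {RT_B}, "vrf-C-spoke2": {RT_HUB}}


def vpnv4_key(route):
    """VPN-IPv4 address: the RD prepended to the IPv4 prefix."""
    return "%s:%s" % (route.rd, route.prefix)


def vpnv4_table(received):
    """BGP table keyed by VPN-IPv4 address; same prefix with different RDs coexist."""
    return {vpnv4_key(r): r for r in received}


def import_routes(received, vrf_import):
    """A route enters a VRF if any of its RTs matches any import RT of that VRF;
    the RD is dropped on import, leaving a plain IPv4 prefix inside the VRF."""
    vrfs = {name: {} for name in vrf_import}
    for route in received:
        for name, import_rts in vrf_import.items():
            if route.rts & import_rts:
                vrfs[name][route.prefix] = (route.vpn_label, route.next_hop_pe)
    return vrfs


def lookup(vrfs, vrf_name, prefix):
    """Inner VPN label and egress PE that the ingress PE uses (section 3), or None."""
    return vrfs[vrf_name].get(prefix)
```

After import_routes, vrf-A and vrf-B each hold their own 10.0.0.0/24 with different labels and egress PEs, while vrf-C-spoke2 sees the hub prefix but not the other spoke's.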
