Summary of PE router Learning

Source: Internet
Author: User

PE routers are in wide use today; they are one type of VPN router. I have studied the explanations and principles of PE routers and share them here in the hope that they will be useful. A Virtual Private Network (VPN) is a virtual private network built on top of a public network. It uses tunneling, encryption and other techniques to give users the impression of a direct connection to a private LAN.

Introduction to MPLS VPN

Multi-Protocol Label Switching (MPLS) is a new-generation IP backbone switching standard proposed by the IETF. It is an integrated IP-over-ATM technology that combines the flexibility of IP routing with the simplicity of ATM switching. It brings connection-oriented properties to connectionless IP networks and provides label-switched services similar to virtual circuits.

An MPLS VPN has three types of routers: CE routers, PE routers and P routers.

The CE router is the customer edge router; it connects the customer site to the PE router.

The PE router is the provider edge router, i.e. the Label Edge Router (LER) of the MPLS network. It processes VPN packets arriving from a CE router or from a label switched path (LSP) according to its stored routing information and forwards them. It is also responsible for exchanging routing information with other PE routers.

The P router is a core router of the carrier network, i.e. a Label Switching Router (LSR) of the MPLS network. It forwards VPN packets transparently based on the packet's outer label; a P router maintains only the routes to the PE routers, not any VPN-specific routing information.

Depending on whether the PE router participates in the customer's routing, MPLS VPNs are divided into Layer 3 MPLS VPN and Layer 2 MPLS VPN. Layer 3 MPLS VPN follows the RFC 2547bis standard (now published as RFC 4364): it uses BGP to distribute routing information between PE routers and uses MPLS to carry data between VPN sites, so it is also called BGP/MPLS VPN.

Several important concepts in BGP/MPLS VPN

1. VRF

One of the security measures of BGP/MPLS VPN is the isolation of routing and of information. It is implemented with the VPN Routing and Forwarding (VRF) table together with LSPs in MPLS. A PE router holds multiple VRF tables; each corresponds to one or more sub-interfaces on the PE router and stores the routing information of the VPN to which those sub-interfaces belong. Normally a VRF table contains the routes of only one VPN, but when a sub-interface belongs to several VPNs, its VRF table contains the routes of all the VPNs that sub-interface belongs to. Each VRF table has two attributes: a Route Distinguisher (RD) and one or more Route Targets (RT). Note that this isolation is a property of the PE configuration, not of cryptography: VPN packets cross the backbone unencrypted, and a wrong RT import or export on a PE router leaks routes from one VPN into another.

2. RD

IP address planning inside a VPN is done by the customer. A customer may therefore use the private addresses defined in RFC 1918 for its sites, and different VPNs may use the same address ranges, i.e. addresses overlap. One consequence of overlapping addresses is that BGP cannot distinguish overlapping routes from different VPNs, so a site becomes unreachable. To solve this, BGP/MPLS VPN not only keeps multiple VRF tables on the PE router but also introduces the RD. An RD is globally unique; prepending an 8-byte RD to an IPv4 address prefix turns a non-unique IPv4 address into a unique 12-byte VPN-IPv4 address. VPN-IPv4 addresses are invisible to customer devices and are used only for distributing routing information across the backbone.

An RD maps one-to-one to a VRF table. Normally, the VRF tables for sub-interfaces of the same VPN on different PE routers are assigned the same RD; in other words, each VPN gets a unique RD. For overlapping VPNs, however, where a site belongs to several VPNs, the sub-interface on the PE router belongs to several VPNs, and the VRF table for that sub-interface can be assigned only one RD, so those VPNs share one RD. (RFC 4364 only requires the RD to make the VPN-IPv4 route unique; assigning a distinct RD to each VRF on each PE router is also common practice, and it lets a route reflector carry several paths to the same customer prefix.)

3. RT

The RT is carried as a BGP extended community attribute and controls the distribution of routing information. It is divided into Import RT and Export RT, governing the import and export policies for routes respectively. When a VPN route is exported from a VRF table it is tagged with the VRF's Export RTs; when routes are imported into a VRF table, only those carrying an RT that matches any Import RT of the VRF are accepted. Thus a PE router holds only the routes of the VPNs directly attached to it rather than every VPN route in the network, saving PE resources and improving scalability. An RT value is globally unique and by convention identifies a single VPN. By configuring Import and Export RTs appropriately, the carrier can build VPNs of different topologies, such as overlapping VPNs and hub-and-spoke VPNs.
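The RD and RT sections above describe two separate mechanisms, so here is one added example that exercises both; it is not code from the original page. It encodes an RD into the 8-byte wire form defined in RFC 4364 section 4.2, builds the 12-byte VPN-IPv4 address, and then models VRF Import/Export RT policy on three PE routers. The PE names, RDs, RT values and prefixes are constructed for the example: VPN A is built as hub-and-spoke (spokes export 65000:200 and import only the hub's 65000:100), VPN B is a full mesh, and both VPNs deliberately use the overlapping prefix 10.1.0.0/24.

```python
import ipaddress
import struct


def encode_rd(rd: str) -> bytes:
    """Encode an RD written as 'ASN:nn' or 'A.B.C.D:nn' into its 8-byte wire form.

    Type 0: 2-byte ASN + 4-byte number; type 1: 4-byte IPv4 address + 2-byte number;
    type 2: 4-byte ASN + 2-byte number (RFC 4364, section 4.2).
    """
    admin, number = rd.rsplit(":", 1)
    number = int(number)
    if "." in admin:
        return struct.pack("!H4sH", 1, ipaddress.IPv4Address(admin).packed, number)
    asn = int(admin)
    if asn > 0xFFFF:
        return struct.pack("!HIH", 2, asn, number)
    return struct.pack("!HHI", 0, asn, number)


def vpn_ipv4(rd: str, prefix: str) -> bytes:
    """12-byte VPN-IPv4 address: the 8-byte RD followed by the 4-byte IPv4 network address."""
    return encode_rd(rd) + ipaddress.IPv4Network(prefix).network_address.packed


class Vrf:
    """One VRF table on a PE router: its RD, Import/Export RT sets and the routes it holds."""

    def __init__(self, pe, name, rd, imports, exports):
        self.pe, self.name, self.rd = pe, name, rd
        self.import_rts, self.export_rts = set(imports), set(exports)
        self.routes = {}  # IPv4 prefix -> PE that originated it (stands in for the BGP next hop)

    def export(self):
        """Every route leaves the VRF as a VPN-IPv4 route tagged with the VRF's Export RTs."""
        return [(vpn_ipv4(self.rd, p), p, frozenset(self.export_rts), self.pe) for p in self.routes]

    def accept(self, advertisements):
        """Import only routes carrying at least one of this VRF's Import RTs, then drop the RD."""
        for _vpn_key, prefix, rts, origin in advertisements:
            if rts & self.import_rts:
                self.routes.setdefault(prefix, origin)  # a locally learned route is kept as is


def distribute(vrfs):
    """Flood every VRF's exports to every VRF, as a full MP-iBGP mesh between PEs would.

    Returns the per-VRF routing tables and the set of distinct VPN-IPv4 keys seen in the backbone.
    """
    ads = [a for v in vrfs for a in v.export()]
    for v in vrfs:
        v.accept(ads)
    tables = {v.name: dict(sorted(v.routes.items())) for v in vrfs}
    return tables, {a[0] for a in ads}


def build_topologies():
    """Constructed scenario (hypothetical PEs, RDs and RTs): VPN A is hub-and-spoke,
    VPN B is full mesh, and both VPNs use the overlapping prefix 10.1.0.0/24."""
    hub = Vrf("PE1", "A-hub", "65000:1", imports={"65000:200"}, exports={"65000:100"})
    spoke1 = Vrf("PE2", "A-spoke1", "65000:1", imports={"65000:100"}, exports={"65000:200"})
    spoke2 = Vrf("PE3", "A-spoke2", "65000:1", imports={"65000:100"}, exports={"65000:200"})
    b1 = Vrf("PE1", "B-site1", "65000:2", imports={"65000:2"}, exports={"65000:2"})
    b2 = Vrf("PE3", "B-site2", "65000:2", imports={"65000:2"}, exports={"65000:2"})
    hub.routes["10.0.0.0/24"] = "PE1"
    spoke1.routes["10.1.0.0/24"] = "PE2"
    spoke2.routes["10.2.0.0/24"] = "PE3"
    b1.routes["10.1.0.0/24"] = "PE1"  # same prefix as A-spoke1, kept apart by RD and RT
    b2.routes["10.9.0.0/24"] = "PE3"
    return distribute([hub, spoke1, spoke2, b1, b2])


if __name__ == "__main__":
    tables, keys = build_topologies()
    for name, routes in tables.items():
        print(name, routes)
    print("distinct VPN-IPv4 routes in the backbone:", len(keys))
```

Running it shows the two properties the text describes: the spokes of VPN A learn the hub's prefix but never each other's, and VPN B's 10.1.0.0/24 never appears in any VPN A table even though the plain IPv4 prefix is identical, because the RD makes the two VPN-IPv4 routes distinct and the RTs keep them from being imported into the wrong VRF.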

Architecture of BGP/MPLS VPN

1. BGP/MPLS VPN Architecture

The architecture is divided into a data plane and a control plane. The data plane defines how VPN data is forwarded; the control plane defines how LSPs are established and how VPN routing information is distributed. Here we mainly discuss the data forwarding process and the route distribution process.

2. Data Forwarding Process

VPN data transported across the MPLS network carries a two-level label stack: an outer label (also called the tunnel label) and an inner label (also called the VPN label). They correspond to two levels of routing: intra-domain routing and VPN routing. Intra-domain routes (LSPs) are established between PE and P routers by running the Label Distribution Protocol (LDP) or the Resource Reservation Protocol (RSVP); the resulting label forwarding table is used to swap the outer label of VPN packets. VPN routes are established between PE routers by running MP-iBGP, which distributes VPN labels across the backbone's P routers to form the VPN routes. Besides the VRF tables, the PE router also holds an MPLS route table that stores the mapping between VPN labels and sub-interfaces; the egress PE router uses it to forward data to the CE router.

The forwarding process is as follows. When a CE router sends a VPN packet to the ingress PE router through a sub-interface, the PE router looks up the VRF table corresponding to that sub-interface and obtains from it the VPN label, the initial outer label, and the output interface toward the egress PE router. Once the packet has been tagged with both labels, it is sent through the output interface to the first P router on the corresponding LSP. Within the backbone, each P router swaps the outer label of the VPN packet, until the last P router pops the outer label (penultimate hop popping) and forwards the packet, now carrying only the VPN label, to the egress PE router. The egress PE router looks up the MPLS route table by VPN label to obtain the output interface, pops the VPN label, and sends the packet through that interface to the correct CE router; this completes the forwarding process. In the special case where the egress and ingress PE router are the same router, the PE router forwards the received VPN packet directly to the destination CE router without any label processing.
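The forwarding process above, as an added example that is not part of the original page: it walks a packet from the ingress PE through two P routers to the egress PE, recording the label stack after each hop. The topology, interface names, prefixes and label values (outer labels 300/301, VPN label 1001) are all hypothetical. The P routers are given nothing but an outer-label forwarding table, which is the point the text makes about them holding no VPN routing information, and a second VRF entry covers the case where the destination CE hangs off the ingress PE itself.

```python
import ipaddress

# Constructed topology (hypothetical names): CE-A <-> PE1 <-> P1 <-> P2 <-> PE2 <-> CE-B,
# plus CE-C attached directly to PE1 on sub-interface ge0/0.30 (the "same PE" case).

# PE1's VRF for the customer VPN: prefix -> (VPN label, initial outer label, output interface).
# A site on this PE has no labels; its entry just names the sub-interface toward the CE.
PE1_VRF = {
    "10.2.0.0/24": (1001, 300, "to-P1"),      # remote site behind PE2
    "10.3.0.0/24": (None, None, "ge0/0.30"),  # local site on PE1
}

# P routers hold only label forwarding entries keyed by the outer label: no VPN knowledge at all.
P_LFIB = {
    "P1": {300: ("swap", 301, "to-P2")},
    "P2": {301: ("pop", None, "to-PE2")},     # penultimate hop pops the tunnel label
}

# Egress PE2's MPLS route table: VPN label -> sub-interface toward the destination CE.
PE2_MPLS_RT = {1001: "ge0/0.20"}

# Which node sits at the far end of each link.
NEXT_NODE = {"to-P1": "P1", "to-P2": "P2", "to-PE2": "PE2"}


def vrf_lookup(vrf, dst):
    """Longest-prefix match of a destination address against a VRF table."""
    addr = ipaddress.IPv4Address(dst)
    matches = [(ipaddress.IPv4Network(p), e) for p, e in vrf.items()
               if addr in ipaddress.IPv4Network(p)]
    if not matches:
        raise KeyError(f"no VRF route for {dst}")
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def forward(dst):
    """Return the hop-by-hop trace as (node, output interface, label stack after that node)."""
    vpn_label, outer, out_if = vrf_lookup(PE1_VRF, dst)
    if outer is None:                 # ingress and egress PE are the same router: plain IP to the CE
        return [("PE1", out_if, [])]
    labels = [outer, vpn_label]       # top of stack first: tunnel label above the VPN label
    trace = [("PE1", out_if, list(labels))]
    node = NEXT_NODE[out_if]
    while node in P_LFIB:             # backbone P routers act on the outer label only
        action, new_label, out_if = P_LFIB[node][labels[0]]
        if action == "swap":
            labels[0] = new_label
        else:                         # "pop": deliver a VPN-label-only packet to the egress PE
            labels.pop(0)
        trace.append((node, out_if, list(labels)))
        node = NEXT_NODE[out_if]
    sub_if = PE2_MPLS_RT[labels.pop(0)]   # egress PE: VPN label selects the CE-facing sub-interface
    trace.append((node, sub_if, list(labels)))
    return trace


if __name__ == "__main__":
    for hop in forward("10.2.0.5"):
        print(hop)
    print(forward("10.3.0.9"))
```

The trace for 10.2.0.5 shows the stack growing to [300, 1001] at PE1, the outer label being swapped to 301 at P1 and popped at P2, and PE2 consuming the VPN label 1001 to pick ge0/0.20; 10.3.0.9 never receives a label because PE1 is both ingress and egress.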

3. Route information distribution process

In MPLS VPN, because of the two-level label stack, P routers do not take part in the exchange of VPN routing information; customer routers learn the topology of a VPN through the routing exchange between CE and PE routers.

(1) CE-PE: routing information is exchanged using static or default routes, dynamic routing protocols such as RIPv2 or OSPF, or an EBGP session. When the ingress PE router receives routing information from a CE router on a sub-interface, besides importing the routes into the corresponding VRF table it also assigns a VPN label to the route. The VPN label identifies the sub-interface on which the route was received, so routes received on the same sub-interface get the same VPN label, and the PE router can forward a received VPN packet to the right sub-interface.

(2) PE-PE: routing information is exchanged using MP-iBGP. The PE routers ensure that routes reach every PE router by maintaining a full iBGP mesh or by using route reflectors. When the ingress PE router distributes a route, it attaches the RD of the route's VRF table, converting the route's IPv4 address into a VPN-IPv4 address. The distributed routing information consists of the VPN-IPv4 prefix, the BGP next hop (the address of the ingress PE router, encoded as a VPN-IPv4 address with RD = 0), the VPN label assigned to the route, and the Export RTs of the route's VRF table. This is known as labeled VPN-IPv4 routing information. When the egress PE router receives the route, it checks its RTs; if an RT matches any Import RT of one of its VRF tables, the route is stored in the VPN-IPv4 RIB. After route selection, the VPN-IPv4 address of the best route is converted back to an IPv4 address by removing the RD, and the route is imported into the corresponding VRF table.
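Steps (1) and (2) together, as one added example that is not code from the original page. Two hypothetical PE routers are modelled: PE1 learns CE routes on two sub-interfaces (one VRF each, for two different VPNs) and allocates one VPN label per sub-interface; PE2 holds a VRF for only one of those VPNs, filters the labeled VPN-IPv4 advertisements by Import RT, keeps the accepted ones in its VPN-IPv4 RIB, and installs the routes, stripped of their RD, into the VRF. All names, loopback addresses, RDs, RTs and prefixes are constructed; the BGP next hop is modelled as the PE loopback IPv4 address (the RD = 0 form described above), and best-path selection is reduced to keeping the first route received for a prefix.

```python
import itertools


class PE:
    """Minimal model of a PE router's control plane for BGP/MPLS VPN route distribution."""

    def __init__(self, name, loopback):
        self.name = name
        self.loopback = loopback              # advertised as the MP-iBGP next hop
        self.vrfs = {}                        # sub-interface -> VRF table
        self._labels = itertools.count(1000)  # label allocator (hypothetical label range)
        self.vpn_label = {}                   # sub-interface -> VPN label
        self.mpls_rt = {}                     # VPN label -> sub-interface (the MPLS route table)
        self.vpnv4_rib = []                   # labeled VPN-IPv4 routes accepted from peers

    def add_vrf(self, sub_if, rd, import_rts, export_rts):
        self.vrfs[sub_if] = {"rd": rd, "import": set(import_rts),
                             "export": set(export_rts), "routes": {}}

    def learn_from_ce(self, sub_if, prefix):
        """Step (1): install a CE route and give it the VPN label that identifies sub_if."""
        vrf = self.vrfs[sub_if]
        vrf["routes"][prefix] = ("connected", sub_if)  # local route: next hop is the CE link
        if sub_if not in self.vpn_label:               # one label per sub-interface, reused
            label = next(self._labels)
            self.vpn_label[sub_if] = label
            self.mpls_rt[label] = sub_if
        return self.vpn_label[sub_if]

    def advertise(self):
        """Step (2), sender side: each local VRF route becomes a labeled VPN-IPv4 route."""
        ads = []
        for sub_if, vrf in self.vrfs.items():
            for prefix, (kind, _) in vrf["routes"].items():
                if kind != "connected":
                    continue  # routes learned over iBGP are not re-advertised here
                ads.append({"rd": vrf["rd"], "prefix": prefix, "next_hop": self.loopback,
                            "label": self.vpn_label[sub_if], "rts": frozenset(vrf["export"])})
        return ads

    def receive(self, ads):
        """Step (2), receiver side: match Import RTs, keep the route in the VPN-IPv4 RIB,
        strip the RD and install (prefix -> next hop, VPN label) into every matching VRF."""
        for ad in ads:
            targets = [v for v in self.vrfs.values() if ad["rts"] & v["import"]]
            if not targets:
                continue                       # no Import RT matches: the route is dropped
            self.vpnv4_rib.append(ad)          # still carries its RD here
            for vrf in targets:
                vrf["routes"].setdefault(ad["prefix"], (ad["next_hop"], ad["label"]))


def run_distribution():
    """Constructed scenario: VPN A on PE1 (ge0/0.10) and PE2 (ge0/0.20), VPN B on PE1 only."""
    pe1, pe2 = PE("PE1", "192.0.2.1"), PE("PE2", "192.0.2.2")
    pe1.add_vrf("ge0/0.10", "65000:1", {"65000:1"}, {"65000:1"})  # VPN A, site 1
    pe1.add_vrf("ge0/0.11", "65000:2", {"65000:2"}, {"65000:2"})  # VPN B, site 1
    pe2.add_vrf("ge0/0.20", "65000:1", {"65000:1"}, {"65000:1"})  # VPN A, site 2
    pe1.learn_from_ce("ge0/0.10", "10.1.0.0/24")
    pe1.learn_from_ce("ge0/0.10", "10.1.1.0/24")
    pe1.learn_from_ce("ge0/0.11", "10.1.0.0/24")  # VPN B reuses VPN A's prefix
    pe2.receive(pe1.advertise())
    return pe1, pe2


if __name__ == "__main__":
    pe1, pe2 = run_distribution()
    print("PE1 VPN labels:", pe1.vpn_label)
    print("PE2 VRF ge0/0.20:", pe2.vrfs["ge0/0.20"]["routes"])
```

Both VPN A routes from PE1 arrive at PE2 with the same VPN label because they came in on the same sub-interface, and PE2 installs them with next hop 192.0.2.1 plus that label, which is exactly what its data plane needs to build the two-level stack. The VPN B route carries RT 65000:2 and is dropped by PE2, so the overlapping 10.1.0.0/24 never collides in its VRF.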

Implementation of MPLS VPN across the networks of multiple carriers

If a customer's MPLS VPN spans the networks of several carriers, and assuming the carriers' address ranges do not overlap, the following solution can be used: ① establish EBGP sessions between the carriers' edge routers to distribute labeled IPv4 routes; ② establish multi-hop EBGP sessions between the PE routers of the different carriers to distribute labeled VPN-IPv4 routes. Note that this EBGP-based solution for multiple carriers also applies to a single carrier that uses multiple AS numbers.
