MPLS VPN
Chapter 1
MPLS Overview
1. Introduction
The exponential growth of the Internet over the past several years has placed a
tremendous strain on the service provider networks. Not only has there been an
increase in the number of users but there has been a multifold increase in connection
speeds, backbone traffic and newer applications. Initially ordinary data applications
required only store and forward capability in a best effort manner. The newer
applications like voice, multimedia traffic and real-time e-commerce applications are
pushing towards higher bandwidth and better guarantees, irrespective of the dynamic
changes or interruptions in the network.
To honour service level guarantees, service providers not only have to provide
large data pipes (which are also costlier), but also look for architectures that
can provide QoS guarantees and optimal performance with minimal increase in the
cost of network resources.
MPLS technology enables Service Providers to offer additional services for their
customers, scale their current offerings, and exercise more control over their growing
networks by using its traffic engineering capabilities.
specifies the next hop, and a new label. The old label is replaced with the new label,
and the packet is forwarded to its next hop.
2. MPLS terminology
2. MPLS header: The 32-bit MPLS header contains the following fields:
i. The label field (20 bits) carries the actual value of the MPLS label.
ii. The Class of Service (CoS) field (3 bits) can affect the queuing and discard
algorithms applied to the packet as it is transmitted through the network. Since the
CoS field has 3 bits, 8 distinct service classes can be maintained.
iii. The Stack (S) field (1 bit) supports a hierarchical label stack. Although MPLS
supports a stack, the processing of a labeled packet is always based on the top label,
without regard for the possibility that other labels may have been above it in the
past, or that some number of other labels may be below it at present. A value of 1
marks the bottom label of the stack.
iv. The TTL (time-to-live) field (8 bits) provides conventional IP TTL functionality.
3. The MPLS label is encapsulated in a standardized MPLS header that is inserted
between the Layer 2 and IP headers.
4. MPLS label: a short, fixed-length, physically contiguous identifier which is used to
identify a FEC, usually of local significance.
5. In the MPLS architecture, a device that participates in packet forwarding is
called a Label Switching Router (LSR).
6. Label Switched Path (LSP): the path through one or more LSRs at one level of the
hierarchy which is followed by packets in a particular FEC.
As shown in the figure, the basic building block of an MPLS network is the LSR, and
a network consisting of LSRs is called an MPLS domain. An LSR that is located at the
edge of the domain and connected to a customer network is called a Label Edge
Router (LER). An LSR located inside the domain is called a core LSR. Labeled packets
are transmitted along an LSP composed of a series of LSRs; the LSR at which packets
enter the LSP is called the Ingress, and the LSR at which they leave is called the Egress.
[Figure: an LSP across an MPLS domain, from the Ingress LER through core LSRs to the Egress LER]
4. MPLS operations
PUSH:
A new label is pushed on top of the packet, effectively "encapsulating" the original IP
packet in a layer of MPLS.
SWAP:
Every incoming label is replaced by a new outgoing label (As per the path to be
followed) and the packet is forwarded along the path associated with the new label.
POP:
The label is removed from the packet, effectively "de-encapsulating" it. If the popped
label was the last on the label stack, the packet "leaves" the MPLS tunnel.
The figure above shows the LSP, the path from source to destination for a data packet
through an MPLS-enabled network. LSPs are unidirectional in nature. The LSP is
usually derived from IGP routing information but can diverge from the IGP's preferred
path to the destination. The figure shows that the LSP for network 172.16.10.0/24 from
R4 is R4-R3-R2-R1.
As shown in the figure, the following process takes place in the data forwarding path
from R4 to R1:
1. R4 receives a data packet for network 172.16.10.0 and identifies that the path to
the destination is MPLS enabled. Therefore, R4 applies label L3 (learned from
downstream router R3) to the packet and forwards the labeled packet to next-hop
router R3.
2. R3 receives the labeled packet with label L3 and swaps the label L3 with L2 and
forwards the packet to R2.
3. R2 receives the labeled packet with label L2 and swaps the label L2 with L1 and
forwards the packet to R1.
4. R1 is the border router between the IP and MPLS domains; therefore, R1 removes
the labels on the data packet and forwards the IP packet to destination network
172.16.10.0.
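As an added illustration that is not part of the original document, the following Python model walks a packet along the LSP R4-R3-R2-R1 described above, applying PUSH at the ingress, SWAP at the core LSRs and POP at the egress. The label values 1003, 1002 and 1001 stand in for L3, L2 and L1, and the forwarding tables are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Packet:
    dst: str                                    # destination of the original IP packet
    labels: list = field(default_factory=list)  # label stack, index 0 is the top label

# Constructed forwarding state (values stand in for L3, L2, L1 in the figure).
# R4 is the ingress: it maps the FEC (destination prefix) to the label that its
# downstream neighbour R3 advertised. Core LSRs hold an LFIB keyed on the
# incoming top label only; they never look at the IP header.
FIB_R4 = {"172.16.10.0/24": ("R3", 1003)}   # FEC -> (next hop, label to push)
LFIB = {
    "R3": {1003: ("R2", 1002)},              # SWAP 1003 -> 1002, send to R2
    "R2": {1002: ("R1", 1001)},              # SWAP 1002 -> 1001, send to R1
    "R1": {1001: (None, None)},              # POP: egress, deliver as plain IP
}

def push(pkt):
    """Ingress (R4): classify on the IP destination and push the FEC's label."""
    for prefix, (next_hop, label) in FIB_R4.items():
        if ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(prefix):
            pkt.labels.insert(0, label)
            return next_hop
    raise LookupError(f"R4: destination {pkt.dst} is not reachable over MPLS")

def switch(pkt, router):
    """Core or egress LSR: act on the top label only (SWAP or POP)."""
    next_hop, new_label = LFIB[router][pkt.labels[0]]  # KeyError = unknown label, drop
    if new_label is None:
        pkt.labels.pop(0)                   # POP: last label removed, packet leaves the LSP
        return next_hop                     # None: continue with an IP lookup at the egress
    pkt.labels[0] = new_label               # SWAP: replace the top label in place
    return next_hop

def forward(dst):
    """Send a packet for `dst` into the LSP; return the per-hop trace and the final packet."""
    pkt = Packet(dst)
    next_hop = push(pkt)
    trace = [("R4", "PUSH", pkt.labels[0])]
    while next_hop is not None:
        router, incoming = next_hop, pkt.labels[0]
        next_hop = switch(pkt, router)
        trace.append((router, "POP" if not pkt.labels else "SWAP", incoming))
    return trace, pkt
```

Calling `forward("172.16.10.7")` yields the trace R4 PUSH 1003, R3 SWAP 1003, R2 SWAP 1002, R1 POP 1001 and an empty label stack, matching steps 1 to 4 above.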
5. MPLS Applications
MPLS-Based VPN
In a traditional VPN, data flows between private networks across the public
packet-switched network are usually carried by tunneling protocols such as GRE,
L2TP and PPTP. In MPLS the LSP itself is the tunnel across the public network, so
MPLS has natural advantages for realizing VPNs. An MPLS-based VPN connects the
geographically separate branches of a private network by using LSPs, forming a
single united network.
The basic structure of an MPLS-based VPN is shown in the figure. CE is the customer
edge device, which may be a router, a switch, or even a host. PE is a service
provider edge router, located on the edge of the backbone network. The PE is
responsible for managing VPN customers, establishing LSP connections between the
various PEs, and distributing routes among the different branches of the same VPN.
MPLS-Based Traffic Engineering
Existing IGPs are all topology-driven and take only the static connectivity
of the network into account; dynamic state such as bandwidth and traffic
characteristics is not reflected. This is the main cause of unbalanced
network load. MPLS, unlike the IGPs, satisfies the requirements of traffic
engineering: it supports explicit LSP routing that can differ from the
routing-protocol path. Compared with traditional hop-by-hop IP forwarding, LSPs
are more convenient to manage and maintain.
MPLS QoS
Service providers offering MPLS VPN and traffic engineering (TE) services can
now differentiate themselves by providing varying levels of QoS for different types
of network traffic. For example, voice-over-IP (VoIP) traffic receives service with
assured minimums of delay and bandwidth, while e-commerce traffic might receive
a minimum bandwidth guarantee (but not a delay guarantee). DiffServ is one of the
QoS architectures for IP networks defined by the IETF. Cisco IOS MPLS supports the
IETF DiffServ architecture by making the rich set of Cisco QoS functions MPLS
aware, and by enabling the features to act on the MPLS packets.
Chapter 2
MPLS VPN
1. VPN Overview
VPNs were originally introduced to enable service providers to use common physical
infrastructure to implement emulated point-to-point links between customer sites. A
customer network implemented with any VPN technology would contain distinct
regions under the customer's control called the customer sites connected to each
other via the service provider (SP) network. In traditional router-based networks,
different sites belonging to the same customer were connected to each other using
dedicated point-to-point links. The cost of implementation depended on the number
of customer sites to be connected with these dedicated links. A full mesh of
connected sites would consequently imply an exponential increase in the cost
associated.
Frame Relay and ATM were the first technologies widely adopted to implement VPNs.
These networks consisted of various devices, belonging to either the customer or the
service provider, that were components of the VPN solution. Generically, the VPN
realm would consist of the following regions:
2. MPLS VPNs
The figure below shows the MPLS VPN architecture.
In the MPLS VPN architecture, the edge routers carry customer routing information,
providing optimal routing for traffic belonging to the customer for inter-site traffic.
The MPLS-based VPN model also accommodates customers using overlapping address
spaces, unlike the traditional peer-to-peer model in which optimal routing of
customer traffic required the provider to assign IP addresses to each of its customers
(or the customer to implement NAT) to avoid overlapping address spaces. MPLS VPN is
an implementation of the peer-to-peer model; the MPLS VPN backbone and customer
sites exchange Layer 3 customer routing information, and data is forwarded between
customer sites using the MPLS-enabled SP IP backbone.
The MPLS VPN domain, like the traditional VPN, consists of the customer network and
the provider network. The MPLS VPN model is very similar to the dedicated PE router
model in a peer-to-peer VPN implementation. However, instead of deploying a
dedicated PE router per customer, customer traffic is isolated on the same PE router
that provides connectivity into the service provider's network for multiple customers.
• Customer network, which is usually a customer-controlled domain consisting
of devices or routers spanning multiple sites belonging to the customer. In the figure,
the customer network for Customer A consists of the routers CE1-A and CE2-A
along with devices in the Customer A sites 1 and 2.
• CE routers, which are routers in the customer network that interface with the
service provider network. In the figure, the CE routers for Customer A are CE1-A and
CE2-A, and the CE routers for Customer B are CE1-B and CE2-B.
• Provider network, which is the provider-controlled domain consisting of
provider edge and provider core routers that connect sites belonging to the
customer on a shared infrastructure. The provider network controls the traffic
routing between sites belonging to a customer along with customer traffic
isolation. In the figure, the provider network consists of the routers PE1, PE2, P1, P2,
P3, and P4.
• PE routers, which are routers in the provider network that interface or
connect to the customer edge routers in the customer network. PE1 and PE2
are the provider edge routers in the MPLS VPN domain for customers A and B in
the figure.
• P routers, which are routers in the core of the provider network that interface
with either other provider core routers or provider edge routers. Routers P1,
P2, P3, and P4 are the provider routers in the figure.
Layer 3 VPNs: With L3 VPNs the service provider participates in the customer’s Layer
3 routing. The customer’s CE router at each of his sites speaks a routing protocol such
as BGP or OSPF to the provider’s PE router, and the IP prefixes advertised at each
customer site are carried across the provider network. L3 VPNs are attractive to
customers who want to leverage the service provider’s technical expertise to ensure
efficient site-to-site routing.
Layer 2 VPNs: The provider interconnects the customer sites via the Layer 2
technology – usually ATM, Frame Relay, or Ethernet – of the customer’s choosing. The
customer implements whatever Layer 3 protocol he wants to run, with no
participation by the service provider at that level. L2 VPNs are attractive to
customers who want complete control of their own routing; they are attractive to
service providers because they can serve up whatever connectivity the customer
wants simply by adding the appropriate interface in the PE router.
5. L3 MPLS VPN Routing Model
In the MPLS VPN implementation, the PE router performs multiple functions. The PE
router must first be capable of isolating customer traffic if more than one customer is
connected to the PE router. Each customer, therefore, is assigned an independent
routing table similar to a dedicated PE router in the initial peer-to-peer discussion.
Routing across the SP backbone is performed using a routing process in the global
routing table. P routers provide label switching between provider edge routers and
are unaware of VPN routes. CE routers in the customer network are not aware of the
P routers and, thus, the internal topology of the SP network is transparent to the
customer. Fig. below depicts the PE router's functionality.
The P routers are only responsible for label switching of packets. They do not carry
VPN routes and do not participate in MPLS VPN routing. The PE routers exchange IPv4
routes with connected CE routers using individual routing protocol contexts. To
enable the network to scale to a large number of customer VPNs, multiprotocol BGP is
configured between PE routers to carry customer routes.
VRF: Virtual Routing and Forwarding Table
Customer isolation is achieved on the PE router by the use of virtual routing tables or
instances, also called virtual routing and forwarding tables/instances (VRFs). In
essence, it is similar to maintaining multiple dedicated routers for customers
connecting into the provider network. The function of a VRF is similar to that of the
global routing table, except that it contains only the routes pertaining to a specific
VPN. The VRF also contains a VRF-specific CEF (Cisco Express Forwarding)
forwarding table analogous to the global CEF table and defines the
connectivity requirements and protocols for each customer site on a single PE router.
The VRF defines routing protocol contexts that are part of a specific VPN as well as
the interfaces on the local PE router that are part of a specific VPN and, hence, use
the VRF. The interface that is part of the VRF must support CEF switching. The
number of interfaces that can be bound to a VRF is only limited by the number of
interfaces on the router, and a single interface (logical or physical) can be associated
with only one VRF.
The VRF contains an IP routing table analogous to the global IP routing table, a CEF
table, list of interfaces that are part of the VRF, and a set of rules defining routing
protocol exchange with attached CE routers (routing protocol contexts). In addition,
the VRF also contains VPN identifiers as well as VPN membership information (RD and
RT are covered in the next section). The figure shows the function of a VRF on a PE
router to implement customer routing isolation.
As shown in the figure, Cisco IOS supports a variety of routing protocols as well as individual
routing processes (OSPF, EIGRP, etc.) per router. However, for some routing
protocols, such as RIP and BGP, IOS supports only a single instance of the routing
protocol. Therefore, to implement per VRF routing using these protocols that are
completely isolated from other VRFs, which might use the same PE-CE routing
protocols, the concept of routing context was developed.
Routing contexts were designed to support isolated copies of the same VPN PE-CE
routing protocols. These routing contexts can be implemented as either separated
processes, as in the case of OSPF, or as multiple instances of the same routing
protocol (in BGP, RIP, etc.). If multiple instances of the same routing protocol are in
use, each instance has its own set of parameters.
Cisco IOS currently supports RIPv2 (multiple contexts), EIGRP (multiple
contexts), OSPFv2 (multiple processes), and BGPv4 (multiple contexts) as routing
protocols that can be used per VRF to exchange customer routing information
between CE and PE.
Note that the VRF interfaces can be either logical or physical, but each interface can
be assigned to only one VRF.
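As an added example that is not part of the original document, the following Python model of a PE router shows how per-VRF tables keep two customers apart even when both use the same address space, and enforces the rule that an interface belongs to at most one VRF. The VRF names, interface names, prefixes and next hops are constructed for illustration.

```python
import ipaddress

class PERouter:
    """Toy PE: one global table for the backbone plus one routing table per VRF."""

    def __init__(self):
        self.global_table = {}   # backbone (IGP) routes: network -> next hop
        self.vrfs = {}           # VRF name -> {network: next hop}
        self.iface_vrf = {}      # interface -> VRF name; an interface has at most one VRF

    def add_vrf(self, name):
        self.vrfs.setdefault(name, {})

    def bind_interface(self, iface, vrf):
        """Bind a CE-facing interface to a VRF (the `ip vrf forwarding` idea)."""
        if iface in self.iface_vrf:
            raise ValueError(f"{iface} is already bound to VRF {self.iface_vrf[iface]}")
        if vrf not in self.vrfs:
            raise KeyError(f"VRF {vrf} does not exist")
        self.iface_vrf[iface] = vrf

    def add_route(self, prefix, next_hop, vrf=None):
        """vrf=None installs into the global table, otherwise into that VRF's table."""
        table = self.global_table if vrf is None else self.vrfs[vrf]
        table[ipaddress.ip_network(prefix)] = next_hop

    def lookup(self, ingress_iface, dst):
        """Pick the table from the ingress interface, then longest-prefix match in it."""
        vrf = self.iface_vrf.get(ingress_iface)          # None -> global table
        table = self.global_table if vrf is None else self.vrfs[vrf]
        addr = ipaddress.ip_address(dst)
        matches = [net for net in table if addr in net]
        if not matches:
            return vrf, None                              # no route in *this* table
        return vrf, table[max(matches, key=lambda net: net.prefixlen)]

def build_pe():
    """Constructed PE1: customers A and B both number their remote site 10.1.0.0/16."""
    pe = PERouter()
    pe.add_route("10.255.0.0/16", "P1")                       # backbone route, global table
    for cust, iface in (("A", "Gi0/1"), ("B", "Gi0/2")):
        pe.add_vrf(cust)
        pe.bind_interface(iface, cust)                        # CE1-A on Gi0/1, CE1-B on Gi0/2
        pe.add_route("10.1.0.0/16", f"PE2 (LSP) -> CE2-{cust}", vrf=cust)
    pe.add_route("10.1.5.0/24", "CE1-A", vrf="A")             # A-only, more specific route
    return pe
```

The same destination 10.1.5.9 resolves to CE1-A when it arrives on Customer A's interface and to the LSP towards CE2-B on Customer B's interface, and a packet from a VRF interface cannot reach a backbone-only route because the global table is never consulted for it.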
Chapter 3
FAQs
1. MPLS
A. The label is imposed between the data link layer (Layer 2) header
and network layer (Layer 3) header. The top of the label stack appears first in
the packet, and the bottom appears last. The network layer packet
immediately follows the last label in the label stack.
Q. How does the LSR know which is the top label, bottom label, and a middle
label of the label stack?
A. The label immediately after the Layer 2 header is the top label, and the label with
the S bit set to 1 is the bottom label. No application requires the LSR to identify the
middle labels; however, a label is a middle label if it is not at the top of the stack
and its S bit is 0.
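As an added example (not from the original document) that ties the 32-bit header layout from Chapter 1 to this answer, the following Python code packs label stack entries, parses a stack entry by entry, classifies each entry as top, middle or bottom from its S bit, and returns the offset at which the network layer packet begins. The label values used are constructed.

```python
import struct

def encode_entry(label, cos=0, s=0, ttl=64):
    """Pack one 32-bit entry: label (20 bits) | CoS (3) | S (1) | TTL (8)."""
    if not (0 <= label < 1 << 20 and 0 <= cos < 8 and s in (0, 1) and 0 <= ttl < 256):
        raise ValueError("MPLS header field out of range")
    return struct.pack("!I", (label << 12) | (cos << 9) | (s << 8) | ttl)

def encode_stack(labels, ttl=64):
    """Top label first; only the last entry carries S=1 (bottom of stack)."""
    last = len(labels) - 1
    return b"".join(encode_entry(lbl, s=int(i == last), ttl=ttl)
                    for i, lbl in enumerate(labels))

def parse_stack(data):
    """Parse the label stack that immediately follows the Layer 2 header.

    Returns (entries, ip_offset): entries is a list of
    (position, label, cos, ttl) with position 'top', 'middle', 'bottom' or
    'top and bottom' (a one-label stack); ip_offset is where the network
    layer packet starts, i.e. right after the entry whose S bit is 1.
    """
    entries, offset = [], 0
    while True:
        if offset + 4 > len(data):             # ran out of bytes before seeing S=1
            raise ValueError("truncated label stack: no bottom-of-stack entry")
        (word,) = struct.unpack_from("!I", data, offset)
        label, cos = word >> 12, (word >> 9) & 0x7
        s, ttl = (word >> 8) & 0x1, word & 0xFF
        offset += 4
        if s == 1:
            entries.append(("bottom" if entries else "top and bottom", label, cos, ttl))
            return entries, offset
        entries.append(("top" if not entries else "middle", label, cos, ttl))
```

A stack whose last entry lacks the S bit is rejected rather than being read into the IP header that follows it.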
2. MPLS VPN
without any major investment.
The rise of Internet-based applications and continually evolving technology allow the
enterprise to take advantage of several value-added services that the Service
Provider will offer in future over the same IP network infrastructure in a cost-effective
manner. Examples are bandwidth on demand, VoIP, multicasting, and interactive
applications.
Yes, a dial customer can be provided access to a VPN through what is known as an
L2TP (Layer 2 Tunneling Protocol) tunnel.
Q. How secure is IP VPN service?
A VPN by itself is an isolated entity and therefore has no possibility of outside
intrusion. Security in the case of interconnection with other networks is the
customer's responsibility.
Q. What are the two types of MPLS VPNs? What is the difference between them?
Layer 2 VPNs and Layer 3 VPNs. In an L2 VPN, the customer's routing information is not
communicated to the Service Provider, whereas in an L3 VPN the customer's routing
updates are sent to the provider router.
Another proposal for using MPLS to create IP VPNs is based on the idea of
maintaining separate routing tables for the various virtual private networks and does
not involve BGP.