Abstract

This document describes the IP-VPN fundamentals defined in RFC 2547bis. This method provides Layer 3 VPNs (IP/MPLS VPNs), mainly to business customers, over an IP/MPLS backbone. The customer site is connected to the backbone through routers: the customer edge router (CE) at the customer site and the provider edge router (PE) at the network side. CE and PE routers can be attached to each other, or to end systems, in a variety of ways: PPP connections, ATM VCs, Frame Relay DLCIs, Ethernet interfaces, VLANs on Ethernet interfaces, L2TP tunnels, and IPsec tunnels. Sometimes a Layer 2 switch is physically attached to the PE router. In this case the Layer 2 switch is NOT the CE device. The CE devices are the hosts and routers that communicate with the PE router through the Layer 2 switches (which are assumed to be transparent). Each CE router sends its routes to the PE router. BGP is used to exchange the routes of a particular VPN among the PE routers that are attached to that VPN. Routes from different VPNs remain distinct and separate even if their address spaces overlap. All these aspects are discussed below.
The label (20 bits) is inserted between the layer 2 header and the layer 3 payload in the layer 2 frame, as depicted in fig. (4). Frame Relay (FR), Ethernet, and any other network technology. The propagation of an IP packet across the MPLS backbone is performed in three steps:

1. When an IP packet reaches the PE (ingress edge LSR) it is immediately classified into a Forwarding Equivalence Class (FEC) and labeled with the outgoing label stack corresponding to that FEC. A FEC describes a group of IP packets that are forwarded in the same manner, over the same path, with the same forwarding treatment (layer 3 lookup in the forwarding table).
2. At each core LSR the label in the inbound packet is removed and replaced by the outbound label corresponding to the same FEC (IP subnet).
3. When the PE at the far end (egress edge LSR) receives the labeled IP packet, it performs a label lookup, pops the label, performs a layer 3 lookup and forwards the IP packet to the CE.

An IP packet coming from CE1 destined to customer address 210.12.41.23 arrives at PE1 (Riyadh POP router). This router does a layer 3 lookup, prepends the label stack (52,21), and forwards the packet toward the Riyadh core router. There the router does a label lookup, swaps the top label, giving (52,43), and forwards the packet toward the Jeddah core router. The same process is repeated until the packet reaches the destination Jeddah-1 POP router. That router pops the label, does a label lookup and forwards the packet toward CE2 to its final destination.

BGP MPLS VPN

It is a peer-to-peer (layer 3) VPN defined by RFC 2547bis. The architecture basically comprises an IP/MPLS backbone (a provider network such as STC) and the customer sites, as depicted in Fig. (7).

Customer Edge Device [2]

At each customer site there are one or more Customer Edge (CE) devices, each of which is attached via a data link (e.g. PPP, Frame Relay, ATM, Ethernet, etc.) to one or more Provider Edge (PE) routers. At a particular site the CE device may be:

1. A single host
2. A switch (the site has a single subnet)
3. A router (in general)

When the CE device is a router, it is a routing peer of the PE(s) to which it is attached, but not a routing peer of CE routers at other sites. Routers at different sites do not exchange routing information with each other. The SP exclusively administers the PE and P routers; the customer manages the CE device.

Provider Edge Router

Each PE router needs to maintain a number of separate forwarding tables, called VRFs (VPN Routing and Forwarding tables), and every site attached to the PE (via a data link layer such as FR PVC, ATM PVC, or VLAN) must be mapped to one of those forwarding tables. Each PE exchanges routing information with CE routers using static routing, RIPv2, OSPF, or EBGP. After learning the VRF tables from the CEs, each PE exchanges VPN routing information with the other PE routers in the autonomous system using IBGP.
[Figure: label switching of an IP packet (Dest > 210.12.41.25) from CE1 through the Riyadh Malaz POP (PE1), the Riyadh, Madinah and Jeddah core routers, to the Jeddah 1 POP (PE3) and CE2; the label stack shown along the path is 52/21, 52/45 and 52/63.]
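The three steps above, worked through in a small Python simulation added here (it is not code from the document or any vendor): the ingress PE pushes the stack (52,21), each core LSR swaps only the top label, and the egress PE uses the VPN label to select the VRF before the layer-3 lookup. The router names, the VRF name VPN-A, the FIB entries and the swap to 63 at the Jeddah core are assumptions.

```python
import ipaddress

# Added example, not the document's code. Simulates the three forwarding steps
# for the packet from CE1 to 210.12.41.23: PE1 classifies it into a FEC and
# pushes (52,21); each core LSR swaps only the top (transport) label,
# 21 -> 43 -> 63; PE3 pops the stack and uses the bottom (VPN) label 52 to
# select the VRF for the layer-3 lookup. Router names, the VRF name VPN-A
# and the FIB contents below are assumed, not taken from the document.

def lpm(fib: dict, dst: str):
    """Longest-prefix match of dst in a {prefix: value} table; None if no route."""
    addr = ipaddress.ip_address(dst)
    hits = [p for p in fib if addr in ipaddress.ip_network(p)]
    return fib[max(hits, key=lambda p: ipaddress.ip_network(p).prefixlen)] if hits else None

PE1_VRF_FIB = {"VPN-A": {"210.12.41.0/24": [52, 21]}}        # stack, bottom..top
CORE_ILM = {"Riyadh-core": {21: 43}, "Jeddah-core": {43: 63}}  # in label -> out label
PE3_VPN_LABELS = {52: "VPN-A"}                                 # VPN label -> VRF
PE3_VRF_FIB = {"VPN-A": {"210.12.41.0/24": "CE2"}}             # VRF -> L3 table

def ingress(vrf: str, dst: str) -> list:
    """Step 1: FEC classification in the site's VRF, then push the label stack."""
    stack = lpm(PE1_VRF_FIB[vrf], dst)
    if stack is None:
        raise LookupError(f"no route for {dst} in VRF {vrf}: packet dropped")
    return list(stack)

def core_swap(router: str, stack: list) -> list:
    """Step 2: swap the top label only; the VPN label below it is not inspected."""
    out = CORE_ILM[router].get(stack[-1])
    if out is None:
        raise LookupError(f"{router}: no entry for label {stack[-1]}: packet dropped")
    return stack[:-1] + [out]

def egress(stack: list, dst: str) -> tuple:
    """Step 3: pop the stack, select the VRF from the VPN label, do the L3 lookup."""
    vrf = PE3_VPN_LABELS.get(stack[0])
    if vrf is None:
        raise LookupError(f"unknown VPN label {stack[0]}: packet dropped")
    return vrf, lpm(PE3_VRF_FIB[vrf], dst)

def forward(dst: str) -> dict:
    """Trace the label stack hop by hop from PE1 to the egress decision at PE3."""
    stack = ingress("VPN-A", dst)
    trace = {"PE1": list(stack)}
    for hop in ("Riyadh-core", "Jeddah-core"):
        stack = core_swap(hop, stack)
        trace[hop] = list(stack)
    trace["PE3"] = egress(stack, dst)
    return trace
```

A packet for an address with no route in the site's VRF, or carrying a VPN label the egress PE does not know, is dropped rather than forwarded, which is the isolation property the VRF model relies on.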
When a PE receives a packet from a particular site, the corresponding forwarding table is consulted to determine the route the packet takes. Only the routes leading to sites that belong to the same VPN populate that forwarding table, which increases security and allows overlapping address spaces between different VPNs.

The ingress PE and egress PE routers are the ingress LSR and egress LSR respectively.

Provider Routers

Provider (P) routers constitute the IP/MPLS core network. They function as MPLS transit LSRs when forwarding VPN data traffic between PE routers.

4.1 Routing Information Exchange – VRF Configuration

The first step in provisioning a VPN service is to define and configure a VRF. PE1 is configured to associate VRF1 with the CE11 interface or sub-interface (VC or VLAN). As seen before, each CE is attached to a PE (or PEs) over a data link through an interface or sub-interface over which the PE can learn routes from the CE; see fig. (7).

1. When CE11 advertises a route for prefix 10.1/16 to PE1, PE1 installs a local route to prefix 10.1/16 in VRF1.
2. PE1 selects an MPLS label, assigns it to the route (for the next hop) and advertises the route to PE2, PE3, and PE4 using IBGP.
[Fig. (7): STC IP/MPLS network (Riyadh, Madinah, Jeddah Jed-1/Jed-2, Dammam) with P routers P1 to P4, PE routers PE1 to PE5, and customer sites 11 to 14 (CE11 to CE14), 21 to 23 (CE21 to CE23) and 31 to 32 (CE31, CE32).]
This command creates the VPN-A and VPN-B VRF tables. The VRFs are not fully provisioned yet: each VRF table must still contain the routes and associated labels. When you enter the ip vrf vrf-name command, the router moves into the VRF configuration sub-mode, where all parameters (routes, import and export targets) can be introduced:

hostname Olaya PE
!
ip vrf VPN-A
>{Sub-mode to introduce parameters}
ip vrf VPN-B
>{Sub-mode to introduce parameters}

hostname jeddah-1 PE
!
ip vrf VPN-A
>{Sub-mode to introduce parameters}
ip vrf VPN-B
>{Sub-mode to introduce parameters}
Etc…

4.2 VPN-IPv4 Address Family

BGP in its standard format can handle only IPv4 routes. In order to allow overlapping addresses between VPNs it is necessary to prepend a route distinguisher to the IPv4 address to obtain a VPN-IPv4 address, carried in BGP as an extended community; see figure (8). VPN-IPv4 addresses are distributed by MP-iBGP. Two values of the type field are defined, type 0 and type 1:

Fig. (8): VPN-IPv4 address format using the route distinguisher
8-byte Route Distinguisher: Type | Administrator | Assigned Number, followed by the IPv4 address

§ Type 0:
Administrator field = 2 bytes
Assigned Number field = 4 bytes
The administrator field contains an Autonomous System Number (ASN) from IANA (Internet Assigned Numbers Authority). The assigned number field is a number assigned by the service provider.

§ Type 1:
Administrator field = 4 bytes
Assigned Number field = 2 bytes
[Figure: VRFs on the PE routers of the STC IP/MPLS network (Olaya/Riyadh, Madinah, Jeddah, Dammam; P1 to P4). Sites shown: site 11 (VPN-A, 10.1/16), site 12 (VPN-A, 10.3/16), site 21 (VPN-B, 10.1/16), site 22 (VPN-B, 10.3/16), site 32 (VPN-C, 10.2/16).]
The assigned number field is a number assigned by the service provider. The structure of this value can be either ASN:nn or IP-address:nn. It is recommended to use the ASN:nn form.

Extended IP Address Example:

In the examples we have only one SP; its ASN is supposed to be defined (by IANA) as 155. The SP assigns the value of the second portion to each VPN customer (i.e., VPN-A RD = 44, VPN-B RD = 46, and VPN-C RD = 45).

VPN-A Site 11 -> Ext. IP add. 155:44:10.1.1/16
VPN-B Site 21 -> Ext. IP add. 155:46:10.1.1/16
VPN-C Site 31 -> Ext. IP add. 155:45:10.1.1/16

In this way the VPN-IPv4 addresses become distinct, and an overlapping address space is no longer a restriction.

Route Distinguisher Configuration

Each VRF needs to be associated with a route distinguisher (RD). To configure the route distinguisher for a VRF we use the VRF configuration sub-mode and the command rd ASN:nn:

Riyadh (config)#ip vrf SBANK
Riyadh (config-vrf)#rd 155:44
Riyadh (config)#

rd 155:46
!
hostname Jeddah-1
!
ip vrf VPN-A (SBANK)
rd 155:44
!
ip vrf VPN-B (SGE)
rd 155:46
!

[Figure: the Madinah PE router receives two MP-iBGP updates from the Riyadh PE for subnet 10.1/16, one with RD 155:44 and the other with RD 155:45. The two routes, 155:44.10.1/16 and 155:45.10.1/16, are distinct.]
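An added example (not from the document) of the route distinguisher encoding from section 4.2 and the ASN:nn example above: it packs a Type 0 or Type 1 RD into its 8-byte wire form, decodes it back, and prepends it to an IPv4 prefix so that the same 10.1/16 in VPN-A, VPN-B and VPN-C yields three distinct VPN-IPv4 prefixes. The function names and the use of 10.1.0.0/16 as the written-out form of 10.1/16 are assumptions.

```python
import ipaddress
import struct

# Added example, not the document's code. Encodes the 8-byte route
# distinguisher described in section 4.2: Type 0 = 2-byte ASN + 4-byte
# assigned number, Type 1 = 4-byte IPv4 address + 2-byte assigned number,
# then prepends it to an IPv4 prefix to form a VPN-IPv4 prefix. The ASN 155
# and customer numbers 44/46/45 are the document's example values; the
# function names and the written-out prefix 10.1.0.0/16 are assumed.

def encode_rd(administrator: str, assigned: int) -> bytes:
    """Return the 8-byte RD; 'administrator' is an ASN string or a dotted IPv4."""
    if administrator.isdigit():                       # Type 0: ASN:nn
        asn = int(administrator)
        if not (asn <= 0xFFFF and 0 <= assigned <= 0xFFFFFFFF):
            raise ValueError("Type 0 RD needs a 2-byte ASN and a 4-byte number")
        return struct.pack("!HHI", 0, asn, assigned)
    ip = int(ipaddress.IPv4Address(administrator))    # Type 1: IP-address:nn
    if not 0 <= assigned <= 0xFFFF:
        raise ValueError("Type 1 RD needs a 2-byte assigned number")
    return struct.pack("!HIH", 1, ip, assigned)

def decode_rd(rd: bytes) -> str:
    """Render an 8-byte RD in ASN:nn or IP-address:nn notation."""
    if len(rd) != 8:
        raise ValueError("RD must be exactly 8 bytes")
    rd_type = struct.unpack("!H", rd[:2])[0]
    if rd_type == 0:
        asn, num = struct.unpack("!HI", rd[2:])
        return f"{asn}:{num}"
    if rd_type == 1:
        ip, num = struct.unpack("!IH", rd[2:])
        return f"{ipaddress.IPv4Address(ip)}:{num}"
    raise ValueError(f"unknown RD type {rd_type}")

def vpn_ipv4_prefix(rd: bytes, prefix: str) -> str:
    """RD:prefix as carried in MP-BGP (the RD prepended to the IPv4 prefix)."""
    return f"{decode_rd(rd)}:{ipaddress.IPv4Network(prefix)}"

# Constructed per-VPN RDs: one SP (ASN 155), one assigned number per customer.
VPN_RDS = {"VPN-A": encode_rd("155", 44),
           "VPN-B": encode_rd("155", 46),
           "VPN-C": encode_rd("155", 45)}

def distinct_vpn_prefixes(prefix: str) -> dict:
    """Same IPv4 prefix in every VPN -> three distinct VPN-IPv4 prefixes."""
    return {vpn: vpn_ipv4_prefix(rd, prefix) for vpn, rd in VPN_RDS.items()}
```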
in its PE router. A single unique route target VPN community (i.e., RT 155:44) is configured for each VRF as both import target and export target. This route target is not assigned to any other VRF outside the community.

Assume the SGE company VPN-B supports a hub-and-spoke VPN topology. It uses two globally unique route targets (RT: hub and RT: spoke). The hub site (SGE HQ) VRF is configured with export target = hub and import target = spoke. This means that the VRF at the SGE HQ site (hub) permits the spokes to import its routes, which carry the hub attribute, and itself imports all remote routes carrying the spoke attribute. The VRF at each spoke site (sites 22 and 23) is configured with export target = spoke and import target = hub. In this way only the hub site is allowed to import the spoke routes, which are dropped by the other spokes; the import of the spoke attribute is assigned to the hub only. Example of configuration:

Riyadh PE router configuration

hostname Riyadh
!
ip vrf SBANK
rd 155:45
route-target export 155:45
route-target import 155:45
!
ip vrf SGE
! hub site
rd 155:46
route-target export 155:46
route-target import 155:46
!
ip vrf Sogetel
rd 155:44
route-target export 155:44
route-target import 155:44
!

Dammam PE router configuration

hostname Dammam
!
ip vrf SBANK
rd 155:45
route-target export 155:45
route-target import 155:45
!
ip vrf SGE
! spoke site
rd 155:46
route-target export 155:46
!

4.4 Distribution of VPN Routing Information

CE to PE Link Configuration

4.5 Association of Interface to VRF

After defining all relevant VRFs on the PE router, we must tell the PE router the mapping between interfaces and VRFs, i.e. which interfaces belong to which VRF. More than one interface can belong to the same VRF.

Example: association of interfaces to VRFs

hostname Olaya
!
interface serial0
description ** interface to site 11 **
ip vrf forwarding VPN-A
ip address 10.1.1…
!
interface serial1
description ** interface to site 31 **
ip vrf forwarding VPN-B
ip address 10.1.2…
!

5. Case Study

Assume that the STC IP/MPLS backbone delivers VPN services to business customers such as the SBANK, CGE, and Sogetel virtual companies; see Figure (10). The SGE VPN uses a hub-and-spoke topology. We assume the service provider uses RSVP or LDP signaling to establish LSPs (paths) between PEs.

Table: Assigned IP Addresses

Company   Site               Subnet
SBANK     Riyadh             10.1/16
SBANK     Jeddah 1           10.3/16
SBANK     Jeddah 2           10.4/16
SBANK     Dammam             10.5/16
SGE       Riyadh (Hub)       10.1/16
SGE       Jeddah 1 (Spoke)   10.3/16
SGE       Dammam (Spoke)     10.5/16
Sogetel   Riyadh             10.1/16
Sogetel   Madinah            10.2/16
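An added example (not the document's or any vendor's code) of the route-target import and export logic from the hub-and-spoke passage, applied to the SGE and SBANK subnets in the table above: it builds each VRF's table by importing only the MP-iBGP routes whose RTs match the VRF's import targets, so spokes see the hub but not each other, and SBANK never sees an SGE route even where both use the same subnet. The SBANK RD and RT (155:45) follow the Riyadh PE configuration; the hub and spoke RT values 155:4601 and 155:4602 and the VRF names are assumptions.

```python
from dataclasses import dataclass, field

# Added example, not the document's code. Models how a PE filters the
# VPN-IPv4 routes received over MP-iBGP into VRFs by route target (RT): a
# route is imported into a VRF when any RT it carries matches one of the
# VRF's import targets. SBANK's RD/RT 155:45 and SGE's RD 155:46 come from
# the Riyadh PE configuration; the hub RT 155:4601, spoke RT 155:4602 and
# the VRF names are assumed (the text names them only "RT: hub"/"RT: spoke").

@dataclass(frozen=True)
class VpnRoute:
    origin: str            # VRF (site) that originated the route
    rd: str
    prefix: str
    export_rts: frozenset  # RTs attached when the route was exported

@dataclass
class Vrf:
    name: str
    rd: str
    import_rts: frozenset
    export_rts: frozenset
    routes: dict = field(default_factory=dict)   # "RD:prefix" -> VpnRoute

def originate(vrf: Vrf, prefix: str) -> VpnRoute:
    """Route learned from the CE: tag it with the VRF's RD and export RTs."""
    return VpnRoute(vrf.name, vrf.rd, prefix, vrf.export_rts)

def import_routes(vrf: Vrf, advertised: list) -> dict:
    """Install the remote routes whose RTs intersect this VRF's import targets."""
    vrf.routes = {f"{r.rd}:{r.prefix}": r for r in advertised
                  if r.origin != vrf.name and r.export_rts & vrf.import_rts}
    return vrf.routes

HUB, SPOKE, SBANK = "155:4601", "155:4602", "155:45"

def build_vrf_tables() -> dict:
    """SGE hub-and-spoke VPN-B beside SBANK VPN-A, with overlapping subnets."""
    vrfs = [Vrf("SGE-Riyadh-Hub",    "155:46", frozenset({SPOKE}), frozenset({HUB})),
            Vrf("SGE-Jeddah1-Spoke", "155:46", frozenset({HUB}),   frozenset({SPOKE})),
            Vrf("SGE-Dammam-Spoke",  "155:46", frozenset({HUB}),   frozenset({SPOKE})),
            Vrf("SBANK-Riyadh",      "155:45", frozenset({SBANK}), frozenset({SBANK})),
            Vrf("SBANK-Dammam",      "155:45", frozenset({SBANK}), frozenset({SBANK}))]
    subnets = ["10.1.0.0/16", "10.3.0.0/16", "10.5.0.0/16", "10.1.0.0/16", "10.5.0.0/16"]
    advertised = [originate(v, s) for v, s in zip(vrfs, subnets)]
    return {v.name: sorted(import_routes(v, advertised)) for v in vrfs}
```

The RD keeps 155:46:10.5.0.0/16 and 155:45:10.5.0.0/16 distinct in BGP; the RT decides which VRF each one lands in, which is why a mistyped import target is a leak between customers rather than a routing error.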
[Fig. (10): IP/MPLS VPN Network. VPN-A (SBANK) sites 11, 12, 13 and 14; VPN-B (SGE) sites 21 (SGE HQ, hub), 22 and 23 (spokes); VPN-C (Sogetel) sites 31 and 32. The STC network has PE routers at RY (Riyadh), MD (Madinah), Jed-1, Jed-2 and DM (Dammam), interconnected by LSPs; each site is labelled with its VPN-IPv4 prefix, e.g. site 11 (SBANK HQ) 155:44.10.1/16, site 21 (SGE HQ) 155:46.10.1/16 and site 31 (Sogetel HQ) 155:45.10.1/16.]
References
Glossary

PSTN: Public Switching Telephone Network
ATM: Asynchronous Transfer Mode
BGP: Border Gateway Protocol
DSL: Digital Subscriber Network
FEC: Forwarding Equivalence Class
LDP: Label Distribution Protocol
LSR: Label Switching Router
LSP: Label Switched Path
PSN: Packet Switching Network
PVC: Permanent Virtual Circuit
POP: Point of Presence
RD: Route Distinguisher
RSVP: Resource Reservation Protocol
SVC: Switched Virtual Network
VRF: VPN Routing and Forwarding
VLAN: Virtual Local Area Network
VC: Virtual Circuit