
Confidential Information of Huawei. No Spreading Without Permission



By analysing the two different planes, you will come to understand the ideas
behind the three solutions.


The SP's backbone consists of the PE routers, as well as other routers ("P routers")
that do not attach to CE devices. If every router in an SP's backbone had to maintain
routing information for all the VPNs supported by the SP, there would be severe
scalability problems; the number of sites that could be supported would be limited by
the amount of routing information that could be held in a single router. It is important
therefore that the routing information about a particular VPN only needs to be present
in the PE routers that attach to that VPN. In particular, the P routers do not need to
have ANY per-VPN routing information whatsoever. So just as the VPN owners do
not have a backbone or "virtual backbone" to administer, the SPs themselves do not
have a separate backbone or "virtual backbone" to administer for each VPN. Site-to-
site routing in the backbone is optimal (within the constraints of the policies used to
form the VPNs) and is not constrained in any way by an artificial "virtual topology" of
tunnels.


What if two sites of a VPN are connected to different Autonomous Systems (e.g.,
because the sites are connected to different SPs)? The PE routers attached to that
VPN will then not be able to maintain IBGP connections with each other, or with a
common route reflector. Rather, there needs to be some way to use EBGP to
distribute VPN-IPv4 addresses.
There are a number of different ways of handling this case, which we present in order
of increasing scalability.


1. VRF-to-VRF connections at the AS (Autonomous System) border routers.
2. EBGP redistribution of labeled VPN-IPv4 routes from AS to neighboring AS.
3. Multi-hop EBGP redistribution of labeled VPN-IPv4 routes between source and
destination ASes, with EBGP redistribution of labeled IPv4 routes from AS to
neighboring AS.


From now on, we’ll introduce the solutions one by one.


In this procedure, a PE router in one AS attaches directly to a PE router in another.


The two PE routers will be attached by multiple sub-interfaces, at least one for each
of the VPNs whose routes need to be passed from AS to AS. Each PE will treat the
other as if it were a CE router. That is, the PEs associate each such sub-interface
with a VRF, and use EBGP to distribute unlabeled IPv4 addresses to each other.
This is a procedure that "just works", and that does not require MPLS at the border
between ASes. However, it does not scale as well as the other procedures discussed
below.


Taking one direction to explain the control-plane procedure, consider the route to
Client1, which is connected to CE1 within Site1.
1. PE1 allocates tunnel label T1, bound to the route to PE1, and distributes it to P1.
2. P1 reallocates the tunnel label, binding T2 to the route to PE1, and distributes it to ASBR-PE1.
3. In the other AS, ASBR-PE2 allocates tunnel label T3, bound to the route to ASBR-PE2, and distributes it to P2.
4. P2 reallocates the tunnel label, binding T4 to the route to ASBR-PE2, and distributes it to PE2.
5. CE1 advertises the route to Client1 to PE1, with itself as the next hop.
6. PE1 redistributes the route to Client1 into MP-BGP, making it a VPNv4 route with itself as the next hop and VPN label V1, and advertises it to ASBR-PE1.
7. ASBR-PE1 converts the VPNv4 route into an IPv4 route and advertises the route to Client1 to ASBR-PE2, with itself as the next hop.
8. ASBR-PE2 redistributes the route to Client1 into MP-BGP, making it a VPNv4 route with itself as the next hop and VPN label V2, and advertises it to PE2.
9. PE2 converts the VPNv4 route into an IPv4 route and advertises the route to Client1 to CE2, with itself as the next hop.


Here we consider the data plane, looking in the opposite direction.
1. CE2 sends a packet destined for Client1; it is a plain IP packet without MPLS encapsulation.
2. PE2 receives the packet within the VRF. Checking the entry for the destination Client1, it finds that VPN label V2 is bound to the destination, so PE2 puts VPN label V2 at the bottom of the MPLS stack. Although the next hop of the route to Client1 is not directly connected, PE2 can look up the tunnel label assignment and finds tunnel label T4, which corresponds to the route to the next hop ASBR-PE2. PE2 therefore puts T4 on top of the MPLS stack.
3. P2 swaps the top label to T3, which corresponds to the route to ASBR-PE2.
4. ASBR-PE2 removes all labels and forwards the IP packet to ASBR-PE1, which is associated with the VRF holding the route to Client1.
5. The remaining steps follow procedures similar to those introduced above because of the symmetry of the topology, but the label values are different.


In this procedure, the PE routers use IBGP to redistribute labeled VPN-IPv4 routes
either to an Autonomous System Border Router (ASBR), or to a route reflector of
which an ASBR is a client. The ASBR then uses EBGP to redistribute those labeled
VPN-IPv4 routes to an ASBR in another AS, which in turn distributes them to the PE
routers in that AS, or perhaps to another ASBR which in turn distributes them, and so
on.
When using this procedure, VPN-IPv4 routes should only be accepted on EBGP
connections at private peering points, as part of a trusted arrangement between SPs.
VPN-IPv4 routes should neither be distributed to nor accepted from the public Internet,
or from any BGP peers that are not trusted. An ASBR should never accept a labeled
packet from an EBGP peer unless it has actually distributed the top label to that peer.
If there are many VPNs having sites attached to different Autonomous Systems, there
does not need to be a single ASBR between those two ASes that holds all the routes
for all the VPNs; there can be multiple ASBRs, each of which holds only the routes for
a particular subset of the VPNs.
This procedure requires that there be a label switched path leading from a packet's
ingress PE to its egress PE. Hence the appropriate trust relationships must exist
between and among the set of ASes along the path. Also, there must be agreement
among the set of SPs as to which border routers need to receive routes with which
Route Targets.
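The acceptance rules above (VPN-IPv4 routes only from trusted private peers, labeled packets only when the top label was distributed to that peer) can be modelled as follows. This is an added illustration, not code from the original slides or from any router implementation; the `Asbr` class, the peer name `transit-peer` and the numeric label values are assumptions made for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Asbr:
    trusted_peers: frozenset                    # EBGP peers at private peering points
    sent: dict = field(default_factory=dict)    # peer -> labels distributed to that peer

    def accept_route(self, peer, family):
        """Accept VPN-IPv4 routes only from trusted private peers."""
        return family != "vpn-ipv4" or peer in self.trusted_peers

    def advertise(self, peer, label):
        """Record a label distributed to `peer` together with a VPN-IPv4 route."""
        if peer not in self.trusted_peers:
            raise PermissionError(f"refusing to send VPN-IPv4 routes to {peer}")
        self.sent.setdefault(peer, set()).add(label)

    def withdraw(self, peer, label):
        """Forget a label once the route that carried it is withdrawn."""
        self.sent.get(peer, set()).discard(label)

    def accept_packet(self, peer, stack):
        """Accept a labeled packet only if its top label (stack[0]) was sent to `peer`."""
        return bool(stack) and stack[0] in self.sent.get(peer, set())

def demo():
    # Constructed sample: peer names and label values are illustrative only.
    asbr = Asbr(trusted_peers=frozenset({"ASBR-PE2"}))
    asbr.advertise("ASBR-PE2", 2002)
    results = {
        "known label from trusted peer": asbr.accept_packet("ASBR-PE2", [2002]),
        "label never sent to this peer": asbr.accept_packet("ASBR-PE2", [3003]),
        "label replayed by another peer": asbr.accept_packet("transit-peer", [2002]),
        "VPN-IPv4 route from untrusted peer": asbr.accept_route("transit-peer", "vpn-ipv4"),
    }
    asbr.withdraw("ASBR-PE2", 2002)
    results["label used after withdrawal"] = asbr.accept_packet("ASBR-PE2", [2002])
    return results

if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:36} -> {'accept' if accepted else 'drop'}")
```

Keeping the table per peer rather than per router is what stops a label learned on one peering from being replayed over another.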


Taking one direction to explain the control-plane procedure, consider the route to
Client1, which is connected to CE1 within Site1.
1. PE1 allocates tunnel label T1, bound to the route to PE1, and distributes it to P1.
2. P1 reallocates the tunnel label, binding T2 to the route to PE1, and distributes it to ASBR-PE1.
3. In the other AS, ASBR-PE2 allocates tunnel label T3, bound to the route to ASBR-PE2, and distributes it to P2.
4. P2 reallocates the tunnel label, binding T4 to the route to ASBR-PE2, and distributes it to PE2.
5. CE1 advertises the route to Client1 to PE1, with itself as the next hop.
6. PE1 redistributes the route to Client1 into MP-BGP, making it a VPNv4 route with itself as the next hop and VPN label V1, and advertises it to ASBR-PE1.
7. ASBR-PE1, which is connected to ASBR-PE2 via an MP-eBGP session, advertises the VPNv4 route to Client1 to ASBR-PE2, with the next hop changed to itself and with the reallocated VPN label V2.
8. ASBR-PE2 advertises the VPNv4 route to Client1 to PE2, with the next hop changed to itself and with the reallocated VPN label V3.
9. PE2 converts the VPNv4 route into an IPv4 route and advertises the route to Client1 to CE2, with itself as the next hop.


Here we consider the data plane, looking in the opposite direction.
1. CE2 sends a packet destined for Client1; it is a plain IP packet without MPLS encapsulation.
2. PE2 receives the packet within the VRF. Checking the entry for the destination Client1, it finds that VPN label V3 is bound to the destination, so PE2 puts VPN label V3 at the bottom of the MPLS stack. Although the next hop of the route to Client1 is not directly connected, PE2 can look up the tunnel label assignment and finds tunnel label T4, which corresponds to the route to the next hop ASBR-PE2. PE2 therefore puts T4 on top of the MPLS stack.
3. P2 swaps the top label to T3, which corresponds to the route to ASBR-PE2.
4. ASBR-PE2 removes the top label, swaps the VPN label to V2 and forwards the packet to ASBR-PE1, the MP-eBGP peer that advertised the route to Client1 to it.
5. ASBR-PE1 swaps the VPN label to V1 and puts tunnel label T2 on top.
6. P1 swaps the top label to T1 and forwards the packet to PE1.
7. PE1 removes all the labels and forwards the IP packet, destined for Client1, to CE1.


In this procedure, VPN-IPv4 routes are neither maintained nor distributed by the
ASBRs. An ASBR must maintain labeled IPv4 /32 routes to the PE routers within its
AS. It uses EBGP to distribute these routes to other ASes. ASBRs in any transit
ASes will also have to use EBGP to pass along the labeled /32 routes. This results in
the creation of a label switched path from the ingress PE router to the egress PE
router. Now PE routers in different ASes can establish multi-hop EBGP connections
to each other, and can exchange VPN-IPv4 routes over those connections.
If the /32 routes for the PE routers are made known to the P routers of each AS,
everything works normally. If the /32 routes for the PE routers are NOT made known
to the P routers (other than the ASBRs), then this procedure requires a packet's
ingress PE to put a three-label stack on it. The bottom label is assigned by the
egress PE, corresponding to the packet's destination address in a particular VRF.
The middle label is assigned by the ASBR, corresponding to the /32 route to the
egress PE. The top label is assigned by the ingress PE's IGP Next Hop,
corresponding to the /32 route to the ASBR.
To improve scalability, one can have the multi-hop EBGP connections exist only
between a route reflector in one AS and a route reflector in another. (However, when
the route reflectors distribute routes over this connection, they do not modify the BGP
next hop attribute of the routes.) The actual PE routers would then only have
IBGP connections to the route reflectors in their own AS.

Note: For convenience, the LSPs are illustrated as symmetric, but that isn't true
when you go on to check the procedures of the control plane and data plane.


Taking one direction to explain the control-plane procedure, consider the route to
Client1, which is connected to CE1 within Site1; P1 and P2 do not know the
routes to PEs in other ASes.
1. PE1 allocates tunnel label T1, bound to the route to PE1, and distributes it to P1.
2. P1 reallocates the tunnel label, binding T2 to the route to PE1, and distributes it to ASBR1.
3. In the other AS, ASBR2 allocates tunnel label T3, bound to the route to ASBR2, and distributes it to P2.
4. P2 reallocates the tunnel label, binding T4 to the route to ASBR2, and distributes it to PE2.
5. ASBR1 distributes the labeled route to PE1 to ASBR2, with itself as the next hop and BGP label B1.
6. ASBR2 advertises the labeled route to PE1 to PE2, with the next hop changed to itself and the reallocated BGP label B2.

Note: Following procedures similar to those introduced above, we assume here that FEC:
PE2 and FEC:ASBR1 have been allocated tunnel labels in their ASes and that the labeled
route to PE2 has been distributed to PE1.

7. PE1 and PE2 establish MP-eBGP peering.
8. CE1 advertises the route to Client1 to PE1, with itself as the next hop.
9. PE1 redistributes the route to Client1 into MP-BGP, making it a VPNv4 route with itself as the next hop and VPN label V1, and advertises it to PE2.
10. PE2 converts the VPNv4 route into an IPv4 route and advertises the route to Client1 to CE2, with itself as the next hop.


Here we consider the data plane, looking in the opposite direction.
1. CE2 sends a packet destined for Client1; it is a plain IP packet without MPLS encapsulation.
2. PE2 receives the packet within the VRF. Checking the entry for the destination Client1, it finds that VPN label V1 is bound to the destination, so PE2 puts VPN label V1 at the bottom of the MPLS stack. The next hop of the route to Client1, which is PE1, is not directly connected. The route to PE1 has been allocated BGP label B2 by ASBR2, so PE2 puts B2 in the middle of the MPLS stack. Then PE2 puts tunnel label T4, which corresponds to the route to ASBR2, on top of the MPLS stack.
3. P2 swaps the top label to T3, which corresponds to the route to ASBR2.
4. ASBR2 removes the top label, swaps the BGP label to B1 and forwards the packet to ASBR1, the eBGP peer that advertised the labeled route to PE1 to it.
5. When ASBR1 receives the packet, it finds that the packet needs to be forwarded to PE1. Routers within the same AS maintain the tunnel label bound to FEC:PE1; hence ASBR1 removes BGP label B1, puts tunnel label T2 on top and forwards the packet to P1.
6. P1 swaps the top label to T1 and forwards the packet to PE1.
7. PE1 removes all the labels and forwards the IP packet, destined for Client1, to CE1.
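The two labeled data-plane walkthroughs (single-hop MP-eBGP between ASBR-PEs, and multi-hop MP-eBGP between PEs) can be replayed hop by hop to see the label stack each router hands on. This is an added example, not part of the original slides; the table layout and the function names `trace` and `touches_vpn_label` are assumptions, and the labels are the symbolic names used in the steps.

```python
# Per-hop label operations transcribed from the step lists; index 0 is the top of the stack.
# Labels are the symbolic names from the text (T* tunnel, B* BGP, V* VPN), not real values.
SINGLE_HOP = [
    ("PE2",      [("push", "V3"), ("push", "T4")]),
    ("P2",       [("swap", "T4", "T3")]),
    ("ASBR-PE2", [("pop", "T3"), ("swap", "V3", "V2")]),
    ("ASBR-PE1", [("swap", "V2", "V1"), ("push", "T2")]),
    ("P1",       [("swap", "T2", "T1")]),
    ("PE1",      [("pop", "T1"), ("pop", "V1")]),
]
MULTI_HOP = [
    ("PE2",   [("push", "V1"), ("push", "B2"), ("push", "T4")]),
    ("P2",    [("swap", "T4", "T3")]),
    ("ASBR2", [("pop", "T3"), ("swap", "B2", "B1")]),
    ("ASBR1", [("pop", "B1"), ("push", "T2")]),
    ("P1",    [("swap", "T2", "T1")]),
    ("PE1",   [("pop", "T1"), ("pop", "V1")]),
]

def trace(path):
    """Apply each node's operations in order; return [(node, stack_after), ...]."""
    stack, hops = [], []
    for node, ops in path:
        for op, *labels in ops:
            if op == "push":
                stack.insert(0, labels[0])
                continue
            # pop and swap need the expected label on top; a router has no
            # forwarding entry for any other label, so the packet is dropped.
            if not stack or stack[0] != labels[0]:
                raise ValueError(f"{node}: no forwarding entry for top label {stack[:1]}")
            stack.pop(0)
            if op == "swap":
                stack.insert(0, labels[1])
        hops.append((node, list(stack)))
    return hops

def touches_vpn_label(path, node):
    """True if `node` pushes, pops or swaps a VPN label (V*)."""
    return any(l.startswith("V") for _, *labels in dict(path)[node] for l in labels)

if __name__ == "__main__":
    for name, path in (("single-hop MP-eBGP", SINGLE_HOP), ("multi-hop MP-eBGP", MULTI_HOP)):
        print(name)
        for node, stack in trace(path):
            print(f"  leaving {node:9} {stack or 'plain IP'}")
```

In the single-hop case both ASBR-PEs rewrite the VPN label, so they must hold VPN state; in the multi-hop case the ASBRs only handle the BGP label for the PE /32 route.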


Advantages:
VRF-to-VRF does not require MPLS at the border between ASes.
Single-hop MP-eBGP scales well, without needing additional interface resources for connections between ASBRs.
Multi-hop MP-eBGP scales the best, because the VPN routes are not maintained in the ASBRs; that falls back to the PEs themselves.

Disadvantages:
VRF-to-VRF needs additional interface resources between ASBRs to maintain the routes of the different VPN sites.
With single-hop MP-eBGP, the ASBRs may still have to maintain a large number of VPN routes, which requires ample capacity.
Multi-hop MP-eBGP requires BGP speakers that are capable of advertising labeled IPv4 routes.
