Mpls VPN: Click To Edit Master Subtitle Style

Day 6
MPLS VPN
Click to edit Master subtitle style
Johnson Liu
[email protected] 2011 Dec. 15, 2011 All rights reserved. Juniper Networks, Inc.
| www.juniper.net www.juniper.net
|1
MPLS VPN
2011 Juniper Networks, Inc. All rights reserved. | www.juniper.net
www.juniper.net
|2
What is VPN?
Corporate Headquarters
Intran et
Internet Remote Access
Branch Office
Mobile Users and Telecommuters
Extran et
l
Suppliers, Partners and Customers
Virtual private network:

A private network constructed over a shared infrastructure Virtual: Not a separate physical network Private: Separate addressing and routing Network: A collection of devices that communicate Constraints are keyrestricted connectivity is the goal
www.juniper.net
2011 Juniper Networks, Inc. All rights reserved.
|3
VPN components Customer Edge Routers

Customer Edge
VPN A CE PE CE CE PE P P
PE
CE
VPN A
VPN B
VPN B
Customer Edge (CE) routers

n n n
Located at customer premises Provide access to the service provider network Can use any access technology or routing protocol for the CE/PE connection
www.juniper.net
|4
VPN components Provider Edge Routers

Provider Edge
VPN A CE PE CE CE PE P PE CE VPN A
VPN B
VPN B
Provider Edge (PE) routers

n n
Maintain site-specific forwarding tables Exchange VPN routing information with other PE routers using MP-IBGP Use MPLS LSPs to forward VPN traffic
www.juniper.net
|5
VPN components Provider Routers

Provider Routers
PE CE VPN A
VPN A
CE PE
VPN B CE PE
CE
VPN B
Provider (P) routers

n n
Forward VPN data transparently over established LSPs Do not maintain VPN-specific routing information
www.juniper.net
|6
MPLS Layer 3 VPN
www.juniper.net
|7
VPN components VPN Sites

VPN Site
PE CE VPN A
VPN A
CE PE
VPN B CE PE
CE
VPN B
Each VPN site is mapped to a PE interface or sub-interface Routing information is stored in different tables for each site
www.juniper.net
|8
VPN Routing and Forwarding Tables (VRFs)

VPN A Site 1 A VRF table is created for each site connected to the PE CEA1 P P VPN A Site2 CEA2 OSPF PE 2 Routing CEB2 VPN A Site 3 VPN B Site2
VPN B Site 1
Static Routes PE 1 CEB1 RIP
PE 3
CEA3 E-BGP
VPN C Site 1
CEC1 VPN B Site3
CEB3 CEC2 VPN C Site 2
www.juniper.net
|9
VPN Routing and Forwarding (VRFs)

l
Each VRF is populated with:

n n
Only the VRF associated with a site is consulted for packets from that site
n
Routes received from directly connected CE sites associated with the VRF Routes received from other PE routers with acceptable BGP attributes Provides isolation between VPNs
www.juniper.net
| 10
Overlapping Address Spaces

10.2/16 CEA2 PE 2 CEB2 PE 3 P CEB1 CEB3 10.1/16 10.3/16 VPN B Site3 P CEA3 10.3/16 VPN A Site2 VPN B Site2
10.1/16 CEA1 P P
PE 1
10.2/16 VPN A Site 3
www.juniper.net
| 11
VPN-IPv4 Address Family

(8 bytes) Route Distinguisher (RD) Assigne Typ Administrat d e or number (2 (variable (variable bytes) length) length) 2 or 4 4 or 2 bytes bytes
l
Subscriber IPv4 prefix (4 bytes)
VPN-IPv4 address family

n n n n n
VPN-IPV4 addresses are distributed by MP-iBGP

n
New BGP-4 address family identifier Route Distinguisher (RD) + Subscriber IPv4 prefix Route distinguisher disambiguates IPv4 addresses Supports the private IP address space Allows SP to administer its own numbering space
VPN-IPV4 addresses are used only in the control plane

l
Uses Multiprotocol Extensions for BGP4 (RFC 2283)
www.juniper.net
| 12

8 Bytes Route Distinguisher (RD) Assigne Typ Administrat d e or number (2 (variab (variab bytes) le le length) length) Subscriber IPv4 prefix (4 bytes)
Assigned Number Field: number assigned by the identified authority for a particular purpose Administrator Field: identifies an assigned number authority 2 Byte Type Field: determines the lengths of the other two fields
l
n
Two values are defined for Type Field: 0 and 1

Type 0: Adm Field = 2 bytes, AN Field = 4 bytes

Type 1: Adm Field = 4 bytes, AN field = 2 bytes

Adm field must contain an Autonomous System Number (ASN) from IANA AN field is a number assigned by SP Adm field must contain an IP address assigned by IANA AN field is a number assigned by SP
Examples: 10458:22:10.1.0.0/16 or 1.1.1.1:33:10.1.0.0/16
www.juniper.net
| 13

l
Route distinguisher(RD) disambiguates( ) IPv4 addresses VPN-IPv4 routes

n n n
Ingress PE creates RD and IPv4 prefix of routes received from each CE VPN-IPv4 routes are exchanged between PE using MP-iBGP Egress PE converts VPN-IPv4 routes into IPv4 routes before inserting into sites routing table
VPN-IPv4 is used only in the control plane Data plane uses traditional IPv4 addressing
www.juniper.net
| 14
Using Route Distinguishers(RD)

10458:22:10.1/16
CEA2 VPN A Site2 10.2/16 VPN B Site2 10.2/16 PE 2 CEB2 PE 3 P CEB1 10.1/16 CEB3 P CEA3 VPN A Site 3 10.3/16
10.1/16 VPN A Site 1 CEA1
MP - iBGP
P P
PE 1 VPN B Site 1
10458:23:10.1/16
VPN B Site3 10.3/16
www.juniper.net
| 15
Operational Model Overview

VPN A Site 1 CEA2 CEA1 P PE 1 VPN B Site 1 P CEB1 P CEA3 P PE 2 PE 3 CEB2 VPN A Site 3 VPN A Site2 VPN B Site2
Control Flow
n n n
Data flow
n
Routing information exchange between CE and PE Routing information exchange between PEs LSP establishment between PEs (RSVP or LDP signaling) Forwarding user traffic
www.juniper.net
| 16
Route Distribution
l
Route distribution is controlled by BGP Extended Community attributes

n
Route Target(RT): identifies a set of sites to which a PE router distributes routes. EX: Just like a tag of a group of routes, using RT for route manipulation(import/export) between sites or VRFs.
VPN of Origin: identifies a set of sites and establishes the associated route as coming from one of the sites in that set. EX: Prevent backdoor between two CEs route propagation loop occurs
n
Site of Origin(SOO): identifies the specific site from which a PE router learns a route. EX: Prevent single or multiple CEs in the same site has dual-homing to PE route propagation loop occurs
n
www.juniper.net
| 17
Route Targets
l
Each VPN-IPv4 route advertised through MPIBGP is associated with a route target attribute
n
Export policies define what targets are associated with routes
Upon receipt of a VPN-IPv4 route, a PE router will decide whether to add that route to a VRF
n
Import policies define what routes will be added to a VRF
Route isolation between VRFs is accomplished through careful policy administration

n
Administrator determines the appropriate export and import target relationships
www.juniper.net
| 18
Exchange of Routing Information
Site 2
CPE1 CPE3
VRF
PE1
MP-iBGP session
VRF VRF
PE2
CPE2 CPE4
OSP F
Site 1
Site 1
VRF
Site 2
10.1.0.0/ 16
CE device advertises route to PE Router

n
Using traditional routing techniques (OSPF, BGP, etc)
www.juniper.net
| 19
Site 2
CPE1 CPE3
VRF
PE1
MP-iBGP session
VRF VRF
PE2
CPE2 CPE4
Site 1
Site 1
VRF
Site 2
OSPF
10458:23:10.1.0 .0/16
l
10.1.0.0/16
IPv4 address is added to the appropriate forwarding table PE router converts IPv4 address to VPN-IPv4 address VPN-IPv4 address is installed into the MP-BGP routing table
www.juniper.net
| 20
Site 2
CPE1 CPE3
VRF
PE1
MP-iBGP session
VRF VRF
PE2
CPE2 CPE4
Site 1
Site 1
VRF
Site 2
OSPF
10458:23:10.1.0 .0/16 RED VPN export

l
10.1.0.0/16
VPN-IPv4 address is associated with an export target

n
VPN RED
www.juniper.net
| 21

VPN BLUE import Site 2
CPE1
VRF
PE1
MP-iBGP session
VRF VRF
PE2
CPE2 CPE4
Site 1
Site 1
CPE3
VRF
MP-iBGP
Site 2
OSPF
VPN RED import
10458:23:10.1.0 .0/16 RED VPN export
10.1.0.0/16
l l
Each PE is configured with import targets Import target is used to selectively incorporate VPN-IPv4 routes into VRFs
n n
If import target matches target attribute in MP-IBGP message, route is incorporated into VRF Based on configured import policies, 10458:23:10.1.0.0/16 is incorporated in the RED VRF but not the BLUE VRF
www.juniper.net
| 22
Site 2
CPE1 CPE3
VRF
PE1
MP-iBGP session
VRF VRF
PE2
CPE2 CPE4
Site 1
Site 1
VRF
Site 2
RIP/OSPF/EBGP
10.1.0.0/16 Nexthop PE1

l
Each IPv4 route received in a VRF could be advertised to the sites associated with the VRF
n
Via RIP, OSPF, IS-IS or EBGP
www.juniper.net
| 23
MPLS L3 VPN Data Flow(1 of 7)

CPE-1 PE-1
VRF
Site 2
PE-2
VRF
CPE-2
Site 1 Site 2 10.1/16
CPE-3
CPE-4
VRF VRF
Site 1
LS P
The LSP must be in place before forwarding data across the MPLS backbone LSPs are signaled through LDP or RSVP
www.juniper.net
| 24

CPE1 CPE3 PE1 PE2 CPE2 CPE4
Site 2
Site 1 Site 2 10.1/16
VRF
VRF VRF
Site 1
VRF
IP 10.1.2.3
The CE performs a traditional IPv4 lookup and sends packets to the PE
www.juniper.net
| 25

CPE1 CPE3
PE-1 Lookup route in Red FT 2) Push BGP label (Z) 3) Push IGP label (Y)
Site 2
VRF
PE1
PE2
CPE2 CPE4
Site 1 Site 2 10.1/16
VRF VRF
Site 1
VRF
IP 10.1.2.3
The PE consults the appropriate VRF for the inbound interface Two labels are derived from the VRF route lookup and pushed onto the packet
www.juniper.net
| 26

CPE-1
PE-1 1) Lookup route in Red FT 2) Push BGP label (Z) 3) Push IGP label (Y)
Site 2
PE-1
VRF
PE-2
VRF
CPE-2
Site 1 Site 2 10.1/16
CPE-3
CPE-4
VRF
IGP label (Y) BGP label (Z) IP 10.1.2.3
Site 1
VRF
Packets are moved through the LSP using the two-level label stack
n
Outer IGP label

Inner BGP label

Identifies the LSP to egress PE router Derived from cores IGP and distributed by RSVP or LDP Identifies outgoing interface from egress PE to CE Derived from MP-IBGP update from egress PE
www.juniper.net
| 27

CPE-1 PE-1
VRF
Site 2
PE-2
VRF
CPE-2
Site 1 Site 2 10.1/16
CPE-3
CPE-4
VRF
IGP label (X) BGP label (Z) IP 10.1.2.3
Site 1
VRF
After packets exit the ingress PE, the outer label is used to traverse the LSP
n
P routers are not VPN-aware
www.juniper.net
| 28

CPE-1
Penultimate Hop Poping(PHP) top label
Site 2
PE-1
VRF
PE-2
VRF
CPE-2
Site 1 Site 2 10.1/16
CPE-3
CPE-4
VRF
BGP label (Z) IP 10.1.2.3
Site 1
VRF
The outer label is removed through penultimate hop popping (before reaching the egress PE)
www.juniper.net
| 29

CPE-1 PE-1
VRF
Site 2
PE-2
VRF
CPE-2
Site 1 Site 2 10.1/16
CPE-3
CPE-4
VRF VRF
Site 1
IP 10.1.2.3
The inner label is removed at the egress PE The native IPv4 packet is sent to the outbound interface associated with the label
www.juniper.net
| 30
MPLS Layer 2 VPN Point-to-Point

IETF Virtual Leased Line(VLL)/Virtual Private Wire Services(VPWS) MEF E-Line(Ethernet Line) EoMPLS(Ethernet over MPLS) Juniper Layer 2 Circuits(L2circuit)/Layer 2 VPN(L2vpn) Cisco AToM(Any Transport over MPLS) Click to edit Master subtitle style
www.juniper.net
| 31
JUNOS LDP Layer 2 Circuits: Overview
Defined in RFC 4447
Remote connections only No site IDs or route distinguishers; BGP not required PE-to-PE LDP sessions can be adjacent or extended LDP sessions can be tunneled over RSVP LSPs No VRF table/routing instance configuration
Uses LDP for signaling

Defines inner label as a virtual circuit label
www.juniper.net
| 32
JUNOS LDP Layer 2 circuit: Virtual Circuit Label Distribution

The PE router uses LDP to distribute a VC label for each Layer 2 circuit defined PE-1 advertises labels to PE-2 PE-2 uses these labels as the inner labels when forwarding traffic to PE-1
A VC label (FEC) is sent for every Layer 2 circuit CEA PE1 CEC
Site 1 VPNA Site 2 VPNB
CEB
P1
P2
LDP Session (Extended PE-1s Advertised Label ) PE-2s Inner Label
Site 3 VPNPEB 2 CED Site 4 VPNA
www.juniper.net
| 33
Provisioning the Core

CEA PE1
LDP Extended Session
CEB
P1
P2
LDP or RSVP LSPs (Bidirectional)
Site 3 VPNPEB 2 CED Site 4 VPNA
CEC
Provisioning the core:
LDP and optionally RSVP

LDP-signaled or RSVP-signaled LSPs must be established between PE routers LDP must be enabled on the PE router loopback interfaces for extended sessions
Single IGP routing domainBGP and RSVP not required MPLS must be enabled on PE and P router core interfaces
www.juniper.net
| 34
Provisioning the CE Device

CE-D's In Out Routing 10.0.0.0/8 TableVLAN 63
20.0.0.0/8 30.0.0.0/8
VLAN s 6 3 7 5 8 2
VLAN 75 VLAN 82
CED
Cor e
Local site provisioning:

Configure Layer 2 circuit IDsone for each remote CE device Configure Layer 2 parameters, like keepalives and MTUs Configure CE devices Layer 3 properties and routing protocols
www.juniper.net
| 35
Provisioning the PE Router
A LDP Layer 2 circuit is configured for each Layer 2 connection
Similar to CCC, but with label stacking

Remote neighbor Interface being connected Virtual circuit ID must be the same at both ends of the connection
Encapsulation is not configured under the l2circuit Interface must support CCC or TCC encapsulation

Interface configuration
Encapsulation method determines Layer 2 circuit encapsulation Configured Layer 2 parameters must be compatible with local CE device
www.juniper.net
| 36
Example LDP Layer 2 Circuit: Topology
Network characteristics:

IGP is single-area OSPF LDP is configured on P and PE routers
CE devices running OSPF Area 0 Full-mesh Layer 2 VPN between CE-A and CE-B
PE routers must run LDP on loopback interface
Ethernet encapsulation
Provider Site 1 Site 2 Core OSPF Area OSPF Area OSPF Area R 0 R R 0 0 . . . 3 . 1 . 2 . Site Site 1 10.0.10.0/2 1 172.22.210.0/2 2 2 1 172.22.212.0/2 10.0.10.0/2 2 2 1 4 4 P 4 CEP CEP 4 E lo0 lo0 A lo0 E lo0 B 192.168.1.1 192.168.11.1 192.168.1.3 192.168.11.2
2011 Juniper Networks, Inc. All rights reserved. www.juniper.net
| 37
Layer 2 VPN MultiPoint-to-MultiPoint Virtual Private LAN Service (VPLS)
MEF E-LAN(Ethernet Local Area Network)
www.juniper.net
| 38
Layer 2 Provider-Provisioned VPNs (Point-to-Point)

CE P P PE CE
Juniper Layer 2 VPNs and Layer 2 circuits offer point-to-point Ethernet, Frame Relay, ATM, PPP, or Cisco-HDLC service Administrator of PE router maps local circuit IDs to remote sites
www.juniper.net
VPN A Site 1 VPN A Site 3
VLA Ns VL CE AN
PE
VL AN CE
PE VL
VPN A Site 2 VPN A Site 4
AN
| 39
Virtual Private LAN Service (VPLS)

CE P P PE CE
VPN A Site 1 VPN A ToSite the 3
PE CE PE
CE
customer in a VPLS providers network appears to function as a single LAN segment
A Site 4 environment, the
VPN A Site 2 VPN
Administrator does not need to map local circuit IDs to remote sites

Acts similarly to a learning bridge
PE device learns MAC address from received Layer 2 frames MAC addresses are dynamically mapped to outbound | 40
www.juniper.net
References
Standards for VPLS:
RFC 4761
K. Kompella and Y. Rekhter, Virtual Private LAN Service (VPLS) Using BGP for Auto-Discovery and Signaling Lasserre, V. Kompella, et. al., Virtual Private LAN Service (VPLS) Using Label Distribution Protocol (LDP) Signaling RFC 4761 uses M-BGP for signaling RFC 4762 uses LDP for signaling Juniper supports both
RFC 4762
Primary Difference:

www.juniper.net
| 41
Benefits of BGP Signaling
Benefits:
Auto-discovery
Provision VPNs as a whole versus building them circuit by circuit Meant to handle lots of routes Route reflectors/confederations for hierarchy Designed to work across autonomous systems
Scalable protocol

Mechanisms to provide all VPNs types via Multiprotocol BGP (MP-BGP, RFC 2858)
www.juniper.net
| 42
Different Device Roles in a VPLS

VPNA CEA PEVLA 1 N
A VL N
PE2 P P PE3 P P
CEC VLA N CED VLA N
VPNB
CEB
VPNA
Different device roles
VPNB
CE device:

PE routers:
Ethernet used at both ends of a VPN Maintain and exchange VPN-related information with other PE routers Performs MAC learning function Use MPLS LSPs to carry VPN traffic between PE routers Forward VPN traffic transparently over established LSPs Do not maintain VPN-specific forwarding information
www.juniper.net
P routers:

| 43
Provisioning the Local CE Device

CE-D's Routing In Out Table 10.0.0.0/8 VLAN 512
20.0.0.0/8 30.0.0.0/8 VLAN 513 VLAN 514 VLAN s 51 2 51 3 51 4
CED
Local site provisioning:

Cor e
Provider-facing interface must be Ethernet interface or Ethernet using VLANs List of VLANs: One for each VPLS VLANs independently numbered for each VPLS
No changes needed as VPN membership changes
VLAN IDs must be the same at both ends Unless new VLAN is wanted
Configuration of Layer 3 properties and routing protocols

www.juniper.net
| 44
BGP VPLS Route and Forwarding Tables

A VRF and a MAC table are created for each CE connected to the PE VPN A Site 1 VPN B Site 1 VPN A Site 2 VPN B Site 2 VPN A Site 3
CE A1 PE1 CE B1
CE A2 PE 2 CE B2 CE A3
PE 3
Each VPLS uses two tables
Routing Table (VRF)
Local label blocks and those blocks learned from remote PEs Used to forward layer 2 data and store learned MAC address for the VPLS
www.juniper.net
MAC table
| 45
Provisioning the Core

CEA PE1 CEC
CEB
P1 MP-BGP Session
P2
Site 2 VPNPE2 CE- B D Site 4 VPNA
Provisioning the core:
LSPs between PE routers must be preestablished

Can use either RSVP or LDP Can use LSPs for many services (for example, Internet, Layer 2 VPN, Layer 3 VPN)
Between PE routers, full-mesh MP-IBGP or use of RRs must be configured to support the sessions with l2-vpn family
www.juniper.net
| 46
BGP VPLS Label Distribution

VPLS label information is distributed for each VPN site to each participating PE routers VPN B Site 1 VPN A Site 1
CE1 CE3
PEVR 1 F VR F
MP-IBGP Session
PE2 VR F VR F
CE2 CE4
VPN B Site 2 VPN A Site 2
The PE routers distribute VPLS to label mapping information using MP-IBGP

BGP-based VPLS uses same NLRI as Layer 2 VPNs Instead of sending individual advertisements for each remote site, labels are advertised in blocks
Remote PE uses simple mathematics to determine outgoing label

www.juniper.net
| 47
Provisioning Customer Site on PE Router
PE Provisioning

VPLS routing instance Route Target BGP community Site ID: Unique value in the context of a VPLS Site range: Specifies total number of sites in the VPLS. The site range must be greater than the site identifier. Remote sites: Learned dynamically (described later)
The PE router forwards frames to the remote sites using the labels learned via MP-IBGP
Layer 2 encapsulation on VPN interfaces must be VPLS

www.juniper.net
| 48
Automatic Label Calculation

Note: Sites CE-A2 and CE-A3 are not shown. MPLS PE LSP -1 VPN CE- VR A1 F A VLA
Site 1
PE-1s NLRI for R- Site 1 RT Targe 1 Site t ID Range 8 Label 200 base 0 Label 1 Offset
2 0 0
PE -2
VR F
N 600
PE-1 configured for a VPLS called VPN A between Site 1 and 4 PE-2 computes transmit and receive VRF labels

Adverti sed using L2 VPN andAFI and PE-2 SAFI
MACs learned from remote site 1
N 600 PE-2s VPLS MAC FT for VPN A
CEA4 VLA
VPN A Site 4
PE-2s NLRI for R-Site 4 RT Targe Site 1 4 t ID Range 8 Label 100 base 0 Label 1 Offset
2 3
Oute r Tx 2 Labe l 0 0
Inne r Tx 20 Labe l 03
Rx La bel 10 00 10 10 01 02
Tx Label = Remote Base + Local Site ID Remote Offset Rx Label = Local Base + Remote Site ID Local
www.juniper.net
| 49
Updating VRFs (1 of 3)
Full Mesh IBGP Session s PE -2
VR F
VPN A Site 1
CEA1
VR F VLAN 600
CEVPN A A2 VLA Site 2

N
PE -1
CE-A3 l2vpn NLRI update RRT Site 3 Targe 1 Ran 4 ID t 100 Label ge Offs 1 0 Base et
PE -3
VR 600CEF VLA A3 VPN N Site 600
A 3
PE-1 receives BGP update from PE-3 for site 3
NLRI contains label block information that PE-3 has dedicated to the VPLS
www.juniper.net
| 50
CEA1 VR F VLA N 600 200
MPLS LSPs
PE -2
VR F
CEVPN A A2 VLA Site 2

N
VPN A Site 1
learned from remote site 2
Site 1s MAC MACs Forwarding Table
PE -1
300
Oute Inne r r Tx Tx 2 20 Labe Labe l l Label used to reach 100 3 3 0 00 Site 3 0 0 PE-1 updates its VRF with 0
PE -3 Assumes similar label 600 block advertisement has been received from PE-2
VR 600 CE-A3 F VLA VPN N
A Site 3
PE-1 computes outgoing label for traffic sent to Site 3
www.juniper.net
Import route target (RT1) for PE-1s VRF matches route target carried by the BGP route NLRI copies into bgp.l2vpn.0 and vpn-name.l2vpn.0 (local-site-id + remote-label-base remote-label-offset = 1000)
| 51
PE-3 NLRI
MPLS LSPs PE -2
VR F
VPN A Site 1
CEA1
VR F VLA N
learned from remote site 2
600 Site 1s MAC MACs Forwarding Table
2 0 3 PE0 0 -1 0
CEVPN A A2 Site 2 VLA

N
PE -3
VR 600 CEF VLA A3 VPN N 600
A Site 3
Oute r Tx 2 Labe l 0 3 0 0
Inne r 200 Tx Labe 0l

100 0
PE-1 obtains label by resolving PE3s host address through an RSVP or LDP LSP
www.juniper.net
Calculated during BGP recursive route lookup the outer
| 52
LDP VPLS Label Distribution

VPN B Site 1 VPN A Site 1
CE1 CE3
PE1
Extended LDP Session
A VC label (FEC) is sent for every VPLS CEVPN PE2 B 2 CE4
Site 2
PE-1s Advertised Label PE-2s Inner Label
VPN A Site 2
The PE routers distribute VPLS to label mapping information using LDP
For each VPLS you must configure a full mesh of LDP session between participating PE routers. PE-1 advertises labels to PE-2; PE-2 uses these labels as the inner labels when forwarding traffic to PE-1
www.juniper.net
| 53
Data Flow and MAC Learning (1 of 10)

MPLS LSPs PE -2 CEVPN A A2 VLA Site 2
N 600
VPN A Site 1
Ethernet Frame VLAN
CEA1
VLA N 600
2 0 3 PE0 0 -1 0
AR 600 SA DA P DA = ff:ff:ff:ff:f Re f:ff q = CESA
PE -3
VLA N 600
CEA3 VPN A Site 3
1.1. 1.1
CE-A1 A1s MACattempts
to ping CE-A3s interface
CE-A1 does not know the MAC address of 1.1.1.1, so CE-A1 must send ARP request
www.juniper.net
| 54

MPLS CE VPN Site P label Fra me label E VLA A (200) N P CE2 (2000) A1 - 600A Site E- 0 VPN VLA CE 3 2 VLA 2 N 2 1 MPLS A 0 - VPN N 0 P 600 600 Site Site Fra label A A 0 E me label 1 learns CE-A1s MAC from the frame and (300) 3 Site PE-1 (1000) 3 maps 3 Entry added to MAC table called vpn-name.vpls
that MAC address to VPLS interface for return traffic
Ingress PE router replicates and floods the frame to all sites (broadcast DA)
Forwarding lookup is performed in MAC table vpnname.vpls
www.juniper.net
| 55
PE router forwarding is based on the interface a packet is received on and its destination MAC address
MAC address learning:

Associates source MAC address with receiving port or remote PE router Qualified learning: Based on MAC address and VLAN tag Unqualified learning: Based on MAC address alone Broadcast/Unknown/Multicast destination MAC address: Forward to all ports and PE routers associated with the VPLS of the receiving interface Known destination MAC address (vpn-name.vpls): Unicast to associated interface or PE router
www.juniper.net
Flooding
| 56

MPLS Site label Fra me label (201) 2 (2000) 0
PE -1 3 1 0 MPLS Site 1 Fra PE -2 CEVPN A A2 Site 2 VLAN
600
VPN A Site 1
CEA1 VLAN 600
label me label (301) MPLS switching by (1000) the core LSRs in P routers are not VPN aware Outer label swapped at each LSR
PE -3
VLAN 600
CEA3 VPN A Site 3
www.juniper.net
| 57

Site Fra me label Penu (2000) PE ltima -2 te Hop Popp PE ing Site -3 label (1000)
Fra me
CEVPN A A2 Site 2 VLAN

600
VPN A Site 1
CEA1 VLAN 600
PE -1
VLAN 600
CEA3 VPN A Site 3
The outer label is removed through penultimate hop popping
www.juniper.net
| 58

AR 600 SA DA P P CE VPN VLAN A E Re 600 CEA1 - q A Site VPN CE VLAN 2 P VLAN 2 2 600 A - VPN 600 P E Site A DA EAR VLAN SAA 600 1 3 Site - P The egress PE 1 router does a label lookup in 3 3 Re mpls.0 q to find the corresponding next hop
VLAN
The label is popped by the egress PE router and sent to interface Allows egress routers to learn the CE-A1s MAC address from Ethernet frame (MAC-to-LSP mapping stored
www.juniper.net
| 59

AR P P CE VPN VLAN A E Re 600 CEA1 - q A Site VPN CE VLAN 2 P VLAN 2 2 600 A - VPN 600 P E Site A DA EAR VLAN SAA 600 1 3 Site - P 1 3 3 Re Because the frame is a broadcast frame, q

VLAN SA DA 600
both CE-A2 and CE-A3 analyze the contents

CE-A2 discards the frame CE-A3 responds with ARP reply
www.juniper.net
| 60

CE VPN P VLAN A E 600 CEA Site A1 VPN CE VLAN 2 P VLAN 2 2 600 MPLS A Site 1 Label - VPN 600 P E LSP Fra Site A A VLAN SA DA E me ARP 600 label Site 1 3 DA = CERep 1 A1s MAC 3 3 ly = CEPE-3 receives Ethernet frame from CE-A3 SA
A3s MAC and performs a lookup in vpn-name.vpls
Because it previously learned that CE-A1s MAC address is located at Site 1, PE-1 sends the Ethernet frame directly to PE-1 using MPLS encapsulation Flooding frame to all remote PE routers is not required when MAC address is learned and stored
www.juniper.net
| 61

Penu CE VPN P ltima VLAN A E 600 CEte A Site A1 VPN Hop CE VLAN 2 P 1 Label VLAN 2 2 600 Site A Popp - VPN 600 P E Fra Site ing A A me E 1 3 Site 1 PE-1 does a label lookup in mpls.0 to find 3 3
the corresponding next hop

The inner label is popped by the egress PE router and sent to VT interface Allows egress routers to learn the CE-A1s MAC address from Ethernet frame (MAC-to-LSP mapping stored in vpn-name.vpls) and then perform second lookup to forward frame out of the VPLS interface
www.juniper.net
| 62

CEA1 VLAN 600
P E Echo Requ1 Any future traffic ests longer must be flooded as in initial data flow Echo CE and PE routers have learned MAC addresses of both Replie CE devices s The vpn-name.vpls table on both PE-1 and PE-3 have dynamically installed forwarding entries for inbound and outbound traffic based on MAC addresses learned
www.juniper.net
VPN A Site 1
CE VPN P VLAN A E 600 A Site CE 2 VLAN 2 2 - VPN 600 P A A E 3 Site 3 3 between CE-A1 and CE-A3 no
| 63
Relieve PE1 of BUM Replication Duties

Replication with no CE VPN P Penultimate E VLA A N P Hop Popping CE2 A1 - 600A Site E- 0 VPN VLA CE 2 VLA 2 N 2 1 P2MP A 0 - VPN N P 600 Fra 600 Site me label A A E 1 (200) 3 Site P2MP LSPs can be used instead of unicast LSPs 3 to forward BUM(Broadcast/Unknown/Multicast) 3
traffic

Ingress PE no longer has to perform all of the replication of BUM traffic Can be used in BGP VPLS scenario only
P2MP LSP to VPLS mapping is performed with the readvertisement of an ingress PEs label blocks with the PMSI Tunnel attribute
www.juniper.net
| 64
Network Assumptions
PEs are fully meshed

MPLS LSPs established by LDP or RSVP Tunnels can also be GRE No PE forwards a packet from a remote PE router to another remote PE router Reduces need for Spanning Tree Protocol (STP) in provider network
Full mesh enables split-horizon behavior
PE routers perform MAC learning and flooding
But no PE router requests another PE router to flood or learn on its behalf

www.juniper.net
| 65
Potential Layer 2 Loops (1 of 2)
VPN A Site 1
CEA1
PE -2 PE -1
CEA2 VPN A Site 2
Redundant links between a CE and PE
Solutions

Configure active/backup links on PE-2 (BGP VPLS only) Configure LAG between PE-2 and CE-A2 Configure ERP between PE-2 and CE-A2 Run a spanning tree protocol between PE-2 and CE-A2
www.juniper.net
| 66
Potential Layer 2 Loops (2 of 2)

PE -2 VPN A Site 1
CEA1
PE -1
CEA2 VPN A Site 2 PE -3
Multihomed CE with two different PEs
Solutions

Configure multihoming and Local Preference on PE-2 and PE-3 (BGP VPLS only) Configure primary and backup neighbor (LDP VPLS only) Run a spanning tree protocol between PE-2, PE-3, and CE-A2
www.juniper.net
| 67
New Corporate Network
SP network looks like an Ethernet switch/hub/wir e
Intra-building connectivity via Ethernet lBroadcast domains (LANs) broken up by routers lExternal connectivity via VPLS just another Ethernet
l
www.juniper.net
| 68

Mpls VPN: Click To Edit Master Subtitle Style

Uploaded by

Copyright:

Available Formats

Mpls VPN: Click To Edit Master Subtitle Style

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Mpls VPN: Click To Edit Master Subtitle Style

Uploaded by

Copyright:

Available Formats

Day 6

Click to edit Master subtitle style

Click to edit Master subtitle style

2011 Juniper Networks, Inc. All rights reserved. | www.juniper.net

Mobile Users and Telecommuters

Suppliers, Partners and Customers

Virtual private network:

2011 Juniper Networks, Inc. All rights reserved.

VPN components Customer Edge Routers

Customer Edge (CE) routers

2011 Juniper Networks, Inc. All rights reserved.

VPN components Provider Edge Routers

Provider Edge (PE) routers

2011 Juniper Networks, Inc. All rights reserved.

VPN components Provider Routers

Provider (P) routers

2011 Juniper Networks, Inc. All rights reserved.

MPLS Layer 3 VPN

Click to edit Master subtitle style

2011 Juniper Networks, Inc. All rights reserved. | www.juniper.net

VPN components VPN Sites

2011 Juniper Networks, Inc. All rights reserved.

VPN Routing and Forwarding Tables (VRFs)

Static Routes PE 1 CEB1 RIP

CEC1 VPN B Site3

CEB3 CEC2 VPN C Site 2

2011 Juniper Networks, Inc. All rights reserved.

VPN Routing and Forwarding (VRFs)

Each VRF is populated with:

2011 Juniper Networks, Inc. All rights reserved.

Overlapping Address Spaces

10.2/16 VPN A Site 3

2011 Juniper Networks, Inc. All rights reserved.

VPN-IPv4 Address Family

Subscriber IPv4 prefix (4 bytes)

VPN-IPv4 address family

VPN-IPV4 addresses are distributed by MP-iBGP

VPN-IPV4 addresses are used only in the control plane

Uses Multiprotocol Extensions for BGP4 (RFC 2283)

2011 Juniper Networks, Inc. All rights reserved.

VPN-IPv4 Address Family

Two values are defined for Type Field: 0 and 1

Type 1: Adm Field = 4 bytes, AN field = 2 bytes

Examples: 10458:22:10.1.0.0/16 or 1.1.1.1:33:10.1.0.0/16

2011 Juniper Networks, Inc. All rights reserved.

VPN-IPv4 Address Family

Route distinguisher(RD) disambiguates( ) IPv4 addresses VPN-IPv4 routes

2011 Juniper Networks, Inc. All rights reserved.

Using Route Distinguishers(RD)

10.1/16 VPN A Site 1 CEA1

VPN B Site3 10.3/16

2011 Juniper Networks, Inc. All rights reserved.

Operational Model Overview

2011 Juniper Networks, Inc. All rights reserved.

Route distribution is controlled by BGP Extended Community attributes

2011 Juniper Networks, Inc. All rights reserved.

Export policies define what targets are associated with routes

Import policies define what routes will be added to a VRF

Route isolation between VRFs is accomplished through careful policy administration