
MPLS VPN Overview

With MPLS VPN services, the provider backbone and the customer sites exchange Layer-3 customer routing information, and packets are forwarded between a customer's multiple sites across the MPLS-enabled backbone.

Components of MPLS VPN
1. Customer networks: under the customer's administrative domain.
2. Provider network: under the provider's administrative control and responsible for routing between a customer's various sites.
3. CE routers: customer edge routers that connect the customer site to the provider's MPLS network.
4. PE routers: provider MPLS edge routers that connect to one or more customer CE routers.
5. P routers: provider MPLS backbone routers that interface only with other P routers or with PE routers.

MPLS-based VPN accommodates overlapping IP address space between multiple customers by isolating each customer's routing and traffic.

CE routers only send and receive ordinary IP traffic; no labeled packets are forwarded to a CE router. A CE router therefore needs no MPLS configuration to connect to the provider's MPLS VPN network. The converse should also hold: MPLS is not enabled on the PE's CE-facing interface, so a CE cannot push labeled packets into the backbone and pick its own label stack.

The PE router is where the MPLS VPN implementation starts. When multiple customers connect to the same PE router, the PE is responsible for isolating their traffic. It does this by assigning an independent routing table to each customer, which is as good as assigning a dedicated router to each customer. In the rest of the provider network (the P routers), routing is done using the global routing table: P routers only label-switch between the provider edge routers and are unaware of the VPN routes. The whole process is transparent to the customer, since the CE routers are not aware of the P routers or of the provider network's internal topology.

In the provider network the P routers are responsible only for label switching; they carry no VPN routes and do not participate in the MPLS VPN routing.

VRF: Virtual Routing and Forwarding table

Customer traffic isolation is achieved in MPLS VPN with the use of VRFs. Each VRF can be thought of as a dedicated router assigned to each customer CE router.
1. A VRF is similar to the global routing table except that it contains only the routes of one specific VPN.
2. A VRF also has its own VRF-specific CEF forwarding table.
3. Any interface that is part of a VRF must support CEF.
4. An interface (logical or physical) can be assigned to only one VRF.

VRF Contains
1. IP routing table which is analogous to global IP routing table
2. A CEF table
3. A list of interfaces that are part of VRF
4. A set of rules defining the routing protocol exchange with the CE router (routing contexts).
5. VPN identifiers and VPN membership information (the RD and the import/export route targets).

Cisco IOS currently supports the following routing protocols per VRF for exchanging customer routes between CE and PE routers (static routes per VRF are supported as well):
RIPv2 (multiple contexts)
EIGRP (multiple contexts)
OSPFv2 (multiple processes)
BGPv4 (multiple contexts)

Route Distinguisher (RD)
The PE router does the customer traffic isolation and has multiple VRFs, one per customer, and the customers can have overlapping addresses. The customer routes have to cross the P (backbone) routers in the MPLS network to the PE router at the other end, which connects to the customer's other sites, so there has to be a way to distinguish between these overlapping addresses. For example, suppose Customer-X has four sites interconnected through Provider-M's MPLS network and uses the address space 10.0.0.0/8, and Customer-Y also has four sites interconnected through the same Provider-M network and uses the same private address space 10.0.0.0/8. There has to be a way to separate Customer-X's 10.0.0.0/8 from Customer-Y's 10.0.0.0/8, so that Customer-X talks only to its own sites and Customer-Y only to its own sites on the 10 network they both use, without any mix-up. The key is to distinguish Customer-X's routes from Customer-Y's routes.

The PE router implements this feature using the RD per VRF.

The RD is a 64-bit identifier that is prepended to the 32-bit IPv4 customer prefix learnt from the CE router. Even where multiple customers use overlapping addresses, each customer prefix thus becomes a unique 96-bit address that can be transported between PE routers across the MPLS domain.

A unique RD is configured per VRF on the PE router, and the resulting 96-bit address is called a VPN version 4 or VPNv4 address.

Between PE routers in the MPLS domain it is these VPNv4 prefixes that are exchanged to interconnect a customer's multiple sites. Note that the RD only makes the routes unique; it says nothing about which customers may receive them, which is the job of the route targets described below.

RD formats:
If the provider has a 2-byte BGP AS number, the AS number format (type 0, ASN:nn with a 4-byte assigned number, e.g. 65000:100) is normally used; a 4-byte ASN uses type 2 (ASN:nn with a 2-byte assigned number).
If the provider does not use a BGP ASN, the IP address format (type 1, A.B.C.D:nn) can be used.
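As an added example, not part of the original article, the Python below encodes the three RD types into their 8-byte wire form and prepends the RD to a customer IPv4 prefix to produce the 96-bit VPNv4 address, showing that Customer-X's and Customer-Y's identical 10.0.0.0/8 become distinct prefixes. The RD values 65000:100 and 65000:200, the prefixes and the function names are assumptions chosen for the illustration; the encoding itself follows RFC 4364.

```python
import ipaddress
import struct

# Route Distinguisher types (RFC 4364, section 4.2): a 2-byte type field
# followed by a 6-byte value split into administrator and assigned number.
RD_TYPE_AS2 = 0   # 2-byte ASN : 4-byte number      e.g. 65000:100
RD_TYPE_IP = 1    # 4-byte IPv4 : 2-byte number     e.g. 192.0.2.1:100
RD_TYPE_AS4 = 2   # 4-byte ASN : 2-byte number      e.g. 4200000000:100


def encode_rd(text):
    """Encode an 'administrator:number' RD string into its 8-byte wire form.

    The administrator decides the type: dotted quad -> type 1, ASN above
    65535 -> type 2, otherwise type 0. Numbers outside the field width are rejected.
    """
    admin, num = text.rsplit(":", 1)
    num = int(num)
    if "." in admin:
        if not 0 <= num <= 0xFFFF:
            raise ValueError("type 1 RD: assigned number must fit in 16 bits")
        return struct.pack("!HIH", RD_TYPE_IP, int(ipaddress.IPv4Address(admin)), num)
    asn = int(admin)
    if asn > 0xFFFF:
        if not 0 <= num <= 0xFFFF:
            raise ValueError("type 2 RD: assigned number must fit in 16 bits")
        return struct.pack("!HIH", RD_TYPE_AS4, asn, num)
    if not 0 <= num <= 0xFFFFFFFF:
        raise ValueError("type 0 RD: assigned number must fit in 32 bits")
    return struct.pack("!HHI", RD_TYPE_AS2, asn, num)


def decode_rd(raw):
    """Inverse of encode_rd: 8 bytes -> 'administrator:number'."""
    if len(raw) != 8:
        raise ValueError("RD must be exactly 8 bytes")
    rd_type = struct.unpack("!H", raw[:2])[0]
    if rd_type == RD_TYPE_AS2:
        asn, num = struct.unpack("!HI", raw[2:])
        return f"{asn}:{num}"
    if rd_type == RD_TYPE_IP:
        ip, num = struct.unpack("!IH", raw[2:])
        return f"{ipaddress.IPv4Address(ip)}:{num}"
    if rd_type == RD_TYPE_AS4:
        asn, num = struct.unpack("!IH", raw[2:])
        return f"{asn}:{num}"
    raise ValueError(f"unknown RD type {rd_type}")


def vpnv4_prefix(rd_text, ipv4_prefix):
    """Return the 96-bit VPNv4 address as 12 bytes: 64-bit RD + 32-bit network.

    The real MP-BGP NLRI also carries a length octet and the VPN label in
    front of this; only the RD+prefix part the text describes is modelled here.
    """
    net = ipaddress.IPv4Network(ipv4_prefix, strict=False)
    return encode_rd(rd_text) + net.network_address.packed


def vpnv4_text(rd_text, ipv4_prefix):
    """Human-readable 'RD:network/len' form of the same VPNv4 address."""
    raw = vpnv4_prefix(rd_text, ipv4_prefix)
    plen = ipaddress.IPv4Network(ipv4_prefix, strict=False).prefixlen
    return f"{decode_rd(raw[:8])}:{ipaddress.IPv4Address(raw[8:])}/{plen}"


if __name__ == "__main__":
    # Constructed example: Customer-X and Customer-Y both announce 10.0.0.0/8.
    x = vpnv4_prefix("65000:100", "10.0.0.0/8")   # Customer-X VRF, RD 65000:100
    y = vpnv4_prefix("65000:200", "10.0.0.0/8")   # Customer-Y VRF, RD 65000:200
    print(vpnv4_text("65000:100", "10.0.0.0/8"), x.hex())
    print(vpnv4_text("65000:200", "10.0.0.0/8"), y.hex())
    print("distinct VPNv4 prefixes:", x != y, "bits:", len(x) * 8)
```

The two hex dumps differ only in the RD bytes, which is exactly the point: the RD is the only thing keeping the two 10.0.0.0/8 routes apart once they are inside MP-BGP, so two VRFs on one PE must never share an RD.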

Multiprotocol BGP (MP-BGP) is the protocol used to exchange the VPNv4 routes between the PE routers; its VPNv4 address family carries the 96-bit VPNv4 prefixes together with the route target extended communities.
The VPN label is allocated by the PE router that originates the VPNv4 route and is carried in the same MP-BGP update (labeled VPNv4 NLRI).

An MP-BGP session between PE routers in a single AS is called MP-iBGP and follows the iBGP rules. An MP-BGP session between PE routers in different BGP ASes is called an MP-eBGP session.

Note: packet forwarding in an MPLS VPN relies on the rule that the router specified as the BGP next hop in the incoming VPNv4 update is the same router that allocated the VPN label. The label is meaningful only to that PE, so the update must carry the originating PE as next hop (next-hop-self on the MP-iBGP session) and the backbone must have a label-switched path to that next-hop address.

If both PE routers are in the same AS, each PE must run an IGP that provides reachability to the other PE's loopback (the BGP next hop of the VPNv4 routes), and LDP must distribute labels for those loopbacks so that an LSP exists between the PEs. Cisco supports both OSPF and IS-IS as the backbone IGP in MPLS networks.

Route Targets (RT)
RTs are additional identifiers, carried alongside the VPNv4 routes in the MPLS domain, that identify the VPN membership of the routes learnt from a particular site.
RTs are implemented as BGP extended communities. The high-order 16 bits of the 8-byte extended community are the type field, which marks the community as a route target (0x0002 for the ASN:nn form, 0x0102 for the IP:nn form); the remaining 48 bits carry the value that corresponds to the VPN membership of a specific site.
When a VPN route is learnt from a CE router and injected into VPNv4 BGP, a list of route target extended community attributes is attached to it. The export route targets configured on the VRF are appended to the customer prefix when it is converted to a VPNv4 prefix, identify its VPN membership, and are propagated in the MP-BGP updates. Each VRF also has import route targets, which identify the VPNv4 routes to be imported into that VRF for a specific customer.

PE routers advertise RTs in BGP updates as the BGP extended community path attribute.
BGP extended communities are 8 bytes long and serve a wide variety of purposes. MPLS VPN uses the extended community path attribute to encode one or more RT values, and an RT value follows the same ASN:nn or IP:nn format as the RD.

Note: A particular prefix can have only one RD, but it can have one or more RTs assigned to it. RTs are used to determine into which VRFs a PE places iBGP-learned routes.

RTs are configured per VRF as export RTs and import RTs.
Example:
route-target export 65000:200
route-target import 65000:200

The import and export can be thought of as follows:
Import: redistribute the NLRI into the VRF from BGP.
Export: redistribute the NLRI into BGP from the VRF.
Each VRF needs to import and export at least one RT. The import list is what actually enforces customer isolation: a VRF that imports another customer's RT will receive that customer's routes, whatever the RDs are. Review the import RTs of every VRF when it is created or changed, and confirm the result on the PE with show ip route vrf <name> and show ip bgp vpnv4 vrf <name>.

Overlapping VPNs
In overlapping VPNs each VRF needs more than one RT to be imported or exported. Overlapping VPNs are used when a customer's CE routers need to talk to CE routers of other customers that are in different VPNs. They also occur when a provider offers a shared service to many customers, where all customers' CE routers need to reach the same provider location. Other business needs may also call for overlapping VPNs. Because a route loses its RD when it is imported into a VRF, the sites that can see each other through an overlapping VPN must not use overlapping address space: the RD keeps the routes apart in the MP-BGP table, not inside the importing VRF.
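To make the RT mechanism and the overlapping-VPN case concrete, here is an added Python example (not the article's own material). It encodes route targets as 8-byte extended communities with the route-target type field in the high-order 16 bits, and models the export and import steps for three VRFs on one PE: Customer-X, Customer-Y and a shared-services VRF that both customers may reach. It also includes an audit function of the kind a practitioner would run against a PE's VRF configuration: it flags routes imported from a VRF that should not be visible (an RT leak) and prefixes that collide after import. The VRF names, RDs, RTs and prefixes are constructed for the example; the IP-address form of RT is left out for brevity.

```python
import struct

# A BGP extended community is 8 bytes: a 2-byte type field and a 6-byte value.
# The type field (not the value) says "this is a Route Target":
#   0x0002 = two-octet-AS-specific RT (65000:100)
#   0x0202 = four-octet-AS-specific RT (4200000000:7)
# The VPN membership lives in the 6-byte value, encoded like an RD.
RT_TYPE_AS2 = 0x0002
RT_TYPE_AS4 = 0x0202


def encode_rt(text):
    """'asn:nn' -> 8-byte Route Target extended community (AS-specific forms only)."""
    asn, num = (int(p) for p in text.split(":"))
    if asn > 0xFFFF:
        return struct.pack("!HIH", RT_TYPE_AS4, asn, num)
    return struct.pack("!HHI", RT_TYPE_AS2, asn, num)


def decode_rt(raw):
    """8-byte extended community -> 'asn:nn', rejecting non-RT types."""
    rt_type = struct.unpack("!H", raw[:2])[0]
    if rt_type == RT_TYPE_AS2:
        asn, num = struct.unpack("!HI", raw[2:])
    elif rt_type == RT_TYPE_AS4:
        asn, num = struct.unpack("!IH", raw[2:])
    else:
        raise ValueError(f"not an AS-specific route target: type 0x{rt_type:04x}")
    return f"{asn}:{num}"


class VRF:
    """One customer routing instance on a PE: an RD plus import/export RT sets."""

    def __init__(self, name, rd, import_rts, export_rts, routes):
        self.name, self.rd = name, rd
        self.import_rts = {encode_rt(r) for r in import_rts}
        self.export_rts = {encode_rt(r) for r in export_rts}
        self.routes = list(routes)            # IPv4 prefixes learnt from this VRF's CE


def export_vpnv4(vrfs):
    """Export: each VRF prefix becomes RD:prefix tagged with the VRF's export RTs."""
    return [{"vpnv4": f"{v.rd}:{p}", "prefix": p, "rts": frozenset(v.export_rts),
             "origin": v.name} for v in vrfs for p in v.routes]


def import_vpnv4(vrf, vpnv4_table):
    """Import: a VRF takes every VPNv4 route carrying at least one of its import RTs.
    Returns (prefix, origin VRF) pairs; the RD is not consulted at this step."""
    return sorted((r["prefix"], r["origin"]) for r in vpnv4_table
                  if r["rts"] & vrf.import_rts and r["origin"] != vrf.name)


def audit_imports(vrf, vpnv4_table, allowed_origins):
    """Practitioner check: which imported routes come from a VRF this one should not
    see (RT leak), and which prefixes collide with each other or with local routes
    (overlapping address space inside an overlapping VPN)?"""
    imported = import_vpnv4(vrf, vpnv4_table)
    leaks = [(p, o) for p, o in imported if o not in allowed_origins]
    seen = {p: vrf.name for p in vrf.routes}          # local routes count too
    collisions = set()
    for p, o in imported:
        if p in seen and seen[p] != o:
            collisions.add(p)
        seen.setdefault(p, o)
    return leaks, sorted(collisions)


# Constructed scenario: two customers with overlapping 10.0.0.0/8 space, plus a
# shared-services hub VRF that both may reach (the "overlapping VPN" case).
CUST_X = VRF("cust-x", "65000:100", ["65000:100", "65000:900"], ["65000:100"],
             ["10.0.0.0/8", "192.168.100.0/24"])
CUST_Y = VRF("cust-y", "65000:200", ["65000:200", "65000:900"], ["65000:200"],
             ["10.0.0.0/8", "192.168.200.0/24"])
SHARED = VRF("shared", "65000:900", ["65000:100", "65000:200"], ["65000:900"],
             ["203.0.113.0/24"])
# Misconfiguration: Customer-Y's VRF also imports Customer-X's RT.
CUST_Y_BAD = VRF("cust-y", "65000:200", ["65000:200", "65000:900", "65000:100"],
                 ["65000:200"], ["10.0.0.0/8", "192.168.200.0/24"])
VPNV4 = export_vpnv4([CUST_X, CUST_Y, SHARED])

if __name__ == "__main__":
    print("cust-x sees :", import_vpnv4(CUST_X, VPNV4))
    print("shared sees :", import_vpnv4(SHARED, VPNV4))
    print("audit good Y:", audit_imports(CUST_Y, VPNV4, {"shared"}))
    print("audit bad  Y:", audit_imports(CUST_Y_BAD, VPNV4, {"shared"}))
```

Two results are worth noting. The mis-configured Customer-Y VRF receives Customer-X's routes even though the two VRFs have different RDs, which is the leak the import list controls. And the shared-services VRF, which legitimately imports both customers, ends up with two 10.0.0.0/8 routes it cannot tell apart, which is why the sites joined by an overlapping VPN need unique addressing.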

MPLS Control Plane and Data Plane Operations

Control Plane contains all Layer-3 routing information and the label assignment information. The Data Plane performs the packet forwarding of both labeled and IP packets to the next hop toward destination network.

CE routers connect to PE routers and can use static routes, an IGP or BGP to exchange routes with the PE. Inside the MPLS backbone only an IGP and LDP run between PE and P routers and between P routers; MP-BGP runs only between the PE routers.

Control and Data Forwarding Example:

Control Plane:
1. Customer router CE1 sends an IPv4 update for the prefix 192.168.100.0/24 to PE1 (start).
2. Provider edge router PE1 receives the update into the customer's VRF and transforms it into a VPNv4 route:
PE1 prepends the VRF's RD of 1:111 to the prefix.
PE1 attaches the export RT of 1:111 from the VRF configuration.
PE1 allocates the VPN label V1 for this route.
PE1 sets the BGP next hop of the route to its own loopback address, 172.16.10.1.
(Note: PE1's loopback is reachable via the IGP, and LDP has a label binding for it.)
PE1 also advertises its loopback to P1 with the implicit-null (pop) label, asking P1 to perform penultimate-hop popping.
3. Provider backbone router P1 assigns label L1 to PE1's loopback address and advertises the binding to router P2.
4. Provider backbone router P2 assigns label L2 to PE1's loopback address and advertises the binding to PE2.
5. PE2, the provider edge router connected to the second customer site, receives the VPNv4 route from PE1 over MP-iBGP (RD 1:111, RT 1:111, VPN label V1, next hop 172.16.10.1), imports it into the matching VRF because the RT matches an import RT, and resolves the next hop through the LDP label L2 learnt from downstream router P2.
6. Steps 2 and 5 assume that PE1 and PE2 have already formed an MP-iBGP relationship for the VPNv4 address family.

Data Plane: (Packet Forwarding)

1. CE2 sends an IP data packet with source 192.168.200.1 and destination 192.168.100.1 to PE2.
2. PE2 looks the destination up in the customer's VRF, pushes the VPN label V1 and, on top of it, the LDP transport label L2 (the label P2 advertised for PE1's loopback), and forwards the packet to P2.
3. P2 receives the packet with top label L2, swaps it for L1 (the label P1 advertised for PE1's loopback) and forwards the packet to P1. The VPN label V1 underneath is not touched.
4. P1 receives the packet with top label L1 and pops it, because PE1 advertised implicit-null for its loopback in the control plane (penultimate-hop popping). The packet, now carrying only the VPN label V1, is forwarded to PE1.
5. PE1 pops the VPN label V1, which identifies the customer VRF, and forwards the plain IP packet to CE1.

The key point is that the VPN label is allocated by the egress PE and is not touched until the packet reaches that PE; all forwarding in between uses the IGP/LDP transport label. P routers never look at the customer IP header, which is why they carry no VPN routes.
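The data-plane walk above, as an added Python example that is not from the original article: the forwarding tables are constructed, and the page's placeholder labels V1, L1 and L2 are given the assumed values 20, 16 and 17. The simulation prints the label stack at each hop and shows the push at PE2, the swap at P2, the penultimate-hop pop at P1, and that the VPN label is untouched until PE1 uses it to select the VRF.

```python
import ipaddress

IMPLICIT_NULL = 3    # reserved label; advertising it asks the upstream LSR to pop (PHP)
POP, SWAP, PUSH = "pop", "swap", "push"


class PE:
    def __init__(self, name, vpn_routes=None, ldp=None, local_vpn_labels=None):
        self.name = name
        self.vpn_routes = vpn_routes or {}       # (vrf, prefix) -> (vpn label, bgp next hop)
        self.ldp = ldp or {}                     # bgp next hop -> (transport label, next router)
        self.local_vpn_labels = local_vpn_labels or {}   # vpn label -> (vrf, CE)


class P:
    def __init__(self, name, lfib):
        self.name = name
        self.lfib = lfib                         # incoming label -> (outgoing label, next router)


def vrf_lookup(pe, vrf, dst_ip):
    """Longest-prefix match inside one VRF's MP-BGP-learnt routes."""
    addr = ipaddress.IPv4Address(dst_ip)
    best = None
    for (v, prefix), entry in pe.vpn_routes.items():
        net = ipaddress.IPv4Network(prefix)
        if v == vrf and addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, entry)
    if best is None:
        raise LookupError(f"{dst_ip} not reachable in VRF {vrf} on {pe.name}")
    return best[1]


def forward(routers, ingress_pe, vrf, dst_ip):
    """Walk a customer packet across the backbone; returns the per-hop trace as
    (router, action, label stack after the action, next hop) tuples."""
    pe = routers[ingress_pe]
    vpn_label, bgp_nh = vrf_lookup(pe, vrf, dst_ip)
    transport, nxt = pe.ldp[bgp_nh]
    stack = [transport, vpn_label]               # top of stack first
    trace = [(pe.name, PUSH, list(stack), nxt)]
    node = routers[nxt]
    while isinstance(node, P):                   # P routers only see the top label
        out, nxt = node.lfib[stack[0]]
        if out == IMPLICIT_NULL:                 # penultimate-hop popping
            stack, action = stack[1:], POP
        else:
            stack, action = [out] + stack[1:], SWAP
        trace.append((node.name, action, list(stack), nxt))
        node = routers[nxt]
    # Egress PE: only the VPN label is left; it selects the VRF and the CE.
    if len(stack) != 1:
        raise RuntimeError(f"{node.name} expected a single VPN label, got {stack}")
    out_vrf, ce = node.local_vpn_labels[stack[0]]
    trace.append((node.name, POP, [], ce))
    return trace


# Constructed topology matching the walk-through: CE2 - PE2 - P2 - P1 - PE1 - CE1.
V1, L1, L2 = 20, 16, 17     # assumed values for the page's placeholder labels
ROUTERS = {
    "PE2": PE("PE2",
              vpn_routes={("cust-x", "192.168.100.0/24"): (V1, "172.16.10.1")},
              ldp={"172.16.10.1": (L2, "P2")}),
    "P2": P("P2", {L2: (L1, "P1")}),              # swap L2 -> L1
    "P1": P("P1", {L1: (IMPLICIT_NULL, "PE1")}),  # PE1 advertised imp-null: pop here
    "PE1": PE("PE1", local_vpn_labels={V1: ("cust-x", "CE1")}),
}

if __name__ == "__main__":
    for hop in forward(ROUTERS, "PE2", "cust-x", "192.168.100.1"):
        print(hop)
```

The trace ends at PE1 with an empty stack and CE1 as next hop; at every hop before that the bottom label is still V1, which is the property the text describes. The error raised when the egress PE receives more than one label is the kind of sanity check that catches a backbone where PHP was not negotiated.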
