VPN
Virtual Private Networks give users the ability to connect remote sites and have a private network over some shared infrastructure. IPsec VPNs provide data confidentiality, data authenticity and data integrity along with an anti-replay mechanism. IPsec VPNs are often used in hub-and-spoke designs. In a full-mesh topology they lack scalability, because every time you add a site you need to change the configuration on all existing sites. They are good for centralized companies relying on hub-and-spoke topologies, as we mentioned before, but in a situation where you have lots of sites and you need to interconnect them, they fall short.
BGP – MPLS Layer 3 VPN
BGP with MPLS L3 VPN can be looked at as an alternative to IPsec VPNs for bigger and more complex designs. They do not have the scalability issues that IPsec VPNs have in full-mesh topologies and can easily connect multiple sites. Adding a new site requires a change only on the Provider Edge (PE) device that connects to the customer router. The Customer Edge (CE) router peers with the PE router. Keep in mind that the CE router does not know about any VPNs going on. A VPN is formed between PE routers that are running Multiprotocol BGP-4 (MP-BGP). MP-BGP distributes customer prefixes across the provider's network. The customer's data is transported in the service provider's MPLS (Multiprotocol Label Switching) network based on labels. Traffic passes through a Label-Switched Path (LSP), which is like a tunnel between PE routers.
Here it is important to know that the combination of VRFs, MPLS and MP-BGP ensures that traffic from one VPN does not leak into another VPN, while customers can still use the same private IP address space.
There are many more benefits to MPLS, such as TE (Traffic Engineering), which allows us to prioritize traffic and change its flow. Instead of relying on the classic IGP best-path selection, we can change the path using TE.
This is how the MPLS header looks: the inner and outer labels, which we will describe later, are inserted in the MPLS header.
Terminology:
Customer Edge (CE) - a router that sits at the edge of the customer site. The customer router advertises its routes to the PE router via a routing protocol.
Provider Edge (PE) - a router that sits at the edge of the provider's network. The PE installs the routes received from a specific customer in a VRF and attaches the VPN MPLS label. There are multiple VRFs running on a PE router; each customer is assigned its own VPN Routing and Forwarding table. The PE router also assigns a Route Distinguisher (RD) to every VRF. The 8-byte RD is prepended to the customer's IPv4 prefix, turning it into a 12-byte VPNv4 address. RDs are used to distinguish between different customers' networks, because customers can use overlapping address space while their routes traverse the ISP's network. Example of RD:
PE1(config)# ip vrf Customer1
PE1(config-vrf)# rd 65001:1
PE1(config-vrf)# route-target both 65001:1
PE1(config)# ip vrf Customer2
PE1(config-vrf)# rd 65001:2
PE1(config-vrf)# route-target both 65001:2
Under the customer's VRF on the PE routers we also define the Route-Target (RT), a BGP extended community which dictates which routes we import into and export from a particular VRF. In the above example we used the keyword "both", meaning import and export all routes with that RT for this VRF. We could have also used the separate commands "route-target import 65001:1" and "route-target export 65001:1".
Once the PE router attaches the RD and the MPLS label, it advertises the VPNv4 routes via MP-BGP. MP-BGP allows BGP to support address families other than IPv4, such as VPN-IPv4. VPN-IPv4 addresses are used only inside the provider's network. All PE routers receive the routes via BGP and then filter them by looking at the RT (Route-Target) value, which is transported as a BGP extended community: if some VRF is configured to import routes with that RT, the routes are installed in that VRF. Other VRFs are not aware of them and do not receive them.
You can use this to do so-called route leaking. For example, you can import routes from Customer2 into the Customer1 VRF table using this technique. Simply insert the command "route-target import 65001:2" under the Customer1 VRF, and those routes will appear in the Customer1 routing table.
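The RD/RT mechanics described above, as an added example that is not part of the original post: a small Python model of what the PE does. The ingress PE prepends the VRF's RD to each customer prefix and tags the VPNv4 route with the export RTs; the remote PE installs a route into a VRF only if one of its RTs is in that VRF's import list. Customer1 and Customer2 deliberately share the prefix 10.1.0.0/24, so the model also shows the caveat that route leaking between VRFs with overlapping address space produces a conflict that a real PE would have to resolve by best-path selection. The VRF names, RDs and RTs follow the page's example; the prefixes, next hops and the simplified conflict handling are constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Vpnv4Route:
    """A VPN-IPv4 route as carried by MP-BGP: RD + prefix, BGP next hop (the PE) and RT communities."""
    rd: str
    prefix: str
    next_hop: str
    route_targets: frozenset

    @property
    def vpnv4_prefix(self):
        # RD:prefix is what keeps overlapping customer prefixes unique inside the provider network
        return f"{self.rd}:{self.prefix}"


@dataclass
class Vrf:
    name: str
    rd: str
    export_rts: set
    import_rts: set
    table: dict = field(default_factory=dict)  # customer prefix -> next hop (CE or remote PE)


def export_vpnv4(vrf, pe_loopback):
    """Ingress PE: prepend the VRF's RD, set next hop to the PE itself and tag with the export RTs."""
    return [Vpnv4Route(vrf.rd, p, pe_loopback, frozenset(vrf.export_rts)) for p in vrf.table]


def import_vpnv4(vrf, vpnv4_routes):
    """Remote PE: accept only routes carrying an RT this VRF imports, strip the RD.

    Returns (accepted prefix -> next hop, list of VPNv4 prefixes skipped because the same
    IPv4 prefix was already imported from a different RD). Simplification: a real PE would
    run BGP best-path selection between the two candidates instead of skipping one.
    """
    accepted, origin_rd, conflicts = {}, {}, []
    for r in sorted(vpnv4_routes, key=lambda x: x.vpnv4_prefix):
        if not (r.route_targets & vrf.import_rts):
            continue  # no matching RT: this VRF never sees the route
        if r.prefix in accepted and origin_rd[r.prefix] != r.rd:
            conflicts.append(r.vpnv4_prefix)  # overlapping prefix from another customer's RD
            continue
        accepted[r.prefix] = r.next_hop
        origin_rd[r.prefix] = r.rd
    return accepted, conflicts


def build_pe1_vrfs():
    """Constructed PE1 configuration mirroring the page's 'rd 65001:1 / route-target both' example."""
    c1 = Vrf("Customer1", "65001:1", {"65001:1"}, {"65001:1"}, {"10.1.0.0/24": "CE1"})
    c2 = Vrf("Customer2", "65001:2", {"65001:2"}, {"65001:2"},
             {"10.1.0.0/24": "CE2", "172.16.0.0/24": "CE2"})
    return c1, c2


def pe2_tables(leak_customer2_into_customer1=False):
    """Advertise PE1's VPNv4 routes to PE2 and show what each VRF on PE2 ends up with."""
    c1, c2 = build_pe1_vrfs()
    vpnv4 = export_vpnv4(c1, "PE1") + export_vpnv4(c2, "PE1")
    pe2_c1 = Vrf("Customer1", "65001:1", {"65001:1"}, {"65001:1"})
    pe2_c2 = Vrf("Customer2", "65001:2", {"65001:2"}, {"65001:2"})
    if leak_customer2_into_customer1:
        pe2_c1.import_rts.add("65001:2")  # equivalent of 'route-target import 65001:2' under Customer1
    return ([r.vpnv4_prefix for r in vpnv4],
            import_vpnv4(pe2_c1, vpnv4),
            import_vpnv4(pe2_c2, vpnv4))


if __name__ == "__main__":
    for leak in (False, True):
        prefixes, cust1, cust2 = pe2_tables(leak)
        print("VPNv4 table on PE2:", prefixes)
        print("Customer1 VRF (leak=%s):" % leak, cust1)
        print("Customer2 VRF:", cust2)
```

Without the extra import, the Customer1 VRF on PE2 only ever sees the route tagged 65001:1, even though the VPNv4 table holds both customers' copies of 10.1.0.0/24 as distinct RD-prefixed entries. After adding the 65001:2 import, 172.16.0.0/24 is leaked into Customer1, while the overlapping 10.1.0.0/24 is reported as a conflict.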
Label Edge Router (LER) - in our case PE1 is the LER. On ingress, the LER pushes the VPN label onto the MPLS header of the customer's traffic. The VPN label is the inner label and is untouched by the P routers. It is used by the remote PE router to identify the correct next hop (which customer CE to route this to). The remote PE router (in our case PE2) receives a packet carrying the VPN label, pops that label and forwards the customer traffic to the correct CE router.
VPN-IPv4 routes along with the inner VPN label and route-target are distributed by MP-BGP between the PE routers. The outer LSP label is learned via the LDP (Label Distribution Protocol).
On top of the inner VPN label, the PE router stacks the outer LSP (Label-Switched Path) label onto the IP packet. The LSP label has only local significance and gets swapped with a new label by every P router along the path. The last P router is the penultimate router of the LSP. It pops the LSP label and switches the customer traffic to the PE router with the inner (VPN) label only. It pops the outer label because otherwise the PE router would have to do two label lookups, which we do not want: this is the end of the MPLS path, there are no more labels to switch on, and the only thing left to do is forward the traffic to the correct CE device, which is done by looking at the VPN label alone. Without the pop the PE would first look at the outer MPLS label and only then at the VPN label, which is wasted work since the outer label is no longer needed. By doing ` Penultimate hop popping (PHP)` we eliminate the double table lookup.
Provider (P) - is a Label Switching Router (LSR). It is not connected to any CE device, only to other P devices or PE devices. P routers do not hold VPNv4 routes; they only forward packets to other P and PE routers. A P router examines the outer LSP label and swaps it with a new LSP label before forwarding the packet to its neighbor. To be able to establish the BGP adjacency between PE routers, the P and PE routers run an IGP between themselves so the PE routers have connectivity to each other.
LDP (Label Distribution Protocol) - LDP enables LSRs to discover peers and to establish LDP sessions with those peers to exchange label binding information. MPLS LDP enables one LSR to inform another LSR of the label bindings it has made. Once a pair of routers have exchanged the LDP parameters, they establish a label-switched path (LSP).
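The label-stack walk from the LER, P and PHP paragraphs above, plus the LDP bindings just described, as an added example that is not part of the original post. The Python model pushes the two-label stack at PE1, swaps the outer label at P1, pops it at the penultimate hop P2 (because PE2 advertised the reserved implicit-null label via LDP) and counts how many label lookups PE2 has to do with and without PHP. The path PE1 - P1 - P2 - PE2, the label values 100, 200, 300 and 24, and the LFIB layout are constructed assumptions; only the reserved value 3 for implicit-null is a real MPLS constant.

```python
IMPLICIT_NULL = 3  # reserved MPLS label value that LDP uses to request penultimate hop popping

# constructed: VPN label allocated by PE2 for its Customer1 VRF, carried in MP-BGP with the VPNv4 route
VPN_LABEL_CUSTOMER1 = 24


def build_lfib(php=True):
    """Constructed LDP label bindings for the LSP towards PE2's loopback on the path PE1 -> P1 -> P2 -> PE2."""
    return {
        "PE1": {"in": None, "out": 100, "next": "P1"},   # PE1 learned label 100 from P1 via LDP
        "P1":  {"in": 100,  "out": 200, "next": "P2"},   # P1 swaps 100 -> 200 (200 learned from P2)
        # P2 is the penultimate hop: with PHP, PE2 advertised implicit-null, so P2 pops instead of swapping
        "P2":  {"in": 200,  "out": IMPLICIT_NULL if php else 300, "next": "PE2"},
    }


def ingress_push(payload, vpn_label, lsp_label):
    """PE1 (LER): push the inner VPN label first, then the outer LSP label. Index 0 is the top of the stack."""
    return {"labels": [lsp_label, vpn_label], "payload": payload}


def lsr_switch(router, packet, lfib):
    """P router (LSR): act on the top label only; the VPN label underneath is never inspected."""
    entry = lfib[router]
    top = packet["labels"][0]
    if top != entry["in"]:
        raise ValueError(f"{router}: no LFIB binding for incoming label {top}")
    if entry["out"] == IMPLICIT_NULL:
        action, labels = "pop", packet["labels"][1:]            # PHP: VPN label is now on top
    else:
        action, labels = f"swap {top}->{entry['out']}", [entry["out"]] + packet["labels"][1:]
    return {"labels": labels, "payload": packet["payload"]}, (router, action, entry["next"])


def egress_pe(packet, vpn_label_table):
    """PE2: each label left above the VPN label costs one extra lookup; the VPN label selects VRF and CE."""
    labels = list(packet["labels"])
    lookups = 0
    while len(labels) > 1:          # leftover LSP label(s) when PHP is not in use
        labels.pop(0)
        lookups += 1
    lookups += 1                    # the VPN label lookup itself
    vrf, ce = vpn_label_table[labels[0]]
    return vrf, ce, lookups


def trace_path(php=True, payload="IPv4 10.1.0.5 -> 10.1.1.9"):
    """Walk one customer packet across the provider core and return (per-hop actions, lookups at PE2)."""
    lfib = build_lfib(php)
    vpn_table = {VPN_LABEL_CUSTOMER1: ("Customer1", "CE2")}   # PE2's VPN label -> VRF / CE mapping
    pkt = ingress_push(payload, VPN_LABEL_CUSTOMER1, lfib["PE1"]["out"])
    hops = [("PE1", f"push {pkt['labels']}", "P1")]
    for router in ("P1", "P2"):
        pkt, step = lsr_switch(router, pkt, lfib)
        hops.append(step)
    vrf, ce, lookups = egress_pe(pkt, vpn_table)
    hops.append(("PE2", f"pop {VPN_LABEL_CUSTOMER1} -> VRF {vrf}", ce))
    return hops, lookups


if __name__ == "__main__":
    for php in (True, False):
        hops, lookups = trace_path(php)
        print(f"PHP={php}: {lookups} label lookup(s) at PE2")
        for router, action, next_hop in hops:
            print(f"  {router}: {action} -> {next_hop}")
```

With PHP the packet reaches PE2 carrying only the VPN label and PE2 does a single lookup; with P2 swapping instead of popping, PE2 first has to strip the outer label and then look up the VPN label, which is the double lookup the text describes.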
In the next write up we will start to configure and show these features in play so it will be more clear, see you then!