MPLS VPN Technology Basics
Mitrabh Shukla
National IP Manager
Agenda
VPN Concepts
Terminology
VPN Connection model
Forwarding Example
VPN Topologies
For internal use
2
Nokia Siemens Networks
MPLS / Mitrabh Shukla
What is an MPLS-VPN?
An IP network infrastructure delivering private network services
over a public infrastructure
Use a layer 3 backbone
Scalability, easy provisioning
Global as well as non-unique private address space
QoS
Controlled access
Easy configuration for customers
VPN Models
There are two basic types of design models that deliver VPN
functionality
Overlay Model
Peer Model
The Overlay model
Private trunks over a TELCO/SP shared infrastructure
Leased/Dialup lines
FR/ATM circuits
IP (GRE) tunnelling
Transparency between provider and customer networks
Optimal routing requires a full mesh of circuits/tunnels over the backbone
The Peer model
Both provider and customer networks use the same network
protocol and control plane
CE and PE routers have a routing adjacency at each site
All provider routers hold the full routing information about all
customer networks
Private (overlapping) addresses are not allowed, since all customers
share one routing table
May use the virtual router capability
Multiple routing and forwarding tables, one per customer
network
MPLS-VPN = True Peer model
MPLS-VPN is similar in operation to peer model
Provider Edge routers receive and hold routing information
only about VPNs directly connected
Reduces the amount of routing information a PE router will
store
Routing information is proportional to the number of VPNs
a router is attached to
MPLS is used within the backbone to switch packets (P routers
need no customer routes)
MPLS VPN Connection Model
A VPN is a collection of sites sharing common routing
information (a routing table)
A site can be part of different VPNs
A VPN has to be seen as a community of interest (or
Closed User Group)
Multiple Routing/Forwarding instances (VRF) on PE
MPLS VPN Connection Model
Figure: Site-1 to Site-4 and VPN-A, VPN-B, VPN-C; a site can belong to more than one VPN.
A site belonging to different VPNs may or MAY NOT be
used as a transit point between VPNs
If two or more VPNs have a common site, address space
must be unique among these VPNs
MPLS VPN Connection Model
The VPN backbone is composed of MPLS LSRs
PE routers (edge LSRs)
P routers (core LSRs)
The customer router connecting to the VPN backbone is
called the Customer Edge (CE)
PE routers face the CE routers and distribute VPN
information through MP-BGP to other PE routers
VPN-IPv4 addresses, Extended Community (Route-Target), Label
P routers do not run MP-BGP and do not have any VPN
knowledge
MPLS VPN Components
Figure: the C network (customer control) contains the CE routers; the P network (provider control) contains the PE routers (edge LSRs, ELSR) and the P routers (LSRs).
PE-CE Routing
Figure: CE1 and CE2 each attached to a PE over a PE-CE routing session.
PE and CE routers exchange routing information through eBGP,
Static, OSPF, IS-IS, RIP or EIGRP
The CE router runs standard routing software and is not aware that it is
connected to a VPN network
PE-CE routing protocols
Static/BGP are the most scalable
A single PE router can support 100s or 1000s of CE routers
BGP is the most flexible
Particularly for multi-homing, but not popular with Enterprises
Very useful if the Enterprise requires Internet routes
Use the others to meet customer requirements
OSPF is popular with Enterprises but consumes a routing process per VRF
EIGRP is not popular with Service Providers (Cisco
proprietary)
IS-IS is less prevalent in Enterprise environments
RIPv2 provides very simple functionality
Routing Protocol Contexts
Figure: the routing processes on a PE (BGP, RIP, Static), their per-VRF routing contexts (e.g. BGP context 1, RIP), and the VRF routing and forwarding tables for Site A, Site B and Site C.
Routing processes run within specific routing contexts
Each context populates a specific VPN routing table and FIB (VRF)
Interfaces are assigned to VRFs
OSPF and Single Routing Instances
Figure: one OSPF process per VRF (Site A, Site B, Site C), each populating its own VRF routing and forwarding tables.
With OSPF there is a single process per VRF
No routing contexts
Same for IS-IS
Prior to Cisco IOS 12.0(27)S and 12.3(4)T a maximum of 28 OSPF processes
was allowed
Routing Tables
Figure: CE1 and CE2 attached to a PE through PE-CE routing into a VRF; the VPN backbone IGP (OSPF, IS-IS) populates the global routing table.
PE routers maintain separate routing tables
Global Routing Table
All the PE and P routes, populated by the VPN backbone IGP (IS-IS or
OSPF)
VPN Routing and Forwarding Tables (VRF)
Routing and forwarding table associated with one or more directly
connected sites (CEs)
VRFs are associated with (sub/virtual/tunnel) interfaces
Interfaces may share the same VRF if the connected sites share the
same routing information
IGP and label distribution in the backbone
Figure: CE1/CE2 - PE1 - P1 - P2 - PE2 - CE3/CE4, with the LFIB (Dest, Next Hop, IN label, OUT label) of PE1, P1, P2 and PE2. For destination PE2 the recoverable chain is: PE1 sends label 50 towards P1, P1 swaps 50 to 34 towards P2, and P2 (the penultimate hop) pops the label before delivering to PE2.
All routers (P and PE) run an IGP and a label distribution
protocol
Each P and PE router has routes for the backbone nodes
and a label is associated with each route
MPLS forwarding is used within the core
VPN Routing and Forwarding Table
Figure: CE1/CE2 - PE1 - P1 - P2 - PE2 - CE3/CE4, with an MP-iBGP session between PE1 and PE2.
Multiple routing tables (VRFs) are used on PEs
Each VRF contains customer routes
Customer addresses can overlap
VPNs are isolated
Multi-Protocol BGP (MP-BGP) is used to propagate these
addresses + labels between PE routers only
MPLS VPN Requirements
VPN services allow
Customers to use overlapping address space
Isolated customer VPNs (Intranets)
Joined VPNs (Extranets)
The MPLS-VPN backbone MUST
Distinguish between customer addresses
Forward packets to the correct destination
VPN Address Overlap
BGP propagates ONE route per destination
Standard path selection rules are used
What if two customers use the same address?
BGP will propagate only one route - PROBLEM !!!
Therefore MP-BGP must DISTINGUISH between
customer addresses
VPN Address Overlap
When PE router receives VPN routes from MP-BGP how
do we know what VRF to place route in?
How do we distinguish overlapping addresses between
two VPNs
Route-Target and Route-Distinguisher
Figure: two sites attached to PE1 advertise the same prefix X into different VRFs; PE1 sends two VPN-IPv4 updates over the MP-iBGP session to PE2, which inserts each into the VRF whose RT matches.
VPN-IPv4 update 1: RD1:X, Next-hop=PE1, RT=RED, Label=10
VPN-IPv4 update 2: RD2:X, Next-hop=PE1, RT=ORANGE, Label=12
VPN-IPv4 updates are translated back into IPv4 addresses and inserted into
the VRF corresponding to the RT value
MP-BGP prepends a Route Distinguisher (RD) to each
VPN route in order to make it unique
MP-BGP assigns one or more Route-Targets (RT) to each VPN route to
identify the VPN (or CUG) it belongs to
The Route-Target is the colour of the route
Route Propagation through MP-BGP
When a PE router receives an MP-BGP VPN route:
It compares the route's route-target(s) with the import route-targets of each VRF
If they match, the route is inserted into that VRF
The label associated with the VPN route is stored and
used to send packets towards the destination
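As an added example that is not part of the original slides, the following Python model builds the VPN-IPv4 updates described above from two VRFs on PE1 that hold the same customer prefix, and shows why a plain IPv4 BGP table keeps only one of them while the RD-prefixed NLRI keeps both and the RT steers each into the right VRF on PE2. The RD values (65000:1, 65000:2), RT values, PE loopbacks, labels and prefixes are constructed for the example.

```python
# Added example, not code from the original slides: VRF -> VPNv4 update -> VRF.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Vpnv4Route:
    rd: str           # route distinguisher prepended to the prefix (assumed "ASN:nn" form)
    prefix: str       # IPv4 prefix as learned from the CE
    next_hop: str     # advertising PE loopback, the MP-BGP next hop
    rts: frozenset    # route-target extended communities carried on the route
    label: int        # VPN label allocated by the advertising PE


@dataclass
class Vrf:
    name: str
    rd: str
    export_rts: frozenset
    import_rts: frozenset
    local_routes: dict = field(default_factory=dict)  # prefix -> CE it was learned from
    table: dict = field(default_factory=dict)         # imported prefix -> (next hop PE, label)


class PE:
    def __init__(self, loopback):
        self.loopback = loopback
        self.vrfs = {}
        self._next_label = 16  # labels 0-15 are reserved; per-prefix allocation assumed

    def add_vrf(self, vrf):
        self.vrfs[vrf.name] = vrf

    def export_updates(self):
        """One VPN-IPv4 update per local VRF route: RD:prefix, next hop, RTs, label."""
        updates = []
        for vrf in self.vrfs.values():
            for prefix in vrf.local_routes:
                updates.append(Vpnv4Route(vrf.rd, prefix, self.loopback,
                                          vrf.export_rts, self._next_label))
                self._next_label += 1
        return updates

    def receive_updates(self, updates):
        """Insert a route into every VRF whose import RTs intersect the route's RTs."""
        for upd in updates:
            for vrf in self.vrfs.values():
                if vrf.import_rts & upd.rts:
                    vrf.table[upd.prefix] = (upd.next_hop, upd.label)


def plain_bgp_table(updates):
    """A plain IPv4 BGP table keeps one route per prefix: the second
    overlapping route silently replaces the first (the PROBLEM on the slide)."""
    table = {}
    for upd in updates:
        table[upd.prefix] = upd
    return table


def vpnv4_table(updates):
    """With the RD prepended, the NLRI of the two overlapping routes differ."""
    return {f"{upd.rd}:{upd.prefix}": upd for upd in updates}


def demo():
    pe1 = PE("192.0.2.1")
    pe1.add_vrf(Vrf("RED", "65000:1", frozenset({"65000:1"}), frozenset({"65000:1"}),
                    local_routes={"10.1.0.0/24": "CE1"}))
    pe1.add_vrf(Vrf("ORANGE", "65000:2", frozenset({"65000:2"}), frozenset({"65000:2"}),
                    local_routes={"10.1.0.0/24": "CE2"}))  # same address as RED
    pe2 = PE("192.0.2.2")
    pe2.add_vrf(Vrf("RED", "65000:1", frozenset({"65000:1"}), frozenset({"65000:1"})))
    pe2.add_vrf(Vrf("ORANGE", "65000:2", frozenset({"65000:2"}), frozenset({"65000:2"})))
    pe2.add_vrf(Vrf("BLUE", "65000:3", frozenset({"65000:3"}), frozenset({"65000:3"})))

    updates = pe1.export_updates()
    pe2.receive_updates(updates)
    return {
        "plain_bgp_entries": len(plain_bgp_table(updates)),  # 1: one route lost
        "vpnv4_entries": len(vpnv4_table(updates)),          # 2: RD keeps both
        "red": pe2.vrfs["RED"].table,
        "orange": pe2.vrfs["ORANGE"].table,
        "blue": pe2.vrfs["BLUE"].table,                      # no matching RT: empty
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The BLUE VRF stays empty because nothing carries its RT; conversely, a mistyped or overly broad import RT on a PE is all it takes for one customer's routes to land in another customer's VRF, so RT configuration is the isolation boundary and deserves the same review discipline as a firewall rule.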
Multi-Protocol BGP
Propagates VPN routing information
Customer routes held in VPN Routing and Forwarding tables
(VRFs)
Only runs on Provider Edge
P routers are not aware of VPNs only labels
PEs are fully meshed
Using Route Reflectors or direct peerings between PE routers
MPLS VPN Protocols
OSPF/IS-IS
Used as IGP provides reachability between all Label
Switch Routers (PE <-> P <-> PE)
TDP/LDP
Distributes label information for IP destinations in core
MP-BGP4
Used to distribute VPN routing information between PEs
RIPv2/BGP/OSPF/EIGRP/IS-IS/Static
Can be used to route between PE and CE
VPN Components
VRF Tables
Hold customer routes at PE
Route-Distinguisher
Allows MP-BGP to distinguish between identical
customer routes that are in different VPNs
Route-Targets
Used to import and export routes between different VRF
tables (creates Intranets and Extranets)
Route-maps
Allows finer granularity and control of importing
exporting routes between VRFs instead of just using
route-target
MPLS VPN Operation
Figure: CE routers attached to PEs across the P core with a route reflector (RR); each PE prepends an RD to its customer routes, advertises VPN labels and RTs through MP-BGP, and each receiving PE checks "= RT?" before importing.
Customer routes are placed into separate VRF tables at each PE
IGP (OSPF, IS-IS) is used to establish reachability to the PE routers (the MP-BGP next hops)
Label Distribution Protocol establishes label mappings for the IGP addresses
CE-PE dynamic routing (or static) populates the VRF routing tables
MP-BGP between PE routers distributes the routes of each VPN
Routes are imported into a VRF if the route-targets match (export = import)
MPLS VPN Label Stack
There are at least two labels when using MPLS-VPN
The first (outer) label is distributed by TDP/LDP
Derived from an IGP route
Corresponds to a PE address (VPN egress point)
PE addresses are the MP-BGP next-hops of VPN routes
The second (inner) label is distributed by MP-BGP
Corresponds to the actual VPN route
Identifies the PE outgoing interface or routing table
Frame layout: L2 Header (e.g. HDLC, PPP, Ethernet) | Label 1 (IGP) | Label 2 (VPN) | L3 Header | Data
MPLS VPN Forwarding
Example
Figure: a packet from a CE crosses PE - P - P - PE to the remote CE. The operations along the path are:
Ingress PE: Push VPN Label (Red Route), then Push IGP Label (Green PE Router)
P router: Swap IGP Label (from LFIB)
Penultimate P router: Pop IGP Label (penultimate hop popping)
Egress PE: Pop VPN Label (Red Route) and forward into the Red VRF
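As an added example that is not from the original slides, here is a Python walk of one packet through the two-label stack along PE1 - P1 - P2 - PE2, using the IGP label chain recoverable from the LFIB figure (50 swapped to 34, then popped at the penultimate hop) and the VPN label 10 from the RED update. The VRF prefixes, the second VPN label, the CE names behind PE2 and the per-prefix label allocation are assumptions made for the example.

```python
# Added example, not code from the original slides: push / swap / PHP pop / pop.
import ipaddress
from dataclasses import dataclass, field

POP = "POP"


@dataclass
class Packet:
    dst: str                                   # customer destination IPv4 address
    labels: list = field(default_factory=list)  # label stack, top of stack last
    trace: list = field(default_factory=list)   # (router, action, stack after action)


# LFIB per P router: incoming label -> (outgoing label, next hop). The IGP labels
# are the ones bound by LDP to the FEC "PE2 loopback" in the LFIB figure.
LFIB = {
    "P1": {50: (34, "P2")},
    "P2": {34: (POP, "PE2")},  # penultimate hop pops the IGP label
}

# PE1: VRF forwarding entries learned through MP-BGP (VPN label + egress PE),
# plus the LDP binding for the egress PE loopback (IGP label + next hop).
PE1_VRF = {
    "RED": {
        "10.1.0.0/24": {"vpn_label": 10, "egress_pe": "PE2"},
        "10.0.0.0/8": {"vpn_label": 11, "egress_pe": "PE2"},  # assumed, less specific
    },
}
PE1_IGP_LABELS = {"PE2": (50, "P1")}

# PE2: the VPN label identifies the VRF and outgoing interface (CE names assumed).
PE2_VPN_LABELS = {10: ("RED", "CE3"), 11: ("RED", "CE4")}


def longest_match(table, dst):
    """Longest-prefix match inside one VRF, as the ingress PE does."""
    addr = ipaddress.ip_address(dst)
    matches = [p for p in table if addr in ipaddress.ip_network(p)]
    if not matches:
        raise LookupError(f"no VRF route for {dst}")
    return table[max(matches, key=lambda p: ipaddress.ip_network(p).prefixlen)]


def pe_ingress(pkt, vrf_name):
    """Ingress PE: push the VPN label first (bottom), then the IGP label (top)."""
    entry = longest_match(PE1_VRF[vrf_name], pkt.dst)
    igp_label, next_hop = PE1_IGP_LABELS[entry["egress_pe"]]
    pkt.labels.append(entry["vpn_label"])
    pkt.labels.append(igp_label)
    pkt.trace.append(("PE1", "push VPN label, push IGP label", list(pkt.labels)))
    return next_hop


def p_forward(router, pkt):
    """P router: look only at the top label; swap it, or pop it at the penultimate hop."""
    top = pkt.labels[-1]
    out, next_hop = LFIB[router][top]
    if out == POP:
        pkt.labels.pop()
        pkt.trace.append((router, "pop IGP label (penultimate hop)", list(pkt.labels)))
    else:
        pkt.labels[-1] = out
        pkt.trace.append((router, f"swap IGP label {top}->{out}", list(pkt.labels)))
    return next_hop


def pe_egress(pkt):
    """Egress PE: the remaining label selects the VRF / outgoing interface."""
    vpn_label = pkt.labels.pop()
    vrf, ce = PE2_VPN_LABELS[vpn_label]
    pkt.trace.append(("PE2", f"pop VPN label {vpn_label} -> VRF {vrf}", list(pkt.labels)))
    return vrf, ce


def forward(dst, vrf="RED"):
    """Walk one packet from PE1 to PE2; returns ((vrf, ce), trace)."""
    pkt = Packet(dst)
    next_hop = pe_ingress(pkt, vrf)
    while next_hop in LFIB:
        next_hop = p_forward(next_hop, pkt)
    return pe_egress(pkt), pkt.trace


if __name__ == "__main__":
    (vrf, ce), trace = forward("10.1.0.7")
    for router, action, stack in trace:
        print(f"{router:4} {action:40} stack={stack}")
    print("delivered to", vrf, ce)
```

Note that no P router ever reads the IP header, and PE2 selects the VRF purely from the label value it receives. That is why a PE must never accept labelled packets on a CE-facing interface: a CE that could send a frame with a VPN label of its choosing would reach another customer's VRF.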
Basic Intranet Full Mesh
Figure: Finance Site 1, Site 2 and Site 3 (VLAN 205) attached to the MPLS Core; each VRF holds the routes (F) of all three sites.
Each site has routes to all other sites (same VPN)
CE can be a router or a switch
MP-BGP VPNv4 updates are propagated between PEs
Routing is optimal in the backbone
No site is used as a central point for connectivity
Basic Extranet Partial Mesh
Figure: Engineering Site A (EA) and Site B (EB), Design Site A (DA) and Site B (DB) across the MPLS Core; the EA and DA VRFs carry their own routes (E, D) plus the imported extranet routes of the other.
Basic Extranet
Routes can be imported directly into the corresponding VRF
NAT may be necessary if the enterprises have overlapping addressing
Import granularity can be very fine
A single host address can be imported as an Extranet route
Branch to HQ Hub and Spoke
Figure: Bank Branch 1, 2 and 3 (spokes S1, S2, S3) and the Central HQ (hub) across the MPLS Core, with BGP/OSPF/RIP PE-CE routing. Spoke VRFs export "Spoke OUT" and import "Hub IN"; the hub VRF imports "Spoke OUT" and exports "Hub IN", so a spoke learns the other branches (S1h, S2h, S3h) and the route X only via the hub. An optional firewall at HQ can NAT to X.
Forces all branches through the Central HQ
Spokes cannot communicate directly
Appropriate security screening can be applied
Firewalls can be used with NAT to ensure the correct return path
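The three topologies above (full-mesh intranet, extranet with a single-host import, hub and spoke) differ only in which route-targets each VRF exports and imports. As an added example that is not from the slides, the following Python model applies those RT policies, with an optional import filter standing in for the import route-map mentioned under VPN Components, and checks which site can reach which. The site names, RT names (E, D, EA, DA, SpokeOUT, HubIN) and prefixes are constructed for the example.

```python
# Added example, not code from the original slides: RT export/import policies
# for intranet, extranet and hub-and-spoke, checked for (two-way) reachability.
from collections import defaultdict


def import_routes(vrfs, import_filters=None):
    """vrfs: name -> {"export": set of RTs, "import": set of RTs, "routes": set of prefixes}.
    Returns name -> set of (origin VRF, prefix) imported into that VRF (remote routes only).
    import_filters: name -> predicate(origin, prefix); models an import route-map that
    narrows what a matching RT lets in."""
    import_filters = import_filters or {}
    # 1. every VRF exports its routes tagged with its export RTs
    exported = []
    for name, v in vrfs.items():
        for prefix in v["routes"]:
            exported.append((name, prefix, frozenset(v["export"])))
    # 2. each VRF imports routes carrying any of its import RTs
    tables = defaultdict(set)
    for name, v in vrfs.items():
        keep = import_filters.get(name, lambda origin, prefix: True)
        for origin, prefix, rts in exported:
            if origin != name and rts & v["import"] and keep(origin, prefix):
                tables[name].add((origin, prefix))
    return dict(tables)


def reachable(tables, src, dst):
    """src has a route to dst AND dst has a return route to src."""
    forward = any(origin == dst for origin, _ in tables.get(src, ()))
    back = any(origin == src for origin, _ in tables.get(dst, ()))
    return forward and back


def intranet_full_mesh():
    rt = {"F"}  # every Finance site exports and imports the same RT
    vrfs = {f"Finance-{i}": {"export": rt, "import": rt, "routes": {f"10.{i}.0.0/16"}}
            for i in (1, 2, 3)}
    return import_routes(vrfs)


def extranet_partial_mesh():
    vrfs = {
        "EA": {"export": {"E", "EA"}, "import": {"E", "DA"}, "routes": {"10.10.0.0/16"}},
        "EB": {"export": {"E"}, "import": {"E"}, "routes": {"10.20.0.0/16"}},
        "DA": {"export": {"D", "DA"}, "import": {"D", "EA"},
               "routes": {"10.30.0.0/16", "10.30.1.5/32"}},
        "DB": {"export": {"D"}, "import": {"D"}, "routes": {"10.40.0.0/16"}},
    }
    # import route-map on EA: from Design A accept only the single host, not the site
    filters = {"EA": lambda origin, prefix: origin != "DA" or prefix == "10.30.1.5/32"}
    return import_routes(vrfs, filters)


def hub_and_spoke():
    spoke = {"export": {"SpokeOUT"}, "import": {"HubIN"}}
    vrfs = {
        "Branch1": {**spoke, "routes": {"10.1.0.0/24"}},
        "Branch2": {**spoke, "routes": {"10.2.0.0/24"}},
        "Branch3": {**spoke, "routes": {"10.3.0.0/24"}},
        # the hub hands the spokes a default (the route X on the slide) with the HubIN RT
        "HQ": {"export": {"HubIN"}, "import": {"SpokeOUT"}, "routes": {"0.0.0.0/0"}},
    }
    return import_routes(vrfs)


if __name__ == "__main__":
    ext = extranet_partial_mesh()
    print("EA -> DA:", reachable(ext, "EA", "DA"), " EB -> DA:", reachable(ext, "EB", "DA"))
    hs = hub_and_spoke()
    print("Branch1 -> Branch2 direct:", reachable(hs, "Branch1", "Branch2"),
          " Branch1 -> HQ:", reachable(hs, "Branch1", "HQ"))
```

Two points the check makes visible: an extranet import is one-directional by RT, so DA must import EA's RT as well or EA's traffic has no return path (the usual mistake); and in the hub-and-spoke case the spokes hold only the hub-advertised default, so spoke-to-spoke traffic exists only through HQ, where the screening on the slide can be applied. In practice the hub PE typically uses two VRFs (or the hub CE re-advertises the spoke routes) so that spoke routes come back tagged HubIN; the default route stands in for that here.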
Per Group Internet Access
Figure: Legal (L), Sales (S) and Marketing (M) VRFs across the MPLS Core with three Internet gateways: Gateway 1 (default D1, Sales and Marketing), Gateway 2 (default D2, Legal/Sales & Marketing backup) and Gateway 3 (default D3, Legal only).
Choose the appropriate Internet Gateway per group requirements
Use other gateways as backup in case of failure
Gateways can provide different service attributes/levels
Speed of access
Type of content accessed
Address translation, if required
VPN with Internet
This example uses a default route only to access the Internet
If customer addresses are RFC 1918 private addresses then NAT must be done
Can be done at the Internet Gateway or at the customer edge
Another model could use a default route pointing to a gateway in
the global table
This assumes that the customer uses registered address
space
Enterprise Disaster Recovery
Figure: Site 1, Site 2 and Site 3 attached to the MPLS Core; the Primary Data Centre is advertised with LOCALPREF=100 and the Backup Data Centre with LOCALPREF=50, and each site VRF carries the data-centre routes (C) from both.
Disaster recovery can be provided to each site in the Enterprise
If the Primary site fails, the Backup site takes over with no intervention
Virtualisation/Mirroring takes place between Primary/Secondary
Carrier Supporting Carrier
Figure: the customer carrier (AS100) has POP 1, POP 2 and POP 3, each with routers P1, P2 and P3 and backbone routes (B); the POPs are interconnected across the provider's MPLS Core through a VRF that imports/exports the customer carrier's IGP routes, and the customer carrier runs its own iBGP sessions between the POPs.
ISP Backup
Figure: two ISPs (AS 17897 and AS 12701, one labelled Tier 3 ISP) are interconnected through VRFs in the MPLS Core. The Internet Gateway (loopback L2) is the primary Internet path and the Backup Gateway (loopback L1) is the backup; the BGP routes from the Internet Gateway (T routes, default D) are carried in the VRF.