l.cittadini, m.cola, g.di battista

Transcription

1 MPLS VPN l.cittadini, m.cola, g.di battista

2 motivations

3 customer s problem a customer (e.g., private company, public administration, etc.) has several geographically distributed sites and would like to connect them into a unique IP network ideally it would like to have wires connecting its sites

4 provider s target a provider owns a network infrastructure with many distributed PoPs (Points of Presence) and would like to exploit it to offer IP level connectivity services to its customers it would like to sell virtual wires (where IP packets can flow) to its customers

5 Customer provider and customers Torino PoP Milano PoP Customer / /4 provider s network / /4 Customer Roma PoP Customer

6 customer s constraints keep the addressing unchanged isolation from different customer's traffic quality of service

7 provider s constraints low configuration and maintenance costs no performance penalties performance in the backbone should only depend performance in the backbone should only depend on traffic, not on the number of supported VPNs or on the number of supported sites

8 vendor s targets sell many routers possibly expensive carrier-grade machines move the focus from old (and already over- sold) ATM & ATM-like technologies to new (and with a growing market) technologies

9 meeting point between customers, providers, and vendors VPN Virtual Private Network: behaves like a physical private network, but it's virtual implemented with MPLS Multi Protocol Label Switching (swapping): highly scalable, protocol-agnostic, data-carrying mechanism

10 MPLS

11 MPLS in a nutshell MPLS vs OSI picture from wikipedia

12 MPLS in a nutshell MPLS packet encapsulates transported packets with an MPLS header, containing one or more labels (label stack) each label stack entry contains 4 fields: label value (0 bits) traffic class field for QoS and ECN -Explicit Congestion Notification ( bits) bottom of stack flag ( bit) ttl (8 bits)

13 Customer Torino PoP /0 Milano PoP /0 Customer / /4 VPN /4 an interconnection scenario AS / /0 VPN /4 Customer Roma PoP Customer

14 CE - customer edge routers Customer Customer Torino PoP Milano PoP / /4 VPN VPN /4 Customer Roma PoP /4 Customer

15 PE provider edge routers Customer Customer Torino PoP Milano PoP / /4 VPN VPN /4 Customer Roma PoP /4 Customer

16 P provider routers Customer Customer Torino PoP Milano PoP / /4 VPN VPN /4 Customer Roma PoP /4 Customer

17 how to checkmate VPNs in three moves: () make PEs reachable each other using IP, () use BGP for announcing customer prefixes, and () use MPLS for tunnels inside the backbone

18 st move IP reachability of the PE s the first thing to do is to assign an IP loopback address to each PE and to ensure IP reachability among PEs in the backbone ignore all the other issues inside backbone use addresses that are not announced outside (e.g. private addresses) loopback addresses are propagated by an IGP OSPF, IS-IS,.

19 loopbacks of PEs Customer / Torino PoP / Milano PoP Customer / /0 AS / /0 Customer Roma PoP / Customer

20 a tempting solution implement VPNs using IP-in-IP tunnels (or similar technologies) between PEs loopbacks drawbacks difficult to configure quadratic number of configurations hence, this solution is discarded

21 nd move use BGP to announce customer prefixes MP-BGP, a variation of BGP, is used each PE establishes an ibgp peering with all other PEs usage of route reflectors for scaling customer s networks are announced within the peerings

22 Customer Torino PoP /0 BGP peerings Milano PoP /0 Customer / /4 VPN /4 hey guys, to reach /4 of Customer and /4 of /0 Customer send traffic to me AS /8 VPN /4 Customer Roma PoP Customer

23 rd move use MPLS for tunnels an IP packet of a customer, coming from a CE, is encapsulated from the PE near to the source into an MPLS packet the PE near to the source sends the packet to the PE (loopback) near to the destination the IP packet traverses the backbone into an MPLS envelope

24 MPLS labels and VPN s two labels are used the internal one denotes the VPN: it is used in a way similar to the VLAN tags of IEEE 80.Q remains unchanged for the entire travel of the packet from origin PE to destination PE the external one is used for label swapping is, in general, changed at each hop of the travel from PE to PE a first pop from the stack is done at the penultimate router

25 how to find a route to loopbacks? who constructs the label-swapping data plane of MPLS? in other words: in which way a P or a PE knows which is the correct path to the target PE (loopback)? LDP Label Distribution Protocol is in charge of this

26 LDP LDP constructs the label switched paths (LSPs) to reach each PE loopback by simply importing this information from the IP data plane remeber st move: the IP data plane knows how remeber st move: the IP data plane knows how to reach loopbacks it has been setup by an IGP

27 terminology and details

28 data-and control-planes to understand how MPLS operates, let s review the mate-in- st move: IP data-plane build IP routing tables(ospf, IS-IS, static ) ensure reachability of PEs loopback interfaces nd move: BGP control-plane ensure that VPN prefixes are distributed among PEs rd move: MPLS data-plane build label switching tables(lfibs) with LDP ensure availability of LSPs(Label Switched Paths) that connecteachpairofpes

29 Customer Torino PoP /0 Milano PoP /0 Customer / /4 VPN /4 move #: IP data-plane / / AS / /0 VPN /4 Customer Roma PoP / Customer

30 move #: IP data-plane / / Torino PoP Milano PoP / /0 AS /8 LER>show ip route Codes: C connected, O OSPF [..] C / Lo0 O / via 80..., GE/0 O / via 80..., GE/0 [..] /0 Roma PoP / Goal: ensure connectivityofpes loopback interfaces

31 move #: IP data-plane / / Torino PoP Milano PoP / /0 AS /8 LSR>show ip route Codes: C connected, O OSPF [..] O / via , GE/0 O / via , GE/0 O / via , GE/0 [..] /0 Roma PoP / Goal: ensure connectivityofpes loopback interfaces

32 move #: IP data-plane / / Torino PoP Milano PoP / /0 AS / /0 OSPF weight: 500 Roma PoP /

33 IP data-plane: observations IP data-planemustensurereachabilityofpes loopback interfaces otherprefixes(e.g., point-to-pointlinks) are useless for MPLS buttheycan beusedforotherpurposes, e.g., network management (telnet, ssh, SNMP, ) anyigp (OSPF, IS-IS) can do the job staticroutescan do the job too, buttheydo not handle network dynamics e.g., link failures

34 Customer Torino PoP /0 Milano PoP /0 Customer / /4 VPN /4 move #: BGP control-plane / / AS / /0 VPN /4 Customer Roma PoP / Customer

35 Customer move #: BGP control-plane / / Torino PoP Milano PoP Customer / /4 VPN AS /8 LER>show ipbgpvpnv4 all Network NextHop LocPrf Route Distinguisher: 00:(VPN) *>i Route Distinguisher: 00:(VPN) *>i VPN /4 Customer Roma PoP / /4 Customer

36 multiple routing tables on PEs PEs need to distinguish each VPN there might be overlapping address space! solution: multiple (virtual) routing tables each customer port on PE is associated with a particular routing table at provisioning time ports on PE could be logical e.g. VLANs

37 Virtual Routing and Forwarding (VRF) VRF - Virtual Routing and Forwarding allows a router to have multiple forwarding tables eachtableiscalleda VRF instance each PE maintains multiple VRF instances one per set of directly attached sites with common VPN membership each VRF instance contains: routes received from directly connected CE s of the sites associated with the VRF instance routes received from other PEs (via BGP)

38 VPN-IP addresses VPN-IP address = Route Distinguisher (RD) + IP address RD = Type + Provider s Autonomous System Number + Assigned Number no two VPNs have the same RD convert non-unique IP addresses into unique VPN-IP addresses avoids conflicts if customers have overlapping address spaces

39 Customer Torino PoP /0 Milano PoP /0 Customer / /4 VPN /4 move #: MPLS data-plane / / AS / /0 VPN /4 Customer Roma PoP / Customer

40 move #: MPLS data-plane / / Torino PoP Milano PoP / /0 AS /8 LER>show mpls forwarding-table In Out Prefix Iface [..] / GE/0 [..] /0 Roma PoP /

41 move #: MPLS data-plane / / Torino PoP Milano PoP /0 AS / /0 Roma PoP / /0 LSR>show mpls forwarding-table In Out Prefix Iface [..] / GE/0 [..]

42 move #: MPLS data-plane / / Torino PoP Milano PoP / /0 AS /8 LSR>show mpls forwarding-table In Out Prefix Iface [..] 0 Pop / GE/0 [..] /0 Roma PoP /

43 label spaces a LSR can receivethe sameincominglabelfrom multiple incoming interfaces whatcan happenin thatcase? forwardingisbasedonlyon the label labels are unique router-wide (out_iface, out_label) = f(in_label) per-platform label space forwardingisbasedon the labeland the interface which received the packet labels may be not unique router-wide (out_iface, out_label) = f(in_iface, in_label) per-interface label space

44 label spaces: which one? whichlabelspaceisused? it depends on the implementation sometimes it also depends on the interface notconfigurable example: Cisco IOS LC-ATM interfaces use per-interface label space other interfaces use per-platform label space example: JunOS AAL5 ATM interfaces use per-interface label space other interfaces use per-platform label space

45 putting it all together a hostofcustomer in Romesendsa packet, destined to (located in Milan) LER receivesthe packetfromce addsa MPLS labeltomarkitasbelongingtovpn LER looksin itsbgp tableforvpn finds next-hop (LER s loopback) LER looksin itslfib for finds label 0, interface GE/0 LER addsanothermpls label(0) and forwards the packet on GE/0

46 Example / / Torino PoP Milano PoP Customer /0 AS / / / /4 VPN /4 Roma PoP / IP Customer

47 Example / / Torino PoP Milano PoP Customer /0 look up VPN::dstaddrin AS 00 BGP table /8 next-hop = LER /0 Roma PoP VPN IP / /4 VPN / / Customer

48 Example / / Torino PoP Milano PoP Customer /0 AS /8 look up in LFIB label= 0 interface = GE/ /0 Roma PoP VPN IP / /4 VPN / / Customer

49 Example / / Torino PoP Milano PoP Customer /0 AS / /0 Roma PoP VPN IP / /4 VPN / / Customer

50 Example / / Torino PoP Milano PoP Customer /0 AS / / /0 VPN IP /4 VPN /4 Roma PoP / Customer

51 Example / / Torino PoP Milano PoP Customer /0 VPN IP AS / / / /4 VPN /4 Roma PoP / Customer

52 Example / / Torino PoP Milano PoP Customer /0 AS / /0 VPN IP / /4 VPN /4 Roma PoP / Customer

53 Example / / Torino PoP Milano PoP IPCustomer /0 AS / / / /4 VPN /4 Roma PoP / Customer

54 MPLS data-plane: observations MPLS data-plane must establish LSPs between PEs loopback interfaces each Label Switching Router (LSR) uses its table to swap the top MPLS labeland forwardthe packet tothe nexthop the penultimaterouter (LSR in the example) popsthe tag thisway the nexthop (PE) willonlyseethe underlying VPN label the PE usesthe VPN labeltodistinguishamong different VPNs

55 does a Route Distinguisher suffice? Route Distinguisher (RD) helps with overlapping address spaces it makes every customer prefix unique it usually indicates the VPN sometimes sites need to be connected with a VPN topology which is not a mesh if RDs were just used to indicate the VPN, this would not be possible

56 complex VPN topologies Considerthisnetwork ellipse=site, rectangle=vpn Torino Milano Roma VPN Bari

57 Route Target MPLS offersa flexibletool: RouteTarget (RT) RT isanextendedcommunity in MP-BGP itcan beusedtoindicate whichroutesshouldbe imported/exported into which VRF instance supports complex VPN topologies common strategy assigna RD foreachsite assigna RT foreachvpn configure PE routers to import routes with specific route targets

58 Route Target -example Route Distinguishers: Torino RD 00: Milano RD 00: Roma RD 00: Bari RD 00:4 Route Targets: VPN => 00:000 VPN => 00:000 VPN => 00:000 Torino Roma VPN Bari Milano

59 Route Target -example PE at Torino ip vrf sitetorino rd 00: route-target import 00:000 route target export 00:000 PE at Roma ip vrf siteroma rd 00: route-target import 00:000 route target export 00:000 route-target import 00:000 route target export 00:000 route-target import 00:000 route target export 00:000 Torino Roma VPN Bari Milano

60 configuration configuring a LSR is straightforward: hostname LSR mpls label protocol ldp interface Loopback0 ip address interface GigabitEthernet/0 ip address mpls ip interface GigabitEthernet/0 ip address mpls ip..... router ospf 0 network area 0

61 configuration configuring a PE router is a bit more tricky main building blocks move#: loopback interface + speak IGP on non- customer ports move #: speak MPLS and LDP on non-customer ports, move #: full mesh of ibgp peerings move #4: map customer ports to VRF instances

62 configuration, step example: LER configuration hostname LER speak IGP (in this example, OSPF) router ospf 0 network area 0 configure loopback interface interface Loopback0 ip address

63 configuration, step use LDP to distribute MPLS labels mpls label protocol ldp speak MPLS on non-customer ports interface GigabitEthernet/0 ip address mpls ip

64 configuration, step setup ibgp peerings with other PEs router bgp 00 neighbor remote-as 00 neighbor update-source Loopback0 neighbor remote-as 00 neighbor update-source Loopback0! address-family vpnv4 neighbor activate neighbor send-community both neighbor activate neighbor send-community both exit-address-family activateisneededforthe vpnv4 address-family, otherwiserouteswon t beexchangedbydefault send-community both is needed to enable standard and extended communities

65 configuration, step 4 map customer ports to VRF instances interface GigabitEthernet/0 ip vrf forwarding VPN ip address interface GigabitEthernet/0 ip vrf forwarding VPN ip address definerdsand RTsforeachVRF instance ip vrf VPN rd 00: route-target export 00:000 route-target import 00:000 ip vrf VPN rd 00: route-target export 00:000 route-target import 00:000

66 configuration, step 4 (continued) announcevpn prefixesin BGP router bgp 00 address-family ipv4 vrf VPN redistribute connected exit-address-family! address-family ipv4 vrf VPN redistribute connected exit-address-family

67 MP-BGP in the wild Route Target LabelStack: advertisesthe VPN label VPN-IP addr

68 summary

69 low configuration and maintenance costs CE - customer edge routers don't need any special configuration; connected to a PE router via IP (e.g. with a point-to-point connection) PE - provider edge routers simple configuration that depends only on the sites of the VPN s that are adjaceny to the PE P provider routers simple configuration that does not depend on the deployed VPN s

70 forwarding efficiency PEs and Ps forward packet only depending on the labels, that, in turn, depend only on the loopbacks of the PEs the forwarding tables in the backbone contain only one entry for each loopback much less than one entry for each customer prefix

71 qos exploit traffic class field for enforcing QoS tos field of packets is encapsulated inside the MPLS envelope and hence is not accessible while the packet is traversing the backbone tos field is copied in the qos bits of MPLS label (named EXP bits) at the PE

72 internet many customers will also require Internet access aswellasvpn access more thanoneway tomakethiswork (rfc464) CE announces0/0tope worksevenifthe customerhasanotherisp forinternet Internet packets are forwarded natively(i.e., no MPLS) PEsleakInternet routesin eachvrf a possible alternative 0/0isassociatedwitha specificrt, VPNsneeding Internet access import it

73 caveats

74 MTU careful with the MTU inside the backbone eachmpls labeltakes4 bytes risk of fragmentation high impact on performance IEEE 80. standard mandates support for one of 500 bytes MTU 504 bytes MTU (Q-tag) 98 bytes MTU ( envelope frame) in practice, itisa matterof implementation hw support nowadaysmostosesdo PMTU discovery, so havinganethernet MTU of49 bytes(allowing MPLS labels) isnota big issue PPPoEalsohasa MTU of49 bytes didyoueverhaveproblems?

75 TTL IP TTL fieldisencapsulatedin anmpls envelope, hence not accessible from LSRs howdo wepreventinfinite loopsin MPLS? recallmpls labelhasitsownttl field whenthe PE encapsulatesthe IP packet, itcopiesthe TTL valuein the newlyaddedmpls label LSRsdecrementthe TTL in the label whenthe labelispopped, the TTL iscopiedontothe next label whenthe bottom-of-stacklabelispopped, the TTL is copiedontothe IP field