MULTIPROTOCOL LABEL SWITCHING (MPLS) AND MPLS VPNS
Autumn 2010
philip.heimer@hh.se
How Routers Forward Packets
Process switching: hardly ever used today. The router looks inside the packet at the IP address and compares it to its routing table to see what the next-hop IP address is, eventually performing an ARP lookup.
Fast switching: the first packet is process switched; chances are big that more packets will go to the same destination, so the most recent destinations are entered in a cache. The router won't have to look at the routing table, combining IP with MAC, for the subsequent packets. Had some drawbacks: it didn't support per-packet load sharing (which requires multiple cache entries).
Topology-driven switching, Cisco Express Forwarding (CEF): eliminates the first-packet problem. Prebuilds the cache by making a copy of the routing table and creating the FIB (Forwarding Information Base), moving all routes into the cache. Also creates an adjacency table that premaps all next hops; the MAC addresses are added to this table by consulting the ARP cache. Adds the feature of per-packet load sharing.
(Figure: packet layout DATA | PR | IP | MAC)
CEF Switching Overview
MPLS: What is Multiprotocol Label Switching?
CEF is the fundamental switching path for MPLS. Without CEF, MPLS forwarding does not occur. MPLS forwarding relies heavily on the IP routing table and the CEF architecture. Therefore, MPLS VPN relies on CEF, because MPLS VPN depends on MPLS for successful operation.
MPLS is a switching mechanism that assigns labels, or numbers, to packets and then uses those labels to forward packets. The labels are assigned at the edge of the MPLS network, and forwarding inside the MPLS network is based solely on labels. The content of the label may vary: destination network, level of Quality of Service.
The Label Distribution Protocol (LDP) is often used to establish MPLS and handle the labels. Tag Distribution Protocol (TDP) is a Cisco proprietary protocol managing the same thing. Its forwarding decisions are based on layer-2 labels.
The Label
(Figure: frame layout DATA | PR | IP | L2 | L1 | MAC (L2); the labels L2 and L1 sit between the IP header and the MAC header.)
Label stack entry, 32 bits: LABEL | EXP | BS | TTL
MPLS Example
Steps: exchanging routes, assigning labels, sharing labels, building tables.
(Figure: Router A, non-MPLS, connects to an MPLS domain that reaches Router B, non-MPLS, behind which lies 20.0.0.0/8. The domain may be running IS-IS, BGP, OSPF etc. Label binding shown: 20.0.0.0 = 25.)
MPLS Example - Z-router
Z Routing Table
  Network     Next Hop
  20.0.0.0    Y
Z LIB
  Network     LSR     Label
  20.0.0.0    Local   35
  20.0.0.0    Y       30
Z LFIB
  Label   Action   Next hop
  35      30       Y
(Figure: MPLS domain with Routers X, Z and Y between Router A and Router B; 20.0.0.0/8 lies behind B. Label bindings for 20.0.0.0 shown along the path: 30, 35, 25 and 45.)
Tables
Routing Table
  Network     Next Hop
  20.0.0.0    Y
  15.0.0.0    H
  16.0.0.0    O
Label Information Base (LIB)
  Network     LSR     Label
  20.0.0.0    Local   35
  20.0.0.0    Y       30
  15.0.0.0    Local   36
  15.0.0.0    Y       12
Label Forwarding Information Base (LFIB)
  Label   Action     Next hop
  35      30         Y
  40      untagged   Y
  50      pop        B
Forwarding Information Base (FIB)
  Network     Next Hop   Label
  20.0.0.0    Y          -
  15.0.0.0    H          -
  16.0.0.0    O          -
LIB, FIB, LFIB... FBI? Confused? ;-)
LIB, Label Information Base: whenever a labeled packet comes, this table will be referred to.
FIB, Forwarding Information Base: whenever a non-labeled packet comes, this table will be referred to.
LFIB, Label Forwarding Information Base: any route in the LFIB will also be in the LIB, but not the other way around.
(The FIB, along with the adjacency table, is what comprises CEF.)
Functions of Label Switching Routers (LSRs)
Control plane: controls the routing information exchange and the label exchange between adjacent devices. Exchanges routing information via normal routing protocols and label information using the Label Distribution Protocol (LDP). Sets up the framework for how everything is going to be forwarded.
Data plane, where the action occurs: also known as the forwarding plane, it controls forwarding based on either destination addresses or labels (L3 or L2 information). The router becomes almost like a switch. If there is no label, it works as normal (CEF). Takes care of label swapping, i.e. replacing labels.
Control Plane Components Example
Label Switching Routers
(Figure: packet path Edge LSR - LSR - LSR - Edge LSR. Outside the MPLS domain the packet carries IP header + L2 header; inside it carries IP header + MPLS header + L2 header.)
LSR: forwarding packets. Edge LSR: primarily labels packets or removes the labels.
Core router: primary purpose is to switch labels.
Edge LSR
MPLS Terminology
MPLS: Multiprotocol Label Switching
LDP: Label Distribution Protocol
LSR: Label Switching Router
LSP: Label Switch Path
Penultimate Hop Popping
Y LFIB
  Label   Action   Next hop
  20      Pop      Z
(Figure: 15.0.0.0 lies behind Z. Binding sent from Z to Y: 15.0.0.0 = pop. Y's own binding: 15.0.0.0 = 20.)
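The following Python model is added here and is not part of the course slides. It puts the pieces from the preceding slides together in one LSR data plane: the 32-bit label stack entry from "The Label" (field widths 20/3/1/8 bits as in RFC 3032), a CEF FIB with longest-prefix match plus an adjacency table for unlabeled packets, and an LFIB with the swap, untagged and pop actions from the Z and Y tables, including the penultimate-hop pop of label 20 toward Z. The FIB prefixes and LFIB entries are the slides' own; the MAC addresses in the adjacency table and the sample packets are constructed.

```python
import struct
import ipaddress

# --- MPLS label stack entry: 32 bits = label (20) | EXP (3) | bottom-of-stack S (1) | TTL (8) ---
def encode_lse(label, exp=0, bottom=True, ttl=255):
    """Pack one label stack entry (the LABEL | EXP | BS | TTL word from the slides)."""
    return struct.pack("!I", (label << 12) | (exp << 9) | (int(bottom) << 8) | ttl)

def decode_lse(data):
    """Unpack the first 4 bytes of data as a label stack entry."""
    (word,) = struct.unpack("!I", data[:4])
    return {"label": word >> 12, "exp": (word >> 9) & 0x7,
            "bottom": bool((word >> 8) & 1), "ttl": word & 0xFF}

def split_stack(frame):
    """Return (entries, payload): every entry down to the bottom-of-stack bit, then the IP packet."""
    entries, off = [], 0
    while True:
        lse = decode_lse(frame[off:off + 4])
        entries.append(lse)
        off += 4
        if lse["bottom"]:
            return entries, frame[off:]

def ipv4_packet(src, dst, payload=b""):
    """Constructed IPv4 packet: 20-byte header, no options, checksum left at zero."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload

# --- CEF: FIB copied from the slides' routing table (prefix -> next hop) ---
FIB = {
    ipaddress.ip_network("20.0.0.0/8"): "Y",
    ipaddress.ip_network("15.0.0.0/8"): "H",
    ipaddress.ip_network("16.0.0.0/8"): "O",
}
# Adjacency table: next hop -> MAC, prebuilt from the ARP cache (constructed addresses)
ADJACENCY = {"Y": "02:00:00:00:00:59", "H": "02:00:00:00:00:48", "O": "02:00:00:00:00:4f",
             "B": "02:00:00:00:00:42", "Z": "02:00:00:00:00:5a"}

def fib_lookup(dst):
    """Longest-prefix match in the FIB, then resolve the next hop's MAC via the adjacency table."""
    addr = ipaddress.ip_address(dst)
    candidates = [net for net in FIB if addr in net]
    if not candidates:
        return None
    best = max(candidates, key=lambda net: net.prefixlen)
    next_hop = FIB[best]
    return {"prefix": str(best), "next_hop": next_hop, "mac": ADJACENCY[next_hop]}

# --- LFIB from the slides: incoming label -> (action, outgoing label, next hop) ---
LFIB = {
    35: ("swap", 30, "Y"),        # Z learned 20.0.0.0 with label 30 from Y
    40: ("untagged", None, "Y"),  # next hop has no label binding: forward as plain IP
    50: ("pop", None, "B"),       # B is non-MPLS: remove the label
    20: ("pop", None, "Z"),       # penultimate hop popping for 15.0.0.0 (Y's LFIB)
}

def lsr_forward(frame, labeled):
    """One LSR's data plane: unlabeled packets use the FIB, labeled packets use the LFIB."""
    if not labeled:
        entry = fib_lookup(ipaddress.IPv4Address(frame[16:20]))
        return None if entry is None else {"via": "FIB", "action": "route", "frame": frame, **entry}
    entries, payload = split_stack(frame)
    top = entries[0]
    if top["label"] not in LFIB:
        return {"via": "LFIB", "action": "drop", "reason": "no LFIB entry"}
    action, out_label, next_hop = LFIB[top["label"]]
    ttl = top["ttl"] - 1
    if ttl <= 0:
        return {"via": "LFIB", "action": "drop", "reason": "TTL expired"}
    result = {"via": "LFIB", "action": action, "next_hop": next_hop, "mac": ADJACENCY[next_hop]}
    if action == "swap":
        result["frame"] = encode_lse(out_label, top["exp"], top["bottom"], ttl) + frame[4:]
    elif action == "pop":
        # Remove only the top entry. A remaining label inherits the decremented TTL; an IP
        # payload is forwarded as-is (TTL propagation into the IP header is not modelled).
        rest = frame[4:]
        if len(entries) > 1:
            nxt = entries[1]
            rest = encode_lse(nxt["label"], nxt["exp"], nxt["bottom"], ttl) + rest[4:]
        result["frame"] = rest
    else:  # "untagged": strip the whole stack and send the IP packet to the LFIB's next hop
        result["frame"] = payload
    return result
```

Feeding the same IP packet through `lsr_forward` once unlabeled and once behind label 35 shows the split the "Confused?" slide describes: the unlabeled packet is routed by prefix through the FIB and adjacency table, the labeled one never touches the IP header and is swapped 35 to 30 toward Y, and label 20 is popped so that Z receives plain IP.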
Configuring Frame Mode MPLS
MPLS VPNS
Two traditional categories of VPNs
Overlay VPNs: links / virtual circuits. Point-to-point circuits between customer sites, virtual links at layer 1 or 2. Becomes expensive to buy virtual circuits for many sites.
Peer-to-peer VPNs: the service provider becomes a part of your network, managing routing between parts of the organization, bringing our tables into theirs. Private addresses from different customers will be a problem (no NAT): customers will sometimes be using the same private addresses.
(Figure: ISP)
MPLS VPNs - overview
The provider forwards routes between the sites. Virtual Routing and Forwarding (VRF) allows you to run separate routing tables and forwarding tables per customer. It eliminates the problem of using the same address space, since VRFs make the customers look like different routing tables.
PE routers, Provider Edge, act like Edge LSRs. P routers do the core business and won't see any customer routes.
Routing information packets are encapsulated using tags, performed by the PE routers. Customer one may be tagged with a 1. PE routers remove the tags and propagate the routes out to customer 1. P routers only forward those packets.
Route Distinguisher (tag) and Route Target
Route Distinguisher (RD): a 64-bit tag that identifies customer route advertisements. May be any number the service provider chooses to use. Keeps customer routes unique.
Route Target (RT): an additional field that allows customers to participate in multiple VPNs. VRFs use the route target attribute to control the import and export of VPNv4 routes through iBGP. The route target is an extended BGP community that indicates which routes should be imported from MP-BGP into the VRF.
The problem with overlapping customer addresses
BGP/MPLS VPN supports a mechanism that converts non-unique IP addresses into globally unique addresses by combining the use of the VPN-IPv4 address family with the deployment of Multiprotocol Extensions for BGP (MP-BGP).
VPN-IPv4
A VPN-IPv4 address is a 12-byte quantity composed of an 8-byte Route Distinguisher (RD) followed by a 4-byte IPv4 address prefix.
Example:
  RD    AS (SP)   Assigned number   Prefix
  RD1   1111      1                 10.0.0.0
  RD2   1111      2                 10.0.0.0
Multiprotocol BGP Extensions (MP-BGP)
Conventional BGP4 was originally designed to carry routing information only for the IPv4 address family. Realizing this limitation, the IETF is standardizing the Multiprotocol Extensions for BGP4. The extensions allow BGP4 to carry routing information for multiple network-layer protocols such as IPv6, IPX, VPN-IPv4 etc.
BGP/MPLS VPN can use up to three different types of BGP extended community attributes:
The route target attribute identifies a collection of sites (VRFs) to which a PE router distributes routes. A PE router uses this attribute to constrain the import of remote routes into its VRFs.
The VPN-of-origin attribute.
The site-of-origin attribute.
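As an added example, not taken from the slides, the following Python models the three slides above: a type-0 Route Distinguisher built from the slide's AS 1111 and an assigned number, the 12-byte VPN-IPv4 address (RD followed by prefix) that keeps the two customers' overlapping 10.0.0.0/8 routes distinct in MP-BGP, and the Route Target extended community that decides which VPNv4 routes a PE imports into which VRF. The wire formats of the RD and the RT follow RFC 4364 and RFC 4360; the VRF names, the RT values 1111:1 and 1111:2, the PE and CE names and the shared-services VRF that imports both route targets are constructed.

```python
import struct
import ipaddress

SP_AS = 1111  # the service provider's AS number from the slide's example

def route_distinguisher(asn, assigned):
    """Type-0 RD: 2-byte type (0), 2-byte AS number, 4-byte assigned number = 8 bytes."""
    return struct.pack("!HHI", 0, asn, assigned)

def rd_to_str(rd):
    """Render a type-0 RD in the usual AS:number notation."""
    _type, asn, assigned = struct.unpack("!HHI", rd)
    return f"{asn}:{assigned}"

def vpnv4_address(rd, prefix):
    """12-byte VPN-IPv4 address: 8-byte RD followed by the 4-byte IPv4 prefix."""
    net = ipaddress.ip_network(prefix)
    return rd + net.network_address.packed

def route_target(asn, assigned):
    """Route Target extended community (two-octet AS specific: type 0x00, subtype 0x02): 8 bytes."""
    return struct.pack("!BBHI", 0x00, 0x02, asn, assigned)

class Vrf:
    """One customer routing table on a PE, with its RD and its import/export route targets."""
    def __init__(self, name, rd, export_rts, import_rts):
        self.name, self.rd = name, rd
        self.export_rts, self.import_rts = set(export_rts), set(import_rts)
        self.routes = {}  # prefix -> next hop, as learned from the CE

def export_to_mpbgp(vrf, pe_address):
    """Turn each VRF route into a VPNv4 route: the key is RD + prefix, tagged with the export RTs."""
    return [{"vpnv4": vpnv4_address(vrf.rd, prefix), "prefix": prefix, "next_hop": pe_address,
             "rts": frozenset(vrf.export_rts)} for prefix in vrf.routes]

def import_from_mpbgp(vrf, vpnv4_routes):
    """Install into the VRF only the routes carrying at least one of its import RTs."""
    imported = {}
    for route in vpnv4_routes:
        if route["rts"] & vrf.import_rts:
            imported[(rd_to_str(route["vpnv4"][:8]), route["prefix"])] = route["next_hop"]
    return imported

def demo():
    rt_a, rt_b = route_target(SP_AS, 1), route_target(SP_AS, 2)
    # Ingress PE (constructed): two customers, both using 10.0.0.0/8 as on the slides
    cust_a = Vrf("CUST_A", route_distinguisher(SP_AS, 1), [rt_a], [rt_a])
    cust_b = Vrf("CUST_B", route_distinguisher(SP_AS, 2), [rt_b], [rt_b])
    cust_a.routes["10.0.0.0/8"] = "CE-A"
    cust_b.routes["10.0.0.0/8"] = "CE-B"
    mpbgp_table = export_to_mpbgp(cust_a, "PE1") + export_to_mpbgp(cust_b, "PE1")
    # Egress PE (constructed): customer A's VRF, plus a shared-services VRF importing both RTs
    remote_a = Vrf("CUST_A", route_distinguisher(SP_AS, 1), [rt_a], [rt_a])
    shared = Vrf("SHARED", route_distinguisher(SP_AS, 100), [], [rt_a, rt_b])
    return {
        "vpnv4_keys": [rd_to_str(r["vpnv4"][:8]) + ":" + r["prefix"] for r in mpbgp_table],
        "distinct": len({r["vpnv4"] for r in mpbgp_table}),
        "cust_a_import": import_from_mpbgp(remote_a, mpbgp_table),
        "shared_import": import_from_mpbgp(shared, mpbgp_table),
    }
```

The two 10.0.0.0/8 routes survive side by side in the MP-BGP table only because their 12-byte VPNv4 keys differ in the RD; which of them lands in a given VRF is decided by the route targets alone, which is why an import filter that is too wide leaks one customer's routes into another customer's table.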
The MPLS part
CE routers should not be MPLS VPN-aware; they should run standard IP routing software. PE routers must support MPLS VPN services and traditional Internet services. To make the MPLS VPN solution scalable, P routers must not carry VPN routes.
(Figure: Customer running EIGRP - PE - Multiprotocol BGP within the SP carrying RD and RT - P routers running MPLS - PE - Customer.)
The MPLS part
The top label in the stack is the LDP label for normal frame forwarding in the MPLS network. This label guarantees that the packet will traverse the MPLS VPN backbone and arrive at the egress PE router.
The second label in the stack identifies the egress PE router. This label tells the router how to forward the incoming VPN packet. The second label can point directly toward an outgoing interface; in this case, the egress PE router performs a label lookup only on the VPN packet. The second label can also point to a VRF table; in this case, the egress PE router first performs a label lookup to find the target VRF table and then performs an IP lookup within the VRF table.
When you are implementing MPLS VPN, you need to increase the MTU size to allow for two labels.
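An added Python example (not from the slides) for the two-label stack and the MTU point: the ingress PE pushes the VPN label and then the LDP label on top, each 4 bytes, so a 1500-byte IP packet becomes a 1508-byte labeled frame and the MPLS MTU has to allow for it; after penultimate hop popping the egress PE sees only the VPN label, which either names the outgoing interface directly (one label lookup) or selects a VRF in which the IP destination is then looked up (label lookup plus IP lookup). Labels 30, 100 and 101, the interface names, the CUST_A VRF and its prefixes, and the sample packets are constructed.

```python
import struct
import ipaddress

def encode_lse(label, bottom, ttl=255, exp=0):
    """32-bit label stack entry: label (20) | EXP (3) | bottom-of-stack (1) | TTL (8)."""
    return struct.pack("!I", (label << 12) | (exp << 9) | (int(bottom) << 8) | ttl)

def decode_lse(data):
    """Unpack the top label stack entry of a labeled frame."""
    (word,) = struct.unpack("!I", data[:4])
    return {"label": word >> 12, "bottom": bool((word >> 8) & 1), "ttl": word & 0xFF}

def labeled_size(ip_len, labels=2):
    """Frame size after pushing the label stack: 4 bytes per label on top of the IP packet."""
    return ip_len + 4 * labels

def ingress_push(ip_packet, ldp_label, vpn_label, mpls_mtu):
    """Ingress PE: VPN label at the bottom, LDP label on top. Refuses frames the core MTU cannot carry."""
    frame = encode_lse(ldp_label, bottom=False) + encode_lse(vpn_label, bottom=True) + ip_packet
    if len(frame) > mpls_mtu:
        raise ValueError(f"{len(frame)}-byte labeled frame exceeds MPLS MTU {mpls_mtu}")
    return frame

# Egress PE's VPN-label table (constructed): label -> outgoing interface, or -> VRF for an IP lookup
VPN_LABELS = {
    100: ("interface", "Gi0/1"),  # one lookup: the label alone decides the outgoing interface
    101: ("vrf", "CUST_A"),       # the label selects the VRF; the IP destination is looked up in it
}
VRF_FIB = {"CUST_A": {ipaddress.ip_network("10.1.0.0/16"): "Gi0/2",
                      ipaddress.ip_network("10.0.0.0/8"): "Gi0/3"}}

def egress_dispose(frame):
    """Egress PE after penultimate hop popping: the LDP label is gone, the VPN label is on top."""
    vpn = decode_lse(frame)
    if not vpn["bottom"]:
        return {"action": "drop", "reason": "expected a single (VPN) label after PHP"}
    ip_packet = frame[4:]
    kind, target = VPN_LABELS.get(vpn["label"], (None, None))
    if kind is None:
        return {"action": "drop", "reason": "unknown VPN label"}
    if kind == "interface":
        return {"action": "forward", "lookups": ["label"], "interface": target}
    dst = ipaddress.IPv4Address(ip_packet[16:20])  # IPv4 destination field
    matches = [net for net in VRF_FIB[target] if dst in net]
    if not matches:
        return {"action": "drop", "reason": f"no route to {dst} in VRF {target}"}
    best = max(matches, key=lambda net: net.prefixlen)  # longest-prefix match inside the VRF
    return {"action": "forward", "lookups": ["label", "ip"], "vrf": target,
            "interface": VRF_FIB[target][best]}

def sample_ip_packet(dst, payload_len):
    """Constructed IPv4 packet: 20-byte header (checksum 0) carrying payload_len zero bytes."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, 17, 0,
                      ipaddress.IPv4Address("192.168.1.10").packed, ipaddress.IPv4Address(dst).packed)
    return hdr + bytes(payload_len)
```

Running `ingress_push` on a 1500-byte packet against an MPLS MTU of 1500 fails, while 1508 accepts it; stripping the top label (the P router's PHP) and handing the rest to `egress_dispose` shows the single-lookup path for label 100 and the label-plus-IP path for label 101.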
MPLS Virtual Private Networks
Connectionless service. Centralized service (group of VPN users). Allowing multicast. QoS. Telephony support within a VPN. Security. Easy to create. Flexible addressing.
BGP/MPLS and IPSec VPNs compared
Data confidentiality: IPSec VPNs provide data confidentiality through robust encryption algorithms. BGP/MPLS VPNs seek to ensure data confidentiality by defining a single path between physical sites on a service provider network. This prevents attackers from accessing transmitted data unless they place sniffers on the service provider network. Though BGP/MPLS minimizes the chance that data may be intercepted, IPSec provides better data confidentiality through encryption. A third option is to use IPSec over BGP/MPLS VPNs, which would certainly provide a very high degree of data confidentiality.
Recommended reading Metro Ethernet by Sam Halabi
Lab 4.2: MPLS VPN, GNS3 7200 routers