Introduction to MPLS VPN

MPLS VPN, or MPLS Virtual Private Networks, is the most popular and widespread implementation of MPLS technology. Many service providers that have run MPLS VPN for years are now looking at interconnecting their network to the MPLS VPN networks of other service providers to improve the scalability and ease of operation of their network. This is where Inter-Autonomous MPLS VPN and Carrier’s Carrier (CsC) come into the picture.

Before reading this article, make sure you are familiar with “Peer-to-Peer VPN Model Versus Overlay VPN Model” and “Optimal Traffic Flow” concepts.

Architectural Overview of MPLS VPN

To build an MPLS VPN, you need a few basic building blocks on the PE routers: the VRF, the route distinguisher (RD), route targets (RT), route propagation through MP-BGP, and the forwarding of labeled packets.

Virtual Routing Forwarding (VRF)

A virtual routing/forwarding (VRF) instance is a VPN routing and forwarding instance: the combination of a VPN routing table, the matching VRF Cisco Express Forwarding (CEF) table, and the IP routing protocols that feed that table on the PE router. A PE router has one VRF instance for each attached VPN. The figure below shows that a PE router holds the global IP routing table plus a separate VRF routing table for every VPN connected to it.

VRFs on a PE Router

Because routing must be separate and private for each customer (VPN) on a PE router, each VPN gets its own routing table, called the VRF routing table. An interface on the PE router toward a CE router can belong to only one VRF, so every IP packet received on that interface is unambiguously identified as belonging to that VRF. The destination address in the packet plays no part in choosing the table; the ingress interface alone decides, which is what keeps one customer from reaching into another customer's table by sending traffic for the other customer's addresses.

Because there is a separate routing table per VPN, there is a separate CEF table per VPN to forward these packets on the PE router. This is the VRF CEF table. As with the global routing table and the global CEF table, the VRF CEF table is derived from the VRF routing table. You create the VRF on the PE router with the ip vrf command. You use the ip vrf forwarding command to assign PE-CE interfaces on the PE router to a VRF.

You can assign an interface to only one VRF, but you can assign several interfaces to the same VRF. The PE router creates the VRF routing table and CEF table when the VRF is defined. If a single physical link must carry traffic for more than one VRF, configure subinterfaces (for example, 802.1Q VLAN subinterfaces) on both the CE and PE routers and assign each subinterface to a different VRF.

Route Distinguisher (RD)

The VPN prefixes are propagated across the MPLS VPN network by Multiprotocol BGP (MP-BGP). The problem is that the IPv4 prefixes BGP carries across the service provider network must be unique, and customers routinely use overlapping (typically RFC 1918) address space. If two customers advertised the same prefix, BGP would treat them as one route and forward traffic to the wrong customer. The RD was conceived to solve this by making the IPv4 prefixes unique.

An RD is a 64-bit field used to make the VRF prefixes unique when MP-BGP carries them. The RD does not indicate which VRF the prefix belongs to. The function of the RD is not that of a VPN identifier, because some more complex VPN scenarios might require more than one RD per VPN. Each VRF instance on the PE router must have one RD assigned to it.

This 64-bit value has two common formats: ASN:nn or IP-address:nn, where nn represents a number (a third format, a 4-byte ASN followed by a 16-bit number, also exists). The most commonly used format is ASN:nn, where ASN stands for autonomous system number. Usually, the service provider uses ASN:nn, where ASN is the autonomous system number that the Internet Assigned Numbers Authority (IANA) assigns to the service provider and nn is a number that the service provider uniquely assigns to the VRF.

The combination of the RD with the IPv4 prefix produces a vpnv4 prefix whose address is 96 bits long. The mask is still 32 bits long, just as it is for an IPv4 prefix, because it applies only to the IPv4 part; the RD is always fully significant. If you take an IPv4 prefix and an RD of 1:1, the vpnv4 prefix is the RD prepended to the prefix, written as 1:1: followed by the IPv4 prefix and its mask length.
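The following is an added example, not code from the original article: it encodes the three RD formats into the 8-byte field (type 0 ASN:nn, type 1 IP-address:nn and type 2 four-byte ASN:nn, as numbered in RFC 4364) and prepends the RD to an IPv4 prefix to form the 96-bit vpnv4 prefix. The sample prefix 10.1.1.0/24 and the RDs 1:1 and 1:2 are this example's own constructed values.

```python
"""
Added example (not from the original article): build the 96-bit vpnv4 prefix
from a 64-bit route distinguisher and an IPv4 prefix. RD type codes follow
RFC 4364 section 4.2; sample values below are constructed for illustration.
"""
import ipaddress
import struct
from typing import Dict, Tuple

RD_TYPE_ASN2 = 0   # 2-byte ASN : 4-byte assigned number
RD_TYPE_IPV4 = 1   # 4-byte IPv4 address : 2-byte assigned number
RD_TYPE_ASN4 = 2   # 4-byte ASN : 2-byte assigned number


def encode_rd(rd: str) -> bytes:
    """Encode an 'ASN:nn' or 'A.B.C.D:nn' string as the 8-byte RD field."""
    admin, _, assigned = rd.rpartition(":")
    num = int(assigned)
    if "." in admin:                                  # IP-address:nn -> type 1
        if not 0 <= num <= 0xFFFF:
            raise ValueError("type 1 RD assigned number must fit in 16 bits")
        return struct.pack("!HIH", RD_TYPE_IPV4, int(ipaddress.IPv4Address(admin)), num)
    asn = int(admin)
    if asn <= 0xFFFF:                                 # 2-byte ASN:nn -> type 0
        if not 0 <= num <= 0xFFFFFFFF:
            raise ValueError("type 0 RD assigned number must fit in 32 bits")
        return struct.pack("!HHI", RD_TYPE_ASN2, asn, num)
    if not 0 <= num <= 0xFFFF:                        # 4-byte ASN:nn -> type 2
        raise ValueError("type 2 RD assigned number must fit in 16 bits")
    return struct.pack("!HIH", RD_TYPE_ASN4, asn, num)


def decode_rd(raw: bytes) -> str:
    """Inverse of encode_rd: render the 8-byte field back as text."""
    if len(raw) != 8:
        raise ValueError("an RD is exactly 8 bytes")
    rd_type = struct.unpack("!H", raw[:2])[0]
    if rd_type == RD_TYPE_ASN2:
        asn, num = struct.unpack("!HI", raw[2:])
        return f"{asn}:{num}"
    if rd_type == RD_TYPE_IPV4:
        ip, num = struct.unpack("!IH", raw[2:])
        return f"{ipaddress.IPv4Address(ip)}:{num}"
    if rd_type == RD_TYPE_ASN4:
        asn, num = struct.unpack("!IH", raw[2:])
        return f"{asn}:{num}"
    raise ValueError(f"unknown RD type {rd_type}")


def vpnv4_prefix(rd: str, ipv4_prefix: str) -> Tuple[bytes, int, str]:
    """Return (12-byte RD+address, mask length, printable form) for a vpnv4 prefix.
    The RD is fully significant; the mask length applies only to the IPv4 part
    (on the wire the NLRI length field also counts the RD, but that is encoding)."""
    net = ipaddress.IPv4Network(ipv4_prefix, strict=True)
    raw = encode_rd(rd) + net.network_address.packed   # 8 + 4 bytes = 96 bits
    return raw, net.prefixlen, f"{decode_rd(raw[:8])}:{net.with_prefixlen}"


def overlapping_customers_demo() -> Dict[str, object]:
    """Two customers using the same 10.1.1.0/24 become distinct vpnv4 prefixes
    only because their RDs differ. Constructed sample values."""
    cust_one = vpnv4_prefix("1:1", "10.1.1.0/24")
    cust_two = vpnv4_prefix("1:2", "10.1.1.0/24")
    return {"cust_one": cust_one[2], "cust_two": cust_two[2],
            "distinct_in_bgp": cust_one[0] != cust_two[0]}


if __name__ == "__main__":
    print(overlapping_customers_demo())
```

The RD makes the two routes distinct inside BGP; it says nothing about which VRF may use them. Isolation between customers comes from VRF membership and the route targets described next, so never treat a shared or guessed RD value as a security boundary.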

Route Targets (RT)

If RDs were just used to indicate the VPN, communication between sites of different VPNs would be problematic. A site of Company A would not be able to talk to a site of Company B because the RDs would not match. The concept of having sites of Company A being able to talk to sites of Company B is called extranet VPN. The communication between sites is controlled by another MPLS VPN feature called RTs.

An RT is a BGP extended community that indicates which routes should be imported from MP-BGP into the VRF. Exporting an RT means that the exported vpnv4 route receives an additional BGP extended community, the RT, as configured under ip vrf on the PE router, when the route is redistributed from the VRF routing table into MP-BGP.

Importing an RT means that the received vpnv4 route from MP-BGP is checked for a matching extended community—this is the route target—with the ones in the configuration. If the result is a match, the prefix is put into the VRF routing table as an IPv4 route. If a match does not occur, the prefix is rejected. The command to configure RTs for a VRF is route-target {import | export | both} route-target-extcommunity. The keyword both indicates both import and export.

The figure below shows that the RTs control which routes are imported into which VRFs from the remote PE routers, and with which RTs the vpnv4 routes are exported toward the remote PE routers. More than one RT might be attached to a vpnv4 route. For the import into the VRF to be permitted, only one RT on the vpnv4 route needs to match one of the import RTs configured under the ip vrf section on the PE router.

When configuring a VRF whose sites all belong to one VPN and need no communication with sites of any other VPN, you just need to configure one RT to be imported and exported on all the PE routers that have a site belonging to that VRF. This is the simple case of an intranet. When sites belonging to one VPN need to communicate with sites of another VPN (the extranet case), pay attention to configuring the RTs correctly. The figure below shows a sample network with its RTs.

Obviously, Site A and Site B of VRF cust-one should be able to communicate with each other. The same holds true for Sites A and B of VRF cust-two. The RT that VPN cust-one uses is 1:1; the RT that VPN cust-two uses is 1:2. Now imagine that only Site A of VRF cust-one needs to talk to only Site A of VRF cust-two. This is perfectly possible and is determined by configuring the RTs accordingly: the RT 100:1 is imported and exported for Site A of VRF cust-one and Site A of VRF cust-two on PE1 and PE2, while the VRFs serving the Site B locations keep only their own RT. This is called an extranet. Because a single matching RT is enough for a route to be imported, one stray route-target both statement on the wrong VRF is all it takes to merge two customers' routing, so audit the import and export RTs of every VRF whenever an extranet is added.
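The following is an added example, not code from the original article or from a vendor: it models the VRF definitions (ip vrf, rd, route-target) described above and replays the extranet scenario to show which prefixes land in which VRF table. The placement of sites (cust-one Site A and cust-two Site B on PE1, cust-one Site B and cust-two Site A on PE2), the site prefixes, and the equivalent IOS configuration in the comments are this example's own assumptions; the RTs 1:1, 1:2 and 100:1 are the ones from the text. The audit function at the end lists every VRF pair whose RTs let routes cross customer boundaries, which is the check a practitioner wants after any RT change.

```python
"""
Added example (not from the original article): a model of RT export and import
across two PE routers for the intranet/extranet scenario in the text.
PE names, site prefixes and site placement are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Vpnv4Route:
    rd: str                  # route distinguisher prepended by the exporting PE
    prefix: str              # customer IPv4 prefix
    rts: FrozenSet[str]      # route-target extended communities attached on export
    origin: str              # "PE/vrf" that redistributed the route into MP-BGP


@dataclass
class Vrf:
    """One 'ip vrf <name>' block on a PE: rd, import/export RTs, CE-learned prefixes."""
    name: str
    rd: str
    export_rts: Set[str]
    import_rts: Set[str]
    local_prefixes: List[str] = field(default_factory=list)  # learned from the attached CE
    table: Dict[str, str] = field(default_factory=dict)      # prefix -> origin "PE/vrf"


def export_routes(pe: str, vrf: Vrf) -> List[Vpnv4Route]:
    """Redistribute the VRF's CE-learned prefixes into MP-BGP as vpnv4 routes."""
    return [Vpnv4Route(vrf.rd, p, frozenset(vrf.export_rts), f"{pe}/{vrf.name}")
            for p in vrf.local_prefixes]


def import_routes(pe: str, vrf: Vrf, mpbgp: List[Vpnv4Route]) -> None:
    """Install every vpnv4 route that carries at least one matching import RT.
    A route with no matching RT is rejected for this VRF."""
    me = f"{pe}/{vrf.name}"
    vrf.table = {p: me for p in vrf.local_prefixes}
    for r in mpbgp:
        if r.origin != me and vrf.import_rts & r.rts:
            vrf.table[r.prefix] = r.origin


def build_topology() -> Dict[str, Dict[str, Vrf]]:
    """Assumed layout: cust-one Site A and cust-two Site B on PE1,
    cust-one Site B and cust-two Site A on PE2. Equivalent IOS on PE1:
        ip vrf cust-one
         rd 1:1
         route-target both 1:1
         route-target both 100:1      <- the extranet RT, Site A only
        ip vrf cust-two
         rd 1:2
         route-target both 1:2
    PE2 mirrors this, with 'route-target both 100:1' under cust-two instead."""
    return {
        "PE1": {
            "cust-one": Vrf("cust-one", "1:1", {"1:1", "100:1"}, {"1:1", "100:1"}, ["10.1.1.0/24"]),
            "cust-two": Vrf("cust-two", "1:2", {"1:2"}, {"1:2"}, ["10.2.2.0/24"]),
        },
        "PE2": {
            "cust-one": Vrf("cust-one", "1:1", {"1:1"}, {"1:1"}, ["10.1.2.0/24"]),
            "cust-two": Vrf("cust-two", "1:2", {"1:2", "100:1"}, {"1:2", "100:1"}, ["10.2.1.0/24"]),
        },
    }


def converge(topology: Dict[str, Dict[str, Vrf]]) -> Dict[str, Set[str]]:
    """Export every VRF into MP-BGP, import on every PE, return the VRF tables."""
    mpbgp = [r for pe, vrfs in topology.items() for v in vrfs.values() for r in export_routes(pe, v)]
    tables: Dict[str, Set[str]] = {}
    for pe, vrfs in topology.items():
        for v in vrfs.values():
            import_routes(pe, v, mpbgp)
            tables[f"{pe}/{v.name}"] = set(v.table)
    return tables


def cross_vrf_leaks(topology: Dict[str, Dict[str, Vrf]]) -> List[Tuple[str, str]]:
    """Audit: (exporter, importer) pairs of differently named VRFs whose export RTs
    intersect the other's import RTs. Each pair is either a deliberate extranet
    or an RT misconfiguration; both belong on record."""
    vrfs = [(f"{pe}/{v.name}", v) for pe, d in topology.items() for v in d.values()]
    return sorted((src, dst) for src, sv in vrfs for dst, dv in vrfs
                  if sv.name != dv.name and sv.export_rts & dv.import_rts)


if __name__ == "__main__":
    topo = build_topology()
    for vrf_name, prefixes in converge(topo).items():
        print(vrf_name, sorted(prefixes))
    print("cross-VRF leaks:", cross_vrf_leaks(topo))
```

After convergence, PE1's cust-one table holds cust-two's Site A prefix and PE2's cust-two table holds cust-one's Site A prefix, but neither Site B VRF ever sees the other customer's routes, because the Site B prefixes are exported with only their own RT and the Site B VRFs import only that RT. Imported routes are not re-exported, so the extranet does not transit through a Site B location.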
