

Uploader: 暖洋洋   Document ID: 1605596   Upload date: 2018-08-10   Format: PPT   Pages: 81   Size: 2.46 MB

MPLS VPN Basic Concepts
MPLS v2.11-1

Overview
- MPLS VPN terminology
- Architecture of the PE router in an MPLS VPN
- Three questions:
  - How do PE routers exchange customer routing information?
  - Which protocol does a PE use to carry customer routes?
  - How is the problem of overlapping customer routes handled?
- Three key concepts: VRF, RD, RT
- Provincial network specification

MPLS VPN Architecture: Terminology

PE Router Architecture

How to Advertise Customer Routes Across the Provider Network

Question: How will PE routers exchange customer routing information?

Answer #1: Run a dedicated IGP for each customer across the P-network.
This is the wrong answer for the following reasons:
- The solution does not scale.
- P routers carry all customer routes.

Answer #2: Run a single routing protocol that will carry all customer routes inside the provider backbone.
Better answer, but still not good enough:
- P routers carry all customer routes.

Answer #3: Run a single routing protocol that will carry all customer routes between PE routers. Use MPLS labels to exchange packets between PE routers.
The best answer:
- P routers do not carry customer routes; the solution is scalable.

Question: Which protocol can be used to carry customer routes between PE routers?
Answer: The number of customer routes can be very large. BGP is the only routing protocol that can scale to a very large number of routes.
Conclusion: BGP is used to exchange customer routes directly between PE routers.

How to Handle Overlapping Customer Addresses

Question: How will information about the overlapping subnetworks of two customers be propagated via a single routing protocol?
Answer: Extend the customer addresses to make them unique.

VRF

VRF: VPN Routing & Forwarding Instance.
Each VRF can be regarded as a virtual router, as if it were a dedicated PE device. This virtual router consists of the following elements:
- A separate routing table, which of course also means a separate address space.
- The set of interfaces that belong to this VRF.
- A set of routing protocols used only for this VRF.
Each PE can maintain one or more VRFs and, at the same time, a public routing table (also called the global routing table). The VRF instances are separate from and independent of one another.
Implementing a VRF is not actually difficult. The key is how specific policy rules are used on the PE to coordinate the relationship between the VRFs and the global routing table.

RT

RT uses the BGP community attribute. The community was extended and given a new name: RT (Route Target).
The extended community has the following two formats; a type field of 0x0002 or 0x0102 indicates an RT.

The Essence of RT

In essence, the RT is the way each VRF expresses which routes it accepts and prefers. It has two parts, the Export Target and the Import Target: the former states the attribute of the routes I send, and the latter states which routes I am interested in. For example:
- SITE-A: the routes I send are red, and I accept only red routes.
- SITE-B: the routes I send are red, and I accept only red routes.
- SITE-C: the routes I send are black, and I accept only black routes.
- SITE-D: the routes I send are black, and I accept only black routes.
As a result, SITE-A and SITE-B hold only their own and each other's routes, so the two can reach each other. The same applies to SITE-C and SITE-D. We can then call SITE-A and SITE-B VPN-A, and SITE-C and SITE-D VPN-B.

Flexible Use of RT

Both the Export Target and the Import Target of an RT can be configured with several attributes, for example: I am interested in both red and blue routes. Reception is an OR operation: red routes, blue routes, and routes carrying both colours are all accepted. This makes very flexible VPN access control possible.

RD (Route Distinguisher)

Once the problem of local route conflicts has been solved, the problem of conflicts while routes are propagated through the network is easily solved as well: it is enough to add an identifier when the route is advertised.
Since the route already carries an RT when it is advertised, could the RT simply be used as that identifier?
In theory it certainly could. But an RT is not a simple number; it is usually a list, and it is a route attribute that is not stored together with the IP prefix, which makes comparison awkward. It is therefore better to define something separate, and that is the RD. Its format is basically the same as that of the RT.

The Essence of RD

- Adding an RD to an IPv4 address turns it into a member of the VPN-IPv4 address family.
- In theory an RD can be configured for each VRF, but the RD must be globally unique. The usual recommendation is to configure the same RD for each VPN.
- If two VRFs contain the same addresses but have different RDs, the two VRFs must not reach each other, not even indirectly.
- The RD does not affect route selection between VRFs or the formation of VPNs; those are handled by the RT.
- The routes a PE receives from a CE are standard IPv4 routes. If a route has to be advertised to other PE routers, an RD must be attached to it.
- VPN-IPv4 addresses are used only inside the service provider network. The RD is added when the PE advertises the route; after a PE receives the route it is stored in the local routing table and used for comparison with routes received later.
- The CE is not aware that VPN-IPv4 addresses are in use.
- While VPN traffic crosses the provider backbone, its packet headers do not carry VPN-IPv4 addresses.

Summary of the Three Concepts

- VRF: a router virtualized on a PE, comprising a specific set of interfaces, a routing table, a routing protocol, an RD and a set of RT rules.
- RT: expresses the route preferences of a VRF; it is what allows routes to be exchanged between different VRFs. In essence it is the BGP community attribute.
- RD: special information placed in front of a route so that a PE is not left confused when it receives identical routes belonging to different VRFs from a remote PE. It is added when the PE advertises the route; after the remote PE receives the route it is stored in the local routing table and used for comparison with routes received later.

Provincial Network RD/RT Plan

This specification requires every city to use the RD format ASN: when deploying services, where ASN must be the city's own AS number. For VPN service RDs, the following specific requirements apply:
- Provincial-company VPN service RD: 64920:XXX
- IPTV service RD: 64920:999 (planned uniformly for the whole province)
- NGN service RD: 655XX:10YYY (655XX is the AS number of the city's metro network; YYY is the last octet of the PE loopback address)
- Metro-network VPN service RD: 655XX:11ZZZ (655XX is the AS number of the city's metro network; ZZZ is defined by each city according to its own VPN growth, with values from 001 to 999; each time a VPN service is opened, one uniform RD is set on the PEs)
Example: if a PE in the Shenyang metro network has the loopback 123.189.224.32 and carries the VPN for NGN signalling, the RD planned for that PE is 65500:10032.

Provincial Network RD/RT Plan

Normally the RT is marked with the same value as the RD. Where routing policies have to be configured between VPNs, each city can configure the RT export and import parameters flexibly according to its needs. The RTs of provincial-company VPN services are set uniformly by the provincial company.

© 2004 Cisco Systems, Inc. All rights reserved.

MPLS VPN Packet Forwarding
MPLS v2.14-19

Outline
- How does a PE forward VPN packets across the backbone?
- How does PHP work?
- How does a PE obtain the VPN label?
- What are the Effects of MPLS VPNs on Label Propagation?
- What are the Effects of MPLS VPNs on Packet Forwarding?
- Lesson Summary

How Does a PE Forward VPN Packets Across the Backbone?

Question: How will the PE routers forward the VPN packets across the MPLS VPN backbone?
Answer #1: The PE routers will label the VPN packets with an LDP label for the egress PE router and forward the labeled packets across the MPLS backbone.
Results: The P routers perform the label switching, and the packet reaches the egress PE router.
However, the egress PE router does not know which VRF to use for packet switching, so the packet is dropped.
How about using a label stack?

How Does a PE Forward VPN Packets Across the Backbone?

Question: How will the PE routers forward the VPN packets across the MPLS VPN backbone?
Answer #2: The PE routers will label the VPN packets with a label stack, using the LDP label for the egress PE router as the top label, and the VPN label assigned by the egress PE router as the second label in the stack.
Result: The P routers perform label switching, and the packet reaches the egress PE router. The egress PE router performs a lookup on the VPN label and forwards the packet toward the CE router.

VPN Penultimate Hop Popping

- Penultimate hop popping on the LDP label can be performed on the last P router.
- The egress PE router performs label lookup only on the VPN label, resulting in faster and simpler label lookup.
- IP lookup is performed only once, in the ingress PE router.

VPN Label Propagation

Question: How will the ingress PE router get the second label in the label stack from the egress PE router?
Answer: Labels are propagated in MP-BGP VPNv4 routing updates.
Step 1: A VPN label is assigned to every VPN route by the egress PE router.

VPN Label Propagation (Cont.)

Step 2: The VPN label is advertised to all other PE routers in an MP-BGP update.
Step 3: A label stack is built in the VRF table.

Summary

- PE routers forward packets across the MPLS VPN backbone using label stacking.
- The last P router in the LSP tunnel pops the LDP label, and the PE router receives a labeled packet that contains only the VPN label.
- Labels are propagated between PE routers using MP-BGP.
- LDP labels are not assigned to BGP routes.

Configuring MPLS VPN

1) Configuring VRFs
MPLS v2.15-27

VRF Configuration Tasks

VRF configuration tasks:
- Create a VRF table.
- Assign RD to the VRF.
- Specify export and import route targets.
- Assign interfaces to VRFs.

Creating VRF Tables and Assigning RDs

    Router(config)# ip vrf name

- This command creates a new VRF or enters configuration of an existing VRF.
- VRF names are case-sensitive.
- VRF is not operational unless you configure RD.
- VRF names have only local significance.

    Router(config-vrf)# rd route-distinguisher

- This command assigns a route distinguisher to a VRF.
- You can use ASN:nn or A.B.C.D:nn format for RD.
- Each VRF in a PE router has to have a unique RD.

Specifying Export and Import RTs

    Router(config-vrf)# route-target export RT

- Specifies an RT to be attached to every route exported from this VRF to MP-BGP.
- Allows specification of many export RTs; all are attached to every exported route.

    Router(config-vrf)# route-target import RT

- Specifies an RT to be used as an import filter: only routes matching the RT are imported into the VRF.
- Allows specification of many import RTs: any route where at least one RT attached to the route matches any import RT is imported into the VRF.
- Because of implementation issues, at least one export route target must also be an import route target of the same VRF in Cisco IOS Release 12.0 T.

Specifying Export and Import RTs (Cont.)

    Router(config-vrf)# route-target both RT

- In cases where the export RT matches the import RT, use this form of the route-target command.

Sample router configuration for simple customer VPN:

    ip vrf Customer_ABC
     rd 12703:15
     route-target export 12703:15
     route-target import 12703:15

Assigning an Interface to VRF Table

    Router(config-if)# ip vrf forwarding vrf-name

- This command associates an interface with the specified VRF.
- The existing IP address is removed from the interface when the interface is put into a VRF; the IP address must be reconfigured.
- CEF switching must be enabled on the interface.

Sample router configuration:

    ip cef
    !
    interface serial 0/0
     ip vrf forwarding Customer_ABC
     ip address

MPLS VPN Network Example

- The network supports two VPN customers.
- Customer A runs RIP and BGP with the service provider; customer B uses only RIP.
- Both customers use network

MPLS VPN Network Example (Cont.)

2) Configuring MP-BGP
MPLS v2.15-35

Configuring BGP Address Families

The BGP process in an MPLS VPN-enabled router performs three separate tasks:
- Global BGP routes (Internet routing) are exchanged as in traditional BGP setup.
- VPNv4 prefixes are exchanged through MP-BGP.
- VPN routes are exchanged with CE routers through per-VRF EBGP sessions.
Address families (routing protocol contexts) are used to configure these three tasks in the same BGP process.

    Router(config)# router bgp as-number

- Selects global BGP routing process.

    Router(config-router)# address-family vpnv4

- Selects configuration of VPNv4 prefix exchanges under MP-BGP sessions.

    Router(config-router)# address-family ipv4 vrf vrf-name

- Selects configuration of per-VRF PE-CE parameters.

Configuring BGP Address Families (Cont.)

Configuring MP-BGP

MPLS VPN MP-BGP configuration steps:
- Configure MP-BGP neighbor under BGP routing process.
- Configure BGP address family VPNv4.
- Activate configured BGP neighbor for VPNv4 route exchange.
- Specify additional parameters for VPNv4 route exchange (filters, next hops, and so on).

Configuring MP-IBGP

    Router(config)#
    router bgp as-number
     neighbor ip-address remote-as as-number
     neighbor ip-address update-source loopback-type interface number

- All MP-BGP neighbors have to be configured under global BGP routing configuration.
- MP-IBGP sessions have to run between loopback interfaces.

    Router(config-router)# address-family vpnv4

- This command starts configuration of MP-BGP routing for VPNv4 route exchange.
- The parameters that apply only to MP-BGP exchange of VPNv4 routes between already configured IBGP neighbors are configured under this address family.

Configuring MP-IBGP (Cont.)

    Router(config-router-af)# neighbor ip-address activate

- The BGP neighbor defined under BGP router configuration has to be activated for VPNv4 route exchange.

    Router(config-router-af)# neighbor ip-address next-hop-self

- The next-hop-self keyword can be configured on the MP-IBGP session for MPLS VPN configuration if EBGP is being run with a CE neighbor.

MP-BGP Community Propagation

    Router(config-router-af)# neighbor ip-address send-community [extended | both]

- This command configures propagation of standard and extended BGP communities attached to VPNv4 prefixes.
- Default value: only extended communities are sent.
- Usage guidelines:
  - Extended BGP communities attached to VPNv4 prefixes have to be exchanged between MP-BGP neighbors for proper MPLS VPN operation.
  - To propagate standard BGP communities between MP-BGP neighbors, use the both option.

MP-BGP BGP Community Propagation (Cont.)

Disabling IPv4 Route Exchange

    Router(config-router)# no bgp default ipv4-unicast

- The exchange of IPv4 routes between BGP neighbors is enabled by default: every configured neighbor will also receive IPv4 routes.
- This command disables the default exchange of IPv4 routes: neighbors that need to receive IPv4 routes have to be activated for IPv4 route exchange.
- Use this command when the same router carries Internet and VPNv4 routes and you do not want to propagate Internet routes to some PE neighbors.

Disabling IPv4 Route Exchange (Cont.)

- Neighbor receives only Internet routes.
- Neighbor receives only VPNv4 routes.
- Neighbor receives Internet and VPNv4 routes.

    router bgp 12703
     no bgp default ipv4-unicast
     neighbor remote-as 12703
     neighbor remote-as 12703
     neighbor remote-as 12703
    ! Activate IPv4 route exchange
     neighbor activate
     neighbor activate
    ! Step#2 VPNv4 route exchange
     address-family vpnv4
     neighbor activate
     neighbor activate

Configuring the VRF Routing Context Within BGP

    Router(config)#
    router bgp as-number
     address-family ipv4 vrf vrf-name
     ... Non-BGP redistribution ...

- Select the per-VRF BGP context with the address-family command.
- Configure CE EBGP neighbors in VRF context, not in global BGP configuration.
- All non-BGP per-VRF routes have to be redistributed into per-VRF BGP context to be propagated by MP-BGP to other PE routers.

Configuring PE and CE Routers
MPLS v2.15-46

Static Routes

    Router(config)# ip route vrf name static route parameters

- This command configures per-VRF static routes.
- The route is entered in the VRF table.
- You must always specify the outgoing interface, even if you specify the next hop.

Sample router configuration:

    ip route vrf Customer_ABC serial 0/0
    !
    router bgp 12703
     address-family ipv4 vrf Customer_ABC
     redistribute static

BGP

Limiting the Number of Prefixes Received from a BGP Neighbor

    Router(config-router-af)# neighbor ip-address maximum-prefix maximum [threshold] [warning-only]

- Controls how many prefixes can be received from a neighbor.
- Optional threshold parameter specifies the percentage where a warning message is logged (default is 75 percent).
- Optional warning-only keyword specifies the action on exceeding the maximum number (default is to drop peering).

Limiting the Total Number of VRF Routes

AS-Override: The Issue

The customer wants to reuse the same AS number on several sites:
- CE-BGP-A1 announces network to PE-Site-X.
- The prefix announced by CE-BGP-A1 is propagated to PE-Site-Y as an internal route through MP-BGP.
- PE-Site-Y prepends AS 115 to the AS path and propagates the prefix to CE-BGP-A2.
- CE-BGP-A2 drops the update because AS 213 is already in the AS path.

AS-Override: Example

PE-Site-Y replaces AS 213 with AS 115 in the AS path, prepends another copy of AS 115 to the AS path, and propagates the prefix.

AS-Override: AS-Path Prepending

PE-Site-Y replaces all occurrences of AS 213 with AS 115 in the AS path, prepends another copy of AS 115 to the AS path, and propagates the prefix.

Monitoring MPLS VPN
MPLS v2.15-54

Monitoring VRFs

    Router# show ip vrf

- Displays the list of all VRFs configured in the router.

    Router# show ip vrf detail

- Displays detailed VRF configuration.

    Router# show ip vrf interfaces

- Displays interfaces associated with VRFs.

Monitoring VRFs: show ip vrf

    Router#show ip vrf
      Name      Default RD   Interfaces
      SiteA2    103:30       Serial1/0.20
      SiteB     103:11       Serial1/0.100
      SiteX     103:20       Ethernet0/0
    Router#

Monitoring VRFs: show ip vrf detail

    Router#show ip vrf detail
    VRF SiteA2; default RD 103:30
      Interfaces:
        Serial1/0.20
      Connected addresses are not in global routing table
      No Export VPN route-target communities
      Import VPN route-target communities
        RT:103:10
      No import route-map
      Export route-map: A2
    VRF SiteB; default RD 103:11
      Interfaces:
        Serial1/0.100
      Connected addresses are not in global routing table
      Export VPN route-target communities
        RT:103:11
      Import VPN route-target communities
        RT:103:11                RT:103:20
      No import route-map
      No export route-map
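The RT import/export rule and the role of the RD from the RT and RD slides, as an added example that is not part of the original slides: it models the four-site red/black scenario, shows that two VPNs can both use 10.1.0.0/16 because the RD keeps the VPN-IPv4 prefixes distinct, and audits for import RTs that join VRFs of different VPNs. The class and function names, the prefixes and the RT values (patterned on the 655XX:11ZZZ scheme) are constructed for illustration.

```python
# Added example with constructed data; names and RD/RT values are illustrative.
from dataclasses import dataclass

@dataclass(frozen=True)
class Vrf:
    name: str
    vpn: str               # intended VPN membership, used only by the audit
    rd: str                # route distinguisher, e.g. "65500:11001"
    export_rts: frozenset  # RTs attached to every exported route
    import_rts: frozenset  # RTs this VRF is interested in
    prefixes: tuple        # IPv4 prefixes learned from the CE

def export_routes(vrf):
    """PE export: RD + IPv4 prefix forms the VPN-IPv4 prefix; all export RTs ride along."""
    return [(f"{vrf.rd}:{p}", vrf.export_rts, vrf.name) for p in vrf.prefixes]

def import_table(vrf, routes):
    """Import is an OR: a route is accepted if it carries at least one import RT."""
    return sorted(pfx for pfx, rts, origin in routes
                  if origin != vrf.name and vrf.import_rts & rts)

def cross_vpn_imports(vrfs):
    """Audit: (importer, exporter) pairs in different VPNs whose RTs intersect."""
    return sorted((a.name, b.name) for a in vrfs for b in vrfs
                  if a.vpn != b.vpn and a.import_rts & b.export_rts)

RED, BLACK = "65500:11001", "65500:11002"   # constructed RT values, reused as RDs

def build(site_d_import=frozenset({BLACK})):
    return [
        Vrf("SITE-A", "VPN-A", RED, frozenset({RED}), frozenset({RED}), ("10.1.0.0/16",)),
        Vrf("SITE-B", "VPN-A", RED, frozenset({RED}), frozenset({RED}), ("10.2.0.0/16",)),
        Vrf("SITE-C", "VPN-B", BLACK, frozenset({BLACK}), frozenset({BLACK}), ("10.1.0.0/16",)),
        Vrf("SITE-D", "VPN-B", BLACK, frozenset({BLACK}), site_d_import, ("10.3.0.0/16",)),
    ]

def tables(vrfs):
    routes = [r for v in vrfs for r in export_routes(v)]
    return {v.name: import_table(v, routes) for v in vrfs}

if __name__ == "__main__":
    good = build()
    print(tables(good), cross_vpn_imports(good))
    bad = build(site_d_import=frozenset({BLACK, RED}))   # extra import RT on SITE-D
    print(tables(bad)["SITE-D"], cross_vpn_imports(bad))
```

With the extra import RT, SITE-D holds both copies of 10.1.0.0/16 side by side, and the audit reports the VPN-A sites it now learns routes from.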
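The two forwarding answers from the packet-forwarding slides (LDP label only versus a label stack with penultimate hop popping), traced hop by hop in an added example that is not part of the original slides. The path PE1, P1, P2, PE2, the label numbers and the VRF names are constructed for illustration.

```python
# Added example; topology PE1 -> P1 -> P2 -> PE2, label numbers and VRF names are constructed.
LDP_OUT = {"PE1": 17, "P1": 18, "P2": None}   # LDP label each hop sends toward PE2; None = pop (PHP)
VPN_LABELS_PE2 = {30: "VRF-A", 31: "VRF-B"}    # VPN labels PE2 assigned and advertised in MP-BGP

def ingress(vpn_label=None):
    """PE1 imposes labels, top of stack first. Answer #1 omits the VPN label."""
    return [LDP_OUT["PE1"]] + ([vpn_label] if vpn_label is not None else [])

def core(stack):
    """P routers act on the top label only: P1 swaps it, P2 (penultimate hop) pops it."""
    trace = [("PE1", list(stack))]
    for hop in ("P1", "P2"):
        out = LDP_OUT[hop]
        stack = stack[1:] if out is None else [out] + stack[1:]
        trace.append((hop, list(stack)))
    return stack, trace

def egress(stack):
    """PE2 does one lookup on the VPN label; with no label it cannot pick a VRF."""
    if not stack:
        return "drop"
    return VPN_LABELS_PE2.get(stack[0], "drop")

def send(vpn_label=None):
    """Carry one packet from PE1 to PE2 and return (egress decision, per-hop stacks)."""
    stack, trace = core(ingress(vpn_label))
    return egress(stack), trace

if __name__ == "__main__":
    for label in (None, 30, 31):
        result, trace = send(label)
        print(label, trace, "->", result)
```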


