
Routing Services: MPLS, VPNs

Routing Services: MPLS, VPNs. Nick Feamster CS 7260 February 15, 2006. Administrivia. Problem Set 2 is out, due 2/24 4 problems: 1 Data streaming, 2 scriptroute, 1 Netflow Try to test out the scriptroute installation early, in case there are problems.



Presentation Transcript


  1. Routing Services: MPLS, VPNs
  Nick Feamster, CS 7260, February 15, 2006

  2. Administrivia
  • Problem Set 2 is out, due 2/24
  • 4 problems: 1 Data streaming, 2 scriptroute, 1 Netflow
  • Try to test out the scriptroute installation early, in case there are problems.
  • Fewer, shorter problems, but more scripting/coding
  • Scriptroute scripts are in Ruby…come to office hours if you need help with the language
  • Last problem is not that hard. Most could probably be done with grep/awk as a last resort.

  3. MPLS Overview
  • Main idea: Virtual circuit
  • Packets forwarded based only on circuit identifier
  [Figure: Source 1 and Source 2 sending to the same Destination] Router can forward traffic to the same destination on different interfaces/paths.

  4. Circuit Abstraction: Label Swapping
  • Label-switched paths (LSPs): Paths are “named” by the label at the path’s entry point
  • At each hop, label determines:
    • Outgoing interface
    • New label to attach
  • Label distribution protocol: responsible for disseminating signalling information
  [Figure: label swapping between routers A and D, with a per-router table of columns Tag, Out, New]

  5. Layer 3 Virtual Private Networks
  • Private communications over a public network
  • A set of sites that are allowed to communicate with each other
  • Defined by a set of administrative policies
    • determine both connectivity and QoS among sites
    • established by VPN customers
  • One way to implement: BGP/MPLS VPN mechanisms (RFC 2547)

  6. Building Private Networks
  • Separate physical network
    • Good security properties
    • Expensive!
  • Secure VPNs
    • Encryption of entire network stack between endpoints
  • Layer 2 Tunneling Protocol (L2TP)
    • “PPP over IP”
    • No encryption
  • Layer 3 VPNs
    • Privacy and interconnectivity (not confidentiality, integrity, etc.)

  7. Layer 2 vs. Layer 3 VPNs
  • Layer 2 VPNs can carry traffic for many different protocols, whereas Layer 3 is “IP only”
  • More complicated to provision a Layer 2 VPN
  • Layer 3 VPNs: potentially more flexibility, fewer configuration headaches

  8. Layer 3 BGP/MPLS VPNs
  [Figure: VPN A (Sites 1–3) and VPN B (Sites 1–3) with overlapping address space (10.1/16, 10.2/16, 10.3/16, 10.4/16); each site's CE router attaches to a PE router (PE1, PE2, PE3) around a core of P routers (P1, P2, P3). BGP to exchange routes; MPLS to forward traffic]
  • Isolation: Multiple logical networks over a single, shared physical infrastructure
  • Tunneling: Keeping routes out of the core

  9. High-Level Overview of Operation
  • IP packets arrive at PE
  • Destination IP address is looked up in forwarding table
  • Datagram sent to customer’s network using tunneling (i.e., an MPLS label-switched path)

  10. BGP/MPLS VPN key components
  • Forwarding in the core: MPLS
  • Distributing routes between PEs: BGP
  • Isolation: Keeping different VPNs from routing traffic over one another
    • Constrained distribution of routing information
    • Multiple “virtual” forwarding tables
  • Unique addresses: VPN-IP4 Address extension

  11. Layer 3 VPNs
  “Vanilla” Layer 3 VPNs: All customer routes in the core
  [Figure: Site 1 and Site 2 connected across the CORE; EBGP at the edges, IBGP inside the core]
  BGP/MPLS VPNs: BGP between PEs; MPLS in the core
  [Figure: Site 1 and Site 2 attached to PE routers across an MPLS CORE of P routers; LDP on each core link]

  12. Problems Introduced by Layer 3 VPNs
  • Overlapping address space in forwarding table
    • Solution: Virtual routing and forwarding table (“VRF”)
  • Overlapping address space in BGP routes
    • Solution: “Route distinguisher” --- 8-byte VPN-specific identifier prepended to each IP address
    • Typically, one route distinguisher per VPN
    • New VPN-IP address family
    • Routes carried with multi-protocol BGP
  • Filtering routes from routes not at that site
    • Route target: basically a special BGP community value

  13. Virtual Routing and Forwarding
  • Separate tables per customer at each router
  [Figure: Customer 1 and Customer 2 both use 10.0.1.0/24; the router keeps them in separate tables as 10.0.1.0/24 RD: Green (Customer 1) and 10.0.1.0/24 RD: Blue (Customer 2)]

  14. Routing: Constraining Distribution
  • Performed by Service Provider using route filtering based on BGP Extended Community attribute
  • BGP Community is attached by ingress PE
  • Route filtering based on BGP Community is performed by egress PE
  [Figure: Sites 1–3; PE A learns 10.0.1.0/24 from its site via static route, RIP, etc., and advertises it in BGP as RD:10.0.1.0/24, Route target: Green, Next-hop: A]

  15. BGP/MPLS VPN Routing in Cisco IOS
  [Figure: Customer A and Customer B attached to the PE]
    ip vrf Customer_A
     rd 100:110
     route-target export 100:1000
     route-target import 100:1000
    !
    ip vrf Customer_B
     rd 100:120
     route-target export 100:2000
     route-target import 100:2000
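The following Python script is an added illustration, not part of the lecture, of the route-distribution steps on slides 12–15: it parses the IOS-style VRF stanzas from slide 15, prepends each VRF's route distinguisher to form VPN-IPv4 routes, attaches the export route targets, and on the receiving PE installs only routes whose route targets match the VRF's import set, so two customers with the same 10.0.1.0/24 stay in separate tables. The router names (PE1, PE2, CE-A1, CE-B1), the site prefixes and the type-0 RD encoding are assumptions made for the example.

```python
import struct
from dataclasses import dataclass, field

# Constructed VRF definitions in the IOS style shown on slide 15 (Customer_A / Customer_B).
IOS_VRF_CONFIG = """\
ip vrf Customer_A
 rd 100:110
 route-target export 100:1000
 route-target import 100:1000
!
ip vrf Customer_B
 rd 100:120
 route-target export 100:2000
 route-target import 100:2000
"""


@dataclass
class Vrf:
    name: str
    rd: str = ""
    export_rts: set = field(default_factory=set)
    import_rts: set = field(default_factory=set)
    table: dict = field(default_factory=dict)   # IPv4 prefix -> next hop (the CE)


def parse_vrf_config(text):
    """Build Vrf objects from 'ip vrf' stanzas; a bare '!' closes a stanza."""
    vrfs, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("ip vrf "):
            current = Vrf(name=line.split()[2])
            vrfs[current.name] = current
        elif current is None:
            continue
        elif line.startswith("rd "):
            current.rd = line.split()[1]
        elif line.startswith("route-target "):
            _, direction, rt = line.split()
            (current.export_rts if direction == "export" else current.import_rts).add(rt)
        elif line == "!":
            current = None
    return vrfs


def encode_rd(rd):
    """Type-0 route distinguisher: 2-byte type (0), 2-byte ASN, 4-byte assigned number = 8 bytes."""
    asn, number = (int(x) for x in rd.split(":"))
    return struct.pack("!HHI", 0, asn, number)


@dataclass(frozen=True)
class VpnIpv4Route:
    rd: str
    prefix: str
    next_hop: str              # the advertising PE (BGP next-hop)
    route_targets: frozenset   # carried as BGP extended communities

    def nlri(self):
        """VPN-IPv4 NLRI key as text: the RD prepended to the IPv4 prefix."""
        return f"{self.rd}:{self.prefix}"


def export_routes(vrf, advertising_pe):
    """Ingress PE: wrap every VRF route in the VRF's RD and attach its export route targets."""
    return [VpnIpv4Route(vrf.rd, p, advertising_pe, frozenset(vrf.export_rts))
            for p in vrf.table]


def import_routes(vrf, advertised):
    """Egress PE: install a route only if one of its route targets is in the VRF's import set."""
    return {r.prefix: (r.next_hop, r.rd)
            for r in advertised if r.route_targets & vrf.import_rts}


def run_example():
    """PE1 holds an overlapping 10.0.1.0/24 for both customers; PE2 must keep them apart."""
    pe1 = parse_vrf_config(IOS_VRF_CONFIG)
    pe1["Customer_A"].table["10.0.1.0/24"] = "CE-A1"   # constructed site routes
    pe1["Customer_B"].table["10.0.1.0/24"] = "CE-B1"
    pe1["Customer_B"].table["10.0.5.0/24"] = "CE-B1"
    advertised = (export_routes(pe1["Customer_A"], "PE1")
                  + export_routes(pe1["Customer_B"], "PE1"))
    pe2 = parse_vrf_config(IOS_VRF_CONFIG)   # the same VRF policy is configured on PE2
    return {
        "nlri": sorted(r.nlri() for r in advertised),
        "Customer_A": import_routes(pe2["Customer_A"], advertised),
        "Customer_B": import_routes(pe2["Customer_B"], advertised),
    }


if __name__ == "__main__":
    for key, value in run_example().items():
        print(key, value)
```

Running it shows three distinct VPN-IPv4 routes in the BGP table even though two of them carry the same IPv4 prefix, and each VRF on PE2 ends up holding only its own customer's routes because the route-target check, not the prefix, decides what is imported.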

  16. Forwarding
  • PE and P routers have BGP next-hop reachability through the backbone IGP
  • Labels are distributed through LDP (hop-by-hop) corresponding to BGP Next-Hops
  • Two-Label Stack is used for packet forwarding
    • Top label indicates Next-Hop (interior label)
    • Second level label indicates outgoing interface or VRF (exterior label)
  [Figure: packet layout Layer 2 Header | Label1 | Label2 | IP Datagram; Label1 corresponds to the LSP of the BGP next-hop (PE), Label2 corresponds to the VRF/interface at exit]

  17. Forwarding in BGP/MPLS VPNs
  • Step 1: Packet arrives at incoming interface
    • Site VRF determines BGP next-hop and Label #2
    [Figure: Label2 | IP Datagram]
  • Step 2: BGP next-hop lookup, add corresponding LSP (also at site VRF)
    [Figure: Label1 | Label2 | IP Datagram]
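As an added example (not from the lecture), the Python below walks one packet through the data plane described on slides 4, 16 and 17: the ingress PE looks the destination up in the site VRF to get the BGP next-hop and Label #2, then the LDP binding for that next-hop to get Label #1; each P router swaps only the top label; the egress PE pops its LSP label and uses Label #2 to pick the VRF and exit interface. The topology (PE1, P1, P2, PE2), interface names, prefixes and label values are all constructed for the example, and penultimate-hop popping is deliberately left out to keep the two-label stack visible at every core hop.

```python
import ipaddress

# ---- Constructed tables for a tiny topology: CE -> PE1 -> P1 -> P2 -> PE2 -> CE ----
# (illustration only; routers, interfaces and label values are made up)

# PE1 keeps one VRF per customer. Entry: prefix -> (BGP next-hop PE, Label #2 learned from that PE)
PE1_VRFS = {
    "Customer_A": {"10.0.2.0/24": ("PE2", 1001)},
    "Customer_B": {"10.0.2.0/24": ("PE2", 2001)},   # same prefix, different VPN, different label
}
# PE1's LDP bindings: BGP next-hop -> (outgoing interface, Label #1 for the LSP to that PE)
PE1_LDP = {"PE2": ("to-P1", 17)}

# Core P routers look only at the top label: in-label -> (outgoing interface, new top label)
LFIB = {
    "P1": {17: ("to-P2", 23)},
    "P2": {23: ("to-PE2", 31)},
}

# PE2 terminates the LSP (label 31); Label #2 then selects the VRF / customer-facing interface
PE2_LSP_LABELS = {31}
PE2_VPN_LABELS = {1001: ("Customer_A", "to-CE-A2"), 2001: ("Customer_B", "to-CE-B2")}


def lookup_vrf(vrf_table, dst):
    """Longest-prefix match of dst inside one VRF; None if that VRF has no route."""
    addr = ipaddress.ip_address(dst)
    best_net, best_entry = None, None
    for prefix, entry in vrf_table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_entry = net, entry
    return best_entry


def ingress_pe1(vrf_name, dst):
    """Slide 17 steps 1-2: site VRF gives BGP next-hop and Label #2, then LDP gives Label #1."""
    entry = lookup_vrf(PE1_VRFS[vrf_name], dst)
    if entry is None:
        return None                               # no route in this customer's VRF: dropped
    next_hop_pe, vpn_label = entry
    out_iface, lsp_label = PE1_LDP[next_hop_pe]
    return out_iface, [lsp_label, vpn_label]      # index 0 is the top (outer) label


def core_swap(router, labels):
    """Label swapping at a P router (slide 4): the top label alone picks interface and new label."""
    out_iface, new_top = LFIB[router][labels[0]]
    return out_iface, [new_top] + labels[1:]


def egress_pe2(labels):
    """PE2 pops its own LSP label, then uses Label #2 to choose the VRF and exit interface."""
    top, inner = labels[0], labels[1]
    if top not in PE2_LSP_LABELS:
        raise ValueError(f"label {top} does not terminate at PE2")
    return PE2_VPN_LABELS[inner]


def forward(vrf_name, dst):
    """Walk one packet through the topology; returns (hop trace, delivered (VRF, interface) or None)."""
    trace = []
    result = ingress_pe1(vrf_name, dst)
    if result is None:
        return trace, None
    out_iface, labels = result
    trace.append(("PE1", out_iface, list(labels)))
    for router in ("P1", "P2"):
        out_iface, labels = core_swap(router, labels)
        trace.append((router, out_iface, list(labels)))
    delivered = egress_pe2(labels)
    trace.append(("PE2", delivered[1], []))       # both labels popped; plain IP goes to the CE
    return trace, delivered


if __name__ == "__main__":
    for vrf in ("Customer_A", "Customer_B"):
        print(vrf, forward(vrf, "10.0.2.7"))
```

The same destination address 10.0.2.7 travels over the same LSP (17 → 23 → 31) for both customers, but the inner label differs, so PE2 hands each packet to the right customer; and a destination absent from a customer's VRF is dropped at PE1 rather than falling back to any other table.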

  18. Scalability Problems
  • Lots of customers leads to explosion of routing tables
  • How to ensure that no single router needs to carry state for all customers?

  19. Other Uses for MPLS/Tunneling
  • Reducing state in network core
    • Internal routers no longer need paths for every destination
  • Traffic engineering
    • Can shift traffic based on virtual circuits, not just destination prefixes

  20. Open Research Questions
  • Static configuration analysis for enforcing isolation and other security policies
    • Easier, in some sense, since security (reachability) policies are likely easier to encode
