Layer-3 VPNs

Page Links: Overview, Overlap, Operation

Overview

  • RFC 2547bis → RFC 4364
  • In order to build reachability information regarding customer networks, the PE routers exchange routes with the CE routers (typically via BGP).
  • These routes propagate to other PE routers in th same VPN via BGP.
  • The P routers never learn these customer routes as they just need to label switch packet.
  • The PE routers will advertise routes learnt from other PE routers within that VPN to any CE routers directly connected in that VPN.
  • Goals:
    • support globally unique addresses at the customer.
    • support private non-unique (i.e. overlapping) addresses at the customer.
    • support overlapping VPNs (i.e. one site belonging to more than one VPN).

Overlapping Addresses

  • Solved using Virtual Routing & Forwarding (VRF) tables.
  • One VRF per VPN (i.e. per site connected to the PE → unique VPN sites).
  • Overlapping VPN site has its own VRF consisting of routes from all member VPNs.
  • To identify overlapping routes (any routes), an 8 octet RD is prepended to each prefix:
    • 8 octet RD + 4 octet IP = 12 octet address → VPN-IPv4 address family.
    • MP-BGP is used to carry VPN-IPv4 addresses.
  • To prevent a PE router from accepting routes of VPNs that it doesn't carry, BGP extended communities are used.  The attribute Route Target (RT) is included with the advertised routes.  This unique value indicates which VPN the route belongs to, and must match the RT of one of its configured VPNs for the route to be accepted.

Operation

  • When advertising a VPN-IPv4 route, the PE also includes an MPLS label (representing the route) in the BGP message and sets the BGP NEXT HOP to itself.
  • The provider network is MPLS enabled, and any PE should be able to reach any other PE via an LSP (which is created by LDP or RSVP).
  • A PE will encapsulate an IP packet in two MPLS labels:
    • the outer one for the LSP leading to the BGP NEXT HOP.
    • the inner one for the destination (learnt via BGP from the peer).
  • The egress PE pops the outer label, looks at the inner label (which uniquely identifies the destination), and it is the popped before forwarding to the CE router.
 Layer 2 Header
Label 1
(for the LSP)
Label 2
(for the destination network)
IP packet

ą
Robert Larsen,
19 Jan 2010, 18:23
ċ
MPLSLayer3VPNs.vsd
(1630k)
Robert Larsen,
19 Jan 2010, 18:23