Thursday, April 12, 2012

MPLS VPN Data Plane


  • To support the forwarding of packets,
    • ingress PEs need appropriate FIB entries,
    • Ps & PEs need appropriate LFIB entries.
  • The outer label identifies the segments of the LSP between the ingress PE & the egress PE,
    • but it doesn't identify how the egress PE should forward the packet.
  • The inner label identifies the egress PE's forwarding details, in particular the outgoing interface for the unlabeled packet.
  • Building the Inner (VPN) label:
    • The inner label is called the VPN label.
    • A VPN label must be allocated for each route added to each customer VRF.
    • More specifically, a CE will advertise routes to the PE,
      • and the PE stores these routes in the corresponding customer's VRF.
    • In order to prepare to forward packets to those customer subnets,
      • the PE needs to allocate a new local label.
      • The PE associates that local label with the prefix, the route's next-hop IP address & the outgoing interface, & stores this information in the LFIB.
  • Steps in which LSRs use the FIB & LFIB when using MPLS VPNs:
    • An unlabeled packet arrives on an interface assigned to a VRF,
      • which causes the ingress PE to use that VRF's FIB to make a forwarding decision.
    • The ingress PE's VRF FIB entry shows the outgoing interface for the destination IP &
      • adds a label stack with 2 labels:
        • an inner label (having the original destination IP address)
        • an outer label
      • Then the ingress PE forwards the packet to the next P.
    • Each P uses the LFIB entry for the incoming label (the outer label) & swaps this label.
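
The forwarding steps above, traced as an added example (not part of the original notes). All label values, router and interface names are constructed, and the last P is assumed to swap the outer label rather than pop it.

```python
import ipaddress

# Constructed sample tables; labels, routers and interfaces are made up.
# Ingress PE: per-VRF FIB, prefix -> (inner VPN label, outer label, next P)
PE1_VRF_FIB = {
    "cust-A": {"10.3.3.0/24": (3001, 2001, "P1")},
    "cust-B": {"10.3.3.0/24": (3002, 2001, "P1")},  # same prefix, other VRF
}
# P routers: LFIB keyed by incoming outer label -> (outgoing label, next router)
P_LFIB = {
    "P1": {2001: (2002, "P2")},
    "P2": {2002: (2003, "PE2")},
}
# Egress PE: VPN label -> outgoing interface for the unlabeled packet
PE2_OUTER_LABEL = 2003
PE2_VPN_LFIB = {3001: "Serial0/0 (CE-A2)", 3002: "Serial0/1 (CE-B2)"}


def ingress_pe(vrf, dst_ip):
    """FIB lookup in the VRF of the arriving interface, then push two labels."""
    dst = ipaddress.ip_address(dst_ip)
    matches = [(ipaddress.ip_network(p), entry)
               for p, entry in PE1_VRF_FIB[vrf].items()
               if dst in ipaddress.ip_network(p)]
    if not matches:
        raise LookupError(f"no route for {dst_ip} in VRF {vrf}")
    # Longest-prefix match picks the FIB entry.
    _, (inner, outer, next_hop) = max(matches, key=lambda m: m[0].prefixlen)
    return [outer, inner], next_hop  # label stack, top of stack first


def forward(vrf, dst_ip):
    """Return (per-hop label stacks, outgoing interface on the egress PE)."""
    stack, router = ingress_pe(vrf, dst_ip)
    hops = [("PE1", list(stack))]
    while router in P_LFIB:  # P routers look only at the outer label
        out_label, next_router = P_LFIB[router][stack[0]]
        stack[0] = out_label  # swap; the inner label is never touched
        hops.append((router, list(stack)))
        router = next_router
    if stack[0] != PE2_OUTER_LABEL:
        raise LookupError("outer label does not terminate on PE2")
    # Egress PE removes the outer label and forwards on the inner label alone.
    return hops, PE2_VPN_LFIB[stack[1]]
```

The two customers use the same destination prefix and the same outer label, so only the inner label keeps their traffic apart on the egress PE.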

MPLS VPN Configuration


  • Main steps in configuring an MPLS VPN:
    • Creating each VRF, RD, & RT, plus associating the customer-facing PE interfaces with the correct VRF
    • Configuring the IGP between PE & CE
    • Configuring mutual redistribution between the IGP & BGP
    • Configuring MP-BGP between PEs

  • VPNs are configured on PE routers only.
    • The customer routers do not need to know about VPNs.
    • P routers do not need to know about the MPLS VPN features.
  • VRFs allow PEs to store routes learned from various CEs, even if the prefixes overlap.
  • RD allows PEs to store routes as unique prefixes.
  • RT tells the PEs which routes should be added to each VRF
    • which provides greater control & ability to allow sites to be reachable from multiple VPNs.
  • VRF configuration on a PE uses the following commands:
    • Configure the VRF using command:
      • ip vrf <vrf-name>
    • Configure the RD under VRF sub-command using
      • rd <rd-value>
    • Configure the RT under VRF sub-command using
      • route-target {import|export} <rt-value>
    • Associate an interface with the VRF under interface sub-command using
      • ip vrf forwarding <vrf-name>
  • Each VRF has:
    • One RD
    • At least one import & one export route target (RT).
  • If we give a unique RD to every VRF, the problem of overlapping prefixes is overcome.
  • Configuring the IGP between PE & CE:
    • Configure a routing protocol between PE & CE.
    • This allows the PE router to learn the customer routes & the CE to learn the other customer routes that the PE learned from other PEs in the MPLS cloud.
    • Any IGP or even BGP can be used as the routing protocol.
    • Show Commands:
      • sh ip route vrf cust-A
        • shows the connected routes on the PE router & the routes learned from the CE.
  • Configuring Redistribution between PE-CE IGP & MP-BGP
    • At this point the PEs have no ability to advertise these customer routes across the MPLS VPN cloud.
    • So redistribute the IGP-learned routes from the CE into the BGP table, which contains the other CE routes learned from the remaining PEs, & vice versa.
    • 2 methods to add new routes to the BGP table are
      • Using network command
      • Redistribution
    • The BGP network command works well when adding a small number of predictable prefixes.
    • The redistribution process works best when
      • the prefixes are not predictable
      • there may be a large number of prefixes, etc.
    • So MPLS VPN BGP configurations use the redistribution process for adding new routes.
    • MPLS VPN mutual redistribution configuration requires that both the IGP & BGP be told the specific VRF.
    • Redistribution command under the IGP & BGP process is
      • address-family ipv4 vrf <vrf-name>
  • Configuring MP-BGP between PEs
    • To configure each peer, some commands are the same as in normal BGP in non-MPLS configurations & others occur inside a new VPNv4 address family.
    • Comparing MPLS VPN BGP & traditional BGP configuration:
      • The PE neighbors are defined under the main BGP process, not for a particular address family.
      • In MPLS VPN designs a loopback is used as the update source on the PE routers.
        • In that case, the neighbor update-source command is also under the main BGP process.
      • The PE neighbors are then activated, using the neighbor activate command, under the VPNv4 address family process (address-family vpnv4).
      • BGP must be told to send the community PA, using the neighbor send-community command, under the address-family vpnv4 command.
      • The VPNv4 address family does not refer to any particular VRF.
      • There is no need for an iBGP neighbor per VRF on each remote VRF.
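
The RD and RT behaviour described in this section, modelled as an added example (not part of the original notes): the RD keeps overlapping prefixes unique, the RTs decide which VRFs install a route, and a small check lists imports that cross from one VRF into another. VRF names, RD/RT values, prefixes and the `allowed` parameter are constructed for illustration.

```python
# Constructed sample: VRF names, RD and RT values, and prefixes are made up.
PE_VRFS = {
    "PE1": {
        "cust-A": {"rd": "1:111", "export": {"1:100"}, "import": {"1:100"}},
        "cust-B": {"rd": "2:222", "export": {"2:200"}, "import": {"2:200"}},
    },
    "PE2": {
        "cust-A": {"rd": "1:111", "export": {"1:100"}, "import": {"1:100"}},
        # Weak setting: cust-B also imports cust-A's RT.
        "cust-B": {"rd": "2:222", "export": {"2:200"},
                   "import": {"2:200", "1:100"}},
    },
}
# Routes redistributed from the PE-CE IGP into BGP on PE1 (overlapping prefix).
PE1_ROUTES = {"cust-A": ["10.1.1.0/24"], "cust-B": ["10.1.1.0/24"]}


def export_vpnv4(pe, routes):
    """Prepend the VRF's RD to each prefix and attach the VRF's export RTs."""
    updates = []
    for vrf, prefixes in routes.items():
        cfg = PE_VRFS[pe][vrf]
        for prefix in prefixes:
            updates.append({"vpnv4": f"{cfg['rd']}:{prefix}",
                            "rts": set(cfg["export"]), "from_vrf": vrf})
    return updates


def import_routes(pe, updates):
    """Install an update into every VRF whose import RTs match one of its RTs."""
    tables = {vrf: [] for vrf in PE_VRFS[pe]}
    for u in updates:
        for vrf, cfg in PE_VRFS[pe].items():
            if u["rts"] & cfg["import"]:
                tables[vrf].append(u["vpnv4"])
    return tables


def cross_vpn_imports(pe, updates, allowed=frozenset()):
    """List (from_vrf, into_vrf, vpnv4) imports between VRFs not in allowed."""
    found = []
    for u in updates:
        for vrf, cfg in PE_VRFS[pe].items():
            crosses = vrf != u["from_vrf"] and bool(u["rts"] & cfg["import"])
            if crosses and (u["from_vrf"], vrf) not in allowed:
                found.append((u["from_vrf"], vrf, u["vpnv4"]))
    return found
```

Passing the intended shared-service pairs in `allowed` leaves only unplanned imports in the result.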




Loopback Address in MPLS


  • Enable Loopback interfaces on all P & PE routers.
  • These loopback addresses must be in the core IGP.
  • Establish MP-BGP sessions with these loopback addresses on all PE routers.
  • These loopback interfaces will be used & referred to as the BGP next-hop address, which carries MPLS VPN traffic.
  • A BGP next-hop address must be an IGP route.