01-02 BGP MPLS IP VPN Configuration.pdf
CloudEngine 12800&12800E Series Switches Configuration Guide - VPN

2 BGP/MPLS IP VPN Configuration

Issue 05 (2019-03-05) Copyright © Huawei Technologies Co., Ltd.

About This Chapter

This chapter describes how to configure BGP/MPLS IP VPN. BGP/MPLS IP VPN enables an enterprise to implement secure interconnection between its headquarters and branches.

2.1 Overview of BGP/MPLS IP VPN
2.2 Understanding BGP/MPLS IP VPN
2.3 Application Scenarios for BGP/MPLS IP VPN
2.4 Summary of BGP/MPLS IP VPN Configuration Tasks
2.5 Licensing Requirements and Limitations for BGP/MPLS IP VPN
2.6 Default Settings for BGP/MPLS IP VPN
2.7 Configuring Basic BGP/MPLS IP VPN Functions
2.8 Configuring the Hub and Spoke
2.9 Configuring Inter-AS VPN Option A
2.10 Configuring Inter-AS VPN Option B
2.11 Configuring Inter-AS VPN Option C
2.12 Configuring an MCE Device
2.13 Configuring Route Reflection to Optimize the VPN Backbone Layer
2.14 Configuring Route Reflection to Optimize the VPN Access Layer
2.15 Configuring Load Balancing Among IPv4 VPN Routes on the Backbone Network
2.16 Configuring IPv4 Route Import Between Instances
2.17 Configuring IP FRR for VPN Routes
2.18 Configuring VPN FRR
2.19 Configuring VPN GR Helper
2.20 Configuring and Applying a Tunnel Policy
2.21 Connecting a VPN to the Internet
2.22 Maintaining BGP/MPLS IP VPN
2.23 Configuration Examples for BGP/MPLS IP VPN

2.1 Overview of BGP/MPLS IP VPN

Definition

A BGP/MPLS IP VPN is a Layer 3 virtual private network (L3VPN). It uses the Border Gateway Protocol (BGP) to advertise VPN routes and Multiprotocol Label Switching (MPLS) to forward VPN packets on backbone networks. Internet Protocol (IP) in BGP/MPLS IP VPN refers to the IP packets carried by the VPN. Figure 2-1 shows the BGP/MPLS IP VPN model.
Figure 2-1 BGP/MPLS IP VPN model (figure: CE devices at VPN 1 and VPN 2 sites connect to PE devices at the edge of the IP/MPLS backbone; P devices form the backbone core)

The BGP/MPLS IP VPN model consists of the following entities:

- Customer Edge (CE): a device that is deployed at the edge of a customer network and has interfaces directly connected to the service provider (SP) network. A CE device can be a router, a switch, or a host. Generally, CE devices are not aware of VPNs and do not need to support MPLS.
- Provider Edge (PE): a device that is deployed at the edge of an SP network and directly connected to one or more CE devices. On an MPLS network, PE devices process all VPN services and must have high performance.
- Provider (P): a backbone device that is deployed on an SP network and is not directly connected to CE devices. P devices only need to provide basic MPLS forwarding capabilities and do not maintain VPN information.

PE and P devices are managed by SPs. CE devices are managed by customers unless SPs are authorized to manage them.

One PE device can connect to one or more CE devices. One CE device can connect to one or more PE devices of the same or different SPs.

Purpose

A traditional VPN sets up full-mesh tunnels or permanent virtual circuits (PVCs) between all sites to forward VPN data. This method makes networks difficult to maintain and expand. When a new site is added to an established VPN, a network administrator must modify the configuration of all edge nodes connected to this site.

A BGP/MPLS IP VPN uses a peer model that enables SPs and customers to exchange routing information. The SPs are responsible for forwarding customer data, without requiring customer participation. A BGP/MPLS IP VPN is more scalable and easier to manage than a traditional VPN.
When a new site is added, a network administrator only needs to modify the configuration of the edge nodes serving the new site. BGP/MPLS IP VPN supports overlapping address spaces and overlapping VPNs. This enables VPNs to be flexibly deployed and expanded. In addition, BGP/MPLS IP VPN supports MPLS quality of service (QoS) and MPLS Traffic Engineering (TE). These advantages allow IP network carriers to provide a wide range of value-added services, and have resulted in BGP/MPLS IP VPN being widely used.

2.2 Understanding BGP/MPLS IP VPN

2.2.1 Basic Concepts of BGP/MPLS IP VPN

Site

In VPN technology, a site is an important concept. The following describes the different aspects of a site:

- A site is a group of IP systems with IP connectivity that does not require the use of SP networks. Figure 2-2 shows an example of three sites. The left side of the figure shows two sites: the headquarters network of company X in city A is a site, and the branch network of company X in city B is another site. IP devices can communicate within each site without using the carrier network.

Figure 2-2 Sites (figure: on the left, "Two sites": Site A, the headquarters of X company in City A, and Site B, the branch of X company in City B, each connect to the carrier's network through their own CE; on the right, "One site": the branch is joined to the headquarters through a router, and only the headquarters CE connects to the carrier's network, forming Site X)

- Sites are defined by the topology between devices, not by their geographic locations. However, in most cases, devices in a site are geographically adjacent to each other. Two geographically separated IP systems can also compose a site if they are connected through leased lines and can communicate without the use of the carrier network. On the right of Figure 2-2, the branch network in city B connects to the headquarters network in city A through leased lines rather than through a carrier network.
The branch network and the headquarters network therefore compose a single site.

- The devices in a site may belong to multiple VPNs. That is, a site may belong to more than one VPN. As shown in Figure 2-3, the decision-making department of company X in city A (Site A) is allowed to communicate with the R&D department in city B (Site B) and the financial department in city C (Site C). Site B and Site C are not allowed to communicate with each other. In this case, two VPNs, VPN1 and VPN2, can be established. Site A and Site B belong to VPN1; Site A and Site C belong to VPN2. Site A belongs to two VPNs.

Figure 2-3 One site belonging to multiple VPNs (figure: Site A, the X Company decision-making department in City A; Site B, the X Company R&D department in City B; and Site C, the X Company financial department in City C, each connect to the carrier's network through a CE; VPN 1 covers Site A and Site B, VPN 2 covers Site A and Site C)

- A site connects to a carrier network through CE devices, and a site may have more than one CE device. However, a CE device belongs to only one site. CE devices are selected according to the site: if a site is a host, the host is the CE device of the site; if a site is a subnet, switches are used as CE devices; if a site has multiple subnets, routers are used as CE devices.

Sites connected to the same carrier network can be grouped into different sets using policies. Only sites that belong to the same set (for example, a VPN) can communicate with each other through the carrier network.

Address Space Overlapping

As a private network, each VPN manages an address space. Address spaces of different VPNs may overlap. For example, if both VPN1 and VPN2 use addresses on the network segment 10.110.10.0/24, their address spaces overlap. VPNs can use overlapping address spaces in the following situations:

- Two VPNs do not cover the same site.
- Two VPNs cover the same site, but devices in the site do not need to communicate with the devices using the overlapping address spaces in the VPNs.

VPN Instance

In BGP/MPLS IP VPN implementation, routes of different VPNs are isolated by VPN instances. A PE device establishes and maintains a VPN instance for each directly connected site. A VPN instance contains the VPN member interfaces and routes of the corresponding site.

Specifically, the information in a VPN instance includes the IP routing table, label forwarding table, interfaces bound to the VPN instance, and VPN instance management information. VPN instance management information includes the route distinguisher (RD), route filtering policy, and member interface list of the VPN instance.

The relationships between VPNs, sites, and VPN instances are as follows:

- A VPN consists of multiple sites. A site may belong to multiple VPNs.
- A site is associated with a VPN instance on a PE device. A VPN instance integrates the VPN members and routing policies of the associated site. Multiple sites compose a VPN based on the rules of the VPN instances.
- VPN instances are not mapped to VPNs on a one-to-one basis, whereas VPN instances are mapped to sites on a one-to-one basis.

A VPN instance is also called a VPN routing and forwarding table (VRF). A PE device has multiple routing and forwarding tables, including a public routing and forwarding table and one or more VRFs. Figure 2-4 shows VPN instances.

Figure 2-4 VPN instances (figure: on a PE at the edge of the IP/MPLS backbone, the CE of Site1 is bound to the VPN1 VPN-instance and the CE of Site2 to the VPN2 VPN-instance; the PE also holds the public forwarding table)

A public routing and forwarding table and a VRF differ in the following aspects:

- A public routing table contains the IPv4 routes of all the PE and P devices.
  The routes are static routes or dynamic routes generated by routing protocols on the backbone network.
- A VPN routing table contains the routes of all sites that belong to a VPN instance. The routes are obtained through the exchange of VPN routing information between PE devices or between CE and PE devices.
- Information in a public forwarding table is extracted from the public routing table according to route management policies, whereas information in a VPN forwarding table is extracted from the corresponding VPN routing table.

VPN instances on a PE device are independent of each other, and each maintains a VRF that is independent of the public routing and forwarding table. Each VPN instance can be considered a virtual device that maintains an independent address space and connects to VPNs through its interfaces.

RD and VPN-IPv4 Address

Traditional BGP cannot process VPN routes with overlapping address spaces. For example, VPN1 and VPN2 both use addresses on the network segment 10.110.10.0/24, and each advertises a route to this network segment. The local PE device can tell the routes apart based on VPN instances. However, when the routes are advertised to the remote PE device, BGP selects only one of the two routes, because load balancing is not performed between routes of different VPNs. Therefore, the other route is lost.

To address the preceding issue, PE devices use Multiprotocol Extensions for BGP-4 (MP-BGP) to advertise VPN routes and use the VPN-IPv4 address. A VPN-IPv4 address has 12 bytes. The first eight bytes represent the RD, and the last four bytes represent the IPv4 address prefix, as shown in Figure 2-5.
Figure 2-5 VPN-IPv4 address (figure: Route Distinguisher (8-Byte), consisting of a Type Field (2-Byte), an Administrator Subfield and an Assigned Number Subfield, followed by the IPv4 Address Prefix (4-Byte))

RDs distinguish IPv4 prefixes with the same address space. IPv4 addresses with RDs are VPN-IPv4 addresses (VPNv4 addresses). After receiving IPv4 routes from a CE device, a PE device converts the routes into globally unique VPN-IPv4 routes and advertises them on the public network.

The format of RDs enables SPs to allocate RDs independently. When a CE device is dual-homed to PE devices, the RD must be globally unique to ensure correct routing. As shown in Figure 2-6, a CE device is dual-homed to PE1 and PE2. PE1 also functions as a route reflector (RR).

Figure 2-6 Networking diagram of CE dual-homing (figure: a CE in a VPN site with the prefix 10.1.1.1/8 is dual-homed to PE1 (RR) and PE2 on the IP/MPLS backbone; PE3 is another PE on the backbone)

PE1 is an edge device of the backbone network and advertises a VPN-IPv4 route with the IPv4 prefix 10.1.1.1/8 to PE3. As PE1 functions as an RR, it also reflects a VPN-IPv4 route with the IPv4 prefix 10.1.1.1/8 from PE2 to PE3.

- If the VPN has the same RD on PE1 and PE2, PE3 retains only one VPN-IPv4 route to 10.1.1.1/8 (PE3 -> PE1 -> CE) because the two routes have the same destination address.
- If the direct link between PE1 and the CE then becomes faulty, PE3 deletes the VPN-IPv4 route to 10.1.1.1/8. As a result, VPN data destined for 10.1.1.1/8 cannot be forwarded to the destination, even though another path to 10.1.1.1/8, PE3 -> PE1 -> PE2 -> CE, exists.
- If the VPN has different RDs on PE1 and PE2, the VPN-IPv4 routes to 10.1.1.1/8 that PE3 receives from PE1 have different destination addresses. Therefore, PE3 stores both VPN-IPv4 routes. If either of the links from the CE becomes faulty, PE3 deletes the corresponding route and retains the other one.
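As an added illustration (not code from the Huawei guide), the following Python builds the 12-byte VPN-IPv4 address of Figure 2-5 and models PE3's route table in the dual-homing case of Figure 2-6, showing that the two routes collapse into one entry when PE1 and PE2 use the same RD and survive as two entries when the RDs differ. It assumes a type-0 RD layout (2-byte type, 2-byte AS-number administrator subfield, 4-byte assigned-number subfield, as in RFC 4364), which the guide does not spell out, and the RD values 100:1 and 100:2 are constructed.

```python
import ipaddress
import struct


def encode_rd(rd: str) -> bytes:
    """Encode 'ASN:number' as a type-0 route distinguisher (8 bytes):
    2-byte type (0), 2-byte administrator (AS number), 4-byte assigned number.
    Layout assumed from RFC 4364; the guide only names the subfields."""
    admin, assigned = (int(x) for x in rd.split(":"))
    return struct.pack("!HHI", 0, admin, assigned)


def vpnv4_address(rd: str, prefix: str) -> bytes:
    """12-byte VPN-IPv4 address: 8-byte RD followed by the 4-byte IPv4 prefix
    (the network address, so 10.1.1.1/8 is carried as 10.0.0.0)."""
    net = ipaddress.ip_network(prefix, strict=False)
    return encode_rd(rd) + net.network_address.packed


def decode_vpnv4(addr: bytes):
    """Split a 12-byte VPN-IPv4 address back into ('ASN:number', 'a.b.c.d')."""
    if len(addr) != 12:
        raise ValueError("VPN-IPv4 address must be 12 bytes")
    rd_type, admin, assigned = struct.unpack("!HHI", addr[:8])
    if rd_type != 0:
        raise ValueError("only type-0 RDs are modelled here")
    return f"{admin}:{assigned}", str(ipaddress.IPv4Address(addr[8:]))


def pe3_table(advertisements):
    """Model PE3's VPNv4 table the way BGP keys it: one entry per distinct
    VPN-IPv4 address. advertisements is a list of (rd, prefix, path); two
    routes with the same RD and prefix collapse into one entry (first wins)."""
    table = {}
    for rd, prefix, path in advertisements:
        table.setdefault(vpnv4_address(rd, prefix), path)
    return table


def paths_after_failure(advertisements, failed_path):
    """Paths PE3 still holds once the route learnt over failed_path is deleted."""
    return [p for p in pe3_table(advertisements).values() if p != failed_path]


# Constructed sample (not from the guide): the CE of Figure 2-6 is dual-homed
# to PE1 (the RR) and PE2; PE3 learns both routes to 10.1.1.1/8 via PE1.
SAME_RD = [("100:1", "10.1.1.1/8", "PE3 -> PE1 -> CE"),
           ("100:1", "10.1.1.1/8", "PE3 -> PE1 -> PE2 -> CE")]
DIFFERENT_RD = [("100:1", "10.1.1.1/8", "PE3 -> PE1 -> CE"),
                ("100:2", "10.1.1.1/8", "PE3 -> PE1 -> PE2 -> CE")]

if __name__ == "__main__":
    print(vpnv4_address("100:1", "10.1.1.1/8").hex())
    print(len(pe3_table(SAME_RD)), "route kept with the same RD")
    print(len(pe3_table(DIFFERENT_RD)), "routes kept with different RDs")
    print("after PE1-CE link failure:",
          paths_after_failure(SAME_RD, "PE3 -> PE1 -> CE"),
          paths_after_failure(DIFFERENT_RD, "PE3 -> PE1 -> CE"))
```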
Using different RDs thus ensures that data destined for 10.1.1.1/8 can continue to be correctly forwarded.

VPN Target

A VPN target, also called the route target (RT), is a BGP extended community attribute. BGP/MPLS IP VPN uses VPN targets to control VPN route advertisement. A VPN instance is associated with one or more VPN target attributes. VPN target attributes are classified into the following types:

- Export target: After learning IPv4 routes from directly connected sites, a PE device converts the routes to VPN-IPv4 routes and sets the export target attribute on them. The export target attribute is advertised with the routes as a BGP extended community attribute.
- Import target: After receiving VPN-IPv4 routes from other PE devices, a PE device checks the export target attribute of the routes. If the export target is the same as the import target of a VPN instance on the local PE device, the local PE device adds the route to that VPN routing table.

BGP/MPLS IP VPN uses VPN targets to control the advertisement and receiving of VPN routes between sites. VPN export targets are independent of import targets. An export target and an import target can each be configured with multiple values to implement flexible VPN access control and VPN networking. For example, if the import target of a VPN instance contains 100:1, 200:1, and 300:1, any route whose export target is 100:1, 200:1, or 300:1 is added to the routing table of the VPN instance.

2.2.2 BGP/MPLS IP VPN Fundamentals

This section describes BGP/MPLS IP VPN fundamentals:

- VPN Label Distribution
- VPN Route Cross
- Public Network Tunnel Iteration
- VPN Route Selection Rules
- Route Advertisement in BGP/MPLS IP VPN
- Packet Forwarding in BGP/MPLS IP VPN

VPN Label Distribution

Before advertising private routes to other PE devices on the backbone network through MP-BGP, a PE device must assign MPLS labels (VPN labels) to the private routes. Packets transmitted over the backbone network carry these MPLS labels.
A PE device distributes MPLS labels in either of the following ways:

- One label per route: Each route in a VRF is assigned one label. If a network contains a large number of routes, the Incoming Label Map (ILM) must maintain a large number of entries. In this case, the device capacity must be large enough to accommodate all entries.
- One label per instance: Each VPN instance is assigned one label. All the routes of a VPN instance share the same label, conserving label resources.

VPN Route Cross

The routes exchanged between two PE devices through MP-BGP are VPNv4 routes. A PE device checks received VPNv4 routes and drops the following routes:

- VPNv4 routes with unreachable next hops
- VPNv4 routes received from an RR with the cluster_id of the PE device in the cluster_list
- VPNv4 routes that are denied by the BGP routing policy

The PE device matches the remaining routes against the import targets of the local VPN instances. This matching process is called VPN route cross.

Some routes sent from local CE devices belong to different VPNs. The PE device also matches these routes against the import targets of the local VPN instances if the routes have reachable next hops or can be iterated. This matching process is called local VPN route cross. For example, CE1 resides in a site of VPN1, and CE2 resides in a site of VPN2. Both CE1 and CE2 connect to PE1. When PE1 receives routes of VPN1 from CE1, PE1 also matches the routes against the import target of the VPN2 instance.

NOTE
To correctly forward a packet, a BGP-enabled device must discover a directly reachable address through which the packet can be forwarded to the next hop in the routing table. The route to the directly reachable address is called a dependent route, because BGP depends on this route to guide packet forwarding.
The process of discovering a dependent route based on the next-hop address is called route iteration.

Public Network Tunnel Iteration

To transmit private network traffic across a public network, tunnels need to be established on the public network. After VPN route cross is complete, PE devices perform route iteration based on destination IPv4 prefixes to discover the appropriate tunnels (except for local cross routes). Tunnel iteration is then performed: the process of iterating routes to their corresponding tunnels is called tunnel iteration, and the routes are injected into the VPN routing table only after tunnel iteration succeeds.

After tunnel iteration succeeds, tunnel IDs are reserved for subsequent packet forwarding. A tunnel ID identifies a tunnel. In VPN packet forwarding, the PE devices search for tunnels based on tunnel IDs.

VPN Route Selection Rules

Not all the cross routes processed by tunnel iteration are injected into VPN routing tables. Similarly, neither all the routes received from local CE devices nor all the local cross routes are injected into VPN routing tables.

When multiple routes to the same destination are available and load balancing is not configured, a PE device selects one route based on the following rules:

- If a route received from a local CE device and a cross route are destined for the same destination, the PE device selects the route received from the local CE device.
- If a local cross route and a cross route received from another PE device are destined for the same destination, the PE device selects the local cross route.
When multiple routes to the same destination are available and load balancing is configured, the PE device selects routes based on the following rules:

- If one route from a local CE device and multiple cross routes exist, the PE device selects the route from the local CE device.
- The PE device performs load balancing between the routes from the local CE device or between the cross routes. The PE device does not perform load balancing between routes from the local CE device and cross routes.
- The AS_Path attributes of the routes participating in load balancing must be the same.

Route Advertisement in BGP/MPLS IP VPN

In basic BGP/MPLS IP VPN applications, CE and PE devices are responsible for advertising VPN routes. Conversely, P devices only need to maintain routes of the backbone network without knowing the VPN routes. Generally, PE devices maintain all VPN routes. VPN routes are advertised from ...
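As an added model (not code from the Huawei guide), the following Python implements the import-target matching described under "VPN Target" and "VPN Route Cross" together with the VPN route selection rules above, for a single PE: unusable VPNv4 routes are dropped, survivors are imported into every instance whose import targets intersect their export targets (the 100:1, 200:1, 300:1 example from the text), and per destination a local CE route beats a local cross route, which beats a remote cross route; with load balancing, routes are balanced only within one class and only when their AS_Path matches. The dict layout, the constructed routes and next hops, and the pooling of local and remote cross routes for load balancing are assumptions of this model.

```python
from collections import defaultdict

# Route sources in order of preference when load balancing is off:
# local CE route > local cross route > cross route received from another PE.
SOURCE_RANK = {"local-ce": 0, "local-cross": 1, "remote-cross": 2}


def vpn_route_cross(vpnv4_routes, vpn_instances, reachable_next_hops):
    """Drop unusable VPNv4 routes, then match each survivor's export targets
    against every local instance's import targets. Returns {instance: [routes]};
    a route matching several instances is imported into each of them."""
    imported = defaultdict(list)
    for route in vpnv4_routes:
        if route["next_hop"] not in reachable_next_hops:
            continue  # next hop unreachable: route dropped
        if route.get("denied_by_policy"):
            continue  # denied by the BGP routing policy: route dropped
        for name, import_targets in vpn_instances.items():
            if set(route["export_targets"]) & set(import_targets):
                imported[name].append(route)
    return dict(imported)


def select_routes(candidates, load_balancing=False):
    """Choose the route(s) installed for one destination in one VPN instance."""
    ranked = sorted(candidates, key=lambda r: SOURCE_RANK[r["source"]])
    if not load_balancing:
        return ranked[:1]
    # Never balance between local CE routes and cross routes: a local CE route
    # is used alone; otherwise the cross routes form one pool (pooling local
    # and remote cross routes together is an assumption of this model).
    local_ce = [r for r in ranked if r["source"] == "local-ce"]
    pool = local_ce or ranked
    # Only routes sharing the AS_Path of the best route take part.
    return [r for r in pool if r["as_path"] == pool[0]["as_path"]]


# Constructed sample data (not from the guide). vpn1 imports 100:1, 200:1 and
# 300:1 as in the text; r4 has an unreachable next hop and r5 is policy-denied.
VPN_INSTANCES = {"vpn1": ["100:1", "200:1", "300:1"], "vpn2": ["200:1"]}
REACHABLE = {"192.0.2.2", "192.0.2.3", "192.0.2.4"}


def route(rid, rt, nh, source="remote-cross", as_path=(65001,), denied=False):
    """Build one VPNv4 route to 10.110.10.0/24 (helper for the sample data)."""
    return {"id": rid, "prefix": "10.110.10.0/24", "export_targets": [rt],
            "next_hop": nh, "source": source, "as_path": as_path,
            "denied_by_policy": denied}


VPNV4_ROUTES = [route("r1", "100:1", "192.0.2.2"),
                route("r2", "200:1", "192.0.2.3"),
                route("r3", "400:1", "192.0.2.4"),
                route("r4", "300:1", "192.0.2.9"),
                route("r5", "200:1", "192.0.2.2", denied=True)]
LOCAL_CE = route("ce", "100:1", "10.110.10.1", source="local-ce", as_path=())
LOCAL_CROSS = route("lx", "200:1", "10.110.20.1", source="local-cross")
```

Running `vpn_route_cross(VPNV4_ROUTES, VPN_INSTANCES, REACHABLE)` imports r1 and r2 into vpn1 and only r2 into vpn2; r3 matches no instance and r4 and r5 are dropped before matching.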