You've reached the end of your free preview.
Want to read all 261 pages?
Unformatted text preview: CloudEngine 12800&12800E Series Switches
Configuration Guide - VPN 2 2 BGP/MPLS IP VPN Configuration BGP/MPLS IP VPN Configuration About This Chapter
This chapter describes how to configure BGP/MPLS IP VPN. BGP/MPLS IP VPN enables
enterprises to implement secure interconnection between its headquarters and branches.
2.1 Overview of BGP/MPLS IP VPN
2.2 Understanding BGP/MPLS IP VPN
2.3 Application Scenarios for BGP/MPLS IP VPN
2.4 Summary of BGP/MPLS IP VPN Configuration Tasks
2.5 Licensing Requirements and Limitations for BGP/MPLS IP VPN
2.6 Default Settings for BGP/MPLS IP VPN
2.7 Configuring Basic BGP/MPLS IP VPN Functions
2.8 Configuring the Hub and Spoke
2.9 Configuring Inter-AS VPN Option A
2.10 Configuring Inter-AS VPN Option B
2.11 Configuring Inter-AS VPN Option C
2.12 Configuring an MCE Device
2.13 Configuring Route Reflection to Optimize the VPN Backbone Layer
2.14 Configuring Route Reflection to Optimize the VPN Access Layer
2.15 Configuring Load Balancing Among IPv4 VPN Routes on the Backbone Network
2.16 Configuring IPv4 Route Import Between Instances
2.17 Configuring IP FRR for VPN Routes
2.18 Configuring VPN FRR
2.19 Configuring VPN GR Helper
Issue 05 (2019-03-05) Copyright © Huawei Technologies Co., Ltd. 75 CloudEngine 12800&12800E Series Switches
Configuration Guide - VPN 2 BGP/MPLS IP VPN Configuration 2.20 Configuring and Applying a Tunnel Policy
2.21 Connecting a VPN to the Internet
2.22 Maintaining BGP/MPLS IP VPN
2.23 Configuration Examples for BGP/MPLS IP VPN 2.1 Overview of BGP/MPLS IP VPN
Definition
A BGP/MPLS IP VPN is a Layer 3 virtual private network (L3VPN). It uses the Border
Gateway Protocol (BGP) to advertise VPN routes and uses Multiprotocol Label Switching
(MPLS) to forward VPN packets on backbone networks. Internet Protocol (IP) in BGP/MPLS
IP VPN indicates IP packets carried by the VPN.
Figure 2-1 shows the BGP/MPLS IP VPN model.
Figure 2-1 BGP/MPLS IP VPN model
CE
VPN 1
Site IP/MPLS
Backbone
P
CE P VPN 2
Site
PE PE
P P PE
CE CE VPN 1
Site VPN 2
Site The BGP/MPLS IP VPN model consists of the following entities:
l Customer Edge (CE): a device that is deployed at the edge of a customer network and
has interfaces directly connected to the service provider (SP) network. A CE device can
be a router, a switch, or a host. Generally, CE devices do not detect VPNs and do not
need to support MPLS. l Provider Edge (PE): a device that is deployed at the edge of an SP network and directly
connected to one or more CE devices. On an MPLS network, PE devices process all
VPN services and must have high performance. l Provider (P): a backbone device that is deployed on an SP network and is not directly
connected to CE devices. P devices only need to provide basic MPLS forwarding
capabilities and do not maintain VPN information. PE and P devices are managed by SPs. CE devices are managed by customers unless SPs are
authorized to manage them.
Issue 05 (2019-03-05) Copyright © Huawei Technologies Co., Ltd. 76 CloudEngine 12800&12800E Series Switches
Configuration Guide - VPN 2 BGP/MPLS IP VPN Configuration One PE device can connect to one or more CE devices. One CE device can connect to one or
more PE devices of the same or different SPs. Purpose
A traditional VPN sets up full-mesh tunnels or permanent virtual circuits (PVCs) between all
sites to forward VPN data. This method makes networks difficult to maintain and expand.
When a new site is added to an established VPN, a network administrator must modify the
configuration of all edge nodes connected to this site.
A BGP/MPLS IP VPN uses a peer model that enables SPs and customers to exchange routing
information. The SPs are responsible for forwarding data of customers, without requiring
customer participation. A BGP/MPLS IP VPN is more scalable and more easier to manage
than a traditional VPN. When a new site is added, a network administrator only needs to
modify the configuration of the edge nodes serving the new site.
BGP/MPLS IP VPN supports overlapping address spaces and overlapping VPNs. This
enables VPNs to be flexibly deployed and expanded. In addition, BGP/MPLS IP VPN
supports MPLS quality of service (QoS) and MPLS Traffic Engineering (TE). These
advantages allow IP network carriers to provide a wide range of value-added services, and
have resulted in BGP/MPLS IP VPN being widely used. 2.2 Understanding BGP/MPLS IP VPN
2.2.1 Basic Concepts of BGP/MPLS IP VPN
Site
In VPN technology, a site is an important concept. The following describes the different
aspects of a site:
l A site is a group of IP systems with IP connectivity that does not require the use of SP
networks.
Figure 2-2 shows an example of three sites. The left side of the figure shows two sites:
the headquarters network of company X in city A is a site, and the branch network of
company X in city B is another site. IP devices can communicate within each site
without using the carrier network. Issue 05 (2019-03-05) Copyright © Huawei Technologies Co., Ltd. 77 CloudEngine 12800&12800E Series Switches
Configuration Guide - VPN 2 BGP/MPLS IP VPN Configuration Figure 2-2 Sites
Two sites One site Site A
CE
Carrier's
network Site X
CE Headquarters
of X company
in City A Carrier's
network Headquarters
of X company
in City A CE
Branch of X
company in
City B l Router
Site B Branch of X
company in
City B Sites are configured based on topologies between devices but not their geographic
locations. However, in most cases, devices in a site are geographically adjacent to each
other. Two geographically separated IP systems can also compose a site if they are
connected through leased lines and can communicate without the use of the carrier
network.
On the right of Figure 2-2, the branch network in city B connects to the headquarters
network in city A through leased lines but not a carrier network. The branch network and
the headquarters network compose a site. l The devices in a site may belong to multiple VPNs. That is, a site may belong to more
than one VPN.
As shown in Figure 2-3, the decision-making department of company X in city A (Site
A) is allowed to communicate with the R&D department in city B (Site B) and the
financial department in city C (Site C). Site B and Site C are not allowed to
communicate with each other. In this case, two VPNs, VPN1 and VPN2, can be
established. Site A and Site B belong to VPN1; Site A and Site C belong to VPN2. Site
A belongs to two VPNs. Issue 05 (2019-03-05) Copyright © Huawei Technologies Co., Ltd. 78 CloudEngine 12800&12800E Series Switches
Configuration Guide - VPN 2 BGP/MPLS IP VPN Configuration Figure 2-3 One site belonging to multiple VPNs City A
VPN 1
X Company
Decision-making
department
Site A City B
CE CE Site B X Company
R&D
department VPN 2
City C Site C l X Company
Financial
department Carrier's
network
CE A site connects to a carrier network through CE devices and a site may have more than
one CE device. However, a CE device belongs to only one site.
CE devices are selected according to sites:
If a site is a host, the host is the CE device of the site.
If a site is a subnet, switches are used as CE devices.
If a site has multiple subnets, routers are used as CE devices.
Sites connected to the same carrier network can be grouped into different sets using
policies. Only sites that belong to the same set (for example, a VPN) can communicate
with each other through the carrier network. Address Space Overlapping
As a private network, each VPN manages an address space. Address spaces of different VPNs
may overlap. For example, if both VPN1 and VPN2 use addresses on the network segment
10.110.10.0/24, their address spaces overlap.
VPNs can use overlapping address spaces in the following situations:
l Two VPNs do not cover the same site. l Two VPNs cover the same site, but devices in the site do not need to communicate with
devices using overlapping address spaces in the VPNs. VPN Instance
In BGP/MPLS IP VPN implementation, routes of different VPNs are isolated by VPN
instances.
A PE device establishes and maintains a VPN instance for each directly connected site. A
VPN instance contains VPN member interfaces and routes of the corresponding site.
Issue 05 (2019-03-05) Copyright © Huawei Technologies Co., Ltd. 79 CloudEngine 12800&12800E Series Switches
Configuration Guide - VPN 2 BGP/MPLS IP VPN Configuration Specifically, information in a VPN instance includes the IP routing table, label forwarding
table, interface bound to the VPN instance, and VPN instance management information. VPN
instance management information includes the route distinguisher (RD), route filtering policy,
and member interface list of the VPN instance.
The relationships between VPNs, sites, and VPN instances are as follows:
l A VPN consists of multiple sites. A site may belong to multiple VPNs. l A site is associated with a VPN instance on a PE device. A VPN instance integrates VPN
members and routing policies of associated sites. Multiple sites compose a VPN based
on rules of the VPN instance. l VPN instances are not mapped to VPNs on a one-to-one basis, whereas VPN instances
are mapped to sites on a one-to-one basis. A VPN instance is also called a VPN routing and forwarding table (VRF). A PE device has
multiple routing and forwarding tables, including a public routing and forwarding table and
one or more VRFs. Figure 2-4 shows VPN instances.
Figure 2-4 VPN instances Site1 CE VPN1
VPN1
VPN-instance
VPN2
VPN-instance
VPN2 Site2 IP/MPLS
PE Backbone
Public
forwarding table CE A public routing and forwarding table and a VRF differ in the following aspects:
l A public routing table contains IPv4 routes of all the PE and P devices. The routes are
static routes or dynamic routes generated by routing protocols on the backbone network. l A VPN routing table contains routes of all sites that belong to a VPN instance. The
routes are obtained through the exchange of VPN routing information between PE
devices or between CE and PE devices. l Information in a public forwarding table is extracted from the public routing table
according to route management policies, whereas information in a VPN forwarding table
is extracted from the corresponding VPN routing table.
VPN instances on a PE device are independent of each other and maintain a VRF
independent of the public routing and forwarding table.
Each VPN instance can be considered as a virtual device that maintains an independent
address space and connects to VPNs through interfaces. Issue 05 (2019-03-05) Copyright © Huawei Technologies Co., Ltd. 80 CloudEngine 12800&12800E Series Switches
Configuration Guide - VPN 2 BGP/MPLS IP VPN Configuration RD and VPN-IPv4 Address
Traditional BGP cannot process VPN routes with overlapping address spaces. For example,
VPN1 and VPN2 use addresses on the network segment 10.110.10.0/24, and they each
advertise a route to this network segment. The local PE device can identify routes based on
VPN instances. However, when the routes are advertised to the remote PE device, BGP
selects only one of the two routes. This is because load balancing is not performed between
routes of different VPNs. Therefore, the other route is lost.
To address the preceding issue, PE devices use Multiprotocol Extensions for BGP-4 (MPBGP) to advertise VPN routes and use the VPN-IPv4 address.
A VPN-IPv4 address has 12 bytes. The first eight bytes represent the RD, and the last four
bytes represent the IPv4 address prefix, as shown in Figure 2-5.
Figure 2-5 VPN-IPv4 address
Route Distinguisher ( 8-Byte )
Type Field
( 2-Byte ) Assigned
Administrator
Number Subfield
Subfield IPv4 Address Prefix
( 4-Byte ) RDs distinguish IPv4 prefixes with the same address space. IPv4 addresses with RDs are
VPN-IPv4 addresses (VPNv4 addresses). After receiving IPv4 routes from a CE device, a PE
device converts the routes into globally unique VPN-IPv4 routes and advertises them on the
public network.
The format of RDs enables SPs to allocate RDs independently. When a CE device is dualhomed to PE devices, the RD must be globally unique to ensure correct routing. As shown in
Figure 2-6, a CE device is dual-homed to PE1 and PE2. PE1 also functions as a route
reflector (RR).
Figure 2-6 Networking diagram of CE dual-homing
RR CE
VPN site PE1 10.1.1.1/8 PE3 IP/MPLS
Backbone
PE2 PE1 is an edge device of the backbone network and advertises a VPN-IPv4 route with the
IPv4 prefix 10.1.1.1/8 to PE3. As PE1 functions as an RR, it also reflects a VPN-IPv4 route
with the IPv4 prefix 10.1.1.1/8 from PE2 to PE3.
l Issue 05 (2019-03-05) If the VPN has the same RD on PE1 and PE2, PE3 retains only one VPN-IPv4 route to
10.1.1.1/8 (PE3 -> PE1 -> CE) because the two routes have the same destination address.
Copyright © Huawei Technologies Co., Ltd. 81 CloudEngine 12800&12800E Series Switches
Configuration Guide - VPN 2 BGP/MPLS IP VPN Configuration l If the direct link between PE1 and CE becomes faulty, PE3 deletes the VPN-IPv4 route
to 10.1.1.1/8. As a result, VPN data destined for 10.1.1.1/8 cannot be forwarded to the
destination. However, PE3 has another route to 10.1.1.1/8, PE3 -> PE1 -> PE2 -> CE. l If the VPN has different RDs on PE1 and PE2, the VPN-IPv4 routes to 10.1.1.1/8
received by PE3 from PE1 have different destination addresses. Therefore, PE3 stores
both VPN-IPv4 routes. If any link between PE1 and CE becomes faulty, PE3 deletes the
corresponding route and reserves the other one. This ensures that data destined for
10.1.1.1/8 can continue to be correctly forwarded. VPN Target
A VPN target, also called the route target (RT), is a BGP extended community attribute. BGP/
MPLS IP VPN uses VPN targets to control VPN route advertisement.
A VPN instance is associated with one or more VPN target attributes. VPN target attributes
are classified into the following types:
l Export target: After learning IPv4 routes from directly connected sites, a PE device
converts the routes to VPN-IPv4 routes and sets the export target attribute for them. The
export target attribute is advertised with the routes as a BGP extended community
attribute. l Import target: After receiving VPN-IPv4 routes from other PE devices, a PE device
checks the export target attribute of the routes. If the export target is the same as the
import target of a VPN instance on the local PE device, the local PE device adds the
route to the VPN routing table. BGP/MPLS IP VPN uses VPN targets to control advertisement and receiving of VPN routes
between sites. VPN export targets are independent of import targets. An export target and an
import target can be configured with multiple values to implement flexible VPN access
control and VPN networking.
For example, if the import target of a VPN instance contains 100:1, 200:1, and 300:1, any
route with the export target being 100:1, 200:1, or 300:1 is added to the routing table of the
VPN instance. 2.2.2 BGP/MPLS IP VPN Fundamentals
This section describes BGP/MPLS IP VPN fundamentals:
l VPN Label Distribution l VPN Route Cross l Public Network Tunnel Iteration l VPN Route Selection Rules l Route Advertisement in BGP/MPLS IP VPN l Packet Forwarding in BGP/MPLS IP VPN VPN Label Distribution
Before advertising private routes to other PE devices on the backbone network through MPBGP, a PE device must distribute MPLS labels (VPN label) to the private routes. Packets
transmitted over the backbone network carry MPLS labels.
A PE device distributes MPLS labels in either of the following ways:
Issue 05 (2019-03-05) Copyright © Huawei Technologies Co., Ltd. 82 CloudEngine 12800&12800E Series Switches
Configuration Guide - VPN l 2 BGP/MPLS IP VPN Configuration One label per route
Each route in a VRF is assigned one label. If a network contains a large number of
routes, the Incoming Label Map (ILM) must maintain a large number of entries. In this
case, the device capacity must be large enough to accommodate all entries. l One label per instance
Each VPN instance is assigned one label. All the routes of a VPN instance share the
same label, conserving label resources. VPN Route Cross
The routes exchanged between two PE devices through MP-BGP are VPNv4 routes. A PE
device checks received VPNv4 routes and drops the following routes:
l VPNv4 routes with unreachable next hops l VPNv4 routes received from an RR with the cluster_id of the PE device in the
cluster_list l VPNv4 routes that are denied by the BGP routing policy The PE device matches the remaining routes with the import targets of local VPN instances.
The matching process is called VPN route cross.
Some routes sent from local CE devices belong to different VPNs. The PE device also
matches these routes with the import targets of local VPN instances if these routes have
reachable next hops or can be iterated. The matching process is called local VPN route cross.
For example, CE1 resides in a site of VPN1, and CE2 resides in a site of VPN2. Both CE1
and CE2 connect to PE1. When PE1 receives routes of VPN1 from CE1, PE1 also matches
the routes with the import target of the instance of VPN2.
NOTE To correctly forward a packet, a BGP-enabled device must discover a directly reachable address,
through which the packet can be forwarded to the next hop in the routing table. The route to the directly
reachable address is called a dependent route. This name is given because BGP guides packet
forwarding based on the route. The process of discovering a dependent route based on the next-hop
address is called route iteration. Public Network Tunnel Iteration
To transmit traffic of private networks across a public network, tunnels need to be established
on the public network. After VPN route cross is complete, PE devices perform route iteration
based on destination IPv4 prefixes to discover the appropriate tunnels (except for local cross
routes). Tunnel iteration is then performed. The routes are injected into the VPN routing table
only after tunnel iteration succeeds. The process of iterating routes to corresponding tunnels is
called tunnel iteration.
After tunnel iteration succeeds, tunnel IDs are reserved for subsequent packet forwarding. A
tunnel ID identifies a tunnel. In VPN packet forwarding, the PE devices search for tunnels
based on tunnel IDs. VPN Route Selection Rules
Not all the cross routes processed by tunnel iteration are injected into VPN routing tables.
Similarly, not all the routes received from the local CE devices nor all the local cross routes
are injected into VPN routing tables.
Issue 05 (2019-03-05) Copyright © Huawei Technologies Co., Ltd. 83 CloudEngine 12800&12800E Series Switches
Configuration Guide - VPN 2 BGP/MPLS IP VPN Configuration When multiple routes to the same destination are available and load balancing is not
configured, a PE device selects one route based on the following rules:
l If a route received from a local CE device and a cross route are destined to the same
destination, the PE device selects the route received from the local CE device. l If a local cross route and a cross route received from another PE device are destined for
the same destination, the PE device selects the local cross route. When multiple routes to the same destination are available and load balancing is configured,
the PE device selects one route based on the following rules:
l If one route from a local CE device and multiple cross routes exist, the PE device selects
the route from the local CE device. l The PE device performs load balancing between the routes from the local CE device or
between the cross routes. The PE device does not perform load balancing between the
routes from the local CE device and the cross routes. l The AS_Path attributes of the routes participating in load balancing must be the same. Route Advertisement in BGP/MPLS IP VPN
In basic BGP/MPLS IP VPN applications, CE and PE devices are responsible for advertising
VPN routes. Conversely, P devices only need to maintain routes of the backbone network
without knowing VPN routes. Generally, PE devices maintain all VPN routes.
VPN routes are advertised from ...
View
Full Document
- Spring '12
- FarhanZaidi
