There are many reasons why these technologies are not widely used it and I will touch on some of them in appropriate sections, but major reasons are (in)security and relative complexity. Since these technologies are in their nature oriented towards network service providers and they tend not to like complexity and especially trusting other networks, it's easily understood why there are not many applications in real life.
The foundation for this text is laid out in RFC 4364, section 10.
The RFC details three different ways in which two (or more) carriers can interconnect their networks in order to provide end-to-end VPN service for their customer(s). These are widely known as "Option A", "Option B" and "Option C". Of course, some of these can be implemented in several ways and I will point that out in due time. However, I would like to immediately split "Option C" into "Option C-1" and "Option C-2".
In this post, I will provide very brief overview over these options and in subsequent posts, explain them in more detail.
"Option A", sometimes also known as back-to-back VRF is by far the simplest solution. Essentially, Carrier 1 will connect to Customer site 1 from a PE router and create VRF. Similarly, Carrier 2 will connect to Customer site 2 from their PE router and create VRF. PE-CE routing is not really relevant and can be anything. Interconnection between carriers will be implemented using dedicated interface (or a subinterface if more such VPN's are delivered) in their respective VRF's. Like I mentioned, this is the simplest and possibly the most common form. There are virtually no security or complex implications, as two carriers can treat each other as just another customer connection. Refer to the diagram below for illustration.
"Option B" is slightly more complex and requires "MPLS interconnection" between service providers. I.e. border routers (dubbed, as one may expect, Autonomous System Border Routers - ASBR) need to exchange labels for given prefixes. These prefixes are Loopback interfaces of PE nodes that VPN is connected to. Labels are usually exchanged using BGP (bgp send-label), which automatically enables MPLS forwarding on the interface. I will visit this in more detail later. What happens within single AS is interesting. Sometimes, these routes are redistributed in IGP and sometimes, iBGP is used for label distribution. Diagram below illustrates this variant.
"Option C" is, probably, the most complex of the three. Labels are not exchanged between ASBR's using direct BGP session, but there is MPLS forwarding on the link. Usually using LDP, but other options (RSVP) can be used. PE's, of course, need to know about each other's labels, so it's important that they exchange their labels. This can be done directly between two PE's in what I call "Option C-1", or alternatively, eBGP session between route reflectors can be used. The important thing to note here is that in order for this solution to work, one aspect of BGP needs to be "adapted". In a case of eBGP session, next-hop attribute on received prefixes is replaced with the IP address of the BGP neighbor. This is perfectly fine for IP forwarding, but it will break MPLS. In this case, eBGP session needs to leave next-hop as-is, or as Cisco says, "bgp next-hop-unchanged". I will address this in the implementation post. For now, consult the diagrams below for "Option C-1" and "Option C-2", respectively.
This was a horrible week for me. I've been working on upgrading backbone network and was hit hard with several 7600 bugs. I spent 5 hours sleeping and the rest either talking to or waiting for TAC. She may even have left me, but if She hasn't, that must mean that She truly loves me. I haven't seen her for a while... I hope She's still there when I finally go home.
1 comments:
Hi Marko,
here another network geek at the other end of the line ;-). Just preparing for the recert.
Excellent overview you have written. And it almost answers one question I have: With option B, an EBPG VPNIPv4 session is configured, in your drawing that is R2 to R5 ing Fa0/0.102. Unfotunately you did not post any sample IOS configuration. So I take http://www.cisco.com/en/US/docs/ios/mpls/configuration/guide/mp_vpn_connect_asbr.html#wp1056728, configuration of EBGP1, the interface to EBGP2:
interface ATM1/0.1 point-to-point
description Lowell
ip address aa.0.0.1 255.255.255.252
pvc 1/100
!
There is no tag-switching ip on the interface. But to transport the customer VPN, it needs to talk MPLS over that interface. You write it would be "automatically enabled". And next-hop self seems to be part of the secret.
So questions:
1. Are the frames/packets transported MPLS encapsulated between R2 and R5 (sounds like a void question: They have to, otherwise you end in difficulties for overlapping IPs for different VPNs).
2. What means "automatically enables"? How does the router know it is this interface? What about ebgp multihop and "dull" routers in between? Does it still transport non-tagged frames?
3. If I know the labels that the router is using and inject a nice hand-crafted MPLS-tagged packet with a label suitable to a VRF on that specific router into one of the non-MPLS interfaces, will it forward corresponding to the VRF? Can I leak packets into the VRF?
Thanks,
Fritz
Post a Comment