In a continuation of our MPLS deep-dive series, Nick Russo, Russ White, Jordan Martin, and Eyvonne Sharp return to discuss some of the operational considerations when using MPLS VPNs.
We would like to thank Core BTS for sponsoring this episode of Network Collective. Core BTS focuses on partnering with your company to deliver technical solutions that enhance and drive your business. If you’re looking for a partner to help your technology teams take the next step, you can reach out to Core BTS by emailing them here.
We would also like to thank Cumulus Networks for sponsoring this episode of Network Collective. Cumulus is bringing S.O.U.L. back to the network. Simple. Open. Untethered. Linux. For more information about how you can bring S.O.U.L. to your network, head on over to https://cumulusnetworks.com/networkcollectivehassoul. There you can find out how Cumulus Networks can help you build a datacenter as efficient and as flexible as the world's largest data centers and try Cumulus technology absolutely free.
- When enterprises use the term “MPLS”, SP-provided VPNs are often what they mean
  - Generally means a private WAN service, L2VPN or L3VPN
- Quick packet walk (L3VPN only)
  - CE sends an IP packet to the ingress PE
  - Ingress PE performs a lookup in the VRF FIB
  - Ingress PE pushes labels in the order in which route recursion occurs
  - Ingress PE sends the packet into the core
  - Core routers look up the top label in the LFIB and swap it
  - Egress PE receives the packet from the core
  - Assuming PHP, the egress PE consults the LFIB for the remaining (VPN) label
  - The action is to remove all labels and send the packet to the CE
- Overlapping routes in L3VPNs are handled with the RD. It makes routes unique, and it can also be used to engineer HA at the edge (unique RD per PE == multiple copies of the same route)
  - Suppose there are 2 egress PEs which learn the same route. It would be good if the ingress PE could learn the route from both ASBRs. If RRs are in use, this is harder since RRs hide topology (they reflect only their best path per NLRI). A unique RD per PE means the RRs will keep the routes separate and advertise both to the ingress PE
  - Enable BGP prefix independent convergence (PIC) edge to install both routes, one as primary, one as repair
- L3VPN advantages
  - Massively scalable L3VPNs, easy extranet/central-services support
  - Trivial to add new sites to existing VPNs, or to make changes
  - Media independent
- L2VPN advantages
  - No routing exchange with the customer
  - Easier for the customer to change things (non-IP, IPv6, multicast, etc.)
- Other handy uses
  - Internet VPN: for ISPs, there are obvious security advantages to putting the internet in a VPN. It’s easy to import into customer VRFs, and it ensures the internet can never attack the core. The tradeoff is more state (memory consumed) due to the RD, and if multiple VRFs on a PE need internet, lots of route duplication. Compare this to route leaking from the global table, which is more efficient but complex and less secure.
  - Scrubbing center: a central site that all traffic must traverse can be engineered by making a CE a transit site. Work the RTs (import/export) appropriately.
  - Half-duplex VRF: similar to the example above, two access sites need to route via a central site to talk laterally (an upstream and a downstream VRF are defined). Somewhat analogous to private VLANs.
  - Multi-VRF per customer: to provide multi-tenancy for one customer, virtualize the PE-CE link (VLANs, DLCIs, GRE tunnels with varying keys, etc.) with different VRFs. The customer can break out the VRFs as needed.
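To make the unique-RD and PIC edge points concrete, here is an added Python model (not code from the episode or from any vendor) of a route reflector's per-NLRI best-path selection: with a shared RD the RR hides the second egress PE's copy of the prefix, while with one RD per PE both copies reach the ingress PE and PIC edge can install a repair path. The RDs, the customer prefix and the PE loopbacks are constructed values.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Vpnv4Route:
    rd: str            # route distinguisher (constructed values below)
    prefix: str        # customer prefix
    next_hop: str      # egress PE loopback; also stands in for the router-id tie-breaker
    local_pref: int = 100

    @property
    def nlri(self):
        # VPNv4 best-path selection is keyed on RD + prefix, not the prefix alone
        return (self.rd, self.prefix)

    @property
    def rank(self):
        # Lower is better: higher local_pref wins, then lower router-id (next_hop)
        return (-self.local_pref, self.next_hop)

def route_reflector(routes):
    """Reflect only the best path per NLRI; this is how an RR hides topology."""
    best = {}
    for r in routes:
        if r.nlri not in best or r.rank < best[r.nlri].rank:
            best[r.nlri] = r
    return list(best.values())

def ingress_pe_paths(reflected, prefix):
    """On RT import the RD is dropped, so routes under both RDs land on one VRF prefix."""
    return sorted((r for r in reflected if r.prefix == prefix), key=lambda r: r.rank)

def pic_edge_install(paths):
    """BGP PIC edge: primary path plus a precomputed repair path, if one exists."""
    if not paths:
        return None
    repair = paths[1].next_hop if len(paths) > 1 else None
    return {"primary": paths[0].next_hop, "repair": repair}

# Constructed scenario: PE1 (192.0.2.1) and PE2 (192.0.2.2) both learn 10.1.0.0/24
PREFIX = "10.1.0.0/24"
SHARED_RD = [Vpnv4Route("65000:1", PREFIX, "192.0.2.1"),
             Vpnv4Route("65000:1", PREFIX, "192.0.2.2")]
UNIQUE_RD = [Vpnv4Route("65000:1", PREFIX, "192.0.2.1"),   # one RD per PE
             Vpnv4Route("65000:2", PREFIX, "192.0.2.2")]

def demo(routes):
    return pic_edge_install(ingress_pe_paths(route_reflector(routes), PREFIX))

if __name__ == "__main__":
    print("shared RD:", demo(SHARED_RD))  # repair None: the RR hid PE2's copy
    print("unique RD:", demo(UNIQUE_RD))  # repair 192.0.2.2
```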
Danger Storm Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 3.0 License