March 29, 2024

Principle and Implementation of VPN Technology Based on MPLS

Abstract: Starting from the principles and operation of MPLS-based VPN technology, this paper presents a network composition model for MPLS VPN based on BGP extensions and describes the devices in this model and their functions. Finally, the technical advantages and application prospects of MPLS VPN are analyzed.

With the rapid development of the Internet, users are placing higher demands on its applications. However, the Internet lacks effective traffic and bandwidth management mechanisms, so congestion is common, there is no guarantee of quality of service (QoS), and current IP technology cannot adequately carry many applications such as voice and video. The emerging Multiprotocol Label Switching (MPLS) technology is expected to solve this problem.

1 Introduction to VPN

VPN refers to the technology of establishing a private data communication network on a public network, relying on ISPs and other NSPs. In a virtual private network, the connection between any two sites does not use the end-to-end physical link required by a traditional private network; it is composed dynamically from the resources of a public network. VPN technology uses authentication, access control, confidentiality and data integrity mechanisms to ensure the confidentiality, integrity and availability of information in transit. For government and enterprises it provides a private network over the public Internet that is secure, reliable, convenient and fast, and that saves money. VPN technology is the best solution for WAN construction: it not only saves the construction, operation and maintenance costs of a WAN, but also offers low cost, easy management, low overhead, high flexibility and good confidentiality.

2 MPLS-based VPN technology

2.1 Basic Principles of MPLS

MPLS VPN refers to a virtual private network built on MPLS technology. It uses MPLS to build an enterprise IP private network over a public IP network, providing multi-service broadband connectivity for data, voice and video, and combines it with differentiated services, traffic engineering and related technologies to provide users with high-quality services. MPLS VPN provides all the functions of a conventional VPN while adding strong QoS capabilities. It is characterized by high reliability, high security, strong scalability, flexible control policies and powerful management capabilities.

MPLS is a special forwarding mechanism that assigns labels to IP packets entering the network and forwards them by swapping labels. Within the network the label takes the place of the IP header: the path a packet follows is determined by label switching rather than by examining the IP header. When the packet is about to leave the MPLS network, the label is stripped and the packet continues to its destination by ordinary IP routing.

As shown in Figure 1, an MPLS network contains a few basic elements. A node at the edge of the network is called a Label Edge Router (LER), and a core node is called a Label Switching Router (LSR). The LER node provides high-speed switching functionality in the network. The path between MPLS nodes is called a Label Switched Path (LSP); an LSP can be thought of as a one-way tunnel through the network.

The workflow of MPLS can be divided into three aspects: the behaviour at the edge of the network, the behaviour in the core of the network, and how a label switched path is established.

1. The edge behavior of the network

When an IP packet arrives at an LER, MPLS applies a label for the first time. The LER first analyzes the IP header and classifies the packet according to its destination address and service class.

In the LER, MPLS uses the concept of the Forwarding Equivalence Class (FEC) to map incoming data streams onto LSPs. Simply put, an FEC defines a set of packets that receive the same forwarding treatment along the same path, which means that all packets belonging to the same FEC can be mapped to the same label.

For each FEC, the LER establishes a separate LSP across the network to reach the destination. Once a packet has been assigned to an FEC, the LER can generate a label for it from the Label Information Base (LIB). The LIB maps each FEC to the label of the next hop of the LSP. If the next-hop link is ATM, MPLS uses the VCI of the ATM VCC as the label.

When forwarding a packet, the LER looks up its FEC in the LIB, encapsulates the packet with the label of the LSP, and sends it out of the next-hop interface specified by the LIB.

2. The core behavior of the network

When a labelled packet arrives at an LSR, the LSR extracts the incoming label and uses it as an index into its LIB. Having found the matching entry, the LSR replaces the incoming label with the outgoing label from that entry and sends the packet out of the next-hop interface recorded in the LIB.

Finally, the packet arrives at the far end of the MPLS domain. There, the LER strips the encapsulating label and continues to deliver the packet to its destination according to ordinary IP routing.
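The edge and core behaviour described in the two sections above, as an added simulation that is not part of the original article: an ingress LER classifies a packet into a FEC and pushes a label, core LSRs swap labels using only their LIB, and the egress LER pops the label and resumes IP forwarding. The topology (LER1, LSR1 to LSR3, LER2), the FEC table, the label values and the LIB contents are all constructed for illustration; note that two FECs share a destination prefix but travel over different LSPs because of their service class, and that the IP header is examined only at the two edge nodes.

```python
"""Added example (not from the article): simulation of MPLS edge and core
behaviour. Topology, FEC table, label values and LIBs are constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Packet:
    dst: ipaddress.IPv4Address
    service_class: str
    label: Optional[int] = None                 # current MPLS label (one level)
    path: list = field(default_factory=list)    # (node, action, label) trace
    ip_lookups: int = 0                         # times the IP header was examined


# Ingress LER (LER1): FEC = (destination prefix, service class) -> (label, next hop).
# Both FECs lead to 10.2.0.0/16 but are mapped to different LSPs.
FEC_TABLE = {
    (ipaddress.ip_network("10.2.0.0/16"), "best-effort"): (17, "LSR1"),
    (ipaddress.ip_network("10.2.0.0/16"), "voice"): (18, "LSR1"),
}
# Core LSRs: LIB indexed by incoming label -> (outgoing label, next hop).
LIB = {
    "LSR1": {17: (23, "LSR2"), 18: (31, "LSR3")},
    "LSR2": {23: (41, "LER2")},
    "LSR3": {31: (42, "LER2")},
}
# Egress LER (LER2): labels it terminates and its ordinary IP routing table.
EGRESS_LABELS = {41, 42}
IP_ROUTES = {ipaddress.ip_network("10.2.0.0/16"): "CE-B"}


def classify(pkt):
    """Edge behaviour: choose the FEC by longest-prefix match and service class."""
    best = None
    for (prefix, cls), entry in FEC_TABLE.items():
        if cls == pkt.service_class and pkt.dst in prefix:
            if best is None or prefix.prefixlen > best[0].prefixlen:
                best = (prefix, entry)
    return None if best is None else best[1]


def ingress(pkt):
    """LER1 examines the IP header once, assigns a FEC and pushes the label."""
    pkt.ip_lookups += 1
    entry = classify(pkt)
    if entry is None:
        raise LookupError(f"no FEC for {pkt.dst} class {pkt.service_class}")
    pkt.label, next_hop = entry
    pkt.path.append(("LER1", "push", pkt.label))
    return next_hop


def core(node, pkt):
    """LSR: the incoming label alone indexes the LIB; swap and forward.
    The IP header is never examined here."""
    out_label, next_hop = LIB[node][pkt.label]
    pkt.path.append((node, "swap", out_label))
    pkt.label = out_label
    return next_hop


def egress(pkt):
    """LER2 strips the label and resumes ordinary IP forwarding."""
    if pkt.label not in EGRESS_LABELS:
        raise LookupError(f"LER2 does not terminate label {pkt.label}")
    pkt.path.append(("LER2", "pop", pkt.label))
    pkt.label = None
    pkt.ip_lookups += 1
    for prefix, next_hop in IP_ROUTES.items():
        if pkt.dst in prefix:
            return next_hop
    raise LookupError(f"no IP route for {pkt.dst}")


def forward(dst, service_class):
    """Carry one packet LER1 -> core -> LER2; returns (packet, final next hop)."""
    pkt = Packet(ipaddress.ip_address(dst), service_class)
    node = ingress(pkt)
    while node != "LER2":
        node = core(node, pkt)
    return pkt, egress(pkt)


if __name__ == "__main__":
    for cls in ("best-effort", "voice"):
        pkt, hop = forward("10.2.3.4", cls)
        print(cls, [n for n, _, _ in pkt.path], "->", hop,
              "IP header examined", pkt.ip_lookups, "times")
```

Running the script shows the best-effort packet taking LER1, LSR1, LSR2, LER2 and the voice packet taking LER1, LSR1, LSR3, LER2 to the same destination, with the IP header examined exactly twice in both cases. A packet whose class has no FEC is rejected at the ingress rather than being forwarded unlabelled.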

3. How to create a label switched path

There are two main ways to establish an LSP:

(1) "Hop by Hop" routing

A hop-by-hop LSP is one branch of the tree of paths from all source sites to a specific destination site. For these LSPs, MPLS mimics the destination-oriented way in which IP forwards packets and builds a set of such trees.

In traditional IP routing, each router along the way examines the destination address of the packet and selects a suitable path on which to send it out. MPLS does not: although the packet travels along the same path that IP routing would select, its packet header is not examined again from the beginning to the end of the path.

At each node of the tree generated by MPLS, a label is assigned for the next hop level by level, by exchanging labels with peer nodes. The exchange is carried out through the request and corresponding response messages of the Label Distribution Protocol (LDP).

(2) Explicit routing

A main advantage of MPLS is that it can use traffic engineering to steer packets. MPLS allows the network operator to determine an explicitly routed LSP (ER-LSP) at the source node, specifying the path the packet will take. The ER-LSP establishes a direct end-to-end path from source to destination. MPLS establishes this path by embedding the explicit route into the messages of the constraint-based routing label distribution protocol.
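The two ways of establishing an LSP, as an added example that is not from the original article: a hop-by-hop LSP follows the path that destination-oriented IP routing would choose (computed here with Dijkstra over constructed link costs), while an explicitly routed LSP follows an operator-supplied path, which is checked against the real topology before labels are handed out. In both cases labels are allocated by the downstream node of each link, in the spirit of an LDP label request answered by a label mapping; the topology, link costs and label numbering are assumptions made for this illustration.

```python
"""Added example (not from the article): hop-by-hop versus explicitly routed
LSP setup with downstream label allocation. Topology and costs are constructed."""
import heapq

LINKS = {  # constructed link costs; the direct chain via LSR2 is cheapest
    ("LER1", "LSR1"): 1, ("LSR1", "LSR2"): 1, ("LSR2", "LER2"): 1,
    ("LSR1", "LSR3"): 5, ("LSR3", "LER2"): 5,
}
GRAPH = {}
for (a, b), cost in LINKS.items():
    GRAPH.setdefault(a, {})[b] = cost
    GRAPH.setdefault(b, {})[a] = cost


def shortest_path(src, dst):
    """Dijkstra: the destination-oriented path that hop-by-hop IP routing selects."""
    dist, prev, heap = {src: 0}, {}, [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue
        for v, c in GRAPH[u].items():
            if d + c < dist.get(v, float("inf")):
                dist[v], prev[v] = d + c, u
                heapq.heappush(heap, (d + c, v))
    if dst not in dist:
        raise ValueError(f"{dst} unreachable from {src}")
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return path[::-1]


class LabelSpace:
    """Each router allocates from its own label space; labels are locally significant."""
    def __init__(self):
        self._next = {}

    def allocate(self, node):
        label = self._next.get(node, 16)   # labels 0-15 are reserved in MPLS
        self._next[node] = label + 1
        return label


def distribute_labels(path, space):
    """Walk from egress to ingress: each downstream node allocates the label for
    the link from its upstream neighbour (the mapping it would send in reply to a
    label request). Returns node -> (in_label, out_label, next_hop)."""
    lib, out_label = {}, None                   # egress pops, so no out label
    for i in range(len(path) - 1, 0, -1):
        downstream = path[i]
        in_label = space.allocate(downstream)
        next_hop = path[i + 1] if i + 1 < len(path) else None
        lib[downstream] = (in_label, out_label, next_hop)
        out_label = in_label                    # becomes the upstream's out label
    lib[path[0]] = (None, out_label, path[1])   # ingress only pushes
    return lib


def build_lsp(src, dst, explicit_route=None, space=None):
    """Hop-by-hop LSP when explicit_route is None, otherwise an ER-LSP along
    the operator-supplied path, which must exist in the topology."""
    if explicit_route is None:
        path = shortest_path(src, dst)
    else:
        path = list(explicit_route)
        if path[0] != src or path[-1] != dst:
            raise ValueError("explicit route must start at src and end at dst")
        for a, b in zip(path, path[1:]):
            if b not in GRAPH.get(a, {}):
                raise ValueError(f"explicit route uses non-existent link {a}-{b}")
    return path, distribute_labels(path, space or LabelSpace())


def chain_is_consistent(path, lib):
    """Every node's outgoing label must equal the next node's incoming label."""
    return all(lib[a][1] == lib[b][0] for a, b in zip(path, path[1:]))


if __name__ == "__main__":
    space = LabelSpace()
    for route in (None, ["LER1", "LSR1", "LSR3", "LER2"]):
        path, lib = build_lsp("LER1", "LER2", route, space)
        print("hop-by-hop" if route is None else "explicit", path)
        for node in path:
            print("  ", node, lib[node])
```

With a shared label space, the hop-by-hop LSP and the ER-LSP that both terminate on LER2 receive different incoming labels there (16 and 17), while LSR3 hands out 16 because it is allocating for the first time; this is the local significance of labels that the text describes. An explicit route that names a link not present in the topology is refused before any label is allocated.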

2.2 Basic MPLS VPN Implementation

As shown in Figure 2, an MPLS Layer 3 VPN based on BGP extensions includes the following basic components:

PE: Provider Edge router. The PE router exchanges routing information with CE routers using static routes, RIPv2, OSPF or EBGP. Although the PE router maintains VPN routing information, it only needs to maintain the VPN routes of the VPNs directly connected to it. Each PE router maintains a VRF (Virtual Routing and Forwarding table) for each site directly connected to it, and each customer connection is mapped to a VRF; the PE learns the site's local VPN routing information from the CE router. PE routers use IBGP to exchange VPN routing information with other PE routers; a PE router may instead maintain an IBGP session to a route reflector as an alternative to a full mesh of IBGP sessions. When MPLS is used to forward VPN data traffic across the provider backbone, the ingress PE router acts as the ingress LSR and the egress PE router acts as the egress LSR.

CE: Customer Edge device. CE devices allow customers to access the service provider network through a data link connecting them to one or more provider edge (PE) routers. A CE device is an IP router that establishes adjacencies with the directly connected PE routers. After establishing the adjacency, the CE router advertises the site's local VPN routes to the PE router and learns the remote VPN routes from the PE router.

P router: Provider router, any router in the provider network that is not connected to a CE device. When forwarding VPN data traffic between PE routers, the provider router acts as an MPLS transit LSR. Since traffic is forwarded across the MPLS backbone with a two-level label stack, the provider router only needs to maintain routes to the provider's PE routers and does not maintain the VPN routing information specific to each customer site.

RR: Route Reflector, BGP route reflector

ASBR: Autonomous System Border Router, which exchanges VPN routes with other autonomous systems when a VPN spans autonomous systems.

MP-BGP: Multiprotocol extended BGP, which carries labelled IPv4/VPN routes; it includes MP-IBGP and MP-EBGP.

PE-CE routing protocol: the protocol by which user network routes are exchanged between PE and CE. It can be a static route, or RIP, OSPF, IS-IS or BGP.

LDP: Label Distribution Protocol, which establishes best-effort LSPs between PEs across the P routers; all PE and P routers must support it.

RSVP-TE: establishes QoS-capable ER-LSPs between PEs when QoS is required for a VPN.

VRF: Virtual Routing and Forwarding table, which contains the routing table, forwarding table, interfaces (sub-interfaces), routing instance and routing policy of one site. On a PE, the physical or logical ports belonging to the same VPN correspond to one VRF. A VRF can be configured through the command line or a network management tool; its main parameters include the RD (Route Distinguisher), Import Route-Targets, Export Route-Targets and Interfaces.

VPN user site: a site is an isolated IP network within the VPN, generally one that cannot reach the other sites except through the backbone network; a company's headquarters and its branches are typical examples of sites. The CE is usually a router or switching device within the VPN site. A site is connected to the PE device through a separate physical or logical port (usually a VLAN port).

After a user joins an MPLS VPN, each site provides one or more CEs to connect to the PEs of the backbone network, and a VRF is configured for the site on the PE. The physical interfaces, logical interfaces or even L2TP/IPsec tunnels connecting PE and CE are bound to the VRF; a multi-hop Layer 3 connection is not used.

The BGP extension used by MPLS VPN extends the IPv4 address in the BGP NLRI by prefixing it with an 8-byte RD (Route Distinguisher) that identifies the VPN member (site). Each VRF can be configured with policies defining which routing information the VPN may receive and which site routing information may be advertised. The PE performs route calculation on the information advertised through the BGP extension and generates the routing table of the corresponding VPN.
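The VRF, RD and Route-Target mechanism described above together with the two-level label stack mentioned under the P router, as an added example that is not from the original article: two customers deliberately use the same 10.1.0.0/24 prefix behind PE2, the RD keeps the two VPN-IPv4 routes distinct in MP-BGP, and the import Route-Targets decide which VRF on PE1 each route lands in. Forwarding then pushes an outer LSP label that P routers switch on and an inner VPN label that only the egress PE interprets. All names, AS numbers, RDs, label values and the choice of one VPN label per VRF are assumptions made for this illustration.

```python
"""Added example (not from the article): VRF isolation with RD/RT and the
two-level label stack of an MPLS Layer 3 VPN. All values are constructed."""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class VPNv4Route:
    """VPN-IPv4 NLRI (RD + prefix) as carried by MP-BGP, with its VPN label."""
    rd: str
    prefix: ipaddress.IPv4Network
    next_hop_pe: str
    vpn_label: int
    route_targets: frozenset


@dataclass
class VRF:
    name: str
    rd: str
    import_rts: frozenset
    export_rts: frozenset
    local_routes: dict = field(default_factory=dict)   # prefix -> CE next hop
    remote_routes: dict = field(default_factory=dict)  # prefix -> (PE, vpn_label)


class PE:
    def __init__(self, name):
        self.name, self.vrfs, self.label_to_vrf, self._next_label = name, {}, {}, 100

    def add_vrf(self, vrf):
        self.vrfs[vrf.name] = vrf

    def export_routes(self):
        """Prefix each local route with the VRF's RD, attach the export RTs and
        a VPN label (one label per VRF is assumed here)."""
        adverts = []
        for vrf in self.vrfs.values():
            label, self._next_label = self._next_label, self._next_label + 1
            self.label_to_vrf[label] = vrf.name
            for prefix in vrf.local_routes:
                adverts.append(VPNv4Route(vrf.rd, prefix, self.name, label, vrf.export_rts))
        return adverts

    def import_routes(self, adverts):
        """Import policy: a VRF accepts a route only if the route's RTs intersect
        its import RTs. The RD keeps identical prefixes distinct inside BGP; the
        RT decides which VRF table a route is installed in."""
        for vrf in self.vrfs.values():
            for r in adverts:
                if r.next_hop_pe != self.name and r.route_targets & vrf.import_rts:
                    vrf.remote_routes[r.prefix] = (r.next_hop_pe, r.vpn_label)

    def ingress_forward(self, vrf_name, dst, lsp_labels):
        """Ingress PE: VRF lookup, then push [outer LSP label, inner VPN label]."""
        vrf, dst = self.vrfs[vrf_name], ipaddress.ip_address(dst)
        matches = [p for p in vrf.remote_routes if dst in p]
        if not matches:
            raise LookupError(f"{dst} not in VRF {vrf_name}: sites stay isolated")
        pe, inner = vrf.remote_routes[max(matches, key=lambda p: p.prefixlen)]
        return [lsp_labels[pe], inner]

    def egress_forward(self, stack, dst):
        """Egress PE: the inner label selects the VRF, which yields the CE next hop."""
        vrf = self.vrfs[self.label_to_vrf[stack[-1]]]
        dst = ipaddress.ip_address(dst)
        for prefix, ce in vrf.local_routes.items():
            if dst in prefix:
                return ce
        raise LookupError(f"no route for {dst} in VRF {vrf.name}")


def p_router_view(stack):
    """P routers switch on the outer label only; the inner label is opaque to them."""
    return stack[0]


def build_scenario():
    """Two PEs, VPNs A and B with overlapping addresses, and an unrelated VPN C."""
    net = ipaddress.ip_network
    pe1, pe2 = PE("PE1"), PE("PE2")
    for pe in (pe1, pe2):
        pe.add_vrf(VRF("A", "65000:1", frozenset({"65000:1"}), frozenset({"65000:1"})))
        pe.add_vrf(VRF("B", "65000:2", frozenset({"65000:2"}), frozenset({"65000:2"})))
    pe1.add_vrf(VRF("C", "65000:3", frozenset({"65000:3"}), frozenset({"65000:3"})))
    pe2.vrfs["A"].local_routes[net("10.1.0.0/24")] = "CE-A2"   # same prefix ...
    pe2.vrfs["B"].local_routes[net("10.1.0.0/24")] = "CE-B2"   # ... in both VPNs
    pe1.import_routes(pe2.export_routes())                     # MP-IBGP exchange
    return pe1, pe2


if __name__ == "__main__":
    pe1, pe2 = build_scenario()
    lsp = {"PE2": 23}   # outer label toward PE2, as LDP would have set it up
    for vpn in ("A", "B"):
        stack = pe1.ingress_forward(vpn, "10.1.0.5", lsp)
        print(vpn, "stack", stack, "P sees", p_router_view(stack),
              "egress CE", pe2.egress_forward(stack[1:], "10.1.0.5"))
```

Both packets leave PE1 with the same outer label 23, so the P routers treat them identically and need no customer routes; only the inner label (100 versus 101) tells PE2 which VRF, and therefore which CE, the packet belongs to. VRF C, whose import Route-Target matches nothing, receives no routes at all, and a destination absent from a VRF is dropped at the ingress PE rather than leaking into another VPN.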

Generally, PE and CE exchange routing information through static routes, though RIP, OSPF, BGP and IS-IS can also be used. Static routes limit the impact that poorly managed CEs can have on the backbone's BGP routing and thus help keep the backbone stable.

MPLS BGP Layer 3 VPN is suitable for fixed Intranet/Extranet users, where each site can represent the headquarters or a branch of the Intranet/Extranet. An MPLS Layer 3 VPN requires only one physical or logical link between the CE and the PE. However, the PE device must hold multiple routing tables, and if a dynamic routing protocol runs between CE and PE the PE must also support multiple routing instances, so the performance requirements on the PE are high. BGP must run between every pair of PEs, which scales poorly; currently one or more route reflectors are used to solve this problem. For a VPN within a single AS (Autonomous System), the carrier's PEs must establish IBGP connections with each other or with the route reflector.

MPLS BGP Layer 3 VPN can provide VPN Internet access services by configuring static routes to Internet routes, and can provide VPN interconnection for carriers that belong to the same AS but have no backbone network of their own, that is, VPN interconnection in the "carrier's carrier" mode.

2.3 Advantages of MPLS

1. High security. An MPLS Label Switched Path (LSP) provides security similar to that of FR and ATM VCCs; MPLS VPN also integrates IPsec encryption, and users can further improve security with firewalls, data encryption and other methods.

2. Strong scalability. First, the number of VPNs the network can accommodate is large; second, users of the same VPN can easily be added.

3. Service integration. MPLS VPN provides the ability to combine data, voice and video.

4. Flexible control policies. Special control policies can be developed to meet the particular needs of different users and to realize value-added services.

5. Powerful management. Centralized management, with unified service configuration and scheduling, reduces the burden on users.

6. Service Level Agreements (SLA). At present, differentiated services, traffic control and service levels are used to provide a degree of traffic control; bandwidth guarantees and higher quality-of-service guarantees can be provided in the future.

7. Cost savings for users.

MPLS is a new technology that combines the advantages of the link layer and the IP layer. On an MPLS network, not only VPN services but also QoS, traffic engineering, multicast and so on can be deployed. As MPLS applications continue to heat up, MPLS support is no longer an optional extra, whether for a product or a network. Although MPLS VPN is a newly emerged comprehensive network technology, it has already shown strong vitality. In China the network foundation is weak and government and enterprise demand for IP virtual private networks is still low; however, as government goes online and especially as e-commerce grows, MPLS-based IP virtual private network solutions are expected to have an immeasurable market outlook.