CX11x, CX31x, CX710 (Earlier Than V6.03), and CX91x Series Switch Modules V100R001C10 Configuration Guide 13

This document describes the configuration of the various services supported by the CX11x, CX31x, and CX91x series switch modules. The description covers configuration examples and function configurations.
MCE Overview

A Multi-VPN-Instance CE (MCE) is a CE that supports the multi-VPN-instance function.

Definition

A BGP/MPLS IP VPN is a Layer 3 Virtual Private Network (L3VPN). BGP/MPLS IP VPN uses the Border Gateway Protocol (BGP) to advertise VPN routes and Multiprotocol Label Switching (MPLS) to forward VPN packets on backbone networks. "IP" indicates that the VPN carries IP packets.

Figure 9-15 shows the basic model of a BGP/MPLS IP VPN.

Figure 9-15 Model of a BGP/MPLS IP VPN

The BGP/MPLS IP VPN model consists of the following parts:

  • Customer Edge (CE): An edge device on a customer network, providing interfaces that are directly connected to the Service Provider (SP) network. A CE can be a router, a switch, or a host. A CE is usually unaware of the VPN and does not support MPLS.

  • Provider Edge (PE): An edge device on an SP network. A PE is directly connected to the CE. On an MPLS network, PE devices process all VPN services, so PE devices have high performance requirements.

  • Provider (P): A backbone device on an SP network. A P is not directly connected to CE devices. P devices need only basic MPLS forwarding capability and do not maintain VPN information.

PE and P devices are managed by SPs. CE devices are managed by users, unless the users entrust SPs with management of the CE devices.

A PE can access multiple CE devices. A CE can be connected to multiple PE devices of the same SP or of different SPs.

Basic Concepts of BGP/MPLS IP VPN

  • Site
    The term "site" is used frequently in VPN technology. A site can be described from the following aspects:
    • A site is a group of IP systems with IP connectivity that does not depend on the SP's network.

    • Sites are demarcated based on the topology relationships between devices rather than their geographic positions, although the devices in a site are generally geographically adjacent to each other.

    • The devices at a site may belong to multiple VPNs. In other words, a site may belong to more than one VPN.

    • A site is connected to an SP's network through the CE. A site may contain more than one CE, but a CE belongs to only one site.

    Sites connected to the same SP's network can be divided into different sets based on policies. Only sites that belong to the same set can access each other; such a set is a VPN.

  • Address space overlapping

    As a private network, a VPN independently manages its own address realm, also called an address space.

    Address spaces of different VPNs may overlap. For example, if both VPN 1 and VPN 2 use addresses on the network segment 10.110.10.0/24, address space overlap occurs.

  • VPN instance

    In BGP/MPLS IP VPN implementation, routes of different VPNs are isolated by VPN instances.

    A PE device establishes and maintains a VPN instance for each directly connected site. A VPN instance contains the VPN member interfaces and routes of the corresponding site. Specifically, the information in a VPN instance includes the IP routing table, the label forwarding table, the interfaces bound to the VPN instance, and VPN instance management information. VPN instance management information includes the route distinguisher (RD), the route filtering policy, and the member interface list of the VPN instance.

    Figure 9-16 VPN instances

  • RD and VPN-IPv4 Address

    Traditional BGP cannot correctly handle the routes of VPNs with overlapping address spaces. For example, VPN1 and VPN2 both use addresses on network segment 10.110.10.0/24 and both advertise a route to this network segment. The local PE device can distinguish the two routes based on VPN instances. However, when the routes are advertised to the remote PE device, BGP selects only one of them, because load balancing is not performed between routes of different VPNs, and the other route is lost.

    To ensure that routes of VPNs with overlapping address spaces are correctly processed, PE devices use MP-BGP to advertise VPN routes and use VPN-IPv4 addresses to identify them.

    A VPN-IPv4 address consists of 12 bytes. The first eight bytes represent the RD, and the last four bytes stand for the IPv4 address prefix, as shown in Figure 9-17.

    Figure 9-17 VPN-IPv4 address structure

    RDs distinguish IPv4 prefixes that belong to the same address space. IPv4 addresses carrying RDs are VPN-IPv4 addresses (VPNv4 addresses). After receiving IPv4 routes from a CE device, a PE device converts them into globally unique VPN-IPv4 routes and advertises those routes on the public network.

    The RD format enables SPs to allocate RDs independently. When CE devices are dual-homed to PE devices, the RD must be globally unique to ensure correct routing.

  • VPN target

    The VPN target, also called the route target (RT), is a 32-bit BGP extended community attribute. BGP/MPLS IP VPN uses the VPN target to control the advertisement of VPN routing information.

    A VPN instance is associated with one or more VPN target attributes, which are of the following types:

    • Export target: After learning IPv4 routes from directly connected sites, a local PE converts the routes into VPN-IPv4 routes and sets the export target attribute on them. The export target is advertised together with the routes as a BGP extended community attribute.

    • Import target: After receiving VPN-IPv4 routes from other PE devices, a PE checks the export target attribute of the routes. If the export target matches the import target of a VPN instance on the PE, the PE adds the route to the routing table of that VPN instance.

    In a BGP/MPLS IP VPN, VPN targets control the advertisement and receipt of VPN routing information between sites. Export targets are independent of import targets. Both an export target and an import target can be configured with multiple values, which enables flexible VPN access control and diversified VPN networking schemes.

    For example, if the import target of a VPN instance contains 100:1, 200:1, and 300:1, any route with the export target of 100:1, 200:1, or 300:1 is added to the routing table of the VPN instance.
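The overlapping-prefix case from the RD description and the import-target example above, worked through as an added Python example (not code from the Huawei document); the instance names, RDs, next hops and the RD byte layouts (RFC 4364 types 0, 1 and 2) are assumptions chosen for illustration:

```python
import ipaddress
import struct
from dataclasses import dataclass, field

# Added example, not Huawei's code: two VPNs advertise the overlapping prefix 10.110.10.0/24;
# RDs keep their VPN-IPv4 routes apart and VPN targets decide which VPN instances import them.

def encode_rd(rd: str) -> bytes:
    """Encode 'ASN:nn', 'A.B.C.D:nn' or '4-byte-ASN:nn' as the 8-byte RD (assumed RFC 4364 layouts)."""
    admin, num = rd.rsplit(":", 1)
    if "." in admin:  # type 1: IPv4 address + 2-byte assigned number
        return struct.pack("!H4sH", 1, ipaddress.IPv4Address(admin).packed, int(num))
    if int(admin) <= 0xFFFF:  # type 0: 2-byte ASN + 4-byte assigned number
        return struct.pack("!HHI", 0, int(admin), int(num))
    return struct.pack("!HIH", 2, int(admin), int(num))  # type 2: 4-byte ASN + 2-byte number

def vpnv4_key(rd: str, prefix: str) -> bytes:  # 12-byte VPN-IPv4 address: 8-byte RD + 4-byte prefix
    return encode_rd(rd) + ipaddress.IPv4Network(prefix).network_address.packed

@dataclass
class VpnInstance:
    name: str
    rd: str
    import_targets: frozenset
    export_targets: frozenset
    routing_table: dict = field(default_factory=dict)  # VPN-IPv4 key -> (prefix, next hop)

def export_route(inst: VpnInstance, prefix: str, next_hop: str) -> dict:
    """Local PE: convert an IPv4 route learned from a site into a VPN-IPv4 route
    tagged with the instance's export targets (carried as an extended community)."""
    return {"key": vpnv4_key(inst.rd, prefix), "prefix": prefix,
            "next_hop": next_hop, "export_targets": inst.export_targets}

def import_route(instances, route: dict) -> list:
    """Remote PE: add the route to every instance whose import targets overlap
    the route's export targets; return the names of the importing instances."""
    hits = [i for i in instances if i.import_targets & route["export_targets"]]
    for inst in hits:
        inst.routing_table[route["key"]] = (route["prefix"], route["next_hop"])
    return [i.name for i in hits]

def run_demo() -> dict:
    """Constructed sample: vpn1 imports 100:1, 200:1 and 300:1 as in the text above."""
    vpn1 = VpnInstance("vpn1", "100:1", frozenset({"100:1", "200:1", "300:1"}), frozenset({"100:1"}))
    vpn2 = VpnInstance("vpn2", "100:2", frozenset({"200:1"}), frozenset({"200:1"}))
    vpn3 = VpnInstance("vpn3", "100:3", frozenset({"400:1"}), frozenset({"400:1"}))
    r1, r2 = export_route(vpn1, "10.110.10.0/24", "1.1.1.1"), export_route(vpn2, "10.110.10.0/24", "2.2.2.2")
    return {"r1": import_route([vpn1, vpn2, vpn3], r1), "r2": import_route([vpn1, vpn2, vpn3], r2),
            "distinct": r1["key"] != r2["key"], "vpn1_routes": len(vpn1.routing_table)}
```

Because the two routes for 10.110.10.0/24 carry different RDs, vpn1 holds both of them in its routing table instead of losing one, while vpn3 (import target 400:1) imports neither.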

Introduction to MCE Technology

BGP/MPLS IP VPN uses tunnels to transmit data of private networks on a public network. In the traditional BGP/MPLS IP VPN architecture, each VPN instance must use a CE device to connect to a PE device, as shown in Figure 9-15.

In many cases, a private network must be divided into multiple VPNs to achieve fine-grained service management and enhance security. Services of users in different VPNs must be completely isolated. Deploying a CE device for each VPN increases device procurement and maintenance costs. If multiple VPNs share one CE device, data security cannot be ensured, because all the VPNs use the same routing and forwarding table.

The MCE technology ensures data security between different VPNs while reducing network construction and maintenance costs. Figure 9-18 shows the MCE deployment.

Figure 9-18 Networking with an MCE device

An MCE device has some PE functions. By binding each VPN instance to a different interface, an MCE device creates and maintains an independent VRF for each VPN; this is also called a multi-VRF application. The MCE device isolates the forwarding paths of different VPNs on the private network and advertises the routes of each VPN to the peer PE device, ensuring that VPN packets are correctly transmitted on the public network.

Updated: 2019-12-13

Document ID: EDOC1000041694