📄 rfc2547.txt
字号:
RFC 2547 BGP/MPLS VPNs March 1999
In essence, a Target VPN attribute identifies a set of sites.
Associating a particular Target VPN attribute with a route allows
that route to be placed in the per-site forwarding tables that are
used for routing traffic which is received from the corresponding
sites.
There is a set of Target VPNs that a PE router attaches to a route
received from site S. And there is a set of Target VPNs that a PE
router uses to determine whether a route received from another PE
router could be placed in the forwarding table associated with site
S. The two sets are distinct, and need not be the same.
The function performed by the Target VPN attribute is similar to that
performed by the BGP Communities Attribute. However, the format of
the latter is inadequate, since it allows only a two-byte numbering
space. It would be fairly straightforward to extend the BGP
Communities Attribute to provide a larger numbering space. It should
also be possible to structure the format, similar to what we have
described for RDs (see section 4.1), so that a type field defines the
length of an administrator field, and the remainder of the attribute
is a number from the specified administrator's numbering space.
When a BGP speaker has received two routes to the same VPN-IPv4
prefix, it chooses one, according to the BGP rules for route
preference.
Note that a route can only have one RD, but it can have multiple
Target VPNs. In BGP, scalability is improved if one has a single
route with multiple attributes, as opposed to multiple routes. One
could eliminate the Target VPN attribute by creating more routes
(i.e., using more RDs), but the scaling properties would be less
favorable.
How does a PE determine which Target VPN attributes to associate with
a given route? There are a number of different possible ways. The
PE might be configured to associate all routes that lead to a
particular site with a particular Target VPN. Or the PE might be
configured to associate certain routes leading to a particular site
with one Target VPN, and certain with another. Or the CE router,
when it distributes these routes to the PE (see section 6), might
specify one or more Target VPNs for each route. The latter method
shifts the control of the mechanisms used to implement the VPN
policies from the SP to the customer. If this method is used, it may
still be desirable to have the PE eliminate any Target VPNs that,
according to its own configuration, are not allowed, and/or to add in
some Target VPNs that according to its own configuration are
mandatory.
Rosen & Rekhter Informational [Page 11]
RFC 2547 BGP/MPLS VPNs March 1999
It might be more accurate, if less suggestive, to call this attribute
the "Route Target" attribute instead of the "VPN Target" attribute.
It really identifies only a set of sites which will be able to use
the route, without prejudice to whether those sites constitute what
might intuitively be called a VPN.
4.2.2. Route Distribution Among PEs by BGP
If two sites of a VPN attach to PEs which are in the same Autonomous
System, the PEs can distribute VPN-IPv4 routes to each other by means
of an IBGP connection between them. Alternatively, each can have an
IBGP connection to a route reflector.
If two sites of VPN are in different Autonomous Systems (e.g.,
because they are connected to different SPs), then a PE router will
need to use IBGP to redistribute VPN-IPv4 routes either to an
Autonomous System Border Router (ASBR), or to a route reflector of
which an ASBR is a client. The ASBR will then need to use EBGP to
redistribute those routes to an ASBR in another AS. This allows one
to connect different VPN sites to different Service Providers.
However, VPN-IPv4 routes should only be accepted on EBGP connections
at private peering points, as part of a trusted arrangement between
SPs. VPN-IPv4 routes should neither be distributed to nor accepted
from the public Internet.
If there are many VPNs having sites attached to different Autonomous
Systems, there does not need to be a single ASBR between those two
ASes which holds all the routes for all the VPNs; there can be
multiple ASBRs, each of which holds only the routes for a particular
subset of the VPNs.
When a PE router distributes a VPN-IPv4 route via BGP, it uses its
own address as the "BGP next hop". It also assigns and distributes
an MPLS label. (Essentially, PE routers distribute not VPN-IPv4
routes, but Labeled VPN-IPv4 routes. Cf. [8]) When the PE processes a
received packet that has this label at the top of the stack, the PE
will pop the stack, and send the packet directly to the site from to
which the route leads. This will usually mean that it just sends the
packet to the CE router from which it learned the route. The label
may also determine the data link encapsulation.
In most cases, the label assigned by a PE will cause the packet to be
sent directly to a CE, and the PE which receives the labeled packet
will not look up the packet's destination address in any forwarding
table. However, it is also possible for the PE to assign a label
which implicitly identifies a particular forwarding table. In this
case, the PE receiving a packet that label would look up the packet's
destination address in one of its forwarding tables. While this can
Rosen & Rekhter Informational [Page 12]
RFC 2547 BGP/MPLS VPNs March 1999
be very useful in certain circumstances, we do not consider it
further in this paper.
Note that the MPLS label that is distributed in this way is only
usable if there is a label switched path between the router that
installs a route and the BGP next hop of that route. We do not make
any assumption about the procedure used to set up that label switched
path. It may be set up on a pre-established basis, or it may be set
up when a route which would need it is installed. It may be a "best
effort" route, or it may be a traffic engineered route. Between a
particular PE router and its BGP next hop for a particular route
there may be one LSP, or there may be several, perhaps with different
QoS characteristics. All that matters for the VPN architecture is
that some label switched path between the router and its BGP next hop
exists.
All the usual techniques for using route reflectors [2] to improve
scalability, e.g., route reflector hierarchies, are available. If
route reflectors are used, there is no need to have any one route
reflector know all the VPN-IPv4 routes for all the VPNs supported by
the backbone. One can have separate route reflectors, which do not
communicate with each other, each of which supports a subset of the
total set of VPNs.
If a given PE router is not attached to any of the Target VPNs of a
particular route, it should not receive that route; the other PE or
route reflector which is distributing routes to it should apply
outbound filtering to avoid sending it unnecessary routes. Of
course, if a PE router receives a route via BGP, and that PE is not
attached to any of the route's target VPNs, the PE should apply
inbound filtering to the route, neither installing nor redistributing
it.
A router which is not attached to any VPN, i.e., a P router, never
installs any VPN-IPv4 routes at all.
These distribution rules ensure that there is no one box which needs
to know all the VPN-IPv4 routes that are supported over the backbone.
As a result, the total number of such routes that can be supported
over the backbone is not bound by the capacity of any single device,
and therefore can increase virtually without bound.
4.2.3. The VPN of Origin Attribute
A VPN-IPv4 route may be optionally associated with a VPN of Origin
attribute. This attribute uniquely identifies a set of sites, and
identifies the corresponding route as having come from one of the
sites in that set. Typical uses of this attribute might be to
Rosen & Rekhter Informational [Page 13]
RFC 2547 BGP/MPLS VPNs March 1999
identify the enterprise which owns the site where the route leads, or
to identify the site's intranet. However, other uses are also
possible. This attribute could be encoded as an extended BGP
communities attribute.
In situations in which it is necessary to identify the source of a
route, it is this attribute, not the RD, which must be used. This
attribute may be used when "constructing" VPNs, as described below.
It might be more accurate, if less suggestive, to call this attribute
the "Route Origin" attribute instead of the "VPN of Origin"
attribute. It really identifies the route only has having come from
one of a particular set of sites, without prejudice as to whether
that particular set of sites really constitutes a VPN.
4.2.4. Building VPNs using Target and Origin Attributes
By setting up the Target VPN and VPN of Origin attributes properly,
one can construct different kinds of VPNs.
Suppose it is desired to create a Closed User Group (CUG) which
contains a particular set of sites. This can be done by creating a
particular Target VPN attribute value to represent the CUG. This
value then needs to be associated with the per-site forwarding tables
for each site in the CUG, and it needs to be associated with every
route learned from a site in the CUG. Any route which has this
Target VPN attribute will need to be redistributed so that it reaches
every PE router attached to one of the sites in the CUG.
Alternatively, suppose one desired, for whatever reason, to create a
"hub and spoke" kind of VPN. This could be done by the use of two
Target Attribute values, one meaning "Hub" and one meaning "Spoke".
Then routes from the spokes could be distributed to the hub, without
causing routes from the hub to be distributed to the spokes.
Suppose one has a number of sites which are in an intranet and an
extranet, as well as a number of sites which are in the intranet
only. Then there may be both intranet and extranet routes which have
a Target VPN identifying the entire set of sites. The sites which
are to have intranet routes only can filter out all routes with the
"wrong" VPN of Origin.
These two attributes allow great flexibility in allowing one to
control the distribution of routing information among various sets of
sites, which in turn provides great flexibility in constructing VPNs.
Rosen & Rekhter Informational [Page 14]
RFC 2547 BGP/MPLS VPNs March 1999
5. Forwarding Across the Backbone
If the intermediate routes in the backbone do not have any
information about the routes to the VPNs, how are packets forwarded
from one VPN site to another?
This is done by means of MPLS with a two-level label stack.
PE routers (and ASBRs which redistribute VPN-IPv4 addresses) need to
insert /32 address prefixes for themselves into the IGP routing
tables of the backbone. This enables MPLS, at each node in the
backbone network, to assign a label corresponding to the route to
each PE router. (Certain procedures for setting up label switched
paths in the backbone may not require the presence of the /32 address
prefixes.)
When a PE receives a packet from a CE device, it chooses a particular
per-site forwarding table in which to look up the packet's
destination address. Assume that a match is found.
If the packet is destined for a CE device attached to this same PE,
the packet is sent directly to that CE device.
If the packet is not destined for a CE device attached to this same
PE, the packet's "BGP Next Hop" is found, as well as the label which
that BGP next hop assigned for the packet's destination address. This
label is pushed onto the packet's label stack, and becomes the bottom
label. Then the PE looks up the IGP route to the BGP Next Hop, and
thus determines the IGP next hop, as well as the label assigned to
the address of the BGP next hop by the IGP next hop. This label gets
pushed on as the packet's top label, and the packet is then forwarded
to the IGP next hop. (If the BGP next hop is the same as the IGP
next hop, the second label may not need to be pushed on, however.)
At this point, MPLS will carry the packet across the backbone and
into the appropriate CE device. That is, all forwarding decisions by
P routers and PE routers are now made by means of MPLS, and the
packet's IP header is not looked at again until the packet reaches
the CE device. The final PE router will pop the last label from the
MPLS label stack before sending the packet to the CE device, thus the
CE device will just see an ordinary IP packet. (Though see section 8
for some discussion of the case where the CE desires to received
labeled packets.)
When a packet enters the backbone from a particular site via a
particular PE router, the packet's route is determined by the
contents of the forwarding table which that PE router associated with
that site. The forwarding tables of the PE router where the packet
Rosen & Rekhter Informational [Page 15]
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -