VPNs using BGP

Introduction

A VPN is a private network constructed within a public network infrastructure, such as the global Internet. In this chapter, the private network is an IP-based network. BGP is the protocol that interconnects two or more VPNs across a public network: its protocol extensions let BGP piggy-back the VPN information and tell how traffic should be exchanged between VPNs.

See also

  • RFC 2764: A Framework for IP Based Virtual Private Networks

With the increasing use of overlay networks (widely used in data centers, but also deployed by operators), BGP has evolved and is able to carry tunneling information. The following BGP services can help to interconnect VPNs: L3VPN and EVPN. Both services rely on encapsulation when traffic enters or leaves the VPN. The VPN generally sits in a given L3VRF, and the backbone is located in the default L3VRF.

The chapters below introduce the L3VPN and EVPN services in turn. Both services share some similarities, and an additional chapter explains the concepts used to control and distribute routing information among VPNs.

L3VPN service

An L3VPN service is a VPN whose private network is an IP network. The BGP L3VPN service specifies whether traffic is exchanged with MPLS labels or with SRv6 encapsulation.

L3VPN MPLS service

In this chapter, the L3VPN BGP service exchanges MPLS labels, which are used to encapsulate the IP traffic across the public network and create the interconnection between VPNs. The encapsulation overhead is small compared to EVPN services. Using L3VPN requires an MPLS backbone or a GRE interface. The interconnection is achieved by creating route leaks.

See also

A basic configuration relies on a network defined in a given L3VRF, and on the public network available in the default L3VRF. An MPLS backbone must be available on the public network. BGP services can then be set up on top of it.

The output below illustrates the routing table for connecting the customer1 L3VRF to a remote network, 10.101.11.0/24. The resulting route is an L3VRF route leak and indicates which labels to push onto the IP packet to reach the remote network. The resulting traffic is an MPLS packet with two labels. In this scenario, the setup requires that an MPLS backbone be available between the devices where the VPNs are attached.

rt1> show ipv4-routes l3vrf customer1
 Codes: K - kernel route, C - connected, S - static, R - RIP,
        O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
        T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,
        F - PBR,
        > - selected route, * - FIB route

 VRF customer1:
 [..]
 B>  10.101.11.0/24 [200/0] via 9.9.9.9(vrf vrf0) (recursive), label 80, 00:05:01
   *                          via 6.6.6.3, eth0_0(vrf main), label 20/80, 00:05:01

When remote MPLS traffic is received, labels are popped. The resulting IP packet is routed into the customer1 L3VRF. The command below dumps the pop action programmed by BGP. The nexthop attribute stands for the L3VRF interface and is the entry point to the routing table of the L3VRF instance.

rt1> show mpls-table
 Inbound Label  Type  Nexthop   Outbound Label
 -----------------------------------------------
 [..]
 80             BGP   customer1 -
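The two outputs above describe both directions of the MPLS route leak: the FIB entry pushes labels 20/80 onto packets leaving customer1, and the mpls-table pops inbound label 80 into customer1. The following is an added example, not code from the documented product, showing what those entries mean on the wire. It parses the label stack from a copy of the FIB line, encodes it as RFC 3032 shim entries (transport label 20 outermost, VPN label 80 with the bottom-of-stack bit set), and applies the pop action to a received packet. The `MPLS_TABLE` dictionary, the `SAMPLE_INNER` IPv4 header, the TTL of 64 and all function names are constructed for the example.

```python
"""MPLS label-stack handling for the L3VPN route leak shown above.

Added example, not code from the documented product. It parses the FIB
line of 'show ipv4-routes l3vrf customer1' (copied from the page), encodes
the resulting label stack as it sits on the wire (transport label 20
outermost, VPN label 80 at the bottom of the stack) and performs the pop
that 'show mpls-table' programs for inbound label 80.
"""
import re
import struct

# Constructed copy of the FIB route line printed on the page.
FIB_LINE = ("   *                          via 6.6.6.3, eth0_0(vrf main), "
            "label 20/80, 00:05:01")

# Pop action from 'show mpls-table': inbound label 80 -> deliver into customer1.
MPLS_TABLE = {80: ("BGP", "customer1")}

# Constructed 20-byte IPv4 header (10.10.10.1 -> 10.101.11.1) used as payload.
SAMPLE_INNER = bytes.fromhex("450000140001000040010000" "0a0a0a01" "0a650b01")

LABEL_RE = re.compile(r"label (?P<labels>[0-9]+(?:/[0-9]+)*)")


def parse_label_stack(line: str) -> list:
    """Return the labels of a route line, outermost first ('20/80' -> [20, 80])."""
    m = LABEL_RE.search(line)
    if not m:
        raise ValueError("no label stack on line")
    return [int(x) for x in m.group("labels").split("/")]


def encode_label_stack(labels: list, ttl: int = 64) -> bytes:
    """Encode a label stack as 32-bit MPLS shim entries (RFC 3032).

    Each entry is: 20-bit label, 3-bit traffic class, 1-bit S (bottom of
    stack), 8-bit TTL. Only the last entry carries S=1.
    """
    out = b""
    for i, label in enumerate(labels):
        if not 0 <= label < (1 << 20):
            raise ValueError(f"label {label} out of range")
        bos = 1 if i == len(labels) - 1 else 0
        out += struct.pack("!I", (label << 12) | (bos << 8) | ttl)
    return out


def decode_label_stack(pkt: bytes):
    """Return (labels outermost first, payload after the bottom-of-stack entry)."""
    labels = []
    off = 0
    while True:
        if off + 4 > len(pkt):
            raise ValueError("truncated label stack")
        (word,) = struct.unpack_from("!I", pkt, off)
        labels.append(word >> 12)
        off += 4
        if (word >> 8) & 1:          # S bit set: this was the last label
            return labels, pkt[off:]


def encapsulate(ip_packet: bytes, line: str = FIB_LINE) -> bytes:
    """Push the label stack taken from the FIB line onto an IP packet."""
    return encode_label_stack(parse_label_stack(line)) + ip_packet


def pop_and_deliver(pkt: bytes):
    """Receive side once the transport label (20) has been removed.

    The remaining label must be bottom of stack and have a pop entry in
    MPLS_TABLE; anything else is rejected instead of being forwarded.
    Returns (VRF name, inner IP packet).
    """
    labels, payload = decode_label_stack(pkt)
    if len(labels) != 1 or labels[0] not in MPLS_TABLE:
        raise ValueError(f"no pop entry for label stack {labels}")
    return MPLS_TABLE[labels[0]][1], payload


if __name__ == "__main__":
    wire = encapsulate(SAMPLE_INNER)
    print(decode_label_stack(wire))        # ([20, 80], <inner packet>)
    # Whether the core pops transport label 20 or rt1 pops it first,
    # only label 80 is looked up against the mpls-table.
    print(pop_and_deliver(wire[4:]))       # ('customer1', <inner packet>)
```

The receive side deliberately refuses a stack that still carries more than one label or a label without a table entry: a VPN label is only meaningful at the router that allocated it, so an unexpected stack is dropped rather than leaked into a VRF.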

The figure below depicts the MPLS encapsulation for forwarded packets going in and out of the L3VRF.

[Figure: L3VPN MPLS encapsulation illustration]

L3VPN SRv6 service

In this chapter, the L3VPN BGP service exchanges SRv6 SID values, which are used to encapsulate the IP traffic across the public network. The public network must be an IPv6 network, and all L3VPN traffic is encapsulated in an IPv6 header that carries a segment routing header (SRH) extension. As with the L3VPN MPLS service, the interconnection is achieved by creating route leaks.

See also

A basic configuration requires defining a locator on the router, so that the BGP service can pick a SID value from that locator. The SID value must also be a routable IP address in the IPv6 core network. The output below illustrates the routing table for connecting the green L3VRF to a remote 192.168.11.0/24 network. The resulting route is an L3VRF route leak and indicates that the 2001:db8:0:2:1:: SID value is used to encapsulate the inner IPv4 packet.

vsr> show ipv4-routes l3vrf green
Codes: K - kernel route, C - connected, S - static, R - RIP,
       O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, A - Babel, D - SHARP, F - PBR, f - OpenFabric,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup
       t - trapped, o - offload failure

VRF green:
K>* 0.0.0.0/0 [255/8192] unreachable (ICMP unreachable), 16:17:26
C>* 192.168.10.0/24 is directly connected, eth1, 15:41:17
B>  192.168.11.0/24 [200/0] via 2001:db8:ffff::2 (vrf default) (recursive), label 16, seg6 2001:db8:0:2:1::, weight 1, 14:58:12
  *                           via fe80::ed1:12ff:feab:0, eth0 (vrf default), label 16, seg6 2001:db8:0:2:1::, weight 1, 14:58:12

When the remote SRv6 traffic is received, the IPv6 header is decapsulated, and the resulting IP packet is routed to table number 10, which is the table identifier of the green L3VRF. The green attribute stands for the L3VRF interface and is the entry point to the routing table of the L3VRF instance.

vsr> show ipv6-routes
Codes: K - kernel route, C - connected, S - static, R - RIPng,
       O - OSPFv3, I - IS-IS, B - BGP, N - NHRP, T - Table,
       A - Babel, D - SHARP, F - PBR, f - OpenFabric,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup
       t - trapped, o - offload failure

[..]
B>* 2001:db8:0:1:1::/128 [20/0] is directly connected, green, seg6local End.DT4 table 10, weight 1, 16:18:13
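The two SRv6 outputs above describe both directions of the leak: the green FIB entry encapsulates toward the remote SID 2001:db8:0:2:1::, and the local SID 2001:db8:0:1:1:: is programmed with End.DT4 into table 10. The following is an added example, not code from the documented product, that shows the corresponding packet formats. It reads the seg6 SID from a copy of the FIB line, builds the outer IPv6 header plus SRH (RFC 8754) around an inner IPv4 packet, and then applies the End.DT4 behaviour to a packet addressed to the local SID. The `LOCAL_SIDS` table, the `SAMPLE_INNER` IPv4 header, the use of 2001:db8:ffff::2 as the remote PE source address, and all function names are constructed for the example.

```python
"""SRv6 encapsulation for the L3VPN route leak shown above.

Added example, not code from the documented product. It reads the seg6
SID from the FIB line of 'show ipv4-routes l3vrf green' (copied from the
page), builds the outer IPv6 header plus segment routing header (SRH,
RFC 8754) that carries the inner IPv4 packet across the core, and applies
the End.DT4 behaviour that 'show ipv6-routes' programs for the local SID:
strip the outer header and hand the packet to table 10.
"""
import ipaddress
import re
import struct

# Constructed copy of the FIB route line printed on the page.
FIB_LINE = ("  *                           via fe80::ed1:12ff:feab:0, eth0 (vrf default), "
            "label 16, seg6 2001:db8:0:2:1::, weight 1, 14:58:12")

# Local SID table from 'show ipv6-routes': SID -> (behaviour, VRF table id).
LOCAL_SID = ipaddress.IPv6Address("2001:db8:0:1:1::")
LOCAL_SIDS = {LOCAL_SID: ("End.DT4", 10)}

# Remote PE address taken from the BGP nexthop on the page; used as outer source.
CORE_SRC = ipaddress.IPv6Address("2001:db8:ffff::2")

# Constructed 20-byte IPv4 header: 192.168.10.1 -> 192.168.11.1.
SAMPLE_INNER = bytes.fromhex("450000140001000040010000" "c0a80a01" "c0a80b01")

IPPROTO_ROUTING = 43     # outer IPv6 Next Header value for a routing extension header
IPPROTO_IPV4 = 4         # SRH Next Header value for an inner IPv4 packet
SRH_ROUTING_TYPE = 4     # Routing Type assigned to the SRH

SEG6_RE = re.compile(r"seg6 (?P<sid>[0-9a-fA-F:]+)")


def parse_seg6_sid(line: str) -> ipaddress.IPv6Address:
    """Return the SID a route line encapsulates into (the seg6 field)."""
    m = SEG6_RE.search(line)
    if not m:
        raise ValueError("no seg6 SID on line")
    return ipaddress.IPv6Address(m.group("sid"))


def build_srh(segments: list, next_header: int) -> bytes:
    """Build an SRH for a segment list given in visiting order.

    On the wire the list is stored in reverse: Segment List[0] is the last
    SID, and Segments Left indexes the active segment (the first to visit).
    Hdr Ext Len counts 8-octet units after the fixed 8-octet header.
    """
    n = len(segments)
    if n == 0:
        raise ValueError("empty segment list")
    seg_list = b"".join(s.packed for s in reversed(segments))
    fixed = struct.pack("!BBBBBBH", next_header, 2 * n, SRH_ROUTING_TYPE,
                        n - 1, n - 1, 0, 0)   # flags=0, tag=0
    return fixed + seg_list


def h_encaps(inner_ipv4: bytes, src: ipaddress.IPv6Address, segments: list) -> bytes:
    """Encapsulate an IPv4 packet: outer IPv6 (DA = first SID) + SRH + inner."""
    srh = build_srh(segments, IPPROTO_IPV4)
    outer = struct.pack("!IHBB", 6 << 28, len(srh) + len(inner_ipv4),
                        IPPROTO_ROUTING, 64) + src.packed + segments[0].packed
    return outer + srh + inner_ipv4


def end_dt4(pkt: bytes):
    """Decapsulate a packet addressed to a local End.DT4 SID.

    Returns (table id, inner IPv4 packet). Anything that is not a well
    formed SRv6 packet for a local End.DT4 SID with Segments Left equal
    to 0 is rejected rather than routed.
    """
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    payload_len, next_hdr = struct.unpack_from("!HB", pkt, 4)
    if payload_len != len(pkt) - 40:
        raise ValueError("payload length mismatch")
    dst = ipaddress.IPv6Address(pkt[24:40])
    if LOCAL_SIDS.get(dst, (None, None))[0] != "End.DT4":
        raise ValueError(f"{dst} is not a local End.DT4 SID")
    off = 40
    if next_hdr == IPPROTO_ROUTING:
        nh, ext_len, rtype, seg_left = struct.unpack_from("!BBBB", pkt, off)
        if rtype != SRH_ROUTING_TYPE:
            raise ValueError("unexpected routing type")
        if seg_left != 0:
            raise ValueError("Segments Left must be 0 at the final segment")
        off += 8 + 8 * ext_len
        next_hdr = nh
    if next_hdr != IPPROTO_IPV4 or off + 20 > len(pkt) or pkt[off] >> 4 != 4:
        raise ValueError("inner packet is not IPv4")
    return LOCAL_SIDS[dst][1], pkt[off:]


if __name__ == "__main__":
    print("green leak encapsulates toward", parse_seg6_sid(FIB_LINE))
    # What the remote PE sends back to us: a packet addressed to our local SID.
    pkt = h_encaps(SAMPLE_INNER, CORE_SRC, [LOCAL_SID])
    print(end_dt4(pkt))   # (10, SAMPLE_INNER)
```

The decapsulation side only honours SIDs present in its own local SID table and insists on Segments Left being 0, which is the condition under which End.DT4 applies; a packet whose active segment is still a transit SID is not handed into the VRF table.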