
Slide 1: L2 MPLS VPNs
Hector Avalos, Technical Director - Southern Europe, Juniper Networks (havalos@juniper.net)
Juniper Networks, Inc. Copyright © 2000

Slide 2: Agenda: L2 MPLS VPNs
- VPNs overview
- Provider-provisioned L2 MPLS VPNs
  - Taxonomy
  - Operational model
- Conclusion

Slide 3: What is a VPN?
- A private network constructed over a shared infrastructure
  - Virtual: not a separate physical network
  - Private: separate addressing and routing
  - Network: a collection of devices that communicate
- Policies are key; global connectivity is not the goal
[Diagram: a shared infrastructure linking mobile users and telecommuters (remote access), a branch office and corporate headquarters (intranet), and suppliers, partners and customers (extranet)]

Slide 4: Deploying VPNs in the 1990s
- Operational model
  - PVCs overlay the shared infrastructure (ATM/Frame Relay)
  - Routing occurs at the customer premises
- Benefits
  - Mature technologies
  - Relatively "secure"
  - Service commitments (bandwidth, availability, and more)
- Limitations
  - Scalability, provisioning and management
  - Not a fully integrated IP solution
[Diagram: CPE devices joined by DLCIs through Frame Relay switches in the provider Frame Relay network]

Slide 5: Traditional (Layer 2) VPNs
[Diagram: customer routers interconnected through Frame Relay/ATM switches]

Slide 6: Improving Traditional Layer 2 VPNs
- Decouple edge (customer-facing) technology from core technology
- Have a single network infrastructure for all desired services
  - Internet
  - L3 MPLS VPNs
  - L2 MPLS VPNs
- Simplify provisioning
  - Appropriate signaling mechanisms for VPN auto-provisioning

Slide 7: VPN Classification Model
- Customer-managed VPN solutions (CPE-VPNs)
  - Layer 2: L2TP and PPTP
  - Layer 3: IPSec
- Provider-provisioned VPN solutions (PP-VPNs)
  - Layer 3: MPLS-based VPNs (RFC 2547bis)
  - Layer 3: non-MPLS-based VPNs (virtual routers)
  - Layer 2: MPLS VPNs
[Diagram: in a CPE-VPN the VPN tunnel runs CPE to CPE between subscriber sites 1, 2 and 3; in a PP-VPN each CPE attaches to a PE and the VPN tunnel runs PE to PE]

Slide 8: PP-VPNs: Layer 2 Classification
- Service provider delivers Layer 2 circuit IDs (DLCI, VPI/VCI, 802.1Q VLAN) to the customer
  - One for each reachable site
- Customer maps their own routing architecture onto the circuit mesh
- Provider router maps the circuit ID to a Label Switched Path (LSP) to traverse the provider core
  - Customer routes are transparent to provider routers
- Provider-provisioned L2 MPLS VPN Internet drafts
  - draft-kompella-mpls-l2vpn-02.txt
  - draft-martini-l2circuit-encap-mpls-01.txt

Slide 9: Agenda: L2 MPLS VPNs
- Overview of VPNs
- Provider-provisioned L2 MPLS VPNs
  - Taxonomy
  - Operational model
- Conclusion

Slide 10: Customer Edge Routers
- Customer Edge (CE) routers
  - Router or switch located at the customer premises, providing access to the service provider network
  - Layer 2 (FR, ATM, Ethernet) and Layer 3 (IP, IPX, SNA, ...) independence from the service provider network
  - CEs within a VPN use the same L2 technology to access the service provider network
  - Each CE requires a sub-interface per CE it needs to interconnect with within the VPN
  - CEs maintain routing adjacencies with other CEs within the VPN
[Diagram: CEs of VPN A and VPN B attached over ATM and FR to PE routers, with P routers in the core]

Slide 11: Provider Edge Routers
- Provider Edge (PE) routers
  - Maintain site-specific VPN Forwarding Tables
  - Exchange VPN Connection Tables with other PE routers using MP-iBGP or LDP
  - Use MPLS LSPs to forward VPN traffic
[Diagram: same topology as slide 10, highlighting the PE routers]

Slide 12: Provider Routers
- Provider (P) routers
  - Forward data traffic transparently over established LSPs
  - Do not maintain VPN-specific forwarding information
[Diagram: same topology as slide 10, highlighting the P routers]

Slide 13: VPN Forwarding Tables (VFT)
- A VFT is created for each site connected to the PE
- Each VFT is populated with:
  - The forwarding information provisioned for the local CE sites
  - VPN Connection Tables received from other PEs via iBGP or LDP
[Diagram: PE 1, PE 2 and PE 3 around an OSPF/ATM core of P routers; VPN A sites 1-3 (CE-A1, CE-A2, CE-A3) and VPN B sites 1-2 (CE-B1, CE-B2) attached to the PEs]

Slide 14: VPN Connection Tables (VCT)
- The VCT is a subset of the information held by the VFT
- VCTs are distributed by the PEs via iBGP or LDP
- A VCT is distributed for each VPN site to the other PEs
[Diagram: PE-1 (CE-1 at Site 1, CE-2 at Site 2) and PE-2 (CE-4) joined by an MP-iBGP session / LDP, each holding a VFT]

Slide 15: L2 VPN Provisioning
- Provisioning the network
- Provisioning the CEs
- Provisioning the VPN (PEs)
- VPN Connection Table distribution
Assumption: the access technology is Frame Relay (other cases are similar)

Slide 16: Provisioning the Network
- PE-to-PE LSPs pre-established via
  - RSVP-TE
  - LDP
  - LDP over RSVP-TE tunneling
- LSPs used for many services: IP, L2 VPN, L3 VPN, ...
- Provisioned independently of Layer 2 VPNs
[Diagram: the PE 1 / PE 2 / PE 3 topology of slide 13 over the OSPF/ATM core]

Slide 17: Provisioning Customer Sites
- List of DLCIs: one for each site, some spare for over-provisioning
- DLCIs independently numbered at each site
- LMI, Inverse ARP and/or routing protocols for auto-discovery and learning addresses
- No changes as VPN membership changes
  - Until over-provisioning runs out

CE-4 DLCIs: 63, 75, 82, 94

CE-4 routing table:
  Destination   Out DLCI
  10/8          63
  20/8          75
  30/8          82
  -             94   (spare)

Slide 18: Provisioning CEs at the PE
- A VFT is provisioned at each PE for each CE
  - VPN-ID: unique value within the service provider network
  - CE-ID: unique value in the context of a VPN
  - CE Range: maximum number of CEs that it can connect to
  - Sub-interface list: set of local sub-interface IDs assigned for the CE-PE connection

CE 4 VFT:
  VPN ID       RED VPN
  CE ID        4
  CE Range     4
  Sub-int IDs  63 75 82 94

Slide 19: Provisioning CEs at the PE
- A VFT is provisioned at each PE for each CE
  - VPN-ID: unique value within the service provider network
  - CE-ID: unique value in the context of a VPN
  - CE Range: maximum number of CEs that it can connect to
  - Sub-interface list: set of local sub-interface IDs assigned for the CE-PE connection
  - Label base: label assigned to the first sub-interface ID
    - The PE reserves N contiguous labels, where N is the CE Range

CE 4 VFT:
  VPN ID       RED VPN
  CE ID        4
  CE Range     4
  Label base   1000
  Sub-int IDs  63 75 82 94
(The VPN ID, CE ID, CE Range and Label base rows make up the CE 4 VCT.)

Slide 20: Provisioning CEs at the PE
- PE-2 is configured with the CE 4 VFT

CE 4 VFT at PE-2:
  VPN ID       RED VPN
  CE ID        4
  CE Range     4
  Label base   1000

  Remote CE   CE 4's DLCI to it   Label used by that CE to reach CE 4
  CE 0        63                  1000
  CE 1        75                  1001
  CE 2        82                  1002
  CE 3        94                  1003
[Diagram: PE-1 (CE-1 at Site 1, CE-2 at Site 2) and PE-2 (CE-4) with FR access, VFT at each PE]

Slide 21: Distributing VCTs
- Key: signalling using LDP or MP-iBGP
  - Auto-discovery of members
  - Auto-assignment of inter-member circuits
  - Flexible VPN topology
- O(N) configuration for the whole VPN
  - Could be more for complex topologies
- O(1) configuration to add a site
  - "Overprovision" DLCIs (sub-interfaces) at customer sites

Slide 22: Distributing VCTs
- PE-1 accepts PE-2's CE 4 VCT

CE 4 VCT update (sent by PE-2 over the MP-iBGP session / LDP, received by PE-1):
  VPN ID       RED VPN
  CE ID        4
  CE Range     4
  Label base   1000

Label used by CE 2 to reach CE 4: 1002
[Diagram: PE-1 (CE-1, CE-2) and PE-2 (CE-4) with FR access]

Slide 23: Updating VFTs
- PE-1 updates its CE 2 VFT

CE 2 VFT at PE-1:
  CE ID   Inner Label   Sub-int ID
  1       5020          107
  2       7500          209
  3       9350          265
  4       1002          414   (label used to reach CE 4)
[Diagram: CE-2 attaches to PE-1 over FR DLCI 414; CE-4 attaches to PE-2 over FR DLCI 82]

Slide 24: Updating VFTs
- PE-1 updates its CE 2 VFT with the outer label of the LSP to PE-2

CE 2 VFT at PE-1:
  CE ID   Inner Label   Outer Label          Sub-int ID
  1       5020                               107
  2       7500                               209
  3       9350                               265
  4       1002          500 (LSP to PE-2)    414
[Diagram: CE-2 attaches to PE-1 over FR DLCI 414; CE-4 attaches to PE-2 over FR DLCI 82]

Slide 25: Data Flow
- CE-2 sends packets to the PE via the DLCI which connects to CE-4 (414)
[Diagram: packet leaves CE-2 on DLCI 414 toward PE-1; CE-4 hangs off PE-2 on DLCI 82]

Slide 26: Data Flow
- The DLCI number is removed by the ingress PE
- Two labels are derived from the VFT sub-interface lookup and "pushed" onto the packet
  - Outer IGP label
    - Identifies the LSP to the egress PE router
    - Derived from the core's IGP and distributed by RSVP or LDP
  - Inner site label
    - Identifies the outgoing sub-interface from the egress PE to the CE
    - Derived from the MP-iBGP/LDP VCT distributed by the egress PE

At PE-1:
  1) Look up the DLCI in the Red VFT
  2) Push the VPN (site) label (1002)
  3) Push the IGP label (500)
Packet leaving PE-1: [IGP label 500] [site label 1002] [packet]

Slide 27: Data Flow
- After packets exit the ingress PE, the outer label is used to traverse the LSP
- P routers are not VPN-aware
Packet in the core: [IGP label z] [site label 1002] [packet]
[Diagram: Site 2 behind CE-4 is numbered 10.1/16; DLCI 414 at CE-2, DLCI 82 at CE-4]

Slide 28: Data Flow
- The outer label is removed through penultimate hop popping (before reaching the egress PE)
Packet arriving at PE-2 after the penultimate P router pops the top label: [site label 1002] [packet]

Slide 29: Data Flow
- The inner label is removed at the egress PE
- The egress PE does a label lookup to find the corresponding DLCI value
- The native Frame Relay packet is sent to the corresponding outbound sub-interface
Packet delivered to CE-4: [DLCI 82] [packet]
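The provisioning steps of slides 18 to 24 and the data path of slides 25 to 29, as an added Python model (example code, not part of the original deck and not Juniper software). It keeps one VFT per local CE at each PE, advertises the VCT subset, derives the site label as label base + CE-ID, and walks a frame from DLCI to two-label stack, through penultimate hop popping, back to a DLCI. Values taken from the slides: VPN "RED", CE 4 at PE-2 with CE range 4, label base 1000 and DLCIs 63/75/82/94 toward CE 0-3, CE 2 at PE-1 reaching CE 4 over DLCI 414 with site label 1002 and LSP label 500. Assumptions for the example: CE 2's other DLCIs, its CE range (5) and label base (7000), the PE-2 to PE-1 LSP label (600), an extra CE 7 that lies outside CE 4's CE range, and the names VFT, VCT, PE, build_network and forward.

```python
"""Kompella-style L2 MPLS VPN label bookkeeping, modelled on slides 18-29.
Added example, not Juniper code: one VFT per local CE at each PE, VCTs
exchanged between PEs, site label = label-base + CE-ID, and the DLCI to
two-label-stack translation on the data path."""
from dataclasses import dataclass, field


@dataclass
class VCT:
    """VPN Connection Table: the subset of a VFT that a PE advertises."""
    vpn_id: str
    ce_id: int
    ce_range: int
    label_base: int


@dataclass
class VFT:
    """VPN Forwarding Table provisioned at a PE for one local CE."""
    vpn_id: str
    ce_id: int
    ce_range: int    # how many remote CE-IDs this CE can connect to
    label_base: int  # first of ce_range contiguous labels reserved by the PE
    subif: dict      # remote CE-ID -> local sub-interface (DLCI) toward that CE
    remote: dict = field(default_factory=dict)  # remote CE-ID -> (inner, outer)

    def vct(self):
        return VCT(self.vpn_id, self.ce_id, self.ce_range, self.label_base)

    def label_for(self, remote_ce_id):
        """Site label a remote CE must use to reach this CE (slide 20)."""
        if not 0 <= remote_ce_id < self.ce_range:
            raise ValueError(f"CE-ID {remote_ce_id} outside CE range {self.ce_range}")
        return self.label_base + remote_ce_id


class PE:
    def __init__(self, name, lsp_label_to):
        self.name = name
        self.lsp_label_to = lsp_label_to  # remote PE -> outer label of the pre-built LSP
        self.vfts = {}                    # (vpn_id, ce_id) -> VFT of a local CE
        self.label_to_dlci = {}           # inner label -> outgoing DLCI (egress lookup)

    def provision(self, vft):
        """Install a local CE's VFT and bind each reserved label to its DLCI.
        label_for() rejects a DLCI for a CE-ID outside the range: the P routers
        hold no VPN state, so this bookkeeping is what keeps sites apart."""
        self.vfts[(vft.vpn_id, vft.ce_id)] = vft
        for remote_ce, dlci in vft.subif.items():
            self.label_to_dlci[vft.label_for(remote_ce)] = dlci

    def advertise(self):
        """VCTs this PE sends over MP-iBGP/LDP, tagged with the origin PE."""
        return [(self.name, v.vct()) for v in self.vfts.values()]

    def accept(self, origin_pe, vct):
        """Update each local VFT of the same VPN with the remote site's labels."""
        for vft in self.vfts.values():
            if vft.vpn_id != vct.vpn_id or vft.ce_id == vct.ce_id:
                continue
            if vft.ce_id >= vct.ce_range or vct.ce_id not in vft.subif:
                continue  # one side has no circuit for the other (range exhausted)
            inner = vct.label_base + vft.ce_id    # our slot in the remote label block
            outer = self.lsp_label_to[origin_pe]  # LSP toward the advertising PE
            vft.remote[vct.ce_id] = (inner, outer)

    def ingress(self, vpn_id, ce_id, dlci, payload):
        """Frame from a local CE: strip the DLCI, push site label, push LSP label."""
        vft = self.vfts[(vpn_id, ce_id)]
        remote_ce = next(r for r, d in vft.subif.items() if d == dlci)
        inner, outer = vft.remote[remote_ce]  # KeyError: no connectivity to that CE
        return [outer, inner], payload        # top of stack first

    def egress(self, labels, payload):
        """After PHP only the site label is left; it selects the outgoing DLCI."""
        (inner,) = labels
        return self.label_to_dlci[inner], payload


def penultimate_hop_pop(labels):
    """The P router before the egress PE pops the outer (IGP) label."""
    return labels[1:]


def build_network():
    """Slide values: CE 4 at PE-2 (range 4, base 1000, DLCIs 63/75/82/94 to CE 0-3),
    CE 2 at PE-1 reaching CE 4 over DLCI 414, LSP PE-1 -> PE-2 label 500.
    Assumed: CE 2's other DLCIs, range and base; CE 7; the PE-2 -> PE-1 label."""
    pe1, pe2 = PE("PE-1", {"PE-2": 500}), PE("PE-2", {"PE-1": 600})
    pe2.provision(VFT("RED", 4, 4, 1000, {0: 63, 1: 75, 2: 82, 3: 94}))
    pe1.provision(VFT("RED", 2, 5, 7000, {0: 107, 1: 209, 3: 265, 4: 414}))
    pe1.provision(VFT("RED", 7, 8, 8000, {4: 300}))  # CE 7 lies beyond CE 4's range
    for pe, peer in ((pe1, pe2), (pe2, pe1)):
        for origin, vct in peer.advertise():
            pe.accept(origin, vct)
    return pe1, pe2


def forward(ingress_pe, egress_pe, vpn_id, ce_id, dlci, payload=b"frame"):
    """Walk one frame: ingress PE -> LSP with PHP -> egress PE; return each stage."""
    stack, pkt = ingress_pe.ingress(vpn_id, ce_id, dlci, payload)
    after_php = penultimate_hop_pop(stack)
    out_dlci, pkt = egress_pe.egress(after_php, pkt)
    return {"at_ingress": stack, "after_php": after_php, "egress_dlci": out_dlci}


if __name__ == "__main__":
    pe1, pe2 = build_network()
    print(forward(pe1, pe2, "RED", 2, 414))  # {'at_ingress': [500, 1002], 'after_php': [1002], 'egress_dlci': 82}
```

Running the module reproduces slides 25 to 29 for the CE-2 to CE-4 direction: DLCI 414 becomes the stack [500, 1002], the penultimate P router leaves [1002], and PE-2 maps 1002 to DLCI 82. The reverse direction works the same way with the assumed labels. The check in label_for and the two-sided test in accept are the parts worth carrying into real provisioning tooling: slide 12 says P routers keep no VPN state, so a label block that is mis-sized or overlaps another site's block is the one mistake that can cross-connect customers, and a CE-ID beyond a site's CE range (the assumed CE 7 here) simply gets no circuit until that site is re-provisioned with a larger range, which is the "until over-provisioning runs out" caveat of slide 17.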

Slide 30: VPN Topologies
- Arbitrary topologies are possible:
  - full mesh
  - hub-and-spoke
- BGP communities are used to configure VPN topologies when using BGP signaling
- A "connectivity" parameter serves a similar purpose in LDP signaling

Slide 31: Conclusions

Slide 32: A Range of VPN Solutions
- Each customer has different
  - Security requirements
  - Staff expertise
  - Tolerance for outsourcing
- Customer networks vary by size and traffic volume
- Providers also have different preferences concerning
  - Extensive policy management
  - Inclusion of customer routes in backbone routers
  - Approaches to managed service

Slide 33: MPLS-Based Layer 2 VPNs
- MPLS-based Layer 2 VPNs are identical to Layer 2 VPNs from the customers' perspective
  - Familiar paradigm
  - Layer 3 independent
  - Provider not responsible for routing
    - No hacks for OSPF
  - Rely on the SP only for connectivity
- MPLS transport in the provider network
  - Decouples edge and core Layer 2 technologies
  - Multiple services over a single infrastructure
    - Single network architecture for both Internet and VPN services
  - Label stacking
    - Provision once, and use the same LSP for multiple purposes
  - Auto-provisioning of VPNs

Slide 34: MPLS-based Layer 2 VPNs: Advantages
- Subscriber
  - Outsourced WAN infrastructure
  - Easy migration from an existing Layer 2 fabric
  - Can maintain routing control, or opt for a managed service
  - Supports any Layer 3 protocol
  - Supports multicast
- Provider
  - Complements RFC 2547bis
    - Operates over the same core, using the same outer LSP
  - Existing Frame Relay and ATM VPNs can be collapsed onto a single IP/MPLS infrastructure
  - Label stacking allows multiple services over a single LSP
  - No scalability problems associated with storing numerous customer VPN routes
  - Simpler than the extensive policy-based configuration used with 2547

Slide 35: MPLS-based Layer 2 VPNs: Disadvantages
- Circuit type (ATM/FR) to each VPN site must be uniform
- Managed network service required for provider revenue opportunity
- Customer must have routing expertise (or opt for a managed service)

Slide 36: Layer 2 MPLS-based VPNs: Application
- Customer profile
  - High degree of IP expertise
  - Desire to control their own routing infrastructure
  - Prefer to outsource tunneling
  - Large number of users and sites
- Provider profile
  - MPLS deployed in the core
  - Migrating an existing ATM or Frame Relay network
  - Offers a CPE managed service, or
  - Provisions only the Layer 2 circuits at a premium cost
- Layer 2 MPLS-based VPNs are ideal for this customer profile

Slide 37: Thank you!
http://www.juniper.net

