Juniper Networks, Inc. Copyright © 2000

Slide 1: L2 MPLS VPNs
Hector Avalos, Technical Director, Southern Europe, havalos@juniper.net
Slide 2: Agenda: L2 MPLS VPNs
- VPNs overview
- Provider-provisioned L2 MPLS VPNs
  - Taxonomy
  - Operational model
- Conclusion
Slide 3: What is a VPN?
- A private network constructed over a shared infrastructure
  - Virtual: not a separate physical network
  - Private: separate addressing and routing
  - Network: a collection of devices that communicate
- Policies are key: global connectivity is not the goal
[Figure: a shared infrastructure connecting mobile users and telecommuters (remote access), a branch office and corporate headquarters (intranet), and suppliers, partners and customers (extranet)]
Slide 4: Deploying VPNs in the 1990s
- Operational model
  - PVCs overlay the shared infrastructure (ATM/Frame Relay)
  - Routing occurs at the customer premises
- Benefits
  - Mature technologies
  - Relatively "secure": separation between customers comes from the provider's circuit provisioning, not from any encryption of the traffic
  - Service commitments (bandwidth, availability, and more)
- Limitations
  - Scalability, provisioning and management
  - Not a fully integrated IP solution
[Figure: CPE attached by DLCIs to Frame Relay switches inside the provider's Frame Relay network]
Slide 5: Traditional (Layer 2) VPNs
[Figure: customer routers interconnected through a Frame Relay/ATM switch fabric]
Slide 6: Improving Traditional Layer 2 VPNs
- Decouple edge (customer-facing) technology from core technology
- Have a single network infrastructure for all desired services: Internet, L3 MPLS VPNs, L2 MPLS VPNs
- Simplify provisioning
  - Appropriate signaling mechanisms for VPN auto-provisioning
Slide 7: VPN Classification Model
- Customer-managed VPN solutions (CPE-VPNs)
  - Layer 2: L2TP and PPTP
  - Layer 3: IPSec
- Provider-provisioned VPN solutions (PP-VPNs)
  - Layer 3: MPLS-based VPNs (RFC 2547bis)
  - Layer 3: non-MPLS-based VPNs (virtual routers)
  - Layer 2: MPLS VPNs
[Figure: in a CPE-VPN the VPN tunnels run CPE to CPE between subscriber sites 1, 2 and 3; in a PP-VPN they run PE to PE inside the provider network]
Slide 8: PP-VPNs: Layer 2 Classification
- Service provider delivers Layer 2 circuit IDs (DLCI, VPI/VCI, 802.1q VLAN) to the customer
  - One for each reachable site
- Customer maps their own routing architecture onto the circuit mesh
- Provider router maps the circuit ID to a Label Switched Path (LSP) to traverse the provider core
- Customer routes are transparent to provider routers
- Provider-provisioned L2 MPLS VPN Internet drafts
  - draft-kompella-mpls-l2vpn-02.txt
  - draft-martini-l2circuit-encap-mpls-01.txt
Slide 9: Agenda: L2 MPLS VPNs
- Overview of VPNs
- Provider-provisioned L2 MPLS VPNs
  - Taxonomy
  - Operational model
- Conclusion
Slide 10: Customer Edge Routers
- Customer Edge (CE) routers
  - Router or switch device located at the customer premises providing access to the service provider network
  - Layer 2 (FR, ATM, Ethernet) and Layer 3 (IP, IPX, SNA, ...) independence from the service provider network
  - CEs within a VPN use the same L2 technology to access the service provider network
  - Requires a sub-interface per CE it needs to interconnect with inside the VPN
  - Maintains routing adjacencies with the other CEs within the VPN
[Figure: CEs at VPN A and VPN B sites attached over ATM and Frame Relay to PEs, with P routers in the core]
Slide 11: Provider Edge Routers
- Provider Edge (PE) routers
  - Maintain site-specific VPN Forwarding Tables
  - Exchange VPN Connection Tables with other PE routers using MP-iBGP or LDP
  - Use MPLS LSPs to forward VPN traffic
[Figure: same topology as slide 10, with the PEs highlighted]
Slide 12: Provider Routers
- Provider (P) routers
  - Forward data traffic transparently over established LSPs
  - Do not maintain VPN-specific forwarding information
[Figure: same topology as slide 10, with the P routers highlighted]
Slide 13: VPN Forwarding Tables (VFT)
- A VFT is created for each site connected to the PE
- Each VFT is populated with:
  - The forwarding information provisioned for the local CE sites
  - VPN Connection Tables received from other PEs via iBGP or LDP
[Figure: PE 1, PE 2 and PE 3 around an OSPF core of P routers; VPN A sites 1, 2 and 3 (CE-A1, CE-A2, CE-A3) and VPN B sites 1 and 2 (CE-B1, CE-B2) attached over ATM]
Slide 14: VPN Connection Tables (VCT)
- The VCT is a subset of the information held by the VFT
- VCTs are distributed by the PEs via iBGP or LDP
- A VCT is distributed for each VPN site to the other PEs
[Figure: CE-1 and CE-2 (site 1 and site 2) on PE-1, CE-4 on PE-2, with an MP-iBGP session / LDP between PE-1 and PE-2]
Slide 15: L2 VPN Provisioning
- Provisioning the network
- Provisioning the CEs
- Provisioning the VPN (PEs)
- VPN Connection Table distribution
- Assumption: the access technology is Frame Relay (other cases are similar)
Slide 16: Provisioning the Network
- PE-to-PE LSPs pre-established via RSVP-TE, LDP, or LDP over RSVP-TE tunneling
- LSPs are used for many services: IP, L2 VPN, L3 VPN, ...
- Provisioned independently of Layer 2 VPNs
[Figure: the same three-PE topology as slide 13]
Slide 17: Provisioning Customer Sites
- List of DLCIs: one for each site, some spare for over-provisioning
- DLCIs independently numbered at each site
- LMI, inverse ARP and/or routing protocols for auto-discovery and learning addresses
- No changes as VPN membership changes
  - Until over-provisioning runs out

Example: CE-4 is given DLCIs 63, 75, 82 and 94.

  CE-4 routing table
  Out DLCI   Destination
  63         10/8
  75         20/8
  82         30/8
  94         -          (spare)
Slides 18-19: Provisioning CEs at the PE
- A VFT is provisioned at each PE for each CE
  - VPN-ID: unique value within the service provider network
  - CE-ID: unique value in the context of a VPN
  - CE Range: maximum number of CEs that it can connect to
  - Sub-interface list: set of local sub-interface IDs assigned for the CE-PE connection
  - Label base: label assigned to the first sub-interface ID
    - The PE reserves N contiguous labels, where N is the CE Range

  CE 4 VFT
  VPN ID        RED VPN
  CE ID         4
  CE Range      4
  Label base    1000
  Sub-int IDs   63, 75, 82, 94

The VPN ID, CE ID, CE Range and Label base fields together form the CE 4 VCT, the part of the VFT that the PE advertises to other PEs.
Slide 20: Provisioning CEs at the PE
- PE-2 is configured with the CE 4 VFT
- The label a remote CE uses to reach CE 4 is the label base plus the remote CE's CE-ID; the sub-interface at the same position in the list is CE 4's DLCI towards that CE

  Remote CE   Label used to reach CE 4   CE 4's DLCI to that CE
  CE 0        1000                       63
  CE 1        1001                       75
  CE 2        1002                       82
  CE 3        1003                       94
Slide 21: Distributing VCTs
- Key: signalling using LDP or MP-iBGP
  - Auto-discovery of members
  - Auto-assignment of inter-member circuits
  - Flexible VPN topology
- O(N) configuration for the whole VPN
  - Could be more for complex topologies
- O(1) configuration to add a site
  - "Over-provision" DLCIs (sub-interfaces) at customer sites
Slide 22: Distributing VCTs
- PE-2 sends the CE 4 VCT update over the MP-iBGP session / LDP, and PE-1 accepts it

  CE 4 VCT update
  VPN ID        RED VPN
  CE ID         4
  CE Range      4
  Label base    1000

- From the update PE-1 derives the label CE 2 must use to reach CE 4: 1002
Slides 23-24: Updating VFTs
- PE-1 updates its CE 2 VFT: the entry for CE 4 receives the inner label 1002 (from the VCT) and the outer label 500 (the LSP to PE-2)
- CE 2 reaches CE 4 over its local sub-interface FR DLCI 414; at the far end, CE 4's sub-interface towards CE 2 is FR DLCI 82

  CE 2 VFT (at PE-1)
  CE ID   Sub-int ID   Inner label   Outer label
  1       107          5020
  2       209          7500
  3       265          9350
  4       414          1002          500 (LSP to PE-2)
Slides 25-29: Data Flow
1. CE-2 sends packets to the PE via the DLCI which connects to CE-4 (414).
2. The DLCI number is removed by the ingress PE. Two labels are derived from the VFT sub-interface lookup and pushed onto the packet:
   - Outer IGP label: identifies the LSP to the egress PE router; derived from the core's IGP and distributed by RSVP or LDP
   - Inner site label: identifies the outgoing sub-interface from the egress PE to the CE; derived from the MP-iBGP/LDP VCT distributed by the egress PE
   At PE-1: 1) look up DLCI 414 in the Red VFT; 2) push the VPN (site) label 1002; 3) push the IGP label 500.
3. After packets exit the ingress PE, the outer label is used to traverse the LSP. P routers are not VPN-aware: they switch on the outer label only, and the site label and the customer's frame pass through them untouched.
4. The outer label is removed through penultimate hop popping (before reaching the egress PE).
5. The inner label is removed at the egress PE. The egress PE does a label lookup to find the corresponding DLCI value (here 1002 maps to DLCI 82) and sends the native Frame Relay packet out the corresponding outbound sub-interface.
[Figure: PE-1 with CE-1 and CE-2 (site 1 and site 2) and PE-2 with CE-4 (site 2, 10.1/16); the packet is shown carrying the site label (1002) and the IGP label (500, shown as z in the core) until the penultimate hop pops the top label]
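The provisioning on slides 18-24 and the forwarding path on slides 25-29, as an added runnable model. This is not Juniper's code and not part of the original deck; it models the label-block scheme of draft-kompella-mpls-l2vpn with the deck's numbers (CE 4 on PE-2: label base 1000, CE Range 4, DLCIs 63/75/82/94; CE 2 on PE-1 reaching CE 4 over DLCI 414 and the LSP to PE-2 with outer label 500). The class and method names (PE, VCT, provision_ce, receive_vct, ingress, egress), PE-1's label pool starting at 5000, CE 2's CE Range of 5, and the outer label 600 for the PE-2 to PE-1 LSP are assumptions made for the illustration.

```python
# Added example (not Juniper's code): a model of the draft-kompella-mpls-l2vpn
# label-block scheme using the numbers from the slides. Names, PE-1's label
# pool (5000), CE 2's CE Range (5) and the PE-2 -> PE-1 outer label (600) are
# assumptions for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class VCT:
    """What a PE advertises via MP-iBGP or LDP for one locally attached CE."""
    vpn_id: str
    ce_id: int
    ce_range: int
    label_base: int

    def label_for(self, sender_ce_id: int) -> int:
        """Inner label remote CE i must use to reach this CE: label_base + i."""
        if not 0 <= sender_ce_id < self.ce_range:
            raise ValueError(f"CE {sender_ce_id} is outside CE {self.ce_id}'s range")
        return self.label_base + sender_ce_id


class PE:
    def __init__(self, name: str, first_label: int = 1000):
        self.name = name
        self.next_label = first_label   # next free label in this PE's pool
        self.local = {}        # (vpn_id, ce_id) -> {remote CE-ID: local DLCI}
        self.advertised = {}   # (vpn_id, ce_id) -> VCT of a local CE
        self.remote = {}       # (vpn_id, ce_id) -> (VCT, advertising PE name)
        self.lsp_labels = {}   # PE name -> outer label of the LSP to that PE
        self.inbound = {}      # inner label -> (vpn_id, ce_id, outgoing DLCI)

    def provision_ce(self, vpn_id, ce_id, ce_range, circuits):
        """Build the VFT for a local CE and reserve ce_range contiguous labels.
        circuits maps remote CE-ID -> local sub-interface (DLCI) to that CE."""
        if any(k >= ce_range for k in circuits):
            raise ValueError("circuit index outside CE Range")
        base = self.next_label
        self.next_label += ce_range     # blocks on one PE never overlap
        self.local[(vpn_id, ce_id)] = dict(circuits)
        for k, dlci in circuits.items():
            self.inbound[base + k] = (vpn_id, ce_id, dlci)
        vct = VCT(vpn_id, ce_id, ce_range, base)
        self.advertised[(vpn_id, ce_id)] = vct
        return vct

    def receive_vct(self, vct, from_pe):
        """Accept a VCT update from another PE (the MP-iBGP/LDP exchange)."""
        self.remote[(vct.vpn_id, vct.ce_id)] = (vct, from_pe)

    def ingress(self, vpn_id, ce_id, dlci):
        """Frame from a local CE on dlci -> (outer label, inner label, egress PE),
        or None when the VFT has no usable entry and the frame is dropped."""
        circuits = self.local.get((vpn_id, ce_id), {})
        remote_ids = [k for k, d in circuits.items() if d == dlci]
        if not remote_ids:
            return None                 # DLCI is not in this site's VFT
        entry = self.remote.get((vpn_id, remote_ids[0]))
        if entry is None:
            return None                 # remote CE not (yet) advertised
        vct, egress_pe = entry
        if ce_id >= vct.ce_range:
            return None                 # remote site has no spare circuit for us
        outer = self.lsp_labels.get(egress_pe)
        if outer is None:
            return None                 # no LSP to the egress PE
        return (outer, vct.label_for(ce_id), egress_pe)

    def egress(self, inner_label):
        """After penultimate hop popping only the inner label remains. A label
        outside every provisioned block is dropped, never mapped to a site."""
        return self.inbound.get(inner_label)


def build_network():
    """The two-PE topology of slides 20-29."""
    pe1, pe2 = PE("PE-1", first_label=5000), PE("PE-2", first_label=1000)
    pe1.lsp_labels["PE-2"] = 500        # outer label from slide 24
    pe2.lsp_labels["PE-1"] = 600        # assumed; not shown on the slides
    vct4 = pe2.provision_ce("RED", 4, 4, {0: 63, 1: 75, 2: 82, 3: 94})
    vct2 = pe1.provision_ce("RED", 2, 5, {1: 107, 3: 265, 4: 414})
    pe1.receive_vct(vct4, "PE-2")
    pe2.receive_vct(vct2, "PE-1")
    return pe1, pe2


if __name__ == "__main__":
    pe1, pe2 = build_network()
    outer, inner, egress_pe = pe1.ingress("RED", 2, 414)
    print(f"PE-1 pushes site label {inner}, IGP label {outer}, towards {egress_pe}")
    print("PE-2 maps label", inner, "to", pe2.egress(inner))
    print("PE-2 drops unknown label 1004:", pe2.egress(1004))
```

Two checks in the model go slightly beyond what the slides state but follow from the scheme: the egress PE only accepts an inner label that lies inside a block it actually reserved, so a stray or mis-provisioned label is dropped rather than delivered to whichever site's DLCI happens to sit at that offset, and a CE whose CE-ID is not below the remote site's CE Range gets no circuit at all, which is the "until over-provisioning runs out" case from slide 17.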
Slide 30: VPN Topologies
- Arbitrary topologies are possible: full mesh, hub-and-spoke
- BGP communities are used to configure VPN topologies when using BGP signaling
- The "Connectivity" parameter serves a similar purpose in LDP signaling
Slide 31: Conclusions
Slide 32: A Range of VPN Solutions
- Each customer has different
  - Security requirements
  - Staff expertise
  - Tolerance for outsourcing
- Customer networks vary by size and traffic volume
- Providers also have different preferences concerning
  - Extensive policy management
  - Inclusion of customer routes in backbone routers
  - Approaches to managed service
Slide 33: MPLS-Based Layer 2 VPNs
- MPLS-based Layer 2 VPNs are identical to Layer 2 VPNs from the customers' perspective
  - Familiar paradigm
  - Layer 3 independent
  - Provider not responsible for routing
    - No hacks for OSPF
  - Rely on the SP only for connectivity
- MPLS transport in the provider network
  - Decouples edge and core Layer 2 technologies
  - Multiple services over a single infrastructure
  - Single network architecture for both Internet and VPN services
- Label stacking
  - Provision once, and use the same LSP for multiple purposes
- Auto-provisioning of the VPN
Slide 34: MPLS-based Layer 2 VPNs: Advantages
- Subscriber
  - Outsourced WAN infrastructure
  - Easy migration from an existing Layer 2 fabric
  - Can maintain routing control, or opt for a managed service
  - Supports any Layer 3 protocol
  - Supports multicast
- Provider
  - Complements RFC 2547bis
    - Operates over the same core, using the same outer LSP
  - Existing Frame Relay and ATM VPNs can be collapsed onto a single IP/MPLS infrastructure
  - Label stacking allows multiple services over a single LSP
  - No scalability problems associated with storing numerous customer VPN routes
  - Simpler than the extensive policy-based configuration used with 2547
Slide 35: MPLS-based Layer 2 VPNs: Disadvantages
- Circuit type (ATM/FR) to each VPN site must be uniform
- A managed network service is required for a provider revenue opportunity
- Customer must have routing expertise (or opt for a managed service)
Slide 36: Layer 2 MPLS-based VPNs: Application
- Customer profile
  - High degree of IP expertise
  - Desire to control their own routing infrastructure
  - Prefer to outsource tunneling
  - Large number of users and sites
- Provider profile
  - MPLS deployed in the core
  - Migrating an existing ATM or Frame Relay network
  - Offers a CPE managed service, or
  - Provisions only the Layer 2 circuits at a premium cost
- Layer 2 MPLS-based VPNs are ideal for this customer profile
Slide 37: http://www.juniper.net
Thank you!