L3VPN Training Course

Upload: abdelmajid-ajaj

Post on 08-Aug-2018

TRANSCRIPT

8/22/2019 L3VPN Training Course

http://slidepdf.com/reader/full/l3vpn-training-course 1/26

http://www.ist-nobel.org/Nobel2/servlet/Nobel2.Main

Next Generation Optical Networks for Broadband European Leadership

Valerio Martini

This tutorial is licensed under the Creative Commons creativecommons.org/licenses/by-nc-sa/3.0/

Layer3 Virtual Private Network (L3VPN) Training course

Summary

What is a VPN?

MPLS VPN (RFC4364). A choice

“Private” Instances of routing (VRF Tables)

Multi Protocol BGP

An MPLS Tunnel

A quick view on:

VPN Multi Domain

VPN QoS and Scalability

What is a VPN?

A Virtual Private Network (VPN) is a private data network that makes use of the public telecommunication infrastructure, maintaining privacy and reservation through the use of tunneling protocols.

Layer3 VPNs (L3VPN) are based on IP/MPLS networks (cfr. RFC4364 “BGP MPLS/IP VPN”).

L3 VPN connectivity is provided across the Service Provider’s network. L3 VPNs are based on an IP address scheme, and the relevant virtual connectivity is based on the use of an ad hoc forwarding table called VRF (VPN Routing and Forwarding table).

Backbone Routers (P-Routers) are unaware of the tunnel and of the VRF tables, but are aware of the tunneling protocols.

Service Provider routers (PE-Routers) are outsourced to corporate network WANs (Sites) to establish the L3 VPN.

VPN Terminology

P: Provider Router

CE: Customer Edge Router

PE: Provider Edge Router

[Figure: three VPNs (VPN 1, VPN 2, VPN 3) whose customer sites attach over FE and GE links to PE routers at the edge of the Backbone; P routers sit inside the Backbone]

VPN Terminology

VPN area: the different Customer Sites. The WAN of a corporate network (Site) consists of network systems placed in geographic proximity.

Backbone: BGP - IP/MPLS - OSPF/(RSVP)

[Figure: the same three-VPN topology, with the customer sites (VPN area) and the Backbone highlighted]

VPN Terminology

End System

An Attachment Circuit is usually considered as a “Data Link”, e.g., a Fast Ethernet (FE) or Gigabit Ethernet (GE) link.

[Figure: the same three-VPN topology, with the FE/GE attachment circuits between the customer end systems and the PE routers highlighted]

VPN Taxonomy

A brief classification:

Type of customer side Virtual Tunnel

Layer 2 VPNs provide Layer 2 connectivity, e.g., a native Ethernet LAN

Layer 3 VPNs provide Layer 3 connectivity, e.g., based on an Access IP Router

Type of VPN (in terms of end-point location)

CE-based: VPNs are configured and maintained by the customer; the Provider network is VPN unaware

PE-based: Network providers are responsible for VPN configuration and maintenance

Type of Architecture possible

VPN Layer 3 (e.g., IPsec)

VPN Layer 2 (e.g., VPLS, VPWS)

Layer2 vs Layer3 VPN

Type of customer payload carried by the Virtual Tunnel

Layer3 VPN provides BGP IP/MPLS backbone connectivity. The Layer3 approach to create an IP/MPLS-based VPN offers a routed solution:

completely based on the IPv4 address scheme

scalable

The DE FACTO standard is described in RFC4364 (February 2006)

Layer2 VPN provides native Layer 2 backbone connectivity. The Layer2 approach offers encapsulation methods to transport Layer 2 frames over MPLS networks. It:

provides an optimization between the Provider’s and the Customer’s network

allows PEs to offer services that are INDEPENDENT of Layer3 protocols

The RFC/Draft describing the establishment of point-to-point connectivity in a Layer2 VPN is RFC 4906

VPLS provides L2/L3 hybrid connectivity. The Virtual Private LAN Service offers a hybrid connectivity based on:

Provider-Customer VLAN (Virtual LAN) association on the access network

BGP IP/MPLS connectivity in the Backbone

CE vs PE Based

Type of endpoint (location) of the tunnel

VPN Customer Edges (CE) are maintained by Customers. The Customer is responsible for:

its endpoint Routers’ maintenance

Routing Protocol configuration

VRF configuration

its own security

For example: VPLS belongs natively to this category

VPN Provider Edges (PE) are maintained by Service Providers. The Service Provider is responsible for all domain endpoints and must be able to:

configure all Edge Routers

maintain the routers

provide advanced services

operate on point-to-point Security (IPsec PE-based)

For example: VPN L3 belongs natively to this category. The Customer network is completely VPN unaware.

BGP IP/MPLS VPN. A choice

RFC4364 defines an emerging standard commonly named “MPLS VPN” or, more exactly, “BGP/MPLS IP VPN”.

Service providers that offer Layer 3 VPN services can take advantage of new, advanced features. L3 VPN services allow businesses to outsource their current network core using a private IP-based service offering from an SP.

The most common deployment is an any-to-any topology where any customer device can connect directly to the L3 VPN.

Enterprise traffic entering the SP domain is then routed based on the information in the VRF table and encapsulated with MPLS labels to ensure proper tunneling and de-multiplexing through the core.

The three main steps for the establishment of a VPN over an IP/MPLS backbone:

1. Routing Instance Configuration (VRF Tables and Policy)

2. BGP-MP (MultiProtocol) configuration (it carries the VRF tables among the PEs)

3. MPLS Configuration

“Private” Instances of Routing (Step-1)

The Virtual Tunnel Connection is based on an ad-hoc forwarding table called VRF.

The address space used by a VRF is composed of:

IP Prefix

Route Distinguisher (RD)

Different forwarding tables are distinguished by the Route Target (RT).

Each VPN has its own address space:

A given address may denote different systems in different VPNs

A given address may denote the same system in different VPNs (unique address)

A new Address Space, the VPN-IPv4 Family:

4 Byte (Standard IP Prefix) + 8 Byte (Route Distinguisher (RD))

The RD is composed of: Type, Provider’s AS, Assigned Number
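As an added example (not code from the course), the VPN-IPv4 address space described above in Python: a type-0 Route Distinguisher (Type, Provider’s AS, Assigned Number) is prepended to the IPv4 prefix so that two customers can both announce 10.1.1.0/24 without collision, and the Route Target then decides which VRF imports each route, which is the RFC 4364 import rule the slide alludes to. The AS number, prefixes, RT values and VRF names are constructed sample values.

```python
# Added example (not from the course): VPN-IPv4 routes as in RFC 4364. The 8-byte
# Route Distinguisher (RD) prepended to the IPv4 prefix keeps overlapping customer
# prefixes distinct in MP-BGP; the Route Target (RT) then decides which VRF imports
# a route. AS numbers, prefixes, RTs and VRF names are constructed sample values.
import ipaddress
import struct


def encode_rd(asn: int, assigned: int) -> bytes:
    """Type-0 RD: 2-byte Type (0) + 2-byte Provider's AS + 4-byte Assigned Number."""
    if not (0 <= asn < 1 << 16 and 0 <= assigned < 1 << 32):
        raise ValueError("type-0 RD needs a 2-byte AS and a 4-byte assigned number")
    return struct.pack("!HHI", 0, asn, assigned)


def decode_rd(rd: bytes) -> str:
    """Render a type-0 RD in the usual AS:number notation."""
    rd_type, asn, assigned = struct.unpack("!HHI", rd)
    if rd_type != 0:
        raise ValueError(f"unsupported RD type {rd_type}")
    return f"{asn}:{assigned}"


def vpn_ipv4_address(rd: bytes, prefix: str) -> bytes:
    """12-byte VPN-IPv4 address: RD followed by the 4-byte IPv4 network address.
    (The prefix length travels in the NLRI length field and is not part of it.)"""
    net = ipaddress.IPv4Network(prefix)
    return rd + net.network_address.packed


def rt_import(vrf_import_rts: set, route_rts: set) -> bool:
    """A VRF imports a route when it shares at least one Route Target with it."""
    return not vrf_import_rts.isdisjoint(route_rts)


def build_vrfs(routes: list, vrfs: dict) -> dict:
    """routes: (rd_bytes, prefix, {rt, ...}) advertisements received over MP-BGP.
    vrfs: VRF name -> set of import RTs. Returns VRF name -> {(rd, prefix): address}."""
    tables = {name: {} for name in vrfs}
    for rd, prefix, rts in routes:
        key = (decode_rd(rd), prefix)
        for name, import_rts in vrfs.items():
            if rt_import(import_rts, rts):
                tables[name][key] = vpn_ipv4_address(rd, prefix)
    return tables


if __name__ == "__main__":
    # Two customers both use 10.1.1.0/24; the RD keeps the two routes apart and
    # the RT steers each one into its own VRF only.
    routes = [
        (encode_rd(65000, 1), "10.1.1.0/24", {"65000:100"}),  # VPN 1 site
        (encode_rd(65000, 2), "10.1.1.0/24", {"65000:200"}),  # VPN 2 site
    ]
    vrfs = {"vpn-1": {"65000:100"}, "vpn-2": {"65000:200"}}
    for name, table in build_vrfs(routes, vrfs).items():
        print(name, [(rd, pfx, addr.hex()) for (rd, pfx), addr in table.items()])
```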

“Private” Instances of Routing (Step-1)

Full Scenario

[Figure: three VPNs (VPN 1, VPN 2, VPN 3) whose sites attach over FE links (FE-1, FE-2, ...) to the IP/MPLS Backbone; the Key marks the Firewall]

“Private” Instances of Routing (Step-1)

Populate VRF Tables

[Figure: the PE holds a VRF table for VPN 1, a VRF table for VPN 2 and a VRF table for VPN 3, each fed by the CE routing tables of the enterprises attached to it; the Backbone runs MPLS, OSPF, RSVP and BGP-MP inside a single OSPF Domain]

There are three methods to populate the VRF:

• Statically (by manual configuration) or RIP

• OSPF

• BGP

“Private” Instances of Routing (Step-1)

Routing and Forwarding

The PE Router composes the labeled frame:

1. Identify the VPN

2. Select the VRF entry for this VPN

3. Attach the MPLS label info

4. Attach the VPN label info

5. Send out

[Figure: an IP packet from a Customer Network enters the PE, which looks up the VRF tables and sends “Label MPLS | Label VPN | IP pkt” into the IP/MPLS Backbone; the plain IP packet is delivered to the destination Customer Network]

• At least a VRF Table for each Attachment Circuit

• Eventually a different VRF for each VPN

The Route Target is used to distinguish different VRF tables.

“Private” Instances of Routing (Step-1)

Label Switched Path

[Figure: an IP packet leaves a VPN Site; the ingress PE COMPOSES the packets (Label VPN + IP) and they cross the IP/MPLS Backbone; the egress PE DECOMPOSES the packets and delivers plain IP to the other VPN Site]

The Core Routers are completely UNAWARE of the VPN label (TAG).
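The PE composing steps and the Label Switched Path slide above, worked through as an added example that is not from the course: the two-level label stack (RFC 3032 entries) is built by the ingress PE, the P router swaps only the outer LSP label and never reads the VPN label, and the egress PE pops down to the bottom-of-stack entry and uses the VPN label to pick the VRF. The label values, the swap and VRF tables and the IPv4 payload are constructed sample data; the VRF name vpn-ABC is taken from the course’s configuration slide.

```python
# Added example (not from the course): the two-level MPLS label stack that carries
# L3VPN packets (RFC 3032 entry: Label 20 bits | TC 3 | S 1 | TTL 8). The ingress PE
# composes the frame by pushing the VPN label (inner, S=1) and the LSP label (outer);
# P routers swap only the outer label and never inspect the VPN label; the egress PE
# pops the stack and uses the VPN label to select the VRF. Label values, the label
# tables and the IP payload are constructed sample data.
import struct


def push_label(payload: bytes, label: int, bottom: bool, ttl: int = 64, tc: int = 0) -> bytes:
    """Prepend one 4-byte label stack entry to payload."""
    if not 0 <= label < 1 << 20 or not 0 <= ttl < 256:
        raise ValueError("label must fit in 20 bits and TTL in 8 bits")
    entry = (label << 12) | (tc << 9) | (int(bottom) << 8) | ttl
    return struct.pack("!I", entry) + payload


def pop_label(frame: bytes):
    """Split off the top entry: returns (label, bottom_of_stack, ttl, rest)."""
    (entry,) = struct.unpack("!I", frame[:4])
    return entry >> 12, bool((entry >> 8) & 1), entry & 0xFF, frame[4:]


def ingress_pe(ip_pkt: bytes, vpn_label: int, lsp_label: int) -> bytes:
    """PE composes the labeled frame: VPN label innermost (S=1), LSP label on top."""
    inner = push_label(ip_pkt, vpn_label, bottom=True)
    return push_label(inner, lsp_label, bottom=False)


def p_router(frame: bytes, swap_table: dict) -> bytes:
    """Core router: swap the top (LSP) label only; the VPN label stays untouched."""
    label, bottom, ttl, rest = pop_label(frame)
    if bottom:
        raise ValueError("P router expected an LSP label above the VPN label")
    if ttl <= 1:
        raise ValueError("TTL expired")
    return push_label(rest, swap_table[label], bottom=False, ttl=ttl - 1)


def egress_pe(frame: bytes, vrf_by_label: dict):
    """PE decomposes the frame: pop down to the bottom-of-stack entry, whose label
    is the VPN label, and return (vrf_name, ip_pkt). Works whether or not the
    penultimate hop already popped the LSP label."""
    while True:
        label, bottom, _, frame = pop_label(frame)
        if bottom:
            return vrf_by_label[label], frame


def forward(ip_pkt, vpn_label, lsp_label, swap_table, vrf_by_label):
    """One packet through ingress PE -> P router -> egress PE."""
    frame = ingress_pe(ip_pkt, vpn_label, lsp_label)
    frame = p_router(frame, swap_table)
    return egress_pe(frame, vrf_by_label)


if __name__ == "__main__":
    ip_pkt = bytes.fromhex("4500001400010000400100000a0101010a020202")  # constructed IPv4 header
    print(forward(ip_pkt, 1001, 3001, {3001: 3002}, {1001: "vpn-ABC"}))
```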

“Private” Instances of Routing (Step-1)

Routers PE Configuration

Config (Junos XML, the routing instance on the PE):

<routing-instances>
  <instance>
    <name>vpn-ABC</name>
    <instance-type>vrf</instance-type>
    <interface>fe-0/3/1.0</interface>
    <route-distinguisher>2.2.2.2:RD</route-distinguisher>
  </instance>
</routing-instances>

FIRST: the name of the routing instance

SECOND: the type of the routing instance

THIRD: the name of the Juniper physical interface

FOURTH: the VPN IPv4 family address (the route distinguisher)

BGP Multi Protocol (Step-2)

Full Scenario

[Figure: the same three-VPN scenario (VPN 1, VPN 2, VPN 3 sites attached over FE links to the IP/MPLS Backbone; the Key marks the Firewall)]

BGP Multi Protocol (Step-2)

Routers PE Configuration

Config (Junos XML, BGP on the PE with local address 2.2.2.2; “AS” stands for the provider’s AS number):

<bgp>
  <local-address>2.2.2.2</local-address>
  <local-as>AS</local-as>
  <group>
    <name>1-2-3</name>
    <type>internal</type>
    <neighbor>
      <name>Edge-1</name>
      <local-address>1.1.1.1</local-address>
    </neighbor>
    <neighbor>
      <name>Edge-3</name>
      <local-address>3.3.3.3</local-address>
    </neighbor>
  </group>
</bgp>

FIRST: the local address of the PE

SECOND: the Autonomous System

THIRD: the name of the BGP group

FOURTH: the list of the neighbors

RouterId = 1.1.1.1: BGP Group A-B-C, Neighbour 2.2.2.2, Neighbour 3.3.3.3

RouterId = 2.2.2.2: BGP Group A-B-C, Neighbour 1.1.1.1, Neighbour 3.3.3.3

RouterId = 3.3.3.3: BGP Group A-B-C, Neighbour 2.2.2.2, Neighbour 1.1.1.1

The VRF tables are EXCHANGED among the PEs.

BGP Multi Protocol (Step-2)

Routers Route-Reflector

[Figure: the same three PEs (RouterId 1.1.1.1, 2.2.2.2 and 3.3.3.3, BGP Group A-B-C), now peering through the Route Reflector; the VRF tables are EXCHANGED]

Config: Route REFLECTOR

• BGP is based on a full mesh of sessions: n(n-1)/2 sessions, e.g., 10 Routers: 10*(10-1)/2 = 45 BGP Sessions

• BGP with RR: (n-1)+(n-1) sessions, e.g., 10 Routers: 9+9 = 18 BGP Sessions

The RR is a Designated Router.

MPLS (LSP-tunnelling) (Step-3)

Full Scenario

[Figure: the same three-VPN scenario (VPN 1, VPN 2, VPN 3 sites attached over FE links to the IP/MPLS Backbone; the Key marks the Firewall)]

MPLS (LSP-tunnelling) (Step-3)

Routers PE Configuration

Config (Junos XML, the LSP from the PE towards the egress router 1.1.1.1):

<mpls>
  <label-switched-path>
    <name>to-A</name>
    <to>1.1.1.1</to>
    <bandwidth>30m</bandwidth>
    <install>
      <name>10.20.12.0/24</name>
      <active/>
    </install>
  </label-switched-path>
</mpls>

[Figure: Core Routers CR 1, CR 2 and CR 3 form the backbone that connects three VPN Sites]

The FIRST: the name of the LSP

The SECOND: the destination of the LSP (EGRESS ROUTER)

The THIRD: the bandwidth reserved

The FOURTH: the set of IP prefixes activated (installed as reachable through the LSP)

Benefits

RFC4364 defines an emerging standard commonly named “MPLS VPN” or, more exactly, “BGP/MPLS IP VPN”.

VPNs use overlapping address spaces (VPN IPv4 Family)

Providers use existing protocols (BGP, RSVP, OSPF, MPLS)

Provider backbone routers do not need to have any VPN routing information

Providers can get good SLA and QoS support

Customers are UNAWARE of MPLS (all the work is done by the Service Provider)

Customers are UNAWARE of the security policy

Customers are UNAWARE of connectivity and routing VPN management

Drawback

RFC4364 defines an emerging standard commonly named “MPLS VPN” or, more exactly, “BGP/MPLS IP VPN”.

IP only: L3 VPNs transport only IPv4 traffic. Non-IP protocols need to be tunneled through some mechanism (such as GRE) on the CE or C devices.

The customer is dependent on the SP in regards to Layer 3 features and capabilities. Layer 3-based convergence and QoS capabilities are also dependent on the SP offering, and SLAs must be negotiated to manage these requirements.

Possible difficulties in integration: the difficulty of integration from Layer 2 to Layer 3 peering varies greatly depending on the SP offering. If the SP does not offer some service, integration with a different routing protocol, such as eBGP, might require

VPN Multi-Domain

Two sites of a VPN are connected to different AUTONOMOUS SYSTEMS (AS).

There are 2 methods to implement this feature:

VRF-to-VRF (direct connection between the PEs)

EBGP (External BGP protocol)

[Figure: three IP/MPLS Backbones, AS 1, AS 2 and AS 3; AS 1 and AS 3 are joined either by a direct connection between PEs or through the External BGP protocol]

QoS and Scalability

The BGP/MPLS IP VPN provides Quality of Service (QoS):

MPLS reserves bandwidth using RSVP

The policy used in the PE router grooms selected IP addresses over a reserved LSP

The BGP/MPLS IP VPN presents good scalability:

The Route Reflector produces fewer BGP sessions

Two levels of labels keep the P Routers free of all the VPN routing information

PE routers maintain route information only for VPNs whose sites are directly connected

References

IANA Consideration (Internet Assigned Numbers Authority): IANA has created a new registry for the “Route Distinguisher Type Field”

Rosen, E., Rekhter, Y., “BGP/MPLS IP Virtual Private Networks (VPNs)”, RFC 4364

Mertz, C., “The Latest in Virtual Private Network, Part I&II”, IEEE Internet Computing, June 2004; available at http://computer.org/internet

Daugherty, B., and Mertz, C., “Multiprotocol Label Switching And IP, Part I”, IEEE Internet Computing, June 2005; available at http://computer.org/internet

JUNOS software documentation for M-series and T-series platforms, available at http://www.juniper.net/techpubs