NetworkWorld-Netzwerktage 2002, in cooperation with:
Network Design with latest VPN Technologies
Carsten Rossenhövel, Managing Director


Page 1: Title slide (Network Design with latest VPN Technologies, Carsten Rossenhövel, Managing Director)

Page 2: Which VPN type fits the purpose?

Questions to identify:
• What are the business goals?
• Which applications will use the VPN?
• What are the technical and security requirements?
=> A checklist is required to select the kind of VPN that best fits the requirements and purpose.

Figure: Central Office connected over the Internet to SOHO, Branch Office, Teleworkers and Mobile Workers.

Page 3: VPN Business Goals

• Identify the primary business goals before selecting a VPN implementation!
• Reduce the budget for network connections?
• Enhance network security?
• Outsource IT infrastructure?

Page 4: VPN Application Areas

Important question: What will be the primary use of the VPN?
• MAN/WAN Intranet (branch office connectivity)
• Extranet (SOHO / business partner access)
• Remote Access (teleworkers, SOHOs)

Page 5: VPN Operations

Who is going to operate the VPN network?
• Enterprise IT department
• Service provider (outsourced)
• Who owns the equipment?

Different technology options:
=> SPs usually work with MPLS or layer 2 technologies
=> Enterprises usually use IPsec

Figure: Enterprise Office, Customer Edge (CE), Provider Edge (PE), Service Provider Network.

Page 6: Applications used in the VPN

• IP data only?
• Voice over IP?
• Layer 2 data (Ethernet, non-IP protocols, Frame Relay, ATM)?

=> Different applications have different QoS requirements: guaranteed bandwidth, latency, jitter.

Page 7: Applications used in the VPN (2)

Figure (Source: Cisco Systems).

Page 8: Section II

Introduction to VPNs with Multi Protocol Label Switching

Page 9: VPN Wish List

• Different sites of multiple enterprises are connected through a common provider backbone
• Use a layer 3 backbone
• Overlapping address spaces
• Use of private and public addresses
• VPN isolation
• Simple management
• Scalability
• Quality of Service

Figure: Provider Network connecting Site 1 and Site 2 of enterprise 1 and Site 1 and Site 2 of enterprise 2.

Page 10: VPN Models

Layer 2 VPN model ("overlay")
• Well-known from ATM and Frame Relay carrier networks
• Customer interface at the data link layer (ATM, Frame Relay, Ethernet)
• Private layer 2 trunks tunneled through the MPLS network

Layer 3 VPN model ("peer")
• Customer interface at the IP layer
• VPN isolation by tunneling through the backbone
• The backbone core (P routers) holds no information about customer IP networks; only the PE routers do

Page 11: Layer 2 VPN Benefits

• Looks like a legacy ATM, Frame Relay, ... service to customers
• Transparent service for upper layers and private addresses
• Layer 3 multi-protocol support on top of the layer 2 service
• The overlay model isolates the core from VPN routing
• No need to replace existing customer premises equipment (ATM, Frame Relay, ...)
• Layer 2 over MPLS / IP may use extended backbone facilities (fast reroute etc.), compared to pure layer 2 VPN services provided with ATM and Frame Relay

Page 12: Layer 3 VPN Benefits

• Scalability for any-to-any connectivity
• Support for private address space
• Provides a fully routed IP network solution, while the VPN routes are separated from core backbone routing
• Meshing in the core network is the responsibility of the service provider (customer not involved)
• May use MPLS / IP backbone facilities (fast reroute etc.)

Page 13: MPLS VPNs

Standards status of Multi Protocol Label Switching VPNs:
• "Layer 3 VPN": RFC2547 (March 1999), widely used
• Informational RFC provided by Cisco Systems; NOT an IETF standard (status as of 2002; RFC2547 was later obsoleted by the standards-track RFC 4364, February 2006)
• "Layer 2 VPN": several competing IETF drafts; beta status; first implementations seen in interop tests
• Not ready for customer network implementation yet

Page 14: Introduction to RFC2547

• CE, PE and P devices
• Administrative policy is used for VPN construction

Figure: Customer Edge (CE) devices at Site 1, 2 and 3 of enterprise 1 and Site 1 and 2 of enterprise 2; Provider Edge (PE) devices at the border of the Common Network; Provider (P) devices in the core.

Page 15: Roles

MPLS Edge Router (PE device)
• Filters incoming user traffic and assigns it to VPNs
• Collects and populates private network forwarding tables
• Establishes MPLS paths across the core for the edge-to-edge connectivity of each VPN
• Establishes logically single-hop VPN connections between the VPN edges

MPLS Core Router (P device)
• Does not implement VPN routing; just switches packet streams according to their MPLS labels
• The label alone is enough information to transport data through the core

Page 16: Per-site Forwarding Tables

• How to manage large amounts of customer IP addresses, potentially overlapping?
• Per-site forwarding tables: Provider Edge routers hold multiple routing tables, one for each customer site (VRFs, VPN routing and forwarding tables)
• VPN routes are propagated between the PE routers by BGP; the core (P routers) carries none of them
• VPNs are isolated from each other

Figure: one PE with CE1, CE2 and CE3 attached; the PE holds separate routing tables, one for CE1 and one for CE2/CE3.

Page 17: VPN Route Distribution via BGP

Problem:
• A BGP speaker can only install and distribute one route to a given address prefix. In MPLS VPNs, there are different VPNs with overlapping address spaces.

Solution:
• Create a new address family (VPN-IPv4), adding a route distinguisher to the IP address

Route Distinguisher (RD) and VPN-IPv4 address layout (byte offsets 0, 4, 8, 12):

  bytes 0-1    Type
  bytes 2-7    Administrator and Assigned Number (split according to Type)
  bytes 8-11   IPv4 Address

The 8-byte RD only makes the prefix unique in BGP; which VPNs receive the route is decided by the Target VPN attribute, not by the RD.
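The layout above, encoded and decoded in working code. This is an added example, not code from the talk: it packs the three RD types defined in RFC 2547 / RFC 4364 (the slide only shows the generic Type / Administrator / Assigned Number split), builds the 12-byte VPN-IPv4 address, and also encodes the labeled VPN-IPv4 NLRI as MP-BGP carries it, which the slides mention only indirectly. The provider AS 65000 and the customer prefixes are assumed for the demonstration.

```python
import ipaddress
import struct

# Route Distinguisher type codes (RFC 2547 section 4.1, RFC 4364 section 4.2).
RD_TYPE_AS2 = 0    # administrator = 2-byte AS number, assigned number = 4 bytes
RD_TYPE_IPV4 = 1   # administrator = 4-byte IPv4 address, assigned number = 2 bytes
RD_TYPE_AS4 = 2    # administrator = 4-byte AS number, assigned number = 2 bytes


def pack_rd(rd_type, administrator, assigned_number):
    """Encode an 8-byte RD: 2-byte Type, then a 6-byte Value whose split
    between Administrator and Assigned Number depends on the Type."""
    if rd_type == RD_TYPE_AS2:
        if not (0 <= administrator < 2**16 and 0 <= assigned_number < 2**32):
            raise ValueError("type 0 RD needs a 16-bit AS and a 32-bit number")
        return struct.pack("!HHI", rd_type, administrator, assigned_number)
    if rd_type == RD_TYPE_IPV4:
        admin = int(ipaddress.IPv4Address(administrator))
        if not 0 <= assigned_number < 2**16:
            raise ValueError("type 1 RD needs a 16-bit number")
        return struct.pack("!HIH", rd_type, admin, assigned_number)
    if rd_type == RD_TYPE_AS4:
        if not (0 <= administrator < 2**32 and 0 <= assigned_number < 2**16):
            raise ValueError("type 2 RD needs a 32-bit AS and a 16-bit number")
        return struct.pack("!HIH", rd_type, administrator, assigned_number)
    raise ValueError(f"unknown RD type {rd_type}")


def unpack_rd(rd):
    """Decode an 8-byte RD into (type, administrator, assigned_number)."""
    if len(rd) != 8:
        raise ValueError("an RD is exactly 8 bytes")
    rd_type = struct.unpack("!H", rd[:2])[0]
    if rd_type == RD_TYPE_AS2:
        admin, num = struct.unpack("!HI", rd[2:])
    elif rd_type in (RD_TYPE_IPV4, RD_TYPE_AS4):
        admin, num = struct.unpack("!IH", rd[2:])
        if rd_type == RD_TYPE_IPV4:
            admin = str(ipaddress.IPv4Address(admin))
    else:
        raise ValueError(f"unknown RD type {rd_type}")
    return rd_type, admin, num


def vpn_ipv4_address(rd, ipv4):
    """12-byte VPN-IPv4 address: the RD followed by the plain IPv4 address."""
    return rd + ipaddress.IPv4Address(ipv4).packed


def pack_vpn_ipv4_nlri(label, rd, prefix):
    """Labeled VPN-IPv4 NLRI as carried in MP-BGP (RFC 4364 section 4.3.4):
    1-byte length in bits, one 3-byte label entry (20-bit label, EXP=0,
    bottom-of-stack bit set), the 8-byte RD and the significant prefix bytes."""
    net = ipaddress.IPv4Network(prefix)
    if not 0 <= label < 2**20:
        raise ValueError("MPLS labels are 20-bit")
    label_entry = ((label << 4) | 1).to_bytes(3, "big")
    prefix_bytes = net.network_address.packed[: (net.prefixlen + 7) // 8]
    length_bits = 24 + 64 + net.prefixlen
    return bytes([length_bits]) + label_entry + rd + prefix_bytes


def overlapping_customers():
    """Constructed example: two customers both number their LAN 10.1.0.0/16.
    Distinct RDs (assumed provider AS 65000) turn the same IPv4 prefix into
    two distinct VPN-IPv4 keys, so BGP can carry both."""
    rd_a = pack_rd(RD_TYPE_AS2, 65000, 1)   # customer A
    rd_b = pack_rd(RD_TYPE_AS2, 65000, 2)   # customer B
    key_a = vpn_ipv4_address(rd_a, "10.1.0.0")
    key_b = vpn_ipv4_address(rd_b, "10.1.0.0")
    return key_a, key_b
```

The two keys returned by overlapping_customers() share their last four bytes (the IPv4 address) and differ only in the RD, which is exactly the property the slide's new address family relies on.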

Page 18: The Target VPN Attribute

• Is it sufficient to keep routes inside a single VPN? Basically: yes.
• In certain applications, routes need to be installed in selected foreign VPNs.
• Solution: per-site forwarding tables are associated with one or more "Target VPN" attributes
• Allows selective route installation in the appropriate PE forwarding tables only
• The Target VPN attribute is carried in BGP (known today as the Route Target extended community)

Page 19: Target VPN Example

• Task: Distribute the Site 1 route to Extranet VPN1 (sites 1, 4, 5) and to company-internal VPN2 (sites 2, 3), but not to VPN3 (sites 6, 7)

Figure: VPN 1 (Site 1, Site 4, Site 5), VPN 2 (Site 2, Site 3) and VPN 3 (Site 6, Site 7) attached to the Provider Network.
1. Site 1 announces an IPv4 route to its PE.
2. The PE converts the IPv4 route into a VPN-IPv4 route and adds the Target VPN1 and Target VPN2 attributes.
3. The receiving PEs convert the VPN-IPv4 route back into an IPv4 route and distribute it to Sites 3, 4 and 5 because of the Target attributes.
4. The route is distributed to Site 2 because of the VPN2 Target attribute.
5. Sites 6 and 7 (VPN3) never see the route, because their forwarding tables import neither Target VPN1 nor Target VPN2.
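The per-site forwarding tables of page 16 and the Target VPN example above, run through as a small control-plane simulation. This is an added example, not code from the talk: each site gets a VRF with its own RD, export targets and import targets; export_to_bgp() models what the ingress PE does (IPv4 route becomes RD + prefix plus Target attributes), import_from_bgp() models the egress PEs installing a route only where a Target matches. Site numbering follows the slide; the RD and Route Target values (provider AS 65000), the prefixes, and the choice that Site 1 also imports VPN2 routes (for return traffic) are assumptions. Site 6 deliberately reuses Site 1's prefix to show that overlapping addresses in different VPNs neither collide in BGP nor leak.

```python
from dataclasses import dataclass, field

# Route Target values in AS:number form (assumed provider AS 65000).
RT_VPN1 = "65000:1"   # Extranet VPN1: sites 1, 4, 5
RT_VPN2 = "65000:2"   # company-internal VPN2: sites 2, 3
RT_VPN3 = "65000:3"   # VPN3: sites 6, 7


@dataclass
class SiteVrf:
    """Per-site forwarding table on a PE: its RD, the Target VPN attributes it
    attaches to exported routes, and the ones it accepts on import."""
    site: str
    rd: str
    export_rts: frozenset
    import_rts: frozenset
    local_prefixes: tuple
    table: dict = field(default_factory=dict)   # IPv4 prefix -> list of origin sites


@dataclass(frozen=True)
class VpnIpv4Route:
    rd: str
    prefix: str
    origin_site: str
    route_targets: frozenset


def export_to_bgp(vrfs):
    """Ingress PE step: every local IPv4 route becomes a VPN-IPv4 route keyed
    by (RD, prefix) and tagged with the VRF's export targets."""
    bgp_table = {}
    for vrf in vrfs:
        for prefix in vrf.local_prefixes:
            key = (vrf.rd, prefix)
            if key in bgp_table:
                raise ValueError(f"duplicate VPN-IPv4 route {key}")
            bgp_table[key] = VpnIpv4Route(vrf.rd, prefix, vrf.site, vrf.export_rts)
    return bgp_table


def import_from_bgp(vrfs, bgp_table):
    """Egress PE step: a VPN-IPv4 route is installed into a VRF only if one of
    its Target VPN attributes matches one of the VRF's import targets; the RD
    is then stripped and the plain IPv4 prefix enters the site's table."""
    for vrf in vrfs:
        vrf.table.clear()
        for route in bgp_table.values():
            if route.route_targets & vrf.import_rts:
                vrf.table.setdefault(route.prefix, []).append(route.origin_site)


def only(rt):
    return frozenset({rt})


def build_example():
    """Constructed sites and prefixes for the slide's scenario."""
    both = frozenset({RT_VPN1, RT_VPN2})
    vrfs = [
        SiteVrf("site1", "65000:101", both, both, ("10.1.1.0/24",)),
        SiteVrf("site2", "65000:102", only(RT_VPN2), only(RT_VPN2), ("10.2.0.0/16",)),
        SiteVrf("site3", "65000:103", only(RT_VPN2), only(RT_VPN2), ("10.3.0.0/16",)),
        SiteVrf("site4", "65000:104", only(RT_VPN1), only(RT_VPN1), ("172.16.4.0/24",)),
        SiteVrf("site5", "65000:105", only(RT_VPN1), only(RT_VPN1), ("172.16.5.0/24",)),
        SiteVrf("site6", "65000:106", only(RT_VPN3), only(RT_VPN3), ("10.1.1.0/24",)),
        SiteVrf("site7", "65000:107", only(RT_VPN3), only(RT_VPN3), ("10.7.0.0/16",)),
    ]
    bgp_table = export_to_bgp(vrfs)
    import_from_bgp(vrfs, bgp_table)
    return {vrf.site: vrf.table for vrf in vrfs}
```

Running build_example() shows Site 1's 10.1.1.0/24 in the tables of sites 2 to 5 and absent from sites 6 and 7, while sites 6 and 7 see only their own 10.1.1.0/24. The security-relevant point is that isolation is only as good as the import policy on every PE: a wrongly configured import target silently merges two customers' routing tables.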

Page 20: VPN Route Distribution with BGP

• Provider Edge routers are attached to a common AS (Autonomous System), running MP-iBGP
• Backbone routers (P devices) do not participate in BGP!
• MP-iBGP = internal Border Gateway Protocol with Multiprotocol Extensions (RFC 2858)

Figure: three Private Networks attached through PE routers to one AS. The PE learns VPN routes and converts them to VPN-IPv4 addresses; MP-iBGP between the PEs exchanges these routes, each carrying the 64-bit route distinguisher.

Page 21: VPN Example – Labelling

Figure: CE1 and CE3 (VPN A) and CE2 and CE4 (VPN B) attached to PE1 and PE2 at the edges of the MPLS Network, with P1 and P2 in the core. Between CE and PE the packets carry plain IP ("IP"); inside the MPLS network they carry two labels on top of the IP packet ("L L IP"): the inner label identifies VPN A or VPN B, the outer label is the label between PE1 and PE2 that the P routers switch on.
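The two-label forwarding shown in the figure, as an added example (not code from the talk). It models PE1 pushing the VPN label and the transport label, P1 swapping and P2 popping the outer label (penultimate hop popping, assumed here), and PE2 selecting the VRF from the remaining VPN label. All labels, prefixes and the hop sequence are constructed for the example; in a real network the VPN label comes from MP-iBGP and the transport label from LDP or RSVP-TE, which this code does not implement. Both VPNs use the same customer prefix to show that the P routers cannot tell them apart and never need to.

```python
import ipaddress
import struct

IMPLICIT_NULL = 3   # reserved label value: upstream pops instead of swapping (PHP)


def pack_label(label, tc=0, bos=0, ttl=64):
    """One 32-bit MPLS label stack entry: 20-bit label, 3-bit TC/EXP,
    1-bit bottom-of-stack, 8-bit TTL."""
    if not 0 <= label < 2**20:
        raise ValueError("MPLS labels are 20-bit")
    return struct.pack("!I", (label << 12) | (tc << 9) | (bos << 8) | ttl)


def unpack_label(entry):
    value = struct.unpack("!I", entry[:4])[0]
    return value >> 12, (value >> 9) & 0x7, (value >> 8) & 0x1, value & 0xFF


# Constructed control-plane state for the example topology.
VRFS = {  # VRF name -> [(prefix, VPN label advertised by the egress PE, egress PE)]
    "VPN_A": [(ipaddress.ip_network("10.1.1.0/24"), 1001, "PE2")],
    "VPN_B": [(ipaddress.ip_network("10.1.1.0/24"), 1002, "PE2")],
}
TRANSPORT_LABEL = {"PE2": 100}                       # PE1's outer label toward PE2
P1_LFIB = {100: 200}                                 # P1 swaps 100 -> 200
P2_LFIB = {200: IMPLICIT_NULL}                       # P2 is the penultimate hop and pops
PE2_VRF_BY_LABEL = {1001: "VPN_A", 1002: "VPN_B"}    # PE2's own VPN label allocations


def pe_ingress(vrf_name, dst, ip_packet):
    """PE1: look the destination up in the customer's VRF only, then push the
    VPN label (bottom of stack) and the transport label on top of it."""
    dst_ip = ipaddress.ip_address(dst)
    for prefix, vpn_label, egress_pe in VRFS[vrf_name]:
        if dst_ip in prefix:
            return (pack_label(TRANSPORT_LABEL[egress_pe], bos=0)
                    + pack_label(vpn_label, bos=1)
                    + ip_packet)
    raise LookupError(f"{dst} is not reachable inside {vrf_name}")


def p_forward(packet, lfib):
    """P router: acts on the top label only and never inspects the VPN label
    or the IP packet underneath."""
    label, tc, bos, ttl = unpack_label(packet)
    if ttl <= 1:
        raise ValueError("TTL expired")
    out_label = lfib[label]
    if out_label == IMPLICIT_NULL:
        return packet[4:]                                           # pop
    return pack_label(out_label, tc, bos, ttl - 1) + packet[4:]     # swap


def pe_egress(packet):
    """PE2: the remaining label must be the VPN label; it selects the VRF."""
    label, _tc, bos, _ttl = unpack_label(packet)
    if not bos:
        raise ValueError("expected the VPN label at the bottom of the stack")
    return PE2_VRF_BY_LABEL[label], packet[4:]


def end_to_end(vrf_name, dst, ip_packet=b"<constructed IPv4 packet>"):
    """Walk one packet PE1 -> P1 -> P2 -> PE2 and return (VRF at PE2, payload)."""
    packet = pe_ingress(vrf_name, dst, ip_packet)
    packet = p_forward(packet, P1_LFIB)
    packet = p_forward(packet, P2_LFIB)
    return pe_egress(packet)
```

end_to_end("VPN_A", "10.1.1.5") and end_to_end("VPN_B", "10.1.1.5") leave PE1 with identical outer labels and differ only in the inner label, and PE2 delivers each into its own VRF.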

Page 22: MPLS Layer 2 VPNs

• Provide point-to-point connections through an MPLS backbone

Figure: Ethernet and ATM Customer Edge (CE) devices at Site 1 and Site 3 of enterprise 1 and Site 1 and Site 2 of enterprise 2, connected point-to-point through the Common Network via Provider Edge (PE) devices.

Page 23: MPLS Layer 2 VPNs (continued)

• Encoding already defined: how to map ATM cells and Ethernet frames into IP packets
• Signalling not defined yet: how to manage tunnels dynamically
• Point-to-multipoint / full mesh service not defined yet: how to switch ATM or Ethernet packets inside the MPLS network

Page 24: Main VPN Features Checklist

Table comparing four VPN types: MPLS Layer 3 VPNs, MPLS Layer 2 VPNs, IPsec, Layer 2 (ATM / FR). The criteria rated (as check marks per type in the original slide) are:
• Suited for non-IP traffic
• Best suited for IP traffic
• Service + equipment pricing
• Large-scale manageability
• Provides Quality of Service
• Available from many carriers
• Forwarding performance
• Scale for many end points (meshed)
• Interoperable with 3rd party products
• Provides security (VPN isolation)

Page 25: Section III – Service Levels

First step: Define Service Levels
=> Get in touch with company product managers to learn about their application requirements
=> Inspect applications running in the network, derive typical requirements
=> Verify budgets for network quality versus budgets for application enhancements (maybe it's cheaper to exchange the application than to enhance the network)

Page 26: Applications used in VPNs (revisited)

Figure (Source: Cisco Systems).

Page 27: How to define Service Levels

• Negotiate Classes of Service (CoS, DiffServ):

Figure: class-of-service table; only the label "VoIP" is legible.

Page 28: Verify Service Level Agreements

SLAs should be monitored and verified regularly:
• Has the network been reliable?
• Has network usage / application behavior changed?

Monitoring is usually done by the service provider; in addition, monitoring by the customer is useful for proactive management.

Figure: SLAs are defined and verified on the CE-PE link.

Page 29: Conclusion

• Different types of VPNs are available on the market today
• Choose depending on application requirements
• Keep the features and limitations of the different alternatives in mind!

Page 30: Thank you!

For more information, our web server is available at:

http://www.eantc.de/