TRANSCRIPT
NetworkWorld-Netzwerktage 2002 - in cooperation with:
Network Design with latest VPN Technologies
Carsten Rossenhövel, Managing Director
Which VPN type fits the purpose?
Questions to identify:
• What are the business goals?
• Which applications will use the VPN?
• What are the technical and security requirements?
=> A checklist is required to select the kind of VPN best fitting the requirements and purpose.
[Figure: Central Office connected over the Internet to SOHO, Branch Office, Teleworkers and Mobile Workers]
VPN Business Goals
• Identify the primary business goals before selecting a VPN implementation!
• Reduce the budget for network connections?
• Enhance network security?
• Outsource IT infrastructure?
VPN Application Areas
Important question: What will be the primary use of the VPN?
• MAN/WAN Intranet (Branch office connectivity)
• Extranet (SOHO / Business partner access)
• Remote Access (Teleworkers, SOHOs)
VPN Operations
Who is going to operate the VPN network?
• Enterprise IT Department
• Service Provider (outsourced)
• Who owns the equipment?
Different technology options:
• SPs usually work with MPLS or layer 2 technologies
• Enterprises usually use IPsec
[Figure: Enterprise Office, Customer Edge (CE), Provider Edge (PE), Service Provider Network]
Applications used in the VPN
• IP Data only?
• Voice over IP?
• Layer 2 data (Ethernet Non-IP protocols, Frame Relay, ATM)?
=> Different applications with different QoS requirements: guaranteed bandwidth, latency, jitter
Applications used in the VPN (2)
Source: Cisco Systems
Section II
Introduction to VPNs with Multi Protocol Label Switching
VPN Wish List
• Different sites of multiple enterprises are connected through a common provider backbone
• Use layer 3 backbone
• Overlapping address spaces
• Using private and public addresses
• VPN isolation
• Simple management
• Scalability
• Quality of Service
[Figure: Sites 1 and 2 of enterprise 1 and sites 1 and 2 of enterprise 2 attached to the Provider Network]
VPN Models
Layer 2 VPN model (“overlay”)
• Well-known from ATM, Frame Relay carrier networks
• Customer interface at data link layer (ATM, Frame Relay, Ethernet)
• Private layer 2 trunks tunneled through MPLS network
Layer 3 VPN model (“peer”)
• Customer interface at IP layer
• VPN isolation by tunneling through backbone
• Backbone does not have information about customer IP networks
Layer 2 VPN Benefits
• Looks like legacy ATM, Frame Relay, ... service to customers
• Transparent service for upper layers and private addresses
• Layer 3 multi-protocol support based on layer 2 service
• Overlay model isolates core from VPN routing
• No need to replace existing customer premises equipment (ATM, Frame Relay, ...)
• Layer 2 over MPLS / IP may use extended backbone facilities (fast reroute etc.), compared to pure layer 2 VPN services provided with ATM and Frame Relay
Layer 3 VPN Benefits
• Scalability for any-to-any connectivity
• Support for private address space
• Provides a fully routed IP network solution, while the VPN routes are separated from core backbone routing
• Meshing in the core network is the responsibility of the service provider (customer not involved)
• May use MPLS / IP backbone facilities (fast reroute etc.)
MPLS VPNs
Standards status of Multi Protocol Label Switching:
• “Layer 3 VPN” RFC2547 (March 1999) widely used
• Informational RFC provided by Cisco Systems; NOT an IETF standard
• “Layer 2 VPN”: several competing IETF drafts; beta status; first implementations seen in interop tests
• Not ready for customer network implementation yet
Introduction to RFC2547
• CE, PE and P devices
• Administrative policy is used for VPN construction
[Figure: Customer Edge (CE) devices at sites 1 and 2 of enterprise 2 and sites 1, 2 and 3 of enterprise 1 attach to Provider Edge (PE) devices; Provider (P) devices form the Common Network]
Roles
MPLS Edge Router (PE device)
• Filters incoming user traffic, assigns to VPNs
• Collects and populates private network forwarding tables
• Establishes MPLS paths across the core for each VPN edge-to-edge connectivity
• Establishes logically single-hop VPN connections between the VPN edges
MPLS Core Router (P device)
• Does not implement VPN routing; just switches packet streams according to their MPLS labels
• Labels carry enough information to transport data through the core
Per-site Forwarding Tables
• How to manage large amounts of customer IP addresses, potentially overlapping?
• Per-Site Forwarding Tables: Provider Edge routers have multiple routing tables, one for each customer site
• Propagated by BGP routing inside the core
• VPNs are isolated from each other
[Figure: a PE with CE1, CE2 and CE3 attached holds separate PE routing tables for CE1, CE2 and CE3]
VPN Route Distribution via BGP
Problem:
• A BGP speaker can only install and distribute one route to a given address prefix. In MPLS, there are different VPNs with overlapping address spaces
Solution:
• Create a new address family, adding a route distinguisher to the IP address
Route Distinguisher (RD)
VPN-IPv4 address layout (12 bytes):
| Bytes 0-8: Route Distinguisher (Type | Administrator | Assigned Number) | Bytes 8-12: IPv4 Address |
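As an added example (not code from the presentation), the following Python builds the VPN-IPv4 address family described on this slide: a 64-bit route distinguisher in the type-0 layout (2-byte type, 2-byte administrator holding an AS number, 4-byte assigned number) prepended to the IPv4 prefix. It then installs two customers' routes for the same 10.1.0.0/16 prefix into a table keyed once by plain IPv4 prefix and once by VPN-IPv4 address, which shows the overwrite problem the slide describes and how the RD resolves it. The AS number 65000, the assigned numbers, the prefixes and the next hops are constructed sample values.

```python
import ipaddress
import struct

# Route distinguisher type 0: 2-byte type, 2-byte administrator (AS number),
# 4-byte assigned number. The RD is 8 bytes (64 bits); prepending it to a 4-byte
# IPv4 address gives the 12-byte VPN-IPv4 address shown on the slide.
RD_TYPE_AS2 = 0


def encode_rd(administrator_asn: int, assigned_number: int) -> bytes:
    """Build a type-0 route distinguisher from an AS number and an assigned number."""
    return struct.pack("!HHI", RD_TYPE_AS2, administrator_asn, assigned_number)


def encode_vpn_ipv4(rd: bytes, prefix: str) -> bytes:
    """Return the 12-byte VPN-IPv4 address for a customer prefix in the VPN identified by rd."""
    if len(rd) != 8:
        raise ValueError("route distinguisher must be 64 bits")
    network = ipaddress.IPv4Network(prefix)
    return rd + network.network_address.packed


def decode_vpn_ipv4(addr: bytes) -> tuple:
    """Split a VPN-IPv4 address back into (type, administrator, assigned number, IPv4 address)."""
    rd_type, administrator, assigned = struct.unpack("!HHI", addr[:8])
    return rd_type, administrator, assigned, str(ipaddress.IPv4Address(addr[8:12]))


def install_routes(routes: list, keyed_by_vpn_ipv4: bool) -> dict:
    """Install (rd, prefix, next_hop) routes into a BGP-style table.

    With keyed_by_vpn_ipv4=False the table is keyed by the plain IPv4 prefix, so a second
    customer using the same prefix silently overwrites the first (one route per prefix);
    with True the RD keeps the two VPNs apart.
    """
    table = {}
    for rd, prefix, next_hop in routes:
        key = encode_vpn_ipv4(rd, prefix) if keyed_by_vpn_ipv4 else prefix
        table[key] = next_hop
    return table


# Constructed sample (not from the slides): two customers both using 10.1.0.0/16
# behind different PEs, distinguished only by their RD (65000:1 and 65000:2).
SAMPLE_ROUTES = [
    (encode_rd(65000, 1), "10.1.0.0/16", "PE1"),   # enterprise 1
    (encode_rd(65000, 2), "10.1.0.0/16", "PE2"),   # enterprise 2
]


if __name__ == "__main__":
    print("plain IPv4 table :", install_routes(SAMPLE_ROUTES, False))
    vpn_table = install_routes(SAMPLE_ROUTES, True)
    print("VPN-IPv4 table   :", {key.hex(): hop for key, hop in vpn_table.items()})
```

The plain table ends with a single entry pointing at PE2; the VPN-IPv4 table keeps both, and decoding a key recovers the RD fields and the customer address.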
The Target VPN Attribute
• Is it sufficient to keep routes inside a single VPN? Basically: Yes.
• In certain applications, routes need to be installed in selected foreign VPNs.
• Solution: Per-site forwarding tables are associated with one or more "Target VPN" attributes
• Allows selective route installation in appropriate PE forwarding tables only
• Target VPN attribute is carried in BGP
Target VPN Example
• Task: Distribute Site 1 route to Extranet VPN1 (sites 1, 4, 5) and to company-internal VPN2 (sites 2, 3) but not to VPN3
[Figure: VPN 1 (sites 1, 4, 5), VPN 2 (sites 2, 3) and VPN 3 (sites 6, 7) attached to the Provider Network. Site 1 announces an IPv4 route; its PE converts the IPv4 route into VPN-IPv4 and adds the Target VPN1 and Target VPN2 attributes; the receiving PEs convert VPN-IPv4 back into an IPv4 route and distribute it to sites 3, 4, 5 because of the Target attributes and to site 2 because of the VPN2 Target attribute]
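The following Python is an added example (not from the presentation) that models both the per-site forwarding tables slide and the Target VPN example above: every site has its own VRF with an RD, export targets and import targets; the ingress PE turns a customer route into a VPN-IPv4 route carrying the exporting VRF's targets, and every other VRF installs it only if one of its import targets matches. The topology follows the slide (VPN1 = sites 1, 4, 5; VPN2 = sites 2, 3; VPN3 = sites 6, 7; site 1 exports into VPN1 and VPN2); the RD strings, the prefix 10.1.0.0/16 and the next-hop names are constructed sample values. Site 6 is given the same prefix as site 1 to show that isolation holds even with overlapping addresses.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class VpnRoute:
    """A VPN-IPv4 route as carried by MP-BGP: RD plus prefix, next hop, and its Target VPN attributes."""
    rd: str
    prefix: str
    next_hop: str
    targets: FrozenSet[str]


@dataclass
class SiteVrf:
    """Per-site forwarding table on a PE, with the route targets it exports and imports."""
    site: str
    rd: str
    export_targets: FrozenSet[str]
    import_targets: FrozenSet[str]
    table: Dict[str, str] = field(default_factory=dict)   # prefix -> next hop


def export_route(vrf: SiteVrf, prefix: str, next_hop: str) -> VpnRoute:
    """Ingress PE: convert a customer IPv4 route into VPN-IPv4 and attach the VRF's export targets."""
    return VpnRoute(vrf.rd, prefix, next_hop, vrf.export_targets)


def import_route(vrf: SiteVrf, route: VpnRoute) -> bool:
    """Egress PE: install the route only if at least one of its targets matches an import target."""
    if not (vrf.import_targets & route.targets):
        return False
    vrf.table[route.prefix] = route.next_hop   # converted back into a plain IPv4 route for this site
    return True


def distribute(route: VpnRoute, vrfs: List[SiteVrf]) -> List[str]:
    """Offer the route to every other site's VRF and return the sites that installed it."""
    return sorted(v.site for v in vrfs if v.rd != route.rd and import_route(v, route))


def build_topology() -> List[SiteVrf]:
    """Constructed topology from the slide: VPN1 = sites 1, 4, 5; VPN2 = sites 2, 3; VPN3 = sites 6, 7.

    Site 1 exports into both VPN1 (extranet) and VPN2 (company-internal).
    """
    vpn1, vpn2, vpn3 = frozenset({"VPN1"}), frozenset({"VPN2"}), frozenset({"VPN3"})
    return [
        SiteVrf("site1", "65000:1", frozenset({"VPN1", "VPN2"}), vpn1),
        SiteVrf("site2", "65000:2", vpn2, vpn2),
        SiteVrf("site3", "65000:3", vpn2, vpn2),
        SiteVrf("site4", "65000:4", vpn1, vpn1),
        SiteVrf("site5", "65000:5", vpn1, vpn1),
        SiteVrf("site6", "65000:6", vpn3, vpn3),
        SiteVrf("site7", "65000:7", vpn3, vpn3),
    ]


def run_example() -> dict:
    """Distribute site 1's route and report where it landed and that site 6 kept its own route."""
    vrfs = build_topology()
    site1, site6 = vrfs[0], vrfs[5]
    # Site 6 already uses the same prefix as site 1 (constructed overlap); its VRF must not be touched.
    site6.table["10.1.0.0/16"] = "CE6"
    route = export_route(site1, "10.1.0.0/16", "PE1")
    return {
        "installed_at": distribute(route, vrfs),
        "site6_next_hop": site6.table["10.1.0.0/16"],
        "site7_has_route": "10.1.0.0/16" in vrfs[6].table,
    }
```

Running `run_example()` shows the route installed at sites 2, 3, 4 and 5 only, while site 6 still points its 10.1.0.0/16 at CE6 and site 7 never learns the prefix, which is the isolation property the slides list as a VPN requirement.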
VPN Route Distribution with BGP
• Provider Edge routers are attached to a common AS (Autonomous System), running iBGP-MP
• Backbone routers (P devices) do not participate in BGP!
• iBGP-MP = interior Border Gateway Protocol / Multi-Protocol Extensions
[Figure: three Private Networks attached to PEs in one AS. The PE learns VPN routes and converts them to VPN-IP addresses; MP-iBGP routing exchanges the 64 bit “route distinguisher”]
VPN Example – Labelling
[Figure: CE1 and CE2 attach to PE1, CE3 and CE4 to PE2, across an MPLS Network with core routers P1 and P2. Packets are shown as IP on the CE links and as L IP (one label) and L L IP (two labels) inside the MPLS network. Legend: Label VPN A, Label VPN B, Label between PE1 and PE2]
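As an added example (not from the presentation), this Python simulates the two-label forwarding shown in the figure: the ingress PE pushes an inner VPN label chosen per VRF and an outer label for the path to PE2; the P routers swap or pop only the outer label without looking at the VPN label or the IP header; the egress PE uses the VPN label to pick the VRF before doing the IP lookup. Both VPNs use the same 10.1.0.0/16 at the remote site, so the VPN label is the only thing separating them. The topology (CE1/CE2 behind PE1, CE3/CE4 behind PE2, core PE1-P1-P2-PE2), the label values and the penultimate-hop pop at P2 are constructed assumptions.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple


class Packet:
    """IP packet with an MPLS label stack; labels[0] is the top of the stack."""
    def __init__(self, dst: str, labels: Optional[List[int]] = None):
        self.dst = dst
        self.labels = list(labels or [])

    def stack(self) -> str:
        """Render the stack in the slide's notation: 'L L IP' = two labels on top of the IP packet."""
        return " ".join(["L"] * len(self.labels) + ["IP"])


def longest_match(table: Dict[str, object], dst: str):
    """Longest-prefix match of dst against a prefix-keyed table; returns the table entry."""
    ip = ipaddress.IPv4Address(dst)
    best = None
    for prefix, entry in table.items():
        net = ipaddress.IPv4Network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, entry)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1]


class IngressPE:
    """PE1: per-VRF tables map customer prefixes to (egress PE, VPN label); an outer label reaches that PE."""
    def __init__(self, vrf_tables: Dict[str, Dict[str, Tuple[str, int]]], transport_labels: Dict[str, int]):
        self.vrf_tables = vrf_tables
        self.transport_labels = transport_labels

    def forward(self, vrf: str, pkt: Packet) -> Packet:
        egress_pe, vpn_label = longest_match(self.vrf_tables[vrf], pkt.dst)
        pkt.labels = [self.transport_labels[egress_pe], vpn_label]   # outer label on top, VPN label below
        return pkt


class CoreRouter:
    """P device: swaps (or pops, at the penultimate hop) only the top label; never sees VPN label or IP header."""
    def __init__(self, lfib: Dict[int, Optional[int]]):
        self.lfib = lfib   # incoming label -> outgoing label, None = pop

    def forward(self, pkt: Packet) -> Packet:
        out = self.lfib[pkt.labels[0]]
        pkt.labels = pkt.labels[1:] if out is None else [out] + pkt.labels[1:]
        return pkt


class EgressPE:
    """PE2: the remaining VPN label selects the VRF, then the IP destination selects the CE."""
    def __init__(self, label_to_vrf: Dict[int, str], vrf_tables: Dict[str, Dict[str, str]]):
        self.label_to_vrf = label_to_vrf
        self.vrf_tables = vrf_tables

    def forward(self, pkt: Packet) -> str:
        vrf = self.label_to_vrf[pkt.labels.pop(0)]
        return longest_match(self.vrf_tables[vrf], pkt.dst)


# Constructed topology (not from the slides): CE1/CE2 behind PE1, CE3/CE4 behind PE2, core PE1-P1-P2-PE2.
# Both VPNs use 10.1.0.0/16 at the remote site, so only the VPN label can tell them apart.
PE1 = IngressPE(
    vrf_tables={"VPN_A": {"10.1.0.0/16": ("PE2", 16)}, "VPN_B": {"10.1.0.0/16": ("PE2", 17)}},
    transport_labels={"PE2": 100},
)
P1 = CoreRouter(lfib={100: 200})      # swap the outer label
P2 = CoreRouter(lfib={200: None})     # penultimate hop: pop the outer label
PE2 = EgressPE(
    label_to_vrf={16: "VPN_A", 17: "VPN_B"},
    vrf_tables={"VPN_A": {"10.1.0.0/16": "CE3"}, "VPN_B": {"10.1.0.0/16": "CE4"}},
)


def run_path(vrf: str, dst: str) -> Tuple[List[str], str]:
    """Send one packet from the given VRF on PE1; return the label stack after each hop and the delivering CE."""
    pkt = Packet(dst)
    stacks = []
    for hop in (lambda p: PE1.forward(vrf, p), P1.forward, P2.forward):
        pkt = hop(pkt)
        stacks.append(pkt.stack())
    return stacks, PE2.forward(pkt)


if __name__ == "__main__":
    for vrf in ("VPN_A", "VPN_B"):
        print(vrf, run_path(vrf, "10.1.1.1"))
```

The same destination address leaves PE2 towards CE3 for VPN A and towards CE4 for VPN B, and the per-hop stacks (L L IP, L L IP, L IP) match the figure's notation.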
MPLS Layer 2 VPNs
• Provide point-to-point connections through an MPLS backbone
[Figure: Ethernet and ATM Customer Edge (CE) devices at sites 1 and 2 of enterprise 2 and sites 1 and 3 of enterprise 1 attach to Provider Edge (PE) devices across the Common Network]
MPLS Layer 2 VPNs (continued)
• Encoding already defined: how to map ATM cells and Ethernet frames into IP packets
• Signalling not defined yet – how to manage tunnels dynamically
• Point-to-multipoint / full mesh service not defined yet – how to switch ATM or Ethernet packets inside the MPLS network
Main VPN Features Checklist
[Table: comparison of IPsec, Layer 2 (ATM / FR), MPLS Layer 3 VPNs and MPLS Layer 2 VPNs against these criteria: Suited for non-IP traffic; Best suited for IP traffic; Service + Equipment pricing; Large-scale manageability; Provides Quality of Service; Available from many carriers; Forwarding performance; Scale for many end points (meshed); Interoperable with 3rd party products; Provides security (VPN isolation)]
Section III – Service Levels
First step: Define Service Levels
• Get in touch with company product managers to learn about their application requirements
• Inspect applications running in the network, derive typical requirements
• Verify budgets for network quality versus budgets for application enhancements (maybe it’s cheaper to exchange the application than enhance the network)
Applications used in VPNs (revisited)
Source: Cisco Systems
How to define Service Levels
• Negotiate Classes of Service (CoS, DiffServ):
[Table: classes of service per application, e.g. VoIP]
Verify Service Level Agreements
SLAs should be monitored and verified regularly:
• Has the network been reliable?
• Has network usage / application behavior changed?
Monitoring usually done by service provider – in addition, monitoring by customer useful for proactive management
[Figure: CE and PE with Define SLAs / Verify SLAs at the customer-provider boundary]
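As an added example of the customer-side verification this slide recommends (not from the presentation), the Python below takes a batch of probe results measured from the CE towards the PE, derives the three quantities the earlier QoS slide names (packet loss, delay, jitter; jitter with the smoothed interarrival estimator from RFC 3550) and compares them with SLA thresholds. The ten probe samples, the missing probe 7 and the threshold values for a voice class are constructed assumptions; real thresholds come from the negotiated SLA.

```python
from typing import Dict, List, Tuple

# Constructed probe samples (not from the presentation): (sequence number, sent_ms, received_ms)
# for ten probes sent from the CE towards the PE; probe 7 never came back.
PROBES: List[Tuple[int, float, float]] = [
    (1, 0.0, 20.0), (2, 100.0, 122.0), (3, 200.0, 221.0), (4, 300.0, 323.0),
    (5, 400.0, 420.0), (6, 500.0, 524.0), (8, 700.0, 722.0), (9, 800.0, 821.0),
    (10, 900.0, 920.0),
]
PROBES_SENT = 10

# Assumed SLA thresholds for a voice class; the real values come from the contract.
SLA: Dict[str, float] = {"max_loss_pct": 1.0, "max_avg_delay_ms": 50.0, "max_jitter_ms": 10.0}


def summarize(probes: List[Tuple[int, float, float]], sent_count: int) -> Dict[str, float]:
    """Compute loss percentage, mean one-way delay and RFC 3550 interarrival jitter from probe results."""
    received = sorted(probes)                       # order by sequence number
    delays = [rx - tx for _, tx, rx in received]
    if not delays:                                  # total outage: every metric fails the SLA
        return {"loss_pct": 100.0, "avg_delay_ms": float("inf"), "jitter_ms": float("inf")}
    jitter = 0.0
    for previous, current in zip(delays, delays[1:]):
        # J = J + (|D(i-1, i)| - J) / 16, with D the change in transit time between consecutive probes
        jitter += (abs(current - previous) - jitter) / 16
    return {
        "loss_pct": 100.0 * (sent_count - len(received)) / sent_count,
        "avg_delay_ms": sum(delays) / len(delays),
        "jitter_ms": jitter,
    }


def verify_sla(summary: Dict[str, float], sla: Dict[str, float]) -> List[str]:
    """Return the names of the metrics that exceed their SLA limit (empty list = SLA met)."""
    checks = [
        ("loss", summary["loss_pct"], sla["max_loss_pct"]),
        ("delay", summary["avg_delay_ms"], sla["max_avg_delay_ms"]),
        ("jitter", summary["jitter_ms"], sla["max_jitter_ms"]),
    ]
    return [name for name, measured, limit in checks if measured > limit]


if __name__ == "__main__":
    report = summarize(PROBES, PROBES_SENT)
    print(report)
    print("violations:", verify_sla(report, SLA) or "none")
```

On the constructed sample the delay and jitter figures are well inside the limits, but the single lost probe out of ten is a 10% loss against a 1% limit, so the check reports a loss violation; that is the kind of finding worth raising with the provider before users notice it.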
Conclusion
• Different types of VPNs available on the market today
• Choose depending on application requirements
• Keep features and limitations of different alternatives in mind!
Thank you!
For more information, our web server is available:
http://www.eantc.de/