Next Generation Optical Networks for Broadband European Leadership
http://www.ist-nobel.org/Nobel2/servlet/Nobel2.Main

Layer 3 Virtual Private Network (L3VPN)
Training course

Valerio Martini

This tutorial is licensed under the Creative Commons creativecommons.org/licenses/by-nc-sa/3.0/

Summary

• What is a VPN?
• MPLS VPN (RFC 4364): a choice
• "Private" instances of routing (VRF tables)
• Multiprotocol BGP
• An MPLS tunnel
• A quick view on: VPN multi-domain; VPN QoS and scalability

What is a VPN?

A Virtual Private Network (VPN) is a private data network that makes use of the public telecommunication infrastructure, maintaining privacy (separation of one customer's traffic and routing from everyone else's) and resource reservation through the use of tunnelling protocols.

• Layer 3 VPNs (L3VPN) are based on IP/MPLS networks (cf. RFC 4364, "BGP/MPLS IP Virtual Private Networks")
• L3 VPN connectivity is provided across the Service Provider's network
• L3 VPNs are based on the IP addressing scheme; the virtual connectivity relies on ad hoc forwarding tables called VRFs (VPN Routing and Forwarding tables)
• Backbone routers (P routers) are unaware of the VPNs and of the VRF tables: they only run the tunnelling protocols (MPLS label switching) and forward on the outer label
• Service Provider edge routers (PE routers) hold the VRFs and attach the customer's corporate WAN sites to the L3 VPN

Caveat: "private" here means separated, not encrypted. RFC 4364 isolates routing and forwarding between VPNs but does not encrypt customer traffic or protect it from an attacker inside the provider core; customers who need confidentiality run IPsec between sites on top of the L3 VPN.

VPN Terminology

P: Provider router (backbone core)
PE: Provider Edge router
CE: Customer Edge router

[Figure: sites of VPN 1, VPN 2 and VPN 3 attached through CE routers to PE routers over FE/GE links; the PEs surround a P router backbone.]

• VPN area: the different customer sites of one VPN. The WAN of a corporate network (a site) consists of network systems placed in geographic proximity.
• Backbone: BGP, IP/MPLS, OSPF and (optionally) RSVP.
• Attachment circuit: the data link between a CE and its PE, e.g. Fast Ethernet (FE) or Gigabit Ethernet (GE). End systems sit behind the CE.

VPN Taxonomy

A brief classification:

Type of customer-side virtual tunnel
• Layer 2 VPNs provide Layer 2 connectivity, e.g. a native Ethernet LAN
• Layer 3 VPNs provide Layer 3 connectivity, e.g. based on an access IP router

Type of VPN (in terms of endpoint location)
• CE-based: the VPN is configured and maintained by the customer; the provider network is VPN-unaware
• PE-based: the network provider is responsible for VPN configuration and maintenance

Possible architectures
• Layer 3 VPN (e.g. IPsec, BGP/MPLS IP VPN)
• Layer 2 VPN (e.g. VPLS, VPWS)

Layer 2 vs Layer 3 VPN

Type of customer payload carried by the virtual tunnel

Layer 3 VPN provides BGP IP/MPLS backbone connectivity. The Layer 3 approach to an IP/MPLS-based VPN offers a routed solution:
• completely based on the IPv4 addressing scheme
• scalable
The de facto standard is described in RFC 4364 (February 2006).

Layer 2 VPN provides native Layer 2 backbone connectivity. The Layer 2 approach:
• offers encapsulation methods to transport Layer 2 frames over MPLS networks
• keeps the Provider's and the Customer's network decoupled: the provider carries frames and takes no part in customer routing
• allows PEs to offer services that are independent of the Layer 3 protocols
The establishment of point-to-point connectivity in a Layer 2 VPN (transport of Layer 2 frames over MPLS) is described in RFC 4906.

VPLS provides L2/L3 hybrid connectivity. The Virtual Private LAN Service offers hybrid connectivity based on:
• Provider-Customer VLAN (Virtual LAN) association on the access network
• BGP IP/MPLS connectivity in the backbone

CE-based vs PE-based

Type of endpoint (location) of the tunnel

CE-based: VPN Customer Edges (CE) are maintained by the customer. The customer is responsible for:
• its endpoints
• router maintenance
• routing protocol configuration
• VRF configuration
• its own security
For example: a VPLS service belongs natively to this category from the customer's point of view, because the customer keeps its own routing and security over the provider's Layer 2 service.

PE-based: VPN Provider Edges (PE) are maintained by the Service Provider. The Service Provider is responsible for all domain endpoints and must be able to:
• configure all edge routers
• maintain the routers
• provide advanced services
• operate point-to-point security where required (PE-based IPsec)
For example: the L3 VPN belongs natively to this category. The customer network is completely VPN-unaware.

BGP IP/MPLS VPN: a choice

RFC 4364 defines an emerging standard commonly named "MPLS VPN" or, more exactly, "BGP/MPLS IP VPN".

Service providers that offer Layer 3 VPN services can take advantage of new, advanced features:
• L3 VPN services allow businesses to outsource their network core using a private IP-based service offering from an SP.
• The most common deployment is an any-to-any topology where any customer device can connect directly to the L3 VPN.
• Enterprise traffic entering the SP domain is routed based on the information in the VRF table and encapsulated with MPLS labels to ensure proper tunnelling and demultiplexing through the core.

The three main steps for the establishment of a VPN over an IP/MPLS backbone:
1. Routing instance configuration (VRF tables and policy)
2. Multiprotocol BGP (MP-BGP) configuration (it carries the VRF tables among the PEs)
3. MPLS configuration (the LSP tunnels between PEs)

"Private" Instances of Routing (Step 1)

The virtual tunnel connection is based on an ad hoc forwarding table called VRF.

A new address space. The address space used by a VRF is composed of:
• the IP prefix (4 bytes, standard IPv4 prefix)
• the Route Distinguisher (RD, 8 bytes)
Together they form the VPN-IPv4 address family (12 bytes). The RD is made of a Type field, the Provider's AS number (or an IP address) and an assigned number.

Different forwarding tables are distinguished by the Route Target (RT).

Each VPN has its own address space:
• a given address may denote different systems in different VPNs (overlapping private addressing)
• a given address may denote the same system in different VPNs (a unique address reachable from several VPNs)

Practitioner's note: the RD only makes prefixes unique inside MP-BGP; it carries no policy. Which VRF receives a route is decided exclusively by the RT, so RD and RT must not be confused when auditing a PE configuration.
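As an added example (not part of the original tutorial), the following Python builds and parses the 12-byte VPN-IPv4 address described above. It goes slightly beyond the slide in covering all three RD types that RFC 4364 defines (type 0: two-byte AS number, type 1: IPv4 address, type 2: four-byte AS number); the RD values and prefixes used are constructed.

```python
"""VPN-IPv4 addresses (RFC 4364, section 4.1): an 8-byte Route Distinguisher
in front of a 4-byte IPv4 prefix makes two customers' identical private
prefixes distinct inside MP-BGP.  Added example; not the tutorial's code."""
import ipaddress
import struct

# The 2-byte Type field selects the layout of the remaining 6 bytes.
RD_TYPE0 = 0   # 2-byte AS number    + 4-byte assigned number
RD_TYPE1 = 1   # 4-byte IPv4 address + 2-byte assigned number
RD_TYPE2 = 2   # 4-byte AS number    + 2-byte assigned number


def encode_rd(text: str) -> bytes:
    """Encode 'ADMINISTRATOR:NUMBER' as the 8-byte RD.  The type is chosen from
    the administrator field: dotted IPv4 -> type 1, 4-byte AS -> type 2,
    otherwise type 0 (the usual 'AS:number' form)."""
    admin, number = text.split(":")
    num = int(number)
    if "." in admin:
        return struct.pack("!H4sH", RD_TYPE1, ipaddress.IPv4Address(admin).packed, num)
    asn = int(admin)
    if asn > 0xFFFF:
        return struct.pack("!HIH", RD_TYPE2, asn, num)
    return struct.pack("!HHI", RD_TYPE0, asn, num)


def decode_rd(rd: bytes) -> str:
    """Inverse of encode_rd; unknown types are rejected rather than guessed."""
    if len(rd) != 8:
        raise ValueError("RD must be 8 bytes")
    (rd_type,) = struct.unpack("!H", rd[:2])
    if rd_type == RD_TYPE0:
        asn, num = struct.unpack("!HI", rd[2:])
        return f"{asn}:{num}"
    if rd_type == RD_TYPE1:
        ip, num = struct.unpack("!4sH", rd[2:])
        return f"{ipaddress.IPv4Address(ip)}:{num}"
    if rd_type == RD_TYPE2:
        asn, num = struct.unpack("!IH", rd[2:])
        return f"{asn}:{num}"
    raise ValueError(f"unknown RD type {rd_type}")


def vpnv4_address(rd: str, prefix: str) -> bytes:
    """12-byte VPN-IPv4 address: RD followed by the IPv4 network address.
    The prefix length travels separately in the NLRI length field."""
    net = ipaddress.IPv4Network(prefix)
    return encode_rd(rd) + net.network_address.packed


def parse_vpnv4_address(addr: bytes) -> tuple:
    """Split a VPN-IPv4 address back into ('RD', 'a.b.c.d')."""
    if len(addr) != 12:
        raise ValueError("VPN-IPv4 address must be 12 bytes")
    return decode_rd(addr[:8]), str(ipaddress.IPv4Address(addr[8:]))


if __name__ == "__main__":
    # Constructed example: two VPNs both numbering a site 10.1.0.0/24.
    vpn1 = vpnv4_address("2.2.2.2:100", "10.1.0.0/24")   # type 1 RD, as on the slide
    vpn2 = vpnv4_address("65000:200", "10.1.0.0/24")     # type 0 RD
    for addr in (vpn1, vpn2):
        print(addr.hex(), parse_vpnv4_address(addr))
    print("same IPv4 prefix, distinct VPN-IPv4 addresses:", vpn1 != vpn2)
```

Note that the last four bytes of both addresses are identical: only the RD keeps the two customers' 10.1.0.0/24 apart in the BGP table, which is why the RD must be unique per VRF (or at least per VPN) on every PE.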

"Private" Instances of Routing (Step 1): full scenario

[Figure: sites of VPN 1, VPN 2 and VPN 3 attached through FE links (FE-1, FE-2, ...) to the IP/MPLS backbone; the key marks firewalls at the customer sites.]

"Private" Instances of Routing (Step 1): populating the VRF tables

[Figure: on each PE one VRF table per VPN (VPN1, VPN2, VPN3) faces the CE routing tables of the enterprises; the PEs are interconnected by the MP-BGP backbone running MPLS, OSPF and RSVP.]

There are three methods to populate a VRF from the attached site (PE-CE routing):
• statically (by manual configuration) or with RIP
• OSPF
• BGP (eBGP between CE and PE)

"Private" Instances of Routing (Step 1): routing and forwarding

The PE router composes the labelled frame. For an IP packet arriving from a customer network:
1. Identify the VPN (from the attachment circuit the packet arrived on)
2. Select the VRF entry for this VPN (the destination is looked up in that VRF only)
3. Attach the VPN label (the inner label, advertised by the egress PE together with the route)
4. Attach the MPLS label (the outer transport label of the LSP towards the egress PE)
5. Send out

[Figure: IP pkt -> | Label MPLS | Label VPN | IP pkt | into the IP/MPLS backbone.]

• Each attachment circuit is associated with exactly one VRF; a PE keeps a different VRF for each VPN it serves
• The Route Target is used to distinguish the different VRF tables

"Private" Instances of Routing (Step 1): Label Switched Path

[Figure: VPN site -> PE composes the packets (Label VPN | IP) -> IP/MPLS backbone -> PE decomposes the packets -> VPN site.]

The ingress PE composes the packets, the egress PE decomposes them. The core routers are completely unaware of the VPN label: they switch on the outer label only and never look at the VPN label or at the IP header.
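The five forwarding steps and the label-switched path, run through in Python as an added example that is not part of the original tutorial: an ingress PE pushes the two-label stack, a P router swaps only the outer label, and the egress PE pops and demultiplexes on the VPN label. The label values, VRF entries, PE names and payload are constructed; the stack entry layout follows RFC 3032.

```python
"""Two-level label stack of a BGP/MPLS IP VPN packet and what each router
touches on the way.  Added example, not the tutorial's code; VRF entries,
labels and the payload are constructed for illustration."""
import ipaddress
import struct


def encode_entry(label: int, bottom: bool, ttl: int = 255, tc: int = 0) -> bytes:
    """One 4-byte MPLS label stack entry (RFC 3032):
    20-bit label | 3-bit TC | 1-bit S (bottom of stack) | 8-bit TTL."""
    if not 0 <= label < (1 << 20):
        raise ValueError("label must fit in 20 bits")
    return struct.pack("!I", (label << 12) | (tc << 9) | (int(bottom) << 8) | (ttl & 0xFF))


def decode_entry(data: bytes) -> tuple:
    """Return (label, tc, bottom_of_stack, ttl) of the entry at the front of data."""
    (word,) = struct.unpack("!I", data[:4])
    return word >> 12, (word >> 9) & 0x7, bool((word >> 8) & 0x1), word & 0xFF


def vrf_lookup(vrf_table: dict, dst_ip: str) -> tuple:
    """Longest-prefix match inside ONE VRF only: the destination is never looked
    up in the global table or in another customer's VRF."""
    dst = ipaddress.IPv4Address(dst_ip)
    best = None
    for prefix, entry in vrf_table.items():
        net = ipaddress.IPv4Network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, entry)
    if best is None:
        raise LookupError(f"no route to {dst_ip} in this VRF")
    return best[1]


def ingress_pe(vrf_table: dict, transport_labels: dict, dst_ip: str, ip_packet: bytes) -> bytes:
    """Steps 2-5 of the slide: the VRF entry gives the VPN label and the egress
    PE; the LSP to that PE gives the transport label; push the VPN label
    (bottom) then the transport label (top) and send."""
    vpn_label, egress = vrf_lookup(vrf_table, dst_ip)
    transport = transport_labels[egress]
    return encode_entry(transport, bottom=False) + encode_entry(vpn_label, bottom=True) + ip_packet


def p_router(frame: bytes, swap_table: dict) -> bytes:
    """A core router swaps only the top label.  The VPN label and the IP packet
    are carried through untouched and never inspected."""
    label, tc, bottom, ttl = decode_entry(frame)
    if bottom:
        raise ValueError("P router received a frame without a transport label")
    return encode_entry(swap_table[label], bottom=False, ttl=ttl - 1, tc=tc) + frame[4:]


def egress_pe(frame: bytes, label_to_vrf: dict) -> tuple:
    """Pop the transport label if it is still there (penultimate-hop popping may
    have removed it), then demultiplex on the VPN label to the owning VRF."""
    label, _, bottom, _ = decode_entry(frame)
    if not bottom:
        frame = frame[4:]
        label, _, bottom, _ = decode_entry(frame)
    if not bottom:
        raise ValueError("unexpected extra label below the VPN label")
    if label not in label_to_vrf:
        raise LookupError(f"VPN label {label} not allocated on this PE")  # drop, never guess a VRF
    return label_to_vrf[label], frame[4:]


# Constructed scenario: VRF vpn-A on PE1 knows 10.2.0.0/24 behind PE2 with VPN
# label 300003; the LSP to PE2 starts with transport label 16, swapped to 17 in the core.
VRF_A_ON_PE1 = {"10.2.0.0/24": (300003, "PE2"), "10.0.0.0/8": (300009, "PE3")}
LSP_FROM_PE1 = {"PE2": 16, "PE3": 18}
P_SWAP = {16: 17, 18: 19}
VPN_LABELS_ON_PE2 = {300003: "vpn-A", 300004: "vpn-B"}
PAYLOAD = b"<constructed IPv4 packet 10.1.0.5 -> 10.2.0.7>"


def end_to_end(dst_ip: str = "10.2.0.7", payload: bytes = PAYLOAD) -> tuple:
    """Run one packet PE1 -> P -> PE2 and return (VRF at PE2, payload delivered)."""
    frame = ingress_pe(VRF_A_ON_PE1, LSP_FROM_PE1, dst_ip, payload)
    frame = p_router(frame, P_SWAP)
    return egress_pe(frame, VPN_LABELS_ON_PE2)


if __name__ == "__main__":
    print(end_to_end())
```

The check in egress_pe matters: a VPN label that no VRF on this PE allocated must be dropped, because the only thing that ties an incoming frame to a customer is that label, and the core does not validate it.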

"Private" Instances of Routing (Step 1): PE router configuration

Config (Junos XML) of the routing instance on the PE with loopback 2.2.2.2:

<routing-instances>
  <instance>
    <name>vpn-ABC</name>
    <instance-type>vrf</instance-type>
    <interface>fe-0/3/1.0</interface>
    <route-distinguisher>2.2.2.2:RD</route-distinguisher>
    <!-- Route Target: without an import/export target no route enters or leaves this VRF -->
    <vrf-target>target:AS:RT</vrf-target>
  </instance>
</routing-instances>

FIRST: the name of the routing instance
SECOND: the type of the routing instance (vrf)
THIRD: the Juniper physical interface (the attachment circuit) bound to the VRF
FOURTH: the Route Distinguisher, which builds the VPN-IPv4 family address
FIFTH: the Route Target (vrf-target) that selects which VRFs import these routes; a VRF that imports another customer's target leaks that customer's routes

BGP Multiprotocol (Step 2): full scenario

[Figure: the same three VPNs attached over FE links to the IP/MPLS backbone; the key marks firewalls at the customer sites.]

BGP Multiprotocol (Step 2): PE router configuration

The VRF tables are exchanged between PEs over MP-BGP (VPN-IPv4 family). Config on the PE with loopback 2.2.2.2:

<bgp>
  <local-address>2.2.2.2</local-address>
  <local-as>AS</local-as>
  <group>
    <name>1-2-3</name>
    <type>internal</type>
    <family>
      <inet-vpn>
        <unicast/>
      </inet-vpn>
    </family>
    <neighbor>
      <name>1.1.1.1</name>
      <description>Edge-1</description>
    </neighbor>
    <neighbor>
      <name>3.3.3.3</name>
      <description>Edge-3</description>
    </neighbor>
  </group>
</bgp>

FIRST: the local address of the PE (its loopback)
SECOND: the Autonomous System
THIRD: the name of the BGP group (internal, i.e. iBGP, with the inet-vpn family enabled so that VPN-IPv4 routes are carried)
FOURTH: the list of neighbours (the other PEs' loopbacks)

Resulting full mesh:
RouterId = 1.1.1.1, BGP group A-B-C: neighbour 2.2.2.2, neighbour 3.3.3.3
RouterId = 2.2.2.2, BGP group A-B-C: neighbour 1.1.1.1, neighbour 3.3.3.3
RouterId = 3.3.3.3, BGP group A-B-C: neighbour 2.2.2.2, neighbour 1.1.1.1

These sessions carry every customer's routes; in production they are authenticated (TCP MD5, RFC 2385, or TCP-AO, RFC 5925) and the PE loopbacks are reachable only from inside the backbone.
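As an added example (not code from the tutorial), a Python model of the exchange this slide describes together with the Route Target rule from the routing-and-forwarding slide: each PE exports its VRF routes tagged with the VRF's export RT, every VRF imports by RT only, and an audit function reports routes that ended up in a VRF belonging to another customer. The PE names, customers, RDs, RTs, prefixes and labels are constructed.

```python
"""Route Target import/export between VRFs, modelling what MP-BGP does when
the VRF tables are exchanged between PEs (RFC 4364, section 4.3).  Added
example, not the tutorial's code; PEs, customers, RDs, RTs, prefixes and
labels are constructed for illustration."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class VpnRoute:
    rd: str                   # Route Distinguisher: keeps overlapping prefixes distinct
    prefix: str               # customer IPv4 prefix
    next_hop: str             # advertising PE
    label: int                # VPN label the advertising PE expects on returned packets
    route_targets: frozenset  # extended communities attached on export


@dataclass
class Vrf:
    name: str
    customer: str
    rd: str
    import_rts: frozenset
    export_rts: frozenset
    local_routes: dict = field(default_factory=dict)  # prefix -> VPN label, learned from the CE
    table: dict = field(default_factory=dict)         # prefix -> [VpnRoute] received via MP-BGP


def export_routes(pe: str, vrf: Vrf) -> list:
    """What the PE advertises into MP-BGP for one VRF: RD-qualified prefixes
    tagged with the VRF's export RTs."""
    return [VpnRoute(vrf.rd, p, pe, lbl, vrf.export_rts) for p, lbl in vrf.local_routes.items()]


def import_routes(vrf: Vrf, advertised: list) -> None:
    """Install every received route carrying at least one of the VRF's import
    RTs.  The RD plays no part in this decision; only the RT does."""
    for r in advertised:
        if r.rd == vrf.rd:
            continue  # the VRF's own advertisement
        if r.route_targets & vrf.import_rts:
            vrf.table.setdefault(r.prefix, []).append(r)


def cross_vpn_leaks(vrfs: dict) -> list:
    """Audit check: any route installed in a VRF that was exported by a VRF of
    a different customer is a route-target leak.  Returns (vrf, prefix, RD)."""
    rd_customer = {v.rd: v.customer for v in vrfs.values()}
    return sorted(
        (key, prefix, r.rd)
        for key, v in vrfs.items()
        for prefix, routes in v.table.items()
        for r in routes
        if rd_customer[r.rd] != v.customer
    )


def build_scenario(misconfigured: bool = False) -> dict:
    """Two PEs and two customers (A and B) that both use 10.1.0.0/24 and
    10.2.0.0/24.  With misconfigured=True, the VRF for customer B on PE2 also
    imports customer A's route target: the classic cross-VPN leak."""
    rt_a, rt_b = frozenset({"target:65000:1"}), frozenset({"target:65000:2"})
    b_import_on_pe2 = rt_b | rt_a if misconfigured else rt_b
    vrfs = {
        "PE1/vpn-A": Vrf("vpn-A", "A", "1.1.1.1:1", rt_a, rt_a, {"10.1.0.0/24": 300001}),
        "PE1/vpn-B": Vrf("vpn-B", "B", "1.1.1.1:2", rt_b, rt_b, {"10.1.0.0/24": 300002}),
        "PE2/vpn-A": Vrf("vpn-A", "A", "2.2.2.2:1", rt_a, rt_a, {"10.2.0.0/24": 300003}),
        "PE2/vpn-B": Vrf("vpn-B", "B", "2.2.2.2:2", b_import_on_pe2, rt_b, {"10.2.0.0/24": 300004}),
    }
    advertised = []  # every PE advertises every VRF; the iBGP mesh delivers all of it to every PE
    for key, vrf in vrfs.items():
        advertised.extend(export_routes(key.split("/")[0], vrf))
    for vrf in vrfs.values():
        import_routes(vrf, advertised)
    return vrfs


if __name__ == "__main__":
    for flag in (False, True):
        vrfs = build_scenario(misconfigured=flag)
        print("misconfigured" if flag else "correct", "->", cross_vpn_leaks(vrfs) or "no leaks")
```

In the correct scenario both customers' 10.1.0.0/24 coexist on every PE, each in its own VRF with its own VPN label. One extra import target on a single VRF is enough to pull another customer's sites into it, which is why the vrf-target lines of every PE are the first thing to review in an L3VPN audit.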

BGP Multiprotocol (Step 2): route reflector

Config

[Figure: three PEs (RouterId 1.1.1.1, 2.2.2.2, 3.3.3.3) in BGP group A-B-C, each peering with the other two, compared with the same PEs peering only with a route reflector.]

• Plain iBGP requires a full mesh of sessions: n(n-1)/2 sessions
  e.g. 10 routers: 10*(10-1)/2 = 45 BGP sessions
• iBGP with route reflectors (RR): with a redundant pair of RRs, each of the n-1 client PEs keeps one session to each RR: (n-1)+(n-1) sessions
  e.g. 10 routers: 9+9 = 18 BGP sessions

The VRF tables are still exchanged between all PEs: the RR plays for iBGP a role analogous to an OSPF designated router, in that the PEs peer only with it and it re-advertises the VPN-IPv4 routes between them. A compromised or misconfigured RR therefore sees, and can alter, every VPN's routes.

MPLS (LSP tunnelling) (Step 3): full scenario

[Figure: the same three VPNs attached over FE links to the IP/MPLS backbone; the key marks firewalls at the customer sites.]

MPLS (LSP tunnelling) (Step 3): PE router configuration

[Figure: three VPN sites attached to PE routers around core routers CR 1, CR 2 and CR 3.]

Config of the LSP from this PE towards the egress PE 1.1.1.1:

<mpls>
  <label-switched-path>
    <name>to-A</name>
    <to>1.1.1.1</to>
    <bandwidth>30m</bandwidth>
    <install>
      <destination-prefix>10.20.12.0/24</destination-prefix>
      <active/>
    </install>
  </label-switched-path>
</mpls>

FIRST: the name of the LSP
SECOND: the destination of the LSP (the egress router)
THIRD: the bandwidth reserved (signalled with RSVP)
FOURTH: the set of prefixes installed in the routing table; with "active" the prefix is installed as an active route, so traffic to it is forwarded over this LSP

Benefits

RFC 4364 defines an emerging standard commonly named "MPLS VPN" or, more exactly, "BGP/MPLS IP VPN".

• VPNs can use overlapping address spaces (VPN-IPv4 family)
• Providers use existing protocols (BGP, RSVP, OSPF, MPLS)
• Provider backbone routers do not need to hold any VPN routing information
• Providers can offer good SLA and QoS support
• Customers are unaware of MPLS (all the work is done by the Service Provider)
• Customers are unaware of the security policy: separation between VPNs is enforced by the provider's VRF and Route Target configuration
• Customers are unaware of the VPN connectivity and routing management

Drawbacks

RFC 4364 defines an emerging standard commonly named "MPLS VPN" or, more exactly, "BGP/MPLS IP VPN".

• IP only: L3 VPNs as defined in RFC 4364 transport only IPv4 traffic (IPv6 needs the separate extension in RFC 4659)
• Non-IP protocols need to be tunnelled through some mechanism (such as GRE) on the CE or C devices
• The customer depends on the SP for Layer 3 features and capabilities
• Layer 3 convergence and QoS capabilities also depend on the SP offering, and SLAs must be negotiated to manage these requirements
• Possible integration difficulties: the difficulty of integration from Layer 2 to Layer 3 peering varies greatly depending on the SP offering. If the SP does not offer some service, integration with a different routing protocol, such as eBGP, might require

VPN Multi-Domain

Two sites of a VPN are connected to different Autonomous Systems (AS).

There are two methods to implement this feature:
• VRF-to-VRF: a direct connection between the border PEs of the two ASes, one VRF facing the other, so that each AS treats the other's PE like a customer CE
• eBGP (External BGP): the border routers of the two ASes exchange the VPN-IPv4 routes, with their labels, over an MP-eBGP session

[Figure: AS 1, AS 2 and AS 3, each an IP/MPLS backbone, joined either by a direct connection between PEs or by an External BGP session.]

QoS and Scalability

The BGP/MPLS IP VPN provides Quality of Service (QoS):
• MPLS reserves bandwidth using RSVP
• A policy on the PE router steers selected IP prefixes onto a reserved LSP

The BGP/MPLS IP VPN presents good scalability:
• A route reflector needs fewer BGP sessions
• Two levels of labels keep the P routers free of all VPN routing information
• PE routers maintain routing information only for the VPNs whose sites are directly connected to them

References

• IANA considerations (Internet Assigned Numbers Authority): IANA has created a registry for the "Route Distinguisher Type Field"
• Rosen, E., and Rekhter, Y., "BGP/MPLS IP Virtual Private Networks (VPNs)", RFC 4364, February 2006
• Metz, C., "The Latest in Virtual Private Networks, Part I & II", IEEE Internet Computing, June 2004; available at http://computer.org/internet
• Daugherty, B., and Metz, C., "Multiprotocol Label Switching and IP, Part I", IEEE Internet Computing, June 2005; available at http://computer.org/internet
• JUNOS software documentation for M-series and T-series platforms, available at http://www.juniper.net/techpubs