L3VPN
Transcript of L3VPN
http://www.ist-nobel.org/Nobel2/servlet/Nobel2.Main
Next Generation Optical Networks for Broadband European Leadership
Valerio Martini
This tutorial is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 3.0 license: creativecommons.org/licenses/by-nc-sa/3.0/
Layer 3 Virtual Private Network (L3VPN)
Training course
Summary
What is a VPN?
MPLS VPN (RFC 4364): a choice
Private Instances of Routing (VRF Tables)
Multi Protocol BGP
An MPLS Tunnel
A quick view on: VPN Multi-Domain
VPN QoS and Scalability
What is a VPN?
A Virtual Private Network (VPN) is a private data network that makes use of the public telecommunication infrastructure, maintaining privacy (separation of the customer's traffic) and resource reservation through the use of tunneling protocols.
Layer 3 VPNs (L3VPN) are based on IP/MPLS networks (cf. RFC 4364, BGP/MPLS IP VPN).
L3 VPN connectivity is provided across the Service Provider's network.
L3 VPNs are based on the IP addressing scheme; the virtual connectivity relies on ad hoc forwarding tables called VRFs (VPN Routing and Forwarding tables).
Backbone routers (P routers) are unaware of the VPNs and hold no VRF tables; they only need to support the tunneling protocol (MPLS label switching).
Provider Edge routers (PE routers) are the provider's routers to which the corporate network WANs (sites) are attached; they are the ones that establish the L3 VPN.
VPN Terminology
P: Provider Router
CE: Customer Edge Router
PE: Provider Edge Router
[Figure: sites of VPN 1, VPN 2 and VPN 3 attached through CE routers to PE routers over FE (Fast Ethernet) and GE (Gigabit Ethernet) links; P routers inside the backbone]
VPN Terminology (continued)
VPN area: the different customer sites belonging to one VPN.
A site (the WAN of a corporate network) consists of network systems placed in geographic proximity.
Backbone: BGP, IP/MPLS, OSPF/(RSVP).
VPN Terminology (continued)
End System: a customer host behind the CE.
An Attachment Circuit (the CE-PE link) is usually a data link, e.g., Fast Ethernet (FE) or Gigabit Ethernet (GE).
VPN Taxonomy
A brief classification:
Type of customer-side virtual tunnel:
  Layer 2 VPNs provide Layer 2 connectivity, e.g., a native Ethernet LAN
  Layer 3 VPNs provide Layer 3 connectivity, e.g., based on an access IP router
Type of VPN (in terms of end-point location):
  CE-based: the VPNs are configured and maintained by the customer; the provider network is VPN unaware
  PE-based: the network provider is responsible for VPN configuration and maintenance
Possible architectures:
  Layer 3 VPN (e.g., IPsec)
  Layer 2 VPN (e.g., VPLS, VPWS)
Layer 2 vs Layer 3 VPN
Type of customer payload carried by the virtual tunnel.
Layer 3 VPN provides BGP IP/MPLS backbone connectivity. The Layer 3 approach to create an IP/MPLS-based VPN offers a routed solution:
  completely based on the IPv4 addressing scheme
  scalable
  the de facto standard is described in RFC 4364 (February 2006)
Layer 2 VPN provides native Layer 2 backbone connectivity. The Layer 2 approach:
  offers encapsulation methods to transport Layer 2 frames over MPLS networks
  provides an optimization between the provider's and the customer's networks
  allows PEs to offer services that are INDEPENDENT of the Layer 3 protocols
  the RFC describing the establishment of point-to-point connectivity in a Layer 2 VPN is RFC 4906
VPLS provides an L2/L3 hybrid connectivity. The Virtual Private LAN Service offers a hybrid connectivity based on:
  Provider-Customer VLAN (Virtual LAN) association on the access network
  BGP IP/MPLS connectivity in the backbone
CE vs PE Based
Type of endpoint (location) of the tunnel.
CE-based: the VPN Customer Edge (CE) routers are maintained by the customer. The customer is responsible for its endpoints:
  router maintenance
  routing protocol configuration
  VRF configuration
  its own security
For example: from the routing point of view VPLS belongs to this category, since the provider offers only a Layer 2 LAN and all the Layer 3 routing stays with the customer.
PE-based: the VPN Provider Edge (PE) routers are maintained by the Service Provider. The Service Provider is responsible for all the domain endpoints and must be able to:
  configure all the Edge Routers
  maintain the routers
  provide advanced services
  operate point-to-point security (PE-based IPsec between the PEs, where encryption is part of the offering)
For example: the L3 VPN belongs natively to this category. The customer network is completely VPN unaware.
BGP IP/MPLS VPN: A choice
RFC 4364 defines an emerging standard commonly named MPLS VPN or, more exactly, BGP/MPLS IP VPN.
Service providers that offer Layer 3 VPN services can take advantage of new, advanced features.
L3 VPN services allow businesses to outsource their current network core using a private IP-based service offering from an SP.
The most common deployment is an any-to-any topology where any customer device can connect directly to the L3 VPN.
Enterprise traffic entering the SP domain is then routed based on the information in the VRF table and encapsulated with MPLS labels to ensure proper tunneling and de-multiplexing through the core.
The three main steps for the establishment of a VPN over an IP/MPLS backbone:
1. Routing instance configuration (VRF tables and policy)
2. MP-BGP (Multiprotocol BGP) configuration (it carries the VRF tables among the PEs)
3. MPLS configuration
Private Instances of Routing (Step-1)
The virtual tunnel connection is based on an ad hoc forwarding table called VRF.
The address space used by the VRF is composed of the IP prefix plus a Route Distinguisher (RD).
Different forwarding tables are distinguished by the Route Target (RT): a route is imported only into the VRFs whose import targets match the RT it carries.
Each VPN has its own address space: a given address may denote different systems in different VPNs, and a given address may denote the same system in different VPNs (unique address).
A new address space, the VPN-IPv4 family:
  8-byte Route Distinguisher (RD): a 2-byte Type field, then the provider's AS number and an Assigned Number (6 bytes together)
  + 4-byte standard IPv4 prefix
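As an added example (not part of the tutorial), the following Python script encodes the VPN-IPv4 family just described and simulates the Route Target import at a remote PE. The PE addresses, RD and RT values, labels and the 10.1.1.0/24 prefix are constructed sample values, and the "vpn-C" VRF is a deliberate misconfiguration (an import RT copied from vpn-A) included to show what the import rule does with it.

```python
"""Added example (not from the tutorial): VPN-IPv4 addresses and Route-Target-based VRF import.

Shows the 8-byte Route Distinguisher making overlapping customer prefixes unique in
MP-BGP (RFC 4364, labeled NLRI encoding of RFC 3107) and the Route Target extended
community deciding which VRF a received route is imported into. PE names, RDs, RTs,
labels and prefixes are constructed sample values.
"""
import ipaddress
import struct


def encode_rd(admin_as, assigned):
    """Type-0 RD: 2-byte type (0), 2-byte administrator AS, 4-byte assigned number."""
    return struct.pack("!HHI", 0, admin_as, assigned)


def decode_rd(rd):
    """Render an 8-byte RD as 'administrator:number' for RD types 0, 1 and 2."""
    rd_type = struct.unpack("!H", rd[:2])[0]
    if rd_type == 0:                       # 2-byte AS : 4-byte number
        admin, num = struct.unpack("!HI", rd[2:])
    elif rd_type == 1:                     # IPv4 address : 2-byte number
        admin, num = ipaddress.IPv4Address(rd[2:6]), struct.unpack("!H", rd[6:])[0]
    elif rd_type == 2:                     # 4-byte AS : 2-byte number
        admin, num = struct.unpack("!IH", rd[2:])
    else:
        raise ValueError(f"unknown RD type {rd_type}")
    return f"{admin}:{num}"


def encode_vpn_ipv4_nlri(label, rd, prefix):
    """Labeled VPN-IPv4 NLRI: length-in-bits | 3-byte label (20-bit label, EXP 0, BoS 1) | RD | prefix."""
    net = ipaddress.IPv4Network(prefix)
    prefix_octets = net.network_address.packed[:(net.prefixlen + 7) // 8]
    label_field = ((label << 4) | 1).to_bytes(3, "big")
    return bytes([24 + 64 + net.prefixlen]) + label_field + rd + prefix_octets


def decode_vpn_ipv4_nlri(nlri):
    """Inverse of encode_vpn_ipv4_nlri -> (label, 'RD string', 'prefix/len')."""
    plen = nlri[0] - 88                     # strip the 24 label bits and 64 RD bits
    label = int.from_bytes(nlri[1:4], "big") >> 4
    octets = nlri[12:12 + (plen + 7) // 8]
    addr = ipaddress.IPv4Address(octets.ljust(4, b"\x00"))
    return label, decode_rd(nlri[4:12]), f"{addr}/{plen}"


class Vrf:
    def __init__(self, name, rd, import_rts, export_rts, local_prefixes=()):
        self.name, self.rd = name, rd
        self.import_rts, self.export_rts = frozenset(import_rts), frozenset(export_rts)
        self.local_prefixes = list(local_prefixes)   # learned from the CE (static/RIP/OSPF/BGP)
        self.imported = {}                           # prefix -> (next-hop PE, VPN label, RD)


def export_routes(vrf, pe_loopback, vpn_label):
    """Local PE: one labeled VPN-IPv4 route per local prefix, tagged with the VRF's export RTs."""
    return [(encode_vpn_ipv4_nlri(vpn_label, vrf.rd, p), pe_loopback, vrf.export_rts)
            for p in vrf.local_prefixes]


def import_routes(vrfs, updates):
    """Remote PE: a route enters every VRF whose import RT set intersects the route's RTs."""
    for nlri, next_hop, rts in updates:
        label, rd, prefix = decode_vpn_ipv4_nlri(nlri)
        for vrf in vrfs:
            if vrf.import_rts & rts:
                vrf.imported[prefix] = (next_hop, label, rd)


def demo():
    """Two customers both using 10.1.1.0/24; PE2 keeps them apart by RT, not by prefix."""
    rt_a, rt_b = "65000:100", "65000:200"
    pe1_a = Vrf("vpn-A", encode_rd(65000, 1), [rt_a], [rt_a], ["10.1.1.0/24"])
    pe1_b = Vrf("vpn-B", encode_rd(65000, 2), [rt_b], [rt_b], ["10.1.1.0/24"])
    updates = export_routes(pe1_a, "1.1.1.1", 16) + export_routes(pe1_b, "1.1.1.1", 17)

    pe2_a = Vrf("vpn-A", encode_rd(65000, 1), [rt_a], [rt_a])
    pe2_b = Vrf("vpn-B", encode_rd(65000, 2), [rt_b], [rt_b])
    # Misconfigured VRF: an import RT copied from vpn-A silently pulls vpn-A's routes into it.
    pe2_c = Vrf("vpn-C", encode_rd(65000, 3), [rt_a, "65000:300"], ["65000:300"])
    import_routes([pe2_a, pe2_b, pe2_c], updates)
    return pe2_a, pe2_b, pe2_c


def check_import_policy(vrf, allowed_rts):
    """Configuration check: returns the import RTs of a VRF that are not allowed for that customer."""
    return sorted(vrf.import_rts - frozenset(allowed_rts))
```

Both customers advertise the same 10.1.1.0/24; the RD keeps the two MP-BGP routes distinct, and the RT, not the prefix, decides which VRF each one lands in. check_import_policy is the kind of audit worth running over PE configurations, because a stray import RT is the usual way two VPNs get joined by accident.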
Private Instances of Routing (Step-1): Full Scenario
[Figure: IP/MPLS backbone whose PEs connect the sites of VPN 1, VPN 2 and VPN 3 over Fast Ethernet attachment circuits (FE-1, FE-2); key: firewall at the customer sites]
Private Instances of Routing (Step-1): Populate VRF Tables
[Figure: on each PE one VRF table per VPN (VRF table for VPN1, VPN2, VPN3), fed by the CE routing tables of the enterprises (OSPF domain); the backbone runs MPLS, OSPF, RSVP and MP-BGP]
A VRF can be populated statically (by manual configuration) or dynamically from the CE by RIP, OSPF or BGP.
Private Instances of Routing (Step-1): Routing and Forwarding
VRF tables: every attachment circuit is bound to one VRF table; in general a different VRF is used for each VPN.
The Route Target carried with each route is what distinguishes the different VRF tables: a route is imported only into the VRFs whose import targets match it.
The PE router composes the labeled frame:
1. Identify the VPN (from the attachment circuit on which the IP packet arrived)
2. Select the VRF entry for this VPN (look the destination up in that VRF)
3. Attach the VPN label (the inner label, advertised by the egress PE via MP-BGP)
4. Attach the MPLS transport label (the outer label of the LSP towards the egress PE)
5. Send out
Resulting frame sent into the IP/MPLS backbone: Label MPLS | Label VPN | IP pkt
[Figure: three customer networks attached to a PE; the PE's VRF tables; the labeled frame entering the backbone]
Private Instances of Routing (Step-1): Label Switched Path
[Figure: IP packet from a VPN site; the ingress PE composes the labeled packet (Label VPN | IP) and sends it across the IP/MPLS backbone; the egress PE decomposes it and delivers the plain IP packet to the remote VPN site]
The core routers are completely unaware of the VPN label (tag): they switch only the outer transport label, so the VPN label is carried through untouched and read again only by the egress PE.
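The label stack of the two slides above, as an added example that is not from the tutorial: a small Python model of an ingress PE (PE1), two P routers on each LSP and the egress PEs. The router names, the interface names (fe-0/3/1.0 style), the label values and the prefixes are assumed for illustration only.

```python
"""Added example (not from the tutorial): forwarding through the two-level label stack.

Ingress PE: VRF lookup -> push the VPN label (inner) and the LSP transport label (outer).
P routers: swap the top label only; the penultimate hop pops it (PHP).
Egress PE: the VPN label alone selects the VRF and the outgoing attachment circuit.
Router names, interfaces, labels and prefixes are constructed sample values.
"""
import ipaddress

IMPLICIT_NULL = 3  # RFC 3032 reserved label meaning "pop the top label" (penultimate-hop popping)

# Ingress PE1 (constructed): per-VRF routes learned via MP-BGP -> (egress PE, VPN label it advertised)
PE1_VRFS = {
    "vpn-A": {"10.1.1.0/24": ("pe2", 16), "0.0.0.0/0": ("pe3", 30)},
    "vpn-B": {"10.1.1.0/24": ("pe2", 17)},  # same customer prefix, different VPN
}
# Transport LSPs from PE1 (constructed): egress PE -> (outgoing interface, outer label)
PE1_LSPS = {"pe2": ("to-p1", 1001), "pe3": ("to-p1", 1003)}
# P routers' label forwarding tables (constructed): incoming top label -> (out interface, new top label)
P_LFIB = {
    "p1": {1001: ("to-p2", 1002), 1003: ("to-p3", 1004)},
    "p2": {1002: ("to-pe2", IMPLICIT_NULL)},  # penultimate hop towards PE2: pop
    "p3": {1004: ("to-pe3", IMPLICIT_NULL)},  # penultimate hop towards PE3: pop
}
# Egress PEs (constructed): VPN label they allocated -> (VRF, attachment circuit)
PE_VPN_LABELS = {
    "pe2": {16: ("vpn-A", "fe-0/3/1.0"), 17: ("vpn-B", "fe-0/3/2.0")},
    "pe3": {30: ("vpn-A", "fe-0/1/0.0")},
}
LINKS = {"to-p1": "p1", "to-p2": "p2", "to-pe2": "pe2", "to-p3": "p3", "to-pe3": "pe3"}


def longest_match(table, dst):
    """Plain longest-prefix match inside one VRF."""
    ip = ipaddress.IPv4Address(dst)
    best = None
    for prefix, entry in table.items():
        net = ipaddress.IPv4Network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, entry)
    return None if best is None else best[1]


def ingress_pe(vrf, dst, payload):
    """Slide steps 1-5: VRF from the attachment circuit, VRF lookup, push both labels, send."""
    entry = longest_match(PE1_VRFS[vrf], dst)
    if entry is None:
        return None  # no route in this VRF: drop, never fall back to another VRF
    egress, vpn_label = entry
    out_if, lsp_label = PE1_LSPS[egress]
    # stack: outer transport label on top, VPN label underneath, then the customer IP packet
    return out_if, [lsp_label, vpn_label], payload


def p_router(name, labels):
    """A P router reads only the top label; it never looks at the VPN label or the IP packet."""
    out_if, new_label = P_LFIB[name][labels[0]]
    rest = labels[1:]
    return out_if, (rest if new_label == IMPLICIT_NULL else [new_label] + rest)


def egress_pe(name, labels):
    """After PHP only the VPN label remains; it selects the VRF and the attachment circuit."""
    vrf, circuit = PE_VPN_LABELS[name][labels[0]]
    return vrf, circuit, labels[1:]


def trace(vrf, dst, payload=b"customer IP packet"):
    """Walk one packet from the ingress VRF to the egress attachment circuit.

    Returns (egress VRF, egress circuit, [(router, label stack after that router), ...]).
    """
    res = ingress_pe(vrf, dst, payload)
    if res is None:
        return None
    out_if, labels, payload = res
    hops = [("pe1", list(labels))]
    router = LINKS[out_if]
    while router in P_LFIB:
        out_if, labels = p_router(router, labels)
        hops.append((router, list(labels)))
        router = LINKS[out_if]
    vrf_out, circuit, labels = egress_pe(router, labels)
    assert not labels, "the egress PE must consume the whole stack"
    return vrf_out, circuit, hops


if __name__ == "__main__":
    for v in ("vpn-A", "vpn-B"):
        print(v, "10.1.1.5 ->", trace(v, "10.1.1.5"))
```

The same destination 10.1.1.5 sent from vpn-A and from vpn-B crosses the same P routers with the same outer labels and is delivered to two different attachment circuits, purely because the inner VPN label differs; the P routers never touch that label. A destination with no route in the packet's VRF is dropped at the ingress PE rather than looked up elsewhere, which is the isolation property the VRF gives you.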
Private Instances of Routing (Step-1): PE Router Configuration
[Figure: routing instance vpn-ABC of type VRF on the PE, bound to interface fe-0/3/1.0, with route distinguisher 2.2.2.2:RD]
Config (the routing instance on a Juniper PE):
  FIRST: the name of the routing instance (vpn-ABC)
  SECOND: the type of routing instance (VRF)
  THIRD: the name of the Juniper physical interface (fe-0/3/1.0), i.e. the attachment circuit
  FOURTH: the VPN-IPv4 family address, i.e. the route distinguisher (2.2.2.2:RD, the PE loopback address plus an assigned number) that is prepended to the customer prefixes
BGP Multi Protocol (Step-2): Full Scenario
[Figure: the same IP/MPLS backbone scenario as above, with the sites of VPN 1, VPN 2 and VPN 3 attached over FE circuits; key: firewall]
BGP Multi Protocol (Step-2): PE Router Configuration
[Figure: three PEs in one AS, Edge-1 (1.1.1.1), 2.2.2.2 and Edge-3 (3.3.3.3), in a full-mesh internal BGP group "1-2-3"; the VRF tables are EXCHANGED over these sessions]
Config (the MP-BGP session on each PE):
  FIRST: the local address of the PE (its loopback)
  SECOND: the Autonomous System
  THIRD: the name of the BGP group
  FOURTH: the list of the neighbours
The sessions must be enabled for the VPN-IPv4 address family (AFI 1, SAFI 128; JUNOS family inet-vpn unicast) so that the labeled VPN routes, and not only plain IPv4 routes, are exchanged.
Router ID 1.1.1.1: BGP group A-B-C, neighbours 2.2.2.2 and 3.3.3.3
Router ID 2.2.2.2: BGP group A-B-C, neighbours 1.1.1.1 and 3.3.3.3
Router ID 3.3.3.3: BGP group A-B-C, neighbours 2.2.2.2 and 1.1.1.1
BGP Multi Protocol (Step-2): Route Reflector
Plain iBGP requires a full mesh among the PEs: n(n-1)/2 sessions, e.g., 10 routers: 10*(10-1)/2 = 45 BGP sessions.
BGP with Route Reflectors (RR): (n-1)+(n-1) sessions, e.g., 10 routers: 9+9 = 18 BGP sessions (two redundant RRs, each with n-1 sessions).
The RR is a designated router: the PEs peer only with the RR, which re-advertises (reflects) the routes among its clients, so the VRF tables are still EXCHANGED between all the PEs.
MPLS (LSP-tunnelling) (Step-3): Full Scenario
[Figure: the same IP/MPLS backbone scenario as above, with the sites of VPN 1, VPN 2 and VPN 3 attached over FE circuits; key: firewall]
MPLS (LSP-tunnelling) (Step-3): PE Router Configuration
[Figure: LSP "to-A" from the ingress PE through the core routers CR 1, CR 2 and CR 3 to the egress router 1.1.1.1, with 30m of bandwidth reserved, carrying the prefix 10.20.12.0/24 between VPN sites]
Config (the RSVP-signalled LSP on the ingress PE):
  FIRST: the name of the LSP (to-A)
  SECOND: the destination of the LSP, i.e. the egress router (1.1.1.1)
  THIRD: the bandwidth reserved (30m)
  FOURTH: the set of IP prefixes steered onto the LSP (10.20.12.0/24)
Benefits
RFC 4364 defines an emerging standard commonly named MPLS VPN or, more exactly, BGP/MPLS IP VPN.
VPNs may use overlapping address spaces (VPN-IPv4 family).
Providers use existing protocols (BGP, RSVP, OSPF, MPLS).
Provider backbone routers do not need to hold any VPN routing information.
Providers can offer good SLA and QoS support.
Customers are UNAWARE of MPLS (all the work is done by the Service Provider).
Customers are UNAWARE of the security policy.
Customers are UNAWARE of the VPN connectivity and routing management.
Note that the isolation between VPNs is logical (separate VRFs, RDs, RTs and labels), not cryptographic: the backbone does not encrypt customer traffic, so a customer that needs confidentiality against the provider, or against anyone able to observe the core, still has to add its own encryption, e.g. IPsec between the CEs.
Drawback
RFC 4364 defines an emerging standard commonly named MPLS VPN or, more exactly, BGP/MPLS IP VPN.
IP only: L3 VPNs transport only IPv4 traffic (IPv6 VPN support was added later by RFC 4659). Non-IP protocols need to be tunneled through some mechanism (such as GRE) on the CE or C devices.
The customer is dependent on the SP in regards to Layer 3 features and capabilities.
Layer 3-based convergence and QoS capabilities are also dependent on the SP offering, and SLAs must be negotiated to manage these requirements.
Possible difficulties in integration: the difficulty of integration from Layer 2 to Layer 3 peering varies greatly depending on the SP offering. If the SP does not offer some service, integration with a different routing protocol, such as eBGP, might require
VPN Multi-Domain
Two sites of a VPN are connected to different Autonomous Systems (AS).
There are 2 methods to implement this feature (the first two inter-AS options, (a) and (b), of the "Multi-AS Backbones" section of RFC 4364):
  VRF-to-VRF: a direct connection between the PEs of the two ASes, each PE treating the other as a CE
  EBGP (External BGP): the VPN routes are exchanged between the two ASes with the External BGP protocol
[Figure: three IP/MPLS backbones, AS 1, AS 2 and AS 3, interconnected by the two methods]
QoS and Scalability
The BGP/MPLS IP VPN provides Quality of Service (QoS):
  MPLS reserves bandwidth along the LSP using RSVP
  a policy in the PE router steers selected IP prefixes onto a reserved LSP
The BGP/MPLS IP VPN presents good scalability:
  the Route Reflector reduces the number of BGP sessions
  the two levels of labels keep the P routers free of all the VPN routing information
  PE routers maintain routing information only for the VPNs whose sites are directly connected to them
References
IANA Considerations (Internet Assigned Numbers Authority): IANA has created a new registry for the Route Distinguisher Type field (RFC 4364)
Rosen, E. and Rekhter, Y., BGP/MPLS IP Virtual Private Networks (VPNs), RFC 4364, February 2006
Metz, C., The Latest in Virtual Private Networks, Part I & II, IEEE Internet Computing, June 2004; available at http://computer.org/internet
Daugherty, B. and Metz, C., Multiprotocol Label Switching and IP, Part I, IEEE Internet Computing, June 2005; available at http://computer.org/internet
JUNOS software documentation for M-series and T-series platforms, available at http://www.juniper.net/techpubs