MPLS-based Layer 2 VPNs
Transcript of MPLS-based Layer 2 VPNs
MPLS-basedLayer 2 VPNs
Kireeti KompellaJuniper Networks
17/01/01 Juniper Networks, Inc. Copyright © 2000 2
Agenda
! Introduction" Traditional Layer 2 VPNs" MPLS-based Layer 2 VPNs" Layer 3 VPNs
! Details" Provisioning" Transport" Carrying “non-address” information
17/01/01 Juniper Networks, Inc. Copyright © 2000 3
Co-Authors
! Service Providers" Javier Achirica" Ronald Bonica" Chris Liljenstolpe" Eduard Metz
! Vendors" Manoj Leelanivas" Chandramouli
Sargor" Vijay Srinivasan" Quaizar Vohra
17/01/01 Juniper Networks, Inc. Copyright © 2000 4
Traditional (Layer 2) VPNs
Router
Frame Relay/ATM Switch
17/01/01 Juniper Networks, Inc. Copyright © 2000 5
Traditional (Layer 2) VPNs
! Provider network technology dictated byVPN services" Frame switches? ATM switches?
! Provisioning – complex for provider! Topology dictated by cost rather than
traffic patterns! Multiple networks – adds to provider’s
administrative burden
17/01/01 Juniper Networks, Inc. Copyright © 2000 6
MPLS-Based Layer 2 VPNs
! Traditional Layer 2 VPN from customer’spoint-of-view" Layer 3 independent" Provider not responsible for routing
! MPLS transport in provider network" Isolation between edge and core technologies
! Auto-provisioning VPN! Single network architecture for both
Internet traffic and VPN traffic
17/01/01 Juniper Networks, Inc. Copyright © 2000 7
MPLS-Based Layer 2 VPNs
Router
PE 2
PE 4
PE 3
PE 1
CE G
CE BCE A
CE ECE D
CE C
CE F
17/01/01 Juniper Networks, Inc. Copyright © 2000 8
Privacy ≠ Security
! Encryption is a must if you want security! Where’s the weak point?! CE-to-CE
" Use IPSec!" Not “PP” VPN
! PE-to-PE" Per VPN" Per PE-to-PE session
17/01/01 Juniper Networks, Inc. Copyright © 2000 9
Layer 3 VPNs
! SP participates in customers’ routing" Out-sourced routing" Added SP responsibilities" Value-added service ~ cost structure
! BGP MPLS VPNs" QoS/CoS, Carrier of Carriers, inter-SP VPNs
! Virtual routers! Migration may take some work
17/01/01 Juniper Networks, Inc. Copyright © 2000 10
Provisioning the Network
! PE-to-PE MPLS LSPs" Key: signaling" LDP LSPs" RSVP-TE LSPs" LDP over RSVP tunneling
!Fully-meshed Traffic Engineered core!Edge-to-edge LDP LSPs
! Used for all services – IP, L2 VPNs, L3VPNs, differentiated services
! Provisioned independent of Layer 2 VPNs!
17/01/01 Juniper Networks, Inc. Copyright © 2000 11
Provisioning a VPN
! Key: signaling" Auto-discovery of members, auto-assignment
of inter-member circuits" Flexible VPN topology" Signaling using LDP or BGP
! O(N) configuration for the whole VPN" Could be more for complex topologies
! O(1) configuration to add a site" “Overprovision” DLCIs at customer sites
17/01/01 Juniper Networks, Inc. Copyright © 2000 12
Provisioning Customer Sites
! List of DLCIs, one for each other site, somespare (over-provisioning)
! DLCIs independently numbered at each site! LMI, inverse ARP and/or routing protocols
for auto-discovery and learning addresses! No changes as VPN membership changes
(until over-provisioning runs out)
17/01/01 Juniper Networks, Inc. Copyright © 2000 13
VPN Transport
Router
PE 2
PE 4
PE 3
PE 1
CE G
CE BCE A
CE ECE D
CE C
CE F
17/01/01 Juniper Networks, Inc. Copyright © 2000 14
VPN Transport
PE 1
CE B
CE A
L1’’/L2’’to PE4/CE E
77
CE list: - E - CDLCI list: 65, 77, 88, 94
dlci 94L1/L2 Label L2
to CE C
Label L2’to CE G
dlci 53
CE list: G DLCI list: 53, 66
L1’/L2’
Label L1’to PE 3
Label L1to PE 2
Label L1’’To PE 4
17/01/01 Juniper Networks, Inc. Copyright © 2000 15
Virtual Network
CE B
CE E
CE C
DLCI 77
DLCI 63
DLCI 111
DLCI 89
DLCI 101
DLCI 94
17/01/01 Juniper Networks, Inc. Copyright © 2000 16
Signaling
! Compact representation of mapping oflayer 2 address to inner label
! Signaling through either BGP or LDP! Arbitrary topologies possible; common
ones such as full mesh and hub-and-spokeeasy to configure
17/01/01 Juniper Networks, Inc. Copyright © 2000 17
Packet Format (1)
Packet format from customer:<dlci><UI><proto><layer 3 packet>
Remove DLCI; add two labelsPacket format in network: <MPLS encap><outer label><inner label> <UI><proto><layer 3 packet>In the example, outer label = L1, inner = L2
17/01/01 Juniper Networks, Inc. Copyright © 2000 18
Packet Format (2)
At destination PE: remove MPLS encap andlabel(s), add new DLCI to get:
<dlci’><UI><proto><layer 3 packet>
! Effectively, the SP network acts as a bigFrame Relay switch for this VPN
17/01/01 Juniper Networks, Inc. Copyright © 2000 19
“Non-address” Information
! What about F/B ECN, DE, C/R, …?" Use experimental bits to carry this info" Can’t squeeze 4 bits into 3, so use twice the
number of labels if needed
! Not for preferential treatment in the core!" For this, use MPLS with Diff-Serv" Different DLCIs mapped to different PE-to-PE
LSPs (L-LSPs) or different EXP bits (E-LSPs)" DE/not DE mapped to different EXP bits
17/01/01 Juniper Networks, Inc. Copyright © 2000 20
Summary
! MPLS-based Layer 2 VPNs identical toLayer 2 VPNs from customers’ perspective" Familiar paradigm" Easy to migrate
! Benefits" Single network infrastructure" Auto-provisioning" Layer 3 and routing independent
! Drawbacks" Layer 2 dependent
17/01/01 Juniper Networks, Inc. Copyright © 2000 21
Future Work
! MPLS as layer 2 to CE" CE needs to be MPLS-aware
! “Secure” MPLS! VLANs as layer 2 to CE! Carrier of carriers model, inter-SP VPNs! CoS support
http://www.juniper.net
Thank you!