Selecting MPLS VPN Services - GBV
Selecting MPLS VPN Services
Chris Lewis
Steve Pickavance
Contributions by:
Monique Morrow
John Monaghan
Craig Huegen
Cisco Press, 800 East 96th Street, Indianapolis, IN 46240 USA
Contents
Introduction xxii
Part I Business Analysis and Requirements of IP/MPLS VPN 3
Chapter 1 Assessing Enterprise Legacy WANs and IP/VPN Migration 5
Current State of Enterprise Networks 5
Evolutionary Change of Enterprise Networks 7
Acme, a Global Manufacturer 10
Acme's Global Span 10
Business Desires of Acme's Management 10
Acme's IT Applications Base 10
Acme's IT Communications Infrastructure 11
Acme's Intranet: Backbone WAN 12
Acme's Intranet: Regional WANs 12
New WAN Technologies for Consideration by Acme 13
Layer 3 IP/MPLS VPN Services 13
IP/MPLS VPN Service Topologies and Provisioning 14
IP/MPLS VPN: A Foundation for Network Services 16
IP/MPLS VPN Transparency 16
IP/MPLS VPN Network Management and SLAs 16
Enterprise Vendor Management Approach 17
Extranet Integration in IP/MPLS VPN Networks 18
Layer 2 IP/MPLS VPN Services 18
VPWS 18
VPLS 21
Convergence Services 22
Internet Access 22
Mobile Access and Teleworker Access 22
Voice Services: Service Provider Hosted PSTN Gateway 22
Voice Services: Service Provider Hosted IP Telephony 23
Summary 23
Chapter 2 Assessing Service Provider WAN Offerings 27
Enterprise/Service Provider Relationship and Interface 27
Investigation Required in Selecting a Service Provider 28
Coverage, Access, and IP 28
Financial Strength of the Service Provider 29
Convergence 30
Transparency 31
IP Version 6 35
Provider Cooperation/Tiered Arrangements 38
Enhanced Service-Level Agreement 39
Customer Edge Router Management 40
Service Management 41
Customer Reports and SLA Validation 41
Summary 42
Chapter 3 Analyzing Service Requirements 45
Application/Bandwidth Requirements 45
Backup and Resiliency 51
Enterprise Segmentation Requirements 53
Mapping VLANs to VPNs in the Campus 55
Access Technologies 56
Frame Relay 57
ATM 57
Dedicated Circuit from CE to PE 58
ATM PVC from CE to PE 59
Frame Relay PVC from CE to PE 60
Metro Ethernet 60
QoS Requirements 62
Bandwidth 62
Packet Delay and Jitter 63
Packet Loss 63
Enterprise Loss, Latency, and Jitter Requirements 64
QoS at Layer 2 65
Subscriber Network QoS Design 68
Baseline New Applications 68
Develop the Network 68
Security Requirements 70
Topological and Network Design Considerations 71
SP-Managed VPNs 72
Multiprovider Considerations 73
Extranets 74
Case Study: Analyzing Service Requirements for Acme, Inc. 75
Layer 2 Description 76
Existing Customer Characteristics That Are Required in the New Network 76
DefenseCo's Backbone Is a Single Autonomous System 77
Reasons for Migrating to MPLS 77
Evaluation Testing Phase 78
Routing Convergence 79
Jitter and Delay 79
Congestion, QoS, and Load Testing 80
First Scenario 81
Second Scenario 81
Third Scenario 81
Subjective Measures 82
Vendor Knowledge and Technical Performance 83
Evaluation Tools 83
TTCP 84
Lessons Learned 85
Transition and Implementation Concerns and Issues 86
Post-Transition Results 86
Summary 87
References 88
Part II Deployment Guidelines 91
Chapter 4 IP Routing with IP/MPLS VPNs 93
Introduction to Routing for the Enterprise MPLS VPN 93
Implementing Routing Protocols 95
Network Topology 95
Addressing and Route Summarization 96
Route Selection 98
Convergence 99
Network Scalability 99
Memory 100
CPU 100
Security 102
Plaintext Password Authentication 102
MD5 Authentication 102
Site Typifying WAN Access: Impact on Topology 103
Site Type: Topology 104
WAN Connectivity Standards 107
Site Type A Attached Sites: Dual CE and Dual PE 108
Site Type B/3 Dual-Attached Site-Single CE, Dual PE 110
Site Type B/3 Dual-Attached Site-Single CE, Single PE 110
Site Type D Single-Attached Site—Single CE with Backup 111
Convergence: Optimized Recovery 112
IP Addressing 113
Routing Between the Enterprise and the Service Provider 113
Using EIGRP Between the CE and PE 114
How EIGRP MPLS VPN PE-to-CE Works 114
PE Router: Non-EIGRP-Originated Routes 115
PE Router: EIGRP-Originated Internal Routes 116
PE Router: EIGRP-Originated External Routes 116
Multiple VRF Support 117
Extended Communities Defined for EIGRP VPNv4 117
Metric Propagation 117
Configuring EIGRP for CE-to-PE Operation 118
Using BGP Between the CE and PE 119
Securing CE-PE Peer Sessions 120
Improving BGP Convergence 121
Case Study: BGP and EIGRP Deployment in Acme, Inc. 122
Small Site—Single-Homed, No Backup 122
Medium Site—Single-Homed with Backup 124
Medium Site—Single CE Dual-Homed to a Single PE 126
Large Site-Dual-Homed (Dual CE, Dual PE) 128
Load Sharing Across Multiple Connections 130
Very Large Site/Data Center—Dual Service Provider MPLS VPN 131
Site Typifying Site Type A Failures 134
Solutions Assessment 134
Summary 135
References 136
Cisco Press 136
Chapter 5 Implementing Quality of Service 139
Introduction to QoS 139
Building a QoS Policy: Framework Considerations 141
QoS Tool Chest: Understanding the Mechanisms 143
Classes of Service 143
IP ToS 145
Hardware Queuing 146
Software Queuing 146
QoS Mechanisms Defined 146
Pulling It Together: Build the Trust 152
Building the Policy Framework 154
Classification and Marking of Traffic 154
Trusted Edge 154
Device Trust 155
Application Trust 155
CoS and DSCP 156
Strategy for Classifying Voice Bearer Traffic 156
QoS on Backup WAN Connections 156
Shaping/Policing Strategy 157
Queuing/Link Efficiency Strategy 158
IP/VPN QoS Strategy 160
Approaches for QoS Transparency Requirements for the Service Provider Network 161
Uniform Mode 162
Pipe Mode 163
Short-Pipe Mode 163
QoS CoS Requirements for the SP Network 163
WRED Implementations 163
Identification of Traffic 165
What Would Constitute This Real-Time Traffic? 165
QoS Requirements for Voice, Video, and Data 167
QoS Requirements for Voice 167
Sample Calculation 168
QoS Requirements for Video 169
QoS Requirements for Data 170
The LAN Edge: L2 Configurations 171
Classifying Voice on the WAN Edge 174
Classifying Video on the WAN Edge 175
Classifying Data on the WAN Edge 176
Case Study: QoS in the Acme, Inc. Network 179
QoS for Low-Speed Links: 64 kbps to 1024 kbps 180
Slow-Speed (768-kbps) Leased-Line Recommendation: Use MLP LFI and cRTP 181
QoS Reporting 181
Summary 182
References 183
Chapter 6 Multicast in an MPLS VPN 187
Introduction to Multicast for the Enterprise MPLS VPN 187
Multicast Considerations 188
Mechanics of IP Multicast 190
RPF 190
RPF Check 191
Source Trees Versus Shared Trees 191
Protocol-Independent Multicast 192
PIM Dense Mode 192
PIM Sparse Mode 192
Bidirectional PIM (Bidir-PIM) 193
Interdomain Multicast Protocols 194
Multiprotocol Border Gateway Protocol 194
Multicast Source Discovery Protocol 195
Source-Specific Multicast 195
Multicast Addressing 196
Administratively Scoped Addresses 197
Deploying the IP Multicast Service 198
Default PIM Interface Configuration Mode 200
Host Signaling 200
Sourcing 202
Multicast Deployment Models 203
Any-Source Multicast 203
Source-Specific Multicast 204
Enabling SSM 206
Multicast in an MPLS VPN Environment: Transparency 207
Multicast Routing Inside the VPN 208
Case Study: Implementing Multicast over MPLS for Acme 210
Multicast Addressing 210
Multicast Address Management 212
Predeployment Considerations 212
MVPN Configuration Needs on the CE 213
Boundary ACL 214
Positioning of Multicast Boundaries 215
Configuration to Apply a Boundary Access List 216
Rate Limiting 218
Rate-Limiting Configuration 219
MVPN Deployment Plan 219
Preproduction User Test Sequence 220
What Happens When There Is No MVPN Support? 224
Other Considerations and Challenges 225
Summary 226
References 227
Chapter 7 Enterprise Security in an MPLS VPN Environment 229
Setting the Playing Field 230
Comparing MPLS VPN Security to Frame Relay Networks 234
Security Concerns Specific to MPLS VPNs 236
Issues for Enterprises to Resolve When Connecting at Layer 3 to Provider Networks 244
History of IP Network Attacks 244
Strong Password Protection 245
Preparing for an Attack 245
Identifying an Attack 246
Initial Precautions 247
Receiving ACLs 247
Infrastructure ACLs 248
Basic Attack Mitigation 250
Basic Security Techniques 253
Remote-Triggered Black-Hole Filtering 253
Loose uRPF for Source-Based Filtering 255
Strict uRPF and Source Address Validation 256
Sinkholes and Anycast Sinkholes 258
Backscatter Traceback 259
Cisco Guard 262
Distributed DoS, Botnets, and Worms 263
Anatomy of a DDoS Attack 264
Botnets 266
Worm Mitigation 268
Case Study Selections 270
Summary 270
References 271
Comparing MPLS VPN to Frame Relay Security 271
ACL Information 271
Miscellaneous Security Tools 271
Cisco Reference for MPLS Technology and Operation 271
Cisco Reference for Cisco Express Forwarding 272
Public Online ISP Security Bootcamp 272
Tutorials, Workshops, and Bootcamps 272
Original Backscatter Traceback and Customer-Triggered Remote-Triggered Black-Hole Techniques 272
Source for Good Papers on Internet Technologies and Security 272
Security Work Definitions 272
NANOG SP Security Seminars and Talks 272
Birds of a Feather and General Security Discussion Sessions at NANOG 274
Chapter 8 MPLS VPN Network Management 277
The Enterprise: Evaluating Service Provider Management Capabilities 279
Provisioning 279
SLA Monitoring 280
Fault Management 281
Handling Reported Faults 281
Passive Fault Management 282
Reporting 288
Root Cause Analysis 289
The Enterprise: Managing the VPN 289
Planning 290
Ordering 291
Provisioning 291
CE Provisioning 292
CE Management Access 293
Acceptance Testing 297
Monitoring 298
Optimization 299
The Service Provider: How to Meet and Exceed Customer Expectations 300
Provisioning 300
Zero-Touch Deployment 300
PE Configuration 302
Fault Monitoring 302
MPLS-Related MIBs 302
Resource Monitoring 304
OAM and Troubleshooting 306
Proactive Monitoring in Detail 306
Performance Problems 319
Fault Management 320
Proactive Fault Management 320
Reactive Fault Management 326
SLA Monitoring 327
Accuracy 327
Probe Metric Support 328
QoS Support 329
Specialized Voice Probes 330
Threshold Breach Notification 330
Reporting 331
Summary 332
References 333
Chapter 9 Off-Net Access to the VPN 335
Remote Access 335
Dial Access via RAS 336
RAS Configuration 338
Dial Access via L2TP 339
L2TP Components 340
L2TP Call Procedure 340
Connecting L2TP Solutions to VRFs 341
DSL Considerations 345
Cable Considerations 347
IPsec Access 347
GRE + IPsec on the CPE 350
Designing for GRE Resiliency 352
Configuring GRE Resiliency 353
CE-to-CE IPsec 354
DMVPN Overview 355
mGRE for Tunneling 356
NHRP for Address Resolution 357
Routing Protocol Concerns 358
IPsec Profiles for Data Protection 359
Summary of DMVPN Operation 361
The Impact of Transporting Multiservice Traffic over IPsec 362
Split Tunneling in IPsec 365
Supporting Internet Access in IP VPNs 366
Case Study Selections 369
Summary 370
References 371
General PPP Information 371
Configuring Dial-In Ports 371
L2TP 371
Layer 2 Tunnel Protocol Fact Sheet 371
Layer 2 Tunnel Protocol 371
VPDN Configuration Guide 371
VPDN Configuration and Troubleshooting 371
Security Configuration Guide 371
RADIUS Configuration Guide 372
Broadband Aggregation to MPLS VPN 372
Remote Access to MPLS VPN 372
Network-Based IPsec VPN Solutions 372
IPsec 372
GRE + IPsec 372
DMVPN 372
Split Tunneling 373
Prefragmentation 373
Chapter 10 Migration Strategies 375
Network Planning 375
Writing the RFP 375
Architecture and Design Planning with the Service Providers 379
Project Management 381
SLAs with the Service Providers 381
Network Operations Training 385
Implementation Planning 388
Phase 1 388
Phase 2 389
Phase 3 389
Phase 4 390
On-Site Implementation 390
Case Study Selections 392
Summary 392
Part III Appendix 395
Appendix Questions to Ask Your Provider Regarding Layer 3 IP/MPLS VPN Capability 397
Coverage and Topology 398
Customer Edge Router Management 398
Network Access, Resiliency, and Load Balancing 399
QoS Capability 400
Multicast Capability 402
Routing Protocol Capability 403
SLA Measurement and Monitoring Capability 404
SLA Details 404
Security 405
Software Deployment Processes 406