L2 MPLS VPNs
Hector Avalos, Technical Director-Southern Europe, havalos@juniper.net
Juniper Networks, Inc. Copyright © 2000

Slide 2: Agenda: L2 MPLS VPNs
- VPNs Overview
- Provider-provisioned L2 MPLS VPNs
  - Taxonomy
  - Operational Model
- Conclusion

Slide 3: What is a VPN?
[Figure: a shared infrastructure connecting Corporate Headquarters (Intranet), a Branch Office, Mobile Users and Telecommuters (Remote Access), and Suppliers, Partners and Customers (Extranet)]
A private network constructed over a shared infrastructure
- Virtual: not a separate physical network
- Private: separate addressing and routing
- Network: a collection of devices that communicate
Policies are key—global connectivity is not the goal

Slide 4: Deploying VPNs in the 1990s
[Figure: provider Frame Relay network; CPE devices attached to FR switches, each circuit identified by a DLCI]
Operational model
- PVCs overlay the shared infrastructure (ATM/Frame Relay)
- Routing occurs at customer premise
Benefits
- Mature technologies
- Relatively "secure"
- Service commitments (bandwidth, availability, and more)
Limitations
- Scalability, provisioning and management
- Not a fully integrated IP solution

Slide 5: Traditional (Layer 2) VPNs
[Figure: customer routers interconnected over Frame Relay/ATM switches]

Slide 6: Improving Traditional Layer 2 VPNs
- Decouple edge (customer-facing) technology from core technology
- Have a single network infrastructure for all desired services: Internet, L3 MPLS VPNs, L2 MPLS VPNs
- Simplify provisioning: appropriate signaling mechanisms for VPN autoprovisioning
Slide 7: VPN Classification Model
[Figure: CPE-VPN tunnel built between CPE devices at Subscriber Sites 1, 2 and 3; PP-VPN tunnel built between PE routers on behalf of the same sites]
Customer-managed VPN solutions (CPE-VPNs)
- Layer 2: L2TP and PPTP
- Layer 3: IPSec
Provider-provisioned VPN solutions (PP-VPNs)
- Layer 3: MPLS-Based VPNs (RFC 2547bis)
- Layer 3: Non-MPLS-Based VPNs (Virtual Routers)
- Layer 2: MPLS VPNs

Slide 8: PP-VPNs: Layer 2 Classification
- Service Provider delivers Layer 2 circuit IDs (DLCI, VPI/VCI, 802.1q VLAN) to the customer, one for each reachable site
- Customer maps their own routing architecture to the circuit mesh
- Provider router maps the circuit ID to a Label Switched Path (LSP) to traverse the provider core
- Customer routes are transparent to provider routers
- Provider-provisioned L2 MPLS VPN Internet drafts:
  - draft-kompella-mpls-l2vpn-02.txt
  - draft-martini-l2circuit-encap-mpls-01.txt

Slide 10: Customer Edge Routers
[Figure: VPN A and VPN B sites; CE routers attached to PE routers over FR and ATM, P routers in the provider core]
Customer Edge (CE) routers
- Router or switch device located at customer premises providing access to the service provider network
- Layer 2 (FR, ATM, Ethernet) and Layer 3 (IP, IPX, SNA ...) independence of the service provider network
- CEs within a VPN use the same L2 technology to access the service provider network
- Requires a sub-interface per CE it needs to interconnect with within the VPN
- Maintains routing adjacencies with other CEs within the VPN
Slide 11: Provider Edge Routers
Provider Edge (PE) routers
- Maintain site-specific VPN Forwarding Tables
- Exchange VPN Connection Tables with other PE routers using MP-IBGP or LDP
- Use MPLS LSPs to forward VPN traffic

Slide 12: Provider Routers
Provider (P) routers
- Forward data traffic transparently over established LSPs
- Do not maintain VPN-specific forwarding information

Slide 13: VPN Forwarding Tables (VFT)
[Figure: VPN A Sites 1-3 (CE-A1, CE-A2, CE-A3) and VPN B Sites 1-2 (CE-B1, CE-B2) attached over ATM to PE 1, PE 2 and PE 3; OSPF runs between the CEs; P routers in the core]
- A VFT is created for each site connected to the PE
- Each VFT is populated with:
  - The forwarding information provisioned for the local CE sites
  - VPN Connection Tables received from other PEs via iBGP or LDP

Slide 14: VPN Connection Tables (VCT)
[Figure: Site 1 (CE-2) and Site 2 (CE-4) attached to PE-1 and PE-2; an MP-iBGP session / LDP between the PEs carries the VCTs into each PE's VFTs]
- A VCT is distributed for each VPN site to PEs
- The VCT is a subset of the information held by the VFT
- VCTs are distributed by the PEs via iBGP or LDP

Slide 15: L2 VPN Provisioning
- Provisioning the network
- Provisioning the CEs
- Provisioning the VPN (PEs)
- VPN Connection Table distribution
Assumption: access technology is Frame Relay (other cases are similar)

Slide 16: Provisioning the Network
[Figure: the same VPN A / VPN B topology as slide 13, with PE-to-PE LSPs across the P routers]
- PE-to-PE LSPs pre-established via RSVP-TE, LDP, or LDP over RSVP-TE tunneling
- LSPs used for many services: IP, L2 VPN, L3 VPN, ...
- Provisioned independent of Layer 2 VPNs
Slide 17: Provisioning Customer Sites
CE-4 routing table (DLCIs 63, 75, 82, 94):
  In      Out
  10/8    DLCI 63
  20/8    DLCI 75
  30/8    DLCI 82
  -       DLCI 94
- List of DLCIs: one for each site, some spare for over-provisioning
- DLCIs independently numbered at each site
- LMI, inverse ARP and/or routing protocols for auto-discovery and learning addresses
- No changes as VPN membership changes, until over-provisioning runs out

Slide 18: Provisioning CEs at the PE
A VFT is provisioned at each PE for each CE
CE4 VFT:
  VPN ID       RED VPN
  CE ID        4
  CE Range     4
  Sub-int IDs  63, 75, 82, 94
- VPN-ID: unique value within the service provider network
- CE-ID: unique value in the context of a VPN
- CE Range: maximum number of CEs that it can connect to
- Sub-interface list: set of local sub-interface IDs assigned for the CE-PE connection

Slide 19: Provisioning CEs at the PE
A VFT is provisioned at each PE for each CE
CE4 VFT (the VPN ID, CE ID, CE Range and Label Base columns form the CE4 VCT):
  VPN ID       RED VPN
  CE ID        4
  CE Range     4
  Label Base   1000
  Sub-int IDs  63, 75, 82, 94
- VPN-ID: unique value within the service provider network
- CE-ID: unique value in the context of a VPN
- CE Range: maximum number of CEs that it can connect to
- Sub-interface list: set of local sub-interface IDs assigned for the CE-PE connection
- Label base: label assigned to the first sub-interface ID; the PE reserves N contiguous labels, where N is the CE Range

Slide 20: Provisioning CEs at the PE
[Figure: Site 1 (CE-2) on PE-1 and Site 2 (CE-4) on PE-2, both attached over FR]
PE-2 is configured with the CE4 VFT:
  VPN ID       RED VPN
  CE ID        4
  CE Range     4
  Sub-int ID   63   CE4's DLCI to CE0
  Sub-int ID   75   CE4's DLCI to CE1
  Sub-int ID   82   CE4's DLCI to CE2
  Sub-int ID   94   CE4's DLCI to CE3
Slide 20 (continued): the label base column of the CE4 VFT
  Label base   1000   Label used by CE0 to reach CE4
               1001   Label used by CE1 to reach CE4
               1002   Label used by CE2 to reach CE4
               1003   Label used by CE3 to reach CE4

Slide 21: Distributing VCTs
Key: signalling using LDP or MP-iBGP
- Auto-discovery of members
- Auto-assignment of inter-member circuits
- Flexible VPN topology
- O(N) configuration for the whole VPN (could be more for complex topologies)
- O(1) configuration to add a site: "overprovision" DLCIs (sub-interfaces) at customer sites

Slide 22: Distributing VCTs
[Figure: PE-2 sends the CE4 VCT update to PE-1 over the MP-iBGP session / LDP]
CE4 VCT update:
  VPN ID       RED VPN
  CE ID        4
  CE Range     4
  Label base   1000
Label used by CE2 to reach CE4: 1002
PE-1 accepts PE-2's CE4 VCT

Slide 23: Updating VFTs
[Figure: CE-2 (Site 1) on PE-1 over FR DLCI 414; CE-4 (Site 2) on PE-2 over FR DLCI 82]
CE2 VFT at PE-1:
  CE ID   Inner Label   Sub-int ID
  1       7500          107
  2       5020          209
  3       9350          265
  4       1002          414
Inner label 1002 is the label used to reach CE4
PE-1 updates its CE2 VFT

Slide 24: Updating VFTs
CE2 VFT at PE-1, now with the outer label for the LSP to PE-2:
  CE ID   Inner Label   Outer Label         Sub-int ID
  1       7500                              107
  2       5020                              209
  3       9350                              265
  4       1002          500 (LSP to PE-2)   414
PE-1 updates its CE2 VFT

Slide 25: Data Flow
[Figure: CE-2 (Site 1) sends a packet into PE-1 on DLCI 414; CE-4 (Site 2) hangs off PE-2 on DLCI 82]
- CE-2 sends packets to the PE via the DLCI which connects to CE-4 (414)
Slide 26: Data Flow
[Figure: at PE-1: 1) lookup DLCI in Red VFT, 2) push VPN label (1002), 3) push IGP label (500); the packet leaves PE-1 carrying IGP label (500) over site label (1002)]
- The DLCI number is removed by the ingress PE
- Two labels are derived from the VFT sub-interface lookup and "pushed" onto the packet
  - Outer IGP label: identifies the LSP to the egress PE router; derived from the core's IGP and distributed by RSVP or LDP
  - Inner site label: identifies the outgoing sub-interface from the egress PE to the CE; derived from the MP-IBGP/LDP VCT distributed by the egress PE

Slide 27: Data Flow
[Figure: packet for 10.1/16 crossing the P routers with IGP label (z) over site label (1002)]
- After packets exit the ingress PE, the outer label is used to traverse the LSP
- P routers are not VPN-aware

Slide 28: Data Flow
[Figure: the penultimate P router pops the top label; the packet for 10.1/16 reaches PE-2 carrying only site label (1002)]
- The outer label is removed through penultimate hop popping (before reaching the egress PE)

Slide 29: Data Flow
[Figure: PE-2 delivers the native packet to CE-4 on DLCI 82]
- The inner label is removed at the egress PE
- The egress PE does a label lookup to find the corresponding DLCI value
- The native Frame Relay packet is sent to the corresponding outbound sub-interface

Slide 30: VPN Topologies
- Arbitrary topologies are possible: full mesh, hub-and-spoke
- BGP communities are used to configure VPN topologies when using BGP signaling
- The "Connectivity" parameter serves a similar purpose in LDP signaling
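The label-block arithmetic behind the CE4 VCT/VFT slides and the two-label data path (ingress push, penultimate hop pop, egress pop and DLCI lookup), as an added Python example that is not part of the original deck. CE4's VCT (RED VPN, CE ID 4, CE range 4, label base 1000), its DLCIs 63/75/82/94 and the outer label 500 are the slide values; CE2's VFT entry, the VCT store and the payload are constructed for the example, and the zero-based "sub-interface i connects to CE i" convention is an assumption taken from the CE0..CE3 labelling on slide 20.

```python
# Added example, not from the original deck: Kompella-style label blocks and the
# two-label forwarding path. Slide values: CE4 VCT (RED, CE ID 4, range 4, label
# base 1000), CE4 DLCIs 63/75/82/94, outer label 500. CE2's VFT entry, the VCT
# store and the payload are constructed; sub_interfaces[i] -> CE i is assumed.
from collections import namedtuple

Vct = namedtuple("Vct", "vpn_id ce_id ce_range label_base")  # what a PE advertises

def label_block(vct):
    """The N contiguous labels the PE reserves for this CE, N = CE range."""
    return range(vct.label_base, vct.label_base + vct.ce_range)

def inner_label(vct, local_ce_id):
    """Site label a CE with ID local_ce_id uses to reach vct.ce_id, or None when
    the remote site provisioned no sub-interface for that ID (range exhausted)."""
    if not 0 <= local_ce_id < vct.ce_range:
        return None
    return vct.label_base + local_ce_id

def egress_lookup(label, vct, sub_interfaces):
    """Egress PE: inner label -> local DLCI (sub_interfaces[i] is the DLCI to CE i)."""
    if label not in label_block(vct):
        raise ValueError("label %d not in CE%d's block" % (label, vct.ce_id))
    return sub_interfaces[label - vct.label_base]

# Constructed state of PE-1 for CE2 (CE ID 2) after accepting PE-2's CE4 VCT
CE4_VCT = Vct("RED", 4, 4, 1000)
CE4_SUBINTS = [63, 75, 82, 94]          # CE4's DLCIs to CE0, CE1, CE2, CE3
CE2_VFT = {414: 4}                      # CE2's DLCI 414 -> remote CE ID 4
REMOTE_VCTS = {4: ("PE-2", CE4_VCT)}    # learned via MP-iBGP/LDP, keyed by CE ID
LSP_LABEL = {"PE-2": 500}               # outer IGP label from RSVP-TE/LDP

def ingress_push(dlci, local_ce_id=2):
    """Ingress PE: strip the DLCI, push [outer IGP label, inner site label]."""
    egress_pe, vct = REMOTE_VCTS[CE2_VFT[dlci]]
    inner = inner_label(vct, local_ce_id)
    if inner is None:
        raise ValueError("CE%d has no circuit for CE%d" % (vct.ce_id, local_ce_id))
    return [LSP_LABEL[egress_pe], inner]

def forward(dlci, payload):
    """End-to-end: push at PE-1, PHP before PE-2, pop + DLCI lookup at PE-2."""
    stack = ingress_push(dlci)
    stack.pop(0)                        # penultimate hop pops the outer label
    out_dlci = egress_lookup(stack.pop(0), CE4_VCT, CE4_SUBINTS)
    return out_dlci, payload            # native FR frame leaves PE-2 on DLCI 82
```

Adding a fifth site to the RED VPN only needs a CE ID below each peer's CE range and a spare sub-interface at each peer; once a peer's range is exhausted, inner_label returns None and the new pair cannot be connected without re-provisioning that peer's VFT.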
Slide 31: Conclusions

Slide 32: A Range of VPN Solutions
- Each customer has different:
  - Security requirements
  - Staff expertise
  - Tolerance for outsourcing
- Customer networks vary by size and traffic volume
- Providers also have different preferences concerning:
  - Extensive policy management
  - Inclusion of customer routes in backbone routers
  - Approaches to managed service

Slide 33: MPLS-Based Layer 2 VPNs
- MPLS-based Layer 2 VPNs are identical to Layer 2 VPNs from the customers' perspective
  - Familiar paradigm
  - Layer 3 independent
  - Provider not responsible for routing: no hacks for OSPF
  - Rely on SP only for connectivity
- MPLS transport in provider network
  - Decouples edge and core Layer 2 technologies
  - Multiple services over single infrastructure
  - Label stacking
- Single network architecture for both Internet and VPN services
  - Provision once, and use the same LSP for multiple purposes
- Auto-provisioning VPN

Slide 34: MPLS-based Layer 2 VPNs: Advantages
Subscriber
- Outsourced WAN infrastructure
- Easy migration from existing Layer 2 fabric
- Can maintain routing control, or opt for managed service
- Supports any Layer 3 protocol
- Supports multicast
Provider
- Complements RFC 2547bis: operates over the same core, using the same outer LSP
- Existing Frame Relay and ATM VPNs can be collapsed onto a single IP/MPLS infrastructure
- Label stacking allows multiple services over a single LSP
- No scalability problems associated with storing numerous customer VPN routes
- Simpler than the extensive policy-based configuration used with 2547

Slide 35: MPLS-based Layer 2 VPNs: Disadvantages
- Circuit type (ATM/FR) to each VPN site must be uniform
- Managed network service required for provider revenue opportunity
- Customer must have routing expertise (or opt for managed service)
Slide 36: Layer 2 MPLS-based VPNs Application
Customer profile
- High degree of IP expertise
- Desire to control their own routing infrastructure
- Prefer to outsource tunneling
- Large number of users and sites
Provider profile
- MPLS deployed in the core
- Migrating an existing ATM or Frame Relay network
- Offers CPE managed service, or provisions only the layer 2 circuits at a premium cost
Layer 2 MPLS-based VPNs are ideal for this customer profile

Slide 37: Thank you!
http://www.juniper.net