
MPLS Virtual Private Networks (VPNs)


Presentation Transcript


  1. MPLS Virtual Private Networks (VPNs) CSE 8344

  2. When VPN?
  • Internet as your own private network
  • Communicate securely between various corporate sites (Intranet)
  • Communicate securely between partner sites (Extranet)
  • Connect remote dial-up users securely to corporate networks

  3. Advantages
  • Flexible and cost effective
  • Better business-to-business connectivity
    • business partners, service providers, contractors, and customers
  • Advances in security (in the MPLS/BGP VPN model this means separation of customer routing and forwarding state between VPNs, not encryption of customer traffic in the backbone)

  4. Layer 2 vs. Layer 3 VPNs
  Layer 2 VPNs
  • Provider devices forward customer packets based on Layer 2 information
  • Tunnels, circuits, LSPs, MAC addresses
  • "pseudo-wire" concept
  Layer 3 VPNs
  • Provider devices forward customer packets based on Layer 3 information (e.g., IP)
  • SP involvement in routing
  • MPLS/BGP VPNs (RFC 2547), GRE, virtual router approaches

  5. Layer 2 Example (L2TPv3 tunnel between R1 and R2 across an IP or MPLS core)
  • Step #1: Workstation A sends a packet destined for Server B
  • Step #2: R1 takes the Ethernet frame, encapsulates it in L2TPv3 (IP / L2TP / Ethernet) and routes it to the tunnel destination R2
  • Step #3: R2 receives the IP/L2TP/Ethernet packet and removes the IP/L2TPv3 headers; the remaining Ethernet frame is forwarded to Server B
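The three steps above, as an added example that is not part of the original slides: R1 wraps the whole Ethernet frame in an L2TPv3 session header and an outer IP header, R2 validates and strips them and hands the frame on. Everything here is constructed: the tunnel endpoints 192.0.2.1 and 192.0.2.2, the session ID, the cookie and the sample frame are made up, and the `L2tpv3Session` class is a hypothetical minimal model of one pseudowire. Only the IP protocol number 115 and the data-message layout (32-bit session ID followed by an optional 0-, 4- or 8-byte cookie) come from the L2TPv3-over-IP specification.

```python
import socket
import struct

L2TPV3_IP_PROTO = 115               # IANA protocol number for L2TPv3 carried directly in IP
ETH_HDR = struct.Struct("!6s6sH")   # destination MAC, source MAC, EtherType
COOKIE_LEN = 8                      # L2TPv3 allows a 0-, 4- or 8-byte cookie; 8 bytes used here


def ipv4_checksum(hdr: bytes) -> int:
    """Ones-complement checksum over an IPv4 header; evaluates to 0 on a correct header."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, payload_len: int, proto: int = L2TPV3_IP_PROTO) -> bytes:
    """Minimal 20-byte IPv4 header (no options, DF set, TTL 64) with the checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def ethernet_frame(dst_mac: bytes, src_mac: bytes, ethertype: int, payload: bytes) -> bytes:
    """Constructed Ethernet frame: what Workstation A puts on the wire towards R1."""
    return ETH_HDR.pack(dst_mac, src_mac, ethertype) + payload


class L2tpv3Session:
    """Hypothetical model of one Ethernet pseudowire session between R1 and R2.

    session_id and cookie are the values both ends agreed on at session setup, so the same
    object can play the R1 side (encapsulate) and the R2 side (decapsulate).
    """

    def __init__(self, tunnel_src: str, tunnel_dst: str, session_id: int, cookie: bytes):
        if session_id == 0:
            raise ValueError("session ID 0 is reserved for L2TPv3 control messages")
        if len(cookie) != COOKIE_LEN:
            raise ValueError("cookie must be %d bytes" % COOKIE_LEN)
        self.tunnel_src, self.tunnel_dst = tunnel_src, tunnel_dst
        self.session_id, self.cookie = session_id, cookie

    def encapsulate(self, frame: bytes) -> bytes:
        """Step #2 at R1: IP header / session ID / cookie / untouched Ethernet frame."""
        inner = struct.pack("!I", self.session_id) + self.cookie + frame
        return ipv4_header(self.tunnel_src, self.tunnel_dst, len(inner)) + inner

    def decapsulate(self, packet: bytes) -> bytes:
        """Step #3 at R2: validate the outer headers, strip them, return the Ethernet frame."""
        if packet[0] >> 4 != 4:
            raise ValueError("not IPv4")
        ihl = (packet[0] & 0x0F) * 4
        if ipv4_checksum(packet[:ihl]) != 0:
            raise ValueError("bad IPv4 header checksum")
        if packet[9] != L2TPV3_IP_PROTO:
            raise ValueError("not L2TPv3 over IP")
        if socket.inet_ntoa(packet[16:20]) != self.tunnel_dst:
            raise ValueError("not addressed to this tunnel endpoint")
        body = packet[ihl:]
        (session_id,) = struct.unpack("!I", body[:4])
        if session_id != self.session_id:
            raise ValueError("unknown session ID")
        if body[4:4 + COOKIE_LEN] != self.cookie:
            # The cookie is the only thing stopping a blind sender who knows the tunnel
            # addresses and guesses the session ID from injecting frames into Server B's LAN.
            raise ValueError("cookie mismatch, dropping")
        return body[4 + COOKIE_LEN:]

    def accepts(self, packet: bytes) -> bool:
        """True if R2 would forward the inner frame, False if it would drop the packet."""
        try:
            self.decapsulate(packet)
            return True
        except ValueError:
            return False


if __name__ == "__main__":
    frame = ethernet_frame(b"\x00\x11\x22\x33\x44\x55", b"\x66\x77\x88\x99\xaa\xbb", 0x0800, b"payload")
    session = L2tpv3Session("192.0.2.1", "192.0.2.2", 0x1234, b"\x0f" * COOKIE_LEN)
    on_the_wire = session.encapsulate(frame)
    print(len(on_the_wire), "bytes across the core; R2 recovers", session.decapsulate(on_the_wire))
```

The core (IP or MPLS) never looks past the outer IP header, which is why the same R1/R2 code serves both core types. Note what the encapsulation does not do: nothing here encrypts or authenticates the frame beyond the cookie check, so the "security" of the pseudowire is separation, not confidentiality.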

  6. Overlay Model
  • Each site has a router connected via point-to-point links to routers at other sites
    • Leased lines
    • Frame Relay
    • ATM circuits
  • Connectivity
    • Fully connected
    • Hub-and-spoke

  7. Limitations of Overlay
  • Customers need to manage the backbone
  • Mapping between Layer 2 QoS and IP QoS
  • Scaling problems
    • Cannot support a large number of customers
    • (n-1) peering requirement: in a full mesh of n sites, each site's router must peer with every other site

  8. The Peer Model
  • Aims to support large-scale VPN service
  • Key technologies
    • Constrained distribution of routing information
    • Multiple forwarding tables
    • VPN-IP addresses
    • MPLS switching

  9. Terminology
  • CE router
    • Customer Edge router
  • PE router
    • Provider Edge router. Part of the P-network and interfaces to CE routers
  • P router
    • Provider (core) router, without knowledge of VPNs

  10. Terminology (cont'd)
  • Route Distinguisher
    • 64-bit attribute attached to each route so that prefixes are unique across VPNs
  • VPN-IPv4 addresses
    • 96-bit address formed by the 64-bit Route Distinguisher followed by the 32-bit IPv4 address
  • VRF
    • VPN Routing and Forwarding instance
    • Routing table and FIB table (one per VPN on the PE)

  11. Connection Model
  • The VPN backbone is composed of MPLS LSRs
    • PE routers (edge LSRs)
    • P routers (core LSRs)
  • PE routers face the CE routers and distribute VPN information through BGP to the other PE routers
  • P routers do not run BGP and have no VPN knowledge

  12. Model (cont'd)
  • P and PE routers share a common IGP
  • PE and CE routers exchange routing information through:
    • EBGP, OSPF, RIP, static routing
  • CE routers run standard routing software

  13. Routing
  • The routes the PE receives from CE routers are installed in the appropriate VRF
  • The routes the PE receives through the backbone IGP are installed in the global routing table
  • Because each VPN has its own VRF, addresses do NOT need to be unique among VPNs
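An added example covering the terminology and routing slides above (it is not part of the course material): encoding a Route Distinguisher, forming the 96-bit VPN-IPv4 address from it, and a PE that keeps CE-learned routes in per-site VRFs while IGP-learned routes go into the global table, so two customers can both announce 10.1.0.0/16 without colliding. The AS number 65000, the interface names, the RD values and all addresses are constructed; the `PE` and `VRF` classes are a hypothetical model, not any vendor's implementation. The RD type encodings (type 0 = 2-byte AS : 4-byte number, type 1 = IPv4 address : 2-byte number, type 2 = 4-byte AS : 2-byte number) are the standard MPLS/BGP VPN formats.

```python
import ipaddress
import struct


def route_distinguisher(rd_type: int, admin, assigned: int) -> bytes:
    """Encode a 64-bit Route Distinguisher: 2-byte type, then a 6-byte value.

    type 0: 2-byte AS number    : 4-byte assigned number   (e.g. 65000:1)
    type 1: 4-byte IPv4 address : 2-byte assigned number   (e.g. 192.0.2.1:7)
    type 2: 4-byte AS number    : 2-byte assigned number
    """
    if rd_type == 0:
        return struct.pack("!HHI", 0, admin, assigned)
    if rd_type == 1:
        return struct.pack("!H4sH", 1, ipaddress.IPv4Address(admin).packed, assigned)
    if rd_type == 2:
        return struct.pack("!HIH", 2, admin, assigned)
    raise ValueError("unknown RD type %r" % rd_type)


def vpn_ipv4(rd: bytes, prefix: str) -> str:
    """VPN-IPv4 address: the 64-bit RD followed by the 32-bit IPv4 network address (96 bits)."""
    net = ipaddress.IPv4Network(prefix)
    return (rd + net.network_address.packed).hex()


class VRF:
    """Hypothetical per-VPN routing/forwarding instance: its own routes and its own RD."""

    def __init__(self, name: str, rd: bytes):
        self.name, self.rd = name, rd
        self.routes = {}    # IPv4Network -> next hop (the CE that announced it)

    def install(self, prefix: str, next_hop: str):
        self.routes[ipaddress.IPv4Network(prefix)] = next_hop

    def lookup(self, dst: str):
        """Longest-prefix match inside this VRF only; None if the VRF has no route."""
        addr = ipaddress.IPv4Address(dst)
        matches = [n for n in self.routes if addr in n]
        return self.routes[max(matches, key=lambda n: n.prefixlen)] if matches else None

    def export(self) -> dict:
        """What this VRF hands to BGP: VPN-IPv4 prefix (hex) -> (IPv4 prefix length, next hop)."""
        return {vpn_ipv4(self.rd, str(n)): (n.prefixlen, nh) for n, nh in self.routes.items()}


class PE:
    """Hypothetical PE: one global table for backbone routes, one VRF per attached VPN site."""

    def __init__(self):
        self.global_table = {}  # IPv4Network -> next hop, learned through the backbone IGP
        self.vrfs = {}          # VRF name -> VRF
        self.site_vrf = {}      # CE-facing interface -> VRF name

    def add_vrf(self, name: str, rd: bytes):
        self.vrfs[name] = VRF(name, rd)

    def bind(self, iface: str, vrf_name: str):
        self.site_vrf[iface] = vrf_name

    def learn_from_ce(self, iface: str, prefix: str, ce_addr: str):
        """A route from a CE goes into the VRF of the interface it arrived on, nowhere else."""
        self.vrfs[self.site_vrf[iface]].install(prefix, ce_addr)

    def learn_from_igp(self, prefix: str, next_hop: str):
        """A route from the backbone IGP goes into the global routing table."""
        self.global_table[ipaddress.IPv4Network(prefix)] = next_hop

    def forward(self, iface: str, dst: str):
        """Customer traffic is looked up only in that site's VRF; the global table is never consulted."""
        return self.vrfs[self.site_vrf[iface]].lookup(dst)


def build_pe() -> PE:
    """Constructed scenario: two customers that both use 10.1.0.0/16 behind one PE."""
    pe = PE()
    pe.add_vrf("cust-A", route_distinguisher(0, 65000, 1))
    pe.add_vrf("cust-B", route_distinguisher(0, 65000, 2))
    pe.bind("ge-0/0/1", "cust-A")
    pe.bind("ge-0/0/2", "cust-B")
    pe.learn_from_ce("ge-0/0/1", "10.1.0.0/16", "172.16.1.2")   # customer A's CE
    pe.learn_from_ce("ge-0/0/2", "10.1.0.0/16", "172.16.2.2")   # customer B's CE, same prefix
    pe.learn_from_igp("192.0.2.2/32", "203.0.113.1")             # remote PE loopback via the IGP
    return pe


if __name__ == "__main__":
    pe = build_pe()
    for name, vrf in pe.vrfs.items():
        print(name, vrf.export())
    print("A ->", pe.forward("ge-0/0/1", "10.1.7.7"), " B ->", pe.forward("ge-0/0/2", "10.1.7.7"))
```

The security-relevant point is in `forward`: the interface a packet arrives on selects the VRF, and nothing in the model lets a lookup cross from one VRF to another or into the global table. The two identical 10.1.0.0/16 routes become different VPN-IPv4 prefixes only because their RDs differ, which is why RD assignment is a provider-side configuration matter rather than something the customer controls.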

  14. Forwarding
  • PE and P routers have BGP next-hop reachability through the backbone IGP
  • Labels corresponding to the BGP next-hops are distributed hop-by-hop through LDP
  • A label stack is used for packet forwarding
    • Top label indicates the next hop (interior label)
    • Second-level label indicates the outgoing interface or VRF (exterior label)

  15. Forwarding (cont'd)
  • The LDP peer immediately upstream of the BGP next-hop (the egress PE router) pops the top label (penultimate hop popping)
  • The egress PE router forwards the packet based on the second-level label, which gives the outgoing interface (and VPN)

  16. Forwarding Example (CE1, PE1, CE2, P1, P2, PE2, CE3; path CE1 - PE1 - P1 - P2 - PE2 - CE3)
  • PE1 receives an IP packet from CE1
    • Lookup is done in the site VRF
    • A BGP route with next hop (PE2) and VPN label is found
    • The BGP next-hop (PE2) is reachable through an IGP route with an associated label
    • Packet leaves PE1 as: IGP Label(PE2) | VPN Label | IP packet
  • P routers switch the packet based on the IGP label (label on top of the stack)
    • Packet leaves P1 as: IGP Label(PE2) | VPN Label | IP packet
  • Penultimate Hop Popping
    • P2 is the penultimate hop for the BGP next-hop
    • P2 removes the top label; this has been requested through LDP by PE2
    • Packet leaves P2 as: VPN Label | IP packet
  • PE2 receives the packet with the label corresponding to the outgoing interface (VRF)
    • One single lookup
    • Label is popped and the IP packet is sent to the IP neighbour (CE3)
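The forwarding example above as runnable code; this is added here and is not from the course material. The label values 42, 1001 and 2001, the prefix 10.2.0.0/16, the interface name and the node names are constructed, and the three router classes are a hypothetical model of the behaviour the slides describe: PE1 pushes two labels, each P router switches on the top label only, P2 pops because PE2 asked for it through LDP (modelled as the reserved implicit-null label value 3), and PE2 does a single lookup on the remaining VPN label.

```python
import ipaddress

IMPLICIT_NULL = 3   # reserved MPLS label; advertised by a PE via LDP to request penultimate hop popping


class Packet:
    def __init__(self, dst: str):
        self.dst = ipaddress.IPv4Address(dst)
        self.stack = []     # MPLS label stack, index 0 is the top of the stack
        self.trace = []     # (node, stack after that node processed the packet), one entry per hop


class IngressPE:
    """PE1: IP lookup in the site VRF, then push the VPN label and, on top, the IGP label."""

    def __init__(self, name: str, vrf_routes: dict, igp_labels: dict):
        self.name = name
        # prefix -> (VPN label, BGP next hop), as learned from the remote PE through BGP
        self.vrf_routes = {ipaddress.IPv4Network(p): v for p, v in vrf_routes.items()}
        # BGP next hop -> (LDP label for that next hop, downstream node), from the IGP plus LDP
        self.igp_labels = igp_labels

    def forward(self, pkt: Packet) -> str:
        matches = [n for n in self.vrf_routes if pkt.dst in n]
        if not matches:
            raise LookupError("no route for %s in the site VRF" % pkt.dst)
        vpn_label, bgp_next_hop = self.vrf_routes[max(matches, key=lambda n: n.prefixlen)]
        igp_label, downstream = self.igp_labels[bgp_next_hop]
        pkt.stack = [igp_label, vpn_label]   # top: IGP label (interior); bottom: VPN label (exterior)
        pkt.trace.append((self.name, list(pkt.stack)))
        return downstream


class CoreLSR:
    """P router: switches on the top label only; never reads the VPN label or the IP header."""

    def __init__(self, name: str, lfib: dict):
        self.name = name
        self.lfib = lfib    # incoming label -> (outgoing label or IMPLICIT_NULL, downstream node)

    def forward(self, pkt: Packet) -> str:
        out_label, downstream = self.lfib[pkt.stack[0]]
        if out_label == IMPLICIT_NULL:
            pkt.stack.pop(0)            # penultimate hop popping, as the egress PE requested
        else:
            pkt.stack[0] = out_label    # ordinary label swap
        pkt.trace.append((self.name, list(pkt.stack)))
        return downstream


class EgressPE:
    """PE2: after PHP only the VPN label is left; one lookup maps it to the outgoing interface."""

    def __init__(self, name: str, vpn_labels: dict):
        self.name = name
        self.vpn_labels = vpn_labels    # VPN label -> CE-facing interface (i.e. the VRF)

    def forward(self, pkt: Packet) -> str:
        if len(pkt.stack) != 1:
            raise ValueError("expected exactly the VPN label after PHP, got %r" % pkt.stack)
        iface = self.vpn_labels[pkt.stack.pop(0)]
        pkt.trace.append((self.name, list(pkt.stack)))
        return iface


def build_path() -> dict:
    """Constructed topology CE1 - PE1 - P1 - P2 - PE2 - CE3; every label value is made up."""
    return {
        "PE1": IngressPE("PE1", {"10.2.0.0/16": (42, "PE2")}, {"PE2": (1001, "P1")}),
        "P1": CoreLSR("P1", {1001: (2001, "P2")}),
        "P2": CoreLSR("P2", {2001: (IMPLICIT_NULL, "PE2")}),
        "PE2": EgressPE("PE2", {42: "to-CE3"}),
    }


def send(dst: str):
    """Walk a packet from PE1 until it leaves the MPLS domain; return (exit interface, per-hop trace)."""
    nodes = build_path()
    pkt = Packet(dst)
    hop = "PE1"
    while hop in nodes:
        hop = nodes[hop].forward(pkt)
    return hop, pkt.trace


if __name__ == "__main__":
    iface, trace = send("10.2.0.7")
    for node, stack in trace:
        print("%-4s stack after: %s" % (node, stack))
    print("delivered on", iface)
```

Two things worth noticing in the trace. The VPN label 42 is carried untouched from PE1 to PE2, so only the two PEs ever interpret it; P1 and P2 have no VPN state at all, which is the isolation property the peer model relies on. And P2 pops rather than swapping only because PE2 advertised implicit-null for its own loopback, which is why PE2 can get away with one lookup instead of two.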

  17. Scalability
  • Existing BGP techniques can be used to scale the route distribution
  • Each edge router needs only the information for the VPNs it supports
    • Directly connected VPNs
  • Easy to add new sites
    • configure the site on the PE connected to it; the network automatically does the rest

  18. QoS Support
  • Pipe model
    • Similar to int-serv
    • Unidirectional, as opposed to the bidirectional model in ATM
  • Hose model
    • Similar to diff-serv
