Provider network technology dictated by VPN services Frame Relay switches ATM switches Provisioning is complex for provider Topology dictated by cost rather than traffic patterns Multiple networks – adds to provider’s administrative burden The Internet is the shared infrastructure Increasing importance of IP/MPLS (not ATM/FR) Subscriber requirements A single network connection for all services Semi-public connectivity rather than private connectivity Provider requirements Multiservice infrastructure that supports all services Enhance the provider’s role in VPN solutions
Issues: Customers requires intranet connectivity. Then internet connectivity. The service provider needs to deploy a parallel router infrastructure. Increase costs, operational expenses, and margins are reduced. Provisioning a new site, or extranet connectivity to a site, takes a lot of time.
The IETF classifies VPNs in two distinct models. The Customer Premise Equipment (CPE) based VPN utilizes equipment located at the Subscriber site. This model can utilize both Layer 2 and Layer 3 technologies. Layer 2 is handled using Layer 2 Tunneling Protocol (L2TP) and Point to Point Tunneling Protocol (PPTP). Tunnels are created between CPEs creating a secure pipe to transfer data across. In a Network-Based (NB) VPN model, Layer 3 is supported using 2 separate solutions. Non-MPLS-Based VPNs utilize Virtual Routers to route CPE based VLAN traffic to a the far-end CPE. MPLS-Based VPNs, based on the RFC 2547bis, use Labels to switch VPN traffic between CPEs.
The agenda for Part I is …
The Customer Edge (CE) device is usually assigned to the subscriber site and may be considered as a layer 2 switch or a layer 3 router. This device is the manner in which the Provider Edge (PE) at the service provider’s site communicates with the subscriber. Any type of data link will work between the connection of the CE device and PE device and may be connected to two or more PE routers. When the CE device is a router connected to a PE router, then the term router adjacency is established between the two routers. After this router adjacency is established, the CE router will advertise all of the subscriber site’s local routes to the PE router. The PE router in turn allows the CE router to learn other VPN routes that is directly connected to from the PE router.
The Provider Edge (PE) router connects to the CE device with different types of data links, such as, Frame Relay DCLI, ATM PVC, VLANs, etc. Regardless of the data link they are connected by, the PE routers ensures each of the ports that these data links are coming in on are mapped to a particular table known as a VPN routing and forwarding (VRF) table. Therefore the PE port is associated with a particular VRF and the information associated with the incoming data link. The PE router maintains all of the VRFs of the virtual private networks attached to it. The exchange of routing information between the CE device and the PE device may take place using Routing Information Protocol (RIP) version 2, Open Shortest Path First (OSPF), or Exterior Border Gateway Protocol (E-BGP). The PE router is only responsible for maintaining the IPv4 packets and their routes of the CE devices that are actually attached to it. This feature enables the RFC 2547bis operational model to be scalable. The PE router also exchanges VPN routing information with other PE routers using I-BGP, and may use this I-BGP session to maintain connections with Route Reflectors as an alternative to a full mesh of I-BGP sessions. By deploying multiple Route Reflectors the scalability of the RFC 2547bis operational model is enhanced, because of the need for any single component to handle all of the IPv4 routes. When forwarding traffic across the MPLS backbone, the PE router will perform this function as a Label Switch Router (LSR). In the case of forwarding the initial forwarding of traffic across the MPLS backbone, the PE router will be considered as the Ingress LSR, and in the case of receiving the traffic at the destination point of the traffic the PE router will function as the Egress LSR.
In the Multiprotocol Label Switching environment, the topology is very clear as to which routers are considered as PE routers and which ones are Provider (P) routers. A rule of thumb used in identifying a P router from a PE router, and works every time within the MPLS environment, is that only PE routers will attach directly to a CE device. Therefore, if a router is within the MPLS topology and it does not attach to a CE device, then this router is known as a P router. The P router functions within the MPLS backbone as a transit Label Switch Router (LSR) when it is called upon to forward data traffic between the PE routers, known in the MPLS backbone as the Ingress LSR and the Egress LSR. Because the P router operates in the MPLS backbone and within a two layer stack, the P routers are only aware of and required to maintain the routes to the PE routers. This prevents the P routers from being bogged down with all of the subscriber site’s routes as does the PE router. Therefore, specific VPN routes are only found in the PE routers.
When exchanging routing information the PE is configured to associate a particular interface or sub-interface with a forwarding table. This association with the interface allows the PE to learn the routes associated with the site in which the CE device is a member. The CE device will advertise a route to the PE router, who checks its own forwarding tables for a direct connection. When the direct connection is not available, the PE router will advertise using the Interior Border Gateway Protocol (I-BGP) to another PE router and place its own address as the BGP Next Hop for the route. When the second PE router receives the advertisement from the first PE router, the second PE router performs a route filtering based upon the BGP extended community attributes carried with the route. When the route is determined to be installed within the PE VPN forwarding tables, then the second PE router advertises the destination route back to the first PE router. This process describes the exchange of routing information between two PE routers.
In this section we look at the provisioning issues and the tasks associated with Layer 2 VPNs.
The list of DLCIs is configured on the PEs. No changes are required even if new sites are added, existing sites will remain unchanged if the provider has over-provisioned the PEs in the network.
A key benefit is Auto-discovery. Comparing this to the traditional Layer 2 VPN slide, there is no need to manually configure additional VPN members. All sites must be configured after the initial bootstrap of the network. However, after that initial build, it is only necessary to configure the newly added sites without having to touch existing sites. Note: the label base is chosen automatically by the PE; the other info is assigned by the ISP administrator. The choice of sub-int ids must be agreed to by both the SP and Customer. The VFT is annouced via LDP as a new FEC, or via MPBGP as a new AFI Label base : BGP only, LDP carry the label with the FEC VPN ID : LDP only with BGP we use communities with the form of <VPN-ID>:<connectivit>
A key benefit is Auto-discovery. Comparing this to the traditional Layer 2 VPN slide, there is no need to manually configure additional VPN members. All sites must be configured after the initial bootstrap of the network. However, after that initial build, it is only necessary to configure the newly added sites without having to touch existing sites. Note: the label base is chosen automatically by the PE; the other info is assigned by the ISP administrator. The choice of sub-int ids must be agreed to by both the SP and Customer. The VFT is annouced via LDP as a new FEC, or via MPBGP as a new AFI Label base : BGP only, LDP carry the label with the FEC VPN ID : LDP only with BGP we use communities with the form of <VPN-ID>:<connectivit>
When exchanging routing information the PE is configured to associate a particular interface or sub-interface with a forwarding table. This association with the interface allows the PE to learn the routes associated with the site in which the CE device is a member. The CE device will advertise a route to the PE router, who checks its own forwarding tables for a direct connection. When the direct connection is not available, the PE router will advertise using the Interior Border Gateway Protocol (I-BGP) to another PE router and place its own address as the BGP Next Hop for the route. When the second PE router receives the advertisement from the first PE router, the second PE router performs a route filtering based upon the BGP extended community attributes carried with the route. When the route is determined to be installed within the PE VPN forwarding tables, then the second PE router advertises the destination route back to the first PE router. This process describes the exchange of routing information between two PE routers.
A key benefit is Auto-discovery. Comparing this to the traditional Layer 2 VPN slide, there is no need to manually configure additional VPN members. All sites must be configured after the initial bootstrap of the network. However, after that initial build, it is only necessary to configure the newly added sites without having to touch existing sites.
When exchanging routing information the PE is configured to associate a particular interface or sub-interface with a forwarding table. This association with the interface allows the PE to learn the routes associated with the site in which the CE device is a member. The CE device will advertise a route to the PE router, who checks its own forwarding tables for a direct connection. When the direct connection is not available, the PE router will advertise using the Interior Border Gateway Protocol (I-BGP) to another PE router and place its own address as the BGP Next Hop for the route. When the second PE router receives the advertisement from the first PE router, the second PE router performs a route filtering based upon the BGP extended community attributes carried with the route. When the route is determined to be installed within the PE VPN forwarding tables, then the second PE router advertises the destination route back to the first PE router. This process describes the exchange of routing information between two PE routers.
When exchanging routing information the PE is configured to associate a particular interface or sub-interface with a forwarding table. This association with the interface allows the PE to learn the routes associated with the site in which the CE device is a member. The CE device will advertise a route to the PE router, who checks its own forwarding tables for a direct connection. When the direct connection is not available, the PE router will advertise using the Interior Border Gateway Protocol (I-BGP) to another PE router and place its own address as the BGP Next Hop for the route. When the second PE router receives the advertisement from the first PE router, the second PE router performs a route filtering based upon the BGP extended community attributes carried with the route. When the route is determined to be installed within the PE VPN forwarding tables, then the second PE router advertises the destination route back to the first PE router. This process describes the exchange of routing information between two PE routers.
When exchanging routing information the PE is configured to associate a particular interface or sub-interface with a forwarding table. This association with the interface allows the PE to learn the routes associated with the site in which the CE device is a member. The CE device will advertise a route to the PE router, who checks its own forwarding tables for a direct connection. When the direct connection is not available, the PE router will advertise using the Interior Border Gateway Protocol (I-BGP) to another PE router and place its own address as the BGP Next Hop for the route. When the second PE router receives the advertisement from the first PE router, the second PE router performs a route filtering based upon the BGP extended community attributes carried with the route. When the route is determined to be installed within the PE VPN forwarding tables, then the second PE router advertises the destination route back to the first PE router. This process describes the exchange of routing information between two PE routers.
Forwarding the data traffic between sites is performed using a two label approach recognized by the Multipoint Label Switching process. Basically speaking the Top Label is considered the Interior Border Gateway Protocol (IBGP) and is used to identify the label switch path to the Egress router. This derived from the core interior gateway protocol and then distributed either with label distribution protocol or the resource reservation protocol. The Bottom Label is considered to operate with the Border Gateway Protocol (BGP) and identifies the outgoing interface from the Egress PE router to the CE device with the destination address. This information is obtained when the exchanging of route distribution information took place between the two PE routers using the Interior Border Gateway Protocol. What happen is the Egress LSR sent the Update message back to the Ingress LSR and provided the Ingress LSR with the appropriate routing information for the Bottom Label.
Forwarding the data traffic between sites is performed using a two label approach recognized by the Multipoint Label Switching process. Basically speaking the Top Label is considered the Interior Border Gateway Protocol (IBGP) and is used to identify the label switch path to the Egress router. This derived from the core interior gateway protocol and then distributed either with label distribution protocol or the resource reservation protocol. The Bottom Label is considered to operate with the Border Gateway Protocol (BGP) and identifies the outgoing interface from the Egress PE router to the CE device with the destination address. This information is obtained when the exchanging of route distribution information took place between the two PE routers using the Interior Border Gateway Protocol. What happen is the Egress LSR sent the Update message back to the Ingress LSR and provided the Ingress LSR with the appropriate routing information for the Bottom Label.
Forwarding the data traffic between sites is performed using a two label approach recognized by the Multipoint Label Switching process. Basically speaking the Top Label is considered the Interior Border Gateway Protocol (IBGP) and is used to identify the label switch path to the Egress router. This derived from the core interior gateway protocol and then distributed either with label distribution protocol or the resource reservation protocol. The Bottom Label is considered to operate with the Border Gateway Protocol (BGP) and identifies the outgoing interface from the Egress PE router to the CE device with the destination address. This information is obtained when the exchanging of route distribution information took place between the two PE routers using the Interior Border Gateway Protocol. What happen is the Egress LSR sent the Update message back to the Ingress LSR and provided the Ingress LSR with the appropriate routing information for the Bottom Label.
Forwarding the data traffic between sites is performed using a two label approach recognized by the Multipoint Label Switching process. Basically speaking the Top Label is considered the Interior Border Gateway Protocol (IBGP) and is used to identify the label switch path to the Egress router. This derived from the core interior gateway protocol and then distributed either with label distribution protocol or the resource reservation protocol. The Bottom Label is considered to operate with the Border Gateway Protocol (BGP) and identifies the outgoing interface from the Egress PE router to the CE device with the destination address. This information is obtained when the exchanging of route distribution information took place between the two PE routers using the Interior Border Gateway Protocol. What happen is the Egress LSR sent the Update message back to the Ingress LSR and provided the Ingress LSR with the appropriate routing information for the Bottom Label.
Forwarding the data traffic between sites is performed using a two label approach recognized by the Multipoint Label Switching process. Basically speaking the Top Label is considered the Interior Border Gateway Protocol (IBGP) and is used to identify the label switch path to the Egress router. This derived from the core interior gateway protocol and then distributed either with label distribution protocol or the resource reservation protocol. The Bottom Label is considered to operate with the Border Gateway Protocol (BGP) and identifies the outgoing interface from the Egress PE router to the CE device with the destination address. This information is obtained when the exchanging of route distribution information took place between the two PE routers using the Interior Border Gateway Protocol. What happen is the Egress LSR sent the Update message back to the Ingress LSR and provided the Ingress LSR with the appropriate routing information for the Bottom Label.
This section of the presentation provides an insight how a Service Provider operating within an Internet Protocol (IP) backbone may provide Virtual Private Networks (VPNs) for their customer, the enterprising subscriber. The 2547 Virtual Private Network platform differs from the normal way of forwarding packets and routes over the Internet backbone than the traditional ways of the 1990’s. The 2547 VPN platform uses Multiprotocol Label Switching (MPLS) to forward packets, and the Border Gateway Protocol (BGP) for route distribution, both over the Internet backbone. The 2547 VPN platform’s primary goal is to support the service providers in their effort to outsource Internet Protocol backbone services for enterprise subscribing customers. By using the methodology available from the Multiprotocol Label Switching and Border Gateway Protocol, the service provider providing these services has made the task very simple for the enterprise subscriber, while improving scalability and flexibility for themselves. The 2547 VPN platform also allows the service provider an opportunity to add value to the services they are providing the enterprising subscriber. Additionally, the 2547 VPN platform provides the necessary techniques for an enterprising subscriber to develop a VPN that can ultimately be used to provides IP service to their customers. We will now start at a high level discussion about the 2547 VPN platform and become more granular as we start understanding how the Border Gateway Protocol and the Multiprotocol Label Switching are implemented as the underlying technology for this highly scalable and secure VPN. Without any further delay lets take look at the 2547 VPN objectives.
Many subscribers have limited IP expertise available and want to outsource their wide area interconnection and routing to service providers. Those service providers with the RFC 2547bis VPNs platforms are the ideal candidates to receive the business and have the capabilities to support the subscriber in their challenges. For the remote access user to the corporate network layer two tunneling protocols, such as, Point-to-Point Tunneling Protocol (PPTP) and Layer Two Tunneling Protocol (L2TP) are convenient and effective to use. Users have capability to access the network from anywhere on the Internet.
Many subscribers have limited IP expertise available and want to outsource their wide area interconnection and routing to service providers. Those service providers with the RFC 2547bis VPNs platforms are the ideal candidates to receive the business and have the capabilities to support the subscriber in their challenges. For the remote access user to the corporate network layer two tunneling protocols, such as, Point-to-Point Tunneling Protocol (PPTP) and Layer Two Tunneling Protocol (L2TP) are convenient and effective to use. Users have capability to access the network from anywhere on the Internet.