1

MPLS

John JamisonJohn Jamison

University of Illinois at ChicagoUniversity of Illinois at Chicago

November 17, 2000November 17, 2000

What’s in it for Research & Education

Networks?

2

Juniper Networks Product Family

Nov 1999Nov 1999M20M20

Sept 1998Sept 1998M40M40

Mar 2000Mar 2000M160M160

Sept 2000Sept 2000M5M5

Sept 2000Sept 2000M10M10

3

Juniper NetworksResearch and Education Customers

MCI Worldcom – vBNS/vBNS+MCI Worldcom – vBNS/vBNS+

Department of Energy – ESnetDepartment of Energy – ESnet DANTE - TEN-155 (Pan-European DANTE - TEN-155 (Pan-European

Research & Education Backbone)Research & Education Backbone)

NYSERNet – New York State NYSERNet – New York State Education & Research NetworkEducation & Research Network

Georgia Tech – SOX GigaPoPGeorgia Tech – SOX GigaPoP

University of Washington – University of Washington – Pacific/Northwest GigaPoPPacific/Northwest GigaPoP

STAR TAP (International Research STAR TAP (International Research & Education Network Meet Point)& Education Network Meet Point)

APAN (Asia Pacific Advanced APAN (Asia Pacific Advanced Network) ConsortiumNetwork) Consortium

NOAA (National Oceanographic NOAA (National Oceanographic and Atmospheric Administration)and Atmospheric Administration)

NASA – Goddard Space Flight NASA – Goddard Space Flight CenterCenter

NIH (National Institutes of Health)NIH (National Institutes of Health)

DoD (Department of Defense)DoD (Department of Defense)

US Army Engineer Research andUS Army Engineer Research andDevelopment CenterDevelopment Center

University of Illinois – NCSA University of Illinois – NCSA (National Center for (National Center for Supercomputing Applications)Supercomputing Applications)

University of California, San Diego - University of California, San Diego - SDSC (San Diego Supercomputer SDSC (San Diego Supercomputer Center)Center)

University of Southern California, University of Southern California, Information Sciences InstituteInformation Sciences Institute

Indiana UniversityIndiana University Stanford UniversityStanford University University of California, DavisUniversity of California, Davis California Institute of TechnologyCalifornia Institute of Technology North Carolina State UniversityNorth Carolina State University University of AlaskaUniversity of Alaska University of Hiroshima, JapanUniversity of Hiroshima, Japan Korea Telcom Research LabKorea Telcom Research Lab ETRI (Electronic and Transmission ETRI (Electronic and Transmission

Research Institute), KoreaResearch Institute), Korea

4

Original Agenda

MPLS FundamentalsMPLS Fundamentals

Traffic Engineering Traffic Engineering

Constraint-Based RoutingConstraint-Based Routing

Refreshment BreakRefreshment Break

Virtual Private NetworksVirtual Private Networks

Optical Applications for Optical Applications for

MPLS Signaling MPLS Signaling

(GMPLS/MP(GMPLS/MPλλS)S)

Juniper Networks SolutionsJuniper Networks Solutions

Questions and CommentsQuestions and Comments

5

Our Agenda

MPLS OverviewMPLS Overview

Traffic EngineeringTraffic Engineering

VPNsVPNs

6

What are we missing out on?

A bunch of pure marketing slidesA bunch of pure marketing slides

A bunch of filler slidesA bunch of filler slides

Slides with content that is of interest mainly Slides with content that is of interest mainly to ISPsto ISPs Here is how you can use MPLS to bring in more Here is how you can use MPLS to bring in more

revenue, offer different services, etc.revenue, offer different services, etc.

Some Details of MPLS Signaling Protocols Some Details of MPLS Signaling Protocols and RFC 2547 VPNsand RFC 2547 VPNs You can (and should) only cover so much in one You can (and should) only cover so much in one

talktalk

Some MP(Lambda)S DetailsSome MP(Lambda)S Details Seems too much like slide ware right nowSeems too much like slide ware right now

7

What are we gaining?

Besides being spared marketing and ISP Besides being spared marketing and ISP centric stuff:centric stuff: We will see some examples from networks and We will see some examples from networks and

applications we are familiar withapplications we are familiar with

We will save some time and cover almost as much We will save some time and cover almost as much informationinformation

8

Why Is MPLSan Important Technology?

Fully integrates IP routing & L2 switchingFully integrates IP routing & L2 switching

Leverages existing IP infrastructuresLeverages existing IP infrastructures

Optimizes IP networks by facilitatingOptimizes IP networks by facilitatingtraffic engineeringtraffic engineering

Enables multi-service networkingEnables multi-service networking

Seamlessly integrates private and public Seamlessly integrates private and public networks networks

The natural choice for exploring new and richerThe natural choice for exploring new and richerIP service offeringsIP service offerings

Dynamic optical bandwidth provisioningDynamic optical bandwidth provisioning

9

What Is MPLS?

IETF Working Group chartered in spring 1997IETF Working Group chartered in spring 1997

IETF solution to support multi-layer switching: IETF solution to support multi-layer switching: IP Switching (Ipsilon/Nokia)IP Switching (Ipsilon/Nokia)

Tag Switching (Cisco)Tag Switching (Cisco)

IP Navigator (Cascade/Ascend/Lucent)IP Navigator (Cascade/Ascend/Lucent)

ARIS (IBM)ARIS (IBM)

ObjectivesObjectives Enhance performance and scalability of IP routingEnhance performance and scalability of IP routing

Facilitate explicit routing and traffic engineeringFacilitate explicit routing and traffic engineering

Separate control (routing) from the forwarding Separate control (routing) from the forwarding mechanismmechanismso each can be modified independentlyso each can be modified independently

Develop a single forwarding algorithm to support a wideDevelop a single forwarding algorithm to support a widerange of routing and switching functionalityrange of routing and switching functionality

10

MPLS Terminology

LabelLabel Short, fixed-length packet identifierShort, fixed-length packet identifier UnstructuredUnstructured Link local significanceLink local significance

Forwarding Equivalence Class (FEC)Forwarding Equivalence Class (FEC) Stream/flow of IP packets: Stream/flow of IP packets:

Forwarded over the same pathForwarded over the same path Treated in the same mannerTreated in the same manner Mapped to the same labelMapped to the same label

FEC/label binding mechanismFEC/label binding mechanism Currently based on destination IP address prefixCurrently based on destination IP address prefix Future mappings based on SP-defined policyFuture mappings based on SP-defined policy

11

MPLS Terminology

Label SwappingLabel Swapping Connection table maintains mappingsConnection table maintains mappings Exact match lookup Exact match lookup Input (port, label) determines:Input (port, label) determines:

Label operationLabel operation Output (port, label)Output (port, label)

Same forwarding algorithm used in Frame Relay and ATMSame forwarding algorithm used in Frame Relay and ATM

Port 1

Port 3

Port 2

Port 4

Connection TableConnection TableIn

(port, label)Out

(port, label)

(1, 22)

(1, 24)

(1, 25)

(2, 23)

(2, 17)

(3, 17)

(4, 19)

(3, 12)

LabelOperation

Swap

Swap

Swap

Swap

25IP

19IP

12

MPLS Terminology

Label-Switched Path (LSP)Label-Switched Path (LSP) Simplex L2 tunnel across a networkSimplex L2 tunnel across a network

Concatenation of one or more label switched hopsConcatenation of one or more label switched hops

Analogous to an ATM or Frame Relay PVCAnalogous to an ATM or Frame Relay PVC

SanSanFranciscoFrancisco

New New YorkYork

LSPLSP

13

MPLS Terminology

SanSanFranciscoFrancisco

New New YorkYork

LSPLSP

LSRLSR

LSRLSR

LSRLSRLSRLSR

Label-Switching Router (LSR)Label-Switching Router (LSR) Forwards MPLS packets using label-switchingForwards MPLS packets using label-switching Capable of forwarding native IP packetsCapable of forwarding native IP packets Executes one or more IP routing protocolsExecutes one or more IP routing protocols Participates in MPLS control protocolsParticipates in MPLS control protocols Analogous to an ATM or Frame Relay Switch (that Analogous to an ATM or Frame Relay Switch (that

also knows about IP)also knows about IP)

14

MPLS Terminology

SanSanFranciscoFrancisco

New New YorkYork

LSPLSP

Ingress LSR (“head-end LSR”)Ingress LSR (“head-end LSR”) Examines inbound IP packets and assigns them to an Examines inbound IP packets and assigns them to an

FECFEC Generates MPLS header and assigns initial labelGenerates MPLS header and assigns initial label

Transit LSRTransit LSR Forwards MPLS packets using label swappingForwards MPLS packets using label swapping

Egress LSR (“tail-end LSR”)Egress LSR (“tail-end LSR”) Removes the MPLS headerRemoves the MPLS header

IngressIngressLSRLSR TransitTransit

LSRLSR TransitTransitLSRLSR

EgressEgressLSRLSR

15

MPLS Header

FieldsFields LabelLabel Experimental (CoS)Experimental (CoS) Stacking bitStacking bit Time to liveTime to live

IP packet is encapsulated by ingress LSRIP packet is encapsulated by ingress LSR IP packet is de-encapsulated by egress LSRIP packet is de-encapsulated by egress LSR

TTLLabel (20-bits) CoS S

IP PacketIP Packet

32-bits32-bits

L2 HeaderL2 Header MPLS HeaderMPLS Header

16

134.5.1.5134.5.1.5

200.3.2.7200.3.2.7200.3.2.1200.3.2.1

134.5.6.1134.5.6.1

Routing TableRouting TableDestination Next Hop

134.5/16

200.3.2/24

12.29.31.5

12.29.31.5

DestinationRouting TableRouting Table

Next Hop

134.5/16

200.3.2/24

134.5.6.1

200.3.2.1

IP Packet Forwarding Example

200.3.2.7

200.3.2.7

3 5

2

12.29.31.412.29.31.412.29.31.112.29.31.1

Routing TableRouting TableDestination Next Hop

134.5/16

200.3.2/24

12.29.31.5

12.29.31.9

12.29.31.512.29.31.5

Routing TableRouting TableDestination Next Hop

134.5/16

200.3.2/24

12.29.31.5

12.29.31.4

12.29.31.912.29.31.9

200.3.2.7

200.3.2.7

200.3.2.7

17

134.5.1.5134.5.1.5

200.3.2.7200.3.2.7

1 2

200.3.2.1200.3.2.1

134.5.6.1134.5.6.1

Ingress Routing TableIngress Routing TableDestination Next Hop

134.5/16

200.3.2/24

(2, 84)

(3, 99)

MPLS TableMPLS TableIn Out

(1, 99) (2, 56)

MPLS TableMPLS TableIn Out

(3, 56) (5, 0)

DestinationEgress Routing TableEgress Routing Table

Next Hop

134.5/16

200.3.2/24

134.5.6.1

200.3.2.1

MPLS Forwarding Example

200.3.2.7

9999200.3.2.7 00200.3.2.7

MPLS TableMPLS TableIn Out

(2, 84) (6, 0)

200.3.2.75656200.3.2.7

3 5

2

3

2 6

18

How Is Traffic Mappedto an LSP?

Map LSP to the BGP next hopMap LSP to the BGP next hop FEC = {all BGP destinations reachable via egress FEC = {all BGP destinations reachable via egress

LSR}LSR}

134.5.1.5134.5.1.5

Egress Egress LSRLSR

AS 45AS 45 AS 63AS 63

AS 77AS 77Transit SPTransit SP

LSP 32LSP 32

I-BGP peersI-BGP peers

134.5.1.5 E-BGPE-BGPpeerspeers

E-BGPE-BGPpeerspeers

BGPBGP BGPBGP

BGPBGP BGPBGP

Routing TableRouting Table

134.5/16134.5/16 LSP 32LSP 32

Ingress LSRIngress LSR

19

How are LSPs Set Up?

Two approaches:Two approaches: Manual ConfigurationManual Configuration Using a Signaling ProtocolUsing a Signaling Protocol

LSPLSP

IngressIngressLSRLSR

EgressEgressLSRLSR

20

MPLS Signaling Protocols

The IETF MPLS architecture does not assumeThe IETF MPLS architecture does not assumea single label distribution protocola single label distribution protocol

LDPLDP Executes hop-by-hopExecutes hop-by-hop Selects same physical path as IGPSelects same physical path as IGP Does not support traffic engineering Does not support traffic engineering

RSVPRSVP Easily extensible for explicit routes and label distributionEasily extensible for explicit routes and label distribution Deployed by providers in production networks Deployed by providers in production networks

CR-LDPCR-LDP Extends LDP to support explicit routesExtends LDP to support explicit routes Functionally identical to RSVPFunctionally identical to RSVP Not deployed Not deployed

21

How Is the LSP PhysicalPath Determined?

Two approaches:Two approaches: Offline path calculation (in house or 3rd party Offline path calculation (in house or 3rd party

tools)tools) Online path calculation (constraint-based routing)Online path calculation (constraint-based routing)

A hybrid approach may be usedA hybrid approach may be used

LSPLSP

IngressIngressLSRLSR

EgressEgressLSRLSR

22

Offline Path Calculation

Simultaneously considersSimultaneously considers All link resource constraintsAll link resource constraints All ingress to egressAll ingress to egress

traffic trunkstraffic trunks

BenefitsBenefits Similar to mechanisms usedSimilar to mechanisms used

in overlay networksin overlay networks Global resource optimizationGlobal resource optimization Predictable LSP placementPredictable LSP placement StabilityStability Decision support systemDecision support system

In-house and third-party In-house and third-party toolstools

23

IngressIngressLSRLSR

EgressEgressLSRLSR

LSPLSP

Offline Path Calculation

Input to offline path calculation utility:Input to offline path calculation utility: Ingress and egress pointsIngress and egress points Physical topologyPhysical topology Traffic matrix (statistics about city - router pairs)Traffic matrix (statistics about city - router pairs)

Output:Output: Set of physical paths, each expressedSet of physical paths, each expressed

as an explicit routeas an explicit route

R1

R3

R2

R4

R5

R6

R7

R8

R9

Explicit route =Explicit route ={R1, R4, R8, R9}{R1, R4, R8, R9}

24

Explicit Routes: Example 1

LSP from R1 to R9LSP from R1 to R9 Partial explicit route:Partial explicit route:

{loose R8, strict R9}{loose R8, strict R9} LSP physical pathLSP physical path

R1 to R8 – follow IGP pathR1 to R8 – follow IGP path R8 to R9 – directly connectedR8 to R9 – directly connected

IngressIngressLSRLSR

EgressEgressLSRLSRR1

R3

R2

R4

R5

R6

R7

R8

R9

25

IngressIngressLSRLSR

EgressEgressLSRLSRR1

R3

R2

R4

R5

R6

R7

R8

R9

Explicit Routes: Example 2

LSP from R1 to R9LSP from R1 to R9 Full explicit route:Full explicit route:

{strict R3, strict R4, strict R7, strict R9}{strict R3, strict R4, strict R7, strict R9} LSP physical pathLSP physical path

R1 to R3 – directly connectedR1 to R3 – directly connected R3 to R4 – directly connectedR3 to R4 – directly connected R4 to R7 – directly connectedR4 to R7 – directly connected R7 to R9 – directly connected R7 to R9 – directly connected

26

Constraint-Based Routing

IngressIngressLSRLSR

EgressEgressLSRLSR

Online LSP path calculationOnline LSP path calculation Operator configures LSP constraints at ingress LSROperator configures LSP constraints at ingress LSR

Bandwidth reservationBandwidth reservation Include or exclude a specific link(s)Include or exclude a specific link(s) Include specific node traversal(s)Include specific node traversal(s)

Network actively participates in selecting an LSPNetwork actively participates in selecting an LSPpath that meets the constraintspath that meets the constraints

User defined LSP User defined LSP constraintsconstraints

27

Constraint-Based Routing

Thirty-two named groups, 0 through 31Thirty-two named groups, 0 through 31 Groups assigned to interfacesGroups assigned to interfaces

SanFrancisco

Gold

Bronze

Silver

28

Constraint-Based Routing

Choose the path from A to I using:Choose the path from A to I using:admin group {admin group {

include [gold sliver];include [gold sliver];}}

C

D

E

F

G

H

B

A

I

Copper

Copper Copper

BronzeBro

nze

Bronze

Bronze

Gold

Gold

Copper

Silver

Gold

Cop

per

Copp

er

6

29

Constraint-Based Routing

A-C-F-G-I uses only gold or silver linksA-C-F-G-I uses only gold or silver links

C

D

E

F

G

H

B

A

I

Copper

Copper Copper

BronzeBro

nze

Bronze

Bronze

Gold

Gold

Copper

Silver

Gold

Cop

per

Copp

er16

2

30

NewNewYorkYork

AtlantaAtlanta

ChicagoChicago

SeattleSeattle

LosLosAngelesAngeles

SanSanFranciscoFrancisco

KansasKansasCityCity

DallasDallaslabel-switched-path SF_to_NY {label-switched-path SF_to_NY { to New_York;to New_York; from San_Francisco;from San_Francisco; admin-group {exclude admin-group {exclude green}green} cspf}cspf}

Constraint-Based Routing: Example 1

31

ParisParis

LondonLondon

StockholmStockholm

MadridMadrid

RomeRome

GenevaGeneva

MunichMunich

label-switched-path madrid_to_stockholm{ to Stockholm; from Madrid; admin-group {include red, green} cspf}

Constraint-Based Routing: Example 2

31

32

Other Neat MPLS Stuff

Secondary LSPsSecondary LSPs Fast RerouteFast Reroute Label StackingLabel Stacking GMPLSGMPLS

33

MPLS Secondary LSPs

Standard LSP failoverStandard LSP failover Failure signaledFailure signaled

to ingress LSRto ingress LSR Calculate & signal new LSPCalculate & signal new LSP Reroute traffic to new LSPReroute traffic to new LSP

Standby Secondary LSPStandby Secondary LSP Pre-established LSPPre-established LSP Sub-second failoverSub-second failover

New YorkNew YorkData CenterData CenterSan San

FranciscoFranciscoData CenterData Center

Primary LSPPrimary LSPSecondary LSP

34

MPLS Fast Reroute

Ingress signals fast reroute during LSP setupIngress signals fast reroute during LSP setup Each LSR computes a detour pathEach LSR computes a detour path

(with same constraints)(with same constraints) Supports failover in ~100s of msSupports failover in ~100s of ms

New YorkNew YorkData CenterData CenterSan San

FranciscoFranciscoData CenterData Center

Primary LSPPrimary LSP

Active DetourActive Detour

35

MPLS Label Stacking

A label stack is an ordered set of labelsA label stack is an ordered set of labels Each LSR processes the top labelEach LSR processes the top label ApplicationsApplications

Routing hierarchyRouting hierarchy Aggregate individual LSPs into a “trunk” LSPAggregate individual LSPs into a “trunk” LSP VPNsVPNs

21

3

LSP 1LSP 1

LSP 2LSP 2

Trunk LSPTrunk LSP

2

54

TTLLabel (20-bits) CoSS

3 6 2 5

3

5 2

1

36

3

5 2

1

21

3

2

54

Trunk LSPTrunk LSP

MPLS Label Stack: Example 1

442225IP

118825IP

IP 2525IP

56IP

MPLS TableMPLS TableIn Out

(5, 42) (6, 18)

MPLS TableMPLS TableIn Out

(2, 18) (5, Pop)

MPLS TableMPLS TableIn Out

(4, 25) (2, 56)

In Out

(1, 25) (2, Push [42])

MPLS TableMPLS Table

(4, 35) (5, 17)(3, 35) (2, Push [42])

5 6 2 5

37

3

5 2

1

21

3

2

54

Trunk LSPTrunk LSP

MPLS Label Stack: Example 2

442235IP

118835IP

IP 35

35IP

17IP

MPLS TableMPLS TableIn Out

(5, 42) (6, 18)

MPLS TableMPLS TableIn Out

(2, 18) (5, Pop)

MPLS TableMPLS TableIn Out

(4, 25) (2, 56)

(4, 35) (5, 17)

In Out

(1, 25) (2, Push [42])

(3, 35)

MPLS TableMPLS Table

(2, Push [42])

5 6 2 5

38

Label stacking to create a hierarchy of LSP trunksLabel stacking to create a hierarchy of LSP trunks

LSP 4LSP 4

LSP 3LSP 3

LSP 1LSP 1

LSP 2LSP 2

LSP 1LSP 1

LSP TrunkLSP Trunkof Trunksof Trunks

LSP 2LSP 2

LSP 4LSP 4

LSP LSP TrunkTrunk

LSP 3LSP 3LSP LSP

TrunkTrunk

Label Stacking allows you to Reduce the Number of LSPs

39

IP Service(Routers)

Optical Transport(OXCs, WDMs)

Optical Core

Generalized MPLS (GMPLS)Formally known as MPL(amda)S

Reduce complexityReduce complexity Reduce costReduce cost Router subsumes functions performed by other Router subsumes functions performed by other

layerslayers Fast router interfaces eliminate the need for MUXsFast router interfaces eliminate the need for MUXs MPLS replaces ATM/FR for traffic engineeringMPLS replaces ATM/FR for traffic engineering MPLS fast reroute obviates SONET APS restorationMPLS fast reroute obviates SONET APS restoration

Dynamic provisioning of optical bandwidth is Dynamic provisioning of optical bandwidth is required for growth and innovative service required for growth and innovative service creationcreation

40

GMPLS: LSP Hierarchy

Nesting LSPs enhances system scalability Nesting LSPs enhances system scalability LSPs always start and terminate on similar interface LSPs always start and terminate on similar interface

typestypes LSP interface hierarchyLSP interface hierarchy

Packet Switch Capable (PSC) Packet Switch Capable (PSC) LowestLowest Time Division Multiplexing Capable (TDM)Time Division Multiplexing Capable (TDM) Lambda Switch Capable (LSC)Lambda Switch Capable (LSC) Fiber Switch Capable (FSC) Fiber Switch Capable (FSC) HighestHighest

FA-LSC

FA-TDMFA-PSC

BundleBundleFiber nFiber n

Fiber 1Fiber 1

FSC CloudLSC

CloudTDMCloud

PSCCloud

LSCCloud

TDMCloud

PSCCloud

ExplicitLabel LSPs

Time-slotLSPs Fiber LSPsLSPs

ExplicitLabel LSPs

Time-slotLSPsLSPs

(multiplex low-order LSPs) (demultiplex low-order LSPs)

41

AGENDA

MPLS OverviewMPLS Overview

Traffic EngineeringTraffic Engineering

VPNsVPNs

42

What Is Traffic Engineering?

Ability to control traffic flows in the Ability to control traffic flows in the networknetwork

Optimize available resourcesOptimize available resources

Move traffic from IGP path to less congested Move traffic from IGP path to less congested pathpath

SourceSource DestinationDestination

Layer 3 RoutingLayer 3 Routing Traffic EngineeringTraffic Engineering

43

Brief History

Early 1990’sEarly 1990’s Internet core was connected with T1 and Internet core was connected with T1 and

T3 links between routersT3 links between routers Only a handful of routers and links to Only a handful of routers and links to

manage and configuremanage and configure Humans could do the work manuallyHumans could do the work manually Metric-based traffic control was sufficientMetric-based traffic control was sufficient

44

Metric-Based Traffic Engineering

Traffic sent to A or B follows path with Traffic sent to A or B follows path with lowest metricslowest metrics

1 1

1 2

A B

C

45

Metric-BasedTraffic Engineering

DrawbacksDrawbacks Redirecting traffic flow to A via C causes Redirecting traffic flow to A via C causes

traffic for B to move also!traffic for B to move also! Some links become underutilized or Some links become underutilized or

overutilizedoverutilized

1 4

1 2

A B

C

46

Metric-BasedTraffic Engineering

DrawbacksDrawbacks Complexity made metric control trickyComplexity made metric control tricky Adjusting one metric might destabilize Adjusting one metric might destabilize

networknetwork

47

Discomfort Grows

Mid 1990’sMid 1990’s ISPs became uncomfortable with size of ISPs became uncomfortable with size of

Internet coreInternet core Large growth spurt imminentLarge growth spurt imminent Routers too slowRouters too slow Metric “engineering” too complexMetric “engineering” too complex IGP routing calculation was topology IGP routing calculation was topology

driven, not traffic drivendriven, not traffic driven Router based cores lacked predictabilityRouter based cores lacked predictability

48

Overlay Networks are Born

ATM switches offered performance and ATM switches offered performance and predictable behaviorpredictable behavior

ISPs created “overlay” networks that ISPs created “overlay” networks that presented a virtual topology to the edge presented a virtual topology to the edge routers in their networkrouters in their network

Using ATM virtual circuits, the virtual Using ATM virtual circuits, the virtual network could be reengineered without network could be reengineered without changing the physical networkchanging the physical network

BenefitsBenefits Full traffic controlFull traffic control Per-circuit statisticsPer-circuit statistics More balanced flow of traffic across linksMore balanced flow of traffic across links

49

Overlay Networks

ATM core ringed by routersATM core ringed by routers PVCs overlaid onto physical networkPVCs overlaid onto physical network

PhysicalView

A

BC

A

B

CLogicalView

50

vBNS ATM Design

Full UBR PVP mesh between terminal switches to carry “Best Effort” Full UBR PVP mesh between terminal switches to carry “Best Effort” traffictraffic

LosAngeles

Chicago

Cleveland

Boston

SanFrancisco

Denver

Atlanta

WashingtonDC

NewYork City

Houston

SeattlePerryman,

MD

51

San Francisco

National Center forAtmospheric Research

San DiegoSupercomputer Center

Houston

Denver

Ameritech NAP

Chicago

National Center forSupercomputingApplications

Cleveland

Perryman, MD

Sprint NAP

MFS NAP

PittsburghSupercomputing

Center

Los Angeles

A

Atlanta

ANew York City

vBNS Backbone Network Map

Boston

Washington, DC

Seattle

A

A

C

C

C

C

C

CC

C

C

C

C

C

C

C

C

C

C

C

J

J

Ascend GRF 400

Cisco 7507

Juniper M40

FORE ASX-1000

NAP

A

C

DS-3

OC-3C

OC-12C

OC-48

J

52

Overlay Nets Had Drawbacks

Growth in full mesh of ATM PVCs stresses Growth in full mesh of ATM PVCs stresses everythingeverything

Router IGP runs out of steamRouter IGP runs out of steam Practical limitation of updating Practical limitation of updating

configurations in each switch and routerconfigurations in each switch and router ATM 20% Cell TaxATM 20% Cell Tax ATM SAR speed limitationsATM SAR speed limitations

OC-48 SAR very difficult/expensive to OC-48 SAR very difficult/expensive to buildbuild

OC-192 SAR?OC-192 SAR?

53

In the mean time:

Routers caught upRouters caught up Current generation of routers haveCurrent generation of routers have

High speed, wire-rate interfacesHigh speed, wire-rate interfacesDeterministic performanceDeterministic performanceSoftware advancesSoftware advances

MPLS came alongMPLS came along Fuses best aspects of ATM PVCs with high-Fuses best aspects of ATM PVCs with high-

performance routing enginesperformance routing engines Uses low-overhead circuit mechanismUses low-overhead circuit mechanism Automates path selection and configurationAutomates path selection and configuration Implements quick failure recoveryImplements quick failure recovery

54

MPLS for Traffic Engineering

Low-overhead virtual circuits for IPLow-overhead virtual circuits for IP Originally designed to make routers fasterOriginally designed to make routers faster

Fixed label lookup faster than longest match used by IP Fixed label lookup faster than longest match used by IP routingrouting

Not true anymoreNot true anymore Value of MPLS is now in traffic engineeringValue of MPLS is now in traffic engineering Other MPLS Benefits:Other MPLS Benefits:

No second networkNo second network A fully integrated IP solution – no second technologyA fully integrated IP solution – no second technology Traffic engineeringTraffic engineering Lower costLower cost A CoS enablerA CoS enabler Failover/link protectionFailover/link protection Multi-service and VPN supportMulti-service and VPN support

55

AGENDA

MPLS OverviewMPLS Overview

Traffic EngineeringTraffic Engineering

VPNsVPNs

56

What Is a Virtual Private Network?

““A private network constructed over a shared A private network constructed over a shared infrastructure”infrastructure”

VirtualVirtual An artificial object simulated by computers (not really there!)An artificial object simulated by computers (not really there!)

PrivatePrivate Separate/distinct environmentsSeparate/distinct environments Separate addressing and routing systemsSeparate addressing and routing systems

NetworkNetwork A collection of devices that communicate among themselvesA collection of devices that communicate among themselves

SharedSharedInfrastructureInfrastructure Mobile users Mobile users

and and telecommutetelecommute

rsrs

IntranetIntranet

ExtranetExtranet

Remote accessRemote access

BranchBranchofficeoffice

Corporate Corporate headquartersheadquarters

Suppliers, Suppliers, partnerspartners

and customersand customers

57

Deploying VPNs using Overlay Networks

Provider Frame Relay NetworkProvider Frame Relay Network

CPE

CPE

CPE

CPE

CPE

DLCI

DLCI

DLCIFR

switch

FRswitch

FRswitch

FRswitch

FRswitch

FRswitch

FRswitch

Operational modelOperational model PVCs overlay the shared infrastructure (ATM/Frame Relay) PVCs overlay the shared infrastructure (ATM/Frame Relay) Routing occurs at CPERouting occurs at CPE

BenefitsBenefits Mature technologiesMature technologies Inherently ‘secure’Inherently ‘secure’ Service commitments (bandwidth, availability, etc.)Service commitments (bandwidth, availability, etc.)

LimitationsLimitations Scalability and management of the overlay modelScalability and management of the overlay model Not a fully integrated IP solution Not a fully integrated IP solution

CPE

58

MPLS: A VPN Enabling Technology

BenefitsBenefits Seamlessly integrates multiple “networks”Seamlessly integrates multiple “networks” Permits a single connection to the service providerPermits a single connection to the service provider Supports rapid delivery of new servicesSupports rapid delivery of new services Minimizes operational expensesMinimizes operational expenses Provides higher network reliability and availabilityProvides higher network reliability and availability

Service Provider NetworkService Provider Network

Site 1Site 1

Site 1Site 1

Site 2Site 2

Site 3Site 3

Site 2Site 2

Site 3Site 3

59

There are Three Types of VPNs

End to End (CPE Based) VPNsEnd to End (CPE Based) VPNs L2PT & PPTPL2PT & PPTP

IPSECIPSEC

Layer 2 VPNsLayer 2 VPNs CCCCCC

CCC & MPLS HybridCCC & MPLS Hybrid

Layer3 VPNsLayer3 VPNs RFC 2547bisRFC 2547bis

60

End to End VPNs:L2TP and PPTP

Dial Access Provider

V.x modem

PPP dial-upService Provider or VPN

L2TPaccess server

Dial accessserver

L2TP tunnel

Dial accessserver

PPTPaccess serverPPTP tunnel

Application: Dial access for remote usersApplication: Dial access for remote users Layer 2 Tunneling Protocol (L2TP)Layer 2 Tunneling Protocol (L2TP)

RFC 2661RFC 2661 Combination of L2F and PPTPCombination of L2F and PPTP

Point-to-Point Tunneling Protocol (PPTP) Point-to-Point Tunneling Protocol (PPTP) Bundled with Windows/Windows NTBundled with Windows/Windows NT

Both support IPSec for encryptionBoth support IPSec for encryption Authentication & encryptionAuthentication & encryption

at tunnel endpointsat tunnel endpoints

61

End to End VPNs: The IP Security Protocol (IPSec)

Defines the IETF’s layer 3 security architectureDefines the IETF’s layer 3 security architecture Applications:Applications:

Strong security requirements Strong security requirements Extend a VPN across multiple service providersExtend a VPN across multiple service providers

Security services include:Security services include: Access controlAccess control Data origin authenticationData origin authentication Replay protectionReplay protection Data integrityData integrity Data privacy (encryption)Data privacy (encryption) Key managementKey management

62

End to End VPNs: IPSec – Example

Routing must be performed at CPERouting must be performed at CPE Tunnels terminate on subscriber premiseTunnels terminate on subscriber premise

Only CPE equipment needs to support IPSecOnly CPE equipment needs to support IPSec Modifications to shared resources are not requiredModifications to shared resources are not required

ESP tunnel modeESP tunnel mode Authentication insures integrity from CPE to CPEAuthentication insures integrity from CPE to CPE Encrypts original header/payload across internetEncrypts original header/payload across internet Supports private address spaceSupports private address space

Public Internet

CorporateHQ

BranchofficeCPE CPE

IPSec ESP Tunnel ModeIPSec ESP Tunnel Mode

63

Layer 2 VPNs: CCC/MPLS

ATM (or ATM (or Frame Relay)Frame Relay)

PEPE

PEPE

PEPE

ATM (or ATM (or Frame Relay)Frame Relay)

LSPs

CCC Function

In Out

LSP 2 in LSP 5DLCI 600

LSP 6 in LSP 5DLCI 610

CCC TableCCC Table

LSP 2 LSP 6

LSP 5

In Out

LSP 2 in LSP 5 DLCI 506

LSP 6 in LSP 5 DLCI 408

CCC TableCCC Table

DLCIDLCI600600

DLCIDLCI610610

DLCIDLCI506506

DLCIDLCI408408(MPLS core)

CPECPECPECPE

BenefitsBenefits Reduces provider configuration complexityReduces provider configuration complexity MPLS traffic engineered coreMPLS traffic engineered core Subscriber can run any Layer 3 protocolSubscriber can run any Layer 3 protocol User Nets do not know there is a cloud in the User Nets do not know there is a cloud in the

middlemiddle LimitationsLimitations

Circuit type (ATM/FR) must be “like to like”Circuit type (ATM/FR) must be “like to like”

64

CCC Example: Abilene and ISP Service on one link

University XUniversity X

ATM Access

Big “I” Internet Traffic:ATM VC1 terminated, IP packets delivered to Qwest ISP

Abilene Traffic:ATM VC2 mapped to port facing Abilene

An M20/40/160 can both terminate ATM PVCs (layer 3 lookup) and support CCC pass-through on the same port.

AbileneAbilene

Qwest ISPQwest ISP

M40M40

65

vBNS used CCC and MPLS to tunnel IPv6 across their backbone for SC2000

ChicagoChicagoSC2000 SC2000

in Dallasin Dallas

IPv6

IPv6

vBNS/vBNS+vBNS/vBNS+

IPv4IPv4

LSPLSP

ATMATMATMATM

CCCCCCCCCCCC

66

Layer 3 VPNs:RFC 2547 - MPLS/BGP VPNs

MPLS (Multiprotocol Label Switching) is used for MPLS (Multiprotocol Label Switching) is used for forwarding packets over the backboneforwarding packets over the backbone

BGP (Border Gateway Protocol) is used for BGP (Border Gateway Protocol) is used for distributing routes over the backbonedistributing routes over the backbone

Multiple Forwarding Tables (FT) on some edge Multiple Forwarding Tables (FT) on some edge routers, one for each VPNrouters, one for each VPN

Service Provider NetworkService Provider Network

CPECPE

CPECPE

CPECPE

PEPE PEPE

PEPE

CPECPE

CPECPE

CPECPE

Site 1Site 1

Site 1Site 1

Site 2Site 2

Site 3Site 3

Site 2Site 2

Site 3Site 3PP

PP

PP

PP

PP

PEPE

FT

FT

FT

FTFT

FT

67

Questions?

68

Thank You

jjamison@juniper.netjjamison@juniper.net

http://www.juniper.nethttp://www.juniper.net