Page 1: MPLS multi-domain services: MD-VPN service

Xavier Jeannin, RENATER
Tomasz Szewczyk, PSNC

Training and Workshops for advancing NRENs
8-11 Sept 2014, Chisinau, Moldova

connect • communicate • collaborate

Page 2: MPLS brief overview

• Original purpose: avoid complex and long IP lookups in the router
• Routing by label
  – Forwarding based on label
  – Distributed labels (LDP, MP-BGP, CR-LDP, RSVP-TE)
  – Push, Pop, Swap
  – Build Label Switched Paths (LSP)

Page 3: MPLS overview

• Topology
  – P = Provider router (core): switches labels only
  – PE = Provider Edge router: delivers the service to end users (IPv4, IPv6, L2VPN, L3VPN)
  – CE = Customer Edge router
• MPLS services
  – Transport: IPv4, IPv6
  – VPN: L3VPN, L2VPN Point-to-Point, L2VPN Multi-Point (VPLS)
  – Traffic Engineering: path selection, QoS, path protection, Fast-ReRoute

Page 4: MPLS VPN overview

• Double labelling
  – VPN label added to the standard label
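The double labelling above, as an added example that is not part of the original slides: a Python simulation of one ingress PE, two P routers and one egress PE. All router names, label values, VRF names and prefixes are constructed. The ingress PE pushes the VPN label and then the transport label; the P routers swap and pop the outer label only (penultimate-hop popping); the egress PE maps the remaining VPN label to a VRF and drops packets whose label it does not know.

```python
"""MPLS double labelling on an ingress PE - P - P - egress PE path.
Added example, not from the slides; labels, router names and prefixes are constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import List


@dataclass
class Packet:
    dst_ip: str
    labels: List[int] = field(default_factory=list)   # labels[-1] is the top of the stack


# Constructed topology. PE1 holds two VRFs; PE2 only knows the VPN label of ASTRO.
TOPOLOGY = {
    "PE1": {"role": "ingress",
            "vrf": {"ASTRO": {"10.20.0.0/16": ("PE2", 3001)},
                    "BIO":   {"10.30.0.0/16": ("PE2", 3002)}},
            "transport": {"PE2": 100}},                        # outer label of the LSP towards PE2
    "P1":  {"role": "core", "lfib": {100: ("swap", 200)}},
    "P2":  {"role": "core", "lfib": {200: ("pop", None)}},     # penultimate-hop popping
    "PE2": {"role": "egress", "vpn_labels": {3001: "ASTRO"}},
}


def ingress_pe(node, pkt, vrf_name):
    """Look the customer destination up in the VRF, then push VPN label and transport label."""
    dst = ipaddress.ip_address(pkt.dst_ip)
    for prefix, (egress_pe, vpn_label) in node["vrf"][vrf_name].items():
        if dst in ipaddress.ip_network(prefix):
            pkt.labels.append(vpn_label)                      # inner: selects the VRF on the egress PE
            pkt.labels.append(node["transport"][egress_pe])   # outer: carries the packet across the core
            return "push", list(pkt.labels)
    return "drop", None


def core_p(node, pkt):
    """P routers act on the top label only; the VPN label and the IP header are never inspected."""
    action, new_label = node["lfib"][pkt.labels[-1]]
    if action == "swap":
        pkt.labels[-1] = new_label
    else:
        pkt.labels.pop()
    return action, list(pkt.labels)


def egress_pe(node, pkt):
    """The egress PE pops the VPN label and maps it to a VRF; unknown labels are dropped."""
    vrf = node["vpn_labels"].get(pkt.labels.pop()) if pkt.labels else None
    return ("deliver", vrf) if vrf else ("drop", None)


def forward(path, dst_ip, vrf_name):
    """Walk the packet along the path and return one (router, action, result) step per hop."""
    pkt = Packet(dst_ip)
    trace = []
    for name in path:
        node = TOPOLOGY[name]
        if node["role"] == "ingress":
            step = ingress_pe(node, pkt, vrf_name)
        elif node["role"] == "core":
            step = core_p(node, pkt)
        else:
            step = egress_pe(node, pkt)
        trace.append((name,) + step)
        if step[0] == "drop":
            break
    return trace


if __name__ == "__main__":
    for hop in forward(["PE1", "P1", "P2", "PE2"], "10.20.5.9", "ASTRO"):
        print(hop)
```

Nothing in the core reads the customer address or the VPN label, which is what makes the core independent of the number of VPNs; it also means the separation between VPNs rests entirely on the label mappings configured at the PEs, so those mappings are what an operator audits.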

Page 5: MPLS VPN overview

[Figure: L3VPN examples]

Page 6: Point-to-Point L2VPN over MPLS

PseudoWire Reference Model over MPLS

• The pseudowire can emulate several services, among them Ethernet and 802.1Q (VLAN) services

Reference: http://www.sanog.org/resources/sanog7/waris-l2vpn-tutorial.pdf

Page 7: VPLS overview

• A multi-point L2 VPN service
  – Architecture built on MPLS networks to provide Layer 2 multi-point Ethernet services
  – Emulates an Ethernet bridge
  – Uses MAC addresses to forward: MAC address learning, flooding mechanism, MAC Forwarding Information Base named VSI (Virtual Switching Instance)
• Technical simplification
  – Based on a full mesh of pseudowires (hierarchical VPLS is another architecture that does not require a full mesh)
  – Split horizon to avoid loops (a frame learnt through a pseudowire is not transmitted again over a pseudowire)
  – Pseudowire signalling can be achieved with LDP or MP-BGP
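The VSI behaviour of this slide (MAC learning, flooding, a full mesh of pseudowires and split horizon), as an added Python example that is not from the original slides. Three PEs with one attachment circuit each, the port names and the MAC addresses are constructed; the `split_horizon` switch exists only to show what the rule prevents.

```python
"""VPLS virtual switching instance (VSI) with MAC learning, flooding and split horizon
over a full mesh of pseudowires. Added example, not from the slides; PE names, ports
and MAC addresses are constructed."""
from collections import deque
from typing import Dict, List, Tuple


class Vsi:
    """One VSI on a PE: a learning bridge whose ports are local attachment circuits
    ("ac:<name>") and pseudowires to every other PE of the mesh ("pw:<PE>")."""

    def __init__(self, pe: str, acs: List[str], remote_pes: List[str], split_horizon: bool = True):
        self.pe = pe
        self.acs = list(acs)
        self.pws = [f"pw:{r}" for r in remote_pes]
        self.split_horizon = split_horizon
        self.mac_table: Dict[str, str] = {}   # MAC -> port it was learnt on

    def receive(self, src_mac: str, dst_mac: str, in_port: str) -> List[str]:
        """Learn the source MAC on the ingress port, then return the output ports."""
        self.mac_table[src_mac] = in_port
        known = self.mac_table.get(dst_mac)
        if known is not None:
            return [] if known == in_port else [known]
        # Unknown destination: flood to every other attachment circuit ...
        targets = [ac for ac in self.acs if ac != in_port]
        if in_port.startswith("ac:") or not self.split_horizon:
            # ... and to the pseudowires. With split horizon a frame that arrived over a
            # pseudowire is never sent out on another pseudowire: the full mesh already
            # delivered it to every PE directly, so re-sending it would create a loop.
            targets += [pw for pw in self.pws if pw != in_port]
        return targets


class VplsNetwork:
    """Full mesh of pseudowires between the given PEs."""

    def __init__(self, acs_per_pe: Dict[str, List[str]], split_horizon: bool = True):
        pes = list(acs_per_pe)
        self.vsis = {pe: Vsi(pe, acs_per_pe[pe], [o for o in pes if o != pe], split_horizon)
                     for pe in pes}

    def send(self, pe: str, in_ac: str, src_mac: str, dst_mac: str,
             max_frames: int = 100) -> Tuple[List[Tuple[str, str]], int]:
        """Inject one frame on an attachment circuit; return (deliveries to ACs, frames switched).
        max_frames caps the simulation so a forwarding loop terminates instead of hanging."""
        queue = deque([(pe, in_ac)])
        delivered: List[Tuple[str, str]] = []
        frames = 0
        while queue and frames < max_frames:
            here, port = queue.popleft()
            frames += 1
            for out in self.vsis[here].receive(src_mac, dst_mac, port):
                if out.startswith("pw:"):
                    # The remote PE sees the frame arriving on its pseudowire from "here".
                    queue.append((out[3:], f"pw:{here}"))
                else:
                    delivered.append((here, out))
        return delivered, frames


def demo(split_horizon: bool = True):
    """Constructed scenario: unknown-destination flood from site A, then the reply from B."""
    net = VplsNetwork({"PE1": ["ac:A"], "PE2": ["ac:B"], "PE3": ["ac:C"]}, split_horizon)
    first = net.send("PE1", "ac:A", "aa", "bb", max_frames=50)   # dst unknown -> flooded
    reply = net.send("PE2", "ac:B", "bb", "aa", max_frames=50)   # dst learnt -> unicast
    return net, first, reply


if __name__ == "__main__":
    net, first, reply = demo()
    print("flood:", first, "reply:", reply, "PE1 table:", net.vsis["PE1"].mac_table)
    print("without split horizon the flood never ends:", demo(split_horizon=False)[1][1], "frames")
```

With split horizon the flood costs exactly one frame per PE and the reply is unicast along the learnt pseudowire; without it the same flood circulates between the PEs until the frame cap is hit, and the source MAC keeps "moving" between pseudowires in the MAC tables, which is the symptom a MAC-move alarm on a real PE reports.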

Page 8: MPLS and MD-VPN Deployment

• Widely deployed in European NRENs
  – In the beginning, MPLS targeted the core of the backbone; now "small MPLS switches" are positioned close to the end users in order to extend the service up to the end client
• Multi-AS backbone
  – Solutions A, B and C (RFC 4364)
• MD-VPN aims to extend the MPLS-VPN service over multiple domains using a hierarchical design
• MD-VPN aims to offer the European scientific community a bundle of new network services (L2-L3 VPN) that are easy and quick to access

Page 9: GÉANT VPN services

• GÉANT IP
• GÉANT L3VPN
• GÉANT Plus
• GÉANT Lambda
• GÉANT Open
• GÉANT MDVPN
• GÉANT Bandwidth-on-Demand

Page 10: MD-VPN provides a seamless, scalable transport infrastructure

• A joint service provided by the GÉANT network and NRENs
• A seamless transport infrastructure for point-to-point or multipoint transmission:
  – Multi-domain networking
  – Layer 3 or Layer 2 VPNs spanning several domains

[Figure: MD-VPN service types: L3VPN, MP L2VPN, P2P L2VPN, IPv4, IPv6]

Page 11: What is MD-VPN?

http://www.scottcochrane.com

• MD-VPN is based on well-known and proven technology
  – available right now in almost all boxes
  – MPLS and BGP protocols
  – No material investment required; only a small piece of configuration is needed
• High scalability
  – Hierarchical architecture
  – Independent signalling for transport paths and services
  – The total number of provisioned VPNs has no impact on the GÉANT and NREN core
  – VPNs are multiplexed in the core, so the service is provisioned only on the edge routers
  – OPEX reduction for GÉANT and NRENs
  – No CAPEX investment
  – Service lead time dramatically reduced

Page 12: What is MD-VPN?

• Added-value service for end-users
  – Dedicated virtual network
  – Safe infrastructure
  – Security OPEX saved on site
  – No firewall needed

[Figure: Site A, Site B and Site C joined in a Safe Inter-university Research and Educational Network (S.I.R.E.N.)]

Page 13: MD-VPN service: highly scalable, seamless transport infrastructure

[Figure: key properties of the service: configure only at the edge (VPN multiplexing); configure only once; an end-to-end, extensible and flexible service; high scalability; lead time reduced; reduced OPEX]

Page 14: MD-VPN technical principle overview

• Underlying principle behind this Multi-Domain VPN technology
  – The LSP is extended from a PE up to the remote PE in another domain
  – Signalling is split in 2 parts:
    – Signalling for the multi-domain MPLS path between PE routers, thanks to a BGP peering with the labelled-unicast SAFI (internal route)
    – Signalling for VPN labels and prefix exchange between PE routers (external route), thanks to an external BGP VPNv4 family peering
  – GÉANT implements Carrier of Carriers (CoC), providing transparent transport of VPN traffic (the configuration is close to a simple VRF)

[Figure: label exchange (BGP protocol) in the MD-VPN service for L3VPN and L2VPN (Kompella). NREN A, GÉANT and NREN B, each with PE, ABR and RR routers; SSP, SDP and VPN-proxy; VPN1 at both ends. Multi-hop VPNv4 e-BGP between the PEs, BGP labelled unicast between the domains]

Page 15: MD-VPN technical principle overview

• Number of BGP peerings reduced by the VPN Route Reflector (VRR)
• P2P L2VPN using LDP (Martini): the labels are exchanged with the LDP protocol

[Figure: label exchange in the MD-VPN service (using the LDP protocol for L2 VPN services). NREN A, GÉANT and NREN B, each with PE, ABR and RR routers; SSP, SDP and VPN-proxy; VPN1 at both ends. Targeted LDP between the PEs, BGP labelled unicast between the domains]

Page 16: Carrier of Carriers / hierarchical VPN

• Transparent transport technology
• Scalability in the core
  – Label hierarchy and...
  – No MAC learning and/or prefixes for end-user traffic
  – No VLAN ID negotiations between NRENs and GÉANT

Page 17: Interoperability with non-MPLS domains

• VPN-PROXY
  – Provides the ASBR, PE and VPN route exchange features
  – Used if:
    – the NREN is not MPLS-aware
    – you do not want to extend the service (external partner)

[Figure: GÉANT (AS 2995) connected to an NREN (AS 1) that is not MPLS-aware by a back-to-back connection (VRF BIO, VRF ASTRO, …) on the logical router ASBR-GEANT. The VPN-Proxy plays the role of ASBR + PE + route exchange. VRR = VPN-Route-Reflector]

Page 18: Detailed design

[Figure: GÉANT between NREN-A and NREN B. NREN-A: CPE-NREN-A-VPN-ASTRO, PE-RENATER, RR-NREN-A, ASBR-NREN-A; GÉANT: ASBR-1-GEANT, ASBR-2-GEANT; NREN B: ASBR-NREN-B, RR-NREN-B, PE-NREN-B, CPE-NREN-B-VPN-ASTRO; VPN-Route-Reflector with multi-hop e-BGP VPNv4 peerings (no next-hop self)]

Legend:
– Physical connections
– Peering labeled-unicast
– Peering BGP VPNv4
– Peering multi-hop e-BGP VPNv4 (no next-hop self)
– VRF ASTRO: RT 22:30
– VRF BIO: RT 22:32
– VRF CoC: RT 23:30
– VRF md-vpn1: RT 33:10
– VRF md-vpn2: RT 13092:17
– L2Circuit toward AMRES
– L2Circuit PE-RENATER to PE-REMOTE-NREN
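How the VPNv4 route exchange of the technical-principle slide keeps the VRFs of this design apart, and what the "dedicated virtual network" of the What is MD-VPN slide actually depends on, as an added Python example that is not the project's code or configuration. The PE names and the route targets 22:30 (ASTRO) and 22:32 (BIO) are taken from the design above; the route distinguishers, loopbacks, prefixes, label numbers and the `find_rt_leaks` audit are constructed for the example.

```python
"""VPNv4 route distribution with route distinguishers (RD) and route targets (RT)
between PEs and a VPN route reflector. Added example; PE names and RTs follow the
slides, RDs, loopbacks, prefixes and label numbers are constructed."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class VpnRoute:
    rd: str                 # route distinguisher: keeps overlapping customer prefixes distinct
    prefix: str
    next_hop: str           # PE loopback, reachable through the labelled-unicast path
    vpn_label: int          # inner label the egress PE maps back to its VRF
    rts: FrozenSet[str]     # route-target extended communities


@dataclass
class Vrf:
    name: str
    rd: str
    export_rts: Set[str]
    import_rts: Set[str]
    local_prefixes: List[str] = field(default_factory=list)
    table: Dict[Tuple[str, str], VpnRoute] = field(default_factory=dict)  # (rd, prefix) -> route


class Pe:
    def __init__(self, name: str, loopback: str):
        self.name, self.loopback = name, loopback
        self.vrfs: Dict[str, Vrf] = {}
        self._next_label = 1000           # labels are only locally significant to this PE

    def add_vrf(self, vrf: Vrf) -> None:
        self.vrfs[vrf.name] = vrf

    def export_routes(self) -> List[VpnRoute]:
        """Advertise every local VRF prefix as a VPNv4 route tagged with the VRF's export RTs."""
        routes = []
        for vrf in self.vrfs.values():
            for prefix in vrf.local_prefixes:
                self._next_label += 1
                routes.append(VpnRoute(vrf.rd, prefix, self.loopback, self._next_label,
                                       frozenset(vrf.export_rts)))
        return routes

    def import_routes(self, routes: List[VpnRoute]) -> None:
        """Install a reflected route in every VRF whose import RTs intersect the route's RTs."""
        for r in routes:
            if r.next_hop == self.loopback:
                continue                                  # our own advertisements
            for vrf in self.vrfs.values():
                if vrf.import_rts & r.rts:
                    vrf.table[(r.rd, r.prefix)] = r


class VpnRouteReflector:
    """Collects the VPNv4 routes of all PEs and reflects the whole set; it does not filter on RT."""
    def __init__(self):
        self.rib: List[VpnRoute] = []

    def learn(self, routes: List[VpnRoute]) -> None:
        self.rib.extend(routes)

    def reflect(self) -> List[VpnRoute]:
        return list(self.rib)


def distribute(pes: List[Pe], rr: VpnRouteReflector) -> None:
    for pe in pes:
        rr.learn(pe.export_routes())
    for pe in pes:
        pe.import_routes(rr.reflect())


def find_rt_leaks(pes: List[Pe], intended_rts: Dict[str, Set[str]]):
    """Audit: list imported routes carrying an RT that the VRF's plan does not allow."""
    leaks = []
    for pe in pes:
        for vrf in pe.vrfs.values():
            for (_rd, prefix), r in vrf.table.items():
                unexpected = r.rts - intended_rts[vrf.name]
                if unexpected:
                    leaks.append((pe.name, vrf.name, prefix, sorted(unexpected)))
    return leaks


INTENDED = {"ASTRO": {"22:30"}, "BIO": {"22:32"}}   # RT plan taken from the detailed design


def build_scenario(bio_import_on_nren_b: Set[str]) -> List[Pe]:
    """Two PEs, two VRFs each; ASTRO and BIO on PE-RENATER deliberately use the same prefix."""
    pe_renater = Pe("PE-RENATER", "192.0.2.1")
    pe_renater.add_vrf(Vrf("ASTRO", "65000:30", {"22:30"}, {"22:30"}, ["10.1.0.0/24"]))
    pe_renater.add_vrf(Vrf("BIO", "65000:32", {"22:32"}, {"22:32"}, ["10.1.0.0/24"]))
    pe_nren_b = Pe("PE-NREN-B", "192.0.2.2")
    pe_nren_b.add_vrf(Vrf("ASTRO", "65001:30", {"22:30"}, {"22:30"}, ["10.2.0.0/24"]))
    pe_nren_b.add_vrf(Vrf("BIO", "65001:32", {"22:32"}, bio_import_on_nren_b, ["10.3.0.0/24"]))
    pes = [pe_renater, pe_nren_b]
    distribute(pes, VpnRouteReflector())
    return pes


if __name__ == "__main__":
    print("leaks, correct plan:", find_rt_leaks(build_scenario({"22:32"}), INTENDED))
    print("leaks, BIO also imports 22:30:", find_rt_leaks(build_scenario({"22:32", "22:30"}), INTENDED))
```

The reflector hands every PE every route; the RD keeps the two identical 10.1.0.0/24 prefixes apart, and only the VRF import policy decides which customer sees which. One extra RT in an import list silently merges two VPNs without any alarm on the core, which is why a "no firewall needed" deployment still needs the import lists of every PE checked against the RT plan, as `find_rt_leaks` does here.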

Page 19: Alternative design

[Figure: same topology and legend as the detailed design on page 18 (GÉANT between NREN-A and NREN B; CPE-NREN-A-VPN-ASTRO, PE-RENATER, RR-NREN-A, ASBR-NREN-A, ASBR-1-GEANT, ASBR-2-GEANT, ASBR-NREN-B, PE-NREN-B, CPE-NREN-B-VPN-ASTRO, VPN-Route-Reflector; physical connections, labeled-unicast peerings, BGP VPNv4 peerings, multi-hop e-BGP VPNv4 peerings with no next-hop self; VRF ASTRO RT 22:30, VRF BIO RT 22:32, VRF CoC RT 23:30, VRF md-vpn1 RT 33:10, VRF md-vpn2 RT 13092:17; L2Circuit toward AMRES, L2Circuit PE-RENATER to PE-REMOTE-NREN), with the annotations:]

• The VPN is propagated internally by any other internal means: VLAN, dedicated link, other solutions …
• MPLS is enabled only on the AS Border Router

Page 20: Intermediate result

• Tests realised by SA3T3 on the SA3T3 testbed (Cisco, Juniper), full mesh of pseudowires topology
• Security investigation
• Availability
  – A bug in JunOS on the VPN-Route-Reflector slows down the MD-VPLS roll-out
  – Planned to be available at the beginning of GN4

VPLS

Signalling | Autodiscovery | Inter-AS result | Comment
Target-LDP | No | OK | Manual configuration of the full mesh of pseudowires; less scalable
MP-BGP | BGP | OK | Pseudowires automatically established; bug discovered, upgrade, test ongoing
Target-LDP | BGP | OK | Pseudowires automatically established; bug discovered, upgrade version, test ongoing

Page 21: MD-VPN offers a new way of cooperating

• MD-VPN enables a new way for GÉANT and NRENs to cooperate, which significantly increases network scalability from a service point of view
• A collaboration to manage:
  – VPN provisioning
  – Monitoring
  – Troubleshooting
• Ensure Operational Level Agreement commitments are achieved

Page 22: Deployment Status

• Setting up the pilot phase
  – Setting up the GÉANT pilot, during 2014
  – Feature-proofed on production infrastructure
  – 18 NRENs connected
  – 3 NRENs committed to connect
• Pilot generalisation phase
  – Service reliability long-term assessment
  – Operation implementation
  – Roll-out on 22/07/2014
  – Service validation period 01/08/2014 – 31/10/2014
• MD-VPN service in the GÉANT portfolio Q4 Year 1

Page 23: Deployment status

• A first scientific project: XiFi. XIFI is a project of the European Public-Private-Partnership on Future Internet (FI-PPP) programme
  http://infographic.lab.fi-ware.org/status

[Figure: map of the MD-VPN deployment. NRENs: GÉANT, NORDUnet (SUnet, DeiC, FUnet), Litnet, HEAnet, FCCN, RENATER, RedIRIS, GARR, DFN, AMRES, PSNC, CESNET, GRNET, BELnet. XiFi sites: TSSG, Sevilla, Malaga, Lannion, Trento, Berlin, Com4Innov, Uni Thessaly, Iminds. Legend: NREN currently connected; NREN nearly connected; active XiFi L3 VPN; future XiFi L3 VPN]

Page 24: SA3T3 International testbed

[Figure: SA3T3 international testbed, 15th June 2013]

Page 25: MD-VPN use cases: a wide scope for MD-VPN use

• All scientific projects based on international collaboration
  – LHCONE is an example of a successful multi-domain L3VPN service
  – ITER, CONFINE
• Quick P2P connection
  – Conference demonstration
  – P2P data transport between two sites
• Distributed infrastructure over multiple domains
  – Cloud provider
  – Grid, HPC centre
  – Scientific infrastructure: telescope, sensor network
• …

Page 26: MD-VPN use cases: a wide scope for MD-VPN use

[Figure: layered view: Users, User Network Interface, Innovation, MD-VPN, Optical transport]

• MD-VPN as a transparent data transport layer for higher-level network services like SDN, BoD, … and in general for future internet projects
• Education
  – Remote lecture
  – E-learning

Page 27: Multi-Domain VPN summary

• An innovative and highly scalable design
  – Seamless transport infrastructure
• A bundle of services (IPv4, IPv6, P2P L2VPN, L3VPN) with added value for our users that is available now; VPLS is planned to be available during GN4
• An original and useful service, unavailable in a commercial NSP portfolio
• Broad European deployment
  – 18 connected NRENs, 3 NRENs committed to connect
• A FI-PPP project, XiFi, selected GÉANT's MD-VPN to provide its network infrastructure