Mpls10s07-Mpls VPN Technology


  • 8/14/2019 Mpls10s07-Mpls VPN Technology

    1/108

    2001, Cisco Systems, Inc.

MPLS VPN Technology

    Module 7


    Objectives

Upon completion of this lesson, you will be able to perform the following tasks:

Identify major Virtual Private Network topologies, their characteristics and usage scenarios

Describe the differences between overlay VPN and peer-to-peer VPN

List major technologies supporting overlay VPNs and peer-to-peer VPNs

Position MPLS VPN in comparison with other peer-to-peer VPN implementations

Describe major architectural blocks of MPLS VPN


Introduction to Virtual Private Networks



    Objectives

Upon completion of this section, you will be able to perform the following tasks:

Describe the concept of VPN

Explain VPN terminology as defined by MPLS VPN architecture


Virtual Private Networks

Virtual Private Networks (VPNs) replace dedicated point-to-point links with emulated point-to-point links sharing common infrastructure.

Customers use VPNs primarily to reduce their operational costs.

Figure: a service provider network connecting a customer site and a large customer site; each site's customer premises equipment (CPE) router attaches to a provider edge (PE) device (a Frame Relay switch), provider core devices sit in between, and two virtual circuits, VC #1 and VC #2, emulate the point-to-point links.


VPN Terminology

Customer network (C-network): the part of the network still under customer control

Provider network (P-network): the service provider infrastructure used to provide VPN services

Customer Site: a contiguous part of the customer network (can encompass many physical locations)

Figure: a customer site and a large customer site attached to the service provider network.


VPN Terminology

Customer edge (CE) device: the device in the C-network that links into the P-network; also called customer premises equipment (CPE)

Provider edge (PE) device: the device in the P-network to which the CE devices are connected

Provider (P) device: the device in the P-network with no customer connectivity

Figure: a customer site and a large customer site attached to the service provider network.


VPN Terminology Specific to Switched WANs

Virtual Circuit (VC): emulated point-to-point link established across shared Layer 2 infrastructure

A permanent virtual circuit (PVC) is established through out-of-band means (network management) and is always active.

A switched virtual circuit (SVC) is established through CE-PE signaling on demand from the CE device.

Figure: customer sites with CPE routers connected through PE devices (Frame Relay switches) and a P device in the service provider network over VC #1 and VC #2.


Summary

After completing this section, you should be able to perform the following tasks:

Describe the concept of VPN

Explain VPN terminology as defined by MPLS VPN architecture


Review Questions

Why are customers interested in Virtual Private Networks?

What is the main role of a VPN?

What is a C-network?

What is a customer site?

What is a CE-router?

What is a P-network?

What is the difference between a PE-device and a P-device?


Overlay and Peer-to-Peer VPN



Objectives

Upon completion of this section, you will be able to perform the following tasks:

Describe the differences between overlay and peer-to-peer VPN

Describe the benefits and drawbacks of each VPN implementation option

List major technologies supporting overlay VPNs

Describe traditional peer-to-peer VPN implementation options


VPN Implementation Technologies

VPN services can be offered based on two major paradigms:

Overlay VPNs, in which the service provider provides virtual point-to-point links between customer sites

Peer-to-Peer VPNs, in which the service provider participates in the customer routing


Overlay VPN Implementation (Frame Relay Example)

Figure: customer sites with Routers A, B, C and D attached to Frame Relay edge switches (the PE devices) in the service provider network, interconnected by virtual circuits VC #1, VC #2 and VC #3.


Layer 3 Routing in Overlay VPN Implementation

Service provider infrastructure appears as point-to-point links to customer routers.

Routing protocols run directly between customer routers.

Service provider does not see customer routes and is responsible only for providing point-to-point transport of customer data.

Figure: customer Routers A, B, C and D connected by the emulated point-to-point links.


Overlay VPN Layer 1 Implementation

This is the traditional TDM solution:

Service provider establishes physical-layer connectivity between customer sites.

Customer takes responsibility for all higher layers.

Figure: protocol stack with ISDN, E1, T1, DS0, SDH and SONET at the physical layer, PPP or HDLC above it, and IP on top.


Overlay VPN Layer 2 Implementation

This is the traditional switched WAN solution:

Service provider establishes Layer 2 virtual circuits between customer sites.

Customer takes responsibility for all higher layers.

Figure: protocol stack with X.25, Frame Relay or ATM at Layer 2 and IP on top.


Overlay VPN Layer 2 Forwarding

VPN is implemented with PPP-over-IP tunnels:

Usually used in access environments (dialup, digital subscriber line)

Figure: protocol stack with PPP carried over IP by Layer 2 Tunnel Protocol (L2TP), Layer 2 Forwarding Protocol (L2F) or Point-to-Point Tunneling Protocol (PPTP), with IP on top.


Peer-to-Peer VPN Concept

Routing information is exchanged between CE and PE routers.

PE routers exchange customer routes through the core network.

Finally, the customer routes propagated through the PE network are sent to other CE routers.

Figure: customer sites with Routers A, B, C and D, each attached to a PE router in the service provider network.


Peer-to-Peer VPN with Controlled Route Distribution

Each customer has a dedicated PE router that carries only its routes.

The P-router contains all customer routes.

Customer isolation is achieved through lack of routing information on the PE router.

Figure: a point of presence (POP) with a dedicated PE router for Customer A (sites #1 and #2) and another for Customer B (site #1), both connected by uplinks to a P router in the service provider network.


Benefits of Various VPN Implementations

Overlay VPN:

Well-known and easy to implement.

Service provider does not participate in customer routing.

Customer network and service provider network are well isolated.

Peer-to-peer VPN:

Guarantees optimum routing between customer sites.

Easier to provision an additional VPN.

Only the sites are provisioned, not the links between them.



Drawbacks of Various VPN Implementations

Overlay VPN:

Implementing optimum routing requires full mesh of virtual circuits.

Virtual circuits have to be provisioned manually.

Bandwidth must be provisioned on a site-to-site basis.

Overlay VPNs always incur encapsulation overhead.

Peer-to-peer VPN:

Service provider participates in customer routing.

Service provider becomes responsible for customer convergence.

PE routers carry all routes from all customers.

Service provider needs detailed IP routing knowledge.



Drawbacks of Traditional Peer-to-Peer VPNs

Shared PE router:

All customers share the same (provider-assigned or public) address space.

High maintenance costs are associated with packet filters.

Performance is lower, since each packet has to pass a packet filter.

Dedicated PE router:

All customers share the same address space.

Each customer requires a dedicated router at each POP.


VPN Taxonomy

Virtual Networks
    Virtual Dialup Networks
    Virtual LANs
    Virtual Private Networks
        Peer-to-Peer VPN
            Access Lists (Shared Router)
            Split Routing (Dedicated Router)
            MPLS VPN
        Overlay VPN
            Layer 2 VPN: X.25, Frame Relay, ATM
            Layer 3 VPN: IPSec, GRE


Summary

After completing this section, you should be able to perform the following tasks:

Describe the differences between overlay and peer-to-peer VPN

Describe the benefits and drawbacks of each VPN implementation option

List major technologies supporting overlay VPNs

Describe traditional peer-to-peer VPN implementation options


Review Questions

What is an overlay VPN?

Which routing protocol runs between the customer and the service provider in an overlay VPN?

Which routers are routing protocol neighbors of a CE-router in overlay VPN?

List three IP-based overlay VPN technologies.

What is the major benefit of peer-to-peer VPN as compared to overlay VPN?

List two traditional peer-to-peer VPN implementations.

What is the drawback of all traditional peer-to-


Major VPN Topologies



Objectives

Upon completion of this section, you will be able to perform the following tasks:

Identify major VPN topologies

Describe the implications of using overlay VPN or peer-to-peer VPN approach with each topology

List sample usage scenarios for each topology


VPN Topology Categorization

Overlay VPNs are categorized based on the topology of the virtual circuits:

(Redundant) Hub and spoke topology

Partial mesh topology

Full mesh topology

Multilevel topology combines several levels of overlay VPN topologies



Overlay VPN Hub-and-Spoke Topology

Figure: a central site (hub) router attached to the service provider network, with a virtual circuit to each of four remote sites (spokes).



Overlay VPN Redundant Hub-and-Spoke Topology

Figure: four remote sites (spokes), each with virtual circuits through the service provider network to the central site (hub) router and to redundant central site routers.



Overlay VPN Partial Mesh

Figure: sites in Moscow, Sydney, Guam, Berlin, Hong Kong and New York interconnected by a partial mesh of virtual circuits (Frame Relay Data-Link Connection Identifiers).


VPN Business Categorization

VPNs can be categorized on the business needs they fulfill:

Intranet VPN connects sites within an organization.

Extranet VPN connects different organizations in a secure way.

Access VPN (VPDN) provides dialup access into a customer network.



Extranet VPN: Overlay VPN Implementation

Figure: GlobalMotors, AirFilters Inc., BoltsAndNuts and SuperBrakes Inc., each behind a firewall, connected through Frame Relay switches in the provider IP backbone by Frame Relay VCs (DLCIs).



Extranet VPN: Peer-to-Peer VPN Implementation

Figure: GlobalMotors, AirFilters Inc., BoltsAndNuts and SuperBrakes Inc., each behind a firewall, attached to PE routers in the provider IP backbone.



VPN Connectivity Categorization

VPNs can also be categorized by the connectivity required between sites:

Simple VPN: every site can communicate with every other site.

Overlapping VPN: some sites participate in more than one simple VPN.

Central Services VPN: all sites can communicate with central servers, but not with each other.

Managed Network: a dedicated VPN is established to manage CE routers.


Central Services Extranet

Figure: a service provider extranet infrastructure with VoIP gateways in London, Amsterdam and Paris, reachable by Customer A, Customer B and Customer C over the service provider network.


Summary

After completing this section, you should be able to perform the following tasks:

Identify major VPN topologies

Describe the implications of using overlay VPN or peer-to-peer VPN approach with each topology

List sample usage scenarios for each topology


Review Questions

What are the major Overlay VPN topologies?

Why would the customers prefer partial mesh over full mesh topology?

What is the difference between an Intranet and an Extranet?

What is the difference between a simple VPN and a Central Services VPN?

What are the connectivity requirements of a Central Services


MPLS VPN Architecture



MPLS VPN Architecture

MPLS VPN combines the best features of overlay VPN and peer-to-peer VPN:

PE routers participate in customer routing, guaranteeing optimum routing between sites and easy provisioning.

PE routers carry a separate set of routes for each customer (similar to the dedicated PE router approach).

Customers can use overlapping addresses.


MPLS VPN Terminology

Figure: Customer A sites #1 to #4 and Customer B sites #1 to #4 (some with remote offices and CE routers) attached to PE routers at POP-X and POP-Y, with P routers inside the P-network.


Routing Information Propagation Across the P-Network

Q: How will PE routers exchange customer routing information?

A1: Run a dedicated Interior Gateway Protocol (IGP) for each customer across the P-network.

Wrong answer: the solution does not scale. P routers carry all customer routes.

Figure: PE Router X and PE Router Y, each serving Customers A, B and C, with a separate IGP for each customer running across the P router in the P-network.

    ou ng n orma on

  • 8/14/2019 Mpls10s07-Mpls VPN Technology

    52/108

    2001, Cisco Systems, Inc. MPLS v1.07-52

Routing Information Propagation Across the P-Network (cont.)

Q: How will PE routers exchange customer routing information?

A: Run a single routing protocol that will carry all customer routes inside the provider backbone.

Better answer, but still not good enough: P routers carry all customer routes.

Figure: PE Router X and PE Router Y serving Customers A, B and C, with one dedicated routing protocol used to carry customer routes across the P router in the P-network.

    ou ng n orma on

  • 8/14/2019 Mpls10s07-Mpls VPN Technology

    53/108

    2001, Cisco Systems, Inc. MPLS v1.07-53

Routing Information Propagation Across the P-Network (cont.)

Q: How will PE routers exchange customer routing information?

A: Run a single routing protocol that will carry all customer routes between PE routers. Use MPLS labels to exchange packets between PE routers.

The best answer: P routers do not carry customer routes; the solution is scalable.

Figure: PE Router X and PE Router Y serving Customers A, B and C, with a dedicated routing protocol carrying customer routes between the PE routers only, across the P router in the P-network.

    ou ng n orma on

  • 8/14/2019 Mpls10s07-Mpls VPN Technology

    54/108

    2001, Cisco Systems, Inc. MPLS v1.07-54

Routing Information Propagation Across the P-Network (cont.)

Q: Which protocol can be used to carry customer routes between PE routers?

A: The number of customer routes can be very large. BGP is the only routing protocol that can scale to a very large number of routes.

Conclusion: BGP is used to exchange customer routes directly between PE routers.

Figure: PE Router X and PE Router Y serving Customers A, B and C, with a dedicated routing protocol carrying customer routes between the PE routers across the P router in the P-network.

    ou ng n orma on

  • 8/14/2019 Mpls10s07-Mpls VPN Technology

    55/108

    2001, Cisco Systems, Inc. MPLS v1.07-55

Routing Information Propagation Across the P-Network (cont.)

Q: Customers can have overlapping address spaces. How will information about the same subnet of two customers be propagated via a single routing protocol?

A: Customer addresses are extended with a 64-bit prefix (route distinguisher, RD) to make them unique. Unique 96-bit addresses are exchanged between PE routers.

Figure: PE Router X and PE Router Y serving Customers A, B and C, with a dedicated routing protocol carrying customer routes between the PE routers across the P router in the P-network.



Route Distinguisher

The RD is a 64-bit quantity prepended to an IP version 4 (IPv4) address to make it globally unique.

The resulting 96-bit address is called a VPNv4 address.

VPNv4 addresses are exchanged only via BGP between PE routers.

BGP that supports address families other than IPv4 addresses is called multiprotocol BGP (MP-BGP).



Route Distinguisher Usage in an MPLS VPN

The CE-router sends an IPv4 routing update to the PE-router.

A 64-bit Route Distinguisher is prepended to the customer IPv4 prefix to make it globally unique, resulting in a 96-bit VPNv4 prefix.

A 96-bit VPNv4 prefix is propagated via BGP to the other PE router.

Figure: PE 1 and PE 2 in the P-network, each with a Customer A site and a Customer B site attached.



Route Distinguisher Usage in an MPLS VPN

The RD is removed from the VPNv4 prefix, resulting in a 32-bit IPv4 prefix.

The PE router sends the resulting IPv4 prefix to the CE router.

Figure: PE 1 and PE 2 in the P-network, each with a Customer A site and a Customer B site attached.
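The RD handling described on the route distinguisher slides above, as an added Python example that is not part of the Cisco course material: it packs a type 0 "ASN:nn" route distinguisher (RFC 4364 layout: 2-byte type, 2-byte AS number, 4-byte assigned number), prepends it to the IPv4 network address to get the 96-bit VPNv4 prefix an ingress PE would advertise, and strips it again the way the egress PE does before handing the route to the CE. The AS number 65000, the assigned numbers 100 and 200 and the prefix 10.1.1.0/24 are constructed values.

```python
import ipaddress
import struct


def encode_rd(asn: int, assigned: int) -> int:
    """Type 0 route distinguisher "ASN:nn" as a 64-bit integer (RFC 4364 layout)."""
    if not (0 <= asn < 2**16 and 0 <= assigned < 2**32):
        raise ValueError("RD administrator or assigned number out of range")
    return int.from_bytes(struct.pack("!HHI", 0, asn, assigned), "big")


def to_vpnv4(rd: int, prefix: str):
    """Ingress PE: prepend the 64-bit RD to the 32-bit IPv4 network address.

    Returns (vpnv4_value, prefix_length); the value is the 96-bit VPNv4 address.
    """
    net = ipaddress.IPv4Network(prefix, strict=True)
    return (rd << 32) | int(net.network_address), net.prefixlen


def vpnv4_bytes(vpnv4: int) -> bytes:
    """The 96-bit VPNv4 address as 12 bytes (8 bytes of RD, then 4 of IPv4)."""
    return vpnv4.to_bytes(12, "big")


def rd_of(vpnv4: int) -> str:
    """Recover the "ASN:nn" text form of the RD from a VPNv4 value."""
    _type, asn, assigned = struct.unpack("!HHI", (vpnv4 >> 32).to_bytes(8, "big"))
    return f"{asn}:{assigned}"


def strip_rd(vpnv4: int, prefixlen: int) -> str:
    """Egress PE: drop the RD and hand the plain 32-bit IPv4 prefix to the CE."""
    ipv4 = vpnv4 & 0xFFFFFFFF
    return str(ipaddress.IPv4Network((ipv4, prefixlen)))


def demo() -> dict:
    # Constructed scenario: customers A and B both number a site 10.1.1.0/24.
    rd_a = encode_rd(65000, 100)  # RD configured on the VRF for customer A
    rd_b = encode_rd(65000, 200)  # RD configured on the VRF for customer B
    va, plen = to_vpnv4(rd_a, "10.1.1.0/24")
    vb, _ = to_vpnv4(rd_b, "10.1.1.0/24")
    return {
        "distinct": va != vb,              # the same IPv4 prefix became two VPNv4 prefixes
        "bits": len(vpnv4_bytes(va)) * 8,  # 96
        "rd_a": rd_of(va),
        "ipv4_back": strip_rd(va, plen),   # what the remote CE receives
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Overlap is resolved purely by the RD: MP-BGP never compares the 32-bit part alone, so two customers' 10.1.1.0/24 routes coexist in the same BGP table and each egress PE strips the RD only after the route has landed in the right VRF.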


Complex VPN: Sample VoIP Service

Requirements:

All sites of one customer need to communicate.

Central sites of both customers need to communicate with VoIP gateways and other central sites.

Other sites from different customers do not communicate with each other.

Figure: Customer A (central site, site 1, site 2) and Customer B (central site, site 1, site 2) attached to PE Router X and PE Router Y across a P router in the P-network, with two VoIP gateways.



Sample VoIP Service: Connectivity Requirements

Figure: connectivity requirements between Central Site A, Site A-1 and Site A-2 (Customer A), Central Site B, Site B-1 and Site B-2 (Customer B), and the VoIP gateways at POP-X and POP-Y.



Route Targets

Some sites have to participate in more than one VPN; the RD cannot identify participation in more than one VPN.

A different method is needed in which a set of identifiers can be attached to a route.

Route targets (RTs) were introduced in the MPLS VPN architecture to support complex VPN topologies.



What Are Route Targets?

Route targets (RTs) are additional attributes attached to VPNv4 BGP routes to indicate VPN membership.

Extended BGP communities are used to encode these attributes.

Extended communities carry the meaning of the attribute together with its value.

Any number of RTs can be attached to a single route.



How Do Route Targets Work?

Export RTs identifying VPN membership are appended to the customer route when it is converted into a VPNv4 route.

Each virtual routing table has a set of associated import RTs that select routes to be inserted into the virtual routing table.

Route targets usually identify VPN membership, but they can also be used in more complex scenarios.



Virtual Private Networks Redefined

With the support of complex VPN topologies, VPNs have to be redefined:

A VPN is a collection of sites sharing common routing information.

A site can be part of different VPNs.

A VPN can be seen as a community of interest (closed user group, CUG).


Impact of Complex VPN Topologies on Virtual Routing Tables

A virtual routing table in a PE router can be used only for sites with identical connectivity requirements.

Complex VPN topologies require more than one virtual routing table per VPN.

As each virtual routing table requires a distinct RD value, the number of RDs in the MPLS VPN network increases.


Sample VoIP Service: Virtual Routing Tables

Central Site A needs its own routing table.

Central Site B needs its own routing table.

Site A-1 and A-2 can share the same routing table.

Site B-1 and B-2 can share the same routing table.

Voice gateways can share routing tables.

Figure: Central Site A, Site A-1 and Site A-2 (Customer A), Central Site B, Site B-1 and Site B-2 (Customer B), and the VoIP gateways at POP-X and POP-Y, grouped into the routing tables listed above.
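The export/import mechanism from "How Do Route Targets Work?" applied to the five virtual routing tables of the sample VoIP service, as an added Python example that is not part of the original course material. Each VRF converts its CE routes into VPNv4 routes tagged with its export RTs, every VRF then imports any route whose RT set intersects its own import set, and the reachability checks at the end reproduce the three connectivity requirements of the VoIP service. The RT values (one per customer plus one for the VoIP extranet), the RD values, the VRF names and the site prefixes are all constructed; Site A-1 and Site B-1 are given the same prefix on purpose to show that a site-local overlap is harmless as long as no VRF imports both.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class VpnRoute:
    rd: str            # RD of the originating VRF, "ASN:nn" form
    prefix: str        # customer IPv4 prefix
    origin: str        # originating site (demo bookkeeping, not a BGP attribute)
    rts: frozenset     # export route targets carried as extended communities


@dataclass
class Vrf:
    name: str
    rd: str
    export_rts: frozenset
    import_rts: frozenset
    sites: tuple
    table: dict = field(default_factory=dict)   # prefix -> originating site


# Constructed route targets: one per customer plus one for the VoIP extranet.
RT_A, RT_B, RT_VOIP = "65000:1", "65000:2", "65000:100"

# Constructed site addressing. Site A-1 and Site B-1 deliberately overlap;
# their RDs keep them distinct in MP-BGP and no VRF ever imports both.
SITE_PREFIX = {
    "Central Site A": "10.0.0.0/24", "Site A-1": "10.0.1.0/24", "Site A-2": "10.0.2.0/24",
    "Central Site B": "10.9.0.0/24", "Site B-1": "10.0.1.0/24", "Site B-2": "10.9.2.0/24",
    "VoIP Gateway X": "192.0.2.0/28", "VoIP Gateway Y": "192.0.2.16/28",
}


def build_vrfs():
    """One VRF per group of sites with identical connectivity requirements."""
    return [
        Vrf("A-central", "65000:11", frozenset({RT_A, RT_VOIP}), frozenset({RT_A, RT_VOIP}), ("Central Site A",)),
        Vrf("A-spokes",  "65000:12", frozenset({RT_A}),          frozenset({RT_A}),          ("Site A-1", "Site A-2")),
        Vrf("B-central", "65000:21", frozenset({RT_B, RT_VOIP}), frozenset({RT_B, RT_VOIP}), ("Central Site B",)),
        Vrf("B-spokes",  "65000:22", frozenset({RT_B}),          frozenset({RT_B}),          ("Site B-1", "Site B-2")),
        Vrf("voip-gw",   "65000:31", frozenset({RT_VOIP}),       frozenset({RT_VOIP}),       ("VoIP Gateway X", "VoIP Gateway Y")),
    ]


def export_routes(vrf):
    """Ingress PE: each CE route becomes a VPNv4 route tagged with the VRF's export RTs."""
    return [VpnRoute(vrf.rd, SITE_PREFIX[s], s, vrf.export_rts) for s in vrf.sites]


def import_routes(vrf, vpnv4_routes):
    """Egress PE: install a VPNv4 route when at least one of its RTs is in the import set."""
    for r in vpnv4_routes:
        if r.rts & vrf.import_rts:
            vrf.table[r.prefix] = r.origin


def converge():
    """Run the export step on every VRF, then let every VRF import from the MP-BGP table."""
    vrfs = build_vrfs()
    mp_bgp = [r for v in vrfs for r in export_routes(v)]   # what MP-BGP carries between PEs
    for v in vrfs:
        import_routes(v, mp_bgp)
    return vrfs


def can_reach(vrfs, src_site, dst_site):
    """True if the VRF serving src_site holds dst_site's prefix as originated by dst_site."""
    vrf = next(v for v in vrfs if src_site in v.sites)
    return vrf.table.get(SITE_PREFIX[dst_site]) == dst_site


if __name__ == "__main__":
    for v in converge():
        print(v.name, sorted(v.table))
```

The design choice worth noticing is that the central sites export the extranet RT as well as their customer RT: that single extra tag is what lets them see the gateways and each other, while a spoke that only carries its customer RT can reach neither.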


Benefits of MPLS VPN Technology

MPLS VPN technology has all the benefits of peer-to-peer VPN technology:

Easy provisioning

Optimal routing

It also bypasses most drawbacks of traditional peer-to-peer VPN technologies:

RDs enable overlapping customer address spaces.

RTs enable topologies that were hard to implement with other VPN technologies.


Summary

After completing this section, you should be able to perform the following tasks:

Describe the difference between traditional peer-to-peer models and MPLS VPN

List the benefits of MPLS VPN

Describe major architectural blocks of MPLS VPN

Explain the need for route distinguishers and route targets


Review Questions

How does MPLS VPN support overlapping customer address spaces?

How are customer routes exchanged across the P-network?

What is a route distinguisher?

Why is the RD not usable as VPN identifier?

What is a route target?

Why were the route targets introduced in MPLS VPN architecture?

How are route targets used to build virtual routing tables in the PE routers?

What is the impact of complex VPN topologies on virtual routing tables in the PE routers?


MPLS VPN Routing Model


    Objectives

Upon completion of this section, you will be able to perform the following tasks:

Describe the routing model of MPLS VPN

Describe the MPLS VPN routing model from customer and provider perspectives

Identify the routing requirements of CE-routers, PE-routers and P-routers


MPLS VPN Routing Requirements

Customer routers (CE routers) have to run standard IP routing software.

Provider core routers (P routers) have no VPN routes.

Provider edge routers (PE routers) have to support MPLS VPN and Internet routing.


MPLS VPN Routing: CE Router Perspective

The CE routers run standard IP routing software and exchange routing updates with the PE router.

External BGP (EBGP), Open Shortest Path First (OSPF), RIP version 2 (RIPv2), and static routes are supported.

The PE router appears as another router in the

Figure: an MPLS VPN backbone with a PE router and two CE routers attached to it.


Overall Customer Perspective

To the customer, the PE routers appear as core routers connected via a BGP backbone.

The usual BGP and IGP design rules apply.

The P routers are hidden from the customer.

Figure: site IGPs at the customer sites, each CE router attached to a PE router, with the PE routers forming the BGP backbone.


MPLS VPN Routing: P Router Perspective

P routers do not participate in MPLS VPN routing and do not carry VPN routes.

P routers run backbone IGP with the PE routers and exchange information about global subnets (core links and loopbacks).

Figure: an MPLS VPN backbone with a P router between two PE routers.


    Routing Tables on PE Routers

PE routers contain a number of routing tables:

Global routing table, containing core routes (filled by the core IGP) and Internet routes (filled by IPv4 BGP).

VRF tables, one for each set of sites with identical routing requirements.

VRFs are filled with information from CE routers and with MP-BGP information from other PE routers.

[Figure: routing information flow on a PE router: core IGP toward the P routers, MP-BGP between PE routers, VPN routing with the attached CE routers, IPv4 BGP for Internet routes]

Routing Information Flow (1/3)

PE routers receive IPv4 routing updates from CE routers and install them in the appropriate VRF table.


    MP-BGP Update

An MP-BGP update contains:

VPNv4 address

Extended communities (route targets, optionally Site of Origin, or SOO)

Label used for VPN packet forwarding

Any other BGP attribute (for example, AS path, local preference, multi-exit discriminator (MED), standard community)


    VPNv4 Address

A VPN IPv4 address contains:

RD (64 bits): makes the IPv4 route globally unique. The RD is configured in the PE for each VRF and may or may not be related to a site or a VPN.

IPv4 address (32 bits)

    Extended Communities

64-bit attribute attached to a route; a set of communities can be attached to a single route.

High-order 16 bits identify the extended community type.

RT: identifies the set of sites to which the route must be advertised.

SOO: identifies the originating site.

OSPF route type: identifies the link-state advertisement (LSA) type of an OSPF route redistributed into MP-BGP.

    Display Format

Two display formats are supported:

ASN:nn, using a registered AS number

IP-address:nn, using a registered IP address

Routing Information Flow (3/3)

The receiving PE router imports incoming VPNv4 routes into the appropriate VRF based on the route targets attached to the routes.

Routes installed in a VRF are propagated to the CE routers.

Route Distribution to CE Routers

Route distribution to sites is driven by the SOO and RT extended BGP communities.

A route is installed in the site VRF whose import route targets match the RT attribute.

A PE router that connects sites belonging to multiple VPNs installs the route into a site VRF if the RT attribute contains one or more of the VPNs with which the site is associated.
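The slides above describe the VPNv4 address, the extended communities and the RT-driven import rule in words. The following Python model is an added example written for this page, not code from the course or from Cisco IOS: it encodes an RD in both display formats, forms the 96-bit VPNv4 prefix, encodes RT and SoO extended communities with their type and subtype octets, and applies the import rule, installing one VPNv4 update into every VRF whose import route targets intersect the RTs carried on the update, including the case of a PE that connects a site to two VPNs. The VRF class, the VRF names and the SoO-based filtering toward a CE (assumed here as the usual multihomed-site use of SoO) are our own constructions; RD 100:1, the prefixes 203.1.20.0/24 and 12.0.0.0, the next hops and the labels 26 and 38 follow the show outputs reproduced later in this module.

```python
import ipaddress
import struct

# Added model of the MPLS VPN control-plane objects on these slides (RD,
# VPNv4 prefix, RT/SoO extended communities, RT-driven VRF import).  Written
# for this page; not Cisco IOS code.  The VRF class and update dicts are ours.
# Extended community octets (RFC 4360): type 0x00 = two-octet-AS specific,
# 0x01 = IPv4-address specific; subtype 0x02 = Route Target, 0x03 = Site of Origin.
RT, SOO = 0x02, 0x03

def _pack(admin, assigned):
    """6-byte value shared by RDs and extended communities."""
    if isinstance(admin, int):                       # ASN:nn display format
        return 0, struct.pack("!HI", admin, assigned)
    ip = int(ipaddress.IPv4Address(admin))           # IP-address:nn format
    return 1, struct.pack("!IH", ip, assigned)

def _unpack(kind, body):
    if kind == 0:
        asn, nn = struct.unpack("!HI", body)
        return f"{asn}:{nn}"
    ip, nn = struct.unpack("!IH", body)
    return f"{ipaddress.IPv4Address(ip)}:{nn}"

def _parse(text):                                    # "100:1" -> (100, 1)
    admin, nn = text.split(":")
    return (int(admin) if admin.isdigit() else admin), int(nn)

def encode_rd(admin, assigned):
    """64-bit Route Distinguisher: 2-byte type + 6-byte value."""
    kind, body = _pack(admin, assigned)
    return struct.pack("!H", kind) + body

def decode_rd(rd):
    return _unpack(struct.unpack("!H", rd[:2])[0], rd[2:])

def vpnv4_prefix(rd, prefix):
    """96-bit VPNv4 NLRI key: RD (64 bits) + IPv4 network address (32 bits)."""
    net = ipaddress.IPv4Network(prefix)
    return rd + net.network_address.packed, net.prefixlen

def encode_extcomm(subtype, admin, assigned):
    """64-bit extended community: type octet, subtype octet, 6-byte value."""
    kind, body = _pack(admin, assigned)
    return bytes([kind, subtype]) + body

def decode_extcomm(ec):
    return ec[1], _unpack(ec[0], ec[2:])             # (subtype, "admin:nn")

class VRF:
    def __init__(self, name, rd, import_rts, export_rts):
        self.name, self.rd = name, rd
        self.import_rts, self.export_rts = set(import_rts), set(export_rts)
        self.routes = {}                              # VPNv4 key -> update

def export_route(vrf, prefix, next_hop, label, soo=None):
    """Egress PE: a CE-learned IPv4 route becomes an MP-BGP VPNv4 update
    carrying the VRF's RD, its export RTs, an optional SoO and the VPN label."""
    key, plen = vpnv4_prefix(vrf.rd, prefix)
    ecs = [encode_extcomm(RT, *_parse(rt)) for rt in sorted(vrf.export_rts)]
    if soo:
        ecs.append(encode_extcomm(SOO, *_parse(soo)))
    return {"nlri": (key, plen), "prefix": prefix, "next_hop": next_hop,
            "label": label, "extcomms": ecs}

def import_update(vrfs, update):
    """Receiving PE: install the update into every VRF whose import RTs
    intersect the RTs on the update.  SoO plays no part in the decision."""
    attached = {v for s, v in map(decode_extcomm, update["extcomms"]) if s == RT}
    installed = []
    for vrf in vrfs:
        if vrf.import_rts & attached:
            vrf.routes[update["nlri"]] = update
            installed.append(vrf.name)
    return installed

def routes_for_ce(vrf, site_soo=None):
    """Prefixes advertised toward a CE: the VRF's routes minus those whose SoO
    names that CE's own site (assumed SoO filtering for multihomed sites)."""
    out = []
    for upd in vrf.routes.values():
        soos = {v for s, v in map(decode_extcomm, upd["extcomms"]) if s == SOO}
        if site_soo is None or site_soo not in soos:
            out.append(upd["prefix"])
    return out

def demo():
    # Constructed PE: VRF SiteA2 belongs to VPN 100:1 only; VRF Shared imports
    # VPN 100:1 and VPN 100:2.  Values follow the show outputs in this module.
    site_a2 = VRF("SiteA2", encode_rd(100, 1), {"100:1"}, {"100:1"})
    shared = VRF("Shared", encode_rd("10.15.0.15", 7), {"100:1", "100:2"}, {"100:3"})
    remote_a = VRF("RemoteA", encode_rd(100, 1), {"100:1"}, {"100:1"})
    remote_b = VRF("RemoteB", encode_rd(100, 2), {"100:2"}, {"100:2"})
    upd_a = export_route(remote_a, "203.1.20.0/24", "10.15.0.15", 38, soo="100:20")
    upd_b = export_route(remote_b, "12.0.0.0/8", "10.20.0.60", 26)
    return {"a": import_update([site_a2, shared], upd_a),
            "b": import_update([site_a2, shared], upd_b),
            "rd": decode_rd(upd_a["nlri"][0][:8]),
            "to_site20": routes_for_ce(site_a2, site_soo="100:20"),
            "to_other_site": routes_for_ce(site_a2)}
```

The property worth checking in this model is the one the slide states: import is decided by RT alone, so an update carrying only RT 100:2 never enters VRF SiteA2, while VRF Shared, which imports both VPNs, receives it. SoO never widens an import; it only suppresses advertisement of a route back toward the site it came from.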


    Summary

After completing this section, you should be able to perform the following tasks:

Describe the routing model of MPLS VPN

Describe the MPLS VPN routing model from the customer and provider perspective

Identify the routing requirements of CE routers, PE routers and P routers


    Review Questions

What is the impact of MPLS VPN on CE routers?

What is the customer's perception of end-to-end MPLS VPN routing?

What is the P router's perception of end-to-end MPLS VPN routing?

How many routing tables does a PE router have?

How many routing tables reside on a P router?

Which routing protocols fill the global routing table of a PE router?

Which routing protocols fill the Virtual


    More Review Questions

How is Internet routing supported by the MPLS VPN architecture?

How is the VPN routing information exchanged between the PE routers?

Which attributes are always present in an MP-BGP update?

Which attributes can be optionally present in an MP-BGP update?

Which BGP attributes drive the import of a VPNv4 route into a VRF?

Which BGP attributes control the VPN route distribution toward CE routers?

MPLS VPN Packet Forwarding

Objectives

Upon completion of this section, you will be able to perform the following tasks:

Describe the MPLS VPN forwarding mechanisms

Describe the VPN and backbone label propagation

Explain the need for an end-to-end LSP between PE routers

Explain the implications of the BGP next hop on MPLS VPN forwarding

VPN Packet Forwarding Across an MPLS VPN Backbone

Q: How will the PE routers forward the VPN packets across the MPLS VPN backbone?

A2: They will label the VPN packets with a label distribution protocol (LDP) label for the egress PE router and forward the labeled packets across the MPLS backbone. The P routers perform the label switching and the packet reaches the egress PE router. However, the egress PE router does not know which VRF to use for packet switching, so the packet is dropped.

Better answer: How about using a label stack?

[Figure: the packet leaves the ingress PE router as IP L1, is label-switched by the P routers (IP L2, IP L3) and arrives at the egress PE router as a plain IP packet with no VRF context]

VPN Packet Forwarding: Penultimate Hop Popping


The egress PE router performs a label lookup only on the VPN label, resulting in a faster and simpler label lookup.

The IP lookup is performed only once, in the ingress PE router.

Penultimate hop popping of the LDP label can be performed on the last P router.

[Figure: label stack along the path: IP V L1 leaving the ingress PE router, IP V L2 after the first P router, IP V after penultimate hop popping on the last P router, IP toward the CE router]

VPN Label Propagation

Q: How will the ingress PE router get the second label in the label stack from the egress PE router?

A: Labels are propagated in MP-BGP VPNv4 routing updates.

Step #1: A VPN label is assigned to every VPN route by the egress PE router.


Egress-PE#show tag-switching forwarding vrf SiteA2
Local  Outgoing    Prefix             Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id       switched   interface
26     Aggregate   150.1.31.36/30[V]  0
37     Untagged    203.1.2.1/32[V]    0          Se1/0.20   point2point
38     Untagged    203.1.20.0/24[V]   0          Se1/0.20   point2point

Step #2: The VPN label is advertised to all other PE routers in an MP-BGP update.


Ingress-PE#show ip bgp vpnv4 all tags
   Network          Next Hop        In tag/Out tag
Route Distinguisher: 100:1 (vrf1)
   12.0.0.0         10.20.0.60      26/notag
                    10.20.0.60      26/notag
   203.1.20.0       10.15.0.15      notag/38

Step #3: A label stack is built in the VRF table.


Ingress-PE#show ip cef vrf Vrf1 203.1.20.0 detail
203.1.20.0/24, version 57, cached adjacency to Serial1/0.2
0 packets, 0 bytes
  tag information set
    local tag: VPN-route-head
    fast tag rewrite with Se1/0.2, point2point, tags imposed: {26 38}
  via 192.168.3.103, 0 dependencies, recursive
    next hop 192.168.3.10, Serial1/0.2 via 192.168.3.103/32
    valid cached adjacency
    tag rewrite with Se1/0.2, point2point, tags imposed: {26 38}

Effects of MPLS VPN Label Propagation

The VPN label must be assigned by the BGP next hop.

The BGP next hop should not be changed during MP-IBGP update propagation: do not use next-hop-self on confederation boundaries.

The PE router must be the BGP next hop: use next-hop-self on the PE router.

The label must be reoriginated if the next hop is changed: a new label is assigned every time the MP-BGP update crosses an AS boundary where the next hop is changed. This functionality is supported by Cisco IOS

Effects of MPLS VPN Packet Forwarding

The VPN label is understood only by the egress PE router.

An end-to-end LSP tunnel is required between the ingress and egress PE routers.

BGP next hops must not be announced as BGP routes, because LDP labels are not assigned to BGP routes.

BGP next hops announced in the IGP must not be summarized in the core network.

VPN Packet Forwarding with Summarization in the Core

[Figure: the ingress PE router builds a label stack (IP V L1) and forwards the labeled packet toward the egress PE router. A P router summarizes the PE loopback, so penultimate hop popping for the summary is requested through LDP; the upstream P router performs penultimate hop popping and the summarizing P router receives the packet carrying only the VPN label (IP V). That P router is faced with a VPN label it does not understand.]
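As an added example, not code from the course or from any router, the Python simulation below walks one VPN packet through the topology the slides use and shows why the BGP next hop must survive as a /32 in the core. The ingress PE does a single IP lookup in the VRF and pushes the {LDP label, VPN label} stack, the P routers switch on the outer label only, the penultimate P router pops it, and the egress PE resolves the VPN label to a VRF and CE interface. With summarized=True the P router adjacent to the egress PE originates a summary covering the PE loopback, so the LSP for that FEC ends there, penultimate hop popping happens one hop early, and that P router receives a packet whose only label is a VPN label it cannot interpret. Node names, labels and addresses are constructed for the example; the egress PE loopback 192.168.3.103 and the imposed labels {26 38} mirror the show ip cef output above.

```python
import ipaddress

# Added simulation of MPLS VPN data-plane forwarding as the slides describe it.
# Our own model, not router code: node names, labels and addresses are
# constructed (192.168.3.103 and labels 26/38 mirror the show ip cef output
# on this page).  A packet's label list is bottom-of-stack first.
POP, SWAP = "pop", "swap"

class Node:
    def __init__(self, name):
        self.name = name
        self.lfib = {}        # incoming label -> (action, out label, next node)
        self.vpn_labels = {}  # VPN label -> (vrf, CE interface); egress PE only
        self.vrf_fib = {}     # (vrf, prefix) -> (egress PE loopback, VPN label)
        self.ldp_fec = {}     # egress PE loopback -> (LDP label, next node)

    def impose(self, vrf, dst):
        """Ingress PE: one longest-match lookup in the VRF, then push the
        two-label stack {VPN label (bottom), LDP label (top)}."""
        dst = ipaddress.IPv4Address(dst)
        best = max((p for (v, p) in self.vrf_fib
                    if v == vrf and dst in ipaddress.IPv4Network(p)),
                   key=lambda p: ipaddress.IPv4Network(p).prefixlen, default=None)
        if best is None:
            raise LookupError(f"{self.name}: no route for {dst} in VRF {vrf}")
        egress, vpn_label = self.vrf_fib[(vrf, best)]
        ldp_label, nxt = self.ldp_fec[egress]
        return nxt, {"dst": str(dst), "labels": [vpn_label, ldp_label]}

    def forward(self, pkt):
        """Label-switch one packet; return (next node, packet) or raise."""
        if not pkt["labels"]:
            raise LookupError(f"{self.name}: unlabeled packet, no VRF context")
        top = pkt["labels"][-1]
        if top in self.lfib:                       # LDP-learned outer label
            action, out, nxt = self.lfib[top]
            pkt["labels"].pop()
            if action == SWAP:
                pkt["labels"].append(out)
            return nxt, pkt
        if top in self.vpn_labels and len(pkt["labels"]) == 1:
            vrf, intf = self.vpn_labels[top]       # egress PE: VPN label lookup
            pkt["labels"].pop()
            return f"CE via {intf} in VRF {vrf}", pkt
        raise LookupError(f"{self.name}: unknown label {top}")

def build(summarized):
    pe1, p1, p2, pe2 = Node("PE1"), Node("P1"), Node("P2"), Node("PE2")
    pe1.vrf_fib[("Vrf1", "203.1.20.0/24")] = ("192.168.3.103", 38)
    pe1.ldp_fec["192.168.3.103"] = (26, "P1")
    pe2.vpn_labels[38] = ("SiteA2", "Se1/0.20")
    if summarized:
        # P2 summarizes PE2's loopback: for the summary FEC the LSP ends at P2,
        # P2 requests penultimate hop popping, and P1 pops the outer label.
        p1.lfib[26] = (POP, None, "P2")
    else:
        p1.lfib[26] = (SWAP, 41, "P2")
        p2.lfib[41] = (POP, None, "PE2")           # PHP requested by PE2
    return {n.name: n for n in (pe1, p1, p2, pe2)}

def deliver(summarized, dst="203.1.20.1"):
    """Send one VPN packet from PE1; return the per-hop label stack trace."""
    nodes = build(summarized)
    cur, pkt = nodes["PE1"].impose("Vrf1", dst)
    trace = [("PE1", list(pkt["labels"]))]
    for _ in range(8):                             # hop limit guards against loops
        trace.append((cur, list(pkt["labels"])))
        try:
            nxt, pkt = nodes[cur].forward(pkt)
        except LookupError as err:
            return {"delivered": False, "error": str(err), "trace": trace}
        if nxt not in nodes:
            return {"delivered": True, "to": nxt, "trace": trace}
        cur = nxt
    return {"delivered": False, "error": "hop limit exceeded", "trace": trace}
```

The checks on real equipment are the two this page already gives: show ip cef vrf ... detail on the ingress PE must show both labels imposed, and the egress PE loopback must be present unsummarized in the core IGP so that the LDP LSP ends on the PE itself. Otherwise the VPN label, which only the egress PE can interpret, is exposed to a P router that has no VRF context for it; in this model that packet is dropped, which is the best case, since a label that happens to collide with an entry in that P router's LFIB would be switched somewhere else instead.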

    Summary


After completing this section, you should be able to perform the following tasks:

Describe the MPLS VPN forwarding mechanisms

Describe the VPN and backbone label propagation

Explain the need for an end-to-end LSP between PE routers

Explain the implications of the BGP next hop on MPLS VPN forwarding

    Review Questions


How are VPN packets propagated across the MPLS VPN backbone?

How can P routers forward VPN packets if they don't have VPN routes?

How is the VPN label propagated between PE routers?

Which router assigns the VPN label?

How is the VPN label used on other PE routers?

What is the impact of changing the BGP next hop on an MP-BGP update?

How are MP-BGP updates propagated across an AS boundary?

What is the impact of BGP next-hop summarization in the network core?

    Summary


After completing this lesson, you should be able to perform the following tasks:

Identify major Virtual Private Network topologies, their characteristics and usage scenarios

Describe the differences between overlay VPN and peer-to-peer VPN

List major technologies supporting overlay VPNs and peer-to-peer VPNs

Position MPLS VPN in comparison with other peer-to-peer VPN implementations

Describe major architectural blocks of MPLS VPN

Describe MPLS VPN routing model and packet
