VPN-MPLS - OK

  • View
    223

  • Download
    0

Embed Size (px)

Text of VPN-MPLS - OK

  • 8/3/2019 VPN-MPLS - OK

    1/23

    Deployment of MPLS VPN

    in Large ISP Networks

    IP Network Architecture

  • 8/3/2019 VPN-MPLS - OK

    2/23

    NANOG21, February 2001, Atlanta 2

    Outline

    Requirements Associated with theDeployment of MPLS VPN in an ISP Network

    Strategy for the Incremental Deployment ofMPLS VPN

    MPLS VPN - Implementation Options

    Carriers Carrier and Inter-provider BackboneVPN

    Deployment Issues and Future Work

  • 8/3/2019 VPN-MPLS - OK

    3/23

    NANOG21, February 2001, Atlanta 3

    Requirements Associated with theDeployment of MPLS VPN in an ISP Network

    Preservation of network integrity the new service features must not entail the risk of

    degrading the reliability and availability of the existing

    network

    Scalability Scaleable to large number of provider-based VPN

    Network of network VPN services Carriers Carrier and Inter-provider backbone VPN

    Satisfaction of customers security requirements

    Proactive management and fast restoration incase of failure

  • 8/3/2019 VPN-MPLS - OK

    4/23

    NANOG21, February 2001, Atlanta 4

    Strategy for the IncrementalDeployment of MPLS VPN

    The steps described here are simplified forillustrative purposes

    The steps may not be followed in the exactorder proposed in a production environment

    Different steps may also be takensimultaneously, depending on the business

    needs, feature availability, andinteroperability

  • 8/3/2019 VPN-MPLS - OK

    5/23

    NANOG21, February 2001, Atlanta 5

    Strategy for the IncrementalDeployment of MPLS VPN (2)

    Step 1. Preparation: Extensive lab test: feature, regression,

    network integration Potential hardware and software upgrade on

    all routers (Ps - Provider backbone routers,and PEs - Provider Edge routers) for

    supporting MPLS LDP, VPN, RSVP features Routing

    IGP - link state protocol, e.g. OSPF or IS-IS

    BGP - multiple BGP sessions for VPN PE routers

  • 8/3/2019 VPN-MPLS - OK

    6/23

    NANOG21, February 2001, Atlanta 6

    Strategy for the IncrementalDeployment of MPLS VPN (3)

    Step 2. Enable MPLS in the core

    Enable LDP on all backbone routers if

    possible

    MPLS TE may be enabled in certain areasas necessary

    The distribution and access routers maynot be all MPLS enabled at this time

  • 8/3/2019 VPN-MPLS - OK

    7/23

    NANOG21, February 2001, Atlanta 7

    Strategy for the IncrementalDeployment of MPLS VPN (4)

    Step 3. Basic MPLS VPN connectivity withlimited sites and limited number of VPNs:

    Upgrade the hardware and software on the VPNPE routers only

    Enable LDP and VPN on the selected PEs

    Step 4. Expand the MPLS VPN footprint

    Enable MPLS LDP in more (or all) router locations Enable VPN in additional PE routers as needed

    Step 5. MPLS VPN General Availability

  • 8/3/2019 VPN-MPLS - OK

    8/23

    NANOG21, February 2001, Atlanta 8

    Strategy for the IncrementalDeployment of MPLS VPN (5)

    Step 6. Inter-AS MPLS VPN and Carriers Carrier

    Interconnect different ASs of the same provider providing

    MPLS VPN services Interconnect with international partners for Global

    reachability

    Provide VPN services to other ISPs Carriers Carrier VPN

    Step 7. QoS-enabled MPLS VPN Enable QoS features for the MPLS network, including VPN

    Using QoS VPN for potential VoIP, Video services

  • 8/3/2019 VPN-MPLS - OK

    9/23

    MPLS VPN - Implementation Options

  • 8/3/2019 VPN-MPLS - OK

    10/23

    NANOG21, February 2001, Atlanta 10

    Configuration:

    IGP (e.g. OSPF, or IS-IS) routing in the core

    MPLS (e.g. LDP) enabled for all P and PE routers

    MP-iBGP fully meshed between PEs

    VPN configured on VPN PEs

    PE-CE can be e-BGP, OSPF, RIP or Static

    Setting up LSP through LDP, LSP path = IGP path - Simplicity Requires LDP interoperability; VPN/LDP inter-working No control on LSP, label failure on IGP path can cause VPN failure

    Case Study 1: VPN (PE) + LDP(P, PE)

    VPN A

    VPN A

    VPN B

    VPN A

    VPN B

    VPN

    LDPVPN

    LDPVPN

    LDPVPN

    P1

    P2

    P3

    P4

    P5

    LSP - Label Switched Path

    PHP LDP

    PHP: Penultimate Hop Popping

  • 8/3/2019 VPN-MPLS - OK

    11/23

    NANOG21, February 2001, Atlanta 11

    Requires RSVP TE tunnel, potentially across multi-OSPF areas Requires RSVP TE interoperability; VPN / TE inter-working End-to-end LSP control - better failure protection, fast re-route may be used

    VPN A

    VPN A

    VPN B

    VPN A

    VPN B

    VPNP1

    P2

    P3

    P4

    P5

    TEVPN TE

    VPNTE

    VPN

    OSPF area 0OSPF area 1 OSPF area 2

    Configuration:

    Using RSVP TE Tunnel (PE-PE) to set up the LSP Set up back-up tunnel for failure protection IGP, BGP, VPN, and PE-CE link configuration as in Case 1

    Case Study 2: VPN (PE) + RSVPTE Tunnel (PE-PE)

    PHP TE

  • 8/3/2019 VPN-MPLS - OK

    12/23

    NANOG21, February 2001, Atlanta 12

    Configuration:

    LDP enabled on all routers, except P4 and P5

    RSVP TE Tunnels used only in OSPF area 0 (P1-P3-P5), with back-up tunnel(P1-P2-P4-P5)

    Requires RSVP TE interoperability Requires VPN/LDP inter-working, LDP/TE inter-working Provides feasible solutions when cases 1 and 2 cannot be realized

    Case Study 3: VPN + LDP + RSVPTE Tunnel

    VPN A

    VPN A

    VPN B

    VPN A

    VPN B

    VPNP1

    P2

    P3

    P4

    P5

    OSPF area 0OSPF area 1 OSPF area 2

    LDPVPN

    LDPVPN

    TELDP

    VPN

    P3

    PHP LDP

    PHP TE

  • 8/3/2019 VPN-MPLS - OK

    13/23

    NANOG21, February 2001, Atlanta 13

    ISP A backbone provides VPN services to ISP B Case 1. ISP B may not run MPLS in its network

    Case 2. ISP B may run MPLS (LDP) in its network Case 3. ISP B may run MPLS VPN in its network - Hierarchical VPNs

    ISP B - Site Y

    ISP Bs Customers

    PE2

    ISP A Carrier Backbone

    ISP B - Site X

    ISP Bs Customers

    CE2

    CE1 PE1

    ASBR1, RRASBR2, RR

    iBGP

    MP- iBGP

    LDP

    VPN B

    VPN B

    VPN A

    VPN B

    LDP

    VPN A

    VPN B

    LDP

    VPN A

    VPN B

    LDP

    VPN B

    LDP

    VPN A

    VPN B

    LDP

    VPN B

    Carriers Carrier VPN Case 3

    Carriers Carrier VPN

  • 8/3/2019 VPN-MPLS - OK

    14/23

    NANOG21, February 2001, Atlanta 14

    Carriers Carrier VPN (2)

    MPLS (LDP) used between PE and CE in all threecases

    PE-CE routing: OSPF/RIP/Static

    Security mechanism needed for label spoofingprevention

    iBGP sessions between ISP B sites

    Use Route Reflectors to improve scalability

    ISP A distributes ISP Bs internal routes throughMPLS-VPN only

    ISP Bs external routes advertised to all ISP B sitethrough ISP Bs Route Reflector iBGP session

  • 8/3/2019 VPN-MPLS - OK

    15/23

    NANOG21, February 2001, Atlanta 15

    Inter-Providers Backbone VPN

    Customers have sites connected to different ASs or ISPs

    PE-ASBRs connect the two ASs

    E-BGP sessions for VPN-IPv4 single VPN label, no LDP label

    no VRF assigned, based on policy agreed by the two ISPs (ASs)

    Route reflectors reflect VPN-IPv4 internal routes within its AS

    Security, scalability, policies between ISPs

    PE-ASBR1PE-ASBR2

    AS B

    CE1 CE2

    PE1

    PE2

    RR-A RR-B

    LDP

    VPN BVPN B

    LDPVPN A LDP

    VPN A

    VPN AB

    AS A

    MP- eBGP

    MP- iBGPMP- iBGP

  • 8/3/2019 VPN-MPLS - OK

    16/23

    NANOG21, February 2001, Atlanta 16

    MPLS VPN Deployment Issues

    MPLS Feature availability VPN, LDP, RSVP, CR-LDP: individually, and Inter-

    working amongst subsets of these

    Coping with reality of feature availability Multi-vendor inter-operability

    Required in an heterogeneous IP network

    Deployment strategy Partially enable MPLS vs. Fully enable MPLS in the

    entire IP backbone

    TE tunnels, use only as needed vs. fully meshed

    QoS VPN: map VPN into guaranteed bandwidthtunnels with class of service

  • 8/3/2019 VPN-MPLS - OK

    17/23

    NANOG21, February 2001, Atlanta 17

    MPLS VPN Deployment Issues (2)

    Scalability The use of Route Reflectors

    Performance impact on PEs needs to be

    measured Carrier of Carriers and Inter-AS backbone

    Load sharing between PE-CE links Assign different RDs to different sites vs. single

    RD for each VPN

    Security One VPNs route does not exist in other non-

    connected VPNs VRF or the global routing table

    FR/ATM equivalent security - more study needed

  • 8/3/2019 VPN-MPLS - OK

    18/23

    NANOG21, February 2001, Atlanta 18

    MPLS VPN Network Management

    Available MIBs today

    LSR MIB, LDP MIB, VPN MIB, MBGP MIB,

    RSVP TE MIB, FTN MIB, Configuration and Provisioning

    Auto-provisioning tools needed for largescale VPN deployment

  • 8/3/2019 VPN-MPLS - OK

    19/23

    NANOG21, February 2001, Atlanta 19

    MPLS VPN Network Management(2)

    Performance All MPLS features impact on performance,

    including basic VPN on PE routers, and need to bestudied

    More study needed for VPN supporting QoS

    Network performance: delay, jitter, loss,throughput, availability

    Element performance: utilization Security management

    Authentication, control access, monitoring

  • 8/3/2019 VPN-MPLS - OK

    20/23

    N

Search related