Post on 14-Dec-2015
Juniper Networks, Inc. Copyright © 2000 1
L2 MPLS VPNs
Hector Avalos
Technical Director-Southern Europe havalos@juniper.net
Agenda: L2 MPLS VPNs
VPNs Overview
Provider-provisioned L2 MPLS VPNs
Taxonomy
Operational Model
Conclusion
What is a VPN?
A private network constructed over a shared infrastructure
  Virtual: not a separate physical network
  Private: separate addressing and routing
  Network: a collection of devices that communicate
Policies are key—global connectivity is not the goal
[Figure: a Shared Infrastructure connecting Corporate Headquarters, a Branch Office, Mobile Users and Telecommuters (Remote Access), and Suppliers, Partners and Customers (Intranet / Extranet)]
Deploying VPNs in the 1990s
Operational model
  PVCs overlay the shared infrastructure (ATM/Frame Relay)
  Routing occurs at customer premise
Benefits
  Mature technologies
  Relatively “secure”
  Service commitments (bandwidth, availability, and more)
Limitations
  Scalability, provisioning and management
  Not a fully integrated IP solution
[Figure: Provider Frame Relay Network of FR Switches, with CPEs attached over DLCIs]
Traditional (Layer 2) VPNs
[Figure: customer Router attached to a provider Frame Relay/ATM Switch]
Improving Traditional Layer 2 VPNs
Decouple edge (customer-facing) technology from core technology
Have a single network infrastructure for all desired services
  Internet
  L3 MPLS VPNs
  L2 MPLS VPNs
Simplify provisioning
Appropriate signaling mechanisms for VPN auto-provisioning
VPN Classification Model
Customer-managed VPN solutions (CPE-VPNs)
  Layer 2: L2TP and PPTP
  Layer 3: IPSec
Provider-provisioned VPN solutions (PP-VPNs)
  Layer 3: MPLS-Based VPNs (RFC 2547bis)
  Layer 3: Non-MPLS-Based VPNs (Virtual Routers)
  Layer 2: MPLS VPNs
[Figure: PP-VPN with VPN Tunnels between PE routers, and CPE-VPN with VPN Tunnels between CPE devices; each connects Subscriber Sites 1, 2 and 3]
PP-VPNs:Layer 2 Classification
Service Provider delivers Layer 2 circuit IDs (DLCI, VPI/VCI, 802.1q vlan) to the customer
  One for each reachable site
Customer maps their own routing architecture to the circuit mesh
Provider router maps the circuit ID to a Label Switched Path (LSP) to traverse the provider core
Customer routes are transparent to provider routers
Provider-provisioned L2 MPLS VPN Internet drafts
  draft-kompella-mpls-l2vpn-02.txt
  draft-martini-l2circuit-encap-mpls-01.txt
Agenda: L2 MPLS VPNs
Overview of VPNs
Provider-provisioned L2 MPLS VPNs
Taxonomy
Operational Model
Conclusion
Customer Edge Routers
Customer Edge (CE) routers
  Router or switch device located at customer premises providing access to the service provider network
  Layer 2 (FR, ATM, Ethernet) and Layer 3 (IP, IPX, SNA …) independence of the service provider network
  CEs within a VPN use the same L2 technology to access the service provider network
  Requires a sub-interface per CE it needs to interconnect to within the VPN
  Maintains routing adjacencies with other CEs within the VPN
[Figure: Customer Edge: CEs at VPN A and VPN B sites attached over ATM and FR to PE routers, with P routers in the core]
Provider Edge Routers
Provider Edge (PE) routers
  Maintain site-specific VPN Forwarding Tables
  Exchange VPN Connection Tables with other PE routers using MP-IBGP or LDP
  Use MPLS LSPs to forward VPN traffic
[Figure: Provider Edge: same CE/PE/P topology as above, with the PE routers highlighted]
Provider Routers
Provider (P) routers
  Forward data traffic transparently over established LSPs
  Do not maintain VPN-specific forwarding information
[Figure: Provider Routers: same CE/PE/P topology as above, with the P routers highlighted]
VPN Forwarding Tables (VFT)
A VFT is created for each site connected to the PE
[Figure: VPN A Sites 1, 2 and 3 (CE–A1, CE–A2, CE–A3) and VPN B Sites 1 and 2 (CE–B1, CE–B2) attached over ATM to PE 1, PE 2 and PE 3; P routers running OSPF in the core]
Each VFT is populated with:
The forwarding information provisioned for the local CE sites
VPN Connection Tables received from other PEs via iBGP or LDP
VPN Connection Tables (VCT)
The VCT is a subset of the information held by the VFT
VCTs are distributed by the PEs via iBGP or LDP
A VCT is distributed for each VPN site to PEs
[Figure: CE-1 and CE-2 (Site 1) attached to PE-1, CE-4 (Site 2) attached to PE-2, each PE holding VFTs; MP-iBGP session / LDP between PE-1 and PE-2]
L2 VPN Provisioning
Provisioning the network
Provisioning the CEs
Provisioning the VPN (PEs)
VPN Connection Table Distribution
Assumption: access technology is Frame Relay (other cases are similar)
Provisioning the Network
[Figure: same VPN A / VPN B topology as before; PE-to-PE LSPs across the OSPF core]
PE-to-PE LSPs pre-established via
  RSVP-TE
  LDP
  LDP over RSVP-TE tunneling
LSPs used for many services: IP, L2 VPN, L3 VPN, …
Provisioned independent of Layer 2 VPNs
Provisioning Customer Sites
List of DLCIs: one for each site, some spare for over-provisioning
DLCIs independently numbered at each site
LMI, inverse ARP and/or routing protocols for auto-discovery and learning addresses
No changes as VPN membership changes
  Until over-provisioning runs out

CE-4 DLCIs: 63, 75, 82, 94

CE-4 Routing Table
  In       Out
  DLCI 63  10/8
  DLCI 75  20/8
  DLCI 82  30/8
  DLCI 94  -
Provisioning CE’s at the PE
A VFT is provisioned at each PE for each CE
  VPN-ID : unique value within the service provider network
  CE-ID : unique value in the context of a VPN
  CE Range : maximum number of CEs that it can connect to
  Sub-interface list : set of local sub-interface IDs assigned for the CE-PE connection

CE4 VFT
  VPN ID       RED
  CE ID        4
  CE Range     4
  Sub-int IDs  63, 75, 82, 94
Provisioning CE’s at the PE
A VFT is provisioned at each PE for each CE
  VPN-ID : unique value within the service provider network
  CE-ID : unique value in the context of a VPN
  CE Range : maximum number of CEs that it can connect to
  Sub-interface list : set of local sub-interface IDs assigned for the CE-PE connection
  Label-base : Label assigned to the first sub-interface ID
    The PE reserves N contiguous labels, where N is the CE Range

CE4 VFT
  VPN ID       RED
  CE ID        4
  CE Range     4
  Label Base   1000
  Sub-int IDs  63, 75, 82, 94
CE4 VCT: the subset of the VFT that is distributed to other PEs (VPN ID, CE ID, CE Range, Label Base)
Provisioning CE’s at the PE
PE-2 is configured with the CE4 VFT

CE4 VFT
  VPN ID       RED
  CE ID        4
  CE Range     4
  Label base   1000
  Sub-int IDs  63, 75, 82, 94

Labels reserved: 1000, 1001, 1002, 1003
  Label used by CE0 to reach CE4: 1000
  Label used by CE1 to reach CE4: 1001
  Label used by CE2 to reach CE4: 1002
  Label used by CE3 to reach CE4: 1003
  CE4’s DLCI to CE0: 63
  CE4’s DLCI to CE1: 75
  CE4’s DLCI to CE2: 82
  CE4’s DLCI to CE3: 94
[Figure: CE-1 and CE-2 (Site 1) attached to PE-1, CE-4 (Site 2) attached to PE-2 over FR]
Distributing VCTs
Key: signalling using LDP or MP-iBGP
Auto-discovery of members
Auto-assignment of inter-member circuits
Flexible VPN topology
O(N) configuration for the whole VPN
Could be more for complex topologies
O(1) configuration to add a site
“Overprovision” DLCIs (sub-interfaces) at customer sites
Distributing VCTs
PE-1 accepts PE-2’s CE4 VCT

CE4 VCT update (sent over the MP-iBGP session / LDP from PE-2 to PE-1)
  VPN ID      RED
  CE ID       4
  CE Range    4
  Label base  1000
Label used by CE2 to reach CE4: 1002
[Figure: CE-1 and CE-2 (Site 1) attached to PE-1, CE-4 (Site 2) attached to PE-2 over FR; the CE4 VCT update travels from PE-2 to PE-1]
Updating VFTs
PE-1 updates its CE2 VFT

CE2 VFT
  CE ID  Inner Label  Sub-int ID
  1      5020         107
  2      7500         209
  3      9350         265
  4      1002         414
Label used to reach CE4: 1002
[Figure: CE-2 attached to PE-1 on FR DLCI 414, CE-4 attached to PE-2 on FR DLCI 82]
Updating VFTs
PE-1 updates its CE2 VFT

CE2 VFT
  CE ID  Inner Label  Outer Label         Sub-int ID
  1      5020                             107
  2      7500                             209
  3      9350                             265
  4      1002         500 (LSP to PE-2)   414
(outer labels for the other entries are not shown on the slide)
[Figure: CE-2 attached to PE-1 on FR DLCI 414, CE-4 attached to PE-2 on FR DLCI 82]
Data Flow
The CE-2 sends packets to the PE via the DLCI which connects to CE-4 (414)
[Figure: packet carried on DLCI 414 from CE-2 toward PE-1; CE-4 attached to PE-2 on DLCI 82]
Data Flow
The DLCI number is removed by the ingress PE
Two labels are derived from the VFT sub-interface lookup and “pushed” onto the packet
  Outer IGP label
    Identifies the LSP to egress PE router
    Derived from core’s IGP and distributed by RSVP or LDP
  Inner site label
    Identifies outgoing sub-interface from egress PE to CE
    Derived from MP-IBGP/LDP VCT distributed by egress PE
PE-1:
  1) Lookup DLCI in Red VFT
  2) Push VPN label (1002)
  3) Push IGP label (500)
[Figure: packet leaving PE-1 carrying site label (1002) and IGP label (500); CE-4 attached to PE-2 on DLCI 82]
Data Flow
After packets exit the ingress PE, the outer label is used to traverse the LSP
P routers are not VPN-aware
[Figure: packet in the core carrying site label (1002) under an IGP label (z); CE-2 at PE-1 on DLCI 414, CE-4 at PE-2 on DLCI 82; sites addressed 10.1/16]
Data Flow
The outer label is removed through penultimate hop popping (before reaching the egress PE)
[Figure: the penultimate P router pops the top label; the packet arrives at PE-2 carrying only the site label (1002); sites addressed 10.1/16]
Data Flow
The inner label is removed at the egress PE
The egress PE does a label lookup to find the corresponding DLCI value
The native Frame Relay packet is sent to the corresponding outbound sub-interface
[Figure: PE-2 delivers the packet to CE-4 on DLCI]
82
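The provisioning and forwarding sequence of the preceding slides (CE4 VFT provisioned at PE-2, VCT distribution over MP-iBGP/LDP, PE-1 updating its CE2 VFT, then the two-label data flow from CE-2 to CE-4) worked through end to end. This is an added example written for this page; it is not Juniper code and not an implementation of the drafts. It uses the deck's values (VPN RED; CE4 with CE ID 4, CE Range 4, label base 1000 and sub-interfaces 63/75/82/94; CE2's DLCI 414 towards CE4; IGP label 500 for the LSP to PE-2). CE2's label base 2000, its CE range 5, the mapping of its DLCIs 107/209/265 to other CE IDs, and the return LSP label 600 are constructed assumptions.

```python
"""Kompella-style L2 VPN control and data plane, as described in the deck.

Deck values: VPN RED, CE4 (CE ID 4, CE range 4, label base 1000, DLCIs 63/75/82/94),
CE2's DLCI 414 towards CE4, IGP label 500 for the LSP PE-1 -> PE-2.
Constructed for this example: CE2's label base 2000 and CE range 5, the remote CE IDs
behind CE2's DLCIs 107/209/265, and the IGP label 600 for the LSP PE-2 -> PE-1.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class VCT:
    """VPN Connection Table entry: what a PE advertises (MP-iBGP or LDP) for one local CE."""
    vpn_id: str
    ce_id: int
    ce_range: int     # number of contiguous labels reserved, one per possible remote CE ID
    label_base: int   # label corresponding to remote CE ID 0
    pe: str           # advertising PE; becomes the outer-LSP endpoint for this CE

    def label_for(self, remote_ce_id: int) -> int:
        """Inner label a given remote CE must push to reach this CE."""
        if not 0 <= remote_ce_id < self.ce_range:
            raise ValueError(f"CE {remote_ce_id} is outside the CE range of CE {self.ce_id}")
        return self.label_base + remote_ce_id


@dataclass
class VFT:
    """VPN Forwarding Table kept at a PE for one locally attached CE."""
    vct: VCT
    sub_ifs: dict[int, int]  # remote CE ID -> local DLCI (sub-interface) towards that CE
    remote: dict[int, tuple[int, str]] = field(default_factory=dict)  # DLCI -> (inner label, egress PE)

    def learn(self, adv: VCT) -> bool:
        """Install forwarding state for a remote CE from its received VCT."""
        if adv.vpn_id != self.vct.vpn_id or adv.ce_id == self.vct.ce_id:
            return False  # another VPN, or our own advertisement
        if adv.ce_id not in self.sub_ifs:
            return False  # no (spare) sub-interface provisioned towards this CE
        self.remote[self.sub_ifs[adv.ce_id]] = (adv.label_for(self.vct.ce_id), adv.pe)
        return True


class PE:
    def __init__(self, name: str) -> None:
        self.name = name
        self.vfts: dict[int, VFT] = {}

    def provision(self, vct: VCT, sub_ifs: dict[int, int]) -> None:
        self.vfts[vct.ce_id] = VFT(vct, sub_ifs)

    def advertise(self) -> list[VCT]:
        return [vft.vct for vft in self.vfts.values()]

    def receive(self, vcts: list[VCT]) -> None:
        for vft in self.vfts.values():
            for vct in vcts:
                vft.learn(vct)

    def ingress(self, ce_id: int, dlci: int, lsp_labels: dict[str, int]) -> list[int]:
        """Strip the DLCI; return the pushed stack [outer IGP label, inner site label]."""
        inner, egress_pe = self.vfts[ce_id].remote[dlci]
        return [lsp_labels[egress_pe], inner]

    def egress(self, stack: list[int]) -> tuple[int, int]:
        """After PHP only the site label remains; map it to (local CE ID, outbound DLCI)."""
        (inner,) = stack
        for vft in self.vfts.values():
            base, rng = vft.vct.label_base, vft.vct.ce_range
            if base <= inner < base + rng:
                return vft.vct.ce_id, vft.sub_ifs[inner - base]
        raise LookupError(f"label {inner} belongs to no VFT on {self.name}")


def penultimate_hop_pop(stack: list[int]) -> list[int]:
    """The P router before the egress PE pops the outer (IGP) label."""
    return stack[1:]


def l2vpn_demo() -> dict:
    pe1, pe2 = PE("PE-1"), PE("PE-2")
    # CE4 at PE-2 (deck values): DLCIs 63/75/82/94 lead to CE0..CE3
    pe2.provision(VCT("RED", 4, 4, 1000, "PE-2"), {0: 63, 1: 75, 2: 82, 3: 94})
    # CE2 at PE-1: DLCI 414 towards CE4 is from the deck; the rest is constructed
    pe1.provision(VCT("RED", 2, 5, 2000, "PE-1"), {0: 107, 1: 209, 3: 265, 4: 414})
    pe1.receive(pe2.advertise())  # VCT distribution over the MP-iBGP session / LDP
    pe2.receive(pe1.advertise())
    lsp_labels = {"PE-2": 500, "PE-1": 600}  # 500 from the deck, 600 constructed
    stack = pe1.ingress(2, 414, lsp_labels)  # CE2 sends a frame on DLCI 414
    delivered = pe2.egress(penultimate_hop_pop(stack))  # -> (4, 82): CE4 on DLCI 82
    return {"stack": stack, "egress": delivered, "ce4_to_ce2": pe2.ingress(4, 82, lsp_labels)}


if __name__ == "__main__":
    print(l2vpn_demo())
```

The label arithmetic is the whole trick: because PE-2 reserved one contiguous block per local CE, a single integer in the received VCT (the label base) lets PE-1 compute 1000 + 2 = 1002 without any per-pair signaling, and the egress lookup is just the inverse subtraction. The `learn` guard on `vpn_id` is what keeps VPNs apart: a VCT from another VPN never produces a forwarding entry, so no label is ever pushed towards it.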
VPN Topologies
Arbitrary topologies are possible:
  full mesh
  hub-and-spoke
BGP communities are used to configure VPN topologies when using BGP signaling
“Connectivity” parameter serves similar purpose in LDP signaling
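Topology expressed as an import policy on VCTs, as an added example (not the page's or Juniper's code): a PE installs a remote site's VCT into a local CE's VFT only when the policy accepts it, so in a hub-and-spoke VPN the spoke-to-spoke entries never exist and no label is ever pushed for that pair. The community strings "RED:hub" / "RED:spoke", the site numbering and the BLUE VPN are constructed; an operator would use BGP community values of their own choosing.

```python
"""Full-mesh vs hub-and-spoke connectivity derived from BGP communities on VCTs.
All site IDs and community strings are constructed for this example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class VCTAdvert:
    """A distributed VCT reduced to the fields the topology policy inspects."""
    vpn_id: str
    ce_id: int
    communities: frozenset[str]  # constructed values such as "RED:hub" / "RED:spoke"


def role_of(adv: VCTAdvert) -> str:
    return "hub" if f"{adv.vpn_id}:hub" in adv.communities else "spoke"


def accept(local: VCTAdvert, remote: VCTAdvert, topology: str) -> bool:
    """Import policy a PE applies before installing a remote VCT into a local CE's VFT."""
    if remote.vpn_id != local.vpn_id or remote.ce_id == local.ce_id:
        return False  # other VPN, or the site's own advertisement
    if topology == "full-mesh":
        return True
    if topology == "hub-and-spoke":
        return "hub" in (role_of(local), role_of(remote))  # spokes only reach the hub
    raise ValueError(f"unknown topology {topology!r}")


def connectivity(adverts: list[VCTAdvert], topology: str) -> dict[int, set[int]]:
    """For every site, the set of remote sites whose VCT its PE would install."""
    return {a.ce_id: {b.ce_id for b in adverts if accept(a, b, topology)} for a in adverts}


def topology_demo() -> tuple[dict[int, set[int]], dict[int, set[int]]]:
    adverts = [
        VCTAdvert("RED", 1, frozenset({"RED:hub"})),
        VCTAdvert("RED", 2, frozenset({"RED:spoke"})),
        VCTAdvert("RED", 3, frozenset({"RED:spoke"})),
        VCTAdvert("BLUE", 7, frozenset({"BLUE:spoke"})),  # another VPN: never installed in RED
    ]
    return connectivity(adverts, "full-mesh"), connectivity(adverts, "hub-and-spoke")


if __name__ == "__main__":
    full, hub_spoke = topology_demo()
    print("full mesh:", full)
    print("hub-and-spoke:", hub_spoke)
```

Running it shows the same four advertisements yielding sites 2 and 3 reaching each other under full mesh but only site 1 under hub-and-spoke, while the BLUE site is isolated in both cases; the policy decides connectivity before any forwarding state exists.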
Conclusions
A Range of VPN Solutions
Each customer has different
  Security requirements
  Staff expertise
  Tolerance for outsourcing
Customer networks vary by size and traffic volume
Providers also have different preferences concerning
  Extensive policy management
  Inclusion of customer routes in backbone routers
  Approaches to managed service
MPLS-Based Layer 2 VPNs
MPLS-based Layer 2 VPNs are identical to Layer 2 VPNs from customers’ perspective
  Familiar paradigm
  Layer 3 independent
  Provider not responsible for routing
  No hacks for OSPF
  Rely on SP only for connectivity
MPLS transport in provider network
  Decouples edge and core Layer 2 technologies
  Multiple services over single infrastructure
Single network architecture for both Internet and VPN services
Label stacking
Provision once, and use same LSP for multiple purposes
Auto-provisioning VPN
MPLS-based Layer 2 VPNs: Advantages
Subscriber
  Outsourced WAN infrastructure
  Easy migration from existing Layer 2 fabric
  Can maintain routing control, or opt for managed service
  Supports any Layer 3 protocol
  Supports multicast
Provider
  Complements RFC 2547bis
    Operates over the same core, using the same outer LSP
  Existing Frame Relay and ATM VPNs can be collapsed onto a single IP/MPLS infrastructure
  Label stacking allows multiple services over a single LSP
  No scalability problems associated with storing numerous customer VPN routes
  Simpler than the extensive policy-based configuration used with 2547
MPLS-based Layer 2 VPNs: Disadvantages
Circuit type (ATM/FR) to each VPN site must be uniform
Managed network service required for provider revenue opportunity
Customer must have routing expertise (or opt for managed service)
Layer 2 MPLS-based VPNs Application
Customer profile
  High degree of IP expertise
  Desire to control their own routing infrastructure
  Prefer to outsource tunneling
  Large number of users and sites
Provider profile
  MPLS deployed in the core
  Migrating an existing ATM or Frame Relay network
  Offers CPE managed service, or
  Provisions only the layer 2 circuits at a premium cost
Layer 2 MPLS-based VPNs are ideal for this customer profile
http://www.juniper.net
Thank you!