Juniper L2 MPLS VPN

Published in: Technology

  • The agenda for Part I is …
  • Provider network technology dictated by VPN services
    • Frame Relay switches, ATM switches
    • Provisioning is complex for the provider
    • Topology dictated by cost rather than traffic patterns
    • Multiple networks add to the provider's administrative burden
  • The Internet is the shared infrastructure
    • Increasing importance of IP/MPLS (not ATM/FR)
  • Subscriber requirements
    • A single network connection for all services
    • Semi-public connectivity rather than private connectivity
  • Provider requirements
    • Multiservice infrastructure that supports all services
    • Enhance the provider's role in VPN solutions
  • Issues: customers require intranet connectivity, then Internet connectivity. The service provider needs to deploy a parallel router infrastructure, which increases costs and operational expenses and reduces margins. Provisioning a new site, or extranet connectivity to a site, takes a lot of time.
  • The IETF classifies VPNs in two distinct models. The Customer Premise Equipment (CPE) based VPN uses equipment located at the subscriber site. This model can use both Layer 2 and Layer 3 technologies. Layer 2 is handled using Layer 2 Tunneling Protocol (L2TP) and Point to Point Tunneling Protocol (PPTP): tunnels are created between CPEs, forming a secure pipe to transfer data across. In a Network-Based (NB) VPN model, Layer 3 is supported using two separate solutions. Non-MPLS-Based VPNs use Virtual Routers to route CPE-based VLAN traffic to the far-end CPE. MPLS-Based VPNs, based on RFC 2547bis, use labels to switch VPN traffic between CPEs.
  • The Customer Edge (CE) device is usually located at the subscriber site and may be a Layer 2 switch or a Layer 3 router. It is the means by which the Provider Edge (PE) at the service provider's site communicates with the subscriber. Any type of data link will work for the CE-PE connection, and a CE device may be connected to two or more PE routers. When the CE device is a router connected to a PE router, a routing adjacency is established between the two routers. After this adjacency is established, the CE router advertises all of the subscriber site's local routes to the PE router, and the PE router in turn lets the CE router learn the other VPN routes that the PE router is directly connected to.
  • The Provider Edge (PE) router connects to the CE device over different types of data links, such as Frame Relay DLCIs, ATM PVCs, VLANs, etc. Regardless of the data link they are connected by, the PE router ensures that each port these data links arrive on is mapped to a particular table known as a VPN routing and forwarding (VRF) table. The PE port is therefore associated with a particular VRF and with the information associated with the incoming data link. The PE router maintains all of the VRFs of the virtual private networks attached to it. The exchange of routing information between the CE device and the PE device may take place using Routing Information Protocol (RIP) version 2, Open Shortest Path First (OSPF), or Exterior Border Gateway Protocol (E-BGP). The PE router is only responsible for maintaining the IPv4 routes of the CE devices that are actually attached to it; this is what makes the RFC 2547bis operational model scalable. The PE router also exchanges VPN routing information with other PE routers using I-BGP, and may use this I-BGP session to connect to Route Reflectors as an alternative to a full mesh of I-BGP sessions. Deploying multiple Route Reflectors further enhances the scalability of the RFC 2547bis operational model, because no single component needs to handle all of the IPv4 routes. When forwarding traffic across the MPLS backbone, the PE router acts as a Label Switch Router (LSR): when it forwards traffic into the MPLS backbone it is the Ingress LSR, and when it receives the traffic at the destination it is the Egress LSR.
  • In the Multiprotocol Label Switching environment the topology is very clear as to which routers are PE routers and which are Provider (P) routers. A rule of thumb for telling a P router from a PE router, which works every time within the MPLS environment, is that only PE routers attach directly to a CE device. Therefore, if a router is within the MPLS topology and does not attach to a CE device, it is a P router. The P router functions within the MPLS backbone as a transit Label Switch Router (LSR) when it is called upon to forward data traffic between the PE routers, known in the MPLS backbone as the Ingress LSR and the Egress LSR. Because the P router operates in the MPLS backbone and within a two-layer label stack, the P routers are only aware of, and only required to maintain, the routes to the PE routers. This prevents the P routers from being bogged down with all of the subscriber sites' routes, as the PE router is. Specific VPN routes are therefore found only in the PE routers.
  • When exchanging routing information, the PE is configured to associate a particular interface or sub-interface with a forwarding table. This association with the interface allows the PE to learn the routes associated with the site of which the CE device is a member. The CE device advertises a route to the PE router, which checks its own forwarding tables for a direct connection. When no direct connection is available, the PE router advertises the route using the Interior Border Gateway Protocol (I-BGP) to another PE router, placing its own address as the BGP Next Hop for the route. When the second PE router receives the advertisement from the first PE router, it performs route filtering based on the BGP extended community attributes carried with the route. Once the route is determined to be installed in the PE VPN forwarding tables, the second PE router advertises the destination route back to the first PE router. This process describes the exchange of routing information between two PE routers.
  • In this section we look at the provisioning issues and the tasks associated with Layer 2 VPNs.
  • The list of DLCIs is configured on the PEs. No changes are required even if new sites are added; existing sites remain unchanged if the provider has over-provisioned the PEs in the network.
  • A key benefit is auto-discovery. Compared to the traditional Layer 2 VPN slide, there is no need to manually configure additional VPN members. All sites must be configured after the initial bootstrap of the network; after that initial build, however, it is only necessary to configure the newly added sites without touching existing sites. Note: the label base is chosen automatically by the PE; the other information is assigned by the ISP administrator. The choice of sub-interface IDs must be agreed by both the SP and the customer. The VFT is announced via LDP as a new FEC, or via MP-BGP as a new AFI.
    • Label base: BGP only; LDP carries the label with the FEC.
    • VPN ID: LDP only; with BGP we use communities of the form <VPN-ID>:<connectivity>.
  • Forwarding data traffic between sites uses a two-label approach in Multiprotocol Label Switching. Basically speaking, the top label is the interior gateway protocol (IGP) label and identifies the label-switched path to the egress router. It is derived from the core interior gateway protocol and then distributed either with the Label Distribution Protocol or the Resource Reservation Protocol. The bottom label is the Border Gateway Protocol (BGP) label and identifies the outgoing interface from the egress PE router to the CE device that holds the destination address. This information was obtained when route distribution information was exchanged between the two PE routers using the Interior Border Gateway Protocol: the egress LSR sent the Update message back to the ingress LSR and provided the ingress LSR with the appropriate routing information for the bottom label.
  • This section of the presentation gives an insight into how a service provider operating an Internet Protocol (IP) backbone may provide Virtual Private Networks (VPNs) for its customers, the enterprise subscribers. The 2547 VPN platform differs from the traditional 1990s way of forwarding packets and routes over the Internet backbone: it uses Multiprotocol Label Switching (MPLS) to forward packets and the Border Gateway Protocol (BGP) for route distribution, both over the Internet backbone. The platform's primary goal is to support service providers in their effort to outsource IP backbone services for enterprise subscribers. By using MPLS and BGP, the service provider makes the task very simple for the enterprise subscriber while improving scalability and flexibility for itself. The 2547 VPN platform also gives the service provider an opportunity to add value to the services it provides, and it gives an enterprise subscriber the techniques needed to build a VPN that can ultimately be used to provide IP service to its own customers. We will start with a high-level discussion of the 2547 VPN platform and become more granular as we come to understand how BGP and MPLS are implemented as the underlying technology for this highly scalable and secure VPN. Without further delay, let's take a look at the 2547 VPN objectives.
  • Many subscribers have limited IP expertise available and want to outsource their wide-area interconnection and routing to service providers. Service providers with RFC 2547bis VPN platforms are the ideal candidates to receive this business and have the capabilities to support the subscriber in these challenges. For remote-access users of the corporate network, Layer 2 tunneling protocols such as Point-to-Point Tunneling Protocol (PPTP) and Layer Two Tunneling Protocol (L2TP) are convenient and effective to use; users can access the network from anywhere on the Internet.
  • Transcript

    • 1. L2 MPLS VPNs Hector Avalos Technical Director-Southern Europe [email_address]
    • 2. Agenda: L2 MPLS VPNs
      • VPNs Overview
      • Provider-provisioned L2 MPLS VPNs
        • Taxonomy
        • Operational Model
      • Conclusion
    • 3. What is a VPN?
      • A private network constructed over a shared infrastructure
      • Virtual: not a separate physical network
      • Private: separate addressing and routing
      • Network: a collection of devices that communicate
      • Policies are key — global connectivity is not the goal
      Diagram: a shared infrastructure connecting corporate headquarters, branch offices and remote-access mobile users and telecommuters (intranet) with suppliers, partners and customers (extranet)
    • 4. Deploying VPNs in the 1990s
      • Operational model
        • PVCs overlay the shared infrastructure (ATM/Frame Relay)
        • Routing occurs at customer premise
      • Benefits
        • Mature technologies
        • Relatively “secure”
        • Service commitments (bandwidth, availability, and more)
      • Limitations
        • Scalability, provisioning and management
        • Not a fully integrated IP solution
      Diagram: provider Frame Relay network of FR switches, with a DLCI between each pair of CPEs
    • 5. Traditional (Layer 2) VPNs Router Frame Relay/ ATM Switch
    • 6. Improving Traditional Layer 2 VPNs
      • Decouple edge (customer-facing) technology from core technology
      • Have a single network infrastructure for all desired services
        • Internet
        • L3 MPLS VPNs
        • L2 MPLS VPNs
      • Simplify provisioning
        • Appropriate signaling mechanisms for VPN auto-provisioning
    • 7. VPN Classification Model
      • Customer-managed VPN solutions (CPE-VPNs)
        • Layer 2: L2TP and PPTP
        • Layer 3: IPSec
      • Provider-provisioned VPN solutions (PP-VPNs)
        • Layer 3: MPLS-Based VPNs (RFC 2547bis)
        • Layer 3: Non-MPLS-Based VPNs (Virtual Routers)
        • Layer 2: MPLS VPNs
      Diagram: CPE-VPN (VPN tunnels run CPE to CPE between subscriber sites 1, 2 and 3) versus PP-VPN (VPN tunnels run PE to PE inside the provider network)
    • 8. PP-VPNs: Layer 2 Classification
      • Service Provider delivers Layer 2 circuit IDs (DLCI, VPI/VCI, 802.1q VLAN) to the customer
        • One for each reachable site
      • Customer maps their own routing architecture to the circuit mesh
      • Provider router maps the circuit ID to a Label Switched Path (LSP) to traverse the provider core
      • Customer routes are transparent to provider routers
      • Provider-provisioned L2 MPLS VPN Internet drafts
        • draft-kompella-mpls-l2vpn-02.txt
        • draft-martini-l2circuit-encap-mpls-01.txt
    • 9. Agenda: L2 MPLS VPNs
      • Overview of VPNs
      • Provider-provisioned L2 MPLS VPNs
        • Taxonomy
        • Operational Model
      • Conclusion
    • 10. Customer Edge Routers
      • Customer Edge (CE) routers
        • Router or switch device located at customer premises providing access to the service provider network
        • Layer 2 (FR, ATM, Ethernet) and Layer 3 (IP, IPX, SNA …) independence of the service provider network
        • CEs within a VPN use the same L2 technology to access the service provider network
        • Requires a sub-interface per CE it needs to interconnect to within the VPN
        • Maintains routing adjacencies with other CEs within the VPN
      Diagram: Customer Edge routers at VPN A and VPN B sites attach over ATM or FR to PE routers; P routers form the core
    • 11. Provider Edge Routers
      • Provider Edge (PE) routers
        • Maintain site-specific VPN Forwarding Tables
        • Exchange VPN Connection Tables with other PE routers using MP-IBGP or LDP
        • Use MPLS LSPs to forward VPN traffic
      Diagram: Provider Edge routers terminate the ATM/FR links from the VPN A and VPN B CEs and face the P routers in the core
    • 12. Provider Routers
      • Provider (P) routers
        • Forward data traffic transparently over established LSPs
        • Do not maintain VPN-specific forwarding information
      Diagram: Provider routers sit in the core between the PEs, with no attachment to any VPN A or VPN B CE
    • 13. VPN Forwarding Tables (VFT)
      • Each VFT is populated with:
        • The forwarding information provisioned for the local CE sites
        • VPN Connection Tables received from other PEs via iBGP or LDP
      Diagram: PE 1, PE 2 and PE 3 connect VPN A sites 1, 2 and 3 (CE-A1, CE-A2, CE-A3) and VPN B sites 1 and 2 (CE-B1, CE-B2) over ATM, running OSPF at the sites; a VFT is created for each site connected to the PE
    • 14. VPN Connection Tables (VCT)
      • The VCT is a subset of the information held by the VFT
      • VCTs are distributed by the PEs via iBGP or LDP
      Diagram: PE-1 (CE-1, CE-2) and PE-2 (CE-2, CE-4), each holding a VFT per site; a VCT is distributed for each VPN site to the PEs over an MP-iBGP session or LDP
    • 15. L2 VPN Provisioning
      • Provisioning the network
      • Provisioning the CEs
      • Provisioning the VPN (PEs)
      • VPN Connection Table Distribution
      Assumption: access technology is Frame Relay (other cases are similar)
    • 16. Provisioning the Network
      • PE-to-PE LSPs pre-established via
        • RSVP-TE
        • LDP
        • LDP over RSVP-TE tunneling
      • LSPs used for many services: IP, L2 VPN, L3 VPN, …
      • Provisioned independent of Layer 2 VPNs
      Diagram: the same PE 1/PE 2/PE 3 topology with VPN A sites 1 to 3 and VPN B sites 1 and 2 attached over ATM and running OSPF; the PE-to-PE LSPs are set up across the P routers
    • 17. Provisioning Customer Sites
      • List of DLCIs: one for each site, some spare for over-provisioning
      • DLCIs independently numbered at each site
      • LMI, inverse ARP and/or routing protocols for auto-discovery and learning addresses
      • No changes as VPN membership changes
        • Until over-provisioning runs out
      Diagram: CE-4 routing table (DLCIs 63, 75, 82, 94; one per remote site, the last left spare)
        DLCI 63 -> 10/8
        DLCI 75 -> 20/8
        DLCI 82 -> 30/8
        DLCI 94 -> (unused, over-provisioned)
    • 18. Provisioning CE’s at the PE
      • A VFT is provisioned at each PE for each CE
        • VPN-ID : unique value within the service provider network
        • CE-ID : unique value in the context of a VPN
        • CE Range : maximum number of CEs that it can connect to
        • Sub-interface list : set of local sub-interface IDs assigned for the CE-PE connection
      Diagram: CE 4 VFT
        VPN ID: RED VPN
        CE ID: 4
        CE Range: 4
        Sub-int IDs: 63 75 82 94
    • 19. Provisioning CE’s at the PE
      • A VFT is provisioned at each PE for each CE
        • VPN-ID : unique value within the service provider network
        • CE-ID : unique value in the context of a VPN
        • CE Range : maximum number of CEs that it can connect to
        • Sub-interface list : set of local sub-interface IDs assigned for the CE-PE connection
        • Label-base : Label assigned to the first sub-interface ID
          • The PE reserves N contiguous labels, where N is the CE Range
      Diagram: CE 4 VFT, with the CE 4 VCT as its subset
        VPN ID: RED VPN
        CE ID: 4
        CE Range: 4
        Label Base: 1000
        Sub-int IDs: 63 75 82 94
    • 20. Provisioning CE’s at the PE
      • PE-2 is configured with the CE4 VFT
      Diagram: PE-2 holds the CE 4 VFT (VPN ID RED VPN, CE ID 4, CE Range 4, Label base 1000, Sub-int IDs 63 75 82 94); the Frame Relay sites hang off PE-1 and PE-2
        Remote CE   Label used to reach CE 4   CE 4's DLCI to that CE
        CE 0        1000                       63
        CE 1        1001                       75
        CE 2        1002                       82
        CE 3        1003                       94
    • 21. Distributing VCTs
      • Key: signalling using LDP or MP-iBGP
        • Auto-discovery of members
        • Auto-assignment of inter-member circuits
        • Flexible VPN topology
      • O(N) configuration for the whole VPN
        • Could be more for complex topologies
      • O(1) configuration to add a site
        • “Overprovision” DLCIs (sub-interfaces) at customer sites
    • 22. Distributing VCTs
      • PE-1 accepts PE-2’s CE 4 VCT
      Diagram: PE-2 sends the CE 4 VCT update (VPN ID RED VPN, CE ID 4, CE Range 4, Label base 1000) to PE-1 over the MP-iBGP session or LDP; from it PE-1 derives that CE 2 uses label 1002 to reach CE 4
    • 23. Updating VFTs
      • PE-1 updates its CE 2 VFT
      Diagram: CE 2 VFT at PE-1 (CE-2 reaches CE-4 over FR DLCI 414; CE-4 reaches CE-2 over FR DLCI 82)
        CE ID   Sub-int ID   Inner label
        1       107          5020
        2       209          7500
        3       265          9350
        4       414          1002 (label used to reach CE 4)
    • 24. Updating VFTs
      • PE-1 updates its CE 2 VFT
      Diagram: CE 2 VFT at PE-1, now with the outer label of the LSP to PE-2 added
        CE ID   Sub-int ID   Inner label   Outer label
        1       107          5020          (not shown)
        2       209          7500          (not shown)
        3       265          9350          (not shown)
        4       414          1002          500 (LSP to PE-2)
    • 25. Data Flow
      • The CE-2 sends packets to the PE via the DLCI which connects to CE-4 (414)
      Diagram: the packet leaves CE-2 on DLCI 414 towards PE-1; the matching DLCI at CE-4 is 82
    • 26. Data Flow
      • The DLCI number is removed by the ingress PE
      • Two labels are derived from the VFT sub-interface lookup and “pushed” onto the packet
        • Outer IGP label
          • Identifies the LSP to egress PE router
          • Derived from core’s IGP and distributed by RSVP or LDP
        • Inner site label
          • Identifies outgoing sub-interface from egress PE to CE
          • Derived from MP-IBGP/LDP VCT distributed by egress PE
      Diagram: at PE-1: 1) look up the DLCI in the Red VFT, 2) push the VPN (site) label 1002, 3) push the IGP label 500; the packet leaves PE-1 as [IGP label 500][site label 1002][packet], bound for DLCI 82 at CE-4
    • 27. Data Flow
      • After packets exit the ingress PE, the outer label is used to traverse the LSP
        • P routers are not VPN-aware
      Diagram: the packet crosses the P routers as [IGP label (z)][site label 1002][packet] between DLCI 414 at CE-2 and DLCI 82 at CE-4; site 2 is 10.1/16
    • 28. Data Flow
      • The outer label is removed through penultimate hop popping (before reaching the egress PE)
      Diagram: the penultimate hop pops the top label, so the packet arrives at PE-2 as [site label 1002][packet]
    • 29. Data Flow
      • The inner label is removed at the egress PE
      • The egress PE does a label lookup to find the corresponding DLCI value
      • The native Frame Relay packet is sent to the corresponding outbound sub-interface
      Diagram: PE-2 pops site label 1002, looks it up to find DLCI 82, and sends the native Frame Relay packet to CE-4 on DLCI 82
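The provisioning and data-flow steps on slides 18 to 29 (inner label = remote label base + sender CE-ID, outer label = the LSP to the remote PE, and the egress lookup back to a DLCI), as an added Python example that is not code from the deck or from Juniper. CE 4's values (sub-interfaces 63/75/82/94, label base 1000, CE range 4) and the LSP label 500 come from the slides; CE 2's sub-interface assignment, its label base 2000 and CE range 5, the PE names and the LSP label table are assumptions. The egress side drops any label outside the CE's reserved block, which is what keeps one customer's traffic from landing on another site's sub-interface.

```python
"""Kompella-style L2 MPLS VPN label arithmetic (constructed example, not from the deck)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Vct:
    """VPN Connection Table entry that a PE advertises via MP-iBGP or LDP."""
    vpn_id: str
    ce_id: int
    ce_range: int
    label_base: int
    advertised_by: str  # PE that owns the CE (the BGP next hop); assumed field


@dataclass
class Vft:
    """VPN Forwarding Table kept at a PE for one locally attached CE."""
    vpn_id: str
    ce_id: int
    ce_range: int
    label_base: int
    sub_ints: dict                                # remote CE-ID -> local DLCI towards it
    remote_vcts: dict = field(default_factory=dict)  # remote CE-ID -> learned Vct

    def vct(self, pe_name):
        """The VCT is the subset of the VFT without the sub-interface list."""
        return Vct(self.vpn_id, self.ce_id, self.ce_range, self.label_base, pe_name)

    def learn(self, vct):
        """Route filtering at the receiving PE: only VCTs of the same VPN are installed."""
        if vct.vpn_id != self.vpn_id:
            return False
        self.remote_vcts[vct.ce_id] = vct
        return True


def inner_label(remote, local_ce_id):
    """Label the remote PE expects on traffic from local_ce_id to remote.ce_id.

    The remote PE reserved ce_range contiguous labels from label_base; the
    sender's CE-ID is the offset. A sender outside the range cannot be reached
    until the remote site's over-provisioning is increased (slide 17)."""
    if not 0 <= local_ce_id < remote.ce_range:
        return None
    return remote.label_base + local_ce_id


def ingress_encap(vft, dlci, lsp_labels):
    """Ingress PE: DLCI -> (outer IGP label, inner site label); None means drop."""
    for remote_ce, sub_int in vft.sub_ints.items():
        if sub_int == dlci:
            break
    else:
        return None  # DLCI not provisioned for any remote site of this VPN
    vct = vft.remote_vcts.get(remote_ce)
    if vct is None:
        return None  # member not yet discovered via MP-iBGP/LDP
    inner = inner_label(vct, vft.ce_id)
    outer = lsp_labels.get(vct.advertised_by)
    if inner is None or outer is None:
        return None
    return (outer, inner)


def egress_decap(vft, label):
    """Egress PE: inner label -> outbound DLCI towards the local CE; None means drop."""
    offset = label - vft.label_base
    if not 0 <= offset < vft.ce_range:
        return None  # label outside this CE's reserved block: never forward it
    return vft.sub_ints.get(offset)  # offset is the sending CE-ID


# PE-2 hosts CE 4 (values from slides 18-20); PE-1 hosts CE 2 (constructed).
ce4_vft = Vft("RED", 4, 4, 1000, {0: 63, 1: 75, 2: 82, 3: 94})
ce2_vft = Vft("RED", 2, 5, 2000, {0: 107, 1: 209, 3: 265, 4: 414})
# VCT distribution: each PE installs the other's VCT for VPN RED.
ce2_vft.learn(ce4_vft.vct("PE-2"))
ce4_vft.learn(ce2_vft.vct("PE-1"))
LSP_FROM_PE1 = {"PE-2": 500}  # outer label of the pre-established PE-1 -> PE-2 LSP


def demo():
    """Slides 25-29: CE-2 sends on DLCI 414, PE-2 delivers to CE-4 on DLCI 82."""
    stack = ingress_encap(ce2_vft, 414, LSP_FROM_PE1)  # (500, 1002)
    # P routers switch on the outer label only; the penultimate hop pops it.
    dlci = egress_decap(ce4_vft, stack[1])              # 82
    return stack, dlci


if __name__ == "__main__":
    print(demo())
```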
    • 30. VPN Topologies
      • Arbitrary topologies are possible:
        • full mesh
        • hub-and-spoke
      • BGP communities are used to configure VPN topologies when using BGP signaling
      • “Connectivity” parameter serves similar purpose in LDP signaling
    • 31. Conclusions
    • 32. A Range of VPN Solutions
      • Each customer has different
        • Security requirements
        • Staff expertise
        • Tolerance for outsourcing
      • Customer networks vary by size and traffic volume
      • Providers also have different preferences concerning
        • Extensive policy management
        • Inclusion of customer routes in backbone routers
        • Approaches to managed service
    • 33. MPLS-Based Layer 2 VPNs
      • MPLS-based Layer 2 VPNs are identical to Layer 2 VPNs from customers’ perspective
        • Familiar paradigm
        • Layer 3 independent
        • Provider not responsible for routing
        • No hacks for OSPF
        • Rely on SP only for connectivity
      • MPLS transport in provider network
        • Decouples edge and core Layer 2 technologies
        • Multiple services over single infrastructure
          • Single network architecture for both Internet and VPN services
      • Label stacking
        • Provision once, and use same LSP for multiple purposes
      • Auto-provisioning VPN
    • 34. MPLS-based Layer 2 VPNs: Advantages
      • Subscriber
        • Outsourced WAN infrastructure
        • Easy migration from existing Layer 2 fabric
        • Can maintain routing control, or opt for managed service
        • Supports any Layer 3 protocol
        • Supports multicast
      • Provider
        • Complements RFC 2547bis
          • Operates over the same core, using the same outer LSP
        • Existing Frame Relay and ATM VPNs can be collapsed onto a single IP/MPLS infrastructure
        • Label stacking allows multiple services over a single LSP
        • No scalability problems associated with storing numerous customer VPN routes
        • Simpler than the extensive policy-based configuration used with 2547
    • 35. MPLS-based Layer 2 VPNs: Disadvantages
      • Circuit type (ATM/FR) to each VPN site must be uniform
      • Managed network service required for provider revenue opportunity
      • Customer must have routing expertise (or opt for managed service)
    • 36. Layer 2 MPLS-based VPNs Application
      • Customer profile
        • High degree of IP expertise
        • Desire to control their own routing infrastructure
        • Prefer to outsource tunneling
        • Large number of users and sites
      • Provider profile
        • MPLS deployed in the core
        • Migrating an existing ATM or Frame Relay network
        • Offers CPE managed service, or
        • Provisions only the layer 2 circuits at a premium cost
      • Layer 2 MPLS-based VPNs are ideal for this customer profile
    • 37. http://www.juniper.net Thank you!