TM
MPLS Virtual Private
Networks
Peter Joy
Senior Product Marketing Manager
Presentation Title
10/18/19
Lucent Technologies – Proprietary
The IP VPN Challenge
IP MPLS VPNs Emulate a Private Network Over a Shared IP Network...
Branch/Regional
Offices
Remote
Workers
Shared IP
Network
Corporate
Headquarters
•
•
•
Internet
Customers,
Suppliers
Layer 3 - Any to Any connectivity
Security, reliability, performamce,
management
No manual configuration of PVCs
2
VPN forecasted growth
$B
10
9
•
73% of Fortune 1000
companies are moving away
from private networks
•
51% of companies plan to
outsource VPNs
•
All ISPs will have a VPN
solution by end 1999
•
80% of service provider
profits will come from data most of it from VPN services
8
7
6
5
4
3
2
1
(Tom Nolle, CIMI Group)
$0
1998
1999
2000
IP VPN Services
VPN Equipment
Management
2001
CAGR
81%
42%
16%
2002
2003
Source : IDC July 31999
Networking industry trends
Circuit Switch
Voice
Private
Networks
Frame Relay
Internet
ATM
IP VPNs
Growth
Rate
IP Voice/Fax
Introduction
Early
Growth
Majority
Adoption
Maturity
Decline
Time
4
IP Navigator/MPLS
Layer 3 edge
routing lookup to
determine cut
through path
GX550, CBX 500, B-STDX 9000
Multiservice QoS core
IP
Fast Layer 2 switching
along quality of service
connection
•
•
•
•
•
•
The industry’s First baseline MPLS implementation
Uses standard IP protocols - OSPF, BGP-4, RIP-2
Maps connectionless IP through switched core
Entire backbone appears as single QoS aware hop
Uses advanced label switch path aggregation technology (MPT) to minimize the use
of virtual circuit resources
Provides Absolute QoS in the core-mapping IP to ATM class of service
5
Lucent’s MPLS IP VPN
approach - Key Features
•
•
•
•
•
•
•
•
Submitted to IETF for RFC approval
Unique VPNID within the Service Provider network
Use of existing routing protocols without modification
Easy configuration/adding of new sites - equivalent to
adding a new logical port
User Security - uses industry standard router security
Dynamic of discovery of virtual routers within the VPN
Highly scalable - no pre-allocation of resources
Use of private and unregistered address space allows for
ease of enterprise adoption
6
What are Virtual Routers?
•
•
•
•
Logically independent routing domain for each VPN
Each virtual router is NOT a separate operating system“task”
Resides only at edge of SP network
Logically equivalent to a physical router (filters, interfaces,
access lists, configuration, management, monitoring,)
• Virtual Routers in a VPN represent a virtual routing domain
and dynamically discover each other in the service provider
network
• Customer view is similar to Ethernet LAN connected routers
• Carrier management similar to layer 2 services
7
Traditional IP Enterprise Network
Traditional method:
-PVC or leased line connections
-Fully meshed cost prohibitive or difficult to manage
Customer A
Headquarters
Customer A
Boston Branch
Company A’s
Enterprise
Network
Customer A
LA Branch
Customer A
Dallas Branch
8
Multiple MPLS IP VPNs
Physical Topology View
Customer A
Headquarters
Customer B
Dallas Branch
CE Router
Customer B
Headquarters
Logical VPN View
CE Router
CE Router
HQ
Customer A
VPN
B-STDX
9000
B-STDX
9000
CBX
500
Boston
CBX
500
HQ
B-STDX
9000
B-STDX
9000
CE Router
Customer B
LA Branch
CE Router
Customer A
LA Branch
LA
Customer B
VPN
CE Router
Customer A
Boston Branch
Dallas
LA
9
Accessing the VPN
Customer B
HQ (NY)
Customer C
HQ (NY)
Customer A
Branch (Boston)
Router
•
VR
VR
VR
•
•
•
•
VR
Customer B
Branch (Peoria)
VR
Customer A
HQ (Chicago)
VR
Ingress IP interfaces allow IP VPN traffic
to access the Lucent network.
For IP logical ports that use frame
relay, each IP VPN that uses the lport
has one or more DLCIs. A DLCI is
associated with a particular VPN
For ATM, each VPI/VCI is associated
with each VPN
For PPP or Ethernet, a single IP VPN
owns the port
When a DCLI or VPI/VCI is assigned to a
VPN for the first time in a switch, a VR
is created for the VPN
Customer C
Branch (Dallas)
10
Auto-Discovery/Routing Within a VPN
•
Each VR is automatically assigned a class D multicast address (internally
in SP network only) in the form 239.192.x.x (x.x is the VPN ID, which is
assigned when the VPN is added and uniquely mapped to the specific VPN)
•
Allows a VR to discover and be discovered by other VRs
•
IGMP allows VRs to join a multicast group(VPN)
EXAMPLE:
Customer A
•
To get VR-Bs address (switch-Bs address) VR-A sends an ARP request
Branch
(Boston)
packet with the address of VR B as the logical address. This ARP request is
encapsulated in this VPNs multicast address (239.192.0.1) and sent out.
Switch B recognizes the VPN address and responds with the switch
“hardware” address
•
This response is sent to the VPN multicast address
Parts DB
165.1.1.1
Switch-B internal H/W
address =150.202.77.2
VR-B
IP Interface
(150.1.1.1)
Service Provider’s Network
IP Interface
(150.1.1.2)
VR-A
Switch-A internal
H/W address=
150.202.78.12
Customer A
HQ (Chicago)
VR-C
IP Interface
(150.1.1.3)
Extranet connection to the parts
database reachable through VR-B
advertises a default route to VR-B
VR-B exports only 165.1.1.1 to VR-C
to keep the corporate network secure
Switch-C internal
H/W address=
150.202.79.12
Customer A’s
Vendor
11
Forwarding/QoS within a VPN/service
level guarantees
Customer A
Branch (Boston)
•
Point to Point LSP
–
–
–
•
Policy Based Forwarding LSP
–
–
–
•
A predefined path between any two switches within a VPN
Useful for traffic engineering
UBR, ABR , nrt-VBR, rt-VBR
Based on filter match
PVC is switch to switch or switch to lport
UBR, ABR , nrt-VBR, rt-VBR, CBR
VR-B
Best Effort LSP (default)
–
UBR/ABR
VR-A
Customer A
HQ (Chicago)
VR-C
Customer A
Branch
(Portland)
12
VPN Security
• Routing/Data Security
– The use of standard routing protocols means that standard security methods (MD5 for
example) are available in VRs
– Separate routing tables ensure that routes are not leaked from one VPN to another
– The use of VPNIDs guarantees data privacy, packet filters can also be configured on any
VR
– As secure as other switched services - Frame/ATM
• Configuration Security
– VRs appear as “real” routers to the SPs customer
– Password, RADIUS are available
• Physical Security
– customer logs into the VPN for monitoring
– ping, traceroute, display private route tables, link state databases
– no such privileges for the physical network
13
VPN Management
NavisXtend:
CNM Gateway
SLA Reports
NavisXtend:
Acc’t
Performance
NavisCore
Configuration
Security
Accounting Server
Statistics Server &
Report Generator
Provisioning Server
Switch and Application
Levels
Fault Server
Fault
14
NetCare™ Services
Global “Direct Touch”
Planning &
Consulting
Management &
Operations
44 Countries Worldwide
5 NOCs / Reliability Centers
Over 5500 Professionals
Software Services
Systems
VPN Services
Basic services plus :
VPN Security Consulting
Network Planning and Design
NOC Design Services
Support &
Maintenance
Network
Implementation
15
Core IP VPN Test Environment
• Network used by software
development
• Comprised of several device types:
– 8-10 GX-550 Nodes
– 10-16 CBX-500 Nodes
– 18-20 B-STDX 9000 Nodes
– Several DS-3-HSSI CSU/DSU Devices
– Lucent NavisCore NMS Support
– Assorted tools (Linux, other hardware)
16
N o rth
W est
N o rth
E ast
B -S T D X
9000
O re g o n
1 .3 4
B -S T D X
9000
K ansas
1 .4 6
B -S T D X
9000
A riz o n a
1 .3 5
B -S T D X
9000
A rk a n s a s
1 .4
B -S T D X
9000
N H
1 .9
H SSI XO VR
H SSI XO VR
HSSI XO VR
HSSI XO VR
H SSI XO VR
D S 3 C S U /D S U
D S 3 C S U /D S U
D S 3 C S U /D S U
D S 3 C S U /D S U
D S 3 C S U /D S U
D S 3 -F R
D S 3 -F R
D S 3 -F R
D S 3 -F R
D S 3 -F R
C B X -5 0 0
B ra z il
1 .4 3
C B X -5 0 0
Ira n
1 .4 4
C B X -5 0 0
E qypt
1 .4 2
C B X -5 0 0
E n g la n d
1 .2 7
C B X -5 0 0
Japan
1 .4 7
1 5 .1
1 5 .1
1 5 .1
1 5 .1
O C -3
O C -3
O C -3
C B X -5 0 0
Ir e la n d
1 .2 0
1 5 .1
O C -3
3 .1
O C -3
3 .2
B -S T D X
9000
D a lla s
3 .1
C B X -5 0 0
F iji
1 .1 7
G X -5 5 0
S .A m e ric a
1 .3 9
3 .2
G X -5 5 0
Pangea
1 .2
3 .9
G X -5 5 0
A n ta r tic a
1 .4 0
O C -1 2
3 .3
O C -3
O C -1 2
4 .1
G X -5 5 0
A t la n t is
1 .3
4 .5
3 .1 7
O C -4 8 c (x 2 )
G X -5 5 0
A fr ic a
1 .3 8
O C -1 2
G X -5 5 0
E u ro p e
1 .3 7
3 .1 8
4 .9
T h is is th e 5 5 0
C o re o f th e V P N
te s t n e tw o rk .
1 3 .3
3 .9
O C -3
3 .1 0
O C -3
1 5 .1
1 3 .3
C B X -5 0 0
C anada
1 .1 4
1 3 .3
1 5 .2
O C -3
O C -3
C B X -5 0 0
A u s t r a lia
1 .3 2
L in u x
C B X -5 0 0
Ita ly
1 .3 0
L in u x
•The core is made up of high
performance GX-550s
1 2 .6
O C -3
C B X -5 0 0
F ra n c e
1 .3 1
B -S T D X
9000
H o u s to n
1 2 .5
O C -3
7 .2
C B X -5 0 0
C h in a
1 .1 5
7 .1
C B X -5 0 0
In d ia
1 .1 6
•Edge switches are shown in
hashed colors:
•Blue = B-STDX 9K
1 2 .9
G X -5 5 0
A s ia
1 .2 2
O C -3
1 5 .1
C B X -5 0 0
U .S .A .
1 .1 3
S o u th
W est
O C -1 2
G X -5 5 0
N .A m e r ic a
1 .1 9
O C -3
4 .1
O C -1 2
C B X -5 0 0
R u s s ia
1 .2 9
L in u x
3 .9
O C -1 2
C B X -5 0 0
G e rm a n y
1 .4 1
Current “Top
Level” Network
Map
A T M /IP
SRVR
1 5 .1
O C -3
3 .3
B -S T D X
9000
N e w Y o rk
1 .3 3
L in u x
S o u th
East
•Green = CBX 500
V P N T e s t N e tw o rk
T r it o n L a b , W e s t f o r d
O C -4 8
4 .3
4 .2
O C -1 2
4 .1
4 .1
D S 3 -F R
O C -3
1 4 .1
4 .1
1 4 .1
B -S T D X
9000
Z a k is w 1
1 .1
B -S T D X
9000
V ir g in ia
1 .2 3 0
B -S T D X
9000
D a k o ta
1 .6
B -S T D X
9000
M a in e
1 .1 0
B -S T D X
9000
M ass
1 .8
B -S T D X
9000
R G -1
B -S T D X
9000
R G -6
B -S T D X
9000
R G -2
B -S T D X
9000
R G -3
B -S T D X
9000
R G -4
HSSI
V P N A c c e s s D e v ic e ( V P N ID
3 0 -2 5 5 )
V P N A c c e s s D e v ic e ( V P N ID
3 0 0 -4 0 0 )
N e tw o rk A d d re s s : 1 5 3 .2 0 7
17
Lab Performance Snap Shot
•Testing so far has confirmed high scalability
•255 VPNs currently tested in network - more to be added
•500+ IP routes/VPN
•Full convergence time generally is 5-10 minutes
•Memory requirements on the CP/SP are well within limits
•After a switch is removed completely from a fully converged
network, the remaining switches all wait for the OSPF dead
timer to expire - within 10-20 seconds all of the routes
associated with that neighbor in each VPN it was participating in
are removed and the remaining network converges with little
effort.
18
Technical comparison to
the BGP overlay approach
Presentation Title
10/18/19
Lucent Technologies – Proprietary
Comparison to BGP “overlay” model Scalability of configuration
• In the VR approach, each connection to the network
requires one Layer 3 configuration.
• In the overlay approach, each connection to the the
network requires Route Distinguisher (RD), Route Target
(RT), Site Of Origin (SOI), VPN of Origin (VOI)
20
Comparison to BGP “overlay” model
-Standards compliance
• The VR approach uses a VR discovery mechanism based
on a pending RFC
• Requires no changes to existing, standardized protocols
• All configuration is standard router configuration.
• The overlay approach uses a route distribution
methodology described in RFC 2547, but requires
significant changes to BGP, an existing Internet
standard.
21
Comparison to BGP “overlay” model
-Additional IETF standards/proposals
required for operation
• The VR approach simply makes use of standards such as
routing protocols and ARP which are router requirements
set forth in existing RFCs
• The overlay model requires the additional
implementation of the following drafts:
–
–
–
–
–
–
draft-ietf-idr-bgp4-multiprotocol-v2-02.txt
draft-ietf-mpls-bgp4-mpls-02.txt
draft-ietf-idr-bgp4-cap-neg-03.txt
draft-ramachandra-bgp-ext-communities-01.txt
draft-chen-bgp-route-refresh-01.txt
RFC 1997
22
Comparison to BGP “overlay” model
-Rules for network configuration and
operation- CE peering requirements
• Since the VR approach is based on standard routing
protocols and routing domains, there are no special rules
for how to connect customer sites to the core network
• The overlay approach requires network administrator
and CPE administrator implementation of special
configuration rules.
23
Comparison to BGP “overlay” model
-Rules for network configuration and
operation (CE peering requirements)
• If RIP is run to the CE, it is required that the PNA configure the
multi-homed CE correctly to NOT leak routes distributed from PE to
another PE.
• If OSPF is run to the CE, it is required that the site be run as 1 large
OSPF area with the CE being the area border router.
• Additionally, it is required that the PE should be in a different area
and the PE report no inter-CE links.
• RFC 2547 does not specify if other special rules apply for other
protocols, e.g., ISIS.
• A new and special parameter "SOI" has to be configured to ensure
routing loops are avoided.
24
Comparison to BGP “overlay” model
-Dynamic discovery of VPN endpoints
• The VR approach specifies a methodology for the
dynamic discovery of other VRs in the network using IP
multicast facilities. A manual override for completeness
is also specified
• The overlay approach does not use dynamic discovery of
other PEs involved in a VPN. The RT attribute only
suggests a Closed User Group. It does not specify who
the members are
25