TM

MPLS Virtual Private
Networks
Peter Joy
Senior Product Marketing Manager

Presentation Title
10/18/19

Lucent Technologies – Proprietary


The IP VPN Challenge
IP MPLS VPNs Emulate a Private Network Over a Shared IP Network...

Branch/Regional
Offices

Remote
Workers

Shared IP
Network
Corporate
Headquarters
•
•
•

Internet

Customers,
Suppliers

Layer 3 - Any to Any connectivity
Security, reliability, performamce,
management
No manual configuration of PVCs
2


VPN forecasted growth
$B
10
9

•

73% of Fortune 1000
companies are moving away
from private networks

•

51% of companies plan to
outsource VPNs

•

All ISPs will have a VPN

solution by end 1999

•

80% of service provider
profits will come from data most of it from VPN services

8
7
6
5
4
3
2
1

(Tom Nolle, CIMI Group)

$0
1998

1999

2000

IP VPN Services
VPN Equipment
Management

2001

CAGR
81%
42%
16%

2002

2003

Source : IDC July 31999


Networking industry trends
Circuit Switch
Voice

Private
Networks

Frame Relay
Internet

ATM

IP VPNs
Growth
Rate

IP Voice/Fax


Introduction

Early
Growth

Majority
Adoption

Maturity

Decline

Time
4


IP Navigator/MPLS
Layer 3 edge
routing lookup to
determine cut
through path

GX550, CBX 500, B-STDX 9000
Multiservice QoS core

IP
Fast Layer 2 switching
along quality of service
connection
•

•
•
•
•
•

The industry’s First baseline MPLS implementation
Uses standard IP protocols - OSPF, BGP-4, RIP-2
Maps connectionless IP through switched core
Entire backbone appears as single QoS aware hop
Uses advanced label switch path aggregation technology (MPT) to minimize the use
of virtual circuit resources
Provides Absolute QoS in the core-mapping IP to ATM class of service
5


Lucent’s MPLS IP VPN
approach - Key Features
•
•
•
•
•
•
•
•

Submitted to IETF for RFC approval
Unique VPNID within the Service Provider network
Use of existing routing protocols without modification

Easy configuration/adding of new sites - equivalent to
adding a new logical port
User Security - uses industry standard router security
Dynamic of discovery of virtual routers within the VPN
Highly scalable - no pre-allocation of resources
Use of private and unregistered address space allows for
ease of enterprise adoption

6


What are Virtual Routers?
•
•
•
•

Logically independent routing domain for each VPN
Each virtual router is NOT a separate operating system“task”
Resides only at edge of SP network
Logically equivalent to a physical router (filters, interfaces,
access lists, configuration, management, monitoring,)
• Virtual Routers in a VPN represent a virtual routing domain
and dynamically discover each other in the service provider
network
• Customer view is similar to Ethernet LAN connected routers
• Carrier management similar to layer 2 services

7



Traditional IP Enterprise Network
Traditional method:
-PVC or leased line connections
-Fully meshed cost prohibitive or difficult to manage
Customer A
Headquarters

Customer A
Boston Branch

Company A’s
Enterprise
Network

Customer A
LA Branch

Customer A
Dallas Branch
8


Multiple MPLS IP VPNs
Physical Topology View
Customer A
Headquarters

Customer B
Dallas Branch


CE Router

Customer B
Headquarters

Logical VPN View

CE Router

CE Router

HQ

Customer A
VPN
B-STDX
9000

B-STDX
9000

CBX
500

Boston

CBX
500


HQ

B-STDX
9000
B-STDX
9000
CE Router
Customer B
LA Branch

CE Router

Customer A
LA Branch

LA

Customer B
VPN
CE Router
Customer A
Boston Branch

Dallas

LA

9



Accessing the VPN
Customer B
HQ (NY)

Customer C
HQ (NY)

Customer A
Branch (Boston)

Router

•

VR

VR

VR

•

•
•
•
VR

Customer B
Branch (Peoria)


VR

Customer A
HQ (Chicago)

VR

Ingress IP interfaces allow IP VPN traffic
to access the Lucent network.
For IP logical ports that use frame
relay, each IP VPN that uses the lport
has one or more DLCIs. A DLCI is
associated with a particular VPN
For ATM, each VPI/VCI is associated
with each VPN
For PPP or Ethernet, a single IP VPN
owns the port
When a DCLI or VPI/VCI is assigned to a
VPN for the first time in a switch, a VR
is created for the VPN

Customer C
Branch (Dallas)

10


Auto-Discovery/Routing Within a VPN
•


Each VR is automatically assigned a class D multicast address (internally
in SP network only) in the form 239.192.x.x (x.x is the VPN ID, which is
assigned when the VPN is added and uniquely mapped to the specific VPN)
•
Allows a VR to discover and be discovered by other VRs
•
IGMP allows VRs to join a multicast group(VPN)
EXAMPLE:
Customer A
•
To get VR-Bs address (switch-Bs address) VR-A sends an ARP request
Branch
(Boston)
packet with the address of VR B as the logical address. This ARP request is
encapsulated in this VPNs multicast address (239.192.0.1) and sent out.
Switch B recognizes the VPN address and responds with the switch
“hardware” address
•
This response is sent to the VPN multicast address

Parts DB
165.1.1.1

Switch-B internal H/W
address =150.202.77.2
VR-B

IP Interface
(150.1.1.1)


Service Provider’s Network
IP Interface
(150.1.1.2)
VR-A
Switch-A internal
H/W address=
150.202.78.12

Customer A
HQ (Chicago)

VR-C
IP Interface
(150.1.1.3)
Extranet connection to the parts
database reachable through VR-B
advertises a default route to VR-B
VR-B exports only 165.1.1.1 to VR-C
to keep the corporate network secure

Switch-C internal
H/W address=
150.202.79.12

Customer A’s
Vendor
11


Forwarding/QoS within a VPN/service

level guarantees
Customer A
Branch (Boston)

•

Point to Point LSP
–
–
–

•

Policy Based Forwarding LSP
–
–
–

•

A predefined path between any two switches within a VPN
Useful for traffic engineering
UBR, ABR , nrt-VBR, rt-VBR
Based on filter match
PVC is switch to switch or switch to lport
UBR, ABR , nrt-VBR, rt-VBR, CBR

VR-B

Best Effort LSP (default)

–

UBR/ABR

VR-A

Customer A
HQ (Chicago)

VR-C

Customer A
Branch
(Portland)

12


VPN Security
• Routing/Data Security
– The use of standard routing protocols means that standard security methods (MD5 for
example) are available in VRs
– Separate routing tables ensure that routes are not leaked from one VPN to another
– The use of VPNIDs guarantees data privacy, packet filters can also be configured on any
VR
– As secure as other switched services - Frame/ATM

• Configuration Security
– VRs appear as “real” routers to the SPs customer
– Password, RADIUS are available


• Physical Security
– customer logs into the VPN for monitoring
– ping, traceroute, display private route tables, link state databases
– no such privileges for the physical network

13


VPN Management
NavisXtend:
CNM Gateway
SLA Reports
NavisXtend:
Acc’t

Performance

NavisCore

Configuration

Security

Accounting Server
Statistics Server &
Report Generator
Provisioning Server
Switch and Application
Levels

Fault Server

Fault

14


NetCare™ Services

Global “Direct Touch”







Planning &
Consulting

Management &
Operations

44 Countries Worldwide
5 NOCs / Reliability Centers
Over 5500 Professionals

Software Services
Systems


VPN Services









Basic services plus :
VPN Security Consulting
Network Planning and Design
NOC Design Services

Support &
Maintenance

Network
Implementation

15


Core IP VPN Test Environment
• Network used by software
development
• Comprised of several device types:
– 8-10 GX-550 Nodes
– 10-16 CBX-500 Nodes

– 18-20 B-STDX 9000 Nodes
– Several DS-3-HSSI CSU/DSU Devices
– Lucent NavisCore NMS Support
– Assorted tools (Linux, other hardware)

16


N o rth
W est

N o rth
E ast
B -S T D X
9000
O re g o n
1 .3 4

B -S T D X
9000
K ansas
1 .4 6

B -S T D X
9000
A riz o n a
1 .3 5

B -S T D X
9000

A rk a n s a s
1 .4

B -S T D X
9000
N H
1 .9

H SSI XO VR

H SSI XO VR

HSSI XO VR

HSSI XO VR

H SSI XO VR

D S 3 C S U /D S U

D S 3 C S U /D S U

D S 3 C S U /D S U

D S 3 C S U /D S U

D S 3 C S U /D S U

D S 3 -F R


D S 3 -F R

D S 3 -F R

D S 3 -F R

D S 3 -F R

C B X -5 0 0
B ra z il
1 .4 3

C B X -5 0 0
Ira n
1 .4 4

C B X -5 0 0
E qypt
1 .4 2

C B X -5 0 0
E n g la n d
1 .2 7

C B X -5 0 0
Japan
1 .4 7

1 5 .1


1 5 .1

1 5 .1

1 5 .1

O C -3
O C -3

O C -3

C B X -5 0 0
Ir e la n d
1 .2 0
1 5 .1

O C -3

3 .1

O C -3

3 .2

B -S T D X
9000
D a lla s

3 .1


C B X -5 0 0
F iji
1 .1 7

G X -5 5 0
S .A m e ric a
1 .3 9

3 .2

G X -5 5 0
Pangea
1 .2

3 .9

G X -5 5 0
A n ta r tic a
1 .4 0

O C -1 2

3 .3

O C -3

O C -1 2

4 .1


G X -5 5 0
A t la n t is
1 .3

4 .5

3 .1 7
O C -4 8 c (x 2 )

G X -5 5 0
A fr ic a
1 .3 8

O C -1 2

G X -5 5 0
E u ro p e
1 .3 7

3 .1 8
4 .9

T h is is th e 5 5 0
C o re o f th e V P N
te s t n e tw o rk .

1 3 .3

3 .9


O C -3

3 .1 0

O C -3

1 5 .1

1 3 .3

C B X -5 0 0
C anada
1 .1 4
1 3 .3

1 5 .2

O C -3

O C -3

C B X -5 0 0
A u s t r a lia
1 .3 2

L in u x

C B X -5 0 0
Ita ly
1 .3 0


L in u x

•The core is made up of high
performance GX-550s

1 2 .6

O C -3

C B X -5 0 0
F ra n c e
1 .3 1

B -S T D X
9000
H o u s to n

1 2 .5

O C -3
7 .2

C B X -5 0 0
C h in a
1 .1 5

7 .1

C B X -5 0 0

In d ia
1 .1 6

•Edge switches are shown in
hashed colors:
•Blue = B-STDX 9K

1 2 .9

G X -5 5 0
A s ia
1 .2 2

O C -3
1 5 .1

C B X -5 0 0
U .S .A .
1 .1 3
S o u th
W est

O C -1 2

G X -5 5 0
N .A m e r ic a
1 .1 9

O C -3


4 .1

O C -1 2

C B X -5 0 0
R u s s ia
1 .2 9

L in u x

3 .9

O C -1 2

C B X -5 0 0
G e rm a n y
1 .4 1

Current “Top
Level” Network
Map

A T M /IP
SRVR

1 5 .1

O C -3

3 .3


B -S T D X
9000
N e w Y o rk
1 .3 3

L in u x

S o u th
East

•Green = CBX 500

V P N T e s t N e tw o rk
T r it o n L a b , W e s t f o r d
O C -4 8

4 .3

4 .2

O C -1 2

4 .1

4 .1

D S 3 -F R

O C -3

1 4 .1

4 .1

1 4 .1

B -S T D X
9000
Z a k is w 1
1 .1

B -S T D X
9000
V ir g in ia
1 .2 3 0

B -S T D X
9000
D a k o ta
1 .6

B -S T D X
9000
M a in e
1 .1 0

B -S T D X
9000
M ass
1 .8


B -S T D X
9000
R G -1

B -S T D X
9000
R G -6

B -S T D X
9000
R G -2

B -S T D X
9000
R G -3

B -S T D X
9000
R G -4

HSSI
V P N A c c e s s D e v ic e ( V P N ID
3 0 -2 5 5 )
V P N A c c e s s D e v ic e ( V P N ID
3 0 0 -4 0 0 )

N e tw o rk A d d re s s : 1 5 3 .2 0 7

17



Lab Performance Snap Shot
•Testing so far has confirmed high scalability
•255 VPNs currently tested in network - more to be added
•500+ IP routes/VPN
•Full convergence time generally is 5-10 minutes
•Memory requirements on the CP/SP are well within limits
•After a switch is removed completely from a fully converged
network, the remaining switches all wait for the OSPF dead
timer to expire - within 10-20 seconds all of the routes
associated with that neighbor in each VPN it was participating in
are removed and the remaining network converges with little
effort.
18


Technical comparison to
the BGP overlay approach

Presentation Title
10/18/19

Lucent Technologies – Proprietary


Comparison to BGP “overlay” model Scalability of configuration

• In the VR approach, each connection to the network
requires one Layer 3 configuration.

• In the overlay approach, each connection to the the
network requires Route Distinguisher (RD), Route Target
(RT), Site Of Origin (SOI), VPN of Origin (VOI)

20


Comparison to BGP “overlay” model
-Standards compliance
• The VR approach uses a VR discovery mechanism based
on a pending RFC
• Requires no changes to existing, standardized protocols
• All configuration is standard router configuration.
• The overlay approach uses a route distribution
methodology described in RFC 2547, but requires
significant changes to BGP, an existing Internet
standard.

21


Comparison to BGP “overlay” model
-Additional IETF standards/proposals
required for operation
• The VR approach simply makes use of standards such as
routing protocols and ARP which are router requirements
set forth in existing RFCs
• The overlay model requires the additional
implementation of the following drafts:
–

–
–
–
–
–

draft-ietf-idr-bgp4-multiprotocol-v2-02.txt
draft-ietf-mpls-bgp4-mpls-02.txt
draft-ietf-idr-bgp4-cap-neg-03.txt
draft-ramachandra-bgp-ext-communities-01.txt
draft-chen-bgp-route-refresh-01.txt
RFC 1997

22


Comparison to BGP “overlay” model
-Rules for network configuration and
operation- CE peering requirements

• Since the VR approach is based on standard routing
protocols and routing domains, there are no special rules
for how to connect customer sites to the core network
• The overlay approach requires network administrator
and CPE administrator implementation of special
configuration rules.

23



Comparison to BGP “overlay” model
-Rules for network configuration and
operation (CE peering requirements)
• If RIP is run to the CE, it is required that the PNA configure the
multi-homed CE correctly to NOT leak routes distributed from PE to
another PE.
• If OSPF is run to the CE, it is required that the site be run as 1 large
OSPF area with the CE being the area border router.
• Additionally, it is required that the PE should be in a different area
and the PE report no inter-CE links.
• RFC 2547 does not specify if other special rules apply for other
protocols, e.g., ISIS.
• A new and special parameter "SOI" has to be configured to ensure
routing loops are avoided.

24


Comparison to BGP “overlay” model
-Dynamic discovery of VPN endpoints

• The VR approach specifies a methodology for the
dynamic discovery of other VRs in the network using IP
multicast facilities. A manual override for completeness
is also specified
• The overlay approach does not use dynamic discovery of
other PEs involved in a VPN. The RT attribute only
suggests a Closed User Group. It does not specify who
the members are


25