l3vpn training course
TRANSCRIPT
8/22/2019 L3VPN Training Course
http://slidepdf.com/reader/full/l3vpn-training-course 1/26
http://www.ist-nobel.org/Nobel2/servlet/Nobel2.Main
Next Generation Optical Networks for Broadband European Leadership
Valerio Martini
This tutorial is licensed under the Creative Commons
creativecommons.org/licenses/by-nc-sa/3.0/
Layer 3 Virtual Private Network (L3VPN)
Training course
Summary
What is a VPN?
MPLS VPN (RFC 4364). A choice
"Private" Instances of Routing (VRF tables)
Multiprotocol BGP
An MPLS Tunnel
A quick view on:
VPN Multi-Domain
VPN QoS and Scalability
What is a VPN?
A Virtual Private Network (VPN) is a private data network that makes use of the public telecommunication infrastructure, maintaining privacy and resource reservation through the use of tunneling protocols.
Layer 3 VPNs (L3VPN) are based on IP/MPLS networks (cf. RFC 4364 "BGP/MPLS IP VPN").
L3 VPN connectivity is provided across the Service Provider's network.
L3 VPNs are based on an IP address scheme, and the relevant virtual connectivity is based on the use of an ad hoc forwarding table called a VRF (VPN Routing and Forwarding table).
Backbone routers (P routers) are unaware of the tunnels and the VRF tables, but are aware of the tunneling protocols.
Service Provider edge routers (PE routers) are attached to the corporate network WANs (Sites) to establish the L3 VPN.
VPN Terminology
P: Provider Router
CE: Customer Edge Router
PE: Provider Edge Router
[Figure: IP/MPLS backbone of P routers with PE routers at its edge; CE routers of customer sites belonging to VPN 1, VPN 2 and VPN 3 are attached over FE and GE links]
VPN Terminology
[Figure: same topology; the VPN area spans the different customer sites of VPN 1, VPN 2 and VPN 3, and the backbone runs BGP - IP/MPLS - OSPF/(RSVP)]
VPN area: the different Customer Sites
The WAN of a corporate network (Site) consists of network systems placed in geographic proximity.
Backbone: BGP - IP/MPLS - OSPF/(RSVP)
VPN Terminology
[Figure: same topology, highlighting an End System of a customer site and its Attachment Circuit to the PE]
End System
An Attachment Circuit is usually considered as a "Data Link", e.g., a Fast Ethernet (FE) or Gigabit Ethernet (GE) link.
VPN Taxonomy
A brief classification:
Type of customer-side Virtual Tunnel
Layer 2 VPNs provide Layer 2 connectivity, e.g., a native Ethernet LAN
Layer 3 VPNs provide Layer 3 connectivity, e.g., based on an access IP router
Type of VPN (in terms of end-point location)
CE-based: VPNs are configured and maintained by the customer; the provider network is VPN unaware
PE-based: network providers are responsible for VPN configuration and maintenance
Type of architecture possible
VPN Layer 3 (e.g., IPsec)
VPN Layer 2 (e.g., VPLS, VPWS)
Layer 2 vs Layer 3 VPN
Type of customer payload carried by the Virtual Tunnel
Layer 3 VPN provides BGP IP/MPLS backbone connectivity. The Layer 3 approach to creating an IP/MPLS-based VPN offers a routed solution:
completely based on the IPv4 address scheme
scalable
The de facto standard is described in RFC 4364 (February 2006).
Layer 2 VPN provides native Layer 2 backbone connectivity. The Layer 2 approach offers encapsulation methods to transport Layer 2 frames over MPLS networks. It:
provides an optimization between the Provider's and the Customer's network
allows PEs to offer services that are INDEPENDENT of the Layer 3 protocols
The establishment of point-to-point connectivity in a Layer 2 VPN is described in RFC 4906.
VPLS provides L2/L3 hybrid connectivity. The Virtual Private LAN Service offers a hybrid connectivity based on:
Provider-Customer VLAN (Virtual LAN) association on the access network
BGP IP/MPLS connectivity in the backbone
CE vs PE Based
Type of endpoint (location) of the tunnel
VPN Customer Edges (CE) are maintained by Customers.
The Customer is responsible for its endpoint:
routers' maintenance
routing protocol configuration
VRF configuration
its own security
For example: VPLS belongs natively to this category.
VPN Provider Edges (PE) are maintained by Service Providers.
The Service Provider is responsible for all domain endpoints and must be able to:
configure all Edge Routers
maintain the routers
provide advanced services
operate on point-to-point security (IPsec, PE-based)
For example: VPN L3 belongs natively to this category. The Customer network is completely VPN unaware.
BGP IP/MPLS VPN. A choice
RFC 4364 defines an emerging standard commonly named "MPLS VPN" or, more exactly, "BGP/MPLS IP VPN".
Service providers that offer Layer 3 VPN services can take advantage of new, advanced features.
L3 VPN services allow businesses to outsource their current network core using a private IP-based service offering from an SP.
The most common deployment is an any-to-any topology where any customer device can connect directly to the L3 VPN.
Enterprise traffic entering the SP domain is then routed based on the information in the VRF table and encapsulated with MPLS labels to ensure proper tunneling and de-multiplexing through the core.
The three main steps for the establishment of a VPN over an IP/MPLS backbone:
1. Routing Instance Configuration (VRF tables and policy)
2. MP-BGP (Multiprotocol BGP) configuration (it carries the VRF tables among the PEs)
3. MPLS Configuration
"Private" Instances of Routing (Step-1)
The Virtual Tunnel Connection is based on an ad hoc forwarding table called VRF.
The address space used by a VRF is composed of:
IP Prefix
Route Distinguisher (RD)
Different forwarding tables are distinguished by the Route Target (RT).
Each VPN has its own address space:
A given address may denote different systems in different VPNs
A given address may denote the same system in different VPNs (unique address)
A new Address Space, the VPN-IPv4 Family:
8 Byte Route Distinguisher (RD) + 4 Byte standard IP prefix
The RD is composed of: Type + Provider's AS + Assigned Number
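The slide above describes the VPN-IPv4 address family only as a picture. The following is an added example (not part of the original course material) that builds the RD and the VPN-IPv4 NLRI that MP-BGP carries between PEs, and shows that the Route Target, not the RD, decides which VRF tables import a route; the AS number, labels, prefixes and VRF names are constructed sample values.

```python
import ipaddress
import struct

def encode_rd(rd: str) -> bytes:
    """Encode an RD written as 'ASN:number' or 'A.B.C.D:number' into its 8-byte
    wire form (RFC 4364 section 4.2): 2-byte Type followed by a 6-byte Value."""
    admin, num = rd.split(":")
    if "." in admin:                       # Type 1: 4-byte IPv4 administrator, 2-byte number
        return struct.pack("!H4sH", 1, ipaddress.IPv4Address(admin).packed, int(num))
    asn = int(admin)
    if asn > 0xFFFF:                       # Type 2: 4-byte AS number, 2-byte number
        return struct.pack("!HIH", 2, asn, int(num))
    return struct.pack("!HHI", 0, asn, int(num))   # Type 0: 2-byte AS number, 4-byte number

def encode_vpnv4_nlri(label: int, rd: str, prefix: str) -> bytes:
    """VPN-IPv4 NLRI as MP-BGP advertises it: length in bits, 3-byte label field
    (20-bit VPN label, bottom-of-stack bit set), 8-byte RD, then the prefix bytes."""
    net = ipaddress.IPv4Network(prefix)
    prefix_bytes = net.network_address.packed[: (net.prefixlen + 7) // 8]
    label_bytes = ((label << 4) | 1).to_bytes(3, "big")
    return bytes([24 + 64 + net.prefixlen]) + label_bytes + encode_rd(rd) + prefix_bytes

def decode_vpnv4_nlri(nlri: bytes):
    """Inverse of encode_vpnv4_nlri: returns (label, rd_bytes, 'prefix/len')."""
    plen = nlri[0] - 88                    # strip the 24 label bits and the 64 RD bits
    label = int.from_bytes(nlri[1:4], "big") >> 4
    rd = nlri[4:12]
    pb = nlri[12:12 + (plen + 7) // 8].ljust(4, b"\0")
    return label, rd, f"{ipaddress.IPv4Address(pb)}/{plen}"

def importing_vrfs(route_rts, vrfs):
    """Names of the VRFs whose import Route Targets overlap the route's RTs:
    the RT extended community, not the RD, selects the receiving VRF tables."""
    return sorted(name for name, imports in vrfs.items() if set(route_rts) & set(imports))

# Constructed sample: two customers both number their sites 10.1.0.0/16.
# Distinct RDs make the two VPN-IPv4 routes distinct for BGP.
ROUTE_A = encode_vpnv4_nlri(label=1001, rd="65000:1", prefix="10.1.0.0/16")
ROUTE_B = encode_vpnv4_nlri(label=1002, rd="65000:2", prefix="10.1.0.0/16")
# Constructed import policies: vpn-shared is an extranet VRF importing both customers.
VRFS = {"vpn-A": ["65000:100"], "vpn-B": ["65000:200"],
        "vpn-shared": ["65000:100", "65000:200"]}
```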
"Private" Instances of Routing (Step-1)
Full Scenario
[Figure: IP/MPLS backbone with the customer sites of VPN 1, VPN 2 and VPN 3 attached over FE links (FE-1, FE-2); key: firewall]
"Private" Instances of Routing (Step-1)
Populate VRF Tables
[Figure: on the PE, one VRF table for VPN 1, one for VPN 2 and one for VPN 3, each fed by the routing tables of the enterprise CE routers; the backbone runs MPLS, OSPF, RSVP and BGP-MP within one OSPF domain]
There are three methods to populate the VRF:
• Statically (by manual configuration) or RIP
• OSPF
• BGP
"Private" Instances of Routing (Step-1)
Routing and Forwarding
[Figure: a PE router receives an IP packet from a customer network, consults its VRF tables and composes the labeled frame Label MPLS | Label VPN | IP pkt for the IP/MPLS backbone]
The PE router composes the labeled frame:
1. Identify the VPN
2. Select the VRF entry for this VPN
3. Attach the MPLS label info
4. Attach the VPN label info
5. Send out
• At least a VRF table for each Attachment Circuit
• Eventually a different VRF for each VPN
The Route Target is used to distinguish different VRF tables.
"Private" Instances of Routing (Step-1)
Label Switched Path
[Figure: at the ingress VPN site the PE COMPOSES the packets (IP -> Label VPN | IP), they cross the IP/MPLS backbone, and at the egress VPN site the PE DECOMPOSES the packets (Label VPN | IP -> IP)]
The core routers are completely UNAWARE of the VPN label (tag).
"Private" Instances of Routing (Step-1)
Routers PE Configuration
Config (Junos XML, one routing instance per VPN on the PE):
<routing-instances>
    <instance>
        <name>vpn-ABC</name>
        <instance-type>VRF</instance-type>
        <interface>fe-0/3/1.0</interface>
        <route-distinguisher>2.2.2.2:RD</route-distinguisher>
    </instance>
</routing-instances>
FIRST: the name of the routing instance
SECOND: the type of the routing instance
THIRD: the name of the Juniper physical interface (the attachment circuit)
FOURTH: the VPN-IPv4 family address (the Route Distinguisher)
BGP Multi Protocol (Step-2)
Full Scenario
[Figure: the same IP/MPLS backbone with the customer sites of VPN 1, VPN 2 and VPN 3 attached over FE links; key: firewall]
BGP Multi Protocol (Step-2)
Routers PE Configuration
Config (Junos XML; the VRF tables are EXCHANGED over this internal BGP group):
<bgp>
    <local-address>2.2.2.2</local-address>
    <local-as>AS</local-as>
    <group>
        <name>1-2-3</name>
        <type>internal</type>
        <!-- the VPN-IPv4 family (family inet-vpn unicast) must also be enabled on the group
             for MP-BGP to carry the VRF routes -->
        <neighbor>
            <name>Edge-1</name>
            <local-address>1.1.1.1</local-address>
        </neighbor>
        <neighbor>
            <name>Edge-3</name>
            <local-address>3.3.3.3</local-address>
        </neighbor>
    </group>
</bgp>
FIRST: the local address of the PE
SECOND: the Autonomous System
THIRD: the name of the BGP group
FOURTH: the list of the neighbors
[Figure: three PEs in BGP group A-B-C: RouterId 1.1.1.1 with neighbours 2.2.2.2 and 3.3.3.3; RouterId 2.2.2.2 with neighbours 1.1.1.1 and 3.3.3.3; RouterId 3.3.3.3 with neighbours 2.2.2.2 and 1.1.1.1]
BGP Multi Protocol (Step-2)
Routers Route-Reflector
[Figure: RouterId 1.1.1.1, 2.2.2.2 and 3.3.3.3 in BGP group A-B-C, each peering with the other two; the VRF tables are EXCHANGED through these sessions]
Route REFLECTOR: the RR is a Designated Router.
• BGP is based on a full mesh
• n(n-1)/2 sessions, e.g., 10 routers: 10*(10-1)/2 = 45 BGP sessions
• BGP with RR
• (n-1)+(n-1) sessions, e.g., 10 routers: 9+9 = 18 BGP sessions
MPLS (LSP-tunnelling) (Step-3)
Full Scenario
[Figure: the same IP/MPLS backbone with the customer sites of VPN 1, VPN 2 and VPN 3 attached over FE links; key: firewall]
MPLS (LSP-tunnelling) (Step-3)
Routers PE Configuration
Config (Junos XML, one label-switched path from this PE to the egress PE):
<mpls>
    <label-switched-path>
        <name>to-A</name>
        <to>1.1.1.1</to>
        <bandwidth>30m</bandwidth>
        <install>10.20.12.0/24<active/></install>
    </label-switched-path>
</mpls>
FIRST: the name of the LSP
SECOND: the destination of the LSP (EGRESS ROUTER)
THIRD: the bandwidth reserved
FOURTH: the set of IP prefixes activated over the LSP
[Figure: core routers CR 1, CR 2 and CR 3 in the backbone, with three VPN sites attached to the edge]
Benefits
RFC 4364 defines an emerging standard commonly named "MPLS VPN" or, more exactly, "BGP/MPLS IP VPN".
VPNs can use overlapping address spaces (VPN-IPv4 family)
Providers use existing protocols (BGP, RSVP, OSPF, MPLS)
Provider backbone routers do not need to hold any VPN routing information
Providers can get good SLA and QoS support
Customers are UNAWARE of MPLS (all the work is done by the Service Provider)
Customers are UNAWARE of the security policy
Customers are UNAWARE of the connectivity and routing VPN management
Drawbacks
RFC 4364 defines an emerging standard commonly named "MPLS VPN" or, more exactly, "BGP/MPLS IP VPN".
IP only: L3 VPNs transport only IPv4 traffic. Non-IP protocols need to be tunneled through some mechanism (such as GRE) on the CE or C devices.
The customer is dependent on the SP with regard to Layer 3 features and capabilities. Layer 3-based convergence and QoS capabilities are also dependent on the SP offering, and SLAs must be negotiated to manage these requirements.
Possible difficulties in integration: the difficulty of integration from Layer 2 to Layer 3 peering varies greatly depending on the SP offering. If the SP does not offer some service, integration with a different routing protocol, such as eBGP, might require
VPN Multi-Domain
Two sites of a VPN are connected to different AUTONOMOUS SYSTEMS (AS).
There are 2 methods to implement this feature:
VRF-to-VRF: a direct connection between the PEs
EBGP (External BGP) protocol between the ASes
[Figure: IP/MPLS backbones of AS 1, AS 2 and AS 3; in the first option the PEs of two ASes are directly connected, in the second the domains exchange routes with External BGP]
QoS and Scalability
The BGP/MPLS IP VPN provides Quality of Service (QoS):
MPLS reserves bandwidth using RSVP
A policy in the PE router grooms selected IP addresses over a reserved LSP
The BGP/MPLS IP VPN presents good scalability:
The Route Reflector requires fewer BGP sessions
Two levels of labels keep the P routers free of all the VPN routing information
PE routers maintain route information only for the VPNs whose sites are directly connected
References
IANA Considerations (Internet Assigned Numbers Authority): IANA has created a new registry for the "Route Distinguisher Type Field"
Rosen, E., and Rekhter, Y., "BGP/MPLS IP Virtual Private Networks (VPNs)", RFC 4364
Metz, C., "The Latest in Virtual Private Networks, Part I & II", IEEE Internet Computing, June 2004; available at http://computer.org/internet
Daugherty, B., and Metz, C., "Multiprotocol Label Switching and IP, Part I", IEEE Internet Computing, June 2005; available at http://computer.org/internet
JUNOS software documentation for M-series and T-series platforms, available at http://www.juniper.net/techpubs