  • http://www.ist-nobel.org/Nobel2/servlet/Nobel2.Main

    Next Generation Optical Networks for Broadband European Leadership

    Valerio Martini

    This tutorial is licensed under the Creative Commons

    creativecommons.org/licenses/by-nc-sa/3.0/

    Layer3 Virtual Private Network (L3VPN)

    Training course

  • Summary

    What is a VPN?

    MPLS VPN (RFC 4364). A choice

    Private instances of routing (VRF tables)

    Multiprotocol BGP

    An MPLS tunnel

    A quick view on: VPN Multi-Domain

    VPN QoS and scalability

  • What is a VPN?

    A Virtual Private Network (VPN) is a private data network that makes use of the public telecommunication infrastructure, maintaining privacy (traffic separation) and, where the backbone supports it, resource reservation through the use of tunneling protocols

    Layer 3 VPNs (L3VPN) are based on IP/MPLS networks (cf. RFC 4364, BGP/MPLS IP VPNs)

    L3VPN connectivity is provided across Service Provider networks

    L3VPNs are based on the IP addressing scheme; the virtual connectivity relies on per-VPN forwarding tables called VRFs (VPN Routing and Forwarding tables)

    Backbone routers (P routers) are unaware of the VPNs and hold no VRF tables; they only run the tunneling protocol (MPLS) that carries the VPN traffic

    Provider Edge routers (PE routers) attach the corporate network WANs (sites) and establish the L3VPN on behalf of the customer

    Note that "private" here means isolation by routing, not encryption: an RFC 4364 VPN keeps customer traffic separate inside the provider network but does not encrypt it, so confidentiality from the provider itself requires a further mechanism such as IPsec between the sites

  • VPN Terminology

    P: Provider Router

    CE: Customer Edge Router

    PE: Provider Edge Router

    [Figure: sites of VPN 1, VPN 2 and VPN 3 attach through CE routers over FE (Fast Ethernet) and GE (Gigabit Ethernet) links to PE routers; the P routers form the backbone]

  • VPN Terminology

    [Figure: same topology; the VPN area is made of the different customer sites, the backbone is the P/PE network]

    Site: the WAN of a corporate network; a site consists of network systems placed in geographic proximity

    Backbone: BGP - IP/MPLS - OSPF/(RSVP)

  • VPN Terminology

    [Figure: same topology, highlighting an end system inside a site and the attachment circuits between CE and PE]

    End System: a host inside a customer site

    Attachment Circuit: usually a data link, e.g., Fast Ethernet (FE) or Gigabit Ethernet (GE), connecting a CE to a PE

  • VPN Taxonomy

    A brief classification:

    Type of customer-side payload carried by the virtual tunnel:

    Layer 2 VPNs provide Layer 2 connectivity, e.g., a native Ethernet LAN

    Layer 3 VPNs provide Layer 3 connectivity, e.g., based on an access IP router

    Type of VPN (in terms of end-point location):

    CE-based: VPNs are configured and maintained by the customer; the provider network is VPN-unaware

    PE-based: the network provider is responsible for VPN configuration and maintenance

    Type of architecture possible:

    VPN Layer 3 (e.g., IPsec, BGP/MPLS IP VPN)

    VPN Layer 2 (e.g., VPLS, VPWS)

  • Layer 2 vs Layer 3 VPN

    Type of customer payload carried by the virtual tunnel

    Layer 3 VPN provides BGP IP/MPLS backbone connectivity. The Layer 3 approach to create an IP/MPLS-based VPN offers a routed solution:

    completely based on the IPv4 addressing scheme; scalable

    The DE FACTO standard is described in RFC 4364 (February 2006)

    Layer 2 VPN provides native Layer 2 backbone connectivity. The Layer 2 approach offers encapsulation methods to transport Layer 2 frames over MPLS networks. It:

    keeps the provider's and the customer's networks independent of each other; allows PEs to offer services that are INDEPENDENT of the Layer 3 protocol

    The establishment of point-to-point connectivity in a Layer 2 VPN is described in RFC 4906 (Transport of Layer 2 Frames Over MPLS)

    VPLS provides an L2/L3 hybrid connectivity. The Virtual Private LAN Service offers a hybrid connectivity based on: a Provider-Customer VLAN (Virtual LAN) association on the access network, and BGP IP/MPLS connectivity in the backbone

  • CE-based vs PE-based

    Type of endpoint (location) of the tunnel

    VPN Customer Edge (CE) based: the endpoints are maintained by the customer, who is responsible for: its endpoint routers' maintenance, routing protocol configuration, VRF configuration, its own security

    For example: VPLS belongs natively to this category (the provider delivers only Layer 2 connectivity, so all Layer 3 routing stays with the customer)

    VPN Provider Edge (PE) based: the endpoints are maintained by the Service Provider, who is responsible for all the domain endpoints and must be able to: configure all edge routers, maintain the routers, provide advanced services, operate point-to-point security (PE-based IPsec)

    For example: L3VPN belongs natively to this category; the customer network is completely VPN-unaware

  • BGP IP/MPLS VPN. A choice

    RFC 4364 defines an emerging standard commonly named MPLS VPN or, more exactly, BGP/MPLS IP VPN

    Service providers that offer Layer 3 VPN services can take advantage of new, advanced features

    L3VPN services allow businesses to outsource their current network core using a private IP-based service offering from an SP

    The most common deployment is an any-to-any topology where any customer device can connect directly to the L3VPN

    Enterprise traffic entering the SP domain is then routed based on the information in the VRF table and encapsulated with MPLS labels to ensure proper tunneling and de-multiplexing through the core

    The three main steps for the establishment of a VPN over an IP/MPLS backbone:

    1. Routing instance configuration (VRF tables and policy)

    2. BGP-MP (MultiProtocol BGP) configuration (it carries the VRF routes among the PEs)

    3. MPLS configuration

  • Private Instances of Routing (Step-1)

    A new address space: the VPN-IPv4 family

    The virtual tunnel connection is based on a per-VPN forwarding table called VRF

    The address space used by the VRF is composed of: 8-byte Route Distinguisher (RD) + 4-byte standard IPv4 prefix

    The RD is made of a Type field, the provider's AS number (or, depending on the type, an IPv4 address) and an Assigned Number

    Different VRF tables are distinguished by the Route Target (RT)

    Each VPN has its own address space: a given address may denote different systems in different VPNs (overlapping private addressing), or the same system in different VPNs when the address is globally unique
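The following is an added example (not code from the tutorial) that builds the VPN-IPv4 address space just described byte by byte: the three Route Distinguisher types of RFC 4364 section 4.2, the 12-byte VPN-IPv4 address (RD followed by the IPv4 prefix) and the Route Target extended community of RFC 4360 that later tells a PE which VRF a route belongs to. The AS number 65000, the PE address 2.2.2.2 and the prefix 10.1.0.0/16 are made-up sample values.

```python
"""Added example: RFC 4364 Route Distinguisher, VPN-IPv4 address and
Route Target encoding.  AS 65000, 2.2.2.2 and 10.1.0.0/16 are made-up."""
import ipaddress
import struct


def encode_rd(rd_type: int, admin, assigned: int) -> bytes:
    """Encode an 8-byte Route Distinguisher (RFC 4364 section 4.2).

    type 0: 2-byte AS number + 4-byte assigned number  (e.g. 65000:1)
    type 1: 4-byte IPv4 addr + 2-byte assigned number  (e.g. 2.2.2.2:2)
    type 2: 4-byte AS number + 2-byte assigned number
    """
    if rd_type == 0:
        return struct.pack("!HHI", 0, admin, assigned)
    if rd_type == 1:
        return struct.pack("!H4sH", 1, ipaddress.IPv4Address(admin).packed, assigned)
    if rd_type == 2:
        return struct.pack("!HIH", 2, admin, assigned)
    raise ValueError("unknown RD type %d" % rd_type)


def decode_rd(rd: bytes) -> str:
    """Render an encoded RD in the usual admin:assigned notation."""
    rd_type = struct.unpack("!H", rd[:2])[0]
    if rd_type == 0:
        admin, assigned = struct.unpack("!HI", rd[2:])
        return f"{admin}:{assigned}"
    if rd_type == 1:
        addr, assigned = struct.unpack("!4sH", rd[2:])
        return f"{ipaddress.IPv4Address(addr)}:{assigned}"
    if rd_type == 2:
        admin, assigned = struct.unpack("!IH", rd[2:])
        return f"{admin}:{assigned}"
    raise ValueError("unknown RD type %d" % rd_type)


def vpn_ipv4(rd: bytes, prefix: str) -> bytes:
    """VPN-IPv4 address: the 8-byte RD followed by the 4-byte IPv4 prefix."""
    net = ipaddress.IPv4Network(prefix)
    return rd + net.network_address.packed


def encode_route_target(asn: int, assigned: int) -> bytes:
    """Route Target extended community (RFC 4360): type 0x00 (transitive,
    two-octet AS specific), sub-type 0x02 (Route Target), AS, assigned number."""
    return struct.pack("!BBHI", 0x00, 0x02, asn, assigned)


def overlapping_prefixes_are_distinct(prefix: str, rd_a: bytes, rd_b: bytes) -> bool:
    """True when the same customer prefix yields two different VPN-IPv4
    routes because the two VRFs use different RDs."""
    return vpn_ipv4(rd_a, prefix) != vpn_ipv4(rd_b, prefix)


if __name__ == "__main__":
    rd_vpn1 = encode_rd(0, 65000, 1)       # 65000:1, provider AS style
    rd_vpn2 = encode_rd(1, "2.2.2.2", 2)   # 2.2.2.2:2, PE loopback style
    print(decode_rd(rd_vpn1), rd_vpn1.hex())
    print(decode_rd(rd_vpn2), rd_vpn2.hex())
    # Both customers number their site 10.1.0.0/16; as VPN-IPv4 routes they differ.
    print(overlapping_prefixes_are_distinct("10.1.0.0/16", rd_vpn1, rd_vpn2))
    print(encode_route_target(65000, 1).hex())
```

The RD only makes overlapping prefixes unique inside BGP; it carries no policy. Which VRF a route lands in is decided by the Route Target, which is why two VRFs may share an RD value yet still be kept apart, and why a wrong RT (not a wrong RD) is what leaks routes between customers.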

  • Private Instances of Routing (Step-1)

    Full Scenario

    [Figure: sites of VPN 1, VPN 2 and VPN 3 attached over FE links (FE-1, FE-2) to the PE routers at the edge of the IP/MPLS backbone; key: a firewall symbol marks the customer-side boundary of each site]

  • Private Instances of Routing (Step-1)

    Populate VRF Tables

    [Figure: one VRF table per VPN (VPN1, VPN2, VPN3) on the PE, fed by the CE routing tables of the enterprises; the backbone runs MPLS, OSPF, RSVP and BGP-MP]

    There are three ways to populate a VRF from the attached site: statically (by manual configuration), or dynamically through a PE-CE routing protocol such as RIP, OSPF or BGP

  • Private Instances of Routing (Step-1)

    Routing and Forwarding: the PE router composes the labeled frame

    1. Identify the VPN (from the attachment circuit the IP packet arrived on)

    2. Select the VRF entry for this VPN (longest-prefix match inside that VRF only)

    3. Attach the VPN label (inner label, learnt with the VRF entry from the egress PE)

    4. Attach the MPLS transport label (outer label of the LSP towards the egress PE)

    5. Send out

    Resulting frame: [Label MPLS][Label VPN][IP pkt]

    Each attachment circuit is associated with exactly one VRF; typically a different VRF for each VPN, and several attachment circuits of the same VPN may share one

    The Route Target is used to distinguish different VRF tables

  • Private Instances of Routing (Step-1)

    Label Switched Path

    [Figure: VPN Site -> PE -> IP/MPLS Backbone -> PE -> VPN Site; the ingress PE COMPOSES the packet (IP becomes [Label VPN][IP], then the MPLS transport label is pushed on top), the egress PE DECOMPOSES it back to IP]

    The core routers are completely UNAWARE of the VPN label: they only switch on the outer transport label
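As an added example (not from the tutorial), the following models the data path of the last two slides: the ingress PE picks the VRF from the attachment circuit and pushes the VPN label and the transport label, a P router rewrites only the outer label, and the egress PE uses the VPN label alone to pick the VRF and the outgoing attachment circuit. Two customers both numbered 10.1.0.0/16 are delivered to different sites. The PE names, interface names, label values and prefixes are made-up sample values; label 3 is the MPLS implicit-null label that makes the penultimate router pop the outer label.

```python
"""Added example: two-label forwarding of an RFC 4364 VPN packet.
PE names, interfaces, labels and prefixes are made-up sample values."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class VrfRoute:
    prefix: ipaddress.IPv4Network
    egress_pe: str      # PE that advertised the route
    vpn_label: int      # VPN label the egress PE allocated for it


@dataclass
class PE:
    name: str
    ac_to_vrf: dict = field(default_factory=dict)   # attachment circuit -> VRF
    vrfs: dict = field(default_factory=dict)        # VRF -> [VrfRoute]
    label_table: dict = field(default_factory=dict) # local VPN label -> (VRF, out AC)
    lsp_label: dict = field(default_factory=dict)   # egress PE -> transport label


def ingress_forward(pe: PE, in_ac: str, dst: str):
    """Identify the VPN from the AC, look up the VRF, push inner and outer label."""
    vrf = pe.ac_to_vrf[in_ac]
    ip = ipaddress.IPv4Address(dst)
    matches = [r for r in pe.vrfs[vrf] if ip in r.prefix]  # this VRF only
    if not matches:
        return None                                      # no route: drop
    route = max(matches, key=lambda r: r.prefix.prefixlen)
    return (pe.lsp_label[route.egress_pe], route.vpn_label, dst)


def p_router_swap(label_stack, swap_table: dict):
    """A P router rewrites the outer label and never reads the inner one."""
    outer, inner, payload = label_stack
    return (swap_table[outer], inner, payload)


def egress_forward(pe: PE, label_stack):
    """After penultimate-hop pop only the VPN label is meaningful at the egress
    PE; it selects the VRF and the outgoing attachment circuit."""
    _outer, inner, payload = label_stack
    vrf, out_ac = pe.label_table[inner]
    return (vrf, out_ac, payload)


def build_demo():
    """Constructed topology: PE1 and PE2 each attach a site of VPN1 and of
    VPN2; both customers number their remote site 10.1.0.0/16."""
    pe1 = PE("PE1", ac_to_vrf={"fe-0/0/1": "VPN1", "fe-0/0/2": "VPN2"},
             lsp_label={"PE2": 1001})
    pe2 = PE("PE2", ac_to_vrf={"fe-0/0/1": "VPN1", "fe-0/0/2": "VPN2"},
             lsp_label={"PE1": 2001})
    pe2.label_table = {300001: ("VPN1", "fe-0/0/1"), 300002: ("VPN2", "fe-0/0/2")}
    # Routes PE1 learnt over MP-BGP and imported into its two VRFs.
    pe1.vrfs = {
        "VPN1": [VrfRoute(ipaddress.IPv4Network("10.1.0.0/16"), "PE2", 300001)],
        "VPN2": [VrfRoute(ipaddress.IPv4Network("10.1.0.0/16"), "PE2", 300002)],
    }
    return pe1, pe2


def deliver(pe1: PE, pe2: PE, in_ac: str, dst: str):
    """One packet PE1 -> P -> PE2; returns (VRF, outgoing AC) or None."""
    stack = ingress_forward(pe1, in_ac, dst)
    if stack is None:
        return None
    stack = p_router_swap(stack, {1001: 3})   # 3 = implicit null: outer label popped
    vrf, out_ac, _ = egress_forward(pe2, stack)
    return vrf, out_ac


if __name__ == "__main__":
    pe1, pe2 = build_demo()
    print(deliver(pe1, pe2, "fe-0/0/1", "10.1.2.3"))
    print(deliver(pe1, pe2, "fe-0/0/2", "10.1.2.3"))
```

The only state that separates the two customers is on the PEs (the AC-to-VRF binding and the VPN label table); the P router's swap table contains transport labels only, which is exactly why the backbone scales independently of the number of VPN routes.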

  • Private Instances of Routing (Step-1)

    Routers PE Configuration

    [Figure: on each PE of the IP/MPLS backbone a routing instance vpn-ABC of type VRF, bound to interface fe-0/3/1.0, with route distinguisher 2.2.2.2:RD]

    Config:

    FIRST the name of the routing instance (vpn-ABC)

    SECOND the type of routing instance (VRF)

    THIRD the name of the Juniper physical interface (fe-0/3/1.0)

    FOURTH the VPN-IPv4 family address, i.e. the route distinguisher (2.2.2.2:RD)

  • BGP Multi Protocol (Step-2)

    Full Scenario

    [Figure: same topology as the Step-1 full scenario: sites of VPN 1, VPN 2 and VPN 3 attached over FE links to the PEs of the IP/MPLS backbone]

  • BGP Multi Protocol (Step-2)

    Routers PE Configuration: VRF tables are EXCHANGED

    [Figure: three PEs in one internal AS, Edge-1 (1.1.1.1), the PE 2.2.2.2 and Edge-3 (3.3.3.3), fully meshed by BGP sessions]

    Config:

    FIRST the local address of the PE (RouterId)

    SECOND the Autonomous System

    THIRD the name of the BGP group

    FOURTH the list of the neighbors

    RouterId = 1.1.1.1, BGP Group A-B-C, Neighbour 2.2.2.2, Neighbour 3.3.3.3

    RouterId = 2.2.2.2, BGP Group A-B-C, Neighbour 1.1.1.1, Neighbour 3.3.3.3

    RouterId = 3.3.3.3, BGP Group A-B-C, Neighbour 2.2.2.2, Neighbour 1.1.1.1
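What "VRF tables are EXCHANGED" carries on the wire, and what the receiving PE does with it, is shown by the following added example (not code from the tutorial): the VPN-IPv4 NLRI of RFC 4364 section 4.3 (length in bits, 3-byte label with bottom-of-stack bit as in RFC 3107, 8-byte RD, prefix), its parser, and the Route Target test that decides which VRFs install the route. It also includes a configuration check for the classic failure mode, a VRF of one customer importing a Route Target of another, which RFC 4364 relies on the provider never to do. The RD 65000:1, the label 16, the RT values and the customer names are made-up sample values.

```python
"""Added example: VPN-IPv4 NLRI encoding/parsing and route-target import.
RD 65000:1, label 16, the RT strings and customer names are made-up."""
import ipaddress


def encode_vpn_nlri(label: int, rd: bytes, prefix: str) -> bytes:
    """NLRI = length-in-bits | 3-byte label (20-bit value << 4, bottom-of-stack
    bit set) | 8-byte RD | IPv4 prefix trimmed to the bytes it needs."""
    net = ipaddress.IPv4Network(prefix)
    nbytes = (net.prefixlen + 7) // 8
    length_bits = 24 + 64 + net.prefixlen
    label_field = (label << 4) | 0x1
    return (bytes([length_bits]) + label_field.to_bytes(3, "big")
            + rd + net.network_address.packed[:nbytes])


def decode_vpn_nlri(data: bytes):
    """Inverse of encode_vpn_nlri; returns (label, rd_hex, prefix)."""
    length_bits = data[0]
    label = int.from_bytes(data[1:4], "big") >> 4
    rd = data[4:12]
    plen = length_bits - 24 - 64
    nbytes = (plen + 7) // 8
    addr = data[12:12 + nbytes].ljust(4, b"\x00")
    prefix = ipaddress.IPv4Network((int.from_bytes(addr, "big"), plen))
    return label, rd.hex(), str(prefix)


def select_vrfs(route_rts: set, vrf_import: dict) -> list:
    """A PE installs a received route into every VRF whose import list shares
    at least one Route Target with the route (RFC 4364 section 4.3.1)."""
    return sorted(v for v, rts in vrf_import.items() if route_rts & rts)


def find_cross_customer_imports(vrf_import: dict, vrf_customer: dict) -> list:
    """Configuration check: a Route Target imported by VRFs of two different
    customers merges their routing; return (rt, vrf_a, vrf_b) for each case."""
    leaks = []
    names = sorted(vrf_import)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if vrf_customer[a] == vrf_customer[b]:
                continue                      # same customer: sharing is intended
            for rt in sorted(vrf_import[a] & vrf_import[b]):
                leaks.append((rt, a, b))
    return leaks


if __name__ == "__main__":
    rd = bytes.fromhex("0000fde800000001")       # RD 65000:1, type 0 (made up)
    nlri = encode_vpn_nlri(16, rd, "10.1.0.0/16")
    print(nlri.hex(), decode_vpn_nlri(nlri))
    # Constructed VRF import policies; VPN2-hub mistakenly imports VPN1's RT.
    vrf_import = {"VPN1": {"65000:1"}, "VPN2": {"65000:2"},
                  "VPN2-hub": {"65000:2", "65000:1"}}
    customers = {"VPN1": "ACME", "VPN2": "Globex", "VPN2-hub": "Globex"}
    print(select_vrfs({"65000:1"}, vrf_import))
    print(find_cross_customer_imports(vrf_import, customers))
```

Because the RD is only part of the NLRI key while the RT is what drives installation, an audit of VPN separation on a PE is an audit of the import policies: the check above is the one to run whenever a VRF is added or a hub-and-spoke policy is changed.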

  • BGP Multi Protocol (Step-2)

    Routers Route-Reflector: VRF tables are EXCHANGED

    [Figure: the same three PEs (1.1.1.1, 2.2.2.2, 3.3.3.3, BGP group A-B-C), with one of them acting as Route REFLECTOR]

    iBGP requires a full mesh of sessions: n(n-1)/2 sessions

    e.g., 10 routers: 10*(10-1)/2 = 45 BGP sessions

    BGP with RR: each PE keeps a session only towards the route reflector(s): (n-1)+(n-1) sessions

    e.g., 10 routers: 9+9 = 18 BGP sessions

    The RR is a designated router that re-advertises the VPN-IPv4 routes it receives from one client to the others

  • MPLS (LSP-tunnelling) (Step-3)

    Full Scenario

    [Figure: same topology as the Step-1 full scenario: sites of VPN 1, VPN 2 and VPN 3 attached over FE links to the PEs of the IP/MPLS backbone]

  • MPLS (LSP-tunnelling) (Step-3)

    Routers PE Configuration

    [Figure: LSP "to-A" from a PE through the core routers CR 1, CR 2, CR 3 to the egress PE 1.1.1.1, with 30m of reserved bandwidth, carrying the VPN site prefix 10.20.12.0/24]

    Config:

    FIRST the name of the LSP (to-A)

    SECOND the destination of the LSP, the EGRESS ROUTER (1.1.1.1)

    THIRD the bandwidth reserved (30m)

    FOURTH the set of IP prefixes mapped onto the LSP (10.20.12.0/24)

  • Benefits

    RFC 4364 defines an emerging standard commonly named MPLS VPN or, more exactly, BGP/MPLS IP VPN

    VPNs may use overlapping address spaces (VPN-IPv4 family)

    Providers use existing protocols (BGP, RSVP, OSPF, MPLS)

    Provider backbone routers do not need to hold any VPN routing information

    Providers can offer good SLA and QoS support

    Customers are UNAWARE of MPLS (all the work is done by the Service Provider)

    Customers are UNAWARE of the security (separation) policy, of the VPN connectivity and of the routing and VPN management

    The other side of this: the customer must trust the provider's VRF and route-target configuration, which is the only thing keeping its routes separate from those of other customers

  • Drawbacks

    RFC 4364 defines an emerging standard commonly named MPLS VPN or, more exactly, BGP/MPLS IP VPN

    IP only: L3VPNs transport only IPv4 traffic (IPv6 VPNs were specified separately later, in RFC 4659). Non-IP protocols need to be tunneled through some mechanism (such as GRE) on the CE or C devices

    The customer is dependent on the SP in regards to Layer 3 features and capabilities

    Layer 3-based convergence and QoS capabilities are also dependent on the SP offering, and SLAs must be negotiated to manage these requirements

    Possible difficulties in integration: the difficulty of integration from Layer 2 to Layer 3 peering varies greatly depending on the SP offering. If the SP does not offer some service, integration with a different routing protocol, such as eBGP, might require

  • VPN Multi-Domain

    Two sites of a VPN are connected to different AUTONOMOUS SYSTEMS (AS)

    There are two methods to implement this feature:

    VRF-to-VRF: direct connection between the PEs of the two ASes, each treating the other as a CE of the VPN

    EBGP (External BGP): the border routers of the two ASes exchange the labeled VPN-IPv4 routes over an external BGP session

    [Figure: AS 1, AS 2 and AS 3, each an IP/MPLS backbone, interconnected; the first method is labelled "Direct connection between PEs", the second "External BGP protocol"]

  • QoS and Scalability

    The BGP/MPLS IP VPN provides Quality of Service (QoS): MPLS reserves bandwidth using RSVP

    A policy on the PE router maps selected IP prefixes onto a reserved LSP

    The BGP/MPLS IP VPN presents good scalability: the Route Reflector requires fewer BGP sessions

    Two levels of labels keep the P routers free of all VPN routing information

    PE routers maintain routing information only for the VPNs whose sites are directly attached to them

  • References

    IANA Considerations (Internet Assigned Numbers Authority): IANA has created a new registry for the Route Distinguisher Type field (RFC 4364)

    Rosen, E. and Rekhter, Y., "BGP/MPLS IP Virtual Private Networks (VPNs)", RFC 4364, February 2006

    Metz, C., "The Latest in Virtual Private Networks, Part I & II", IEEE Internet Computing, June 2004; available at http://computer.org/internet

    Daugherty, B. and Metz, C., "Multiprotocol Label Switching and IP, Part I", IEEE Internet Computing, June 2005; available at http://computer.org/internet

    JUNOS software documentation for M-series and T-series platforms, available at http://www.juniper.net/techpubs