Network-based IP VPNs using Virtual Routers
Tim Hubbard
Network based VPN Network Reference Model
(Figure: customer sites of VPN A, B, C and D attach through CE routers to PE routers at the edge of the backbone(s); P routers form the backbone core.)
CE - Customer Edge Router
PE - Provider Edge Router
P - Provider Router
Network Based VPN Services
(Figure: each Provider Edge Router (PE) hosts one VPN service instance per customer VPN (VPN Service 1, 2 and 3 for VPN A, B and C); the PEs interconnect the VPN services across the backbone(s).)
Architecture Design Goals
• Flexibility – solution architected around choices
• Scalability – backbone, VPN, PE, etc.
• Resiliency – NB-VPN services resilient to failures, smooth migration
• Manageability – multiple levels of control while reducing NB-VPN service and network management complexity
• Reusability – existing management aspects, network mechanisms and tools
• Security – VPN service, VPN information (routing and data)
Architecture Requirements
• Per VPN routing and forwarding.
• No routing/forwarding based on private addresses in the backbone.
• Any routing protocol can be used in the VPN domain and in the backbone.
• Overlapping of VPN addresses.
• Not limited to a single tunneling mechanism.
• Accommodates different backbone deployment scenarios.
• Not limited to a single backbone technology.
What is a Virtual Router?
• A virtual router (VR) is an emulation of a physical router.
• A VR has the same mechanisms and functionality as a physical router.
• Each virtual router maintains separate routing and forwarding tables.
• Each virtual router can run any routing protocol (OSPF, RIP, BGP-4, etc.).
VPN Tunneling
• Network-based VPNs are implemented through some form of tunneling mechanism.
• Different tunneling mechanisms can be used (MPLS, IPSec, GRE, L2TP, etc.).
• The architecture allows per VPN tunnels, or VPN shared tunnels across the backbone.
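An added example (not from the original slides) modelling the two properties just listed: each VR on a PE keeps its own forwarding table, so VPN A and VPN B can both use the same private prefix, and a packet is only ever looked up in the VR of the VPN it arrived from, with the backbone seeing only a tunnel, never the private address. The VPN names, prefixes and tunnel names are constructed for the demo.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple


@dataclass
class VirtualRouter:
    """One VR per VPN on the PE: its own, private routing/forwarding table."""
    vpn_id: str
    # (prefix, next hop); next hop is a backbone tunnel name or "local" for an attached CE
    rib: List[Tuple[IPv4Network, str]] = field(default_factory=list)

    def add_route(self, prefix: str, next_hop: str) -> None:
        self.rib.append((IPv4Network(prefix), next_hop))

    def lookup(self, dst: str) -> Optional[str]:
        # Longest-prefix match confined to this VR's table; other VPNs' routes are invisible
        addr = IPv4Address(dst)
        best: Optional[Tuple[IPv4Network, str]] = None
        for prefix, next_hop in self.rib:
            if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, next_hop)
        return best[1] if best else None


class ProviderEdge:
    def __init__(self) -> None:
        self.vrs: Dict[str, VirtualRouter] = {}

    def vr(self, vpn_id: str) -> VirtualRouter:
        return self.vrs.setdefault(vpn_id, VirtualRouter(vpn_id))

    def forward(self, ingress_vpn: str, dst: str) -> Optional[str]:
        """Decision for a packet from a CE of ingress_vpn: only that VPN's VR is consulted."""
        vr = self.vrs.get(ingress_vpn)
        return vr.lookup(dst) if vr else None


def demo() -> Dict[str, Optional[str]]:
    pe = ProviderEdge()
    # Constructed sample: VPN A and VPN B both use 10.1.0.0/16 (overlapping addresses)
    pe.vr("A").add_route("10.1.0.0/16", "tunnel-A-to-PE2")
    pe.vr("B").add_route("10.1.0.0/16", "tunnel-B-to-PE2")
    pe.vr("B").add_route("10.1.5.0/24", "local")
    return {
        "A": pe.forward("A", "10.1.5.7"),  # VPN A's table: over VPN A's own tunnel
        "B": pe.forward("B", "10.1.5.7"),  # VPN B's table: locally attached site
        "C": pe.forward("C", "10.1.5.7"),  # no VR for VPN C on this PE: dropped
    }
```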
Scenario 1: VR to VR Direct Connectivity
(Figure: two PEs, each hosting VR-A, VR-B and VR-C for VPN A, B and C; each VR connects directly to its peer VR across the backbone (ATM, FR, MPLS, etc.).)
Virtual Router Backbone Aggregation
• Virtual router (called Backbone Virtual Router) for routing in the backbone used at the PE level only.
• IP or MPLS based tunnels between VRs for transport of VPN information across the backbone.
Scenario 2: VPNs with Backbone VRs
(Figure: a PE with VR-A, VR-B and VR-C in the VPN routing space and a Backbone VR in the backbone routing space; the VPN VRs reach the backbone through the Backbone VR.)
The backbone virtual router is not functionally different than other virtual routers.
Scenario 3: Combination of VR Deployment Scenarios
(Figure: on one PE, VR-A connects VPN A directly across the backbone(s), while VR-B and VR-C reach VPN B and VPN C through a Backbone VR.)
Scenario 4: Multiple Backbones
(Figure: on one PE, VR-A, VR-B and VR-C (VPN A, B, C) use Backbone VR-1 over Backbone-1, while VR-D and VR-E (VPN D, E) use Backbone VR-2 over Backbone-2.)
Scenario 5: VPNs with Backdoor Links
(Figure: two PEs, each with VR-A, VR-B and VR-C reaching Backbone-1 through Backbone VR-1; the VPN C sites are additionally joined by a backdoor link outside the provider backbone.)
Scenario 6: Outsourcing/Management of the PE
(Figure: a single PE hosting VR-A, VR-B and VR-C behind Backbone VR-1 on Backbone-1 (Service Provider-1) and VR-D and VR-E behind Backbone VR-2 on Backbone-2 (Service Provider-2).)
Scenario 7: Multi-protocol VPNs
(Figure: on one PE, VR-A serves VPN A (IPv6), VR-B serves VPN B (IPv4) and VR-C serves VPN C (IPv6), all through Backbone VR-1 over an IPv4/IPv6 Backbone-1.)
Scenario 8: Backbone Migration Example
(Figure: VR-A, VR-B and VR-C on a PE attach to Backbone VR-1 over the IPv4 backbone and to Backbone VR-2 over the MPLS backbone.)
VPN services are migrated one at a time.
Virtual Router Reachability Scheme
(Figure: Provider Edge Router 1 and Provider Edge Router 2 each host Virtual Router A, B and C; each virtual router is its own routing instance and exchanges routing updates only with its peer instance across the backbone, carrying per VPN reachability info for VPN A, B and C.)
Each routing instance is independent of the others.
Membership and Topology Determination
Different mechanisms can be used (not mutually exclusive):
• Directory server approach
• Explicit configuration
• Using a VPN auto-discovery mechanism
What can be discovered?
VPN auto-discovery can provide:
• Tunnel mechanism (optionally tunnel endpoints)
• Membership information
• Topology information
• VPN reachability information (draft RFC2547)
The virtual router architecture doesn’t require piggybacking VPN reachability information onto the backbone routing instance.
Discovering VPN Information
(Figure: Provider Edge Router (PE1) and Provider Edge Router (PE2) each host a BVR and VR-A, VR-B and VR-C for VPN A, B and C; the BVRs exchange BGP UPDATE messages across the backbone carrying VPN information (membership, etc.).)
Discovering Membership Information
(Figure: PE1 and PE2 each host a BVR and VR-A, VR-B and VR-C, identified by VPN-ID=1:1, 1:2 and 1:3; the BGP UPDATE exchanged between the BVRs carries (VPN-IDs, PE-BVR), so each PE learns which VPNs the other PE hosts.)
Discovering Tunnel Endpoints
(Figure: same PE1/PE2 layout with VPN-ID=1:1, 1:2 and 1:3; the BGP UPDATE now carries (VPN-IDs, 123.3.4.5, PE-BVR), i.e. the tunnel endpoint address, and an IPsec tunnel is established between the PEs for VPN A, B and C.)
Discovering VPN Topology Information
(Figure: same PE1/PE2 layout with VPN-ID=1:1, 1:2 and 1:3; the BGP UPDATE carries (1:1, hub, PE BVR), announcing the advertising PE's role in the VPN topology.)
BGP based Auto-Discovery Mechanism (for layer-3 VPNs)
“Using BGP as an Auto-Discovery Mechanism for Network-based VPNs”
Hamid Ould-Brahim, Bryan Gleeson, Peter Ashwood-Smith, Eric Rosen, Yakov Rekhter
draft-ouldbrahim-bgpvpn-auto-00.txt
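An added example, not part of the slides or the cited draft, showing how a PE can consume the three kinds of discovery records above (VPN-ID, tunnel endpoint, hub/spoke role) to decide which tunnels to set up: it ignores VPN-IDs it does not host and, in a hub-and-spoke topology, never builds a spoke-to-spoke tunnel. The PE names, roles and endpoints other than 123.3.4.5 are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Advertisement:
    """One record a PE's backbone VR (BVR) announces in a BGP UPDATE:
    a VPN-ID it hosts, that PE's tunnel endpoint, and its role in the VPN topology."""
    pe: str
    vpn_id: str    # e.g. "1:1"
    endpoint: str  # tunnel endpoint address of the advertising PE
    role: str      # "hub" or "spoke"
    tunnel: str = "ipsec"


def wanted_tunnels(local_pe: str, local_vpns: Dict[str, str],
                   adverts: List[Advertisement]) -> Set[Tuple[str, str, str, str]]:
    """Tunnels local_pe should set up, as (vpn_id, remote_pe, endpoint, tunnel type).
    local_vpns maps each VPN-ID this PE hosts to its own role in that VPN.
    Only hosted VPNs are considered, and a spoke never tunnels to another spoke."""
    tunnels: Set[Tuple[str, str, str, str]] = set()
    for vpn_id, my_role in local_vpns.items():
        for ad in adverts:
            if ad.pe == local_pe or ad.vpn_id != vpn_id:
                continue  # own adverts, and VPNs not hosted here, are not instantiated
            if my_role == "spoke" and ad.role == "spoke":
                continue  # hub-and-spoke topology: spokes reach each other via the hub
            tunnels.add((vpn_id, ad.pe, ad.endpoint, ad.tunnel))
    return tunnels


def demo() -> Set[Tuple[str, str, str, str]]:
    # Constructed adverts; 123.3.4.5 is the endpoint shown on the slides, the rest are made up
    adverts = [
        Advertisement("PE1", "1:1", "123.3.4.5", "hub"),
        Advertisement("PE1", "1:2", "123.3.4.5", "hub"),
        Advertisement("PE2", "1:1", "123.3.4.6", "spoke"),
        Advertisement("PE3", "1:1", "123.3.4.7", "spoke"),
        Advertisement("PE3", "1:3", "123.3.4.7", "hub"),
    ]
    # PE2 hosts VPN 1:1 and 1:2 as a spoke and does not host 1:3 at all
    return wanted_tunnels("PE2", {"1:1": "spoke", "1:2": "spoke"}, adverts)
```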
Conclusion
• Virtual Routers allow Service Providers to build differentiated network-based VPN services.
• The architecture is highly flexible and accommodates different tunneling mechanisms, and different backbone technologies.
Contacts
Hamid Ould-Brahim, Nortel Networks
P. O. Box 3511 Station C, Ottawa, ON, K1Y 4H7, Canada
Phone: +1 (613) 765 3418
[email protected]
Bryan Gleeson, Nortel Networks
2305 Mission College Blvd, Santa Clara CA 95054, USA
Phone: +1 (408) 565 [email protected]
Thank You