
Page 1: Juniper L2 MPLS VPN

Juniper Networks, Inc. Copyright © 2000 1

L2 MPLS VPNs

Hector Avalos

Technical Director-Southern Europe [email protected]

Page 2: Juniper L2 MPLS VPN


Agenda: L2 MPLS VPNs

VPNs Overview

Provider-provisioned L2 MPLS VPNs

Taxonomy

Operational Model

Conclusion

Page 3: Juniper L2 MPLS VPN


What is a VPN?

- A private network constructed over a shared infrastructure
  - Virtual: not a separate physical network
  - Private: separate addressing and routing
  - Network: a collection of devices that communicate
- Policies are key; global connectivity is not the goal

[Figure: a shared infrastructure connecting corporate headquarters, a branch office, mobile users and telecommuters (remote access), and suppliers, partners and customers (intranet and extranet)]

Page 4: Juniper L2 MPLS VPN


Deploying VPNs in the 1990s

- Operational model
  - PVCs overlay the shared infrastructure (ATM/Frame Relay)
  - Routing occurs at customer premise
- Benefits
  - Mature technologies
  - Relatively “secure”
  - Service commitments (bandwidth, availability, and more)
- Limitations
  - Scalability, provisioning and management
  - Not a fully integrated IP solution

[Figure: provider Frame Relay network of FR switches, with CPE at each end attached via DLCIs]

Page 5: Juniper L2 MPLS VPN


Traditional (Layer 2) VPNs

[Figure: traditional Layer 2 VPN; customer routers interconnected across a Frame Relay/ATM switch network]

Page 6: Juniper L2 MPLS VPN


Improving Traditional Layer 2 VPNs

- Decouple edge (customer-facing) technology from core technology
- Have a single network infrastructure for all desired services: Internet, L3 MPLS VPNs, L2 MPLS VPNs
- Simplify provisioning
  - Appropriate signaling mechanisms for VPN auto-provisioning

Page 7: Juniper L2 MPLS VPN


VPN Classification Model

- Customer-managed VPN solutions (CPE-VPNs)
  - Layer 2: L2TP and PPTP
  - Layer 3: IPSec
- Provider-provisioned VPN solutions (PP-VPNs)
  - Layer 3: MPLS-based VPNs (RFC 2547bis)
  - Layer 3: non-MPLS-based VPNs (virtual routers)
  - Layer 2: MPLS VPNs

[Figure: PP-VPN, with VPN tunnels between PE routers, and CPE-VPN, with VPN tunnels between CPE devices, each connecting subscriber sites 1, 2 and 3]

Page 8: Juniper L2 MPLS VPN


PP-VPNs: Layer 2 Classification

- Service provider delivers Layer 2 circuit IDs (DLCI, VPI/VCI, 802.1q VLAN) to the customer, one for each reachable site
- Customer maps their own routing architecture to the circuit mesh
- Provider router maps the circuit ID to a Label Switched Path (LSP) to traverse the provider core
- Customer routes are transparent to provider routers
- Provider-provisioned L2 MPLS VPN Internet drafts:
  - draft-kompella-mpls-l2vpn-02.txt
  - draft-martini-l2circuit-encap-mpls-01.txt

Page 9: Juniper L2 MPLS VPN


Agenda: L2 MPLS VPNs

Overview of VPNs

Provider-provisioned L2 MPLS VPNs

Taxonomy

Operational Model

Conclusion

Page 10: Juniper L2 MPLS VPN


Customer Edge Routers

- Customer Edge (CE) routers
  - Router or switch device located at customer premises providing access to the service provider network
  - Layer 2 (FR, ATM, Ethernet) and Layer 3 (IP, IPX, SNA …) independence of the service provider network
  - CEs within a VPN use the same L2 technology to access the service provider network
  - Requires a sub-interface per CE it needs to interconnect to within the VPN
  - Maintains routing adjacencies with other CEs within the VPN

[Figure: CE routers at VPN A and VPN B sites attached over ATM and Frame Relay to PE routers, with P routers in the core]

Page 11: Juniper L2 MPLS VPN


Provider Edge Routers

- Provider Edge (PE) routers
  - Maintain site-specific VPN Forwarding Tables
  - Exchange VPN Connection Tables with other PE routers using MP-IBGP or LDP
  - Use MPLS LSPs to forward VPN traffic

[Figure: PE routers between the ATM/Frame Relay attached CEs of VPN A and VPN B and the P routers in the core]

Page 12: Juniper L2 MPLS VPN


Provider Routers

- Provider (P) routers
  - Forward data traffic transparently over established LSPs
  - Do not maintain VPN-specific forwarding information

[Figure: P routers in the core between the PE routers serving the VPN A and VPN B sites over ATM and Frame Relay]

Page 13: Juniper L2 MPLS VPN


VPN Forwarding Tables (VFT)

- A VFT is created for each site connected to the PE
- Each VFT is populated with:
  - The forwarding information provisioned for the local CE sites
  - VPN Connection Tables received from other PEs via iBGP or LDP

[Figure: PE 1, PE 2, PE 3 and P routers running OSPF; VPN A sites 1, 2 and 3 (CE-A1, CE-A2, CE-A3) and VPN B sites 1 and 2 (CE-B1, CE-B2) attached over ATM]

Page 14: Juniper L2 MPLS VPN


VPN Connection Tables (VCT)

- The VCT is a subset of the information held by the VFT
- VCTs are distributed by the PEs via iBGP or LDP
- A VCT is distributed for each VPN site to the other PEs

[Figure: PE-1 (CE-1 and CE-2 at site 1) and PE-2 (CE-4 at site 2), each holding VFTs, exchanging VCTs over an MP-iBGP session / LDP]

Page 15: Juniper L2 MPLS VPN


L2 VPN Provisioning

Provisioning the network

Provisioning the CEs

Provisioning the VPN (PEs)

VPN Connection Table Distribution

Assumption: access technology is Frame Relay (other cases are similar)

Page 16: Juniper L2 MPLS VPN


Provisioning the Network

[Figure: PE 1, PE 2, PE 3 and P routers running OSPF, with the VPN A and VPN B sites attached over ATM; PE-to-PE LSPs cross the P routers]

- PE-to-PE LSPs pre-established via
  - RSVP-TE
  - LDP
  - LDP over RSVP-TE tunneling
- LSPs used for many services: IP, L2 VPN, L3 VPN, …
- Provisioned independent of Layer 2 VPNs

Page 17: Juniper L2 MPLS VPN


Provisioning Customer Sites

- List of DLCIs: one for each site, some spare for over-provisioning
- DLCIs independently numbered at each site
- LMI, inverse ARP and/or routing protocols for auto-discovery and learning addresses
- No changes as VPN membership changes, until over-provisioning runs out

CE-4 DLCIs: 63, 75, 82, 94

CE-4 routing table
  In        Out
  DLCI 63   10/8
  DLCI 75   20/8
  DLCI 82   30/8
  DLCI 94   -

Page 18: Juniper L2 MPLS VPN


Provisioning CEs at the PE

- A VFT is provisioned at each PE for each CE
  - VPN-ID: unique value within the service provider network
  - CE-ID: unique value in the context of a VPN
  - CE Range: maximum number of CEs that it can connect to
  - Sub-interface list: set of local sub-interface IDs assigned for the CE-PE connection

CE4 VFT
  VPN ID       RED
  CE ID        4
  CE Range     4
  Sub-int IDs  63, 75, 82, 94

Page 19: Juniper L2 MPLS VPN


Provisioning CEs at the PE

- A VFT is provisioned at each PE for each CE
  - VPN-ID: unique value within the service provider network
  - CE-ID: unique value in the context of a VPN
  - CE Range: maximum number of CEs that it can connect to
  - Sub-interface list: set of local sub-interface IDs assigned for the CE-PE connection
  - Label-base: label assigned to the first sub-interface ID
- The PE reserves N contiguous labels, where N is the CE Range

CE4 VFT (the VPN ID, CE ID, CE Range and Label Base rows form the CE4 VCT)
  VPN ID       RED
  CE ID        4
  CE Range     4
  Label Base   1000
  Sub-int IDs  63, 75, 82, 94

Page 20: Juniper L2 MPLS VPN


Provisioning CEs at the PE

PE-2 is configured with the CE4 VFT:

CE4 VFT
  VPN ID       RED
  CE ID        4
  CE Range     4
  Label base   1000
  Sub-int IDs  63    75    82    94
  Labels       1000  1001  1002  1003

  CE4's DLCI to CE0: 63; label used by CE0 to reach CE4: 1000
  CE4's DLCI to CE1: 75; label used by CE1 to reach CE4: 1001
  CE4's DLCI to CE2: 82; label used by CE2 to reach CE4: 1002
  CE4's DLCI to CE3: 94; label used by CE3 to reach CE4: 1003

[Figure: PE-1 (CE-1 and CE-2 at site 1) and PE-2 (CE-4 at site 2, Frame Relay access), each holding VFTs]

Page 21: Juniper L2 MPLS VPN


Distributing VCTs

- Key: signalling using LDP or MP-iBGP
  - Auto-discovery of members
  - Auto-assignment of inter-member circuits
  - Flexible VPN topology
- O(N) configuration for the whole VPN
  - Could be more for complex topologies
- O(1) configuration to add a site
  - “Overprovision” DLCIs (sub-interfaces) at customer sites

Page 22: Juniper L2 MPLS VPN


Distributing VCTs

PE-1 accepts PE-2’s CE4 VCT

CE4 VCT update (sent by PE-2 over the MP-iBGP session / LDP, received by PE-1)
  VPN ID      RED
  CE ID       4
  CE Range    4
  Label base  1000

Label used by CE2 to reach CE4: 1002

[Figure: PE-1 (CE-1 and CE-2 at site 1) and PE-2 (CE-4 at site 2, Frame Relay access), each holding VFTs, with the CE4 VCT update carried over the MP-iBGP session / LDP]

Page 23: Juniper L2 MPLS VPN


Updating VFTs

PE-1 updates its CE2 VFT

CE2 VFT at PE-1 (label used to reach CE4: 1002)
  CE ID  Inner label  Sub-int ID
  1                   107
  2                   209
  3                   265
  4      1002         414

[Figure: PE-1 (CE-1 and CE-2 at site 1; FR DLCI 414 on CE-2 toward CE-4) and PE-2 (CE-4 at site 2; FR DLCI 82 toward CE-2), each holding VFTs]

Page 24: Juniper L2 MPLS VPN


Updating VFTs

PE-1 updates its CE2 VFT

CE2 VFT at PE-1 (outer label 500 is the LSP to PE-2)
  CE ID  Outer label  Inner label  Sub-int ID
  1                                107
  2                                209
  3                                265
  4      500          1002         414

[Figure: PE-1 (CE-1 and CE-2 at site 1; FR DLCI 414 on CE-2 toward CE-4) and PE-2 (CE-4 at site 2; FR DLCI 82 toward CE-2), each holding VFTs]

Page 25: Juniper L2 MPLS VPN


Data Flow

The CE-2 sends packets to the PE via the DLCI which connects to CE-4 (414)

[Figure: packet leaves CE-2 toward PE-1 on DLCI 414; PE-2 reaches CE-4 on DLCI 82]

Page 26: Juniper L2 MPLS VPN


Data Flow

- The DLCI number is removed by the ingress PE
- Two labels are derived from the VFT sub-interface lookup and “pushed” onto the packet
  - Outer IGP label
    - Identifies the LSP to the egress PE router
    - Derived from the core’s IGP and distributed by RSVP or LDP
  - Inner site label
    - Identifies the outgoing sub-interface from the egress PE to the CE
    - Derived from the MP-IBGP/LDP VCT distributed by the egress PE

PE-1: 1) Lookup DLCI in Red VFT; 2) Push VPN label (1002); 3) Push IGP label (500)

[Figure: the packet leaves PE-1 carrying the site label (1002) under the IGP label (500) toward PE-2, which connects to CE-4 on DLCI 82]

Page 27: Juniper L2 MPLS VPN


Data Flow

- After packets exit the ingress PE, the outer label is used to traverse the LSP
- P routers are not VPN-aware

[Figure: sites 1 and 2 (10.1/16); the packet transits the P routers carrying the site label (1002) under the IGP label (z); CE-2 on DLCI 414, CE-4 on DLCI 82]

Page 28: Juniper L2 MPLS VPN


Data Flow

The outer label is removed through penultimate hop popping (before reaching the egress PE)

[Figure: the penultimate P router pops the top label; the packet reaches PE-2 carrying only the site label (1002); CE-2 on DLCI 414, CE-4 on DLCI 82]

Page 29: Juniper L2 MPLS VPN


Data Flow

- The inner label is removed at the egress PE
- The egress PE does a label lookup to find the corresponding DLCI value
- The native Frame Relay packet is sent to the corresponding outbound sub-interface

[Figure: PE-2 delivers the packet to CE-4 on DLCI 82]
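The provisioning, VCT distribution and data-flow steps of pages 18 to 29, modelled end to end as an added example (this is not Juniper code or configuration). It uses the label-block rule the CE4 table on page 20 shows: the inner label a remote CE uses to reach a site is that site's advertised label base plus the remote CE-ID, so CE2 reaches CE4 with 1000 + 2 = 1002. The RED VPN, CE4's VFT (range 4, base 1000, DLCIs 63/75/82/94), CE2's DLCIs (107/209/265/414) and the outer label 500 come from the slides; CE2's label base (2000), its CE range (5) and the PE-2 to PE-1 LSP label (600) are assumptions. The egress check that refuses a label outside the reserved block, and the import check that skips a site the local CE range cannot hold, are added to show where a PE should fail closed rather than mis-deliver a frame.

```python
"""Model of the L2 MPLS VPN provisioning and data-flow walk-through (added example,
not Juniper code). RED VPN, CE4 and CE2 values come from the slides; CE2's label
base/range and the PE-2 -> PE-1 LSP label are assumptions."""
from dataclasses import dataclass, field


@dataclass
class VFT:
    """VPN Forwarding Table provisioned at a PE for one locally attached CE."""
    vpn_id: str
    ce_id: int
    ce_range: int      # this site can hold a circuit to remote CE-IDs 0 .. ce_range-1
    label_base: int    # the PE reserves ce_range contiguous labels starting here
    sub_ints: dict     # remote CE-ID -> local sub-interface (DLCI) toward that CE
    remote: dict = field(default_factory=dict)   # remote CE-ID -> (outer, inner)

    def vct(self):
        """The VCT is the part of the VFT advertised via MP-iBGP/LDP: no local DLCIs."""
        return {"vpn_id": self.vpn_id, "ce_id": self.ce_id,
                "ce_range": self.ce_range, "label_base": self.label_base}

    def sub_int_for_label(self, inner):
        """Egress lookup: inner label -> outbound DLCI. A label outside the reserved
        block, or one with no provisioned DLCI, is rejected instead of being mapped
        onto a neighbouring site's circuit."""
        idx = inner - self.label_base
        if not 0 <= idx < self.ce_range or idx not in self.sub_ints:
            raise ValueError(f"label {inner} is not valid for CE{self.ce_id}")
        return self.sub_ints[idx]


class PE:
    def __init__(self, name, lsps):
        self.name = name
        self.lsps = lsps     # remote PE name -> outer (IGP) label of the pre-established LSP
        self.vfts = {}       # local CE-ID -> VFT

    def provision(self, vft):
        self.vfts[vft.ce_id] = vft

    def advertise(self):
        """One VCT per local site, sent to every other PE."""
        return [(self.name, v.vct()) for v in self.vfts.values()]

    def import_vct(self, from_pe, vct):
        """Update every local VFT in the same VPN: inner = remote label base + local
        CE-ID, outer = LSP to the advertising PE. Returns the local CE-IDs connected."""
        connected = []
        for vft in self.vfts.values():
            if vft.vpn_id != vct["vpn_id"] or vft.ce_id == vct["ce_id"]:
                continue
            if vft.ce_id >= vct["ce_range"]:        # remote site reserved no label for us
                continue
            if vct["ce_id"] not in vft.sub_ints:    # no spare local DLCI for that site
                continue
            vft.remote[vct["ce_id"]] = (self.lsps[from_pe], vct["label_base"] + vft.ce_id)
            connected.append(vft.ce_id)
        return connected

    def ingress(self, dlci, payload):
        """Frame from a local CE: strip the DLCI, push the site label, then the IGP label."""
        for vft in self.vfts.values():
            for remote_ce, local_dlci in vft.sub_ints.items():
                if local_dlci == dlci and remote_ce in vft.remote:
                    outer, inner = vft.remote[remote_ce]
                    return [outer, inner, payload]          # label stack, top first
        raise LookupError(f"DLCI {dlci} has no VPN mapping on {self.name}")

    def egress(self, packet):
        """Packet arriving after penultimate hop popping: [inner, payload]."""
        inner, payload = packet
        for vft in self.vfts.values():
            if vft.label_base <= inner < vft.label_base + vft.ce_range:
                return vft.sub_int_for_label(inner), payload
        raise LookupError(f"label {inner} is not owned by {self.name}")


def penultimate_hop_pop(packet):
    """P routers forward on the outer label only; the penultimate hop pops it."""
    return packet[1:]


def walk_through():
    pe1 = PE("PE-1", lsps={"PE-2": 500})   # 500: the LSP to PE-2 (page 24)
    pe2 = PE("PE-2", lsps={"PE-1": 600})   # 600: assumed label for the reverse LSP
    # Pages 18-20: CE4 VFT at PE-2 (RED, CE-ID 4, range 4, base 1000, DLCIs 63/75/82/94)
    pe2.provision(VFT("RED", 4, 4, 1000, {0: 63, 1: 75, 2: 82, 3: 94}))
    # CE2 VFT at PE-1: DLCI 414 toward CE4 (page 23); base 2000 and range 5 are assumed
    pe1.provision(VFT("RED", 2, 5, 2000, {1: 107, 2: 209, 3: 265, 4: 414}))
    # Pages 22-24: VCT exchange in both directions over MP-iBGP/LDP
    for origin, vct in pe2.advertise():
        pe1.import_vct(origin, vct)
    for origin, vct in pe1.advertise():
        pe2.import_vct(origin, vct)
    # Pages 25-29: CE2 sends on DLCI 414; PE-1 pushes [500, 1002]; PHP; PE-2 pops 1002
    stack = pe1.ingress(414, "frame")
    out_dlci, _ = pe2.egress(penultimate_hop_pop(stack))
    return stack, out_dlci


if __name__ == "__main__":
    print(walk_through())   # ([500, 1002, 'frame'], 82)
```

Running `walk_through()` reproduces the slides' numbers: PE-1 emits the stack [500, 1002] for a frame received on DLCI 414, and PE-2 maps the surviving label 1002 to DLCI 82. The same `import_vct` also reproduces the "until over-provisioning runs out" caveat of page 17: a site whose CE-ID lies beyond a remote site's CE range, or for which no spare local DLCI exists, is simply not connected, and no label is guessed for it.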

Page 30: Juniper L2 MPLS VPN


VPN Topologies

Arbitrary topologies are possible: full mesh, hub-and-spoke

BGP communities are used to configure VPN topologies when using BGP signaling

“Connectivity” parameter serves similar purpose in LDP signaling
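How a BGP-community policy turns the all-to-all VCT distribution into a hub-and-spoke topology, as an added example that is not from the slides or from any Juniper configuration. Each site's VCT is tagged with a community describing the site's role, and a PE's import policy installs only the VCTs the local site is allowed to reach; the community values and the four-site VPN are constructed. The point for a reviewer is that the topology is enforced at import time on the PE, so a spoke never holds a circuit (or a label) toward another spoke at all.

```python
"""Added example (not from the slides): hub-and-spoke L2 VPN topology enforced by
filtering VCTs on a BGP community at import time. Community values are constructed."""

HUB_COMMUNITY = "65000:100"      # constructed values; any two distinct communities work
SPOKE_COMMUNITY = "65000:200"


def import_filter(local_role, advertised_vcts):
    """Return the remote CE-IDs whose VCTs a PE installs for a local site of the
    given role. A hub installs every VCT; a spoke installs only hub VCTs, so no
    spoke-to-spoke circuit exists and spoke traffic can only transit the hub."""
    accepted = []
    for vct in advertised_vcts:
        if local_role == HUB_COMMUNITY or HUB_COMMUNITY in vct["communities"]:
            accepted.append(vct["ce_id"])
    return sorted(accepted)


def build_topology(sites):
    """sites: {ce_id: role community}. Returns, per site, the remote CE-IDs it will
    have a circuit to once every PE has applied the import policy."""
    topology = {}
    for ce_id, role in sites.items():
        others = [{"ce_id": r, "communities": [sites[r]]} for r in sites if r != ce_id]
        topology[ce_id] = import_filter(role, others)
    return topology


# Constructed VPN: CE1 is the hub, CE2 to CE4 are spokes.
HUB_AND_SPOKE = {1: HUB_COMMUNITY, 2: SPOKE_COMMUNITY, 3: SPOKE_COMMUNITY, 4: SPOKE_COMMUNITY}
# Tagging every site as a hub gives back the default full mesh.
FULL_MESH = {ce: HUB_COMMUNITY for ce in HUB_AND_SPOKE}

if __name__ == "__main__":
    for ce, peers in build_topology(HUB_AND_SPOKE).items():
        print(f"CE{ce} has circuits to: {peers}")
```

With `HUB_AND_SPOKE`, CE1 ends up with circuits to CE2, CE3 and CE4 while each spoke has a single circuit to CE1; with `FULL_MESH`, every site sees every other site, which is the O(N) default the previous pages describe.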

Page 31: Juniper L2 MPLS VPN


Conclusions

Page 32: Juniper L2 MPLS VPN


A Range of VPN Solutions

- Each customer has different
  - Security requirements
  - Staff expertise
  - Tolerance for outsourcing
- Customer networks vary by size and traffic volume
- Providers also have different preferences concerning
  - Extensive policy management
  - Inclusion of customer routes in backbone routers
  - Approaches to managed service

Page 33: Juniper L2 MPLS VPN


MPLS-Based Layer 2 VPNs

- MPLS-based Layer 2 VPNs are identical to Layer 2 VPNs from the customers’ perspective
  - Familiar paradigm
  - Layer 3 independent
  - Provider not responsible for routing
  - No hacks for OSPF
  - Rely on SP only for connectivity
- MPLS transport in provider network
  - Decouples edge and core Layer 2 technologies
  - Multiple services over single infrastructure
  - Single network architecture for both Internet and VPN services
- Label stacking
  - Provision once, and use the same LSP for multiple purposes
- Auto-provisioning VPN

Page 34: Juniper L2 MPLS VPN


MPLS-based Layer 2 VPNs: Advantages

- Subscriber
  - Outsourced WAN infrastructure
  - Easy migration from existing Layer 2 fabric
  - Can maintain routing control, or opt for managed service
  - Supports any Layer 3 protocol
  - Supports multicast
- Provider
  - Complements RFC 2547bis: operates over the same core, using the same outer LSP
  - Existing Frame Relay and ATM VPNs can be collapsed onto a single IP/MPLS infrastructure
  - Label stacking allows multiple services over a single LSP
  - No scalability problems associated with storing numerous customer VPN routes
  - Simpler than the extensive policy-based configuration used with 2547

Page 35: Juniper L2 MPLS VPN


MPLS-based Layer 2 VPNs: Disadvantages

Circuit type (ATM/FR) to each VPN site must be uniform

Managed network service required for provider revenue opportunity

Customer must have routing expertise (or opt for managed service)

Page 36: Juniper L2 MPLS VPN


Layer 2 MPLS-based VPNs Application

- Customer profile
  - High degree of IP expertise
  - Desire to control their own routing infrastructure
  - Prefer to outsource tunneling
  - Large number of users and sites
- Provider profile
  - MPLS deployed in the core
  - Migrating an existing ATM or Frame Relay network
  - Offers CPE managed service, or
  - Provisions only the layer 2 circuits at a premium cost

Layer 2 MPLS-based VPNs are ideal for this customer profile

Page 37: Juniper L2 MPLS VPN


http://www.juniper.net

Thank you!