© 2006 Cisco Systems, Inc. All rights reserved. ISCW v1.0 3-1 Implementation of Frame Mode MPLS: MPLS VPN Technology.

Transcript:

Implementation of Frame Mode MPLS: MPLS VPN Technology

Defining MPLS VPN

VPN Taxonomy

VPN Models
VPN services can be offered based on two major models:
–Overlay VPNs, in which the service provider provides virtual point-to-point links between customer sites
–Peer-to-peer VPNs, in which the service provider participates in the customer routing

Overlay VPNs: Frame Relay Example

Overlay VPNs: Layer 3 Routing
–The service provider infrastructure appears as point-to-point links to the customer routers.
–Routing protocols run directly between customer routers.
–The service provider does not see customer routes and is responsible only for providing point-to-point transport of customer data.

Peer-to-Peer VPNs

Benefits of VPN Implementations
Overlay VPN:
–Well-known and easy to implement
–Service provider does not participate in customer routing
–Customer network and service provider network are well isolated
Peer-to-peer VPN:
–Guarantees optimum routing between customer sites
–Easier to provision an additional VPN
–Only sites are provisioned, not links between them

Drawbacks of VPN Implementations
Overlay VPN:
–Implementing optimum routing requires a full mesh of VCs.
–VCs have to be provisioned manually.
–Bandwidth must be provisioned on a site-to-site basis.
–Overlay VPNs built on IP tunnels (IPsec or GRE) incur encapsulation overhead on every packet.
Peer-to-peer VPN:
–The service provider participates in customer routing.
–The service provider becomes responsible for customer convergence.
–PE routers carry all routes from all customers.
–The service provider needs detailed IP routing knowledge.

Drawbacks of Peer-to-Peer VPNs
Shared PE router:
–All customers share the same (provider-assigned or public) address space.
–Separation between customers depends entirely on packet filters on the PE router, which are costly to maintain.
–Performance is lower: each packet has to pass a packet filter.
Dedicated PE router:
–All customers still share the same address space.
–Each customer requires a dedicated router at each POP.

MPLS VPN Architecture

MPLS VPN Architecture
An MPLS VPN combines the best features of an overlay VPN and a peer-to-peer VPN:
–PE routers participate in customer routing, guaranteeing optimum routing between sites and easy provisioning.
–PE routers carry a separate set of routes for each customer (similar to the dedicated PE router approach), so no per-customer packet filters are needed on the PE.
–Customers can use overlapping addresses.
Note that the isolation between customers comes from the separate per-customer routing tables and label-based forwarding, not from encryption: VPN traffic crosses the provider core in the clear unless the customer adds IPsec on top.

MPLS VPN Architecture: Terminology

PE Router Architecture

Propagation of Routing Information Across the P-Network

Propagation of Routing Information Across the P-Network
–The number of customer routes can be very large; BGP is the only routing protocol that can scale to such a number.
–BGP is used to exchange customer routes directly between PE routers.

Route Distinguishers
Question: How will information about the overlapping subnetworks of two customers be propagated via a single routing protocol?
Answer: Extend the customer addresses to make them unique.
–The 64-bit RD is prepended to the 32-bit IPv4 address to make it globally unique. The resulting 96-bit address is a VPNv4 address.
–VPNv4 addresses are exchanged between PE routers via BGP.
–BGP that supports address families other than IPv4 unicast is called multiprotocol BGP (MP-BGP).

Route Distinguishers (Cont.)

Usage of RDs in an MPLS VPN
–The RD has no special meaning: it carries no information about VPN membership.
–The RD is used only to make potentially overlapping IPv4 addresses globally unique.
–A design based on RDs alone cannot support all topologies required by the customer.
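To make the RD and VPNv4 address concrete, here is an added example (not from the Cisco slides) that encodes the three RD types defined in RFC 4364, forms the 96-bit VPNv4 address, and builds and parses the labeled VPNv4 NLRI that MP-BGP carries (RFC 8277 layout). The RD values, prefixes and the VPN label are assumptions chosen for illustration; the two customers deliberately announce the same 10.1.1.0/24 so that only the RD keeps their routes apart.

```python
"""RD encoding and VPNv4 NLRI construction, as an added example (not from the Cisco slides).

Layouts follow RFC 4364 (RD, VPNv4 address) and RFC 8277 (labeled NLRI). The RD values,
prefixes and the VPN label used below are constructed for illustration.
"""
import ipaddress
import struct


def encode_rd(rd: str) -> bytes:
    """Encode 'ASN:nn' (type 0), 'A.B.C.D:nn' (type 1) or '4-byte-ASN:nn' (type 2) as 8 bytes.

    Like IOS, an administrator field above 65535 is taken to be a 4-byte AS (type 2).
    """
    admin, _, assigned = rd.partition(":")
    assigned = int(assigned)
    if "." in admin:                                   # type 1: IPv4 address + 2-byte number
        return struct.pack("!HIH", 1, int(ipaddress.IPv4Address(admin)), assigned)
    asn = int(admin)
    if asn > 0xFFFF:                                   # type 2: 4-byte ASN + 2-byte number
        return struct.pack("!HIH", 2, asn, assigned)
    return struct.pack("!HHI", 0, asn, assigned)       # type 0: 2-byte ASN + 4-byte number


def decode_rd(raw: bytes) -> str:
    """Inverse of encode_rd; rejects unknown RD types."""
    rd_type = struct.unpack("!H", raw[:2])[0]
    if rd_type == 0:
        asn, num = struct.unpack("!HI", raw[2:8])
        return f"{asn}:{num}"
    if rd_type == 1:
        ip, num = struct.unpack("!IH", raw[2:8])
        return f"{ipaddress.IPv4Address(ip)}:{num}"
    if rd_type == 2:
        asn, num = struct.unpack("!IH", raw[2:8])
        return f"{asn}:{num}"
    raise ValueError(f"unknown RD type {rd_type}")


def vpnv4_address(rd: str, prefix: str) -> str:
    """The 96-bit VPNv4 address: RD prepended to the IPv4 prefix, shown as RD:prefix."""
    net = ipaddress.IPv4Network(prefix)
    return f"{decode_rd(encode_rd(rd))}:{net}"


def encode_vpnv4_nlri(rd: str, prefix: str, label: int) -> bytes:
    """Labeled VPNv4 NLRI as carried in MP_REACH_NLRI (AFI 1, SAFI 128).

    Layout: length in bits (1 byte) | label (3 bytes, bottom-of-stack bit set) | RD (8 bytes)
            | prefix, truncated to whole bytes.  The length counts label + RD + prefix bits.
    """
    net = ipaddress.IPv4Network(prefix)
    if not 0 <= label < (1 << 20):
        raise ValueError("MPLS label must fit in 20 bits")
    label_field = (label << 4) | 1                     # 20-bit label, TC = 0, S = 1
    prefix_bytes = net.network_address.packed[: (net.prefixlen + 7) // 8]
    length_bits = 24 + 64 + net.prefixlen
    return bytes([length_bits]) + label_field.to_bytes(3, "big") + encode_rd(rd) + prefix_bytes


def decode_vpnv4_nlri(raw: bytes):
    """Parse one labeled VPNv4 NLRI back into (rd, prefix, label)."""
    length_bits = raw[0]
    label = int.from_bytes(raw[1:4], "big") >> 4
    rd = decode_rd(raw[4:12])
    plen = length_bits - 24 - 64
    if not 0 <= plen <= 32:
        raise ValueError("bad NLRI length")
    nbytes = (plen + 7) // 8
    addr = ipaddress.IPv4Address(raw[12:12 + nbytes].ljust(4, b"\x00"))
    return rd, f"{addr}/{plen}", label


if __name__ == "__main__":
    # Two customers announce the same subnet; distinct RDs make the VPNv4 routes distinct.
    for rd in ("65000:1", "65000:2"):
        nlri = encode_vpnv4_nlri(rd, "10.1.1.0/24", 24)
        print(vpnv4_address(rd, "10.1.1.0/24"), nlri.hex(), decode_vpnv4_nlri(nlri))
```

The NLRI parser validates the length field before slicing; a PE that trusts the length byte from a peer without that check reads past the update, which is why a receiving BGP speaker must treat peer-supplied lengths as untrusted input.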

VoIP Service Example
Requirements:
–All sites of one customer need to communicate.
–Central sites of both customers need to communicate with VoIP gateways and other central sites.
–Other sites from different customers do not communicate with each other.

VoIP Service Example: Connectivity Requirements

Route Targets
–Some sites have to participate in more than one VPN.
–The RD cannot identify participation in more than one VPN.
–RTs were introduced in the MPLS VPN architecture to support complex VPN topologies.
–RTs are additional attributes (BGP extended communities) attached to VPNv4 BGP routes to indicate VPN membership.

How Do RTs Work?
Export RTs:
–Identify VPN membership
–Are appended to the customer route when it is converted into a VPNv4 route
Import RTs:
–Are associated with each virtual routing table (VRF)
–Select the routes that are inserted into the virtual routing table
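The following is an added example, not part of the Cisco material, that simulates the export/import selection just described and applies it to the VoIP service example from the earlier slide. VRF names, RDs, RT values and prefixes are assumptions; the logic (a VPNv4 route enters a VRF when any of its RTs matches one of the VRF's import RTs) is what a PE does with the Route Target extended communities of received VPNv4 routes.

```python
"""Route-target export/import on a PE, applied to the VoIP service example.

Added example, not from the Cisco slides. VRF names, RDs, RT values and prefixes are
constructed. A real PE performs the same selection on the Route Target extended
communities of received VPNv4 routes; the equivalent IOS VRF definition for the
customer A central site would be:
    ip vrf A_central
     rd 65000:10
     route-target export 65000:1
     route-target export 65000:100
     route-target import 65000:1
     route-target import 65000:100
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Vpnv4Route:
    rd: str
    prefix: str
    rts: frozenset          # export RTs attached by the originating PE


@dataclass
class Vrf:
    name: str
    rd: str
    export_rts: frozenset
    import_rts: frozenset
    local_routes: set = field(default_factory=set)   # IPv4 routes learned from the CE


def export_routes(vrf):
    """CE-learned routes become VPNv4 routes: RD prepended, export RTs attached."""
    return {Vpnv4Route(vrf.rd, p, vrf.export_rts) for p in vrf.local_routes}


def import_routes(vrf, vpnv4_table):
    """A VPNv4 route enters the VRF if any of its RTs matches one of the VRF's import RTs."""
    return {r.prefix for r in vpnv4_table if r.rts & vrf.import_rts}


def build_tables(vrfs):
    """Every VRF exports into the common VPNv4 table; each VRF then imports from it."""
    vpnv4_table = set().union(*(export_routes(v) for v in vrfs))
    return {v.name: v.local_routes | import_routes(v, vpnv4_table) for v in vrfs}


RT_A, RT_B, RT_VOIP = "65000:1", "65000:2", "65000:100"


def voip_example():
    """Sites of customers A and B; central sites also join the shared VoIP VPN via RT_VOIP.

    The two remote sites deliberately use the same 10.1.1.0/24: their RDs keep the VPNv4
    routes distinct, and no VRF imports both, so the overlap is never a conflict.
    Central sites and the gateway must not overlap, since the VoIP VRF imports all of them.
    """
    vrfs = [
        Vrf("A_central", "65000:10", frozenset({RT_A, RT_VOIP}), frozenset({RT_A, RT_VOIP}), {"172.16.1.0/24"}),
        Vrf("A_site1",   "65000:11", frozenset({RT_A}),          frozenset({RT_A}),          {"10.1.1.0/24"}),
        Vrf("B_central", "65000:20", frozenset({RT_B, RT_VOIP}), frozenset({RT_B, RT_VOIP}), {"172.16.2.0/24"}),
        Vrf("B_site1",   "65000:21", frozenset({RT_B}),          frozenset({RT_B}),          {"10.1.1.0/24"}),
        Vrf("VoIP_GW",   "65000:100", frozenset({RT_VOIP}),      frozenset({RT_VOIP}),       {"192.0.2.0/24"}),
    ]
    return build_tables(vrfs)


if __name__ == "__main__":
    for name, table in voip_example().items():
        print(f"{name:10} {sorted(table)}")
```

The security point the simulation makes visible: VPN membership is decided purely by which RTs a VRF is configured to import, so an extra `route-target import` line on one VRF silently merges two customers' routing tables. RT configuration on PE routers therefore deserves the same change control and review as a firewall policy.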

End-to-End Routing Information Flow

MPLS VPN Routing Requirements
–CE routers have to run standard IP routing software.
–PE routers have to support MPLS VPN services and Internet routing.
–P routers have no VPN routes.

MPLS VPN Routing: CE Router Perspective
–The CE routers run standard IP routing software and exchange routing updates with the PE router.
–The PE router appears as another router in the C-network.

PE-CE Routing Protocols
–PE-CE routing protocols are configured for individual VRFs.
–Supported protocols include BGP, OSPF, static, RIP, and EIGRP.
–Routing configuration on the CE router has no VRF information.

MPLS VPN Routing: Overall Customer Perspective
–To the customer, the PE routers appear as core routers connected via a BGP backbone.
–The usual BGP and IGP design rules apply.
–The P routers are hidden from the customer.

MPLS VPN Routing: P Router Perspective
P routers perform as follows:
–Do not participate in MPLS VPN routing and do not carry VPN routes.
–Run the backbone IGP with the PE routers and exchange information about global subnetworks (core links and loopbacks).

MPLS VPN Routing: PE Router Perspective
PE routers exchange the following:
–VPN routes with CE routers via per-VPN routing protocols
–Core routes with P routers and PE routers via the core IGP
–VPNv4 routes with other PE routers via MP-BGP sessions

End-to-End Routing Information Flow

MPLS VPNs and Packet Forwarding
The PE routers label the VPN packets with a label stack, as follows:
–The LDP label for the egress PE router is the top label.
–The VPN label assigned by the egress PE router is the second label in the stack.

VPN PHP
–PHP on the LDP label can be performed on the last P router.
–The egress PE router then performs a label lookup only on the VPN label, resulting in a faster and simpler lookup.
–IP lookup is performed only once, in the ingress PE router. (This holds for per-prefix VPN labels; an aggregate or per-VRF label forces a second IP lookup in the VRF at the egress PE.)
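As an added example (not from the slides) covering both the label-stack construction above and the PHP behaviour, the Python below encodes the two-entry label stack the ingress PE pushes, walks the packet through two P routers with the second one performing penultimate hop popping, and shows the egress PE resolving only the VPN label. Router names, label values, the VRF prefix and the IP packet are assumptions; the label-entry layout is the RFC 3032 one.

```python
"""VPN label stack and hop-by-hop processing with PHP, as an added example (not from the slides).

Label entry layout follows RFC 3032 (20-bit label, 3-bit TC, 1-bit bottom of stack, 8-bit TTL).
Router names, label values, the VRF prefix and the IP packet are constructed for illustration;
TTL propagation between the two labels is not modelled, and the VRF FIB lookup is keyed by the
prefix string rather than by longest match.
"""

IMPLICIT_NULL = 3   # LDP implicit-null: the upstream router pops instead of swapping (PHP)


def encode_label(label, bos, ttl=255, tc=0):
    return ((label << 12) | (tc << 9) | (bos << 8) | ttl).to_bytes(4, "big")


def decode_label(entry):
    v = int.from_bytes(entry, "big")
    return {"label": v >> 12, "tc": (v >> 9) & 7, "bos": (v >> 8) & 1, "ttl": v & 0xFF}


def parse_stack(pkt):
    """Split a packet into its label entries (top first) and the IP payload below them."""
    stack, i = [], 0
    while True:
        entry = decode_label(pkt[i:i + 4])
        stack.append(entry)
        i += 4
        if entry["bos"]:
            return stack, pkt[i:]


def rebuild(stack, payload):
    return b"".join(encode_label(e["label"], e["bos"], e["ttl"], e["tc"]) for e in stack) + payload


def ingress_pe(ip_packet, vrf_fib, ldp_lib, dst):
    """The only IP lookup on the path: the VRF FIB yields the VPN label (learned from the
    egress PE via MP-BGP) and the egress PE; the LDP LIB yields the top label toward it."""
    vpn_label, egress = vrf_fib[dst]
    return encode_label(ldp_lib[egress], bos=0) + encode_label(vpn_label, bos=1) + ip_packet


def p_router(pkt, lfib):
    """Top-label lookup only: the VPN label and the IP header are never examined."""
    stack, payload = parse_stack(pkt)
    top = stack[0]
    out = lfib[top["label"]]
    if out == IMPLICIT_NULL:                 # penultimate hop: pop the LDP label
        return rebuild(stack[1:], payload)
    top["label"], top["ttl"] = out, top["ttl"] - 1
    return rebuild(stack, payload)


def egress_pe(pkt, vpn_lfib):
    """After PHP the egress PE sees only the VPN label; one lookup gives the VRF interface."""
    stack, payload = parse_stack(pkt)
    if len(stack) != 1 or not stack[0]["bos"]:
        raise ValueError("expected exactly the VPN label at the bottom of the stack")
    return vpn_lfib[stack[0]["label"]], payload


def demo():
    """PE1 -> P1 -> P2 (penultimate) -> PE2 for a packet to 10.1.1.0/24 in VRF A."""
    ip_packet = b"\x45" + bytes(19)                       # constructed stand-in for an IPv4 packet
    pkt = ingress_pe(ip_packet, {"10.1.1.0/24": (24, "PE2")}, {"PE2": 18}, "10.1.1.0/24")
    hops = [[e["label"] for e in parse_stack(pkt)[0]]]   # [18, 24] leaving PE1
    pkt = p_router(pkt, {18: 21})                         # P1 swaps 18 -> 21
    hops.append([e["label"] for e in parse_stack(pkt)[0]])
    pkt = p_router(pkt, {21: IMPLICIT_NULL})              # P2 pops (PHP): only [24] remains
    hops.append([e["label"] for e in parse_stack(pkt)[0]])
    vrf_if, payload = egress_pe(pkt, {24: "VRF_A:Gi0/1"})
    return hops, vrf_if, payload


if __name__ == "__main__":
    print(demo())
```

The trace shows why the VPN label is the trust boundary: P routers never inspect it, and the egress PE maps it straight to a VRF interface. That is also why a PE must not accept labeled packets from customer-facing (CE) interfaces, since a spoofed VPN label arriving from outside the core would be forwarded into whichever VRF it names.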

Summary
–There are two major VPN paradigms: overlay VPN and peer-to-peer VPN.
–MPLS VPN architecture combines the best features of the overlay and peer-to-peer VPN models.
–BGP is used to exchange customer routes between PE routers.
–Routes are transported using the IGP (internal core routes), BGP IPv4 (core Internet routes), and BGP VPNv4 (PE-to-PE VPN routes).
–PE routers forward packets across the MPLS VPN backbone using label stacking.
