L3VPN Training Course
Valerio Martini
This tutorial is licensed under the Creative Commons creativecommons.org/licenses/by-nc-sa/3.0/ http://www.ist-nobel.org/Nobel2/servlet/Nobel2.Main
Summary
- What is a VPN?
- MPLS VPN (RFC4364): a choice
- Private instances of routing (VRF tables)
- Multi Protocol BGP
- A MPLS tunnel
- A quick view on:
  - VPN Multi Domain
  - VPN QoS and Scalability
What is a VPN?
A Virtual Private Network (VPN) is a private data network that makes use of the public telecommunication infrastructure, maintaining privacy and reservation through the use of tunneling protocols.
- Layer 3 VPNs (L3VPN) are based on IP/MPLS networks (cf. RFC4364, BGP/MPLS IP VPN).
- L3 VPN connectivity is provided across Service Provider networks.
- L3 VPNs are based on the IP address scheme; the virtual connectivity relies on an ad hoc forwarding table called a VRF (VPN Routing and Forwarding table).
- Backbone routers (P routers) are unaware of the tunnels and of the VRF tables, but are aware of the tunneling protocols.
- Service Provider edge routers (PE routers) are outsourced to the corporate network WANs (sites) to establish the L3 VPN.
VPN Terminology
- P: Provider Router (backbone)
- PE: Provider Edge Router
- CE: Customer Edge Router
[Figure: sites of VPN 1, VPN 2 and VPN 3 attached to PE routers over FE and GE links, with P routers in the backbone]
VPN Terminology
The WAN of a corporate network (Site) consists of network systems placed in geographic proximity.
Backbone: BGP - IP/MPLS - OSPF/(RSVP)
[Figure: same topology, with the backbone labelled "BGP - IP/MPLS - OSPF/(RSVP)"]
VPN Terminology
- End System
- Attachment Circuit: usually considered a Data Link, e.g., a Fast Ethernet (FE) or Gigabit Ethernet (GE) link.
[Figure: same topology, with the end systems and the FE/GE attachment circuits highlighted]
VPN Taxonomy
A brief classification:
Type of customer-side virtual tunnel:
- Layer 2 VPNs provide Layer 2 connectivity, e.g., native Ethernet LAN.
- Layer 3 VPNs provide Layer 3 connectivity, e.g., based on an access IP router.
Type of endpoint (location) of the tunnel: CE-based vs PE-based.
PE-based:
- Network providers are responsible for VPN configuration and maintenance.
- The Service Provider is responsible for all domain endpoints and must be able to configure all Edge Routers, maintain the routers, provide advanced services, and operate point-to-point security (IPsec, PE-based).
- For example, L3 VPN belongs natively to this category: the customer network is completely VPN unaware.
Service providers that offer Layer 3 VPN services can take advantage of new, advanced features.
L3 VPN services allow businesses to outsource their current network core using a private IP-based service offering from an SP. The most common deployment is an any-to-any topology where any customer device can connect directly to the L3 VPN. Enterprise traffic entering the SP domain is then routed based on the information in the VRF table and encapsulated with MPLS labels to ensure proper tunneling and de-multiplexing through the core.
The three main steps for the establishment of a VPN over an IP/MPLS backbone:
1. Routing instance configuration (VRF tables and policy)
2. BGP-MP (MultiProtocol BGP) configuration (it carries the VRF tables among the PEs)
3. MPLS configuration
[Figure: VPN 1, VPN 2 and VPN 3 sites with CE routers on FE links (one site behind a firewall), connected to PE routers across a backbone running MPLS, OSPF, RSVP and BGP-MP; the enterprise side holds the CE routing tables (OSPF domain)]
There are three methods to populate the VRF: statically (by manual configuration), or via RIP, OSPF, or BGP.
[Figure: an IP packet from the Customer Network enters the PE router, which (1) identifies the VPN using the VRF tables, composes the labeled frame and (5) sends it out across the backbone to the far VPN site]
The Route Target is used to distinguish different VRF tables.
The PE router composes the labeled frame:
  Label MPLS | Label VPN | IP pkt
The core routers are completely UNAWARE of the VPN label (VPN-TAG).
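As an added illustration (not code from this tutorial or from any router vendor), the following Python builds the two-label frame [MPLS label][VPN label][IP pkt] described above using the RFC 3032 label stack entry layout, and walks it through an ingress PE, a P router and an egress PE to show that the core swaps only the top label. The label values, VRF names and payload are constructed, and the function names are my own.

```python
"""Two-label MPLS frame [MPLS label][VPN label][IP pkt] from the slide above.
Label stack entry per RFC 3032: 20-bit label, 3-bit TC, 1-bit bottom-of-stack
(S), 8-bit TTL. Constructed example, not router code; values are made up."""
import struct

def label_entry(label: int, ttl: int, bottom: bool, tc: int = 0) -> bytes:
    """Encode one 4-byte label stack entry."""
    if not 0 <= label < 2**20:
        raise ValueError("label must fit in 20 bits")
    return struct.pack("!I", (label << 12) | (tc << 9) | (int(bottom) << 8) | ttl)

def parse_entry(entry: bytes) -> tuple:
    """Return (label, tc, bottom_of_stack, ttl) for the first 4 bytes."""
    w = struct.unpack("!I", entry[:4])[0]
    return w >> 12, (w >> 9) & 7, bool((w >> 8) & 1), w & 0xFF

def ingress_pe(lsp_label: int, vpn_label: int, ip_pkt: bytes) -> bytes:
    """Push the VPN label (bottom of stack) and the LSP label on top (step 5)."""
    return label_entry(lsp_label, 64, False) + label_entry(vpn_label, 64, True) + ip_pkt

def core_router(frame: bytes, swap: dict) -> bytes:
    """A P router only swaps the top label and decrements its TTL; the VPN
    label and the customer IP packet below it are never inspected."""
    label, tc, bottom, ttl = parse_entry(frame)
    if bottom:
        raise ValueError("core expected a transport label on top")
    return label_entry(swap[label], ttl - 1, False, tc) + frame[4:]

def egress_pe(frame: bytes, vrf_by_label: dict) -> tuple:
    """Pop the transport label (unless the penultimate hop already did) and
    pick the VRF from the bottom-of-stack VPN label (step 1 on the far PE)."""
    if not parse_entry(frame)[2]:
        frame = frame[4:]
    vpn_label, _, bottom, _ = parse_entry(frame)
    if not bottom:
        raise ValueError("VPN label must be bottom of stack")
    return vrf_by_label[vpn_label], frame[4:]

# Constructed forwarding state: the core swaps LSP label 1001 -> 1002,
# VPN label 3001 selects vpn-ABC on the egress PE.
CORE_SWAP = {1001: 1002}
VRF_BY_LABEL = {3001: "vpn-ABC", 3002: "vpn-XYZ"}
IP_PKT = b"constructed customer IPv4 packet"

def forward(ip_pkt: bytes = IP_PKT) -> tuple:
    """Ingress PE -> P router -> egress PE; returns (VRF name, IP packet)."""
    frame = ingress_pe(1001, 3001, ip_pkt)
    frame = core_router(frame, CORE_SWAP)
    return egress_pe(frame, VRF_BY_LABEL)
```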
Routers PE Configuration
  <routing-instances>
    <instance>
      <name>vpn-ABC</name>
      <instance-type>VRF</instance-type>
      <interface>fe-0/3/1.0</interface>
      <route-distinguisher>2.2.2.2:RD</route-distinguisher>
    </instance>
  </routing-instances>
FIRST: the name of the routing instance
SECOND: the type of routing instance
THIRD: the name of the Juniper physical interface
FOURTH: the VPN IPv4 family address (route distinguisher)
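The route distinguisher configured above (2.2.2.2:RD) is what lets two customers use overlapping address spaces in the VPN IPv4 family. The following Python, added here as an illustration and not part of this tutorial or of any Juniper software, encodes RDs of the three types defined in RFC 4364 and shows that the same customer prefix yields different VPN-IPv4 keys in different VRFs; the VRF names, RD values and prefix are made up, and the function names are my own.

```python
"""VPN-IPv4 addresses (RFC 4364): an 8-byte Route Distinguisher (RD) is
prepended to a customer IPv4 prefix, so two VPNs using the same private
range still give distinct keys. Constructed example, not vendor code."""
import ipaddress
import struct

def encode_rd(admin: str, assigned: int) -> bytes:
    """Build an 8-byte RD. Type 0 = 2-byte ASN:4-byte number, type 1 =
    IPv4 address:2-byte number (the 2.2.2.2:RD form used in the slide),
    type 2 = 4-byte ASN:2-byte number."""
    if "." in admin:                      # administrator field is an IPv4 address
        return struct.pack("!H", 1) + ipaddress.IPv4Address(admin).packed + struct.pack("!H", assigned)
    asn = int(admin)
    if asn > 0xFFFF:                      # 4-byte ASN needs type 2
        return struct.pack("!HIH", 2, asn, assigned)
    return struct.pack("!HHI", 0, asn, assigned)

def decode_rd(rd: bytes) -> str:
    """Return the textual administrator:number form of an 8-byte RD."""
    rd_type = struct.unpack("!H", rd[:2])[0]
    if rd_type == 0:
        asn, num = struct.unpack("!HI", rd[2:])
        return f"{asn}:{num}"
    if rd_type == 1:
        ip, num = struct.unpack("!4sH", rd[2:])
        return f"{ipaddress.IPv4Address(ip)}:{num}"
    if rd_type == 2:
        asn, num = struct.unpack("!IH", rd[2:])
        return f"{asn}:{num}"
    raise ValueError(f"unknown RD type {rd_type}")

def vpn_ipv4(rd: bytes, prefix: str) -> bytes:
    """12-byte VPN-IPv4 address: RD followed by the IPv4 network address."""
    net = ipaddress.IPv4Network(prefix, strict=False)
    return rd + net.network_address.packed

# Constructed: two VRFs whose customers both use 10.20.12.0/24 on their sites.
VRF_RD = {"vpn-ABC": encode_rd("2.2.2.2", 100), "vpn-XYZ": encode_rd("65000", 200)}

def distinct_keys(prefix: str) -> bool:
    """True if the same customer prefix maps to a different VPN-IPv4 key per VRF."""
    keys = {vpn_ipv4(rd, prefix) for rd in VRF_RD.values()}
    return len(keys) == len(VRF_RD)
```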
Routers PE Configuration
  <bgp>
    <local-address>2.2.2.2</local-address>
    <local-as>AS</local-as>
    <group>
      <name>1-2-3</name>
      <type>internal</type>
      <neighbor>
        <name>Edge-1</name>
        <local-address>1.1.1.1</local-address>
      </neighbor>
      <neighbor>
        <name>Edge-3</name>
        <local-address>3.3.3.3</local-address>
      </neighbor>
    </group>
  </bgp>
FIRST: the local address of the PE
SECOND: the Autonomous System
THIRD: the name of the BGP group
Routers Route-Reflector
A Route Reflector (RR) is a designated router.
Without an RR, BGP is based on a full mesh: n(n-1)/2 sessions, e.g., 10 routers: 10*(10-1)/2 = 45 BGP sessions.
With an RR: (n-1)+(n-1) sessions, e.g., 10 routers: 9+9 = 18 BGP sessions.
Routers PE Configuration
  <mpls>
    <label-switched-path>
      <name>to-A</name>
      <to>1.1.1.1</to>
      <bandwidth>30m</bandwidth>
      <install>10.20.12.0/24<active/></install>
    </label-switched-path>
  </mpls>
FIRST: the name of the LSP
SECOND: the destination of the LSP (egress router)
THIRD: the bandwidth reserved
FOURTH: the set of IP prefixes activated
[Figure: the LSP from the PE through core routers CR 1, CR 2 and CR 3 towards the far VPN site]
Benefits
RFC4364 defines an emerging standard commonly named MPLS VPN or, more exactly, BGP/MPLS IP VPN.
- VPNs can use overlapping address spaces (VPN IPv4 family).
- Providers use existing protocols (BGP, RSVP, OSPF, MPLS).
- Provider backbone routers do not need to hold any VPN routing information.
- Providers can offer good SLA and QoS support.
- Customers are UNAWARE of MPLS (all the work is done by the Service Provider).
- Customers are UNAWARE of the security policy.
- Customers are UNAWARE of connectivity and routing VPN management.
Drawback
- IP only: L3 VPNs transport only IPv4 traffic. Non-IP protocols need to be tunneled through some mechanism (such as GRE) on the CE or C devices.
- Possible difficulties in integration: the difficulty of integration from Layer 2 to Layer 3 peering varies greatly depending on the SP offering. If the SP does not offer some service, integration with a different routing protocol, such as eBGP, might require
VPN Multi-Domain
Two sites of a VPN are connected to different Autonomous Systems (AS). There are 2 methods to implement this feature:
- VRF-to-VRF
- EBGP (External BGP)
[Figure: a VPN spanning AS 1, AS 2 and AS 3]
References
- IANA Considerations (Internet Assigned Numbers Authority): IANA has created a new registry for the Route Distinguisher Type Field.
- Rosen, E., Rekhter, Y., BGP/MPLS IP Virtual Private Network, RFC 4364.
- Mertz, C., The Latest in Virtual Private Network, Part I & II, IEEE Internet Computing, June 2004; available at http://computer.org/internet
- Daugherty, B., and Mertz, C., Multiprotocol Label Switching And IP, Part I, IEEE Internet Computing, June 2005; available at http://computer.org/internet
- JUNOS software documentation for M-series and T-series platforms, available at http://www.juniper.net/techpubs