
MPLS-based Layer 2 VPNs

Kireeti Kompella Juniper Networks

Agenda
- Introduction
  - Traditional Layer 2 VPNs
  - MPLS-based Layer 2 VPNs
  - Layer 3 VPNs
- Details
  - Provisioning
  - Transport
  - Carrying non-address information

17/01/01

Juniper Networks, Inc. Copyright 2000

Co-Authors
- Service Providers
  - Javier Achirica
  - Ronald Bonica
  - Chris Liljenstolpe
  - Eduard Metz
- Vendors
  - Manoj Leelanivas
  - Chandramouli Sargor
  - Vijay Srinivasan
  - Quaizar Vohra


Traditional (Layer 2) VPNs


[Figure: network diagram. Legend: Router; Frame Relay/ATM Switch]


Traditional (Layer 2) VPNs


- Provider network technology dictated by VPN services
  - Frame switches? ATM switches?
- Provisioning complex for provider
- Topology dictated by cost rather than traffic patterns
- Multiple networks add to provider's administrative burden


MPLS-Based Layer 2 VPNs


- Traditional Layer 2 VPN from customer's point-of-view
  - Layer 3 independent
  - Provider not responsible for routing
- MPLS transport in provider network
  - Isolation between edge and core technologies
- Auto-provisioning VPN
- Single network architecture for both Internet traffic and VPN traffic


MPLS-Based Layer 2 VPNs


[Figure: network diagram showing CE A, CE B, CE C, CE D, CE E, CE F, CE G and PE 1, PE 2, PE 3, PE 4. Legend: Router]

Privacy Security
- Encryption is a must if you want security
- Where's the weak point?
- CE-to-CE
  - Use IPSec!
  - Not PP VPN
- PE-to-PE
  - Per VPN
  - Per PE-to-PE session


Layer 3 VPNs
- SP participates in customer's routing
  - Out-sourced routing
  - Added SP responsibilities
  - Value-added service ~ cost structure
- BGP MPLS VPNs
  - QoS/CoS, Carrier of Carriers, inter-SP VPNs
- Virtual routers
- Migration may take some work


Provisioning the Network


- PE-to-PE MPLS LSPs
  - Key: signaling
  - LDP LSPs
  - RSVP-TE LSPs
  - LDP over RSVP tunneling
    - Fully-meshed Traffic Engineered core
    - Edge-to-edge LDP LSPs
- Used for all services: IP, L2 VPNs, L3 VPNs, differentiated services
- Provisioned independent of Layer 2 VPNs!


Provisioning a VPN
- Key: signaling
  - Auto-discovery of members, auto-assignment of inter-member circuits
  - Flexible VPN topology
  - Signaling using LDP or BGP
- O(N) configuration for the whole VPN
  - Could be more for complex topologies
- O(1) configuration to add a site
  - Overprovision DLCIs at customer sites


Provisioning Customer Sites


- List of DLCIs, one for each other site, some spare (over-provisioning)
- DLCIs independently numbered at each site
- LMI, inverse ARP and/or routing protocols for auto-discovery and learning addresses
- No changes as VPN membership changes (until over-provisioning runs out)


VPN Transport
[Figure: network diagram showing CE A, CE B, CE C, CE D, CE E, CE F, CE G and PE 1, PE 2, PE 3, PE 4. Legend: Router]

VPN Transport
[Figure: VPN transport example. Annotations as they appear on the slide:]
- CE list: -, E, -, C; DLCI list: 65, 77, 88, 94
- CE list: G; DLCI list: 53, 66
- CE A, dlci 53; PE 1; L1/L2
  - Label L2 to CE G
  - Label L1 to PE 2
  - Label L1 to PE 4
- CE B, dlci 94, 77; L1/L2
  - Label L2 to CE C
  - Label L1 to PE 3
  - L1/L2 to PE4/CE E


Virtual Network
[Figure: virtual network among CE B, CE C and CE E, with circuit endpoints labelled DLCI 94, DLCI 77, DLCI 111, DLCI 89, DLCI 63 and DLCI 101]

Signaling
- Compact representation of mapping of layer 2 address to inner label
- Signaling through either BGP or LDP
- Arbitrary topologies possible; common ones such as full mesh and hub-and-spoke easy to configure


Packet Format (1)


- Packet format from customer: <dlci><UI><proto><layer 3 packet>
- Remove DLCI; add two labels
- Packet format in network: <MPLS encap><outer label><inner label><UI><proto><layer 3 packet>
- In the example, outer label = L1, inner = L2


Packet Format (2)


- At destination PE: remove MPLS encap and label(s), add new DLCI to get: <dlci><UI><proto><layer 3 packet>
- Effectively, the SP network acts as a big Frame Relay switch for this VPN
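
The two Packet Format slides as a runnable sketch (an added example, not code from the deck): the ingress PE strips the DLCI and pushes outer and inner labels, and the egress PE maps the inner label to a new DLCI, dropping anything it has no entry for. It assumes the standard 2-byte Frame Relay address and 4-byte MPLS label stack entry, omits the link-layer `<MPLS encap>`, and uses made-up numeric values for L1, L2 and the egress DLCI.

```python
import struct

def fr_header(dlci):
    """2-byte Frame Relay address for a 10-bit DLCI (C/R, FECN, BECN, DE clear)."""
    return bytes([((dlci >> 4) & 0x3F) << 2, ((dlci & 0x0F) << 4) | 0x01])

def fr_dlci(frame):
    """Extract the 10-bit DLCI from the first two bytes of a frame."""
    return ((frame[0] >> 2) << 4) | (frame[1] >> 4)

def mpls_entry(label, bottom, ttl=64):
    """One label stack entry: 20-bit label, 3 EXP bits (zero), S bit, TTL."""
    return struct.pack("!I", (label << 12) | (int(bottom) << 8) | ttl)

def ingress_pe(frame, dlci_table):
    """Remove DLCI; add two labels. Unprovisioned DLCIs are dropped (None)."""
    labels = dlci_table.get(fr_dlci(frame))
    if labels is None:
        return None
    outer, inner = labels
    return mpls_entry(outer, False) + mpls_entry(inner, True) + frame[2:]

def egress_pe(packet, inner_table):
    """Remove label(s), add new DLCI. Unknown inner labels are dropped (None)."""
    offset = 0
    while True:
        if offset + 4 > len(packet):
            return None                      # truncated label stack
        (entry,) = struct.unpack_from("!I", packet, offset)
        offset += 4
        if entry & 0x100:                    # S bit: bottom of stack = inner label
            break
    dlci = inner_table.get(entry >> 12)
    return None if dlci is None else fr_header(dlci) + packet[offset:]

# Constructed sample values: the deck names the labels only as L1 and L2 and
# shows dlci 53 at CE A; the numbers 3001, 4002 and 71 are made up.
L1, L2, DLCI_AT_CE_G = 3001, 4002, 71
# <dlci><UI><proto><layer 3 packet>, with UI = 0x03 and proto = 0xCC (IP)
FRAME_FROM_CE_A = fr_header(53) + b"\x03\xcc" + b"layer 3 packet"

if __name__ == "__main__":
    in_network = ingress_pe(FRAME_FROM_CE_A, {53: (L1, L2)})
    delivered = egress_pe(in_network, {L2: DLCI_AT_CE_G})
    print(in_network.hex(), fr_dlci(delivered))
```

Nothing on this path encrypts or authenticates the payload; separation between VPNs rests on the two lookup tables, which is why the deck treats encryption as a separate requirement.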


Non-address Information
- What about F/B ECN, DE, C/R, ?
  - Use experimental bits to carry this info
  - Can't squeeze 4 bits into 3, so use twice the number of labels if needed
- Not for preferential treatment in the core!
  - For this, use MPLS with Diff-Serv
  - Different DLCIs mapped to different PE-to-PE LSPs (L-LSPs) or different EXP bits (E-LSPs)
  - DE/not DE mapped to different EXP bits


Summary
- MPLS-based Layer 2 VPNs identical to Layer 2 VPNs from customer's perspective
  - Familiar paradigm
  - Easy to migrate
- Benefits
  - Single network infrastructure
  - Auto-provisioning
  - Layer 3 and routing independent
- Drawbacks
  - Layer 2 dependent

Future Work
- MPLS as layer 2 to CE
  - CE needs to be MPLS-aware
- Secure MPLS
- VLANs as layer 2 to CE
- Carrier of carriers model, inter-SP VPNs
- CoS support


Thank you!
http://www.juniper.net
