Copyright © 2000, Juniper Networks, Inc. Virtual Private Networks: Progress and Challenges Panel Session.


Slide 2: Panel Objectives
- Introduce Virtual Private Network concepts and technologies
- Describe some potential service provider VPN offerings
- List challenges faced by service providers in offering VPN services
- List and describe some of the proposals for addressing VPN challenges

Slide 3: Panel Participants
- Paul Ferguson – Cisco Systems
- David O'Leary – Juniper Networks
- Keerti Melkote – Nortel Networks
- NANOG audience (Question and Answer)

Slide 4: Virtual Private Networks: Progress and Challenges
David O'Leary, Director, Consulting Engineering

Slide 5: What is a VPN?
- Virtual
  - Emulation of private network facilities over a shared network infrastructure
- Private
  - Minimally: no mixing with traffic outside the VPN, and support for private address space(s)
  - Possibly encryption and a protected traffic class
- Network: two or more users or sites

Slide 6: How Virtual is Virtual?
- The only truly non-virtual private networks are customer-owned physical plant: copper and fiber, transport and switching equipment
- Leasing TDM circuits from a carrier means the customer gets a "virtual" slice of the carrier's transmission network
- Leasing layer 2 circuits (ATM, Frame Relay) from a carrier means the customer gets a "virtual" slice of the carrier's layer 2 network
- Statistical multiplexing here means it is cheaper for the provider and (in theory) for the customer

Slide 7: Focus on "IP VPNs"
- VPNs over an IP backbone that supports multiple services (e.g., public Internet, VoIP)
  - Exploit economies of scale through use of common backbone facilities
  - Reduce inefficiencies of separate networks
  - Shared local loops for internal corporate network and Internet access
- Service providers add value by allowing customers (enterprise networks) to "outsource" their routing (complexity) to the carrier

Slide 8: Four models of VPNs
- Remote user access
- CPE based
- MPLS-based Layer 2
- Provider-based Layer 3

Slide 9: Remote User Access
- Variety of protocols developed in the mid-90s to tunnel remote user traffic to a fixed site on the IP network
  - ATMP, PPTP, L2F
- Functions consolidated in the IETF L2TP protocol
  - Documented in RFC 2661, with various drafts for extensions
  - Dynamic, authenticated tunnels
- Deployments are becoming quite common

Slide 10: CPE Based VPNs
- Tunnels configured between CPE devices
  - Options are GRE, IPsec, IP-in-IP, PPTP, L2TP
- Topology of the VPN is configured into the CPE devices
- The provider does not have to do anything to their network (they may not even know it is happening)
- VPN traffic may be marked and prioritized
- The service provider may bundle and manage the CPE devices used to create the VPN service
  - Provides "value add" beyond best-effort Internet connectivity
- This model is already being aggressively deployed by providers around the world

Slide 11: CPE Based VPN Tradeoffs
- Provider network configuration
  - Potentially no more than required for Internet access
  - CoS or managed service adds provider complexity
- Customer (CPE) configuration
  - Every tunnel is a separate virtual interface that must be configured, including for routing
- Scalability
  - Provider network: excellent
  - Customer: depends on number of tunnels and routing topology/complexity
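Added example, not part of the panel slides: a CPE-to-CPE GRE tunnel (RFC 2784 style) built and parsed with the Python standard library, illustrating the "Private" definition on slide 5 against the tunnel options on slide 10. Of those options, only IPsec encrypts and authenticates the payload by itself (PPTP's MPPE encrypts, but is cryptographically weak); GRE, IP-in-IP and L2TP give the VPN private addressing over the provider's network and nothing more. The tunnel endpoints (192.0.2.1, 198.51.100.1), the inner addresses and the payload are constructed values.

```python
"""Added example (not from the panel): a CPE-to-CPE GRE tunnel, RFC 2784 style,
built and parsed with the standard library only. Tunnel endpoints, inner
addresses and payload are constructed values. What it shows: GRE, like
IP-in-IP, gives the VPN private addressing over the provider's IP network but
no confidentiality; any on-path router reads the inner packet as plainly as the
peer CPE does, which is why "possibly encryption" on slide 5 means IPsec."""
import ipaddress
import struct

GRE_PROTO = 47            # IPv4 protocol number for GRE
ETHERTYPE_IPV4 = 0x0800   # GRE Protocol Type value for an IPv4 payload


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over the header; returns 0 when run over a correct header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options, DF set, no fragmentation) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes):
    """Return (src, dst, protocol, payload); reject non-IPv4, truncated or corrupted headers."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if ihl < 20 or total_len < ihl or len(pkt) < total_len:
        raise ValueError("truncated IPv4 packet")
    if ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    return src, dst, pkt[9], pkt[ihl:total_len]


def gre_encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Sending CPE: prepend the 4-byte GRE header (no option bits) and the outer IPv4 header."""
    gre_hdr = struct.pack("!HH", 0x0000, ETHERTYPE_IPV4)
    return build_ipv4(tunnel_src, tunnel_dst, GRE_PROTO, gre_hdr + inner)


def gre_decapsulate(outer: bytes) -> bytes:
    """Receiving CPE: strip outer IPv4 and GRE, accepting only plain GRE version 0 carrying IPv4."""
    _, _, proto, payload = parse_ipv4(outer)
    if proto != GRE_PROTO or len(payload) < 4:
        raise ValueError("not a GRE packet")
    flags_ver, ptype = struct.unpack("!HH", payload[:4])
    if flags_ver & 0x0007:          # Version bits must be 0 for RFC 2784 GRE
        raise ValueError("unsupported GRE version")
    if flags_ver & 0xFFF8:          # C, K, S or reserved bits set: a longer header this example does not accept
        raise ValueError("GRE option or reserved bits set")
    if ptype != ETHERTYPE_IPV4:
        raise ValueError("GRE payload is not IPv4")
    return payload[4:]


def provider_view(outer: bytes) -> dict:
    """What any router on the provider's path can read from the tunnel packet, with no key at all."""
    o_src, o_dst, _, _ = parse_ipv4(outer)
    i_src, i_dst, i_proto, i_payload = parse_ipv4(gre_decapsulate(outer))
    return {"tunnel": (o_src, o_dst), "inner": (i_src, i_dst, i_proto), "payload": i_payload}


def demo() -> dict:
    """Constructed traffic: site A host 10.1.1.10 to site B host 10.2.2.20 via CPEs 192.0.2.1 -> 198.51.100.1."""
    inner = build_ipv4("10.1.1.10", "10.2.2.20", 17, b"constructed UDP-ish payload")
    outer = gre_encapsulate(inner, "192.0.2.1", "198.51.100.1")
    assert gre_decapsulate(outer) == inner     # the peer CPE recovers the inner packet byte for byte
    return provider_view(outer)


if __name__ == "__main__":
    print(demo())
```

The decapsulator rejects anything that is not exactly the header shape it expects (wrong version, option bits, non-IPv4 payload, bad checksum), which is the check a CPE should apply before handing a packet to the VPN's routing table. The `provider_view` result is the point: the inner private addresses and payload are fully visible to every hop between the CPEs.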

Slide 12: Layer-2 VPNs
- A subscriber leases VCs between the sites that need to be connected
  - Topologies are hub and spoke, full or partial mesh
- The subscriber and provider think of these VCs as "dumb" pipes, not at all involved in Layer 3 issues such as routing, packet filtering, etc.
  - Subscriber may outsource Layer 3 management to the provider in a "Managed Router" service
- Mature support for commitments about service (e.g., bandwidth, availability)
  - At least in the business/SLA sense
- Virtual circuit model eases capacity planning

Slide 13: Layer-2 VPN Tradeoffs
- Provider configuration
  - A lot in theory, but mostly automated in practice
- Subscriber configuration
  - Every VC is a separate virtual interface that must be configured, including for routing
  - Large, complex topologies yield complex configurations
- Scalability
  - Provider: number of VCs and stability of core
  - Subscriber: number of interfaces and routing
- Other
  - Leverages existing investment

Slide 14: MPLS-Based Layer-2 VPNs
- Looks identical to "traditional layer 2 VPNs" from the subscriber perspective
- Provider carries the layer 2 circuits over an IP/MPLS backbone
- Provides the ability to run multiple services (public IP, private IP, VoIP, etc.) over a single access circuit

Slide 15: MPLS-Based Layer-2 VPNs (diagram)
[Diagram: Subscriber A attaches to Provider 1 over ATM access. Internet traffic: ATM VC1 is terminated and the IP packets are delivered to Provider 2. VPN traffic: ATM VC2 is mapped to an MPLS LSP "tunnel". The edge router terminates ATM PVCs (layer 3 lookup) and supports layer-2 pass-through on the same port.]

Slide 16: MPLS-Based Layer-2 VPN Tradeoffs
- Provider configuration
  - Manual configuration of ingress and egress boxes (could be partially automated)
- Subscriber configuration
  - Every VC is a separate virtual interface that must be configured, including for routing
  - Retains existing CPE and subscriber model
- Scalability
  - Provider: number of LSPs, stability of core
  - Subscriber: number of VCs and routing

Slide 17: Provider-Based Layer-3 VPNs
- Concepts outlined in RFC 2547 and RFC 2764
- Subscriber treats the access link as a combined Internet/VPN link
  - Except for multiply-connected sites, needs minimal configuration (i.e., a default route)
- Provider's edge router supports instances of routing protocols and multiple forwarding tables
  - If a destination isn't in a VPN-specific forwarding table, then use the Internet table
- VPN site membership and VPN-specific routing information carried in BGP
  - Supports overlapping private address space
- Topology is conceptually always a full mesh between PEs

Slide 18: Provider-based Layer-3 VPN Tradeoffs
- Provider configuration
  - Minimal static configuration in basic scenarios
  - More configuration needed for complex topologies
- Subscriber configuration
  - Basic scenario is straightforward
  - More complex config needed for security, multihoming, participation in multiple VPNs, etc.
- Scalability
  - Provider: I-BGP possibly sees 100,000s of routes, (in)stability of multiple dynamic routing domains, multiple forwarding tables
  - Subscriber: allows a shared local loop and CPE device for multiple services (intranet, Internet, voice, etc.)
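Added example, not from the panel or from any vendor implementation: a toy RFC 2547 provider edge in Python, covering the slide 17 mechanics (per-VPN forwarding tables, membership and routes carried in BGP, overlapping private address space, fall-through to the Internet table). Routes are modelled as VPN-IPv4 = Route Distinguisher + prefix, with Route Target communities deciding which VRF imports which route. The AS number 65000, the RD/RT values, the PE loopbacks and the customer prefixes are constructed.

```python
"""Added example (not from the panel): a toy RFC 2547 provider edge (PE).
Each customer site attaches to a VRF, which is its own forwarding table.
Routes travel in BGP as VPN-IPv4 = Route Distinguisher + prefix, so two
customers can both use 10.1.0.0/16 without colliding, and Route Target
communities decide which VRFs import which routes. The Internet fall-through
from slide 17 is a per-VRF option here. AS 65000, the RD/RT values and the PE
loopbacks are constructed."""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class VpnRoute:
    rd: str                        # route distinguisher, ASN:nn form
    prefix: ipaddress.IPv4Network  # the customer's (possibly private) prefix
    next_hop: str                  # egress PE loopback
    route_targets: frozenset       # extended communities carried with the route

    @property
    def vpn_ipv4(self) -> str:
        """RD + prefix is the NLRI BGP carries; it stays unique even when prefixes overlap."""
        return f"{self.rd}:{self.prefix}"


@dataclass
class Vrf:
    name: str
    import_rts: frozenset                  # which route targets this VRF accepts
    internet_fallthrough: bool = False     # slide 17: miss in the VRF -> try the Internet table
    table: dict = field(default_factory=dict)

    def import_routes(self, bgp_routes) -> None:
        """Install only routes whose RTs intersect ours; this RT match is the isolation boundary."""
        for r in bgp_routes:
            if r.route_targets & self.import_rts:
                self.table[r.prefix] = r.next_hop


def longest_prefix_match(table: dict, dst: str):
    addr = ipaddress.IPv4Address(dst)
    best = None
    for prefix, nh in table.items():
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, nh)
    return best


class ProviderEdge:
    def __init__(self, internet_table: dict):
        self.internet = internet_table      # the global (Internet) forwarding table
        self.vrfs = {}

    def add_vrf(self, vrf: Vrf) -> None:
        self.vrfs[vrf.name] = vrf

    def forward(self, vrf_name: str, dst: str):
        """Look up in the site's VRF first; use the Internet table only if that VRF allows fall-through."""
        vrf = self.vrfs[vrf_name]
        hit = longest_prefix_match(vrf.table, dst)
        if hit:
            return ("vpn", hit[1])
        if vrf.internet_fallthrough:
            hit = longest_prefix_match(self.internet, dst)
            if hit:
                return ("internet", hit[1])
        return ("drop", None)


def build_demo_pe() -> ProviderEdge:
    """Customers A and B both use 10.1.0.0/16 at remote sites behind different egress PEs (constructed)."""
    net = ipaddress.IPv4Network
    bgp_routes = [
        VpnRoute("65000:1", net("10.1.0.0/16"), "10.255.0.1", frozenset({"target:65000:1"})),
        VpnRoute("65000:2", net("10.1.0.0/16"), "10.255.0.2", frozenset({"target:65000:2"})),
        VpnRoute("65000:2", net("10.9.0.0/16"), "10.255.0.2", frozenset({"target:65000:2"})),
    ]
    # Identical prefixes, distinct NLRIs: the RD keeps them apart in BGP.
    assert len({r.vpn_ipv4 for r in bgp_routes}) == len(bgp_routes)

    pe = ProviderEdge(internet_table={net("0.0.0.0/0"): "internet-gw"})
    vrf_a = Vrf("A", frozenset({"target:65000:1"}), internet_fallthrough=True)
    vrf_b = Vrf("B", frozenset({"target:65000:2"}))
    for vrf in (vrf_a, vrf_b):
        vrf.import_routes(bgp_routes)
        pe.add_vrf(vrf)
    return pe


if __name__ == "__main__":
    pe = build_demo_pe()
    print(pe.forward("A", "10.1.2.3"))        # ('vpn', '10.255.0.1')
    print(pe.forward("B", "10.1.2.3"))        # ('vpn', '10.255.0.2')
    print(pe.forward("A", "198.51.100.9"))    # ('internet', 'internet-gw')
    print(pe.forward("B", "198.51.100.9"))    # ('drop', None)
    print(pe.forward("A", "10.9.0.1"))        # ('internet', 'internet-gw')
```

Two things worth noticing. First, the same destination 10.1.2.3 forwards to different egress PEs depending on which VRF the packet arrived in, which is the overlapping-address-space property. Second, the last lookup: VRF A has fall-through enabled and the global table holds a default route, so a packet from customer A addressed to customer B's 10.9.0.0/16 is not dropped but sent toward the Internet gateway. The fall-through on slide 17 is therefore a policy decision that reintroduces a path between the VPN and the public table; a VRF that must stay isolated (VRF B here) leaves it off and drops on a miss.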

Slide 19: Where Does That Leave Us?
- Customer-centric tunneling is easier for the provider
  - CoS, traffic engineering, SLAs, etc. are value-adds
- For a provider implementing VPNs, scalability and value-add are fundamentally at odds
- MPLS-based layer-2 VPNs offer the benefits of an integrated/multi-service network
  - But the enterprise network has to handle the routing
- Layer-3 VPNs allow the enterprise network to be almost unconcerned with routing
  - Doesn't support as many VPNs, sites per VPN, routes per VPN, or customers per access box as MPLS-based layer 2 VPNs
  - Risk to the stability of the multi-service core
- So what is the answer?

Slide 20: Where Does That Leave Us? (cont.)
- The answer is: it depends
- Some subscribers may require the ability to outsource routing
  - Layer 3 VPNs, or
  - MPLS-based layer 2 VPNs where "managed services" are provided and a device at the customer's premises converts from pure IP to some number of layer 2 virtual circuits
- Some subscribers may be capable of doing their own routing
  - MPLS-based layer 2 VPNs offer scalability for broad deployment as well as stability with less coupling
- A range of hybrid solutions is likely
  - Remote access user VPNs
  - CPE-based VPNs
  - MPLS-based layer 2 VPNs
  - Layer 3 VPNs

Slide 21: Summary
- There is no one-size-fits-all solution for VPNs
- Tradeoffs between value add and scalability/stability
- Tradeoffs between customer requirements
  - Desire to outsource routing, security, etc.
  - Size and complexity of network