1
MPLS L2 VPNs
Hector Avalos, Technical Director - Southern Europe, Juniper Networks (havalos@juniper.net)
Juniper Networks, Inc. Copyright © 2000
2
Agenda: L2 MPLS VPNs
- Overview of VPNs
- Provider-provisioned L2 MPLS VPNs
- Taxonomy
- Operational Model
- Conclusion
The agenda for Part I is …
3
What is a VPN?
[Diagram: shared infrastructure linking corporate headquarters, a branch office (intranet), mobile users and telecommuters (remote access), and suppliers, partners and customers (extranet)]
A private network constructed over a shared infrastructure
- Virtual: not a separate physical network
- Private: separate addressing and routing
- Network: a collection of devices that communicate
Policies are key: global connectivity is not the goal
4
Deploying VPNs in the 1990s
[Diagram: provider Frame Relay network; CPE routers attached to FR switches over PVCs identified by DLCIs]
Operational model
- PVCs overlay the shared infrastructure (ATM/Frame Relay)
- Routing occurs at the customer premises
Benefits
- Mature technologies
- Relatively “secure”
- Service commitments (bandwidth, availability, and more)
Limitations
- Scalability and management
- Not a fully integrated IP solution
5
Deploying VPNs in the 21st Century
[Diagram: corporate headquarters, branch office (intranet), remote-access users and supplier/partner sites (extranet) all connected over the Internet]
- The Internet is the shared infrastructure
- Increasing importance of IP/MPLS (not ATM/FR)
Subscriber requirements
- A single network connection for all services
- Semi-public connectivity rather than private connectivity
Provider requirements
- Multiservice infrastructure that supports all services
- Enhance the provider’s role in VPN solutions
6
VPN Classification Model
[Diagram: CPE-VPN (VPN tunnels between CPEs) versus PP-VPN (VPN tunnels between PEs) across subscriber sites 1, 2 and 3]
Customer-managed VPN solutions (CPE-VPNs)
- Layer 2: L2TP and PPTP
- Layer 3: IPSec
Provider-provisioned VPN solutions (PP-VPNs)
- Layer 3: MPLS-based VPNs (RFC 2547bis)
- Layer 3: non-MPLS-based VPNs (virtual routers)
- Layer 2: MPLS VPNs

The IETF classifies VPNs in two distinct models. The Customer Premise Equipment (CPE) based VPN uses equipment located at the subscriber site. This model can use both Layer 2 and Layer 3 technologies. Layer 2 is handled using the Layer 2 Tunneling Protocol (L2TP) and the Point to Point Tunneling Protocol (PPTP); tunnels are created between CPEs, forming a secure pipe across which data is transferred. In the Network-Based (NB) VPN model, Layer 3 is supported using two separate solutions. Non-MPLS-based VPNs use virtual routers to route CPE-based VLAN traffic to the far-end CPE. MPLS-based VPNs, based on RFC 2547bis, use labels to switch VPN traffic between CPEs.
7
VPN Classification Model
[Diagram: PP-VPN with VPN tunnels between PEs serving subscriber sites 1, 2 and 3]
Provider-provisioned L2 MPLS VPN solutions
Internet drafts:
- draft-kompella-mpls-l2vpn-02.txt
- draft-martini-l2circuit-encap-mpls-01.txt
8
Customer Edge Routers
[Diagram: CE routers of VPN A and VPN B attached to PEs over FR and ATM access; P routers in the core]
Customer Edge (CE) routers
- Router or switch located at the customer premises, providing access to the service provider network
- Layer 2 (FR, ATM, Ethernet) and Layer 3 (IP, IPX, SNA …) independence from the service provider network
- CEs within a VPN use the same L2 technology to access the service provider network
- Require a sub-interface per CE they need to interconnect with within the VPN
- Maintain routing adjacencies with other CEs within the VPN

The Customer Edge (CE) device is usually assigned to the subscriber site and may be a Layer 2 switch or a Layer 3 router. It is the means by which the Provider Edge (PE) at the service provider’s site communicates with the subscriber. Any type of data link will work for the connection between the CE device and the PE device, and a CE may be connected to two or more PE routers. When the CE device is a router connected to a PE router, a router adjacency is established between the two routers. After this adjacency is established, the CE router advertises all of the subscriber site’s local routes to the PE router. The PE router in turn lets the CE router learn, from the PE router, the other VPN routes it is directly connected to.
9
Provider Edge Routers
[Diagram: PE routers attaching CEs of VPN A and VPN B over FR and ATM; P routers in the core]
Provider Edge (PE) routers
- Maintain site-specific VPN Forwarding Tables
- Exchange VPN Connection Tables with other PE routers using MP-IBGP or LDP
- Use MPLS LSPs to forward VPN traffic

The Provider Edge (PE) router connects to the CE device over different types of data links, such as Frame Relay DLCIs, ATM PVCs, VLANs, etc. Regardless of the data link, the PE router ensures that each port these data links arrive on is mapped to a particular table known as a VPN routing and forwarding (VRF) table. The PE port is therefore associated with a particular VRF together with the information associated with the incoming data link. The PE router maintains all of the VRFs of the virtual private networks attached to it. The exchange of routing information between the CE device and the PE device may take place using Routing Information Protocol (RIP) version 2, Open Shortest Path First (OSPF), or Exterior Border Gateway Protocol (E-BGP). The PE router is only responsible for maintaining the IPv4 routes of the CE devices that are actually attached to it; this is what makes the RFC 2547bis operational model scalable. The PE router also exchanges VPN routing information with other PE routers using I-BGP, and may use this I-BGP session to peer with route reflectors as an alternative to a full mesh of I-BGP sessions. Deploying multiple route reflectors further enhances the scalability of the RFC 2547bis operational model, because no single component needs to handle all of the IPv4 routes. When forwarding traffic across the MPLS backbone, the PE router acts as a Label Switch Router (LSR): the PE that first forwards the traffic onto the MPLS backbone is the ingress LSR, and the PE that receives the traffic at its destination is the egress LSR.
10
Provider Routers
[Diagram: P routers in the core between the PEs that attach the VPN A and VPN B CEs]
Provider (P) routers
- Forward VPN data transparently over established LSPs
- Do not maintain VPN-specific forwarding information

In the Multiprotocol Label Switching environment, the topology makes it very clear which routers are PE routers and which are Provider (P) routers. A rule of thumb for telling a P router from a PE router, which always holds within the MPLS environment, is that only PE routers attach directly to a CE device. Therefore, a router within the MPLS topology that does not attach to a CE device is a P router. The P router functions within the MPLS backbone as a transit Label Switch Router (LSR) when it forwards data traffic between the PE routers, known in the MPLS backbone as the ingress LSR and the egress LSR. Because the P router operates in the MPLS backbone on a two-label stack, P routers only need to be aware of, and maintain, the routes to the PE routers. This prevents the P routers from being bogged down with all of the subscriber sites’ routes, as the PE routers are. Specific VPN routes are therefore found only in the PE routers.
11
VPN Forwarding Tables (VFT)
[Diagram: PE 1, PE 2 and PE 3 with the CEs of VPN A (sites 1-3), VPN B (sites 1-3) and VPN C (sites 1-2) attached over ATM; OSPF and P routers in the core]
A VFT is created for each site connected to the PE
12
VPN Forwarding Tables (VFT)
Each VFT is populated with:
- The forwarding information provisioned for the local CE sites
- VPN Connection Tables received from other PE routers via iBGP or LDP
13
VPN Connection Tables (VCT)
[Diagram: PE-1 and PE-2, each holding a VFT per attached CE (site 1 and site 2), exchanging VCTs over an MP-iBGP session or LDP]
- A VCT is distributed to the PEs for each VPN site
- The VCT is a subset of the information held by the VFT

When exchanging routing information, the PE is configured to associate a particular interface or sub-interface with a forwarding table. This association allows the PE to learn the routes associated with the site of which the CE device is a member. The CE device advertises a route to the PE router, which checks its own forwarding tables for a direct connection. When no direct connection is available, the PE router advertises the route using the Interior Border Gateway Protocol (I-BGP) to another PE router, placing its own address as the BGP next hop for the route. When the second PE router receives the advertisement from the first PE router, it performs route filtering based upon the BGP extended community attributes carried with the route. When the route is accepted for installation in the PE’s VPN forwarding tables, the second PE router advertises the destination route back to the first PE router. This process describes the exchange of routing information between two PE routers.
14
L2 VPN Provisioning
- Provisioning the network
- Provisioning the CEs
- Provisioning the VPN (PEs)
- VPN Connection Table distribution
In this section we look at the provisioning issues and the tasks associated with Layer 2 VPNs. Assumption: the access technology is Frame Relay (other cases are similar).
15
Provisioning the Network
[Diagram: PE 1, PE 2 and PE 3 with VPN A and VPN B sites attached over ATM; OSPF and P routers in the core]
- LSPs pre-established between PEs via RSVP-TE or LDP signalling
- LSPs used for many services: IP, L2 VPN, L3 VPN, differentiated services
- Provisioned independently of Layer 2 VPNs
16
Provisioning Customer Sites
CE-4 routing table (DLCIs 63, 75, 82, 94):
  Destination   Out
  10/8          DLCI 63
  20/8          DLCI 75
  30/8          DLCI 82
  -             DLCI 94
- List of DLCIs: one for each site, some spare for over-provisioning
- DLCIs independently numbered at each site
- LMI, inverse ARP and/or routing protocols for auto-discovery and learning addresses
- No changes as VPN membership changes, until the over-provisioning runs out
The list of DLCIs is configured on the PEs. No changes are required when new sites are added: existing sites remain unchanged as long as the provider has over-provisioned the PEs in the network.
17
Provisioning CEs at the PE
A VFT needs to be provisioned at each PE for each CE:
- VPN-ID: unique value within the service provider network
- CE-ID: unique value in the context of a VPN
- CE Range: maximum number of CEs that it can connect to
- Sub-interface list: set of local sub-interface IDs assigned for the CE-PE connection
- Label base: label assigned to the first sub-interface ID; the PE reserves N contiguous labels, where N is the CE Range
CE4 VFT: VPN ID = RED VPN, CE ID = 4, CE Range = 4, Label base = 1000, Sub-int IDs = 63, 75, 82, 94 (the CE4 VCT is the subset announced to other PEs)

A key benefit is auto-discovery. Compared with the traditional Layer 2 VPN slide, there is no need to manually configure additional VPN members. All sites must be configured at the initial bootstrap of the network; after that initial build, it is only necessary to configure the newly added sites, without touching existing sites. Note: the label base is chosen automatically by the PE; the other information is assigned by the ISP administrator. The choice of sub-interface IDs must be agreed by both the SP and the customer. The VFT is announced via LDP as a new FEC, or via MP-BGP as a new AFI. Label base: BGP only; LDP carries the label with the FEC. VPN ID: LDP only; with BGP we use communities of the form <VPN-ID>:<connectivit>.
18
Provisioning CEs at the PE
[Diagram: PE-1 and PE-2 with a VFT per attached CE at sites 1 and 2; Frame Relay access]
CE4 VFT: VPN ID = RED VPN, CE ID = 4, CE Range = 4, with sub-interface IDs and label base as follows:
  CE4’s DLCI to CE0: 63    Label used by CE0 to reach CE4: 1000
  CE4’s DLCI to CE1: 75    Label used by CE1 to reach CE4: 1001
  CE4’s DLCI to CE2: 82    Label used by CE2 to reach CE4: 1002
  CE4’s DLCI to CE3: 94    Label used by CE3 to reach CE4: 1003
PE-2 is configured with the CE4 VFT
19
Distributing VCTs
Key: signalling using LDP or MP-iBGP
- Auto-discovery of members
- Auto-assignment of inter-member circuits
- Flexible VPN topology
- O(N) configuration for the whole VPN (could be more for complex topologies)
- O(1) configuration to add a site: “overprovision” DLCIs (sub-interfaces) at customer sites
20
Distributing VCTs
[Diagram: PE-1 and PE-2 exchanging the CE4 VCT update over an MP-iBGP session or LDP; Frame Relay access at sites 1 and 2]
CE4 VCT update: VPN ID = RED VPN, CE ID = 4, CE Range = 4, Label base = 1000
Label used by CE2 to reach CE4: 1002
PE-1 accepts PE-2’s CE4 VCT
21
Updating VFTs: PE-1 updates its CE2 VFT
[Diagram: CE-2 at site 1 attached to PE-1 over FR DLCI 414; CE-4 at site 2 attached to PE-2 over FR DLCI 82]
CE2 VFT:
  Sub-int ID   CE ID   Inner label
  107          1       7500
  209          2       5020
  265          3       9350
  414          4       1002   (label used to reach CE4)
22
Updating VFTs: PE-1 updates its CE2 VFT
[Diagram: CE-2 at site 1 attached to PE-1 over FR DLCI 414; CE-4 at site 2 attached to PE-2 over FR DLCI 82]
CE2 VFT:
  Sub-int ID   CE ID   Inner label   Outer label
  107          1       7500
  209          2       5020
  265          3       9350
  414          4       1002          500 (LSP to PE-2)
23
Data Flow
[Diagram: CE-2 at site 1 sends a packet to PE-1 on DLCI 414; CE-4 at site 2 is reached from PE-2 on DLCI 82]
- CE-2 sends packets to the PE via the DLCI which connects to CE-4 (414)

Forwarding the data traffic between sites is performed using a two-label approach within the Multiprotocol Label Switching process. Broadly speaking, the top label is the IGP label: it identifies the label switched path to the egress router, is derived from the core interior gateway protocol, and is distributed either with the Label Distribution Protocol or with the Resource Reservation Protocol. The bottom label is the BGP label: it identifies the outgoing interface from the egress PE router to the CE device with the destination address. This information is obtained when route distribution information is exchanged between the two PE routers using the Interior Border Gateway Protocol: the egress LSR sends the Update message back to the ingress LSR and so provides the ingress LSR with the information it needs for the bottom label.
24
Data Flow: the DLCI number is removed by the ingress PE
1) Look up the DLCI in the Red VFT
2) Push the VPN label (1002)
3) Push the IGP label (500)
[Diagram: packet leaving PE-1 carrying IGP label 500 over site label 1002, destined for DLCI 82 on PE-2]
- The DLCI number is removed by the ingress PE
- Two labels are derived from the VFT sub-interface lookup and “pushed” onto the packet
  - Outer IGP label: identifies the LSP to the egress PE router; derived from the core’s IGP and distributed by RSVP or LDP
  - Inner site label: identifies the outgoing sub-interface from the egress PE to the CE; derived from the MP-IBGP/LDP update from the egress PE
25
Data Flow
[Diagram: packet in the core carrying IGP label (z) over site label 1002; site 2 is 10.1/16 behind CE-4 on DLCI 82]
- After packets exit the ingress PE, the outer label is used to traverse the LSP
- P routers are not VPN-aware
26
Data Flow: penultimate hop pops the top label
[Diagram: packet arriving at PE-2 carrying only site label 1002; site 2 is 10.1/16 behind CE-4 on DLCI 82]
- The outer label is removed through penultimate hop popping (before reaching the egress PE)
27
Data Flow: the inner label is removed at the egress PE
[Diagram: PE-2 delivers the native packet to CE-4 at site 2 on DLCI 82]
- The inner label is removed at the egress PE
- The egress PE does a label lookup to find the corresponding DLCI value
- The native Frame Relay packet is sent on the corresponding outbound sub-interface
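The provisioning and forwarding steps of the preceding slides, as an added Python model that is not part of the original deck or Juniper's code: the inner label is derived as label base plus the sending CE-ID, the ingress PE pushes the two-label stack, and the egress PE maps the inner label back to a DLCI, refusing labels that fall outside a reserved block or VCTs from another VPN. The CE4 values (label base 1000, range 4, DLCIs 63/75/82/94, DLCI 414 at CE2, IGP label 500) come from the slides; CE2's label base (2000) and range (8), PE-2's LSP label (600), and the class and function names are constructed assumptions.

```python
"""Toy model of the Layer 2 MPLS VPN provisioning and forwarding on the slides:
each PE announces a VCT per local CE, remote PEs derive the inner (site)
label from it, and data crosses the core under a two-label stack.
Added example, not Juniper's code; values not on the slides are constructed."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class VCT:
    """VPN Connection Table advertised for one CE via MP-iBGP or LDP."""
    vpn_id: str
    ce_id: int
    ce_range: int      # number of remote CEs this site can reach
    label_base: int    # first of ce_range contiguous labels reserved by the PE


@dataclass
class VFT:
    """VPN Forwarding Table held at a PE for one locally attached CE."""
    vct: VCT
    sub_ifs: dict                               # remote CE-ID -> local DLCI
    routes: dict = field(default_factory=dict)  # DLCI -> (outer, inner) label


class PE:
    def __init__(self, name, lsp_labels):
        self.name = name
        self.lsp_labels = lsp_labels   # remote PE name -> outer (IGP) label
        self.vfts = {}                 # local CE-ID -> VFT

    def provision_ce(self, vft):
        """Reserve the CE's label block; refuse overlaps with other local CEs,
        since an overlapping inner label would map to two customers' circuits."""
        lo, hi = vft.vct.label_base, vft.vct.label_base + vft.vct.ce_range
        if any(k >= vft.vct.ce_range for k in vft.sub_ifs):
            raise ValueError("sub-interface for a CE-ID outside the CE range")
        for other in self.vfts.values():
            olo = other.vct.label_base
            if lo < olo + other.vct.ce_range and olo < hi:
                raise ValueError(f"block {lo}-{hi - 1} overlaps CE{other.vct.ce_id}")
        self.vfts[vft.vct.ce_id] = vft

    def receive_vct(self, vct, from_pe):
        """Install a remote CE's VCT into every local VFT of the same VPN.
        Returns the number of circuits provisioned."""
        installed = 0
        for vft in self.vfts.values():
            if vft.vct.vpn_id != vct.vpn_id:
                continue                       # never bind across VPNs
            dlci = vft.sub_ifs.get(vct.ce_id)
            if dlci is None:
                continue                       # no circuit toward that site
            if not 0 <= vft.vct.ce_id < vct.ce_range:
                continue                       # remote block has no slot for us
            inner = vct.label_base + vft.vct.ce_id   # e.g. 1000 + 2 = 1002
            vft.routes[dlci] = (self.lsp_labels[from_pe], inner)
            installed += 1
        return installed

    def ingress(self, ce_id, dlci, payload):
        """Strip the DLCI and push [outer IGP label, inner site label]."""
        outer, inner = self.vfts[ce_id].routes[dlci]
        return [outer, inner], payload

    def egress(self, stack, payload):
        """After penultimate hop popping only the inner label remains;
        map it back to the DLCI of the reserved block it falls in."""
        if len(stack) != 1:
            raise ValueError("expected exactly one label after PHP")
        inner = stack[0]
        for vft in self.vfts.values():
            base = vft.vct.label_base
            if base <= inner < base + vft.vct.ce_range:
                dlci = vft.sub_ifs.get(inner - base)
                if dlci is None:
                    raise ValueError(f"label {inner} has no sub-interface: drop")
                return dlci, payload
        raise ValueError(f"label {inner} is in no reserved block: drop")


def demo():
    """CE2 (site 1, PE-1) sends a frame to CE4 (site 2, PE-2) as on the slides."""
    pe1 = PE("PE-1", lsp_labels={"PE-2": 500})   # 500 is the slides' IGP label
    pe2 = PE("PE-2", lsp_labels={"PE-1": 600})   # 600 is constructed
    ce4 = VCT("RED", ce_id=4, ce_range=4, label_base=1000)
    pe2.provision_ce(VFT(ce4, {0: 63, 1: 75, 2: 82, 3: 94}))
    ce2 = VCT("RED", ce_id=2, ce_range=8, label_base=2000)  # constructed block
    pe1.provision_ce(VFT(ce2, {1: 107, 3: 265, 4: 414}))
    pe1.receive_vct(ce4, from_pe="PE-2")         # PE-1 accepts PE-2's CE4 VCT
    (outer, inner), data = pe1.ingress(2, 414, b"frame from CE2")
    dlci, _ = pe2.egress([inner], data)          # outer already popped (PHP)
    return outer, inner, dlci                    # (500, 1002, 82)


if __name__ == "__main__":
    print(demo())
```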
28
Conclusions
This section of the presentation gives an insight into how a service provider operating an Internet Protocol (IP) backbone may provide Virtual Private Networks (VPNs) for its customer, the enterprise subscriber. The 2547 Virtual Private Network platform differs from the traditional ways of the 1990s in how packets and routes are forwarded over the Internet backbone. The 2547 VPN platform uses Multiprotocol Label Switching (MPLS) to forward packets and the Border Gateway Protocol (BGP) for route distribution, both over the Internet backbone. Its primary goal is to support service providers in their effort to outsource IP backbone services for enterprise subscribers. By using the methods available from MPLS and BGP, the service provider offering these services makes the task very simple for the enterprise subscriber, while improving scalability and flexibility for itself. The 2547 VPN platform also gives the service provider an opportunity to add value to the services it provides to the enterprise subscriber. Additionally, it provides the techniques an enterprise subscriber needs to develop a VPN that can ultimately be used to provide IP service to its own customers. We will now start with a high-level discussion of the 2547 VPN platform and become more granular as we come to understand how BGP and MPLS are implemented as the underlying technology for this highly scalable and secure VPN. Without any further delay, let’s take a look at the 2547 VPN objectives.
29
A Range of VPN Solutions
Each customer has different:
- Security requirements
- Staff expertise
- Tolerance for outsourcing
Customer networks vary by size and traffic volume
Providers also have different preferences concerning:
- Extensive policy management
- Inclusion of customer routes in backbone routers
- Approaches to managed service

Many subscribers have limited IP expertise available and want to outsource their wide area interconnection and routing to service providers. Service providers with RFC 2547bis VPN platforms are the ideal candidates to receive this business and have the capabilities to support the subscriber’s challenges. For the remote-access user of the corporate network, Layer 2 tunneling protocols such as the Point-to-Point Tunneling Protocol (PPTP) and the Layer Two Tunneling Protocol (L2TP) are convenient and effective to use; users can access the network from anywhere on the Internet.
30
MPLS-Based Layer 2 VPNs
- Traditional Layer 2 VPN from the customer’s point of view: Layer 3 independent; provider not responsible for routing
- MPLS transport in the provider network: decouples edge and core Layer 2 technologies
- Multiple services over a single infrastructure: single network architecture for both Internet and VPN services
- Label stacking: provision once, and use the same LSP for multiple purposes
- Auto-provisioning VPN
31
MPLS-based Layer 2 VPNs: Advantages
Subscriber
- Outsourced WAN infrastructure
- Easy migration from existing Layer 2 fabric
- Can maintain routing control, or opt for managed service
- Supports any Layer 3 protocol
Provider
- Complements RFC 2547bis: operates over the same core, using the same outer LSP
- Existing Frame Relay and ATM VPNs can be collapsed onto a single IP/MPLS infrastructure
- Label stacking reduces the number of LSPs compared with CCC
- No scalability problems associated with storing numerous customer VPN routes
- Simpler than the extensive policy-based configuration used with 2547
32
MPLS-based Layer 2 VPNs: Disadvantages
- Circuit type (ATM/FR) to each VPN site must be uniform
- Managed network service required for provider revenue opportunity
- Customer must have routing expertise (or opt for managed service)
33
Layer 2 MPLS-based VPNs
Customer profile
- High degree of IP expertise
- Desire to control their own routing infrastructure
- Prefer to outsource tunneling
- Large number of users and sites
Provider profile
- MPLS deployed in the core
- Migrating an existing ATM or Frame Relay network
- Offers CPE managed service, or provisions only the Layer 2 circuits at a premium cost
Layer 2 MPLS-based VPNs are ideal for this customer profile
34
Thank you!