MPLS / VPN Connectivity between VPNs JET 2004/03/15.

1 MPLS / VPN Connectivity between VPNs JET 2004/03/15

2 Outline
- Security of the MPLS Architecture
- Case Study: SuperNet
- Connectivity between VPNs
- Overlapping Virtual Private Networks
- Multiprotocol BGP in the SuperNet Network
- Conclusions

3 Security of the MPLS Architecture
- Address Space and Routing Separation
- Hiding of the MPLS Core Structure
- Resistance to Attacks
- Impossibility of Label Spoofing

4 Address Space and Routing Separation
- Any VPN must be able to use the same address space as any other VPN
- Any VPN must be able to use the same address space as the MPLS core
- Routing between any two VPNs must be independent
- Routing between any VPN and the core must be independent
[Figure: format of a VPN-IPv4 address: a 64-bit route distinguisher followed by the 32-bit IPv4 prefix]

5 Hiding of the MPLS Core Structure
- Attacks become more difficult
- Comparable to a Layer 2 (such as Frame Relay or ATM) infrastructure
[Figure: one PE with loopback IP(PE;L0) and interfaces IP(PE;fa0), IP(PE;fa1), attached to CE1 (address IP(CE1), VRF CE1) and CE2 (address IP(CE2), VRF CE2) across the MPLS core; the box "Visible Address Space" marks the PE-CE link addresses as the only provider addresses a customer sees.]

6 Resistance to Attacks
The MPLS core can be attacked in two basic ways:
- By attacking the PE routers directly
- By attacking the signaling mechanisms of MPLS (mostly routing)

                    Has access    Has no access
Authorized user     Normal        Denial of service
Unauthorized user   Intrusion     Normal

7 Impossibility of Label Spoofing
- In Cisco routers, the implementation is such that packets that arrive on a CE interface with a label are dropped
- There is strict addressing separation within the PE router, and each VPN has its own VRF
- A packet with a spoofed address can therefore only affect the VPN that the spoofed packet originated from

8 Case Study: SuperNet
[Figure: the SuperNet provider network with POPs (Point of Presence) in Taipei, Taichung and Kaohsiung, each holding P and PE routers. Customer sites attach through CE routers, with C routers behind them: EuroBank Taipei HQ (Finance, IT), Zhongxiao, Ren'ai and Kaohsiung; FastFood Kaohsiung HQ, Taipei, Tainan and Chiayi.]

9 Address Space of EuroBank and FastFood

Company    Site            Subnet
EuroBank   Taipei HQ       195.12.2.0/24
           Zhongxiao       10.1.1.0/24
           Ren'ai          10.1.2.0/24
           Finance         10.1.3.0/24
           IT              10.1.4.0/24
           Tainan          10.2.1.0/24
FastFood   Kaohsiung HQ    196.7.25.0/24
           Tainan          10.2.1.0/24
           Chiayi          10.2.2.0/24
           Taipei          10.1.1.0/24

Both customers use 10.1.1.0/24 and 10.2.1.0/24: these are the overlapping addresses the provider has to carry.

10 SuperCom (the service provider, drawn as SuperNet in the figures) can traditionally solve the overlapping-address problem in three ways
- It can persuade the customers to renumber their networks. Most customers would not be willing to do that and would rather find another service provider.
- It can implement the VPN service with IP-over-IP tunnels, where the customer IP addresses are hidden from the service provider routers.
- It can implement a complex network address translation (NAT) scheme.

11 VPN Routing and Forwarding Tables
- The major obstacle for peer-to-peer VPN implementations is overlapping addresses
- MPLS/VPN technology provides an elegant solution: each VPN has its own routing and forwarding table in the router
- Any customer is provided access only to the set of routes contained within that table
- A PE router in an MPLS/VPN network thus contains a number of per-VPN routing tables and a global routing table that is used to reach other routers in the provider network
- A number of virtual routers are created in a single physical router

12 Virtual Routers Created in a PE Router
[Figure: the Taipei POP PE router holds an EuroBank virtual router (Taipei HQ, Zhongxiao, Ren'ai), a FastFood virtual router (Taipei) and the global routing table, which reaches the Taichung POP.]

13 More structures are associated with each virtual router
- A forwarding table that is derived from the routing table and is based on CEF (Cisco Express Forwarding) technology
- A set of interfaces that use the derived forwarding table
- Rules that control the import and export of routes from and into the VPN routing table. These rules were introduced to support overlapping VPNs
- A set of routing protocols/peers, which inject information into the VPN routing table. This includes static routing
- Router variables associated with the routing protocol that is used to populate the VPN routing table

14 VRF: VPN routing/forwarding instance
A VRF consists of
- an IP routing table
- a derived forwarding table
- a set of interfaces that use the forwarding table
- a set of rules and routing protocols that determine what goes into the forwarding table
In general, a VRF includes the routing information that defines a customer VPN site that is attached to a PE router.

15 Connectivity between VPNs
[Figure: a PE with CE1 and CE2 attached. Control plane (binding layer): routing contexts 1 and 2, one per VRF, each with its routing protocol feeding a routing table. Data plane (forwarding layer): an IP packet is looked up in the VRF forwarding table derived from that routing table, with an ACL applied.]

16 Overlapping Virtual Private Networks
Imagine that SuperCom wants to extend its service offering with a Voice over IP (VoIP) service with gateways to the public voice network.

IP addresses of the VoIP gateways in the SuperCom network
VoIP gateway location   VoIP gateway IP address
Taipei                  212.15.23.12
Kaohsiung               212.15.27.35

17 VoIP Service
[Figure: the SuperNet topology of slide 8 with a VoIP gateway added at the Taipei and Kaohsiung POPs.]
Both EuroBank and FastFood decided to use the service, but only from their central sites; the branch offices have no need for international voice connectivity.

18 VPN Connectivity Requirements in the SuperNet Network
[Figure: EuroBank Taipei HQ and FastFood Kaohsiung HQ each connect to the VoIP gateways; the branch sites (Zhongxiao, Ren'ai, Kaohsiung; Taipei, Tainan, Chiayi) stay within their own VPN.]

19 VRFs in the PE Routers in the SuperNet Network

PE router    VRF            Sites in the VRF          VRF belongs to VPNs
Taipei       EuroBank HQ    EuroBank Taipei           EuroBank, VoIP
             EuroBank       EuroBank Zhongxiao,       EuroBank
                            EuroBank Ren'ai
             FastFood       FastFood Taipei           FastFood
             VoIP           Taipei VoIP gateway       VoIP
Kaohsiung    EuroBank       EuroBank Kaohsiung        EuroBank
             FastFood HQ    FastFood Kaohsiung        FastFood, VoIP
             FastFood       FastFood Tainan,          FastFood
                            FastFood Chiayi
             VoIP           Kaohsiung VoIP gateway    VoIP

20 Propagation of VPN Routing Information in the Provider Network
Two fundamentally different ways exist for approaching the VPN route exchange between PE routers:
1. The PE routers could run a different routing algorithm for each VPN.
   - Scalability problems in service provider networks with a large number of
   - Interesting design challenges when asked to provide support for overlapping VPNs.
2. The PE routers run a single routing protocol to exchange all VPN routes.
   - To support overlapping address spaces of VPN customers, the IP addresses used by the VPN customers must be augmented with additional information to make them unique.

21 IP subnets advertised by the CE routers to the PE routers are augmented with a 64-bit prefix called a route distinguisher (RD) to make them unique.
Why MP-BGP?
- The number of VPN routes in a network can become very large.
- BGP runs only between the PE routers, which keeps VPN routing information out of the provider core routers (P routers).
- BGP can carry any information attached to a route as an optional BGP attribute.
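The following Cisco IOS configuration shows how the VRF table of slide 19 and the route distinguisher of slide 21 land on the Taipei PE. It is an example added to this transcript, not configuration from the presentation or from Cisco; the AS number 65000, the RD and route-target values, the VRF names, the interface numbers and the PE-CE link addresses are all assumed. The route target (RT), a BGP extended community that the slides do not name, is what implements the "import and export rules" of slide 13: the RD only keeps the two 10.1.1.0/24 routes distinct inside MP-BGP, while the RTs decide which VRFs receive which routes, so the central sites reach the VoIP gateways but the branches, and the other customer, do not.

```cisco
! Taipei PE (Cisco IOS). Added example: AS 65000, RD/RT values, VRF names,
! interface numbers and PE-CE link addresses are assumptions, not from the slides.
!
! RD (64 bits, written ASN:nn) makes each VPN-IPv4 route unique in MP-BGP:
!   EuroBank Zhongxiao 10.1.1.0/24  ->  65000:1:10.1.1.0/24
!   FastFood Taipei    10.1.1.0/24  ->  65000:2:10.1.1.0/24
! RT (extended community) controls which VRFs import a route (VPN membership):
!   65000:1    EuroBank sites          65000:2    FastFood sites
!   65000:100  VoIP gateway routes     65000:101  sites allowed to reach the gateways
!
ip vrf EuroBank
 description EuroBank branches (Zhongxiao, Ren'ai): EuroBank VPN only
 rd 65000:1
 route-target both 65000:1
!
ip vrf EuroBank_HQ
 description EuroBank Taipei HQ: EuroBank VPN plus VoIP extranet
 rd 65000:11
 route-target both 65000:1
 route-target import 65000:100
 route-target export 65000:101
!
ip vrf FastFood
 description FastFood Taipei branch: FastFood VPN only
 rd 65000:2
 route-target both 65000:2
!
ip vrf VoIP
 description SuperNet VoIP gateway, Taipei
 rd 65000:100
 route-target export 65000:100
 route-target import 65000:101
!
! CE-facing interfaces. 'ip vrf forwarding' binds the interface to that VRF's
! forwarding table (slide 14). No 'mpls ip' is configured here, so labeled
! packets arriving from a CE are dropped (slide 7). The link address 10.0.0.1/30
! is reused in three VRFs: legal, because each VRF is its own address space
! (slide 4).
interface FastEthernet0/0
 description CE: EuroBank Taipei HQ (195.12.2.0/24 behind the CE)
 ip vrf forwarding EuroBank_HQ
 ip address 10.0.0.1 255.255.255.252
!
interface FastEthernet0/1
 description CE: EuroBank branch sites (10.1.1.0/24, 10.1.2.0/24)
 ip vrf forwarding EuroBank
 ip address 10.0.0.1 255.255.255.252
!
interface FastEthernet1/0
 description CE: FastFood Taipei (10.1.1.0/24)
 ip vrf forwarding FastFood
 ip address 10.0.0.1 255.255.255.252
!
interface FastEthernet1/1
 description VoIP gateway 212.15.23.12 (slide 16)
 ip vrf forwarding VoIP
 ip address 212.15.23.1 255.255.255.0
```

The Kaohsiung PE mirrors this with a FastFood_HQ VRF (route-target both 65000:2, import 65000:100, export 65000:101). Check the result with `show ip vrf detail` (RD and RTs per VRF) and, once MP-BGP is up, `show ip bgp vpnv4 vrf VoIP`: the VoIP VRF should hold 195.12.2.0/24 and 196.7.25.0/24 imported through RT 65000:101 and nothing from the branches, and the two HQ VRFs never see each other because neither imports 65000:101. Two caveats a practitioner should keep in mind: every route the HQ CE advertises leaves the HQ VRF tagged 65000:101, so if only part of the HQ should reach the gateways an `export map` with a route-map is needed; and because the VoIP VRF imports from both customers, the prefixes it imports must not overlap with each other, which holds here only because the two HQ subnets are unique public addresses.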

22 VoIP Service
[Figure: the SuperNet topology with, at each of the Taipei, Taichung and Kaohsiung POPs, a separate IGP instance for VoIP, for EuroBank and for FastFood: one routing protocol per VPN, the first approach of slide 20.]

23 Multiprotocol BGP in the SuperNet Network
[Figure: Taipei HQ, Zhongxiao, Ren'ai and Kaohsiung sites attached to the PE routers through OSPF, RIP and static routes; the PE routers exchange the VRF routes with MP-BGP.]
- Step 1: run a routing protocol per VRF towards the CE routers (OSPF, RIP, static)
- Step 2: advertise the VRF routes with MP-BGP across the P routers
- Step 3: receive the route information on the remote PE and store it in the matching VRF
- Step 4: advertise the route information to the CE routers
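The four steps above as a Cisco IOS configuration for the Taipei PE, again an example added here and not the presentation's own configuration. It assumes the VRF names of slide 19 (EuroBank_HQ, EuroBank, FastFood and VoIP, each already defined with its RD and route targets), AS 65000, Loopback0 as the MP-BGP source with the Kaohsiung PE reachable at 10.255.0.3 in the global table, a core-facing interface towards the Taichung P router, and the PE-CE protocols drawn on the slide: OSPF to the HQ CE, RIP to the branch CEs, connected and static routes for the VoIP gateway. Loopback, link and neighbor addresses are assumptions.

```cisco
! Taipei PE (Cisco IOS), MP-BGP side. Added example; all names and addresses
! are assumptions (see lead-in), VRFs are assumed to be defined already.
!
ip cef
!
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
!
! Core-facing interface: global table, label switching towards the Taichung P.
interface Serial0/0
 description core link to Taichung P
 ip address 10.255.1.1 255.255.255.252
 mpls ip
!
! Step 1: one PE-CE routing process per VRF learns the customer routes.
! Step 4 (return direction) is the 'redistribute bgp' in each process.
router ospf 100 vrf EuroBank_HQ
 network 10.0.0.0 0.0.0.3 area 0
 redistribute bgp 65000 subnets
!
router rip
 version 2
 address-family ipv4 vrf EuroBank
  network 10.0.0.0
  redistribute bgp 65000 metric transparent
  no auto-summary
 exit-address-family
 address-family ipv4 vrf FastFood
  network 10.0.0.0
  redistribute bgp 65000 metric transparent
  no auto-summary
 exit-address-family
!
! Steps 2 and 3: a single MP-BGP session to the Kaohsiung PE carries the routes
! of all VRFs as VPN-IPv4 prefixes (RD + IPv4 prefix) with their route targets.
! It runs between PE loopbacks in the global table; the P routers only
! label-switch the traffic and never hold these routes.
router bgp 65000
 no bgp default ipv4-unicast
 neighbor 10.255.0.3 remote-as 65000
 neighbor 10.255.0.3 update-source Loopback0
 !
 ! send-community extended is mandatory: the RTs travel as extended communities.
 address-family vpnv4
  neighbor 10.255.0.3 activate
  neighbor 10.255.0.3 send-community extended
 exit-address-family
 !
 ! Per-VRF address families: CE routes enter MP-BGP (step 2); routes received
 ! with a matching import RT are installed in this VRF's table (step 3).
 address-family ipv4 vrf EuroBank_HQ
  redistribute connected
  redistribute ospf 100 vrf EuroBank_HQ
 exit-address-family
 !
 address-family ipv4 vrf EuroBank
  redistribute connected
  redistribute rip
 exit-address-family
 !
 address-family ipv4 vrf FastFood
  redistribute connected
  redistribute rip
 exit-address-family
 !
 ! The gateway subnet 212.15.23.0/24 is connected; 'redistribute static'
 ! covers any 'ip route vrf VoIP ...' entries added for hosts behind it.
 address-family ipv4 vrf VoIP
  redistribute connected
  redistribute static
 exit-address-family
```

To verify, `show ip bgp vpnv4 all summary` shows the session to 10.255.0.3, and `show ip bgp vpnv4 all` lists the routes grouped by route distinguisher, so 10.1.1.0/24 appears once under RD 65000:1 and once under RD 65000:2 without conflict. `show ip route vrf FastFood` must contain only FastFood and connected routes, and `show ip cef vrf FastFood 10.1.1.0 detail` shows the VPN label pushed for that prefix; if a remote route is missing from a VRF, compare its RTs in `show ip bgp vpnv4 all <prefix>` with the VRF's import list in `show ip vrf detail` before suspecting the BGP session.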

24 Conclusion
How do you connect two sites in a VPN when the two sites use the same address space?

