A Winning VPN Strategy
Juniper Networks, Inc. Copyright © 2001 - Proprietary & Confidential
Agenda
Introduction to virtual private networks (VPNs)
Operating model: BGP/MPLS VPNs (RFC 2547bis)
Operating model: Layer 2 MPLS VPNs
Summary
Part 1
Introduction to VPNs
Agenda: Introduction to VPNs
VPN overview
CPE-based VPNs
Provider-provisioned VPNs
IETF standards update
What is a VPN?
A private network built on top of a shared infrastructure
Virtual: not a separate physical network
Private: independent addressing and routing
Network: a set of devices that can communicate with each other
Constraint is the key: unrestricted connectivity is not the goal
(Figure: a shared infrastructure connecting mobile and remote users (remote access), branch offices and corporate headquarters (intranet), and suppliers, partners and customers (extranet))
VPNs as deployed in the 1990s
Operating model
PVCs overlaid on a shared infrastructure (ATM/Frame Relay)
Customer routing (or bridging) is performed at the customer site
Advantages
Lower cost (compared with leased lines)
Relatively "secure"
Limitations
Scalability and management
Not a fully integrated IP solution
(Figure: provider Frame Relay network; CE routers attach over DLCIs to Frame Relay switches)
VPNs as deployed in the 21st century
Use the IP infrastructure
Can be shared with Internet services
IP/MPLS (rather than ATM/FR) is becoming increasingly important
Customer requirements
Lower operating costs
One network that provides connectivity for all services
Provider requirements
A multi-service infrastructure that supports all services
Creates more revenue opportunities
(Figure: the Internet providing remote access, intranet and extranet connectivity to mobile and remote users, branch offices, corporate headquarters, and suppliers, partners and customers)
One VPN model does not fit all customers!
Challenge: customers have a wide variety of VPN requirements
Solution: build a flexible, multi-service core network
Integrate public, semi-public and private services
Support multiple VPN service models
(Figure: sliders from 0 to 100 for number of sites, number of users, traffic volume, desired degree of outsourcing, staff expertise, and security requirements)
VPN taxonomy
Customer-managed VPN solutions (CPE-VPN)
L2TP and PPTP
IPsec tunnel mode
Provider-provisioned VPN solutions (PP-VPN)
BGP/MPLS-based VPNs (RFC 2547bis)
Virtual routers
Layer 2 MPLS VPNs
(Figure: in a CPE-VPN the VPN tunnels run between the CPE devices at customer sites 1, 2 and 3; in a PP-VPN the tunnels run between the provider's PE routers and the CPEs only attach to the PEs)
CPE-VPN: L2TP and PPTP
Application: dial-up access for remote users
Layer 2 Tunneling Protocol (L2TP)
RFC 2661
A combination of L2F and the Point-to-Point Tunneling Protocol
Point-to-Point Tunneling Protocol (PPTP)
Bundled with Windows and Windows NT
Authentication during tunnel setup
IPsec can run over PPP for stronger security
(Figure: a modem dials PPP into a dial-up access provider; the dial-up access server builds an L2TP tunnel to the L2TP access server, or a PPTP tunnel to the PPTP access server, at the service provider or VPN)
CPE-VPN: IPsec tunnel mode
IPsec defines the IETF Layer 3 security architecture
Application
High security requirements, spanning one or more service providers
The customer is responsible for key management
Security services include
Access control
Data origin authentication
Replay protection
Data integrity
Data confidentiality (encryption)
Key management
CPE-VPN: IPsec example
Routing must be performed at the CPE
Tunnels terminate at the customer site
Only the CPE devices need to support IPsec
No changes are needed to shared/public resources
Encapsulating Security Payload (ESP) tunnel mode
Authentication ensures integrity (CPE to CPE)
The original header and payload are encrypted across the Internet
Supports private address space
(Figure: an IPsec ESP tunnel between the CPE at corporate headquarters and the CPE at a branch office, across the public Internet)
IPsec characteristics
Obtains plain IP service from the service provider
Existing routers forward the protected packets
Does not itself take part in QoS/SLAs
Limited opportunity for the provider
The customer manages its own routing
The US is gradually relaxing export restrictions on encryption technology
(Figure: as before, an IPsec ESP tunnel between the headquarters CPE and the branch-office CPE across the public Internet)
Provider-provisioned VPNs: Layer 3 versus Layer 2
Layer 3
Provider routers take part in the customer's Layer 3 routing
Provider routers maintain VPN-specific routing tables and distribute routes to the remote sites
CPE routers advertise their routes to the provider
Layer 2
The customer maps its Layer 3 routing onto the link network
The provider supplies one Layer 2 link to each remote customer site
Customer routing is transparent to the provider
Layer 3 PP-VPN: RFC 2547bis
Application: outsourced VPNs
Each PE maintains a site-specific forwarding table for every directly attached VPN site
Conventional IP routing runs between customer and provider
BGP is used to distribute VPN routes
MPLS is used to forward VPN traffic across the provider backbone
(Figure: service provider network with P routers in the core; PE routers at the edge hold one VRF for each attached CE at sites 1, 2 and 3 of each customer)
Layer 3 PP-VPN: RFC 2547bis
PE-to-PE label-switched paths (LSPs) are set up with LDP or RSVP
BGP is used to distribute
VPN-related information (discovery)
VPN routes and reachability information
The label for each VPN LSP (encapsulated in the PE-PE LSP tunnel)
Connectivity is constrained through route filtering
A flexible, policy-based control mechanism
Layer 3 PP-VPN: virtual routers
PE devices provide network-layer (IP) forwarding for the private network
VPN-specific forwarding tables
The PE takes part in private-network routing
Private-network routes crossing the public network are tunneled together with the data
A VR in the PE behaves like an ordinary router in the private network
Can be implemented with MPLS or other tunneling methods
Issues with virtual routers
VPN endpoint discovery
Many options (BGP, multicast, LDAP and others)
Routing scalability
Multiple routing processes must run over the public network
Interoperability
Many VR implementations
None has achieved a "leading position"
Inter-provider connectivity
Not as common as with 2547bis
Advantages of Layer 3 PP-VPNs
Customer
Shifts routing complexity to the provider
Suited to small and medium-sized companies that do not want to build core routing expertise in their organization
Provider
No need to maintain VPN-specific routing information in every backbone router
Value-added services (revenue opportunity)
Disadvantages of Layer 3 PP-VPNs
Policy-based control increases the provider's management burden
Some customers want to keep control of their routing architecture
Layer 2 PP-VPNs based on MPLS
Circuit cross-connect (CCC)
Draft-Martini Layer 2 VPNs
Draft-Kompella Layer 2 VPNs
Circuit cross-connect (CCC)
Provides the foundation for MPLS-based Layer 2 VPNs
FR/ATM interfaces are used between CPE and PE
The service provider manages a full mesh of LSPs between the PEs
The CPE routes VPN traffic based on a subnet-to-PVC mapping
The ingress PE maps each incoming PVC to a dedicated LSP
The egress PE maps each incoming LSP to an outgoing PVC
(Figure: a large IP/MPLS network of a "good service provider" spanning US, European and Asian regions; CEs attach to PEs over DLCIs 600, 610, 605 and 608, and LSP 1 and LSP 2 cross the core. CCC = circuit cross-connect. Tables shown in the figure:)
Source CE routing table:
  In: DLCI 600  Out: 10/8
  In: DLCI 610  Out: 20/8
PE CCC tables:
  In: DLCI 605  Out: LSP1
  In: DLCI 608  Out: LSP2
  In: LSP 1  Out: DLCI 600
  In: LSP 2  Out: DLCI 610
Issues with circuit cross-connect
Both CPE and PE systems must be configured
Complex initial configuration
Configuration for adds, moves and changes is very lengthy
Each DLCI/PVC needs a dedicated LSP
Only suitable for a small number of individual private connections
Draft-Martini: MPLS-based Layer 2 VPNs
Builds on experience with CCC and MPLS
Improves data-plane scalability over the traditional approach
Label stacking multiplexes many DLCIs, PVCs or VLANs onto one LSP
Adding a site requires provisioning at both ends of every link
Private-network routing is CPE to CPE
(Figure: CPEs attached over ATM (or Frame Relay) with DLCIs 600, 610, 506 and 408 to PEs; LSPs 2, 5 and 6 cross the MPLS core)
Draft-Kompella: MPLS-based Layer 2 VPNs
Builds on experience with CCC and MPLS
Scalable data and control planes
Data plane: label stacking multiplexes many DLCIs, PVCs or VLANs onto one LSP
Provisioning: auto-configuration
Private-network routing is CPE to CPE
(Figure: CPEs with DLCIs 600, 610, 506 and 408 attached to PEs; a single LSP crosses the core)
MPLS-based Layer 2 VPNs: advantages
Customer
Outsourced circuits
Retains control of routing
Supports any Layer 3 protocol
Provider
Complements RFC 2547bis
Runs on the same core network, using the same outbound LSPs
L2 VPNs (Frame Relay, ATM and VLAN) can be consolidated onto one IP/MPLS infrastructure platform
Compared with CCC, label stacking reduces the number of LSPs
MPLS-based Layer 2 VPNs: issues
The circuit type (ATM/FR) to every VPN site must be the same
Fewer revenue opportunities for the provider
The customer must have routing expertise
Standards: CPE-based VPNs
CPE-VPN standards are stable and have been implemented
RFC 2661 for L2TP
Many RFCs for IPsec
Configuration and deployment are challenging
Many proprietary implementations exist
Standards: BGP/MPLS VPNs
RFC 2547 gives an overview of the advantages
2547bis (Internet-Draft) specifies the details needed for interoperability
Co-authored by Cisco, Juniper, several service providers and other organizations
Interoperable products are already shipping
Full IETF standardization will take some time
Extensions under consideration
Multicast for MPLS/BGP VPNs
Standards: other VPN documents
A framework document is being drafted
Consolidates proposals from many parties
Covered L3 VPNs
Has been updated to cover L2 and CPE PP-VPNs
A requirements document is being drafted
Several VR proposals have been written
Layer 2 MPLS VPNs are Internet-Drafts
draft-martini-l2circuit-signaling-mpls-??.txt
Provider-provisioned VPN working group meetings in the IETF
Part 2
BGP/MPLS VPNs
Agenda: BGP/MPLS VPNs
RFC 2547bis terminology
VPN address structure
Operating model
Policy-based routing information exchange
Traffic forwarding
Scalable 2547bis
Internet access
Class of service
Customer edge routers
Customer edge (CE) routers
Located at the customer site
Provide access to the service provider network
The CE/PE connection can use any access technology or routing protocol
(Figure: CE routers of VPN A and VPN B attach to PE routers at the customer edge; P routers form the core)
Provider edge routers
Provider edge (PE) routers
Maintain site-specific forwarding tables
Use BGP to exchange VPN routing information with other PE routers
Use MPLS LSPs to forward VPN traffic
(Figure: the same topology, highlighting the PE routers at the provider edge)
Provider routers
Provider (P) routers
Forward VPN data transparently over the established LSPs
Maintain no VPN-specific routing information
(Figure: the same topology, highlighting the P routers in the core)
VPN routing and forwarding tables (VRFs)
One VRF is created for each site attached to a PE
(Figure: PE 1, PE 2 and PE 3 surrounded by P routers; CE-A1 to CE-A3, CE-B1 to CE-B3 and CE-C1 to CE-C2 at sites 1 to 3 of VPNs A, B and C attach to the PEs using static routes, OSPF or E-BGP)
VRF
Each VRF is populated with:
Routes received directly from the CE at the site associated with this VRF
Routes received from other PE routers that carry acceptable BGP attributes
Packets from a VPN site use only the VRF associated with that VPN
This provides isolation between different VPNs
Address reuse
(Figure: the PE 1/PE 2/PE 3 topology with sites 1 to 3 of VPN A and VPN B attached through CE-A1 to CE-A3 and CE-B1 to CE-B3)
Route Distinguisher (RD)
VPN-IPv4 address family
A new BGP-4 address family identifier
Route Distinguisher (RD) + customer IPv4 prefix
The route distinguisher disambiguates IPv4 addresses
Supports private IP address space
Lets the service provider manage its own "number space"
VPN-IPv4 addresses are distributed via BGP
Using "Multiprotocol Extensions for BGP-4" (RFC 2283)
VPN-IPv4 addresses are used only in the control plane
(Figure: VPN-IPv4 address format: Type (2 bytes) | Administrator (variable) | Assigned Number (variable) | customer IPv4 prefix (4 bytes))
VPN-IPv4 address family
The Type field has two possible values: 0 and 1
Type 0: Administrator field = 2 bytes, AN field = 4 bytes
The Administrator field must contain an autonomous system number (ASN) from IANA
The AN field holds a value assigned by the service provider
Type 1: Administrator field = 4 bytes, AN field = 2 bytes
The Administrator field must contain an IP address assigned by IANA
The AN field holds a value assigned by the service provider
Example: 10458:22:
(Figure: 8-byte Route Distinguisher (RD) = Type (2 bytes) | Administrator (variable) | Assigned Number (variable), followed by the customer IPv4 prefix (4 bytes))
2-byte Type field: determines the lengths of the other two fields
Administrator field: identifies the entity that assigns numbers
Assigned Number field: a number assigned by that entity for a specific purpose
VPN-IPv4 address family
The route distinguisher disambiguates IPv4 addresses
VPN-IPv4 routes
The ingress PE builds an RD + IPv4 prefix for every route received from each CE
VPN-IPv4 routes are exchanged between PEs using BGP
The egress PE converts VPN-IPv4 routes back to IPv4 routes before installing the routing information in the site routing table
VPN-IPv4 is used only in the control plane
The data plane uses MPLS and IPv4 addresses
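The encoding described on the preceding slides, as an added example that is not part of the original deck: the RD is built for both Type values, prepended to the customer prefix at the ingress PE and stripped again at the egress PE, so two customers' overlapping 10/8 routes stay distinct in BGP. The two VPNs and their prefixes are constructed; 10458:22 and 10458:23 are the deck's example RD values.

```python
import ipaddress
import struct


def encode_rd(rd_type: int, administrator, assigned_number: int) -> bytes:
    """8-byte RD. Type 0: 2-byte ASN + 4-byte AN.  Type 1: 4-byte IPv4 + 2-byte AN."""
    if rd_type == 0:
        asn = int(administrator)
        if not (0 <= asn < 2 ** 16 and 0 <= assigned_number < 2 ** 32):
            raise ValueError("type 0 needs a 2-byte ASN and a 4-byte assigned number")
        return struct.pack("!HHI", 0, asn, assigned_number)
    if rd_type == 1:
        ip = int(ipaddress.IPv4Address(administrator))
        if not 0 <= assigned_number < 2 ** 16:
            raise ValueError("type 1 needs a 2-byte assigned number")
        return struct.pack("!HIH", 1, ip, assigned_number)
    raise ValueError("unknown RD type %d" % rd_type)


def decode_rd(rd: bytes) -> str:
    """Render an 8-byte RD in the slides' administrator:assigned-number form."""
    if len(rd) != 8:
        raise ValueError("an RD is exactly 8 bytes")
    r_type = struct.unpack("!H", rd[:2])[0]
    if r_type == 0:
        asn, an = struct.unpack("!HI", rd[2:])
        return "%d:%d" % (asn, an)
    if r_type == 1:
        ip, an = struct.unpack("!IH", rd[2:])
        return "%s:%d" % (ipaddress.IPv4Address(ip), an)
    raise ValueError("unknown RD type %d" % r_type)


def to_vpn_ipv4(rd: bytes, prefix: str) -> tuple:
    """Control-plane key: RD (8 bytes) + network address (4 bytes), plus the length."""
    net = ipaddress.IPv4Network(prefix)
    return rd + net.network_address.packed, net.prefixlen


def to_ipv4(vpn_route: tuple) -> str:
    """Egress PE: drop the RD and recover the plain IPv4 prefix."""
    key, plen = vpn_route
    return "%s/%d" % (ipaddress.IPv4Address(key[8:12]), plen)


def ingress_pe(rd: bytes, ce_routes: list) -> list:
    """Ingress PE: every route learned from a CE is prefixed with that site's RD."""
    return [to_vpn_ipv4(rd, p) for p in ce_routes]


def egress_pe(vpn_routes: list) -> dict:
    """Egress PE: group by RD and strip the RD before installing into site tables."""
    tables = {}
    for key, plen in vpn_routes:
        tables.setdefault(decode_rd(key[:8]), []).append(to_ipv4((key, plen)))
    return tables


def demo() -> dict:
    # Constructed: two customers that both use 10/8 internally.
    rd_a = encode_rd(0, 10458, 22)
    rd_b = encode_rd(0, 10458, 23)
    bgp_table = (ingress_pe(rd_a, ["10.0.0.0/8", "192.168.1.0/24"])
                 + ingress_pe(rd_b, ["10.0.0.0/8", "172.16.0.0/12"]))
    # The overlapping IPv4 prefixes stay distinct because the RDs differ.
    assert len({key for key, _ in bgp_table}) == 4
    return egress_pe(bgp_table)


if __name__ == "__main__":
    print(demo())
```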
Using route distinguishers
(Figure: the PE 1/PE 2/PE 3 topology with the sites of VPN A and VPN B; routes from the two VPNs are advertised over BGP with the distinct RDs 10458:22: and 10458:23:)
Operating model overview
Control flow
Routing information is exchanged between CE and PE
Routing information is exchanged between PEs
LSPs are established between PEs (signaled with RSVP or LDP)
Data flow
Customer traffic is forwarded
(Figure: the PE 1/PE 2/PE 3 topology with sites 1 to 3 of VPN A and VPN B)
RFC 2547bis policy
A VPN is defined by administrative policy
Used for connectivity and CoS guarantees
Defined by the customer
Implemented by the service provider through import and export routing policies
Defines VPN membership
Defines the topology (for example, full mesh, hub-and-spoke, and so on)
Route distribution
Route distribution is controlled with BGP extended community attributes
Route target:
Identifies the set of sites to which a PE router distributes a route
Site of origin:
Identifies the particular site from which a PE router learned a route
Route targets
Every VPN-IPv4 route advertised by BGP is associated with a route target attribute
The export policy defines which target is associated with a route
On receiving a VPN-IPv4 route, a PE router decides whether to add that route to a VRF
The import policy defines which routes are added to a VRF
Route isolation between VRFs is achieved through careful policy management
The service provider's provisioning tools establish the proper relationship between export and import targets
Exchange of routing information
CE devices advertise routes to the PE routers
Using conventional routing techniques (OSPF, IS-IS, RIP, BGP, static routes, and so on)
(Figure: CE-1 and CE-2 at sites 1 and 2 attach to PE-1, CE-3 and CE-4 to PE-2; each PE holds one VRF per site; a BGP session runs between PE-1 and PE-2; a CE advertises its routes to its PE over OSPF)
Exchange of routing information
IPv4 addresses are added to the appropriate forwarding table
The PE router converts IPv4 addresses into VPN-IPv4 addresses
VPN-IPv4 addresses are installed in the BGP routing table
(Figure: the same topology; the route learned over OSPF is installed with RD 10458:23:)
Exchange of routing information
The VPN-IPv4 address is associated with an export target
(Figure: the same topology; the 10458:23: route is tagged with the export target "VPN RED")
Exchange of routing information
VPN-IPv4 addresses are advertised to the other PEs, together with:
Inner label
Target
Next hop
(Figure: PE-2 advertises 10458:23: over the BGP session with export target "VPN RED", label Z and next hop PE-2)
Exchange of routing information
Every PE is configured with import targets
Import targets are used to selectively merge VPN-IPv4 routes into VRFs
If an import target attribute matches the attribute in the BGP message, the route is merged into the VRF
Based on the configured import policy, 10458:23:
(Figure: PE-1's VRFs carry the import targets "VPN BLUE" and "VPN RED"; the BGP advertisement of 10458:23: carries export target "VPN RED", label Z and next hop PE-2)
Exchange of routing information
Every VPN-IPv4 route in a VRF is associated with:
An inner label for reaching the advertised NLRI
An outer label for reaching each PE (resolved from the BGP next hop)
Multiple routes from the same CE can share the same label
(Figure: in the "VPN RED" VRF on PE-1, the 10458:23: route carries BGP (inner) label Z and IGP (outer) label y; the advertisement from PE-2 carried export target "VPN RED", label Z and next hop PE-2)
Exchange of routing information
IPv4 routes received into each VRF may be advertised to the sites associated with that VRF
Using conventional routing techniques (RIP, OSPF, IS-IS, EBGP, or static routes)
(Figure: the route imported into PE-1's "VPN BLUE" VRF, with next hop PE1, is advertised on to the attached site over OSPF, ...)
Data flow
PE-to-PE LSPs must be established before data can be forwarded across the MPLS backbone
LSPs are signaled with LDP or RSVP
(Figure: sites 1 and 2 attach to PE-1 and PE-2 through CE-1 to CE-4, with one VRF per site)
Data flow
The CE performs a conventional IPv4 lookup and sends the packet to the PE
(Figure: an IP packet travels from a CE to PE-1)
Data flow
The PE uses the VRF appropriate to the specific ingress interface
Two labels are obtained from the VRF route lookup and "pushed" onto the packet
PE-1:
1) Look up the route in the red forwarding table
2) Push the BGP label (Z)
3) Push the IGP label (Y)
(Figure: the IP packet arrives at PE-1 from the CE at site 1)
Data flow
The packet is forwarded along the LSP with a two-level label stack
Outer IGP label
Identifies the LSP to the egress PE router
Derived from the core IGP and distributed by RSVP or LDP
Inner BGP label
Identifies the outgoing interface from the egress PE to the CE
Obtained from the MP-IBGP update sent by the egress PE
PE-1:
1) Look up the route in the red forwarding table
2) Push the BGP label (Z)
3) Push the IGP label (Y)
(Figure: the packet leaves PE-1 as IP | BGP label (Z) | IGP label (Y))
Data flow
After the packet leaves the ingress PE, the outer label is used to traverse the service provider network
The P routers are unaware that the VPN exists
(Figure: the packet crosses the core as IP | BGP label (z) | IGP label (x))
Data flow
The outer label is popped at the penultimate hop (before the packet reaches the egress PE)
(Figure: the penultimate hop pops the outer label; the packet arrives at PE-2 as IP | BGP label (z))
Data flow
The inner label is removed at the egress PE
The original IPv4 packet is sent out on the outgoing interface associated with that label
(Figure: PE-2 delivers the IP packet to the CE at site 2)
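The control flow (CE routes, RD, export target, inner label, import by route target) and the data flow (two-level label stack, penultimate-hop pop, inner-label lookup at the egress PE) walked through on the preceding slides, as one added example that is neither the deck's nor JUNOS's code. The sites and prefixes are constructed, and the label values 100, 101 and 300 stand in for the slides' Z and Y; note that a destination present only in the other customer's VRF is dropped rather than reached.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class VpnRoute:
    """One VPN-IPv4 route as carried in an MP-BGP update between PEs."""
    rd: str
    prefix: str
    export_rt: str
    label: int       # inner (BGP) label chosen by the advertising PE
    next_hop: str    # advertising PE; the outer label is resolved from it


@dataclass
class Vrf:
    rd: str
    import_rt: str
    export_rt: str
    ce_interface: str
    routes: dict = field(default_factory=dict)  # prefix -> (next hop PE, inner label)
    local_label: int = 0                        # inner label handed out for this VRF


class PE:
    def __init__(self, name: str):
        self.name = name
        self.vrfs = {}        # ingress CE interface -> Vrf
        self.label_map = {}   # inner label -> outgoing CE interface
        self._next_label = 100

    def add_vrf(self, vrf: Vrf) -> None:
        # One inner label per VRF: routes from the same CE share it.
        vrf.local_label = self._next_label
        self._next_label += 1
        self.vrfs[vrf.ce_interface] = vrf
        self.label_map[vrf.local_label] = vrf.ce_interface

    def learn_from_ce(self, interface: str, prefixes: list) -> list:
        """Control flow: install CE routes, then build VPN-IPv4 routes with RD, RT, label."""
        vrf = self.vrfs[interface]
        for p in prefixes:
            vrf.routes[p] = (self.name, vrf.local_label)
        return [VpnRoute(vrf.rd, p, vrf.export_rt, vrf.local_label, self.name)
                for p in prefixes]

    def import_routes(self, updates: list) -> int:
        """Import policy: a route enters a VRF only if its RT matches that VRF's import RT."""
        accepted = 0
        for upd in updates:
            for vrf in self.vrfs.values():
                if vrf.import_rt == upd.export_rt:
                    vrf.routes[upd.prefix] = (upd.next_hop, upd.label)
                    accepted += 1
        return accepted

    def ingress(self, interface: str, dst: str, igp_labels: dict):
        """Ingress PE: lookup in the VRF of the arrival interface, push inner then outer label."""
        vrf = self.vrfs[interface]
        addr = ipaddress.IPv4Address(dst)
        matches = [p for p in vrf.routes if addr in ipaddress.IPv4Network(p)]
        if not matches:
            return None                          # no route in this VRF: drop
        best = max(matches, key=lambda p: ipaddress.IPv4Network(p).prefixlen)
        next_hop, inner = vrf.routes[best]
        outer = igp_labels[next_hop]             # LSP to the egress PE (RSVP/LDP)
        return {"labels": [outer, inner], "dst": dst}   # labels[0] is the top of stack

    def egress(self, packet: dict) -> str:
        """Egress PE after penultimate-hop pop: pop the inner label, pick the CE interface."""
        inner = packet["labels"].pop(0)
        return self.label_map[inner]


def penultimate_hop_pop(packet: dict) -> dict:
    """The P router one hop before the egress PE pops the outer IGP label."""
    packet["labels"].pop(0)
    return packet


def demo() -> dict:
    # Constructed topology from the slides: CE-1/CE-2 on PE-1, CE-3/CE-4 on PE-2.
    pe1, pe2 = PE("PE-1"), PE("PE-2")
    pe1.add_vrf(Vrf("10458:23", "VPN RED", "VPN RED", "to-CE-1"))
    pe1.add_vrf(Vrf("10458:22", "VPN BLUE", "VPN BLUE", "to-CE-2"))
    pe2.add_vrf(Vrf("10458:23", "VPN RED", "VPN RED", "to-CE-3"))
    pe2.add_vrf(Vrf("10458:22", "VPN BLUE", "VPN BLUE", "to-CE-4"))
    # Both customers use 10.2/16 at their site 2; RD and RT keep them apart.
    updates = (pe2.learn_from_ce("to-CE-3", ["10.2.0.0/16"])
               + pe2.learn_from_ce("to-CE-4", ["10.2.0.0/16", "172.16.0.0/12"]))
    pe1.import_routes(updates)
    igp = {"PE-2": 300}                      # constructed outer label for the LSP to PE-2
    out = {}
    for iface in ("to-CE-1", "to-CE-2"):
        pkt = pe1.ingress(iface, "10.2.0.5", igp)
        out[iface] = pe2.egress(penultimate_hop_pop(pkt))
    out["red-to-blue-only"] = pe1.ingress("to-CE-1", "172.16.9.9", igp)
    return out
```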
How to make it scale: recommendations from RFC 2547bis
Consider PE limits (for example, the total number of routes)
Keep CE-to-PE routing as simple as possible
Build several independent BGP route reflectors dedicated to VPN routes
Use the proposed BGP-RFRSH (route refresh) standard
RFC 2918
Use the proposed BGP-ORF (outbound route filter) standard
Scalability: divide and conquer
The two-level label stack means P routers need not know any VPN routing information
PE routers maintain only the VPN routes of the sites directly connected to them
If needed, the provider deploys route reflectors for subsets of the VPNs
No single device in the system needs to hold the routes of every VPN
The system's capacity is not limited by any single device
Scalability: VPN-specific route reflectors
An RR need not be a PE or a P
No forwarding, no VRFs, not even MPLS is required
PE routers peer with the RR of each group
Route filters are built automatically on the PE, admitting only routes of the VPNs directly connected to that PE
(Figure: PE 1, PE 2 and PE 3 serving VPN 1, VPN 48 and VPN 188 peer with one route reflector for VPNs 1-99 and another for VPNs 100-200; route reflectors are added as the number of VPNs grows)
Scalability: BGP-Refresh
BGP is a stateful protocol
Once peers are synchronized, they exchange no further routes until something changes
The PE has filtered the routes exchanged with the VPN RRs to limit the number of routes it receives
Adding or removing a VPN on a PE requires updating the BGP routing table
BGP-refresh lets the PE obtain the routes of a new VPN non-disruptively (without tearing down the BGP session to the RR)
(Figure: a PE with an attached CE peers with RRvpn1 and RRvpn2)
Scalability: BGP outbound route filters (ORF)
Without BGP-ORF
The PE receives updates from the VPN RR
The updates contain every route the VPN RR knows
The PE then applies route filters based on route targets and discards the inappropriate routes
With BGP-ORF
The PE sends the VPN RR a list of the route targets it is interested in
The VPN RR applies the route filter and sends the PE only the appropriate routes
(Figure: a PE with an attached CE peers with RRvpn1 and RRvpn2)
Access to the public Internet
If the VPN uses private addresses, connecting to the Internet requires NAT
The CE can perform NAT
The service provider can perform NAT
Option 1: the PE maintains no Internet routes
Not even 0/0
Option 2: the PE maintains some or all Internet routes
Ranging from 0/0 to the full Internet routing table
(Figure: a customer VPN whose CE also connects to the public Internet)
Access to the public Internet: options
The VPN service provider plays no role in the Internet connection
The VPN customer has independent Internet connectivity from some or all of its sites
(Figure: sites 1, 2 and 3 with VRFs on the PEs; a site connects to the public Internet on its own)
Access to the public Internet: options
The PE provides Layer 2 connectivity to a router that maintains some or all Internet routes
The SP provides both 2547bis and L2 PP-VPN
Assumes separate logical (not necessarily physical) links between CE and PE (for example, DLCI, VLAN, GRE, ...)
The L2 VPN has L2 connectivity to the Internet-facing router
Different VPNs may use different Internet-facing routers
(Figure: sites 1 and 2 with VRFs; VPN traffic stays in the VPN while Internet traffic is carried to an Internet-facing router connected to the public Internet)
Access to the public Internet: options
All VPNs attached to the PE share a routing table that holds some or all Internet routes
Forces all VPNs attached to that PE to make the same routing choices for Internet routes
May require separate logical links between CE and PE to carry traffic to and from the Internet
(Figure: sites 1 and 2 with their VRFs (VPN routes) and a shared Internet table (Internet routes) on the PE, connected to the public Internet)
Access to the public Internet: options
A (separate) VRF on the PE holds some/all Internet routes
Internet connectivity is treated as a (separate) VPN
Allows customized routing choices for Internet routes
Several Internet VRFs can be used on one PE
May require separate logical links between CE and PE to carry traffic to and from the Internet
Scalability problems may arise if the VRF holds the full routing table
This option may require each VRF to hold 0/0 plus a few other Internet routes
(Figure: sites 1 and 2; the PE holds a VPN-Red VRF and a separate Internet VRF connected to the public Internet)
Access to the public Internet: options
A VRF on the PE holds some/all Internet routes
The same VRF that is used for the VPN
Allows per-VPN routing choices for Internet routes
Scalability problems may arise if the VRF holds the full routing table
This option may require each VRF to hold 0/0 plus a few other Internet routes
Internet and VPN can be delivered over a single logical link
Unclear whether this is compatible with NAT devices in the customer network
(Figure: sites 1 and 2; the PE holds a combined VPN-Red + Internet VRF connected to the public Internet)
VPN class of service
VPN services must provide CoS differentiation
At least matching the existing service models, or better
Several possible models:
Per VPN
Per application
Per ...?
Class of service for 2547bis
CoS can support many different approaches
The CoS value can be determined by:
DiffServ value
IP precedence bits
Static configuration
Application
Consistent with the metering, classification and marking mechanisms used by DiffServ
On the PE-to-PE path, CoS can be implemented per LSP using the MPLS EXP/CoS bits and/or labels
Queueing mechanisms can be used at the edge and in the core to share link bandwidth and manage congestion
MPLS/VPN CoS service models
Point-to-network
Remote CEs are treated as a group
The local port has separate guaranteed rates for ingress and egress
Point-to-point
Similar to a PVC with "hard" performance guarantees
Can be combined into a hybrid model
For example, soft service with hard backup
Requires flexible provisioning
Part 3
Layer 2 MPLS VPNs
Provider-provisioned Layer 2 VPNs
In the past, providers used a single ATM core to support both Internet and VPN services
ATM PVCs for Internet service (ISP)
ATM PVCs for VPNs
ATM is not fast enough to support the Internet
Providers were forced to run two core networks
Why not support both services on one MPLS core network?
Map Frame Relay and ATM onto MPLS LSPs
(L3 VPNs can use the same core network)
Provider-provisioned Layer 2 VPNs using MPLS
The provider edge device gives the customer Layer 2 link IDs (DLCI, VPI/VCI, or VLAN ID)
The customer gets standard FR or ATM PVCs
One from the local site to each reachable site
The provider edge device maps the link ID onto an MPLS LSP to cross the provider core
The customer maps its own routing architecture onto the link network
Customer routing is transparent to the provider
Separation of management responsibility
Improving traditional Layer 2 VPNs with MPLS
Decouples the edge (customer-facing) technology from the core technology
A single network infrastructure for all desired services
Simplified provisioning
Layer 2 VPN standards
Two proposals:
Draft-Kompella
Draft-Martini
The two proposals are similar in the data plane
Both support multiple Layer 2 technologies
The two proposals differ in the control plane
Standards are at an early stage
Customer edge routers
Customer edge (CE) routers
A router or switch located at the customer site that provides access to the service provider network
Independent of the service provider network at Layer 2 (FR, ATM, Ethernet) and Layer 3 (IP, IPX, SNA)
The CEs within a VPN access the service provider network with the same L2 technology
Different links may use different Layer 2 technologies
One logical link is needed per remote CE
(Figure: CE routers at the VPN A and VPN B sites attach to the PEs over ATM and FR at the customer edge; P routers form the core)
Provider edge routers
Provider edge (PE) routers
Maintain VPN-related information
Exchange VPN-related information with other PEs
For draft-kompella, using BGP or LDP
For draft-martini, using LDP
Forward VPN traffic between PEs over MPLS LSPs
(Figure: the same topology, highlighting the PEs at the provider edge)
Provider routers
Provider (P) routers
Forward VPN data transparently over the established LSPs
Maintain no VPN-related forwarding information
(Figure: the same topology, highlighting the P routers in the core)
Introduction to Draft-Kompella
Customer-facing interfaces use standard Layer 2 technologies
These Layer 2 interfaces ("links") are mapped onto LSPs in the backbone
MPLS label stacking is used to reduce the number of LSPs in the core
The specification also includes protocol mechanisms for automatic provisioning
Adding, removing or changing a single site requires reconfiguring only one PE
Supports full-mesh and hub-and-spoke topologies
Draft-Kompella: VPN forwarding tables (VFTs)
One VFT is created for each site attached to a PE
Each VFT is populated with:
Forwarding information provisioned for the local CE site
VPN connection tables received from other PEs via BGP or LDP
(Figure: PE 1, PE 2 and PE 3 with the VPN A and VPN B sites attached over ATM through CE-A1 to CE-A3 and CE-B1 to CE-B2)
Draft-Kompella: VPN connection tables (VCTs)
The VCT is a subset of the information held in the VFT
VCTs are distributed by the PEs via BGP or LDP
A VCT is advertised to the PEs for each VPN site
(Figure: the CEs at sites 1 and 2 attach to PE-1 and PE-2; each PE holds one VFT per CE; a BGP session / LDP runs between PE-1 and PE-2)
Draft-Kompella: L2 VPN provisioning
Provision the network
Provision information on the PE
Provision the VPN (PE)
Assumptions: A, the access technology is Frame Relay (other cases are similar); B, BGP is used to distribute VPN information between PEs
Draft-Kompella: provisioning the network
LSPs must be established between the PEs in advance:
The LSPs are used for multiple services (for example, traffic engineering for Internet traffic, L2 VPNs, L3 VPNs)
(Figure: PE 1, PE 2 and PE 3 with OSPF running in the core and the VPN A / VPN B sites attached over ATM)
Draft-Kompella: provisioning a customer site on the PE
DLCI list
One per remote CE, plus some spares for over-provisioning
DLCI values are independent for each CE
LMI, inverse ARP and/or routing protocols for auto-discovery and address learning
Does not change when VPN membership changes
Until the over-provisioned spares are used up
(Figure: CE-4 with DLCIs 63, 75, 82 and 94)
CE-4 routing table:
  In: DLCI 63  Out: 10/8
  In: DLCI 75  Out: 20/8
  In: DLCI 82  Out: 30/8
  In: DLCI 94  Out: -
Draft-Kompella: provisioning a customer site on the PE
A VFT is provisioned on every PE for each of its CEs
Import/export route target BGP community: the VPN ID
CE-ID: unique within the VPN concerned
CE range: the maximum number of CEs that can be connected
Label base: the label assigned to the first sub-interface ID
The PE reserves N consecutive labels, where N is the CE range
Sub-interface ID list: the set of local sub-interface IDs (DLCIs) assigned to the CE-PE connection
CE4 VFT:
  Import/export route target: RT1
  CE ID: 4
  CE range: 4
  Label base: 1000
  Sub-interface IDs: 63, 75, 82, 94
(Figure: the CE4 VCT is derived from this VFT)
Draft-Kompella: provisioning a customer site on the PE
PE-2 is configured with the CE4 VFT
(Figure: sites 1 and 2 attach to PE-1 and PE-2 over FR; each PE holds one VFT per CE)
CE4 VFT on PE-2:
  Import/export route target: RT1
  CE ID: 4
  CE range: 4
  Label base: 1000
  Sub-interface ID (CE4's DLCI to ...) | Label (used by ... to reach CE4)
  63 (to CE1) | 1000 (by CE1)
  75 (to CE2) | 1001 (by CE2)
  82 (to CE3) | 1002 (by CE3)
  94 (to CEnew) | 1003 (by CEnew)
Draft-Kompella: advertising the VCT
Using BGP
Automatic discovery of membership
Automatic assignment of links between members
The VPN topology is configured with BGP route target communities plus route filtering (based on route target)
Draft-Kompella: advertising the VCT
PE-1 receives the BGP route carrying PE-2's CE4 VCT
(Figure: sites 1 and 2 attach over FR to PE-1 and PE-2, which exchange the VCT over the BGP session / LDP)
CE4 VCT update:
  RT: RT1
  CE ID: 4
  CE range: 4
  Label base: 1000
Draft-Kompella: updating the VFT
PE-1 updates the sub-interface ID list of its CE2 VFT
The import route target of the CE2 VFT (RT1) matches the route target carried in the BGP route (RT1)
(Figure: CE-2 attaches to PE-1 on FR DLCI 414; CE-4 attaches to PE-2 on FR DLCI 75)
CE2 VFT on PE-1:
  CE ID | Sub-interface ID | Inner label
  1 | 107 | 5020
  2 | 209 | 7500
  3 | 265 | 9350
  4 | 414 | 1001 (label for reaching CE4)
Draft-Kompella: updating the VFT
PE-1 updates the sub-interface ID list of its CE2 VFT
The import route target of the CE2 VFT (RT1) matches the route target carried in the BGP route
CE2 VFT on PE-1:
  CE ID | Sub-interface ID | Inner label | Outer label
  1 | 107 | 5020 |
  2 | 209 | 7500 |
  3 | 265 | 9350 |
  4 | 414 | 1001 | 500 (LSP to PE-2)
(Figure: CE-2 attaches to PE-1 on FR DLCI 414; CE-4 attaches to PE-2 on FR DLCI 75)
Draft-Kompella: data flow
Assumes the PE-to-PE LSPs already exist (as with RFC 2547bis)
CE-2 sends a packet to PE-1 on the DLCI associated with CE-4 (414)
(Figure: the packet arrives at PE-1 on DLCI 414; CE-4 is attached to PE-2 on DLCI 75)
Draft-Kompella: data flow
The DLCI value is stripped by the ingress PE
Two labels are obtained from the VFT sub-interface lookup and "pushed" onto the packet
Outer IGP label
Identifies the LSP to the egress PE router
Derived from the core IGP and distributed by RSVP or LDP
Inner site label
Identifies the outgoing sub-interface from the PE to the CE
Obtained from the VCT that the egress PE distributed via BGP
PE-1:
1) Look up the DLCI in the red VFT
2) Push the VPN label (1001)
3) Push the IGP label (500)
(Figure: the packet leaves PE-1 as packet | site label (1001) | IGP label (500), bound for CE-4 on DLCI 75)
Draft-Kompella: data flow
After the packet leaves the ingress PE, the outer label carries it along the LSP
The P routers know nothing about the VPN
(Figure: the packet crosses the core as packet | site label (1001) | IGP label (z))
Draft-Kompella: data flow
The outer label is popped by the penultimate-hop router (before the packet reaches the egress PE)
(Figure: the penultimate hop pops the outer label; the packet continues as packet | site label (1001))
Draft-Kompella: data flow
The inner label is removed at the egress PE
The egress PE performs a label lookup to find the corresponding DLCI value
The original Frame Relay packet is sent out on the corresponding sub-interface
(Figure: PE-2 delivers the packet to CE-4 on DLCI 75)
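The provisioning and forwarding sequence of the preceding draft-Kompella slides as one added example (not the deck's code): VFTs are provisioned per CE, VCTs are exchanged and imported by route target, each PE derives the site label and local DLCI for every remote CE, and a frame then follows the slides' path from DLCI 414 to DLCI 75. It assumes that remote CE k uses slot k-1 of the other CE's label block and DLCI list, which reproduces the slides' CE1->1000, CE2->1001, CE3->1002 and DLCI 75 for CE4's label base 1000; CE2's label base and DLCI list and the second VPN are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Vct:
    """The subset of a VFT that is advertised to other PEs in BGP."""
    route_target: str
    ce_id: int
    ce_range: int
    label_base: int


@dataclass
class Vft:
    """VPN forwarding table provisioned on a PE for one attached CE."""
    route_target: str
    ce_id: int
    ce_range: int
    label_base: int
    dlcis: list                 # local sub-interface IDs; slot k-1 faces remote CE k
    remote: dict = field(default_factory=dict)  # remote CE id -> (dlci, inner label, PE)

    def vct(self) -> Vct:
        return Vct(self.route_target, self.ce_id, self.ce_range, self.label_base)


def slot(remote_ce_id: int) -> int:
    """Assumed offset rule: CE k uses slot k-1 of the other CE's DLCI and label block."""
    return remote_ce_id - 1


class PE:
    def __init__(self, name: str):
        self.name = name
        self.vfts = {}          # local CE id -> Vft

    def provision(self, vft: Vft) -> None:
        if len(vft.dlcis) != vft.ce_range:
            raise ValueError("need one DLCI per slot of the CE range")
        self.vfts[vft.ce_id] = vft

    def advertise(self) -> list:
        """BGP: one VCT per local CE, tagged with the VPN's route target."""
        return [(self.name, v.vct()) for v in self.vfts.values()]

    def import_vct(self, from_pe: str, vct: Vct) -> int:
        """Import policy: only VFTs whose route target matches learn a link to the remote CE."""
        updated = 0
        for vft in self.vfts.values():
            if vft.route_target != vct.route_target or vft.ce_id == vct.ce_id:
                continue
            if slot(vft.ce_id) >= vct.ce_range or slot(vct.ce_id) >= vft.ce_range:
                continue                    # one side has no slot for the other
            label = vct.label_base + slot(vft.ce_id)   # label the remote PE expects from us
            dlci = vft.dlcis[slot(vct.ce_id)]          # our DLCI that faces the remote CE
            vft.remote[vct.ce_id] = (dlci, label, from_pe)
            updated += 1
        return updated

    def ingress(self, ce_id: int, dlci: int, igp_labels: dict):
        """Ingress PE: DLCI lookup in the CE's VFT, push the site label then the IGP label."""
        for _, (d, site_label, pe) in self.vfts[ce_id].remote.items():
            if d == dlci:
                return {"labels": [igp_labels[pe], site_label], "frame": "fr"}
        return None                         # DLCI bound to no VPN member: drop

    def egress(self, packet: dict):
        """Egress PE after PHP: the site label selects the local CE and its DLCI."""
        inner = packet["labels"][-1]
        for vft in self.vfts.values():
            if vft.label_base <= inner < vft.label_base + vft.ce_range:
                sender = inner - vft.label_base + 1   # which remote CE sent it
                return vft.ce_id, vft.dlcis[slot(sender)]
        return None


def penultimate_hop_pop(packet: dict) -> dict:
    packet["labels"].pop(0)
    return packet


def demo() -> dict:
    pe1, pe2 = PE("PE-1"), PE("PE-2")
    # CE4 VFT values are the slides'; the CE2 label base and DLCIs are constructed.
    pe2.provision(Vft("RT1", 4, 4, 1000, [63, 75, 82, 94]))
    pe1.provision(Vft("RT1", 2, 4, 5000, [107, 209, 265, 414]))
    pe1.provision(Vft("RT9", 7, 4, 6000, [301, 302, 303, 304]))  # a different VPN
    for pe, peer in ((pe1, pe2), (pe2, pe1)):
        for origin, vct in peer.advertise():
            pe.import_vct(origin, vct)
    # Data flow: CE-2 sends a frame to PE-1 on DLCI 414, the one facing CE-4.
    pkt = pe1.ingress(2, 414, {"PE-2": 500})
    stack = list(pkt["labels"])
    delivered = pe2.egress(penultimate_hop_pop(pkt))
    return {"ce2_to_ce4": pe1.vfts[2].remote[4], "stack": stack,
            "delivered": delivered, "ce4_to_ce2": pe2.vfts[4].remote[2],
            "other_vpn": dict(pe1.vfts[7].remote)}
```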
Draft-Kompella: supported Layer 2 technologies
Frame Relay
ATM AAL5 CPCS mode
ATM transparent cell mode
Ethernet
Ethernet VLAN
Cisco HDLC
PPP
Introduction to Draft-Martini
A simpler mechanism than draft-kompella
Standard Layer 2 customer interfaces, mapped onto LSPs, using label stacking to reduce the number of LSPs in the core
But it does not include a protocol for automatic provisioning
This keeps the protocol simpler
But it requires more manual provisioning
Suited to highly customized topologies
Draft-Martini: provisioning an L2 VPN
(Figure: CE-2 attaches to PE-1 on DLCI 414 and CE-4 attaches to PE-2 on DLCI 82; an indirect LDP session between PE-1 and PE-2 is used to advertise the VC labels)
PE-1 configuration:
  VC type: Frame Relay
  VC ID: 25
  DLCI: 414
  Label to reach PE-2: 500
  Label to reach CE-2: 1001
PE-2 configuration:
  VC type: Frame Relay
  VC ID: 25
  DLCI: 82
  Label to reach PE-1: 501
  Label to reach CE-4: 1002
PE-1 LDP advertisement:
  VC type: Frame Relay
  VC ID: 25
  VC label: 1001
  Interface parameters: MTU = 4482
PE-2 LDP advertisement:
  VC type: Frame Relay
  VC ID: 25
  VC label: 1002
  Interface parameters: MTU = 4482
Draft-Martini: data flow
The data flow is similar to draft-Kompella
PE-1: VC type Frame Relay, VC ID 25, DLCI 414, tunnel label to reach PE-2: 500, VC label to reach CE-4: 1002
PE-2: VC type Frame Relay, VC ID 25, DLCI 82, tunnel label to reach PE-1: 501, VC label to reach CE-2: 1001
PE-1:
1) Push the VC label (1002)
2) Push the tunnel label (500)
(Figure: the packet arrives at PE-1 on DLCI 414; it crosses the core as packet | VC label 1002 | tunnel label 500; the penultimate hop pops the top label; PE-2 receives packet | VC label 1002 and delivers the packet to CE-4 on DLCI 82)
Draft-Martini: optional control word
The presence and function of the control word depend on the encapsulated L2 payload
It can be used for:
Sequencing
Additional information
Carrying protocol-specific control bits
Frame Relay FECN, BECN, DE, C/R
ATM transport type, EFCI, CLP, C/R
(Figure: encapsulation: tunnel label (32 bits) | VC label (32 bits) | control word (32 bits) | encapsulated payload)
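The LDP exchange of the earlier provisioning slide and the encapsulation on this one, as an added example (not the deck's code): the two PEs bind the pseudowire only when VC type, VC ID and MTU agree, and frames then carry tunnel label | VC label | control word | payload, with the Frame Relay bits preserved in the control word. The MPLS shim layout is the standard 20/3/1/8-bit one; the Frame Relay control word layout (0000 | F B D C | FRG | Len | Seq) is the one later fixed in RFC 4619 and is assumed here for the draft.

```python
import struct

FRAME_RELAY = "frame-relay"


def mpls_entry(label: int, exp: int = 0, bottom: bool = False, ttl: int = 64) -> bytes:
    """32-bit MPLS label stack entry: label(20) | EXP(3) | S(1) | TTL(8)."""
    if not 0 <= label < 2 ** 20:
        raise ValueError("label must fit in 20 bits")
    return struct.pack("!I", (label << 12) | (exp << 9) | (int(bottom) << 8) | ttl)


def parse_entry(data: bytes) -> dict:
    v = struct.unpack("!I", data[:4])[0]
    return {"label": v >> 12, "exp": (v >> 9) & 7,
            "bottom": bool(v & 0x100), "ttl": v & 0xFF}


def fr_control_word(fecn=0, becn=0, de=0, cr=0, length=0, seq=0) -> bytes:
    """Frame Relay control word: 0000 | F B D C | FRG(2) | Len(6) | Seq(16)."""
    if not (0 <= length < 64 and 0 <= seq < 65536):
        raise ValueError("length is 6 bits, sequence number 16 bits")
    bits = (fecn << 27) | (becn << 26) | (de << 25) | (cr << 24) | (length << 16) | seq
    return struct.pack("!I", bits)


def parse_control_word(data: bytes) -> dict:
    v = struct.unpack("!I", data[:4])[0]
    return {"fecn": (v >> 27) & 1, "becn": (v >> 26) & 1, "de": (v >> 25) & 1,
            "cr": (v >> 24) & 1, "length": (v >> 16) & 0x3F, "seq": v & 0xFFFF}


def vc_advertisement(vc_type: str, vc_id: int, vc_label: int, mtu: int) -> dict:
    """What a PE sends over the LDP session for one VC (the fields on the slide)."""
    return {"vc_type": vc_type, "vc_id": vc_id, "vc_label": vc_label, "mtu": mtu}


def bind(local: dict, remote: dict):
    """Bind the pseudowire only if both ends describe the same VC with the same MTU."""
    for key in ("vc_type", "vc_id", "mtu"):
        if local[key] != remote[key]:
            return None
    return {"tx_label": remote["vc_label"], "rx_label": local["vc_label"]}


def encapsulate(tunnel_label: int, pw: dict, payload: bytes, seq: int, **fr_bits) -> bytes:
    """Ingress PE: push the VC label, then the tunnel label, with a control word."""
    total = len(payload) + 4                 # control word + payload
    length = total if total < 64 else 0      # Len is set only for short (padded) frames
    return (mpls_entry(tunnel_label) + mpls_entry(pw["tx_label"], bottom=True)
            + fr_control_word(seq=seq, length=length, **fr_bits) + payload)


def decapsulate(after_php: bytes, expected_rx_label: int):
    """Egress PE after penultimate-hop pop: check the VC label, strip the control word."""
    entry = parse_entry(after_php)
    if entry["label"] != expected_rx_label or not entry["bottom"]:
        return None
    return parse_control_word(after_php[4:8]), after_php[8:]


def demo() -> dict:
    # Slide values: PE-1 and PE-2 both configure VC ID 25 for Frame Relay, MTU 4482.
    pe1_adv = vc_advertisement(FRAME_RELAY, 25, 1001, 4482)
    pe2_adv = vc_advertisement(FRAME_RELAY, 25, 1002, 4482)
    pw_at_pe1 = bind(pe1_adv, pe2_adv)       # tx 1002, rx 1001
    pw_at_pe2 = bind(pe2_adv, pe1_adv)       # tx 1001, rx 1002
    payload = b"constructed frame-relay payload"
    wire = encapsulate(500, pw_at_pe1, payload, seq=7, de=1)
    after_php = wire[4:]                     # the penultimate hop pops the tunnel label
    cw, data = decapsulate(after_php, pw_at_pe2["rx_label"])
    mismatched = bind(pe1_adv, vc_advertisement(FRAME_RELAY, 25, 1002, 1500))
    return {"tunnel": parse_entry(wire)["label"], "vc": parse_entry(after_php)["label"],
            "de": cw["de"], "seq": cw["seq"], "length": cw["length"],
            "payload": data, "mtu_mismatch": mismatched}
```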
Draft-Martini: supported Layer 2 technologies
Frame Relay
ATM AAL5 CPCS mode
ATM transparent cell mode
Ethernet
Ethernet VLAN
Cisco HDLC
PPP
SONET/SDH circuit emulation service (CEM)
二层MPLS VPN的CoS
与2547bis CoS相同的机制
业务模型可从现有的L2技术继承而来
基于速率
基于丢失
基于CoS
Martini ID方法为对FECN,BECN,DE/CLP进行端到端保留
Part IV
Summary
*
Advantages of IP VPNs
Lower equipment investment
Economical scaling over a common backbone
Lower service cost
Lower management and support expense
Management can be outsourced to the service provider
End users can focus on their core business rather than on the network
Better connectivity for end users
IP is everywhere
An opportunity for service providers
*
A spectrum of VPN solutions
Every customer is different
Security requirements
Staff expertise
Possibility of outsourcing
Customer networks differ in size and traffic volume
Providers have different considerations
Customer base
Desired degree of outsourcing offered
Handling of managed router services
*
A spectrum of VPN solutions
Customers with strong security requirements
Encryption/authentication at the customer premises
IPsec can be used together with any VPN approach
IPsec VPNs are very common (or L2 VPNs)
Customers that want full control of routing
For example, running a single OSPF process across the whole private network (with VPN and backdoor links)
Customers need links between their routers
Layer 2 VPNs fit well
*
A spectrum of VPN solutions
Some customers have only limited IP expertise
They need to outsource WAN interconnection and routing
RFC 2547bis VPNs fit well
Suitable for the great majority of VPN service customers
For users who need remote access to the corporate network
Dial-up solutions are very common
PPTP / L2TP are convenient and economical
Users can reach the network from anywhere over the Internet
*
JUNOS RFC 2547 implementation
JUNOS supports the basic functions of RFC 2547bis
Shipping and supported on all platforms
All platforms support the CE, PE and P router functions
Inherits the stability and scalability of JUNOS
Inherits the performance and functionality of the Internet Processor II: packet processing in hardware
Future enhancements to RFC 2547bis (multicast…)
The standard is still being developed
*
Summary:
Virtual private networks
Background
Customer-managed VPNs (CPE-VPN)
L2TP and PPTP
IPsec
Provider-provisioned VPNs (PP-VPN)
MPLS/BGP VPN: RFC 2547bis
Virtual routers
MPLS-based Layer 2 VPNs
The VPN approaches are complementary
They can coexist on one multi-service core network
They support different customer models
Customers are free to choose the best solution
Thank you!
*
A spectrum of VPN solutions
What about the virtual router solution?
Conceptually very attractive, but…
For customers who want to outsource routing, it adds unnecessary load on the provider network
For customers who run a single IGP process across their whole network, it requires them to cooperate with the provider in running the IGP
A single OSPF area can be used across the whole private network, but a Layer 2 VPN fits this case very well
It is unclear whether there is any environment in which VR is the best VPN solution
*
Draft-Martini:
Virtual circuit FEC element
VC TLV fields (figure recovered as text): C bit, VC type, VC info length, Group ID, VC ID, interface parameters (variable length)
Used in LDP Label Mapping and Label Withdraw messages
VC type
Defines the VC encapsulation type
VC ID
32-bit connection identifier
Together with the VC type it identifies a particular VC
*
Draft-Martini:
Virtual circuit FEC element
Interface parameters
Define parameters specific to the CE-facing interface
Confirm that the LSRs and edge ports have the capabilities required to interoperate
Can define:
Interface MTU
Maximum number of concatenated ATM cells
Optional interface description string
CEM payload bytes
CEM options
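An encoder and parser for the VC FEC element described on these two slides, written as an added example for this page (not code from the deck or from Juniper). The field order follows the slide's figure; the numeric VC-type code points and the interface-parameter IDs are assumptions, not values the deck gives. The parser refuses lengths that do not add up instead of reading past them, and the interoperability check implements the slide's point that both ends must agree on the interface parameters before a VC is brought up.

```python
"""Draft-martini VC FEC element: encode, parse with length validation, and compare.
Added example; VC-type and parameter code points are assumed, not taken from the deck."""
import struct

VC_FEC_TYPE = 128
VC_TYPE_NAMES = {1: "frame-relay", 2: "atm-aal5", 3: "atm-cell", 4: "ethernet-vlan",
                 5: "ethernet", 6: "hdlc", 7: "ppp", 8: "cem"}     # assumed code points
PARAM_MTU, PARAM_MAX_ATM_CELLS, PARAM_DESCRIPTION, PARAM_CEM_PAYLOAD, PARAM_CEM_OPTIONS = 1, 2, 3, 4, 5
HEADER = struct.Struct("!BHBII")  # type, C bit | VC type, VC info length, Group ID, VC ID


def encode_vc_fec(vc_type, vc_id, group_id=0, control_word=False, mtu=None, description=None):
    """Build one element. VC info length counts the VC ID plus every interface parameter."""
    params = b""
    if mtu is not None:
        params += struct.pack("!BBH", PARAM_MTU, 4, mtu)   # ID, total length, 16-bit MTU
    if description is not None:
        text = description.encode("ascii")[:80]
        params += struct.pack("!BB", PARAM_DESCRIPTION, 2 + len(text)) + text
    c_and_type = (0x8000 if control_word else 0) | (vc_type & 0x7FFF)
    return HEADER.pack(VC_FEC_TYPE, c_and_type, 4 + len(params), group_id, vc_id) + params


def parse_vc_fec(data: bytes) -> dict:
    """Parse one element; every length field is checked against the bytes actually present."""
    if len(data) < HEADER.size:
        raise ValueError("truncated VC FEC element")
    ftype, c_and_type, info_len, group_id, vc_id = HEADER.unpack_from(data)
    if ftype != VC_FEC_TYPE:
        raise ValueError(f"not a VC FEC element (type {ftype})")
    if info_len < 4 or HEADER.size + info_len - 4 > len(data):
        raise ValueError("VC info length inconsistent with element size")
    params, off, end = {}, HEADER.size, HEADER.size + info_len - 4
    while off < end:
        if end - off < 2:
            raise ValueError("dangling bytes in interface parameters")
        pid, plen = data[off], data[off + 1]
        if plen < 2 or off + plen > end:
            raise ValueError(f"bad length {plen} for interface parameter {pid}")
        value = data[off + 2:off + plen]
        if pid == PARAM_MTU:
            if len(value) != 2:
                raise ValueError("MTU parameter must carry 2 bytes")
            params["mtu"] = struct.unpack("!H", value)[0]
        elif pid == PARAM_DESCRIPTION:
            params["description"] = value.decode("ascii", errors="replace")
        else:
            params[pid] = value  # unknown parameters are kept opaque, not interpreted
        off += plen
    vc_type = c_and_type & 0x7FFF
    return {"control_word": bool(c_and_type & 0x8000),
            "vc_type": VC_TYPE_NAMES.get(vc_type, vc_type),
            "group_id": group_id, "vc_id": vc_id, "params": params}


def is_wellformed(data: bytes) -> bool:
    """True if parse_vc_fec accepts the bytes."""
    try:
        parse_vc_fec(data)
        return True
    except ValueError:
        return False


def interoperable(local: dict, remote: dict):
    """Both ends must agree on VC type, VC ID and MTU; otherwise the VC stays down."""
    for key in ("vc_type", "vc_id"):
        if local[key] != remote[key]:
            return False, f"{key} mismatch"
    if local["params"].get("mtu") != remote["params"].get("mtu"):
        return False, "MTU mismatch"
    return True, "ok"


if __name__ == "__main__":
    # The two advertisements from the earlier figure: Frame Relay, VC ID 25, MTU 4482.
    pe1 = parse_vc_fec(encode_vc_fec(1, 25, mtu=4482))
    pe2 = parse_vc_fec(encode_vc_fec(1, 25, mtu=4482))
    print(pe1, interoperable(pe1, pe2))
```

The element for the figure's advertisement is 16 bytes: a 12-byte fixed header plus the 4-byte MTU sub-TLV. Corrupting the VC info length so it claims more bytes than the message contains is rejected by the parser rather than silently read as garbage.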
*
Inter-AS operation:
Direct VRF-to-VRF connection between ASBRs
Figure (recovered as text): SP 1 contains PE 1, P 1 and ASBR 1; SP 2 contains ASBR 2, P 2 and PE 2; ASBR 1 and ASBR 2 are joined by EBGP; VPN A and VPN B each have a Site 1 and a Site 2 at the two ends.
The AS border routers act as PEs
They connect directly to each other
A separate sub-interface is needed for each VRF
Each ASBR/PE treats the other ASBR/PE as a CE
This has scalability problems
*
Inter-AS operation:
Multihop EBGP
Figure (recovered as text): SP 1 contains PE 1, P 1, ASBR 1 and a route reflector (RR); SP 2 contains ASBR 2, P 2, PE 2 and an RR; VPN A and VPN B each have a Site 1 and a Site 2 at the two ends; the figure draws the multihop EBGP session between the two RRs.
Advertise labeled IPv4 /32 routes into the other AS
Establish LSPs between the ingress and egress PEs
Use multihop EBGP
If the /32 PE addresses are not advertised, the P routers can use a three-label stack
The ASBRs do not know the VPN-IPv4 routes
*
MPLS CoS mechanisms
The mechanism is the label together with the 3-bit EXP/CoS field of the MPLS header, or simply the EXP/CoS field on its own, which allows:
Traffic classification
Marking/remarking
Queueing:
Management (e.g. RED)
Scheduling (e.g. WRR)
Policing at the ingress
*
Diffserv-aware TE
Extensions to OSPF, IS-IS, RSVP and CR-LDP allow CoS-based traffic engineering and resource reservation
Class types
A class type can carry one or more classes
Link parameters are advertised per class type
TE is performed per class type
Queueing can be tuned more precisely (per class)
Offers some flexibility
Trades more detailed information against scalability/overhead
*
Draft-Kompella:
Configuration complexity
Optimized for common topologies
For example, full mesh and hub-and-spoke are easy to provision
Arbitrary topologies are also supported
O(N) configuration for the whole VPN
Possibly more for complex topologies
Adding a site needs O(1) configuration
Over-provision DLCIs (sub-interfaces) at the customer sites
*
Welcome to the Juniper Networks Virtual Private Network seminar. This presentation lasts approximately 4 hours and is expected to give each of you an informative outlook on Juniper's understanding of the RFC 2547 Virtual Private Network platform for the service provider. As an audience you can anticipate an informative and persuasive presentation of the RFC 2547 Virtual Private Network.
Furthermore, this presentation will persuade each of you that Juniper is ready and willing to implement the RFC 2547 Virtual Private Network platform using the Border Gateway Protocol and Layer 3 Multiprotocol Label Switching (MPLS) over a secured, shared Internet Protocol (IP) infrastructure.
We fully understand that the RFC 2547 Virtual Private Network is complex, and we understand it well. So without any further delay, let us begin this presentation by first reviewing and discussing the VPN presentation objectives.
*
The agenda for Part I is …
*
The agenda for Part I is …
*
The agenda for Part I is …
*
*
The IETF classifies VPNs in two distinct models.
The Customer Premises Equipment (CPE) based VPN uses equipment located at the subscriber site. This model can use both Layer 2 and Layer 3 technologies. Layer 2 is handled using the Layer 2 Tunneling Protocol (L2TP) and the Point-to-Point Tunneling Protocol (PPTP). Tunnels are created between CPEs, creating a secure pipe to transfer data across.
In a Network-Based (NB) VPN model, Layer 3 is supported using two separate solutions. Non-MPLS-based VPNs use virtual routers to route CPE-based VLAN traffic to the far-end CPE. MPLS-based VPNs, based on RFC 2547bis, use labels to switch VPN traffic between CPEs.
*
The agenda for Part I is …
*
In a remote access scenario, a tunnel is created using either L2TP or PPTP to the far-end CPE to allow access to network resources. Either L2TP or PPTP can be used to create a secure pipe to the far-end CPE.
L2TP is a combination of the Layer 2 Forwarding protocol (L2F) and PPTP, creating a hybrid of Layer 2 and Layer 3 functionality. IPsec is used to encrypt the data stream, protecting it from Internet hackers.
Authentication of data is done at the tunnel endpoints, where a checksum of the data stream is computed to detect unauthorized alteration of the data during transit.
*
IPsec is used throughout CPE VPN solutions because it can span multiple service providers without the need for duplicate encryption by the transit service provider. IPsec has strong encryption schemes, creating a very secure data stream.
Security services include:
Access Control
Data Origin Authentication
Replay Protection
Data Privacy
Key Management
*
Let's look at how a VPN works in conjunction with a CPE model.
The first important fact to understand is that all routing is performed at the customer site, eliminating any possibility of loss of data due to incorrect public Internet routing. It is also important to understand that a local routing function does have implied support and configuration requirements.
Each tunnel is terminated at the subscriber site, giving the entire security and integrity responsibility to the subscriber. When IPsec is implemented, only the subscriber site is required to support IPsec. This means that if the service provider does not support IPsec, the subscriber can use the public infrastructure provided without loss of security functionality.
Data integrity is ensured by each CPE using encryption and key technologies. The original header and data payload are encrypted at the CPE, and a shared key is used to remove the encryption from the payload on the far-end CPE.
Finally, private address spaces are supported, giving the subscriber complete flexibility to implement addressing schemes that meet the subscriber's changing needs.
*
CPE-based VPN solutions with IPsec have many benefits. They do not interfere with existing subscriber applications. Because IPsec is a Layer 3 technology, it is easier to implement in conjunction with other corporate applications such as SAP or PeopleSoft.
Local routing of data by subscriber routers gives greater control of the routing process to the subscriber. However, local routing also means that the subscriber has no one else to blame if a packet does not reach its final destination due to a routing issue.
The service provider usually is not given much of an opportunity to provide any services. This is a limitation for the service provider with regard to possible revenue streams and Service Level Agreements.
*
The agenda for Part I is …
*
The agenda for Part I is …
*
Border Gateway Protocol / Multiprotocol Label Switching Virtual Private Network mechanisms are defined in RFC 2547bis. This document defines the mechanisms in such a way that service providers are given the opportunity to learn how to better use their backbone to provide VPN services to their customers. This presentation illustrates many of the techniques used in the RFC 2547bis document, where the Border Gateway Protocol is used for distributing VPN routes across the service provider's backbone and Multiprotocol Label Switching is used to forward the VPN traffic from one VPN site to another.
This presentation allows for an understanding of how service providers can make their service very simple for customers to use, even though the customers may lack the Internet Protocol routing skills required to effectively implement a VPN themselves. It also shows how the VPN service can be scalable and flexible for deployment in support of a large-scale service provider. Like all VPNs, policy drives the configuration and implementation of the particular VPN. In the case of the BGP/MPLS VPN, the policy is always subscriber-initiated and may be implemented either jointly by the subscriber and service provider or solely by the service provider. This allows the service provider to deliver a critical value-added service that galvanizes subscribers' loyalty.
*
The agenda for Part I is …
*
The agenda for Part I is …
*
The Customer Edge (CE) device is usually located at the subscriber site and may be a Layer 2 switch or a Layer 3 router. It is the means by which the Provider Edge (PE) router at the service provider's site communicates with the subscriber. Any type of data link will work for the connection between the CE device and the PE device, and a CE device may be connected to two or more PE routers. When the CE device is a router connected to a PE router, a routing adjacency is established between the two routers. After this adjacency is established, the CE router advertises all of the subscriber site's local routes to the PE router, and the PE router in turn lets the CE router learn the other VPN routes it is connected to through the PE router.
*
The Provider Edge (PE) router connects to the CE device over different types of data links, such as Frame Relay DLCIs, ATM PVCs, VLANs, etc. Regardless of the data link they are connected by, the PE router ensures that each port these data links arrive on is mapped to a particular table known as a VPN routing and forwarding (VRF) table. The PE port is therefore associated with a particular VRF and with the information associated with the incoming data link. The PE router maintains all of the VRFs of the virtual private networks attached to it. The exchange of routing information between the CE device and the PE device may take place using Routing Information Protocol (RIP) version 2, Open Shortest Path First (OSPF), or Exterior Border Gateway Protocol (E-BGP). The PE router is only responsible for maintaining the IPv4 routes of the CE devices that are actually attached to it. This feature enables the RFC 2547bis operational model to be scalable.
The PE router also exchanges VPN routing information with other PE routers using I-BGP, and may use its I-BGP sessions with Route Reflectors as an alternative to a full mesh of I-BGP sessions. Deploying multiple Route Reflectors enhances the scalability of the RFC 2547bis operational model, because no single component needs to handle all of the IPv4 routes. When forwarding traffic across the MPLS backbone, the PE router performs this function as a Label Switch Router (LSR). When it initially forwards traffic onto the MPLS backbone, the PE router is considered the Ingress LSR, and when it receives the traffic at its destination, the PE router functions as the Egress LSR.
*
In the Multiprotocol Label Switching environment, the topology is very clear as to which routers are PE routers and which are Provider (P) routers. A rule of thumb for telling a P router from a PE router, which works every time within the MPLS environment, is that only PE routers attach directly to a CE device. Therefore, if a router is within the MPLS topology and does not attach to a CE device, it is a P router.
The P router functions within the MPLS backbone as a transit Label Switch Router (LSR) when it is called upon to forward data traffic between the PE routers, known in the MPLS backbone as the Ingress LSR and the Egress LSR. Because the P router operates in the MPLS backbone and within a two-label stack, the P routers are only aware of, and only required to maintain, the routes to the PE routers. This keeps the P routers from being bogged down with all of the subscriber sites' routes, as the PE router is. Therefore, specific VPN routes are found only in the PE routers.
*
*
*
The agenda for Part I is …
*
Overlapping Customer Address Spaces
VPN customers often manage their own networks and use the RFC 1918 private address space. If customers do not use globally unique IP addresses, the same 32-bit IPv4 address can be used to identify different systems in different VPNs. This can cause routing difficulties, because BGP assumes that each IPv4 address it carries is globally unique. To solve this problem, BGP/MPLS VPNs support a mechanism that converts non-unique IP addresses into globally unique addresses. This is accomplished by combining the VPN-IPv4 address family with the Multiprotocol BGP Extensions (MP-BGP).
*
*
*
The agenda for Part I is …
*
When discussing the operational model of BGP/MPLS VPNs, you must break the operational process down into two distinct operations. The first is control flow: for example, the IPv4 routes must be delivered across the backbone via VPN route distribution and Label Switched Path (LSP) establishment. There are two sub-flows within the control operation. The first control sub-flow is responsible for the exchange of routing information between the CE and PE routers at the edges of the provider's backbone, and between the PE routers across the provider's backbone. This is commonly known as route distribution from the source address to the destination address. The second control sub-flow is the establishment of LSPs across the provider's backbone between PE routers. Only when the Label Switched Path is established can the second part of the operational model take place. The second part of the BGP/MPLS operational model is data flow, that is, forwarding subscriber data traffic successfully across the MPLS backbone.
*
Virtual private networks require administrative policies to help the persons implementing the configuration perform their work accurately. Otherwise the connectivity of the virtual private network may not perform in the manner requested by the subscriber, nor meet any Quality of Service guarantees the service provider may have made in the service agreement. It is therefore essential that the subscriber defines policies they can live by. This allows the implementation of the configuration to move more smoothly and ensures that any service agreement between the subscriber and the service provider is fulfilled.
Once the administrative policy is determined, the implementation of the VPN and its policy may be performed by the subscriber if it calls for a Layer 2 virtual private network. A Layer 3 VPN may require the subscriber and the service provider together, or the service provider alone, to implement the VPN policy, depending on the level of IP routing expertise of the subscriber.
A policy may request full-mesh or hub-and-spoke connectivity between the many subscriber sites. This is usually determined by the import and export target policies derived from the subscriber's requirements. Be very careful with the configuration of these targets, as they are used to build specific types of connectivity or topology among a subscriber's sites. These mechanisms can be completely contained within the service provider, where the subscriber has no awareness of their use.
*
*
The next section reviews issues concerning the different attributes of the BGP protocol. Those attributes include the Target VPN attribute and the VPN of Origin attribute. It is possible to create different types of VPNs using only these two attributes, as we shall see in the sub-section "Building VPNs using Target and Origin Attributes". We shall also discuss route distribution among PE routers in this section.
*
When exchanging routing information, the PE is configured to associate a particular interface or sub-interface with a forwarding table. This association with the interface allows the PE to learn the routes associated with the site of which the CE device is a member.
The CE device advertises a route to the PE router, which checks its own forwarding tables for a direct connection. When no direct connection is available, the PE router advertises the route using the Interior Border Gateway Protocol (I-BGP) to another PE router and places its own address as the BGP Next Hop for the route.
When the second PE router receives the advertisement from the first PE router, it performs route filtering based on the BGP extended community attributes carried with the route. When the route is determined to be installed in the PE's VPN forwarding tables, the second PE router advertises the destination route back to the first PE router.
This process describes the exchange of routing information between two PE routers.
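The three notes above on overlapping address spaces, on import/export targets shaping the topology, and on the PE-to-PE exchange with extended-community filtering, worked as one added example for this page (not code from the deck or from Juniper). It builds type 0 route distinguishers, route-target extended communities and VPN-IPv4 addresses, then runs the import filter on every VRF of a constructed three-PE network: VPN A as a full mesh, VPN B as hub-and-spoke, with both VPNs reusing 10.1.1.0/24 at one site. ASN 65000, the prefixes, PE names and RT numbers are all constructed.

```python
"""VPN-IPv4 routes, route targets and per-VRF import filtering on a PE.
Added example; ASN, prefixes, PE names and RT values are constructed."""
import ipaddress
import struct
from dataclasses import dataclass, field


def route_distinguisher(asn: int, number: int) -> bytes:
    """Type 0 RD: 2-byte type (0), 2-byte ASN, 4-byte assigned number (8 bytes)."""
    return struct.pack("!HHI", 0, asn, number)


def route_target(asn: int, number: int) -> bytes:
    """Route Target extended community: type 0x00 (2-octet AS specific), sub-type 0x02."""
    return struct.pack("!BBHI", 0x00, 0x02, asn, number)


def vpn_ipv4(rd: bytes, prefix: str) -> bytes:
    """12-byte VPN-IPv4 address: RD followed by the IPv4 network. The same customer
    prefix under two different RDs yields two different addresses, so MP-BGP carries both."""
    return rd + ipaddress.IPv4Network(prefix).network_address.packed


@dataclass(frozen=True)
class Advertisement:
    vpn_address: bytes
    prefix: str
    next_hop: str            # the advertising PE, which sets itself as BGP next hop
    route_targets: frozenset


@dataclass
class VRF:
    name: str
    rd: bytes
    export_rts: frozenset
    import_rts: frozenset
    local_prefixes: list                        # routes learned from the attached CE
    table: dict = field(default_factory=dict)   # imported prefix -> next-hop PE


def export_vrf(pe: str, vrf: VRF) -> list:
    """Routes learned from the CE are re-advertised as VPN-IPv4 routes tagged with the export RTs."""
    return [Advertisement(vpn_ipv4(vrf.rd, p), p, pe, vrf.export_rts) for p in vrf.local_prefixes]


def import_into(vrf: VRF, advertisements: list) -> None:
    """Import filter: a route is installed only if it carries at least one of this VRF's
    import RTs. Anything else is dropped, so VPN B never sees VPN A's 10.1.1.0/24."""
    for adv in advertisements:
        if adv.route_targets & vrf.import_rts:
            vrf.table[adv.prefix] = adv.next_hop


def build_network():
    """Two VPNs on three PEs. VPN A: every site imports and exports one RT (full mesh).
    VPN B: the hub exports the hub RT and imports the spoke RT; spokes do the reverse,
    so spokes learn only the hub's routes while the hub learns every spoke."""
    rt_mesh = frozenset({route_target(65000, 100)})
    rt_hub = frozenset({route_target(65000, 201)})
    rt_spoke = frozenset({route_target(65000, 202)})
    rd_a, rd_b = route_distinguisher(65000, 1), route_distinguisher(65000, 2)
    vrfs = {
        ("PE1", "A"): VRF("A", rd_a, rt_mesh, rt_mesh, ["10.1.1.0/24"]),
        ("PE2", "A"): VRF("A", rd_a, rt_mesh, rt_mesh, ["10.1.2.0/24"]),
        ("PE1", "B"): VRF("B-hub", rd_b, rt_hub, rt_spoke, ["10.1.1.0/24"]),
        ("PE2", "B"): VRF("B-spoke1", rd_b, rt_spoke, rt_hub, ["10.1.3.0/24"]),
        ("PE3", "B"): VRF("B-spoke2", rd_b, rt_spoke, rt_hub, ["10.1.4.0/24"]),
    }
    advertisements = [adv for (pe, _), vrf in vrfs.items() for adv in export_vrf(pe, vrf)]
    for (pe, _), vrf in vrfs.items():
        # I-BGP: a PE does not receive its own advertisements back.
        import_into(vrf, [adv for adv in advertisements if adv.next_hop != pe])
    return vrfs, advertisements


if __name__ == "__main__":
    vrfs, advs = build_network()
    for (pe, _), vrf in vrfs.items():
        print(pe, vrf.name, vrf.table)
```

After the run, PE2's VPN A table holds 10.1.1.0/24 via PE1, the B hub holds both spoke prefixes, and each B spoke holds only the hub's 10.1.1.0/24; the two 10.1.1.0/24 advertisements carry different VPN-IPv4 addresses because their RDs differ.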
*
As previously mentioned, the label switched path must be in place before any data traffic is forwarded across the MPLS backbone from one subscriber site to another subscriber site.
To illustrate, let's say a host forwards data packets to a server that doubles as the default gateway. This default gateway is the CE router, of course, and performs a longest-match route lookup on the packet when it arrives. Once the longest-match lookup is done, the packet is forwarded by the CE router to the attached PE router.
The PE router receives the packet, performs its own route lookup and obtains the MPLS label advertised by the Egress LSR, the BGP Next Hop, an outgoing sub-interface for the label switched path between the Ingress LSR and the Egress LSR, and the Ingress LSR MPLS label.
The data packet is forwarded from the Ingress LSR using a two-label MPLS stack. Before the Ingress LSR actually forwards the packet towards the Egress LSR, it pushes a Bottom Label onto the MPLS label stack. The Ingress LSR then pushes the Top Label, associated with the label switched path set up by the appropriate signaling protocol, on top of the Bottom Label.
The Ingress LSR then forwards the two-label packet out of its outgoing interface to the incoming interface of the first transit LSR, which is a P router. The first transit LSR receives the two-label packet, pops the top label and pushes another Top Label onto the Bottom Label, creating a different two-label stack for the same data packet. The first transit LSR then sends the packet out of an outgoing interface to the incoming interface of the next transit LSR, which repeats the steps of the first transit LSR. This continues until the penultimate router is reached, where the final Top Label is popped from the two-label stack and the packet goes out of the penultimate router's outgoing interface to the incoming interface of the Egress LSR. The Egress router then sends the packet to the associated CE router, which in turn sends the packet to the host destination of the original IPv4 address.
*
Forwarding the data traffic between sites is performed using a two-label approach recognized by the Multiprotocol Label Switching process.
Basically speaking, the Top Label is considered the Interior Border Gateway Protocol (IBGP) label and is used to identify the label switched path to the Egress router. It is derived from the core interior gateway protocol and then distributed either with the Label Distribution Protocol or the Resource Reservation Protocol.
The Bottom Label is considered to operate with the Border Gateway Protocol (BGP) and identifies the outgoing interface from the Egress PE router to the CE device with the destination address. This information was obtained when route distribution information was exchanged between the two PE routers using the Interior Border Gateway Protocol. What happens is that the Egress LSR sends the Update message back to the Ingress LSR and provides the Ingress LSR with the appropriate routing information for the Bottom Label.
*
The agenda for Part I is …
*
The thing to point out on this slide: this is not “our opinion”. It is spelled out in the RFC!
Bullet 2: according to the RFC, to scale provisioning you want to run a routing protocol between CE and PE, but to scale the network implementation it says you should statically configure the PE with the VPN routes. An interesting conflict!
The RFC recommends BGP for CE/PE communication. That eliminates the lower-cost benefit (BGP-capable routers aren't cheap) and the “simplification of routing” that customers want. Any other protocol (OSPF, IS-IS, RIP) lacks the protections BGP has for shielding the PE from customer misconfiguration. How well will a router handle hundreds of OSPF processes? (Hint: C doesn't handle one instance well.)
*
*
Running multiple RRs and keeping the updates isolated is very complex for the NSP. Each PE needs filters so that it learns only the routes associated with the VPNs it is handling, and each RR needs filters for the same reason.
Also, the RFC recommends that the NSP have the PE peer only with the specific RRs that hold VPN routes it needs. This means the NSP must manually add the peering configuration whenever the first VPN served by an RR is added, and remove it when the last one is removed. The provisioning and network management of 2547 does not scale for the NSP.
*
When a filter changes, the routers need to be able to request a fresh BGP update: this is the Route Refresh capability (RFRSH). BUT not a single vendor has it yet; we might have it by the end of the year.
Last bullet, “although at least one is close”: wink, wink.
*
Having the PE do the filtering means that it must accept ALL routes from every RR it is connected to and then process all of them (potentially millions of routes), dropping what it doesn't want. Outbound Route Filtering (ORF) is a specification that lets the PE tell the RR what to filter, so the RR only sends down what is of interest to the PE. As of April 2000 the BGP code points for this had not even been assigned, so nobody CAN develop it yet.
*
When exchanging routing information, the PE is configured to associate a particular interface or sub-interface with a VPN routing and forwarding (VRF) table. That association is what lets the PE learn the routes of the site to which the attached CE device belongs, and keep them separate from every other customer's routes.
The CE device advertises a route to the PE router, which installs it in the VRF bound to that interface. To make it reachable from other sites of the same VPN, the PE converts it into a VPN-IPv4 route (the route distinguisher configured for the VRF is prepended so that overlapping customer prefixes stay distinct), attaches the VRF's export route targets as BGP extended community attributes together with an MPLS label, and advertises it over Interior Border Gateway Protocol (I-BGP), directly or via a route reflector, to the other PE routers with its own loopback address as the BGP Next Hop.
When the second PE router receives the advertisement, it filters on the route target extended communities carried with the route: the route is installed in each local VRF whose import route targets match, and discarded for the rest. Once installed, the second PE advertises the route to the CE devices attached to that VRF, so the remote site learns the destination.
This is the exchange of routing information between two PE routers; the route target filtering step is what enforces the separation between VPNs sharing the backbone.
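To make the control-plane steps above concrete, here is an added Python simulation (not code from the Juniper deck; PE names, loopbacks, route distinguishers, route targets, labels and customer prefixes are constructed). Two customers both use 10.1.0.0/24: the route distinguisher keeps the two routes distinct in BGP, and the import route target filter decides which VRF each lands in. The same code also exposes the failure mode this design has, which is that an extra import route target on one VRF quietly leaks the other customer's routes into it.

```python
"""Route distribution between two PEs in a BGP/MPLS VPN (RFC 2547bis), simulated.

Added example, not part of the Juniper deck. PE names, loopbacks, route
distinguishers (RDs), route targets (RTs), labels and customer prefixes are
constructed for illustration.
"""
from dataclasses import dataclass, field
import ipaddress


@dataclass(frozen=True)
class VpnIPv4Route:
    """One VPN-IPv4 route as carried in an MP-IBGP UPDATE between PEs."""
    rd: str                   # route distinguisher: keeps overlapping customer prefixes distinct
    prefix: str               # the IPv4 prefix the CE advertised
    next_hop: str             # BGP next hop = advertising PE's loopback (the LSP endpoint)
    label: int                # MPLS VPN label the advertising PE allocated for this route
    route_targets: frozenset  # export RTs (extended communities) attached by the advertising PE


@dataclass
class Vrf:
    name: str
    rd: str
    import_rts: frozenset
    export_rts: frozenset
    local: dict = field(default_factory=dict)   # prefix -> (CE-facing interface, VPN label)
    remote: dict = field(default_factory=dict)  # prefix -> (remote PE next hop, VPN label)


class PE:
    def __init__(self, name: str, loopback: str):
        self.name, self.loopback = name, loopback
        self.vrfs = {}        # VRF name -> Vrf
        self.interfaces = {}  # CE-facing interface -> VRF name
        self._next_label = 100000

    def add_vrf(self, vrf: Vrf) -> None:
        self.vrfs[vrf.name] = vrf

    def bind_interface(self, iface: str, vrf_name: str) -> None:
        """Step 1: an interface or sub-interface is associated with exactly one VRF."""
        self.interfaces[iface] = vrf_name

    def learn_from_ce(self, iface: str, prefix: str) -> None:
        """Step 2: a CE advertises a prefix; it lands only in the VRF bound to that interface."""
        ipaddress.ip_network(prefix)  # reject malformed prefixes
        vrf = self.vrfs[self.interfaces[iface]]
        vrf.local[prefix] = (iface, self._next_label)
        self._next_label += 1

    def export(self) -> list:
        """Step 3: every locally learned route becomes a VPN-IPv4 route with this PE as next hop."""
        return [VpnIPv4Route(vrf.rd, prefix, self.loopback, label, vrf.export_rts)
                for vrf in self.vrfs.values()
                for prefix, (_iface, label) in vrf.local.items()]

    def import_routes(self, updates: list) -> list:
        """Step 4: install a received route in each VRF whose import RTs intersect the
        route's RTs and drop it everywhere else. Returns the (vrf, prefix) pairs installed."""
        installed = []
        for r in updates:
            for vrf in self.vrfs.values():
                if vrf.import_rts & r.route_targets:
                    vrf.remote[r.prefix] = (r.next_hop, r.label)
                    installed.append((vrf.name, r.prefix))
        return installed

    def routes_for_ce(self, iface: str) -> dict:
        """Step 5: what this PE advertises to the CE on an interface: its VRF's remote routes."""
        return dict(self.vrfs[self.interfaces[iface]].remote)


def build_pe(name: str, loopback: str, blue_import_rts: frozenset) -> PE:
    pe = PE(name, loopback)
    pe.add_vrf(Vrf("red", "65000:1", frozenset({"65000:100"}), frozenset({"65000:100"})))
    pe.add_vrf(Vrf("blue", "65000:2", blue_import_rts, frozenset({"65000:200"})))
    pe.bind_interface("fr-1/0/0.100", "red")
    pe.bind_interface("fr-1/0/0.200", "blue")
    return pe


def simulate(blue_import_rts: frozenset = frozenset({"65000:200"})) -> dict:
    """Red and blue customers behind PE1 both use 10.1.0.0/24. Return what PE2 hands each CE."""
    pe1 = build_pe("PE1", "192.0.2.1", frozenset({"65000:200"}))
    pe2 = build_pe("PE2", "192.0.2.2", blue_import_rts)
    pe1.learn_from_ce("fr-1/0/0.100", "10.1.0.0/24")     # red CE
    pe1.learn_from_ce("fr-1/0/0.100", "192.168.1.0/24")  # red CE, second prefix
    pe1.learn_from_ce("fr-1/0/0.200", "10.1.0.0/24")     # blue CE: same private prefix as red
    pe2.import_routes(pe1.export())
    return {"red": pe2.routes_for_ce("fr-1/0/0.100"),
            "blue": pe2.routes_for_ce("fr-1/0/0.200")}
```

Calling `simulate()` with the correct import targets gives each CE only its own VPN's routes; calling it with `blue_import_rts=frozenset({"65000:100", "65000:200"})` shows red's 192.168.1.0/24 appearing in blue's table, which is why route target configuration on PEs deserves the same change control as a firewall rule.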
*
This section of the presentation gives an insight into how a service provider operating an Internet Protocol (IP) backbone can provide Virtual Private Networks (VPNs) for its customer, the enterprise subscriber. The RFC 2547 VPN model differs from the traditional ways packets and routes were forwarded over a backbone in the 1990s.
The 2547 VPN model uses Multiprotocol Label Switching (MPLS) to forward packets and the Border Gateway Protocol (BGP) to distribute routes, both across the provider's IP backbone. Its primary goal is to let service providers take over IP backbone services that enterprise subscribers want to outsource.
By using the mechanisms MPLS and BGP provide, the service provider makes the task very simple for the enterprise subscriber while improving scalability and flexibility for itself. The 2547 VPN model also gives the service provider an opportunity to add value to the services it delivers to the enterprise subscriber.
Additionally, the 2547 VPN model provides the techniques an enterprise subscriber needs to build a VPN that can in turn be used to provide IP service to its own customers.
We will start with a high-level discussion of the 2547 VPN model and become more granular as we look at how BGP and MPLS are implemented as the underlying technology for this highly scalable and secure VPN.
Without further delay, let's take a look at the 2547 VPN objectives.
*
The Customer Edge (CE) device sits at the subscriber site and may be a layer 2 switch or a layer 3 router. It is the means by which the Provider Edge (PE) router at the service provider's site communicates with the subscriber. Any type of data link will work between the CE device and the PE, and a CE may be connected to two or more PE routers. When the CE device is a router connected to a PE router, a routing adjacency is established between the two. Once that adjacency is up, the CE router advertises the subscriber site's local routes to the PE router, and in turn learns from the PE router the routes of the other sites in its VPN.
*
The Provider Edge (PE) router connects to the CE device over different types of data link, such as a Frame Relay DLCI, an ATM PVC, or a VLAN. Regardless of the data link, the PE router maps each port these links arrive on to a particular table known as a VPN routing and forwarding (VRF) table, so the PE port is associated with one VRF and everything arriving on that link is looked up in that VRF only. The PE router maintains the VRFs of all the VPNs attached to it. Routing information between the CE device and the PE may be exchanged using Routing Information Protocol (RIP) version 2, Open Shortest Path First (OSPF), or Exterior Border Gateway Protocol (E-BGP). The PE router is only responsible for the IPv4 routes of the VPNs whose CE devices are actually attached to it, not for every VPN in the network. This is what makes the RFC 2547bis operational model scalable.
The PE router also exchanges VPN routing information with other PE routers using I-BGP, and may run these I-BGP sessions to route reflectors as an alternative to a full mesh of I-BGP sessions between PEs. Deploying multiple route reflectors improves the scalability of the RFC 2547bis model because no single component then has to hold all of the VPN-IPv4 routes. When forwarding traffic across the MPLS backbone, the PE router acts as a Label Switch Router (LSR): the PE that first places traffic onto the MPLS backbone is the Ingress LSR, and the PE that receives it at the destination end is the Egress LSR.
*
In the MPLS environment the topology makes it very clear which routers are PE routers and which are Provider (P) routers. A rule of thumb for telling a P router from a PE router, which always works in the MPLS environment, is that only PE routers attach directly to a CE device. Therefore, a router within the MPLS topology that does not attach to a CE device is a P router.
The P router functions within the MPLS backbone as a transit Label Switch Router (LSR) when it forwards data traffic between the PE routers, known in the MPLS backbone as the Ingress LSR and the Egress LSR. Because the P router operates in the MPLS backbone and acts only on the top label of the two-level label stack, P routers need to know and maintain only the routes to the PE routers. This keeps the P routers from being bogged down with all of the subscriber sites' routes, as the PE router is. Specific VPN routes are therefore found only in the PE routers.
*
*
In this section we look at the provisioning issues and the tasks associated with Layer 2 VPNs.
*
*
The list of DLCIs is configured on the PEs.
No changes are required on existing sites even when new sites are added, provided the provider has over-provisioned the PEs in the network.
*
A key benefit is auto-discovery. Compared with the traditional Layer 2 VPN slide, there is no need to manually configure additional VPN members.
All sites must be configured at the initial bootstrap of the network. After that initial build, only the newly added sites need to be configured, without touching existing sites.
Note: the label base is chosen automatically by the PE; the other information is assigned by the ISP administrator. The choice of sub-interface IDs must be agreed between the SP and the customer.
The VFT is announced via LDP as a new FEC, or via MP-BGP as a new AFI.
Label base: BGP only; LDP carries the label with the FEC.
VPN ID: LDP only.
With BGP we use communities of the form <VPN-ID>:<connectivity>.
*
*
*
Emphasize that, as with draft-Kompella, the LSPs between PEs must be pre-established.
Also note that there is no VFT as there is with draft-Kompella. Instead there is a simple logical interface-to-VCID binding, somewhat similar to CCC.
The same DLCIs and labels are used here as in the draft-Kompella slides, for comparison.
*
Emphasize that as with draft-Kompella, the LSPs between PEs must be pre-established.
Note to the audience that the label-swap between the two P-routers is not shown to avoid cluttering the slide.
*
The control word is 32 bits long and is inserted between the MPLS label stack and whatever protocol PDU is being transported. It consists of 4 reserved bits, 4 flag bits whose meaning depends on the transported protocol, an 8-bit length field, and a 16-bit sequence number field.
If the length of the encapsulated L2 payload plus the control word is less than 64 octets, the length field is set to that length; otherwise it is set to 0. (The field is 8 bits wide, so it counts octets, not bits.) The length field matters when the underlying link pads small packets: the egress LSR uses it to strip the padding again.
The sequence number is a 16-bit unsigned circular counter used to guarantee ordered delivery, but only if the egress LSR supports receive sequence number processing. If the egress LSR receives out-of-order packets it may drop or reorder them at its discretion; if it does not support sequence number processing, it may ignore the field.
Protocol-specific flags are defined as follows:
Frame Relay: FECN/BECN, Forward/Backward Explicit Congestion Notification; DE, Discard Eligible; C/R, Command/Response.
ATM: T, Transport type (ATM cell or AAL5 CPCS-PDU); EFCI, Explicit Forward Congestion Indicator; CLP, Cell Loss Priority.
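An added Python example (not code from the deck or from the Martini draft) that builds and parses the control word described above and runs egress-side processing over a few constructed Frame Relay frames: the length field is used to strip link-layer padding, and the 16-bit circular sequence number is checked for gaps and late or duplicate packets. The bit positions assumed for the flags and the 64-octet length threshold are this example's assumptions, marked as such in the code.

```python
"""Martini control word: build, parse, strip padding, and check sequence numbers.

Added example, not code from the Juniper deck or the Martini drafts. The field
layout (4 reserved bits, 4 flag bits, 8-bit length, 16-bit sequence number) is
the one described above; the flag bit positions, the 64-octet length threshold
and the sample Frame Relay frames are this example's assumptions.
"""
import struct

CW_LEN = 4             # control word size in octets
LENGTH_THRESHOLD = 64  # assumed: packets (payload + control word) shorter than this carry a length

# Flag positions within the 4-bit flags field, bit 3 most significant (assumed ordering).
FRAME_RELAY_FLAGS = {"BECN": 3, "FECN": 2, "DE": 1, "C/R": 0}
ATM_FLAGS = {"T": 3, "EFCI": 2, "CLP": 1}


def encode_control_word(flags, flag_map, seq, payload_len):
    """Return the 4-octet control word for a payload of payload_len octets."""
    if not 0 <= seq < (1 << 16):
        raise ValueError("sequence number must fit in 16 bits")
    nibble = 0
    for name in flags:
        nibble |= 1 << flag_map[name]
    total = payload_len + CW_LEN
    length = total if total < LENGTH_THRESHOLD else 0  # 0 means "length not signalled"
    return struct.pack("!I", (nibble << 24) | (length << 16) | seq)  # reserved nibble stays 0


def decode_control_word(data, flag_map):
    """Parse the control word; reserved bits must be zero. Returns (flags, length, seq)."""
    if len(data) < CW_LEN:
        raise ValueError("packet shorter than a control word")
    (word,) = struct.unpack("!I", data[:CW_LEN])
    if word >> 28:
        raise ValueError("reserved bits set")
    nibble = (word >> 24) & 0xF
    flags = frozenset(n for n, bit in flag_map.items() if nibble & (1 << bit))
    return flags, (word >> 16) & 0xFF, word & 0xFFFF


def pad_to_minimum(packet, minimum=LENGTH_THRESHOLD):
    """Transmit side: a link layer with a minimum frame size pads short packets with zeros."""
    return packet + b"\x00" * max(0, minimum - len(packet))


def egress_receive(packet, flag_map):
    """Egress LSR: parse the control word and drop padding using the length field."""
    flags, length, seq = decode_control_word(packet, flag_map)
    body = packet[CW_LEN:]
    if length:
        if length < CW_LEN or length - CW_LEN > len(body):
            raise ValueError("length field inconsistent with packet size")
        body = body[: length - CW_LEN]
    return flags, seq, body


class SequenceChecker:
    """Receive-side 16-bit circular sequence tracking. Classifies each packet as
    'ok' (the next expected), 'gap' (earlier packets missing) or 'late' (old or duplicate)."""

    def __init__(self):
        self.expected = None

    def check(self, seq):
        if self.expected is None or (seq - self.expected) & 0xFFFF == 0:
            self.expected = (seq + 1) & 0xFFFF
            return "ok"
        delta = (seq - self.expected) & 0xFFFF
        if delta < 0x8000:  # ahead of expectation: something in between was lost
            self.expected = (seq + 1) & 0xFFFF
            return "gap"
        return "late"       # behind expectation: reordered or duplicate


def demo():
    """Send four constructed FR frames (one with DE set, two swapped) and return what egress recovers."""
    frames = [(1, set(), b"\x03\xcc" + b"A" * 10),
              (2, {"DE"}, b"\x03\xcc" + b"B" * 5),
              (4, set(), b"\x03\xcc" + b"C" * 70),   # large enough that no length is signalled
              (3, set(), b"\x03\xcc" + b"D" * 7)]    # arrives after 4
    wire = [pad_to_minimum(encode_control_word(f, FRAME_RELAY_FLAGS, s, len(p)) + p)
            for s, f, p in frames]
    checker, out = SequenceChecker(), []
    for pkt in wire:
        flags, seq, body = egress_receive(pkt, FRAME_RELAY_FLAGS)
        out.append((seq, sorted(flags), body, checker.check(seq)))
    return out
```

The padding case is the one worth noticing: without the length field the egress LSR could not tell a 12-octet frame padded to 64 from a genuine 60-octet frame, so it would hand the CE trailing zeros that were never on the customer's circuit.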
*
*
Many subscribers have limited IP expertise available and want to outsource their wide-area interconnection and routing to service providers. Service providers with an RFC 2547bis VPN platform are the ideal candidates to win that business and have the capabilities to support the subscriber's challenges.
For remote-access users reaching the corporate network, layer two tunneling protocols such as Point-to-Point Tunneling Protocol (PPTP) and Layer Two Tunneling Protocol (L2TP) are convenient and effective to use. Users can access the network from anywhere on the Internet.
*
*
Martini-draft label bindings are distributed using LDP downstream unsolicited mode. The LSRs establish an LDP session using the Extended Discovery mechanism; see RFC 3036 for more information.
VC Type may be:
Frame Relay DLCI
ATM AAL5 VCC Transport
ATM Transparent Cell Transport
ATM VCC Cell Transport
ATM VPC Cell Transport
Ethernet VLAN
Ethernet
Cisco HDLC
PPP
MPLS
SONET/SDH Circuit Emulation Service over MPLS (CEM)
The C bit signals the presence of a control word in the MPLS PDUs.
The Group ID is an arbitrary, user-configurable 32-bit value that represents a group of VCs and is used to augment the VC space. It is intended to be used as a port index or a virtual tunnel index, and is useful for sending wildcard label withdrawals to remote LSRs in the event of a physical port failure.
*
*