MULTI PROTOCOL LABEL SWITCHING VIRTUAL PRIVATE NETWORKING (MPLS-VPN)


Why is MPLS attractive?

Performance: labeling packets is effective for aggregating traffic and avoiding complex classification at every hop.

Classification flexibility: labels can be assigned on the basis of diverse criteria, e.g. QoS guarantees, IP header information, time of day, incoming interface.

Scalability: customers can use overlapping (non-unique) IP addresses, making it easy to support large-scale VPNs.

Benefits of MPLS features

Traffic Engineering: lower trunk costs and higher reliability; fast reroute for protection and resiliency; guaranteed bandwidth for hard QoS guarantees.

MPLS VPNs: new revenue opportunities for service providers; scalability for lower operational costs and faster rollout; layer 2 privacy and performance for IP; shared backbone for economies of scale.

IP + ATM integration: reduced complexity for lower operational cost; faster time to market for IP services => more revenue; use of the best technology => lower costs.


Introduction to MPLS-VPN

Today, business customers accept the level of security that Frame-Relay and ATM offer as layer 2 VPNs; however, they might have concerns about the level of security that an MPLS-based VPN offers.

Virtual Private Networks

A VPN can be defined loosely as a network in which customer connectivity amongst multiple sites is deployed on a shared infrastructure, with the same access or security policies as a private network. As an alternative to expensive leased lines or circuit-switched infrastructures, the growth rate of VPNs in the business world has been expanding.

In a VPN, the service provider gives an enterprise customer the ability to interconnect many sites utilizing a private WAN IP network. Each site requiring connectivity receives a router that needs to be peered through an appropriate interior gateway protocol (IGP) to at least one head-end router. The backbone here is owned by the service provider and shared between multiple enterprise customers, so the network is not really a private network but a VPN.

The figure shows a completely meshed VPN where routing is optimal. Partially meshed VPNs are also possible. A trade-off between efficiency and cost has to be made when choosing between partially and fully meshed VPNs. This model does not scale well for large topologies. Such a model, where the enterprise IP network is overlaid on top of the service provider backbone (the enterprise network is the higher-layer network, layer 3, while the backbone is the lower layer, layer 2), is called the overlay model.

The other model mostly used for VPNs is the peer model, where both the service provider and the customer use the same protocol. In this model the PE (Provider Edge) device is a router that directly exchanges routing information with the CPE router. This simplifies routing from the customer's perspective, as they no longer have to peer with every other end site, only with one PE router. Routing is now optimal between customer sites, as the provider routers now know the customer's network topology. Also, the addition of a new site is simpler, as the service provider does not have to provision a whole new set of VCs.

[Figure: A fully meshed VPN. A head-end router and several end-site routers interconnected over Frame-Relay or ATM.]

Two approaches existed before the introduction of MPLS-VPN: the shared router approach and the dedicated router approach. In the shared router approach several VPN customers share the same PE router. This approach has to be concerned with access control, making sure that there is no crossover between different customers' traffic. The dedicated router approach uses a dedicated PE router for each customer, which caused scalability concerns for the service provider. Neither approach allows the use of private IP addresses, as each customer would have to have unique addressing.

Neither of the two approaches provides traffic isolation.

MPLS-VPN:

Terminology used in MPLS-VPN:

1. Provider network (P-Network): the backbone under control of the service provider.

2. Customer Network (C-Network): the network under customer control.

3. CE Router: Customer Edge Router, part of the C-Network, interfacing to a PE router.

4. Site: a set of (sub)networks that are part of the C-Network and co-located. A site is connected to the VPN backbone through one or more PE/CE links.

5. PE Router: Provider Edge Router, part of the P-Network, interfacing to a CE router.

6. P Router: Provider (core) Router, without knowledge of VPNs.

7. Border Router: PE Router interfacing to other provider networks.

8. Extended Community: BGP attribute used to identify a Route Origin or Route-Target.

9. Site of Origin Identifier (SOO): 64 bits identifying the routers where the route has been changed.

10. Route-Target: 64 bits identifying the routers that should receive the route.

11. Route Distinguisher: attribute of each route used to uniquely identify prefixes among VPNs (64 bits); VRF based (not VPN based).

12. VPN-IPv4 addresses: addresses consisting of the 64-bit Route Distinguisher and the 32-bit IP address.

13. VRF: VPN routing and forwarding instance; a routing table and FIB table, populated by routing protocol contexts.

14. VPN-Aware network: a provider backbone where MPLS-VPN is deployed.

In this VPN model, MPLS is used for forwarding packets over the backbone, and BGP is used for distributing routes over the backbone. This method provides the SP with the ability to offer Internet access to these customers as well.

An MPLS-VPN is a true peer VPN model that performs traffic separation at layer 3 through the use of separate IP VPN forwarding tables. MPLS-VPN forces traffic separation by allocating a unique VRF to each customer's VPN. Users in a specific VPN cannot see outside their VPN.

This is basically due to the fact that forwarding within the SP's backbone is in the form of labels. These label switched paths (LSPs), set up by MPLS, begin and end at the PE routers, while the CE routers perform normal routing. It is the job of the incoming interface on the PE router to determine which forwarding table to use when handling a packet, because each incoming interface on a PE router is associated with a particular VPN. Consequently, a packet can enter a VPN only through an interface that is associated with that VPN.

Traffic separation occurs without tunneling or encryption because it is built directly into the network itself. MPLS-VPN uses Multiprotocol BGP extensions to encode customer IPv4 address prefixes into unique VPN-IPv4 NLRIs. Through the use of the extended BGP community attribute, the PE routers are able to control the distribution of these routes. The PE routers also assign a label to each VPN customer route and share these labels with other PEs, assuring that data packets are directed to the correct egress CE.

When a data packet is forwarded, two labels are used. The top label directs the traffic to the correct egress PE router, while the second label indicates the way the packet is to be handled. MPLS then takes over by forwarding the packet across the backbone using dynamic IP paths or traffic-engineered paths.

To simplify things further, standard IP forwarding is used between the PE and CE routers. The PE has a per-site VRF forwarding table that contains only the set of routes available to that CE router. The CE router is the routing peer of the PE to which it is directly connected, but is not a routing peer of routers at other sites. Routers at different sites do not directly exchange routing information with each other. This allows very large VPNs to be easily supported while simplifying the routing configuration at each individual site.


[Figure: MPLS-VPN. CE routers at the customer sites connect to PE routers at the edge of the MPLS core.]

Addressing Space and Routing Separation:

MPLS looks at the layer 3 portion of the packet but is still able to allow multiple VPNs to use the same address space. This is possible by adding a 64-bit route distinguisher (RD) to each IPv4 route. This new route, called a VPN-IPv4 address, ensures that VPN-unique addresses are also unique in the MPLS core. The only exception here is the IP addressing of the PE to CE links: they will need to be unique if dynamic routing protocols are used.

MPLS provides route separation by having each PE router maintain a separate table, called a Virtual Routing and Forwarding instance (VRF), which contains the routes from one VPN that were learned statically or through a dynamic routing protocol. These VRFs are separate from each other as well as from the global routing table.

This separation is maintained across the MPLS core to the other PE routers by utilizing Multiprotocol BGP (MP-BGP). By adding unique identifiers such as route distinguishers, MP-BGP provides the ability to uniquely identify VPN routes through the core of the network. MP-BGP is the only way that VPN routes are exchanged across the core. These BGP routes are not redistributed into the core network but only to the PE routers. The PE routers exchange the information and then place it into VPN-specific VRFs. Thus routing across an MPLS network is separate per VPN.

MPLS-based VPNs provide both addressing and routing separation. CE routers hold the tables of the VPN of which they are a member and have no routes to other VPNs of the core. The same holds for PE routers. P routers have no VRF routing tables and contain only routes that belong to other routers in the provider's network.
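The addressing and routing separation described above, as an added Python model that is not part of the original document: two customers both use 10.1.0.0/16, the route distinguisher keeps their VPN-IPv4 routes distinct in MP-BGP, and route-target import filtering decides which VRF receives each route. The RD/RT values, VRF names and prefixes are constructed for the example; MP-BGP itself is reduced to offering every route to every VRF.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class VpnIPv4Route:
    rd: str                   # 64-bit route distinguisher, written ASN:number (constructed)
    prefix: str               # the customer's IPv4 prefix
    route_targets: frozenset  # extended-community route targets it is exported with
    label: int                # VPN label assigned by the advertising PE

    def vpn_ipv4(self) -> str:
        # VPN-IPv4 address = RD + IPv4 prefix: two customers may both use
        # 10.1.0.0/16, yet the RD keeps the two routes distinct in MP-BGP.
        return f"{self.rd}:{self.prefix}"

@dataclass
class Vrf:
    name: str
    rd: str
    import_rts: frozenset
    export_rts: frozenset
    routes: dict = field(default_factory=dict)  # prefix -> VpnIPv4Route

    def export(self, prefix: str, label: int) -> VpnIPv4Route:
        # A CE-learned prefix becomes a VPN-IPv4 route tagged with this VRF's export RTs.
        return VpnIPv4Route(self.rd, prefix, self.export_rts, label)

    def maybe_import(self, route: VpnIPv4Route) -> bool:
        # A VRF accepts a route only if it carries at least one RT the VRF imports;
        # routes belonging to other VPNs never reach this table.
        if self.import_rts & route.route_targets:
            self.routes[route.prefix] = route
            return True
        return False

def distribute(routes, vrfs):
    """Simplified MP-BGP distribution: offer every VPN-IPv4 route to every VRF."""
    return {v.name: sorted(r.vpn_ipv4() for r in routes if v.maybe_import(r))
            for v in vrfs}

def demo():
    # Constructed sample: customers A and B both number their LAN 10.1.0.0/16.
    vrf_a = Vrf("CustA", "65000:1", frozenset({"65000:1"}), frozenset({"65000:1"}))
    vrf_b = Vrf("CustB", "65000:2", frozenset({"65000:2"}), frozenset({"65000:2"}))
    advertised = [vrf_a.export("10.1.0.0/16", 100), vrf_b.export("10.1.0.0/16", 200)]
    return distribute(advertised, [vrf_a, vrf_b])

if __name__ == "__main__":
    print(demo())
```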

Security/Label Spoofing:

At the core of an MPLS network, packets are not forwarded based on IP destination addresses, but rather based on labels that are prepended by the PE routers. Though it is theoretically possible to spoof an MPLS packet, practically it is not.

In MPLS the interface between the CE router and its peering PE router is an IP interface, i.e., an interface without labels. The CE router is unaware of the MPLS core, and thinks that it is sending IP packets to a simple router. The intelligence is in the PE router, where, based on configuration, the device prepends a label to the packet. This is the case for all PE routers towards CEs as well as towards upstream service providers. For security reasons a PE router should never accept packets with labels on them. Thus it is not possible to insert any fake labels, as the PE router will not accept any packets carrying labels.
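The PE ingress behaviour described in the two sections above, as an added Python model that is not part of the original document: a labeled packet arriving on a CE-facing interface is dropped, an unlabeled packet is looked up only in the VRF bound to its incoming interface, and a match is forwarded with the two-label stack (transport label to the egress PE on top, VPN label below). Interface names, label values, PE names and prefixes are constructed.

```python
import ipaddress

class PeRouter:
    def __init__(self):
        self.iface_vrf = {}   # CE-facing interface -> VRF name
        self.vrf_fib = {}     # VRF name -> [(network, vpn_label, egress_pe)]
        self.lsp_label = {}   # egress PE -> top (transport) label of the LSP

    def bind_interface(self, iface, vrf):
        # Each incoming interface is tied to exactly one VPN's VRF.
        self.iface_vrf[iface] = vrf
        self.vrf_fib.setdefault(vrf, [])

    def add_vpn_route(self, vrf, prefix, vpn_label, egress_pe):
        # Route learned via MP-BGP: prefix, the VPN label the egress PE
        # assigned to it, and which PE advertised it.
        self.vrf_fib[vrf].append((ipaddress.ip_network(prefix), vpn_label, egress_pe))

    def ingress(self, iface, packet):
        """packet = {'dst': 'a.b.c.d', 'labels': [...]}; returns (action, detail)."""
        # Security check: the PE-CE link is a plain IP interface, so a label
        # arriving from a CE is never legitimate and the packet is dropped.
        if packet.get("labels"):
            return ("drop", "labeled packet on CE-facing interface")
        vrf = self.iface_vrf.get(iface)
        if vrf is None:
            return ("drop", "interface not bound to any VRF")
        dst = ipaddress.ip_address(packet["dst"])
        # Longest-prefix match inside this VRF only; other VRFs are invisible.
        best = max((e for e in self.vrf_fib[vrf] if dst in e[0]),
                   key=lambda e: e[0].prefixlen, default=None)
        if best is None:
            return ("drop", f"no route in VRF {vrf}")
        _, vpn_label, egress_pe = best
        # Top label steers the packet across the core to the egress PE; the
        # bottom (VPN) label tells that PE which VRF/CE the packet belongs to.
        return ("forward", [self.lsp_label[egress_pe], vpn_label])

def build_demo_pe():
    # Constructed sample: two customers on one PE, both reachable via PE2.
    pe = PeRouter()
    pe.lsp_label["PE2"] = 3001
    pe.bind_interface("Gi0/1", "CustA")
    pe.bind_interface("Gi0/2", "CustB")
    pe.add_vpn_route("CustA", "10.1.0.0/16", 100, "PE2")
    pe.add_vpn_route("CustB", "10.2.0.0/16", 200, "PE2")
    return pe
```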


