MULTI PROTOCOL LABEL SWITCHING
VIRTUAL PRIVATE NETWORKING
(MPLS-VPN)
Why is MPLS attractive?
Performance
MPLS
Labeling packets is effective for aggregating traffic and avoiding
complex classifications at every hop.
Classification flexibility
Labels can be assigned on the basis of diverse criteria: QoS
guarantees, IP header information, time of day, incoming interface, ...
Scalability
Customers can use overlapping (non-unique) IP addresses,
making it easy to support large-scale VPNs.
Benefits of MPLS features
Feature / Benefits of MPLS
Traffic Engineering
  For lower trunk costs and higher reliability
  Fast reroute for protection and resiliency
  Guaranteed bandwidth for hard QoS guarantees
MPLS VPNs
  New revenue opportunities for SPs
  Scalability for lower operational costs and faster rollout
  L2 privacy and performance for IP
  Shared backbone for economies of scale
IP + ATM integration
  Reduced complexity for lower operational cost
  Faster time to market for IP services => more revenue
  Use best technology => lower costs
Introduction to MPLS-VPN
Today, business customers accept the level of security that Frame Relay
and ATM offer as layer 2 VPNs; however, they might have concerns about the
level of security that an MPLS-based VPN offers.
Virtual Private Networks
A VPN can be defined loosely as a network in which customer
connectivity amongst multiple sites is deployed on a shared infrastructure,
with the same access or security policies as a private network. As an alternative
to expensive leased lines or circuit-switched infrastructures, VPNs have seen
rapid growth in the business world.
In a VPN, the service provider gives an enterprise customer the
ability to interconnect many sites using a private WAN IP network. Each
site requiring connectivity receives a router that needs to be peered
through an appropriate interior gateway protocol (IGP) to at least one
head-end router. The backbone here is owned by the service provider and shared
between multiple enterprise customers, so the network is not really a private
network but a VPN.
The figure shows a completely meshed VPN, where routing is optimal.
Partially meshed VPNs are also possible; a trade-off between efficiency and
cost has to be made when choosing between partially and fully meshed
VPNs. This model does not scale well for large topologies. Such a model, where the
enterprise IP network is overlaid on top of the service provider backbone (the
enterprise network is the higher-layer network, layer 3, while the backbone is
the lower layer, layer 2), is called the overlay model.
The other model mostly used for VPNs is the peer model, where both the
service provider and the customer use the same protocol. In this model the PE
(Provider Edge) device is a router that directly exchanges routing information
with the CPE router. This simplifies routing from the
customer's perspective, as they no longer have to peer with every other end
site, only with one PE router. Routing is now optimal between the
customer's sites, as the provider routers know the customer's network
topology. Also, adding a new site is simpler, as the service provider does
not have to provision a whole new set of VCs.
[Figure: A fully meshed VPN. A head-end router and end-site routers are interconnected over Frame Relay or ATM.]
Two approaches existed before the introduction of MPLS-VPN: the shared router
approach and the dedicated router approach. In the shared router approach
several VPN customers share the same PE router. This approach has to
be concerned with access control, making sure that there is no crossover
between different customers' traffic. The dedicated router approach used a
dedicated PE router for each customer, which caused scalability concerns for the
service provider. Neither approach allows the use of private IP addresses, as each
customer would have to have unique addressing.
Neither of the above two approaches provides traffic isolation.
MPLS-VPN:
Terminology used in MPLS-VPN:
1. Provider network (P-Network)
The backbone under control of the service provider
2. Customer Network (C-Network)
Network under customer control
3. CE Router
Customer Edge Router, part of the C-Network, interfaces to a PE router
4. Site
Set of (sub)networks, part of the C-Network and co-located
A site is connected to the VPN backbone through one or more PE/CE links
5. PE Router
Provider Edge Router, part of the P-Network, interfaces to a CE router
6. P Router
Provider (core) Router, without knowledge of VPNs
7. Border Router
PE Router interfacing to other provider networks
8. Extended Community
BGP attribute used to identify a Route origin or Route-target
9. Site of Origin Identifier (SOO)
64 bits identifying the routers where the route has been changed
10. Route-Target
64 bits identifying the routers that should receive the route
11. Route Distinguisher
Attribute of each route used to uniquely identify prefixes among VPNs
(64 bits)
VRF based (not VPN based)
12. VPN-IPv4 addresses
Addresses including the 64-bit Route Distinguisher and the 32-bit IP address
13. VRF
VPN routing and forwarding instance
Routing table and FIB table
Populated by routing protocol contexts
14. VPN-Aware network
A provider backbone where MPLS-VPN is deployed
In this VPN model, MPLS is used for forwarding packets over the backbone,
and BGP is used for distributing routes over the backbone. This method also
provides the SP with the ability to offer Internet access to these customers.
An MPLS-VPN is a true peer VPN model that performs traffic
separation at layer 3 through the use of separate IP VPN forwarding tables.
MPLS-VPN enforces traffic separation by allotting a unique VRF to each
customer's VPN. Users in a specific VPN cannot see outside their VPN.
This is basically due to the fact that forwarding within the SP's backbone is
done on labels. The label switched paths (LSPs) set up by MPLS begin
and end at the PE routers, while the CE routers perform normal routing. It
is the job of the incoming interface on the PE router to determine which
forwarding table to use when handling a packet, because each incoming
interface on a PE router is associated with a particular VPN. This means that a
packet can enter a VPN only through an interface that is associated with that
VPN.
Traffic separation occurs without tunneling or encryption because it is
built directly into the network itself. MPLS-VPN uses Multiprotocol BGP
extensions to encode customer IPv4 address prefixes into unique VPN-IPv4
NLRIs. Through the use of the extended BGP community attribute, the PE routers
are able to control the distribution of these routes. The PE routers also
assign a label to each VPN customer route and share these labels with the other
PEs, ensuring that data packets are directed to the correct egress CE.
When a data packet is forwarded, two labels are used. The top label
directs the traffic to the correct PE router, while the second label indicates how the
packet is to be handled. MPLS then takes over by forwarding the packet across
the backbone using dynamic IP paths or traffic-engineered paths.
To simplify things further, standard IP forwarding is used between the PE
and CE routers. The PE has a per-site VRF forwarding table that contains only
the set of routes available to that CE router. The CE router is the routing peer
of the PE to which it is directly connected, but is not a routing peer of routers
at other sites. Routers at different sites do not directly exchange routing
information with each other. This allows very large VPNs to be easily
supported while simplifying the routing configuration at each individual site.
[Figure: MPLS-VPN. CE routers at each site connect to PE routers at the edge of the MPLS backbone.]
Address Space and Routing Separation:
MPLS looks at the layer 3 portion of the packet but is still able to allow
multiple VPNs to use the same address space. This is possible by adding a 64-bit
route distinguisher (RD) to each IPv4 route. This new route, called a VPN-IPv4
address, ensures that VPN-unique addresses are also unique in the MPLS core.
The only exception here is the IP addressing of the PE-to-CE links, which will
need to be unique if dynamic routing protocols are used.
MPLS provides route separation by having each PE router maintain a
separate table, called a Virtual Routing and Forwarding instance (VRF), that contains
the routes from one VPN that were learned statically or through a dynamic
routing protocol. These VRFs are separate from each other as well as from the
global routing table.
This separation is maintained across the MPLS core to the other PE routers
by utilizing multiprotocol BGP (MP-BGP). By adding unique identifiers such as
route distinguishers, MP-BGP provides the ability to uniquely identify VPN
routes through the core of the network. MP-BGP is the only way that VPN routes
are exchanged across the core. These BGP routes are not redistributed into
the core network but only to the PE routers. The PE routers exchange the
information and then place it into VPN-specific VRFs. Thus
routing across an MPLS network is separate per VPN.
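The route distinguisher, VPN-IPv4 address and route-target mechanics from the terminology list and this section, as an added Python model that is not part of the original text. The ASN 65000, the RD and route-target values, and the VRF and CE names are constructed; route targets are kept as "ASN:nn" strings instead of the extended community byte encoding.

```python
import ipaddress
import struct

def encode_rd(asn: int, assigned: int) -> bytes:
    """Type 0 route distinguisher (RFC 4364): 2-byte type, 2-byte ASN, 4-byte assigned number."""
    return struct.pack("!HHI", 0, asn, assigned)

def vpn_ipv4_nlri(rd: bytes, prefix: str) -> bytes:
    """VPN-IPv4 address: the 64-bit RD followed by the 32-bit IPv4 prefix."""
    net = ipaddress.IPv4Network(prefix)
    return rd + net.network_address.packed

class VRF:
    """One per-customer routing table on a PE; route targets simplified to 'ASN:nn' strings."""
    def __init__(self, name, rd, export_rt, import_rts):
        self.name, self.rd = name, rd
        self.export_rt, self.import_rts = export_rt, set(import_rts)
        self.local = {}     # prefix -> CE next hop, learned from the attached site
        self.imported = {}  # VPN-IPv4 NLRI -> (prefix, remote PE), learned via MP-BGP

def export_routes(vrf, pe_id):
    """MP-BGP updates a PE sends for a VRF: (NLRI, route target, prefix, next-hop PE)."""
    return [(vpn_ipv4_nlri(vrf.rd, p), vrf.export_rt, p, pe_id) for p in vrf.local]

def import_routes(vrf, updates):
    """Install only those updates whose route target is in the VRF's import list."""
    for nlri, rt, prefix, next_hop in updates:
        if rt in vrf.import_rts:
            vrf.imported[nlri] = (prefix, next_hop)
    return vrf.imported

def demo():
    # Constructed scenario: customers A and B both number a site 10.1.0.0/24 behind PE1.
    a1 = VRF("custA", encode_rd(65000, 1), "65000:100", ["65000:100"])
    b1 = VRF("custB", encode_rd(65000, 2), "65000:200", ["65000:200"])
    a1.local["10.1.0.0/24"] = "CE-A1"
    b1.local["10.1.0.0/24"] = "CE-B1"
    updates = export_routes(a1, "PE1") + export_routes(b1, "PE1")
    # PE2 holds a VRF per customer: the RD keeps the two 10.1.0.0/24 NLRIs distinct,
    # and the route target decides which VRF each one lands in.
    a2 = VRF("custA", encode_rd(65000, 1), "65000:100", ["65000:100"])
    b2 = VRF("custB", encode_rd(65000, 2), "65000:200", ["65000:200"])
    import_routes(a2, updates)
    import_routes(b2, updates)
    return updates, a2, b2
```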
MPLS-based VPNs provide both addressing and routing separation. CE
routers hold the routing tables of the VPN of which they are a member and have no
routes to other VPNs of the core. The same is the case with PE routers. P routers have no
VRF routing tables and contain only routes that belong to other routers in the
provider's network.
Security/Label Spoofing:
At the core of the MPLS network, packets are not forwarded based on IP
destination addresses, but rather based on labels that are prepended by the
PE routers. Though it is theoretically possible to spoof an MPLS packet,
practically it is not.
In MPLS the interface between the CE router and its peering PE router is
an IP interface, i.e., an interface without labels. The CE router is unaware of
the MPLS core and thinks that it is sending IP packets to a simple router. The
intelligence is in the PE router, where, based on configuration, the
device prepends a label to the packet. This is the case for all PE routers
towards CEs as well as upstream service providers. For security reasons a
PE router should never accept packets with labels on them. Thus it is not possible
to insert any fake labels, as the PE router will not accept any packets with
labels on them.
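The label handling described above (the two-label stack used across the backbone, and the rule that a PE never accepts labeled packets on its CE-facing IP interface), modelled as an added Python example that is not from the original text. The label values 16, 24 and 99, the VRF name and the CE name are constructed; the entry format follows the standard 32-bit MPLS label stack entry.

```python
import struct

ETHERTYPE_MPLS = 0x8847  # MPLS unicast
ETHERTYPE_IPV4 = 0x0800

def build_entry(label: int, tc: int, bottom: int, ttl: int) -> bytes:
    """One 32-bit label stack entry: label(20) | TC(3) | S(1) | TTL(8)."""
    return struct.pack("!I", (label << 12) | (tc << 9) | (bottom << 8) | ttl)

def parse_label_stack(data: bytes):
    """Return the list of (label, tc, s, ttl) entries and the payload after the bottom entry."""
    entries, off = [], 0
    while True:
        if off + 4 > len(data):
            raise ValueError("truncated label stack")
        word, = struct.unpack("!I", data[off:off + 4])
        entries.append((word >> 12, (word >> 9) & 0x7, (word >> 8) & 0x1, word & 0xFF))
        off += 4
        if entries[-1][2]:  # bottom-of-stack bit set
            return entries, data[off:]

def pe_ingress(iface_role: str, ethertype: int, payload: bytes, vpn_labels: dict):
    """Decide what a PE does with a received frame. iface_role is 'ce' (customer-facing,
    an IP interface) or 'core'. vpn_labels maps a VPN label to its (VRF, egress CE)."""
    if iface_role == "ce":
        if ethertype == ETHERTYPE_MPLS:
            # The text's rule: a PE never accepts labeled packets from a CE-facing interface.
            return ("drop", "labeled packet on CE-facing interface")
        return ("forward", "VRF selected by the incoming interface")
    if ethertype != ETHERTYPE_MPLS:
        return ("drop", "unlabeled packet from the core")
    stack, _ip = parse_label_stack(payload)
    # The bottom label is the VPN label this PE assigned; the top label only steered the
    # packet across the core (the previous hop may already have popped it).
    vpn_label = stack[-1][0]
    if vpn_label not in vpn_labels:
        return ("drop", "unknown VPN label %d" % vpn_label)
    return ("forward", vpn_labels[vpn_label])

def demo():
    # Constructed two-label packet: transport label 16 on top, VPN label 24 at the bottom.
    pkt = build_entry(16, 0, 0, 64) + build_entry(24, 0, 1, 64) + b"\x45\x00\x00\x14"
    table = {24: ("custA", "CE-A1")}
    return (pe_ingress("ce", ETHERTYPE_MPLS, pkt, table),
            pe_ingress("core", ETHERTYPE_MPLS, pkt, table),
            pe_ingress("core", ETHERTYPE_MPLS, build_entry(99, 0, 1, 64), table))
```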