Documente Academic
Documente Profesional
Documente Cultură
®
Private IP Service
BGP/MPLS VPN Networks
Private IP Service
BGP/MPLS VPN Networks
Advantages Disadvantages
CE GREEN
HOST CE GREEN
LAN
RD
VPN TD
LNK
TD RD
DBU
STAT WAN
NetVanta 3205
P P
LAN
STAT WAN
VPN
DBU TD RD
LNK
LAN
TD
RD
P P LAN
LAN ROUTER/
PE3 LAYER 3 SWITCH
LAN
CE GREEN
CE BLUE
LAN
LAN
RD
VPN TD
LNK
TD RD
DBU
STAT WAN
LAN
RD
VPN TD
LNK
TD RD
DBU
STAT WAN
LAN
LAN
LAN
A Private IP network is architectured around an Some new terms must be defined in order to
emerging standard known as RFC 2547 bis or more understand the concept of the BGP/MPLS VPN.
commonly by BGP/MPLS VPN. Service providers ■ Customer Edge Router (CE): Router located
use this approach to combine MPLS for forwarding
on the customer premise that terminates the
the data and BGP for controlling the routes in
connection to the carrier.
order to construct secure, cost-effective VPNs that
■ Provider Edge Router (PE): Router located at the
are easy to implement. Figure 1 illustrates a basic
network topology. ingress or egress point in the provider’s network
that terminates the connection to the CE router.
The network in Figure 1 looks like an ordinary Frame
It runs BGP on the core side of the router.
Relay hub-and-spoke or mesh network with two cus-
■ Provider Router (P): Routers inside the service
tomers connected, represented by the BLUE and
GREEN labels. In some respects, the network above provider’s network running BGP and MPLS.
is a traditional Frame Relay network, with one key Even though the local loop connects the cus-
exception—what happens when the data hits the tomer’s site via Frame Relay, the traditional concepts
service provider’s core. of Frame Relay with PVCs in the network to each site
Although the local loop is not restricted to stop here. The first departure from Frame Relay lies
Frame Relay, Frame Relay access is the most in the fact that generally only one PVC is present on
prevalent. A common misconception with an the local loop, regardless of whether the site is a
IP network like a BGP/MPLS VPN is that IP is the branch or the host site. That single PVC connects the
local loop technology. This is incorrect because IP CE router to the ingress PE router. From the core side
is not a Layer 2 technology. Frame Relay, PPP, or of the ingress PE router to the core side of the egress
ATM are examples of Layer 2 protocols which must PE router, the Frame Relay PVC and corresponding
be present. The examples used throughout this white Data Link Connection Identifier (DLCI) no longer
paper will assume the local loop is Frame Relay. exist in the network.
Internet
MPLS/BGP VPN Core
CE GREEN
HOST CE GREEN
LAN
RD
VPN TD
LNK
TD RD
DBU
STAT WAN
NetVanta 3205
P P
VRF VRF LAN
LAN
VRF VRF
LAN ROUTER/
PE3
LAN LAYER 3 SWITCH
CE GREEN
CE BLUE
LAN
LAN
RD
VPN TD
LNK
TD RD
DBU
STAT WAN
LAN
RD
VPN TD
LNK
TD RD
DBU
STAT WAN
LAN
LAN
LAN
How is Traffic Routed in the Core? VRF tables are independent. The GREEN and
Since no PVCs exist in the core, how does the BLUE customers, while physically connected to the
traffic know where to go? The answer lies in the same PE router, would never be able to route between
combination of MPLS for label switching and BGP each other’s network or even know other networks
for routing. To understand this process, a further exist. If connectivity between these customers was
explanation of the network in Figure 1 is necessary. desirable, the PE router’s VRF tables could be config-
ured accordingly.
The network in Figure 1 represents two different
customers’ networks—represented by the BLUE and The PE routers maintain BGP sessions with each
GREEN CE routers. The GREEN customer only has other and convey customer-specific route information
access to GREEN routers and similarly, the BLUE and MPLS labels between PEs (VRFs). This is accom-
customer has access only to the BLUE routers. So plished by adding properties to an advertised route,
how does the network restrict the traffic such that called Route Distinguishers, which instruct the PE to
the BLUE and GREEN customers do not see each associate a route with a specific VRF. The PE routers
other’s traffic? A new concept known as VPN Routing are BGP peers with other PE routers. The P routers
and Forwarding Table (VRF) is used in the PE routers typically run an Interior Gateway Routing Protocol
to establish a unique routing table for each customer. (IGP), like Open Shortest Path First (OSPF), within
This concept, combined with Label Switched Paths the core to provide the IP routed backbone between
(see Switching Labels section on page 8), creates a all P and PE routers. The P routers do not have
logical separation of customer networks. Figure 2 knowledge of customer routes. They simply provide
illustrates the VRF concept. paths between PE routers.
There are situations where BGP provides advantages 30-second routing table updates regardless of net-
over static routing. Three common scenarios exist work topology changes. OSPF is not well suited for
that require BGP and are generally associated with this situation because of the additional complexity
the host site requirements (non-stub VPN site). Two with OSPF areas.
situations are illustrated in Figure 2 at the BLUE host
The third situation where BGP is needed is when
site CE router. The first case is where multiple con-
multiple networks exist behind the CE router. This
nections exist between the CE router and PE router(s)
is illustrated in Figure 2 at the BLUE host site with
for redundancy, extra capacity, or tariff benefits. It is
routers or Layer 3 switches behind the CE router. If
more likely that a second connection would be to a
additional networks are added behind the CE router,
second PE router or a second carrier. This architec-
BGP running on the CE router will automatically
ture is called a multi-homed network, meaning the
notify the PE router of the new networks, allowing
CE router has multiple connections. In a multi-
all other CE routers in the network to know of the
homed architecture, BGP affords a network adminis-
new networks without any configuration changes to
trator great control over how traffic flows over the
any CE routers. While RIP and OSPF will work to
two connections. BGP is more suited to this type of
advertise routes, the service provider must configure
route control over other routing protocols.
the PE router to run multiple routing protocols. In
The second situation is one where a Disaster a spoke where no other routers are present (a stub
Recovery (DR) site is present. In this example, the VPN), a routing protocol does not benefit a
DR site is at a different location than the primary customer on the CE router.
host site. Much like the first scenario where BGP
One less common scenario in which a customer
has well defined control over routes, BGP benefits
might choose to use BGP on the CE router is for
this situation as well because of its ability to control
controlling which routes are advertised to the PE
routing. Routing Information Protocol (RIP) can be
router. This will not likely be a common scenario
used in this situation as well, but many people think
with stub VPNs.
RIP is not a robust routing protocol and can have an
impact on bandwidth because of the mandatory
CE GREEN
HOST CE GREEN
LAN
RD
VPN TD
LNK
TD RD
DBU
STAT WAN
LSP
NetVanta 3205
P P
VRF VRF LAN
P
LAN PE1 PE2 LAN ROUTER/
VRF VRF LAYER 3 SWITCH
CE BLUE LSP
P P HOST CE BLUE
LAN
LAN
RD
VPN TD
LNK
TD RD
DBU
STAT WAN
VRF VRF
LAN ROUTER/
PE3
LAN LAYER 3 SWITCH
CE GREEN
CE BLUE
LAN
LAN
RD
VPN TD
LNK
TD RD
DBU
STAT WAN
LAN
RD
VPN TD
LNK
TD RD
DBU
STAT WAN
LAN
LAN
LAN
another how is the best path chosen? BGP’s metrics Private IP networks offer many benefits over more
define the best path. Alternatively, if a customer traditional methods of connectivity. The benefits
requests a specific QoS, data flows over a specific path of Private IP service include lower monthly cost,
that is engineered to provide that level of QoS. equivalent security, easier management and configu-
ration of routers at the customer premise, and the
Traffic Prioritization availability of QoS inside the service provider’s
Neither a CPE-based VPN nor traditional Frame network. Additional benefits include the ability
Relay-based VPN have in-network QoS support to connect any site together with any other site just
generally available. While it is true that routers and by changing routing information on the service
VPN appliances can selectively mark outbound pack- provider’s PE router. This reduces cost to the
ets with a priority higher than general traffic, these customer and network complexity by eliminating
markings are not guaranteed to be honored once the the need for PVC, point-to-point, or
traffic leaves the local loop and enters the Internet or IPSec/L2TP/PPTP tunnels to each site.
service provider’s network. If an ATM-based VPN is
present, QoS is available as part of the ATM protocol, The ADTRAN Advantage
but ATM connections are not commonly found in ADTRAN’s NetVanta routers are well positioned
Enterprise-class networks with connection speeds of to support a variety of connectivity options into a
less than T3. carrier’s private IP network. The NetVanta 3000 Series
is designed for customers with bandwidth needs up
The ability to prioritize traffic is another benefit
to three T1s. The NetVanta 4000 Series includes con-
of BGP/MPLS VPNs. Part of the standard allows the
nectivity options for aggregating up to eight T1s
reservation of a certain Local Service Provider (LSP)
together, while the NetVanta 5000 Series includes sup-
through the network with a given QoS. Using a tech-
port for dual DS3s. All NetVanta routers are based on
nology called Resource Reservation Protocol (RSVP),
the ADTRAN Operating System (OS), a common
a request of each router along the path in the core can
operating system across all NetVanta routers, switch-
reserve resources to guarantee a specific level of QoS.
es, and security appliance products. ADTRAN OS
In order for the PE router to know which traffic is
supports common routing protocols such as RIP and
destined for the priority path, the CE router marks
OSPF, and provides for Frame Relay, PPP, Multilink
priority packets using DiffServ, a technology present
PPP, and PPPoE connectivity. Management of
in ADTRAN NetVanta® routers.
ADTRAN’s NetVanta routers is based around the
Internet Connectivity with Private IP industry’s de facto standard Command Line Interface
Today, when a customer needs Internet connectivity, (CLI), minimizing the need to retrain IT staff. In
the carriers surveyed do not offer a direct Internet addition to the CLI, the NetVanta 3000 Series includes
connection via their Private IP network. This is a built-in web-based Graphical User Interface (GUI)
because of the need to redistribute all Internet routes for configuration and SNMP support for third party
into each VRF table, which substantially increases the SNMP management platforms.
number of routes in the VRF table and potentially In addition, ADTRAN’s NetVanta router products
results in reduced PE router performance. are part of an overall network security solution. By
Connecting a customer’s network to the Internet including a stateful inspection firewall as part of the
is accomplished in the same way that is commonly standard feature package, network security is
found in existing Frame Relay or Point-to-Point net- enhanced without costly add-ons. Optional IPSec-
works today with a separate connection and firewall based VPN support is also available for customers
at the host site. In this architecture, Internet traffic is who need a hybrid network infrastructure model to
backhauled over the Private IP network. If the host support mobile users or gateway-to-gateway VPNs.
site firewall is not configured properly, only that cus- Finally, every ADTRAN NetVanta product
tomer’s network is affected because of the inherent includes no cost pre- and post-sale technical support
security found in the Private IP core by virtue of the and software updates for the life of the product
VRF tables in the PE routers. without requiring a costly maintenance contract.
For more information on ADTRAN’s complete
family of NetVanta LAN-to-WAN products, see
ADTRAN’s Dare to Compare web site at:
www.dare2compare.adtran.com
An ADTRAN White Paper • 9
ADTRAN, Inc.
Attn: Enterprise Networks
901 Explorer Boulevard
Huntsville, AL 35806
General Information
800 9ADTRAN
info@adtran.com About ADTRAN®
www.adtran.com
ADTRAN, Inc. is one of the world’s most successful net-
Pre-Sales work access equipment suppliers, with a 17-year history of
Technical Support profitability and a portfolio of more than 1,300 solutions
800 615-1176 toll-free for use in the last mile of today’s telecommunications net-
application.engineer@adtran.com
works. Widely deployed by carriers and enterprises,
www.adtran.com/support
ADTRAN solutions enable voice, data, video, and Internet
Where to Buy communications across copper, fiber, and wireless network
877 280-8416 toll-free infrastructures. ADTRAN solutions are currently in use by
channel.sales@adtran.com
www.adtran.com/where2buy every major domestic service provider and many interna-
tional ones, as well as by thousands of public, private and
Post-Sales governmental organizations worldwide.
Technical Support
888 423-8726
support@adtran.com
www.adtran.com/support
International Inquiries
256 963 8000 voice
ADTRAN, Inc.
256 963-6300 fax
901 Explorer Boulevard
international@adtran.com
www.adtran.com/international Huntsville, Alabama 35806
P.O. Box 140000
For the regional office Huntsville, Alabama 35814-4000
nearest you, visit:
www.adtran.com/regional 800 9ADTRAN 256 963-8000 voice
To download a searchable version 256 963-8004 fax
of the 2005 ADTRAN Enterprise info@adtran.com e-mail
Networks Catalog, visit: www.adtran.com website
www.adtran.com/ecatalog
ADTRAN, Inc. is committed to utilize
Minority Business Enterprises (MBE),
Woman-Owned Business Enterprises
(WBE) and Disabled Veteran Business
Enterprises (DVBE) whenever possible
and practical for procurements supporting
ADTRAN is an ADTRAN and our customers.
ISO 9001: 2000 certified supplier.
Copyright © 2005
ADTRAN, Inc. All rights reserved.
ADTRAN and NetVanta are registered
ADTRAN is a
trademarks of ADTRAN, Inc. All other
TL 9000 3.0 certified supplier. trademarks and registered trademarks are
the property of their respective owners.
EN683A