Hector Avalos
Technical Director-Southern Europe
havalos@juniper.net
Juniper Networks, Inc. Copyright 2000

L2 MPLS VPNs

Overview
Provider-provisioned VPN taxonomy
Operational model
Conclusion
What is a VPN?
[Figure: corporate headquarters, a branch office and remote-access users connected over a shared infrastructure; the connections between company sites form the intranet, those to suppliers, partners and customers form the extranet.]
[Figure: traditional Layer 2 VPN. CPE routers at each site attach to Frame Relay switches; each virtual circuit between sites is identified at the CPE by a DLCI.]
Benefits
Mature technologies
Relatively secure (traffic separation is enforced by the provider's switches, not by encryption)
Service commitments (bandwidth, availability, and more)
Operational model
Limitations

Improving Traditional Layer 2 VPNs
Internet
L3 MPLS VPNs
L2 MPLS VPNs
Simplify provisioning
Classification of VPNs
[Figure: CPE-based VPN (CPE-VPN), in which the VPN tunnels run between the CPE routers at Subscriber Sites 1, 2 and 3, versus a provider-provisioned VPN (PP-VPN), in which the tunnels run between the provider's PE routers and the CPE sees only its access link.]

PP-VPNs: Layer 2
draft-kompella-mpls-l2vpn-02.txt
draft-martini-l2circuit-encap-mpls-01.txt
Operational Model
[Figure (three slides): reference topology for L2 MPLS VPNs. Customer edge (CE) devices belonging to VPN A and VPN B attach over Frame Relay (FR) or ATM to provider edge (PE) routers; the PEs are interconnected by provider routers in the MPLS core.]
A VFT is created for each site connected to the PE.
VPN Connection Tables are received from other PEs via iBGP or LDP.
[Figure: PE 1, PE 2 and PE 3, each attaching CEs of VPN A (CEA1, CEA2, CEA3 at Sites 1 to 3) and VPN B (CEB1, CEB2 at Sites 1 and 2) over ATM; the CEs of each VPN run OSPF with one another across the provider core.]
[Figure: PE-1 and PE-2, each holding one VFT per attached CE; CE-1 and CE-2 at Site 1, CE-4 at Site 2.]

L2 VPN Provisioning
[Figure: the same three-PE topology (VPN A Sites 1 to 3 with CEA1 to CEA3, VPN B Sites 1 and 2 with CEB1 and CEB2; ATM attachment circuits; OSPF between the CEs).]
VPN A, Site 3: the CE has four DLCIs (63, 75, 82, 94) and forwards by destination prefix:

In      Out
10/8    DLCI 63
20/8    DLCI 75
30/8    DLCI 82
-       DLCI 94
CE4 VCT: label base 1000; DLCIs 63, 75, 82, 94
Distributing VCTs
Auto-discovery of members
[Figure: PE-1 (CE-1 and CE-2 at Site 1) and PE-2 (CE-4 at Site 2) connected over Frame Relay, each PE holding one VFT per attached CE.]

CE4 VFT (RED VPN): VPN ID RED, CE ID 4, CE Range 4, Label base 1000

Sub-int ID                Label
DLCI 63 (CE4 to CE0)      1000 (used by CE0 to reach CE4)
DLCI 75 (CE4 to CE1)      1001 (used by CE1 to reach CE4)
DLCI 82 (CE4 to CE2)      1002 (used by CE2 to reach CE4)
DLCI 94 (CE4 to CE3)      1003 (used by CE3 to reach CE4)
Distributing VCTs
[Figure: PE-2 advertises CE-4's VCT (RED VPN: VPN ID RED, CE ID 4, CE Range 4, Label base 1000) to PE-1; PE-1 derives from it the label CE-2 uses to reach CE-4, 1002.]
Updating VFTs
[Figure (two slides): CE-2 at Site 1 attaches to PE-1, CE-4 at Site 2 attaches to PE-2, over Frame Relay; an LSP runs from PE-1 to PE-2. CE-2's sub-interface toward CE-4 is DLCI 414 and CE-4's sub-interface toward CE-2 is DLCI 82.]

CE2 VFT at PE-1

CE ID    Sub-int ID    Inner Label
1        107           7500
2        209           5020
3        265           9350
4        414           1002
Data Flow
[Figure (five slides): a packet from CE-2 (Site 1) to CE-4 (Site 2, 10.1/16) crosses PE-1 and PE-2 over the LSP.]
1) PE-1 receives the frame from CE-2 on DLCI 414 and looks the DLCI up in the Red VFT.
2) PE-1 pushes the VPN label (1002).
3) PE-1 pushes the IGP label (500).
4) The penultimate router pops the top (IGP) label.
5) PE-2 uses the remaining VPN label to select CE-4's VFT entry, pops it, and delivers the packet to CE-4 on DLCI 82.
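The provisioning slides (VCT distribution, VFT derivation) and the data-flow slides above describe one mechanism; what follows is an added Python model of it, written for this page and not taken from the deck or from Juniper code. It assumes the label rule the slide tables imply (inner label = remote CE's label base + local CE ID, valid only while the local CE ID is inside the remote CE's range), uses the slide's values for CE4 (base 1000, range 4, DLCIs 63/75/82/94) and CE2 (DLCIs 107/265/414 and inner labels 7500/9350/1002), and constructs the remaining bases, PE names and the BLUE advertisement. Class and function names are this example's own.

```python
"""Constructed model of the L2 MPLS VPN label scheme shown on the slides.

Each PE advertises, per attached CE, (VPN ID, CE ID, label base, CE range);
every PE then derives, for each of its own CEs, one VFT entry per remote CE
of the same VPN.  Values are taken from, or constructed to match, the slide
tables; names are this example's own, not Juniper's.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advertisement:
    """One CE's VCT as its PE advertises it (via iBGP or LDP on the slides)."""
    vpn_id: str
    ce_id: int
    label_base: int
    ce_range: int        # block covers sender CE IDs 0 .. ce_range-1 (slide: CE0..CE3)
    pe: str              # PE the CE is attached to
    sub_ifs: dict        # remote CE ID -> DLCI of this CE's sub-interface toward it


@dataclass(frozen=True)
class VftEntry:
    remote_ce: int
    remote_pe: str
    vpn_label: int       # inner label pushed toward remote_ce


def inner_label(sender_ce: int, target: Advertisement) -> int:
    """Label sender_ce uses to reach target: label base + sender CE ID, as the
    slide table implies (CE4, base 1000: CE0..CE3 use 1000..1003)."""
    if not 0 <= sender_ce < target.ce_range:
        raise ValueError(f"CE {sender_ce} is outside CE{target.ce_id}'s range {target.ce_range}")
    return target.label_base + sender_ce


def check_label_blocks(local_advs: list) -> None:
    """Blocks on one PE must not overlap, or an inner label is ambiguous at egress."""
    blocks = sorted((a.label_base, a.label_base + a.ce_range) for a in local_advs)
    for (_, end), (start, _) in zip(blocks, blocks[1:]):
        if start < end:
            raise ValueError("overlapping label blocks on one PE")


def build_vft(local: Advertisement, received: list) -> dict:
    """VFT for one local CE, keyed by local sub-interface (DLCI).
    Auto-discovery: only advertisements with the same VPN ID are installed."""
    vft = {}
    for adv in received:
        if adv.vpn_id != local.vpn_id or adv.ce_id == local.ce_id:
            continue
        dlci = local.sub_ifs.get(adv.ce_id)
        if dlci is None:
            continue      # no sub-interface provisioned toward that member yet
        vft[dlci] = VftEntry(adv.ce_id, adv.pe, inner_label(local.ce_id, adv))
    return vft


def ingress(vft: dict, in_dlci: int, igp_labels: dict) -> list:
    """Data-flow steps 1-3: look the DLCI up, push the VPN label, push the
    IGP label.  Returns the label stack, top label first."""
    entry = vft[in_dlci]
    return [igp_labels[entry.remote_pe], entry.vpn_label]


def penultimate_hop_pop(stack: list) -> list:
    """The router before the egress PE pops the top (IGP) label."""
    if len(stack) != 2:
        raise ValueError("expected an IGP label above the VPN label")
    return stack[1:]


def egress(local_advs: list, stack: list) -> tuple:
    """Egress PE: the inner label selects the local CE (by block) and the
    sender CE (by offset), hence the outgoing DLCI.  A label outside the
    PE's own blocks is rejected, never forwarded on a guess."""
    (label,) = stack
    for adv in local_advs:
        if adv.label_base <= label < adv.label_base + adv.ce_range:
            return adv.ce_id, adv.sub_ifs[label - adv.label_base]
    raise KeyError(f"label {label} belongs to no block on this PE")


# Constructed topology: CE-2 on PE-1 and CE-4 on PE-2 in the RED VPN.  CE4's
# block is the slide's; CE1/CE3 bases are chosen so CE2's VFT reproduces the
# slide's 7500/9350; BLUE reuses CE ID 4 to show VPN IDs keep members apart.
CE1 = Advertisement("RED", 1, 7498, 4, "PE-3", {2: 301})
CE2 = Advertisement("RED", 2, 5018, 4, "PE-1", {1: 107, 3: 265, 4: 414})
CE3 = Advertisement("RED", 3, 9348, 4, "PE-2", {2: 333})
CE4 = Advertisement("RED", 4, 1000, 4, "PE-2", {0: 63, 1: 75, 2: 82, 3: 94})
OTHER = Advertisement("BLUE", 4, 2000, 4, "PE-2", {2: 99})
IGP_LABELS = {"PE-2": 500, "PE-3": 700}     # PE-1's transport labels (constructed)


def demo() -> tuple:
    """CE-2 -> CE-4 as on the data-flow slides: in on DLCI 414, out on DLCI 82."""
    check_label_blocks([CE3, CE4, OTHER])                      # PE-2's blocks
    vft_ce2 = build_vft(CE2, [CE1, CE3, CE4, OTHER])
    stack = ingress(vft_ce2, 414, IGP_LABELS)                  # [500, 1002]
    delivered = egress([CE3, CE4, OTHER], penultimate_hop_pop(stack))
    return stack, delivered                                    # ([500, 1002], (4, 82))
```

Calling demo() walks one frame through the five data-flow steps. The two checks are the ones a practitioner should want from a real implementation: a PE must refuse to install a member whose CE ID falls outside the advertised range, and at egress it must only honour inner labels from blocks it allocated itself, since the inner label is the only thing separating one customer's frames from another's.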
VPN Topologies
full mesh
hub-and-spoke
Conclusions
Security requirements
Staff expertise

Familiar paradigm
Layer 3 independent
Provider not responsible for routing
No hacks for OSPF (the provider does not take part in the customer's IGP)
Rely on SP only for connectivity

Label stacking
Auto-provisioning of VPNs

Subscriber
Provider
Operates over the same core, using the same outer LSP

Customer profile
Provider profile

Thank you!
http://www.juniper.net