
L2 MPLS VPNs

Hector Avalos
Technical Director-Southern Europe
havalos@juniper.net
Juniper Networks, Inc. Copyright 2000

Agenda: L2 MPLS VPNs

- Overview of VPNs
- Provider-provisioned taxonomy
- Operational model
- Conclusion

What is a VPN?

[Figure: corporate headquarters, a branch office, suppliers/partners/customers, and mobile users and telecommuters connected over a shared infrastructure; the intranet, extranet and remote-access relationships are drawn over it]

A private network constructed over a shared infrastructure
- Virtual: not a separate physical network
- Private: separate addressing and routing
- Network: a collection of devices that communicate
- Policies are key: global connectivity is not the goal

Deploying VPNs in the 1990s

[Figure: provider Frame Relay network of FR switches, with CPE routers attached over DLCIs]

Operational model
- PVCs overlay the shared infrastructure (ATM/Frame Relay)
- Routing occurs at the customer premises

Benefits
- Mature technologies
- Relatively secure
- Service commitments (bandwidth, availability, and more)

Limitations
- Scalability, provisioning and management
- Not a fully integrated IP solution

Improving Traditional Layer 2 VPNs

[Figure: traditional (Layer 2) VPNs, customer routers attached to Frame Relay/ATM switches; the single infrastructure carries Internet, L3 MPLS VPN and L2 MPLS VPN services]

- Decouple edge (customer-facing) technology from core technology
- Have a single network infrastructure for all desired services
- Simplify provisioning: appropriate signaling mechanisms for VPN autoprovisioning

VPN Classification Model

[Figure: CPE-VPN, with VPN tunnels running CPE to CPE between subscriber sites 1, 2 and 3 across the provider's PEs; PP-VPN, with VPN tunnels running PE to PE]

Customer-managed VPN solutions (CPE-VPNs)
- Layer 2: L2TP and PPTP
- Layer 3: IPSec

Provider-provisioned VPN solutions (PP-VPNs)
- Layer 3: MPLS-based VPNs (RFC 2547bis)
- Layer 3: non-MPLS-based VPNs (virtual routers)
- Layer 2: MPLS VPNs

PP-VPNs: Layer 2 Classification

- Service provider delivers Layer 2 circuit IDs (DLCI, VPI/VCI, 802.1q VLAN) to the customer, one for each reachable site
- Customer maps their own routing architecture to the circuit mesh
- Provider router maps the circuit ID to a Label Switched Path (LSP) to traverse the provider core
- Customer routes are transparent to provider routers
- Provider-provisioned L2 MPLS VPN Internet drafts:
  draft-kompella-mpls-l2vpn-02.txt
  draft-martini-l2circuit-encap-mpls-01.txt


Customer Edge Routers

[Figure: CE routers of VPN A and VPN B attached over FR and ATM to PE routers]

Customer Edge (CE) routers
- Router or switch device located at the customer premises providing access to the service provider network
- Layer 2 (FR, ATM, Ethernet) and Layer 3 (IP, IPX, SNA) independence of the service provider network
- CEs within a VPN use the same L2 technology to access the service provider network
- Requires a sub-interface per CE it needs to interconnect to within the VPN
- Maintains routing adjacencies with other CEs within the VPN

Provider Edge Routers

[Figure: the same VPN A / VPN B topology, with the PE routers highlighted]

Provider Edge (PE) routers
- Maintain site-specific VPN Forwarding Tables
- Exchange VPN Connection Tables with other PE routers using MP-iBGP or LDP
- Use MPLS LSPs to forward VPN traffic

Provider Routers

[Figure: the same VPN A / VPN B topology, with the provider core routers highlighted]

Provider (P) routers
- Forward data traffic transparently over established LSPs
- Do not maintain VPN-specific forwarding information

VPN Forwarding Tables (VFT)

[Figure: PE 1, PE 2 and PE 3 connected over ATM to CEA1, CEA2, CEA3 (VPN A sites 1 to 3) and CEB1, CEB2 (VPN B sites 1 and 2), each site running OSPF]

A VFT is created for each site connected to the PE.

Each VFT is populated with:
- The forwarding information provisioned for the local CE sites
- VPN Connection Tables received from other PEs via iBGP or LDP

VPN Connection Tables (VCT)

[Figure: PE-1 and PE-2 each hold VFTs for their attached CEs (CE-1, CE-2 and CE-4 at sites 1 and 2) and exchange VCTs over an MP-iBGP session / LDP]

A VCT is distributed for each VPN site to the PEs.
- The VCT is a subset of the information held by the VFT
- VCTs are distributed by the PEs via iBGP or LDP

L2 VPN Provisioning

- Provisioning the network
- Provisioning the CEs
- Provisioning the VPN (PEs)
- VPN Connection Table distribution

Assumption: access technology is Frame Relay (other cases are similar)

Provisioning the Network

[Figure: PE 1, PE 2 and PE 3 with VPN A sites 1 to 3 and VPN B sites 1 and 2 attached over ATM, OSPF running at each site]

- PE-to-PE LSPs pre-established via RSVP-TE, LDP, or LDP over RSVP-TE tunneling
- LSPs used for many services: IP, L2 VPN, L3 VPN, ...
- Provisioned independent of Layer 2 VPNs

Provisioning Customer Sites

CE-4 routing table (DLCIs 63, 75, 82, 94):

  Destination   Out
  10/8          DLCI 63
  20/8          DLCI 75
  30/8          DLCI 82
  -             DLCI 94 (spare)

- List of DLCIs: one for each site, some spare for over-provisioning
- DLCIs independently numbered at each site
- LMI, inverse ARP and/or routing protocols for auto-discovery and learning addresses
- No changes as VPN membership changes, until over-provisioning runs out

Provisioning CEs at the PE

A VFT is provisioned at each PE for each CE.

CE4 VFT:

  VPN ID        RED VPN
  CE ID         4
  CE Range      4
  Label base    1000
  Sub-int IDs   63, 75, 82, 94

The CE4 VCT is the subset of these fields that is advertised: VPN ID, CE ID, CE Range and Label base.

- VPN-ID: unique value within the service provider network
- CE-ID: unique value in the context of a VPN
- CE Range: maximum number of CEs that it can connect to
- Sub-interface list: set of local sub-interface IDs assigned for the CE-PE connection
- Label base: label assigned to the first sub-interface ID
- The PE reserves N contiguous labels, where N is the CE Range

Provisioning CEs at the PE

[Figure: PE-1 (CE-1, CE-2 at sites 1 and 2) and PE-2 (CE-4) with per-CE VFTs; CE-4 attaches to PE-2 over Frame Relay]

CE4 VFT (RED VPN, CE ID 4, CE Range 4):

  Sub-int ID   CE4's DLCI to   Label   Label used by ... to reach CE4
  63           CE0             1000    CE0
  75           CE1             1001    CE1
  82           CE2             1002    CE2
  94           CE3             1003    CE3

PE-2 is configured with the CE4 VFT.

Distributing VCTs

- Key: signalling using LDP or MP-iBGP
- Auto-discovery of members
- Auto-assignment of inter-member circuits
- Flexible VPN topology
- O(N) configuration for the whole VPN (could be more for complex topologies)
- O(1) configuration to add a site
- Overprovision DLCIs (sub-interfaces) at customer sites

Distributing VCTs

[Figure: PE-2 sends the CE4 VCT update (RED VPN, CE ID 4, CE Range 4, Label base 1000) to PE-1 over the MP-iBGP session / LDP; label 1002 is the label used by CE2 to reach CE4]

PE-1 accepts PE-2's CE4 VCT.

Updating VFTs

[Figure: PE-1 holds the CE2 VFT; CE-2 attaches to PE-1 on FR DLCI 82, and DLCI 414 is CE-2's sub-interface towards CE-4]

CE2 VFT at PE-1:

  CE ID   Sub-int ID   Inner label   Outer label
  1       107          7500
  2       209          5020
  3       265          9350
  4       414          1002          500 (LSP to PE-2)

Inner label 1002 is the label used to reach CE4; outer label 500 identifies the LSP to PE-2.

PE-1 updates its CE2 VFT.
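The VCT exchange described on the last few slides, worked as an added Python model (this is illustration written for this page, not code from the deck or from Juniper): PE-2 extracts the CE4 VCT from its CE4 VFT, PE-1 accepts it and fills in the inner and outer label columns of its CE2 VFT. The label rule, inner label = remote label base + local CE ID, is the one the CE4 table shows (label base 1000: CE0 uses 1000, CE2 uses 1002). The acceptance checks, the LSP table, and the CE range and label base of CE2 (which the slides do not give) are assumptions; the range check is what fires when the remote site's over-provisioning has run out.

```python
"""PE-2 builds the CE4 VCT from its VFT; PE-1 accepts it into its CE2 VFT.

Added illustration, not code from the deck or from Juniper.  The label rule
(inner = remote label base + local CE ID) follows the deck's CE4 table; the
checks in accept_vct, the LSP table and CE2's range/label base are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class VFT:
    """VPN Forwarding Table provisioned at a PE for one locally attached CE."""
    vpn_id: str
    ce_id: int
    ce_range: int                # max CEs this CE can reach; the PE reserves this many labels
    label_base: int              # first label of the reserved contiguous block
    sub_ints: Dict[int, int]     # remote CE ID -> local sub-interface (DLCI) towards it
    inner: Dict[int, int] = field(default_factory=dict)   # remote CE ID -> site label
    outer: Dict[int, int] = field(default_factory=dict)   # remote CE ID -> IGP label (LSP)


@dataclass(frozen=True)
class VCT:
    """The subset of a VFT that the PE advertises to other PEs (MP-iBGP or LDP)."""
    vpn_id: str
    ce_id: int
    ce_range: int
    label_base: int
    origin_pe: str               # originating PE; selects the LSP, hence the outer label


def build_vct(vft: VFT, pe_name: str) -> VCT:
    """Extract the VCT from a local VFT; the sub-interface list stays local."""
    return VCT(vft.vpn_id, vft.ce_id, vft.ce_range, vft.label_base, pe_name)


def accept_vct(local_vfts: List[VFT], lsps: Dict[str, int], vct: VCT) -> List[str]:
    """Apply a received VCT to every local VFT of the same VPN.

    Returns one decision line per VFT so an operator can see why a site did or
    did not get a circuit.  The checks are assumptions made for this example.
    """
    decisions = []
    for vft in local_vfts:
        if vft.vpn_id != vct.vpn_id:
            continue                                    # different VPN: ignore silently
        tag = f"{vft.vpn_id} CE{vft.ce_id} <- CE{vct.ce_id}@{vct.origin_pe}"
        if vft.ce_id == vct.ce_id:
            decisions.append(f"{tag}: own CE ID, ignored")
        elif vft.ce_id >= vct.ce_range:
            # The remote CE reserved no label slot for us: its over-provisioning ran out.
            decisions.append(f"{tag}: rejected, remote CE range {vct.ce_range} exhausted")
        elif vct.ce_id not in vft.sub_ints:
            decisions.append(f"{tag}: rejected, no spare local sub-interface")
        elif vct.origin_pe not in lsps:
            decisions.append(f"{tag}: rejected, no LSP to {vct.origin_pe}")
        else:
            vft.inner[vct.ce_id] = vct.label_base + vft.ce_id   # label the remote PE expects
            vft.outer[vct.ce_id] = lsps[vct.origin_pe]           # LSP towards the remote PE
            decisions.append(f"{tag}: installed sub-int {vft.sub_ints[vct.ce_id]} "
                             f"-> inner {vft.inner[vct.ce_id]}, outer {vft.outer[vct.ce_id]}")
    return decisions


# Sample provisioning.  Values come from the deck's CE4 and CE2 slides where given.
def pe2_ce4_vft() -> VFT:
    return VFT("RED", 4, 4, 1000, sub_ints={0: 63, 1: 75, 2: 82, 3: 94})


def pe1_ce2_vft() -> VFT:
    # CE2's range and label base are not on the slides: constructed values.
    return VFT("RED", 2, 8, 2000, sub_ints={1: 107, 2: 209, 3: 265, 4: 414})


def pe1_ce7_vft() -> VFT:
    # Constructed extra site with CE ID 7, to show the range check firing.
    return VFT("RED", 7, 8, 3000, sub_ints={4: 611})


def run_exchange() -> List[VFT]:
    """PE-2 advertises CE4's VCT; PE-1 updates its VFTs and returns them."""
    vct = build_vct(pe2_ce4_vft(), "PE-2")
    pe1_vfts = [pe1_ce2_vft(), pe1_ce7_vft()]
    pe1_lsps = {"PE-2": 500}             # outer label of PE-1's LSP to PE-2 (deck value)
    for line in accept_vct(pe1_vfts, pe1_lsps, vct):
        print(line)
    return pe1_vfts


if __name__ == "__main__":
    run_exchange()
```

Running it installs inner label 1002 and outer label 500 against sub-interface 414 in the CE2 VFT, which is the row the Updating VFTs slide shows, and logs a rejection for the constructed CE7, whose ID lies beyond CE4's range of 4.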

Data Flow

[Figure: CE-2 at site 1 sends a packet on DLCI 414 to PE-1; CE-4 at site 2 attaches to PE-2 on DLCI 82]

CE-2 sends packets to the PE via the DLCI which connects to CE-4 (414).

Data Flow

[Figure: at PE-1: 1) lookup DLCI in the Red VFT, 2) push VPN label (1002), 3) push IGP label (500); the packet leaves PE-1 as IGP label (500) | site label (1002) | packet]

- The DLCI number is removed by the ingress PE
- Two labels are derived from the VFT sub-interface lookup and pushed onto the packet
- Outer IGP label: identifies the LSP to the egress PE router; derived from the core's IGP and distributed by RSVP or LDP
- Inner site label: identifies the outgoing sub-interface from the egress PE to the CE; derived from the MP-iBGP/LDP VCT distributed by the egress PE

Data Flow

[Figure: the packet, IGP label (z) | site label (1002) | packet, crosses the P routers towards PE-2; site 2 is 10.1/16]

- After packets exit the ingress PE, the outer label is used to traverse the LSP
- P routers are not VPN-aware

Data Flow

[Figure: the penultimate hop pops the top label; the packet arrives at PE-2 as site label (1002) | packet]

- The outer label is removed through penultimate hop popping (before reaching the egress PE)

Data Flow

[Figure: PE-2 forwards the native packet to CE-4 on DLCI 82]

- The inner label is removed at the egress PE
- The egress PE does a label lookup to find the corresponding DLCI value
- The native Frame Relay packet is sent to the corresponding outbound sub-interface
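The five Data Flow slides, worked end to end as an added Python model (written for this page; not code from the deck or from Juniper): the ingress PE looks the DLCI up in the VFT and pushes the site label and the IGP label, the P routers swap the outer label and the penultimate hop pops it, and the egress PE resolves the remaining site label against the block it reserved for CE4 to find the outbound DLCI. The table values are the deck's (CE2 VFT: DLCI 414 maps to inner 1002 and outer 500; CE4: label base 1000, CE range 4, sub-interfaces 63/75/82/94). The frame representation, the P-router label tables and the drop rules at each hop are assumptions.

```python
"""Label-stack handling on the L2 MPLS VPN data path.

Added example, not code from the deck or from Juniper.  Table values are the
deck's; the frame layout, the P-router LFIBs and the drop rules are assumptions.
"""
from typing import Dict, List, Optional, Tuple

# A frame is (label stack, top of stack first, payload without its DLCI header).
Frame = Tuple[List[int], bytes]

# PE-1, CE2 VFT: local DLCI -> (inner site label, outer IGP label)
CE2_VFT: Dict[int, Tuple[int, int]] = {414: (1002, 500)}

# PE-2, CE4 VFT: the reserved label block and the sub-interface list
CE4_LABEL_BASE = 1000
CE4_CE_RANGE = 4
CE4_SUB_INTS = [63, 75, 82, 94]      # index i = CE4's DLCI towards the CE with ID i

# P routers on the LSP: incoming outer label -> outgoing label, None = pop (PHP).
# Constructed tables; the deck only shows the outer label changing to "z".
P1_LFIB: Dict[int, Optional[int]] = {500: 501}
P2_LFIB: Dict[int, Optional[int]] = {501: None}   # penultimate hop


def ingress_pe(dlci: int, payload: bytes,
               vft: Dict[int, Tuple[int, int]]) -> Optional[Frame]:
    """Ingress steps 1-3: lookup DLCI in the VFT, push VPN label, push IGP label."""
    entry = vft.get(dlci)
    if entry is None:
        return None                       # DLCI not provisioned in this VFT: drop
    inner, outer = entry
    return ([outer, inner], payload)      # DLCI header removed, two labels pushed


def p_router(frame: Frame, lfib: Dict[int, Optional[int]]) -> Optional[Frame]:
    """Outer label swap or penultimate pop; the inner label is never inspected."""
    labels, payload = frame
    if not labels or labels[0] not in lfib:
        return None                       # no LSP state for this label: drop
    out = lfib[labels[0]]
    rest = labels[1:]
    return (rest, payload) if out is None else ([out] + rest, payload)


def egress_pe(frame: Frame, label_base: int, ce_range: int,
              sub_ints: List[int]) -> Optional[Tuple[int, bytes]]:
    """Pop the site label and resolve it to the outbound sub-interface (DLCI)."""
    labels, payload = frame
    if len(labels) != 1:
        return None                       # after PHP exactly the site label must remain
    offset = labels[0] - label_base
    if not 0 <= offset < min(ce_range, len(sub_ints)):
        return None                       # label outside the block reserved for this CE: drop
    return (sub_ints[offset], payload)


def forward(dlci: int, payload: bytes) -> Optional[Tuple[int, bytes]]:
    """Run one frame from CE-2 through PE-1, two P routers and PE-2 towards CE-4."""
    frame = ingress_pe(dlci, payload, CE2_VFT)
    for lfib in (P1_LFIB, P2_LFIB):
        if frame is None:
            return None
        frame = p_router(frame, lfib)
    if frame is None:
        return None
    return egress_pe(frame, CE4_LABEL_BASE, CE4_CE_RANGE, CE4_SUB_INTS)


if __name__ == "__main__":
    print(forward(414, b"ip packet"))     # (82, b'ip packet'): CE-4 receives it on DLCI 82
```

Label 1002 is offset 2 into CE4's block, so the egress PE hands the frame to sub-interface 82, the DLCI the provisioning slide listed as "CE4's DLCI to CE2". The same offset check is what keeps a site label that falls outside a CE's reserved block from being mapped onto another customer's circuit at the egress PE.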

VPN Topologies

- Arbitrary topologies are possible: full mesh, hub-and-spoke
- BGP communities are used to configure VPN topologies when using BGP signaling
- The connectivity parameter serves a similar purpose in LDP signaling
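How communities shape the topology, as an added Python model (written for this page; not code from the deck or from Juniper): each site's VCT is tagged with a community on export, and a PE imports a received VCT only if it carries a community its import policy lists. With a hub community and a spoke community, the hub imports everything and a spoke imports only the hub, so spokes never learn each other's circuits. The community values, the shape of the export and import policies and the sample membership are assumptions; the deck states only that communities configure the topology.

```python
"""Topology control for VCT distribution with BGP communities.

Added example, not code from the deck or from Juniper.  Community strings,
policy shapes and the sample membership are assumptions.
"""
from typing import Dict, Set, Tuple

HUB = "RED:hub"        # constructed community values
SPOKE = "RED:spoke"


def export_communities(role: str) -> Set[str]:
    """Communities attached to a site's VCT when its PE advertises it."""
    return {HUB} if role == "hub" else {SPOKE}


def import_communities(role: str, topology: str) -> Set[str]:
    """Communities a site's PE accepts on received VCTs."""
    if topology == "full-mesh":
        return {HUB, SPOKE}                   # every site learns every other site
    # hub-and-spoke: the hub learns all sites, a spoke learns only the hub
    return {HUB, SPOKE} if role == "hub" else {HUB}


def learned_sites(sites: Dict[int, str], topology: str) -> Dict[int, Set[int]]:
    """For each CE ID, the set of remote CE IDs whose VCTs its PE imports."""
    result: Dict[int, Set[int]] = {}
    for ce, role in sites.items():
        accept = import_communities(role, topology)
        result[ce] = {other for other, other_role in sites.items()
                      if other != ce and export_communities(other_role) & accept}
    return result


def circuits(sites: Dict[int, str], topology: str) -> Set[Tuple[int, int]]:
    """Circuits that end up provisioned: both ends must have imported each other."""
    learned = learned_sites(sites, topology)
    return {(a, b) for a in sites for b in learned[a] if a < b and a in learned[b]}


SAMPLE_SITES = {1: "hub", 2: "spoke", 3: "spoke", 4: "spoke"}   # constructed membership

if __name__ == "__main__":
    print(sorted(circuits(SAMPLE_SITES, "hub-and-spoke")))   # [(1, 2), (1, 3), (1, 4)]
    print(sorted(circuits(SAMPLE_SITES, "full-mesh")))       # all six pairs
```

The requirement that both ends import each other is the check worth keeping in a real policy: a circuit half-learned on one side is the kind of inconsistency that leaves a DLCI provisioned towards a site that will never answer.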

Conclusions

A Range of VPN Solutions

- Each customer has different:
  security requirements
  staff expertise
  tolerance for outsourcing
- Customer networks vary by size and traffic volume
- Providers also have different preferences concerning:
  extensive policy management
  inclusion of customer routes in backbone routers
  approaches to managed service

MPLS-Based Layer 2 VPNs

- MPLS-based Layer 2 VPNs are identical to Layer 2 VPNs from the customer's perspective:
  familiar paradigm
  Layer 3 independent
  provider not responsible for routing
  no hacks for OSPF
  rely on the SP only for connectivity
- MPLS transport in the provider network:
  decouples edge and core Layer 2 technologies
  multiple services over a single infrastructure
- Label stacking:
  single network architecture for both Internet and VPN services
  provision once, and use the same LSP for multiple purposes
- Auto-provisioning VPN

MPLS-based Layer 2 VPNs: Advantages

Subscriber
- Outsourced WAN infrastructure
- Easy migration from existing Layer 2 fabric
- Can maintain routing control, or opt for managed service
- Supports any Layer 3 protocol
- Supports multicast

Provider
- Complements RFC 2547bis: operates over the same core, using the same outer LSP
- Existing Frame Relay and ATM VPNs can be collapsed onto a single IP/MPLS infrastructure
- Label stacking allows multiple services over a single LSP
- No scalability problems associated with storing numerous customer VPN routes
- Simpler than the extensive policy-based configuration used with 2547

MPLS-based Layer 2 VPNs: Disadvantages

- Circuit type (ATM/FR) to each VPN site must be uniform
- Managed network service required for provider revenue opportunity
- Customer must have routing expertise (or opt for managed service)

Layer 2 MPLS-based VPNs: Application

Customer profile
- High degree of IP expertise
- Desire to control their own routing infrastructure
- Prefer to outsource tunneling
- Large number of users and sites

Provider profile
- MPLS deployed in the core
- Migrating an existing ATM or Frame Relay network
- Offers CPE managed service, or provisions only the Layer 2 circuits at a premium cost

Layer 2 MPLS-based VPNs are ideal for this customer profile.

Thank you!
http://www.juniper.net
