
IP NETWORKS

Agenda
Virtual Private Network
IP MPLS Virtual Private Network

VIRTUAL PRIVATE NETWORKS

VPN

What is a VPN?
A Virtual Private Network (VPN) is a network in which customer connectivity among multiple sites is deployed over a public infrastructure with high security.

Virtual Private Network Models
Overlay Model
Peer to Peer Model

VPN Models
Overlay Model
The service provider provides customers with a set of emulated leased lines between customer sites, for example Frame Relay circuits (PVCs) or point-to-point leased circuits.

VPN Models: Overlay Model (Over Point to Point Leased Lines)

[Diagram: CE Office 1 to CE Office 5 interconnected through the service provider network, built as a TDM network, a data muxs network, or a TDM network plus data muxs network.]

Network cost: high. Security: high. Scalability: low.

VPN Models: Overlay Model (Over Frame Relay Network)

[Diagram: CE Office 1 to CE Office 5 interconnected by PVCs across the service provider's Frame Relay network.]

Network cost: less than the leased-line option. Security: high. Scalability: low.

VPN Models
Peer to Peer Model
The service provider provides the provider edge (PE) device, which directly exchanges routing information with the customer premises equipment (CPE).

VPN Models: Peer to Peer Model

[Diagram: the Customer Premises Equipment (CPE) in the customer's network peers directly with the Provider Edge Device (PE) of the service provider IP network.]

Traditional IP Forwarding

[Diagram: Customer A networks 47.1/16 and 47.3/16 and Customer B network 47.2/16 attached to the same provider routers. Every router holds one forwarding table (Dest 47.1, 47.2, 47.3 -> Out 1, 2, 3) shared by both customers; packets to 47.1.1.1 and 47.2.1.1 are forwarded by a destination lookup at each hop.]

Cost: low. Security: low. Scalability: high.

Model                Network Cost        Network Security   Network Scalability
Leased Line Model    High                High               Low
Frame Relay Model    Comparatively Low   High               Low
Peer to Peer Model   Low                 Low                High

With the combination of layer 2 switching and layer 3 routing and switching, it is possible to construct a new technology that combines the benefit of the overlay VPN with the simplified routing that the peer-to-peer VPN implementation brings. The new technology is called MPLS IP VPN.

MULTI PROTOCOL LABEL SWITCHING

MPLS

Basic Intranet Model

[Diagram: VPN A with SITE-1, SITE-2, SITE-3 and SITE-4 attached to PE routers at the edge of the IP MPLS backbone; P routers form the core. The PEs exchange VPN routes over MP-iBGP: Site-1 & Site-2 routes and Site-3 & Site-4 routes are tagged RT=VPN-A, so each site receives the Site-1, Site-2, Site-3 and Site-4 routes.]

MPLS VPN Network Model

[Diagram: VPN Models compared. Frame Relay network: CE Office 1 to CE Office 5 connected by PVCs, point to point by default, can be converted into a full-meshed network. MPLS network: CE Office 1 to CE Office 5 connected by LSPs, full meshed by default.]

MPLS Domain And Components

[Diagram: IP domains at the customer sites (CPE) attach to LERs at the edge of the MPLS domain; LSRs make up the core of the MPLS domain.]

Label Assignment and Distribution

[Diagram: routers R-A, R-B and R-C in a row, with the prefixes 171.68.10/24 and 171.68.40/24 reachable beyond R-C. R-B tells R-A "Use label 30 for destination 171.68.10/24"; R-C tells R-B "Use label 40 for destination 171.68.10/24". Each router's table has the columns In I/F, In Lab, Address Prefix, Out I/F, Out Lab and Next-Hop; the entries are IGP derived routes.]

R-A: Address Prefix 171.68.10, Out I/F 1, Out Lab 30
R-B: In I/F 0, In Lab 30, Address Prefix 171.68.10, Out I/F 1, Out Lab 40
R-C: In I/F 0, In Lab 40, Address Prefix 171.68.10

LSRs distribute labels to the upstream neighbours. Labels are used to designate LSPs.

VPN Packet Forwarding

[Diagram: PE-1 in Colombo and the egress PE in Kandy (loopback 197.26.15.1), which serves the site 149.27.2.0/24. PE-1's VPN-A VRF holds 149.27.2.0/24, NH=197.26.15.1, Label=(28), the VPN label assigned by the Kandy PE; the LFIB entry for the FEC gives Out Label 40. A packet for 149.27.2.27 leaves PE-1 as <40, 28, IP 149.27.2.27>.]

The ingress PE receives IP data packets. The PE router performs an IP best-match lookup in the VPN LFIB, finds the iBGP next hop and imposes a stack of labels <IGP, VPN>.

VPN Packet Forwarding cont.

[Diagram: the same path from Colombo (PE-1) to Kandy. Core LFIB entries for FEC 197.26.15.1/32 carry the packet as <30, 28, 149.27.2.27> and <40, 28, 149.27.2.27>; the penultimate hop's entry for the top label reads Out Label POP, so Kandy receives <28, 149.27.2.27>. Kandy's entry "In Label 28 (V), VPN-A VRF 149.27.2.0/24" delivers the plain IP packet 149.27.2.27 to the site.]

The penultimate hop router removes the IGP label: penultimate hop popping procedure (implicit-null label).

The egress PE router uses the VPN label to select which VPN/CE to forward the packet to. The VPN label is removed and the packet is routed toward the VPN site.
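The three forwarding steps above (VRF lookup and two-label imposition at the ingress PE, label swap and penultimate hop pop in the core, VPN-label lookup at the egress PE) as a small simulation. This is an added example, not code from the original slides: the prefix 149.27.2.0/24, the VPN label 28, the Kandy loopback 197.26.15.1 and the IGP labels 40 and 30 are taken from the slides, while the order in which the core routers use 40 and 30, the router names P1/P2 and the interface names are constructed for the example.

```python
"""MPLS VPN forwarding with a two-label stack <IGP, VPN>.

Added example, not code from the original slides. Prefix, VPN label and the
Kandy loopback come from the slides; the core label order, router names
P1/P2 and interface names are constructed for this example.
"""
from dataclasses import dataclass, field

IMPLICIT_NULL = 3  # reserved label value meaning "pop and forward"


@dataclass
class Packet:
    dst: str
    labels: list = field(default_factory=list)  # labels[-1] is the top of the stack


# Ingress PE-1 (Colombo): VRF for VPN-A, populated from MP-iBGP. Each route
# carries the VPN label chosen by the egress PE and the egress PE's loopback.
VRF_VPN_A_COLOMBO = {
    "149.27.2.0/24": {"next_hop": "197.26.15.1", "vpn_label": 28},
}
# IGP/LDP label binding for the BGP next hop (constructed: label 40).
IGP_FIB_COLOMBO = {"197.26.15.1/32": 40}

# Core LFIBs keyed by incoming label (constructed). P2 is the penultimate hop.
LFIB_P1 = {40: 30}
LFIB_P2 = {30: IMPLICIT_NULL}

# Egress PE (Kandy): the VPN label alone selects the VRF and the CE-facing interface.
VPN_LFIB_KANDY = {28: ("VPN-A", "to-CE-149.27.2.0/24")}


def _ip_to_int(addr: str) -> int:
    return int.from_bytes(bytes(int(o) for o in addr.split(".")), "big")


def in_prefix(ip: str, prefix: str) -> bool:
    net, plen = prefix.split("/")
    mask = (0xFFFFFFFF << (32 - int(plen))) & 0xFFFFFFFF
    return _ip_to_int(ip) & mask == _ip_to_int(net) & mask


def ingress_pe(pkt: Packet, vrf: dict, igp_fib: dict) -> Packet:
    """Best-match lookup in the VRF, then impose <IGP, VPN>: VPN label goes on first (inner)."""
    matches = [p for p in vrf if in_prefix(pkt.dst, p)]
    if not matches:
        # Only routes imported into this VRF are reachable; other VPNs are invisible here.
        raise LookupError(f"{pkt.dst}: no route in VRF")
    best = max(matches, key=lambda p: int(p.split("/")[1]))
    route = vrf[best]
    pkt.labels.append(route["vpn_label"])                  # inner (VPN) label
    pkt.labels.append(igp_fib[route["next_hop"] + "/32"])  # top (IGP) label
    return pkt


def p_router(pkt: Packet, lfib: dict) -> Packet:
    """P routers act on the top label only; they never inspect the VPN label or the IP header."""
    out = lfib[pkt.labels[-1]]
    if out == IMPLICIT_NULL:
        pkt.labels.pop()          # penultimate hop popping
    else:
        pkt.labels[-1] = out      # label swap
    return pkt


def egress_pe(pkt: Packet, vpn_lfib: dict):
    """The VPN label arrives on top (IGP label already popped) and selects the VRF/CE."""
    vrf_name, iface = vpn_lfib[pkt.labels.pop()]
    return vrf_name, iface, pkt


def forward(dst: str):
    """Run one packet Colombo -> P1 -> P2 -> Kandy; return VRF, CE interface and the stack trace."""
    pkt = Packet(dst)
    trace = []
    ingress_pe(pkt, VRF_VPN_A_COLOMBO, IGP_FIB_COLOMBO)
    trace.append(list(pkt.labels))
    for lfib in (LFIB_P1, LFIB_P2):
        p_router(pkt, lfib)
        trace.append(list(pkt.labels))
    vrf_name, iface, pkt = egress_pe(pkt, VPN_LFIB_KANDY)
    trace.append(list(pkt.labels))
    return vrf_name, iface, trace


if __name__ == "__main__":
    print(forward("149.27.2.27"))  # ('VPN-A', 'to-CE-149.27.2.0/24', [[28, 40], [28, 30], [28], []])
```

The trace shows why the model separates customers: a destination that is not imported into the VRF (`forward("10.1.1.1")`) raises at the ingress PE instead of being routed, and the P routers only ever touch the outer IGP label.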

Separate Routing - Private Addressing

[Diagram: Customer A sites Boston (10.151/16), NYC and Wash. DC belong to VPN A, which also contains 10.150.5/24; Customer B sites San Jose (10.150/16, with the Parts DB at 10.150.25.1 in 10.150.25/24) and NYC (10.152/16) belong to VPN B. Each VPN has its own virtual router (VR) instances on the MPLS network, so both customers can use private 10.x addressing. An Extranet gives the Vendors access to the Parts DB, and both VPNs reach the Internet.]

MPLS Operation

[Diagram: Ingress LER -> LSR -> LSR -> Egress LER. IP forwarding at the edges, label switching in the core. Standard routing protocols run throughout; labels are exchanged between the routers. Labeled packet format: Label | IP Hdr | Payload.]

Ingress LER: receives IP packets, performs packet classification (into FECs), assigns a label, and forwards the labeled packet.
LSRs: forward packets based on the label (no packet classification in the core).
Egress LER: removes the label before forwarding IP packets outside the MPLS network.

Terminology

Provider network (P network)
Provider edge router (PE/LER router) - physical connection to the CE router and to the core of the P network
Provider router (P/LSR router) - internal to the P network and oblivious to the existence of VPNs
Customer edge router (CE router) - physically connected to the PE router
Customer router (C router) - internal to the C network and invisible to the PE router
PE-CE link - the connection between the PE router and the CE router

Label Edge Routers/Provider Edge Routers (LER/PE)

[Diagram: IP domains at the edges, each attached to an LER; LSRs in the MPLS domain. IP forwarding outside, MPLS forwarding inside.]

LER Functions
1. Map IP packets to labels
2. Push labels on IP packets
3. Apply QoS functions
4. Initiate LSP setup process
5. Traffic engineering

Ingress and Egress LERs

[Diagram: IP forwarding in the IP domain -> Ingress LER -> MPLS forwarding across LSRs in the MPLS domain -> Egress LER -> IP forwarding in the IP domain.]

Label Switched Routers/Provider Routers (LSR/P)

[Diagram: LSRs inside the MPLS domain, LERs at the boundary to the IP domains.]

LSR Functions
1. Swap labels
2. Apply QoS functions
3. Participate in LSP setup process
4. Only knows routes within the MPLS domain

VPN Label Stack

Minimum 2 labels are needed for MPLS VPN service.

Configuration:
IGP (e.g. OSPF or IS-IS) routing in the core
MPLS (e.g. LDP) enabled for all P and PE
MP-iBGP fully meshed between PEs
PE-CE can be eBGP, OSPF, RIP or static
Label swapping based on the IGP (top) label

Two level labels:
Top label: LDP label, forwarding through the core, PE-PE
Inner label: VPN label, identifies the destination VPN, forwarding to the CE

[Diagram: PE1, PE2, PE3 and PE4 around a core of P1 to P4; CE1 to CE6 attach VPN Red sites X1, X2 and VPN Green sites Y1, Y2.]

Lookup is done once: the ingress PE3 attaches two labels to each packet.
Penultimate hop popping: P4 removes the top label.
Pop the VPN label (inner), find the outgoing interface/aggregate to CE6.

Multi Protocol Label Switching

MPLS is an Internet Engineering Task Force (IETF) specified framework for efficient design, forwarding, routing and switching of traffic flows in a network. (RFC 2547)

MPLS Quality Of Service (QOS)

Traffic Classification

[Diagram: MPLS network between Colombo and Kandy, with an Internet connection, carrying three types of traffic: 1 Voice Data, 2 Business Critical Data, 3 Best Effort Traffic.]

[Diagram: the same network with one queue per type toward Kandy: Voice Traffic Queue, BCD Traffic Queue, Best Effort Traffic Queue.]

Voice (Highest Priority)
Business Critical Data (Second Priority)
Best Effort Traffic (Lowest Priority)

Differentiated Model: Divide Traffic into Classes

Differentiated IP Services

Class      Traffic                     Service
Platinum   Voice                       Low Latency
Gold       Critical Application Data   Guaranteed Latency and Delivery
Silver     Application Traffic         Guaranteed Delivery
Bronze     Internet, E-Mail            Best Effort Delivery

Traffic Policing

[Diagram: MPLS network between Colombo and Kandy with an Internet connection. Traffic classification and marking at the edge, then a scheduling policy and a drop policy applied to the queues.]

Differential Model Features

Classification
Marking
Policing and Shaping
Congestion Avoidance
Congestion Management

Differentiated Model Features: Marking

Layer 3 IPv4 header: Version | Len | ToS (1 byte) | Length | ID | Offset | TTL | Proto | FCS | IP-SA | IP-DA | Data

ToS byte: the three high-order bits are the IP Precedence; the six high-order bits form the DSCP (Differentiated Services Code Point); the remaining bits are unused.

MPLS Label (32-bit label stack entry):

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                Label                  | EXP |S|       TTL     |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Label: 20 bits. EXP: 3 bits, used for class of service. S: bottom of stack. TTL: 8 bits.
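The two marking fields above, worked in code: splitting the ToS byte into precedence and DSCP, and packing and unpacking the 32-bit label stack entry with its bottom-of-stack bit. This is an added example, not code from the original slides. The IPv4 header bytes and label values are constructed for the example, and copying the IP precedence into EXP at label imposition is the example's own choice (a common default), not something the slides prescribe.

```python
"""IPv4 ToS byte and the 32-bit MPLS label stack entry (RFC 3032 layout).

Added example, not code from the original slides. The IPv4 header built by
sample_ipv4() and the label values are constructed; copying IP precedence
into EXP at imposition is this example's assumption (a common default).
"""
import struct


def parse_tos(tos: int) -> dict:
    """Split the ToS byte: 3-bit IP precedence, 6-bit DSCP, 2 low bits unused (now ECN)."""
    if not 0 <= tos <= 0xFF:
        raise ValueError("ToS is one byte")
    return {"precedence": tos >> 5, "dscp": tos >> 2, "unused": tos & 0x3}


def encode_shim(label: int, exp: int, bottom: bool, ttl: int) -> bytes:
    """Pack one entry: Label(20) | EXP(3) | S(1) | TTL(8), network byte order."""
    if not (0 <= label < 1 << 20 and 0 <= exp < 8 and 0 <= ttl < 256):
        raise ValueError("field out of range")
    return struct.pack("!I", (label << 12) | (exp << 9) | (int(bottom) << 8) | ttl)


def decode_shim(buf: bytes) -> dict:
    (word,) = struct.unpack("!I", buf[:4])
    return {"label": word >> 12, "exp": (word >> 9) & 0x7,
            "s": (word >> 8) & 0x1, "ttl": word & 0xFF}


def decode_stack(buf: bytes):
    """Walk entries until the S bit is set; return (entries, offset of the IP header)."""
    entries, off = [], 0
    while off + 4 <= len(buf):
        entry = decode_shim(buf[off:off + 4])
        entries.append(entry)
        off += 4
        if entry["s"]:
            return entries, off
    # A stack whose last entry lacks S=1 would make the receiver misparse the IP header.
    raise ValueError("label stack has no bottom-of-stack entry")


def impose_stack(ip_packet: bytes, labels: list) -> bytes:
    """Push labels (listed inner first) on an IPv4 packet.

    EXP is copied from the IP precedence bits of the ToS byte (assumption:
    common default at imposition); TTL is copied from the IP header.
    """
    if len(ip_packet) < 20 or ip_packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    exp = parse_tos(ip_packet[1])["precedence"]
    ttl = ip_packet[8]
    stack = b""
    for i, label in enumerate(labels):
        # The first label listed becomes the innermost entry and carries S=1.
        stack = encode_shim(label, exp, bottom=(i == 0), ttl=ttl) + stack
    return stack + ip_packet


def sample_ipv4(tos: int, ttl: int = 64) -> bytes:
    """Constructed 20-byte IPv4 header (no options, zero checksum) for the demo."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20, 0, 0, ttl, 17, 0,
                       bytes([10, 0, 0, 1]), bytes([149, 27, 2, 27]))


if __name__ == "__main__":
    pkt = impose_stack(sample_ipv4(0xB8), [28, 40])   # ToS 0xB8 = DSCP 46, precedence 5
    print(decode_stack(pkt))
```

With ToS 0xB8 (DSCP 46, precedence 5) and the stack [28, 40], the outer entry decodes as label 40, EXP 5, S=0 and the inner as label 28, EXP 5, S=1, and the IP header starts at byte offset 8.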

Differentiated Model Features: Policing and Shaping

Policing is the QoS component that limits an incoming or outgoing traffic flow to a defined (assigned) bit rate.
Shaping is the QoS component that regulates an outgoing traffic flow to a defined (assigned) bit rate.

Differentiated Model Features: Congestion Management

Scheduling policy:
First In First Out (FIFO)
Weighted Fair Queuing (WFQ)
Class Based Weighted Fair Queuing (CBWFQ)
Priority Queuing
Custom Queuing

Congestion Management - FIFO

[Diagram: Data In -> Buffer -> Data Out; packets leave in the order they arrived.]

Congestion Management - WFQ

Weighted Fair Queuing

[Diagram: three streams of 5 packets, 8 packets and 2 packets compete for one output link.]

The stream with the lowest number of packets goes first.

Congestion Management - CBWFQ

Class Based Weighted Fair Queuing

[Diagram: three streams of 5 packets (Prec = 3), 8 packets (Prec = 5) and 2 packets (Prec = 2) compete for one output link.]

The highest priority packet stream goes first (Precedence = 5). DSCP bits can also be used.
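The WFQ and CBWFQ slides above, reproduced as a scheduler simulation. This is an added example, not code from the original slides: the streams of 5, 8 and 2 packets and the precedence values 3, 5 and 2 come from the slides, while equal packet sizes, deriving a class weight from its precedence, and serving the precedence-5 class as a strict-priority (LLQ-style) class are assumptions made for the example. It goes slightly beyond the slides by computing WFQ order from virtual finish times, which is what makes the smallest stream finish first.

```python
"""Scheduling under WFQ and CBWFQ with a strict-priority class.

Added example, not code from the original slides. Stream sizes and
precedence values follow the slides; equal packet sizes, weight = precedence
and the strict-priority treatment of precedence 5 are this example's
assumptions.
"""
from fractions import Fraction


def schedule(flows: dict, weights: dict, priority: tuple = ()) -> list:
    """Return the service order as (flow, packet index) pairs.

    All packets are backlogged at time 0. Strict-priority flows are drained
    first, in FIFO order. The remaining flows are ordered by WFQ virtual
    finish time: each packet finishes size/weight after the previous packet
    of its flow. Ties break on flow position, then packet index.
    """
    order = [(name, i) for name in priority for i in range(len(flows[name]))]
    tagged = []
    for pos, (name, sizes) in enumerate(flows.items()):
        if name in priority:
            continue
        finish = Fraction(0)
        for i, size in enumerate(sizes):
            finish += Fraction(size, weights[name])
            tagged.append((finish, pos, i, name))
    tagged.sort()   # exact rational finish times, so ties are deterministic
    order.extend((name, i) for _, _, i, name in tagged)
    return order


def completion_order(order: list) -> list:
    """Flows sorted by the position of their last packet in the service order."""
    last = {}
    for pos, (name, _) in enumerate(order):
        last[name] = pos
    return sorted(last, key=last.get)


# Constructed streams: 5, 8 and 2 packets of equal size, as on the slides.
STREAMS = {"A": [1] * 5, "B": [1] * 8, "C": [1] * 2}
PRECEDENCE = {"A": 3, "B": 5, "C": 2}


def wfq_demo() -> list:
    """Plain WFQ with equal weights: the 2-packet stream finishes first."""
    return completion_order(schedule(STREAMS, {f: 1 for f in STREAMS}))


def cbwfq_demo() -> list:
    """CBWFQ: weight taken from precedence, precedence 5 served as the priority class."""
    weights = {f: PRECEDENCE[f] for f in STREAMS}
    prio = tuple(f for f in STREAMS if PRECEDENCE[f] == 5)
    return completion_order(schedule(STREAMS, weights, prio))


if __name__ == "__main__":
    print(schedule(STREAMS, {f: 1 for f in STREAMS})[:6])
    print(wfq_demo(), cbwfq_demo())   # ['C', 'A', 'B'] ['B', 'C', 'A']
```

Under equal weights the link is shared one packet at a time across A, B and C, so C (2 packets) completes first and B (8 packets) last; with the precedence-5 stream as a priority class its 8 packets all leave before the others are considered, which is the behaviour the CBWFQ slide depicts.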

MPLS QoS

[Diagram: customer site -> SP edge -> MPLS core; the numbered steps below run at each stage.]

1) Packet classification through IP Precedence/DSCP (customer side)
2) At the SP edge: match IP Precedence/DSCP, set MPLS EXP, rate-limit/police and apply the drop policy
3) In the MPLS core: invoke the QoS policy action based on the edge classification (based on MPLS EXP), e.g. LLQ, CBWFQ, drop low-priority policy via WRED if the rate limit is exceeded
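The edge step 2 above (match DSCP, set EXP, police, apply a drop or re-mark action) together with the earlier policing-versus-shaping definitions, as one worked example. This is added code, not from the original slides: the DSCP-to-class table, the rate and burst values and the packet timings are constructed, and the three classes simply follow the slides' voice / business-critical / best-effort split. Policing is modelled as a token bucket that drops or re-marks excess packets, shaping as the same bucket delaying them, which is the usual distinction between the two.

```python
"""Edge QoS policy: classify by DSCP, set MPLS EXP, police per class; plus a shaper.

Added example, not code from the original slides. CLASS_MAP, the rates,
burst sizes and VOICE_BURST are constructed for the example.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed mapping DSCP -> class. EXP is set to the DSCP's top 3 bits
# (the IP precedence), which is the slides' "match DSCP, set EXP" step.
CLASS_MAP = {46: "voice", 26: "business-critical", 0: "best-effort"}


def classify(dscp: int):
    """Return (class name, EXP) for a DSCP; unknown DSCPs fall into best effort."""
    cls = CLASS_MAP.get(dscp, "best-effort")
    exp = dscp >> 3 if cls != "best-effort" else 0
    return cls, exp


@dataclass
class TokenBucket:
    """Single-rate token bucket: rate in bit/s, burst in bytes, time in seconds."""
    rate_bps: float
    burst_bytes: int
    tokens: Optional[float] = None
    last_t: float = 0.0

    def __post_init__(self):
        if self.tokens is None:
            self.tokens = float(self.burst_bytes)   # bucket starts full

    def refill(self, now: float):
        if now < self.last_t:
            raise ValueError("time must not go backwards")
        self.tokens = min(self.burst_bytes,
                          self.tokens + (now - self.last_t) * self.rate_bps / 8)
        self.last_t = now

    def conform(self, size: int, now: float) -> bool:
        """Policer decision: consume tokens if available, otherwise report an exceed."""
        self.refill(now)
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False

    def delay_until(self, size: int, now: float) -> float:
        """Shaper decision: earliest time the packet may leave; tokens consumed then."""
        self.refill(now)
        depart = now
        if size > self.tokens:
            depart = now + (size - self.tokens) * 8 / self.rate_bps
            self.refill(depart)
        self.tokens -= size
        return depart


def police(packets, buckets: dict, exceed_action: str = "drop"):
    """packets: (time_s, dscp, size_bytes). Returns (action, class, exp) per packet."""
    out = []
    for t, dscp, size in packets:
        cls, exp = classify(dscp)
        if buckets[cls].conform(size, t):
            out.append(("forward", cls, exp))
        elif exceed_action == "remark":
            out.append(("forward", cls, 0))   # excess demoted to best-effort EXP
        else:
            out.append(("drop", cls, exp))
    return out


def shape(packets, bucket: TokenBucket):
    """Return departure times; excess is delayed in FIFO order, never dropped."""
    departures, last = [], 0.0
    for t, _dscp, size in packets:
        last = bucket.delay_until(size, max(t, last))
        departures.append(last)
    return departures


# Constructed burst: five 500-byte voice packets, four at t=0 and one at t=1.0 s.
VOICE_BURST = [(0.0, 46, 500), (0.0, 46, 500), (0.0, 46, 500), (0.0, 46, 500), (1.0, 46, 500)]


def policer_demo():
    """One bucket per class: 8000 bit/s (1000 bytes/s) with a 1500-byte burst."""
    buckets = {c: TokenBucket(rate_bps=8000, burst_bytes=1500) for c in set(CLASS_MAP.values())}
    return police(VOICE_BURST, buckets)


def shaper_demo():
    return shape(VOICE_BURST, TokenBucket(rate_bps=8000, burst_bytes=1500))


if __name__ == "__main__":
    print(policer_demo())   # fourth packet dropped, fifth forwarded after refill
    print(shaper_demo())    # [0.0, 0.0, 0.0, 0.5, 1.0]
```

With a 1500-byte burst and 1000 bytes/s, the first three 500-byte packets conform, the fourth exceeds and is dropped (or re-marked to EXP 0 with `exceed_action="remark"`), and the fifth conforms again after one second of refill; the shaper instead holds the fourth packet until 0.5 s.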

END
Thank You
