Network-based IP VPNs using Virtual Routers
Tim Hubbard

Network-based VPN Network Reference Model

Network-based VPN Services
[Figure: provider edge routers (PE) at the edge of the provider network]

Architecture Design Goals
- Flexibility
  - solution architected around choices
- Scalability
  - backbone, VPN, PE, etc.
- Resiliency
  - NB-VPN services resilient to failures, smooth migration
- Manageability
  - multiple levels of control while reducing NB-VPN service and network management complexity
- Reusability
  - existing management aspects, network mechanisms and tools
- Security
  - VPN service, VPN information (routing and data)

Architecture Requirements
- Per-VPN routing and forwarding.
- No routing/forwarding based on private addresses in the backbone.
- Any routing protocol can be used in the VPN domain and in the backbone.
- Overlapping VPN addresses (the same private prefix may be in use in different VPNs).
- Not limited to a single tunneling mechanism.
- Accommodates different backbone deployment scenarios.
- Not limited to a single backbone technology.

What is a Virtual Router?
- A virtual router (VR) is an emulation of a physical router.
- A VR has the same mechanisms and functionality as a physical router.
- Each virtual router maintains its own separate routing and forwarding tables.
- Each virtual router can run any routing protocol (OSPF, RIP, BGP-4, etc.).

VPN Tunneling
- Network-based VPNs are implemented through some form of tunneling mechanism.
- Different tunneling mechanisms can be used (MPLS, IPsec, GRE, L2TP, etc.).
- The architecture allows per-VPN tunnels, or tunnels shared by several VPNs across the backbone.
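The two requirements above that matter most for isolation are per-VPN routing/forwarding with overlapping addresses, and demultiplexing a shared backbone tunnel back to the right VR. The following is an added example written for this page, not code from the original deck: a toy PE with three virtual routers, two of which carry the same 10.1.0.0/16 prefix, and a shared tunnel whose 8-byte (VPN-ID, length) header is an assumption standing in for an MPLS label, GRE key or IPsec SA. All prefixes, next-hop names and VPN-IDs are constructed sample data.

```python
"""Added example, not from the slides: per-VPN virtual routers on one PE,
plus a shared backbone tunnel demultiplexed by VPN-ID.

Assumptions (constructed for illustration): the 8-byte tunnel header
(VPN-ID, payload length), the prefixes, next-hop names and VPN-IDs. A real
PE would key the shared tunnel on an MPLS label, GRE key or IPsec SA.
"""
import ipaddress
import struct


class VirtualRouter:
    """One VR: its own forwarding table, independent of every other VR."""

    def __init__(self, name):
        self.name = name
        self.fib = {}  # ip_network -> next-hop name

    def add_route(self, prefix, next_hop):
        self.fib[ipaddress.ip_network(prefix)] = next_hop

    def lookup(self, dst):
        """Longest-prefix match against this VR's table only."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, next_hop in self.fib.items():
            # `in` is False across address families, so an IPv4 VR never
            # matches an IPv6 destination and vice versa.
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, next_hop)
        return best[1] if best else None


class ProviderEdge:
    """A PE hosts several VRs; the VPN-ID selects which VR handles a packet."""

    HEADER = struct.Struct("!II")  # VPN-ID, inner payload length (assumed format)

    def __init__(self):
        self.vrs = {}  # vpn_id -> VirtualRouter

    def add_vr(self, vpn_id, vr):
        self.vrs[vpn_id] = vr

    def forward(self, vpn_id, dst):
        """Forwarding decision for a packet that arrived on VPN `vpn_id`."""
        return self.vrs[vpn_id].lookup(dst)

    @classmethod
    def encapsulate(cls, vpn_id, inner):
        """Put a VPN packet onto the shared backbone tunnel."""
        return cls.HEADER.pack(vpn_id, len(inner)) + inner

    def decapsulate(self, frame):
        """Pull a packet off the shared tunnel and hand it to the right VR.
        A VPN-ID this PE does not host, or a truncated frame, is dropped
        (None) rather than falling through to the backbone VR or to
        another VPN's VR."""
        if len(frame) < self.HEADER.size:
            return None
        vpn_id, length = self.HEADER.unpack_from(frame)
        inner = frame[self.HEADER.size:self.HEADER.size + length]
        if vpn_id not in self.vrs or len(inner) != length:
            return None
        return self.vrs[vpn_id], inner


def build_pe():
    """Constructed sample PE: VPN A and VPN B both use 10.1.0.0/16 (overlap),
    VPN C is an IPv6 VPN; each VR resolves addresses in its own table."""
    pe = ProviderEdge()
    vr_a = VirtualRouter("VR-A")
    vr_a.add_route("10.1.0.0/16", "tunnel-to-PE2")  # remote site over the backbone
    vr_a.add_route("10.1.5.0/24", "CE-A-site1")     # local site, more specific
    vr_b = VirtualRouter("VR-B")
    vr_b.add_route("10.1.0.0/16", "CE-B-site3")     # same prefix, different VPN
    vr_c = VirtualRouter("VR-C")
    vr_c.add_route("2001:db8:c::/48", "CE-C-site1")
    pe.add_vr(11, vr_a)
    pe.add_vr(12, vr_b)
    pe.add_vr(13, vr_c)
    return pe


if __name__ == "__main__":
    pe = build_pe()
    print(pe.forward(11, "10.1.5.9"), pe.forward(12, "10.1.5.9"))
    vr, inner = pe.decapsulate(ProviderEdge.encapsulate(12, b"inner packet"))
    print(vr.name, inner)
    print(pe.decapsulate(ProviderEdge.encapsulate(99, b"x")))
```

The same destination 10.1.5.9 resolves to a different next hop in VR-A and VR-B because each lookup only consults that VR's table; the backbone never sees the private prefixes. On decapsulation the VPN-ID is the only thing that selects a VR, so a VPN-ID the PE does not host must be dropped rather than defaulted, otherwise one customer's traffic could land in another customer's VR.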

Scenario 1 - VR to VR Direct Connectivity
[Figure: two PEs, each hosting VR-A, VR-B and VR-C for VPNs A, B and C; each VR connects directly to the VR of the same VPN on the other PE]

Virtual Router Backbone Aggregation
- A virtual router (called the Backbone Virtual Router) is used for routing in the backbone, at the PE level only.
- IP- or MPLS-based tunnels between VRs transport VPN information across the backbone.

Scenario 2 - VPNs with Backbone VRs
[Figure: a PE hosting VR-A, VR-B and VR-C for VPNs A, B and C, all reaching the backbone through a Backbone VR; the backbone routing space is kept separate from the VPN routing space]
The backbone virtual router is not functionally different from other virtual routers.

Scenario 3 - Combination of VR Deployment Scenarios
[Figure: a PE hosting VR-A, VR-B and VR-C for VPNs A, B and C, with a Backbone VR; the direct VR-to-VR and Backbone VR deployments of Scenarios 1 and 2 coexist on the same PE]

Scenario 4 - Multiple Backbones
[Figure: a PE hosting VR-A to VR-D for VPNs A to D, with VPN E also attached; two backbone virtual routers (Backbone VR-1 and Backbone VR-2), one per backbone]

Scenario 5 - VPNs with Backdoor Links
[Figure: two PEs, each hosting VR-A, VR-B, VR-C and Backbone VR-1; sites of VPNs A, B and C attach to each PE, and sites of the same VPN are additionally joined by a backdoor link that does not traverse the provider backbone]

Scenario 6 - Outsourcing/Management of the PE
[Figure: one PE hosting VR-A to VR-D for VPNs A to D, with VPN E also attached, and Backbone VR-1 and Backbone VR-2; Service Provider-1 and Service Provider-2 each manage their part of the PE]

Scenario 7 - Multi-protocol VPNs
[Figure: a PE hosting VR-A (VPN A, IPv6), VR-B (VPN B, IPv4) and VR-C (VPN C, IPv6) behind Backbone VR-1]

Scenario 8 - Backbone Migration Example
[Figure: a PE hosting VR-A, VR-B and VR-C for VPNs A, B and C, with Backbone VR-1 on the existing backbone and Backbone VR-2 on the new MPLS backbone]
VPN services are migrated one at a time.

Virtual Router Reachability Scheme
[Figure: Provider Edge Router 1 and Provider Edge Router 2, each hosting Virtual Router A, Virtual Router B and Virtual Router C, exchanging per-VPN reachability information across the backbone]
- Each routing instance is independent of the others.

Membership and Topology Determination
- Different mechanisms can be used (not mutually exclusive):
  - Directory server approach
  - Explicit configuration
  - Using a VPN auto-discovery mechanism

What can be discovered?
- VPN auto-discovery can discover:
  - Membership information
  - Topology information
  - Tunnel mechanism (optionally tunnel endpoints)
  - VPN reachability information (as in draft RFC 2547)
- The virtual router architecture doesn't require piggybacking VPN reachability information onto the backbone routing instance.

Discovering VPN Information
[Figure: Provider Edge Routers PE1 and PE2, each with a backbone virtual router (BVR) running BGP; BGP UPDATE messages across the backbone carry VPN information (membership, etc.)]

Discovering Membership Information
[Figure: PE1 and PE2 each host VPN-ID11, VPN-ID12 and VPN-ID13; their BVRs exchange BGP UPDATEs carrying (VPN-IDs, PE-BVR), i.e. which VPN-IDs are present behind which PE's backbone VR]

Discovering Tunnel Endpoints
[Figure: same PE1/PE2 layout with an IPsec tunnel across the backbone; the BGP UPDATEs carry (VPN-IDs, 123.3.4.5, PE-BVR), adding the tunnel endpoint address to the membership announcement]

Discovering VPN Topology Information
[Figure: same PE1/PE2 layout; the BGP UPDATEs carry (11, hub, PE BVR), i.e. VPN-ID 11 together with the announcing PE's role (hub) in that VPN's topology]

BGP-based Auto-Discovery Mechanism (for layer-3 VPNs)
- "Using BGP as an Auto-Discovery Mechanism for Network-based VPNs"
- Hamid Ould-Brahim, Bryan Gleeson, Peter Ashwood-Smith, Eric Rosen, Yakov Rekhter
- draft-ouldbrahim-bgpvpn-auto-00.txt
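The three discovery slides show the same BGP UPDATE growing from (VPN-IDs, PE-BVR) to (VPN-IDs, endpoint, PE-BVR) to (VPN-ID, role, PE-BVR). The following is an added example written for this page, not code from the deck or from the cited draft: a toy receiver that consumes such announcements from its configured BGP neighbours and builds separate membership, tunnel-endpoint and topology tables, then derives which tunnels a hub or spoke actually needs. The announcement fields, PE names, VPN-IDs and the documentation addresses (192.0.2.x, 198.51.100.x) are constructed sample data; the "only accept UPDATEs from configured neighbours" check is this example's design choice, not something the slides specify.

```python
"""Added example, not from the deck or the cited draft: a toy model of
BGP-based VPN auto-discovery. Remote PEs' backbone VRs (BVRs) announce,
per VPN-ID, their tunnel endpoint, tunnel mechanism and hub/spoke role;
the receiving PE builds membership, endpoint and topology tables from
those announcements and keeps them apart from its backbone routing table.

Assumptions (constructed): the announcement fields stand in for BGP UPDATE
attributes; PE names, VPN-IDs and addresses are sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class VpnAnnouncement:
    """One VPN entry carried in a BGP UPDATE from a PE's backbone VR."""
    pe: str        # announcing PE
    vpn_id: int
    endpoint: str  # tunnel endpoint address on that PE
    tunnel: str    # tunnel mechanism, e.g. "ipsec" or "mpls"
    role: str      # "hub" or "spoke" in that VPN's topology


class PeDiscovery:
    """Discovery state on one PE. VPN information is learned over BGP but
    lives in its own tables, never in the backbone routing instance."""

    def __init__(self, name, peers, local_vpns):
        self.name = name
        self.peers = set(peers)             # configured BGP neighbours (trust boundary)
        self.local_vpns = dict(local_vpns)  # vpn_id -> this PE's role in that VPN
        self.membership = {}                # vpn_id -> {pe, ...}
        self.endpoints = {}                 # (vpn_id, pe) -> (endpoint, tunnel)
        self.topology = {}                  # vpn_id -> {pe: role}

    def receive_update(self, from_peer, announcements):
        """Process a BGP UPDATE; returns how many entries were accepted.
        UPDATEs from anything other than a configured neighbour are discarded
        without learning from them (assumed policy), so a stray speaker
        cannot insert itself into a VPN's membership or topology."""
        if from_peer not in self.peers:
            return 0
        for a in announcements:
            self.membership.setdefault(a.vpn_id, set()).add(a.pe)
            self.endpoints[(a.vpn_id, a.pe)] = (a.endpoint, a.tunnel)
            self.topology.setdefault(a.vpn_id, {})[a.pe] = a.role
        return len(announcements)

    def receive_withdraw(self, from_peer, vpn_id, pe):
        """A PE left a VPN: drop it from all three tables."""
        if from_peer not in self.peers:
            return False
        self.membership.get(vpn_id, set()).discard(pe)
        self.endpoints.pop((vpn_id, pe), None)
        self.topology.get(vpn_id, {}).pop(pe, None)
        return True

    def tunnels_needed(self, vpn_id):
        """Remote endpoints this PE must tunnel to for a VPN it hosts.
        Hub-and-spoke rule: a hub tunnels to every other member, a spoke only
        to hubs. A full mesh is the case where every member is a hub."""
        my_role = self.local_vpns.get(vpn_id)
        if my_role is None:
            return {}
        needed = {}
        for pe, role in self.topology.get(vpn_id, {}).items():
            if pe != self.name and (my_role == "hub" or role == "hub"):
                needed[pe] = self.endpoints[(vpn_id, pe)]
        return needed


def build_pe1():
    """Constructed sample: PE1 hosts VPN 11 (spoke), 12 (hub), 13 (spoke)
    and peers with PE2 and PE3, which announce the VPNs they host."""
    pe1 = PeDiscovery("PE1", peers={"PE2", "PE3"},
                      local_vpns={11: "spoke", 12: "hub", 13: "spoke"})
    pe1.receive_update("PE2", [
        VpnAnnouncement("PE2", 11, "192.0.2.2", "ipsec", "hub"),
        VpnAnnouncement("PE2", 12, "192.0.2.2", "ipsec", "spoke"),
        VpnAnnouncement("PE2", 13, "192.0.2.2", "ipsec", "spoke"),
    ])
    pe1.receive_update("PE3", [
        VpnAnnouncement("PE3", 11, "192.0.2.3", "mpls", "spoke"),
        VpnAnnouncement("PE3", 12, "192.0.2.3", "mpls", "spoke"),
    ])
    return pe1


if __name__ == "__main__":
    pe1 = build_pe1()
    for vpn in (11, 12, 13):
        print(vpn, sorted(pe1.membership[vpn]), pe1.tunnels_needed(vpn))
```

For VPN 11 PE1 is a spoke, so it only needs a tunnel to the hub PE2 and ignores the other spoke PE3; for VPN 12 it is the hub and needs tunnels to both; for VPN 13 every known member is a spoke, so no tunnel is built until a hub is announced. Because the learned data is keyed by VPN-ID and kept outside the backbone routing table, a withdrawal removes one PE from one VPN without touching backbone reachability.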

Conclusion
- Virtual routers allow service providers to build differentiated network-based VPN services.
- The architecture is highly flexible and accommodates different tunneling mechanisms and different backbone technologies.