Virtual Private Networks: An Introduction and MPLS Realization

1
Virtual Private Networks: An Introduction and MPLS Realization
  • SURFnet Relatiedagen 2000
  • Phil Chimento
  • CTIT/University of Twente

2
Outline
  • Introduction to Virtual Private Networks
  • VPN requirements
  • MPLS
  • BGP/MPLS approach
  • Virtual Routers
  • Summary

3
What is a VPN?
  • Private network on shared facilities
  • Virtual because circuits not used
  • Private because the set of users is closed

4
Customer VPN Requirements
  • What are customer VPN requirements?
  • Transport is not aware of information carried
  • Security
  • Protocol Insensitive
  • Address Isolation
  • Security
  • Trust Models
  • Customer provides all security
  • Network provides all security
  • QoS Guarantees

5
Provider VPN Requirements
  • What are Service Provider VPN Requirements?
  • Scalability
  • Configurability
  • Manageability
  • QoS support per VPN
  • Security
  • No restriction on core network technology
  • No restrictions on routing or addressing

6
MPLS Fundamentals
  • Basic elements
  • Label is associated with FEC
  • Label is totally arbitrary
  • A Label Switched Path (LSP) composed of a
    sequence of hops
  • MPLS does not define a single label distribution
    protocol

7
MPLS Label Stack

8
Next Hop Label Forwarding Entry

9
MPLS/BGP VPNs
  • Basic Elements
  • Site: Mutual IP connectivity
  • Site can be in multiple VPNs
  • Customer Edge Device
  • Router or switch belonging to a site
  • Provider Edge Router
  • May serve multiple CEs, multiple sites
  • Provider Core Router
  • No knowledge of VPN

10
PE Routers
  • Key role in VPN service
  • PE maintains separate forwarding tables
  • Exchanges reachability information with CE
    routers
  • Provides reachability information to other PE
    routers in the same VPN(s)

11
Route Distribution
  • PE router learns reachability from CE router
  • PE router distributes route to other PE routers
    via BGP
  • PE router shares information with CE router

12
Packet Handling
  • CE router sends packet to PE router
  • PE router uses site forwarding table
  • PE router pushes VPN label on stack
  • PE router uses IGP forwarding table
  • PE router pushes transport label on stack
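
Added example (not from the original slides): a Python model of the ingress PE steps listed above, showing how per-site forwarding tables keep overlapping customer addresses apart and how the VPN and transport labels are stacked. The site names, prefixes, label values and PE names are constructed; the 32-bit label stack entry layout is the one defined in RFC 3032.

```python
import ipaddress
import struct

# Constructed sample data: two customer sites on one PE that both use 10.1.0.0/16.
# Per-site forwarding tables: prefix -> (VPN label, egress PE).
SITE_TABLES = {
    "vpn-red":  {"10.1.0.0/16": (1001, "PE2"), "10.2.0.0/16": (1002, "PE3")},
    "vpn-blue": {"10.1.0.0/16": (2001, "PE3")},
}
# IGP forwarding table of the ingress PE: egress PE -> transport label.
IGP_TABLE = {"PE2": 300, "PE3": 301}


def lookup(site, dst):
    """Longest-prefix match in the forwarding table of the ingress site only."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, entry in SITE_TABLES[site].items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, entry)
    if best is None:
        # Routes of other VPNs are never consulted, so nothing leaks across sites.
        raise LookupError(f"{dst} not reachable from {site}")
    return best[1]


def encode_entry(label, bottom, exp=0, ttl=64):
    """One 32-bit label stack entry: label(20) | Exp(3) | S(1) | TTL(8)."""
    if not 0 <= label < 2**20:
        raise ValueError("label must fit in 20 bits")
    return struct.pack("!I", (label << 12) | (exp << 9) | (int(bottom) << 8) | ttl)


def pe_ingress(site, dst):
    """Return the label stack bytes the ingress PE prepends, outermost first."""
    vpn_label, egress_pe = lookup(site, dst)   # site forwarding table
    transport_label = IGP_TABLE[egress_pe]     # IGP forwarding table
    # The VPN label is pushed first, so it ends up at the bottom of the stack (S=1).
    return encode_entry(transport_label, False) + encode_entry(vpn_label, True)


def decode_stack(data):
    """Parse label values from the stack until the bottom-of-stack bit is set."""
    labels = []
    for off in range(0, len(data), 4):
        (word,) = struct.unpack_from("!I", data, off)
        labels.append(word >> 12)
        if word & 0x100:
            break
    return labels
```

The same destination address entering from two different sites yields different VPN labels and egress PEs, which is the address isolation the customer requirements slide asks for.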

13
Virtual Routers
  • A VR services each CPE VPN site
  • VR is adjacent peer to the CPE router
  • VRs distribute reachability information to each
    other
  • CPE router learns reachability from VR peer
  • CPE router tells VR peer what addresses are
    reachable at site

14
Virtual Routers
  • Virtual Connection Gateway
  • Connects VRs to the backbone
  • Aggregates traffic from VRs servicing CPEs
  • Addresses in VCGs are public (unique)
  • Addresses in VRs are private (unique within the
    VPN)

15
Some Vendors of VPN solutions
  • Ascend (Lucent)
  • Cisco
  • Juniper
  • Alcatel
  • Ericsson
  • Nortel

16
Summary
  • VPNs offer flexibility to providers and customers
  • Current activity in IETF on VPN architectures
  • MPLS is a good vehicle for providing VPNs
  • University of Twente is participating in MPLS and
    VPN tests
  • QoS is problematic and requires more work

17
References
  • RFC 2764, A framework for IP Based Virtual
    Private Networks
  • RFC 2547, BGP/MPLS VPNs (also
    draft-rosen-rfc2547bis-00.txt)
  • Draft-ouldbrahim-vpn-vr-00.txt, Network based IP
    VPN Architecture Using Virtual Routers
  • Cisco and Juniper White Papers