SEC , Cisco Systems, Inc. All rights reserved.

Size: px
Start display at page:

Download "SEC-370. 2001, Cisco Systems, Inc. All rights reserved."

Transcription

1 SEC , Cisco Systems, Inc. All rights reserved. 1

2

3 Understanding MPLS/VPN Security Issues SEC-370 Michael Behringer SEC , Cisco Systems, Inc. All rights reserved. 3

4 Agenda Analysis of MPLS/VPN Security Security Recommendations MPLS Security Architectures Internet Access Firewalling Options Attacking an MPLS Network IPsec and MPLS Summary SEC , Cisco Systems, Inc. All rights reserved. 4

5 The Principle: A Virtual Router Virtual Routing and Forwarding Instance! ip vrf Customer_A rd 100:110 route-target export 100:1000 route-target import 100:1000! interface Serial0/1 ip vrf forwarding Customer_A! Assign Interface to Virtual Router Route Distinguisher: Makes VPN routes unique Export this VRF with community 100:1000 Import routes from other VRFs with community 100:1000 SEC , Cisco Systems, Inc. All rights reserved. 5

6 General VPN Security Requirements Address Space and Routing Separation Hiding of the MPLS Core Structure Resistance to Attacks Impossibility of VPN Spoofing Working assumption: The core (PE+P) is secure SEC , Cisco Systems, Inc. All rights reserved. 6

7 Address Space Separation 64 bits 32 bits Route Distinguisher IPv4 Address VPN IPv4 Address Within the MPLS core all addresses are unique due to the Route Distinguisher SEC , Cisco Systems, Inc. All rights reserved. 7

8 Routing Separation Each (sub-) interface is assigned to a VRF Each VRF has a RD (route distinguisher) Routing instance: within one RD -> within one VRF -> Routing Separation SEC , Cisco Systems, Inc. All rights reserved. 8

9 CE2 IP(CE2) IP(PE; fa1) VRF CE2 Hiding of the MPLS Core Structure MPLS core Visible Address Space CE1 IP(CE1) IP(PE; fa0) VRF CE1 PE IP(PE; l0) P P P P VRF contains MPLS IPv4 addresses Only peering Interface (on PE) exposed (-> CE)! -> ACL or unnumbered SEC , Cisco Systems, Inc. All rights reserved. 9

10 Resistance to Attacks: Where and How? Where can you attack? Address and Routing Separation, thus: Only Attack point: peering PE How? See ISP Essentials - Intrusions (telnet, SNMP,, routing protocol) -DoS Secure with ACLs Secure with MD5 SEC , Cisco Systems, Inc. All rights reserved. 10

11 Label Spoofing PE router expects IP packet from CE Labelled packets will be dropped Thus no spoofing possible SEC , Cisco Systems, Inc. All rights reserved. 11

12 Comparison with ATM / FR ATM/FR MPLS Address space separation yes yes Routing separation yes yes Resistance to attacks yes yes Resistance to Label Spoofing Direct CE-CE Authentication (layer 3) yes yes yes with IPsec SEC , Cisco Systems, Inc. All rights reserved. 12

13 Agenda Analysis of MPLS/VPN Security Security Recommendations MPLS Security Architectures Internet Access Firewalling Options Attacking an MPLS Network IPsec and MPLS Summary SEC , Cisco Systems, Inc. All rights reserved. 13

14 Security Recommendations for ISPs Secure devices (PE, P): They are trusted! CE-PE interface: Secure with ACLs Static PE-CE routing where possible If routing: Use authentication (MD5) Separation of CE-PE links where possible (Internet / VPN) LDP authentication (MD5) VRF: Define maximum number of routes Note: Overall security depends on weakest link! SEC , Cisco Systems, Inc. All rights reserved. 14

15 PE-CE Routing Security In order of security preference: 1. Static: If no dynamic routing required (no security implications) 2. BGP: For redundancy and dynamic updates (many security features) 3. RIPv2: If BGP not supported (limited security features) SEC , Cisco Systems, Inc. All rights reserved. 15

16 Securing the MPLS Core CE CE PE VPN P MPLS core BGP Route Reflector P PE P VPN Internet CE VPN PE PE VPN VPN PE BGP peering with MD5 authentic. LDP with MD5 CE CE CE ACL and secure routing SEC , Cisco Systems, Inc. All rights reserved. 16

17 Agenda Analysis of MPLS/VPN Security Security Recommendations MPLS Security Architectures Internet Access Firewalling Options Attacking an MPLS Network IPsec and MPLS Summary SEC , Cisco Systems, Inc. All rights reserved. 17

18 MPLS Internet Architectures: Principles Core supports VPNs and Internet VPNs remain separated Internet as an option for a VPN Essential: Firewalling SEC , Cisco Systems, Inc. All rights reserved. 18

19 Separate VPN and Internet Access Customer LAN MPLS core To Internet Firewall / NAT CE1 PE1 P VRF Internet IDS CE2 PE2 VRF VPN To VPN Separation: +++ DoS resistance: +++ Cost: $$$ (Two lines and two PEs: Expensive!) SEC , Cisco Systems, Inc. All rights reserved. 19

20 Separate Access Lines + CEs, one PE Customer LAN MPLS core To Internet Firewall / NAT CE1 PE1 P IDS CE2 VRF Internet VRF VPN To VPN Separation: +++ DoS resistance: Cost: ++ (DoS might impact VPN on PE) $$ (Two lines, but only one PE) SEC , Cisco Systems, Inc. All rights reserved. 20

21 Using a Single Access Line Requirements to share a line: PE requires separate sub-interfaces CE requires separate sub-interfaces CE side requires separate routing SEC , Cisco Systems, Inc. All rights reserved. 21

22 Shared Access Line, Frame Relay Customer LAN MPLS core Firewall / NAT Internet CE PE1 P IDS VPN CE VRF Internet VRF VPN Separation: +++ DoS resistance: Cost: $ FR logical links + (DoS might affect VPN on PE, line, CE) SEC , Cisco Systems, Inc. All rights reserved. 22

23 Shared Access Line, Policy Routing Customer LAN MPLS core Firewall / NAT Internet CE PE1 P IDS VPN CE PR VRF Internet VRF VPN FR logical links Separation: +++ DoS resistance: Cost: $ + (DoS might affect VPN on PE, line, CE) SEC , Cisco Systems, Inc. All rights reserved. 23

24 Shared Access Line, CE with VRFs Customer LAN MPLS core Firewall / NAT Internet CE PE1 P IDS VRF Internet VRF Internet VRF VPN Separation: +++ DoS resistance: Cost: $ FR logical links + (DoS might affect VPN on PE, line, CE) SEC , Cisco Systems, Inc. All rights reserved. 24

25 Hub-and-Spoke VPN with Internet Access Hub Site MPLS core Internet Firewall NAT Internet CE PE1 To Internet --> VRF Internet IDS VPN CE PE2 To VPN mbehring VRF VPN PEs VPN VPN VPN CEs Spoke 1 Spoke 2 Spoke 3 SEC , Cisco Systems, Inc. All rights reserved. 25

26 Alternative Topologies Full VPN mesh, one Internet Access Internet access at several sites -> Several firewalls needed -> More complex Internet Access from all sites -> Complex, one firewall per site SEC , Cisco Systems, Inc. All rights reserved. 26

27 Central Firewalling: Option 1: Stacking Firewalls SP Domain CEs PEs Customer 1 MPLS core VPN Internet VPN VPN Customer 2 NAT and Firewalling VPN Customer 3 + Central Management + Strong firewalls + Customer can choose firewall + Different policies per customer possible + CEs not touched - One firewall per customer SEC , Cisco Systems, Inc. All rights reserved. 27

28 Central Firewalling: Option 2: NAT on CE, one central FW Internet + Central Management SP Domain e.g PIX 535 VPN MPLS core Firewalling + One strong firewall + Easy to deploy - Customer cannot pick his firewall PEs VPN VPN VPN - CEs need config CEs NAT NAT NAT Customer 1 Customer 2 Customer 3 SEC , Cisco Systems, Inc. All rights reserved. 28

29 Central Firewalling: Option 3: IOS Firewall on CE SP Domain PEs MPLS core VPN CEs NAT and firewall Internet VPN VPN VPN NAT and firewall NAT and firewall + Economic + One firewall per customer + No central devices - Management more difficult - CEs need config Customer 1 Customer 2 Customer 3 SEC , Cisco Systems, Inc. All rights reserved. 29

30 A Word on Carrier s Carrier Cust. CE Carrier Carrier s Carrier Carrier Cust. CE PE PE PE PE PE PE IP data IP data label IP data label IP data label label IP data Same principles as in normal MPLS Customer trusts carrier who trusts carrier SEC , Cisco Systems, Inc. All rights reserved. 30

31 Agenda Analysis of MPLS/VPN Security Security Recommendations MPLS Security Architectures Internet Access Firewalling Options Attacking an MPLS Network IPsec and MPLS Summary SEC , Cisco Systems, Inc. All rights reserved. 31

32 Ways to Attack Intrusion : Get un-authorised access Theory: Not possible (as shown before) Practice: Depends on: - Vendor implementation - Correct config and management Denial-of-Service : Deny access of others Much more interesting No Trust? Use IPsec between CEs! SEC , Cisco Systems, Inc. All rights reserved. 32

33 DoS against MPLS DoS is about Resource Starvation, one of: - Bandwidth - CPU - Memory (buffers, routing tables, ) - In MPLS, we have to examine: CE PE - Rest is the same as in other networks SEC , Cisco Systems, Inc. All rights reserved. 33

34 Attacking a CE from MPLS (other VPN) Is the CE reachable from the MPLS side? -> only if this is an Internet CE, otherwise not! (CE-PE addressing is part of VPN!) For Internet CEs: Same security rules apply as for any other access router. MPLS hides VPN-CEs: Secure! Internet CEs: Same as in other networks SEC , Cisco Systems, Inc. All rights reserved. 34

35 Attacking a CE-PE Line Also depends on reachability of CE or the VPN behind it Only an issue for Lines to Internet-CEs Same considerations as in normal networks If CE-PE line shared (VPN and Internet): DoS on Internet may influence VPN! Use CAR! MPLS hides VPN-CEs: Secure! Internet CEs: Same as in other networks SEC , Cisco Systems, Inc. All rights reserved. 35

36 Attacking a PE Router PE CE1 IP(CE1) IP(PE; fa0) IP(PE; l0) IP(P) VRF CE1 CE2 IP(CE2) IP(PE; fa1) VRF CE2 Attack points VRF Internet Only visible: your interface and interfaces of Internet CEs SEC , Cisco Systems, Inc. All rights reserved. 36

37 DoS Attacks to PE can come from: Other VPN, connected to same PE Internet, if PE carries Internet VRF Possible Attacks: Resource starvation on PE Too many routing updates, too many SNMP requests, small servers, Has to be secured SEC , Cisco Systems, Inc. All rights reserved. 37

38 Agenda Analysis of MPLS/VPN Security Security Recommendations MPLS Security Architectures Internet Access Firewalling Options Attacking an MPLS Network IPsec and MPLS Summary SEC , Cisco Systems, Inc. All rights reserved. 38

39 Use IPsec if you need: Encryption of traffic Direct authentication of CEs Integrity of traffic Replay detection Or: If you don t want to trust your ISP for traffic separation! SEC , Cisco Systems, Inc. All rights reserved. 39

40 IPsec Topologies CE to CE (static cryptomap) Hub and Spoke (dynamic cryptomap) Full Mesh with TED: Ideal!!! MPLS/VPN and TED are an ideal combination!! IPsec is independent of MPLS IPsec and MPLS work together SEC , Cisco Systems, Inc. All rights reserved. 40

41 Agenda Analysis of MPLS/VPN Security Security Recommendations MPLS Security Architectures Internet Access Firewalling Options Attacking an MPLS Network IPsec and MPLS Summary SEC , Cisco Systems, Inc. All rights reserved. 41

42 MPLS doesn t provide: Protection against mis-configurations in the core Protection against attacks from within the core Confidentiality, authentication, integrity, anti-replay -> Use IPsec if required Customer network security SEC , Cisco Systems, Inc. All rights reserved. 42

43 Conclusions MPLS VPNs can be secured as well as ATM/FR VPNs Depends on correct configuration and function of the core Use IPsec if you don t trust core There are many ways to map VPNs with Internet access securely onto MPLS SEC , Cisco Systems, Inc. All rights reserved. 43

44 Understanding MPLS/VPN Security Issues Session SEC-370 SEC , Cisco Systems, Inc. All rights reserved. 44

45 Please Complete Your Evaluation Form Session SEC-370 SEC , Cisco Systems, Inc. All rights reserved. 45

46 Presentation_ID 2001, Cisco Systems, Inc. All rights reserved. 46

MPLS Security Considerations

MPLS Security Considerations MPLS Security Considerations Monique J. Morrow, Cisco Systems mmorrow@cisco.com November 1 2004 MPLS JAPAN 2004 1 Acknowledgments Michael Behringer, Cisco Systems 2 Why is MPLS Security Important? Customer

More information

Why Is MPLS VPN Security Important?

Why Is MPLS VPN Security Important? MPLS VPN Security An Overview Monique Morrow Michael Behringer May 2 2007 Future-Net Conference New York Futurenet - MPLS Security 1 Why Is MPLS VPN Security Important? Customer buys Internet Service :

More information

MPLS VPN Security in Service Provider Networks. Peter Tomsu Michael Behringer Monique Morrow

MPLS VPN Security in Service Provider Networks. Peter Tomsu Michael Behringer Monique Morrow MPLS VPN Security in Service Provider Networks Peter Tomsu Michael Behringer Monique Morrow 1 About this Presentation Advanced level advanced MPLS concepts and architectures. Target Audience: Service provider!!

More information

Security of the MPLS Architecture

Security of the MPLS Architecture WHITE PAPER Security of the MPLS Architecture Scope and Introduction Many enterprises are thinking of replacing traditional Layer 2 VPNs such as ATM or Frame Relay (FR) with MPLS-based services. As Multiprotocol

More information

MPLS VPN Security BRKSEC-2145

MPLS VPN Security BRKSEC-2145 MPLS VPN Security BRKSEC-2145 Session Objective Learn how to secure networks which run MPLS VPNs. 100% network focus! Securing routers & the whole network against DoS and abuse Not discussed: Security

More information

MPLS Peter Raedler Systems Engineer praedler@cisco.com 2001, Cisco Systems, Inc. Agenda Overview of MPLS Business Opportunities Security

MPLS Peter Raedler Systems Engineer praedler@cisco.com 2001, Cisco Systems, Inc. Agenda Overview of MPLS Business Opportunities Security MPLS Peter Raedler Systems Engineer praedler@cisco.com 1 Agenda Overview of MPLS Business Opportunities Security 2 Copyright All rights reserved. 1 Optical Internetworking Eliminating the overhead Traditional

More information

MPLS VPN Security in Service Provider Networks

MPLS VPN Security in Service Provider Networks MPLS VPN Security in Service Provider Networks Michael H. Behringer 1 HOUSEKEEPING We value your feedback, don t forget to complete your online session evaluations after each session and complete the Overall

More information

White Paper. Cisco MPLS based VPNs: Equivalent to the security of Frame Relay and ATM. March 30, 2001

White Paper. Cisco MPLS based VPNs: Equivalent to the security of Frame Relay and ATM. March 30, 2001 The leading edge in networking information White Paper Cisco MPLS based VPNs: Equivalent to the security of Frame Relay and ATM March 30, 2001 Abstract: The purpose of this white paper is to present discussion

More information

MPLS Virtual Private Network (VPN) Security

MPLS Virtual Private Network (VPN) Security MPLS Virtual Private Network () Security An MFA Forum Sponsored Tutorial Monique Morrow MFA Forum Ambassador CTO Consulting Engineer Cisco Systems Slide 1 MPLS Security - Agenda Analysis of the Architecture

More information

MPLS VPN Security. Intelligent Information Network. Klaudia Bakšová Systems Engineer, Cisco Systems kbaksova@cisco.com

MPLS VPN Security. Intelligent Information Network. Klaudia Bakšová Systems Engineer, Cisco Systems kbaksova@cisco.com Intelligent Information Network MLS VN Security Klaudia Bakšová Systems Engineer, Cisco Systems kbaksova@cisco.com Agenda Analysis of MLS/VN Security Inter-AS VNs rovider Edge DoS possibility Secure MLS

More information

Category: Informational February 2006

Category: Informational February 2006 Network Working Group M. Behringer Request for Comments: 4381 Cisco Systems Inc Category: Informational February 2006 Status of This Memo Analysis of the Security of BGP/MPLS IP Virtual Private Networks

More information

In this chapter, you learn about the following: How MPLS provides security (VPN separation, robustness against attacks, core hiding, and spoofing

In this chapter, you learn about the following: How MPLS provides security (VPN separation, robustness against attacks, core hiding, and spoofing In this chapter, you learn about the following: How MPLS provides security (VPN separation, robustness against attacks, core hiding, and spoofing protection) How the different Inter-AS and Carrier s Carrier

More information

AT&T Managed IP Network Service (MIPNS) MPLS Private Network Transport Technical Configuration Guide Version 1.0

AT&T Managed IP Network Service (MIPNS) MPLS Private Network Transport Technical Configuration Guide Version 1.0 AT&T Managed IP Network Service (MIPNS) MPLS Private Network Transport Technical Configuration Guide Version 1.0 Introduction...2 Overview...2 1. Technology Background...2 2. MPLS PNT Offer Models...3

More information

PRASAD ATHUKURI Sreekavitha engineering info technology,kammam

PRASAD ATHUKURI Sreekavitha engineering info technology,kammam Multiprotocol Label Switching Layer 3 Virtual Private Networks with Open ShortestPath First protocol PRASAD ATHUKURI Sreekavitha engineering info technology,kammam Abstract This paper aims at implementing

More information

For internal circulation of BSNLonly

For internal circulation of BSNLonly E3-E4 E4 E&WS Overview of MPLS-VPN Overview Traditional Router-Based Networks Virtual Private Networks VPN Terminology MPLS VPN Architecture MPLS VPN Routing MPLS VPN Label Propagation Traditional Router-Based

More information

MP PLS VPN MPLS VPN. Prepared by Eng. Hussein M. Harb

MP PLS VPN MPLS VPN. Prepared by Eng. Hussein M. Harb MP PLS VPN MPLS VPN Prepared by Eng. Hussein M. Harb Agenda MP PLS VPN Why VPN VPN Definition VPN Categories VPN Implementations VPN Models MPLS VPN Types L3 MPLS VPN L2 MPLS VPN Why VPN? VPNs were developed

More information

MPLS VPN Security Best Practice Guidelines

MPLS VPN Security Best Practice Guidelines Security Best Practice Guidelines con 2006 May 24 2006 Monique Morrow and Michael Behringer Distinguished Consulting Engineer and Distinguished Systems Engineer Cisco Systems, Inc. mmorrow@cisco.com mbehring@cisco.com

More information

MPLS Implementation MPLS VPN

MPLS Implementation MPLS VPN MPLS Implementation MPLS VPN Describing MPLS VPN Technology Objectives Describe VPN implementation models. Compare and contrast VPN overlay VPN models. Describe the benefits and disadvantages of the overlay

More information

Expert Reference Series of White Papers. An Overview of MPLS VPNs: Overlay; Layer 3; and PseudoWire

Expert Reference Series of White Papers. An Overview of MPLS VPNs: Overlay; Layer 3; and PseudoWire Expert Reference Series of White Papers An Overview of MPLS VPNs: Overlay; Layer 3; and PseudoWire 1-800-COURSES www.globalknowledge.com An Overview of MPLS VPNs: Overlay; Layer 3; and PseudoWire Al Friebe,

More information

Introduction Inter-AS L3VPN

Introduction Inter-AS L3VPN Introduction Inter-AS L3VPN 1 Extending VPN services over Inter-AS networks VPN Sites attached to different MPLS VPN Service Providers How do you distribute and share VPN routes between ASs Back- to- Back

More information

Virtual Private Networks. Juha Heinänen jh@song.fi Song Networks

Virtual Private Networks. Juha Heinänen jh@song.fi Song Networks Virtual Private Networks Juha Heinänen jh@song.fi Song Networks What is an IP VPN? an emulation of private (wide area) network facility using provider IP facilities provides permanent connectivity between

More information

Notice the router names, as these are often used in MPLS terminology. The Customer Edge router a router that directly connects to a customer network.

Notice the router names, as these are often used in MPLS terminology. The Customer Edge router a router that directly connects to a customer network. Where MPLS part I explains the basics of labeling packets, it s not giving any advantage over normal routing, apart from faster table lookups. But extensions to MPLS allow for more. In this article I ll

More information

Table of Contents. Cisco Configuring a Basic MPLS VPN

Table of Contents. Cisco Configuring a Basic MPLS VPN Table of Contents Configuring a Basic MPLS VPN...1 Introduction...1 Prerequisites...1 Requirements...1 Components Used...2 Related Products...2 Conventions...2 Configure...3 Network Diagram...3 Configuration

More information

MikroTik RouterOS Introduction to MPLS. Prague MUM Czech Republic 2009

MikroTik RouterOS Introduction to MPLS. Prague MUM Czech Republic 2009 MikroTik RouterOS Introduction to MPLS Prague MUM Czech Republic 2009 Q : W h y h a v e n 't y o u h e a r d a b o u t M P LS b e fo re? A: Probably because of the availability and/or price range Q : W

More information

Provisioning Cable Services

Provisioning Cable Services CHAPTER 10 This chapter describes how to provision MPLS VPN cable in IP Solutions Center (ISC). It contains the following sections: Overview of MPLS VPN Cable, page 10-1 in ISC, page 10-5 Creating the

More information

Configuring a Basic MPLS VPN

Configuring a Basic MPLS VPN Configuring a Basic MPLS VPN Help us help you. Please rate this document. Contents Introduction Conventions Hardware and Software Versions Network Diagram Configuration Procedures Enabling Configuring

More information

How Routers Forward Packets

How Routers Forward Packets Autumn 2010 philip.heimer@hh.se MULTIPROTOCOL LABEL SWITCHING (MPLS) AND MPLS VPNS How Routers Forward Packets Process switching Hardly ever used today Router lookinginside the packet, at the ipaddress,

More information

Introducing Basic MPLS Concepts

Introducing Basic MPLS Concepts Module 1-1 Introducing Basic MPLS Concepts 2004 Cisco Systems, Inc. All rights reserved. 1-1 Drawbacks of Traditional IP Routing Routing protocols are used to distribute Layer 3 routing information. Forwarding

More information

Securing a Core Network

Securing a Core Network Securing a Core Network Manchester, 21 Sep 2004 Michael Behringer Christian Panigl Session Number Presentation_ID 325_mbehring 2001, 2003 Cisco Systems, Inc. All

More information

Secure Inter-Provider IP VPNs

Secure Inter-Provider IP VPNs Secure Inter-Provider IP VPNs Shankar Rao, Sr. Product Manager, Qwest Communications shankar.rao@qwest.com Scott Poretsky, Director of QA, Quarry Technologies sporetsky@quarrytech.com October 19, 2004

More information

A Policy Information Model for RFC2547-like IP VPNs

A Policy Information Model for RFC2547-like IP VPNs A Policy Information Model for RFC2547-like IP VPNs Arnaud GONGUET / Olivier POUPEL ALCATEL Route de Nozay - 91460 Marcoussis - France Arnaud.Gonguet@alcatel.fr / Olivier.Poupel@alcatel.fr Tel.: +33 (0)1

More information

MPLS VPN Implementation

MPLS VPN Implementation MPLS VPN Implementation Overview Virtual Routing and Forwarding Table VPN-Aware Routing Protocols VRF Configuration Tasks Configuring BGP Address families Configuring BGP Neighbors Configuring MP-BGP Monitoring

More information

Cisco Certified Security Professional (CCSP)

Cisco Certified Security Professional (CCSP) 529 Hahn Ave. Suite 101 Glendale CA 91203-1052 Tel 818.550.0770 Fax 818.550.8293 www.brandcollege.edu Cisco Certified Security Professional (CCSP) Program Summary This instructor- led program with a combination

More information

RFC 2547bis: BGP/MPLS VPN Fundamentals

RFC 2547bis: BGP/MPLS VPN Fundamentals White Paper RFC 2547bis: BGP/MPLS VPN Fundamentals Chuck Semeria Marketing Engineer Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, CA 94089 USA 408 745 2001 or 888 JUNIPER www.juniper.net

More information

Methods of interconnecting MPLS Networks

Methods of interconnecting MPLS Networks Methods of interconnecting MPLS Networks NANOG31, May 2005 San Francisco Cable & Wireless Internet Engineering Udo Steinegger What this talk is about General This presentation covers technologies on how

More information

MPLS Layer 3 and Layer 2 VPNs over an IP only Core. Rahul Aggarwal Juniper Networks. rahul@juniper.net

MPLS Layer 3 and Layer 2 VPNs over an IP only Core. Rahul Aggarwal Juniper Networks. rahul@juniper.net MPLS Layer 3 and Layer 2 VPNs over an IP only Core Rahul Aggarwal Juniper Networks rahul@juniper.net Agenda MPLS VPN services and transport technology Motivation for MPLS VPN services over an IP only core

More information

Quidway MPLS VPN Solution for Financial Networks

Quidway MPLS VPN Solution for Financial Networks Quidway MPLS VPN Solution for Financial Networks Using a uniform computer network to provide various value-added services is a new trend of the application systems of large banks. Transplanting traditional

More information

Implementing Cisco Service Provider Next-Generation Edge Network Services **Part of the CCNP Service Provider track**

Implementing Cisco Service Provider Next-Generation Edge Network Services **Part of the CCNP Service Provider track** Course: Duration: Price: $ 3,695.00 Learning Credits: 37 Certification: Implementing Cisco Service Provider Next-Generation Edge Network Services Implementing Cisco Service Provider Next-Generation Edge

More information

IP/MPLS-Based VPNs Layer-3 vs. Layer-2

IP/MPLS-Based VPNs Layer-3 vs. Layer-2 Table of Contents 1. Objective... 3 2. Target Audience... 3 3. Pre-Requisites... 3 4. Introduction...3 5. MPLS Layer-3 VPNs... 4 6. MPLS Layer-2 VPNs... 7 6.1. Point-to-Point Connectivity... 8 6.2. Multi-Point

More information

MPLS-based Virtual Private Network (MPLS VPN) The VPN usually belongs to one company and has several sites interconnected across the common service

MPLS-based Virtual Private Network (MPLS VPN) The VPN usually belongs to one company and has several sites interconnected across the common service Nowdays, most network engineers/specialists consider MPLS (MultiProtocol Label Switching) one of the most promising transport technologies. Then, what is MPLS? Multi Protocol Label Switching (MPLS) is

More information

Implementing Cisco MPLS

Implementing Cisco MPLS Implementing Cisco MPLS Course MPLS v2.3; 5 Days, Instructor-led Course Description This design document is for the refresh of the Implementing Cisco MPLS (MPLS) v2.3 instructor-led training (ILT) course,

More information

Cisco 642-889. Implementing Cisco Service Provider Next-Generation Egde Network Services. Version: 4.1

Cisco 642-889. Implementing Cisco Service Provider Next-Generation Egde Network Services. Version: 4.1 Cisco 642-889 Implementing Cisco Service Provider Next-Generation Egde Network Services Version: 4.1 QUESTION NO: 1 Cisco 642-889 Exam Which type of VPN requires a full mesh of virtual circuits to provide

More information

Configuring MPLS Hub-and-Spoke Layer 3 VPNs

Configuring MPLS Hub-and-Spoke Layer 3 VPNs CHAPTER 23 This chapter describes how to configure a hub-and-spoke topology for Multiprotocol Layer Switching (MPLS) Layer 3 virtual private networks (VPNs) on Cisco NX-OS devices. This chapter includes

More information

DD2491 p2 2011. MPLS/BGP VPNs. Olof Hagsand KTH CSC

DD2491 p2 2011. MPLS/BGP VPNs. Olof Hagsand KTH CSC DD2491 p2 2011 MPLS/BGP VPNs Olof Hagsand KTH CSC 1 Literature Practical BGP: Chapter 10 MPLS repetition, see for example http://www.csc.kth.se/utbildning/kth/kurser/dd2490/ipro1-11/lectures/mpls.pdf Reference:

More information

Network Working Group Request for Comments: 2547. March 1999

Network Working Group Request for Comments: 2547. March 1999 Network Working Group Request for Comments: 2547 Category: Informational E. Rosen Y. Rekhter Cisco Systems, Inc. March 1999 BGP/MPLS VPNs Status of this Memo This memo provides information for the Internet

More information

Introduction to MPLS-based VPNs

Introduction to MPLS-based VPNs Introduction to MPLS-based VPNs Ferit Yegenoglu, Ph.D. ISOCORE ferit@isocore.com Outline Introduction BGP/MPLS VPNs Network Architecture Overview Main Features of BGP/MPLS VPNs Required Protocol Extensions

More information

s@lm@n Cisco Exam 642-889 Implementing Cisco Service Provider Next-Generation Egde Network Services Version: 7.0 [ Total Questions: 126 ]

s@lm@n Cisco Exam 642-889 Implementing Cisco Service Provider Next-Generation Egde Network Services Version: 7.0 [ Total Questions: 126 ] s@lm@n Cisco Exam 642-889 Implementing Cisco Service Provider Next-Generation Egde Network Services Version: 7.0 [ Total Questions: 126 ] Cisco 642-889 : Practice Test Question No : 1 Refer to the exhibit.

More information

MPLS VPN. Agenda. MP-BGP VPN Overview MPLS VPN Architecture MPLS VPN Basic VPNs MPLS VPN Complex VPNs MPLS VPN Configuration (Cisco) L86 - MPLS VPN

MPLS VPN. Agenda. MP-BGP VPN Overview MPLS VPN Architecture MPLS VPN Basic VPNs MPLS VPN Complex VPNs MPLS VPN Configuration (Cisco) L86 - MPLS VPN MPLS VPN Peer to Peer VPN s Agenda MP-BGP VPN Overview MPLS VPN Architecture MPLS VPN Basic VPNs MPLS VPN Complex VPNs MPLS VPN Configuration (Cisco) CE-PE OSPF Routing CE-PE Static Routing CE-PE RIP Routing

More information

VPN Technologies A Comparison

VPN Technologies A Comparison VPN Technologies A Comparison Matthew Finlayson, matthewfinlayson@metaswitch.com Jon Harrison, jon.harrison@metaswitch.com Richard Sugarman, richard.sugarman@metaswitch.com First issued February 2003 100

More information

MPLS L2VPN (VLL) Technology White Paper

MPLS L2VPN (VLL) Technology White Paper MPLS L2VPN (VLL) Technology White Paper Issue 1.0 Date 2012-10-30 HUAWEI TECHNOLOGIES CO., LTD. 2012. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any

More information

Kingston University London

Kingston University London Kingston University London Thesis Title Implementation and performance evaluation of WAN services over MPLS Layer-3 VPN Dissertation submitted for the Degree of Master of Science in Networking and Data

More information

CISCO IOS NETWORK SECURITY (IINS)

CISCO IOS NETWORK SECURITY (IINS) CISCO IOS NETWORK SECURITY (IINS) SEVENMENTOR TRAINING PVT.LTD [Type text] Exam Description The 640-553 Implementing Cisco IOS Network Security (IINS) exam is associated with the CCNA Security certification.

More information

IMPLEMENTING CISCO MPLS V2.3 (MPLS)

IMPLEMENTING CISCO MPLS V2.3 (MPLS) IMPLEMENTING CISCO MPLS V2.3 (MPLS) COURSE OVERVIEW: The course will enable learners to gather information from the technology basics to advanced VPN configuration. The focus of the course is on VPN technology

More information

MPLS-based Layer 2 VPNs. Kireeti Kompella Juniper Networks

MPLS-based Layer 2 VPNs. Kireeti Kompella Juniper Networks MPLS-based Layer 2 VPNs Kireeti Kompella Juniper Networks Agenda! Introduction " Traditional Layer 2 VPNs " MPLS-based Layer 2 VPNs " Layer 3 VPNs! Details " Provisioning " Transport " Carrying non-address

More information

AMPLS - Advanced Implementing and Troubleshooting MPLS VPN Networks v4.0

AMPLS - Advanced Implementing and Troubleshooting MPLS VPN Networks v4.0 Course Outline AMPLS - Advanced Implementing and Troubleshooting MPLS VPN Networks v4.0 Module 1: MPLS Features Lesson 1: Describing Basic MPLS Concepts Provide an overview of MPLS forwarding, features,

More information

Junos MPLS and VPNs (JMV)

Junos MPLS and VPNs (JMV) Junos MPLS and VPNs (JMV) Course No: EDU-JUN-JMV Length: Five days Onsite Price: $32500 for up to 12 students Public Enrollment Price: $3500/student Course Level JMV is an advanced-level course. Prerequisites

More information

Building VPNs. Nam-Kee Tan. With IPSec and MPLS. McGraw-Hill CCIE #4307 S&

Building VPNs. Nam-Kee Tan. With IPSec and MPLS. McGraw-Hill CCIE #4307 S& Building VPNs With IPSec and MPLS Nam-Kee Tan CCIE #4307 S& -.jr."..- i McGraw-Hill New York Chicago San Francisco Lisbon London Madrid Mexico City Milan New Delhi San Juan Seoul Singapore Sydney Toronto

More information

Fundamentals Multiprotocol Label Switching MPLS III

Fundamentals Multiprotocol Label Switching MPLS III Fundamentals Multiprotocol Label Switching MPLS III Design of Telecommunication Infrastructures 2008-2009 Rafael Sebastian Departament de tecnologies de la Informació i les Comunicaciones Universitat Pompeu

More information

Implementing VPN over MPLS

Implementing VPN over MPLS IOSR Journal of Electronics and Communication Engineering (IOSR-JECE) e-issn: 2278-2834,p- ISSN: 2278-8735.Volume 10, Issue 3, Ver. I (May - Jun.2015), PP 48-53 www.iosrjournals.org Implementing VPN over

More information

MPLS L3 VPN Supporting VoIP, Multicast, and Inter-Provider Solutions

MPLS L3 VPN Supporting VoIP, Multicast, and Inter-Provider Solutions MPLS L3 VPN Supporting VoIP, Multicast, and Inter-Provider Solutions Luyuan Fang ATT MPLSCon 2005, NYC The world s networking company SM Outline Overview of the L3 VPN deployment VoIP over MPLS VPN MPLS

More information

IPv6 over IPv4/MPLS Networks: The 6PE approach

IPv6 over IPv4/MPLS Networks: The 6PE approach IPv6 over IPv4/MPLS Networks: The 6PE approach Athanassios Liakopoulos Network Operation & Support Manager (aliako@grnet.gr) Greek Research & Technology Network (GRNET) III Global IPv6 Summit Moscow, 25

More information

Virtual Private Network VPN, VRF, and MPLS

Virtual Private Network VPN, VRF, and MPLS CE443 Computer Networks Virtual Private Network VPN, VRF, and MPLS Behnam Momeni Computer Engineering Department Sharif University of Technology Acknowledgments: Lecture slides are from Computer networks

More information

Exam : 642-889. Implementing Cisco Service Provider Next-Generation Egde Network Services. Title :

Exam : 642-889. Implementing Cisco Service Provider Next-Generation Egde Network Services. Title : Exam : 642-889 Title : Implementing Cisco Service Provider Next-Generation Egde Network Services Version : DEMO 1 / 6 1.Which type of VPN requires a full mesh of virtual circuits to provide optimal site-to-site

More information

Addressing Inter Provider Connections With MPLS-ICI

Addressing Inter Provider Connections With MPLS-ICI Addressing Inter Provider Connections With MPLS-ICI Introduction Why migrate to packet switched MPLS? The migration away from traditional multiple packet overlay networks towards a converged packet-switched

More information

-Green line is total enrollment -2008 numbers are projected to be near 20,000 (on-campus) not including distance education numbers.

-Green line is total enrollment -2008 numbers are projected to be near 20,000 (on-campus) not including distance education numbers. 1 2 3 4 -Lower yellow line is graduate student enrollment -Red line is undergradate enrollment -Green line is total enrollment -2008 numbers are projected to be near 20,000 (on-campus) not including distance

More information

Cisco Dynamic Multipoint VPN: Simple and Secure Branch-to-Branch Communications

Cisco Dynamic Multipoint VPN: Simple and Secure Branch-to-Branch Communications Cisco Dynamic Multipoint VPN: Simple and Secure Branch-to-Branch Communications Product Overview Cisco Dynamic Multipoint VPN (DMVPN) is a Cisco IOS Software-based security solution for building scalable

More information

Cisco Which VPN Solution is Right for You?

Cisco Which VPN Solution is Right for You? Table of Contents Which VPN Solution is Right for You?...1 Introduction...1 Before You Begin...1 Conventions...1 Prerequisites...1 Components Used...1 NAT...2 Generic Routing Encapsulation Tunneling...2

More information

Regaining MPLS VPN WAN Visibility with Route Analytics. Seeing through the MPLS VPN Cloud

Regaining MPLS VPN WAN Visibility with Route Analytics. Seeing through the MPLS VPN Cloud Regaining MPLS VPN WAN Visibility with Route Analytics Seeing through the MPLS VPN Cloud Executive Summary Increasing numbers of enterprises are outsourcing their backbone WAN connectivity to MPLS VPN

More information

WHITE PAPER. Addressing Inter Provider Connections with MPLS-ICI CONTENTS: Introduction. IP/MPLS Forum White Paper. January 2008. Introduction...

WHITE PAPER. Addressing Inter Provider Connections with MPLS-ICI CONTENTS: Introduction. IP/MPLS Forum White Paper. January 2008. Introduction... Introduction WHITE PAPER Addressing Inter Provider Connections with MPLS-ICI The migration away from traditional multiple packet overlay networks towards a converged packet-switched MPLS system is now

More information

Network Virtualization Network Admission Control Deployment Guide

Network Virtualization Network Admission Control Deployment Guide Network Virtualization Network Admission Control Deployment Guide This document provides guidance for enterprises that want to deploy the Cisco Network Admission Control (NAC) Appliance for their campus

More information

International Civil Aviation Organization

International Civil Aviation Organization ATNICG/8 WP/09 Agenda Item 04 18/03/13 International Civil Aviation Organization THE EIGHTH MEETING OF AERONAUTICAL TELECOMMUNICATION NETWORK (ATN) IMPLEMENTATION CO-ORDINATION GROUP OF APANPIRG (ATNICG/8)

More information

Enterprise Network Simulation Using MPLS- BGP

Enterprise Network Simulation Using MPLS- BGP Enterprise Network Simulation Using MPLS- BGP Tina Satra 1 and Smita Jangale 2 1 Department of Computer Engineering, SAKEC, Chembur, Mumbai-88, India tinasatra@gmail.com 2 Department of Information Technolgy,

More information

MPLS-based Layer 3 VPNs

MPLS-based Layer 3 VPNs MPLS-based Layer 3 VPNs Overall objective The purpose of this lab is to study Layer 3 Virtual Private Networks (L3VPNs) created using MPLS and BGP. A VPN is an extension of a private network that uses

More information

Securing Networks with Cisco Routers and Switches 1.0 (SECURE)

Securing Networks with Cisco Routers and Switches 1.0 (SECURE) Securing Networks with Cisco Routers and Switches 1.0 (SECURE) Course Overview: The Securing Networks with Cisco Routers and Switches (SECURE) 1.0 course is a five-day course that aims at providing network

More information

Advanced IPSec with GET VPN. Nadhem J. AlFardan Consulting System Engineer Cisco Systems nalfarda@cisco.com

Advanced IPSec with GET VPN. Nadhem J. AlFardan Consulting System Engineer Cisco Systems nalfarda@cisco.com Advanced IPSec with GET VPN Nadhem J. AlFardan Consulting System Engineer Cisco Systems nalfarda@cisco.com 1 Agenda Motivations for GET-enabled IPVPN GET-enabled IPVPN Overview GET Deployment Properties

More information

CS419: Computer Networks. Lecture 9: Mar 30, 2005 VPNs

CS419: Computer Networks. Lecture 9: Mar 30, 2005 VPNs : Computer Networks Lecture 9: Mar 30, 2005 VPNs VPN Taxonomy VPN Client Network Provider-based Customer-based Provider-based Customer-based Compulsory Voluntary L2 L3 Secure Non-secure ATM Frame Relay

More information

Building Trusted VPNs with Multi-VRF

Building Trusted VPNs with Multi-VRF Building Trusted VPNs with Introduction Virtual Private Networks (VPNs) have been a key application in networking for a long time. A slew of possible solutions have been proposed over the last several

More information

Campus LAN at NKN Member Institutions

Campus LAN at NKN Member Institutions Campus LAN at NKN Member Institutions RS MANI rsm@nkn.in 1/7/2015 3 rd Annual workshop 1 Efficient utilization Come from: Good Campus LAN Speed Segregation of LANs QoS Resilient Access Controls ( L2 and

More information

Tackling the Challenges of MPLS VPN Testing. Todd Law Product Manager Advanced Networks Division

Tackling the Challenges of MPLS VPN Testing. Todd Law Product Manager Advanced Networks Division Tackling the Challenges of MPLS VPN ing Todd Law Product Manager Advanced Networks Division Agenda Background Why test MPLS VPNs anyway? ing Issues Technical Complexity and Service Provider challenges

More information

Lecture 17 - Network Security

Lecture 17 - Network Security Lecture 17 - Network Security CMPSC 443 - Spring 2012 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse443-s12/ Idea Why donʼt we just integrate some of these neat

More information

SBSCET, Firozpur (Punjab), India

SBSCET, Firozpur (Punjab), India Volume 3, Issue 9, September 2013 ISSN: 2277 128X International Journal of Advanced Research in Computer Science and Software Engineering Research Paper Available online at: www.ijarcsse.com Layer Based

More information

Multi Protocol Label Switching (MPLS) is a core networking technology that

Multi Protocol Label Switching (MPLS) is a core networking technology that MPLS and MPLS VPNs: Basics for Beginners Christopher Brandon Johnson Abstract Multi Protocol Label Switching (MPLS) is a core networking technology that operates essentially in between Layers 2 and 3 of

More information

Cisco Certified Network Expert (CCNE)

Cisco Certified Network Expert (CCNE) 529 Hahn Ave. Suite 101 Glendale CA 91203-1052 Tel 818.550.0770 Fax 818.550.8293 www.brandcollege.edu Cisco Certified Network Expert (CCNE) Program Summary This instructor- led program with a combination

More information

Implementing Secured Converged Wide Area Networks (ISCW) Version 1.0

Implementing Secured Converged Wide Area Networks (ISCW) Version 1.0 COURSE OVERVIEW Implementing Secure Converged Wide Area Networks (ISCW) v1.0 is an advanced instructor-led course that introduces techniques and features that enable or enhance WAN and remote access solutions.

More information

- Multiprotocol Label Switching -

- Multiprotocol Label Switching - 1 - Multiprotocol Label Switching - Multiprotocol Label Switching Multiprotocol Label Switching (MPLS) is a Layer-2 switching technology. MPLS-enabled routers apply numerical labels to packets, and can

More information

MPLS Concepts. Overview. Objectives

MPLS Concepts. Overview. Objectives MPLS Concepts Overview This module explains the features of Multi-protocol Label Switching (MPLS) compared to traditional ATM and hop-by-hop IP routing. MPLS concepts and terminology as well as MPLS label

More information

MPLS VPN over mgre. Finding Feature Information. Prerequisites for MPLS VPN over mgre

MPLS VPN over mgre. Finding Feature Information. Prerequisites for MPLS VPN over mgre The feature overcomes the requirement that a carrier support multiprotocol label switching (MPLS) by allowing you to provide MPLS connectivity between networks that are connected by IP-only networks. This

More information

Cisco Implementing Cisco Service Provider Next Generation Edge Network Services

Cisco Implementing Cisco Service Provider Next Generation Edge Network Services 642-889 Cisco Implementing Cisco Service Provider Next Generation Edge Network Services http://www.pass4sureofficial.com Dumpspdf.com is a reputable IT certification examination guide, study guides and

More information

S-38.3192 ITGuru Excercise 3: BGP/MPLS VPN. Spring 2007. Timo-Pekka Heikkinen, Juha Järvinen and Piia Töyrylä

S-38.3192 ITGuru Excercise 3: BGP/MPLS VPN. Spring 2007. Timo-Pekka Heikkinen, Juha Järvinen and Piia Töyrylä S-38.3192 ITGuru Excercise 3: BGP/MPLS VPN Spring 2007 Timo-Pekka Heikkinen, Juha Järvinen and Piia Töyrylä Task Description Overview The exercise 3 is about BGP/MPLS VPNs. The MPLS/LDP network from the

More information

Configuration Guide. How to set up the IPSec site-to-site Tunnel between the D-Link DSR Router and the Cisco Firewall. Overview

Configuration Guide. How to set up the IPSec site-to-site Tunnel between the D-Link DSR Router and the Cisco Firewall. Overview Configuration Guide How to set up the IPSec site-to-site Tunnel between the D-Link DSR Router and the Cisco Firewall Overview This document describes how to implement IPSec with pre-shared secrets establishing

More information

Using OSPF in an MPLS VPN Environment

Using OSPF in an MPLS VPN Environment Using OSPF in an MPLS VPN Environment Overview This module introduces the interaction between multi-protocol Border Gateway Protocol (MP-BGP) running between Provider Edge routers (s) and Open Shortest

More information

IMPLEMENTING CISCO MPLS V3.0 (MPLS)

IMPLEMENTING CISCO MPLS V3.0 (MPLS) IMPLEMENTING CISCO MPLS V3.0 (MPLS) COURSE OVERVIEW: Multiprotocol Label Switching integrates the performance and traffic-management capabilities of data link Layer 2 with the scalability and flexibility

More information

IPv6 Migration Challenges for Large Service Providers

IPv6 Migration Challenges for Large Service Providers IPv6 Migration Challenges for Large Service Providers Aruna P General manager Network Operation Agenda Airtel Overview Drivers of IPV6 Migration challenges Design Considerations Deployment plan Airtel

More information

RA-MPLS VPN Services. Kapil Kumar Network Planning & Engineering Data. E-mail: Kapil.Kumar@relianceinfo.com

RA-MPLS VPN Services. Kapil Kumar Network Planning & Engineering Data. E-mail: Kapil.Kumar@relianceinfo.com RA-MPLS VPN Services Kapil Kumar Network Planning & Engineering Data E-mail: Kapil.Kumar@relianceinfo.com Agenda Introduction Why RA MPLS VPNs? Overview of RA MPLS VPNs Architecture for RA MPLS VPNs Typical

More information

Approach to build MPLS VPN using QoS capabilities

Approach to build MPLS VPN using QoS capabilities International Journal of Engineering Research and Development e-issn: 2278-067X, p-issn: 2278-800X, www.ijerd.com Volume 7, Issue 8 (June 2013), PP. 26-32 Approach to build MPLS VPN using QoS capabilities

More information

l.cittadini, m.cola, g.di battista

l.cittadini, m.cola, g.di battista MPLS VPN l.cittadini, m.cola, g.di battista motivations customer s problem a customer (e.g., private company, public administration, etc.) has several geographically distributed sites and would like to

More information

Internet Services & Protocols

Internet Services & Protocols Department of Computer Science Institute for System Architecture, Chair for Computer Networks Internet Services & Protocols Internet (In)Security Dr.-Ing. Stephan Groß Room: INF 3099 E-Mail: stephan.gross@tu-dresden.de

More information

Implementing MPLS VPNs over IP Tunnels on Cisco IOS XR Software

Implementing MPLS VPNs over IP Tunnels on Cisco IOS XR Software Implementing MPLS VPNs over IP Tunnels on Cisco IOS XR Software The MPLS VPNs over IP Tunnels feature lets you deploy Layer 3 Virtual Private Netwk (L3VPN) services, over an IP ce netwk, using L2TPv3 multipoint

More information

Layer 3 MPLS VPN Enterprise Consumer Guide Version 2

Layer 3 MPLS VPN Enterprise Consumer Guide Version 2 Layer 3 MPLS VPN Enterprise Consumer Guide Version 2 This document is written for networking engineers and administrators responsible for implementing a Layer 3 (L3) MPLS VPN service from a service provider

More information

INTRODUCTION TO L2VPNS

INTRODUCTION TO L2VPNS INTRODUCTION TO L2VPNS 4 Introduction to Layer 2 and Layer 3 VPN Services CE Layer 3 VPN Link Comprised of IP Traffic Passed Over IP Backbone LEGEND Layer 3 VPN Layer 2 VPN CE CE PE IP Backbone PE CE Layer

More information