Selecting MPLS VPN Services
Chris Lewis, Steve Pickavance
Contributions by: Monique Morrow, John Monaghan, Craig Huegen
Cisco Press
800 East 96th Street
Indianapolis, IN 46240 USA
Contents

Introduction  xxii

Part I  Business Analysis and Requirements of IP/MPLS VPN  3

Chapter 1  Assessing Enterprise Legacy WANs and IP/VPN Migration  5
    Current State of Enterprise Networks  5
    Evolutionary Change of Enterprise Networks  7
    Acme, a Global Manufacturer  10
        Acme's Global Span  10
        Business Desires of Acme's Management  10
        Acme's IT Applications Base  10
        Acme's IT Communications Infrastructure  11
        Acme's Intranet: Backbone WAN  12
        Acme's Intranet: Regional WANs  12
    New WAN Technologies for Consideration by Acme  13
        Layer 3 IP/MPLS VPN Services  13
            IP/MPLS VPN Service Topologies and Provisioning  14
            IP/MPLS VPN: A Foundation for Network Services  16
            IP/MPLS VPN Transparency  16
            IP/MPLS VPN Network Management and SLAs  16
            Enterprise Vendor Management Approach  17
            Extranet Integration in IP/MPLS VPN Networks  18
        Layer 2 IP/MPLS VPN Services  18
            VPWS  18
            VPLS  21
        Convergence Services  22
            Internet Access  22
            Mobile Access and Teleworker Access  22
            Voice Services: Service Provider Hosted PSTN Gateway  22
            Voice Services: Service Provider Hosted IP Telephony  23
    Summary  23

Chapter 2  Assessing Service Provider WAN Offerings  27
    Enterprise/Service Provider Relationship and Interface  27
    Investigation Required in Selecting a Service Provider  28
        Coverage, Access, and IP  28
        Financial Strength of the Service Provider  29
        Convergence  30
        Transparency  31
        IP Version 6  35
        Provider Cooperation/Tiered Arrangements  38
        Enhanced Service-Level Agreement  39
        Customer Edge Router Management  40
        Service Management  41
        Customer Reports and SLA Validation  41
    Summary  42

Chapter 3  Analyzing Service Requirements  45
    Application/Bandwidth Requirements  45
    Backup and Resiliency  51
    Enterprise Segmentation Requirements  53
        Mapping VLANs to VPNs in the Campus  55
    Access Technologies  56
        Frame Relay  57
        ATM  57
        Dedicated Circuit from CE to PE  58
        ATM PVC from CE to PE  59
        Frame Relay PVC from CE to PE  60
        Metro Ethernet  60
    QoS Requirements  62
        Bandwidth  62
        Packet Delay and Jitter  63
        Packet Loss  63
        Enterprise Loss, Latency, and Jitter Requirements  64
        QoS at Layer 2  65
        Subscriber Network QoS Design  68
        Baseline New Applications  68
        Develop the Network  68
    Security Requirements  70
    Topological and Network Design Considerations  71
        SP-Managed VPNs  72
        Multiprovider Considerations  73
        Extranets  74
    Case Study: Analyzing Service Requirements for Acme, Inc.  75
        Layer 2 Description  76
        Existing Customer Characteristics That Are Required in the New Network  76
        DefenseCo's Backbone Is a Single Autonomous System  77
        Reasons for Migrating to MPLS  77
        Evaluation Testing Phase  78
            Routing Convergence  79
            Jitter and Delay  79
            Congestion, QoS, and Load Testing  80
                First Scenario  81
                Second Scenario  81
                Third Scenario  81
            Subjective Measures  82
            Vendor Knowledge and Technical Performance  83
            Evaluation Tools  83
            TTCP  84
        Lessons Learned  85
        Transition and Implementation Concerns and Issues  86
        Post-Transition Results  86
    Summary  87
    References  88

Part II  Deployment Guidelines  91

Chapter 4  IP Routing with IP/MPLS VPNs  93
    Introduction to Routing for the Enterprise MPLS VPN  93
    Implementing Routing Protocols  95
        Network Topology  95
        Addressing and Route Summarization  96
        Route Selection  98
        Convergence  99
        Network Scalability  99
            Memory  100
            CPU  100
        Security  102
            Plaintext Password Authentication  102
            MD5 Authentication  102
    Site Typifying WAN Access: Impact on Topology  103
        Site Type: Topology  104
        WAN Connectivity Standards  107
            Site Type A Attached Sites: Dual CE and Dual PE  108
            Site Type B/3 Dual-Attached Site: Single CE, Dual PE  110
            Site Type B/3 Dual-Attached Site: Single CE, Single PE  110
            Site Type D Single-Attached Site: Single CE with Backup  111
        Convergence: Optimized Recovery  112
        IP Addressing  113
    Routing Between the Enterprise and the Service Provider  113
        Using EIGRP Between the CE and PE  114
            How EIGRP MPLS VPN PE-to-CE Works  114
            PE Router: Non-EIGRP-Originated Routes  115
            PE Router: EIGRP-Originated Internal Routes  116
            PE Router: EIGRP-Originated External Routes  116
            Multiple VRF Support  117
            Extended Communities Defined for EIGRP VPNv4  117
            Metric Propagation  117
            Configuring EIGRP for CE-to-PE Operation  118
        Using BGP Between the CE and PE  119
            Securing CE-PE Peer Sessions  120
            Improving BGP Convergence  121
    Case Study: BGP and EIGRP Deployment in Acme, Inc.  122
        Small Site Single-Homed, No Backup  122
        Medium Site Single-Homed with Backup  124
        Medium Site Single CE Dual-Homed to a Single PE  126
        Large Site Dual-Homed (Dual CE, Dual PE)  128
        Load Sharing Across Multiple Connections  130
        Very Large Site/Data Center Dual Service Provider MPLS VPN  131
        Site Typifying Site Type A Failures  134
        Solutions Assessment  134
    Summary  135
    References  136
        Cisco Press  136

Chapter 5  Implementing Quality of Service  139
    Introduction to QoS  139
    Building a QoS Policy: Framework Considerations  141
    QoS Tool Chest: Understanding the Mechanisms  143
        Classes of Service  143
        IP ToS  145
        Hardware Queuing  146
        Software Queuing  146
        QoS Mechanisms Defined  146
        Pulling It Together: Build the Trust  152
    Building the Policy Framework  154
        Classification and Marking of Traffic  154
            Trusted Edge  154
            Device Trust  155
            Application Trust  155
            CoS and DSCP  156
            Strategy for Classifying Voice Bearer Traffic  156
            QoS on Backup WAN Connections  156
        Shaping/Policing Strategy  157
        Queuing/Link Efficiency Strategy  158
    IP/VPN QoS Strategy  160
        Approaches for QoS Transparency Requirements for the Service Provider Network  161
            Uniform Mode  162
            Pipe Mode  163
            Short-Pipe Mode  163
        QoS CoS Requirements for the SP Network  163
        WRED Implementations  163
        Identification of Traffic  165
            What Would Constitute This Real-Time Traffic?  165
    QoS Requirements for Voice, Video, and Data  167
        QoS Requirements for Voice  167
            Sample Calculation  168
        QoS Requirements for Video  169
        QoS Requirements for Data  170
    The LAN Edge: L2 Configurations  171
        Classifying Voice on the WAN Edge  174
        Classifying Video on the WAN Edge  175
        Classifying Data on the WAN Edge  176
    Case Study: QoS in the Acme, Inc. Network  179
        QoS for Low-Speed Links: 64 kbps to 1024 kbps  180
        Slow-Speed (768-kbps) Leased-Line Recommendation: Use MLP LFI and cRTP  181
        QoS Reporting  181
    Summary  182
    References  183

Chapter 6  Multicast in an MPLS VPN  187
    Introduction to Multicast for the Enterprise MPLS VPN  187
    Multicast Considerations  188
    Mechanics of IP Multicast  190
        RPF  190
        RPF Check  191
        Source Trees Versus Shared Trees  191
        Protocol-Independent Multicast  192
            PIM Dense Mode  192
            PIM Sparse Mode  192
            Bidirectional PIM (Bidir-PIM)  193
        Interdomain Multicast Protocols  194
            Multiprotocol Border Gateway Protocol  194
            Multicast Source Discovery Protocol  195
            Source-Specific Multicast  195
        Multicast Addressing  196
            Administratively Scoped Addresses  197
    Deploying the IP Multicast Service  198
        Default PIM Interface Configuration Mode  200
        Host Signaling  200
        Sourcing  202
        Multicast Deployment Models  203
            Any-Source Multicast  203
            Source-Specific Multicast  204
            Enabling SSM  206
    Multicast in an MPLS VPN Environment: Transparency  207
        Multicast Routing Inside the VPN  208
    Case Study: Implementing Multicast over MPLS for Acme  210
        Multicast Addressing  210
        Multicast Address Management  212
        Predeployment Considerations  212
        MVPN Configuration Needs on the CE  213
        Boundary ACL  214
            Positioning of Multicast Boundaries  215
            Configuration to Apply a Boundary Access List  216
        Rate Limiting  218
            Rate-Limiting Configuration  219
        MVPN Deployment Plan  219
        Preproduction User Test Sequence  220
        What Happens When There Is No MVPN Support?  224
        Other Considerations and Challenges  225
    Summary  226
    References  227
Chapter 7  Enterprise Security in an MPLS VPN Environment  229
    Setting the Playing Field  230
    Comparing MPLS VPN Security to Frame Relay Networks  234
    Security Concerns Specific to MPLS VPNs  236
    Issues for Enterprises to Resolve When Connecting at Layer 3 to Provider Networks  244
        History of IP Network Attacks  244
        Strong Password Protection  245
        Preparing for an Attack  245
        Identifying an Attack  246
        Initial Precautions  247
            Receiving ACLs  247
            Infrastructure ACLs  248
        Basic Attack Mitigation  250
    Basic Security Techniques  253
        Remote-Triggered Black-Hole Filtering  253
        Loose uRPF for Source-Based Filtering  255
        Strict uRPF and Source Address Validation  256
        Sinkholes and Anycast Sinkholes  258
        Backscatter Traceback  259
        Cisco Guard  262
    Distributed DoS, Botnets, and Worms  263
        Anatomy of a DDoS Attack  264
        Botnets  266
        Worm Mitigation  268
    Case Study Selections  270
    Summary  270
    References  271
        Comparing MPLS VPN to Frame Relay Security  271
        ACL Information  271
        Miscellaneous Security Tools  271
        Cisco Reference for MPLS Technology and Operation  271
        Cisco Reference for Cisco Express Forwarding  272
        Public Online ISP Security Bootcamp  272
        Tutorials, Workshops, and Bootcamps  272
        Original Backscatter Traceback and Customer-Triggered Remote-Triggered Black-Hole Techniques  272
        Source for Good Papers on Internet Technologies and Security  272
        Security Work Definitions  272
        NANOG SP Security Seminars and Talks  272
        Birds of a Feather and General Security Discussion Sessions at NANOG  274

Chapter 8  MPLS VPN Network Management  277
    The Enterprise: Evaluating Service Provider Management Capabilities  279
        Provisioning  279
        SLA Monitoring  280
        Fault Management  281
            Handling Reported Faults  281
            Passive Fault Management  282
        Reporting  288
        Root Cause Analysis  289
    The Enterprise: Managing the VPN  289
        Planning  290
        Ordering  291
        Provisioning  291
            CE Provisioning  292
            CE Management Access  293
        Acceptance Testing  297
        Monitoring  298
        Optimization  299
    The Service Provider: How to Meet and Exceed Customer Expectations  300
        Provisioning  300
            Zero-Touch Deployment  300
            PE Configuration  302
        Fault Monitoring  302
            MPLS-Related MIBs  302
            Resource Monitoring  304
            OAM and Troubleshooting  306
            Proactive Monitoring in Detail  306
            Performance Problems  319
        Fault Management  320
            Proactive Fault Management  320
            Reactive Fault Management  326
        SLA Monitoring  327
            Accuracy  327
            Probe Metric Support  328
            QoS Support  329
            Specialized Voice Probes  330
            Threshold Breach Notification  330
        Reporting  331
    Summary  332
    References  333

Chapter 9  Off-Net Access to the VPN  335
    Remote Access  335
        Dial Access via RAS  336
            RAS Configuration  338
        Dial Access via L2TP  339
            L2TP Components  340
            L2TP Call Procedure  340
            Connecting L2TP Solutions to VRFs  341
        DSL Considerations  345
        Cable Considerations  347
    IPsec Access  347
        GRE + IPsec on the CPE  350
            Designing for GRE Resiliency  352
            Configuring GRE Resiliency  353
        CE-to-CE IPsec  354
        DMVPN Overview  355
            mGRE for Tunneling  356
            NHRP for Address Resolution  357
            Routing Protocol Concerns  358
            IPsec Profiles for Data Protection  359
            Summary of DMVPN Operation  361
        The Impact of Transporting Multiservice Traffic over IPsec  362
        Split Tunneling in IPsec  365
    Supporting Internet Access in IP VPNs  366
    Case Study Selections  369
    Summary  370
    References  371
        General PPP Information  371
        Configuring Dial-In Ports  371
        L2TP  371
        Layer 2 Tunnel Protocol Fact Sheet  371
        Layer 2 Tunnel Protocol  371
        VPDN Configuration Guide  371
        VPDN Configuration and Troubleshooting  371
        Security Configuration Guide  371
        RADIUS Configuration Guide  372
        Broadband Aggregation to MPLS VPN  372
        Remote Access to MPLS VPN  372
        Network-Based IPsec VPN Solutions  372
        IPsec  372
        GRE + IPsec  372
        DMVPN  372
        Split Tunneling  373
        Prefragmentation  373

Chapter 10  Migration Strategies  375
    Network Planning  375
        Writing the RFP  375
        Architecture and Design Planning with the Service Providers  379
    Project Management  381
        SLAs with the Service Providers  381
        Network Operations Training  385
    Implementation Planning  388
        Phase 1  388
        Phase 2  389
        Phase 3  389
        Phase 4  390
    On-Site Implementation  390
    Case Study Selections  392
    Summary  392

Part III  Appendix  395

Appendix  Questions to Ask Your Provider Regarding Layer 3 IP/MPLS VPN Capability  397
    Coverage and Topology  398
    Customer Edge Router Management  398
    Network Access, Resiliency, and Load Balancing  399
    QoS Capability  400
    Multicast Capability  402
    Routing Protocol Capability  403
    SLA Measurement and Monitoring Capability  404
    SLA Details  404
    Security  405
    Software Deployment Processes  406
    Inter-Provider IP/VPN  406
    IPv6  406
    MTU Considerations  407
    Hosting Capability  407
    IP Telephony PSTN Integration  408
    IP Telephony Hosted Call Agent  408
    Remote and Dial Access  409
    Internet Access  410
    Other Network Services  410

Index  413