MPLS multi-domain services MD-VPN service Xavier Jeannin, RENATER Tomasz Szewczyk / PSNC Training and Workshops for advancing NRENs 8-11 Sept 2014 Chisinau, Moldova
MPLS brief overview Original purpose: avoid complex and long IP lookup in the router Routing by label Forwarding based on label Distributed label (LDP, MP-BGP, CR-LDP, RSVP-TE) Push, Pop, Swap Build Label switched path (LSP) 2
MPLS overview Topology P = Provide router (core) switch only label = Provider Edge router deliver the service to end users IPv4, IPv6, L2VPN, L3VPN CE = Customer Edge Router MPLS services Transport IPv4 IPv6 VPN L3VPN, L2VPN Point-to-Point, L2VPN Multi-Point (VPLS) Traffic Engineering Path selection, QoS, path protection Fast-ReRoute, 3
MPLS VPN overview Double labelling VPN Label added to standard label 4
MPLS VPN overview L3VPN examples 5
Point-to-Point L2VPN over MPLS PseudoWire Reference Model over MPLS The pseudowire can emulate several service among them, an Ethernet or 802.Q (VLAN) services Reference http://www.sanog.org/resources/sanog7/waris-l2vpn-tutorial.pdf 6
VPLS overview A Multi-point L2 VPN service Architecture built on MPLS networks to provide Layer 2 multi point Ethernet services Emulates an Ethernet bridge Use MAC to forward, MAC address learning, Flooding mechanism, MAC Forwarding Information Base named VSI Virtual Switching Instance Technical simplification Based on a full mesh of pseudowire (hierarchic VPLS does not require full mesh other architecture) Split-horizon to avoid loop (no transmission what you have learnt through a pseudowire) Pseudowire signalling can be achieved LDP or MP-BGP 7
MPLS and MD-VPN Deployment Widely deployed in European NREN In the beginning, MPLS targeted the core of the backbone and now small MPLS switch are now positioned close the end users in order to extend the service up to the end client Multi-AS backbone Solution A, B and C (RFC4364) MD-VPN aim to extend MPLS-VPN service over multi-domain using a hierarchical design MD-VPN aim to offer to European scientist community a bundle of new network services (L2-L3 VPN) with an easy and quick to access 8
GÉANT VPN services GÉANT IP GÉANT L3VPN GÉANT Plus GÉANT Lambda GÉANT Open GÉANT MDVPN GÉANT Bandwidth-on-Demand 9
MD-VPN provides a seamless, scalable transport infrastructure A joint service provided by the GÉANT network and NRENs A seamless transport infrastructure for point-to-point or multipoint transmission: Multi-domain networking Layer3 or Layer2 VPNs spanning several domains IPv4 MP L2VPN IPv6 P2P L2VPN L3VPN 10
What is MD-VPN? MD-VPN is based on well known and proven technology available right now in almost all boxes MPLS and BGP protocols No material investment required - only small piece of configuration is needed High scalability Hierarchical architecture Independent signaling for transport paths and services Total number of provisioned VPNs has no impact on GEANT and NREN core VPNs are multiplexed in the core so the service is provisioned only on the edge routers OX reduction for GEANT and NREN no capex investment Service lead time dramatically reduced http://www.scottcochrane.com 11
What is MD-VPN? Added-value service for end-users Dedicated virtual network Safe infrastructure Security opex saved on site No firewall needed Safe Inter-university Research and Educational Network (S.I.R.E.N) Site A Site B Site C 12
MD-VPN service highly scalable, seamless transport infrastructure Configure only at the edge High scalability VPN multiplexing Configure only once An end-to-end extensible and flexible service Lead-time reduced Reduced opex 13
MDVPN technical principle overview Underlying principle behind this Multi-Domain VPN technology The LSP is extended from a up to the remote in another domain Signaling is split in 2 parts Signalling for multi-domain MPLS path between routers thanks to a BGP peering with labelled unicast SAFI (internal route) Signalling for VPN labels and prefixes exchange between routers (external route) thanks to an external BGP VPNv4 family peering GEANT implement Carrier of Carriers (CoC) providing transparent transport of VPN traffic (configuration is closed to a simple VRF) VPN1 SDP Multi-hop VPNv4 e-bgp RR RR VPN1 SDP NREN A label exchange (BGP protocol) in MDVPN service for L3VPN and L2VPN (Kompella) ABR BGP Labelled unicast SSP GEANT VPN proxy SSP BGP Labelled unicast ABR NREN B 14
MDVPN technical principle overview Number of peering BGP reduction VPN Route Reflector (VR) VPN Route Reflector P2P L2VPN using LPD (Martini) : The labels is exchanged LDP protocol VPN1 SDP Targeted LDP RR RR VPN1 SDP NREN A ABR SSP BGP Labelled unicast VPN proxy SSP BGP Labelled unicast ABR NREN B GEANT Label exchange in MDVPN service (using LDP protocol for L2 VPN services) 15
Carrier of Carrier / hierarchical VPN Transparent transport technology Scalability in the core Label hierarchy and... No MAC learning and/or prefixes for end user traffic No VLAN ID negotiations between NRENs and GEANT 16
Interoperability with non-mpls domains VPN-PROXY Provide ASBR, and VPN route exchange feature Use if NREN is not MPLS aware You want to not extend the service (external partner) logical router AS 2995 GEANT ASBR-GEANT AS 1 NREN not MPLS-aware VPN-Route-Reflector VPN-Proxy Play the role of ASBR + + route exchange VRR Back-to-back connection, VRF BIO, VRF ASTRO, 17
Detailed design Peering Multi-hop E-BGP VPNv4 (No next-hop self) VPN-Route- Reflector Peering Multi-hop E-BGP VPNv4 (No next-hop self) ASBR-1-GEANT GEANT ASBR-2-GEANT ASBR-NREN-B RR-NREN-B RR- NREN-A ASBR-NREN-A NREN B NREN-A -RENATER Physical connections Peering labeled-unicast Peering BGP VPNv4 -NREN-B VRF ASTRO RT:22:30 VRF BIO - RT:22:32 VRF md-vpn1 - RT:33:10 VRF md-vpn2 - RT:13092:17 L2Circuit toward AMRES L2Circuit -RENATER - -REMOTE-NREN C-NRE-A-VPN-ASTRO VRF CoC - RT:23:30 C-NREN-B-VPN-ASTRO
Alternative design Peering Multi-hop E-BGP VPNv4 (No next-hop self) VPN-Route- Reflector ASBR-1-GEANT GEANT ASBR-2-GEANT MPLS is enabled only on the AS Border Router RR- NREN-A NREN B NREN-A ASBR-NREN-A Physical connections ASBR-NREN-B VPN is propagated internally by any other internal means: VLAN, dedicated link, other solutions -RENATER Peering labeled-unicast Peering BGP VPNv4 -NREN-B VRF ASTRO RT:22:30 VRF BIO - RT:22:32 VRF md-vpn1 - RT:33:10 VRF md-vpn2 - RT:13092:17 L2Circuit toward AMRES L2Circuit -RENATER - -REMOTE-NREN C-NRE-A-VPN-ASTRO VRF CoC - RT:23:30 C-NREN-B-VPN-ASTRO
VPLS Test realized by SA3T3 on SA3T3 testbed (CISCO, JUNIR) full mesh of pseudowire topology Security investigation Availability Intermediate result Signalling autodiscovery Inter-AS Result Comment Target-LDP No OK Manual configuration of full mesh pseudowire Less scalable MP-BGP BGP OK Pseudowire automatically established Bug discovered upgrade test ongoing Target-LDP BGP OK Pseudowire automatically established Bug discovered, upgrade version, test ongoing Bug in JunOS on the VPN-Route-Reflector slow down MD-VPLS roll-out Plan to be available in the beginning of GN4 20
MD-VPN offers a new way of cooperating MD-VPN enables a new way for GÉANT and NRENs to cooperate, which significantly increases network scalability from a service point of view A collaboration to manage: VPN Provisioning Monitoring Troubleshooting Ensure Operational Level Agreements commitments are achieved 21
Deployment Status Setting-up pilot phase Setting-up GÉANT pilot, during 2014 Feature-proofed on production infrastructure 18 NRENs connected 3 NRENs committed to connect Pilot generalization phase Service reliability long-term assessment Operation implementation Roll-out the 22/07/2014 Service validation period 01/08/2014 31/10/2014 MD-VPN service in the GÉANT portfolio Q4 Year 1 22
Deployment status A first scientist project XiFi XIFI is a project of the European Public-Private-Partnership on Future Internet (FI-PPP) programme XiFi TSSG NREN currently connected NREN nearly connected Active XiFi L3 VPN Future XiFi L3 VPN HEAnet DeiC SUnet FUnet Litnet Uni Thessaly GRNET NORDUnet PSNC FCCN GÉANT CESNET RedIRIS AMRES XiFi Sevilla XiFi Malaga RENATER XiFi Lannion XiFi Com4Innov GARR XiFi Trento BELnet XiFi Iminds DFN XiFi Berlin http://infographic.lab.fi-ware.org/status 23
SA3T3 International testbed 15 th,june 2013 24
MD-VPN use cases A wide scope for MD-VPN use All scientific projects based on international collaboration LHCONE is an example of successful L3VPN multi-domain service ITER, CONFINE Quick P2P connection Conference demonstration P2P data transport between to sites Distributed infrastructure over multi-domain Cloud provider Grid HPC center Scientific infrastructure: Telescope, sensor network 25
MD-VPN use cases A wide scope for MD-VPN use Users Innovation User Network Interface MD-VPN MD-VPN transparent data transport layer for high level network services like SDN, BoD, and in general by future internet project Optical transport Education Remote lecture E-learning 26
Multi-Domain VPN summary An innovative and highly scalable design Seamless transport infrastructure A bundle of services (IPv4, IPv6, P2P L2VPN, L3VPN) with added value for our users that is available, VPLS is plan to be available during GN4 An original and useful service unavailable in a commercial NSP portfolio Broad European deployment 18 connected NRENs, 3 NRENs committed to connect A FI-PPP project, XiFi, selected GÉANT s MD-VPN to provide its network infrastructure 27