Methods of interconnecting MPLS Networks

Similar documents
MPLS VPN Services. PW, VPLS and BGP MPLS/IP VPNs

For internal circulation of BSNLonly

MPLS Implementation MPLS VPN

Introduction Inter-AS L3VPN

MPLS-based Virtual Private Network (MPLS VPN) The VPN usually belongs to one company and has several sites interconnected across the common service

RFC 2547bis: BGP/MPLS VPN Fundamentals

Notice the router names, as these are often used in MPLS terminology. The Customer Edge router a router that directly connects to a customer network.

SEC , Cisco Systems, Inc. All rights reserved.

MPLS VPN Implementation

MPLS VPN Route Target Rewrite

Deploying and Configuring MPLS Virtual Private Networks In IP Tunnel Environments

Introducing Basic MPLS Concepts

Configuring MPLS Hub-and-Spoke Layer 3 VPNs

PRASAD ATHUKURI Sreekavitha engineering info technology,kammam

MP PLS VPN MPLS VPN. Prepared by Eng. Hussein M. Harb

Table of Contents. Cisco Configuring a Basic MPLS VPN

Implementing MPLS VPNs over IP Tunnels on Cisco IOS XR Software

White Paper. Cisco MPLS based VPNs: Equivalent to the security of Frame Relay and ATM. March 30, 2001

How Routers Forward Packets

Why Is MPLS VPN Security Important?

IP/MPLS-Based VPNs Layer-3 vs. Layer-2

Introduction to MPLS-based VPNs

DD2491 p MPLS/BGP VPNs. Olof Hagsand KTH CSC

MikroTik RouterOS Introduction to MPLS. Prague MUM Czech Republic 2009

Implementing MPLS VPNs over IP Tunnels

AT&T Managed IP Network Service (MIPNS) MPLS Private Network Transport Technical Configuration Guide Version 1.0

Enterprise Network Simulation Using MPLS- BGP

Configuring MPLS QoS

Configuring a Basic MPLS VPN

MPLS-based Layer 3 VPNs

BGP-MPLS IP VPN Network Security

MPLS Security Considerations

Using OSPF in an MPLS VPN Environment

MPLS VPN over mgre. Finding Feature Information. Prerequisites for MPLS VPN over mgre

Inter-Autonomous Systems for MPLS VPNs

Implementing VPN over MPLS

MPLS Concepts. Overview. Objectives

Analyzing Capabilities of Commercial and Open-Source Routers to Implement Atomic BGP

l.cittadini, m.cola, g.di battista

IPv6 over IPv4/MPLS Networks: The 6PE approach

Tackling the Challenges of MPLS VPN Testing. Todd Law Product Manager Advanced Networks Division

S ITGuru Exercise (3: Building the MPLS BGP VPN) Spring 2006

MPLS Inter-AS VPNs. Configuration on Cisco Devices

Quidway MPLS VPN Solution for Financial Networks

Implementing Cisco Service Provider Next-Generation Edge Network Services **Part of the CCNP Service Provider track**

Approach to build MPLS VPN using QoS capabilities

A Simulation Analysis of Latency and Packet Loss on Virtual Private Network through Multi Virtual Routing and Forwarding

AMPLS - Advanced Implementing and Troubleshooting MPLS VPN Networks v4.0

MPLS Layer 2 VPNs Functional and Performance Testing Sample Test Plans

WHITE PAPER. Addressing Inter Provider Connections with MPLS-ICI CONTENTS: Introduction. IP/MPLS Forum White Paper. January Introduction...

MPLS VPN Security BRKSEC-2145

Advanced BGP Policy. Advanced Topics

Expert Reference Series of White Papers. An Overview of MPLS VPNs: Overlay; Layer 3; and PseudoWire

IPv6 over MPLS VPN. Contents. Prerequisites. Document ID: Requirements

- QoS Classification and Marking -

MPLS VPN. Agenda. MP-BGP VPN Overview MPLS VPN Architecture MPLS VPN Basic VPNs MPLS VPN Complex VPNs MPLS VPN Configuration (Cisco) L86 - MPLS VPN

Transitioning to BGP. ISP Workshops. Last updated 24 April 2013

--BGP 4 White Paper Ver BGP-4 in Vanguard Routers

ANALYSIS OF THREE PUBLICALLY AVAILABLE INTER-AS MPLS L3 VPN IMPLEMENTATIONS. A Thesis by. Abdulhakim Abubaker Abushaala

How To Import Ipv4 From Global To Global On Cisco Vrf.Net (Vf) On A Vf-Net (Virtual Private Network) On Ipv2 (Vfs) On An Ipv3 (Vv

MPLS L3 VPN Supporting VoIP, Multicast, and Inter-Provider Solutions

Examination. IP routning på Internet och andra sammansatta nät, DD2491 IP routing in the Internet and other complex networks, DD2491

MPLS VPNs with DiffServ A QoS Performance study

Building VPNs. Nam-Kee Tan. With IPSec and MPLS. McGraw-Hill CCIE #4307 S&

- Multiprotocol Label Switching -

Exam Name: BGP + MPLS Exam Exam Type Cisco Case Studies: 3 Exam Code: Total Questions: 401

Addressing Inter Provider Connections With MPLS-ICI

MPLS/BGP Network Simulation Techniques for Business Enterprise Networks

MPLS multi-domain services MD-VPN service

IMPLEMENTING CISCO MPLS V3.0 (MPLS)

GRNet. Advanced Network Services Tool

BGP1 Multihoming and Traffic Engineering

MPLS-based Layer 2 VPNs. Kireeti Kompella Juniper Networks

WAN Topologies MPLS. 2006, Cisco Systems, Inc. All rights reserved. Presentation_ID.scr Cisco Systems, Inc. All rights reserved.

Kingston University London

Project Report on Traffic Engineering and QoS with MPLS and its applications

Cisco Exam CCIE Service Provider Written Exam Version: 7.0 [ Total Questions: 107 ]

Investigation of different VPN Solutions And Comparison of MPLS, IPSec and SSL based VPN Solutions (Study Thesis)

Data Networking and Architecture. Delegates should have some basic knowledge of Internet Protocol and Data Networking principles.

Implementing Cisco MPLS

Fundamentals of MPLS for Broadcast Applications

MPLS Applications. Karel Pouzar CCIE#20198, CCSI#31414

INTRODUCTION TO L2VPNS

MPLS VPN Security. Intelligent Information Network. Klaudia Bakšová Systems Engineer, Cisco Systems

Virtual Private Networks. Juha Heinänen Song Networks

Computer Network Architectures and Multimedia. Guy Leduc. Chapter 2 MPLS networks. Chapter 2: MPLS

MPLS in Private Networks Is It a Good Idea?

IP interconnect interface for SIP/SIP-I

Cisco IOS Flexible NetFlow Technology

Network Virtualization with the Cisco Catalyst 6500/6800 Supervisor Engine 2T

Routing Issues in deploying MPLS VPNs. Mukhtiar Shaikh Moiz Moizuddin

MPLS VPN - Route Target Rewrite

MPLS L2VPN (VLL) Technology White Paper

DD2491 p BGP-MPLS VPNs. Olof Hagsand KTH/CSC

Transcription:

Methods of interconnecting MPLS Networks NANOG31, May 2005 San Francisco Cable & Wireless Internet Engineering Udo Steinegger

What this talk is about General This presentation covers technologies on how to possibly interconnect MPLS networks of different carriers, that support RFC2547bis VPN s Little view in the future what is going on at IETF regarding MPLS VPN s considerations Report from the real life implementation that C&W have done The interconnection method that C&W have chosen and why The issues that C&W have found during the implementation How the issues have been addressed.

Agenda Technologies to interconnect MPLS networks that support VPN s according to RFC2547bis A real life report The method C&W have chosen and why. Details - bits & pieces

Agenda (cont d) Stuff C&W considers to support soon Carrier supporting Carrier (CSC) OAM support PWE3 Future Stuff Current actions from the IETF working groups Questions

Multi-AS Backbone Interconnections VRF-to-VRF connections at the AS Border Routers Using this architecture, a PE router in one AS attaches directly to a PE router in another AS. The two PE routers will be attached by multiple subinterfaces (at least one for each of the VPNs spanning both AS s). Each PE router treats the other PE router as if it were a CE router and attaches a VRF to the sub-interface. Any ibgp-learned prefixes associated with that VRF are subsequently advertised in ebgp as an unlabelled prefix to the other PE. No requirement for MPLS support between the PE routers Relies on OSI layer 2 for VPN separation (Frame Relay, ATM, 802.1q VLAN).

Multi-AS Backbones Multi-hop ebgp redistribution of labelled VPNv4 routes between AS s, with ebgp redistribution of labelled IPv4 routes from AS to neighbouring AS. Using this architecture, VPNv4 prefixes are not advertised by ASBRs. An ASBR must maintain labelled IPv4 /32 routes to the PE routers within its AS. It uses IPv4 ebgp to distribute these routes to other AS s. Results in the creation of a label switched path from the ingress PE router to the egress PE router.

Multi-AS Backbones Multi-hop ebgp redistribution of labelled VPNv4 routes between AS s, with ebgp redistribution of labelled IPv4 routes from AS to neighbouring AS. (cont d) PE routers in different AS s can subsequently establish multi-hop ebgp sessions to each other and exchange labelled VPNv4 prefixes over those connections. Potential to use multi-hop ebgp sessions between Route-Reflectors in each AS to avoid meshing issues.

Multi-AS Backbones ebgp redistribution of labelled VPNv4 prefixes from AS to neighbouring AS Using this architecture, the ASBR learns VPNv4 prefixes within its AS through ibgp. The ASBR then uses ebgp to redistribute those labelled VPNv4 prefixes to an ASBR in another AS, which in turn distributes them to the PE routers in that AS using ibgp. Label-switched interface exists between ASBRs. ASBR should never accept a labelled packet from an ebgp peer unless it actually distributed the top label to that peer.

What C&W has chosen for their MPLS network - a real life report C&W has built and operates a seperate global MPLS network for IP VPNs. This network is not part of C&W s public IP network, though there are links in between these. ebgp redistribution of labelled VPNv4 prefixes from AS to neighbouring AS

Confederated AS4445 UK Region AS65501 US Region AS65502 EU Region AS65503 ASPAC Region AS65504

Details - bits and pieces On the following pages there s a discussion in detail about things that we had to think of when planning and testing the interconnection methods. The most important things we have found are things: Route distinguisher values Route target values Route target filtering QoS Continuity Resilience Security

Details - Bits & Pieces Route distinguisher numbering When prepended to an IPv4 prefix, it is the 8-byte Route- Distinguisher that makes a unique VPNv4 prefix. Providing the Route-Distinguishers themselves are unique Cable & Wireless Route-Distinguishers take the form Global Administrator sub-field (2 octets) Autonomous System Number (ASN) assigned by IANA. The C&W IP-VPN has the registered ASN 4445 Local Administrator sub-field (4 octets) The organisation identified by the Global Administrator subfield can encode any information in this field. C&W assigns unique decimal integers to each VRF within the IP-VPN. When interconnecting with other Service Providers MPLS-VPN networks, we should attempt to ensure that a single Route- Distinguisher is used across both Autonomous Systems.

Details - Bits & Pieces Route distinguisher numbering To understand rationale for this, it is necessary to understand the BGP decision process when PE routers receive a VPNv4 prefix Take all routes with the same Route-Target as any of the configured import statements within the VRF. Consider all routes that have the same Route-Distinguisher as the one assigned to the VRF being processed. Create new BGP paths with a Route-Distinguisher that is equal to the Route-Distinguisher configured for the VRF that is being processed. All routes are now comparable, and at the point the conventional BGP path selection algorithm can be executed. Point 3 is critical create new BGP paths.. BGP prefixes consume valuable (finite) PE memory. With different Route-Distinguishers 1 BGP prefix consumes 2 BGP prefixes worth of memory 1000 BGP prefixes consumes 2000 BGP prefixes worth of memory etc.

Bits & Pieces Route distinguisher numbering Route-Distinguishers need to be agreed and reconciled between Service Providers. A simple proposal is as follows. If the customer is C&W customer whose reach is being extended through another SP s network, then a C&W Route- Distinguisher should be used. If the customer is another SP s, and that customers reach is being extended through C&W s IP-VPN, then that SP s Route-Distinguisher should be used. Unfortunately this does create some issues with provisioning systems that appear to hard-code Route- Distinguishers. Manually provision if necessary to avoid prefix duplication and needless PE memory consumption.

Bits & Pieces Route Target Numbering The BGP Extended Community attribute Route-Target is used to determine whether a prefix is accepted by other PE routers. Cable & Wireless Route-Targets take the form Global Administrator sub-field (2 octets) Autonomous System Number (ASN) assigned by IANA. The C&W IP-VPN has the registered ASN 4445 Local Administrator sub-field (4 octets) The organisation identified by the Global Administrator sub-field can encode any information in this field. C&W assigns unique decimal integers to each VRF within the IP-VPN. it is possible to re-write Route-Target values. Why not only use our own Route-Target values within the C&W IP-VPN using this Route-Target re-write feature at the ASBR?

Bits & Pieces Route Target Numbering Potentially, we could.. So, we receive a VPNv4 prefix with a neighbouring SP s Route-Distinguisher and Route-Target. Re-write the Route-Target(s) to a C&W Route-Target that our PE routers will import. Impossible to re-write Route-Distinguisher C&W PE routers import VPNv4 prefix, but because SP s Route-Distinguisher is different from C&W Route- Distinguisher configured on PE routers, VPNv4 prefix must be duplicated. Memory consumption issue. Route-Target values need to be agreed and reconciled. Same proposal as for Route-Distinguisher values If the customer is C&W customer then a C&W Route-Target should be used. If the customer is another SP s, then that SP s Route- Distinguisher should be used.

Bits & Pieces Route Target Filtering When a PE router receives a VPNv4 prefix with a Route- Target for which it has no configured import statements, it will silently discard the update. Known as Automatic Route Filtering (ARF). When a neighbouring SP has a customer with B end requirements in C&W s IP-VPN, C&W will configure a VRF on the ASBR with the relative (agreed) Route-Target and Route-Distinguisher values. No requirement for Route-Target export statements on ASBR as both VPNv4 ibgp updates (within own AS) and VPNv4 ebgp updates (from neighbouring ASBR) already have BGP Extended Community attribute Route-Target attached. Requirement for import statement only All other VPNv4 prefixes discarded using ARF. Some providers may (and do) use other Route-Target filtering mechanisms - beware!

Bits & Pieces QoS Continuity Each Service Provider operating an MPLS-VPN will offer a differing number of CoS, and will use different IP Precedence/DiffServ Codepoints to represent these CoS. But all will use common queuing/scheduling tools available in IOS to implement their QoS model (PQ, CBWFQ etc). As far as C&W or other SP s MPLS-VPN networks are concerned, packet is exposed at IP layer twice only PE ingress PE egress Everything between these two points is label-switched, hence no manipulation of layer 3 fields (such as ToS/DSCP bits) is possible. No QoS mediation/reconciliation available at PE-ASBR

Bits & Pieces QoS Continuity Implication of this is that C&W PE router must Support other SP s IP QoS model on PE router egress port Police against contracted traffic levels for each CoS on PE router ingress port B end is effectively unmanaged with QoS. Neither of the above should represent a problem, although manual provisioning will undoubtedly be required. Egress IP QoS scheduling / queuing based on ToS DSCP using PQ/LLQ and CBWFQ P-1 ASBR-1 ASBR-2 P-2 PE-2 PE-1 CE-1 Ingress Police against contracted traffic rates for each CoS using Class-Based policing or Committed Access Rate (CAR) CE-2

Bits & Pieces QoS Continuity Each Service Provider operating an MPLS-VPN will offer a differing number of CoS, and will use different IP Precedence/DiffServ Codepoints to represent these CoS. It follows therefore that traffic from a neighbouring PE-ASBR will have EXP bits set which are derived from the IP Precedence or DiffServ Codepoints in use in that Autonomous System For example, assume SP#1 implements three CoS; Gold, Silver, and Bronze using IP precedence 5, 4, and 0 respectively. By default, PE-ASBR will not modify EXP bits, therefore traffic will be passed across C&W core with EXP bits 5, 4, and 0 for each CoS Currently, C&W do not implement queuing and/or MPLS traffic engineering in the core using EXP bits, however, it is likely that this will happen in the future Likely to be based around C&W classes of service using EXP 5, 3, and 1 respectively for Premium, Enhanced, and Standard

Bits & Pieces QoS Continuity Therefore, we need to ensure that SP#1 s Gold/Silver/Bronze is mapped with C&W Premium/Enhanced/Standard to avoid SP#1s traffic receiving unfair treatment in C&W core in the presence of EXP-based queuing. EXP bit manipulation required at PE-ASBR Match EXP x--->set EXP y AS4445 AS100 PE-1 EXP=1 EXP=1 IP=0 ASBR-1 Ingress Match EXP 0 Set EXP 1 EXP=0 IP=0 ASBR-2 P-2 IP=0 PE-2 IP=0 CE-2

Bits & Pieces QoS continuity Manipulation of MPLS labels can only be done on ingress interfaces (not possible on egress interfaces) Responsibility therefore lies with SP to map EXP settings from neighbouring SP to those in use in own AS Below example maps EXP 5 EXP5 in Gold class (not really required but shown for clarity) EXP 4 EXP3 in Silver class EXP everything else EXP 1 in Bronze class. class-map match-all Gold match mpls experimental topmost 5 class-map match-all Silver match mpls experimental topmost 4 class-map match-all Bronze match mpls experimental topmost 0 1 2 3 6 7! policy-map EXP class Gold set mpls experimental topmost 5 class Silver set mpls experimental topmost 3 class Bronze set mpls experimental topmost 1! interface Serial2/0 description E3 link to neighbouring PE-ASBR ip address 172.25.0.5 255.255.255.252 service-policy input EXP inbound QoS policy

Bits & Pieces Resilience When interconnecting with other SP s networks multiple links can/might be considered and leaves some things to think of: Suboptimal asymetric routing Etc.

Bits & Pieces Resilience Most sub-optimal and asymmetric routing can be avoided by manipulating BGP attributes at the PE-ASBR (for example, BGP MED or Local-Pref). In order to set an attribute, we need to match against something in the BGP update first. VPNv4 prefix. Matching against VPNv4 prefix is a) not possible in IOS today, and b) not scalable/manageable anyway. Route-Target. Route-Targets are generally VPN-wide. Matching against BGP Extended Community Route-Target may resolve sub-optimal routing issues for Site#1-->Site#2, but break optimal routing Site#1-->Site#3 BGP Standard Community. Possible. CE routers could set BGP Standard Community value which PE-ASBRs could match against and manipulate BGP attributes. This is possible, however, don t assume that all other Service Providers will pass BGP Standard Communities as only BGP Extended Communities are required in an MPLS-VPN. Careful consideration needs to be given to where the ASBRs are located. If they are geographically close, then most of these issues can be avoided.

Bits & Pieces Security Security of the C&W IP-VPN is a major concern. If we connect our private network to another SP, it could be argued that it s no longer private! From a security perspective, there are two major concerns The point-to-point link that connects the PE-ASBRs. Requirement to protect from undesirable IP traffic sourced from within other SP s network. Point-to-point link is label-switched. Therefore, deny all IP except BGP and ICMP. Managed CE routers If C&W managed CE router is in other SP s network, requirement is to protect CE from attack through serial interface. Use Access-Lists in the same way as we do today on PE ingress If other SP managed CE router is connected to C&W s network, requirement is to protect PE from attack through serial interface. Use conventional Access-Lists on PE-->CE interface like we do today.

Stuff that C&W will support soon Carrier supporting Carrier (CSC) OAM support Draft Martini L2 VPNs

Future stuff What is currently going on at IETF The most hot thing (as I see it) is in the working group PWE3 Pseudo wire edge to edge emulation VCCV

Any Questions??? Either write a mail to udo@cw.net Or Bring beer and talk to me :-)

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information