Beruflich Dokumente
Kultur Dokumente
14-ian-2013
VPN Taxonomy
Virtual networks VPNs Virtual dial-up networks VLANs
Overlay VPNs Layer 2 VPNs X.25 Frame relay ATM Layer 3 VPNs GRE IPsec
Peer-to-peer VPNs ACLs (shared router) Split routing (dedicated router) MPLS VPN
There are two types of VPN topologies Overlay VPNs: the SP provides virtual point-to-point links Customers send their routes through their own tunnels. Peer-to-peer VPNs: the SP participates in customer routing The SP is aware and transports the customers routes.
3
Overlay VPNs
Layer 1 Overlay VPN
Mentioned for historical reasons only (ISDN, E1/T1)
Router B
Router C
Router D
The service provider infrastructure appears as point-to-point links to customer routes. Routing protocols run directly between customer routers.
Adjacencies are established over the SP network
The use of tunnels allows the use of private addresses (RFC 1918).
Interconnecting sites with private addressing can be done without NAT
5
Peer-to-peer VPNs
The SP and the customers use the same network protocol (IPv4, for example). The SPs core carries all customer routes
PE routers exchange routing information with CE routers CE routers establish L3 adjacencies only with the PE routers
This greately reduces the overhead of full or partial mesh topologies
Peer-to-peer VPNs
Routing information is exchanged between CE and PE routers.
PE router
PE router
PE router
PE router
Disadvantages:
Implementing optimum routing requires a full mesh of VCs. VCs have to be configured manually. Bandwidth must be reserved on a site-to-site basis. Overlay VPNs always increase encapsulation overhead (IPsec or GRE).
24 to 80+ bytes per packet
8
Disadvantages:
The service provider participates in customer routing. The service provider becomes responsible for customer convergence. PE routers carry all routes from all customers. The service provider needs detailed IP routing knowledge. And skilled employees.
9
Dedicated PE router:
All customers share the same address space. Each customer requires a dedicated PE router. Much more expensive.
10
11
Customer A Site 2
PE router
P router
PE router
Customer A Site 3
Customer B Site 1
Customer A Site 2
Customer A Site 3
Virtual router for customer B
Customer B
Customer C
Customer D
The number of customer routes can be very large; BGP is the only routing protocol that can scale to such a number. BGP is used to exchange customer routes directly between PE routers.
Only one routing protocol is required for any number of customers
14
Route Distinguishers
How is information about overlapping subnets of two customers propagated via a single routing protocol?
Question?
Answer:
The 64-bit RD is prepended to an IPv4 address to make the address globally unique. The resulting address is a (96-bit) VPNv4 address. VPNv4 addresses are exchanged between PE routers via BGP. BGP that supports address families other than IPv4 addresses is called multiprotocol BGP (MPBGP).
15
The RD has no special meaning. The RD is used only to make potentially overlapping IPv4 addresses globally unique. However, using RDs alone cannot support all topologies that are required by the customer.
16
PE router
PE router
Customer B
Customer C
Customer D
P-network
VoIP gateway
Customer D
Requirements:
All sites of one customer need to communicate. Central sites of both customers need to communicate with VoIP gateways and other central sites. Other sites from different customers do not communicate with each other.
17
Central site A
Site A-1
Site A-2
VoIP gateway
VoIP gateway
Customer B
Central site B
Site B-1
Site B-2
18
Route Targets
VPN 2 VPN 1 Site 1 Site 2 Site 4 Site 5 Site 3 VPN 3
RTs were introduced in the MPLS VPN architecture to support complex VPN topologies. RTs are additional attributes that attach to VPNv4 BGP routes to indicate VPN membership.
19
Import RTs:
Associated with each virtual routing table Select which routes are inserted into the virtual routing table
20
21
CE router
PE router
CE router
The CE routers run standard IP routing software and exchange routing updates with the PE router. The PE router appears as another router in the Cnetwork.
22
23
MP-BGP
CE router
CE router
VPN routing
PE router P router PE router
CE router
IPv4 update
PE router
MPBGP update
P router PE router
IPv4 update
CE router
CE router
PE routers receive IPv4 routing updates from CE routers and install them in the appropriate VRF table 26
The routes installed in the VRF tables are propagated to the CE routers.
27
The route target value is independent of the route distinguishers value. The notation 999:1 stands for 2 bytes represented by 999, followed by 6 bytes that end in 1.
28
The second VRF will allow its customer to communicate its routes securely but also to receive routes from the other VRF/client.
29
Basic permit statements in the ACLs indicate routes that will be allowed.
30
Make sure you configure the VRF before applying the IP address on the interfac, otherwise you will see something like this:
% Interface FastEthernet0/0 IP address 11.100.1.2 removed due to enabling VRF MY_FIRST_VRF
You can still apply the IP address on the interface afterwards. One VRF can be associated with multiple interfaces.
31
BGP configuration
BGP must be configured to carry VPNv4 routes. First, neighbor relationships must be established between BGP-speaking routers (mainly PE routers):
Router(config)# router bgp 999 Router(config-router)# no synchronization Router(config-router)# no bgp default ipv4-unicast Router(config-router)# neighbor 180.17.1.8 remote-as 999 Router(config-router)# neighbor 180.17.1.8 update-source loopback0 Router(config-router)# neighbor 180.17.1.9 remote-as 999 Router(config-router)# neighbor 180.17.1.9 update-source loopback0
AS Number
32
33
Route redistribution occurs now from BGP into the customers routing protocol.
But only routes imported in this VRF will be redistributed, not all BGP routes.
PE1(config)# router rip PE1(config-router)# version 2 PE1(config-router)# address-family ipv4 vrf MY_FIRST_VRF PE1(config-router-af)#redistribute bgp 64512 metric 1 PE1(config-router-af)# network 10.0.0.0 PE1(config-router-af)# no auto-summary PE1(config-router-af)# version 2 PE1(config-router-af)# exit-address-family
34
Summary
VPNs allow you to use the shared infrastructure of a SP to implement your private networks. There are two implementation models: overlay and peer-to-peer. The MPLS VPN architecture offers SPs a peer-to-peer VPN architecture that combines the best features of overlay VPNs with the best features of peer-to-peer VPNs. MPLS VPNs use a 32-bit prefix called the route distinguisher (RD) to convert non-unique 32-bit customer IPv4 addresses into 64-bit unique addresses that can be transported.
35
36