
2001-12-19

Internal

ODD010011 DCN Network Planning


ISSUE1.0
www.huawei.com

HUAWEI TECHNOLOGIES CO., LTD.

All rights reserved

PDF created with FinePrint pdfFactory Pro trial version www.pdffactory.com

As the position of our company's data communication equipment in carrier networks keeps growing, and our equipment now widely covers the network access layer, convergence layer, core layer, and core backbone layer, we should provide complete network solutions. DCN is an important network for carriers. With the wide application of our equipment in DCN, we should have a better understanding of DCN and master the key points of DCN design planning, so as to construct a better DCN for clients and increase its expandability.


This course helps you to know:
- Definition of DCN
- Typical networking of DCN
- MPLS VPN in DCN


Chapter 1 Introduction of DCN
Chapter 2 Typical networking of DCN
Chapter 3 Network protocol design of DCN
Chapter 4 MPLS design of DCN


Definition of DCN
- The full name of DCN is Data Communication Network:
  - Its initial definition is the network that carriers use for out-of-band network management. The actual DCN carries various services of the carriers, for example SPC switch NM, transmission NM, the billing system, and OA.
- DCN is used to connect Network Elements (NEs) and the corresponding Operation Support System (OSS); it is an important network between the network that provides service and the network operation center.
- DCN is the "nervous system" of the carriers, with the characteristics of a "physical entity network, virtual service network". Compared with the service networks of carriers (for example the 169 network), DCN does not need very high bandwidth, but has a high demand for network security, reliability, and manageability.

Development of DCN
- OSN (Operation Support Network):
  - DCN can be seen as a subset of OSN, or DCN is the main part of the current OSN. DCN/OSN existed before IP networks were widely used, just not over IP. The X.25 protocol was widely used in the 1980s and once played an important role in OSN; for these historical reasons, the current DCN cannot be IP only.
- DCN has become a comprehensive network with IP service as its main service, compatible with X.25 and Async at the same time.
- Standard of DCN: ITU-T G.7712/Y.1703 (Architecture and specification of data communication network, DCN).
- This recommendation is a regulation and guide document on DCN framework and construction.

Development of DCN
- For example, the MSC switch used to provide an X.25 NM interface, but now it provides an IP-based Ethernet interface.
- Changing traditional telecom services to IP-based NM has become a trend.
- The previous DCN, constrained by different protocols (X.25, Async), was in practice comparatively independent physically: X.25 was one network, and Async was another.
- Currently the IP-based DCN has integrated the above networks into one large DCN.


DCN integrated with X.25
- To integrate OSN (mixed with X.25, Async, and IP) into an IP-based DCN, corresponding technical support is needed.
- Such technology is usually applied in low-end routers at the access layer.


DCN integrated with X.25 - X2T
- X2T (X.25 to TCP Translation)
  - The principle and implementation of the X2T scheme: X2T implements direct mutual translation between X.25 and TCP packets. A pure X.25 packet from the X.25 network queries the address translation list based on the called party's X.121 address, and triggers setting up a TCP connection with the designated IP address. After the TCP connection is set up, the router extracts the pure data from the X.25 packet and sends it to the IP host through the TCP connection.
- Equipment:
  - A router supporting X2T;
  - An X.25 terminal (server) which can run the X.25 application, supports the X.25 protocol, and is connected to the X.25 network;
  - An IP host, supporting TCP/IP, connected to the IP network.
[Figure: X.25 Terminal - X.25 Network - S0 Router E0 - IP Network - IP Host; labels shown: X.121 address 1111, IP address 10.1.1.1, IP address 10.1.1.2]


DCN integrated with X.25 - X2T
- X2T looks like NAT translation. Different from NAT, it is protocol translation between X.25 and IP.
- The X.25 host at the X.25 network side runs a server application program supporting the X.25 protocol, responsible for receiving requests and transmitting data.
- The IP host at the IP network side runs a client program supporting TCP/IP, responsible for requesting data from the X.25 host and receiving the transmitted data.
- The X.25 terminal communicates with the router through a PVC.


DCN integrated with X.25 - X2T
[Figure: Client - IP Network - E0 router X2T-A S0 - X.25 Network - S0 router X2T-B E0 - IP Network - Server; addresses shown: 20.1.1.1, 20.1.1.2, 10.110.96.49, 10.110.96.51]
- Data first flow from the client application program to router A, which performs IP-to-X.25 translation; then through the X.25 network to router B; finally to the server application program, after X.25-to-IP translation.
- This example is used to check the translation between X.25 and TCP/IP.


Competitor's X.25 translation technology - XOT
- XOT (X.25 Over TCP) is designed by Cisco. See RFC 1613 for details.
- It is designed for transmitting X.25 over an IP network, permitting X.25 packets to be carried over a TCP/IP network instead of LAPB.
- XOT transmits X.25 packets across the IP network by encapsulating them in IP packets.
[Figure: Router 1 (S0, S1) - Router 2 (S0, S1) - Router 3; IP Network (IP Cloud), X.25 Network (X.25 Cloud); equipment models 7000 and 2500]


Chapter 1 Introduction of DCN
Chapter 2 Typical networking of DCN
Chapter 3 Network protocol design of DCN
Chapter 4 MPLS design of DCN


Typical networking of DCN
[Figure: National DCN - Provincial DCN - Municipal DCN, built from routers (R) and switches (S)]
- Typical networking of DCN:
  - National network of DCN
  - Provincial network of DCN
  - Municipal network of DCN
- BGP runs in the national and provincial DCNs.
- AS numbers are uniformly planned by carriers. Private AS numbers should be used as much as possible.


Typical networking of DCN
[Figure: National DCN (AS AA) - EBGP - Provincial DCN (AS XX, with route reflector RR) - EBGP - Municipal DCNs (AS YYY, AS ZZZ); an X.25 network attached to a municipal DCN]
- Municipal networks may own AS numbers of their own and establish EBGP neighbor relationships with the provincial network. When the provincial network advertises BGP routes to the national network, it may filter out the municipal AS numbers.


Typical networking of DCN - National DCN
[Figure: national DCN with two core routers and a ring of convergence-layer routers]
National DCN can be divided into two layers: the core layer and the convergence layer. Considering redundancy and disaster recovery, one core node is generally not enough. As shown in the diagram above, there are two core nodes, located in different cities. The convergence layer is used to access provinces and regions/cities, and the link is POS, E1, or a bundle of multiple E1s. Convergence-layer routers are located in different provinces and connect to the provincial network routers; this is for management considerations. The link between the national network convergence layer and the provincial network router is the division interface between the national and provincial networks: the provincial network takes charge of managing and maintaining the lower part, and the national network the upper part.


Typical networking of DCN
[Figure: Backbone Network of DCN (routers) with the Billing System, Network Management System (NMS) and OA System attached through switches; two provincial networks of DCN attached below]
Services between the national network and the provincial networks include, for example, the national toll circuit NMS, the intelligent network NMS, central interconnection of the 97 system, and the finance and billing system.

Typical networking of DCN
- Provincial DCN is the main part of DCN. It connects the national DCN and the municipal DCNs, and at the same time connects the services of the different provincial networks, for example the carriers' centralized billing and NM services.
- Provincial DCN itself can be divided into two layers: the core layer (core routers) and the access layer. The access layer includes layer-three switches, mainly used to access the servers and PCs of the various services within the provincial network. As the connection between a province and a region/city, an access-layer router may be physically located in the region/city, and is also the management boundary point between the province and the region/city.
- The distance between the provincial core router and the provincial distribution-layer router is large, so generally the link between them is POS 155/622, or even E1.
- The provincial core router is generally an NE80, Cisco 12000 series, or Juniper M160. The layer-three switch of the provincial distribution layer can be S8500, S8016, or S6500 series. The provincial distribution-layer router can be NE40, NE20, NE16/8, M20, M10, Cisco 7500, or Cisco 7200.

Typical networking of DCN
- Municipal DCN connects to the provincial DCN and takes charge of the interconnection between the municipal office and the branch offices.
- Concept of LDCN: compared with the provincial DCN, the municipal DCN is the LDCN (L = Local).
- LDCN can be divided into three layers: core layer, convergence layer, and access layer.
- The core layer takes charge of interconnection with the provincial network and the municipal nodes. It has comparatively powerful performance and is located in the urban area; a large number of services from the branch offices to the municipal office must pass through it.
- In LDCN, a distribution-layer device may be used at the same time as an access-layer device, providing sufficient Ethernet ports to access various important servers.
- Core-layer equipment in common use: NE80, NE40-8, S8016.
- Convergence-layer equipment in common use: NE40-4, S8500.
- Access-layer equipment in common use: low-end routers (WAN access) and switches, R26, S3.

Typical networking of DCN
- The main traffic is between the municipal DCN and the provincial DCN.
- A very small part of the traffic is from the municipal DCN to the national DCN.
- DCNs of different carriers may have different names; for example, the Mobile one is called MDCN.
- DCN is a private network of carriers, carrying the carriers' various operation support services. At the same time it is a pilot network for carriers: all new data communication features may be trialled first by carriers in the DCN.
- DCN is a private network, so theoretically its IP addresses and AS numbers can be allocated at will. But in practice, carriers have corresponding regulations on IP addresses, AS numbers, and service names, which should be abided by in design planning.

Chapter 1 Introduction of DCN
Chapter 2 Typical networking of DCN
Chapter 3 Network protocol design of DCN
Chapter 4 MPLS design of DCN


Typical networking of DCN - BGP
[Figure: National DCN (AS AA) - Provincial DCN (AS XX) - Municipal DCN, built from routers (R) and switches (S)]
- On AS numbers, each province can own one AS, or each region/city can own one.
- With the expansion of DCN, each region/city tends to own an AS number of its own.
- When the provincial DCN advertises routes to the municipal DCN, it is better not to advertise default routes.
- From the municipal network to the provincial network, and from the provincial network to the national network, there are generally dual egresses.


Typical networking of DCN - BGP
[Figure: National DCN - Provincial DCN - Municipal DCN, each with dual uplinks]
- Adopt link selection in which Local-Preference influences internal access to external (EBGP) destinations.
- Adopt link selection in which MED influences external access to internal destinations.
- Municipal DCN AS numbers are filtered at the provincial DCN egress to the national network, to avoid being sent to the national network.
- A policy can be set in the provincial DCN to filter out over-aggregated routes sent from the municipal DCN, for example a /8 route.
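The provincial egress policy and the Local-Preference/MED link selection described above, as an added Python model (not Huawei VRP configuration and not from the course): AS numbers, prefixes, next hops and the /16 threshold are constructed, and removing the municipal AS numbers from the AS path is the assumed way of "filtering them out" at the egress.

```python
"""Provincial DCN BGP policy, modelled in Python.

Implements three points from the slide:
  * import from a municipal DCN: drop over-aggregated routes (e.g. a /8);
  * export to the national DCN: filter municipal AS numbers out of the
    AS path so they are never sent to the national network;
  * dual-egress link selection: Local-Preference decides the outbound
    (internal -> external) link, MED is what the neighbour uses to steer
    inbound (external -> internal) traffic.
AS numbers, prefixes and next hops are constructed sample values.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional, Set

# Anything shorter than this coming from a municipal DCN is treated as
# over-aggregated (assumed threshold; the slide names /8 as the example).
MIN_MUNICIPAL_PREFIX_LEN = 16


@dataclass
class Route:
    prefix: str
    as_path: List[int]        # leftmost = most recently traversed AS
    next_hop: str
    local_pref: int = 100
    med: int = 0


def accept_from_municipal(route: Route) -> bool:
    """Import policy on the provincial router facing a municipal DCN."""
    return ip_network(route.prefix).prefixlen >= MIN_MUNICIPAL_PREFIX_LEN


def export_to_national(route: Route, provincial_as: int,
                       municipal_ases: Set[int]) -> Route:
    """Export policy at the provincial egress towards the national DCN:
    prepend the provincial AS and remove every municipal AS from the path,
    so the national network only sees the province as the origin."""
    path = [provincial_as] + [asn for asn in route.as_path
                              if asn not in municipal_ases]
    return Route(route.prefix, path, route.next_hop,
                 route.local_pref, route.med)


def best_path(candidates: List[Route]) -> Optional[Route]:
    """Simplified BGP decision process for a dual-egress site:
    highest Local-Preference, then shortest AS path, then lowest MED."""
    if not candidates:
        return None
    return min(candidates,
               key=lambda r: (-r.local_pref, len(r.as_path), r.med))


def inbound_preference(advertised: List[Route]) -> Route:
    """From the remote AS's point of view: of the copies of one prefix we
    advertise over the two links, it prefers the one with the lowest MED."""
    return min(advertised, key=lambda r: r.med)


if __name__ == "__main__":
    municipal = {65001, 65002}
    received = [Route("10.0.0.0/8", [65001], "10.1.1.1"),     # over-aggregated
                Route("10.11.0.0/16", [65001], "10.1.1.1"),
                Route("10.12.0.0/16", [65002], "10.1.1.2")]
    for r in received:
        if accept_from_municipal(r):
            out = export_to_national(r, 64600, municipal)
            print(f"{r.prefix}: path {r.as_path} -> exported as {out.as_path}")
        else:
            print(f"{r.prefix}: rejected, over-aggregated")
    # two egress links to the national DCN: the link with Local-Pref 200 wins
    egress = [Route("0.0.0.0/0", [64512], "192.0.2.1", local_pref=200, med=50),
              Route("0.0.0.0/0", [64512], "192.0.2.2", local_pref=100, med=0)]
    print("outbound via", best_path(egress).next_hop)
```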


Typical networking of DCN - BGP
[Figure: municipal DCN with a route reflector on the core-layer routers]
- In the municipal DCN, a route reflector is adopted, provided by the municipal DCN core-layer equipment. The route reflector is deployed redundantly and configured with a Cluster-ID. Convergence-layer equipment acts as the clients of the reflector.
- IBGP uses loopback addresses to establish neighbor relationships.
- Multi-egress load sharing should be considered. There are two cases: the VRP version supports BGP load sharing, or the VRP version does not support BGP load sharing.

Typical networking of DCN - IGP
- The IGP routing protocol used most in practice is OSPF.
- There are cases where a whole provincial network ran EIGRP (Cisco's proprietary routing protocol, enhanced IGRP) in early DCN.
- But carriers consider interoperability between different manufacturers, so they have changed to the principle "don't put all eggs in one basket".
- When the province and the region/city have the same BGP AS, the provincial and municipal networks may be in the same OSPF domain, all in Area 0. There is no problem with this as far as the maximum number of routers one Area can support is concerned: the number of routers within a province is of the order of tens.
- In addition, different carriers or provinces may have different situations, so the relationship between the province and the region/city may or may not be an EBGP neighbor relationship.

OSPF design consideration
[Figure: Provincial DCN in OSPF Area 0; Municipal DCNs in OSPF Area 1 and OSPF Area 2]
If the province and the region/city have the same AS, the provincial and municipal networks belong to the same OSPF domain but to different Areas. The province and the region/city are separate in management, taken charge of by the provincial and municipal offices respectively. Dividing into different Areas eases management and route handling, and reduces OSPF calculation.


OSPF design consideration
[Figure: Provincial DCN, Region/city A DCN and Municipal B DCN all in OSPF Area 0]


OSPF design consideration
- When the provincial and municipal networks belong to different ASes, they run their own IGP routing protocols separately.
- When the provincial and municipal BGP have the same AS, OSPF has the following two modes:
  - The province and the region/city are in the same Area; this may be the present status of the carriers' DCN.
  - The provincial network is Area 0, and the municipal networks are other Areas, for example Area 1, Area 2, ... for convenience of management, route aggregation and other operations.
- The provincial network and the municipal network are managed separately, so dividing into multiple Areas is more convenient for management. If it can be foreseen that the province and the region/city will use different AS numbers on schedule, then consider keeping the current state, to ease splitting one Area 0 into multiple Area 0s in the future.

ISIS design consideration
[Figure: Provincial DCN in ISIS Level 2; Municipal DCNs in ISIS Level 1]
- When the ISIS routing protocol is used as the IGP, the same case exists.
- Divide the provincial DCN into ISIS Level 2, and take the municipal DCNs as ISIS Level 1.


ISIS design consideration
[Figure: Provincial DCN and Municipal DCNs all in ISIS Level 2]
- For expandability, the provincial network and the municipal networks can be put wholly into one layer, all belonging to ISIS Level 2.
- When IGP routes are aggregated within an AS that runs MPLS VPN, note that the loopback interface routes must not be aggregated.

Cost Value and Load Sharing
- For IGP link COST values, uniform rules are recommended. Refer to the following recommended values:

  Interface type    Cost
  GE                1
  155M POS          7
  100M FE           10
  10M Ethernet      100
  N x E1            500/N

  The COST value of the loopback interface is usually 1.
- Usually the following two load-sharing technologies exist:
  - 1) Per-packet: rotates output interfaces to send packets, with effective load sharing. But packets of the same session may leave through different interfaces, and the different paths will result in out-of-order delivery.
  - 2) Per-flow: distributes service flows to different output interfaces based on certain rules, for example (source IP + destination IP) mod N, where N is the number of paths sharing the load. It has effective load sharing, and at the same time ensures that packets of the same session leave through the same interface and take the same path.
- Equipment from different manufacturers and of different models supports different types and numbers of load-sharing paths, which should be considered when the equipment has to cooperate.
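The cost table and the two load-sharing rules above, as an added Python model (not from the course): link_cost() applies the recommended values, per_flow_index() is the (source IP + destination IP) mod N rule quoted on the slide, and round-robin per-packet distribution is included beside it to make the reordering problem visible. The packets, interface names and the rounding of 500/N to an integer are constructed assumptions.

```python
"""IGP cost rules and IGP load-sharing behaviour, modelled in Python.

Cost table from the slide: GE 1, 155M POS 7, 100M FE 10, 10M Ethernet 100,
N x E1 500/N, loopback 1.  Per-flow hashing uses the rule quoted on the
slide, (source IP + destination IP) mod N; per-packet round robin is
shown beside it to make the reordering risk visible.
Packets and interface names are constructed sample data.
"""
from ipaddress import ip_address
from itertools import cycle
from typing import Dict, List, Tuple

Packet = Tuple[str, str]            # (source IP, destination IP)
BASE_COST = {"GE": 1, "POS155": 7, "FE": 10, "ETH10": 100, "LOOPBACK": 1}


def link_cost(if_type: str, e1_count: int = 1) -> int:
    """Recommended IGP cost. An E1 bundle of N links costs 500/N; IGP
    costs are integers, so the result is rounded (assumption)."""
    if if_type == "E1":
        if e1_count < 1:
            raise ValueError("an E1 bundle needs at least one E1")
        return max(1, round(500 / e1_count))
    return BASE_COST[if_type]


def per_flow_index(src: str, dst: str, n_paths: int) -> int:
    """(source IP + destination IP) mod N: every packet of a session maps
    to the same output interface, so the session keeps one path."""
    return (int(ip_address(src)) + int(ip_address(dst))) % n_paths


def per_flow_share(packets: List[Packet], paths: List[str]) -> Dict[str, List[Packet]]:
    """Assign each packet to the path selected by the per-flow hash."""
    out: Dict[str, List[Packet]] = {p: [] for p in paths}
    for src, dst in packets:
        out[paths[per_flow_index(src, dst, len(paths))]].append((src, dst))
    return out


def per_packet_share(packets: List[Packet], paths: List[str]) -> Dict[str, List[Packet]]:
    """Round robin over the output interfaces: even sharing, but one
    session is spread over several paths and may arrive out of order."""
    out: Dict[str, List[Packet]] = {p: [] for p in paths}
    rr = cycle(paths)
    for pkt in packets:
        out[next(rr)].append(pkt)
    return out


def sessions_split(share: Dict[str, List[Packet]]) -> bool:
    """True if any session (same src/dst pair) was sent over more than one path."""
    paths_per_session: Dict[Packet, set] = {}
    for path, pkts in share.items():
        for pkt in pkts:
            paths_per_session.setdefault(pkt, set()).add(path)
    return any(len(p) > 1 for p in paths_per_session.values())


if __name__ == "__main__":
    print("4 x E1 bundle cost:", link_cost("E1", 4))
    # constructed: three packets each from two NM sessions
    pkts = [("10.1.1.1", "10.2.2.2")] * 3 + [("10.1.1.5", "10.2.2.2")] * 3
    paths = ["Pos1/0/0", "Pos2/0/0"]
    print("per-flow split a session:", sessions_split(per_flow_share(pkts, paths)))
    print("per-packet split a session:", sessions_split(per_packet_share(pkts, paths)))
```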


Cost Value and Load Sharing
[Figure: four routers in a ring with different link costs]
- Global load sharing can be implemented by modifying link COST values.
- For a single node, data are transmitted uplink through one path; but for the whole network, data at different nodes are transmitted uplink through different paths.
- In addition, modifying the Cost value is also a way to affect BGP link selection.

Chapter 1 Introduction of DCN
Chapter 2 Typical networking of DCN
Chapter 3 Network protocol design of DCN
Chapter 4 MPLS design of DCN


Application of MPLS VPN in DCN
- Layer-three MPLS VPN is increasingly applied in DCN.
- Putting different service types into different VPNs has become a trend.
- Classification of common VPNs:
  - BOSS
  - Billing
  - NMS
  - Settlement
  - Integrated Service
  - OA
  - Finance
- Carriers are changing the "common" network into VPN networks based on service types.
- In design planning, we should cover and consider this.

Examples of Service Classification on DCN
[Figure: service names on the DCN: ISNMS, NSNMS, IPCNMS, SS7NMS, LSNMS, 97COMM, 97BSS, INBSS, INSMP, DNMS, DCSMS, TNMS, SDHNMS, MNMS, RSS, MBAS, INBAS]
- The actual number of services is far more than the number of current VPNs on DCN; the VPN classification is not as detailed as the service classification, and it is not excluded that in the future one or several services will be classified separately into one VPN.
- This should be considered in design.


MPLS VPN Design - Change of IP Address
[Figure: a node in one office: SPC switch and transmission equipment on the same switch, uplink "To hub"]
- Present situation of nodes in a certain office on a municipal DCN:
- The IP addresses are classified geographically, not according to service types. Different types of services are in the same VLAN and the same network segment.

MPLS VPN Design - Change of IP Address
[Figure: the same node after re-planning: switch management IP, SPC switch and transmission in separate VLANs, uplink "To hub"]
- Divide VLANs based on the service types of the nodes in each branch office, and reallocate IP addresses.
- Refer to the relevant regulations of carriers on service classification.

MPLS VPN Design - Change of IP Address
- When re-planning the IP addresses, consider the following points:
  - Re-allocate addresses based on the service types defined by carriers.
  - Allocate address segments based on the number of IP addresses occupied by each service type on each node, at the same time considering the numbers that may be added in the future. Ensure that enough IP addresses can be allocated, that certain address segments have been reserved, and that the reservation is ample.
  - For future expandability, divide IP addresses strictly based on service types. Carriers may operate several VPNs in practice, and many services may be grouped into one VPN as a large category, but it is not excluded that in the future one or several services will be classified separately into one VPN. If IP addresses are divided strictly by service type, we need not re-allocate IP addresses again when such a demand appears.
  - Though allocating IP addresses should be based on service types, we should follow the default principle in actual application: if the IP addresses are enough, do not reuse (multiplex) address segments. Though a VPN address composed of RD+IP address can distinguish overlapping addresses, avoid this as far as possible. In addition, DCN is itself a large private network, and many addresses are available.
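An address re-planning pass following the points above, as an added Python example (not from the course): every service type receives its own block from the pool, each node's VLAN subnet is sized from today's host count plus a growth reserve, and segments are never reused. Node names, service types, host counts, the 10.0.0.0/8 pool and the growth factor are constructed.

```python
"""Service-type based re-planning of branch office IP addresses.

Rules modelled from the slide:
  * one address block per service type (so a service can later be moved
    into its own VPN without renumbering);
  * per node, a VLAN subnet sized from today's host count of that service
    plus a growth reserve;
  * no overlapping/multiplexed segments: the planner raises instead of
    reusing space.
Node names, service types, host counts, the pool and GROWTH are constructed.
"""
from ipaddress import IPv4Network
from math import ceil, log2
from typing import Dict, Iterable, Tuple

GROWTH = 2.0       # reserve: size each subnet for twice today's hosts
MIN_PREFIX = 29    # never hand out less than a /29 (6 usable addresses)


def subnet_prefix(hosts_today: int) -> int:
    """Smallest prefix length that fits hosts_today * GROWTH usable
    addresses (network and broadcast excluded), capped at MIN_PREFIX."""
    if hosts_today < 1:
        raise ValueError("a subnet needs at least one host")
    needed = ceil(hosts_today * GROWTH) + 2
    return min(MIN_PREFIX, 32 - ceil(log2(needed)))


def plan(pool: str, demand: Dict[str, Dict[str, int]],
         service_block_prefix: int = 16) -> Dict[Tuple[str, str], IPv4Network]:
    """demand[node][service] = hosts in use today.
    Returns {(node, service): subnet}."""
    services = sorted({s for per_node in demand.values() for s in per_node})
    blocks = list(IPv4Network(pool).subnets(new_prefix=service_block_prefix))
    if len(services) > len(blocks):
        raise ValueError("pool too small for the number of service types")
    result: Dict[Tuple[str, str], IPv4Network] = {}
    for service, block in zip(services, blocks):
        cursor = int(block.network_address)
        for node in sorted(demand):
            hosts = demand[node].get(service, 0)
            if hosts == 0:
                continue
            plen = subnet_prefix(hosts)
            size = 1 << (32 - plen)
            cursor = (cursor + size - 1) // size * size   # align to subnet size
            subnet = IPv4Network((cursor, plen))
            if not subnet.subnet_of(block):
                raise ValueError(f"block {block} for {service} exhausted at {node}")
            result[(node, service)] = subnet
            cursor += size
    return result


def no_overlap(subnets: Iterable[IPv4Network]) -> bool:
    """Check that no two planned subnets overlap (no multiplexed segments)."""
    nets = list(subnets)
    return all(not a.overlaps(b)
               for i, a in enumerate(nets) for b in nets[i + 1:])


if __name__ == "__main__":
    demand = {"office_a": {"spc_switch": 5, "transmission": 2},
              "office_b": {"spc_switch": 12}}
    result = plan("10.0.0.0/8", demand)
    for (node, service), subnet in sorted(result.items()):
        print(f"{node:9s} {service:13s} {subnet}")
    print("overlap-free:", no_overlap(result.values()))
```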

Internet Access Modes on MPLS VPN
- It is often the case that in DCN some VPNs require access to the Internet.
- Sometimes the public network egress is centralized in the provincial company, but most of the time Internet access should be in the LDCN of each region/city (as management rights are gradually transferred upwards, in the future the Internet egress of the carriers' DCN may be found only in the national network).
- Refer to the modes of public network access for Internet access. There are several options.
- It should be noted that generally a default route is advertised in each VPN.
- The default route should be treated cautiously to ensure it does not result in routing disorder.
- In particular, it must not affect access to the provincial DCN.


Internet Access Modes on MPLS VPN
[Figure: National DCN - Provincial DCN - Municipal DCNs; each municipal DCN has its own firewall and Internet egress]
- Each region/city DCN owns an Internet egress of its own.

VPN User Access to Internet - Traditional Mode
[Figure: National DCN - Provincial DCN with a firewall - Municipal DCNs]
- The provincial DCN configures the Internet access egress, handling Internet access requirements in a centralized manner.

VPN User Access to Internet - Traditional Mode
[Figure: CE - PE - MPLS VPN - Internet; between CE and PE one private network access link and one public network access link]
- There are two logical links between PE and CE:
  - One is private network access. This logical interface is bound to the corresponding VPN on the PE.
  - The other is public network access. This logical interface is not bound to a VPN on the PE, but belongs to the public network.
  - On the CE there are the VPN private network routes and a public network default route for Internet access.
  - Because this mode is easy to operate and was the earliest to be used, it is called the "traditional way" for VPN users to access the Internet.
  - The disadvantage is that the CE holds public routes and private routes at the same time.
  - This mode may occur in earlier DCNs that deployed MPLS VPN.


VPN User Access to Internet - Modes of routing leakage
[Figure: CEs of VPN A and VPN B - PE - MPLS VPN - Internet]
- By configuring a route to the private network in the public network, and by leaking a default route to the public Internet into the private network, VPN users can access the Internet:

  ip route-static x.x.x.x 255.255.255.0 ethernet 0/0/0
  ip route-static vpn-instance VPNA 0.0.0.0 0.0.0.0 y.y.y.y public

- The principle of this method is simple; its disadvantage is that route management is complicated and maintenance is difficult.

VPN User Access to Internet - Centralized Access of Center VPN
[Figure: CEs of VPN A and VPN B - PE - MPLS VPN - Internet VPN - Internet]
- Connect the Internet and put it in a public (Internet) VPN.
- Allow the other VPNs to visit this VPN through hub-and-spoke, and deliver a default route to the other VPNs from the Internet VPN.
- This mode is mutual access purely between VPNs, unrelated to public network routes, and has good security.
- Some public servers in DCN, for example the file server and the anti-virus server, can be put into the Internet VPN for centralized management.

VPN Mutual Access in MPLS VPN
- Mutual access between VPNs is a headache in DCN design. VPN is designed precisely to isolate different services from each other, but in actual application, for historical reasons and practical requirements, such mutual access is often needed.
- The most fearful mutual access is that all VPNs can access each other; VPN then totally loses its meaning. VPN in this kind of application is useless, except that it "looks pretty". In addition, it wastes the equipment resources of the whole network (CPU, memory, convergence speed and delay) and bandwidth.
- Our design planning is to guarantee that users' VPN applications will not get into the above state, and to ensure users really benefit from their investment.
- Guide users, explain the problem, and try to find a solution together.

VPN Mutual Access in MPLS VPN
- The mutual access demand of each VPN generally should be confined to several servers. For example, in the financial VPN, one server may require mutual access with a billing server, while in OA an anti-virus server requires that all VPNs can access it. Refer to the MPLS VPN solution for mutual access of a limited number of servers in a VPN, or consider dividing the servers with this kind of requirement into one VPN, just as in the centralized access of center VPN mode above.
[Figure: two DCN network platforms, each with PEs, connecting the NMS of the group company functional network, the billing system of the group company, the billing system of the provincial company and the NMS of the provincial company functional network. RT settings shown: Import 100:1 / Export 200:1 (NMS of group company functional network), Import 100:1 / Export 100:1 (billing system of group company), Import 200:1 / Export 100:1]
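The route-target mechanics behind the limited mutual access described here, the hub-and-spoke Internet VPN of the "centralized access of center VPN" slide and the shared-server VRF, as an added Python model (not the course's or Huawei's code): VRF names, prefixes and the RT values 100:1, 200:1, 100:50, 100:98 and 100:99 are constructed in the ASN:nn style of the figure, and is_full_mesh() flags the "every VPN reaches every other VPN" state the previous slide warns against.

```python
"""Route-target (RT) controlled route distribution between VRFs, modelled
in Python.  A VPNv4 route carries the export RTs of the VRF that
originated it; a PE installs it into every VRF whose import RT set shares
at least one value with those RTs.  That single rule gives:
  * isolated service VPNs (no common RT),
  * a hub-and-spoke Internet VPN (hub exports 100:99, spokes import it;
    spokes export 100:98, only the hub imports it),
  * a shared-server VRF that exports one RT every service VPN imports.
All VRF names, prefixes and RT values are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class VpnRoute:
    prefix: str
    origin_vrf: str
    rts: Set[str]                 # export RTs stamped at origination


@dataclass
class Vrf:
    name: str
    import_rt: Set[str]
    export_rt: Set[str]
    local_prefixes: List[str] = field(default_factory=list)
    table: Set[str] = field(default_factory=set)


def originate(vrfs: Dict[str, Vrf]) -> List[VpnRoute]:
    """Turn every VRF's local prefixes into VPNv4 routes with its export RTs."""
    return [VpnRoute(p, v.name, set(v.export_rt))
            for v in vrfs.values() for p in v.local_prefixes]


def distribute(vrfs: Dict[str, Vrf]) -> Dict[str, Set[str]]:
    """Rebuild every VRF table: its own prefixes plus every VPNv4 route
    carrying an RT it imports. Returns {vrf name: installed prefixes}."""
    routes = originate(vrfs)
    for v in vrfs.values():
        v.table = set(v.local_prefixes) | {
            r.prefix for r in routes if r.rts & v.import_rt}
    return {v.name: set(v.table) for v in vrfs.values()}


def can_reach(vrfs: Dict[str, Vrf], src_vrf: str, prefix: str) -> bool:
    return prefix in vrfs[src_vrf].table


def mutual_access_pairs(vrfs: Dict[str, Vrf]) -> Set[Tuple[str, str]]:
    """Ordered pairs (a, b): VRF a holds a route to a prefix originated by b."""
    return {(a.name, b.name)
            for a in vrfs.values() for b in vrfs.values()
            if a.name != b.name
            and any(p in a.table for p in b.local_prefixes)}


def is_full_mesh(vrfs: Dict[str, Vrf]) -> bool:
    """The state to avoid: every VPN can reach every other VPN."""
    n = len(vrfs)
    return n > 1 and len(mutual_access_pairs(vrfs)) == n * (n - 1)


def build_dcn_vrfs() -> Dict[str, Vrf]:
    """Constructed municipal DCN: two service VPNs, an Internet hub VPN
    that hands a default route to the spokes, and a shared-server VRF."""
    return {
        "billing":  Vrf("billing",  {"100:1", "100:99", "100:50"},
                        {"100:1", "100:98"}, ["10.1.0.0/16"]),
        "nms":      Vrf("nms",      {"200:1", "100:99", "100:50"},
                        {"200:1", "100:98"}, ["10.2.0.0/16"]),
        "internet": Vrf("internet", {"100:98"}, {"100:99"}, ["0.0.0.0/0"]),
        "shared":   Vrf("shared",   {"100:1", "200:1"}, {"100:50"},
                        ["10.9.9.10/32"]),
    }


if __name__ == "__main__":
    vrfs = build_dcn_vrfs()
    for name, table in distribute(vrfs).items():
        print(f"{name:9s} {sorted(table)}")
    print("full mesh (VPN meaningless):", is_full_mesh(vrfs))
```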


VPN Mutual Access in MPLS VPN
[Figure: a multi-role host accesses through an L2TP tunnel to the LNS/PE, which places it into a VLAN / MPLS VPN after Radius/CAMS authentication. The PE dynamically imports the user into different VPNs based on user name and password and allocates different IP addresses.]
- Typical application of access to MPLS VPN.
- An L2TP adapter can replace a real network card.
- Dynamic selection of VPN is realized by using the L2TP authentication mechanism.

VPN Mutual Access in MPLS VPN
[Figure: a shared server behind a firewall, attached to a PE with its own VRF in the MPLS VPN. Configure a VRF for the multi-purpose server; configure the firewall to protect the server.]
- Shared by multiple VPNs, with a fixed position and a fixed role.
- Configure a special VRF for the multi-purpose server, and exchange routes with multiple VPNs.
- The multi-purpose server IP address is unique within the office.
- Add security protection to the server.

Consideration in Cross-Area MPLS VPN Design
[Figure: Option A inter-AS VPN: AS1 (CE - PE - MP-IBGP - ASBR) - EBGP, IP transmit - AS2 (ASBR - MP-IBGP - PE - CE); VPN LSP1 in AS1, VPN LSP2 in AS2]
- VPN interconnections between the national and provincial networks, or between the provincial and municipal networks, all belong to cross-AS (inter-AS) MPLS VPN. In DCN, two modes, Option A or Option B, are usually adopted.
- Option A configuration is simple, and it is not necessary to consider compatibility between different manufacturers. The RT can be different in the two ASes. Option A is not suitable for the case with many VPNs.

Consideration in Cross-Area MPLS VPN Design
[Figure: Option B inter-AS VPN: AS1 (CE - PE - MP-IBGP - ASBR) - MP-EBGP - AS2 (ASBR - MP-IBGP - PE - CE); VPN LSP1 in AS1, VPN LSP2 in AS2]
- When Option B is used, it is necessary to consider compatibility between different manufacturers.
- Option B requires that the RT in the two ASes be consistent. If the RT rule in the carrier's relevant regulation is ASN:XX, then the RTs of the two ASes cannot be consistent, which requires negotiating a solution.
- The essence of the user's scheme selection: dynamic VPN access.

Thank You
www.huawei.com
