Chapter 10. Deploying BGP/MPLS Layer-3 VPNs


What Is a Virtual Private Network?

The term virtual private network (VPN) is widely used; in fact, it's so widely used, it means different things to different people. Let's look at the three words involved:

Virtual indicates the network topology isn't tied to a physical topology but rather is a logical topology which is defined through a physical network. The network equipment used for forwarding traffic along a virtual network isn't owned or operated by the end user but rather by some service provider.

Private indicates that the security, addressing, and routing of the network (or logical topology) are completely independent of the network security, addressing, and routing of other networks running across the same physical topology.

A network is nothing but a system interconnecting other systems to allow data to be exchanged between those systems. A network isn't necessarily in one physical location but rather can be dispersed geographically.

In this chapter, a VPN is a set of sites able to communicate with each other via one or more service provider networks while maintaining their own set of policies (including quality of service), security, addressing, and routing without regard to the physical topology of the service provider's network or other customers using the same physical network to transit traffic.



Overlay and Peer-to-Peer VPNs

From an implementation perspective, VPNs can be classified into overlay and peer-to-peer VPNs. From a connectivity perspective, VPNs can be classified into intranet and extranet VPNs. Let's look closer at these classifications.



The Overlay Model

In a VPN based on the overlay model, the service provider provisions a set of emulated leased lines called virtual circuits (VCs), and the customer establishes router-to-router communications between its sites over these VCs. The service provider neither has knowledge of the customer's network nor participates in routing with the customer; the VPN is simply a layer-2 circuit from the customer's point of view.

The service provider backbone may have many such VPNs running across the same physical circuits and devices, but each customer's traffic appears to be traveling across a completely separate layer-2 infrastructure from the customer's point of view. In Figure 10.1, customer sites A, C, and E build neighbor adjacencies with one another via the VPN while B, D, F, and G form neighbor adjacencies with one another over another VPN, both overlaid on an SP network infrastructure.

Figure 10.1. An overlay model VPN.

Overlay VPN networks can be implemented with a number of switched WAN layer-2 technologies, such as frame relay or ATM. Recently, IP-over-IP tunneling methods, like Generic Route Encapsulation (GRE) and IPSec encryption, have been used to implement VPNs based on the overlay model.



The Peer-to-Peer Model

In a VPN based on the peer-to-peer model, sites are interconnected via a service provider in the same way they are interconnected in an overlay model, but rather than the customer running routing protocols over the VPN VCs, the customer actually injects their routing information into the service provider's routing table. The service provider then takes responsibility for conveying the customer's routing information from one customer site to another, providing layer-3 connectivity between them, as Figure 10.2 illustrates.

Figure 10.2. A peer-to-peer VPN.

In this network, rather than router A peering directly with routers B, C, and D to receive routing information from them, it only peers with router E. Router A can inject routing information learned from the site it's attached to into the ISP's routing tables at router E. Information injected by router A is then pulled from the ISP's routing table at F, H, and I, and given to routers B, C, and D, at the other customer sites.

Peer-to-peer VPN networks can be implemented via shared or dedicated routers on the service provider end, with access control lists controlling the routing information advertised toward the customer. BGP/MPLS-based VPNs fall into the peer-to-peer VPN category.



Which Model Is Best?

There are advantages and disadvantages to VPN networks built based on either of these two models. Overlay VPN networks place the burden of routing on the customer, so they can be difficult to manage if the number of sites increases, especially in the case where there is a need to connect from a site to every other site (full mesh intersite connections are required). Further, the service provider is now just a layer-2 provider and isn't able to add much value to the customer's network.

Peer-to-peer VPN networks only require the customer to peer with the service provider; regardless of how many sites are interconnected using the VPN, the customer only has to manage one peering session for each site. The tradeoff is that the service provider now has to manage multiple routing clouds, thus affecting scalability of the service provider's infrastructure.

In the next section we will focus on BGP/MPLS-based VPNs and see their advantages over other VPN solutions.



Intranet and Extranet VPNs

If a VPN is only used to interconnect a single company's sites, it's considered an intranet VPN. For instance, in Figure 10.2, if routers A, B, C, and D are all connected to a single customer's sites, the VPN interconnecting them across the service provider's network would be considered an intranet VPN. In an intranet VPN, all the sites connected to the VPN are under the administrative control of a single entity, such as a company or government agency. An intranet VPN, then, is analogous to a single autonomous system in BGP.

An extranet VPN, on the other hand, interconnects multiple networks. Extranet VPNs can be used to provide private connectivity between two autonomous systems; for instance, two partnering companies may want to share inventory information between their sales systems. They could do this by setting up an extranet VPN rather than purchasing a private link of some type.



Other Terms

Other terms you will see on a regular basis when discussing MPLS/BGP VPNs include the following:

A site is a collection of systems that can access each other without any external provider connectivity.

A customer edge (CE) router is the customer-owned and -managed router that connects to the service provider's network. Routers A, B, C, and D in Figure 10.2 are CE routers.

A provider edge (PE) router is the service-provider-owned and -managed router connected to the customer's network. Routers E, F, H, and I are PE routers in Figure 10.2.

Routers within the service provider's network, providing connectivity between the PE routers, are called provider (P) routers, such as routers G and J in Figure 10.2.



The BGP/MPLS-Based VPN

In the peer-to-peer model, service providers are responsible for propagating routing information between the customer's sites, so a service provider who provides peer-to-peer VPNs for multiple customers will end up participating in routing for every one of those customers. This means that:

There is a heavy burden on the service provider's routers to maintain multiple routing and forwarding tables, one for each customer using a peer-to-peer VPN across the service provider's network.

Each customer may use the same address space (in fact, many probably will, since most large networks are addressed out of one of the private, or nonroutable, IP address spaces).

BGP/MPLS-based VPNs solve these two problems and provide other advantages over other traditional peer-to-peer-model-based VPN solutions. Figure 10.3 shows a VPN service provider network and its connectivity to its customers.



Figure 10.3. An MPLS/VPN network.



The following lists some of its salient features.

The BGP/MPLS-based VPN defines the administrative boundary between the customer and service provider networks. Each customer site is modeled as a separate autonomous system, so the customer's interior routing protocol runs independently at each site. This means the customer can actually run different routing protocols at each site. The service provider's PE routers will learn routing information from the customer's sites by forming adjacencies with the CEs at each customer site.

An address conversion scheme is used to make every customer VPN route unique within the service provider's network, allowing VPN customers to have a common addressing scheme.

Multiple routing and forwarding tables are supported on each PE router, maintaining separation between different customers' routing information.

It employs BGP as a signaling protocol to set up VPN connectivity among the customer's sites.

It employs hierarchical MPLS to keep the service provider core free of all customer VPN routing information.

The level of security it provides to VPN customers is equivalent to that provided by overlay VCs based on frame relay or ATM networks.

You can see BGP/MPLS-based VPNs offer many advantages over other commonly available VPNs. Customers generally prefer VPNs built using BGP/MPLS techniques because such techniques can simplify their networks and connectivity requirements, directly impacting their operational expenses. The service provider, on the other hand, adds value to its customers' networks not only through providing a simpler solution for its customers but also in possible gains through the deployment of traffic engineering, fast reroute, and other technologies.
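The two problems listed above (per-customer routing tables on the PE, and customers reusing the same private address space) can be illustrated with a small model of a PE router. This is an added example, not code from the chapter; it assumes a per-customer VRF and a per-customer distinguisher string modeled on the route distinguisher of RFC 4364 (the chapter's "address conversion scheme"), with constructed customer names, prefixes and next hops.

```python
from ipaddress import ip_address, ip_network

# Constructed sample: two customers both address their sites out of
# private space 10.0.0.0/8. The PE keeps one routing table (VRF) per
# customer and prepends a per-customer distinguisher to each route it
# passes into the backbone (assumed here to model the route distinguisher
# of RFC 4364; the chapter calls this the "address conversion scheme").
class ProviderEdge:
    def __init__(self):
        self.vrfs = {}            # customer -> {prefix: next hop (CE)}
        self.distinguishers = {}  # customer -> distinguisher string

    def add_vrf(self, customer, distinguisher):
        self.vrfs[customer] = {}
        self.distinguishers[customer] = distinguisher

    def learn_from_ce(self, customer, prefix, next_hop):
        # A route from a customer's CE lands only in that customer's VRF.
        self.vrfs[customer][ip_network(prefix)] = next_hop

    def lookup(self, customer, address):
        # Longest-prefix match restricted to the customer's own VRF, so a
        # packet for customer A is never forwarded by customer B's route.
        table = self.vrfs[customer]
        addr = ip_address(address)
        best = max((p for p in table if addr in p),
                   key=lambda p: p.prefixlen, default=None)
        return None if best is None else table[best]

    def flat_prefixes(self):
        # What one shared table would hold: identical customer prefixes
        # collapse into a single entry and can no longer be told apart.
        return {p for table in self.vrfs.values() for p in table}

    def vpn_routes(self):
        # What is advertised across the backbone: (distinguisher, prefix)
        # pairs stay unique even when the bare prefixes are identical.
        return {(self.distinguishers[c], p): nh
                for c, table in self.vrfs.items() for p, nh in table.items()}

def build_sample_pe():
    pe = ProviderEdge()
    pe.add_vrf("acme", "65000:1")    # constructed ASN:number distinguishers
    pe.add_vrf("globex", "65000:2")
    pe.learn_from_ce("acme", "10.1.0.0/16", "CE-A")
    pe.learn_from_ce("globex", "10.1.0.0/16", "CE-B")   # same prefix as acme
    pe.learn_from_ce("globex", "10.1.5.0/24", "CE-B2")
    return pe
```

With the sample PE, `flat_prefixes()` holds only two distinct prefixes because the two customers' 10.1.0.0/16 routes collide, while `vpn_routes()` holds three because the distinguisher keeps them apart; a lookup for 10.1.5.7 returns CE-A in acme's VRF and CE-B2 in globex's.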



CE to PE Routing

One of the critical components in the BGP/MPLS architecture is the PE router; it must learn routes through various routing protocols from the customer site CE and provide routing information back to the customer site CE router through those same routing protocols. Various customer-side routing protocols need to be supported, such as eBGP, RIPv2, OSPF, IS-IS, EIGRP, and even static routes, making the PE's job more complex, and some extensions to existing routing protocols are required to provide the features required for the protocol to work in this environment.

Using static routes is simple; the CE is configured with the list of routes reachable via the PE, and the PE router is configured with the list of routes reachable via the CE.

BGP is the protocol used in today's Internet for exchanging routing information across administrative boundaries. If a customer is already using BGP in their network, it makes more sense to use the same protocol also to exchange routing information with their VPN service provider. Note that eBGP is used in this role, rather than iBGP, because the customer's and service provider's networks are in two different autonomous systems.

OSPF, RIPv2, EIGRP, and IS-IS are all widely deployed routing protocols. From a customer's perspective, it is beneficial to have very little or no extra routing requirement imposed by the VPN service provider. As long as the PE can exchange routing information through one of these protocols, and the customer and service provider have software installed that supports the features required for the protocol to work in this environment, the customer can simply continue using the protocol and feature set they are accustomed to in their network.

Using any of these protocols, a CE router at a local customer site advertises its routing information to the locally attached PE router. The PE router then takes care of propagating routing information learned from the customer's CE through the service provider's network and thus to the relevant remote PE router(s) in the service provider's network. The remote PE learns this routing information through the service provider's network, and then advertises the routing information to the remote CE router. Thus, routing information between two customer sites of a VPN is exchanged and the two sites will be able to access one another over the service provider network.


