Full Transcript

JTO Phase II Data Network & IT MPLS based Layer 2 VPNs 8 MPLS-Based Layer 2 VPNs & MPLS based Layer-2 configuration 8.1 Learning Objectives After reading this chapter, the participant will be able to understand;  MPLS L2 VPN...

JTO Phase II Data Network & IT MPLS based Layer 2 VPNs 8 MPLS-Based Layer 2 VPNs & MPLS based Layer-2 configuration 8.1 Learning Objectives After reading this chapter, the participant will be able to understand;  MPLS L2 VPN  Provider provisioned VPN  Benefits of Layer 2 VPN  Standards for Layer 2 VPN  Comparison between MPLS L2 & L3 VPN  MPLS based VPN Configuration 8.2 Introduction Multi Protocol Label Switching (MPLS) is a data-carrying mechanism in packet-switched networks and it operates at a TCP/IP layer that is generally considered to lie between traditional definitions of Layer 2 (data link layer) and Layer 3 (network layer or IP Layer), and thus is often referred to as a "Layer 2.5" protocol. It was designed to provide a unified data-carrying service for both circuit-based clients and packet-switching clients, which provide a datagram service model. It can be used to carry many different kinds of traffic, including IP packets, as well as native ATM, SONET, and Ethernet frames. The Internet has emerged as the network for providing converged, differentiated classed of services to user with optimal use of resources and also to address the issues related to Class of service (CoS) and Quality of Service (QoS). MPLS is the technology that addresses all the issues in the most efficient manner. MPLS is a packet-forwarding technology that uses labels to make data forwarding decisions. With MPLS, the Layer 3 header analysis (IP header) is done just once (when the packet enters the MPLS domain).MPLS helps build scalable VPNs with traffic- engineering capability. 8.3 MPLS-layer 2 vpn In an MPLS-based Layer 2 VPN, traffic is forwarded by the customer‘s customer edge (CE) switch (or router) to the service provider‘s provider edge (PE) switch in a Layer 2 format. It is carried by MPLS over the service provider‘s network and then converted back to Layer 2 format at the receiving site. On a Layer 2 VPN, routing occurs on the customer‘s switches, typically on the CE switch. The CE switch connected to a service provider on a Layer 2 VPN must select the appropriate circuit on which to send traffic. The PE switch receiving the traffic sends it across the service provider‘s network to the PE switch connected to the receiving site. The PE switches do not store or process the customer‘s routes; the switches must be configured to send data to the appropriate tunnel. For a Layer 2 VPN, customers must configure their own switches to carry all Layer 3 traffic. The service provider must detect only how much traffic the Layer 2 VPN will JTO Phase II (DNIT) Version 1.0 Sep 2021 Page 112 of 174 For Restricted Circulation JTO Phase II Data Network & IT MPLS based Layer 2 VPNs need to carry. The service provider‘s switches carry traffic between the customer‘s sites using Layer 2 VPN interfaces. The VPN topology is determined by policies configured on the PE switches. Customers must know only which VPN interfaces connect to which of their own sites. Figure 1 illustrates a full-mesh Layer 2 VPN in which each site has a VPN interface linked to each of the other customer sites. In a full-mesh topology between all three sites, each site requires two logical interfaces (one for each of the other CE routers or switches), although only one physical link is needed to connect each PE switch to each CE router or switch. Figure 48: Layer 2 VPN Connecting CE Switches 8.4 Layer 2 Circuits A Layer 2 circuit is a point-to-point Layer 2 connection that uses MPLS or another tunneling technology on the service provider‘s network. A Layer 2 circuit is similar to a circuit cross-connect (CCC), except that multiple Layer 2 circuits can be transported over a single label-switched path (LSP) tunnel between two provider edge (PE) switches. In contrast, each CCC requires a dedicated LSP. The Junos OS implementation of Layer 2 circuits supports only the remote form of a Layer 2 circuit; that is, a connection from a local customer edge (CE) switch to a remote CE switch. Packets are sent to the remote CE switch by means of an egress virtual private network (VPN) label advertised by the remote PE switch. The VPN label transits over either an RSVP or an LDP LSP (or other type) tunnel to the remote PE switch connected to the remote CE switch. LDP is the signalling protocol used for advertising VPN labels. Return traffic sent from the remote CE switch to the local CE switch uses an ingress VPN label advertised by the local PE switch. JTO Phase II (DNIT) Version 1.0 Sep 2021 Page 113 of 174 For Restricted Circulation JTO Phase II Data Network & IT MPLS based Layer 2 VPNs 8.5 Layer 2 Provider-Provisioned VPNs  In the past, providers have used a single ATM core to support Internet and VPN traffic ATM PVCs for Internet traffic (ISP) ATM PVCs for VPNs  ATM isn‘t fast enough to support Internet Providers are pushed to two core networks  Why not support both over an MPLS core? Map Frame Relay and ATM to MPLS LSPs (L3 VPNs can also be over the same core) 8.6 The benefits of Layer 2 MPLS  Service providers do not have to invest in separate Layer 2 devices to provide Layer 2 VPN service.  The same PE router can run Layer 3 VPNs as well as Layer 2 VPNs.  A Layer 2 MPLS VPN allows the customer to use his existing Layer 2 VPN service over MPLS backbone.  In Layer 2 VPN Customers can maintain control over most of the administration of their networks (own routing policies). Layer 2 VPNs with MPLS  Customer sends the traffic over Layer 2 circuit (DLCI, VPI/VCI, or VLAN- ID)  Provider edge (PE) device maps the circuit ID to an MPLS LSP to traverse the provider core to other PE  Customer maps their own routing policies over the Layer 2 circuit mesh 8.7 Layer 2 VPN Standards  Two proposals known for MPLS-based Layer 2 VPNs :  Draft-Kompella (uses MP-iBGP for Layer 2 VPN label distribution) draft-kompella-mpls-l2vpn-02.txt  Draft-Martini (uses LDP for Layer 2 Label Distribution)  draft-martini-l2circuit-trans-mpls-06.txt  draft-martini-l2circuit-encap-mpls-02.txt JTO Phase II (DNIT) Version 1.0 Sep 2021 Page 114 of 174 For Restricted Circulation JTO Phase II Data Network & IT MPLS based Layer 2 VPNs 8.8 Draft-Kompella: VPN Forwarding Tables (VFTs) A VFT is created VPN A for each CE VPN A Site 1 connected to the PE Site2 CE–A2 VPN B Site2 CE–A1 ATM P P PE 2 ATM VPN B CE–B2 Site 1 VPN A PE 1 Site 3 CE–A3 ATM CE–B1 P P PE 3  Each VFT is populated with the information provisioned for the local Ces (Cct ID, Inner Label & Outer label)  VCT -VPN Connection Tables (VCT is subset of VFT) are received from other PEs via MP-iBGP Figure 49: Draft Complella - VPN Forwarding Tables (VFTs) Draft-Kompella: Distributing VCTs Uses MP-iBGP – Auto-discovery of members – Auto-assignment of inter-member circuits – BGP route filtering (based on Route Target) to configure VPN topologies A VCT is distributed for each VPN site to PEs CE-1 CE-2 BGP session / LDP Site 1 Site 2 PE-1 PE-2 VFT VFT CE-2 CE-4 Site 2 VFT VFT VFT VFT Site 4 CE-1 CE-3 Site 1 Site 3 VCTs are distributed by the PEs via MP-iBGP Figure 50: Draft-Kompella: VPN Connection Tables (VCT) JTO Phase II (DNIT) Version 1.0 Sep 2021 Page 115 of 174 For Restricted Circulation JTO Phase II Data Network & IT MPLS based Layer 2 VPNs Draft-Kompella: Provisioning Customer Site on PE CE-4 DLCIs CE-4 Routing Table 63 75 In Out 82 10/8 DLCI 63 94 20/8 DLCI 75 30/8 DLCI 82 - DLCI 94 Figure 51: Provisioning Customer site on PE List of DLCIs: one for each remote CE, some spare for over-provisioning DLCIs independently numbered for each CE Draft-komplella data flow IGP label (500) IGP label (540) site label (1002) site label (1002) site label (1002) Packet CE-1 Packet Packet CE-2 Site 2 PE-1 PE-2 Site 1 P-1 VFT VFT P-2 CE-2 CE-4 VFT VFT VFT VFT Site 4 Site 2 DLCI 82 DLCI 414 packet DLCI CE-1 CE-3 packet DLCI 82 414 Site 1 Site 3 PE-1 PE-1 P-2 1) Pop label1002 and lookup 1) Lookup DLCI in Red VFT P-1 1) Lookup MPLS table in respective VFT 2) Push VPN label (1002) 1) Lookup MPLS table 2) Pop IGP label 540 and 2) Find cct ID (DLCI=82) 3) Push IGP label (500) 2) Swap IGP label (500 to 540) forward to PE-2 3) Forward to CE-4 CE2 VFT CE4 VFT Sub-int IDs CE ID Inner Label Outer Label Imp/Exp RT RT1 107 1 7500 CE ID 4 209 2 5020 CE Range 4 265 3 9350 Label base 1000 414 4 1002 500 LSP to PE-2 Sub-int IDs Label CE4‘s DLCI to CE0 63 63 1000 1000 Label used to reach CE4 from CE0 CE4‘s DLCI to CE1 75 75 1001 Label used to reach CE4 from CE1 CE4‘s DLCI to CE2 82 82 1002 Label used to reach CE4 from CE2 CE4‘s DLCI to CE3 94 94 1003 Label used to reach CE4 from CE3 Figure 52: Data flow Draft-Kompella: Supported Layer 2 Technologies  Frame Relay  ATM AAL5 CPCS Mode  ATM Transparent Cell Mode  Ethernet JTO Phase II (DNIT) Version 1.0 Sep 2021 Page 116 of 174 For Restricted Circulation JTO Phase II Data Network & IT MPLS based Layer 2 VPNs  Ethernet VLAN  Cisco HDLC  PPP 8.9 Draft-Martini Overview  Draft-Martini Layer 2 VPNs use LDP for signalling in the provider‘s network.  Since LDP is used BGP is not required.  Only like circuits are allowed between PE-CE at both the ends  Inner label is defined as Virtual Circuit Label (VC Label) Martini- VC Label Distribution  The PE uses LDP to distribute a VC label for each Layer 2 circuit defined  PE-1 advertises input labels for each Layer 2 circuit configured to PE-2.  PE-2 uses the received labels as output labels to reach the respective Layer 2 circuit connected to PE-1.  PE-2 also advertises the input labels in the same way for the use of other PE-routers. JTO Phase II (DNIT) Version 1.0 Sep 2021 Page 117 of 174 For Restricted Circulation JTO Phase II Data Network & IT MPLS based Layer 2 VPNs Martini- VC Label Distribution A VC label is distributed for each l2circuit to other PEs A VC label is distributed for each l2circuit to other PEs CE-1 Extended LDP Session CE-2 Site 2 PE-1 PE-2 Site 1 VFT VFT CE-2 CE-4 Site 2 VFT VFT VFT VFT Site 4 VLAN ID 82 VLAN ID 414 CE-1 CE-3 Site 1 Site 3 PE-2 ‘s input Label (for eg. 1002) to access CE-4 from CE-2 advertised thru’ LDP PE-1 ‘s output Label (1002) to reach CE-4 from CE-2 Figure 53: Label Distribution Draft Martini - Data Flow IGP label (500) IGP label (540) site label (1002) site label (1002) site label (1002) Packet Packet Packet CE-1 Extended LDP Session CE-2 Site 2 PE-1 PE-2 Site 1 VFT VFT CE-2 CE-4 Site 2 VFT VFT VFT VFT Site 4 VLAN ID 414 VLAN ID 414 CE-1 CE-3 packet VLAN 82 packet VLAN 414 Site 1 Site 3 A VC label is distributed for A VC label is distributed for each l2circuit to other PEs each l2circuit to other PEs Figure 54: Data flow JTO Phase II (DNIT) Version 1.0 Sep 2021 Page 118 of 174 For Restricted Circulation JTO Phase II Data Network & IT MPLS based Layer 2 VPNs Provisioning the CE for Martini Configure Layer 2 circuit IDs one each for remote CE device. VLAN ID must be same at both the ends (PE-CE layer 2 circuit) Frame Relay & ATM AAL5 encapsulations are not supported at present. CE devices at both the ends should be configured for routing to carry layer 3 traffic. 8.10 Comparison between MPLS-Based Layer 2 VPN & Layer 3 VPN Table 6. Comparison Layer 2 VPN Layer 3 VPN Customer sites appear to be on Service provider‘s technical expertise ensures efficient the same LAN even if site-to-site routing. Service providers can provide geographically dispersed. additional value-added services through network convergence that encompasses voice, video, and data. The service provider does not Customers must share information about their network require information about the topology. customer‘s network topology, policies, routing information, etc. The customer has complete The service provider determines the policies and control over policies and routing. routing. The CE switch forwards traffic The customer‘s CE switch must be configured to use to the service provider‘s PE BGP or OSPF to communicate with the service switch in Layer 2 format. provider‘s PE switch to carry IP prefixes across the network. Other protocol packets are not supported. JTO Phase II (DNIT) Version 1.0 Sep 2021 Page 119 of 174 For Restricted Circulation JTO Phase II Data Network & IT MPLS based Layer 2 VPNs 8.11 Configuration of MPLS LAYER 2 VPN USING ETHERNET AS LAYER 2 TRANSPORT Configuration on customer Routers R4, R5 R4# R4#configure terminal R4(config)#int fa0/0 R4(config-if)#ip address 172.16.0.9 255.255.255.252 R4(config-if)#no shutdown R4(config-if)#exit R4(config)#int fa0/1 R4(config-if)#ip address 192.168.1.1 255.255.255.0 R4(config-if)#no shutdown R4(config-if)#exit R4(config)#ip routing R4(config)#router rip R4(config-router)#ver 2 R4(config-router)#network 192.168.1.0 R4(config-router)#network 172.16.0.8 R4(config-router)#no auto-summary JTO Phase II (DNIT) Version 1.0 Sep 2021 Page 120 of 174 For Restricted Circulation JTO Phase II Data Network & IT MPLS based Layer 2 VPNs R4(config-router)#end R4#wr R5#configure terminal R5(config)#int fa0/0 R5(config-if)#ip address 172.16.0.10 255.255.255.252 R5(config-if)#no shutdown R5(config-if)#exit R5(config)#int fa0/1 R5(config-if)#ip address 192.168.2.1 255.255.255.0 R5(config-if)#no shut R5(config-if)#exit R5(config)#ip routing R5(config)#router rip R5(config-router)#ver 2 R5(config-router)#network 192.168.2.0 R5(config-router)#network 172.16.0.8 R5(config-router)#no auto-summary R5(config-router)#end R5#wr Configuration on ISP Routers R1, R2, R3 R1#configure terminal R1(config)#int loopback 0 R1(config-if)#ip address 10.10.10.103 255.255.255.255 R1(config-if)#no shut R1(config-if)#exit R1(config)#int s1/0 R1(config-if)#ip address 172.16.0.2 255.255.255.252 R1(config-if)#no shutdown R1(config-if)#exit R1(config)#int fa0/0 R1(config-if)#no shutdown R1(config-if)#exit R1(config)#ip routing R1(config)#router ospf 10 R1(config-router)#network 10.10.10.103 0.0.0.0 area 0 JTO Phase II (DNIT) Version 1.0 Sep 2021 Page 121 of 174 For Restricted Circulation JTO Phase II Data Network & IT MPLS based Layer 2 VPNs R1(config-router)#network 172.16.0.0 0.0.0.3 area 0 R1(config-router)#exit R1(config)#ip cef R1(config)#mpls ip R1(config)#mpls label protocol ldp R1(config)#mpls ldp router-id loopback 0 R1(config)#mpls label range 100 199 R1(config)#int s1/0 R1(config-if)#mpls ip R1(config-if)#mpls label protocol ldp R1(config-if)#exit R1#wr R3#configure terminal R3(config)#int loopback 0 R3(config-if)#ip address 10.10.10.105 255.255.255.255 R3(config-if)#no shutdown R3(config-if)#exit R3(config)#int s1/1 R3(config-if)#ip address 172.16.1.2 255.255.255.252 R3(config-if)#no shut R3(config-if)#exit R3(config)#int fa0/0 R3(config-if)#no shutdown R3(config-if)#exit R3(config)#ip routing R3(config)#router ospf 10 R3(config-router)#network 10.10.10.105 0.0.0.0 area 0 R3(config-router)#network 172.16.1.0 0.0.0.3 area 0 R3(config-router)#exit R3(config)#ip cef R3(config)#mpls ip R3(config)#mpls label protocol ldp R3(config)#mpls label range 300 399 R3(config)#mpls ldp router-id loopback 0 R3(config)#int s1/1 R3(config-if)#mpls ip R3(config-if)#mpls label protocol ldp R3(config-if)#end R3#wr R2#conf t R2(config)#int loopback 0 R2(config-if)#ip address 10.10.10.104 255.255.255.255 R2(config-if)#no shut R2(config-if)#exit R2(config)#int s1/1 R2(config-if)#ip address 172.16.1.1 255.255.255.252 R2(config-if)#no shut R2(config-if)#exit JTO Phase II (DNIT) Version 1.0 Sep 2021 Page 122 of 174 For Restricted Circulation JTO Phase II Data Network & IT MPLS based Layer 2 VPNs R2(config)#int s1/0 R2(config-if)#ip address 172.16.0.1 255.255.255.252 R2(config-if)#no shut R2(config-if)#exit R2(config)#ip routing R2(config)#router ospf 10 R2(config-router)#network 172.16.0.0 0.0.0.3 area 0 R2(config-router)#network 172.16.1.0 0.0.0.3 area 0 R2(config-router)#network 10.10.10.104 0.0.0.0 area 0 R2(config-router)#exit R2(config)#ip cef R2(config)#mpls ip R2(config)#mpls label protocol ldp R2(config)#mpls label range 200 299 R2(config)#mpls ldp router-id loo R2(config)#mpls ldp router-id loopback 0 R2(config)#int s1/1 R2(config-if)#mpls ip R2(config-if)#mpls label protocol ldp R2(config-if)#exit R2(config)#int s1/0 R2(config-if)#mpls ip R2(config-if)#mpls label protocol ldp R2(config-if)#exit R2(config)#exit R2#wr Configuration of MPLS LAYER 2 VPN virtual circuit using Pseudo-wire Technology On Router R1 R1(config)# R1(config)#int fa0/0 R1(config-if)#xconnect 10.10.10.105 1 encapsulation mpls R1(config-if-xconn)#end R1# *Jul 6 13:14:09.311: %LINEPROTO-5-UPDOWN: Line protocol on Interface pseudowire0, changed state to up *Jul 6 13:14:10.831: %SYS-5-CONFIG_I: Configured from console by console R1#wr Building configuration... [OK] R1# *Jul 6 13:14:40.831: %LDP-5-NBRCHG: LDP Neighbor 10.10.10.105:0 (2) is UP On Router R3 JTO Phase II (DNIT) Version 1.0 Sep 2021 Page 123 of 174 For Restricted Circulation JTO Phase II Data Network & IT MPLS based Layer 2 VPNs R3(config)# R3(config)#int fa0/0 R3(config-if)#xconnect 10.10.10.103 1 encapsulation mpls R3(config-if-xconn)#end R3#wr *Jul 6 13:14:39.195: %LINEPROTO-5-UPDOWN: Line protocol on Interface pseudowire0, changed state to up R3#wr Building configuration... *Jul 6 13:14:39.487: %SYS-5-CONFIG_I: Configured from console by console *Jul 6 13:14:39.883: %LDP-5-NBRCHG: LDP Neighbor 10.10.10.103:0 (2) is UP[OK] R3# Observations R4#ping 172.16.0.10 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 172.16.0.10, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 176/188/212 ms R4#ping 192.168.1.1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms R5#ping 172.16.0.9 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 172.16.0.9, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 148/155/168 ms R5#ping 192.168.1.1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 148/175/220 ms R5# 8.12 Conclusion MPLS VPN provides optimal routing for traffic belonging to the customer for inter-site traffic. The MPLS-based VPN model permits overlapping address spaces, thus helps in JTO Phase II (DNIT) Version 1.0 Sep 2021 Page 124 of 174 For Restricted Circulation JTO Phase II Data Network & IT MPLS based Layer 2 VPNs handling IPv4 address scarcity within MPLS domain and allows large number of customers, each of which is spanning across multiple locations. MPLS VPN combines the advantages of both peer to peer model and overlay model of VPN implementation. It ensures desired levels of QOS & COS parameters, helpings ISPs to honour SLAs and thereby retain customers. It is a very cost effective solution and scaling is very easy and does not make the network complex and also minimizes maintenance issues. JTO Phase II (DNIT) Version 1.0 Sep 2021 Page 125 of 174 For Restricted Circulation

Use Quizgecko on...
Browser
Browser