MPLS and VPN Architectures

Cisco Press
ciscopress.com

Ivan Pepelnjak, CCIE #1354
Jim Guichard, CCIE #2069

A practical guide to understanding, designing and deploying MPLS and MPLS-enabled VPNs

Cisco Systems

CSCO-1026
CISCO SYSTEMS, INC. / Page 1 of 33

MPLS and VPN Architectures

Jim Guichard, CCIE #2069
Ivan Pepelnjak, CCIE #1354

Cisco Systems
Cisco Press

Cisco Press
201 West 103rd Street
Indianapolis, IN 46290 USA

MPLS and VPN Architectures
Jim Guichard, CCIE #2069
Ivan Pepelnjak, CCIE #1354
Copyright © 2001 Cisco Press
Cisco Press logo is a trademark of Cisco Systems, Inc.
Published by:
Cisco Press
201 West 103rd Street
Indianapolis, IN 46290 USA
All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review.
Printed in the United States of America 3 4 5 6 7 8 9 0 03 02 01

3rd Printing March 2001
Library of Congress Cataloging-in-Publication Number: 00-105168
ISBN: 1-58705-002-1

Warning and Disclaimer
This book is designed to provide information about Multiprotocol Label Switching (MPLS) and Virtual Private Networks (VPN). Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied.
The information is provided on an "as is" basis. The author, Cisco Press, and Cisco Systems, Inc., shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the discs or programs that may accompany it.
The opinions expressed in this book belong to the authors and are not necessarily those of Cisco Systems, Inc.

Feedback Information
At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community.
Readers' feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us through e-mail at ciscopress@mcp.com. Please make sure to include the book title and ISBN in your message.
We greatly appreciate your assistance.

Trademark Acknowledgments
All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Cisco Press or Cisco Systems, Inc., cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.

Contents at a Glance

Part I      MPLS Technology and Configuration 3
Chapter 1   Multiprotocol Label Switching (MPLS) Architecture Overview 5
Chapter 2   Frame-mode MPLS Operation 23
Chapter 3   Cell-mode MPLS Operation 49
Chapter 4   Running Frame-mode MPLS Across Switched WAN Media 65
Chapter 5   Advanced MPLS Topics 73
Chapter 6   MPLS Migration and Configuration Case Study 97
Part II     MPLS-based Virtual Private Networks 113
Chapter 7   Virtual Private Network (VPN) Implementation Options 115
Chapter 8   MPLS/VPN Architecture Overview 145
Chapter 9   MPLS/VPN Architecture Operation 167
Chapter 10  Provider Edge (PE) to Customer Edge (CE) Connectivity Options 207
Chapter 11  Advanced MPLS/VPN Topologies 237
Chapter 12  Advanced MPLS/VPN Topics 249
Chapter 13  Guidelines for the Deployment of MPLS/VPN 319
Chapter 14  Carrier's Carrier and Inter-provider VPN Solutions 357
Chapter 15  IP Tunneling to MPLS/VPN Migration Case Study 387
Appendix A  Tag-Switching and MPLS Command Reference 405
Index 408

Contents

Part I      MPLS Technology and Configuration 3

Chapter 1   Multiprotocol Label Switching (MPLS) Architecture Overview 5
    Scalability and Flexibility of IP-based Forwarding 5
    Network Layer Routing Paradigm 5
    Differentiated Packet Servicing 9
    Independent Forwarding and Control 10
    External Routing Information Propagation 10
    Multiprotocol Label Switching (MPLS) Introduction 11
    MPLS Architecture—The Building Blocks 13
    Label Imposition at the Network Edge 15
    MPLS Packet Forwarding and Label Switched Paths 17
    Other MPLS Applications 19
    Summary 20

Chapter 2   Frame-mode MPLS Operation 23
    Frame-mode MPLS Data Plane Operation 25
    MPLS Label Stack Header 26
    Label Switching in Frame-mode MPLS 28
    Label Bindings and Propagation in Frame-mode MPLS 31
    LDP/TDP Session Establishment 31
    Label Binding and Distribution 34
    Convergence in a Frame-mode MPLS Network 37
    Penultimate Hop Popping 40
    MPLS Interaction with the Border Gateway Protocol 42
    Summary 45

Chapter 3   Cell-mode MPLS Operation 49
    Control-plane Connectivity Across an LC-ATM Interface 51
    MPLS Control-plane Connectivity in Cisco IOS Software 52
    Control-plane Implementation in an ATM Switch 54
    Labeled Packet Forwarding Across an ATM-LSR Domain 55
    Label Allocation and Distribution Across an ATM-LSR Domain 56
    VC Merge 58
    Convergence Across an ATM-LSR Domain 61
    Summary 62

Chapter 4   Running Frame-mode MPLS Across Switched WAN Media 65
    Frame-mode MPLS Operation Across Frame Relay 65
    Frame-mode MPLS Operation Across ATM PVCs 67
    Frame-mode and Cell-mode MPLS Across the Same ATM Interface 69
    Summary 70

Chapter 5   Advanced MPLS Topics 73
    Controlling the Distribution of Label Mappings 73
    MPLS Encapsulation Across Ethernet Links 77
    IP MTU Path Discovery 78
    Ethernet Switches and MPLS MTU 80
    MPLS Loop Detection and Prevention 81
    Loop Detection and Prevention in Frame-mode MPLS 81
    Loop Detection and Prevention in Cell-mode MPLS 82
    Traceroute Across an MPLS-enabled Network 88
    Route Summarization Within an MPLS-enabled Network 92
    Summary 93

Chapter 6   MPLS Migration and Configuration Case Study 97
    Migration of the Backbone to a Frame-mode MPLS Solution 97
    Pre-migration Infrastructure Checks 99
    Cisco Express Forwarding (CEF) Requirements 100
    Addressing the Internal BGP Structure 101
    Migration of Internal Links to MPLS 103
    Removal of Unnecessary BGP Peering Sessions 105
    Migration of an ATM-based Backbone to Frame-mode MPLS 106
    Cell-mode MPLS Migration 108
    Summary 110

Part II     MPLS-based Virtual Private Networks 113

Chapter 7   Virtual Private Network (VPN) Implementation Options 115
    Virtual Private Network Evolution 115
    Modern Virtual Private Networks 118
    Business Problem-based VPN Classification 118
    Overlay and Peer-to-peer VPN Model 121
    Overlay VPN Model 121
    Peer-to-peer VPN Model 123
    Typical VPN Network Topologies 129
    Hub-and-spoke Topology 129
    Partial- or Full-mesh Topology 133
    Hybrid Topology 134
    Simple Extranet Topology 135
    Central-services Extranet 137
    VPDN Topology 139
    Managed Network VPN Topology 141
    Summary 142

Chapter 8   MPLS/VPN Architecture Overview 145
    Case Study: Virtual Private Networks in SuperCom Service Provider Network 146
    VPN Routing and Forwarding Tables 149
    Overlapping Virtual Private Networks 151
    Route Targets 155
    Propagation of VPN Routing Information in the Provider Network 156
    Multiprotocol BGP in the SuperCom Network 158
    VPN Packet Forwarding 161
    Summary 163

Chapter 9   MPLS/VPN Architecture Operation 167
    Case Study: Basic MPLS/VPN Intranet Service 168
    Configuration of VRFs 170
    Route Distinguishers and VPN-IPv4 Address Prefixes 171
    Configuration of the Route Distinguisher 175
    BGP Extended Community Attribute 177
    Route Target BGP Extended Community 178
    Site of Origin BGP Extended Community 180
    BGP Extended Community Attribute Format 182
    Basic PE to CE Link Configuration 184
    PE to CE Link Configuration—Static Routing 184
    PE to CE Link Configuration—RIP Version 2 185
    Association of Interfaces to VRFs 187
    Multiprotocol BGP Usage and Deployment 188
    Configuration of Multiprotocol BGP 191
    Enhanced BGP Decision Process for VPN-IPv4 Prefixes 194
    Outbound Route Filtering (ORF) and Route Refresh Features 196
    Automatic Route Filtering on PE-routers 197
    Refreshing Routing Information Between PE-routers 199
    ORF for PE-routers 201
    MPLS/VPN Data Plane—Packet Forwarding 203
    Summary 205

Chapter 10  Provider Edge (PE) to Customer Edge (CE) Connectivity Options 207
    VPN Customer Access into the MPLS/VPN Backbone 207
    BGP-4 Between Service Provider and Customer Networks 209
    Open Shortest Path First (OSPF) Between PE- and CE-routers 212
    Separation of VPN Customer Routing Information 214
    Propagation of OSPF Routes Across the MPLS/VPN Backbone 217
    BGP Extended Community Attribute for OSPF Routes 219
    PE-to-CE Connectivity—OSPF with Site Area 0 Support 220
    PE-to-CE Connectivity—OSPF Without Site Area 0 Support 224
    VPN Customer Connectivity—MPLS/VPN Design Choices 226
    Migrating Customers Using iBGP in Their Network to MPLS/VPN Service 230
    Autonomous System Number Override 232
    Summary 234

Chapter 11  Advanced MPLS/VPN Topologies 237
    Intranet and Extranet Integration 237
    Central Services Topology 240
    MPLS/VPN Hub-and-spoke Topology 242
    Deployment of the AllowAS-in Feature 245
    Summary 247

Chapter 12  Advanced MPLS/VPN Topics 249
    MPLS/VPN: Scaling the Solution 251
    Routing Convergence Within an MPLS-enabled VPN Network 251
    Convergence Within the Service Provider Backbone 253
    Convergence Between VPN Sites 255
    Advertisement of Routes Across the Backbone 260
    BGP for VPN-IPv4 and IPv4 Routing Information 261
    Full Mesh of MP-iBGP Between PE-routers 265
    Separation of MP-iBGP Sessions Between PE-routers 266
    Introduction of Route Reflector Hierarchy 268
    Route Reflection of PE Routes to Aid Scaling 270
    Route Reflector Partitioning 272
    Standard Community Filtering on PE-routers 274
    Route Target Attribute-based Filtering on Route Reflectors 277
    Route Reflection and ORF Capability 279
    BGP Confederations Deployment 280
    BGP Confederations—Single IGP Environment 285
    BGP Confederations—Multiple IGP Environment 286
    PE-router Provisioning and Scaling 291
    Additional Connectivity Requirements—Internet Access 292
    Internet Connectivity Through Firewalls 293
    Internet Access—Static Default Routing 295
    Separate BGP Session Between PE- and CE-routers 300
    Internet Connectivity Through Dynamic Default Routing 308
    Dynamic Default Routing—Route Target Assignment 308
    Association of the Global Routing Table with a VRF 310
    Additional Lookup in the Global Routing Table 314
    Internet Connectivity Through a Different Service Provider 315
    Summary 316

Chapter 13  Guidelines for the Deployment of MPLS/VPN 319
    Introduction to MPLS/VPN Deployment 319
    IGP to BGP Migration of Customer Routes 319
    Multiprotocol BGP Deployment in an MPLS/VPN Backbone 324
    VPN Routes and Next-hop Forwarding 325
    PE-router Loopback Address Configuration 328
    MPLS/VPN Deployment on LAN Interfaces 335
    Network Management of Customer Links 338
    Advertisement of Routes with Different Extended Communities 339
    Use of Standard BGP Communities for Route Filtering 343
    Advertisement of Routes with Different Route Targets Using Export Maps 348
    Use of Traceroute Across an MPLS/VPN Backbone 351
    Summary 354

Chapter 14  Carrier's Carrier and Inter-provider VPN Solutions 357
    Carrier's Carrier Solution Overview 358
    Carrier's Carrier Architecture—Topologies 361
    ISP with No MPLS Deployment Within POP Sites 362
    ISP with MPLS Deployed Within POP Sites 368
    Hierarchical Virtual Private Networks 372
    Inter-provider VPN Solutions 374
    Inter-provider VPN—Exchange of VPN-IPv4 Across Boundaries 376
    Inter-provider VPN—Multi-hop eBGP Between Customer Sites 382
    Summary 384

Chapter 15  IP Tunneling to MPLS/VPN Migration Case Study 387
    Existing VPN Solution Deployment—IP Tunneling 388
    Definition of VPNs and Routing Policies for PE-routers 390
    Definition of VRFs Within the Backbone Network 391
    VRF and Routing Policies for SampleNet VPN Sites 392
    VRF and Routing Policies for SampleNet Internet Access 393
    VRF and Routing Policies for Internet Access Customers 394
    MPLS/VPN Migration—Staging and Execution 394
    Migration of the SampleNet Central Site 395
    Configuration of MP-iBGP on BGP Route Reflectors 398
    Configuration of MP-iBGP on TransitNet PE-routers 400
    Migration of VPN Sites onto the MPLS/VPN Solution 401
    Summary 401

Appendix A  Tag-Switching and MPLS Command Reference 405

Index 408

Virtual Private Network (VPN) Implementation Options

A Virtual Private Network (VPN) is defined loosely as a network in which customer connectivity amongst multiple sites is deployed on a shared infrastructure with the same access or security policies as a private network. With the recent advent of marketing activities surrounding the term VPNs, from new technologies supporting VPNs to a flurry of VPN-enabled products and services, you might think that the VPN concept is a major technology breakthrough. However, as is often the case, VPN is a concept that is more than 10 years old and is well known in the service provider market space. The new technologies and products merely enable more reliable, scalable, and more cost-effective implementation of the same product. With the cost reduction and enhanced scalability associated with new VPN technologies, it's not surprising that VPN services are among the major drivers for Multiprotocol Label Switching (MPLS) deployment in service provider and enterprise networks.

Before discussing a technology (VPN services based on MPLS) designed to solve a problem (cost-effective VPN implementation), it's always advantageous to focus on the problem first, which is what we do in this chapter. This chapter gives you an overview of VPN services, common VPN terminology, and detailed classification of various VPN usages and topologies that are encountered most often. This chapter also provides an overview of technologies that were used traditionally to implement Virtual Private Networks either on individual service provider backbones or over the public Internet.

Virtual Private Network Evolution
Initial computer networks were implemented with two major technologies: leased lines for permanent connectivity and dial-up lines for occasional connectivity requirements. Figure 7-1 shows a typical network from those days.
Figure 7-1 Typical Computer Network from 15 Years Ago
[Figure: an IBM mainframe and front-end processor (SNA router) connected over leased lines and dial-up lines to cluster controllers (SNA end hosts).]

The initial computer network implementation provided the customers with good security (capturing data off leased lines requires dedicated equipment and physical access to the wires), but did not provide cost-effective implementation due to two reasons:
• The typical traffic profile between any two sites in a network varies based on the time of day, the day of the month, and even the season (for example, traffic at retail stores increases around Christmas season).
• The end-users always request fast responses, resulting in a high bandwidth requirement between sites, but the dedicated bandwidth available on the leased lines is used only part of the time (when the users are active).
These two reasons prompted the data communication industry and service providers to develop and implement a number of statistical multiplexing schemes that provided the customers with a service that was almost an equivalent to leased lines. This service was cheaper, however, due to the statistical benefits the service provider could achieve from a large customer base. The first virtual private networks were based on such technologies as X.25 and Frame Relay, and, later, SMDS and ATM. Figure 7-2 shows a typical VPN built with these technologies (for example, Frame Relay).

As you can see in Figure 7-2, the overall VPN solution has a number of components:
• The service provider is the organization that owns the infrastructure (the equipment and the transmission media) that provides emulated leased lines to its customers. The service provider in this scenario offers a customer a Virtual Private Network Service.
Figure 7-2 (figure caption not legible in the scan)
[Figure: customer sites, including a large customer site, connect through CPE routers (Customer Premises Equipment) over virtual circuits to provider edge devices (PE-devices, Frame Relay switches) in the service provider network, which also contains provider core devices and serves other customer routers.]

• The customer connects to the service provider network through a Customer Premises Equipment (CPE) device. The CPE is usually a Packet Assembly and Disassembly (PAD) device that provides plain terminal connectivity, a bridge, or a router. The CPE device is also sometimes called a Customer Edge (CE) device.
• The CPE device is connected through transmission media (usually a leased line, but could also be a dial-up connection) to the service provider equipment, which could be an X.25, Frame Relay, or ATM switch, or even an IP router. The edge service provider device is sometimes called the Provider Edge (PE) device.
• The service provider usually has additional equipment in the core of the service provider network (also called the P-network). These devices are called P-devices (for example, P-switches or P-routers).
• A contiguous part of the customer network is called a site. A site can connect to the P-network through one or several transmission lines, using one or several CPE and PE devices, based on the redundancy requirements.
• The emulated leased line provided to the customer by the service provider in the overlay VPN model (see the section, "Overlay and Peer-to-peer VPN Model," later in this chapter for more details) frequently is called a Virtual Circuit (VC). The VC can be either constantly available (Permanent Virtual Circuit [PVC]) or established on demand (Switched Virtual Circuit [SVC]). Some technologies used special terms for VCs, for example Data Link Connection Identifier (DLCI) in Frame Relay.
• The service provider can charge either a flat rate for the VPN service, which normally depends on the bandwidth available to the customer, or a usage-based rate, which can depend on the volume of data exchanged or the duration of data exchange.

Modern Virtual Private Networks
With the introduction of new technologies in the service provider networks and new customer requirements, the VPN concept became more and more complex. Vendors introduced different and often conflicting terms, which further increased the complexity. The modern VPN services thus can span a variety of technologies and topologies. The only way to cope with this diversity is to introduce VPN classification, which you can do using four criteria:
• The business problem a VPN is trying to solve. The major classes of business problems are intracompany communication (lately, also called intranet), intercompany communication (also called extranet), and access for mobile users (also called Virtual Private Dialup Network).
• The OSI layer at which the service provider exchanges the topology information with the customer. Major categories here are the overlay model, where the service provider provides the customer with only a set of point-to-point (or multipoint) links between the customer sites, and the peer model, where the service provider and the customer exchange Layer 3 routing information.
• The Layer 2 or Layer 3 technology used to implement the VPN service within the service provider network, which can be X.25, Frame Relay, SMDS, ATM, or IP.
• The topology of the network, which can range from simple hub-and-spoke topology to fully meshed networks and multilevel hierarchical topologies in larger networks.

Business Problem-based VPN Classification
The three business problems a typical organization is trying to solve with a Virtual Private Network are:
• Intra-organizational communication (intranet).
• Communication with other organizations (extranet).
• Access of mobile users, home workers, remote offices, and so on, through inexpensive dial-up media (Virtual Private Dial-up Network).
The three types of VPN solutions usually span most of the topologies and technologies offered by VPN service providers, but differ greatly in the level of security required in their implementation.
Intra-organizational communications usually are not protected well by the end hosts or the firewalls. The VPN service used to implement intra-organizational communication therefore must offer high levels of isolation and security. Intra-organizational communications also require guaranteed quality of service for mission-critical processes.
These are the two major reasons why we don't see many organizations using the Internet, which cannot offer end-to-end quality of service, isolation, or security, as the infrastructure for their intra-organizational communications. Intranet VPNs were thus usually implemented with traditional technologies like X.25, Frame Relay, or ATM.
Inter-organizational communications frequently take place between central sites of the organizations—usually using dedicated security devices, such as firewalls or encryption gear similar to the setup demonstrated in Figure 7-3. These communications also might have less stringent quality of service requirements. This set of requirements makes the Internet more and more suitable for inter-organizational communications; therefore, it's no surprise that more and more business-to-business traffic takes place over the Internet.
Figure 7-3 Typical Extranet Setup
[Figure: Organization #1, Organization #2, and Organization #3, each behind a firewall, are interconnected across the public Internet by encrypted point-to-point tunnels (IPSec).]

Remote user access into a corporate network, typically from changing or unknown locations, is always riddled with security issues, which have to be resolved on an end-to-end basis using such technologies as encryption or one-time passwords. Thus, the security requirements for VPDN services were never as high as the requirements for Intranet communications. It's no surprise that most of the VPDN services today are implemented on top of Internet Protocol (IP), either over the Internet or using the private backbone of a service provider, as illustrated in Figure 7-4. The protocols used to implement VPDN service over IP include Layer 2 Forwarding (L2F) or Layer 2 Tunneling Protocol (L2TP).
`
`|
`
`|
`
`aa
`
`CISCO SYSTEMS, INC. / Page 16 of 33
`
`CSCO-1026
`
`CSCO-1026
`CISCO SYSTEMS, INC. / Page 16 of 33
`
`
`
`
`
`|
`
`
`
`
`
`
`
` Virtual dial-up connection (PPP frames
`
`encapsulated in L2F or L2TP packets)
`
The VPDN technology uses a number of special terms that are unique to the VPDN world:
• Network Access Server (NAS)—The Remote Access Server (RAS) managed by the service provider that accepts the customer call, performs the initial authentication, and forwards the call (via L2F or L2TP) to the customer's gateway.
• Home Gateway—A customer-managed router that accepts the call forwarded by the NAS, performs additional authentication and authorization, and terminates the PPP session from the dial-up user. The PPP session parameters (including network addresses, such as an IP address) are negotiated between the dial-up user and the home gateway; the NAS only forwards frames of Point-to-Point Protocol (PPP) between the two.

NOTE
The details of VPDN, L2F, and L2TP are beyond the scope of this book. Please refer to RFC 2341 Cisco Layer Two Forwarding (Protocol) "L2F" and RFC 2661 Layer Two Tunneling Protocol "L2TP" for additional information on these topics.

Figure 7-4 Service Provider Offering Separate VPDN Backbone
[Figure: a remote user reaches the service provider Point-of-Presence (POP) over a dial-up network (for example, ISDN); the Network Access Server (NAS) at the POP carries the virtual dial-up connection (PPP frames encapsulated in L2F or L2TP packets) through a VPDN tunnel (L2F or L2TP) across the private service provider IP backbone to the Home Gateway of the organization with remote offices or dial-up users.]

Overlay and Peer-to-peer VPN Model
Two VPN implementation models have gained widespread use:
• The overlay model, where the service provider provides emulated leased lines to the customer.
• The peer-to-peer model, where the service provider and the customer exchange Layer 3 routing information and the provider relays the data between the customer sites on the optimum path between the sites and without the customer's involvement.

NOTE
One might argue that the case where the customer and the provider use the same Layer 2 technology (for example, Frame Relay or ATM switches) also constitutes a peer-to-peer model, but because we focus on Layer 3 VPN services here, we will not consider this scenario. Similarly, a humorous person might call a leased line service a Layer 1 peer-to-peer model.

Overlay VPN Model
The overlay VPN model is the easiest to understand because it provides very clear separation between the customer's and the service provider's responsibilities:
• The service provider provides the customer with a set of emulated leased lines. These leased lines are called VCs, which can be either constantly available (PVCs) or established on demand (SVCs). Figure 7-5 shows the topology of a sample overlay VPN and the VCs used in it.

Figure 7-5 Sample Overlay VPN Network
[Figure: customer sites connect to Frame Relay edge switches (PE-devices) that are interconnected by VCs across the Frame Relay network.]

• The customer establishes router-to-router communication between the Customer Premises Equipment (CPE) devices over the VCs provisioned by the service provider. The routing protocol data is always exchanged between the customer devices, and the service provider has no knowledge of the internal structure of the customer network. Figure 7-6 shows the routing topology of the VPN network in Figure 7-5.

Figure 7-6 Routing in Sample Overlay VPN Network
[Figure: routing adjacencies between the customer routers Alpha, Beta, and Gamma over the VCs of Figure 7-5.]

The QoS guarantees in the overlay VPN model usually are expressed in terms of bandwidth guaranteed on a certain VC (Committed Information Rate or CIR) and maximum bandwidth available on a certain VC (Peak Information Rate or PIR). The committed bandwidth guarantee usually is provided through the statistical nature of the Layer 2 service but depends on the overbooking strategy of the service provider. This means that the committed rate is not actually guaranteed although the provider can provision a Minimum Information Rate (MIR) that effectively is nailed up across the Layer 2 infrastructure.

NOTE
The committed bandwidth guarantee is also only a guarantee of the bandwidth between two points in the customer network. Without a full traffic matrix for all traffic classes, it's hard for the customer to engineer guarantees in most overlay networks. It's also hard to provide multiple classes of service because the service provider cannot differentiate the traffic in the middle of the network. Working around this by creating multiple connections (for example, Frame Relay PVCs) between the customer sites only increases the overall cost of the network.

Overlay VPN networks can be implemented with a number of switched WAN Layer 2 technologies, including X.25, Frame Relay, ATM, or SMDS. In the last years, overlay VPN networks also have been implemented with IP-over-IP tunneling, both in private IP backbones and over the public Internet. The two most commonly used IP-over-IP tunneling methods are Generic Routing Encapsulation (GRE) tunneling and IP Security (IPSec) encryption.

NOTE
This book does not discuss the various Layer 2 and Layer 3 overlay VPN technologies in detail because they are covered well in other Cisco Press publications and are beyond the scope of this book. For more information on Layer 2 WAN technologies, please refer to Internetworking Technologies Handbook, Second Edition, from Cisco Press (ISBN 1-57870-102-3). For a description of IP-over-IP tunneling and IPSec encryption, please see RFC 1702 — Generic Routing Encapsulation over IPv4 networks, RFC 2401 — Security Architecture for the Internet Protocol, and Enhanced IP Services for Cisco Networks from Cisco Press (ISBN 1-57870-106-6).

Although it's relatively easy to understand and implement, the overlay VPN model nevertheless has a number of drawbacks:
• It's well suited to non-redundant configurations with a few central sites and many remote sites, but becomes exceedingly hard to manage in a more meshed configuration (see also the section, "Typical VPN Network Topologies," later in this chapter for more details).
• Proper provisioning of the VC capacities requires detailed knowledge of site-to-site traffic profiles, which are usually not readily available.
Last but not least, the overlay VPN model, when implemented with Layer 2 technologies, introduces another unnecessary layer of complexity into the New World Service Provider networks that are mostly IP-based, thus increasing the acquisition and operational costs of such a network.

Peer-to-peer VPN Model
The peer-to-peer VPN model was introduced a few years ago to alleviate the drawbacks of the overlay VPN model. In the peer-to-peer model, the Provider Edge (PE) device is a router (PE-router) that directly exchanges routing information with the CPE router. Figure 7-7 shows a sample peer-to-peer VPN, which is equivalent to the VPN in Figure 7-5.
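The following is an added example, not from the book, that models the routing consequence of the two models on a small VPN (site and device names, and link costs, are assumed): in the overlay model the customer's routers compute paths over the VCs the provider provisioned, so with hub-and-spoke VCs spoke-to-spoke traffic transits the hub site, while in the peer-to-peer model the CE-routers peer with their PE-routers and the provider forwards on its own optimum path.

```python
import heapq
from typing import Dict, List, Tuple

# Site and device names below are constructed for this example; they are not
# from the book. Link costs are per model and are not comparable across models.
Graph = Dict[str, Dict[str, int]]  # node -> {neighbour: cost}


def add_link(g: Graph, a: str, b: str, cost: int) -> None:
    """Add a bidirectional link: a VC in the overlay model, a physical link in the provider core."""
    g.setdefault(a, {})[b] = cost
    g.setdefault(b, {})[a] = cost


def shortest_path(g: Graph, src: str, dst: str) -> Tuple[float, List[str]]:
    """Dijkstra over g; returns (cost, hop list), or (inf, []) when dst is unreachable."""
    dist: Dict[str, float] = {src: 0}
    prev: Dict[str, str] = {}
    heap: List[Tuple[float, str]] = [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue  # stale heap entry
        if u == dst:
            break
        for v, c in g.get(u, {}).items():
            if d + c < dist.get(v, float("inf")):
                dist[v] = d + c
                prev[v] = u
                heapq.heappush(heap, (d + c, v))
    if dst not in dist:
        return float("inf"), []
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return dist[dst], path[::-1]


def overlay_topology(hub: str, spokes: List[str], vc_cost: int = 1) -> Graph:
    """Overlay model: the customer's routers see only the VCs the provider
    provisioned (here a hub-and-spoke set of PVCs, as in Figure 7-5).
    The provider's P-devices never appear in the customer's routing view."""
    g: Graph = {}
    for spoke in spokes:
        add_link(g, hub, spoke, vc_cost)
    return g


def peer_topology(ce_to_pe: Dict[str, str], core: List[Tuple[str, str, int]],
                  access_cost: int = 1) -> Graph:
    """Peer-to-peer model: each CE-router exchanges routes with its PE-router,
    and the PE-routers forward across the provider's own core topology."""
    g: Graph = {}
    for ce, pe in ce_to_pe.items():
        add_link(g, ce, pe, access_cost)
    for a, b, cost in core:
        add_link(g, a, b, cost)
    return g


CUSTOMER_SITES = ["Alpha", "Beta", "Gamma"]  # constructed; Alpha is the hub site

OVERLAY = overlay_topology("Alpha", ["Beta", "Gamma"])
PEER = peer_topology(
    {"Alpha": "PE1", "Beta": "PE2", "Gamma": "PE3"},
    [("PE1", "PE2", 1), ("PE1", "PE3", 1), ("PE2", "PE3", 1)],
)


def transit_sites(path: List[str], sites: List[str] = CUSTOMER_SITES) -> List[str]:
    """Customer sites a path crosses other than its endpoints. In the overlay
    hub-and-spoke VPN, spoke-to-spoke traffic hairpins through the hub site;
    in the peer-to-peer model the provider forwards it on its own optimum path."""
    return [n for n in path[1:-1] if n in sites]


def compare(src: str, dst: str) -> Dict[str, Tuple[float, List[str], List[str]]]:
    """Path between two sites under both models, with the customer sites transited."""
    out = {}
    for name, g in (("overlay", OVERLAY), ("peer", PEER)):
        cost, path = shortest_path(g, src, dst)
        out[name] = (cost, path, transit_sites(path))
    return out


if __name__ == "__main__":
    for model, (cost, path, transit) in compare("Beta", "Gamma").items():
        print(f"{model:8s} cost={cost} path={' -> '.join(path)} transit sites={transit}")
```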
NOTE
The Managed Network service offered by many service providers, where the service provider also manages the CPE devices, is not relevant to this discussion because it's only a repackaging of another service. The Managed Network provider concurrently assumes the role of the VPN service provider (providing the VPN infrastructure) and part of the VPN customer role (managing the CPE device).