L3VPN


Next Generation Optical Networks for Broadband European Leadership

Layer3 Virtual Private Network (L3VPN)


Training course

Valerio Martini
This tutorial is licensed under the Creative Commons BY-NC-SA 3.0 license: creativecommons.org/licenses/by-nc-sa/3.0/

http://www.ist-nobel.org/Nobel2/servlet/Nobel2.Main

Summary
- What is a VPN?
- MPLS VPN (RFC 4364): a choice
- Private instances of routing (VRF tables)
- Multi-Protocol BGP
- An MPLS tunnel
- A quick view on:
  - VPN multi-domain
  - VPN QoS and scalability

valerio.martini@sssup.it

What is a VPN?
A Virtual Private Network (VPN) is a private data network that makes use of the public telecommunication infrastructure, maintaining privacy and resource reservation through the use of tunneling protocols.
- Layer 3 VPNs (L3VPN) are based on IP/MPLS networks (cf. RFC 4364, BGP/MPLS IP VPN)
- L3 VPN connectivity is provided across Service Provider networks
- L3 VPNs are based on the IP addressing scheme; the virtual connectivity relies on ad hoc forwarding tables called VRFs (VPN Routing and Forwarding tables)
- Backbone routers (P routers) are unaware of the tunnels and of the VRF tables, but are aware of the tunneling protocols
- Service Provider edge routers (PE routers) are the outsourced attachment points of the corporate network WANs (sites) used to establish the L3 VPN


VPN Terminology
[Figure: three VPNs (VPN 1, VPN 2, VPN 3) whose sites are attached over FE and GE links to the provider backbone. P = Provider Router, PE = Provider Edge Router, CE = Customer Edge Router.]


VPN Terminology
The WAN of a corporate network (a Site) consists of network systems placed in geographic proximity.
[Figure: the same three VPNs; a VPN area spans different customer sites, and the backbone runs BGP and IP/MPLS with OSPF and (optionally) RSVP.]


VPN Terminology
An Attachment Circuit (between an End System at the customer site and the PE) is usually considered as a data link, e.g., a Fast Ethernet (FE) or Gigabit Ethernet (GE) link.
[Figure: the same three VPNs, with FE and GE attachment circuits into the backbone.]


VPN Taxonomy
A brief classification:

Type of customer-side virtual tunnel
- Layer 2 VPNs provide Layer 2 connectivity, e.g., a native Ethernet LAN
- Layer 3 VPNs provide Layer 3 connectivity, e.g., based on an access IP router

Type of VPN (in terms of end-point location)
- CE-based: VPNs are configured and maintained by the customer; the provider network is VPN-unaware
- PE-based: network providers are responsible for VPN configuration and maintenance

Type of architecture possible
- VPN Layer 3 (e.g., IPsec)
- VPN Layer 2 (e.g., VPLS, VPWS)

Layer 2 vs Layer 3 VPN
Type of customer payload carried by the virtual tunnel.

Layer 3 VPN provides BGP IP/MPLS backbone connectivity:
The Layer 3 approach to creating an IP/MPLS-based VPN offers a routed solution:
- completely based on the IPv4 addressing scheme
- scalable
The de facto standard is described in RFC 4364 (February 2006).

Layer 2 VPN provides native Layer 2 backbone connectivity:
The Layer 2 approach:
- offers encapsulation methods to transport Layer 2 frames over MPLS networks
- provides an optimization between the provider and customer networks
- allows PEs to offer services that are INDEPENDENT of Layer 3 protocols
The establishment of point-to-point connectivity in a Layer 2 VPN is described in RFC 4906.

VPLS provides L2/L3 hybrid connectivity:
The Virtual Private LAN Service offers a hybrid connectivity based on:
- Provider-Customer VLAN (Virtual LAN) association on the access network
- BGP IP/MPLS connectivity in the backbone

CE vs PE Based
Type of endpoint (location) of the tunnel.

VPN Customer Edges (CE) are maintained by customers. The customer is responsible for:
- its endpoint
- router maintenance
- routing protocol configuration
- VRF configuration
- its own security
For example: VPLS belongs natively to this category.

VPN Provider Edges (PE) are maintained by Service Providers. The Service Provider is responsible for all domain endpoints and must be able to:
- configure all edge routers
- maintain the routers
- provide advanced services
- operate point-to-point security (IPsec, PE-based)
For example: L3 VPN belongs natively to this category. The customer network is completely VPN-unaware.

BGP IP/MPLS VPN: a choice
RFC 4364 defines an emerging standard commonly named MPLS VPN or, more exactly, BGP/MPLS IP VPN.

Service providers that offer Layer 3 VPN services can take advantage of new, advanced features:
- L3 VPN services allow businesses to outsource their current network core using a private IP-based service offering from an SP.
- The most common deployment is an any-to-any topology where any customer device can connect directly to the L3 VPN.
- Enterprise traffic entering the SP domain is then routed based on the information in the VRF table and encapsulated with MPLS labels to ensure proper tunneling and de-multiplexing through the core.

The three main steps for the establishment of a VPN over an IP/MPLS backbone:
1. Routing instance configuration (VRF tables and policy)
2. BGP-MP (Multi-Protocol BGP) configuration (it carries the VRF tables among the PEs)
3. MPLS configuration


Private Instances of Routing (Step-1)
The virtual tunnel connection is based on an ad hoc forwarding table called a VRF.
The address space used by a VRF is composed of:
- the IP prefix
- the Route Distinguisher (RD)
Different forwarding tables are distinguished by:
- the Route Target (RT)
Each VPN has its own address space:
- a given address may denote different systems in different VPNs
- a given address may denote the same system in different VPNs (unique address)

A new address space, the VPN-IPv4 family:
- 4 bytes: the standard IP prefix
- 8 bytes: the Route Distinguisher (RD), made of a Type field, the provider's AS number and an Assigned Number
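As an added worked example (not part of the tutorial), the following Python builds the 12-byte VPN-IPv4 address described above for the three registered RD types of RFC 4364 and the labelled NLRI form that MP-BGP carries; the RD values, AS numbers, prefixes and label are constructed.

```python
# Added example (not from the tutorial): build the VPN-IPv4 address (RD + IPv4
# prefix) that RFC 4364 section 4.2 defines, for the three registered RD types,
# plus the labelled NLRI form MP-BGP carries. All RDs, ASNs, prefixes and the
# label value below are constructed for the demonstration.
import ipaddress
import struct

def encode_rd(rd: str) -> bytes:
    """Encode 'ADMINISTRATOR:ASSIGNED-NUMBER' into the 8-byte Route Distinguisher.

    Type 0: 2-byte AS administrator, 4-byte assigned number    (e.g. 65000:100)
    Type 1: IPv4 address administrator, 2-byte assigned number (e.g. 2.2.2.2:100)
    Type 2: 4-byte AS administrator, 2-byte assigned number    (e.g. 4200000000:100)
    """
    admin, number = rd.split(":")
    number = int(number)
    if "." in admin:
        return struct.pack("!H4sH", 1, ipaddress.IPv4Address(admin).packed, number)
    asn = int(admin)
    if asn <= 0xFFFF:
        return struct.pack("!HHI", 0, asn, number)
    return struct.pack("!HIH", 2, asn, number)

def vpn_ipv4_address(rd: str, prefix: str) -> bytes:
    """12-byte VPN-IPv4 address: 8-byte RD followed by the 4-byte IPv4 prefix."""
    net = ipaddress.IPv4Network(prefix)
    return encode_rd(rd) + net.network_address.packed

def vpn_ipv4_nlri(rd: str, prefix: str, vpn_label: int) -> bytes:
    """Labelled VPN-IPv4 NLRI: 1-byte length in bits, 3-byte label (bottom of
    stack bit set), the RD, then only as many prefix bytes as the prefix length needs."""
    net = ipaddress.IPv4Network(prefix)
    label = ((vpn_label << 4) | 1).to_bytes(3, "big")   # 20-bit label, EXP=0, S=1
    prefix_bytes = net.network_address.packed[: (net.prefixlen + 7) // 8]
    length_bits = 8 * len(label) + 64 + net.prefixlen
    return bytes([length_bits]) + label + encode_rd(rd) + prefix_bytes

def overlapping_prefixes_stay_distinct() -> bool:
    """Two customers (VPN 1, VPN 2) both number a site 10.1.0.0/16: the plain
    prefixes collide, but the VPN-IPv4 addresses differ because the RDs differ."""
    a = vpn_ipv4_address("65000:1", "10.1.0.0/16")
    b = vpn_ipv4_address("65000:2", "10.1.0.0/16")
    return a[8:] == b[8:] and a != b
```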


Private Instances of Routing (Step-1): Full Scenario
[Figure: sites of VPN 1, VPN 2 and VPN 3 attached through FE attachment circuits (FE-1 and FE-2 at one PE) to the IP/MPLS backbone; one site sits behind a firewall.]


Private Instances of Routing (Step-1): Populate VRF Tables
[Figure: each enterprise CE routing table (an OSPF domain) feeds a separate VRF table on the PE, one for VPN 1, one for VPN 2 and one for VPN 3; the backbone runs MPLS, OSPF, RSVP and BGP-MP.]
There are three methods to populate the VRF:
- statically (by manual configuration) or RIP
- OSPF
- BGP


Private Instances of Routing (Step-1): Routing and Forwarding
- At least one VRF table for each attachment circuit
- possibly a different VRF for each VPN
- The Route Target is used to distinguish different VRF tables

The PE router composes the labeled frame (Label MPLS | Label VPN | IP pkt) before sending the customer's IP packet into the IP/MPLS backbone:
1. Identify the VPN
2. Select the VRF entry for this VPN
3. Attach the MPLS label info
4. Attach the VPN label info
5. Send out


Private Instances of Routing (Step-1): Label Switched Path
[Figure: the ingress PE COMPOSES the packets (the VPN label is pushed onto the IP packet) and the Label Switched Path carries them across the IP/MPLS backbone to the egress PE, which DECOMPOSES them and delivers the plain IP packet to the VPN site.]
The core routers are completely UNAWARE of the VPN label (VPN tag).

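The two-level label stack just described, as an added example that is not part of the tutorial: a constructed ingress PE pushes the transport and VPN labels, each P router swaps only the top label, and the egress PE maps the VPN label to a VRF; label values, LFIB contents, the VRF name and the packet are all constructed.

```python
# Added example (not from the tutorial): the two-level label stack of RFC 4364.
# A constructed ingress PE pushes [transport label, VPN label] onto the customer
# IP packet, each P router swaps only the top label (it never reads the VPN
# label), and the egress PE pops the transport label and uses the VPN label to
# select the VRF. Label values, LFIB contents and the packet are constructed.
import struct

def mpls_entry(label: int, bos: bool, ttl: int = 64) -> bytes:
    """4-byte label stack entry: 20-bit label, 3-bit TC (0), 1-bit S, 8-bit TTL."""
    return struct.pack("!I", (label << 12) | (int(bos) << 8) | ttl)

def parse_entry(entry: bytes):
    """Return (label, bottom_of_stack, ttl) of the first stack entry in entry."""
    (word,) = struct.unpack("!I", entry[:4])
    return word >> 12, bool((word >> 8) & 1), word & 0xFF

def pe_compose(ip_pkt: bytes, transport_label: int, vpn_label: int) -> bytes:
    """Ingress PE: VPN label at the bottom of the stack (S=1), transport label on top."""
    return mpls_entry(transport_label, False) + mpls_entry(vpn_label, True) + ip_pkt

def p_router_swap(frame: bytes, lfib: dict) -> bytes:
    """P router: swap the top label per its LFIB and decrement the TTL; everything
    from byte 4 onwards is forwarded untouched, so the VPN label stays invisible."""
    label, bos, ttl = parse_entry(frame)
    return mpls_entry(lfib[label], bos, ttl - 1) + frame[4:]

def pe_decompose(frame: bytes, vpn_label_to_vrf: dict):
    """Egress PE: pop the transport label if it is still present (no penultimate-hop
    popping), then map the bottom-of-stack VPN label to a VRF. Returns (vrf, ip_pkt)."""
    _, bos, _ = parse_entry(frame)
    if not bos:
        frame = frame[4:]
    vpn_label, bos, _ = parse_entry(frame)
    if not bos:
        raise ValueError("VPN label must be the bottom of the stack")
    return vpn_label_to_vrf[vpn_label], frame[4:]

def demo():
    """Walk one packet PE -> CR 1 -> CR 2 -> PE; returns (vrf, inner label seen, payload intact)."""
    ip_pkt = b"\x45" + b"\x00" * 19 + b"customer payload"   # constructed IPv4 packet
    frame = pe_compose(ip_pkt, transport_label=1001, vpn_label=300001)
    frame = p_router_swap(frame, {1001: 2002})   # CR 1
    frame = p_router_swap(frame, {2002: 3003})   # CR 2
    inner_label = parse_entry(frame[4:])[0]      # the core left the inner entry alone
    vrf, pkt = pe_decompose(frame, {300001: "vpn-ABC"})
    return vrf, inner_label, pkt == ip_pkt
```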

Private Instances of Routing (Step-1): Config
PE router configuration (the slide's Junos routing-instance XML, de-duplicated):

    <routing-instances>
      <instance>
        <name>vpn-ABC</name>
        <instance-type>vrf</instance-type>
        <interface>fe-0/3/1.0</interface>
        <route-distinguisher>2.2.2.2:RD</route-distinguisher>
        <!-- note: an import/export Route Target (vrf-target, or vrf-import/vrf-export
             policies) is also required before MP-BGP exchanges this VRF's routes;
             the slide does not show it -->
      </instance>
    </routing-instances>

FIRST: the name of the routing instance
SECOND: the type of routing instance
THIRD: the name of the Juniper physical interface (the attachment circuit)
FOURTH: the VPN-IPv4 family address, i.e. the Route Distinguisher (RD is a placeholder for the assigned number)


BGP Multi Protocol (Step-2): Full Scenario
[Figure: the same full scenario as in Step-1: sites of VPN 1, VPN 2 and VPN 3 attached via FE circuits to the IP/MPLS backbone, one behind a firewall.]


BGP Multi Protocol (Step-2): Config
Three PE routers form one iBGP group (Group A-B-C); over these sessions the VRF tables are EXCHANGED:
- RouterId 1.1.1.1: neighbours 2.2.2.2 and 3.3.3.3
- RouterId 2.2.2.2: neighbours 1.1.1.1 and 3.3.3.3
- RouterId 3.3.3.3: neighbours 2.2.2.2 and 1.1.1.1

PE router configuration (the slide's XML for PE 2.2.2.2, de-duplicated, with the unclosed elements closed):

    <bgp>
      <local-address>2.2.2.2</local-address>
      <local-as>AS</local-as>    <!-- AS is a placeholder for the provider's AS number -->
      <group>
        <name>1-2-3</name>
        <type>internal</type>
        <!-- note: the VPN-IPv4 family (family inet-vpn unicast) must also be enabled
             on the group for MP-BGP to carry the VRF routes; the slide omits it -->
        <neighbor>
          <name>Edge-1</name>
          <local-address>1.1.1.1</local-address>    <!-- loopback of the peer PE -->
        </neighbor>
        <neighbor>
          <name>Edge-3</name>
          <local-address>3.3.3.3</local-address>    <!-- loopback of the peer PE -->
        </neighbor>
      </group>
    </bgp>

FIRST: the local address of the PE
SECOND: the Autonomous System
THIRD: the name of the BGP group
FOURTH: the list of neighbours
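What "the VRF tables are exchanged" means on the receiving PE, as an added example that is not part of the tutorial: routes carried by MP-BGP are installed only into the VRFs whose import Route Targets match, so a PE keeps routes only for the VPNs it serves (the scalability property claimed later in the tutorial); VRF names, RDs, RTs, next hops, labels and prefixes are constructed.

```python
# Added example (not from the tutorial): how a PE installs VPN-IPv4 routes
# received over MP-BGP into its VRFs by matching Route Target extended
# communities. VRF names, RDs, RTs, next hops, labels and prefixes are constructed.
from dataclasses import dataclass, field

@dataclass
class VpnRoute:
    rd: str                   # Route Distinguisher, e.g. "65000:1"
    prefix: str               # IPv4 prefix advertised by the remote site
    next_hop: str             # loopback of the PE that originated the route
    vpn_label: int            # label that PE expects under the transport label
    route_targets: frozenset  # RT extended communities attached to the route

@dataclass
class Vrf:
    name: str
    import_rts: frozenset
    routes: dict = field(default_factory=dict)  # prefix -> (next_hop, vpn_label)

def install_routes(vrfs: list, received: list) -> dict:
    """Install each received route into every VRF whose import-RT set intersects
    the route's RTs. Routes for VPNs with no local VRF are dropped, so the PE
    holds state only for VPNs that have a directly attached site."""
    dropped = 0
    for route in received:
        matched = False
        for vrf in vrfs:
            if vrf.import_rts & route.route_targets:
                vrf.routes[route.prefix] = (route.next_hop, route.vpn_label)
                matched = True
        dropped += not matched
    return {"installed": {v.name: dict(v.routes) for v in vrfs}, "dropped": dropped}

def demo() -> dict:
    """PE 2.2.2.2 serves sites of VPN 1 and VPN 2 only; VPN 1 and VPN 2 both use
    10.1.0.0/16 at their remote sites, and a VPN 3 route is also received."""
    vrfs = [Vrf("vpn-1", frozenset({"target:65000:1"})),
            Vrf("vpn-2", frozenset({"target:65000:2"}))]
    received = [  # constructed MP-BGP updates from PE 1.1.1.1 and PE 3.3.3.3
        VpnRoute("65000:1", "10.1.0.0/16", "1.1.1.1", 300001, frozenset({"target:65000:1"})),
        VpnRoute("65000:2", "10.1.0.0/16", "3.3.3.3", 300002, frozenset({"target:65000:2"})),
        VpnRoute("65000:3", "192.168.0.0/24", "3.3.3.3", 300003, frozenset({"target:65000:3"})),
    ]
    return install_routes(vrfs, received)
```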

BGP Multi Protocol (Step-2): Route Reflector
[Figure: the same three PEs (RouterId 1.1.1.1, 2.2.2.2 and 3.3.3.3, group A-B-C) now peer with a Route REFLECTOR instead of with each other; the VRF tables are still EXCHANGED.]
The RR is a designated router.
BGP is based on a full mesh of sessions:
- n(n-1)/2 sessions, e.g., 10 routers: 10*(10-1)/2 = 45 BGP sessions
BGP with a RR:
- (n-1)+(n-1) sessions, e.g., 10 routers: 9+9 = 18 BGP sessions


MPLS (LSP-tunnelling) (Step-3): Full Scenario
[Figure: the same full scenario: sites of VPN 1, VPN 2 and VPN 3 attached via FE circuits to the IP/MPLS backbone, one behind a firewall.]


MPLS (LSP-tunnelling) (Step-3): Config
[Figure: the LSP from the PE crosses the core routers CR 1, CR 2 and CR 3 between the VPN sites.]
PE router configuration (the slide's XML, de-duplicated):

    <mpls>
      <label-switched-path>
        <name>to-A</name>
        <to>1.1.1.1</to>
        <bandwidth>30m</bandwidth>
        <install>10.20.12.0/24<active/></install>
      </label-switched-path>
    </mpls>

The FIRST: the name of the LSP
The SECOND: the destination of the LSP (the EGRESS ROUTER)
The THIRD: the bandwidth reserved
The FOURTH: the set of IP prefixes installed as active routes over the LSP


Benefits
RFC 4364 defines an emerging standard commonly named MPLS VPN or, more exactly, BGP/MPLS IP VPN.
- VPNs may use overlapping address spaces (VPN-IPv4 family)
- Providers use existing protocols (BGP, RSVP, OSPF, MPLS)
- Provider backbone routers do not need to hold any VPN routing information
- Providers can offer good SLA and QoS support
- Customers are UNAWARE of MPLS (all the work is done by the Service Provider)
- Customers are UNAWARE of the security policy
- Customers are UNAWARE of VPN connectivity and routing management

Drawbacks
RFC 4364 defines an emerging standard commonly named MPLS VPN or, more exactly, BGP/MPLS IP VPN.
- IP only: L3 VPNs transport only IPv4 traffic.
  - The customer is dependent on the SP in regards to Layer 3 features and capabilities.
  - Non-IP protocols need to be tunneled through some mechanism (such as GRE) on the CE or C devices.
  - Layer 3-based convergence and QoS capabilities are also dependent on the SP offering, and SLAs must be negotiated to manage these requirements.
- Possible difficulties in integration: the difficulty of integration from Layer 2 to Layer 3 peering varies greatly depending on the SP offering. If the SP does not offer some service, integration with a different routing protocol, such as eBGP, might require


VPN Multi-Domain
Two sites of a VPN are connected to different AUTONOMOUS SYSTEMS (AS).
There are 2 methods to implement this feature:
- VRF-to-VRF: a direct connection between the PEs of the two ASes
- EBGP (External BGP): the External BGP protocol runs between the PEs
[Figure: three IP/MPLS backbones, AS 1, AS 2 and AS 3, interconnected between their PEs.]


QoS and Scalability
The BGP/MPLS IP VPN provides Quality of Service (QoS):
- MPLS reserves bandwidth using RSVP
- a policy in the PE router grooms selected IP addresses onto a reserved LSP

The BGP/MPLS IP VPN presents good scalability:
- a Route Reflector requires fewer BGP sessions
- two levels of labels keep the P routers free of all VPN routing information
- PE routers maintain route information only for the VPNs whose sites are directly connected


References
- IANA Considerations (Internet Assigned Numbers Authority): IANA has created a new registry for the Route Distinguisher Type Field
- Rosen, E. and Rekhter, Y., BGP/MPLS IP Virtual Private Networks (VPNs), RFC 4364, February 2006
- Mertz, C., The Latest in Virtual Private Networks, Part I & II, IEEE Internet Computing, June 2004; available at http://computer.org/internet
- Daugherty, B. and Mertz, C., Multiprotocol Label Switching and IP, Part I, IEEE Internet Computing, June 2005; available at http://computer.org/internet
- JUNOS software documentation for M-series and T-series platforms, available at http://www.juniper.net/techpubs
