Application of BGP/MPLS VPN Technology in Metropolitan Area Network

Qian Hua Lin, lou xue ming
Computer Network Information Center, Chinese Academy of Sciences (CNIC, CAS)
No.4, 4th South Street, Zhong Guan Cun, Haidian District, P.O.Box 349, Beijing, China (100080)
8610-62537785

The paper begins with a brief description of a typical current Metropolitan Area Network, the technologies used and typical metro provider requirements, and a brief description of BGP/MPLS VPN, and gives emphasis to presenting the application of BGP/MPLS VPN technology in the Metropolitan Area Network. It can divide the unified network platform into several independent VPN channels for the applications of each customer, avoid repeated construction and wasted resources, and guarantee security and independence for each customer.

Categories and Subject Descriptors
C.2.1 [Internet]

General Terms
MPLS, BGP, Province Metropolitan Area Network (PMAN), Customer Equipment (CE), Provider Equipment (PE).

The landscape of the network Service Provider (SP) is rapidly changing. As competition increases, customer retention becomes more of a challenge and profitability can suffer. SPs need a cost-effective way to retain and grow their customer base, increase profitability and deliver differentiated services that customers want and are willing to pay for.

Virtual Private Networks (VPN) give SPs the opportunity to attract subscribers with service offerings that the subscriber will need for years to come. However, the limitations of first-generation VPN equipment make it difficult for SPs to deploy managed VPN services profitably and to scale delivery to meet increasing demand.

2. BGP/MPLS OVERVIEW

2.1 IP VPN Overview
Virtual Private Networking is based on the concept of providing a form of security insulation between the data frames/packets/datagrams of different customers over a packet-based service network. Virtual private networks as a concept are not new; X.25, Frame Relay and ATM are examples. Service Providers must offer subscribers a portfolio that contains a number of different VPN service delivery models. Over the years, a number of diverse VPN models have been proposed. VPNs can be classified based on the business problem (Extranet, Intranet, Virtual Private Dial-up Networks) that the VPN needs to solve. The traffic matrix of the VPN also determines the VPN model, topology and technology. Figure 1 presents the classification very clearly. See Figure 1.

Figure 1. VPN Family Tree

Let's give a careful comparison among those options.

Table 1. Types of VPN, Compared by Function: rows Point-Multipoint, Multi-protocol, QoS & CoS, Low Latency, Encryption; columns Legacy FR or ATM, IPSec, MPLS L2 VPN, MPLS L3 VPN (cell values not recoverable)

Compared to the other VPN technologies described above, BGP/MPLS scales to an increasing number of users and customer sites without burdening routing tables and P routers. It also allows customers to hold onto their existing network addressing plans. BGP/MPLS VPNs can use overlapping address spaces (i.e. RFC1918 IP addresses) as long as they do not have sites in common. First, let's take a look at an important component of BGP/MPLS.

Copyright is held by lou xue ming.
Asia Pacific Advanced Network 2004, 25-29 August 2003, Cairns, Australia

2.2 MPLS VPN Introduction
RFC2547bis implements a VPN by using BGP to distribute VPN routing information and MPLS to forward VPN traffic.

Network Components
Customer sites connect to the service provider (SP) through one or more ports. The SP associates each port with a VPN Routing and Forwarding (VRF) table.

1. VRF Tables
A VRF defines the VPN membership of a customer site attached to a PE router. A VRF consists of an IP routing table, a set of interfaces that use the forwarding table, and a set of rules and routing protocol parameters that control the information that is included in the routing table.

2. Customer-Edge (CE) Routers
A CE router connects the customer site via a data link to one or more PE routers. To enable inbound traffic, the CE router advertises local routes to the PE router. For outbound traffic, it may have a default route to the PE router.

3. Provider-Edge (PE) Routers
PE routers maintain a VRF table per port or per VPN. They exchange routing information with CE routers using static routing, an Interior Gateway Protocol (IGP) or External BGP (EBGP). PE routers exchange VPN routing information with other PE routers using IBGP. These routes are not leaked into the SP backbone.

4. P Routers
P routers forward traffic using MPLS. They need to maintain routes to PE routers only and are not required to learn the VPN routing information.

Operational Model

Figure 2. BGP/MPLS network

See Figure 2. It is a single provider network used to describe the operation of BGP/MPLS.

1. Control Flow
PE1 learns the local route 10.1/16 from CE1. PE1 installs the route in the corresponding VRF table. It also selects an MPLS label for this route. PE1 advertises 10.1/16 to PE2 via IBGP. The distribution of VPN routes is constrained by using BGP extended community attributes. PE2 receives PE1's route advertisement and installs it in the corresponding VRF depending on the community attribute and its import policy. PE2 advertises this route to CE2. Before data traffic can flow, LSPs need to be set up between the PE router that advertises the route and the PE router that learns the route. This is done using LDP or RSVP.

2. Data Flow
Assume that the Host at Site 2 wants to communicate with the Server. The Host forwards its packets to the default gateway, CE2. CE2 looks up the packet's destination IPv4 address in its forwarding table and forwards the packet to PE2. PE2 receives the packet and performs a route lookup in the corresponding VRF table. The following information is used to forward the packet:
- The MPLS label advertised by PE1 for this route.
- The BGP next hop for this route.
- The MPLS label for the LSP from PE2 to PE1.
- The outgoing interface for the LSP.
PE2 forwards the packet with two labels. The outer label gets the packet to PE1. The inner label identifies, to PE1, the host or the customer site to which this packet should be forwarded. The P routers forward the packet based on the outer label.

3. Application of BGP/MPLS in PMAN

3.1 Customer Requirement Analysis
1. A SP fully-managed network solution that encompasses customer premises equipment (CPE) and network services, with support for any access speed and any access technology.
2. Distinct classes of service for data, voice, video, and ERP traffic with guaranteed service levels (determined by the service provider for each traffic type).
3. Managed Internet access with security and privacy features, IPSEC etc.
4. Support for a private IP addressing scheme, including customer IP address freedom, NAT and DHCP.
5. Automatic failover features to assure high network

3.2 SP Requirement
- reduce capex (capital expenditure)/opex (operational
- integration of legacy network with IP/MPLS core network.
- offer new Metro Ethernet services (VOIP, VIDEO) to generate revenue.
- ensure SLAs are honored
- transport multi-service traffic using connection-oriented, "ATM-like" QOS
- generate new value-added services

Through a lot of customer and SP requirement analysis, we chose IPSEC to BGP/MPLS backbone deployment strategies. The network can provide a lot of users (including IPSEC remote access) and VPN tunnels on the unified network information platform, and all those VPN tunnels are isolated by BGP/MPLS. The strategies permit the first stages of transition to IP/MPLS to happen now and prepare for next-generation convergence networks.
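The control and data flow described in 2.2 above, worked through as an added example that is not part of the paper: PE1 advertises 10.1/16 as a VPN-IPv4 route carrying its export route target, PE2 imports it only into the VRF whose import policy matches, and then forwards with an inner VPN label and an outer LSP label (two customers reuse the same RFC1918 prefix, as section 2 says BGP/MPLS allows). Assumptions: the PE and VRF names, AS 65000, the RD/RT values and the label numbers are constructed for this illustration.

```python
# Added example, not from the paper: toy RFC 2547bis control/data flow (section 2.2).
# PE names, AS 65000, RD/RT values and label numbers are constructed for Figure 2.
import ipaddress
from dataclasses import dataclass, field

@dataclass
class VRF:
    name: str
    rd: str           # route distinguisher, ASN:nn (16bits:32bits) format
    import_rt: set    # route targets this VRF imports
    export_rt: set    # route targets attached to the routes it exports
    routes: dict = field(default_factory=dict)  # prefix -> (egress PE, VPN label)

class PE:
    def __init__(self, name, vrfs):
        self.name, self.vrfs, self.next_label = name, {v.name: v for v in vrfs}, 16

    def learn_from_ce(self, vrf_name, prefix):
        # Control flow: install CE route, pick VPN label, advertise RD:prefix with export RTs.
        vrf = self.vrfs[vrf_name]
        label, self.next_label = self.next_label, self.next_label + 1
        vrf.routes[prefix] = (self.name, label)
        return {"vpn_ipv4": f"{vrf.rd}:{prefix}", "prefix": prefix,
                "rt": set(vrf.export_rt), "next_hop": self.name, "label": label}

    def receive_ibgp(self, adv):
        # Control flow: import only into VRFs whose import RTs match the advertisement.
        for vrf in self.vrfs.values():
            if vrf.import_rt & adv["rt"]:
                vrf.routes[adv["prefix"]] = (adv["next_hop"], adv["label"])

    def forward(self, vrf_name, dst_ip, lsp_labels):
        # Data flow: longest match within this VRF only; no match drops, never leaks to another VRF.
        dst = ipaddress.ip_address(dst_ip)
        nets = [p for p in self.vrfs[vrf_name].routes if dst in ipaddress.ip_network(p)]
        if not nets:
            return None
        best = max(nets, key=lambda p: ipaddress.ip_network(p).prefixlen)
        egress, inner = self.vrfs[vrf_name].routes[best]
        return {"outer": lsp_labels[egress], "inner": inner, "egress_pe": egress}

def demo():
    # Customers A and B both use 10.1.0.0/16 (RFC1918); CUST_C shares no RT with them.
    def vrf(n, rt): return VRF(n, rt, {rt}, {rt})
    pe1 = PE("PE1", [vrf("CUST_A", "65000:100"), vrf("CUST_B", "65000:200")])
    pe2 = PE("PE2", [vrf("CUST_A", "65000:100"), vrf("CUST_B", "65000:200"),
                     vrf("CUST_C", "65000:300")])
    lsp = {"PE1": 1001}  # outer label of the LDP/RSVP-signalled LSP from PE2 to PE1
    adv_a = pe1.learn_from_ce("CUST_A", "10.1.0.0/16")  # route from CE1, customer A
    adv_b = pe1.learn_from_ce("CUST_B", "10.1.0.0/16")  # same prefix, customer B
    pe2.receive_ibgp(adv_a); pe2.receive_ibgp(adv_b)
    return (adv_a, adv_b, pe2.forward("CUST_A", "10.1.2.3", lsp),
            pe2.forward("CUST_B", "10.1.2.3", lsp), pe2.forward("CUST_C", "10.1.2.3", lsp))
```

The two VPN-IPv4 routes differ only in their RD, which is what lets PE2 hold both copies of 10.1.0.0/16 and keeps the CUST_C lookup empty.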

3.3 Network backbone topology

Figure 3. The topology of PMAN (PMAN Core Layer, Distribute Layer and Access Layer; Core Routers and Core Switch; PE routers in City A, City B, City C and City D; GE-LX, 622Mbps POS and 2M E1 links with distances of 10KM, 120KM, 150KM and 220KM; CPE IPSec tunnels; VPN1 and VPN2)

Figure 3 shows that the Province Metro Area Network (PMAN) is set up in three layers following a hub-and-spoke topology on the physical links. In the core network design 1+1 redundancy is adopted. WAN routers are implemented in pairs and the core infrastructure is equipped with dual power supplies to provide power redundancy. The two core routers are connected via a Fast Ethernet channel (2GE). 10 cities, including B, C and D, with 10 PE routers are linked to the two core routers via OC-12 622Mbps POS links and 2Mbps E1 backup links. The City A PE uses a 1Gbps GE-LX module to connect to one core router and 1 FE module as backup link. This will greatly minimize outages caused by equipment failure. The design phase also plans for a high level of link diversity and redundancy in the operator's IP network to ensure non-stop availability.

A Cisco GSR 12008 was chosen as core router for the core layer backbone, and the access layer uses a Cisco 7609 as PE router. A Catalyst 6509 is used as aggregation router if many customer VLAN IDs need to be aggregated.

3.4 VLAN plan
VLAN and MPLS VPN provide logical segmentation in a switched network, so that management policies and security can be implemented between focus groups. In the PMAN there are many user communities with diverse requirements. It was decided to separate some of the user communities by using separate physical transmission paths and having separate but interconnected switch/routing hardware. After a detailed study of the options it was decided that five separate networks presented the best solution.

Every IP address can be represented as X.Y.Z.0, where X represents the Province code, Y represents the City code and Z represents the separate networks; 0-20 are reserved and assignment starts from 21. Every separate network uses a class C address. VLAN 2 is used for network management, VLAN 3 for video/VOIP, VLAN 1 and VLAN 4-20 are reserved, VLAN 21-VLAN 100 are used for local VPNs, and VLAN 500-VLAN 800 are used for separate-usage VPNs.

3.5 Implementation of BGP/MPLS
The MAN backbone network has one AS. The cloud of provider (P) routers maintains only service provider internal routes (to provider edge [PE] routers and other P routers); it does not maintain VPN routes. PE routers are the only devices in the provider network that are required to maintain external routes. The glue that binds external routing with internal routing is the BGP next hop. The BGP next hop is advertised with each external route in BGP advertisements. The route to the BGP next hop is an internal route that is advertised by OSPF. MPLS provides packet forwarding from the ingress PE router to the BGP next hop egress PE router.

A variety of deployment strategies are available, as follows:
1. All the 10 cities, or customers that need VPN deployment, use a layer 3 switch (CE) to connect to the PE. Different customer VLAN subnets are aggregated by the local CE, then the VLANs are terminated to the PE through a trunk.
2. Each customer connection (VLAN) is mapped to a specific VRF. Thus, we divide the PE and CE's connection interface into sub-interfaces; every sub-interface is associated with a VLAN, and different sub-interfaces can be bound to different VRFs. It is a sub-interface connected to the CE router on the PE router, and not a site, that is associated with a VRF. Note that multiple sub-interfaces on a PE router can be associated with a single VRF, and thus multiple sub-interfaces associated with VLAN subnets can communicate with each other. PE routers maintain multiple forwarding tables that support the per-VPN segregation of routing information.
3. BGP/MPLS uses a VPN-IPV4 address which includes an 8 byte RD and a 4 byte IPV4 address, and thus we can generate different routes for different VPN-IPV4 addresses associated with customers. In this case the RD uses the 16bits:32bits format, and the assignment rule is the industry number. The VPN community relation can be acquired from the Route Target attribute. The Route Target (RT) uses the 16bits:32bits format, and the assignment rule is also the industry number.
4. At the core P routers, we configure them as transit LSRs when forwarding VPN traffic between PE routers.

3.6 Implementation of IPSEC remote access
With IPSec remote access, mobile workers and single client locations can connect to a specific VPN. The configuration steps are as follows.
- Configure the AAA group list for the new customer pointing to RADIUS for authentication as well as authorization.
- Configure the VRF including the route descriptor and the export/import route targets.
- Configure the ISAKMP policy for Phase 1 if it is different from the existing policies or does not exist.
- Configure the remote access profile.
- Configure the transform set if it is different from the existing ones or does not exist.
- Configure the dynamic map for remote access clients and the address pool corresponding to the customer.
- Assuming that the BGP PE configuration is already configured, add the customer-specific address family configuration. Optional route maps can be applied to filter any routes.

3.7 QOS configuration
The QoS implementation follows the principle of policing/marking at the edge, scheduling/queuing at the core. A mapping capability is essential to map several edge classes into a single aggregate backbone class.

Table 2. Backbone Classes Definitions

DSCP value      PE edge classes       Backbone classes
111XXX          Real time             Core real time
110XXX (AF11)   (Streaming) Video     Core Critical Data
011XXX (AF21)   Critical Data (ERP)   Core Critical Data
001XXX (AF31)   Bulk                  Core Critical Data
000XXX          Best Effort           Core Best Effort

In the core network, if MPLS EXP=3 is used as the admission criterion to the backbone aggregate class (core critical data), the service provider's PE edge routers will impose MPLS labels with EXP=3 for packets received with DSCP AF21 (edge critical data), AF11 (edge streaming video) or DSCP AF31 (edge bulk data).

The following configuration would be used on the CE outbound towards the PE and on the PE outbound towards the CE.

    class-map CUSTOMER-A
     match vlan 500 505 510
    class-map CUSTOMER-B
     match vlan 600 605 610
    !
    policy-map PARENT
     class CUSTOMER-A
      bandwidth <min_cir>
      shape average <cir> <bc> <be>
      service-policy CHILD-A
     !
     class CUSTOMER-B
      bandwidth <min_cir>
      shape average <cir> <bc> <be>
      service-policy CHILD-B
    !

This per-customer configuration is repeated for each of the n customers that are configured under interface GigabitEthernet0.

    policy-map CHILD-A
     class SP-RealTime
      {VoIP-sub-model}
     class SP-Video
     class Critical-Data
      {Data-sub-model}
     class class-default
      {Default-sub-model}
    !
    policy-map CHILD-B
    !
    interface GigabitEthernet0
     service-policy output PARENT

4. CONCLUSIONS
The PMAN network is split into a number of different independent VPN channels using the BGP/MPLS techniques described above. With its QoS provision and rich featured services, it avoids repeated construction and wasted resources and meets the customers' deep requirements. The return on investment (ROI) is very high for the SP.

5. ACKNOWLEDGMENTS
Our thanks to APAN for allowing us to modify templates they had developed.