MPLS VPN Technologies
Chapter 2 provided some brief discussion of Virtual Private Network (VPN) architecture with respect to connectivity options for teleworkers. Remote-access VPNs and IPsec VPNs were both discussed along with some key differences between the two. Among the items discussed was the fact that a remote-access VPN is an on-demand connection, whereas an IPsec VPN is an always-on connection. Each has its particular place in the bigger picture of the Intelligent Information Network (IIN). The Service-Oriented Network Architecture (SONA) framework encourages the offering of applications and services to all network users so that they may have the same network experience regardless of how they access the network. The Multiprotocol Label Switching (MPLS) VPN is another piece of the SONA framework that allows those applications and services to be offered to remote branch offices and small office/home office (SOHO) sites. With MPLS VPNs, two key pieces of the framework fall into place: the teleworker and, now, the branch office sites. For SOHO sites, any of the three VPN options is viable depending on the implementation.

“Do I Know This Already?” Quiz

The purpose of the “Do I Know This Already?” quiz is to help you decide whether you really need to read the entire chapter. If you already intend to read the entire chapter, you do not necessarily need to answer these questions now. The 12-question quiz, derived from the major sections in the “Foundation Topics” portion of the chapter, helps you to determine how to spend your limited study time. Table 11-1 outlines the major topics discussed in this chapter and the “Do I Know This Already?” quiz questions that correspond to those topics.
1. Which type of VPN does not require any participation by the service provider in the routing functionality?
a. Overlay VPN
b. Peer-to-peer VPN
c. Overlay-to-overlay VPN
d. MPLS VPN

2. Which of the following is implemented with routers, ACLs, and dedicated routers per customer?
a. Overlay VPNs
b. Peer-to-peer VPNs
c. Overlay-to-overlay VPNs
d. MPLS VPNs

3. In a Layer 2 overlay VPN model, how is redundancy achieved?
a. It is automatic due to routing protocol convergence.
b. By provisioning additional circuits between critical sites.
c. Only through the hub router.
d. Redundancy is the responsibility of the provider.
Foundation Topics

MPLS VPN Architecture

To properly understand MPLS VPNs as a solution, it is important to understand the problem. MPLS VPNs are a Layer 3 WAN solution to an age-old Layer 2 WAN problem, namely the quest to provide any-to-any connectivity among sites in a cost-efficient manner. In the past, WAN architects struggled with topological design principles that amounted to choosing the least of all evils. A full mesh topology was the most robust but too expensive. A hub-and-spoke topology was the least expensive but the least robust: a failure at the hub site would have a severe network impact. Partial mesh topologies struck a balance between cost and connectivity, with the pain that such a compromise entails.

MPLS is the answer to the problem. With MPLS, it is possible to have a fully meshed network, and beyond that, a Layer 3–capable, fully meshed network. The possibilities for architecting a WAN solution are greatly expanded with little or no incremental cost over traditional Layer 2 circuits.

The idea of a VPN brings to mind the concepts of security and privacy. These have always been an enterprise solution that had to be implemented by knowledgeable individuals within a particular company or by an outside consultant brought in for just such a deployment. The term VPN still brings to mind, for most people, the IPsec and remote-access VPNs discussed in Chapter 2. All in all, the term VPN has become rather wide reaching. Figure 11-1 illustrates this fact by detailing what VPN has come to mean in a wider sense.
Figure 11-1 VPN Taxonomy (figure not reproduced; its labels: Virtual Networks; VLANs; Virtual Dialup Networks; Overlay VPN; Layer 1 VPN with dedicated circuits, T1 / n x DS0 and E1 / n x DS0; Layer 2 VPN with X.25, Frame Relay, and ATM; Layer 3 VPN with GRE and IPsec; Peer-to-Peer VPN with Access Control Lists (Shared Router), Split Routing (Dedicated Router), and MPLS VPN)

150x01x.book Page 229 Monday, June 18, 2007 8:52 AM
230 Chapter 11: MPLS VPN Technologies

In essence, Figure 11-1 shows an evolutionary path of the VPN and how it has come to encompass a very different set of technologies depending on how it is to be deployed. Virtual local-area networks (VLAN) allow the isolation of traffic on a per-subnet basis across a common physical infrastructure. Virtual private dialup networks (VPDN) allow the use of dialup infrastructure via private implementation or as a service offered by a service provider. VPNs allow the use of a shared infrastructure offered by a service provider to implement private networks. The degree of security is, of course, subject to negotiation. Many service provider offerings now include a “firewall in the cloud” offering to filter traffic to and from an Internet connection or other network. Also available are managed voice, content caching, and content filtering services. It all depends on the negotiated package.

From a typical VPN implementation standpoint, there are essentially two models:

■ Overlay VPNs—Include older technologies such as X.25, Frame Relay, and Asynchronous Transfer Mode (ATM) for Layer 2 overlay VPNs as well as generic routing encapsulation (GRE) tunnels and IPsec for Layer 3 overlay VPNs

■ Peer-to-peer VPNs—Implemented with shared service provider router infrastructure using access control lists (ACL) and providing separate routers per customer

Traditional VPNs

Traditional VPNs, or overlay VPNs, are essentially what has been considered a WAN solution for the past few decades and then some.
These are based on a Layer 2 overlay model in which a service provider sells permanent virtual circuits (PVC) and/or switched virtual circuits (SVC). The drawbacks of the Layer 2 overlay have been discussed in quite a bit of detail up to this point. Like most other networking technologies, VPN connections have evolved from Layer 1 up. The concept of overlay VPNs began years ago in the form of dedicated circuits primarily used for time-division multiplexing (TDM) traffic. This evolution continued upward to reach Layers 2 and 3 in their respective forms.

Layer 1 Overlay

Layer 1 overlay VPN implementations were also sold by service providers in the form of Layer 1 circuits. These included such technologies as Integrated Services Digital Network (ISDN). Not to be excluded are the circuits that formed the backbone of the access technology offerings, the digital service (DS) hierarchy: DS0, DS1, and so on. A single DS0 offers 64 kbps of bandwidth, but when TDM implementations grouped 24 DS0s together, a DS1 was the result, offering 1.544 Mbps of bandwidth, more commonly referred to as a T1 line. In Europe and other locales around the globe, service providers would group 30 DS0s into a bundle, use an additional DS0 for framing operations, and use yet another DS0 for signaling. This 32-DS0 implementation, known as E1, offers 2.048 Mbps of bandwidth. Other higher-speed technologies such as Synchronous Optical Network (SONET) and Synchronous Digital Hierarchy (SDH) were brought about by the ever-present need for more speed. Service providers delivered Layer 1, and the customer was responsible for applying a Layer 2 and any other features that might be appropriate. Today’s market calls for much more on the part of the service provider.
Layer 2 Overlay

Layer 2 VPN overlay, as mentioned, is more along the lines of what most network administrators and IT staff think of as a traditional WAN service. This includes X.25, Frame Relay, ATM, High-Level Data Link Control (HDLC), Synchronous Data Link Control (SDLC), and Switched Multimegabit Data Service (SMDS), to name a few. At this point, the service provider is delivering Layer 1 and Layer 2, leaving the higher-level services at the discretion of the customer. Again, today’s market demands yet more from the service provider as protection of application and service traffic becomes more significant across the WAN. The momentum behind this is driven by the ideas expressed in the SONA framework and the desire to deliver a single experience for all users, regardless of location or access method.

Figure 11-2 illustrates a classic example of a Layer 2 overlay VPN. In Figure 11-2, a headquarters site is connected via Layer 2 virtual circuits (VCs) in a hub-and-spoke topology. The Layer 3 connectivity is unknown to the provider’s network, and routing updates must be sent across the VCs to each site. All traffic between the remote sites traverses the hub router at the headquarters site. Should the router at the headquarters site experience a failure, there will be considerable impact on the other remote sites. In such scenarios, enterprise network administrators implement backup features such as dial backup to facilitate data flow between sites in the event of a primary WAN link failure.
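As an added illustration (not from the book), the following Python models the cost-versus-robustness trade-off described above for a constructed five-site WAN: it counts the circuits each topology needs and how many site pairs can still exchange traffic after the headquarters hub router fails, with an optional backup circuit between two critical sites standing in for the extra provisioning a Layer 2 overlay needs for redundancy. The site names, topology labels, and function names are the example's own.

```python
from itertools import combinations

# Constructed sample WAN: a headquarters hub and four remote sites.
SITES = ("HQ", "A", "B", "C", "D")

def full_mesh(sites):
    """One virtual circuit between every pair of sites."""
    return {frozenset(p) for p in combinations(sites, 2)}

def hub_and_spoke(sites, hub):
    """One virtual circuit from each remote site to the hub only."""
    return {frozenset((hub, s)) for s in sites if s != hub}

def reachable_pairs(sites, circuits, failed=()):
    """Site pairs still able to talk once the sites in `failed` (and every
    circuit touching them) are gone; traffic may transit other sites."""
    alive = [s for s in sites if s not in failed]
    adj = {s: set() for s in alive}
    for circuit in circuits:
        a, b = tuple(circuit)
        if a in adj and b in adj:
            adj[a].add(b)
            adj[b].add(a)
    seen, pairs = set(), 0
    for start in alive:            # flood-fill each connected component
        if start in seen:
            continue
        component, stack = set(), [start]
        while stack:
            node = stack.pop()
            if node not in component:
                component.add(node)
                stack.extend(adj[node])
        seen |= component
        pairs += len(component) * (len(component) - 1) // 2
    return pairs

def compare(sites, hub, backup_circuit=None):
    """Per topology: (circuits provisioned, site pairs surviving a hub failure).
    `backup_circuit` models an extra circuit between two critical sites."""
    topologies = {"full mesh": full_mesh(sites),
                  "hub-and-spoke": hub_and_spoke(sites, hub)}
    if backup_circuit:
        topologies["hub-and-spoke + backup"] = (
            hub_and_spoke(sites, hub) | {frozenset(backup_circuit)})
    return {name: (len(circuits), reachable_pairs(sites, circuits, (hub,)))
            for name, circuits in topologies.items()}
```

With the sample sites, `compare(SITES, "HQ", ("A", "B"))` shows full mesh needing 10 circuits but keeping all 6 remaining pairs connected after HQ fails, hub-and-spoke needing 4 circuits but leaving 0 pairs connected, and the single backup circuit restoring just the A–B pair.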