vprokopov@solidex.by
4 2009
Slide 3: agenda
1. VPN
2. Layer 3 VPN
3. Layer 2 VPN
4. QoS/H-QoS
V = Virtual, P = Private
VPN classification (Virtual Private Networks, Site-to-Site):
  Customer Provisioned: IPSec, GRE
  Operator Provisioned:
    Layer 3 VPN: MPLS VPN
    Layer 2 VPN:
      Point-to-Point: L2TPv3, VPWS (EoMPLS)
      Multipoint: 802.1ad PB, 802.1ah PBB, 802.1Qay PBB-TE, VPLS, H-VPLS
Figure (slide 6): Layer 3 VPN: customer L3 devices attached to PE routers at the edge of the PSN.
1 #1
MPLS VPN
VPN classification tree repeated, highlighting MPLS VPN (Operator Provisioned, Layer 3 VPN).
Figure: MPLS VPN backbone: an IP core running an IGP, with MPLS enabled between the PE routers.
Slide 10: MPLS VPN, label stack
Frame layout: Ethernet header | MPLS Label | IP header | Data
MPLS label entry: Label | EXP | S | TTL (the MPLS shim header sits between L2 and L3)
Label (20 bits): the MPLS label value
EXP (3 bits): QoS marking
S (1 bit): bottom of stack
TTL (8 bits): time to live
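The 20/3/1/8-bit entry layout above, and the two-label stack of the MPLS VPN data-plane slide (tunnel label with S=0 on top of the VPNv4 label with S=1), as an added Python example that is not from the original slides: it packs and parses label stack entries down to the bottom-of-stack bit. The VPN label 50 is the value from the slides; the tunnel label 16004 and the trailing bytes are constructed.

```python
import struct

# Field widths of one MPLS label stack entry, as on the slide:
# Label 20 bits, EXP 3 bits, S 1 bit, TTL 8 bits (32 bits in all).
LABEL_BITS = 20

def encode_label(label, exp, s, ttl):
    """Pack one label stack entry into its 4-byte network-order form."""
    if not (0 <= label < (1 << LABEL_BITS) and 0 <= exp < 8
            and s in (0, 1) and 0 <= ttl < 256):
        raise ValueError("label stack field out of range")
    return struct.pack("!I", (label << 12) | (exp << 9) | (s << 8) | ttl)

def parse_label_stack(data):
    """Walk the stack from the top entry down to the entry with S=1 (bottom of stack).
    Returns (entries, payload); raises ValueError if the data ends before an S=1 entry."""
    entries, offset = [], 0
    while True:
        if offset + 4 > len(data):
            raise ValueError("label stack truncated before the bottom-of-stack entry")
        (word,) = struct.unpack_from("!I", data, offset)
        entry = {"label": word >> 12, "exp": (word >> 9) & 0x7,
                 "s": (word >> 8) & 0x1, "ttl": word & 0xFF}
        entries.append(entry)
        offset += 4
        if entry["s"] == 1:
            return entries, data[offset:]

def vpnv4_stack(tunnel_label, vpn_label, ttl=255, exp=0):
    """Two-label stack from the MPLS VPN data-plane slide: the outer tunnel (LSP)
    label with S=0 on top of the inner VPNv4 label with S=1."""
    return encode_label(tunnel_label, exp, 0, ttl) + encode_label(vpn_label, exp, 1, ttl)

def demo():
    # Constructed sample: tunnel label 16004 is an assumed value, VPN label 50 is the
    # slide's value, and the two trailing bytes stand in for the customer IP packet.
    return parse_label_stack(vpnv4_stack(16004, 50) + b"\x45\x00")

if __name__ == "__main__":
    entries, payload = demo()
    for entry in entries:
        print(entry)
    print(payload)
```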
Figure (slide 11): MPLS VPN control plane: CE routers attach to PE routers; the core (P routers) runs an IGP and LDP; each PE keeps a VRF per VPN (VPN Red, VPN Green); MP-BGP runs between the PEs.
Slide 12: Multiprotocol-BGP
MP-BGP carries VPNv4 routes. Example: RD (Route Distinguisher, 8 bytes) = 1:1, IPv4 prefix = 10.0.0.1, RT (Route Target) = 2:2, Label = 50
RD: prepended to the IPv4 prefix to form a unique VPNv4 prefix
RT: extended community that selects which VRF imports the VPNv4 route
Label: the VPN label that MPLS forwarding uses for the VPNv4 route
Figure (slide 13): MPLS VPN data plane: a packet from the CE enters VRF Red on PE1; the VPNv4 route points at Next-Hop = PE2; PE1 pushes two labels, the VPNv4 label (S=1) and the LSP tunnel label (S=0), and the packet crosses the PSN along the LSP (LSP 2, LSP 3, LSP 4) to PE2, which pops the VPN label and forwards into VRF Red toward the CE. VRF Green / VPN Green uses its own VPN label over the same LSP.
Slide 14: MPLS VPN, summary
Control Plane:
  Interior Gateway Protocol (IGP)
  Label Distribution Protocol (LDP): builds the LSP
  Multiprotocol-BGP (between PEs): exchanges VPNv4 routes
Data Plane:
  outer label (Tunnel label): reaches the remote PE over the LSP
  inner label (VPNv4 label): selects the MPLS VPN (VRF) on the remote PE
Slide 15: MPLS-TE
Figure: RSVP-TE signaled TE tunnels (TE tunnel 2 shown) between PEs across P routers in the PSN.
MPLS-TE provides:
  unequal-cost load balancing (UCLB)
  resource reservation (RSVP-TE)
  restoration within 50 ms (FRR)
Figure (slide 16): FRR node protection restores a PE-to-PE path within 50 ms; path protection (end to end) takes more than 50 ms.
Slide 17: MPLS VPN, drawbacks
1. Control Plane with four protocols: IGP, LDP, MP-BGP, RSVP-TE
2. MPLS and MPLS-TE
3. IGP
2 #1
IPsec VPN (slide 18)
Slide 19: VPN classification
VPN (Virtual Private Networks, Site-to-Site)
  Operator Provisioned
    Layer 2 VPN
      Point-to-Point: L2TPv3, VPWS (EoMPLS)
      Multipoint: 802.1ad PB, 802.1ah PBB, 802.1Qay PBB-TE, VPLS, H-VPLS
    Layer 3 VPN: MPLS VPN
  Customer Provisioned: IPSec, GRE
Figure (slide 20): IPsec VPN: three sites (IPsec VPN 1, 2, 3) connected by IPsec over an IP PSN.
Slide 21: IPsec is an IETF standard.
IPsec VPN
1. IPsec VPN -
2. IPsec VPN :
()
22
Slide 23: Authentication Header (AH)
AH, transport mode: L2 header | IP header | AH header | TCP/UDP header | Data (authenticated from the IP header onward)
AH, tunnel mode: L2 header | IPsec IP header | AH header | IP header | TCP/UDP header | Data (authenticated from the IPsec IP header onward)
AH provides integrity and authentication only, no encryption.
Slide 24: Encapsulating Security Payload (ESP)
ESP, transport mode: L2 header | IP header | ESP header | TCP/UDP header | Data | ESP trailer | ESP auth
  encrypted: TCP/UDP header, Data, ESP trailer; authenticated: ESP header through ESP trailer
ESP, tunnel mode: L2 header | IPsec IP header | ESP header | IP header | TCP/UDP header | Data | ESP trailer | ESP auth
  encrypted: IP header, TCP/UDP header, Data, ESP trailer; authenticated: ESP header through ESP trailer
ESP encryption algorithms: DES, 3DES, AES
Slide 25: IPsec VPN, issues
1.
2. NAT/PAT and IPsec
3. multicast over IPsec VPN
4. IPsec VPN
5. IPsec VPN
Slide 26: IPsec VPN, issue 1
1.
2. key exchange (IKE)
IPsec VPN key exchange protocols:
  IKEv1 (RFC 2407, 2408, 2409)
  IKEv2 (RFC 4306): IKEv1 plus NAT traversal
Figure (slide 27): IKE between IPsec VPN 1 and IPsec VPN 2 across the Internet: negotiation in two phases, using Diffie-Hellman (DH).
Slide 28: IPsec VPN peer authentication
1. Preshared keys: a full mesh of n peers needs n (n - 1) / 2 keys
2. Digital certificates: Public Key Infrastructure (PKI)
Figure (slide 29): IPsec VPN Gateway 1 and IPsec VPN Gateway 2 authenticating each other across the Internet.
Slide 30: PKI for IPsec
X.509 certificates
Certificate Revocation List (CRL)
Online Certificate Status Protocol (OCSP)
Simple Certificate Enrollment Protocol (SCEP) for enrolling IPsec VPN gateways
Slide 31: IPsec VPN, issue 2: NAT/PAT and IPsec
Figure (slide 32): IPsec VPN Gateway 1 on a private address (IP 10.0.0.1) behind a NAT/PAT device with public IP 80.94.224.32, across the Internet to IPsec VPN Gateway 2. NAT/PAT rewrites IP addresses (and UDP/TCP ports), which conflicts with IPsec.
Slide 33: AH and NAT/PAT
AH, transport mode: L2 header | IP header | AH header | TCP/UDP header | Data (authenticated from the IP header onward)
AH, tunnel mode: L2 header | IPsec IP header | AH header | IP header | TCP/UDP header | Data (authenticated from the IPsec IP header onward)
The IP header (and the TCP/UDP header behind it) is covered by the AH integrity check, so any address or port rewrite by NAT/PAT invalidates the IPsec packet.
Slide 34: ESP and NAT/PAT
ESP, transport mode: L2 header | IP header | ESP header | TCP/UDP header | Data | ESP trailer | ESP auth (encrypted: TCP/UDP header through ESP trailer; authenticated: ESP header through ESP trailer)
ESP, tunnel mode: L2 header | IPsec IP header | ESP header | IP header | TCP/UDP header | Data | ESP trailer | ESP auth (encrypted: IP header through ESP trailer; authenticated: ESP header through ESP trailer)
The TCP/UDP header is inside the encrypted part:
  problem 1: the TCP/UDP checksum, which covers the IP addresses, cannot be recomputed after NAT
  problem 2: PAT cannot see or rewrite the ports
Slide 35: NAT traversal
ESP, tunnel mode, without NAT traversal: L2 header | IP header | ESP header | IP header | TCP/UDP header | Data | ESP trailer | ESP auth
ESP, tunnel mode, with NAT traversal (UDP encapsulation): L2 header | IP header | UDP header | ESP header | IP header | TCP/UDP header | Data | ESP trailer | ESP auth
  encrypted: inner IP header through ESP trailer; authenticated: ESP header through ESP trailer
NAT traversal inserts a UDP header between the outer IP header and ESP, so NAT/PAT sees a plain UDP flow and can translate the UDP port without touching the IPsec part.
Figure (slide 36): NAT-T detection in IKE between IPsec VPN Gateway 1 (behind NAT/PAT) and IPsec VPN Gateway 2: a Vendor ID payload announces NAT-T support, NAT-D payloads (NAT Existence) detect whether a NAT sits on the path.
Slide 37: NAT traversal, summary
  IPsec behind NAT/PAT
  ESP versus AH
  ESP and PAT
  IPsec with NAT traversal
Slide 38: IPsec VPN issues list (as on slide 25), item 3: multicast over IPsec VPN.
Figure (slide 39): IPsec tunnel from Gateway 1 to Gateway 2 across the Internet. IPsec is point-to-point and carries IP unicast only: no multicast and no non-IP traffic.
Figure (slide 40): GRE over IPsec: a GRE tunnel between Gateway 1 and Gateway 2, protected by IPsec, carries IP multicast and Non-IP traffic across the Internet.
GRE gives the IPsec VPN: IP multicast transport; non-IP transport.
Slide 41: IPsec VPN issues list (as on slide 25), item 4: IPsec VPN (hub redundancy, slides 42 to 49).
Figure (slide 42): Hub-and-Spoke IPsec VPN: IPsec VPN HUB with IPsec VPN Spoke 1 and Spoke 2 across the Internet. Hub redundancy options: VRRP; GRE.
Figure (slide 43): hub redundancy with VRRP: Hub 1 and Hub 2 share a virtual router (VR) address; the Spoke runs IKE and builds its IPsec tunnel to the VR address across the Internet.
Figure (slide 44): VRRP failover: Hub 1 (10.0.0.1) and Hub 2 (10.0.0.2) with VR address .254; the Spoke across the Internet.
Figure (slide 45): VRRP plus SSO/SSP: Hub 1 and Hub 2 share the VR; the Spoke sends IKE keepalive (10 sec).
Stateful Switchover (SSO): the standby hub takes over without dropping the IPsec sessions
State Synchronization Protocol (SSP): synchronizes IPsec state between the hubs
Figure (slide 46): failover with SSO/SSP: Hub 1 fails, Hub 2 becomes VRRP master and already holds the synchronized IPsec state, so the Spoke's IPsec session continues on Hub 2 (IKE keepalive 10 sec) without renegotiation.
Figure (slide 47): IPsec hub cluster: Hub 1 (Master), Hub 2 and Hub 3; the Spoke connects across the Internet. The Master distributes IPsec sessions across the cluster members.
Figure (slide 48): redundancy with GRE over IPsec: the Spoke has a GRE/IPsec tunnel to Hub 1 and another to Hub 2; routing over the GRE tunnels gives Active-Active use of both.
Figure (slide 49): GRE/IPsec redundancy, two panels of the Spoke's GRE/IPsec tunnels to Hub 1 and Hub 2 across the Internet.
Slide 50: IPsec VPN and QoS
ESP, tunnel mode: L2 header | IP header | ESP header | IPsec IP header | ESP header | Data | ESP trailer | ESP auth (encrypted: inner IP header through ESP trailer; authenticated: ESP header through ESP trailer)
ESP, transport mode: L2 header | IP header | ESP header | TCP/UDP header | Data | ESP trailer | ESP auth (encrypted: TCP/UDP header through ESP trailer; authenticated: ESP header through ESP trailer)
The ToS/DS byte of the IP header is copied to the outer IPsec IP header, so QoS classification on the IP header still works for the encrypted packet.
Figure (slide 51): IPsec Gateway followed by a WAN Router that applies QoS (Shaping, Policing, Queuing) toward the Internet, i.e. QoS is applied after IPsec encryption.
Slide 52: IPsec VPN issues list (as on slide 25), item 5: IPsec VPN.
Slide 53: IPsec VPN scalability: a full mesh of n IPsec VPN sites needs n (n-1) / 2 tunnels.
Slide 54: GET VPN
Slide 55: GET VPN packet format
ESP, tunnel mode (classic IPsec): L2 header | NEW IP header | ESP header | IP header | TCP/UDP header | Data | ESP trailer | ESP auth
GET VPN (tunnel mode with header preservation): L2 header | IP header (original addresses kept) | ESP header | IP header | TCP/UDP header | Data | ESP trailer | ESP auth
Because the outer IP header keeps the original addresses there are no point-to-point (p2p) IP tunnels: Native Routing instead of Overlay Routing, and multicast is carried natively.
Figure (slide 56): GET VPN architecture: Key Server (KS) in the Control Plane, Group Members (GM) in the Data Plane. KS = Key Server, GM = Group Member.
Slide 57: GET VPN roles
Key Server (Control Plane): holds the GET VPN policy (ACL) and keys and distributes them to the GMs
Group Member (Data Plane): registers with the KS, receives policy and keys, encrypts and decrypts GET VPN traffic
Figure (slide 58): the KS distributes the KEK (Key Encryption Key) and TEK (Traffic Encryption Key) to the GMs in the Data Plane.
Slide 59: GET VPN compared with IPsec VPN: tunnel-less (header preservation); native multicast.
VPN. 2 (slide 61)
Slide 62: #2, Layer 2 VPN
Figure: two L2 sites, both 192.168.0.x /24, joined across an IP MPLS network as one L2 segment (a point-to-point L2 connection).
Slide 63: VPN classification, Layer 2 VPN branch
Point-to-Point: L2TPv3, VPWS (EoMPLS)
Multipoint: 802.1ad PB, 802.1ah PBB, 802.1Qay PBB-TE, VPLS, H-VPLS
Point-to-Point L2 VPN
L2TPv3 (over IP): Ethernet AC, Frame Relay AC, ATM AC, PPP AC
VPWS (over MPLS): Ethernet (EoMPLS), Frame Relay AC, ATM AC, PPP AC
(AC = Attachment Circuit)
1 #1
L2TPv3 (slide 65)
Slides 66 and 67: L2TPv3
Figure: site 1 and site 2 (both 192.168.0.x /24) attach over ACs to LAC 1 and LAC 2; a VC across the IP network joins the two ACs.
L2TPv3 Control Plane: L2TP Control Channel (session signaling)
L2TPv3 Data Plane, two headers:
  IP Header (PID = 115)
  Data Channel Header: Session ID (identifies the VC), Cookie (optional)
Figure (slide 68): L2TPv3 encapsulation: IP Hdr (PID=115) | Data Channel Hdr (Session ID = VC, Cookie) | L2 Frame. LAC to LAC across the IP network with an L2TP Control Channel; customer L2 sites 192.168.0.x /24 at both ends.
Slide 69: L2TPv3 (five listed points)
Figure (slide 70): L2TPv3 VC between LAC 1 and LAC 2 across the IP PSN, protected by IPsec; L2 sites 192.168.0.x /24 attached over ACs.
Figure (slide 71): L2TPv3 across a PSN running OSPF / IS-IS between the LACs, with the customer L2 sites at each end running their own OSPF / IS-IS transparently over the VC. Issue noted: QoS.
Slide 72: L2TPv3 and QoS
1. Reflecting the customer ToS into the tunnel header: inner IP Hdr (ToS = 160) gives outer IP Hdr (ToS = 160) | L2TPv3 Hdr | L2 Frame
   LAC configuration:
   pseudowire-class l2tpv3.pw
    ip tos reflect
   ! copy the ToS of the encapsulated IP packet into the L2TPv3 IP header
2. Fixed ToS for the L2TPv3 tunnel: outer IP Hdr (ToS = 160) | L2TPv3 Hdr | L2 Frame regardless of the inner frame
   LAC configuration:
   pseudowire-class l2tpv3.pw
    ip tos value 160
   ! mark every tunnel packet with ToS 160
Slide 73: L2TPv3 and QoS (cont.)
3. Marking the L2TPv3 tunnel header from a classification of the customer frame: a frame whose inner IP Hdr has Src: 10.3.0.5 leaves as IP Hdr (DSCP = 46) | L2TPv3 Hdr | L2 Frame
   LAC configuration:
   access-list 1 permit 10.3.0.0 0.0.0.255
   ! customer frames whose IP source is in 10.3.0.0/24
   class-map l2tpv3.net
    match access-group 1
   policy-map l2tpv3.pol
    class l2tpv3.net
     set ip dscp tunnel 46
     ! mark the outer (tunnel) IP header, not the customer packet
   interface FastEthernet0/0
    service-policy input l2tpv3.pol
   ! applied inbound on the attachment-circuit interface facing the customer
Figure (slide 74): L2TPv3 AC/VC redundancy: the customer L2 site has two L2 ACs into the LAC, and the LAC keeps VC 1 and VC 2 across the PSN (IGP) to the remote LAC.
Figure (slide 75): L2TPv3 LAC redundancy: the customer L2 site attaches over separate L2 ACs to two LACs, each with its own L2TPv3 VC across the IGP core to the remote LAC.
2 #1
VPWS (EoMPLS) (slide 76)
Slides 77 and 78: EoMPLS
Figure: two L2 sites (192.168.0.x /24) attach to L2 PEs (PE = Provider Edge) across an IP/MPLS core; an MPLS Pseudowire between the PEs is signaled with Targeted LDP.
EoMPLS Control Plane: Targeted LDP between the PEs distributes the VPN label
EoMPLS Data Plane, two labels:
  Tunnel Label: reaches the remote PE over the LSP
  VPN Label: identifies the MPLS PW
Figure (slide 79): EoMPLS forwarding: an L2 frame enters the ingress L2 PE over its AC, is sent as VPN Label + Tunnel Label A, the core swaps the tunnel label (Tunnel Label B), and the egress L2 PE pops the VPN Label and delivers the L2 frame on its AC; LDP runs in the core, Targeted LDP between the two PEs.
Figure (slide 80): EoMPLS redundancy: a site dual-homed to two L2 PEs, each with an EoMPLS PW to the remote L2 PE; PE redundancy 1:1 or 1:N; Active-Standby pseudowires.
Figure (slide 81): EoMPLS use case, broadband access: a DSLAM attached to an L2 PE, EoMPLS PWs (1 and 2) to L2 PEs at the BNG, PPPoE sessions from subscribers to the BNG. Steps 1 to 3 concern the BNG (PPPoE termination), the PE and the EoMPLS pseudowire.
Figure (slide 82): EoMPLS with BNG redundancy: the DSLAM's L2 PE has EoMPLS PWs 1 and 2 to two L2 PE / BNG pairs.
Slide 83: MPLS-TE for L2 VPN
Figure: RSVP-TE signaled TE tunnels (TE tunnel 2 shown) between PEs across P routers in the PSN.
MPLS-TE provides: unequal-cost load balancing (UCLB); restoration within 50 ms (FRR); resource reservation (RSVP-TE).
Slide 84: L2TPv3 versus EoMPLS
L2TPv3: IP transport (no MPLS required); edge device LAC; UCLB; QoS
EoMPLS: MPLS transport (IP/MPLS core); edge device L2 PE; UCLB (MPLS-TE); QoS (RSVP-TE)
Slide 85: choosing between EoMPLS and L2TPv3: is there an MPLS core? is 50 ms restoration needed? is QoS needed? If so, EoMPLS; otherwise L2TPv3.
Slide 86: #3
Figure (slide 87): #3: several VPN sites attached to PE routers.
Figure (slide 88): Multipoint L2 VPN: several PE routers form one L2 domain for the VPN sites, so an FHRP (first-hop redundancy protocol) can run between routers at different sites; FHRP across a VPN requires a Multipoint L2 VPN.
Slide 89: Multipoint L2 VPN
VPLS (over MPLS): Ethernet AC; signaling BGP/LDP; Hierarchical VPLS
Metro Ethernet (native Ethernet): 802.1ad PB; 802.1ah PBB; 802.1Qay PBB-TE
1 #3
Virtual Private LAN Services (VPLS) (slide 90)
Figure (slide 91): VPLS: sites 1 and 2 attach over ACs to PE routers, and the PSN emulates one LAN between them.
Figure (slide 92): VPLS over IP/MPLS: IGP and LDP in the core (P routers); each PE holds a VFI (Virtual Forwarding Instance) per VPLS instance (VPLS Red, VPLS Green); the PEs are joined by a Full-mesh of pseudowires signaled with Targeted LDP; CEs attach to the PEs.
Slide 93: VPLS, how does it work?
Figure: PEs fully meshed with MPLS PWs, CEs attached; Split-Horizon on the PW mesh replaces Ethernet STP in the core.
VPLS building blocks: MPLS PW between PEs, signaled by Targeted-LDP; Split-Horizon (a frame received from a PW is never forwarded to another PW), which keeps the full mesh loop-free without STP.
Figure (slide 94): Hierarchical VPLS: the CPE attaches to an MTU-s, which has a spoke PW to a PE-rs; the PE-rs routers form a Full-mesh of PWs with Split-Horizon; spoke PWs from the MTU-s are not subject to Split-Horizon.
Figure (slide 95): H-VPLS: CPEs attach over ACs to an MTU-s, spoke PWs run from the MTU-s to the PE-rs, and the PE-rs routers form the Full-mesh with Split-Horizon across the PSN (legend: PE-rs, MTU-rs).
Figure (slide 96): H-VPLS access: CPE to MTU-s over 802.1q / EoMPLS; MTU-s to PE-rs over 802.1q / EoMPLS spoke connections; PE-rs full mesh across the PSN. VPLS provides the multipoint L2 VPN; the access side stays plain L2.
Figure (slide 97): H-VPLS with 802.1q access: one VLAN per VPLS on the MTU-s (VLAN 10 = VPLS Red, VLAN 20 = VPLS Green, VLAN 30 = VPLS Blue); a CPE Eth. Frame tagged 802.1q VLAN 30 is mapped to VPLS Blue and carried across the PE-rs Full-mesh PW as VPN Label | Tunnel Label | Eth. Frame.
Figure (slide 98): H-VPLS MAC learning: the PE-rs learns CPE MAC addresses per VPLS instance (Red, Green, Blue); Control Plane and Data Plane views.
2 #3
802.1ad PB, 802.1ah PBB (slide 99)
Slide 100: Metro Ethernet
1. L3 and L2 VPN over MPLS
2. Ethernet
Can plain Ethernet provide the service?
Slide 101: 802.1ad Provider Bridges, frame formats
Ethernet Frame: DA | SA | Ethertype (0x0800 = IPv4) | Payload
802.1q VLAN: DA | SA | TAG (Ethertype 0x8100) | Ethertype | Payload
802.1ad (VMAN): DA | SA | S-TAG (Ethertype 0x88a8) | C-TAG (Ethertype 0x8100) | Ethertype | Payload
TAG carries the VLAN ID; S-TAG = Service Tag; C-TAG = Customer Tag
Figure (slide 102): 802.1ad service: site 1 and site 2 with customer VLANs C-Tag = 25, 30, 35 carried across the PSN in one MultiVLAN VC. The S-TAG identifies the L2 VPN (customer) in the provider network; the C-TAG identifies the customer's VLAN.
Slide 103: 802.1ad
Control Plane: Spanning-tree protocol (STP), plus Ethernet Flooding and Learning
Data Plane: Service-Tag (S-Tag) and Customer-Tag (C-Tag)
Figure (slide 104): 802.1ad scaling: customer L2 frames with a C-Tag get S-Tag = 125 on the PE (MultiVLAN AC) and cross the PSN; one S-Tag per L2 VPN, so the maximum number of L2 VPNs = 4094.
Slide 105: 802.1ad drawbacks: the provider network depends on STP (or RSTP); provider bridges learn all customer MAC addresses; STP convergence.
Slide 106: MAC-in-MAC (802.1ah Provider Backbone Bridges)
802.1ad Provider Bridges frame: DA | SA | S-TAG | C-TAG | Payload
802.1ah frame: B-DA | B-SA | B-VID | 24-bit I-SID | DA | SA | S-TAG | C-TAG | Payload
B-DA = Backbone DA, B-SA = Backbone SA, B-VID = Backbone VLAN ID, I-SID = 24-bit service instance identifier
The customer Ethernet frame, with its own MAC addresses, is carried inside a backbone Ethernet frame.
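The 802.1q / 802.1ad / 802.1ah tag stacks laid out on slides 101 and 106, as an added Python example that is not from the original slides: it walks a frame's tag stack using the TPIDs 0x8100 and 0x88a8 from the slides and the 802.1ah I-TAG TPID 0x88e7, which the slides do not list and is assumed here. The sample frame is constructed with the slide values B-VID 45, B-DA 2222.2222.2222, S-TAG 125 and C-TAG 30; the I-SID and the other MAC addresses are assumed.

```python
import struct

# TPIDs / Ethertypes from the slides: 0x8100 (802.1q C-TAG), 0x88a8 (802.1ad S-TAG),
# 0x0800 (IPv4). The 802.1ah I-TAG TPID 0x88e7 is not on the slides; it is assumed here.
TPID_CTAG, TPID_STAG, TPID_ITAG, ETH_IPV4 = 0x8100, 0x88A8, 0x88E7, 0x0800

def fmt_mac(raw):
    """Six bytes to the dotted form the slides use (2222.2222.2222)."""
    return "%02x%02x.%02x%02x.%02x%02x" % tuple(raw)

def parse_frame(frame):
    """Decode the tag stack of an untagged, 802.1q, 802.1ad (S-TAG + C-TAG) or
    802.1ah (B-DA | B-SA | B-TAG | I-TAG | DA | SA | S-TAG | C-TAG) frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than a minimal Ethernet header")
    out, tags = {}, []
    da, sa, off = frame[0:6], frame[6:12], 12
    while True:
        (etype,) = struct.unpack_from("!H", frame, off)
        off += 2
        if etype in (TPID_STAG, TPID_CTAG):      # 4-byte VLAN tag, VID = low 12 bits of the TCI
            (tci,) = struct.unpack_from("!H", frame, off)
            off += 2
            tags.append(("S-TAG" if etype == TPID_STAG else "C-TAG", tci & 0x0FFF))
        elif etype == TPID_ITAG:                 # MAC-in-MAC: what we read so far were backbone fields
            (itag,) = struct.unpack_from("!I", frame, off)
            off += 4
            out["b_da"], out["b_sa"] = fmt_mac(da), fmt_mac(sa)
            out["b_vid"] = tags[0][1] if tags else None   # the B-TAG precedes the I-TAG as an S-TAG
            out["i_sid"] = itag & 0x00FFFFFF                # 24-bit I-SID
            da, sa, off, tags = frame[off:off + 6], frame[off + 6:off + 12], off + 12, []
        else:                                    # a real Ethertype ends the tag stack
            out.update(da=fmt_mac(da), sa=fmt_mac(sa), tags=tags, ethertype=etype, payload=frame[off:])
            return out

def build_pbb_frame(b_da, b_sa, b_vid, i_sid, da, sa, s_vid, c_vid, payload):
    """Constructed 802.1ah frame carrying an 802.1ad (S-TAG + C-TAG) customer frame."""
    return (b_da + b_sa + struct.pack("!HH", TPID_STAG, b_vid) + struct.pack("!HI", TPID_ITAG, i_sid)
            + da + sa + struct.pack("!HH", TPID_STAG, s_vid) + struct.pack("!HH", TPID_CTAG, c_vid)
            + struct.pack("!H", ETH_IPV4) + payload)

def demo():
    # Constructed sample: B-VID 45 and B-DA 2222.2222.2222 as on the PBB-TE slides, S-TAG 125
    # and C-TAG 30 as on the 802.1ad and H-VPLS slides; I-SID 0x010203 and the MACs are assumed.
    frame = build_pbb_frame(bytes.fromhex("222222222222"), bytes.fromhex("111111111111"), 45, 0x010203,
                            bytes.fromhex("0a0b0c0d0e0f"), bytes.fromhex("0a0b0c0d0e10"), 125, 30, b"\x45\x00")
    return parse_frame(frame)

if __name__ == "__main__":
    print(demo())
```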
Figure (slide 107): 802.1ah: customer MAC addresses are learned only at the UNI-facing PEs; the backbone forwards on backbone MACs.
Advantages: customer MAC addresses stay out of the core; MAC learning only on the edge PE.
Disadvantage: still STP-based.
Slide 108: even with 802.1ah the Control Plane is STP with flooding and learning, i.e. connectionless Ethernet. A connection-oriented approach would allow Traffic Engineering, as MPLS does for IP, for Ethernet as well.
Slide 109: 802.1Qay PBB-TE
Slide 110: Ethernet control plane in the MAN
Control Plane: Flooding (unknown destinations), Learning (MAC table from source addresses), STP (loop-free topology)
Data Plane: forwarding on MAC + VLAN ID; the VLAN ID selects a loop-free tree, the MAC selects the port within it.
Figure (slide 111): 802.1Qay: STP is switched off; a path is identified by VLAN ID + MAC: frames to DA = 2222.2222.2222 follow one engineered path on VLAN 48 and another on VLAN 50; the PE forwarding entries are provisioned, not learned.
Slide 112: PBB-TE frame (same format as 802.1ah PBB): B-DA | B-SA | B-VID | I-SID | DA | SA | S-TAG | C-TAG | Payload. The Management Plane provisions forwarding entries of MAC + VLAN (B-DA + B-VID): the B-VID identifies the engineered path, the B-DA the destination backbone MAC.
Figure (slide 113): PBB-TE paths from PE1 to PE2 across P routers in the PSN: working path DA: PE2, VLAN 45; Protection path DA: PE2, VLAN 55 over a different route.
Slide 115: 802.1Qay summary: connection-oriented Ethernet for Metro Ethernet; QoS; Ethernet OAM (802.1ag).
Figure (slide 118): QoS: without QoS a PE forwards CE 1, CE 2 and CE 3 traffic First-in-first-out (FIFO), Best-Effort.
Slide 119: QoS building blocks
1. Packet Classification
2. Congestion Avoidance
3. Congestion Management
4. Traffic Policing / Shaping
Figure: PE 1, PE 2, PE 3 over IP/MPLS with CE 1, CE 2, CE 3.
Figure (slide 120): per-VPN QoS: PE 1 and PE 2 carry VPN Red (sites 1, 2) and VPN Green (sites 1, 2, 3); QoS has to be applied per VPN (and per site).
Slide 121: Hierarchical QoS scheduler hierarchy (S = Scheduler), from leaf to root: Session Scheduler, VC Scheduler, VC Group Scheduler, VP Scheduler, Physical port Scheduler. An IP / Ethernet Classifier maps traffic into Virtual Port 1 and Virtual Port 2, each with Service 1, Service 2, Service 3.
Figure (slide 122): H-QoS with VPLS: 3-level H-QoS on the CE, 5-level H-QoS on the PE; L2 VPN Red (VPLS Red) and L2 VPN Green (VPLS Green, VFI Green) across the PEs.
Slide 123: H-QoS on the CE, per VPN: 8 / 8
Slide 124: H-QoS on the PE, per VPN: 8 / 8; per VPLS / L2 VPN; per MPLS LSP