MPLS-based Layer 2 Virtual Private Networks
List of Figures
Figure 1: MPLS-based Layer 2 VPN
Figure 2: Example Network with Circuit Cross-connect for Frame Relay
Figure 3: Example Network with Circuit Cross-connect for Ethernet 802.1Q VLANs
Figure 4: Carrier of Carriers
Figure 5: LSP Stitching
Figure 6: High-speed Transparent Services
Figure 7: MPLS Internet Exchange
Figure 8: Example Local and Remote Peerings
Perspective
The first corporate networks were based on dedicated leased lines interconnecting the various
offices of the corporation. Such networks offered connectivity, but were wasteful of bandwidth,
expensive, and difficult to provision.
The first VPNs were based on Layer 2 circuits: X.25 to some extent, Frame Relay, and ATM.
These Layer 2 VPNs are easier to provision than dedicated lines, and virtual circuits allow you
to share a common infrastructure for all the VPNs. However, while these traditional VPNs are
a significant step forward from dedicated lines, they still have their drawbacks.
- They are too slow. Without support for OC-192c/STM-64, they cannot keep pace with the increasing speed requirements of the Internet.
- They tie your VPN infrastructure to a single medium, such as ATM. This burden increases if the Internet infrastructure shares the same physical links.
- While provisioning is much easier than for dedicated lines, it is still complex, which is especially evident when adding a site to an existing VPN.
An MPLS-based Layer 2 VPN solution preserves the benefits of a traditional Layer 2 VPN,
while leveraging the advantages of today's routing technology with regard to speed, flexibility,
and ease of provisioning. You can offer MPLS-based Layer 2 VPN services together with
best-effort IP and Layer 3 VPNs, and provision all three services from the same network
infrastructure.
[Figure 1: MPLS-based Layer 2 VPN. Two VPN B CE sites attach to PE routers (one an M20) that are joined by an LSP across the provider core. CE = Customer Edge, P = Provider Routers, PE = Provider Edge]
Inherent Scalability
In an MPLS-based Layer 2 VPN, PE routers share between themselves only a small amount of
information about each CE router. Therefore, each PE need only maintain a single entry from
each CE and keep a single route to each CE in every VPN. Both the Forwarding Information
Base and the Routing Information Base of provider routers scale linearly with the number of
customer sites.
Ease of Configuration
Configuring traditional Layer 2 VPNs is a burden primarily because of the n-squared nature of
the task in a fully meshed environment. If there are n fully meshed CEs in a Frame
Relay VPN, you must provision n*(n-1)/2 PVCs across your network. At each CE, you
must configure (n-1) DLCIs to reach each of the other CEs. Furthermore, when a new CE is
added, you must provision n new DLCI PVCs and update each existing CE with a new DLCI
to reach the new CE.
Signaling Flexibility
The VPN path across your provider routers can be signaled using LDP or RSVP. A hybrid
solution is also possible: LDP on the edge and RSVP in the core. RSVP allows for the
considerable benefit of traffic engineering across the network, which makes it possible to
choose explicit paths for a particular VPN. Using RSVP, you can traffic engineer paths for
customer data to meet such needs as low latency, and to include that attribute as part of an SLA
for which the customer pays a premium.
PE membership in a Layer 2 VPN can be signaled in two ways: LDP or BGP4. While there is no
industry consensus on which protocol is preferable, BGP4 offers several advantages.
- Edge routers already run BGP4 almost without exception.
- BGP4 was designed to carry numerous routes of various kinds.
- BGP4 is better positioned to handle interdomain routing, which is needed for multiprovider VPNs and carrier-of-carrier VPNs.
- PE routers can maintain IBGP sessions to route reflectors as an alternative to a full mesh of IBGP sessions. Deploying multiple route reflectors enhances scalability because it eliminates the need for any single network component to maintain all VPN routes.
- Import and export route targets allow control over where a particular route is advertised.
[Figure 2: Example Network with Circuit Cross-connect for Frame Relay. Good Service SP: USA Region CE on DLCI 600 attached to PE M160, Europe Region CE on DLCI 605 attached to PE M20, LSP 1 across the core; cross-connect table In/Out: DLCI 600 to LSP 1, LSP 1 to DLCI 605]
[Figure 3: Example Network with Circuit Cross-connect for Ethernet 802.1Q VLANs. Same topology, with VLAN 2 at each CE cross-connected to LSP 1; table In/Out: VLAN 2 to LSP 1, LSP 1 to VLAN 2]
The PDUs of the various encapsulations are handled by the Circuit Cross-connect feature in the
following manner.
- For ATM AAL5 VPNs, the AAL5 PDU is transported without directly carrying the VPI/VCI. At the receiving PE, the AAL5 PDU is fragmented, a VPI/VCI is added to each cell, and the cells are sent to the CE. The VPI/VCI to use is inferred from the top-level MPLS label.
- For ATM cell relay, cells submitted by one CE are transported as is, with an MPLS header applied to each cell. The receiving PE removes the MPLS header and forwards the cell to the appropriate CE.
- For Frame Relay VPNs, the two DLCI octets are stripped, and the rest of the Layer 2 frame is transported. At the receiving PE, the new DLCI is applied to a newly generated Frame Relay header, which is added back to the frame and sent to the CE.
- For PPP, Cisco HDLC, and Ethernet VLAN VPNs, the Layer 2 frame is transported whole, without any modification. The Layer 2 frame does not include HDLC flags, Ethernet preambles, or CRCs. The assumption is that the bit/byte stuffing is undone. At the receiving PE, the frame is sent to the CE on the appropriate interface.
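The Frame Relay case above, modelled in Python as an added example (not code from the paper or from Juniper): the ingress PE strips the two Q.922 DLCI octets and pushes a single MPLS label, and the egress PE pops the label and rebuilds a fresh Frame Relay header with the DLCI from its cross-connect table. The DLCI values 600 and 605 and "LSP 1" come from the figures; the label value 100001 and the table layout are assumptions.

```python
import struct

# LSP 1 of the figure is assumed to be carried by the constructed label 100001
# (labels 0-15 are reserved, so "1" itself is not a usable label value).
INGRESS_CCC = {600: 100001}   # USA-region PE: incoming DLCI -> outgoing LSP label
EGRESS_CCC = {100001: 605}    # Europe-region PE: incoming LSP label -> outgoing DLCI


def push_label(payload: bytes, label: int, exp: int = 0, ttl: int = 255) -> bytes:
    """Prepend a 4-octet MPLS shim: 20-bit label, 3-bit EXP, bottom-of-stack=1, TTL."""
    shim = (label << 12) | (exp << 9) | (1 << 8) | ttl
    return struct.pack("!I", shim) + payload


def pop_label(packet: bytes):
    """Return (label, payload) from a packet carrying one MPLS shim header."""
    (shim,) = struct.unpack("!I", packet[:4])
    return shim >> 12, packet[4:]


def fr_parse_header(frame: bytes):
    """Q.922 2-octet address field: DLCI is 6 high bits of octet 0 + 4 high bits of octet 1."""
    b0, b1 = frame[0], frame[1]
    dlci = ((b0 >> 2) << 4) | (b1 >> 4)
    return dlci, frame[2:]


def fr_build_header(dlci: int) -> bytes:
    """Newly generated Q.922 header: C/R, FECN, BECN, DE cleared; EA=0 then EA=1."""
    b0 = (dlci >> 4) << 2
    b1 = ((dlci & 0xF) << 4) | 1
    return bytes([b0, b1])


def ingress_pe(frame: bytes):
    """Strip the DLCI octets and push the LSP label; drop frames with no cross-connect entry."""
    dlci, rest = fr_parse_header(frame)
    label = INGRESS_CCC.get(dlci)
    if label is None:
        return None
    return push_label(rest, label)


def egress_pe(packet: bytes):
    """Pop the label, look up the new DLCI, and rebuild the Frame Relay header."""
    label, rest = pop_label(packet)
    dlci = EGRESS_CCC.get(label)
    if dlci is None:
        return None
    return fr_build_header(dlci) + rest
```

A constructed frame on DLCI 600 (header 0x94 0x81, then Q.922 control 0x03 and NLPID 0xCC for IP) leaves the egress PE on DLCI 605 (header 0x94 0xD1) with its payload untouched.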
ATM Replacement
With MPLS Circuit Cross-connect's capability to handle cell-relay and AAL5 ATM services,
you can offer transit solutions for many customer applications that currently operate over
end-to-end ATM. AAL5 services are well suited for applications that use ATM as a generic
Layer 2 transport and are therefore tolerant of some degree of delay and delay variation, as is
expected in an AAL5 service. Cell-relay service operates in an AAL-agnostic fashion, with no
segmentation or re-assembly in the provider network, and is therefore suitable for many VBR
applications.
While some ATM networks exist primarily for circuit emulation and other real-time CBR
services, virtually all other ATM circuits are candidates for extension or replacement with
MPLS-based Layer 2 VPNs.
Value-added Services
You can use MPLS-based Layer 2 VPNs to build and sell value-added IP services on a single
core infrastructure, such as carrier of carriers, Layer 2 VPNs, extranet access at Layer 2,
high-speed transparent, and Internet exchange services.
Carrier of Carriers
You can offer other carriers transparent bandwidth services to deploy their core backbone
without having to build their own transport network (Figure 4). You could deploy such
services, which you could name virtual core services, on a regional, national, or international
basis. The carrier can continue to manage its own network equipment and simply connect to
your provider network as a CE site to a PE node. You could use any supported Layer 2 protocol
between the CE and PE provided each point-to-point connection implements the same access
protocol at both ends. You need only maintain MPLS LSPs between any point-to-point
interconnection for the carrier. You can apply traffic engineering to these transit LSPs in order
to offer SLAs as a value-added benefit.
Such a service is much more efficient for the carrier than using leased lines or fibers. A single
CE can connect to multiple remote CEs when you create a mapping between a pair of PVCs or
VLANs. Moreover, you can offer bandwidth at any speed because local connections can range
from T1 and E1 up to OC-48c/STM-16 and OC-192c/STM-64.
[Figure 4: Carrier of Carriers. Good Service SP: USA Region carrier CE on DLCI 600 attached to PE M160, Europe Region CE on DLCI 605 attached to PE M20, both cross-connected to LSP 1 across the provider core]
To meet the needs of customers who are carriers using MPLS, you can deploy the Juniper
Networks LSP stitching feature (Figure 5). LSP stitching enables you to map a carrier's ingress
LSP to a core LSP on your own backbone and then to the carrier's egress LSP at the remote end.
This method enables a carrier to provide MPLS-based services to its customers by enlisting
your network as a bridge between areas of its network that are not contiguous, either from lack
of full MPLS support or due to geographic considerations.
[Figure 5: LSP Stitching. Carrier AS 1 sites (M5, M10) stitched across provider AS 2 (M20, M40)]
over fiber (to connect to an existing LAN switch, for instance), a leased Ethernet concentrator
(which several customers in the same building could share), or a Juniper Networks router to
connect one or more customers at a variety of speeds.
Benefits of using Juniper Networks routers in a high-speed transparent LAN solution include
the following.
- Transit delays of the Juniper Networks routers are so low and stable that you can plan any mesh or loop architecture that evolves and expands easily without having to reconsider the whole network design.
- You can offer access from 100 Mbps to 1 Gbps seamlessly.
- Services range up to 43.50 miles / 70 km with the use of advanced long haul Gigabit Ethernet technologies.
- Your transparent LAN service benefits from the inherent redundancy of the MPLS core. For example, the MPLS fast reroute feature reroutes LSPs in less than 100 milliseconds in case of a core trunk or node failure, making the failure transparent to user traffic.
[Figure 6: High-speed Transparent Services. VPN A and VPN B sites (including a Business Center) attach over Fast Ethernet and Gigabit Ethernet with 802.1Q, VLAN IDs 600, 601 and 612, to PE routers M160, M20, M40 and M10; the Circuit Cross-connect function maps the VLANs to LSP 3, LSP 5 and LSP 6 across the MPLS core]
[Figure 7: MPLS Internet Exchange. Peer 3 sites attached through M5 routers]
MPLS has the advantage of offering OC-192c/STM-64 speeds between sites, with remote
peering made available by the simple extension of LSPs between both sites using the
MPLS-based Layer 2 VPN. You can even offer the MPLS Internet exchange between the two
sites as a service or when renting co-location space in both sites.
You can view such a remote peering service on a national or international scale, where you use a
transit connection to set up a peering relationship with service providers located in a
completely different region or country (Figure 8).
[Figure 8: Example Local and Remote Peerings. Peer 1 and Peer 3 reach MPLS IX routers (M160, M20, M10) either over a local peering connection or over an OC-192c/STM-64 MPLS pipe]
Conclusion
Juniper Networks MPLS-based Layer 2 VPNs address the most significant VPN issues today.
- Easily configurable and maintained, and thus cost efficient.
- Delivery of value-added services with predictable performance.
- Private, any-to-any VPN connectivity for increased scalability.
- Differentiation of traffic on a per-customer basis.
- Reduced operation costs by converging traffic across a single IP infrastructure.
In addition to offering the simplicity and transparency of Layer 2 VPNs, Juniper Networks also
makes it possible for you to provision MPLS-based Layer 3 VPNs, and to thus provide
customers with the outsourced routing, single-point CE connection, and provider oversight
that are the hallmarks of such a service.
By offering customers the option of deploying either or both of these VPN models, you reap
the benefits of retaining an existing customer base, attracting new customers that you can
quickly and reliably provision, and remaining flexible in capitalizing on new opportunities.
Acronyms
AAL ATM Adaptation Layer
CE customer edge
IP Internet Protocol
PE provider edge
PPP Point-to-Point Protocol
Copyright 2001, Juniper Networks, Inc. All rights reserved. Juniper Networks is a registered trademark of Juniper Networks, Inc. Internet Processor, Internet
Processor II, JUNOS, JUNOScript, M5, M10, M20, M40, and M160 are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered
trademarks, or registered service marks may be the property of their respective owners. All specifications are subject to change without notice. Printed in USA