VPN Terminology
Provider Network (P-Network): the Service Provider infrastructure used to provide VPN services
Customer Network (C-Network): the part of the network still under customer control
Customer Site: a contiguous part of customer network (can encompass many physical locations)
2000, Cisco Systems, Inc.
www.cisco.com
VPN Terminology
Provider Edge (PE) device: the device in the P-network to which the CE-devices are connected
Provider core (P) device: the device in the P-network with no customer connectivity
Customer Edge (CE) device: the device in the C-network with link into P-network. Also called Customer Premises Equipment (CPE)
[Diagram labels: Router A, Router B, Router C, Router D, Customer Site, (VC) #1, Provider Edge Device (Frame Relay Switch), Frame Relay Edge Switch]
Service Provider infrastructure appears as point-to-point links to customer routes
Routing protocols run directly between customer routers
Service Provider does not see customer routes and is responsible only for providing point-to-point transport of customer data
ISDN
SDH, SONET
This is the traditional TDM solution:
Service Provider establishes physical-layer connectivity between customer sites
Customer takes responsibility for all higher layers
X.25
Frame Relay
ATM
This is the traditional Switched WAN solution:
Service Provider establishes layer-2 virtual circuits between customer sites
Customer takes responsibility for all higher layers
IP Security (IPSec)
VPN is implemented with IP-over-IP tunnels
Tunnels are established with GRE or IPSec
GRE is simpler (and quicker), IPSec provides authentication and security
VPN is implemented with PPP-over-IP tunnels
Usually used in access environments (dial-up, DSL)
Service Provider routers exchange customer routes through the core network
Finally, the customer routes propagated through the service-provider network are sent to other customer routers
POP router carries all customer routes
Isolation between customers is achieved with packet filters on PE-CE interfaces
[Diagram labels: P-Network, PE-Router POP-X, P-Router, PE-Router POP-Y, Remote Office, Customer A sites, Customer B sites]
[Diagram labels: Customer A, Customer B, Customer C, PE-Router-X, P-Router, PE-Router-Y, P-Network]
Q: How will PE routers exchange customer routing information?
A1: Run a dedicated IGP for each customer across P-network.
Wrong answer: The solution does not scale. P-routers carry all customer routes.
Q: How will PE routers exchange customer routing information?
A2: Run a single routing protocol that will carry all customer routes inside the provider backbone.
Better answer, but still not good enough
P-routers carry all customer routes.
Q: How will PE routers exchange customer routing information?
A3: Run a single routing protocol that will carry all customer routes between PE routers. Use MPLS labels to exchange packets between PE routers.
The best answer
P-routers do not carry customer routes, the solution is scalable.
Q: Which protocol can be used to carry customer routes between PE-routers?
A: The number of customer routes can be very large. BGP is the only routing protocol that can scale to a very large number of routes.
Conclusion: BGP is used to exchange customer routes directly between PE routers.
Q: Customers can have overlapping address space. How will you propagate information about the same subnet of two customers via a single routing protocol?
A: Customer addresses are extended with 64-bit prefix (Route Distinguisher - RD) to make them unique. Unique 96-bit addresses are exchanged between PE-routers.
Route Distinguisher
Route Distinguisher (RD) is a 64-bit quantity prepended to an IPv4 address to make it globally unique
The resulting 96-bit address is called VPNv4 address
VPNv4 addresses are only exchanged via BGP between PE routers
BGP supporting other address families than IPv4 addresses is called multi-protocol BGP
[Diagram labels: P-network, PE-1, PE-2, Customer-A, Customer-B]
Route Targets
Some sites have to participate in more than one VPN - route distinguisher cannot identify participation in VPN
A different method is needed where a set of identifiers can be attached to a route
Route Targets were introduced in the MPLS VPN architecture to support complex VPN topologies
Impact of Complex VPN Topologies on Virtual Routing Tables
A virtual routing table in a PE router can only be used for sites with identical connectivity requirements
Complex VPN topologies require more than one virtual routing table per VPN
As each virtual routing table requires a distinct RD value, the number of RDs in the MPLS VPN network increases
Customer routers run standard IP routing software and exchange routing updates with the PE-router
PE-routers appear as core routers connected via a BGP backbone to the customer
Usual BGP/IGP design rules apply
P-routers are hidden from the customer
P-routers do not participate in MPLS VPN routing and do not carry VPN routes
P-routers run backbone IGP with the PE-routers and exchange information about global subnets (core links and loopbacks)
PE-routers:
Exchange VPN routes with CE-routers via per-VPN routing protocols
Exchange core routes with P-routers and PE-routers via core IGP
Exchange VPNv4 routes with other PE-routers via multi-protocol IBGP sessions
PE-routers can run standard IPv4 BGP in the global routing table
Exchange Internet routes with other PE routers
CE-routers do not participate in Internet routing
P-routers do not need to participate in Internet routing
PE-routers receive IPv4 routing updates from CE-routers and install them in the appropriate Virtual Routing and Forwarding (VRF) table
Receiving PE-router imports incoming VPNv4 routes into the appropriate VRF based on route targets attached to the routes
Routes installed in VRF are propagated to CE-routers
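The route distinguisher and route target mechanics described above, as an added Python example (not taken from the original slides). It shows two customers announcing the same IPv4 prefix without colliding in the single MP-BGP table, and the receiving PE importing each route only into the VRFs whose route targets match. The type-0 RD layout follows RFC 4364; the AS numbers, prefixes, labels and VRF names are constructed for illustration.

```python
import ipaddress
import struct

def make_rd(asn, number):
    """64-bit type-0 RD: 2-byte type (0), 2-byte AS number, 4-byte assigned number."""
    return struct.pack("!HHI", 0, asn, number)

def vpnv4_key(rd, prefix):
    """96-bit VPNv4 address (64-bit RD + 32-bit IPv4 network) and the prefix length."""
    net = ipaddress.ip_network(prefix)
    return rd + net.network_address.packed, net.prefixlen

def mp_bgp_table(updates):
    """The single MP-BGP table shared by PE routers, keyed by VPNv4 address."""
    return {vpnv4_key(u["rd"], u["prefix"]): u for u in updates}

def import_into_vrfs(table, vrf_import_rts):
    """Receiving PE: install a route in every VRF that imports one of its route targets."""
    vrfs = {name: {} for name in vrf_import_rts}
    for route in table.values():
        for name, wanted in vrf_import_rts.items():
            if wanted & route["rts"]:
                vrfs[name][route["prefix"]] = (route["next_hop"], route["vpn_label"])
    return vrfs

# Constructed sample: Customer A and Customer B both use 10.1.1.0/24, and a
# shared-services site exports one route carrying both customers' route targets.
UPDATES = [
    {"rd": make_rd(100, 1), "prefix": "10.1.1.0/24", "rts": {"100:1"},
     "next_hop": "PE-1", "vpn_label": 37},
    {"rd": make_rd(100, 2), "prefix": "10.1.1.0/24", "rts": {"100:2"},
     "next_hop": "PE-1", "vpn_label": 38},
    {"rd": make_rd(100, 3), "prefix": "192.168.9.0/24", "rts": {"100:1", "100:2"},
     "next_hop": "PE-2", "vpn_label": 39},
]
VRF_IMPORTS = {"Customer-A": {"100:1"}, "Customer-B": {"100:2"}}

if __name__ == "__main__":
    table = mp_bgp_table(UPDATES)
    print(len(table), "distinct VPNv4 routes for", len(UPDATES), "updates")
    for name, routes in import_into_vrfs(table, VRF_IMPORTS).items():
        print(name, routes)
```

Customer isolation here depends entirely on the import route-target sets: adding "100:2" to Customer-A's import set would place Customer B's routes in Customer A's VRF, which is why route-target configuration on PE routers deserves the same review as a packet filter.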
Q: How will PE routers forward VPN packets across MPLS VPN backbone?
A1: Just forward pure IP packets.
Wrong answer: P-routers do not have VPN routes, packet is dropped on IP lookup. How about using MPLS for packet propagation across backbone?
Q: How will PE routers forward VPN packets across MPLS VPN backbone?
A2: Label VPN packets with LDP label for egress PE-router, forward labeled packets across MPLS backbone.
Better answer: P-routers perform label switching, packet reaches egress PE-router. However, egress PE-router does not know which VRF to use for packet lookup - packet is dropped. How about using a label stack?
Q: How will PE routers forward VPN packets across MPLS VPN backbone?
A3: Label VPN packets with a label stack. Use LDP label for egress PE-router as the top label, VPN label assigned by egress PE-router as the second label in the stack.
Correct answer: P-routers perform label switching, packet reaches egress PE-router. Egress PE-router performs lookup on the VPN label and forwards the packet toward the CE-router.
Penultimate hop popping on the LDP label can be performed on the last P-router
Egress PE-router performs only label lookup on VPN label, resulting in faster and simpler label lookup
IP lookup is performed only once - in ingress PE router
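The three forwarding answers and penultimate hop popping, walked through as an added Python example (not from the original slides). It models an ingress PE, two P-routers and an egress PE as plain lookup tables; all label values, table names and the prefix are constructed, and the helper names are hypothetical.

```python
import ipaddress

def ingress_pe(dst, vrf, ldp_labels, use_vpn_label=True):
    """The only IP lookup: find the VRF route, push the VPN label, then the LDP label on top."""
    for prefix, (egress, vpn_label) in vrf.items():
        if ipaddress.ip_address(dst) in ipaddress.ip_network(prefix):
            stack = [ldp_labels[egress]] + ([vpn_label] if use_vpn_label else [])
            return {"stack": stack, "dst": dst}
    return None  # no route in this customer's VRF

def p_router(frame, lfib):
    """Switch on the top label only; 'pop' models penultimate hop popping."""
    if not frame["stack"] or frame["stack"][0] not in lfib:
        return None  # unlabeled VPN packet: the P-router holds no VPN routes
    action, out_label = lfib[frame["stack"][0]]
    rest = frame["stack"][1:]
    return {"stack": ([out_label] if action == "swap" else []) + rest, "dst": frame["dst"]}

def egress_pe(frame, vpn_lfib):
    """Label lookup on the VPN label selects the CE-facing link; no IP lookup."""
    if frame is None or len(frame["stack"]) != 1:
        return None  # no VPN label left: the PE cannot tell which VRF applies
    return vpn_lfib.get(frame["stack"][0])

# Constructed sample tables (labels and names are made up for this example)
VRF_A = {"10.1.1.0/24": ("Egress-PE", 30)}
LDP_LABELS = {"Egress-PE": 17}
P1_LFIB = {17: ("swap", 21)}
P2_LFIB = {21: ("pop", None)}       # last P-router pops the LDP label
EGRESS_VPN_LFIB = {30: "link to CE-router"}

def forward(dst, use_vpn_label=True, labeled=True):
    """Send one packet ingress PE -> P1 -> P2 -> egress PE; None means dropped."""
    frame = ingress_pe(dst, VRF_A, LDP_LABELS, use_vpn_label)
    if frame and not labeled:
        frame["stack"] = []         # answer A1: pure IP packet
    for lfib in (P1_LFIB, P2_LFIB):
        frame = frame and p_router(frame, lfib)
    return egress_pe(frame, EGRESS_VPN_LFIB)

if __name__ == "__main__":
    print("A1 pure IP:       ", forward("10.1.1.7", labeled=False))
    print("A2 LDP label only:", forward("10.1.1.7", use_vpn_label=False))
    print("A3 label stack:   ", forward("10.1.1.7"))
```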
Q: How will the ingress PE-router get the second label in the label stack from the egress PE-router?
A: Labels are propagated in MP-BGP VPNv4 routing updates.
Step #1: VPN label is assigned to every VPN route by the egress PE router
Egress-PE#show tag-switching forwarding vrf SiteA2
Local  Outgoing    Prefix             Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id       switched   interface
26     Aggregate   150.1.31.36/30[V]  0
37     Untagged    203.1.2.1/32[V]    0          Se1/0.20   point2point
38     Untagged    203.1.20.0/24[V]   0          Se1/0.20   point2point
Step #2: VPN label is advertised to all other PE-routers in MP-BGP update
Ingress-PE#show ip bgp vpnv4 all tags
   Network          Next Hop         In tag/Out tag
Route Distinguisher: 100:1 (vrf1)
   12.0.0.0         10.20.0.60       26/notag
                    10.20.0.60       26/notag
   203.1.20.0       10.15.0.15       notag/38