Network based IP VPN Architecture using Virtual Routers
Jessica Yu, CoSine Communications, Inc.
Feb. 19th, 2001
Objectives
• Enable Service Provider to provide value added VPN services in a scalable manner
• Scale to large number of VPN customers w.r.t.
  • Router resources
  • Operation and management
• Utilize existing protocols and tools
• Provide:
  • separation of VPNs serviced by the same provider
  • separation of VPNs and the provider network
  • security using standard mechanisms
Virtual Router Concept
[Figure: two diagrams, "VPN Without VR" and "VPN With VR". Customer sites (CE) attach to provider edge routers (PE) across the provider's network of P routers; in the VR diagram each PE hosts one VR per VPN and the CE links of that VPN terminate on its VR.]
Virtual Router Definition
• A virtual router (VR) is an emulation of a physical router at the software and hardware levels
• VRs have independent IP routing and forwarding tables and are isolated from each other
• Two main functions
  • Constructing routing tables using any routing technology
  • Forwarding packets to the next hops within the VPN domain
• From the VPN user's point of view, a virtual router provides the same functionality as a physical router
VPN Built with VRs
[Figure: VPN-1 sites and VPN-2 sites attach to VR-1 and VR-2 on each PE; the VRs reach the SP network through a single provider virtual router (SPVR).]
Connecting multiple VRs to the Provider Network through the use of a single VR, “the provider virtual router” (SPVR)
VPN Basic Building Blocks
• Membership
  • VRs belonging to the same VPN share the same VPN-ID
• Tunnel
  • VR to VR tunnel: a point-to-point link from each VR's view
  • Tunnel mechanisms can be IPsec, GRE, IPinIP or MPLS, etc.
• Tunnel type
  • Per-VPN tunnel (originating at the VR), or
  • aggregated two-level tunnel (originating at the SPVR)
• Routing
  • Independent from SP backbone routing
  • Each VPN can have its own choice of routing protocols
VPN Establishment with VRs
• Like all VPN implementation mechanisms, membership information needs to be disseminated
• In the VR model, membership information can be distributed by the following mechanisms
  • Manual configuration
  • Directory based mechanism
  • Utilizing a routing protocol
  • BGP auto-discovery
Inter-domain VPN Support
• With the VR model, the mechanisms for multi-domain VPNs remain the same as for single-domain VPNs
• Main requirements
  • Providers support a common tunnel mechanism
  • The ability to assign unambiguous VPN identification across the domains
Inter-domain VPN Support
[Figure: VPN-1 sites and VPN-2 sites attach to VR-1 and VR-2 instances on PEs in different SP networks, each SP network with its own SPVR.]
Extranet Support
• Two or more corporations have network access to a limited amount of each other's corporate data
• It's a matter of controlling who can access what data, i.e. a policy decision
• The VR model supports extranets by allowing two or more VRs to connect to each other with policy control over data flow
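The following simulation is an added example, not code from the slides or from CoSine Communications; it ties together the VR definition, the VPN building blocks, the membership-distribution step and the extranet slide. Each VR carries its own forwarding table, membership is keyed by VPN-ID, VR-to-VR tunnels are built from discovered membership, and an extranet is a policy-controlled link between VRs of different VPNs. All PE names, VR names, interface names and addresses are constructed for the example; the registry class stands in for whatever directory or BGP auto-discovery mechanism a provider uses.

```python
"""Added example: virtual-router (VR) VPN model with isolated forwarding
tables, VPN-ID membership, per-VPN tunnels and extranet policy."""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(eq=False)          # identity hash: a VR may be used as a dict key
class VirtualRouter:
    name: str                 # constructed name, e.g. "VR-1@PE-A"
    pe: str                   # provider-edge router hosting this VR (constructed)
    vpn_id: int               # VRs sharing a VPN-ID belong to the same VPN
    fib: dict = field(default_factory=dict)       # prefix -> site interface or tunnel name
    tunnels: dict = field(default_factory=dict)   # tunnel name -> remote VR
    extranet: dict = field(default_factory=dict)  # peer VR -> prefixes reachable via the peer

    def add_site(self, prefix: str, interface: str) -> None:
        """Attach a customer-site (CE) prefix to a local interface."""
        self.fib[ipaddress.ip_network(prefix)] = interface

    def lookup(self, dst: str):
        """Longest-prefix match in this VR's own table; other VRs are invisible."""
        addr = ipaddress.ip_address(dst)
        matches = [p for p in self.fib if addr in p]
        return self.fib[max(matches, key=lambda p: p.prefixlen)] if matches else None


class MembershipRegistry:
    """Stands in for directory-based or BGP auto-discovery: each VR announces
    (VPN-ID, PE) and learns the other members of its own VPN, nothing else."""

    def __init__(self) -> None:
        self.members = defaultdict(list)

    def advertise(self, vr: VirtualRouter) -> None:
        self.members[vr.vpn_id].append(vr)

    def build_tunnels(self) -> None:
        """Per-VPN tunnels: one point-to-point link per pair of member VRs on
        different PEs; site routes are then exchanged over the tunnel as a
        VPN routing protocol would. Because a VR only ever learns from VRs
        with its own VPN-ID, customer address spaces may overlap across VPNs."""
        for vrs in self.members.values():
            site_routes = {vr: [p for p, h in vr.fib.items() if not h.startswith("tun:")]
                           for vr in vrs}
            for a in vrs:
                for b in vrs:
                    if a is b or a.pe == b.pe:
                        continue
                    tunnel = f"tun:{a.pe}->{b.pe}:vpn{a.vpn_id}"
                    a.tunnels[tunnel] = b
                    for prefix in site_routes[b]:
                        a.fib.setdefault(prefix, tunnel)


def connect_extranet(a: VirtualRouter, b: VirtualRouter,
                     a_may_reach_in_b, b_may_reach_in_a) -> None:
    """Extranet: VRs of two different VPNs get a link whose policy lists
    exactly which prefixes each side may reach across it."""
    a.extranet[b] = {ipaddress.ip_network(p) for p in a_may_reach_in_b}
    b.extranet[a] = {ipaddress.ip_network(p) for p in b_may_reach_in_a}


def forward(vr: VirtualRouter, dst: str) -> str:
    """Forward a packet arriving at `vr` for `dst`; returns the path taken."""
    hop = vr.lookup(dst)
    if hop is None:
        addr = ipaddress.ip_address(dst)
        for peer, allowed in vr.extranet.items():      # policy check, then peer's table
            if any(addr in p for p in allowed) and peer.lookup(dst) is not None:
                return f"{vr.name} -> extranet -> {forward(peer, dst)}"
        return f"{vr.name}: no route, dropped"
    if hop.startswith("tun:"):
        return f"{vr.name} -> {hop} -> {forward(vr.tunnels[hop], dst)}"
    return f"{vr.name} -> {hop}"


def build_demo() -> dict:
    """Two PEs, two VPNs; VPN-1 and VPN-2 both use 10.1.0.0/24 at PE-A (constructed)."""
    reg = MembershipRegistry()
    vr1a = VirtualRouter("VR-1@PE-A", "PE-A", vpn_id=1)
    vr1b = VirtualRouter("VR-1@PE-B", "PE-B", vpn_id=1)
    vr2a = VirtualRouter("VR-2@PE-A", "PE-A", vpn_id=2)
    vr2b = VirtualRouter("VR-2@PE-B", "PE-B", vpn_id=2)
    vr1a.add_site("10.1.0.0/24", "ce-vpn1-siteA")
    vr1b.add_site("10.1.1.0/24", "ce-vpn1-siteB")
    vr2a.add_site("10.1.0.0/24", "ce-vpn2-siteA")     # overlaps VPN-1 on purpose
    vr2b.add_site("10.2.0.0/24", "ce-vpn2-siteB")
    for vr in (vr1a, vr1b, vr2a, vr2b):
        reg.advertise(vr)
    reg.build_tunnels()
    # Extranet: VPN-2's VR at PE-B may reach only VPN-1's 10.1.1.0/24; nothing flows back.
    connect_extranet(vr2b, vr1b, a_may_reach_in_b=["10.1.1.0/24"], b_may_reach_in_a=[])
    return {"vr1a": vr1a, "vr1b": vr1b, "vr2a": vr2a, "vr2b": vr2b}


if __name__ == "__main__":
    vrs = build_demo()
    for name, dst in [("vr1a", "10.1.1.7"), ("vr1a", "10.1.0.9"), ("vr2a", "10.1.0.9"),
                      ("vr2a", "10.1.1.7"), ("vr2b", "10.1.1.7"), ("vr1b", "10.2.0.3")]:
        print(forward(vrs[name], dst))
```

Running the demo shows the separation properties the slides claim: the two VRs on PE-A both hold 10.1.0.0/24 yet deliver to different customer interfaces, VR-2 at PE-A has no path to VPN-1's second site and drops the packet, and the only cross-VPN traffic that succeeds is the one prefix the extranet policy explicitly permits, while the reverse direction is dropped.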
VR VPN Properties
• VPNs built with VRs follow an overlay model
• The Provider routers (P) are VPN unaware – scalable
• Routing for each VPN is the same as regular network routing
• The choice of the backbone protocols is not constrained by the VPNs and vice versa
• No protocol modifications needed
• No tool (debugging, management, etc.) modifications needed
• Deployment will not impact normal operation of the provider network
Scalability
• Only PEs handle VPN-type information; other provider routers are VPN unaware
• Establishment and reconfiguration can use directory based tools and BGP auto-discovery – no manual configuration is necessary
Deployment Status
• A number of SPs have already deployed VPNs implemented with the VR model in their networks and are providing Network Based VPN service
Reference
• ftp://ftp.ietf.org/internet-drafts/draft-oluldbrahim-vpn-vr-02.txt