Ericsson’s network-based IP-VPN solutions

Nail Kavak

The phenomenal success of the Internet and the universal adoption of the Internet protocol are driving profound changes in the telecommunications industry. The infrastructure of the Internet is being used as the foundation for a new public IP network. In addition to existing best-effort applications, the emerging IP networks will offer the functionality needed to support a variety of carrier-class and business-quality services, with the advantage of being ubiquitous, easier to access, and of costing less than competing alternatives. Many service providers are expanding the capacity and geographical coverage of their networks to meet rising customer demand. With virtual private networks, they can improve asset utilization and return on investments by leasing available capacity and providing new services. IP-based virtual private networks provide a means of extending the reach and scalability of legacy frame-relay and ATM networks. End-users gain ubiquitous access to the corporate intranet or extranet for business-to-business applications, IP telephony, or multicast videoconferencing service. Ultimately, Internet VPNs will be the global means of business communication just as the voice network is today. The author describes various virtual private network models and the details of Ericsson’s MPLS-based IP-VPN offering.

VPN services and architectures
VPN services

A virtual private network (VPN) consists of a set of geographically disparate sites that can communicate securely over a public or shared infrastructure. IP-based VPNs (IPVPN) enable business customers seamlessly to receive the same security, connectivity and reliability as from any other private network, and can be used to offer the following services:
• intranet—connectivity between corporate sites;
• dial-in access—business employees can access the corporate network remotely;
• extranet—secure connectivity between a community of users or business partners whose access is restricted to the resources defined for that community; and
• Internet access.
VPNs can be built in various ways. Some consist of routers and firewalls that are interconnected to the physical or logical leased line of carriers and service providers. Others might include a combination of application proxy firewall, encryption, intrusion detection, tunneling, and key management. Some VPNs are managed in-house, while others are outsourced to a service provider. Whether the VPN constitutes remote-access service to an intranet or extranet, a service provider must somehow integrate the VPN services into a common infrastructure.
VPN architectures
Remote access

Figure 1 Remote access scenario. (Labels: telecommuters dial in over ISDN or xDSL to the PoP; the LAC (NAS) opens L2TP tunnels across the ISP network of PE and P routers to LNS tunnel end points at the CPE of Enterprise 1, 2 and 3.)


Remote-access VPNs give end-users access to a corporate intranet or extranet over a shared public infrastructure. Ordinarily, a VPN subscriber or a server in a remote office dials into a network access server (NAS) at the service provider’s point of presence (PoP). After authentication, which is based on the pre-configured user profile, a tunnel is dynamically established to the tunnel server on the customer premises (Figure 1). A tunnel can be
• client-initiated (voluntary)—in which case the tunnel is opened by the client and terminated by the corporation without any active involvement by the service provider; or
• compulsory—in which case the tunnel is created by the service provider’s network access server and terminated either by a service provider tunnel server or by a central customer site server.
The security policy database can reside on the company premises or it can be outsourced to the service provider. A remote-access VPN allows users to take advantage of low-cost Internet-access services (as opposed to being assessed distance-sensitive bandwidth charges). Although most remote-access services are currently based on dial-in services, other access methods—including cable modems, xDSL, and direct Internet access—are becoming increasingly popular.
Ericsson Review No. 3, 2000

CPE-based L2 overlay
The traditional way of building a VPN is to use layer 2 (L2) overlay based on customer premises equipment (CPE). L2 connectivity is provided between customer sites that use asynchronous transfer mode (ATM) or frame-relay via virtual circuits. In essence, the provider furnishes a set of permanent virtual circuits (PVC) between customer sites—usually in full or partial mesh, but sometimes also in hub-and-spoke configurations (Figure 2). The service provider is usually responsible for configuring and managing VPN connectivity. The PVCs are treated as “dumb pipes,” since they are not involved in routing, packet filtering, or other layer 3 (L3) issues. An L3 overlay network is built on top of the L2 network by running IP over virtual interfaces between data link circuit identifiers (DLCI) or virtual circuits that are connected to the CPE. In CPE-based VPNs, all complex functionality and all hardware needed to construct the VPN reside on the customer premises.
The L2 VPNs described above can also be used in combination with multiprotocol label switching (MPLS). To the end-user, MPLS-based L2 VPNs are identical to traditional L2 VPNs. In reality, however, the L2 circuits (ATM virtual circuits) initiated at the customer’s site are terminated at the ingress of the service provider’s domain and mapped to MPLS tunnels in the backbone. This way, the service provider can offer multiple services, such as public IP, private IP, and voice over IP (VoIP), over a single access circuit.

CPE-based L3 overlay
The VPN sites are interconnected via a mesh of IP-over-IP (IPIP) tunnels that are established across the public network using any kind of L2 technology (ATM, FR, PPP). A VPN gateway is placed at each customer site between the enterprise and the service provider. The service provider merely provides access to the public network (without having to know anything about the topology of the VPN). Practically any tunneling technique can be used between VPN sites, including the
• layer 2 forwarding protocol (L2FP),
• layer 2 tunneling protocol (L2TP),
• point-to-point tunneling protocol (PPTP),
• generic encapsulation protocol (GRE), and
• IP security protocol (IPsec)—IPsec is becoming increasingly popular since it provides tunneling and security through data encryption. It also facilitates confidentiality, authenticity, integrity and key management.

Figure 2 Layer 2 overlay VPN scenario. (Labels: CPE-based L2 overlay and CPE-based L3 overlay, each drawn as CPE and routers at the customer sites.)

Network-based MPLS VPNs
With a network-based MPLS VPN scenario, the sites that constitute the VPN are connected to the service provider’s edge router via physical or virtual links—through an ATM or frame-relay access network, emulating leased-line, frame-relay, or ATM services. The service provider’s backbone routers, which carry the VPN traffic, are interconnected via MPLS label-switched paths (LSP) or tunnels. MPLS is used for forwarding packets, while the border gateway protocol (BGP) is used to distribute routes and VPN membership information. All complex functionality and all hardware needed to build the VPN reside on the service provider’s domain. Network-based MPLS VPNs do not put any requirements on VPN customers, which means customers can use their own routers or an off-the-shelf router to connect to the service provider’s network.

Network-based L3 VPNs
Network-based L3 VPNs are similar to network-based MPLS VPNs—that is, all VPN functionality, management, and hardware resides on the service provider’s domain. However, instead of using MPLS tunnels to connect to the ingress and egress of the provider’s edge routers, the network-based L3 VPN uses IP tunneling mechanisms, such as IPIP, GRE, and the L2 tunneling protocol (L2TP). This architecture relaxes requirements for a fully native MPLS backbone and, in cases of inter-provider operation, it also relaxes the requirements to support inter-provider MPLS.

Figure 3 Architectural overview of Ericsson’s VPN backbone. (Labels: management center; ISDN access; remote access; telecommuters via the PSTN; frame relay network; mobile network with BSC, SGSN and GGSN; central site; AXI 540 edge routers; AXI 520/AXD 301 core nodes.)

BOX A: ABBREVIATIONS
ATM: Asynchronous transfer mode
BA: Behavior aggregate
BGP: Border gateway protocol
CBR: Constant bit rate
CCB: Customer care and billing system
CIR: Committed information rate
CoS: Class of service
CPE: Customer premises equipment
DiffServ: Differentiated service
DLCI: Data link circuit identifier
DSCP: Differentiated services code point
DSL: Digital subscriber line
E-BGP: Exterior border gateway protocol
EXP: Experimental
FEC: Forwarding equivalence class
FR: Frame relay
GRE: Generic encapsulation protocol
iBGP: Internal BGP
IGP: Internet gateway protocol
INM: IP network performance monitor
IPDA: IP destination address
IPSA: IP source address
IPsec: IP security protocol
ISIS: Intermediate system-to-intermediate system
ISP: Internet service provider
L2FP: Layer 2 forwarding protocol
L2TP: Layer 2 tunneling protocol
LAN: Local area network
LER: Label edge router
LL: Leased line
LNS: Local network server
LPM: Longest prefix match
LSP: Label-switched path
LSR: Label switch router
MF: Multi-field classification
MPLS: Multi-protocol label switching
NAS: Network access server
NAT: Network address translation
OSPF: Open shortest path first
P: Core router
PDA: Personal digital assistant
PDM: Policy deployment manager
PE: Provider edge router
PHB: Per-hop behavior
PoP: Point of presence
POS: Packet over SONET
POTS: Plain old telephone service
PPTP: Point-to-point tunneling protocol
PVC: Permanent virtual circuit
QoS: Quality of service
RD: Route distinguisher
RFC: Request for comments
RIP: Routing information protocol
RT: Route target
rt-VBR: Real-time VBR
SA: Scheduling aggregate
SLA: Service-level agreement
SLS: Service-level specification
SONET: Synchronous optical network
SP: Service provider
TE: Traffic engineering
UBR: Unspecified bit rate
VC: Virtual circuit
VoIP: Voice over IP
VPN: Virtual private network
VR: Virtual router
VRI: Virtual router interface

Why network-based VPNs?
End-user organizations can reap significant advantages from outsourcing the operation and management of their virtual private networks to service providers. For many VPN user organizations, managing a VPN is costly and requires the services of skilled, highly sought-after staff. Customers who manage their own CPE typically want to minimize the requirements put on internal technical staff. Service providers have solid network-management expertise. They also have better resources and expertise to provide cost-effective, carrier-class reliability, scalability, and global reach. On the other hand, the management of outsourced VPNs is a big business opportunity for service providers. Service providers who offer a turnkey service want to minimize the management complexity and availability concerns associated with managed CPE services. Moreover, by consolidating VPN services over a common infrastructure, service providers can offer the services at a lower cost, in particular because they can amortize the cost over several customers. They can provide basic Internet access with best-effort services or they can offer multiple class-of-service (CoS) and bandwidth guarantees. The end-user organization can choose to manage the VPN in-house or it can outsource the service to an external provider.
Furthermore, network-based MPLS VPNs provide more flexibility and scalability than conventional VPN techniques (frame relay, ATM) without the need for point-to-point mesh configurations. Network-based VPNs can be implemented on gigabit routers, ATM or frame-relay switches—which is to say that service provider investments in backbone equipment are protected. In particular, it enables the service provider to utilize backbone resources more efficiently thanks to the advanced traffic-engineering mechanisms that are an integral part of MPLS. It can also provide quality of service and privacy for delivering value-added and closed user group services over existing infrastructures. Furthermore, MPLS better integrates IP and L2 networks (FR, ATM, and so on).

Ericsson’s MPLS VPN
Ericsson’s MPLS VPN solutions, which span L2- and L3-based networks, offer comprehensive support for network-based and operator-managed MPLS VPNs. Ericsson’s IP-VPN solutions, which make use of standard customer CPE (routers), do not require service providers or customers to provide specialized CPE. Also, since the edge nodes of the network are “VPN aware,” corporate customers need not invest in special VPN hardware or software—any off-the-shelf CPE router can be used to connect to the service provider network. To gain access to the global Internet via a single service provider connection, customers with private address space must implement a centralized network address translation (NAT) function within their VPN. The MPLS network can differentiate between services according to application type and VPN membership. In the section that follows, we will more closely examine Ericsson’s support for IP-VPNs deployed over L3 infrastructures with either packet-over-SONET (POS) or ATM cores. Figure 3 gives an overview of the available network components. Ericsson’s VPN architecture makes use of edge components such as the AXI 510 and AXI 512 access routers and the AXI 540 edge aggregation router, as well as core components such as the AXD 301 ATM switch and the AXI 520 core router.

VPN Requirements
Ericsson’s VPN offering addresses the requirements put on CPE functionality, private addressing, security, quality of service (QoS) and service level agreements (SLA), scalability, manageability, capacity, mobile or remote access, inter-provider operation, inter-VPN connectivity and policy, global Internet access, and interoperability.

CPE complexity
A primary goal of the IP-VPN solution is to minimize the configuration costs associated with the CPE. Another requirement is that typical CPE routers should be able to participate in the VPN without a software upgrade, except where service differentiation is required between customer equipment and the service provider’s network. When this is the case, the CPE must be configured to perform all differentiated service-related (DiffServ) edge functions, including classification, marking, shaping, and scheduling. At the same time, customers can enhance the security of the basic VPN solution by introducing IPsec. With respect to the IPsec-based L3 overlay, the additional security that is offered by deploying CPE-based equipment does not necessarily outweigh the costs of deploying and managing the equipment.

Private addressing
The service provider must be able to support a customer’s use of addresses that are

not globally unique (for example, the local addresses defined in RFC 1918, or addresses that rightfully belong to another organization). Addresses are solely guaranteed unique within the scope of a given VPN. An address might, for example, be used in multiple VPNs. Obviously, an address must always be interpreted within the scope of the VPN on which a packet is traveling. The Ericsson IP-VPN solutions support multiple instances of overlapping address space without requiring network address translation. The NAT function is only required when two business customers with overlapping address space communicate with each other or when a business customer who uses private addresses wants to access the global Internet.

Security
IP-VPNs replace private backbones with the shared backbone of a public network provider. Consequently, VPN customers might be concerned about the confidentiality of data passing between VPN sites, worrying that traffic originating from an unauthorized source outside the VPN can enter the VPN (possibly masquerading as a legitimate VPN host). Security violations could result in the exposure or corruption of sensitive corporate data, unauthorized access to computing resources, and denial of service or electronic vandalism. Customers who use IP-VPNs in place of frame relay or ATM L2 VPN services obtain adequate security via L2 (MPLS or ATM) or L3 tunneling within the service provider network. While the utmost security is obtained by implementing IPsec or like technologies within the CPE, topology control enhances data confidentiality—the routing-decision processes that include VPN constraints are leveraged as part of the packet-forwarding decision process. In this case—provided it is possible to limit the topology with which the data is exposed when under the administrative control of a single service provider—the advantages of operational simplicity outweigh the security risks of breached confidentiality.

QoS/SLA
Customers who build private leased-line networks can be guaranteed specific bandwidth on each link. Similarly, customers who share public networks, such as frame relay or ATM, receive service provider guarantees of bandwidth through, for example, committed information rates (CIR). Thus, customers who migrate to a shared IP network must also be given the same kind of assurances.

Figure 4 Pipe model: Specified distribution of traffic between each site. (Labels: PE, CPE.)

QoS models
Ericsson’s VPN solution can be based either on a pipe or hose QoS model. The pipe model is analogous to conventional leased-line VPNs in which the customer knows the traffic matrix or how traffic is distributed between VPN sites. The traffic matrix is translated into a set of pipes that meets the customer requirements (Figure 4). The hose QoS model guarantees performance based on aggregate traffic specifications. In this model, the customer does not necessarily know the traffic matrix.
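The pipe and hose QoS models differ in what the SLA actually constrains. The following added example (my own illustration, not Ericsson’s code) compares them on a constructed four-site traffic matrix in Mbit/s: a pipe SLA is sized per site pair from the traffic matrix, whereas a hose SLA bounds only the aggregate entering and leaving each stub link. The same shift of traffic from one destination to another is therefore rejected under the pipe contract but admitted under the hose contract as long as every hose aggregate stays within capacity. Site names, rates and the 2 Mbit/s headroom are all constructed values.

```python
"""Pipe vs. hose SLA check for an IP-VPN (added example, not Ericsson code).

Rates are Mbit/s. The traffic matrix and hose sizes are constructed values."""

SITES = ("A", "B", "C", "D")

# Constructed traffic matrix: (source site, destination site) -> Mbit/s.
TRAFFIC = {
    ("A", "B"): 4.0, ("A", "C"): 2.0, ("A", "D"): 1.0,
    ("B", "A"): 3.0, ("B", "C"): 1.0, ("B", "D"): 2.0,
    ("C", "A"): 1.0, ("C", "B"): 1.0, ("C", "D"): 1.0,
    ("D", "A"): 2.0, ("D", "B"): 1.0, ("D", "C"): 1.0,
}


def pipe_model(traffic):
    """Pipe model: the customer knows the traffic matrix, so the provider
    provisions one pipe per ordered site pair, sized to that matrix entry."""
    return {pair: rate for pair, rate in traffic.items() if rate > 0}


def pipe_admits(pipes, traffic):
    """A pipe SLA is violated as soon as any site pair exceeds its pipe,
    even if the site's total sending rate is unchanged."""
    return all(rate <= pipes.get(pair, 0.0) for pair, rate in traffic.items())


def hose_requirement(traffic, sites):
    """Hose model: only per-stub-link aggregates are specified. Derive the
    ingress (site -> network) and egress (network -> site) aggregate of each
    site from a traffic matrix."""
    ingress = {s: sum(r for (src, _), r in traffic.items() if src == s) for s in sites}
    egress = {s: sum(r for (_, dst), r in traffic.items() if dst == s) for s in sites}
    return ingress, egress


def contract_hoses(traffic, sites, headroom):
    """Size the contracted hoses: today's aggregates plus some headroom."""
    ingress, egress = hose_requirement(traffic, sites)
    return ({s: v + headroom for s, v in ingress.items()},
            {s: v + headroom for s, v in egress.items()})


def hose_admits(traffic, ingress_hose, egress_hose):
    """The hose SLA only constrains the aggregate entering and leaving each
    endpoint; how that traffic is spread over destinations is the customer's
    business and needs no contract change."""
    sites = tuple(ingress_hose)
    ingress, egress = hose_requirement(traffic, sites)
    return (all(ingress[s] <= ingress_hose[s] for s in sites)
            and all(egress[s] <= egress_hose[s] for s in sites))


def redistribute(traffic, src, old_dst, new_dst, amount):
    """Customer moves `amount` Mbit/s from src->old_dst to src->new_dst.
    The source's ingress aggregate is unchanged; only the matrix shape moves."""
    shifted = dict(traffic)
    shifted[(src, old_dst)] -= amount
    shifted[(src, new_dst)] += amount
    return shifted


if __name__ == "__main__":
    pipes = pipe_model(TRAFFIC)
    in_hose, out_hose = contract_hoses(TRAFFIC, SITES, headroom=2.0)
    shifted = redistribute(TRAFFIC, "A", "B", "C", 1.0)
    print("pipe SLA admits shifted matrix:", pipe_admits(pipes, shifted))          # False
    print("hose SLA admits shifted matrix:", hose_admits(shifted, in_hose, out_hose))  # True
```

Moving 3 Mbit/s instead of 1 would push site C’s egress aggregate above its hose and be rejected under the hose contract as well, which is the one limit the hose model keeps.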

Instead, performance characteristics are defined solely for traffic entering into a hose stub link or exiting a hose to any other hose (Figure 5), to simplify the customer’s task of specifying the performance requirements of the VPN. Apart from being very straightforward, this model allows customers to vary, without changing their contract, the volume of traffic that is sent to any other hose endpoint, provided that the aggregate traffic entering and exiting each of the endpoints does not exceed the capacity of each hose. The two VPN models put different requirements on
• the engineering and provisioning of resources in the backbone, and
• the description and monitoring of the service level agreement.

Figure 5 Hose model: Performance characteristics specified for traffic from customer site to the network. (Labels: PE, CPE, service provider network.)

Ericsson products employ technologies that identify, regulate, and isolate traffic.
• Identification is accomplished by means of packet classification—that is, by matching the components of a packet header against a list of filters.
• Regulation is accomplished by traffic conditioning—that is, by shaping, dropping, or re-marking packets based on the temporal characteristics of the associated packet stream (identified by a classifier) relative to the traffic profile of the SLA.
• Isolation is achieved by using several queuing or policy-based routing mechanisms that provide dedicated router forwarding resources (buffers, output link bandwidth) or special network paths that isolate enhanced-service traffic from congestion that has been induced by traditional best-effort traffic.

Connectivity models
Ericsson offers two different connectivity models for controlling QoS in IP-VPNs:
• Differentiated services—either the DiffServ code point (DSCP) in the packet (for pre-encapsulated packets, the router uses the DSCP value in the clear-text header) or the MPLS label+CoS is used to map the packet to the behavior aggregate (and corresponding per-hop behavior) with strictly configured scheduling parameters. Distinct admission control policies and traffic conditioning apply to each forwarding class. Different LSPs that belong to the same forwarding class are mapped to the same buffer or queue.
• Virtual circuit (VC)—traffic parameters and a QoS service class (delay and throughput sensitivity, preemption priority, and so on) are assigned to a label-switched path or ATM VC with dynamic per-hop admission control. Like the DiffServ connectivity model, the virtual circuit connectivity model supports only a few forwarding classes in the network.
However, regardless of the QoS model used, the classification must in some circumstances be performed at the customer site to properly enforce service differentiation, such as when a customer has stringent security requirements or wants to differentiate service to the stub link.

Scalability
Obviously, service providers want to know what impact VPN services will have on
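As an added example (not Ericsson’s code) of the identify, regulate and isolate functions and of the DiffServ connectivity model described above, the following Python program runs a small multi-field classifier and per-aggregate token-bucket meters over constructed packets arriving on a stub link. Filters, SLA rates, DSCP values and packets are all assumed values. The one behaviour taken from the text is that pre-encapsulated packets (here: ESP) are mapped by the DSCP in their clear-text header, whereas for all other packets the customer’s own marking is ignored and the classifier decides. Out-of-profile EF is dropped, out-of-profile AF is re-marked to best effort, and each behaviour aggregate gets its own queue.

```python
"""DiffServ edge functions on a PE stub link: identify (classify), regulate
(condition) and isolate (queue per behaviour aggregate). Added example, not
Ericsson code; filters, SLA rates and packets are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

DSCP_EF, DSCP_AF11, DSCP_BE = 46, 10, 0
PRE_ENCAPSULATED = {"esp"}   # customer-encrypted traffic: only the clear-text DSCP is visible


@dataclass
class Filter:
    """One multi-field classifier entry; None means wildcard."""
    proto: Optional[str] = None
    dport: Optional[int] = None
    dst: Optional[str] = None     # destination prefix
    dscp: int = DSCP_BE           # behaviour aggregate assigned on match


FILTERS = [
    Filter(proto="udp", dport=5060, dscp=DSCP_EF),    # VoIP signalling (assumed)
    Filter(proto="udp", dport=16384, dscp=DSCP_EF),   # VoIP media (assumed)
    Filter(dst="10.2.0.0/16", dscp=DSCP_AF11),        # traffic to the data centre (assumed)
]


class TokenBucket:
    """Single-rate meter: `rate` bytes/s, `burst` bytes of depth."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def conform(self, size, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= size:
            self.tokens -= size
            return True
        return False


def make_sla():
    """Per-aggregate traffic profiles from the (constructed) SLA; BE is unmetered."""
    return {DSCP_EF: TokenBucket(rate=20_000, burst=3_000),
            DSCP_AF11: TokenBucket(rate=50_000, burst=5_000)}


def matches(f, pkt):
    if f.proto is not None and pkt["proto"] != f.proto:
        return False
    if f.dport is not None and pkt.get("dport") != f.dport:
        return False
    if f.dst is not None and ip_address(pkt["dst"]) not in ip_network(f.dst):
        return False
    return True


def classify(pkt):
    """Identification. Pre-encapsulated packets expose only a clear-text DSCP,
    so that value is used; everything else is classified by header fields and
    the customer's own marking is ignored (the stub link is not trusted)."""
    if pkt["proto"] in PRE_ENCAPSULATED:
        return pkt.get("dscp", DSCP_BE)
    for f in FILTERS:
        if matches(f, pkt):
            return f.dscp
    return DSCP_BE


def condition(pkt, dscp, sla):
    """Regulation: meter against the SLA profile of the aggregate. Out-of-profile
    EF is dropped (it would hurt the other EF flows); out-of-profile AF is
    re-marked to best effort. Returns the DSCP to queue under, or None to drop."""
    meter = sla.get(dscp)
    if meter is None or meter.conform(pkt["len"], pkt["t"]):
        return dscp
    return None if dscp == DSCP_EF else DSCP_BE


def edge_process(packets):
    """Isolation: one queue per behaviour aggregate. Returns (queues, dropped)."""
    sla = make_sla()
    queues = {DSCP_EF: [], DSCP_AF11: [], DSCP_BE: []}
    dropped = 0
    for pkt in packets:
        out = condition(pkt, classify(pkt), sla)
        if out is None:
            dropped += 1
        else:
            queues[out].append(pkt["id"])
    return queues, dropped


# Constructed packets arriving on the stub link (t in seconds, len in bytes).
SAMPLE = [
    {"id": 1, "t": 0.0, "proto": "udp", "dport": 16384, "dst": "10.1.1.1", "len": 1000},
    {"id": 2, "t": 0.0, "proto": "udp", "dport": 16384, "dst": "10.1.1.1", "len": 1000},
    {"id": 3, "t": 0.0, "proto": "udp", "dport": 16384, "dst": "10.1.1.1", "len": 1500},  # EF burst exceeded
    {"id": 4, "t": 0.1, "proto": "udp", "dport": 16384, "dst": "10.1.1.1", "len": 1000},
    {"id": 5, "t": 0.1, "proto": "tcp", "dport": 443, "dst": "10.2.5.7", "len": 1400},
    {"id": 6, "t": 0.1, "proto": "tcp", "dport": 443, "dst": "10.2.5.7", "len": 4000},    # AF burst exceeded
    {"id": 7, "t": 0.2, "proto": "tcp", "dport": 80, "dst": "198.51.100.9", "len": 500, "dscp": 46},  # self-marked EF, ignored
    {"id": 8, "t": 0.2, "proto": "esp", "dst": "10.9.9.9", "len": 800, "dscp": 46},       # pre-encapsulated, clear-text DSCP used
]

if __name__ == "__main__":
    print(edge_process(SAMPLE))   # ({46: [1, 2, 4, 8], 10: [5], 0: [6, 7]}, 1)
```

Packet 7 shows why the stub link is an SLA boundary: a customer host that marks its own web traffic EF would otherwise consume the EF profile bought for voice, so the classifier, not the incoming DSCP, assigns the aggregate. Packet 8 shows the exception the text makes for pre-encapsulated traffic, whose inner headers the PE cannot see.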

backbone resources, operational functionality and operating costs. Concerns include the scalability of routing protocols, stub link density (with physical or logical interfaces), and the per-packet processing required to forward VPN traffic. Ericsson’s IP-VPN solutions support techniques for increasing scalability in carrier backbones.

Manageability
Making the configuration of equipment in the service provider’s network less complex will have a good effect on scalability. In particular, this applies to the configuration of provider edge (PE) routers that implement key parts of the IP-VPN service.

Mobile and remote access
Besides fixed-site access, end-users should be able to access the VPN over plain old telephone service (POTS) dial-up, digital subscriber line (DSL), cable modem, and eventually, from truly mobile devices such as personal digital assistants (PDA), cell phone, and so on. Since access is not necessarily tied to a physical location, access might originate from another provider’s network, such as a local dial-up Internet service provider (ISP) who operates in a wholesale scenario. Moreover, because the CPE can be a laptop or PDA, the CPE functionality must be simple and ubiquitous. Ericsson’s IP-VPN solutions support multiple tunneling mechanisms (MPLS and L2TP) that permit users who are connected via a fixed-site local area network (LAN) or traditional dial-up or DSL, to participate in the same IP-VPN.

Inter-provider operation
Some customers want separate providers to maintain distinct parts of their VPN. Initially, these inter-provider VPNs will only be encountered where the primary service provider cannot offer full coverage for all customer sites or for all customer access technologies. For these customers, the IP-VPN solution must span multiple provider networks and ensure that all VPN forwarding, route propagation and QoS/SLAs function across provider boundaries. Inter-provider operation stipulates that the VPN models used must have minimum impact on provider core networks, and that they support standards-based operation.

Inter-VPN connectivity and policy
Some customers require more than one VPN for inter-site communications. Some sites might have to participate in multiple VPNs. For example, a site could participate in
• an intranet VPN that connects it with other corporate sites,
• an extranet that connects it with suppliers, and
• a third extranet that connects it with other organizations in the industry.
The site must communicate with each of the VPNs simultaneously. One VPN might also function as a transit VPN which passes traffic that originates at a second VPN and is destined for a third VPN. When multiple VPNs connect, security is a major concern—for instance, their addresses must be unique, and access must be tightly controlled (an industry-wide extranet might include competitors who should not be granted access to the corporate Intranet or who have access to only a subset of resources).

Global Internet access
Customers might want to access the global Internet and the VPN from the same service provider connection. Ericsson’s IP-VPN solutions support customer networks with globally unique addresses. If parts of the VPN use non-unique addressing that conflicts with globally assigned addresses, the VPN addresses take precedence over their global counterparts.

Interoperability
Ericsson’s IP-VPN solutions are designed to operate within multi-vendor networks. They also comply with industry standards for MPLS-VPNs in order to ensure interoperability within networks composed of multi-vendor PE solutions. Ericsson believes that compliance with appropriate requests for comments (RFC) on MPLS VPNs and dedicated interoperability testing will yield implementations which are interoperable with other PEs that adhere to the MPLS VPN RFC. To minimize the impact on interoperation with different core devices (some of which may not support native MPLS), the solutions support MPLS and L3 tunneling technologies. There is no current standard for non-MPLS VPNs (called IP overlay VPNs); however, given the obvious benefit of supporting multiple tunneling technologies, it is believed that the industry’s standard forums can be induced to generate support for them. Ericsson will consider accelerating support for non-L2 tunneling mechanisms if doing so accelerates interoperability with third-party equipment.

Ericsson IP-VPN architecture
The section that follows describes the internetwork part of Ericsson’s IP-VPN solutions. Two basic architectures are supported: MPLS-VPNs and IP-overlay VPNs.

Overall topology
MPLS-VPNs
The VPN backbone is composed of the service provider’s core routers (P) and edge routers (PE) as illustrated in Figure 6. The edge routers (AXI 510, AXI 512 or AXI 540) are
• connected to customer edge routers via stub links (a physical or logical leased line) and can run dynamic routing protocols (routing information protocol, RIP; open shortest path first, OSPF; or EBGP) to communicate reachability information between the customer and service provider, or
• statically configured with site reachability information for the stub link.
Each edge router maintains separate forwarding tables—every site to which the edge router is attached is mapped to one of these tables, which are used to determine how a packet is to be routed. The MPLS solution uses multiprotocol extensions to BGP to communicate VPN-specific routing information between edge routers. The edge routers are fully meshed and communicate through iBGP sessions. The CPE sends standard IP packets to the ingress edge router, which routes the packets across MPLS tunnels to the egress edge router. The backbone that connects the ingress and egress edge routers is fully compliant with native MPLS. The core network (between the ingress and egress edge router) is composed of several routers or switches (P) that function as standard label switch routers. A two-layer label stack is used across the backbone: the top layer identifies a single LSP connecting the ingress and egress edge router, whereas the bottom layer, which denotes the CPE destination, is considered only by the egress edge router. Since the routers (P) are only concerned with the top label, they only need to know the internal topology of the backbone that connects the edge router—that is, they do not require information on customer connections or VPNs. The core routers (P) are unaware of the existence of VPNs at the network’s edge boundaries. The main concepts of this architecture are based on RFC 2547.

Figure 6 MPLS-BGP/VPN architecture and components. (Labels: MPLS backbone with P routers; PE routers, each holding virtual routers (VR) for VPN A1, A2, A3, VPN B1, B2 and a global VR; CPE sites; Internet.)

IP-overlay VPNs
The IP-overlay model is similar to the MPLS model, but instead of using MPLS tunnels

to connect ingress and egress edge routers, the service provider employs IP tunneling mechanisms. Initially, the IP-overlay model supports L2TP tunneling, since this mechanism facilitates the multiplexing of VPN traffic onto a single tunnel, thereby alleviating scalability concerns. The use of L2TP allows IP-VPNs to be deployed on backbones that do not fully support native MPLS. And in cases of inter-provider operation, it relaxes the requirements for supporting inter-provider MPLS.

Basic forwarding path operation
In either architecture, fixed-site corporations are connected into the VPN via a stub link that terminates at the edge router. VPN customers with dial-up and broadband access connect to the network either via CPE services—Windows PC supporting point-to-point tunneling protocol (PPTP) or IPsec over L2TP—or via AXI 510 or AXI 512 access servers at the edge of the service provider’s network (in which case the tunnels originate on the access server). The tunnels can be terminated at an entry point of the VPN within the service provider’s network or they can be terminated at the customer premises. The CPE router sends standard L3 IP packets to the edge router, usually without special encapsulation or tagging. Traffic on the stub links can be transmitted in the clear (assuming the customer site includes minimal CPE services) or it can be tunneled or encrypted.
Using the virtual router interface (VRI) scope that has been configured for the virtual interface on which the packet arrives, the edge router performs standard longest prefix match (LPM) lookup on the packet’s IPDA in a VRI-specific forwarding table. The forwarding table contains all reachable prefixes that reside in any of the VPNs of which the interface is a member. If a match is returned from the VRI-specific table, the packet is forwarded to a network that resides in one of the VPNs. If no matching prefix is found, the edge router might look up the LPM in a global forwarding table, which consists of global Internet prefixes—the complete BGP table. This table is only searched if the customer interface has full global Internet connectivity. If the LPM lookups fail to return a match, the packet is dropped and an “ICMP unreachable” message is generated (Figure 7). If a matching prefix is found, the packet is encapsulated in
• a two-layer MPLS label stack (for MPLS VPNs) and forwarded along the LSP that connects the ingress edge router with the egress edge router, or
• L2TP headers (for IP-overlay VPNs) and sent to the egress edge router over an IP tunnel—a single L2TP tunnel that connects a pair of ingress and egress edge routers is used to multiplex traffic from many VRI contexts (using the tunnel ID field and a session ID field to identify the VRI context).
Tunneling is used across the service provider’s backbone to support security, topology control, and customer-addressing limitations. A combination of DiffServ, ATM QoS, and MPLS+CoS is used to guarantee quality of service. Core devices are unaware of the existence and configuration of VPNs (and associated per-customer topology information) within the PEs. Where the ingress edge router has attached a two-layer MPLS label stack to each packet, the router (P) forwards the packet using regular MPLS label-switched router (LSR) pop-and-swap on the top label. Since the top label defines the LSP that connects the ingress edge router to the egress edge router, the router (P) only needs topology information on the ISP backbone. This information is usually obtained via an Internet gateway protocol (IGP), such as OSPF or intermediate system-to-intermediate system (ISIS).

Figure 7 VPN forwarding plane in action. (Labels: ingress PE: do lookup in VPN table, determine path to egress router, encapsulate in two-layer-deep MPLS stack; P routers: label swapping based on the top label; egress PE: bind the label to the corresponding VR.)

The egress edge router, which acts as an MPLS label edge router (LER), uses the second label in the stack to forward the packet to the appropriate egress interface for the destination CPE. The second label encodes the VRI scope of the packet and the next hop, and provides the information that is needed to forward the packet to the appropriate CPE. The second label, whose scope solely applies to the egress edge router that assigns it, is opaque to other routers. This label, which is assigned by the egress edge router, is propagated via the routing protocols (multiprotocol-BGP, MP-BGP), while preserving the VRI-specific context of prefixes.
In IP-overlay VPNs, packets received by the egress edge router from the upstream routers (P) arrive over an IP tunnel for which the edge router serves as a termination point. The edge router uses the IPSA, IPDA, and IP protocol field to identify the tunnel, and then uses the L2TP tunnel ID and session ID to identify the CPE router to which the packet is to be forwarded. If the CPE is in multiple VRIs, the packet is forwarded across the appropriate DLCI, VCI, or subinterface (or using the appropriate tunneling or VLAN tagging mechanism to denote the VRI scope of the packet). In IP-overlay VPNs, most packets that traverse the core are IP packets with the IPSA and IPDA set to addresses that belong to the ingress and egress edge routers. The routers (P) must be able to route to addresses that belong to edge routers, but require no information on VPNs or customer topology. The backbone-forwarding path is also completely protocol-independent. Thus, any protocol that can be encapsulated in MPLS can be forwarded between edge routers.

Routing and processing route updates

Figure 8 VPN control plane in action. (Labels: IGP (static), RIP, OSPF or EBGP from the CE; iBGP/MP between the VRs; originating PE: translate IPv4 to VPN-unique address, send MP-iBGP update to all; receiving PEs: import from BGP, translate VPN-unique address to IPv4, distribute to CE.)

In VPN environments, the ISP backbone serves as the core of an enterprise network. The service provider is therefore responsible for propagating reachability information between each customer site. Ericsson’s IP-VPN solutions support the exchange of routing information with CPE devices using standard IP routing protocols (static routing, RIP, OSPF, BGP, EBGP, or ISIS). In all likelihood, given the requirements for simple configuration of the CPE, static routing or RIP will become common methods of communicating routing information. Since the edge router is configured to contain the VPN membership of each sub-

In addition, each edge router obtains VRI-specific reachability information via internal BGP (iBGP) with other edge routers, and propagates these prefixes to the CPE using standard IGP or EGP protocols (Figure 8). An isolated instance of the IGP is used with each customer site to ensure that routing domains are maintained as distinct. Prefixes are obtained from customers who use conventional protocols (or static routing information), but when non-unique prefixes are propagated across the provider’s backbone, they must be qualified with the VRI context to which they belong. The edge router inserts routes obtained from a CPE into the appropriate VRI table, either via a static announcement or by means of redistribution from the interior gateway protocol/exterior gateway protocol (IGP/EGP) with a CPE, and then announces these prefixes to other edge routers on the backbone using multiprotocol extensions to BGP that allow each prefix to be qualified with its VRI context.

Standard BGP4 can announce only one unique instance of a prefix over a BGP session. MP-BGP makes it possible to announce a VPN-IPv4 prefix, which is a standard IPv4 prefix qualified with a 64-bit route distinguisher that communicates the VRI-specific context of that prefix. All VPN prefixes carried via MP-BGP across the backbone are qualified with the VPN in which they originated. A new BGP attribute, target VPN (effectively a 64-bit extended communities attribute), denotes the list of VPNs to which the route must be announced. These BGP routes must only be announced (via an IGP or EGP) to customers who are members of the VPN from which the route originated. There is no one-to-one relationship between a customer site and a VPN, since customers can be members of multiple VPNs; sites that share the same routing information or sites that belong to the same VPN can share the same VPN routing table.

When an edge router originates a route into iBGP, it includes BGP NEXT_HOP, which points to one of its own addresses, and an MPLS label. This label is essential to the edge router: in traffic received from the backbone and destined to this prefix, the MPLS label (the second in the label stack) is used to forward the packet to the appropriate CPE (Figure 4). Thus, with MPLS-based VPNs, the label-switched paths are established from peer to peer based on the L3 topology, and BGP NEXT_HOP information is inherently an IPv4 address. In IP-overlay VPNs, the egress edge router attaches an identifier (L2TP tunnel and session IDs) to the MP-BGP announcement of the route. Furthermore, existing BGP techniques, such as route reflectors, can be used to scale route distribution while preserving the VRI-specific context of prefixes. To further reduce the burden on edge routers, edge routers will peer with route reflectors that serve the same set of VPNs, so that individual edge routers need not store all VPN information.

Scalability

In traditional connection-oriented networks (leased line, frame relay or ATM), circuits are overlaid between each customer router to provide VPN connectivity. For VPNs that include many sites, this approach generates numerous circuits that must be managed and processed. In contrast, in MPLS, customer routers need only peer to a single edge router, regardless of the number of sites within a VPN. Similarly, the edge routers must only keep information on the VPN of directly attached routers. In addition, the core routers (P) need not know anything about VPNs. Thanks to label stacking, MPLS tunnels can be shared by different VPNs (VR); thus, a rise in the number of customers or VPNs has no impact on the number of LSPs. In IP-overlay VPNs, L2TP tunnels can also be multiplexed using the session or tunnel ID to reduce the number of tunnels in the backbone.

Security

MPLS-based VPNs provide a level of security that is similar to that provided by L2 ATM or frame-relay networks, assuming appropriate security procedures by the service provider. VPN traffic remains separate at the backbone; exposure is therefore limited to service provider staff. The label-swapping nature of MPLS makes it impossible for a third party to inject a packet into an MPLS tunnel. Because the entire label-switched path of the packet is pre-determined at the ingress point, customers are assured that traffic injected into an MPLS tunnel will not diverge from that tunnel. The packet itself will not diverge from the provider’s backbone. At the edge of a service provider network, customer packets must enter through the correct logical or physical interface. Packets entering through an interface for which there is no associated VRF are dropped, which makes it impossible for malefactors to enter the network via another port.
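The control-plane mechanics above (a VPN-IPv4 prefix as route distinguisher plus IPv4 prefix, the target-VPN extended community deciding which VRIs import a route, and NEXT_HOP plus label carried with it), written out as an added Python model. It also covers the extranet case discussed later in the article, where one site is reachable from two VPNs, by giving a shared-services VRI import targets from both customers. This is illustration code, not code from the article or from Ericsson’s products; the AS number, RD and route-target values, VRI names, prefixes, next-hop addresses and labels are constructed.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Constructed illustration of RD / target-VPN handling in the MP-BGP control plane.
# All numbers and names are made up for the example.


def route_distinguisher(asn: int, assigned: int) -> bytes:
    """Type 0 RD: 2-byte type, 2-byte AS number, 4-byte assigned number (8 bytes)."""
    return struct.pack("!HHI", 0, asn, assigned)


def route_target(asn: int, assigned: int) -> bytes:
    """Target-VPN extended community; same 8-byte AS:number layout as a type 0 RD."""
    return struct.pack("!HHI", 0, asn, assigned)


def vpn_ipv4_nlri(rd: bytes, prefix: str) -> bytes:
    """VPN-IPv4 prefix key: 8-byte RD, 4-byte network address, 1-byte prefix length."""
    net = ipaddress.IPv4Network(prefix)
    return rd + net.network_address.packed + bytes([net.prefixlen])


@dataclass(frozen=True)
class VpnRoute:
    nlri: bytes                 # RD-qualified prefix; distinct per VRI even for equal IPv4 prefixes
    prefix: str
    next_hop: str               # BGP NEXT_HOP: an address of the originating edge router
    label: int                  # MPLS label assigned by the originating edge router
    targets: FrozenSet[bytes]   # target-VPN communities attached on export


class Vri:
    def __init__(self, name: str, rd: bytes, import_targets, export_targets) -> None:
        self.name = name
        self.rd = rd
        self.import_targets = frozenset(import_targets)
        self.export_targets = frozenset(export_targets)
        self.routes: Dict[bytes, VpnRoute] = {}      # routes learned via MP-iBGP, keyed by NLRI

    def export(self, prefix: str, next_hop: str, label: int) -> VpnRoute:
        """Qualify a customer prefix with this VRI's RD and attach its export targets."""
        return VpnRoute(vpn_ipv4_nlri(self.rd, prefix), prefix, next_hop, label, self.export_targets)

    def import_route(self, route: VpnRoute) -> bool:
        """Import only when at least one target-VPN community matches this VRI's import set."""
        if not (route.targets & self.import_targets):
            return False
        self.routes[route.nlri] = route
        return True

    def table(self) -> List[Tuple[str, str, int]]:
        return sorted((r.prefix, r.next_hop, r.label) for r in self.routes.values())

    def overlapping_prefixes(self) -> List[str]:
        """IPv4 prefixes imported from more than one RD: distinct in BGP, but only one can be
        installed in this VRI's IPv4 forwarding table."""
        seen, dup = set(), set()
        for r in self.routes.values():
            if r.prefix in seen:
                dup.add(r.prefix)
            seen.add(r.prefix)
        return sorted(dup)


def run_demo() -> Tuple[Dict[str, List[Tuple[str, str, int]]], Dict[str, List[str]]]:
    asn = 64500
    rt_a, rt_b, rt_shared = route_target(asn, 1), route_target(asn, 2), route_target(asn, 100)
    vri_a = Vri("VRI-A", route_distinguisher(asn, 1), {rt_a, rt_shared}, {rt_a})
    vri_b = Vri("VRI-B", route_distinguisher(asn, 2), {rt_b, rt_shared}, {rt_b})
    # Extranet: the shared-services VRI imports both customers' targets and exports its own.
    vri_s = Vri("VRI-SHARED", route_distinguisher(asn, 100), {rt_a, rt_b}, {rt_shared})
    vris = (vri_a, vri_b, vri_s)

    backbone: List[VpnRoute] = [                       # the MP-iBGP table seen by all edge routers
        vri_a.export("10.1.0.0/16", "192.0.2.1", 30),
        vri_b.export("10.1.0.0/16", "192.0.2.2", 40),  # same IPv4 prefix, different RD
        vri_s.export("172.16.0.0/24", "192.0.2.3", 50),
    ]
    for vri in vris:
        for route in backbone:
            vri.import_route(route)
    tables = {v.name: v.table() for v in vris}
    conflicts = {v.name: v.overlapping_prefixes() for v in vris if v.overlapping_prefixes()}
    return tables, conflicts


if __name__ == "__main__":
    for name, rows in run_demo()[0].items():
        print(name, rows)
    print("overlaps:", run_demo()[1])
```

Both customers announce 10.1.0.0/16, and the RD keeps the two announcements distinct in the backbone table; each customer VRI imports only its own copy plus the shared site. The shared VRI, having imported both targets, ends up with two routes for the same IPv4 prefix, which is the overlapping-address situation an extranet design has to resolve by policy before it is deployed.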

Inter-VPN communication can be tightly controlled in many ways, including via route filters, access lists, firewalls, or authentication servers. Service providers assign a route distinguisher (RD) to each customer; like the MPLS label, the RD is unknown to end-users.

In IP-overlay VPNs that employ L2TP tunneling, an unauthorized third party might feasibly insert a packet into the IP tunnel, forging a packet using the appropriate IPSA and IPDA addresses and proper encapsulation; when the egress edge router receives such a packet, it processes the packet as if it had originated at the ingress edge router. To prevent intrusion, packets destined for the L2TP tunnels are authenticated using an IPsec authentication header (IPsec-AH).

MPLS and CoS

Due to the high processing and management costs in carrier networks, it is not possible to scale
• quality of service when applied on a flow-by-flow basis, or
• point-to-point virtual circuits when used to implement class of service (CoS).
Consequently, traffic that is placed into manageable sets of service classes is more efficient and scales well. In Ericsson’s VPN solutions, the QoS implementation is essentially based on the DiffServ mechanisms (RFC 2474 and RFC 2475). Where the backbone is based on MPLS transport, DiffServ is also applied in the edge in conjunction with MPLS trunking in the core. However, VC-style QoS is suitable where admission can be controlled in each node during path signaling.

Traffic sent from the CPE must be classified in accordance with the service committed to the customer and might be subject to metering, policing, and shaping before it is queued or scheduled for transmission by the edge router. Several service classes are supported in the core. The core of the network enforces the service classes based on the EXP value in the MPLS header. Ericsson’s current network solutions define four service categories:
• network control, intended for routing protocol signaling;
• strict QoS, based on the expedited forwarding PHB;
• assured service, based on a subset of the assured forwarding PHB group; and
• best-effort service.
Each service category corresponds to an ordered traffic aggregate (OA) and a per-hop behavior (PHB) group that defines the forwarding behavior. The ingress traffic-conditioning function is defined for the PHB. For the strict QoS service category, the bandwidth policing function is defined in the service level specification (SLS). For assured service (one forwarding class with two drop classes), a token-bucket-style traffic-conditioning function at the network ingress handles policing and marks traffic according to parameters (bandwidth per drop class) in the SLS. Traffic in violation of the negotiated rate is either dropped or re-marked to ensure that the appropriate level of service is provided.

Figure 9 Ericsson AXI 540.
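The ingress traffic conditioning described above (a token-bucket policer for the strict QoS category that drops violating packets, and a two-drop-class conditioner for assured service that marks in-profile traffic with low drop precedence, excess traffic with high drop precedence, and drops or re-marks the rest), written out as an added Python model. This is illustration code, not code from the article or from Ericsson’s products; the rates, burst sizes and the MPLS EXP values used as marks are constructed for the example and are not values from the Ericsson SLS.

```python
from typing import List, Optional, Tuple

# Constructed illustration of DiffServ ingress traffic conditioning. The EXP
# code points and all rate/burst figures are made-up example values.

EXP_EF = 5             # strict QoS (expedited forwarding)
EXP_AF_LOW_DROP = 3    # assured service, in-profile (low drop precedence)
EXP_AF_HIGH_DROP = 2   # assured service, excess (high drop precedence)
EXP_BE = 0             # best effort


class TokenBucket:
    """Classic token bucket: refills at `rate` bytes/s up to `burst` bytes."""

    def __init__(self, rate: float, burst: int) -> None:
        self.rate = rate
        self.burst = burst
        self.tokens = float(burst)
        self.last = 0.0

    def take(self, nbytes: int, now: float) -> bool:
        elapsed = max(0.0, now - self.last)
        self.last = now
        self.tokens = min(float(self.burst), self.tokens + elapsed * self.rate)
        if self.tokens >= nbytes:
            self.tokens -= nbytes
            return True
        return False


class StrictQosPolicer:
    """EF category: packets within the SLS rate are marked EF, violators are dropped (None)."""

    def __init__(self, rate: float, burst: int) -> None:
        self.bucket = TokenBucket(rate, burst)

    def condition(self, nbytes: int, now: float) -> Optional[int]:
        return EXP_EF if self.bucket.take(nbytes, now) else None


class AssuredConditioner:
    """One forwarding class, two drop classes, one token bucket per drop class
    (bandwidth per drop class from the SLS). Out-of-profile traffic is either
    dropped (None) or re-marked to best effort, as the SLS prescribes."""

    def __init__(self, committed_rate: float, committed_burst: int,
                 excess_rate: float, excess_burst: int, remark_to_best_effort: bool) -> None:
        self.committed = TokenBucket(committed_rate, committed_burst)
        self.excess = TokenBucket(excess_rate, excess_burst)
        self.remark = remark_to_best_effort

    def condition(self, nbytes: int, now: float) -> Optional[int]:
        if self.committed.take(nbytes, now):
            return EXP_AF_LOW_DROP
        if self.excess.take(nbytes, now):
            return EXP_AF_HIGH_DROP
        return EXP_BE if self.remark else None


def run_demo() -> Tuple[List[Optional[int]], List[Optional[int]], List[Optional[int]]]:
    """Constructed sample traffic: bursts of 1500-byte packets at t=0, then one packet at t=1s."""
    af_drop = AssuredConditioner(1500, 3000, 1500, 1500, remark_to_best_effort=False)
    af_marks = [af_drop.condition(1500, 0.0) for _ in range(4)]   # 2 in-profile, 1 excess, 1 dropped
    af_marks.append(af_drop.condition(1500, 1.0))                 # committed bucket has refilled

    af_remark = AssuredConditioner(1500, 3000, 1500, 1500, remark_to_best_effort=True)
    af_remark_marks = [af_remark.condition(1500, 0.0) for _ in range(4)]   # last one re-marked BE

    ef = StrictQosPolicer(rate=1000, burst=1000)
    ef_marks = [ef.condition(500, 0.0) for _ in range(3)]          # third packet violates the SLS
    return af_marks, af_remark_marks, ef_marks


if __name__ == "__main__":
    print(run_demo())
```

With these constructed parameters the assured conditioner marks the first two packets low drop, the third high drop, and drops (or re-marks to best effort) the fourth; after one second the committed bucket has refilled and the next packet is in-profile again. The strict policer admits 1000 bytes of burst and then drops, which is the behaviour the core relies on when it forwards EF solely on the EXP value.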

Core routers provide separate queues for each service category. Traffic is scheduled and buffered or queued according to service categories and traffic mix. The AXI 520 and AXI 540 employ the weighted round-robin scheduling discipline. By default, network control and assured service traffic are mapped to separate dedicated queues. On some interface types, the AXI 540 can also manage scheduling using a combination of fair round-robin and priority scheduling (for the EF PHB). The AXD 301 can separate and isolate DiffServ/MPLS and native ATM traffic as defined in the MPLS ships-in-the-night concept. Besides the ATM service categories, additional categories (output queues) are provided for MPLS/DiffServ traffic: strict QoS service is handled as constant bit rate (CBR) or real-time variable bit rate (rt-VBR), while best-effort traffic is handled together with unspecified bit rate (UBR) traffic. In IP-overlay VPNs, the appropriate DSCP field is marked in the outer IP packet header (encapsulating the UDP/L2TP packet) to ensure that the appropriate service is provided within the core.

Traffic engineering and MPLS

Traffic engineering enables service operators to move traffic flows away from the shortest path selected by the IGP and onto potentially less congested physical paths across the network, in order to optimize network performance and to facilitate more efficient and reliable management of network resources. If the core network is based on MPLS, traffic engineering (TE) mechanisms can be used to set up explicit paths to interconnect edge routers. Explicit paths can be set up based on QoS/bandwidth, policy and administrative constraints instead of IGP topology alone. Ericsson’s traffic engineering solutions enable operators to establish label-switched paths either manually or automatically. To configure an LSP manually, the paths are calculated off-line and all label switch routers are manually pre-configured to install the forwarding state. The paths can also be computed online and established semi-dynamically, whereby only the edge LSR is pre-configured, and from there a signaling protocol (resource reservation protocol/constraint-based LDP, RSVP/CR-LDP) is used to install the forwarding state in each LSR. The admission control procedures defined by RSVP/CR-LDP check the availability of resources when the path is established.

Extranets

The MPLS VPN architecture does not make any distinction between intranets and extranets. While some sites might only be members of an intranet VPN, others might be members of the intranet and an extranet. Connectivity between VPN sites is a matter of policy. Certain sites within a VPN can be allowed to communicate directly, whereas others might have restricted connectivity or might have to pass through a firewall before communicating with other sites. The MPLS VPN architecture accommodates complex VPN topologies provided the extended attributes of BGP have been configured properly.

Management and service provisioning

Although not the main focus of this article, the following section briefly describes the management components and procedure for deploying VPNs. Ericsson’s IP management architecture was described in greater detail in Ericsson Review no. 1, 2000.

Management components

Figure 10 A high-level view of the Ericsson VPN management system. Components shown: customer care and billing (CCB) system; network resource manager (NRM); policy deployment manager (PDM); Internet network manager (INM); service level manager (SLM); management platform (communications, discovery, topology, etc.); routers.

The Ericsson VPN management system consists of the following components (Figure 10):

• The customer care and billing system (CCB) contains a billing system and facilitates the definition of customers and the provisioning of new customer services. A high-level CCB system provides the interface to customer service representatives and external service providers, instead of expensive in-house specialists.
• The policy deployment manager (PDM) receives high-level service requirements from the CCB and maps them to the configuration (CLI) commands that are necessary to configure a VPN. The PDM configures the VPN elements (virtual routers, route target, route distinguisher, MPLS tunnels, iBGP sessions, interfaces, and so on) that are affected by the addition or subtraction of a customer site. At the same time, the PDM is also responsible for configuring QoS-related elements, such as access lists, packet classification rules and corresponding actions, queues, drop levels, and so on.
• The network resource manager (NRM) takes the steps that are necessary for deploying a VPN. This includes the configuration of MPLS tunnels between PEs, schedulers/drop levels in routers, and so on.
• The IP network-performance monitor (INM) measures network performance, tests connectivity, and monitors thresholds. For example, it measures one-way delay.
• The service level manager (SLM) collects network events and alarms. It can correlate network events and automatically filters out unimportant alarms. It also informs the CCB of events that violate the SLA.

Deploying VPN service

1. The underlying network must be configured before the VPN sites can be configured. This also applies to the configuration of BGP.
2. A service-level agreement is negotiated; this agreement specifies VPN sites, requested bandwidth and QoS, time frame, activation/deactivation time, and so on. The information in this agreement is then passed on to the policy deployment manager.
3. A service-level specification (SLS), which is also part of the CCB, includes the sites of a VPN, VPN topology, QoS, connectivity, and packet-classification rules and actions for each customer site. The policy deployment manager receives this high-level information from the CCB and determines the physical configuration to be applied to the network.
4. Based on the service-level specification from the CCB, the PDM configures the customer site. Once a customer site is configured (including virtual router instances, route distinguisher, route targets, stub links, iBGP sessions, and QoS components such as schedulers and drop levels), information pertaining to the newly created VPN is passed to the INM. This initiates performance monitoring in the network and guarantees conformance with the SLA.
5. If events or alarms occur in the network (for example, faults or performance-related events from the INM), the SLM informs the CCB of correlated events that lead to SLA violations.

Conclusion

Network-based IP-VPNs give business customers the same services and benefits as they enjoy with their current networks, but use shared public infrastructure instead of private equipment, thereby reducing the cost of deploying and operating VPN service. Ericsson’s MPLS VPN solution is scalable and simple to deploy. It can seamlessly integrate customer routers into the service provider’s backbone. The implementation does not require any changes or additional functions on the customer’s intranet. At the same time, the service provider’s backbone can be used in a reliable and cost-effective way as a platform for providing profitable value-added services, such as telephony, multicast, centralized Web hosting, e-commerce, and security services for extranets.